Module 1

Introduction To Cryptography

OVERVIEW
• Services, mechanisms and attacks,
• Model for network security
• Symmetric Cipher Model.

• Substitution Techniques: Caesar Cipher. Mono Alphabetic Cipher. Playfair Cipher,

Hill Cipher, poly alphabetic Cipher and One-Time Pad(OTP)
• Transposition Technique: Rail Fence , Row Column Technique

• Steganography

Various concepts and technical issues related to security (i.e. trying to understand how to
protect),
 It is essential to know what we are trying to protect.
 What are the various dangers when we use computers, computer networks, and the
biggest network of them all, the Internet?
 What are the likely pitfalls?
 What can happen if we do not set up the right security policies, framework
and technology implementations.

Why is security required in the first place?

People sometimes say that security is like statistics:
what it reveals is trivial, what it conceals is vital!
In other words, the right security infrastructure opens up just enough doors that are mandatory. It
protects everything else.
 Especially these days, when serious business and other types of transactions are
being conducted over the Internet to such a large extent, that inadequate or improper
security mechanisms can bring the whole business down,
THE NEED FOR SECURITY
 Most previous computer applications had no, or at best, very little security. This
continued for a number of years until the importance of data was truly realized.
 When computer applications were developed to handle financial and personal data, the
real need for security was felt like never before. People realized that data on computers is
an extremely important aspect of modern life. Therefore, various areas in security began
to gain prominence.

Two typical examples of such security mechanisms were as follows:

● Provide a user identification and password to every user, and use that information to
authenticate a user.
● Encode information stored in the databases in some fashion, so that it is not visible to users
who do not have the right permission

Example of information traveling from a client to a server over the Internet

• Figure shows such an example of what can happen when you use your credit card for
making purchases over the Internet.

• From the user’s computer, the user details such as user id, order details such as order id
and item id, and payment details such as credit-card information travel across the Internet
to the server (i.e. to the merchant’s computer).
 • The merchant’s server stores these details in its database. There are various security
holes here.

• First of all, an intruder can capture the credit-card details as they travel from the client to
the server. If we somehow protect this transit from an intruder’s attack, it still does not
solve our problem.
• Once the merchant computer receives the credit-card details and validates them so as to
process the order and later obtain payments, the merchant computer stores the credit card
details into its database.

• Now, an attacker can simply succeed in accessing this database, and therefore gain
access to all the credit-card numbers stored therein
Methods employed must reformat and transform our data, making it safer on its trip between
computers.

• The technology is based on the essentials of secret codes, augmented by modern mathematics
that protects our data in powerful ways.

• Security forms can be of different kinds:

• Computer Security – a collection of tools designed to protect data and to prevent hackers

• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks

To assess the security needs of an organization effectively, approach is to consider three aspects
of information security:
1. Security attack – Any action that compromises the security of information owned
by an organization.
2. Security mechanism – A mechanism that is designed to detect, prevent or
recover from a security attack.
3. Security service – A service that enhances the security of the data processing
systems and the information transfers of an organization. The services are
intended to counter security attacks and they make use of one or more security
mechanisms to provide the service.
 Classifying security attacks, is in terms of passive attacks and active attacks.
Passive attacks:

• A Passive attack attempts to learn or make use of information from the system but does
not affect system resources. Passive Attacks are in the nature of monitoring transmission.

• The goal of the opponent is to obtain information that is being transmitted. Passive
attacks involve an attacker passively monitoring or collecting data without altering or
destroying it.

• Examples of passive attacks include eavesdropping, where an attacker listens in on

network traffic to collect sensitive information, and sniffing, where an attacker captures
and analyzes data packets to steal sensitive information.
Types of Passive attacks are as follows:
• The release of message content
• Traffic analysis

1) The release of message content

Telephonic conversation, an electronic mail message, or a transferred file may contain sensitive
or confidential information. Need to prevent an opponent from learning the contents of these
transmissions.

Traffic analysis
Suppose that we had a way of masking (encryption) information, so that the attacker even
if captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host and could
observe the frequency and length of messages being exchanged. This information might
 be useful in guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. To do this,
an attacker would have to access the SIP proxy (or its call log) to determine who made
the call.

Active attacks:
Active attacks are a type of cybersecurity attack in which an attacker attempts to alter, destroy,
or disrupt the normal operation of a system or network. Active attacks involve the attacker taking
direct action against the target system or network, and can be more dangerous than passive
attacks, which involve simply monitoring or eavesdropping on a system or network.
Types of active attacks are as follows:
 Masquerade
 Modification of messages
 Repudiation
 Replay
 Denial of Service

Masquerade –
Masquerade is a type of cybersecurity attack in which an attacker pretends to be someone else
in order to gain access to systems or data. This can involve impersonating a legitimate user or
system to trick other users or systems into providing sensitive information or granting access to
restricted areas.
There are several types of masquerade attacks, including:
 Username and password masquerade: In a username and password masquerade attack,
an attacker uses stolen or forged credentials to log into a system or application as a
legitimate user.
 IP address masquerade: In an IP address masquerade attack, an attacker spoofs or forges
their IP address to make it appear as though they are accessing a system or application from
a trusted source.
 Website masquerade: In a website masquerade attack, an attacker creates a fake website
that appears to be legitimate in order to trick users into providing sensitive information or
downloading malware.
 Email masquerade: In an email masquerade attack, an attacker sends an email that
appears to be from a trusted source, such as a bank or government agency, in order to trick
the recipient into providing sensitive information or downloading malware.

Masquerade Attack
Modification of messages –
It means that some portion of a message is altered or that message is delayed or reordered to
produce an unauthorized effect. Modification is an attack on the integrity of the original data. It
basically means that unauthorized parties not only gain access to data but also spoof the data by
triggering denial-of-service attacks, such as altering transmitted data packets or flooding the
network with fake data. Manufacturing is an attack on authentication. For example, a message
meaning “Allow JOHN to read confidential file X” is modified as “Allow Smith to read
confidential file X”.
 Modification of messages
Repudiation –
Repudiation attacks are a type of cybersecurity attack in which an attacker attempts to deny or
repudiate actions that they have taken, such as making a transaction or sending a message.
These attacks can be a serious problem because they can make it difficult to track down the
source of the attack or determine who is responsible for a particular action.
There are several types of repudiation attacks, including:
 Message repudiation attacks: In a message repudiation attack, an attacker sends a
message and then later denies having sent it. This can be done by using spoofed or falsified
headers or by exploiting vulnerabilities in the messaging system.
 Transaction repudiation attacks: In a transaction repudiation attack, an attacker makes a
transaction, such as a financial transaction, and then later denies having made it. This can
be done by exploiting vulnerabilities in the transaction processing system or by using
stolen or falsified credentials.
 Data repudiation attacks: In a data repudiation attack, an attacker modifies or deletes data
and then later denies having done so. This can be done by exploiting vulnerabilities in the
data storage system or by using stolen or falsified credentials.
Replay –
It involves the passive capture of a message and its subsequent transmission to produce an
authorized effect. In this attack, the basic aim of the attacker is to save a copy of the data
originally present on that particular network and later on use this data for personal uses. Once
the data is corrupted or leaked it is insecure and unsafe for the users.
 Replay
Denial of Service –
Denial of Service (DoS) is a type of cybersecurity attack that is designed to make a system or
network unavailable to its intended users by overwhelming it with traffic or requests. In a DoS
attack, an attacker floods a target system or network with traffic or requests in order to
consume its resources, such as bandwidth, CPU cycles, or memory, and prevent legitimate
users from accessing it.
There are several types of DoS attacks, including:
 Flood attacks: In a flood attack, an attacker sends a large number of packets or requests to
a target system or network in order to overwhelm its resources.
 Amplification attacks: In an amplification attack, an attacker uses a third-party system or
network to amplify their attack traffic and direct it towards the target system or network,
making the attack more effective.
 Parameter Active Attack Passive Attack

While in a passive attack,

In an active attack, Modification
Modification Modification in the information
in information takes place.
does not take place.

Active Attack is a danger Passive Attack is a danger

Danger factor
to Integrity as well as availability. to Confidentiality.

In an active attack, attention is on While in passive attack attention

Attention
prevention. is on detection.

Due to active attacks, the

While due to passive attack, there
System execution system is always
is no harm to the system.
damaged.

While in a passive attack, Victim

Information to In an active attack, Victim gets
does not get informed about the
Victim informed about the attack.
attack.

In an active attack, System While in passive attack, System

System resources
resources can be changed. resources are not changing.

While passive attacks are

In an active attack, information
performed by collecting
Data Usage collected through passive attacks
information such as passwords,
is used during execution.
and messages by themselves.

Detection Can be easily detected. Very difficult to detect.

The purpose of an active attack is The purpose of a passive attack is

Purpose
to harm the ecosystem. to learn about the ecosystem.
 Information In an active attack, the original In passive attack original
Alteration information is modified. information is Unaffected.

The duration of an active attack is The duration of a passive attack is

Duration
short. long.

The prevention possibility of The prevention possibility of

Prevention
active attack is High passive attack is low.

Complexity Complexity is High Complexity is low.

SECURITY SERVICES :
The classification of security services are as follows:
Confidentiality: Ensures that the information in a computer system and transmitted information
are accessible only for reading by authorized parties.
Authentication: Ensures that the origin of a message or electronic document is correctly
identified, with an assurance that the identity is not false.
Integrity: Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting, creating and
delaying or replaying of transmitted messages.
Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny
the transmission.
Access control: Requires that access to information resources may be controlled by or the target
system.

SECURITY MECHANISMS
Encipherment
The use of mathematical algorithms to transform data into a form that is not readily intelligible.
The transformation and subsequent recovery of the data depend on an algorithm and zero or
more encryption keys.

Digital Signature
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the
data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the
recipient).

Access Control
A variety of mechanisms that enforce access rights to resources.

Data Integrity
A variety of mechanisms used to assure the integrity of a data unit or stream of data units.

Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of information exchange.

Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing Control
Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.

Notarization
The use of a trusted third party to assure certain properties of a data exchange.
A MODEL FOR NETWORK SECURITY

 A security-related transformation on the information to be sent. Examples include the

encryption of the message, which scrambles the message so that it is unreadable by the
opponent, and the addition of a code based on the contents of the message, which can be
used to verify the identity of the sender
 Some secret information shared by the two principals and, it is hoped, unknown to the
opponent. An example is an encryption key used in conjunc- tion with the transformation
to scramble the message before transmission and unscramble it on reception.
 This general model shows that there are four basic tasks in designing a particular security
service:

1. Design an algorithm for performing the security-related transformation. The algorithm

should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.
SYMMETRIC CIPHER MODEL

A symmetric encryption scheme has five elements

Simplified Model of Symmetric Encryption

• Plaintext: This is the original intelligible message or data that is fed into the algorithm
as input.

• Encryption algorithm: The encryption algorithm performs various substitutions and

transformations on the plaintext.

• Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext and of the algorithm. The algorithm will produce a different
output depending on the specific key being used at the time. The exact substitutions and
transformations performed by the algorithm depend on the key.

• Ciphertext: This is the scrambled message produced as output. It depends on the

plaintext and the secret key. For a given message, two different keys will produce two
different ciphertexts. The ciphertext is an apparently random stream of data and, as it
stands, is unintelligible.

• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It

takes the ciphertext and the secret key and produces the original plaintext.
Model of Symmetric Cryptosystem

Model of Symmetric Cryptosystem

A source produces a message in plaintext, X = [X1, X2, XM].

The M elements of X are letters in some finite alphabet. Traditionally, the alphabet usually
consisted of the 26 capital letters. Nowadays, the binary alphabet {0, 1} is typically used.

For encryption, a key of the form K = [K1, K2, KJ] is generated. If the key is generated at
the message source, then it must also be provided to the destination by means of some
secure channel.

Alternatively, a third party could generate the key and securely deliver it to both source
and destination.

With the message X and the encryption key K as input, the encryption algorithm forms the
ciphertext Y = [Y1, Y2,…, YN].
 We can write this as Y = E(K, X) This notation indicates that Y is produced by using
encryption algorithm E as a function of the plaintext X , with the specific function
determined by the value of the key K.

The intended receiver, in possession of the key, is able to invert the transformation: X =
D(K, Y) An opponent, observing Y but not having access to K or X , may attempt to recover
X or K or both X and K.

It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms.
If the opponent is interested in only this particular message, then the focus of the effort is
to recover X by generating a plaintext estimate XN .

Often, however, the opponent is interested in being able to read future messages as well,
in which case an attempt is made to recover K by generating an estimate K N .

Types of Cryptography
1. Symmetric cryptography
2. Asymmetric cryptography
Symmetric cryptography
It relies on algorithms that use a single key to encrypt and decrypt information.
In other words, the sender uses a secret key to encrypt the message. Then, the
recipients use the same key to decrypt and read the data. So, the key needs to be
shared across all parties that are authorized to decrypt the message.
Depending on the algorithm, if it’s strong enough, decryption of the ciphertext without
having the secret key shouldn’t be possible. The strength of the algorithm also depends
on how complicated is the key.
For example, it’s estimated that breaking a 128bit long AES (Advanced Encryption
Standard) key using modern hardware would take 500 billion years or more. Moreover,
the 256 bits long keys are considered highly unbreakable.
As we can see, the secret keys are very secure in terms of cracking. On the other hand,
we need to share it with all parties that should be able to decrypt the message. So, it
results in some weak points. First of all, the way of providing the key to other parties
should be secure to avoid any exposures.

Asymmetric cryptography :
It relies on a pair of two separate but mathematically connected keys.
The first of them is called a public key. It’s used to encrypt the message and it can be
publicly shared.
The second one is the private key. Its job is to decrypt the data. The private key should
be securely stored and shouldn’t be transferred at all.
Calculating the private key based on the public one is theoretically possible but
practically nearly unachievable.

We can see that asymmetric cryptography eliminates two main weaknesses of the
symmetric one. First of all, the private key that decrypts the data isn’t transferred
anywhere. Therefore, only the recipient possesses the private key and is the only person
responsible for its security.

Symmetric Key Encryption Asymmetric Key Encryption

It requires two keys, a public key and a private

It only requires a single key for both
key, one to encrypt and the other one to
encryption and decryption.
decrypt.

The size of cipher text is the same or The size of cipher text is the same or larger
smaller than the original plain text. than the original plain text.

The encryption process is very fast. The encryption process is slow.

It is used when a large amount of data

It is used to transfer small amounts of data.
is required to transfer.

It provides confidentiality, authenticity, and

It only provides confidentiality.
non-repudiation.

The length of key used is 128 or 256

The length of key used is 2048 or higher
bits

Examples: 3DES, AES, DES and Examples: Diffie-Hellman, ECC, El Gamal,

RC4 DSA and RSA