
U-1, C-1 (Introduction To Symmetric-Key Encipherment)

The document provides an introduction to symmetric-key encryption and cryptography. It discusses security goals of confidentiality, integrity, and availability. It then covers cryptographic attacks including cryptanalytic attacks that aim to break the encryption key and non-cryptanalytic attacks like snooping, traffic analysis, and denial of service. The document also discusses security services and mechanisms recommended by ITU-T like encryption, digital signatures, and authentication to provide confidentiality, integrity, and other services. Finally, it covers cryptographic techniques like symmetric-key encryption, asymmetric encryption, hashing, and steganography.

Uploaded by

manasa

Cryptography

Introduction to Symmetric-Key Encipherment
Topics
• Introduction
• Security Goals
• Cryptographic Attacks
• Services and Mechanism
• Techniques
Introduction
• In this era of computers and technology, Information is an
asset.
• Facebook and Google are collecting data, extracting
valuable information about users.
• The information gathered is usually distributed and not
stored at a single place.
• This information must be secured from attacks.
Security Goals
• Three security goals:
– Confidentiality
– Integrity
– Availability
• Confidentiality
– is the most important aspect of information security. Military (Defence
Information), Industry (Competitors), Banks (Customer Information) etc.
– should be maintained not only during storage but also during
transmission of information.
• Integrity
– In banks, information changes constantly (say, the balance after
a transaction). This change should be done only by authorized
entities through authorized mechanisms.
– Violation of integrity may be caused by a malicious attack or even
by an interruption in the system (power failure).
• Availability
– The information should be available to authorized entities at any
given point in time.
– Unavailability is as harmful as a loss of confidentiality or integrity.
– Example: bank customers not being able to access their accounts.
Cryptographic Attacks
• They can be broadly categorized into two types:
– Cryptanalytic
– Non-cryptanalytic
• Cryptanalytic Attacks
– These attacks are a combination of statistical and algebraic techniques
aimed at finding the key of the cipher.
– They inspect the mathematical properties of the cryptographic algorithms,
looking for deviations from uniform distributions.
– The objective of cryptanalysis is to find those properties which are not
seen in a random function.
– The attacker employs a divide and conquer strategy to guess the key.
– Theoretically, these kinds of attacks are possible but practically they are
infeasible (brute force and dictionary attacks).
– This kind of attack is said to be successful if the guessing
complexity is less than the brute force complexity.
• Non-cryptanalytic Attacks
– Attacks which do not exploit mathematical weakness of the
algorithm.
– These can affect the security goals of a good cryptographic
system.
– Attacks can be grouped by the security goal which they
affect.
– Confidentiality (Snooping and Traffic analysis)
– Integrity (Modification, Masquerading, Replaying and
Repudiation)
– Availability (Denial of service)
• Attacks Threatening Confidentiality
– Snooping – Unauthorized access or interception of data. Example-
Data in a file being transmitted. Solution- Encryption.
– Traffic analysis – Monitoring the traffic. Guessing the nature of
transaction by observing requests and responses.
• Attacks Threatening Integrity
– Modification – Modify the information, so that it can benefit the
attacker.
– Masquerading – Attacker impersonates somebody else. Gain
bank details and act as a legitimate account holder.
– Replaying – Obtain a copy of the message and resend/replay it later.
– Repudiation – can be performed by one of the two parties in the
communication, wherein they deny an action performed.
• Attacks Threatening Availability
– Denial of service – DoS may slow down or totally interrupt the
system. Many bogus requests are sent to the server until the server
crashes because of heavy load.
– The attacker might even delete the server’s response, leading to an assumption that
the server is not responding.
– The attacker might intercept clients’ requests, leading to multiple requests from the clients.
• Passive versus Active Attacks
– Passive attacker’s goal is to obtain information.
– Does not modify the data or harm the system. Targets will be the
sender and receiver of the message.
– Snooping and traffic analysis are passive attacks.
– Encipherment can prevent passive attacks.
– An active attack may change the data or harm the system.
– Attacks on Integrity and Availability are active attacks.
– Detection is easy, prevention is difficult.
Services and Mechanism
• The International Telecommunication Union – Telecommunication
Standardization Sector (ITU-T) provides some security services
and mechanisms to implement them.
• Security Services
– ITU-T (X.800) security services recommendations
• Data confidentiality – is designed to protect from disclosure attack. X.800
service defined for confidentiality is very broad and ensures confidentiality of
the message. (Prevents Snooping and traffic analysis attacks)
• Data Integrity – is designed to protect from modification, insertion, deletion
and replaying attacks.
• Authentication
– In connection-oriented communication, authentication is done during connection
establishment (Peer entity)
– In connectionless communication, it authenticates the source of the data. (Data
origin)
• Non-repudiation – protects against repudiation by either side. At the receiver
side proof of origin and at the sender side proof of delivery is provided.
• Access Control – protection against unauthorized access. (Read, Write,
Modify, execute, etc.)
• Security Mechanisms
ITU-T (X.800) security mechanisms
– Encipherment
– Data Integrity
– Digital Signature
– Authentication exchange
– Traffic padding
– Routing control
– Notarization
– Access control
• Encipherment
– Hide data for confidentiality. Used with other mechanisms.
– Cryptography and Steganography are used.
• Data Integrity
– Check value is attached to data.
– Receiver checks the value and compares it with the value received from the
sender.
• Digital Signature
– Electronically sign the data.
– Private key and public key are used.
• Authentication exchange
– Two entities exchange messages to prove their identity.
– Example- A secret of ‘A’ that only ‘B’ knows and vice versa
• Traffic padding
– Inserting bogus data into the data traffic to avoid traffic monitoring
• Routing control
– Selecting and continuously changing available routes between
sender and receiver.
• Notarization
– Selecting a third party to control the communication. Example:
Solving repudiation by saving a copy of the message.
• Access control
– Proving that a user has access right to data.
– Using PINs and Passwords.
Techniques
• Security goals are implemented using two
techniques
– Cryptography
– Steganography
• Cryptography – art of secret writing. Modern cryptography
techniques involve:
– Symmetric key Encipherment
– Asymmetric key Encipherment
– Hashing
• Symmetric-Key Encipherment- (Secret Key Encryption)
– Alice encrypts the message and sends it to Bob.
– Bob decrypts the message and uses it.
– Both use same key (Secret Key) to encrypt and decrypt.
– Electronic lock- Put data into a box and lock it using the shared key.
Bob unlocks the box with the same key.

• Asymmetric-Key Encipherment – (Public Key Encryption)
– Same as above but the key varies. Two keys are used in this technique.
Private key and Public Key.
– Sender - Alice makes use of Bob’s public key.
– Receiver- Bob uses his own private key to decrypt the information.
• Hashing
– A fixed length message digest is created from a variable
length message.
– Digest is smaller than the message.
– Digest could be check values (CRC).
• Steganography
– Means “covered writing”
– Cryptography- Concealing the contents of a message
– Steganography- Concealing the message itself by
covering it with something else
• Historical Use
– China- war messages written on silk, these were rolled into
small balls, they would be swallowed.
– Rome and Greece- messages carved on wood, then dipped
into wax.
– Messages written using invisible ink between the normal
messages.
• Modern Use
– In digitized data, adding bits of information along with actual
data. Example: Copyright protection, Prevent tampering etc.
– Text cover
• Secret data can be inserted in normal texts in many ways.
Assume that single space represents binary 0 and double space
represents binary 1.
• ASCII of ‘A’ in binary is 01000001
0_1__0_0_0__0_0_0_1   Text with intentional spaces (‘_’ (underscore) is used in place of each space for better understanding)
0 1 0 0 1 0 0 0   Single space-0, double space-1


• An alternative is to make use of a common dictionary of words organized
according to their grammatical usage.
• Sample pattern: article-noun-verb-article-noun
• Consider articles -> a, the. ‘a’ will be represented as 0 and ‘the’
will be represented as 1
• In the same way we agree upon all kinds of verbs and nouns, with each
word having a designated value.
• Example:
article-noun-verb-article-noun
A friend called a doctor
0 10010 0001 0 01001   ASCII of secret code ‘Hi’
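The single-space/double-space text cover described above, as an added example (not code from the original slides): it embeds and recovers bits from the gaps between words and computes a spacing ratio a defender can use to flag suspicious text. The function names and the cover sentence are constructed for illustration; `0_1__0_0_0__0_0_0_1` is the sample shown on the slide.

```python
import re

def embed_bits(cover: str, bits: str) -> str:
    """Hide bits in the gaps between words: single space = 0, double space = 1."""
    words = cover.split()
    if len(bits) > len(words) - 1:
        raise ValueError(f"cover has {len(words) - 1} gaps, payload needs {len(bits)}")
    out = [words[0]]
    for i, word in enumerate(words[1:]):
        # Gaps past the end of the payload stay single.
        gap = "  " if i < len(bits) and bits[i] == "1" else " "
        out.append(gap + word)
    return "".join(out)

def extract_bits(stego: str, nbits: int) -> str:
    """Read the first nbits gaps back as bits."""
    gaps = re.findall(r" +", stego.strip())
    if len(gaps) < nbits:
        raise ValueError("text has fewer gaps than requested bits")
    if any(len(g) > 2 for g in gaps[:nbits]):
        raise ValueError("gap wider than two spaces: not this encoding")
    return "".join("1" if len(g) == 2 else "0" for g in gaps[:nbits])

def double_space_ratio(text: str) -> float:
    """Defender's view: fraction of word gaps that are double spaces."""
    gaps = re.findall(r" +", text.strip())
    return sum(len(g) == 2 for g in gaps) / len(gaps) if gaps else 0.0

# Constructed cover sentence (10 words, so 9 usable gaps).
COVER = "The quarterly report will be sent to all staff tomorrow"
SECRET_BITS = format(ord("A"), "08b")          # 01000001, as on the slide
STEGO = embed_bits(COVER, SECRET_BITS)

# The slide's own sample, with '_' turned back into spaces.
SLIDE_SAMPLE = "0_1__0_0_0__0_0_0_1".replace("_", " ")

if __name__ == "__main__":
    print(repr(STEGO))
    print(extract_bits(STEGO, 8), chr(int(extract_bits(STEGO, 8), 2)))
    print(extract_bits(SLIDE_SAMPLE, 8))
    print(double_space_ratio(COVER), double_space_ratio(STEGO))
```

Any tool that normalizes whitespace (many editors, mail gateways and HTML renderers do) destroys the hidden bits, which is also the simplest mitigation.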

• Image Cover
– Each pixel in an image consists of 1 byte. Usually the last bit (LSB) is
set to 0, making the image a little lighter in some areas.
– This LSB can be used to send secret information in coloured images.
– If we need binary 0, we will retain the LSB, otherwise we will set it to 1.
Example: Pixels are as shown below

01010111 10111110 01010101
11010100 10111110 01010101
11010100 10111010 00010101
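The LSB image cover above, as an added example (not code from the original slides): it writes payload bits into the least significant bit of each pixel byte, reads them back, and shows the comparison a defender can run when a known-good copy of the image exists. The function names are hypothetical; the nine pixel bytes are the ones printed on the slide, and the zeroed-LSB cover is constructed from them.

```python
def embed_lsb(pixels: bytes, bits: str) -> bytes:
    """Put one payload bit in the least significant bit of each cover byte."""
    if len(bits) > len(pixels):
        raise ValueError(f"cover holds {len(pixels)} bits, payload needs {len(bits)}")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)    # clear the LSB, then set it to the bit
    return bytes(out)

def extract_lsb(pixels: bytes, nbits: int) -> str:
    """Read the LSB of the first nbits bytes."""
    if nbits > len(pixels):
        raise ValueError("not enough pixel bytes")
    return "".join(str(p & 1) for p in pixels[:nbits])

def changed_positions(original: bytes, suspect: bytes) -> list:
    """Defender's check when a known-good copy exists: indexes of altered bytes."""
    if len(original) != len(suspect):
        raise ValueError("images differ in size")
    return [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]

# The nine pixel bytes printed on the slide.
SLIDE_PIXELS = bytes(int(b, 2) for b in (
    "01010111 10111110 01010101 "
    "11010100 10111110 01010101 "
    "11010100 10111010 00010101").split())

# Constructed cover: the same pixels with every LSB set to 0, as the slide assumes.
COVER = bytes(p & 0xFE for p in SLIDE_PIXELS)
STEGO = embed_lsb(COVER, format(ord("A"), "08b"))   # hide 01000001

if __name__ == "__main__":
    print(extract_lsb(SLIDE_PIXELS, 9))        # LSBs of the slide's pixels
    print(extract_lsb(STEGO, 8))               # recovered payload bits
    print(changed_positions(COVER, STEGO))     # bytes that differ from the cover
```

Each altered byte differs from the cover by exactly 1, which is why the change is invisible to the eye and why detection relies on a reference copy or on statistical analysis of the LSB plane.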

• Other Covers
– Sound and Video can also be used as covers to send secret
information
– Example: Information can be added during the compression of
audio and video
