Cryptography &

Network Security

Dr. M Rajamani
Asst. Professor,
Dept of CSE
Course Particulars
• Course Code : 19ECS305
• Category : Core
• Credits : 03
• Faculty Name : Dr. M.Rajamani
• Offered to : ¾ B. Tech (CSE)
• Semester : 5
• Academic year : 2022-2023
• Offering Dept. : CSE, GIT, Visakhapatnam
Course Overview
The aim of this course is to introduce about information Security concepts to the students. This course
develops a basic understanding of goals, threats, attacks and mechanisms of security, the algorithms and their
design choices. The course also familiarizes students with a few mathematical concepts used in cryptology.
The course emphasizes to give a basic understanding of attacks in cryptosystems as well, how to shield
information from attacks. It also deals with message authentication, Digital signatures and Network security.

Course Objectives

 Understand security concepts, goals, threats and Security services, mechanisms to counter them. (L2)
 Comprehend and apply Classical Encryption Techniques. (L3)
 Understand various symmetric cryptographic techniques. (L2)
 Learn number theory related to Modern Cryptography. (L2)
 Learn different kinds of Message Authentication Techniques. (L2)
Course Outcomes

After completion of this course, the student will be able to:

 distinguish between Symmetric and Asymmetric cryptosystems (L4)
 analyze and implement Symmetric Classical Ciphers (L4)
 explain Hash functions and its algorithms (L2)
 apply Digital signature and its algorithms (L3)
 discuss public key distribution, Kerberos (L6)
 understand security at application and transportation layers. (L2)
Module-1 Syllabus
•Introduction:
• Computer Security Concepts
• The OSI Security Architecture
• Cryptography
• Cryptanalysis, attacks, services, security mechanisms.

•Classical Encryption Techniques:

• Substitution Techniques
• Caesar Cipher
• Monoalphabetic Ciphers
• Playfair Cipher
• Hill Cipher
• Polyalphabetic Ciphers.

• Transposition Techniques
Module – 1 Learning Outcomes
After Completion of this unit the student will be able to
•illustrate different security attacks (L2)
•apply to problems related classical substitution methods (L3)
•explain Transposition techniques(L2)
Computer Security Concepts
• Definition (NIST):
• The protection afforded to an automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware, information/data, and telecommunications).

The 3 concepts introduced in this definition are shown below. They are also called as CIA Traid.
• Confidentiality
• Integrity
• Availability
 Security Requirements
• The following are the minimal requirements for computer security:
• Confidentiality

• Integrity

• Availability

• Authenticity

• Accountability
• Authenticity and Accountability are also added to the current security
mechanisms along with the components of CIA Traid.
Cont…
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for
protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of

information.
• controlling access to data to prevent unauthorized disclosure.
• Ex: payroll , ecommerce customers
• Counter measures : strong access control and authentication mechanisms; encryption, steganography

• Integrity: Guarding against improper information modification or destruction, including ensuring information

nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information .
• ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic, and
reliable.
• involves protecting data in use, in transit and when it is stored.
• Ex: ecommerce customers, Bank customers
• Counter measures : encryption, hashing, digital signatures
Cont…
• Availability: Ensuring timely and reliable access to and use of information. A
loss of availability is the disruption of access to or use of information or an
information system.

• Authenticity: The property of being genuine and being able to be verified and
trusted. Confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
•  the proven fact that something/someone is legitimate or real.
Cont…
• Accountability:
 Accountability is an assurance that an individual or an organization will be evaluated
on their performance or behavior related to something for which they are responsible.
 The security goal that generates the requirement for actions of an entity to be traced
uniquely to that entity.
 This supports nonrepudiation, deterrence, fault isolation, intrusion detection and
prevention, and after-action recovery and legal action.
 Truly secure systems are not yet an achievable goal, therefore we must be able to at
least trace a security breach to a responsible party.
 Systems must keep records of their activities to permit later forensic analysis to trace
security breaches or to aid in transaction disputes.
What is Cryptology, Cryptography
& Cryptanalysis?
• Greek word : kryptós = “hidden” and graphein = “to write”.

• Cryptology = “Study of codes, both hiding and solving them”

= cryptography + cryptanalysis

• Cryptography = Art of creating codes

• Cryptanalysis = Analyzing or breaking the coded message

Why do we need Cryptography?
 Is Internet secure?
Obviously NOT.
 Cryptography secures information and communications using a set of rules that
allows only intended users to receive the information to access and process it.
What is Cryptography?

• Cryptography is a method of
protecting information and
communications through the
use of codes, so that only those
for whom the information is
intended can read and process
it.
Basic Terminologies
Plain Text :
Is the original message
Cipher Text :
Is the encrypted message
Encryption :
transforming information from readable format into unreadable format
Decryption :
transforming information from unreadable format to readable format
Key :
a string of bits used by a cryptographic algorithm to transform plain text into
cipher text or vice-versa.
What is Cryptanalysis?

• Greek word : kryptós = “hidden”

and analýein = “"to loosen“ or
“untie”
• Cryptanalysis is used to
breach cryptographic security
systems and gain access to the
contents of encrypted messages,
even if the cryptographic key is
unknown.
 Model for computer security
The assets of a computer system are as follows:
• Hardware: Including computer systems and other data processing, data storage, and
data communications devices
• Software: Including the operating system, system utilities, and applications.
• Data: Including files and databases, as well as security-related data, such as password
files.
• Communication facilities and networks: Local and wide area network communication
links, bridges, routers, and so on.
Adversary (threat agent) : An entity that attacks, or is a threat to, a system.
Attack: an intelligent act that is a deliberate attempt to evade security services and
violate the security policy of a system.
Countermeasure An action, device, procedure, or technique that reduces a threat, a
vulnerability, or an attack by eliminating or preventing it.
Risk An expectation of loss expressed as the probability that a threat will exploit a
vulnerability with a harmful result.
Security Policy A set of rules and practices that specify or regulate how a system or
organization provides security services to protect sensitive and critical system resources.
OSI Security architecture
• The security manager is responsible for :
• assessing and evaluating the security needs of an organization effectively,
• evaluating and choosing various security products, policies,
• He needs some systematic way of defining the requirements for security and characterizing the
approaches to satisfying those requirements.
• Designing the above needs is too difficult in a centralized data processing environment; which
uses of local and wide area networks.
• Security architecture and design contains the concepts, principles, structures, and standards used
to design, monitor, and secure; operating systems, equipment, networks, applications, and those
controls used to enforce various levels of availability, integrity, and confidentiality.
OSI Security Architecture
• The OSI security architecture is useful to managers as a way of organizing the
task of providing security.
• This architecture was developed as an international standard
• All computer and communications vendors have developed security features for
their products and services that relate to this structured definition of services and
mechanisms.
• The OSI security architecture focuses on security attacks, mechanisms, and
services.
OSI Security Architecture
• Security attack: Any action that compromises the security of information owned
by an organization.
• Security mechanism: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
• Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization.
• The services are intended to counter security attacks, and they make use of one or more
security mechanisms to provide the service.
Difference between a Threat & Attack
• Threat: A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and
cause harm. That is, a threat is a possible danger that might exploit a
vulnerability(loop holes or weaknesses).

• Attack: An assault on system security that derives from an intelligent

threat; that is, an intelligent act that is a deliberate attempt (especially in the
sense of a method or technique) to evade security services and violate the
security policy of a system.
Attacks
Two types of attacks:
• Passive attack: An attempt to learn or make use of information from the system
that does not affect system resources.
•Active attack: An attempt to alter system resources or affect their operation.
We can also classify attacks based on the origin of the attack:
• Inside attack: Initiated by an entity inside the security perimeter (an “insider”).
The insider is authorized to access system resources but uses them in a way not
approved by those who granted the authorization.
• Outside attack: Initiated from outside the perimeter, by an unauthorized or
illegitimate user of the system (an “outsider”).
On the Internet, potential outside attackers range from amateur pranksters to organized criminals,
international terrorists, and hostile governments.
Passive attacks
Types of Passive attacks
Release of Message contents
• Eavesdropping on, or monitoring
of, transmissions.
• The goal of the opponent is to
obtain information that is being
transmitted.
• A phone conversation, an email or
a file under transmission may be
eavesdropped.
Cont…
Traffic Analysis
• If the messages are encrypted the
opponents, cannot extract the information
even if they captured the message.
• Opponent might still be able to observe
the pattern of these messages.
• The opponent could determine the
• location and identity of
communicating hosts
• observe the frequency and length of
messages being exchanged.
• This information is useful in guessing the
nature of the communication that’s taking
place.
Active attacks
Types of Active attacks
A masquerade takes place
when one entity pretends
to be a different entity.
Cont..
Modification of messages simply
means that some portion of a
legitimate message is altered, or
that messages are delayed or
reordered, to produce an
unauthorized effect
Cont…
Replay involves the passive capture
of a data unit and its subsequent
re-transmission to produce an
unauthorized effect
 Cont…
The denial of service:
• Prevents or inhibits the normal use or management
of communications facilities.
• may have a specific target; for example, an entity may
suppress all messages directed to a particular
destination (e.g., the security audit service).
• Another form is the disruption of an entire network,
either by disabling the network or by overloading it
with messages so as to degrade performance.
Active Vs Passive attacks

• Active attacks present the opposite characteristics of passive attacks.

• Passive attacks are difficult to detect. Measures are available to prevent their
success.

• On the other hand, it is quite difficult to prevent active attacks absolutely, because
of the wide variety of potential physical, software, and network vulnerabilities.

• The goal is to detect active attacks and to recover from any disruption or delays
caused by them.
Services
• X.800 defines a security service as a service that is provided by a protocol layer of communicating systems and
that ensures adequate security of the systems or of data transfers.

• RFC 4949 defines security service as a processing or communication service that is provided by a system to
give a specific kind of protection to system resources. Security services implement security policies with the
help of security mechanisms.

• X.800 divides security services into five categories and fourteen specific services.

• X.800 : Security architecture for Open Systems Interconnection for CCITT (Consultative Committee for International Telephony
and Telegraphy) applications  

• RFC (stands for Request For Comments) is a document that describes the standards, protocols, and technologies of the Internet
and TCP/IP
X.800 Security Services
• Authentication • Data Integrity
• Peer Entity Authentication • Connection Integrity with Recovery

• Data-Origin Authentication • Connection Integrity without Recovery

• Access Control • Selective-field Connective Integrity

• Connectionless Integrity
• Data Confidentiality
• Selective-field Connectionless Integrity
• Connection Confidentiality

• Connectionless Confidentiality
• Nonrepudiation
• Nonrepudiation Origin
• Selective-Field Confidentiality
• Nonrepudiation Destination
• Traffic-flow Confidentiality
X.800
Securit
yServic
es
Security Mechanisms

• Specific Security Mechanisms • Notarization

• Encipherment • Pervasive Security Mechanisms

• Digital Signature • Trusted Functionality

• Access Control • Security Label

• Data Integrity • Event Detection

• Authentication exchange • Security Audit Trail

• Traffic Padding • Security Recovery

• Routing Control
X.800
Security
Mechanism
s
X.800
Security
Mechanism
s
Specific Security Mechanisms
Specific security mechanisms may be incorporated into an appropriate layer to provide some of the
security services 

Encipherment

• The use of mathematical algorithms to transform data into a form that is not readily intelligible.
The transformation and subsequent recovery of the data depend on an algorithm and zero or more
encryption keys.
Digital Signature

• Data appended to, or a cryptographic transformation of, a data unit that allows a
recipient of the data unit to prove the source and integrity of the data unit and
protect against forgery (e.g., by the recipient).
Access Control
• A variety of mechanisms that enforce access rights to resources.

Data Integrity
• A variety of mechanisms used to assure the integrity of a data unit or stream of data units.

Authentication Exchange
• A mechanism intended to ensure the identity of an entity by means of information
exchange.
Traffic Padding
• The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.

Routing Control
• Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.

Notarization
• The use of a trusted third party to assure certain properties of a data exchange.
Pervasive Security Mechanisms
Pervasive security mechanisms are not specific to any particular security service and are in general directly related
to the level of security required.

Trusted Functionality
• The general concept of trusted functionality can be used to either extend the scope or to establish the effectiveness of other security
mechanisms. Any functionality that directly provides, or provides access to, security mechanisms should be trustworthy.

Security Label
• System resources may have security labels associated with them, for example, to indicate sensitivity levels. It is often necessary to convey

the appropriate security label with data in transit. A security label may be additional data associated with the data transferred or may be

implicit (e.g., implied by the use of a specific key to encipher data or implied by the context of the data such as the source address or

route).
Event Detection
• Security-relevant event detection can be used to detect apparent violations of security.

Security Audit Trail

• A security audit refers to an independent review and examination of system records and activities to test for

adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect

breaches in security, and to recommend any indicated changes in control, policy, and procedures. Consequently,

a security audit trail refers to data collected and potentially used to facilitate a security audit.

Security Recovery
• Security recovery deals with requests from mechanisms such as event handling and management functions, and
takes recovery actions as the result of applying a set of rules.
Relationship Between Security
Services and Mechanisms