Muhammad Noman

Email: mohammad.noman@ucp.edu.pk
Information Security 1
Basic Terminologies

Lecture 3

Muhammad Noman
Email: mohammad.noman@ucp.edu.pk
Information Security 2
Introduction to Cryptography
Key Concepts:
• Plaintext: Original message before encryption.
• Example: "HELLO"
• Ciphertext: Coded message after encryption.
• Example: "URYYB" (using Caesar Cipher with key = 13)
• Cipher: Algorithm for transforming plaintext into
ciphertext.
• Example: Caesar Cipher shifts each letter by a certain number.

Muhammad Noman
(Lecturer FOIT) 3
(University of Central Punjab)
Key and Encryption/Decryption

• Key: Information used in the cipher, known only to the

sender and receiver.
Example: In Caesar Cipher, the key is the number of positions
to shift each letter (e.g., key = 3).
• Encipher (Encrypt): Converting plaintext to ciphertext.
Example: "HELLO" becomes "KHOOR" using a Caesar Cipher
with key = 3.
• Decipher (Decrypt): Recovering plaintext from ciphertext.
Example: "KHOOR" decrypted back to "HELLO" with the same
key = 3.

Muhammad Noman
(Lecturer FOIT) 4
(University of Central Punjab)
Cryptography vs Cryptanalysis

• Cryptography: Study of encryption methods.

Example: Symmetric-key encryption (AES) and public-key
encryption (RSA).
• Cryptanalysis (Codebreaking): Study of methods to
decipher ciphertext without knowing the key.
Example: Frequency analysis used to break simple
substitution ciphers.
• Cryptology: Field encompassing both cryptography and
cryptanalysis.

Muhammad Noman
(Lecturer FOIT) 5
(University of Central Punjab)
What is Social Engineering?
Social Engineering is the act of manipulating people into
revealing confidential information or performing actions
that could lead to security breaches. It takes advantage of
human psychology rather than technical vulnerabilities.

OR

Social Engineering is a method used by attackers to trick

individuals into giving away confidential information,
usually through deception and manipulation.

Muhammad Noman
(Lecturer FOIT) 6
(University of Central Punjab)
What is Social Engineering?
Example:
Scenario: A hacker calls an employee, pretending to be from
the company's IT department. They claim there's an urgent
issue and ask the employee to reset their password. The
employee follows the instructions and shares their new
password over the phone.

Result: The hacker now has access to the employee's

account, potentially leading to a security breach.

Muhammad Noman
(Lecturer FOIT) 7
(University of Central Punjab)
Types of Social Engineering Attacks:

• Phishing: Fake emails or websites that trick people into

revealing passwords.
• Pretexting: Creating a fabricated scenario to get
information.
• Baiting: Offering something tempting (e.g., free USB
drives) to trick people into exposing their system.

Muhammad Noman
(Lecturer FOIT) 8
(University of Central Punjab)
How to Prevent It:
• Be cautious of unsolicited requests for information.
• Verify the identity of anyone asking for sensitive
information.
• Don’t share passwords or personal information without
confirmation.

Muhammad Noman
(Lecturer FOIT) 9
(University of Central Punjab)
 CODE & DECODE
• An original message is known as the plaintext, while the coded message is called the
cipher text. The process of converting from plaintext to cipher text is known as
enciphering or encryption.
• Restoring the plaintext from the cipher text is deciphering or decryption.
• The many schemes used for encryption constitute the area of study known as
cryptography.
• Techniques used for deciphering a message without any knowledge of the enciphering
details fall into the area of cryptanalysis.
• Cryptanalysis is what the layperson calls “breaking the code.”
• The areas of cryptography and cryptanalysis together are called cryptology.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
Symmetric Cipher Model

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
Symmetric Cipher Model
A symmetric encryption scheme has five ingredients
Plaintext: This is the original, understandable message or
data that you start with before any processing.
Encryption Algorithm: This algorithm takes the plaintext
and performs a series of changes and substitutions to make it
unreadable.
Secret Key: This is an additional input that goes into the
encryption process. It's a separate value from the plaintext
and the algorithm itself. The algorithm uses this key to
determine how it will change the plaintext. Using different
keys will result in different scrambled outputs even if the
original message is the same.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
Symmetric Cipher Model
Ciphertext: This is the jumbled, unreadable version of the
original message that comes out after encryption. It looks like
random data and doesn't make sense on its own. The specific
key used during encryption will produce a unique ciphertext
for the same message.
Decryption Algorithm: This process is essentially the
encryption algorithm in reverse. It takes the scrambled
ciphertext and the secret key, and turns it back into the
original readable message (plaintext).

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
 ATTACKS
• The main objective of attacking an encryption system is to
recover the key.
• Two Approaches for attacking a conventional encryption
scheme:
CRYPTANALYSIS:
• Rely on the nature of the algorithm
• knowledge of the general characteristics of the plaintext
• plaintext–ciphertext pairs
BRUTE-FORCE ATTACK:
• Attacker tries every possible key on a piece of ciphertext
until plaintext is obtained.
• Half of all possible keys must be tried to achieve success.
Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
 Types of Cryptanalysis

• Ciphertext-only Attack: The attacker only has access to

the ciphertext.
Example: An attacker intercepts an encrypted message and
tries to break it using patterns or frequency analysis.
• Known-plaintext Attack: The attacker has both the
plaintext and its corresponding ciphertext.
Example: If an attacker knows the phrase "HELLO"
corresponds to "KHOOR" (in a Caesar Cipher), they can
work out the key (shift of 3).

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
 Types of Cryptanalysis

• Chosen-plaintext Attack: The attacker can encrypt

plaintext of their choice and study the resulting ciphertext.
Example: Sending specific messages to an encryption
system and analyzing how they get transformed.

• Differential and Linear Cryptanalysis: Advanced

techniques used to break modern cryptosystems by
analyzing how small changes in input affect the output.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
 Brute Force Attack

A brute force attack is a cryptanalytic method where the

attacker systematically tries all possible keys or passwords
until the correct one is found.

How It Works:
• The attacker generates every possible combination of
letters, numbers, and symbols until the right key is found.
• Example: In a Caesar Cipher, an attacker could try all
possible shifts (from 1 to 25) to decrypt the ciphertext.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
 Brute Force Attack

Example:
• Password Cracking:
• If the password is a simple combination of 4 digits, the
brute force attacker tries all combinations from "0000"
to "9999".
• If the correct password is "4679", the attacker
eventually finds it after checking 4679 combinations.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
 Brute Force Attack

Why Brute Force Attacks Work:

• They are effective against weak ciphers or short
passwords.
• The longer and more complex the password, the harder
and more time-consuming the attack.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
Types of Brute Force Attack
Simple Brute Force Attacks: Trying all possible combinations
of passwords until the correct one is found.
Dictionary Attacks: Using a pre-defined list of words (like a
dictionary) to guess the password.
Hybrid Brute Force Attacks: Combining dictionary attacks
with random variations (e.g., adding numbers or symbols).
Reverse Brute Force Attacks: Using a known password to
find matching usernames or accounts.
Credential Stuffing: Using stolen usernames and passwords
from one service to try and access other services.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
Brute Force Attack

Countermeasures:
1. Use Strong Passwords: Include a mix of uppercase,
lowercase, symbols, and numbers.
2. Increase Key Length: Larger key sizes in encryption (e.g.,
AES-256) make brute-force attacks practically impossible
due to time constraints.
3. Implement Lockout Mechanisms: After several incorrect
attempts, lock the system to prevent further attacks.

Muhammad Noman
(Lecturer FOIT)
(University of Central Punjab)
Questions

Information Security 22