C&NS Lab Manual 2021

This document contains the laboratory manual for the course CE-408 Cryptography and Network Security. It includes 14 labs covering various cryptography and network security topics. The labs are mapped to 4 course learning outcomes and are aimed at applying algorithms, analyzing problems, and using tools related to cryptography and network security. The manual provides the objectives and mapping of each lab to the course learning outcomes. It also includes evaluation rubrics for the labs.


CE-408: Cryptography & Network Security SSUET/QR/114

Computer Laboratory Manual


Cryptography & Network Security
CE-408

Department of Computer Engineering, SSUET Page | 2



CE-408: Cryptography and Network Security


Table of Contents

Lab 1 (CLO-4): The purpose of this lab is to implement the basics of MATLAB.

Lab 2 (CLO-4): The purpose of this lab is to implement the following algorithms in MATLAB:
  1. Monoalphabetic cipher
     - Additive Cipher, Multiplicative Cipher
     - Affine Cipher
  2. Monoalphabetic Substitution cipher

Lab 3 (CLO-4): The purpose of this lab is to implement the following algorithms in MATLAB:
  1. Polyalphabetic Cipher
  2. Transposition Cipher

Lab 4 (CLO-4): The purpose of this lab is to implement SDES encryption and decryption in MATLAB.

Lab 5 (CLO-4): The purpose of this lab is to implement DES encryption and decryption in MATLAB.

Lab 6 (CLO-4): The purpose of this lab is to implement the S-AES algorithm in MATLAB.

Lab 7 (CLO-4): Open Ended Lab I

Lab 8 (CLO-4): The purpose of this lab is to implement the RSA algorithm and use it for encryption and to perform digital signature in MATLAB.

Lab 9 (CLO-4): The purpose of this lab is to implement the SHA-512 algorithm in MATLAB.

Lab 10 (CLO-4): The purpose of this lab is to implement the DSS (DSA) algorithm in MATLAB for providing a digital signature to a message.

Lab 11 (CLO-4): The purpose of this lab is to
  - Configure routers as NTP clients.
  - Configure routers to update the hardware clock using NTP.
  - Configure routers to log messages to the syslog server.
  - Configure routers to timestamp log messages.
  - Configure local users.
  - Configure VTY lines to accept SSH connections only.
  - Configure an RSA key pair on the SSH server.
  - Verify SSH connectivity from a PC client and a router client.

Lab 12 (CLO-4): The purpose of this lab is to configure AAA (RADIUS) for authenticating a host on a Cisco router in Packet Tracer.

Lab 13 (CLO-4): The purpose of this lab is to configure an IPsec site-to-site Virtual Private Network (VPN) on Cisco routers in Packet Tracer.

Lab 14 (CLO-4): Open Ended Lab II


COURSE LEARNING OUTCOMES (CLOs) and their mapping with Program Learning Outcomes (PLOs):

CLO No. | Course Learning Outcomes (CLOs) | PLOs | Bloom's Taxonomy
1 | Explain fundamental security objectives, security attacks, services, and mechanisms | PLO_1 (Engineering knowledge) | C2 (Understanding)
2 | Apply various algorithms and security mechanisms to provide confidentiality, integrity, and authentication | PLO_3 (Design/Development of Solutions) | C3 (Applying)
3 | Identify appropriate techniques to analyze the problems in the discipline of network security | PLO_2 (Problem Analysis) | C4 (Analyzing)
4 | Use appropriate tools to apply different cryptographic algorithms and network security mechanisms | PLO_5 (Modern Tool Usage) | C3 (Applying)


Annexure C

SSUET/QR/118
(Form IIa)
Sir Syed University of Engineering & Technology, Karachi
Computer Engineering Department
Rubric Guideline for Software Based Lab

Course Name (Course Code), ________________________________ Semester, Batch _______


Name of Student: _______________________________ Roll No. __________________

Criteria: Software Handling
  Exceeds Expectations (>=90%): Able to use software with its standard and advanced features without assistance
  Meets Expectations (70%-89%): Able to use software with its standard and advanced features with minimal assistance
  Developing (50%-69%): Able to use software with its standard features with assistance
  Unsatisfactory (<50%): Unable to use the software

Criteria: Programming/Simulation
  Exceeds Expectations (>=90%): Able to program/simulate the lab tasks with simplification
  Meets Expectations (70%-89%): Able to program/simulate the lab tasks without errors
  Developing (50%-69%): Able to program/simulate lab tasks with errors
  Unsatisfactory (<50%): Unable to program/simulate

Criteria: Results
  Exceeds Expectations (>=90%): Able to achieve all the desired results with alternate ways
  Meets Expectations (70%-89%): Able to achieve all the desired results
  Developing (50%-69%): Able to achieve most of the desired results with errors
  Unsatisfactory (<50%): Unable to achieve the desired results

Criteria: Laboratory Manual
  Exceeds Expectations (>=90%): Laboratory manual has no grammatical and/or spelling errors. All sections of the report are very well written and technically accurate.
  Meets Expectations (70%-89%): Laboratory manual has very few grammatical/spelling errors. All sections of the report are technically accurate. Few sections of the report contain technical errors.
  Developing (50%-69%): Laboratory manual has multiple grammatical/spelling errors.
  Unsatisfactory (<50%): Laboratory manual has several grammatical/spelling errors and sentence construction is poor.


SSUET/QR/118
[Form-IIb]
Sir Syed University of Engineering & Technology, Karachi
Computer Engineering Department
Rubric-Laboratory Manual
Course Name (Course Code), __________________________Semester, Batch _______
Name of Student: ___________________________________Roll No. __________________
Lab Description & Score

Lab | Software Handling | Programming/Simulations | Results | Lab Report | Score
1  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
2  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
3  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
4  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
5  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
6  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
7  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
8  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
9  | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
10 | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
11 | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
12 | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
13 | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
14 | ( )/0.2 | ( )/0.5 | ( )/0.2 | ( )/0.1 | ( )/1.0
TOTAL SCORE
Overall Score: ___________ out of 5   ((Obtained Score / Total Score) x 5)
Examined by: _____________________________ (Name and Signature of concerned lab instructor)

Annexure C
SSUET/QR/118
(Form IIIb)
Sir Syed University of Engineering & Technology, Karachi
Computer Engineering Department
Rubric for Lab Exam
Course Name (Course Code), _______________________________ Semester, Batch _______
Name of Student: ________________________ Roll No. __________________

Criteria | Exceeds Expectations (>=90%) | Meets Expectations (70%-89%) | Developing (50%-69%) | Unsatisfactory (<50%) | Score Obtained
Performance | Able to present full knowledge of both problem and solution. | Able to present adequate knowledge of both problem and solution. | Able to present sufficient knowledge of both problem and solution. | No or very little knowledge of both problem and solution. |
Viva | Able to answer the questions easily and correctly across the project. | Able to answer the questions related to the project. | Able to answer the questions but with mistakes. | Unable to answer the questions. |
Total Score | | | | |

Final Lab Assessment

Criteria | Score Obtained
Laboratory Manual |
Subject Project (If any) |
Lab Exam |
Total (20) |

Examined by: _______________________________


(Name and Signature of concerned lab instructor)


LAB#01
MATLAB Commands & Functions
OBJECTIVE

The purpose of this lab is to implement the basics of MATLAB. The main goals are to:

1. Get familiar with the GUI of the software.
2. Implement different commands and statements.
3. Use the help command to explore a function.
4. Program in MATLAB.
5. Create and execute m-files.
6. Explore toolboxes.

MATLAB
MATLAB (Matrix Laboratory) is an interactive software system for numerical computations and graphics.
A numerical analyst called Cleve Moler wrote the first version of MATLAB in the 1970s. It has since
evolved into a successful commercial software package. As the name suggests, MATLAB is especially
designed for matrix computations: solving systems of linear equations, computing eigenvalues and
eigenvectors, factoring matrices, and so forth. In addition, it has a variety of graphical capabilities, and
can be extended through programs written in its own programming language. Many such programs come
with the system; a number of these extend MATLAB's capabilities to nonlinear problems, such as the
solution of initial value problems for ordinary differential equations.

Characteristics of MATLAB:

1. Slow (compared with FORTRAN or C) i.e. not pre-compiled. Avoid for loops; instead use vector
form.
2. Automatic memory management, i.e., you don't have to declare arrays in advance.
3. Shorter program development time than traditional programming languages such as FORTRAN
and C.
4. Can be converted into C code via MATLAB compiler for better efficiency.
5. Many application-specific toolboxes available.

Main toolboxes which are going to be used are: communication toolbox, signal processing toolbox and
other supplement tool boxes.


Simple commands and statements:

- Arithmetic operations and variables.
- Matrices and vectors.
- Matrix operations and point-wise operations.
- Element extraction from a matrix.
- Basic functions and special matrices.
- help, who, whos and clear commands.
- Creating m-files and basic programs.

Variables in MATLAB:

The type of a variable in MATLAB is determined when it is created. You don't have to declare a variable before
assigning it a value. There are two types of variable.

i) Scalar Variables
Those variables that have one (1) row and one (1) column.

ii) Vector Variables
A vector is a matrix with either one (1) row or one (1) column, i.e. (1xn) or (nx1).

Try the following codes:

Open a new m-file, name it prog1, then execute the following commands:

%Always use comments
a = 5;                     % numeric (scalar) variable
b = [1 2 3]                % a row vector, which can also be written as b = [1,2,3]
c = [4; 5; 6]              % a column vector, which can also be written as
                           % c = [4 5 6]' where ' indicates the transpose of a matrix
d = [2 4 5; 3 3 3; 1 2 7]  % 3-by-3 matrix
f = []                     % an empty matrix
g = ones(3,4)              % 3-by-4 matrix of all ones
h = zeros(6)               % 6-by-6 matrix of all zeros
size(g)                    % size of the matrix g (rows and columns)
size(g,1)                  % number of rows in g
size(g,2)                  % number of columns in g
length(b)                  % number of elements in b
length(c)                  % number of elements in c
length(g)                  % largest dimension of g, i.e. the number of elements in a single row here

Random Number Generators:

There are 3 types of random number generator (RNG):

1) True Random Number Generator (TRNG)

E.g. flipping a coin (flipping a coin 100 times), a lottery, thermal noise in chips/semiconductors,
mouse movements and keystroke timings.

2) Pseudo Random Number Generator (PRNG)

Pseudo-random numbers are computed, i.e. they are deterministic, and are often produced by the following recurrence:

S0 = seed
S(i+1) = F(Si)

These cannot be used for a key because they are deterministic; they are used e.g. in software testing.

3) Cryptographically Secure PRNG (CPRNG)

CPRNGs are PRNGs with an additional property: the numbers are unpredictable.

% randint and randsrc belong to the Communications Toolbox; randint has been removed
% from current MATLAB releases, where randi(upper,m,n) is the base MATLAB replacement.
k = randint(3,4)           % 3-by-4 matrix of randomly generated 0s and 1s
l = randint(4,4,[3,5])     % 4-by-4 matrix of random integers from 3 to 5
m = randsrc(4,4,[3:5])     % same as l
n = randsrc(4,4,[3,5])     % 4-by-4 matrix of random integers drawn from 3 and 5 only
o = rand(2,2)              % 2-by-2 matrix of uniformly distributed random numbers between 0 and 1
randperm(5)                % random permutation of the integers 1 to 5
p = magic(5)               % 5-by-5 magic matrix; see the details of this matrix in the
                           % detailed help. Note that a magic matrix can only be square.
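The PRNG point above (the whole sequence is a deterministic function of the seed, S0 = seed, S(i+1) = F(Si)), as an added Python example that is not part of the manual's MATLAB listing: one observed output of a linear congruential generator reproduces every later output, whereas key material is drawn from the OS CSPRNG. The LCG constants are constructed for illustration.

```python
import secrets

MOD = 2**31 - 1
A, C = 1103515245, 12345   # constructed LCG constants, chosen only for illustration


def lcg_stream(seed, n):
    """Return n outputs of the recurrence S(i+1) = (A*S(i) + C) mod MOD from S0 = seed."""
    s = seed % MOD
    out = []
    for _ in range(n):
        s = (A * s + C) % MOD
        out.append(s)
    return out


def predict_rest(observed_state, n):
    """One observed output is the generator's entire state: it yields the next n outputs."""
    return lcg_stream(observed_state, n)


def lcg_is_predictable(seed, n=5):
    """True when the n outputs after the first one are reproduced exactly from that one."""
    stream = lcg_stream(seed, n + 1)
    return predict_rest(stream[0], n) == stream[1:]


def fresh_key_bits(nbits):
    """Key material from the OS CSPRNG (secrets); there is no seed to learn."""
    return secrets.randbits(nbits)


if __name__ == "__main__":
    print("LCG reproducible from one state:", lcg_is_predictable(42))
    print("10-bit key from CSPRNG:", format(fresh_key_bits(10), "010b"))
```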


%Operations on matrices
q = 2*g                    % scalar multiplication
r = b + c'                 % addition (both operands are 1-by-3)
s = g*m                    % matrix multiplication (3-by-4 times 4-by-4)
t = b' .* c                % element-wise multiplication
u = o .^ 4                 % each element of o raised to the power 4
det(m)                     % determinant of m
v = eye(4)                 % 4-by-4 identity matrix

%Element extraction
m(2,2)                     % element at the intersection of the 2nd row and 2nd column of m
m(1:3,2)                   % elements in rows 1 to 3 of the 2nd column; with the range operator :
                           % you can extract any element or elements by their intersections
m(:,3)                     % the whole 3rd column
m(1,:)                     % the whole 1st row
m(:,:)                     % the whole matrix m
m(:)                       % m rearranged into a single column vector
w = [b' c d]               % concatenate matrices into one, provided the result has an acceptable shape
z = [4:0.1:5]              % row vector from 4 to 5 in increments of 0.1
diag(l)                    % diagonal elements of the square matrix l

%Basic functions
sum(d)
mean(d)
max(d)
min(d)
sin(d)
cos(d)
exp(d)
log(d)
%for more built-in functions, see the help on the list of functions

whos                       % detailed information about the variables
clear d m                  % clears the variables d and m (note the space: clear dm would look for a variable named dm)
whos                       % confirm that m and d are cleared
clear all                  % clears all currently assigned variables

%Basic plotting
t = [0:0.001:10];
y = sqrt(100 - t.^2);
plot(t,y)                  % plot y vs t
hold on                    % hold the previous plot
plot(t,-y,'r')             % 'r' means red
hold on
plot(-t,-y,'g')
hold on
plot(-t,y,'k')

Some basic programming. Open a new m-file, name it prog2, then execute the following commands:

function res = prog2( v )      % function definition. This function can be called from any place
                               % after passing it the argument v, where v is a row vector (in this example)
    for b = 1:size(v,2)        % for loop over the elements of v
        ind(b) = v(b) * randint(1);   % multiply each element by a random bit (0 or 1)
    end                        % terminate the loop with end
    if (ind - v == 0)          % if-else condition: true only when every random bit was 1
        display('all ones sequence')       % display a text or value
    else
        display('not all ones sequence')   % message matches the condition tested above
    end                        % terminate the if-else or if condition
    res = ind;                 % return the masked vector so the declared output is assigned

%Explore different plotting commands and other useful commands from the help menu.

Lab Tasks:
1. Using a programming approach, create the following matrix:

9 9 9 9 9 9 9 9 9
9 0 0 0 0 0 0 0 9
9 0 0 0 0 0 0 0 9
9 0 0 0 0 0 0 0 9
9 0 0 0 0 0 0 0 9
9 0 0 0 0 0 0 0 9
9 0 0 0 0 0 0 0 9
9 0 0 0 0 0 0 0 9
9 9 9 9 9 9 9 9 9

2. A system is performing an encryption operation on text data using the figure shown below. The
letters are mapped into bits in the following manner: each letter is converted into its corresponding
sequence number in the English alphabet and then that number is converted into its binary
representation. The length of the key used is the same as the length of a single letter in bits. Display
the encrypted message in text form. Assume your roll number as the key of your choice.
The text to encrypt is your complete name, e.g. Rabia. Hint: discard the spaces between the names and
the capitalization of letters.


LAB#02
Classical Encryption Techniques (Monoalphabetic Ciphers)
OBJECTIVE

The purpose of this lab is to implement the following algorithms in MATLAB:

1. Monoalphabetic cipher
   - Additive Cipher
   - Multiplicative Cipher
   - Affine Cipher
2. Monoalphabetic Substitution cipher

THEORY

Basic Vocabulary of General Encryption Algorithms:


Plaintext: This is what you want to encrypt

Ciphertext: The encrypted output

Enciphering or encryption: The process by which plaintext is converted into ciphertext

Encryption algorithm: The sequence of data processing steps that go into transforming plaintext into
ciphertext. Various parameters used by an encryption algorithm are derived from a secret key.

Secret key: A secret key is used to set some or all of the various parameters used by the encryption
algorithm. The important thing to note is that the same secret key is used for encryption and decryption in
classical cryptography. It is for this reason that classical cryptography is also referred to as symmetric key
cryptography.

Deciphering or decryption: Recovering plaintext from ciphertext

Decryption algorithm: The sequence of data processing steps that go into transforming ciphertext back
into plaintext. Various parameters used by a decryption algorithm are derived from the same secret key
that was used in the encryption algorithm. In classical cryptography for commercial and other civilian
applications, the decryption algorithm is made public.


Block cipher: A block cipher processes a block of input data at a time and produces a ciphertext block of
the same size.

Stream cipher: A stream cipher encrypts data on the fly, usually one byte at a time.

1. CAESAR CIPHER / ADDITIVE CIPHER / SHIFT CIPHER

- The Caesar cipher is a substitution technique.
- It is the earliest known example of a substitution cipher. Each character of a message is replaced
by the character k positions down the alphabet, where k is the index of the key letter in the English
alphabet minus one. For instance, if the plaintext is "are you ready" and the key is "d", then the
ciphertext becomes "duhbrxuhdgb". This is done according to the following formula:

C = E(k, P) = (P + k) mod 26

Hence in this case k = 3, and P represents the integer representation of the letters minus one, so P has the
values [0 17 4 24 14 20 17 4 0 3 24]. C then contains the numbers corresponding to the ciphertext.

In these formulas, k is the secret key. The symbols E and D represent encryption and
decryption, where decryption is given as:

P = D(k, C) = (C - k) mod 26

Matlab Code:

- Store the letters in a vector. Their locations in the vector represent their values.
- Use the find() command to find the plaintext letters in the letters vector.
- Use the mod() command for the modular arithmetic.

2. MULTIPLICATIVE CIPHER

- In the multiplicative cipher, we multiply each plaintext letter by our secret key:

C = E(k, P) = (P x k) mod 26

- For decryption in the multiplicative cipher we use the following formula, where k^-1 is the
multiplicative inverse of k modulo 26 (it exists only when k and 26 share no common factor):

P = D(k, C) = (C x k^-1) mod 26

3. AFFINE CIPHER

- The Affine cipher is the combination of the multiplicative and additive ciphers.
- In the Affine cipher we use a pair of keys K = (k1, k2).
- In the Affine cipher the encryption is done by the following formula:

C = (P*k1 + k2) mod 26

- In the Affine cipher the decryption is done by the following formula, where k1^-1 is the inverse of k1 modulo 26:

P = ((C - k2)*k1^-1) mod 26
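The three ciphers above as one family, as an added Python example (the lab expects MATLAB; this is not the manual's code): the affine cipher with the page's formulas, where k1 = 1 gives the additive cipher and k2 = 0 the multiplicative one, plus the check that k1 has an inverse modulo 26 before anything is encrypted. Sample texts other than the page's "are you ready" are constructed.

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
M = len(ALPHABET)   # modulus 26


def mod_inverse(k, m=M):
    """Multiplicative inverse of k modulo m, or None when gcd(k, m) != 1."""
    if gcd(k, m) != 1:
        return None
    return pow(k, -1, m)


def valid_multiplicative_keys():
    """Keys k for which k^-1 mod 26 exists: the 12 values coprime to 26."""
    return [k for k in range(1, M) if gcd(k, M) == 1]


def _letters(text):
    """Integer representation of the letters (a=0 ... z=25); spaces and case are discarded."""
    return [ALPHABET.index(ch) for ch in text.lower() if ch in ALPHABET]


def affine_encrypt(plaintext, k1, k2):
    """C = (P*k1 + k2) mod 26 for every letter."""
    if mod_inverse(k1) is None:
        raise ValueError(f"k1={k1} has no inverse mod {M}; the ciphertext could not be decrypted")
    return "".join(ALPHABET[(p * k1 + k2) % M] for p in _letters(plaintext))


def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) * k1^-1) mod 26 for every letter."""
    inv = mod_inverse(k1)
    if inv is None:
        raise ValueError(f"k1={k1} has no inverse mod {M}")
    return "".join(ALPHABET[((c - k2) * inv) % M] for c in _letters(ciphertext))


# The additive (Caesar) cipher is the affine cipher with k1 = 1 ...
def additive_encrypt(plaintext, k):
    return affine_encrypt(plaintext, 1, k)


def additive_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, 1, k)


# ... and the multiplicative cipher is the affine cipher with k2 = 0.
def multiplicative_encrypt(plaintext, k):
    return affine_encrypt(plaintext, k, 0)


def multiplicative_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, k, 0)


if __name__ == "__main__":
    print(additive_encrypt("are you ready", 3))            # the page's example: duhbrxuhdgb
    print(affine_decrypt(affine_encrypt("affine cipher", 5, 8), 5, 8))
    print(valid_multiplicative_keys())
```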

4. MONOALPHABETIC CIPHER

- In a monoalphabetic cipher, rather than substituting all letters with a single key, multiple keys are used
instead. The key space becomes 26!.
- Rather than just shifting the alphabet, one can shuffle (jumble) the letters arbitrarily.
- Each plaintext letter maps to a different random ciphertext letter.
- Another attack is possible using language characteristics.
- Letters are not equally commonly used in English: E is by far the most common letter, followed by
T, R, N, I, O, A, S. Other letters like Z, J, K, Q, X are fairly rare.
- Tables of single, double and triple letter frequencies exist for various languages, and with them
monoalphabetic ciphers can be compromised.

For Example:

Matlab Code:

- The same code as for the Caesar cipher is used here.
- The only difference is that the key size is increased. Hence a mapping should be introduced first
in a 2 by 26 matrix.
- A linear search is done on the plaintext to find the corresponding key with which encryption has to
take place.
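The 2-by-26 mapping and the frequency weakness described above, as an added Python example (not the manual's MATLAB code): a shuffled-alphabet key encrypts and decrypts by lookup, and a single-letter count over the ciphertext shows that the plaintext's frequency profile survives the substitution, which is why the most common ciphertext letter is a good guess for E. The key seed and sample sentence are constructed.

```python
import random
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# constructed sample text for the frequency demonstration
SAMPLE = "security is a process not a product and every process needs repeated review"


def make_key(seed):
    """A random permutation of the alphabet: one of the 26! possible substitution keys."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)


def substitution_encrypt(text, key):
    """Look each plaintext letter up in the alphabet row and output the key row's letter."""
    table = dict(zip(ALPHABET, key))
    return "".join(table[ch] for ch in text.lower() if ch in ALPHABET)


def substitution_decrypt(ciphertext, key):
    """Reverse lookup: key row back to the alphabet row."""
    table = dict(zip(key, ALPHABET))
    return "".join(table[ch] for ch in ciphertext)


def frequency_profile(text):
    """(letter, count) pairs, most frequent first."""
    counts = Counter(ch for ch in text.lower() if ch in ALPHABET)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def most_common_letter(text):
    return frequency_profile(text)[0][0]


def count_histogram(text):
    """Sorted list of letter counts; a monoalphabetic substitution leaves it unchanged."""
    return sorted(n for _, n in frequency_profile(text))


def e_guess_is_correct(ciphertext, key):
    """Frequency-analysis step: map the most common ciphertext letter to 'e' and
    report whether that single guess recovers the key entry for 'e'."""
    return most_common_letter(ciphertext) == key[ALPHABET.index("e")]


if __name__ == "__main__":
    key = make_key(1)
    ct = substitution_encrypt(SAMPLE, key)
    print(ct)
    print(frequency_profile(ct)[:5], "guess for e correct:", e_guess_is_correct(ct, key))
```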

Lab Tasks:
1. Implement the Caesar cipher, both encryption and decryption, for the plaintext "ilikecomputersecurity",
taking the key equal to your roll number.

2. Implement the multiplicative cipher, both encryption and decryption, for the plaintext
"thismessageiseasytoencrpyt", taking any key from the user.

3. Implement the Affine cipher, both encryption and decryption, for the plaintext "itshardtofindkey",
taking any pair of keys.

4. Encrypt and decrypt the text using the monoalphabetic substitution cipher. The key arrangement
should be different for each student. The plaintext is the same as in task 1.


LAB#03
Classical Encryption Techniques II (Polyalphabetic and Transposition Ciphers)
OBJECTIVE

The purpose of this lab is to implement the following algorithms in MATLAB:

1. Polyalphabetic Cipher
2. Transposition Cipher

THEORY

1. POLYALPHABETIC CIPHER

- Polyalphabetic ciphers are based on substitution or transposition mechanisms.
- They improve security by using multiple cipher alphabets.
- A polyalphabetic cipher is a combination of separate monoalphabetic ciphers.
- They make cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution.
- A key (sometimes called a keyword) selects which alphabet is used for each letter of the
message. The length of the key is sometimes called the period of the encryption.
- Each alphabet is used in turn, repeating from the start after the end of the key is reached.
- The simplest polyalphabetic substitution cipher is called "Vigenère".
- It is effectively multiple Caesar ciphers.
- The key is multiple letters long, K = k1 k2 ... kd.
- The ith key letter specifies the ith alphabet to use; each alphabet is used in turn.
- Repeat from the start after d letters of the message.
- Decryption simply works in reverse.

Vigenère Cipher

- Write the plaintext out.
- Write the keyword repeated above it.
- Use each key letter as a Caesar cipher key.
- Encrypt the corresponding plaintext letter.


For Encryption
Ci = (Pi + ki) mod 26
For Decryption
Pi = (Ci - ki) mod 26

- Use the same letter look-up concept as in the Caesar or monoalphabetic cipher, using the find()
command.
Hill Cipher

In classical cryptography, the Hill cipher is a polygraphic substitution cipher based on linear algebra.
Each letter is represented by a number modulo 26. Often the simple scheme A = 0, B = 1, ..., Z = 25 is
used, but this is not an essential feature of the cipher. To encrypt a message, each block of n letters
(considered as an n-component vector) is multiplied by an invertible n × n matrix, against modulus 26. To
decrypt the message, each block is multiplied by the inverse of the matrix used for encryption.
The matrix used for encryption is the cipher key, and it should be chosen randomly from the set of
invertible n × n matrices (modulo 26). The cipher can, of course, be adapted to an alphabet with any
number of letters; all arithmetic just needs to be done modulo the number of letters instead of modulo 26.
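The Hill cipher on 2-letter blocks as an added Python example (not the manual's MATLAB code): each block is a column vector multiplied by the key matrix modulo 26, and decryption uses the matrix inverse modulo 26, which exists only when the determinant is coprime to 26. The key [5 6; 2 3] is the one the manual's task names; the plaintexts and the 'x' padding for odd-length input are constructed.

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
M = 26


def matrix_inverse_mod(k):
    """Inverse of a 2x2 integer matrix modulo 26, or None when det(k) is not invertible mod 26."""
    (a, b), (c, d) = k
    det = (a * d - b * c) % M
    if gcd(det, M) != 1:
        return None
    inv_det = pow(det, -1, M)
    return [[(d * inv_det) % M, (-b * inv_det) % M],
            [(-c * inv_det) % M, (a * inv_det) % M]]


def _apply(k, text):
    """Multiply every 2-letter block (as a column vector) by k modulo 26."""
    nums = [ALPHABET.index(ch) for ch in text.lower() if ch in ALPHABET]
    if len(nums) % 2:
        nums.append(ALPHABET.index("x"))   # constructed padding rule for odd-length input
    out = []
    for i in range(0, len(nums), 2):
        p0, p1 = nums[i], nums[i + 1]
        out.append(ALPHABET[(k[0][0] * p0 + k[0][1] * p1) % M])
        out.append(ALPHABET[(k[1][0] * p0 + k[1][1] * p1) % M])
    return "".join(out)


def hill_encrypt(plaintext, k):
    """C = K * P mod 26; refuses keys that could not be undone."""
    if matrix_inverse_mod(k) is None:
        raise ValueError("key matrix is not invertible mod 26")
    return _apply(k, plaintext)


def hill_decrypt(ciphertext, k):
    """P = K^-1 * C mod 26."""
    return _apply(matrix_inverse_mod(k), ciphertext)


if __name__ == "__main__":
    KEY = [[5, 6], [2, 3]]        # det = 3, gcd(3, 26) = 1, so the key is usable
    print(matrix_inverse_mod(KEY))
    ct = hill_encrypt("help", KEY)
    print(ct, hill_decrypt(ct, KEY))
```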


2. TRANSPOSITION CIPHER

- Also referred to as classical transposition or permutation ciphers.
- These hide the message by rearranging the letter order without altering the actual letters used.
- The scheme writes the message in a rectangle, row by row, and reads the message off column by
column, but permutes the order of the columns.
- The order of the columns then becomes the key to the algorithm.
- The transposition cipher can be made significantly more secure by performing more than one
stage of transposition.

Example 1 (Method 1 – Rail Fence):

- Write the message with letters on alternate rows of depth 'n'.
- Read off the cipher row by row.
- E.g. (rail fence cipher with depth 2)

Plaintext: "meet me after the toga party"

Arrange:

Ciphertext: "mematrhtgpryetefeteoaat"

Example 2 (Method 2 – Keyed Transposition):

- A more complex transposition is achieved by writing the letters of the message out in rows over a
specified number of columns.
- Then reorder the columns according to some key before reading off the rows.
- The number of columns and the rearrangement become the key.

Matlab Code:

- A simple tool for this technique is the transpose operator.
- You can use the reshape() command according to the depth parameter.
- For decryption, use the inverse of the key to rearrange the ciphertext back to plaintext.
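Both transposition methods above as an added Python example (not the manual's MATLAB code): a rail fence of any depth n written as a zigzag and read row by row, and a keyed columnar transposition whose decryption applies the inverse of the column permutation, as the last bullet suggests. The rail-fence check uses the page's own example; the column key [3,1,4,2], the 'x' padding of short rows and the other texts are constructed.

```python
def _rail_pattern(length, depth):
    """Row index of each position when the text is written as a zigzag of the given depth."""
    if depth < 2:
        return [0] * length
    cycle = 2 * (depth - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(text, depth):
    """Write on 'depth' rails, then read the rails off one after another."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    rows = _rail_pattern(len(letters), depth)
    return "".join(ch for r in range(depth) for ch, row in zip(letters, rows) if row == r)


def rail_fence_decrypt(cipher, depth):
    """Rebuild the zigzag: ciphertext position k holds the k-th cell in (row, index) order."""
    rows = _rail_pattern(len(cipher), depth)
    order = sorted(range(len(cipher)), key=lambda i: (rows[i], i))
    plain = [""] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return "".join(plain)


def columnar_encrypt(text, key):
    """Write row by row over len(key) columns and read the columns out in key order.
    key[c] is the 1-based rank at which column c is read (e.g. [3,1,4,2])."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    ncols = len(key)
    while len(letters) % ncols:
        letters.append("x")           # constructed padding so every row is full
    cols = [letters[c::ncols] for c in range(ncols)]
    return "".join("".join(cols[key.index(rank)]) for rank in range(1, ncols + 1))


def columnar_decrypt(cipher, key):
    """Inverse permutation: put each ciphertext slice back into the column it was read from."""
    ncols = len(key)
    nrows = len(cipher) // ncols
    cols = [None] * ncols
    for rank in range(1, ncols + 1):
        cols[key.index(rank)] = cipher[(rank - 1) * nrows: rank * nrows]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols))


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party", 2))   # mematrhtgpryetefeteoaat
    ct = columnar_encrypt("attack at dawn", [3, 1, 4, 2])
    print(ct, columnar_decrypt(ct, [3, 1, 4, 2]))
```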


Lab Tasks:
1. Implement the polyalphabetic cipher, both encryption and decryption, for the plaintext
"ilikecomputersecurity" with the key "sight".

2. Encrypt and decrypt the plaintext "over the crimson sky" using Rail Fence with depth 5.

3. Encrypt and decrypt the plaintext "let us fly over the blue crimson sky" using Keyed
Transposition with the following key combination: 2 5 4 3 1 6.

4. Encrypt your name using the Hill cipher with key [5 6 ; 2 3].


LAB#04
Modern Encryption Techniques
Simplified DES (S-DES)
OBJECTIVE

The purpose of this lab is to implement S-DES encryption and decryption in MATLAB.

THEORY

- Encryption: It takes an 8-bit block of plaintext and a 10-bit key as input and produces an 8-bit
block of ciphertext as output.
- Decryption: It takes an 8-bit block of ciphertext and the same 10-bit key used to produce that
ciphertext as input and produces the original 8-bit block of plaintext.
- The algorithm involves 5 functions:
1. An initial permutation (IP).
2. A complex function, fK, that involves both permutation and substitution operations and depends
on the sub-key input. In the first fK block, sub-key K1 is used.
3. A simple permutation function that switches the two halves of the data (SW).
4. The function fK again, with sub-key K2 being used in this case.
5. A permutation function that is the inverse of the initial one (IP^-1), as shown below:

Ciphertext = (IP^-1 ∘ fK2 ∘ SW ∘ fK1 ∘ IP)(plaintext)
or
Ciphertext = IP^-1(fK2(SW(fK1(IP(plaintext)))))

where
K1 = P8(LeftShift-1(P10(key)))
K2 = P8(LeftShift-2(LeftShift-1(P10(key))))
and decryption applies the same steps with the sub-keys in reverse order:
Plaintext = IP^-1(fK1(SW(fK2(IP(ciphertext)))))
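The composition above carried out in full, as an added Python example (the lab expects MATLAB, and this is not the manual's code): the standard S-DES permutation tables and S-boxes are hard-coded, bit strings are written most-significant bit first, and the sub-keys are derived exactly as K1 = P8(LS-1(P10(key))) and K2 = P8(LS-2(LS-1(P10(key)))). The key and plaintext values in the usage lines are constructed and were checked by hand.

```python
# Standard S-DES tables (1-based bit positions, as in the lab's figures)
P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]
P8 = [6, 3, 7, 4, 8, 5, 10, 9]
IP = [2, 6, 3, 1, 4, 8, 5, 7]
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]
EP = [4, 1, 2, 3, 2, 3, 4, 1]
P4 = [2, 4, 3, 1]
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]


def permute(bits, table):
    """Select bits by the 1-based positions listed in the table."""
    return "".join(bits[i - 1] for i in table)


def left_shift(bits, n):
    """Circular left shift by n, applied to each 5-bit half separately."""
    l, r = bits[:5], bits[5:]
    return l[n:] + l[:n] + r[n:] + r[:n]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def key_schedule(key10):
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key))))."""
    t = left_shift(permute(key10, P10), 1)
    k1 = permute(t, P8)
    k2 = permute(left_shift(t, 2), P8)
    return k1, k2


def sbox(bits4, box):
    """Row from the outer two bits, column from the inner two bits; returns a 2-bit string."""
    row = int(bits4[0] + bits4[3], 2)
    col = int(bits4[1] + bits4[2], 2)
    return format(box[row][col], "02b")


def fk(bits8, subkey):
    """(L, R) -> (L xor F(R, K), R) with F(R, K) = P4(S0 | S1 applied to EP(R) xor K)."""
    l, r = bits8[:4], bits8[4:]
    t = xor(permute(r, EP), subkey)
    f = permute(sbox(t[:4], S0) + sbox(t[4:], S1), P4)
    return xor(l, f) + r


def switch(bits8):
    """SW: swap the two 4-bit halves."""
    return bits8[4:] + bits8[:4]


def sdes_encrypt(plain8, key10):
    """IP^-1(fK2(SW(fK1(IP(plaintext)))))"""
    k1, k2 = key_schedule(key10)
    return permute(fk(switch(fk(permute(plain8, IP), k1)), k2), IP_INV)


def sdes_decrypt(cipher8, key10):
    """IP^-1(fK1(SW(fK2(IP(ciphertext))))): same structure, sub-keys reversed."""
    k1, k2 = key_schedule(key10)
    return permute(fk(switch(fk(permute(cipher8, IP), k2)), k1), IP_INV)


if __name__ == "__main__":
    key, pt = "1010000010", "10010111"          # constructed values, worked by hand
    print("K1, K2:", key_schedule(key))          # ('10100100', '01000011')
    ct = sdes_encrypt(pt, key)
    print("ciphertext:", ct, "decrypts to:", sdes_decrypt(ct, key))
```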


 Refer to the detailed figure for encryption and decryption from the lecture notes.
 The reference figures are shown below for encryption and key generation:

Matlab Code:

 The constants being used are hard coded first in MATLAB.


- Create three functions: main, key generator and the fk function. The key and fk functions are
called from the main body.
- Define the constants within the main body and pass them to the appropriate functions.
- The format for a basic function is as follows:

function [parm1,parm2,...] = Function_name(passing_parm1, passing_parm2,...)

- where parm1, parm2, ... are the returned values stored in these variables. The file name and the
name of the function should be the same.

Lab Tasks:
1. Write the program for the main code for encryption through which the key and fk functions are
called. Perform the initial permutation, switching and inverse permutation here. Display the final
ciphertext along with key and plaintext.

2. Write the program for sub-key generation.

3. Write the program for the fk function.

4. Write the program for the main code for decryption through which the key and fk functions are
called. Perform the initial permutation, switching and inverse permutation here. Display the final
plaintext along with key and plaintext.


LAB#05
Modern Encryption Techniques
Data Encryption Standard (DES)
OBJECTIVE

The purpose of this lab is to implement DES encryption and decryption in MATLAB.

THEORY

- Encryption: It takes a 64-bit block of plaintext and a 58-bit key as input and produces a 64-bit block
of ciphertext as output.
- Decryption: It takes a 64-bit block of ciphertext and the same 58-bit key used to produce that
ciphertext as input and produces the original 64-bit block of plaintext.

 Refer to the detailed figure for encryption and decryption from the lecture notes.
 The reference figures are shown below for encryption and key generation:


Lab Tasks:
1. Write the program for sub-key generation for the 16 rounds of DES.

2. Write the program for the fk function.

3. Write the program for the main code for encryption through which the key and fk functions are
called. Perform the initial permutation, switching and inverse permutation here. Display the final
ciphertext along with key and plaintext.

4. Write the program for the main code for decryption through which the key and fk functions are
called. Perform the initial permutation, switching and inverse permutation here. Display the final
plaintext along with key and plaintext.


LAB#06
Simplified Advance Encryption Standard (S-AES)

OBJECTIVE

The purpose of this lab is to implement the S-AES algorithm in MATLAB. The main objectives are to
implement the following:

 Perform S-AES key generation
 Perform multiplication in GF(2^4) arithmetic for the mix column step
 Perform the encryption rounds of S-AES

THEORY

 Encryption: It takes a 16-bit block of plaintext and produces a 16-bit ciphertext. The key size is 16
bits (in 8-bit words) for both encryption and decryption. It uses one pre-round transformation and two
rounds. In S-AES there are three round keys, K0, K1 and K2. The structure of the rounds along
with the general encryption flow is shown below:

Algorithm’s Specifications:

 The plaintext is 16 bits, represented by a data block of 2 columns of nibbles, which is called the state
 The data are arranged column-wise, not row-wise.
 It has 3 rounds for the key size of 16 bits
 Each regular round has the following steps:

◦ Nibble substitution using the SubNibble table
◦ Shift rows (permute nibbles between columns)
◦ Mix columns (substitution using matrix multiplication of the columns)
◦ Add round key (XOR the output of mix columns with the sub key for that round)

 Round 0 has only one step (i.e. Add round key), which XORs the state (i.e. the PT) with the original
key
 The final round has all steps except mix column

Key Generation:

 The key expansion routine creates three 16-bit round keys from one 16-bit cipher key. The first
round key is used for the pre-round transformation (AddRoundKey); the remaining round keys are
used for the last transformation at the end of round 1 and round 2.

 Six words are made from the original key. The process is as follows:

AES ROUND:

The figure shows that each transformation takes a state and creates another state to be used for the next
transformation.

Figure 1: S-AES Encryption & Decryption Process

1. Nibble substitution
S-Box nibble substitution is used on the encryption side and inverse S-Box nibble substitution on the
decryption side. To substitute a nibble, the left 2 bits define the row and the right 2 bits define the
column of the substitution table. In the process, each nibble is transformed independently.

Figure 2: S-AES Nibble Substitution

S-BOX & Inverse S-Box Nibble substitution

2. Shift Rows
A circular shift of the nibbles in each row:

a. Row 0 is unchanged
b. Row 1 is shifted 1 nibble to the left

Figure 3: S-AES Shift Row

Decryption inverts this using shifts to the right

3. Mix Column
The MixColumns transformation operates at the column level; it transforms each column of the state into
a new column. The transformation is actually the matrix multiplication of a state column by a constant
square matrix. The nibbles in the state column and the constants are interpreted as 4-bit words (or
polynomials) with coefficients in GF(2). Multiplication of nibbles is done in GF(2^4) with modulus (10011),
i.e. x^4 + x + 1.

Figure 4: S-AES Mix Column

4. Add Round Key

It is a simple XOR operation between the round key and the state value.

Figure 5: S-AES Add round key
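As an added, runnable reference for the S-AES steps described above (example code written for this page, not the manual's MATLAB), the following Python implements key expansion, nibble substitution, shift rows, GF(2^4) mix columns and both encryption and decryption. It assumes the Stallings S-AES S-box and the round constants 0x80 and 0x30, which the figures reference but the text does not list; the Stallings sample key 0xA73B and plaintext 0x6F6B are used as inputs.

```python
# Assumed constants: the Stallings S-AES S-box (row = left 2 bits, column = right 2 bits)
# and the two key-expansion round constants. Nothing here is the manual's own code.
SBOX = [0x9, 0x4, 0xA, 0xB, 0xD, 0x1, 0x8, 0x5,
        0x6, 0x2, 0x0, 0x3, 0xC, 0xE, 0xF, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
RCON = (0x80, 0x30)


def gf_mul(a, b):
    """Multiply two nibbles in GF(2^4) modulo x^4 + x + 1 (binary 10011)."""
    product = 0
    for _ in range(4):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x10:            # degree-4 term appeared: reduce by the modulus
            a ^= 0x13
        b >>= 1
    return product & 0xF


def to_state(word):
    """16-bit value -> [s00, s10, s01, s11]; nibbles fill the state column-wise."""
    return [(word >> 12) & 0xF, (word >> 8) & 0xF, (word >> 4) & 0xF, word & 0xF]


def from_state(s):
    return (s[0] << 12) | (s[1] << 8) | (s[2] << 4) | s[3]


def sub_nibbles(s, box):
    return [box[n] for n in s]


def shift_rows(s):
    """Row 0 unchanged; row 1 (s10, s11) rotated by one nibble, which is self-inverse."""
    return [s[0], s[3], s[2], s[1]]


def mix_columns(s, m=(1, 4, 4, 1)):
    """Multiply each column [s0c, s1c] by the constant matrix [[m0, m1], [m2, m3]]."""
    return [gf_mul(m[0], s[0]) ^ gf_mul(m[1], s[1]), gf_mul(m[2], s[0]) ^ gf_mul(m[3], s[1]),
            gf_mul(m[0], s[2]) ^ gf_mul(m[1], s[3]), gf_mul(m[2], s[2]) ^ gf_mul(m[3], s[3])]


def add_round_key(s, key):
    return [a ^ b for a, b in zip(s, to_state(key))]


def expand_key(key):
    """Derive round keys K0, K1, K2 (six 8-bit words w0..w5) from the 16-bit cipher key."""
    w = [(key >> 8) & 0xFF, key & 0xFF]
    for rcon in RCON:
        t = w[-1]
        rot = ((t & 0xF) << 4) | (t >> 4)                # RotNib: swap the two nibbles
        sub = (SBOX[rot >> 4] << 4) | SBOX[rot & 0xF]     # SubNib on both nibbles
        w.append(w[-2] ^ rcon ^ sub)                      # w2 = w0 ^ RCON1 ^ g(w1), likewise w4
        w.append(w[-2] ^ w[-1])                           # w3 = w2 ^ w1, likewise w5
    return [(w[i] << 8) | w[i + 1] for i in (0, 2, 4)]


def encrypt(plaintext, key):
    k0, k1, k2 = expand_key(key)
    s = add_round_key(to_state(plaintext), k0)                            # round 0 (pre-round)
    s = add_round_key(mix_columns(shift_rows(sub_nibbles(s, SBOX))), k1)  # round 1
    s = add_round_key(shift_rows(sub_nibbles(s, SBOX)), k2)               # final round: no MixColumns
    return from_state(s)


def decrypt(ciphertext, key):
    k0, k1, k2 = expand_key(key)
    s = add_round_key(to_state(ciphertext), k2)
    s = add_round_key(sub_nibbles(shift_rows(s), INV_SBOX), k1)
    s = mix_columns(s, (9, 2, 2, 9))                                      # inverse MixColumns matrix
    s = add_round_key(sub_nibbles(shift_rows(s), INV_SBOX), k0)
    return from_state(s)


if __name__ == "__main__":
    print([hex(k) for k in expand_key(0xA73B)])
    print(hex(encrypt(0x6F6B, 0xA73B)))
```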

Lab Tasks:
19. Write the program for the main code for encryption. Also write the code for the transform
function.

20. Write the program for generating sub keys for each round.

LAB#07
OPEN ENDED LAB

TITLE:

1. Objective
Design and implement a cipher for secure communication that combines at least two substitution and
transposition ciphers over two rounds (use an algorithm of your choice) in a Feistel structure.
Note that the encrypted text must be convertible back into the plaintext.

2. Hardware/Software required

3. Diagram

4. Methodology

5. Observation

6. Result and Discussion

7. Conclusion

LAB#08
Public Key Cryptography – RSA Algorithm

OBJECTIVE

The purpose of this lab is to implement RSA Algorithm and use it for encryption and to perform digital
signature in MATLAB.

THEORY

 Traditional private/secret/single-key cryptography uses one key which is shared by both sender
and receiver. If this key is disclosed then communications are compromised. As a result, another
approach uses two keys, a public and a private key, and is called asymmetric since the parties use
different keys and the keys are not equal. If one key is used to encrypt, the same key cannot be used
to decrypt.

 The public key cryptosystems can be classified into 3 categories:

 Encryption/decryption (provide secrecy)
 Digital signatures (provide authentication)
 Key exchange (of session keys)
 Some algorithms are suitable for all uses, others are specific to one

RSA:

 Developed by Rivest, Shamir & Adleman of MIT in 1977
 Best known & widely used public-key scheme
 Based on exponentiation in a finite (Galois) field over integers modulo a prime
 Uses large integers (e.g. 1024 bits)
 Security due to cost of factoring large numbers

Procedure:

 Each user generates a public/private key pair by:

 Selecting two large primes at random, p and q
 Computing their system modulus n = p.q and ø(n) = (p-1)(q-1)
 Selecting at random the encryption key e where 1 < e < ø(n), gcd(e, ø(n)) = 1
 Solving the following equation to find the decryption key d such that
e.d = 1 mod ø(n) and 0 ≤ d ≤ n and gcd(e, ø(n)) = 1

 d is nothing but the multiplicative inverse of e and vice versa in mod ø(n)
 Publish their public encryption key: KU = {e, n}
 Keep secret the private decryption key: KR = {d, n}
 To encrypt a message M the sender obtains the public key of the recipient KU = {e, n}
 Computes: C = M^e mod n, where 0 ≤ M < n
 To decrypt the ciphertext C the owner uses their private key KR = {d, n}
 Computes: M = C^d mod n
 Note that the message M must be smaller than the modulus n

Matlab code:

 The only primary operation here is the modulo operation. Use the mod command for evaluating the
modulo of two numbers.
 To obtain the prime numbers up to n, use the command primes(n).
 To find a primitive root of a number, use an if statement and the mod function.
 Use the gcd(a,b) command to verify whether e and d are relatively prime to ø(n)
 To find the multiplicative inverse of a number, use a series of if statements and the mod function.

Lab Tasks:
Perform the following tasks

1. Implement the block shown below such that the RSA algorithm is used. Use the following parameters to
create the whole scenario.
User A: generates two prime numbers q = 3 and p = 5 and e = 7. The message M to be sent by this
user to user B is M = [0 1 1 0].

User B: generates two prime numbers q = 7 and p = 3 and e = 11.

2. Using an appropriate method, find 20^80 mod 95 in MATLAB.
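Added example (Python rather than the manual's MATLAB, and not the manual's own code) that runs tasks 1 and 2 in code: key generation with the extended Euclidean algorithm for d, encryption of M = [0 1 1 0] under user B's public key, a textbook signature under user A's private key, and square-and-multiply for 20^80 mod 95. The function names and the `lab_scenario` flow (A encrypts for B and signs; B decrypts and verifies) are my assumptions about the missing block diagram.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e, phi):
    """d with e*d = 1 mod phi(n); the step the manual solves with if/mod in MATLAB."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) must be coprime")
    return x % phi


def mod_pow(base, exp, mod):
    """Square-and-multiply: the 'appropriate method' for 20^80 mod 95 in task 2."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def generate_keys(p, q, e):
    """Returns (KU, KR) = ({e, n}, {d, n}) for the primes p, q and the chosen e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (mod_inverse(e, phi), n)


def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:                      # the message must be smaller than the modulus
        raise ValueError("message out of range")
    return mod_pow(m, e, n)


def decrypt(c, private_key):
    d, n = private_key
    return mod_pow(c, d, n)


def sign(m, private_key):
    """Textbook signature: apply the private exponent to the message (or its hash)."""
    return decrypt(m, private_key)


def verify(m, signature, public_key):
    """The signature checks out if the public exponent recovers m."""
    return encrypt(signature, public_key) == m


def bits_to_int(bits):
    return int("".join(str(b) for b in bits), 2)


def lab_scenario():
    """Task 1 (assumed flow): A encrypts M for B and signs it; B decrypts and verifies."""
    ku_a, kr_a = generate_keys(p=5, q=3, e=7)       # user A: n = 15, phi = 8, d = 7
    ku_b, kr_b = generate_keys(p=3, q=7, e=11)      # user B: n = 21, phi = 12, d = 11
    m = bits_to_int([0, 1, 1, 0])                    # M = 6 < both moduli
    c = encrypt(m, ku_b)                             # only B's private key undoes this
    s = sign(m, kr_a)                                # only A's private key produces this
    return c, decrypt(c, kr_b), s, verify(m, s, ku_a)


if __name__ == "__main__":
    print(lab_scenario())
    print(mod_pow(20, 80, 95))
```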

LAB#09
SHA-512 ALGORITHM

OBJECTIVE

The purpose of this lab is to implement the SHA-512 algorithm in MATLAB. The main objectives are to
implement the following:

 Perform SHA-512 key generation (the round words Wt)
 Perform the rounds of SHA-512

THEORY

Algorithm:

SHA-512 processing consists of the following steps:

• Step 1: Append padding bits, consisting of a single 1-bit followed by the necessary number of 0-
bits, so that the length is congruent to 896 modulo 1024
• Step 2: Append the length as a (big-endian) unsigned 128-bit integer
• Step 3: Initialize the hash buffer to a set of 64-bit integer constants
• Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the
algorithm. Each round takes as input the 512-bit buffer value Hi and updates the contents of that
buffer.
• Step 5: Output the final state value as the resulting hash

Round Function:

Each 64-bit word is shuffled along one place, and in some cases manipulated using a series of simple
logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche &
completeness properties of the hash function. The elements are:

Ch(e,f,g) = (e AND f) XOR (NOT e AND g)

Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)

∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)

∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)

+ = addition modulo 2^64

Kt = a 64-bit additive constant

Wt = a 64-bit word derived from the current 1024-bit input block.

Six of the eight words of the output of the round function involve simple permutation (b, c, d, f, g, h) by
means of rotation. This is indicated by shading in Figure 11.10. Only two of the output words (a, e) are
generated by substitution. Word e is a function of input variables d, e, f, g, h, as well as the round word
Wt and the constant Kt. Word a is a function of all of the input variables, as well as the round word Wt
and the constant Kt.

Key Generation:

The Wt are derived from the 1024-bit message block. The first 16 values of Wt are taken directly from the
16 words of the current block. The remaining values are defined as a function of the earlier values using
rotates, shifts and XORs as shown. The function elements are:

∂0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)

∂1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6)

Thus, in the first 16 steps of processing, the value of Wt is equal to the corresponding word in the
message block. For the remaining 64 steps, the value of Wt is formed by adding (modulo 2^64) four of
the preceding values of Wt, with two of those values first passed through the shift and rotate functions
∂0 and ∂1 above. This introduces a great deal of redundancy and interdependence into the message
blocks that are compressed, which complicates the task of finding a different message block that maps
to the same compression function output.
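Added example (Python, not the manual's MATLAB) of the round function and the Wt schedule described above, assembled into a complete SHA-512 and cross-checked against the standard library. Kt and the initial hash buffer are derived the way the standard defines them (first 64 bits of the fractional parts of the cube roots and square roots of the first 80 and first 8 primes), so no constant tables need to be typed in; the function names are my own.

```python
import hashlib
import struct
from math import isqrt

MASK = (1 << 64) - 1


def first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


def icbrt(n):
    """Floor of the cube root of a positive big integer (Newton step, then exact fix-up)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x: break
        x = y
    while x * x * x > n: x -= 1
    while (x + 1) ** 3 <= n: x += 1
    return x


PRIMES = first_primes(80)
# Step 3 constants: fractional bits of sqrt(p); Kt: fractional bits of cbrt(p).
IV = [isqrt(p << 128) & MASK for p in PRIMES[:8]]
K = [icbrt(p << 192) & MASK for p in PRIMES]


def rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK
def ch(e, f, g): return (e & f) ^ (~e & g & MASK)
def maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)
def big_sigma0(a): return rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
def big_sigma1(e): return rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
def small_sigma0(x): return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7)     # the manual's d0
def small_sigma1(x): return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6)   # the manual's d1


def message_schedule(block):
    """The 80 round words Wt: 16 straight from the block, 64 derived from earlier words."""
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        w.append((small_sigma1(w[t - 2]) + w[t - 7] + small_sigma0(w[t - 15]) + w[t - 16]) & MASK)
    return w


def compress(h, block):
    """80 applications of the round function to one 1024-bit block, then feed-forward."""
    w = message_schedule(block)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        t1 = (hh + big_sigma1(e) + ch(e, f, g) + K[t] + w[t]) & MASK
        t2 = (big_sigma0(a) + maj(a, b, c)) & MASK
        # b, c, d, f, g, h are plain rotations of the inputs; only a and e are substituted
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]


def pad(message):
    """Steps 1-2: a 1-bit, zeros up to 896 mod 1024 bits, then the 128-bit big-endian length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + bit_length.to_bytes(16, "big")


def sha512(message):
    h = list(IV)
    data = pad(message)
    for offset in range(0, len(data), 128):
        h = compress(h, data[offset:offset + 128])
    return b"".join(x.to_bytes(8, "big") for x in h)


def matches_stdlib(message):
    """True when this implementation agrees with hashlib for the given message."""
    return sha512(message) == hashlib.sha512(message).digest()


if __name__ == "__main__":
    print(sha512(b"abc").hex(), matches_stdlib(b"abc"))
```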

Lab Tasks:
21. Write the program for the round function of SHA-512.

22. Write the program for generating sub keys for each round.

LAB#10
Digital Signature Algorithm (DSA)

OBJECTIVE

The purpose of this lab is to implement the DSS (DSA) algorithm in MATLAB for providing a digital
signature to a message.

THEORY

A digital signature:

 Must depend on the message signed
 Must use information unique to the sender to prevent both forgery and denial
 Must be relatively easy to produce
 Must be relatively easy to recognize & verify
 Must be computationally infeasible to forge
 It must be practical to retain a copy of the digital signature in storage
 Two approaches are used, RSA and DSS.

DSS Approach:

 The US Govt approved this signature scheme, which was designed by NIST & NSA in the early 90's and
published as FIPS-186 in 199. It was further revised in 1993, 1996 & then 2000
 Uses the SHA hash algorithm
 DSS is the standard, DSA is the algorithm

DSA Algorithm:

 It is a digital signature scheme only and cannot be used for other purposes like the RSA approach
 Creates a 320-bit signature with 512-1024 bit security (i.e. value of L)
 Smaller and faster than RSA
 Security depends on the difficulty of computing discrete logarithms
 Variant of ElGamal & Schnorr schemes
 Have shared global public key values (p, q, g):

 Choose a large prime p with 2^(L-1) < p < 2^L where L = 512 to 1024 bits and is a multiple of
64
 Choose q with 2^159 < q < 2^160 such that q is a 160-bit prime divisor of (p-1)
 Choose g = h^((p-1)/q) mod p where 1 < h < p-1 and h^((p-1)/q) mod p > 1

 Users choose a private key & compute the public key: choose random x < q (private key)
 Compute y = g^x mod p (public key)

Signing:

 To sign a message M the sender:

 Generates a random signature key k, k < q
 The key must be random, must be destroyed after use, and must never be reused

 Then computes the signature pair:

 r = (g^k mod p) mod q
 s = [k^-1 (H(M) + xr)] mod q

 Sends signature (r, s) with message M

Verifying:

 w = s^-1 mod q
 u1 = [H(M) w] mod q
 u2 = (r w) mod q
 v = [(g^u1 y^u2) mod p] mod q
 If v = r then the signature is verified

MATLAB Code:

 The first step is simply to select the parameters satisfying the above-mentioned rules.
 The rest of the operations, in both signing and verifying, are modulo operations.

Lab Tasks:

Perform the following tasks

 Perform the DSS (DSA) by assuming the hash function and performing the necessary modifications in
the global parameters. Choose all the parameters yourself.
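Added example (Python, not the manual's MATLAB): DSA signing and verification following the formulas above, on toy global parameters p = 23, q = 11, h = 2 that satisfy the stated rules (q divides p - 1, g > 1), with SHA-1 reduced mod q as the assumed hash. The toy sizes, the hash choice and the function names are my assumptions; real deployments use the parameter sizes given in the theory.

```python
import hashlib
import secrets

# Assumed toy global parameters, chosen so every intermediate value can be traced by hand.
P, Q = 23, 11                          # q = 11 is a prime divisor of p - 1 = 22
H = 2
G = pow(H, (P - 1) // Q, P)            # g = h^((p-1)/q) mod p = 4, and 4 > 1 as required


def hash_mod_q(message):
    """The assumed hash H(M): SHA-1 of the message as an integer, reduced mod q."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q


def keygen(x=None):
    """Private key x with 0 < x < q (random unless supplied); public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign_digest(hm, x, k):
    """Signature pair (r, s) for digest hm using the per-message secret k."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hm + x * r)) % Q
    return r, s


def sign(message, x):
    """A fresh random k for every signature; it is never stored, logged or reused."""
    hm = hash_mod_q(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r, s = sign_digest(hm, x, k)
        if r != 0 and s != 0:          # the standard requires both components to be non-zero
            return r, s


def verify_digest(hm, signature, y):
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):  # reject out-of-range values before any arithmetic
        return False
    w = pow(s, -1, Q)
    u1 = (hm * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def verify(message, signature, y):
    return verify_digest(hash_mod_q(message), signature, y)


if __name__ == "__main__":
    x, y = keygen()
    sig = sign(b"constructed message", x)
    print(sig, verify(b"constructed message", sig, y))
```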

LAB#11
Configure Routers for Syslog, NTP, and SSH Operations

OBJECTIVE

The purpose of this lab is to:

 Configure routers as NTP clients.
 Configure routers to update the hardware clock using NTP.
 Configure routers to log messages to the syslog server.
 Configure routers to timestamp log messages.
 Configure local users.
 Configure VTY lines to accept SSH connections only.
 Configure RSA key pair on SSH server.
 Verify SSH connectivity from PC client and router client.

THEORY

The network topology shows three routers. You will configure NTP and Syslog on all routers. You will
configure SSH on R3.
Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an
NTP server. A group of NTP clients that obtain time and date information from a single source have more
consistent time settings and Syslog messages generated can be analyzed more easily. This can help when
troubleshooting issues with network problems and attacks. When NTP is implemented in the network, it
can be set up to synchronize to a private master clock, or to a publicly available NTP server on the
Internet.
The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software
clock to be synchronized by NTP to the time server. Also, you will configure the routers to periodically
update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to
gradually lose or gain time (drift) and the software clock and hardware clock may become out of
synchronization with each other.
The Syslog Server will provide message logging in this lab. You will configure the routers to identify
the remote host (Syslog server) that will receive logging messages.
You will need to configure timestamp service for logging on the routers. Displaying the correct time and
date in Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a
message is not known, it can be difficult to determine what network event caused the message.
R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform
most router configurations and troubleshooting; however, since R3 is a managed router, the ISP needs
access to R3 for occasional troubleshooting or updates. To provide this access in a secure manner, the
administrators have agreed to use Secure Shell (SSH).

You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a
network protocol that establishes a secure terminal emulation connection to a router or other networking
device. SSH encrypts all information that passes over the network link and provides authentication of the
remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network
professionals.
The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require
authentication. The routers have been pre-configured with the following:
 Enable password: ciscoenpa55
 Password for vty lines: ciscovtypa55
 Static routing

Packet tracer commands

Addressing Table

Device   Interface       IP Address     Subnet Mask        Default Gateway   Switch Port
R1       FA0/1           192.168.1.1    255.255.255.0      N/A               S1 FA0/5
         S0/0/0 (DCE)    10.1.1.1       255.255.255.252    N/A               N/A
R2       S0/0/0          10.1.1.2       255.255.255.252    N/A               N/A
         S0/0/1 (DCE)    10.2.2.2       255.255.255.252    N/A               N/A
R3       FA0/1           192.168.3.1    255.255.255.0      N/A               S3 FA0/5
         S0/0/1          10.2.2.1       255.255.255.252    N/A               N/A
PC-A     NIC             192.168.1.5    255.255.255.0      192.168.1.1       S1 FA0/6
PC-B     NIC             192.168.1.6    255.255.255.0      192.168.1.1       S2 FA0/18
PC-C     NIC             192.168.3.5    255.255.255.0      192.168.3.1       S3 FA0/6

This lab is divided into three parts

Part 1: Configure routers as NTP Clients.
Part 2: Configure routers to log messages to the Syslog Server.
Part 3: Configure R3 to support SSH connections.

Part 1: Configure routers as NTP Clients.

Step 1. Test Connectivity

 Ping from PC-C to R3.
 Ping from R2 to R3.
 Telnet from PC-C to R3.
 Telnet from R2 to R3.

Step 2. Configure R1, R2 and R3 as NTP clients.

Verify client configuration using the command show ntp status.

Step 3. Configure routers to update hardware clock.

Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP.

Verify that the hardware clock was updated using the command show clock.

Step 4. Configure routers to timestamp log messages.

Step 5. Configure timestamp service for logging on the routers.

Part 2: Configure routers to log messages to the Syslog Server.


Step 1. Configure the routers to identify the remote host (Syslog Server) that will receive logging
messages.

The router console will display a message that logging has started.

Step 2. Verify logging configuration using the command show logging.

Step 3. Examine logs of the Syslog server.

From the Config tab of the Syslog server’s dialogue box, select the Syslog services button. Observe the
logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example,
entering and exiting global configuration mode will generate an informational configuration message.

Part 3: Configure R3 to support SSH connections.


Step 1. Configure a domain name.

Configure a domain name of ccnasecurity.com on R3.

Step 2. Configure users for login from the SSH client on R3.

Create a user ID of SSHadmin with the highest possible privilege level and a secret password
of ciscosshpa55.

Step 3. Configure the incoming VTY lines on R3.

Use the local user accounts for mandatory login and validation. Accept only SSH connections.

Step 4. Erase existing key pairs on R3.

Any existing RSA key pairs should be erased on the router.

Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in
configuration.

Step 5. Generate the RSA encryption key pair for R3.

The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure
the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.
R3(config)# crypto key generate rsa [Enter]
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:1024


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those
used in the lab.

Step 6. Verify the SSH configuration.

Use the show ip ssh command to see the current settings. Verify that the authentication timeout and
retries are at their default values of 120 and 3.

Step 7. Configure SSH timeouts and authentication parameters.

The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the
timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
Issue the show ip ssh command again to confirm that the values have been changed.

Step 8. Attempt to connect to R3 via Telnet from PC-C.

Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect
to R3 via Telnet.
PC> telnet 192.168.3.1
This connection should fail, since R3 has been configured to accept only SSH connections on the virtual
terminal lines.

Step 9. Connect to R3 using SSH on PC-C.

Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect
to R3 via SSH. When prompted for the password, enter the password configured for the
administrator ciscosshpa55.

PC> ssh -l SSHadmin 192.168.3.1

Step 10. Connect to R3 using SSH on R2.

In order to troubleshoot and maintain the R3 router, the administrator at the ISP must use SSH to access
the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the
SSHadmin user account. When prompted for the password, enter the password configured for the
administrator: ciscosshpa55.

R2# ssh -v 2 -l SSHadmin 10.2.2.1

Lab Task:

Perform the following tasks

 Configure a topology of four routers for Syslog and NTP. Also provide authentication using the SSH
protocol.

LAB#12
Authentication, Authorization &
Accounting (AAA) Server
OBJECTIVE
The purpose of this lab is to configure AAA (RADIUS) for authenticating hosts on a Cisco router in Packet
Tracer.

THEORY

RADIUS stands for Remote Authentication Dial-In User Service; it runs as a server or a proxy. It is a
distributed client/server system that secures networks against unauthorized access. In the Cisco
implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS
server that contains all user authentication and network service access information. RADIUS is a fully open
protocol, distributed in source code format, that can be modified to work with any security system
currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA
security protocols, such as TACACS+, Kerberos, and local username lookup. RADIUS is supported on
all Cisco platforms, but some RADIUS-supported features run only on specified platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security
while maintaining network access for remote users. It can control access for all sorts of networks:
wireless, VPN, dial-up, and direct device-to-device links such as router-to-router connections; basically
wherever it is placed, it can enforce access control. There is also a RADIUS proxy configuration, where
the proxy only receives and accepts the connection requests but, for the decision making, is connected to
another server that performs the RADIUS role.
RADIUS is not suitable in the following network security situations:
RADIUS is not suitable in the following network security situations:

• Multiprotocol access environments. RADIUS does not support the following protocols:

– AppleTalk Remote Access (ARA)
– NetBIOS Frame Control Protocol (NBFCP)
– NetWare Asynchronous Services Interface (NASI)
– X.25 PAD connections

• Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used
to authenticate from one router to a non-Cisco router if the non-Cisco router requires RADIUS
authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.

There are two major ways to deploy a RADIUS server:

 Deployment of the FreeRADIUS server on UNIX servers. Many network engineers consider this the
best daemon implementing the RADIUS protocol; it makes a UNIX server a RADIUS-enabled server.

 Deployment of the IAS role (Internet Authentication Service) on a Windows Server machine, which
allows the Windows Server machine to respond to RADIUS requests and act as a real RADIUS server.
It includes Active Directory integration, so it can authenticate users from an Active Directory domain.
This is its biggest advantage over the UNIX deployment, provided of course that there is an AD deployed
in the organization, which there usually is.

The RADIUS server connects to a user account database, which is Active Directory on Windows Server or
some ordinary user database on UNIX. This can be a plain SQL table of users against which access
credentials are checked. If the user is authorized to access a network that is secured with RADIUS, the
server authorizes the access for that user and writes a log entry of the user's entrance to the network.

Components of a RADIUS infrastructure

These are the components of a RADIUS infrastructure:

 RADIUS server
 RADIUS clients (also called access servers)
 Access clients
 RADIUS proxies
 User account databases

Access clients
An access client is a computer, phone, tablet or some other IP-enabled network device that wants to
connect to the network.

RADIUS servers
A RADIUS server processes connection requests or accounting messages from RADIUS clients and grants
or denies the connection of the devices to the network.

RADIUS clients or access servers
An access server is the device through which the access client enters the network. The access client
connects to this access server and uses it as the next hop to reach network resources. This can be any
sort of wireless access point, a network access server that supports VPN remote access services, or the
old but still usable dial-in method. The access server can also be any switch or router that supports a
physical, normally Ethernet, connection to your network.

RADIUS proxy
A RADIUS proxy is a mediator between RADIUS clients and servers. It receives connection requests
and accounting messages from the access server and forwards those messages to the RADIUS server.

User account database
This is a list of users with attributes by which RADIUS can decide who can get into the network
and who cannot. The decision can be based on user group membership, password configuration or some
other attribute defined for the users. The user database can be a simple SQL database.

RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps
occur:

1. The user is prompted for and enters a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of the following responses from the RADIUS server:

a. ACCEPT: The user is authenticated.
b. REJECT: The user is not authenticated and is prompted to re-enter the
username and password, or access is denied.
c. CHALLENGE: A challenge is issued by the RADIUS server. The challenge collects
additional data from the user.
d. CHANGE PASSWORD: A request is issued by the RADIUS server, asking the user to select
a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network
authorization. You must first complete RADIUS authentication before using RADIUS authorization.
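Added example (Python, not part of the manual) showing what step 2 above actually puts on the wire: an Access-Request built per RFC 2865 with the User-Password attribute hidden using MD5 over the shared secret and the request authenticator, the server-side check that yields ACCEPT or REJECT, and the Response Authenticator the client recomputes to validate the reply. The shared secret 123 is the key used in the Packet Tracer commands below; the NAS address 192.168.0.1, the user database and the credentials are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """One attribute: Type, Length (includes these two bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each chunk with MD5(secret + previous chunk).
    The shared secret is the only key material here, so a 3-character secret like 123
    offers little protection to the password on the wire."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk                      # chaining uses the hidden (ciphertext) chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream and strip the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Code 1 packet: header, 16-byte random Request Authenticator, then the attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    authenticator, attrs, pos = data[4:20], {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def server_decide(request, secret, user_db):
    """Minimal server: reveal the password and compare it with the user database."""
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        return ACCESS_REJECT
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    return ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT


def build_response(code, request, secret, attrs=b""):
    """Reply with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_is_authentic(response, request, secret):
    """Client side: a reply whose authenticator does not verify is dropped, not trusted."""
    _, _, request_auth, _ = parse_packet(request)
    header, attrs = response[:4], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"123"
    req = build_access_request(7, b"demo", b"demo-pass", secret, "192.168.0.1")
    verdict = server_decide(req, secret, {b"demo": b"demo-pass"})
    resp = build_response(verdict, req, secret)
    print(verdict, response_is_authentic(resp, req, secret))
```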

Packet tracer commands

 Configure an IP Address on Router interface FastEthernet0/0

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.0.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

 Change hostname of Router to R0

Router(config)#hostname R0
R0(config)#

 To configure RADIUS, click on the server icon, then on the Services tab

Enable the service. Enter your client name and its IP address, select Radius, and click on the Add button.
Define a username and password, then click on the Add button.

 Enter aaa new-model command

R0(config)#aaa new-model

 To configure the RADIUS server, type the following

Host IP = RADIUS Server IP
Key = 123

R0(config)#radius-server host 192.168.0.2 key 123

 Assign Authentication Model name = default

R0(config)#aaa authentication login default group radius

 And now assign aaa model to console interface

R0(config)#line console 0
R0(config-line)#login authentication default
R0(config-line)#end
R0#
%SYS-5-CONFIG_I: Configured from console by console

 You can write configuration with write memory command

R0#wri mem
Building configuration...
[OK]

 End the session with logout command

R0#logout

 Reconnect by entering username & password

R0 con0 is now available


Press RETURN to get started.

User Access Verification


Username: demo
Password:

R0>

Lab Tasks:

Perform the following tasks

 Add two more hosts to the topology and authenticate them from the RADIUS server.
 What is AAA?
 What is a Network Access Server?

LAB#13
IPsec Site-to-Site Virtual Private Network (VPN)

OBJECTIVE

The purpose of this lab is to configure IPsec site-to-site Virtual Private Network (VPN) on Cisco routers
in Packet tracer.

THEORY

Virtual Private Networks (VPNs) can provide a secure method of transmitting data over a public network,
such as the Internet. VPN connections can help reduce the costs associated with leased lines. Site-to-Site
VPNs typically provide a secure (IPsec or other) tunnel between a branch office and a central office.
Another common implementation that uses VPN technology is remote access to a corporate office from a
telecommuter location such as a small office or home office.
Packet tracer commands

 Scenario

In this lab, you build a multi-router network and configure the routers and hosts. You use Cisco IOS and
SDM to configure a site-to-site IPsec VPN and test it. The IPsec VPN tunnel is from router R1 to router
R3 via R2. R2 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure
transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the
network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such
as Cisco routers.

 Configure an IP Address on Routers, Switches and PCs according to the following table

 ISAKMP Phase 1 Policy Parameters

 IPsec Phase II Policy Parameters

This lab is divided into four parts

Part 1: Enable Security Features
Part 2: Configure IPsec Parameters on R1
Part 3: Configure IPsec Parameters on R3
Part 4: Verify the IPsec VPN

Part 1: Enable Security Features

Step 1: Activate securityk9 module

The Security Technology Package license must be enabled to complete this activity.

a. Issue the show version command in the user EXEC or privileged EXEC mode to verify that the
Security Technology Package license is activated.

R1# show version

b. If not, activate the securityk9 module for the next boot of the router, accept the license, save the
configuration, and reboot.

R1(config)# license boot module c2900 technology-package securityk9
R1(config)# end
R1# copy running-config startup-config
R1# reload

c. After the reload is complete, issue the show version command again to verify that the Security
Technology Package license is activated.


R1# show version

d. Repeat Steps 1a to 1c with R3.

Part 2: Configure IPsec Parameters on R1

Step 1: Test connectivity

Ping from PC-A to PC-C.

Step 2: Identify interesting traffic on R1

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This
interesting traffic triggers the IPsec VPN whenever there is traffic between the R1 and R3 LANs. All
other traffic sourced from the LANs is not encrypted. Because every ACL ends with an implicit deny any,
there is no need to add a deny statement to the list.

R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Step 3: Configure the ISAKMP Phase 1 properties on R1

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key cisco. Default
values do not have to be configured; therefore only the encryption, the key exchange (authentication)
method, and the DH group must be configured.


R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco address 10.2.2.2

Step 4: Configure the ISAKMP Phase 2 properties on R1

Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-
MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an
ipsec-isakmp map.

R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Step 5: Configure the crypto map on the outgoing interface

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

R1(config)# interface S0/0/0
R1(config-if)# crypto map VPN-MAP

Part 3: Configure IPsec Parameters on R3

Step 1: Configure router R3 to support a site-to-site VPN with R1

Now configure the reciprocal parameters on R3. Configure ACL 110 to identify the traffic from the LAN
on R3 to the LAN on R1 as interesting.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255


Step 2: Configure the ISAKMP Phase 1 properties on R3

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key cisco.

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 10.1.1.2

Step 3: Configure the ISAKMP Phase 2 properties on R3

Like on R1, create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto
map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it
as an ipsec-isakmp map.

R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

Step 4: Configure the crypto map on the outgoing interface

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.

R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP

Part 4: Verify the IPsec VPN

Step 1: Verify the tunnel prior to interesting traffic

Issue the show crypto ipsec sa command on R1. Notice that the counters for packets encapsulated,
encrypted, decapsulated and decrypted are all 0.

R1# show crypto ipsec sa


Step 2: Create interesting traffic

Ping PC-C from PC-A.

Step 3: Verify the tunnel after interesting traffic

On R1, re-issue the show crypto ipsec sa command. Now notice that the packet counters are greater than 0,
indicating that the IPsec VPN tunnel is working.

R1# show crypto ipsec sa


Step 4: Create uninteresting traffic

Ping PC-B from PC-A.

Step 5: Verify the tunnel

On R1, re-issue the show crypto ipsec sa command. Finally, notice that the packet counters have not
changed, verifying that uninteresting traffic is not encrypted.
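As an added illustration (not part of the lab manual), the Python script below models how crypto ACL 110 from Part 2 Step 2 decides which flows are interesting, including the implicit deny any that leaves PC-A to PC-B traffic in clear text, and checks that the R3 ACL mirrors the R1 ACL as Part 3 requires. The host addresses PC-A 192.168.1.3, PC-B 192.168.2.3 and PC-C 192.168.3.3 are assumptions, since the lab's address table is not reproduced here.

```python
import ipaddress

# ACL 110 on R1 and R3 as entered in the lab: (src, src wildcard, dst, dst wildcard)
R1_ACL_110 = [("192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")]
R3_ACL_110 = [("192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard (inverse mask) test: a 0 bit in the wildcard must match
    the pattern, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ p) & ~w & 0xFFFFFFFF) == 0


def is_interesting(acl, src: str, dst: str) -> bool:
    """True if a permit entry selects this flow for the crypto map. Every IOS
    ACL ends with an implicit 'deny any', so a flow that matches no entry is
    still routed, but in clear text."""
    for s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return True
    return False  # implicit deny any: not protected by the tunnel


def acls_mirror(local_acl, remote_acl) -> bool:
    """The peer's crypto ACL must be the exact mirror image of the local one;
    otherwise the proxy identities offered in Phase 2 do not match."""
    flipped = {(d, dw, s, sw) for s, sw, d, dw in remote_acl}
    return set(local_acl) == flipped


def classify_lab_flows() -> dict:
    """Assumed hosts: PC-A 192.168.1.3 behind R1, PC-B 192.168.2.3 behind R2,
    PC-C 192.168.3.3 behind R3 (the lab's address table is not on this page)."""
    return {
        "PC-A->PC-C": is_interesting(R1_ACL_110, "192.168.1.3", "192.168.3.3"),  # Part 4 Step 2
        "PC-A->PC-B": is_interesting(R1_ACL_110, "192.168.1.3", "192.168.2.3"),  # Part 4 Step 4
        "PC-C->PC-A": is_interesting(R3_ACL_110, "192.168.3.3", "192.168.1.3"),  # return traffic
        "acls_mirror": acls_mirror(R1_ACL_110, R3_ACL_110),
    }


if __name__ == "__main__":
    for flow, protected in classify_lab_flows().items():
        print(f"{flow}: {protected}")
```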

Lab Tasks:

Perform the following tasks

- Configure a VPN tunnel between R3 and R4 via R2 by adding R4 to the above topology.


LAB#14
OPEN ENDED LAB

TITLE:

1. Objective
Design a scenario for two company networks: you need to synchronize the time and the logging of
messages/activities, and also establish a secure connection between your company and the other network.
Also make sure that the admin user of each network is authorized to configure the router of its respective network.

2. Hardware/Software required

3. Diagram

4. Methodology

5. Observation

6. Result and Discussion

7. Conclusion
