CRYPTOGRAPHY AND NETWORK SECURITY

UNIT – 1 SECURITY CONCEPTS & CRYPTOGRAPHY CONCEPTS AND TECHNIQUES

PART – 1 SECURITY CONCEPTS
INTRODUCTION
What is Network Security?
Every company or organization that handles a large amount of data needs some degree of
protection against cyber threats. Network security is a broad, all-encompassing phrase that
covers software and hardware solutions, as well as the procedures, guidelines, and
configurations that govern network usage, accessibility, and general threat protection.
The most basic example of network security is password protection, where the user of the
network chooses the password. In recent times, network security has become a central topic
of cyber security, with many organizations inviting applications from people who have skills
in this area. Network security solutions protect the various points at which computer systems
are exposed, such as users, locations, data, devices, and applications.
What is Network Security?
Any action intended to safeguard the integrity and usefulness of your data and network is
known as network security. In other words, Network security is defined as the activity created
to protect the integrity of your network and data.
Network security is the practice of protecting a computer network from unauthorized access,
misuse, or attacks. It involves using tools, technologies, and policies to ensure that data
traveling over the network is safe and secure, keeping sensitive information away from
hackers and other threats.
How Does Network Security Work?
Network security uses several layers of protection, both at the edge of the network and within
it. Each layer has rules and controls that determine who can access network resources. People
who are allowed access can use the network safely, but those who try to harm it with attacks
or other threats are stopped from doing so.
The basic principle of network security is to protect large stores of data and the networks that
carry them in layers, each of which enforces rules and regulations that must be satisfied
before any activity on the data is performed. These levels are:
• Physical Network Security: This is the most basic level. It prevents unauthorized
personnel from gaining physical control over network equipment, and thereby over the
confidentiality of the network. It can be achieved with devices such as biometric
systems.
• Technical Network Security: It primarily focuses on protecting the data stored in the
network or data in transit through the network. This type serves two purposes:
protection from unauthorized users, and protection from malicious activities.
• Administrative Network Security: This level of network security governs user
behavior, such as how permissions are granted and how the authorization process
takes place. It also determines the level of sophistication the network needs to protect
it against attacks, and it identifies the necessary amendments that have to be made to
the infrastructure.
THE NEED FOR SECURITY
In the realm of cryptography and network security, the necessity for robust security
mechanisms stems from various critical needs that form the backbone of digital
communication and data protection. Here are the main points explained in detail:
1. Confidentiality: One of the fundamental needs for security is to ensure the
confidentiality of data. This means that sensitive information must be kept secret from
unauthorized individuals or entities. In a digital context, cryptography provides tools
to encrypt data, making it unreadable to anyone who does not have the correct
decryption key. Without these measures, personal data, corporate secrets, and
government information would be vulnerable to interception and misuse, leading to
breaches that could compromise privacy and competitive advantages.
2. Integrity: Data integrity ensures that information remains unaltered during
transmission or storage. This is crucial to prevent tampering by malicious actors who
may seek to modify data for personal gain or disruption. Cryptographic techniques
such as hashing are used to verify that data has not been altered, creating a sense of
trustworthiness in digital communications and transactions. Without such measures,
organizations could fall victim to fraud, misinformation, or data corruption,
undermining the reliability of the systems.
3. Authentication: Security in network communications also addresses the need for
verifying the identity of users or systems. Authentication ensures that data is being
accessed or sent by legitimate parties and not by impostors. This involves
cryptographic protocols such as digital certificates and signatures that confirm the
authenticity of communications. Without authentication, networks are exposed to
risks such as impersonation attacks, where malicious actors pretend to be someone
they are not, potentially gaining access to sensitive information.
4. Non-repudiation: This aspect of security ensures that a party involved in a
communication or transaction cannot deny its involvement later. Digital signatures
and public key infrastructure (PKI) are used to provide evidence of origin, delivery,
and integrity of data. Non-repudiation is vital for legal and financial transactions
where proof of the involved parties’ actions is necessary to prevent disputes. Without
these mechanisms, trust in electronic transactions would diminish, hindering e-
commerce and digital agreements.
5. Access Control: Effective security also requires ensuring that only authorized users
have access to certain information or resources. Access control mechanisms,
supported by cryptographic methods, help maintain this level of security by enforcing
user permissions and preventing unauthorized access. Without strict access control,
sensitive data can fall into the wrong hands, leading to significant breaches and loss of
proprietary information.
6. Protection against Cyber Attacks: Cryptography and network security address the
need to protect systems from various cyber threats, such as man-in-the-middle attacks,
phishing, and denial-of-service attacks. Encryption, secure communication protocols
(e.g., TLS/SSL), and network firewalls help prevent attackers from exploiting
vulnerabilities to gain unauthorized access or disrupt services. The absence of these
measures can lead to service outages, data loss, and severe financial and reputational
damage.
7. Compliance and Legal Obligations: With increasing regulatory demands (e.g.,
GDPR, HIPAA), organizations must ensure that they comply with laws designed to
protect user data. Network security and cryptographic practices provide the means to
meet these standards by safeguarding personal and sensitive data. Failure to adhere to
these regulations can result in heavy fines, legal repercussions, and loss of customer
trust.
PRINCIPLES OF SECURITY
Cryptography and network security are critical components of modern information systems,
ensuring the confidentiality, integrity, and availability of data. From encryption algorithms to
secure communication protocols, understanding these principles is crucial for any networking
professional.
The Principles of Security can be classified as follows:
1. Confidentiality:
The degree of confidentiality determines the secrecy of the information. The principle
specifies that only the sender and receiver will be able to access the information
shared between them. Confidentiality is compromised if an unauthorized person is able
to access a message.
2. Authentication:
Authentication is the mechanism to identify the user or system or the entity. It ensures
the identity of the person trying to access the information. The authentication is
mostly secured by using username and password. The authorized person whose
identity is preregistered can prove his/her identity and can access the sensitive
information.
3. Integrity:
Integrity gives the assurance that the information received is exact and accurate. If the
content of the message is changed after the sender sends it but before reaching the
intended receiver, then it is said that the integrity of the message is lost.
• System Integrity: System Integrity assures that a system performs its intended
function in an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
• Data Integrity: Data Integrity assures that information (both stored and in
transmitted packets) and programs are changed only in a specified and authorized
manner.
4. Non-Repudiation:
Non-repudiation is a mechanism that prevents the denial of message content sent
through a network. In some cases the sender sends a message and later denies it.
Non-repudiation does not allow the sender to deny to the receiver that the message was sent.
5. Access control:
The principle of access control is determined by role management and rule
management. Role management determines who should access the data while rule
management determines up to what extent one can access the data. The information
displayed is dependent on the person who is accessing it.
6. Availability:
The principle of availability states that resources will be available to authorized parties
at all times. Information is not useful if it is not available to be accessed. Systems
should have sufficient availability of information to satisfy user requests.
7. Issues of ethics and law
The following categories are used to classify ethical dilemmas in a security
system:
• Privacy: It is concerned with individuals’ right to access personal information.
• Property: It is concerned with the information’s owner.
• Accessibility: It is concerned with an organization’s right to collect information.
• Accuracy: It is concerned with the obligation of information authenticity, fidelity, and
accuracy.
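The access control principle above distinguishes role management (who may act) from rule management (to what extent). The following is an added example, not part of the original notes, that implements both checks in one default-deny decision function; the roles, clearance levels, users and documents are constructed for illustration.

```python
from dataclasses import dataclass

# Role management (who): constructed sample mapping of roles to permitted actions.
ROLE_ACTIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Rule management (to what extent): a user may only touch documents whose
# classification does not exceed the user's clearance, and nothing under
# legal hold may be deleted. Levels are constructed for the example.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    legal_hold: bool = False


def authorize(user: User, action: str, doc: Document) -> tuple:
    """Default deny: the role check and every rule must pass. Returns
    (allowed, reason) so that a denial can be logged together with its cause."""
    if user.role not in ROLE_ACTIONS:
        return False, f"unknown role '{user.role}'"
    if action not in ROLE_ACTIONS[user.role]:
        return False, f"role '{user.role}' may not '{action}'"
    if LEVEL[doc.classification] > LEVEL[user.clearance]:
        return False, f"clearance '{user.clearance}' is below '{doc.classification}'"
    if action == "delete" and doc.legal_hold:
        return False, f"'{doc.name}' is under legal hold"
    return True, "ok"


def visible_to(user: User, docs) -> list:
    """The information displayed depends on who is accessing it: list only
    the documents this user is allowed to read."""
    return [d.name for d in docs if authorize(user, "read", d)[0]]


# Constructed sample principals and documents (names chosen for the example).
JOHN = User("john", "analyst", "confidential")
SMITH = User("smith", "admin", "internal")
DOCS = [
    Document("file X", "confidential"),
    Document("policy", "public"),
    Document("audit log", "internal", legal_hold=True),
]

if __name__ == "__main__":
    for user in (JOHN, SMITH):
        print(user.name, "can see:", visible_to(user, DOCS))
        print(user.name, "delete file X:", authorize(user, "delete", DOCS[0]))
```

Note that an admin with a low clearance is still refused the confidential document: the role decides the action, the rule decides the extent.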
TYPES OF SECURITY ATTACKS
Active Attacks
Active attacks are unauthorized actions that alter the system or data. In an active attack, the
attacker directly interferes with the target to damage it or to gain unauthorized access to
computer systems and networks. This may include injecting hostile code into
communications, altering data, or masquerading as another user to obtain unauthorized
access.
Types of active attacks are as follows:
1. Masquerade Attack
2. Modification of Messages
3. Repudiation
4. Replay Attack
5. Denial of Service (DoS) Attack
1. Masquerade Attack
A masquerade attack is a type of cyber attack in which the attacker disguises himself as
some other person in order to access systems or data. The attacker may impersonate a
legitimate user or system and ask other users or systems to provide sensitive information
or to grant access to areas that are not normally accessible. This may even include
behaving like an actual user, or like a component of the system, with the intention of
manipulating people into giving out their private information or allowing the attacker into
secured locations.
There are several types of masquerading attacks, including:
• Username and Password Masquerade: In this masquerade attack, a person uses
stolen or forged credentials to authenticate as a valid user and gain access to the
system or application.
• IP address masquerade: This is an attack where the IP address of a malicious user is
spoofed or forged so that the source from which the system or application is
accessed appears to be trusted.
• Website masquerade: A hacker creates a fake website that resembles a legitimate
one in order to obtain user information or to deliver malware.
• Email masquerade: In this attack, an attacker sends an email that appears to come
from a trusted source so that the recipient mistakenly shares sensitive information or
downloads malware.

2. Modification of Messages
This is when someone changes parts of a message without permission, or mixes up the order
of messages, to cause trouble. Imagine someone secretly changing a letter you sent, making it
say something different. This kind of attack breaks the trust in the information being sent. For
example, a message meaning “Allow JOHN to read confidential file X” is modified as
“Allow Smith to read confidential file X”.
3. Repudiation
Repudiation attacks are a type of cyber attack in which a person does something damaging
online, such as making a financial transaction or sending a message, and then denies having
done it. Such attacks can seriously hinder the ability to trace the origin of an action or to
identify who is responsible for it, making it difficult to hold the right person
accountable.
There are several types of repudiation attacks, including:
• Message repudiation attacks: In this attack, a message has been sent by an attacker,
but the attacker later denies sending the message. This can be achieved through
spoofed or modified headers or by exploiting vulnerabilities in the messaging
system.
• Transaction repudiation attacks: In this type of attack, a transaction (for example, a
monetary transaction) is made, and when evidence of it is later requested, the attacker
denies ever performing that particular transaction. This can be done by taking
advantage of a vulnerability in the transaction processing system or by using stolen
or forged credentials.
• Data repudiation attacks: In a data repudiation attack, data is changed or deleted, and
the attacker later claims never to have done this. This can be done by exploiting
vulnerabilities in the data storage system or by using stolen or falsified
credentials.
4. Replay Attack
A replay attack is the passive capture of a message and its subsequent retransmission to
produce an authorized effect. In this type of attack, the attacker's main objective is to save
a copy of data that was originally transmitted on the network and later reuse it for the
attacker's own purposes. Once the data has been captured or leaked in this way, it becomes
an insecure and unsafe tool for its users.
5. Denial of Service (DoS) Attack
Denial of Service (DoS) is a form of cybersecurity attack that involves denying the intended
users of the system or network access by flooding traffic or requests. In this DoS attack, the
attacker floods a target system or network with traffic or requests in order to consume the
available resources such as bandwidth, CPU cycles, or memory and prevent legitimate users
from accessing them.
There are several types of DoS attacks, including:
• Flood attacks: Here, an attacker sends such a large number of packets or requests to a
system or network that it cannot handle them all, and the system crashes.
• Amplification attacks: In this category, the attacker increases the power of an attack
by using another system or network to generate more traffic, then directs it all at the
target to boost the strength of the attack.
To prevent DoS attacks, organizations can implement several measures, such as:
1. Using firewalls and intrusion detection systems to monitor network traffic and block
suspicious activity.
2. Limiting the number of requests or connections that can be made to a system or network.
3. Using load balancers and distributed systems to distribute traffic across multiple servers
or networks.
4. Implementing network segmentation and access controls to limit the impact of a DoS
attack.
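Measure 2 above, limiting the number of requests a client may make, is commonly implemented as a per-client token bucket. The following is an added example, not part of the original notes, that runs such a limiter over constructed sample traffic from one normal client and one flooding client; the rate, burst size and client addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: each client earns `rate` tokens per second up to
    `burst`; a request is served only if a token is available, otherwise dropped."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = {}
        self.last_seen = {}

    def allow(self, client: str, now: float) -> bool:
        # Refill proportionally to the time since this client's previous request.
        elapsed = now - self.last_seen.get(client, now)
        self.last_seen[client] = now
        refilled = self.tokens.get(client, float(self.burst)) + elapsed * self.rate
        self.tokens[client] = min(float(self.burst), refilled)
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


def simulate(requests, rate: float = 3.0, burst: int = 5) -> dict:
    """requests: iterable of (timestamp_seconds, client_id). Returns per-client
    counts of served and dropped requests, processed in time order."""
    bucket = TokenBucket(rate, burst)
    stats = defaultdict(lambda: {"served": 0, "dropped": 0})
    for ts, client in sorted(requests):
        outcome = "served" if bucket.allow(client, ts) else "dropped"
        stats[client][outcome] += 1
    return {client: dict(counts) for client, counts in stats.items()}


# Constructed sample traffic (not a real capture): a normal client sends one
# request per second; a flooding client sends 50 requests per second for 2 s.
NORMAL_CLIENT = "10.0.0.5"
FLOOD_CLIENT = "198.51.100.7"
SAMPLE_TRAFFIC = [(float(t), NORMAL_CLIENT) for t in range(10)] + \
                 [(i / 50.0, FLOOD_CLIENT) for i in range(100)]


if __name__ == "__main__":
    for client, counts in simulate(SAMPLE_TRAFFIC).items():
        print(client, counts)
```

The normal client never loses a request, while the flooder gets its initial burst and then only the refill rate, so the excess is dropped before it consumes server resources.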

Passive Attacks
A passive attack attempts to learn or make use of information from the system but does not
affect system resources. Passive attacks are in the nature of eavesdropping on or monitoring
transmissions. The goal of the opponent is to obtain information that is being transmitted.
Passive attacks involve an attacker passively monitoring or collecting data without altering or
destroying it. Examples of passive attacks include eavesdropping, where an attacker listens in
on network traffic to collect sensitive information, and sniffing, where an attacker captures
and analyzes data packets to steal sensitive information.
Types of Passive attacks are as follows:
1. The Release of Message Content
2. Traffic Analysis
1. The Release of Message Content
Telephonic conversation, an electronic mail message, or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.

2. Traffic Analysis
Suppose that we had a way of masking information (encryption), so that even if the attacker
captured the message, they could not extract any information from it.
The opponent could still determine the location and identity of the communicating hosts and
could observe the frequency and length of the messages being exchanged. This information
might be useful in guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. With this in
place, an attacker would have to access the SIP proxy (or its call log) to determine who made
the call.
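An added example, not part of the original notes, that makes the traffic-analysis point concrete: a passive observer records only endpoints and ciphertext lengths, and those lengths alone single out the one long message, while padding every message to a fixed size removes that signal (endpoints and message frequency still remain visible). The keystream cipher is a constructed stand-in for a real cipher, and the hosts, key and messages are assumptions chosen for the demonstration.

```python
import hashlib


def toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed illustration only: XOR with a SHA-256 counter keystream so the
    content is hidden. It stands in for a real cipher; the point of the example
    is what remains visible on the wire, not the cipher itself."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def pad(msg: bytes, size: int) -> bytes:
    """Pad to a multiple of `size` (PKCS#7 style) so that every ciphertext sent
    has one of a few fixed lengths instead of the true message length."""
    n = size - (len(msg) % size)
    return msg + bytes([n]) * n


def unpad(padded: bytes) -> bytes:
    """Reverse of pad(); rejects malformed padding rather than guessing."""
    n = padded[-1]
    if n == 0 or n > len(padded) or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def what_the_opponent_sees(transcript, key: bytes, pad_to: int = 0) -> list:
    """Encrypts each (src, dst, plaintext) message and returns only what a
    passive observer can record: the endpoints and the ciphertext length."""
    observed = []
    for i, (src, dst, plaintext) in enumerate(transcript):
        body = pad(plaintext, pad_to) if pad_to else plaintext
        ciphertext = toy_keystream_xor(key, i.to_bytes(4, "big"), body)
        observed.append((src, dst, len(ciphertext)))
    return observed


# Constructed sample conversation between two hosts (not a real capture).
KEY = b"constructed-demo-key"
TRANSCRIPT = [
    ("hostA", "hostB", b"hi"),
    ("hostB", "hostA", b"ok"),
    ("hostA", "hostB", b"Allow JOHN to read confidential file X"),
    ("hostB", "hostA", b"no"),
]

if __name__ == "__main__":
    print("unpadded:", what_the_opponent_sees(TRANSCRIPT, KEY))
    print("padded:  ", what_the_opponent_sees(TRANSCRIPT, KEY, pad_to=64))
```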

SECURITY SERVICES
Security services in cryptography and network security are essential components designed to
protect data, communication, and systems from unauthorized access, attacks, and other
security threats. Here is an explanation of the main security services provided in this field:
1. Confidentiality: Confidentiality ensures that information is only accessible to
authorized users and remains protected from unauthorized access. In cryptography,
techniques such as encryption are employed to encode data so that even if it is
intercepted during transmission, it cannot be read without the appropriate decryption
key. This service is crucial for safeguarding sensitive information, such as personal
data, financial details, and intellectual property, during transmission and storage.
2. Integrity: Integrity guarantees that data has not been altered or tampered with during
transmission or storage. This service is crucial for maintaining trust and accuracy in
communication. Hash functions and digital signatures are common tools used to
provide data integrity, allowing the recipient to verify that the received data matches
the original content and has not been modified by unauthorized parties.
3. Authentication: Authentication services are responsible for verifying the identities of
users or devices participating in a communication session. This ensures that the entity
accessing the data or network is who it claims to be. Cryptographic techniques such as
digital certificates, public-key infrastructure (PKI), and challenge-response protocols
are employed to authenticate users or systems. Authentication prevents unauthorized
access and helps maintain secure communication channels.
4. Non-repudiation: Non-repudiation ensures that a sender of a message cannot deny
having sent the message, and the recipient cannot deny receiving it. This service is
essential for accountability and legal purposes, especially in digital transactions and
communication. Digital signatures and cryptographic timestamping are used to
provide proof of origin and delivery, ensuring that actions taken during a transaction
can be verified and cannot be refuted later.
5. Access Control: Access control restricts who can access specific data or network
resources and what actions they can perform. It enforces policies that prevent
unauthorized users from accessing confidential data or critical systems. Techniques
like user authentication, role-based access control (RBAC), and multi-factor
authentication (MFA) are implemented to strengthen this security service. By
enforcing these controls, organizations can limit exposure to potential security threats
and protect valuable assets.
6. Availability: Availability ensures that authorized users have continuous access to data
and services when needed. This service protects against denial-of-service (DoS)
attacks, system failures, and other disruptions that can make a system or network
resource unavailable. Techniques such as redundancy, failover systems, and
distributed architectures help maintain availability. Proper network configuration and
regular monitoring can also aid in preventing potential service interruptions.
SECURITY MECHANISMS
A security mechanism is a method or technology that protects data and systems from
unauthorized access, attacks, and other threats. Security measures provide data integrity,
confidentiality, and availability, thereby protecting sensitive information and maintaining
trust in digital transactions. In this article, we will see types of security mechanisms.
What is Network Security?
Network Security is a field in computer technology that deals with ensuring the security
of computer network infrastructure. The network is necessary for sharing resources, whether
at the hardware level (such as printers and scanners) or at the software level. Security
mechanisms can therefore also be described as the set of processes that deal with recovery
from security attacks. Various mechanisms are designed to recover from specific attacks at
various protocol layers.
Types of Security Mechanism
• Encipherment : This security mechanism deals with hiding and covering data, which
helps the data become confidential. It is achieved by applying mathematical
calculations or algorithms that transform information into an unreadable form. It is
achieved by two well-known techniques, named Cryptography and Encipherment. The
level of data encryption depends on the algorithm used for encipherment.
• Access Control : This mechanism is used to stop unattended access to the data you
are sending. It can be achieved by various techniques, such as applying passwords,
using a firewall, or simply adding a PIN to the data.
• Notarization : This security mechanism involves the use of a trusted third party in
the communication. It acts as a mediator between sender and receiver so that the
chance of conflict is reduced. The mediator keeps a record of the requests made by
the sender to the receiver, in case they are later denied.
• Data Integrity : This security mechanism works by appending to the data a value that
is derived from the data itself. It is similar to sending a packet of information known
to both the sending and receiving parties, which is checked before and after the data
is received. When this appended value is checked and is the same on sending and on
receiving, data integrity is maintained.
• Authentication Exchange : This security mechanism deals with making identities
known in a communication. It is achieved at the TCP/IP layer, where a two-way
handshaking mechanism is used to confirm whether data has been sent.
• Bit Stuffing : This security mechanism adds some extra bits to the data being
transmitted. It helps the data to be checked at the receiving end and is achieved by
even parity or odd parity.
• Digital Signature : This security mechanism is achieved by adding digital data that is
not visible to the eye. It is a form of electronic signature that is added by the sender
and checked electronically by the receiver. This mechanism is used to protect data
that is not highly confidential but where the sender’s identity must be established.
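The Data Integrity mechanism above (a value derived from the data and checked at both ends) is also what defends against the Modification of Messages and Replay attacks described in the active-attacks section. The following is an added example, not part of the original notes, that appends an HMAC-SHA256 tag over a sequence number and the payload, then runs the page's "Allow JOHN" message through the three cases: genuine, modified, and replayed. The shared key and message texts are constructed sample values.

```python
import hmac
import hashlib

# Constructed demo key shared by the two principals (sample value, not a real secret).
# In the network security model this is the secret information distributed out of band.
SHARED_KEY = b"demo-shared-key-0001"


def integrity_value(key: bytes, seq: int, payload: bytes) -> bytes:
    """The value 'derived from the data itself': HMAC-SHA256 over the sequence
    number and the payload, so neither can be changed without the key."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def build_message(key: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: append the integrity value and a monotonically increasing
    sequence number to the payload."""
    return {"seq": seq, "payload": payload, "tag": integrity_value(key, seq, payload)}


class Receiver:
    """Receiver side: recomputes the integrity value and remembers the highest
    sequence number accepted so far, so a captured copy cannot be re-sent."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0

    def accept(self, msg: dict) -> str:
        expected = integrity_value(self.key, msg["seq"], msg["payload"])
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified"          # modification of messages
        if msg["seq"] <= self.highest_seq:
            return "rejected: replay"            # replay attack
        self.highest_seq = msg["seq"]
        return "accepted"


def demo() -> list:
    """Runs the cases from the text: a genuine message, a modified copy, a
    replayed copy, and then the next genuine message."""
    rx = Receiver(SHARED_KEY)
    results = []
    m1 = build_message(SHARED_KEY, 1, b"Allow JOHN to read confidential file X")
    results.append(rx.accept(m1))
    # The payload is rewritten in transit, but the tag cannot be recomputed without the key.
    tampered = dict(m1, payload=b"Allow Smith to read confidential file X")
    results.append(rx.accept(tampered))
    # The captured genuine message is re-sent unchanged: tag valid, sequence number stale.
    results.append(rx.accept(m1))
    m2 = build_message(SHARED_KEY, 2, b"Revoke JOHN access to file X")
    results.append(rx.accept(m2))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The tag alone would not stop the replay, since a verbatim copy still verifies; it is the sequence number under the tag that makes the replayed copy detectable.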
A MODEL FOR NETWORK SECURITY
When we send data from the source to the destination we have to use some transfer medium,
such as the internet or another communication channel, by which we are able to send our
message. The two parties, who are the principals in this transaction, must cooperate for the
exchange to take place. When data is transferred from one source to another, a logical
information channel is established between them by defining a route through the internet
from source to destination and by the cooperative use of communication protocols (e.g.,
TCP/IP) by the two principals. Security aspects come into play when it is necessary to protect
the information transmitted over this logical channel from an opponent who may present a
threat to confidentiality, authenticity, and so on. All the techniques for providing security
have two components:
1. A security-related transformation on the information to be sent.
2. Some secret information is shared by the two principals and, it is hoped, unknown to
the opponent.
A trusted third party may be needed to achieve secure transmission. For example, a third
party may be responsible for distributing the secret information to the two principals while
keeping it from any opponent. Or a third party may be needed to arbitrate disputes between
the two principals concerning the authenticity of a message transmission. This model shows
that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.
SECURITY APPROACHES
Network security encompasses various strategies and practices designed to protect a
network's integrity, confidentiality, and accessibility from unauthorized access, misuse, or
cyberattacks. Here’s an overview of the main approaches to network security:
1. Firewalls:
Firewalls act as the first line of defense in network security, establishing a barrier between a
trusted internal network and untrusted external networks such as the internet. They monitor
incoming and outgoing network traffic based on predefined security rules, allowing or
blocking data packets based on security protocols. Firewalls can be hardware-based,
software-based, or a combination of both, and they help prevent unauthorized users from
accessing private networks connected to the internet.
2. Intrusion Detection and Prevention Systems (IDPS):
Intrusion detection and prevention systems are crucial for monitoring network traffic and
identifying suspicious activities that could indicate a potential attack. An IDS (Intrusion
Detection System) only detects and reports threats, whereas an IPS (Intrusion Prevention
System) takes proactive measures to block or mitigate these threats. By analyzing network
traffic patterns, IDPS solutions help to thwart a variety of attacks, such as denial-of-service
(DoS) and malware distribution.
3. Virtual Private Networks (VPNs):
VPNs create a secure and encrypted connection over the internet, allowing remote users to
access a private network as if they were directly connected to it. This approach ensures that
data transmitted between the user and the network is encrypted and protected from
eavesdropping or interception. VPNs are commonly used by businesses to enable employees
to work securely from remote locations, enhancing data security and user privacy.
4. Endpoint Security:
Endpoint security focuses on protecting individual devices that connect to the network, such
as computers, smartphones, and IoT devices. This approach involves using antivirus software,
anti-malware programs, and endpoint detection and response (EDR) solutions. By securing
endpoints, organizations reduce the risk of malware and unauthorized access that can
originate from compromised devices, thus reinforcing the overall security posture of the
network.
5. Encryption:
Encryption is a key technique in securing data as it travels across a network. It involves
converting data into a coded format that can only be deciphered by those with the appropriate
decryption key. This approach protects sensitive information from being intercepted and read
by unauthorized entities during transmission. Network security protocols, such as SSL/TLS
for web traffic and IPSec for VPNs, use encryption to ensure the confidentiality and integrity
of data.
6. Network Access Control (NAC):
Network Access Control (NAC) is a security approach that enforces policies to regulate
which devices and users can access the network. It can include pre-admission checks, which
assess devices for compliance with security policies (such as up-to-date antivirus software),
as well as post-admission controls to monitor device behavior. NAC solutions help prevent
unauthorized devices from compromising network security and ensure that only compliant,
secure devices have access.
7. Segmentation and Microsegmentation:
Network segmentation involves dividing a larger network into smaller, isolated subnetworks
to control and limit traffic flow between them. This approach helps contain potential breaches
and limits an attacker’s ability to move laterally within the network. Microsegmentation goes
a step further by implementing granular security policies at the individual workload level,
providing robust security controls tailored to specific applications and services.
8. Zero Trust Architecture:
The zero trust security model operates on the principle of "never trust, always verify,"
assuming that threats may exist both inside and outside the network. In this approach, every
request to access network resources is authenticated and authorized based on strict identity
verification and continuous validation. Zero trust architectures rely on multi-factor
authentication (MFA), role-based access control, and continuous monitoring to ensure only
trusted users and devices are allowed access.
9. Security Information and Event Management (SIEM):
SIEM systems provide comprehensive network visibility by collecting and analyzing security
data from various network components. They offer real-time event monitoring and help
detect, respond to, and investigate security incidents. By correlating data from multiple
sources, SIEM solutions enable security teams to identify complex attack patterns, improve
incident response times, and maintain regulatory compliance.
10. User Education and Training:
While technological measures are crucial, human error remains one of the most significant
security risks. Educating and training employees on safe practices, such as recognizing
phishing attacks, using strong passwords, and following security protocols, is vital for
maintaining network security. Regular training helps users understand the importance of
cybersecurity measures and their role in preventing breaches.
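Approach 1 above describes a firewall as allowing or blocking packets against predefined rules, and approach 8 adds the "never trust" default. The following is an added example, not part of the original notes, of a first-match packet filter with a default-deny fallback, evaluated over constructed sample packets; the ruleset, networks and ports are assumptions chosen for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One predefined security rule. A field left as None matches anything."""
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # "tcp" / "udp"
    src: Optional[str] = None       # source network in CIDR notation
    dst_port: Optional[int] = None  # destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        return True


# Constructed sample ruleset for a perimeter firewall. Order matters: the
# first rule that matches a packet decides its fate.
RULESET = [
    Rule("deny", src="198.51.100.0/24"),                        # block a known-bad range first
    Rule("allow", proto="tcp", dst_port=443),                   # HTTPS from anywhere
    Rule("allow", proto="tcp", src="10.0.0.0/8", dst_port=22),  # SSH only from the internal network
]


def decide(pkt: dict, rules=RULESET) -> str:
    """First match wins; a packet matched by no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_packets(pkts, rules=RULESET) -> list:
    """Returns (src, proto, dst_port, decision) for each packet."""
    return [(p["src"], p["proto"], p["dst_port"], decide(p, rules)) for p in pkts]


# Constructed sample packets (not a real capture).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst_port": 443},   # external HTTPS
    {"proto": "tcp", "src": "203.0.113.9", "dst_port": 22},    # external SSH attempt
    {"proto": "tcp", "src": "10.1.2.3", "dst_port": 22},       # internal SSH
    {"proto": "tcp", "src": "198.51.100.7", "dst_port": 443},  # HTTPS from the blocked range
    {"proto": "udp", "src": "10.1.2.3", "dst_port": 53},       # matches nothing: default deny
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
```

Swapping the first two rules would let the blocked range reach port 443, which is why rule order is reviewed as carefully as the rules themselves.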

PART – 2 CRYPTOGRAPHY CONCEPTS AND TECHNIQUES


INTRODUCTION
Cryptography is the study and practice of techniques for secure communication in the
presence of third parties called adversaries. It deals with developing and analyzing protocols
that prevent malicious third parties from retrieving information being shared between two
entities, thereby upholding the various aspects of information security. Secure communication
refers to the scenario where the message or data shared between two parties cannot be accessed
by an adversary. In cryptography, an adversary is a malicious entity which aims to retrieve
valuable information or data, thereby undermining the principles of information security. Data
confidentiality, data integrity, authentication and non-repudiation are core principles of
modern-day cryptography.
1. Confidentiality refers to certain rules and guidelines usually executed under
confidentiality agreements which ensure that the information is restricted to certain
people or places.
2. Data integrity refers to maintaining and making sure that the data stays accurate and
consistent over its entire life cycle.
3. Authentication is the process of making sure that the piece of data being claimed by
the user belongs to it.
4. Non-repudiation refers to the ability to make sure that a person or a party associated
with a contract or a communication cannot deny the authenticity of their signature
over their document or the sending of a message.
PLAIN TEXT AND CIPHER TEXT
Defining Plain Text
Encrypted communication transforms plain text using ciphers or encryption methods. Plain
text refers to any readable information presented in a format that is accessible and usable
without the need for a decryption key or specific decryption tools, encompassing even binary
files.
Every communication, document, or file intended to be encrypted or previously encrypted
would be categorized as plain text. A cryptographic system takes plain text as input and
generates ciphertext as output. Within cryptography, algorithms facilitate the conversion of
ciphertext back into plain text and vice versa. The terms “encryption” and “decryption”
denote these respective processes. This mechanism ensures that data can only be
comprehended by its intended recipient.
Safeguarding plain text stored within computer files is of utmost importance, as unauthorized
theft, disclosure, or transmission can expose its contents entirely, potentially leading to
actions based on that information. To this end, the storage medium, the device itself, its
components, and any associated backups must all be secured if preservation is necessary.
Defining Ciphertext
The result of employing encryption methods, often referred to as cyphers, is called ciphertext.
When data cannot be understood by individuals or devices lacking the appropriate cypher, it
is considered encrypted. To interpret the data, the cypher is necessary. Algorithms transform
plaintext into ciphertext, and vice versa, to convert ciphertext back into plaintext. These
processes are known as encryption and decryption.
Ciphertext also represents a cryptographic approach in which an algorithm uses substitutions
in place of the original plaintext elements. Substitution ciphers replace individual letters, letter
pairs, letter triplets, or various combinations of these while preserving the original sequence.
Single-letter substitutions are used in simple substitution ciphers, while polygraphic
ciphers involve larger letter groupings.
In simpler terms, letters are substituted for other letters. In the past, recording corresponding
characters to decipher a message was feasible.
Difference Between Plain Text And Cipher Text

Category | Plain Text | Cipher Text
Definition | Original readable data in its natural form. | Encrypted form of data, not easily readable.
Accessibility | It can be understood and used without decryption. | Requires decryption to be understood.
Representation | Represents the actual content of the message. | Represents an encrypted version of the message.
Security | Prone to unauthorized access and disclosure. | Offers greater security against breaches.
Conversion | Input to encryption; output from decryption. | Output of encryption; input for decryption.
Purpose | Easily read and understood by humans. | Secure transmission and storage of data.

Encryption and decryption applications in everyday life


Encryption and decryption play pivotal roles in everyday applications, ensuring data
confidentiality, integrity, and security in our digital interactions. Here are some examples of
how they are used in everyday life:
1. Secure Messaging Apps
o End-to-end Encryption
Messaging apps like WhatsApp, Signal, and Telegram use end-to-end encryption to secure
conversations. When you send a message, it’s encrypted and only decrypted on the recipient’s
device, preventing anyone, including the service provider, from intercepting and reading your
messages.
2. Online Banking
o Secure Communication
When you access your bank’s website or mobile app, encryption ensures that your login
credentials, personal information, and financial transactions are transmitted securely over the
Internet. This protects you from eavesdropping and data theft.
o Two-Factor Authentication (2FA)
Many online banking services use encryption to secure the delivery of one-time codes for
2FA. This ensures only you can access your account, even if someone has your password.
3. E-commerce
o Payment Security
When making online purchases, encryption (usually SSL/TLS) secures the connection
between your browser and the e-commerce website. This safeguards your credit card
information and personal details during the transaction.
o Digital Wallets
Mobile payment apps like Apple Pay and Google Pay use encryption to protect your payment
card data when making in-store or online purchases.
4. Email Encryption
o Secure Email Services
Some email services, like ProtonMail, offer end-to-end encryption for email communication.
This means that the content of your emails is encrypted and can only be read by the intended
recipient.
Importance of the strength of the cipher
The strength of the cipher is a critical factor in ensuring the security of encrypted data. It
refers to its ability to resist attacks and maintain the confidentiality and integrity of encrypted
information.
It’s important to note that the strength of a cipher is not solely determined by the algorithm
itself but also by the length and randomness of encryption keys and the implementation of the
encryption process. Even a strong cipher can be compromised if keys are poorly managed, or
there are vulnerabilities in the encryption software.
In summary, the strength of the cipher is a foundational element of data security.
Organizations and individuals must prioritize using strong, well-vetted encryption algorithms
to protect sensitive information and maintain trust in an increasingly interconnected and data-
driven world.
SUBSTITUTION TECHNIQUES
Hiding some data is known as encryption. When plain text is encrypted it becomes
unreadable and is known as ciphertext. In a Substitution cipher, any character of plain text
from the given fixed set of characters is substituted by some other character from the same set
depending on a key. For example with a shift of 1, A would be replaced by B, B would
become C, and so on.
Note: A special case of Substitution cipher is known as Caesar cipher where the key is taken
as 3.
Mathematical representation
The encryption can be represented using modular arithmetic by first transforming the letters
into numbers, according to the scheme, A = 0, B = 1,…, Z = 25. Encryption of a letter by a
shift n can be described mathematically as.
Examples:
Plain Text: I am studying Data Encryption
Key: 4
Output: M eq wxyhCmrk Hexe IrgvCtxmsr

Plain Text: ABCDEFGHIJKLMNOPQRSTUVWXYZ


Key: 4
Output: EFGHIJKLMNOPQRSTUVWXYZabcd
Algorithm for Substitution Cipher:
Input:
• A String of both lower and upper case letters, called PlainText.
• An Integer denoting the required key.
Procedure:
• Create a list of all the characters.
• Create a dictionary to store the substitution for all characters.
• For each character, transform the given character as per the rule, depending on
whether we’re encrypting or decrypting the text.
• Print the new string generated.
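As an added example (not code from the original notes), the following Python implements the procedure above. It shifts within the 52-character alphabet of lowercase letters followed by uppercase letters, which is exactly what makes y + 4 come out as C and W + 4 wrap to a in the outputs shown; the separate caesar_shift function applies the standard 26-letter formula E_n(x) = (x + n) mod 26 with A = 0, ..., Z = 25 (a known formula, not printed on this page), preserving case.

```python
import string

# 52-character alphabet: lowercase followed by uppercase. Shifting inside this
# combined list is what the sample outputs show (y + 4 -> C, W + 4 -> a).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase


def build_table(key, decrypt=False):
    """Dictionary mapping each letter to its substitute for the given key."""
    shift = -key if decrypt else key
    size = len(ALPHABET)
    return {ch: ALPHABET[(i + shift) % size] for i, ch in enumerate(ALPHABET)}


def substitute(text, key, decrypt=False):
    """Apply the table to every character; non-letters pass through unchanged."""
    table = build_table(key, decrypt)
    return "".join(table.get(ch, ch) for ch in text)


def encrypt(plaintext, key):
    return substitute(plaintext, key)


def decrypt(ciphertext, key):
    return substitute(ciphertext, key, decrypt=True)


def caesar_shift(text, n):
    """Classic shift over the 26-letter alphabet: E_n(x) = (x + n) mod 26,
    with A = 0, ..., Z = 25 and case preserved. Use n = -3 to undo Caesar's key 3."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    sample = "I am studying Data Encryption"
    ct = encrypt(sample, 4)
    print(ct)                               # M eq wxyhCmrk Hexe IrgvCtxmsr
    print(decrypt(ct, 4))                   # I am studying Data Encryption
    print(caesar_shift("Hello World", 3))   # Khoor Zruog
```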
TRANSPOSITION TECHNIQUES
Transposition ciphers are an essential part of cryptography. They systematically shuffle the
characters or bits of the plain text to secure data, altering their positions according to some
defined rule or algorithm. Unlike substitution ciphers, where letters are replaced by other
letters, a transposition cipher only moves the original letters around, so the result no longer
looks like the message at all.
Historical ciphers such as Rail Fence and Columnar Transposition show how these strategies
were used in relatively primitive encryption methods, which in their simplicity formed the
basis for more sophisticated forms of encoding. Columnar transpositions are still explored
and employed today within complex systems, for instance those involving hierarchical
structures meant to increase message secrecy through extra levels of obscurity.
In this article, we will learn about techniques used to encrypt the message earlier. This article
will provide details about the Transposition Cipher Technique. Then we are going to explore
various types of Transposition Cipher Technique.
Transposition Cipher Technique
The Transposition Cipher Technique is an encryption method used to encrypt a message or
information. This encryption method is done by playing with the position of letters of the
plain text. The positions of the characters present in the plaintext are rearranged or shifted to
form the ciphertext. It makes use of some kind of permutation function to achieve the
encryption purpose. It is very easy to use and so simple to implement.
Types of Transposition Cipher Techniques
There are three types of transposition cipher techniques
• Rail Fence Transposition Cipher
• Block (Single Columnar) Transposition Cipher
• Double Columnar Transposition Cipher
Rail Fence Transposition Cipher
The Rail Fence Transposition cipher is the simplest transposition cipher technique. It is also
termed a zigzag cipher. It gets its name from the way in which it performs encryption of the
plain text. The steps to get cipher text with the help of the Rail Fence Transposition cipher
technique are as follows:
Technique of Rail Fence Transposition Cipher
Example: The plain text is "Hello Krishna"
Now, we will write this plain text in the diagonal form:

Now, following the second step we get our cipher text.


Cipher Text = "rsnelkiha"
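An added example, not code from the original notes: a Python rail fence implementation of the write-in-zigzag, read-rail-by-rail steps. The zigzag figure did not survive extraction, so the number of rails (2) and the dropping of the space in "Hello Krishna" are assumptions made here; rail_pattern generalises the technique to any number of rails.

```python
def rail_pattern(length, rails):
    """Rail (row) index of each character position as the text zigzags
    down to the bottom rail and back up again."""
    if rails < 2:
        raise ValueError("a rail fence needs at least two rails")
    cycle = 2 * (rails - 1)  # one trip down and back up
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plaintext, rails=2):
    """Step 1: write the letters in a zigzag; step 2: read each rail left to right."""
    text = plaintext.replace(" ", "")  # spaces are not written on the rails (assumption)
    rows = rail_pattern(len(text), rails)
    return "".join(ch for r in range(rails)
                   for ch, row in zip(text, rows) if row == r)


def rail_fence_decrypt(ciphertext, rails=2):
    """Rebuild the zigzag: the ciphertext is rail 0, then rail 1, ..., so the
    k-th ciphertext letter belongs at the k-th position when positions are
    sorted by (rail, column)."""
    rows = rail_pattern(len(ciphertext), rails)
    positions = sorted(range(len(ciphertext)), key=lambda i: (rows[i], i))
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, positions):
        plain[pos] = ch
    return "".join(plain)


if __name__ == "__main__":
    ct = rail_fence_encrypt("Hello Krishna", rails=2)
    print(ct)                          # HlorsnelKiha
    print(rail_fence_decrypt(ct, 2))   # HelloKrishna
```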
Block (Single Columnar) Transposition Cipher
Block Transposition Cipher is another form of transposition cipher used to encrypt a message
or information. In this technique, we first write the message or plaintext in rows. After that,
we read the message column by column. In this technique, we use a keyword to determine
the number of rows.
• Step 1: First we write the message in the form of rows and columns, and read the
message column by column.
• Step 2: Given a keyword, which we will use to fix the number of rows.
• Step 3: If any space is spare, it is filled with null, left blank, or filled with an underscore (_).
• Step 4: The message is read in the order specified by the keyword.
For example: The plaintext is "KRISHNA RANJAN"
Now we will write the plaintext in the form of row and column.
Cipher Text = IAN_RNANS_J_KHRA
Double Columnar Transposition Cipher
Double Columnar Transposition Cipher is another form of Transposition Cipher Technique. It
is just similar to the columnar transposition technique. The main objective of using a
Double Columnar Transposition Cipher is to encrypt the message twice. It makes use of the
Single Columnar Transposition technique but uses two times. It can use the same or different
secret keys. The output obtained from the first encryption will be the input to the second
encryption.
• Step 1: First we write the message in the form of rows and columns, and read the
message column by column.
• Step 2: Given a keyword, which we will use to fix the number of rows.
• Step 3: If any space is spare, it is filled with null, left blank, or filled with an underscore (_).
• Step 4: The message is read in the order specified by the first keyword.
• Step 5: Then the output from the first encryption is input to the second, and steps 1 to 3
are repeated using the second keyword.
• Step 6: Now the message is read in the order specified by the second keyword.
The Cipher Text is: "S_J_IAN_RNANKHRA"
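An added example (not the notes' own code) implementing the single and double columnar steps above in Python. The notes do not show the keyword, so "DBAC" is a constructed keyword whose alphabetical ranking reads the columns in the order 2, 1, 3, 0 (zero-based), which reproduces the single-stage cipher text IAN_RNANS_J_KHRA; as in the notes, the keyword length sets the grid width, spare cells are filled with '_', and the space in the plaintext is written as '_'.

```python
import math

PAD = "_"  # spare grid cells are filled with an underscore (Step 3)


def column_order(keyword):
    """Indices of the columns in the order they are read out (Step 4).
    Columns are ranked by the alphabetical order of the keyword's letters,
    ties broken left to right; the notes do not state their ranking rule,
    so this is an assumption."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def columnar_encrypt(plaintext, keyword):
    """Steps 1-4: write row by row into a grid len(keyword) wide, pad it,
    then read the columns in keyword order."""
    text = plaintext.replace(" ", PAD)        # the notes write a space as '_'
    ncols = len(keyword)
    nrows = math.ceil(len(text) / ncols)
    text = text.ljust(nrows * ncols, PAD)     # fill the spare cells
    rows = [text[r * ncols:(r + 1) * ncols] for r in range(nrows)]
    return "".join("".join(row[c] for row in rows) for c in column_order(keyword))


def columnar_decrypt(ciphertext, keyword, strip=True):
    """Reverse the read-out: slice the ciphertext back into columns, place
    each at its keyword position, and read the grid row by row."""
    ncols = len(keyword)
    nrows = len(ciphertext) // ncols          # the ciphertext always fills the grid
    cols = [None] * ncols
    for k, c in enumerate(column_order(keyword)):
        cols[c] = ciphertext[k * nrows:(k + 1) * nrows]
    grid = "".join(cols[c][r] for r in range(nrows) for c in range(ncols))
    # Padding and spaces both appear as '_', so only the trailing pad is removed.
    return grid.rstrip(PAD) if strip else grid


def double_columnar_encrypt(plaintext, key1, key2):
    """Steps 5-6: the first stage's output is the second stage's input."""
    first = columnar_encrypt(plaintext, key1)
    if len(first) % len(key2):
        # A second round of '_' padding could not be told apart from the
        # first stage's padding on decryption, so the second grid must fill
        # exactly (as it does for the notes' 16-character example).
        raise ValueError("len(key2) must divide the first-stage ciphertext length")
    return columnar_encrypt(first, key2)


def double_columnar_decrypt(ciphertext, key1, key2):
    first = columnar_decrypt(ciphertext, key2, strip=False)
    return columnar_decrypt(first, key1)


if __name__ == "__main__":
    single = columnar_encrypt("KRISHNA RANJAN", "DBAC")
    print(single)                                           # IAN_RNANS_J_KHRA
    double = double_columnar_encrypt("KRISHNA RANJAN", "DBAC", "DBAC")
    print(double)                                           # NAJRAN_H_N_AIRSK
    print(double_columnar_decrypt(double, "DBAC", "DBAC"))  # KRISHNA_RANJAN
```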


ENCRYPTION & DECRYPTION
Encryption is the process of converting a normal message (plain text) into a meaningless
message (ciphertext). Decryption is the process of converting a meaningless message
(ciphertext) into its original form (plaintext). The major distinction between the two is that
encryption converts a message into an unintelligible form that is undecipherable unless
decrypted, whereas decryption is the recovery of the original message from the encrypted
information.
What is Encryption?
Data can be secured with encryption by being changed into an unintelligible format that can
only be interpreted by a person with the proper decryption key. Sensitive data, including
financial and personal information as well as communications over the internet, is frequently
protected with it.
Application of Encryption
Many different fields employ encryption, including:
• Online Banking: to secure transactions.
• Email Security: to safeguard the contents of emails.
• Secure Messaging: to protect the privacy of conversations.
• Data Storage: to prevent unwanted access to stored data.
What is Decryption?
To make encrypted data comprehensible again, it must first be decrypted and then put back
into its original format. To access and utilize the protected information, authorized parties
must follow this procedure.
Real-Life Examples of Encryption and Decryption
• WhatsApp Messaging: It encrypts communications end to end so that only the sender and
recipient can read them.
• HTTPS websites: Encrypt user data to prevent third parties from intercepting it.
• Encrypted Email Services: Email services that use encryption, like ProtonMail,
protect email contents.
Why are Encryption and Decryption Important?
Maintaining privacy, securing communications, and shielding sensitive data from cyber
dangers all depend on encryption and decryption. They are crucial instruments for
cybersecurity and aid in maintaining the privacy and integrity of data.
Encryption converts data into a format that is unreadable without a key, while
decryption reverses the process to make the data readable again. Understanding these
processes is crucial for securing information in a world where data privacy is paramount.
Let's see the difference between encryption and decryption:

Encryption | Decryption
Encryption is the process of converting a normal message into a meaningless message. | Decryption is the process of converting a meaningless message into its original form.
Encryption takes place at the sender's end. | Decryption takes place at the receiver's end.
Its major task is to convert the plain text into cipher text. | Its main task is to convert the cipher text into plain text.
Any message can be encrypted with either a secret key or a public key. | The encrypted message can be decrypted with either a secret key or a private key.
In the encryption process, the sender sends the data to the receiver after encrypting it. | In the decryption process, the receiver receives the information (cipher text) and converts it into plain text.
The same algorithm with the same key is used for the encryption-decryption process. | Alternatively, a single algorithm is used with a pair of keys, one for encryption and the other for decryption.
Encryption is used to protect the confidentiality of data by converting it into an unreadable form that can only be read by authorized parties. | Decryption is used to reverse the encryption process and convert the ciphertext back into plaintext.
The output of encryption is a ciphertext that is unintelligible to anyone who does not have the decryption key. | The output of decryption is the original plaintext message.
SYMMETRIC AND ASYMMETRIC KEY
Encryption is one of the most basic concepts in the world of cybersecurity, as it ensures that
information does not fall into the wrong hands. There are two primary types of encryption
techniques, namely symmetric key encryption and asymmetric key encryption. Anyone
involved in data security must know the differences between these two methods.
What is Symmetric Key Encryption?
Encryption is a process to change the form of any message to protect it from reading by
anyone. In Symmetric-key encryption the message is encrypted by using a key and the same
key is used to decrypt the message which makes it easy to use but less secure. It also requires
a safe method to transfer the key from one party to another.
What is Asymmetric Key Encryption?
Asymmetric key encryption is one of the most common cryptographic methods. It uses a pair
of keys, where one key is used to encrypt data and the second one is used to decrypt the
encrypted text. The second key (the private key) is kept highly secret, while the first one,
called the public key, can be freely distributed among the service's users.
Difference Between Symmetric and Asymmetric Key Encryption

Symmetric Key Encryption | Asymmetric Key Encryption
It only requires a single key for both encryption and decryption. | It requires two keys, a public key and a private key, one to encrypt and the other to decrypt.
The size of the ciphertext is the same as or smaller than the original plaintext. | The size of the ciphertext is the same as or larger than the original plaintext.
The encryption process is very fast. | The encryption process is slow.
It is used when a large amount of data needs to be transferred. | It is used to transfer small amounts of data.
It only provides confidentiality. | It provides confidentiality, authenticity, and non-repudiation.
The length of the key used is 128 or 256 bits. | The length of the key used is 2048 bits or higher.
In symmetric key encryption, resource utilization is low compared to asymmetric key encryption. | In asymmetric key encryption, resource utilization is high.
It is efficient as it is used for handling large amounts of data. | It is comparatively less efficient as it can handle only a small amount of data.
Security is lower as only one key is used for both encryption and decryption purposes. | Security is higher as two keys are used, one for encryption and the other for decryption.
Mathematical representation: P = D(K, E(K, P)), where K is the encryption and decryption key, P the plain text, D decryption and E(K, P) the encryption of the plain text using K. | Mathematical representation: P = D(Kd, E(Ke, P)), where Ke is the encryption key, Kd the decryption key, P the plain text, D decryption and E(Ke, P) the encryption of the plain text using the encryption key Ke.
Examples: 3DES, AES, DES and RC4 | Examples: Diffie-Hellman, ECC, ElGamal, DSA and RSA

STEGANOGRAPHY
Steganography is defined as the technique of hiding secret information. The word is derived
from two Greek words, 'stegos' meaning 'to cover' and 'graphia' meaning 'writing', thus
translating to 'covered writing' or 'hidden writing'. The sensitive information is then extracted
from the ordinary file or communication at its destination. With the help of steganography,
we can hide any digital object such as text, an image, a video, etc. behind a carrier
medium.
Different Types of Steganography
Text Steganography
Text Steganography is a type of steganography that hides messages or secret information
within a text document or other textual data. In this method, we try to hide secret data with
the help of each letter of the words. It is difficult to detect, especially when the variations or
changes made are subtle.
Image Steganography
Image Steganography is a type of steganography that hides messages or secret information
within digital images. It is achieved by making changes to the pixels of the image to encode
the information. It is generally used for watermarking, covert communication, brand
protection, etc.
Audio Steganography
Audio Steganography is a type of steganography that hides messages or secret information
within audio files. The idea behind using this technique is to hide information in such a way
that people cannot notice it when they hear the audio. It is generally used for digital rights
management in audio files.
Video Steganography
Video Steganography is a type of steganography that hides messages or secret information
within digital video files. The aim of video steganography is to hide secret information in a
video in such a way that ordinary viewers will not notice it.
Network or Protocol Steganography
Network or Protocol Steganography is a type of steganography that hides messages or secret
information within network protocols or messages. It tries to hide secret information in the
usual flow of internet or network activity so that no one can detect it.
Advantages of Steganography
• It offers better security for data sharing and communication.
• It is very difficult to detect; it can only be detected by the receiving party.
• It can be applied through various means such as images, audio, video, text, etc.
• It plays a vital part in securing the content of the communication.
• It offers a double layer of protection, the first being the file itself and the second the data
encoded within it.
• With the help of steganography, high-level agencies can communicate secretly.
Difference between Steganography and Cryptography

Steganography | Cryptography
Steganography is defined as a method of concealing data or information under known, non-secret data or files. | Cryptography is defined as the method of protecting information and communication with the help of various techniques.
Its main purpose is to maintain communication security. | Its main objective is to provide data protection.
The structure of the data is not modified in the case of steganography. | The structure of the data is modified in the case of cryptography.
It is less popular. | It is more popular.
The use of a key is not obligatory, but if one is used it enhances security. | The use of a key is obligatory in the case of cryptography.
In steganography, mathematical transformations are not significantly involved. | In cryptography, mathematical transformations are used to manipulate the data and increase protection.

Steganography Tools
Steganography tools are tools that help the user to hide secret messages or information
inside another file in various formats. There are various tools available in the market which
help to perform steganography. Some of the steganography tools are the following:
• OpenStego
• Steghide
• OutGuess
• Hide N Send
• QuickStego
• Camouflage
KEY RANGE & KEY SIZE
In cryptography, key size and key range are essential factors that determine the security level
of encryption algorithms. Here's a detailed explanation of these concepts and their
implications:
1. Key Size:
• Definition: The key size is the length of the cryptographic key, expressed in bits (e.g.,
128-bit, 192-bit, 256-bit). It directly influences how resistant an encryption algorithm
is to brute-force attacks.
• Bit Representation: The key size represents how many binary digits (0s and 1s) are
in the key. For example, a 128-bit key has 2^128 possible combinations.
• Security Level:
o 128-bit keys (e.g., used in AES-128) are considered secure for most purposes,
providing protection that would require astronomical computational power to
break via brute-force.
o 256-bit keys (e.g., used in AES-256) are significantly more secure than 128-
bit keys, offering a level of security that is considered quantum-resistant
against current and foreseeable computing power.
o Comparative Strength: As the key size increases, the number of possible
combinations grows exponentially, making larger key sizes far more resistant
to exhaustive search attacks.
2. Key Range:
• Definition: The key range refers to the set of all potential keys that can be generated
given a certain key size. This range defines the total number of distinct keys that are
available for use within the algorithm.
• Mathematical Context: The range of possible keys is defined by 2^(key size). For example:
o For a 128-bit key, the key range is 2^128 (approximately 3.4 x 10^38).
o For a 256-bit key, the key range is 2^256 (approximately 1.15 x 10^77).
• Impact on Security: A larger key range means more potential keys, which translates
to greater difficulty for attackers to guess the correct key using brute-force methods.
This ensures that even with advancements in computing power, an attacker would
need an impractically long time to try all possible keys.
3. Practical Implications:
• Computational Feasibility: The time required to brute-force a key depends on the
processing power available. While advancements in computational technology have
made certain smaller key sizes less secure over time (e.g., 56-bit DES keys), modern
algorithms like AES with key sizes of 128 bits or higher remain secure.
• Choice of Key Size: Choosing the appropriate key size depends on the specific
application and threat model. For example, financial and governmental sectors might
prefer 256-bit keys for sensitive data, ensuring long-term security even against
potential future threats like quantum computing.
• Algorithm Dependency: While key size is important, the security of an encryption
scheme also depends on the strength of the algorithm itself. For example, both RSA
and AES can use large key sizes, but the level of security they provide varies due to
their different underlying structures. RSA typically requires a much larger key size
(e.g., 2048 bits) to match the security of a 128-bit AES key due to the mathematical
differences in their designs.
4. Quantum Computing Considerations:
• Quantum Threats: Quantum computers, once sufficiently advanced, are expected to
impact the security of current cryptographic systems. Algorithms like RSA and ECC
(Elliptic Curve Cryptography) would be vulnerable due to Shor's algorithm, which
can efficiently factorize large numbers and compute discrete logarithms.
• Quantum-Resistant Algorithms: AES with 256-bit keys is often considered secure
against potential quantum attacks because Grover’s algorithm, which can theoretically
reduce the brute-force time, would only halve the effective key size. Thus, AES-256
would be reduced to the security level of AES-128, which remains strong.
5. Real-World Applications:
• AES (Advanced Encryption Standard): Widely adopted and can use 128-bit, 192-
bit, or 256-bit keys. It is used in various applications, including data encryption,
network security protocols, and secure communications.
• RSA: Uses key sizes that are typically much larger (2048 or 4096 bits) to achieve a
security level similar to that of a smaller symmetric key algorithm like AES. The security
here relies on the difficulty of factoring large numbers that are the product of two large primes.
• ECC (Elliptic Curve Cryptography): Provides strong security with shorter key sizes
compared to RSA. A 256-bit ECC key is generally considered comparable to a 3072-
bit RSA key.
POSSIBLE TYPES OF ATTACKS
Cryptology has two parts namely, Cryptography which focuses on creating secret codes
and Cryptanalysis which is the study of the cryptographic algorithm and the breaking of
those secret codes. The person practicing Cryptanalysis is called a Cryptanalyst. It helps us
to better understand the cryptosystems and also helps us improve the system by finding any
weak point and thus work on the algorithm to create a more secure secret code. For example,
a Cryptanalyst might try to decipher a ciphertext to derive the plaintext. It can help us to
deduce the plaintext or the encryption key.
Types of attacks include ciphertext-only attacks, where only encrypted messages are
available, known-plaintext attacks, where both plaintext and ciphertext are known,
and chosen-plaintext/ciphertext attacks, where the attacker can encrypt or decrypt specific
data to expose the encryption scheme.

To determine the weak points of a cryptographic system, it is important to attack the system.
These attacks are called cryptanalytic attacks. The attacks rely on the nature of the algorithm
and also on knowledge of the general characteristics of the plaintext, i.e., the plaintext can be
a regular document written in English or it can be code written in Java. Therefore, the nature
of the plaintext should be known before trying to use the attacks.
Types of Cryptanalytic Attacks:
• Known-Plaintext Analysis (KPA) : In this type of attack, some plaintext-ciphertext
pairs are already known. Attacker maps them in order to find the encryption key. This
attack is easier to use as a lot of information is already available.
• Chosen-Plaintext Analysis (CPA): In this type of attack, the attacker chooses
random plaintexts, obtains the corresponding ciphertexts and tries to find the
encryption key. It is very simple to implement, like KPA, but the success rate is quite
low.
• Ciphertext-Only Analysis (COA): In this type of attack, only some ciphertext is
known and the attacker tries to find the corresponding encryption key and plaintext.
It is the hardest to implement but is the most probable attack, as only ciphertext is
required.
• Man-In-The-Middle (MITM) attack: In this type of attack, the attacker intercepts the
message/key between two communicating parties through a secured channel.
• Adaptive Chosen-Plaintext Analysis (ACPA): This attack is similar to CPA. Here, the
attacker requests the ciphertexts of additional plaintexts after they already have
ciphertexts for some texts.
• Birthday attack: This attack exploits the probability of two or more individuals
sharing the same birthday in a group of people. In cryptography, this attack is used to
find collisions in a hash function.
• Side-channel attack: This type of attack is based on information obtained from the
physical implementation of the cryptographic system, rather than on weaknesses in
the algorithm itself. Side-channel attacks include timing attacks, power analysis
attacks, electromagnetic attacks, and others.
• Brute-force attack: This attack involves trying every possible key until the correct
one is found. While this attack is simple to implement, it can be time-consuming and
computationally expensive, especially for longer keys.
• Differential cryptanalysis: This type of attack involves comparing pairs of plaintexts
and their corresponding ciphertexts to find patterns in the encryption algorithm. It can
be effective against block ciphers with certain properties.

UNIT – 2 SYMMETRIC & ASYMMETRIC KEY CIPHERS


PART – 1 SYMMETRIC KEY CIPHERS
BLOCK CIPHER PRINCIPLES
Block ciphers are built in the Feistel cipher structure. A block cipher has a specific number of
rounds and keys for generating ciphertext. A block cipher is a type of encryption algorithm that
processes fixed-size blocks of data, usually 64 or 128 bits, to produce ciphertext. The design
of a block cipher involves several important principles to ensure the security and efficiency of
the algorithm. Some of these principles are:
1. Number of Rounds – The number of rounds is a regular design criterion; it reflects
how many rounds the algorithm needs to make the cipher sufficiently complex. DES
uses 16 rounds and AES uses 10 rounds, each chosen to make the respective cipher
more secure.
2. Design of function F – The core part of the Feistel block cipher structure is the
round function. The complexity of cryptanalysis derives from the round function, i.e.,
increasing the complexity of the round function greatly increases the complexity of
the attack. To increase the complexity of the round function, the avalanche effect is
also built into it, so that changing a single bit of the plain text produces a drastically
different output.
3. Confusion and Diffusion: The cipher should provide confusion and diffusion to
make it difficult for an attacker to determine the relationship between the plaintext
and ciphertext. Confusion means that the ciphertext should be a complex function of
the key and plaintext, making it difficult to guess the key. Diffusion means that a
small change in the plaintext should cause a significant change in the ciphertext,
which makes it difficult to analyze the encryption pattern.
4. Key Size: The key size should be large enough to prevent brute-force attacks. A larger
key size means that there are more possible keys, making it harder for an attacker to
guess the correct one. A key size of 128 bits is considered to be secure for most
applications.
5. Key Schedule: The key schedule should be designed carefully to ensure that the keys
used for encryption are independent and unpredictable. The key schedule should also
resist attacks that exploit weak keys or key-dependent properties of the cipher.
6. Block Size: The block size should be large enough to prevent attacks that exploit
statistical patterns in the plaintext. A block size of 128 bits is generally considered to
be secure for most applications.
7. Non-linearity: The S-box used in the cipher should be non-linear to provide
confusion. A linear S-box is vulnerable to attacks that exploit the linear properties of
the cipher.
8. Avalanche Effect: The cipher should exhibit the avalanche effect, which means that a
small change in the plaintext or key should cause a significant change in the
ciphertext. This ensures that any change in the input results in a complete change in
the output.
9. Security Analysis: The cipher should be analyzed for its security against various
attacks such as differential cryptanalysis, linear cryptanalysis, and brute-force attacks.
The cipher should also be tested for its resistance to implementation attacks, such as
side-channel attacks.
DES ALGORITHM
Data Encryption Standard (DES) is a block cipher with a 56-bit key length that has played a
significant role in data security. DES has been found vulnerable to very powerful attacks;
therefore its popularity has been slightly on the decline.
DES is a block cipher and encrypts data in blocks of size of 64 bits each, which means 64
bits of plain text go as the input to DES, which produces 64 bits of ciphertext. The same
algorithm and key are used for encryption and decryption, with minor differences. The key
length is 56 bits.
The basic idea is shown below:
We have mentioned that DES uses a 56-bit key. Actually, the initial key consists of 64 bits.
However, before the DES process even starts, every 8th bit of the key is discarded to produce
a 56-bit key; that is, bit positions 8, 16, 24, 32, 40, 48, 56, and 64 are discarded.

Thus, the discarding of every 8th bit of the key produces a 56-bit key from the original 64-bit
key.
DES is based on the two fundamental attributes of cryptography: substitution (also called
confusion) and transposition (also called diffusion). DES consists of 16 steps, each of which
is called a round. Each round performs the steps of substitution and transposition. Let us now
discuss the broad-level steps in DES.
• In the first step, the 64-bit plain text block is handed over to an
initial Permutation (IP) function.
• The initial permutation is performed on plain text.
• Next, the initial permutation (IP) produces two halves of the permuted block; saying
Left Plain Text (LPT) and Right Plain Text (RPT).
• Now each LPT and RPT go through 16 rounds of the encryption process.
• In the end, LPT and RPT are rejoined and a Final Permutation (FP) is performed on
the combined block.
• The result of this process is the 64-bit ciphertext.

Initial Permutation (IP)


As we have noted, the initial permutation (IP) happens only once and it happens before the
first round. The IP table specifies how the transposition should proceed, as shown in the
figure. For example, it says that the IP replaces the first bit of the original plain text block
with the 58th bit of the original plain text, the second bit with the 50th bit of the original
plain text block, and so on.
This is simply a rearrangement of the bit positions of the original plain text block; the same
rule applies to all the other bit positions shown in the figure.
As we have noted after IP is done, the resulting 64-bit permuted text block is divided into two
half blocks. Each half-block consists of 32 bits, and each of the 16 rounds, in turn, consists of
the broad-level steps outlined in the figure.

Step 1: Key transformation


We have noted that the initial 64-bit key is transformed into a 56-bit key by discarding every
8th bit of the initial key. Thus, for each round a 56-bit key is available. From this 56-bit key,
a different 48-bit sub key is generated during each round using a process called key
transformation. For this, the 56-bit key is divided into two halves, each of 28 bits. These
halves are circularly shifted left by one or two positions, depending on the round.
For example: in rounds 1, 2, 9 and 16 the shift is by only one position; in the other rounds
the circular shift is by two positions. The number of key bits shifted per round is shown in
the figure.

After the appropriate shift, 48 of the 56 bits are selected. The table for selecting 48 of the 56
bits is shown in the figure given below. For instance, after the shift, bit number 14 moves to
the first position, bit number 17 moves to the second position, and so on. If we observe the
table, we will realize that it contains only 48 bit positions. Bit number 18 is discarded (we
will not find it in the table), like 7 others, to reduce the 56-bit key to a 48-bit key. Since the
key transformation process involves permutation as well as selection of a 48-bit subset of the
original 56-bit key, it is called a Compression Permutation.

Because of this compression permutation technique, a different subset of key bits is used in
each round. That makes DES not easy to crack.
Step 2: Expansion Permutation
Recall that after the initial permutation, we had two 32-bit plain text areas called Left Plain
Text(LPT) and Right Plain Text(RPT). During the expansion permutation, the RPT is
expanded from 32 bits to 48 bits. Bits are permuted as well hence called expansion
permutation. This happens as the 32-bit RPT is divided into 8 blocks, with each block
consisting of 4 bits. Then, each 4-bit block of the previous step is then expanded to a
corresponding 6-bit block, i.e., per 4-bit block, 2 more bits are added.

This process results in expansion as well as permutation of the input bits while creating the
output. The key transformation process compresses the 56-bit key to 48 bits. Then the
expansion permutation process expands the 32-bit RPT to 48 bits. Now the 48-bit key is
XORed with the 48-bit expanded RPT and the resulting output is given to the next step, which
is the S-Box substitution.
AES ALGORITHM
Advanced Encryption Standard (AES) is a highly trusted encryption algorithm used to
secure data by converting it into an unreadable format without the proper key. Developed by
the National Institute of Standards and Technology (NIST), AES encryption uses
various key lengths (128, 192, or 256 bits) to provide strong protection against unauthorized
access. This data security measure is efficient and widely implemented in securing internet
communication, protecting sensitive data, and encrypting files. AES, a cornerstone of
modern cryptography, is recognized globally for its ability to keep information safe from
cyber threats.
Points to Remember
• AES is a Block Cipher.
• The key size can be 128/192/256 bits.
• Encrypts data in blocks of 128 bits each.
That means it takes 128 bits as input and outputs 128 bits of encrypted cipher text. AES relies
on the substitution-permutation network principle, which is performed using a series of
linked operations that involve replacing and shuffling the input data.
Working of The Cipher
AES performs operations on bytes of data rather than in bits. Since the block size is 128 bits,
the cipher processes 128 bits (or 16 bytes) of the input data at a time.
The number of rounds depends on the key length as follows :
• 128-bit key – 10 rounds
• 192-bit key – 12 rounds
• 256-bit key – 14 rounds
Creation of Round Keys
A Key Schedule algorithm calculates all the round keys from the key. So the initial key is
used to create many different round keys which will be used in the corresponding round of
the encryption.

Creation of Round Keys (AES)


Encryption
AES considers each block as a 16-byte (4 x 4 bytes = 16 bytes = 128 bits) grid in a
column-major arrangement.
[ b0 | b4 | b8  | b12 ]
[ b1 | b5 | b9  | b13 ]
[ b2 | b6 | b10 | b14 ]
[ b3 | b7 | b11 | b15 ]
Each round comprises 4 steps:
• SubBytes
• ShiftRows
• MixColumns
• Add Round Key
The last round doesn’t have the MixColumns step.
The SubBytes does the substitution and ShiftRows and MixColumns perform the permutation
in the algorithm.
Sub Bytes
This step implements the substitution.
In this step, each byte is substituted by another byte. It is performed using a lookup table also
called the S-box. This substitution is done in such a way that a byte is never substituted by
itself and also never by another byte which is the complement of the current byte. The result
of this step is a 16-byte (4 x 4) matrix like before.
The next two steps implement the permutation.
Shift Rows
This step is just as it sounds. Each row is shifted a particular number of times.
• The first row is not shifted
• The second row is shifted once to the left.
• The third row is shifted twice to the left.
• The fourth row is shifted thrice to the left.
(A left circular shift is performed.)
[ b0  | b1  | b2  | b3  ]      [ b0  | b1  | b2  | b3  ]
| b4  | b5  | b6  | b7  |  ->  | b5  | b6  | b7  | b4  |
| b8  | b9  | b10 | b11 |      | b10 | b11 | b8  | b9  |
[ b12 | b13 | b14 | b15 ]      [ b15 | b12 | b13 | b14 ]
Mix Columns
This step is a matrix multiplication. Each column is multiplied with a specific matrix and thus
the position of each byte in the column is changed as a result.
This step is skipped in the last round.
[ c0 ]   [ 2 3 1 1 ] [ b0 ]
| c1 | = | 1 2 3 1 | | b1 |
| c2 |   | 1 1 2 3 | | b2 |
[ c3 ]   [ 3 1 1 2 ] [ b3 ]
Add Round Keys
Now the resultant output of the previous stage is XOR-ed with the corresponding round key.
Here, the 16 bytes are not considered as a grid but just as 128 bits of data.

Added Round Keys (AES)


After all these rounds 128 bits of encrypted data are given back as output. This process is
repeated until all the data to be encrypted undergoes this process.
Decryption
The stages in the rounds can be easily undone, as each stage has an inverse which, when
performed, reverts the changes. Each 128-bit block goes through 10, 12 or 14 rounds
depending on the key size.
The stages of each round of decryption are as follows :
• Add round key
• Inverse MixColumns
• ShiftRows
• Inverse SubByte
The decryption process is the encryption process done in reverse, so only the steps with
notable differences are explained here.
Inverse MixColumns
This step is similar to the Mix Columns step in encryption but differs in the matrix used to
carry out the operation.
In the Mix Columns operation each column is mixed independently of the others, using
matrix multiplication. The output of this step is the matrix multiplication of the old values
and a constant matrix:
[ b0 ]   [ 14 11 13  9 ] [ c0 ]
[ b1 ] = [  9 14 11 13 ] [ c1 ]
[ b2 ]   [ 13  9 14 11 ] [ c2 ]
[ b3 ]   [ 11 13  9 14 ] [ c3 ]
Inverse SubBytes
The inverse S-box is used as the lookup table with which the bytes are substituted during
decryption. The Substitute function performs a byte substitution on each byte of the input
word; for this purpose it uses the S-box.
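The encryption and decryption rounds described above (SubBytes, ShiftRows, MixColumns, AddRoundKey, the key schedule and the inverse order for decryption) assembled into a complete AES-128 block cipher, as an added example (not code from the original text). The S-box is derived from its GF(2^8) definition rather than typed in, so the no-fixed-point property the text mentions can be checked; the state is the column-major grid shown above.

```python
"""AES-128 block encryption and decryption assembled from the steps described
above: SubBytes, ShiftRows, MixColumns, AddRoundKey and the key schedule.
Added example for this page (not the text's own code); educational only: the
table lookups are not constant-time and no mode of operation is applied."""

def xtime(a):
    """Multiply a byte by x (0x02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8); used by MixColumns and the S-box."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _gf_inv(x):
    """Multiplicative inverse x^254 in GF(2^8); 0 maps to 0."""
    r, p, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p, e = gf_mul(p, p), e >> 1
    return r if x else 0

def _build_sbox():
    """S-box = GF(2^8) inverse followed by the affine map s ^ rotl(s,1..4) ^ 0x63."""
    sbox = []
    for x in range(256):
        inv = s = _gf_inv(x)
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# The 16-byte state is the column-major grid from the text: state[row + 4 * col].
def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Row r is rotated left by r positions (right for the inverse)."""
    sign = -1 if inverse else 1
    return [s[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, inverse=False):
    """Each column times the circulant matrix 2 3 1 1 (14 11 13 9 for the inverse)."""
    m = [14, 11, 13, 9] if inverse else [2, 3, 1, 1]
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(m[(j - r) % 4], col[j])   # row r of the matrix
            out.append(v)
    return out

def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]

def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, 9 full rounds, then a last round without MixColumns."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)

def aes128_decrypt_block(key, block):
    """Inverse order from the text: AddRoundKey, InvMixColumns, InvShiftRows, InvSubBytes."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])
    for r in range(9, 0, -1):
        s = add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), rk[r])
        s = mix_columns(s, True)
    s = sub_bytes(shift_rows(s, True), INV_SBOX)
    return bytes(add_round_key(s, rk[0]))
```

With the FIPS-197 Appendix C.1 key 000102...0f and plaintext 00112233...ff, aes128_encrypt_block returns 69c4e0d86a7b0430d8cdb78070b4c55a.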
Applications
AES is widely used in many applications which require secure data storage and transmission.
Some common use cases include:
• Wireless security: AES is used in securing wireless networks, such as Wi-Fi
networks, to ensure data confidentiality and prevent unauthorized access.
• Database Encryption: AES can be applied to encrypt sensitive data stored in
databases. This helps protect personal information, financial records, and other
confidential data from unauthorized access in case of a data breach.
• Secure communications: AES is widely used in protocols such as internet
communications, email, instant messaging, and voice/video calls. It ensures that the
data remains confidential.
• Data storage: AES is used to encrypt sensitive data stored on hard drives, USB
drives, and other storage media, protecting it from unauthorized access in case of loss
or theft.
BLOWFISH ALGORITHM
Blowfish is an encryption technique designed by Bruce Schneier in 1993 as an alternative
to the DES encryption technique. It is significantly faster than DES and provides a good
encryption rate, with no effective cryptanalysis technique found to date. It is one of the first
secure block ciphers not subject to any patents and hence freely available for anyone to use.
It is a symmetric block cipher algorithm.
1. blockSize: 64-bits
2. keySize: 32-bits to 448-bits variable size
3. number of subkeys: 18 [P-array]
4. number of rounds: 16
5. number of substitution boxes: 4 [each having 512 entries of 32-bits each]
Blowfish Encryption Algorithm
The entire encryption process can be elaborated as:

Lets see each step one by one:


Step 1: Generation of subkeys:
• 18 subkeys {P[0]…P[17]} are needed in both the encryption and the decryption process,
and the same subkeys are used for both processes.
• These 18 subkeys are stored in a P-array, with each array element being a 32-bit entry.
• It is initialized with the digits of pi (π).
• The hexadecimal representation of each of the subkeys is given by:
P[0] = "243f6a88"
P[1] = "85a308d3"
.
.
.
P[17] = "8979fb1b"

• Now each of the subkey is changed with respect to the input key as:
P[0] = P[0] xor 1st 32-bits of input key
P[1] = P[1] xor 2nd 32-bits of input key
.
.
.
P[i] = P[i] xor (i+1)th 32-bits of input key
(roll over to 1st 32-bits depending on the key length)
.
.
.
P[17] = P[17] xor 18th 32-bits of input key
(roll over to 1st 32-bits depending on key length)
The resultant P-array holds 18 subkeys that are used during the entire encryption process.
Step 2: Initialise Substitution Boxes:
• 4 substitution boxes (S-boxes) are needed {S[0]…S[4]} in both the encryption and the
decryption process, with each S-box having 256 entries {S[i][0]…S[i][255],
0 ≤ i ≤ 4} where each entry is 32 bits.
• They are initialized with the digits of pi (π) after the P-array has been initialized.
Step 3: Encryption:
• The encryption function consists of two parts:
a. Rounds: The encryption consists of 16 rounds, with each round (Ri) taking as inputs
the plain text (P.T.) from the previous round and the corresponding subkey (Pi). The
description of each round is as follows:
The description of the function ” F ” is as follows:

Here the function “add” is addition modulo 2^32.


b. Post-processing: The output after the 16 rounds is processed as follows:
RC5 ALGORITHM
RC5 is a symmetric key block encryption algorithm designed by Ron Rivest in 1994. It is
notable for being simple, fast (on account of using only primitive computer operations like
XOR, shift, etc.) and for consuming little memory. Example:
Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Plain Text : 00000000 00000000
Cipher Text : EEDBA521 6D8F4B15
RC5 is a block cipher and addresses two word blocks at a time. Depending on input plain text
block size, number of rounds and key size, various instances of RC5 can be defined and each
instance is denoted as RC5-w/r/b where w=word size in bits, r=number of rounds and b=key
size in bytes. Allowed values are:

Parameter                 Possible Value
block/word size (bits)    16, 32, 64
Number of Rounds          0 – 255
Key Size (bytes)          0 – 255

Note – Since RC5 works on two-word blocks, the plain text block size can be 32, 64 or 128
bits. Notation used in the algorithm:

Symbol     Operation
x <<< y    Cyclic left shift of x by y bits
+          Two’s complement addition of words, where addition is modulo 2^w
^          Bitwise Exclusive-OR

Step-1: Initialization of constants P and Q. RC5 makes use of 2 magic constants P and Q
whose value is defined by the word size w.

Word Size (bits)    P (Hexadecimal)       Q (Hexadecimal)
16                  b7e1                  9e37
32                  b7e15163              9e3779b9
64                  b7e151628aed2a6b      9e3779b97f4a7c15

For any other word size, P and Q can be determined as:

P = Odd((e − 2) · 2^w)        Q = Odd((φ − 1) · 2^w)

Here, Odd(x) is the odd integer nearest to x, e is the base of natural logarithms and φ is the
golden ratio. Step-2: Converting secret key K from bytes to words. The secret key K of size
b bytes is used to initialize an array L consisting of c words, where c = b/u, u = w/8 and w is
the word size used for that particular instance of RC5. For example, if we choose w = 32 bits
and the key K is of size 96 bytes, then u = 32/8 = 4 and c = b/u = 96/4 = 24. L is
pre-initialised to 0 before the secret key K is added to it.
for i = b-1 down to 0:
    L[i/u] = (L[i/u] <<< 8) + K[i]
Step-3: Initializing sub-key S. The sub-key array S of size t = 2(r+1) is initialized using the
magic constants P and Q (additions are modulo 2^w).
S[0] = P
for i = 1 to 2(r+1)-1:
    S[i] = S[i-1] + Q
Step-4: Sub-key mixing. The RC5 encryption algorithm uses the sub-key array S; L is merely a
temporary array formed from the user-entered secret key. The user’s secret key is mixed into
S and L as follows:
i = j = 0
A = B = 0
do 3 * max(t, c) times:
    A = S[i] = (S[i] + A + B) <<< 3
    B = L[j] = (L[j] + A + B) <<< (A + B)
    i = (i + 1) % t
    j = (j + 1) % c
Step-5: Encryption. We divide the input plain text block into two registers A and B, each of
size w bits. After undergoing the encryption process, A and B together form the cipher text
block. RC5 Encryption Algorithm:
1. One-time initialization of the plain text registers A and B by adding S[0] and S[1] to A
and B respectively. These additions are mod 2^w.
2. XOR A and B. A=A^B
3. Cyclic left shift new value of A by B bits.
4. Add S[2*i] to the output of previous step. This is the new value of A.
5. XOR B with new value of A and store in B.
6. Cyclic left shift new value of B by A bits.
7. Add S[2*i+1] to the output of previous step. This is the new value of B.
8. Repeat entire procedure (except one time initialization) r times.
A = A + S[0]
B = B + S[1]
for i = 1 to r do:
    A = ((A ^ B) <<< B) + S[2 * i]
    B = ((B ^ A) <<< A) + S[2 * i + 1]
return A, B
Correspondingly, RC5 decryption is defined as follows (>>> is a cyclic right shift and
subtraction is mod 2^w):
for i = r down to 1 do:
    B = ((B - S[2 * i + 1]) >>> A) ^ A
    A = ((A - S[2 * i]) >>> B) ^ B
B = B - S[1]
A = A - S[0]
return A, B
IDEA ALGORITHM
IDEA uses a block cipher with a block size of 64 bits and a key size of 128 bits. It uses a
series of mathematical operations, including modular arithmetic, bit shifting, and exclusive
OR (XOR) operations, to transform the plaintext into ciphertext. The cipher is designed to be
highly secure and resistant to various types of attacks, including differential and linear
cryptanalysis. One of the strengths of IDEA is its efficient implementation in software and
hardware. The algorithm is relatively fast and requires only a small amount of memory and
processing power. This makes it a popular choice for use in embedded systems and other
applications where resources are limited.
IDEA has been widely used in various encryption applications, although it has been largely
replaced by newer encryption algorithms such as AES (Advanced Encryption Standard) in
recent years. However, IDEA is still considered to be a highly secure and effective encryption
algorithm, and it continues to be used in some legacy systems and applications.
Overview of Simplified International Data Encryption Algorithm (IDEA)
The Simplified IDEA presented here is a modified version of the original algorithm, designed
for educational purposes. While it maintains the core principles of IDEA, it uses smaller
block and key sizes to simplify understanding and implementation.
Block Cipher Structure
The Simplified International Data Encryption Algorithm (IDEA) is a symmetric
key block cipher with the following parameters:
• Plaintext block size: 16 bits (divided into 4-bit chunks)
• Key length: 32 bits
• Output: 16-bit ciphertext
• Processing: Four complete rounds plus one half-round
Subkey Generation Process
• Initial key division into eight 4-bit subkeys.
• Key schedule generation through left rotation.
• Production of 28 subkeys (24 for complete rounds, 4 for half-round).
• Systematic distribution across rounds.
Overview of Rounds and Operations
Each complete round consists of:
• 14 distinct steps using three core operations
• Systematic transformation of data blocks
• Inter-round data swapping
• Final half-round with 4 operations
Mathematical Foundations
Core Operations:
1. Bitwise XOR (^)
2. Addition modulo 2^4 (+)
3. Multiplication modulo (2^4+1) (*)
Key Mathematical Properties:
• Use of algebraic groups with complementary properties
• Exploitation of modular arithmetic for confusion
• Implementation of systematic diffusion through operation mixing
BLOCK CIPHER OPERATION
Encryption algorithms are divided into two categories based on the input type, as a block
cipher and stream cipher. Block cipher is an encryption algorithm that takes a fixed size of
input say b bits and produces a ciphertext of b bits again. If the input is larger than b bits it
can be divided further. For different applications and uses, there are several modes of
operations for a block cipher.
Electronic Code Book (ECB) –
Electronic code book is the easiest block cipher mode of functioning. It is easier because of
direct encryption of each block of input plaintext and output is in form of blocks of encrypted
ciphertext. Generally, if a message is larger than b bits in size, it can be broken down into a
bunch of blocks and the procedure is repeated.
Procedure of ECB is illustrated below:

Advantages of using ECB –


• Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.
• It is the simplest mode of operation of a block cipher.
Disadvantages of using ECB –
• Prone to cryptanalysis since there is a direct relationship between plaintext and
ciphertext.
Cipher Block Chaining –
Cipher block chaining or CBC is an advancement made on ECB since ECB compromises
some security requirements. In CBC, the previous cipher block is given as input to the next
encryption algorithm after XOR with the original plaintext block. In a nutshell here, a cipher
block is produced by encrypting an XOR output of the previous cipher block and present
plaintext block.
The process is illustrated here:
Advantages of CBC –
• CBC works well for input greater than b bits.
• CBC is a good authentication mechanism.
• Better resistive nature towards cryptanalysis than ECB.
Disadvantages of CBC –
• Parallel encryption is not possible since every encryption requires a previous cipher.
Cipher Feedback Mode (CFB) –
In this mode the ciphertext is given as feedback to the next block of encryption, with some
new specifications: first, an initial vector IV is used for the first encryption, and the output
bits are divided into a set of s bits and b−s bits. The left-hand s bits are selected and XORed
with the plaintext bits. The result is given as input to a shift register having b−s bits on the
left-hand side and s bits on the right-hand side, and the process continues. The encryption and
decryption process for the same is shown below; both of them use the encryption algorithm.
Advantages of CFB –
• Since, there is some data loss due to the use of shift register, thus it is difficult for
applying cryptanalysis.
Disadvantages of using CFB –
• The drawbacks of CFB are the same as those of CBC mode. Both block losses and
concurrent encryption of several blocks are not supported by the encryption.
Decryption, however, is parallelizable and loss-tolerant.
Output Feedback Mode –
The output feedback mode follows nearly the same process as the Cipher Feedback mode
except that it sends the encrypted output as feedback instead of the actual cipher which is
XOR output. In this output feedback mode, all bits of the block are sent instead of sending
selected s bits. The Output Feedback mode of block cipher holds great resistance towards bit
transmission errors. It also decreases the dependency or relationship of the cipher on the
plaintext.

Advantages of OFB –
• In the case of CFB, a single bit error in a block is propagated to all subsequent blocks.
This problem is solved by OFB as it is free from bit errors in the plaintext block.
Disadvantages of OFB-
• The drawback of OFB is that, because of its mode of operation, it is more susceptible
to a message stream modification attack than CFB.
Counter Mode –
The Counter Mode or CTR is a simple counter-based block cipher implementation. Every
time a counter-initiated value is encrypted and given as input to XOR with plaintext which
results in ciphertext block. The CTR mode is independent of feedback use and thus can be
implemented in parallel.
Its simple implementation is shown below:
Advantages of Counter –
• Since there is a different counter value for each block, the direct plaintext and
ciphertext relationship is avoided. This means that the same plain text can map to
different ciphertext.
• Parallel execution of encryption is possible as outputs from previous stages are not
chained as in the case of CBC.
Disadvantages of Counter-
• The fact that CTR mode requires a synchronous counter at both the transmitter and
the receiver is a severe drawback. The recovery of plaintext is erroneous when
synchronisation is lost.
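The ECB, CBC and CTR modes described above run over a small block cipher, as an added example (not code from the original text). The 64-bit cipher is a constructed four-round Feistel stand-in for DES/AES, using SHA-256 as the round function so the block runs with the standard library only; the key, IV and plaintext are constructed sample values. It shows the ECB repeated-block leak, CBC's error propagation into the next block, and CTR's feedback-free, length-agnostic keystream.

```python
"""Block cipher modes built over a small Feistel cipher, showing the properties
described above: ECB leaks repeated blocks, CBC chains them, CTR needs no
feedback. Added example for this page, not code from the original text. The
toy 64-bit cipher (SHA-256 as the Feistel round function) is a constructed
stand-in for DES/AES so that the block runs with the standard library only."""
import hashlib

BLOCK = 8   # toy 64-bit block, like DES and Blowfish


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    """Round function: SHA-256(key || round || right half) truncated to 32 bits."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def toy_encrypt(key, block):
    """Four-round Feistel permutation on an 8-byte block."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l   # swap halves so the same loop with reversed rounds decrypts


def toy_decrypt(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def _blocks(data):
    assert len(data) % BLOCK == 0, "ECB/CBC need whole blocks (pad first)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    """Each block on its own: identical plaintext blocks give identical ciphertext."""
    return b"".join(toy_encrypt(key, p) for p in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt(key, c) for c in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    """C_i = E(P_i XOR C_{i-1}) with C_0 = IV: sequential, repeats are hidden."""
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    """P_i = D(C_i) XOR C_{i-1}: a damaged block garbles itself and flips bits in the next."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """Keystream block n = E(nonce || n), XORed with the data; the same call decrypts."""
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = toy_encrypt(key, nonce + n.to_bytes(4, "big"))
        out.append(_xor(data[i:i + BLOCK], keystream))   # last block may be short
    return b"".join(out)


def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier one (an ECB tell-tale)."""
    seen, dup = set(), 0
    for c in _blocks(ct):
        dup += c in seen
        seen.add(c)
    return dup


if __name__ == "__main__":
    key, iv = b"constructed-key!", bytes(8)        # constructed sample values
    pt = b"ATTACK AT DAWN! " * 2                   # blocks 0/2 and 1/3 repeat
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, pt)))      # 2
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, pt)))  # 0
```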
Applications of Block Ciphers
1. Data Encryption: Block Ciphers are widely used for the encryption of private and
sensitive data such as passwords, credit card details and other information that is
transmitted or stored for a communication. This encryption process converts a plain
data into non-readable and complex form. Encrypted data can be decrypted only by
the authorised person with the private keys.
2. File and Disk Encryption: Block Ciphers are used for encryption of entire files and
disks in order to protect their contents and restrict access by unauthorised users. Disk
encryption software such as BitLocker and TrueCrypt also uses block ciphers to encrypt
data and make it secure.
3. Virtual Private Networks (VPN): Virtual Private Networks (VPN) use block cipher
for the encryption of data that is being transmitted between the two communicating
devices over the internet. This process makes sure that data is not accessed by
unauthorised person when it is being transmitted to another user.
STREAM CIPHERS
In a stream cipher, one byte is encrypted at a time, while in a block cipher ~128 bits are
encrypted at a time. Initially, a key (k) is supplied as input to a pseudorandom bit generator,
which produces a random 8-bit output that is treated as the keystream. The resulting
keystream is of size 1 byte, i.e., 8 bits. Stream ciphers are fast because they encrypt data
bit by bit or byte by byte, which makes them efficient for encrypting large amounts of data
quickly. Stream ciphers work well for real-time communication, such as video streaming or
online gaming, because they can encrypt and decrypt data as it’s being transmitted.
Key Points of Stream Cipher
1. A stream cipher follows a sequence of pseudorandom numbers (the keystream).
2. One of the benefits of a stream cipher is that it makes cryptanalysis more difficult,
so the number of bits chosen in the keystream must be long in order to make
cryptanalysis more difficult.
3. By making the key longer it is also made safe against brute force attacks.
4. The longer the key, the stronger the security achieved, preventing attacks.
5. The keystream can be designed more effectively by including a greater number of 1s
and 0s, making cryptanalysis more difficult.
6. A considerable benefit of a stream cipher is that it requires fewer lines of code than a
block cipher.
Encryption
For Encryption,
• Plain Text and Keystream produce the Cipher Text (the same keystream will be used
for decryption).
• The Plaintext undergoes an XOR operation with the keystream bit by bit and produces
the Cipher Text.
Example:
Plain Text  : 10011001
Keystream   : 11000011
----------------------
Cipher Text : 01011010
Decryption
For Decryption,
• Cipher Text and Keystream give the original Plain Text (the same keystream that was
used for encryption).
• The Ciphertext undergoes an XOR operation with the keystream bit by bit and produces
the actual Plain Text.
Example:
Cipher Text : 01011010
Keystream   : 11000011
----------------------
Plain Text  : 10011001
Decryption is just the reverse process of Encryption i.e. performing XOR with Cipher Text.

Diagram of Stream Cipher


Common Stream Ciphers
When people analyze stream ciphers in general, they frequently bring up RC4; it is the most
extensively used stream cipher.
The RC4 cipher operates as follows:
There are many alternative choices. Wikipedia provides a list of 25 distinct kinds of stream
ciphers with a range of costs, speeds, and complexity.
Creating a strong security system involves more than just selecting the appropriate encryption
technique. In addition, firewalls, appropriate key storage, and staff training are necessary
for data protection.
Advantages of Stream Ciphers
Stream ciphers have many advantages, such as:
• Speed: Generally, this type of encryption is quicker than others, such as block ciphers.
• Low complexity: Stream ciphers are simple to implement into contemporary software,
and developers don’t require sophisticated hardware to do so.
• Sequential in nature: Certain companies handle communications written in a
continuous manner. Stream ciphers enable them to transmit data when it’s ready
instead of waiting for everything to be finished because of their bit-by-bit processing.
• Accessibility: Using symmetrical encryption methods like stream ciphers saves
businesses from having to deal with public and private keys. Additionally, computers
are able to select the appropriate decryption key to utilize thanks to mathematical
concepts behind current stream ciphers.
Disadvantages of Stream Ciphers
• If an error occurs during transmission, it can affect subsequent bits, potentially
corrupting the entire message, because some stream ciphers rely on previously
received cipher bits for decryption.
• Maintaining and properly distributing keys to stream ciphers can be difficult,
especially in large systems or networks.
• Some stream ciphers may be predictable or vulnerable to attack if their key stream is
not properly designed, potentially compromising the security of the encrypted data.
RC4 ALGORITHM
RC4 is a stream cipher with a variable-length key. The algorithm encrypts one byte at a time
(or larger units at a time). The key is the input to a pseudorandom bit generator that produces
a stream of 8-bit numbers which is unpredictable without knowledge of the input key. The
output of the generator, called the keystream, is combined one byte at a time with the
plaintext stream using the XOR operation.
Example:
RC4 Encryption
10011000 XOR 01010000 = 11001000

RC4 Decryption
11001000 XOR 01010000 = 10011000
Key-Generation Algorithm – A variable-length key from 1 to 256 bytes is used to initialize
a 256-byte state vector S, with elements S[0] to S[255]. For encryption and decryption, a byte
k is generated from S by selecting one of the 255 entries in a systematic fashion, and then the
entries in S are permuted again.
Key-Scheduling Algorithm: Initialization: The entries of S are set equal to the values from
0 to 255 in ascending order, and a temporary vector T is created. If the length of the key k is
256 bytes, then k is assigned to T. Otherwise, for a key of length k-len bytes, the first k-len
elements of T are copied from K, and then K is repeated as many times as necessary to fill T.
Encrypt using X-Or():
Features of the RC4 encryption algorithm:
1. Symmetric key algorithm: RC4 is a symmetric key encryption algorithm, which
means that the same key is used for encryption and decryption.
2. Stream cipher algorithm: RC4 is a stream cipher algorithm, which means that it
encrypts and decrypts data one byte at a time. It generates a key stream of
pseudorandom bits that are XORed with the plaintext to produce the ciphertext.
3. Variable key size: RC4 supports variable key sizes, from 40 bits to 2048 bits, making
it flexible for different security requirements.
4. Fast and efficient: RC4 is a fast and efficient encryption algorithm that is suitable for
low-power devices and applications that require high-speed data transmission.
5. Widely used: RC4 has been widely used in various applications, including wireless
networks, secure sockets layer (SSL), virtual private networks (VPN), and file
encryption.
6. Vulnerabilities: RC4 has several vulnerabilities, including a bias in the first few bytes
of the keystream, which can be exploited to recover the key. As a result, RC4 is no
longer recommended for use in new applications.

PART – 2 ASYMMETRIC KEY CIPHERS
PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS
Public key cryptography has become an essential means of providing confidentiality,
especially through its use in key distribution, where users seeking a private connection
exchange encryption keys. It also provides digital signatures, which enable users to sign keys
so that their identities can be checked.
The approach of public key cryptography derives from an attempt to attack two of the
most difficult problems associated with symmetric encryption. The first issue is key
distribution. Key distribution under symmetric encryption requires either −
• that two communicants already share a key, which somehow has been distributed to
them, or
• the use of a key distribution center.
Public key Cryptosystem − Asymmetric algorithms depend on one key for encryption and
a distinct but related key for decryption. These algorithms have the following characteristics −
• It is computationally infeasible to determine the decryption key given only knowledge of
the cryptographic algorithm and the encryption key.
• There are two related keys, such that one can be used for encryption and the other
for decryption.
A public key encryption scheme has the following ingredients −
• Plaintext − This is the readable message or data that is fed into the algorithm
as input.
• Encryption algorithm − The encryption algorithm performs various transformations on
the plaintext.
• Public and Private keys − This is a pair of keys selected so that if one is used for
encryption, the other is used for decryption.
• Ciphertext − This is the scrambled message produced as output. It depends on the
plaintext and the key. For a given message, two different keys will produce two different
ciphertexts.
• Decryption Algorithm − This algorithm takes the ciphertext and the matching key and
produces the original plaintext.
The keys generated in public key cryptography are very large, for example 512, 1024, 2048
or more bits. Such keys cannot simply be memorised, so they are stored in devices such as
USB tokens or hardware security modules.
The major issue in public key cryptosystems is that an attacker can masquerade as a
legitimate user by substituting a fake key for the real public key in the public directory.
Moreover, the attacker can intercept the connection or alter those keys.
Public key cryptography plays an essential role in online payment services, e-commerce
and so on. These online services are secure only when the authenticity of the user's public
key and signature is ensured.
The asymmetric cryptosystem should provide the security services of confidentiality,
authentication, integrity and non-repudiation. The public key supports the security
services of non-repudiation and authentication. The security services of confidentiality
and integrity are considered part of the encryption process carried out with the private key
of the user.
RSA ALGORITHM
RSA algorithm is an asymmetric cryptography algorithm. Asymmetric means that it works
on two different keys i.e. Public Key and Private Key. As the name describes the Public Key
is given to everyone and the Private key is kept private.
An example of asymmetric cryptography:
1. A client (for example browser) sends its public key to the server and requests some
data.
2. The server encrypts the data using the client’s public key and sends the encrypted
data.
3. The client receives this data and decrypts it.
Since this is asymmetric, nobody else except the browser can decrypt the data even if a third
party has the public key of the browser.
The idea: RSA is based on the fact that it is difficult to factorize a large integer.
The public key consists of two numbers, one of which is the product of two large prime
numbers, and the private key is derived from the same two primes. So if somebody can
factorize the large number, the private key is compromised. Therefore the encryption
strength lies in the key size, and if we double or triple the key size, the strength of
encryption increases exponentially. RSA keys are typically 1024 or 2048 bits long, but
experts believe that 1024-bit keys could be broken before long; so far, however, this has
remained an infeasible task.
Advantages
• Security: RSA algorithm is considered to be very secure and is widely used for secure
data transmission.
• Public-key cryptography: RSA algorithm is a public-key cryptography algorithm,
which means that it uses two different keys for encryption and decryption. The public
key is used to encrypt the data, while the private key is used to decrypt the data.
• Key exchange: RSA algorithm can be used for secure key exchange, which means
that two parties can exchange a secret key without actually sending the key over the
network.
• Digital signatures: RSA algorithm can be used for digital signatures, which means
that a sender can sign a message using their private key, and the receiver can verify
the signature using the sender’s public key.
• Speed: The RSA technique is suited for use in real-time applications since it is
quite quick and effective.
• Widely used: Online banking, e-commerce, and secure communications are just a
few of the fields and applications in which the RSA algorithm is extensively deployed.
Disadvantages
• Slow processing speed: RSA algorithm is slower than other encryption algorithms,
especially when dealing with large amounts of data.
• Large key size: RSA algorithm requires large key sizes to be secure, which means
that it requires more computational resources and storage space.
• Vulnerability to side-channel attacks: RSA algorithm is vulnerable to side-channel
attacks, which means an attacker can use information leaked through side channels
such as power consumption, electromagnetic radiation, and timing analysis to extract
the private key.
• Limited use in some applications: RSA algorithm is not suitable for some
applications, such as those that require constant encryption and decryption of large
amounts of data, due to its slow processing speed.
• Complexity: The RSA algorithm is a sophisticated mathematical technique that some
individuals may find challenging to comprehend and use.
• Key Management: The secure administration of the private key is necessary for the
RSA algorithm, although in some cases this can be difficult.
• Vulnerability to Quantum Computing: Quantum computers have the ability to
attack the RSA algorithm, potentially decrypting the data.
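A worked example, added here and not taken from the notes, of the RSA arithmetic behind the description above: key generation from two primes, encryption, signing and verification, and a toy demonstration of why factoring the modulus recovers the private key. The primes 61 and 53 and message 65 are illustrative constants; real deployments use 2048-bit or larger moduli with OAEP/PSS padding from a vetted library.

```python
# Added example (not from the notes): textbook RSA with small primes so that
# each step is visible.  Toy arithmetic only: no padding, no real key sizes.
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17):
    """n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns (public, private) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    """Anyone with the public key can encrypt: c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    """Only the private-key holder can decrypt: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def rsa_sign(priv, digest: int) -> int:
    """Signing applies the private exponent to the (hashed) message."""
    n, d = priv
    return pow(digest, d, n)


def rsa_verify(pub, digest: int, sig: int) -> bool:
    """Verification applies the public exponent and compares."""
    n, e = pub
    return pow(sig, e, n) == digest


def recover_private_key(pub):
    """Why factoring breaks RSA: for a toy modulus, trial division finds p and
    q, and from them phi and d follow at once.  For properly sized moduli
    this search is infeasible, which is the basis of RSA's security."""
    n, e = pub
    p = 2
    while n % p != 0:
        p += 1
    q = n // p
    return p, q, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)          # n = 3233, e = 17, d = 2753
    c = rsa_encrypt(pub, 65)                # 2790
    print(pub, priv, c, rsa_decrypt(priv, c))
    sig = rsa_sign(priv, 123)
    print(rsa_verify(pub, 123, sig), rsa_verify(pub, 124, sig))   # True False
    print(recover_private_key(pub))         # (53, 61, 2753)
```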
ELGAMAL CRYPTOGRAPHY
ElGamal Encryption is a public-key cryptosystem. It uses asymmetric key encryption for
communicating between two parties and encrypting the message. This cryptosystem is based
on the difficulty of finding discrete logarithms in a cyclic group: even if we know
g^a and g^k, it is extremely difficult to compute g^(ak). In this article, we will get to know
about the ElGamal algorithm, the components of the algorithm, its advantages and disadvantages,
and the implementation of the ElGamal cryptosystem in Python.
Elgamal Cryptographic Algorithm
The ElGamal cryptographic algorithm is an asymmetric key encryption scheme based on
the Diffie-Hellman key exchange. It was invented by Taher ElGamal in 1985. The algorithm
is widely used for secure data transmission and has applications in digital signatures and
encryption. Here’s an overview of its components and how it works:
Components of the ElGamal Algorithm
1. Key Generation:
• Public Parameters: Select a large prime number p and a generator g of the
multiplicative group Z_p^*.
• Private Key: Select a private key x such that 1 ≤ x ≤ p − 2.
• Public Key: Compute h = g^x mod p. The public key is (p, g, h) and the private
key is x.
2. Encryption:
• To encrypt a message M:
o Choose a random integer k such that 1 ≤ k ≤ p − 2.
o Compute C1 = g^k mod p.
o Compute C2 = M · h^k mod p.
o The ciphertext is (C1, C2).
3. Decryption:
• To decrypt the ciphertext (C1, C2) using the private key x:
o Compute the shared secret s = C1^x mod p.
o Compute s^−1 mod p (the modular inverse of s).
o Compute the original message M = C2 · s^−1 mod p.
ElGamal Encryption Flowchart
Idea of ElGamal Cryptosystem
Suppose Alice wants to communicate with Bob.
1. Bob generates public and private keys:
• Bob chooses a very large number q and a cyclic group Fq.
• From the cyclic group Fq, he chooses an element g and an element a such that
gcd(a, q) = 1.
• Then he computes h = g^a.
• Bob publishes F, h = g^a, q, and g as his public key and retains a as his private
key.
2. Alice encrypts data using Bob's public key:
• Alice selects an element k from the cyclic group F such that gcd(k, q) = 1.
• Then she computes p = g^k and s = h^k = g^(ak).
• She multiplies s with M.
• Then she sends (p, M*s) = (g^k, M*s).
3. Bob decrypts the message:
• Bob calculates s′ = p^a = g^(ak).
• He divides M*s by s′ to obtain M, since s = s′.
Applications of ElGamal Encryption Algorithm
1. Encryption: ElGamal is used for encrypting messages where public key cryptography
is required.
2. Digital Signatures: A variant of ElGamal is used for creating digital signatures,
ensuring message authenticity and integrity.
Advantages
• Security: ElGamal is based on the discrete logarithm problem, which is considered to
be a hard problem to solve. This makes it secure against attacks from hackers.
• Key distribution: The encryption and decryption keys are different, making it easier
to distribute keys securely. This allows for secure communication between multiple
parties.
• Digital signatures: ElGamal can also be used for digital signatures, which allows for
secure authentication of messages.
Disadvantages
• Slow processing: ElGamal is slower compared to other encryption algorithms,
especially when used with long keys. This can make it impractical for certain
applications that require fast processing speeds.
• Key size: ElGamal requires larger key sizes to achieve the same level of security as
other algorithms. This can make it more difficult to use in some applications.
• Vulnerability to certain attacks: ElGamal is vulnerable to attacks based on the
discrete logarithm problem, such as the index calculus algorithm. This can reduce the
security of the algorithm in certain situations.
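Key generation, encryption and decryption following the component list and the Alice/Bob walkthrough above, as an added example that is not the notes' own code. The prime p = 2579 and generator g = 2 are constructed for illustration (p − 1 = 2 × 1289, so the generator check is easy); x = 765, k = 853 and M = 1299 are arbitrary demo values.

```python
# Added example (not from the notes): ElGamal with a small prime so every
# value can be printed.  Demo parameters only; real use needs a large prime.
import secrets


def is_generator(g: int, p: int, prime_factors_of_p_minus_1) -> bool:
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)


def elgamal_keygen(p: int, g: int, x: int):
    """Private key x with 1 <= x <= p-2; public key (p, g, h) where h = g^x mod p."""
    if not 1 <= x <= p - 2:
        raise ValueError("x must satisfy 1 <= x <= p-2")
    return (p, g, pow(g, x, p)), x


def elgamal_encrypt(pub, M: int, k: int = None):
    """C1 = g^k mod p, C2 = M * h^k mod p.  k must be fresh and unpredictable
    for every message; a fixed k is accepted here only to make a run reproducible."""
    p, g, h = pub
    if not 0 < M < p:
        raise ValueError("message must be an integer in (0, p)")
    if k is None:
        k = secrets.randbelow(p - 2) + 1           # 1 <= k <= p-2
    return pow(g, k, p), (M * pow(h, k, p)) % p


def elgamal_decrypt(priv_x: int, p: int, ct) -> int:
    """s = C1^x mod p, then M = C2 * s^-1 mod p."""
    C1, C2 = ct
    s = pow(C1, priv_x, p)
    s_inv = pow(s, -1, p)              # modular inverse (Python 3.8+)
    return (C2 * s_inv) % p


if __name__ == "__main__":
    p, g = 2579, 2
    print("g is a generator:", is_generator(g, p, [2, 1289]))   # True
    pub, x = elgamal_keygen(p, g, 765)
    ct = elgamal_encrypt(pub, 1299, k=853)        # fixed k for a reproducible run
    print("public key", pub, "ciphertext", ct)
    print("decrypted", elgamal_decrypt(x, p, ct))  # 1299
    # A fresh random k gives a different ciphertext for the same M each time.
    print(elgamal_encrypt(pub, 1299) != ct)
```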
DIFFIE – HELLMAN KEY EXCHANGE
Diffie-Hellman algorithm:
The Diffie-Hellman algorithm is used to establish a shared secret that can be used for
secret communication while exchanging data over a public network, using the elliptic curve
to generate points and obtain the secret key from the parameters.
• For the sake of simplicity and practical implementation of the algorithm, we
consider only four variables: one prime P, G (a primitive root of P) and two private
values a and b.
• P and G are both publicly available numbers. The users (say Alice and Bob) pick private
values a and b, each generates a key from them and exchanges it publicly. The other party
receives that key and from it generates the secret key, after which both have the same
secret key to encrypt with.

Step-by-step explanation is as follows:

Alice                                        Bob
Public keys available = P, G                 Public keys available = P, G
Private key selected = a                     Private key selected = b
Key generated: x = G^a mod P                 Key generated: y = G^b mod P
              Exchange of generated keys takes place
Key received = y                             Key received = x
Generated secret key: ka = y^a mod P         Generated secret key: kb = x^b mod P

Algebraically, it can be shown that ka = kb.
Users now have a symmetric secret key to encrypt.

Example:
Step 1: Alice and Bob get public numbers P = 23, G = 9
Step 2: Alice selected a private key a = 4 and
Bob selected a private key b = 3
Step 3: Alice and Bob compute public values
Alice: x =(9^4 mod 23) = (6561 mod 23) = 6
Bob: y = (9^3 mod 23) = (729 mod 23) = 16
Step 4: Alice and Bob exchange public numbers
Step 5: Alice receives public key y =16 and
Bob receives public key x = 6
Step 6: Alice and Bob compute symmetric keys
Alice: ka = y^a mod P = (16^4 mod 23) = (65536 mod 23) = 9
Bob: kb = x^b mod P = (6^3 mod 23) = (216 mod 23) = 9
Step 7: 9 is the shared secret.
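The exchange above with the notes' numbers (P = 23, G = 9, a = 4, b = 3), as an added example that is not part of the original notes. It also computes the order of G in Z_P^*, which the text assumes to be a primitive root; for G = 9 the check shows an order of 11, not 22, so the shared secret ranges over only 11 values, a useful sanity check on any chosen parameters.

```python
# Added example (not from the notes): Diffie-Hellman with the notes' toy
# parameters plus an order check on G.  Real use needs a large safe prime.
import secrets


def dh_public(P: int, G: int, private: int) -> int:
    """Value each side publishes: G^private mod P."""
    return pow(G, private, P)


def dh_shared(P: int, received: int, private: int) -> int:
    """Shared secret from the other side's public value: received^private mod P."""
    return pow(received, private, P)


def multiplicative_order(G: int, P: int) -> int:
    """Smallest t >= 1 with G^t = 1 mod P (brute force; P is tiny here).
    G is a primitive root of P exactly when t == P - 1."""
    t, acc = 1, G % P
    while acc != 1:
        acc = (acc * G) % P
        t += 1
    return t


def dh_exchange(P: int, G: int, a: int, b: int):
    """Run both sides and return (x, y, ka, kb) as in the table above."""
    x = dh_public(P, G, a)         # Alice sends x
    y = dh_public(P, G, b)         # Bob sends y
    ka = dh_shared(P, y, a)        # Alice computes y^a mod P
    kb = dh_shared(P, x, b)        # Bob computes x^b mod P
    return x, y, ka, kb


if __name__ == "__main__":
    P, G = 23, 9
    x, y, ka, kb = dh_exchange(P, G, a=4, b=3)
    print(f"x={x} y={y} ka={ka} kb={kb}")             # x=6 y=16 ka=9 kb=9
    # 9 has order 11 mod 23, so it generates only the quadratic residues:
    # the shared secret can take at most 11 distinct values.
    print("order of G:", multiplicative_order(G, P))   # 11
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    print(dh_exchange(P, G, a, b)[2:])                   # random run, still equal
```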
KNAPSACK ALGORITHM
Knapsack Encryption Algorithm is the first general public key cryptography algorithm. It
was developed by Ralph Merkle and Martin Hellman in 1978. As it is public key
cryptography, it needs two different keys: the Public key, which is used for the
Encryption process, and the Private key, which is used for the Decryption process. In this
algorithm we use two different knapsack problems, one easy and the other hard.
The easy knapsack is used as the private key and the hard knapsack is used as the public key.
The easy knapsack is used to derive the hard knapsack. For the easy knapsack, we
choose a super-increasing problem. A super-increasing knapsack is a sequence in which every
term is greater than the sum of all preceding terms.
Example –
{1, 2, 4, 10, 20, 40} is a super increasing as
1<2, 1+2<4, 1+2+4<10, 1+2+4+10<20 and 1+2+4+10+20<40.
Derive the Public key
• Step-1: Choose a super increasing knapsack {1, 2, 4, 10, 20, 40} as the private key.
• Step-2: Choose two numbers n and m. Multiply all the values of the private key by
the number n and then reduce modulo m. The value of m must be greater than the sum of
all values in the private key, for example 110. The number n should have no common
factor with m, for example 31.
• Step-3: Calculate the values of the Public key using m and n.
1 x 31 mod 110 = 31
2 x 31 mod 110 = 62
4 x 31 mod 110 = 14
10 x 31 mod 110 = 90
20 x 31 mod 110 = 70
40 x 31 mod 110 = 30
• Thus, our public key is {31, 62, 14, 90, 70, 30}
and our private key is {1, 2, 4, 10, 20, 40}.

Now take an example for understanding the process of encryption and decryption.
Example – Let our plain text be 100100111100101110.
1. Encryption : As our knapsacks contain six values, we split our plain text into
groups of six:
100100 111100 101110
Multiply each value of the public key with the corresponding values of each group and take
their sum.
100100 {31, 62, 14, 90, 70, 30}
1x31+0x62+0x14+1x90+0x70+0x30 = 121
111100 {31, 62, 14, 90, 70, 30}
1x31+1x62+1x14+1x90+0x70+0x30 = 197
101110 {31, 62, 14, 90, 70, 30}
1x31+0x62+1x14+1x90+1x70+0x30 = 205
So, our cipher text is 121 197 205.
2. Decryption : The receiver receives the cipher text which has to be decrypted. The receiver
also knows the values of m and n.
So, first, we need to find n^−1, the multiplicative inverse of n mod m, i.e.,
n x n^−1 mod m = 1
31 x n^−1 mod 110 = 1
n^−1 = 71
Now, we have to multiply 71 with each block of cipher text and take modulo m.
121 x 71 mod(110) = 11
Then, we will have to make the sum of 11 from the values of private key {1, 2, 4, 10, 20, 40}
i.e., 1+10=11 so make the corresponding bits 1 and others 0 which is 100100. Similarly,
197 x 71 mod(110) = 17
1+2+4+10=17 = 111100
And, 205 x 71 mod(110) = 35
1+4+10+20=35 = 101110
After combining them we get the decoded text.
100100111100101110 which is our plain text.
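The Merkle-Hellman steps above, as an added example that is not the notes' own code, using the notes' parameters (private key {1, 2, 4, 10, 20, 40}, n = 31, m = 110) and plaintext 100100111100101110. It adds the parameter checks (super-increasing sequence, m > sum, gcd(n, m) = 1) and the greedy decoding of each decrypted block.

```python
# Added example (not from the notes): Merkle-Hellman knapsack with the
# notes' toy parameters.  Historical scheme, shown for the arithmetic only.
from math import gcd


def is_super_increasing(seq) -> bool:
    """Each term must exceed the sum of all preceding terms."""
    total = 0
    for v in seq:
        if v <= total:
            return False
        total += v
    return True


def make_public_key(private, n: int, m: int):
    """Public (hard) knapsack: each private term times n, modulo m."""
    if not is_super_increasing(private):
        raise ValueError("private knapsack must be super-increasing")
    if m <= sum(private) or gcd(n, m) != 1:
        raise ValueError("need m > sum(private) and gcd(n, m) == 1")
    return [(v * n) % m for v in private]


def knapsack_encrypt(public, bits: str):
    """Split the bit string into blocks of len(public) and sum the selected terms."""
    size = len(public)
    if len(bits) % size or set(bits) - {"0", "1"}:
        raise ValueError("plaintext must be a bit string whose length is a multiple of the block size")
    blocks = [bits[i:i + size] for i in range(0, len(bits), size)]
    return [sum(w for b, w in zip(block, public) if b == "1") for block in blocks]


def solve_super_increasing(private, target: int) -> str:
    """Greedy decode: scan from the largest term down, take it if it still fits."""
    bits = ["0"] * len(private)
    for i in range(len(private) - 1, -1, -1):
        if private[i] <= target:
            bits[i] = "1"
            target -= private[i]
    if target != 0:
        raise ValueError("not a valid knapsack sum")
    return "".join(bits)


def knapsack_decrypt(private, n: int, m: int, cipher) -> str:
    """Multiply each block by n^-1 mod m, then solve the easy knapsack."""
    n_inv = pow(n, -1, m)               # 31^-1 mod 110 = 71
    return "".join(solve_super_increasing(private, (c * n_inv) % m) for c in cipher)


if __name__ == "__main__":
    private, n, m = [1, 2, 4, 10, 20, 40], 31, 110
    public = make_public_key(private, n, m)           # [31, 62, 14, 90, 70, 30]
    ct = knapsack_encrypt(public, "100100111100101110")
    print(public, ct)                                  # [121, 197, 205]
    print(knapsack_decrypt(private, n, m, ct))         # 100100111100101110
```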

UNIT – 3 CRYPTOGRAPHIC HASH FUNCTIONS, MESSAGE AUTHENTICATION CODES & KEY MANAGEMENT AND
DISTRIBUTION
PART – 1 CRYPTOGRAPHIC HASH FUNCTIONS
MESSAGE AUTHENTICATION
Data is prone to various attacks. One of these threats concerns message authentication: it
arises when the receiver has no information about the originator of the message.
Message authentication can be achieved using cryptographic methods, which in turn make use
of keys.
Message Authentication Functions:
All message authentication and digital signature mechanisms are based on two functionality
levels:
• Lower level: At this level, there is a need for a function that produces an
authenticator, which is the value that will further help in the authentication of a
message.
• Higher-level: The lower level function is used here in order to help receivers verify
the authenticity of messages.
These message authentication functions are divided into three classes:
• Message encryption: While sending data over the internet, there is always a risk of a
Man in the middle (MITM) attack. A possible solution for this is to use message
encryption. In message encryption, the data is first converted to ciphertext and only then
sent on. Message encryption can be done in two ways:
• Symmetric Encryption: Say we have to send the message M from a source P to
destination Q. This message M can be encrypted using a secret key K that both P and
Q share. Without this key K, no other person can get the plain text from the
ciphertext. This maintains confidentiality. Further, Q can be sure that P has sent the
message. This is because other than Q, P is the only party who possesses the key K
and thus the ciphertext can be decrypted only by Q and no one else. This maintains
authenticity. At a very basic level, symmetric encryption looks like this:

• Public key Encryption: Public key encryption is not as advanced as symmetric
encryption as it provides confidentiality but not authentication. To provide both
authentication and confidentiality, the private key is used.
• Message authentication code (MAC): A message authentication code is a security
code that the user of a computer has to type in order to access any account or portal.
These codes are recognized by the system so that it can grant access to the right user.
These codes help in maintaining information integrity. It also confirms the
authenticity of the message.
• Hash function: A hash function is nothing but a mathematical function that can
convert a numeric value into another numeric value that is compressed. The input to
this hash function can be of any length but the output is always of fixed length. The
values that a hash function returns are called the message digest or hash values.
Measures to deal with these attacks:
Each of the above attacks has to be dealt with differently.
• Message Confidentiality: To prevent the messages from being revealed, care must be
taken during the transmission of messages. For this, the message should be encrypted
before it is sent over the network.

• Message Authentication: To deal with the analysis of traffic and deception issues,
message authentication is helpful. Here, the receiver can be sure of the real sender and
his identity. To do this, these methods can be incorporated:
o Parties should share secret codes that can be used at the time of identity
authentication.
o Digital signatures are helpful in the authentication.
o A third party can be relied upon for verifying the authenticity of parties.
• Digital Signatures: Digital signatures provide help against a majority of these issues.
With the help of digital signatures, content, sequence, and timing of the messages can
be easily monitored. Moreover, it also prevents denial of message transmission by the
source.
• Combination of protocols with Digital Signatures: This is needed to deal with the
denial of messages received. Here, the use of digital signature is not sufficient and it
additionally needs protocols to support its monitoring.
SECURE HASH ALGORITHM (SHA – 512)
SHA-512, or Secure Hash Algorithm 512, is a hashing technique that converts text of arbitrary
length into a fixed-size string. Each SHA-512 output has a length of 512 bits (64 bytes).
This algorithm is frequently used for email address hashing, password hashing, and digital
record verification. SHA-512 is also used in blockchain technology, the BitShares
network being the best-known example.
In this chapter we will look at the origins of SHA-512 and how it works with the application
of this algorithm.
What is SHA-512?
SHA-512 generates a hash value of 512 bits (64 bytes), making it one of the largest hash
functions in the SHA-2 family. SHA-512, like all cryptographic hash algorithms, has the
following basic properties −
• Deterministic − The same input will always get the same result.
• Fast to compute − The hash for any given data can be calculated very quickly.
• Irreversible − You can not determine the original input from its hash.
• Collision-resistant − It is computationally challenging to discover two distinct inputs
that generate the same hash.
• Avalanche effect − A small change in input (even flipping a single bit) results in a
significantly different hash.
How SHA-512 Works?
Without going too far into the mathematical concepts, SHA-512 operates as follows −
• Initialization − It starts with eight hash values calculated from the square roots of the
first eight prime numbers.
• Pre-processing − The input message is padded so that it is a multiple of the Block
size. The original message's 128-bit length (before padding) is added to the very end
of the padded message.
• Parsing − The message is then separated into 1024-bit parts.
• Main Loop − The main loop processes each 1024-bit block in 80 rounds, manipulating
the data via logical operations, bitwise shifts, and modular arithmetic.
• Output − After all of the blocks have been processed, the resulting 512-bit message
digest is output as the hash.
Algorithm
The SHA-512 algorithm consists of the following steps −
• Message Padding − First, your message is padded to ensure that it is the correct size
for the algorithm. This ensures that it can be broken down into blocks and processed.
• Initial hash values − The algorithm starts with eight initial hash values. These set
values serve as the basis for the hashing procedure.
• Message processing − The padded message is divided into blocks. Each block
progresses over a series of stages known as rounds. In each round, the block is mixed
and adjusted using specific techniques.
• Final hash value − After all blocks have been processed, the hash value is computed.
This hash value serves as a unique fingerprint for the original message.
• Output − The SHA-512 algorithm generates the final hash result, which is generally a
string of hexadecimal digits. This is the value returned after hashing your original
message.
Applications
SHA-512 and its siblings from the SHA-2 family are commonly used in a number of security
applications and protocols, including −
• Digital signatures are used to validate the integrity of a message or document.
• Certificate creation is a process used by Certificate Authorities (CAs) to assure the
security of digital certificates.
• Password hashing involves storing passwords in databases as hashes rather than plain
text.
• Blockchain and cryptocurrencies: Used to ensure data integrity and security.
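The parts of SHA-512 described above that fit in a few lines, as an added example that is not from the notes: the initial hash value derived from the square root of a prime, the padding and 1024-bit parsing of the pre-processing step, and the avalanche effect measured with Python's hashlib implementation; the sample messages are constructed.

```python
# Added example (not from the notes): SHA-512 initial value, pre-processing
# (padding + parsing) and avalanche measurement using hashlib for the digest.
import hashlib
from math import isqrt


def sha512_initial_value(prime: int) -> int:
    """First 64 bits of the fractional part of sqrt(prime): this is how the
    eight SHA-512 initial hash values H0..H7 are defined (primes 2 to 19).
    isqrt(prime << 128) is floor(sqrt(prime) * 2^64); the mask keeps the fraction."""
    return isqrt(prime << 128) & ((1 << 64) - 1)


def sha512_pad(message: bytes) -> bytes:
    """Pre-processing: append 0x80, then zeros up to 16 bytes short of a
    1024-bit boundary, then the original bit length as a 128-bit big-endian integer."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + bit_len.to_bytes(16, "big")


def sha512_blocks(message: bytes):
    """Parsing: the padded message split into 1024-bit (128-byte) blocks."""
    padded = sha512_pad(message)
    return [padded[i:i + 128] for i in range(0, len(padded), 128)]


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(message: bytes, bit: int = 0) -> int:
    """Flip one input bit and count how many of the 512 output bits change
    (about half of them for a well-behaved hash)."""
    flipped = bytearray(message)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return bits_changed(hashlib.sha512(message).digest(),
                        hashlib.sha512(bytes(flipped)).digest())


if __name__ == "__main__":
    print(hex(sha512_initial_value(2)))        # 0x6a09e667f3bcc908, the H0 constant
    for msg in (b"", b"abc", b"x" * 111, b"x" * 112):   # constructed sample inputs
        print(len(msg), "byte(s) ->", len(sha512_blocks(msg)), "block(s)")
    print(avalanche(b"The quick brown fox"), "of 512 bits changed")
    print(hashlib.sha512(b"abc").hexdigest()[:32], "...")
```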

PART – 2 MESSAGE AUTHENTICATION CODES
AUTHENTICATION REQUIREMENTS
Authentication Requirements:
• Revelation: It means releasing the content of the message to someone who does not
have an appropriate cryptographic key.
• Analysis of Traffic: Determination of the pattern of traffic through the duration of
connection and frequency of connections between different parties.
• Deception: Adding out of context messages from a fraudulent source into a
communication network. This will lead to mistrust between the parties
communicating and may also cause loss of critical data.
• Modification in the Content: Changing the content of a message. This includes
inserting new information or deleting/changing the existing one.
• Modification in the sequence: Changing the order of messages between parties. This
includes insertion, deletion, and reordering of messages.
• Modification in the Timings: This includes replay and delay of messages sent
between different parties. This way session tracking is also disrupted.
• Source Refusal: When the source denies being the originator of a message.
• Destination refusal: When the receiver of the message denies the reception.
HMAC
HMAC (Hash-based Message Authentication Code) is a type of message authentication code
(MAC) that is acquired by executing a cryptographic hash function on the data that is to be
authenticated and a secret shared key. Like any of the MACs, it is used for both data integrity
and authentication.
What is HMAC?
HMAC (Hash-Based Message Authentication Code) is a cryptographic technique that
ensures data integrity and authenticity using a hash function and a secret key, unlike
approaches based on signatures and asymmetric cryptography. Checking data integrity is
necessary for the parties involved in communication. HTTPS, SFTP, FTPS, and other transfer
protocols use HMAC. The cryptographic hash function may be MD5, SHA-1, or SHA-256.
Digital signatures are broadly similar to HMACs in that both employ a hash function and a
key. The difference lies in the keys: HMAC uses a symmetric key (the same copy on both sides),
while signatures use an asymmetric key pair (two different keys).
Working of Hash-based Message Authentication Code
HMACs provide the client and server with a shared private key that is known only to them. The
client makes a unique hash (HMAC) for every request. When the client sends a request to the
server, it hashes the request data with the private key and sends the result as part of the
request. The message and the key are hashed in separate steps, which makes the construction
secure. When the server receives the request, it computes its own HMAC. The two HMACs are
compared, and if they are equal the client is considered legitimate.
The formula for HMAC:
HMAC = hashFunc(secret key + message)
There are three types of authentication functions: message encryption, message
authentication code, and hash functions. The major difference between a MAC and a hash
(HMAC here) is the dependence on a key. In HMAC we apply the hash function together with a
key to the plain text. The hash function is applied to the plain text message, but before
applying it we compute S bits, append them to the plain text, and only then apply the hash
function. For generating those S bits we make use of a key that is shared between the sender
and receiver.
Using key K (0 < K < b), K+ is generated by padding 0's on the left side of key K until the
length becomes b bits. The reason it is not padded on the right is the change (increase) in the
length of the key. The length is b bits because b is the block size of the plain text. There
are two predefined padding constants called ipad and opad. All this is done before applying the
hash function to the plain text message.
ipad - 00110110
opad - 01011100
Now we have to calculate the S bits:
1. K+ is XORed with ipad and the result is S1, which is b bits since both K+ and ipad are
b bits. We have to append S1 to the plain text message. Let P be the plain text message.
2. S1, P0, P1 up to Pm are each b bits, where m is the number of plain text blocks, Pi is a
plain text block and b is the plain text block size. After appending S1 to the plain text we
apply the HASH algorithm (any variant). At the same time we supply an initialization vector
(IV), which is a buffer of size n bits. The result produced is therefore an n-bit hashcode,
i.e. H(S1 || M).
3. Similarly, the n bits are padded to b bits, and K+ is XORed with opad producing S2 bits.
S2 is placed before those b bits and once again the hash function is applied with the IV to
the block. This finally results in the n-bit hashcode H(S2 || H(S1 || M)).
Summary of Calculation
1. Select K. If K < b, pad 0's on the left until K = b. K is between 0 and b (0 < K < b).
2. XOR K+ with ipad (b bits) producing S1 bits.
3. Append S1 with the plain text M.
4. Apply SHA-512 on (S1 || M).
5. Pad the n bits until the length is equal to b bits.
6. XOR K+ with opad (b bits) producing S2 bits.
7. Append S2 with the output of step 5.
8. Apply SHA-512 on the result of step 7 to output the n-bit hashcode.
Security in Hash-based Message Authentication Code
HMAC is more secure than a plain MAC since the key and message are hashed in different steps:
HMAC(key, message) = H(mod1(key) || H(mod2(key) || message)).
The data is initially hashed by the client using the private key before being sent to the
server as part of the request. The server then creates its own HMAC. This ensures that the
process is not vulnerable to attacks which could result in crucial data being disclosed as
subsequent MACs are generated. Additionally, once the procedure is completed, the delivered
message becomes irreversible and resistant to hackers. Even if a malicious party attempts to
steal the communication, they will be unable to determine its length or decrypt it because
they do not have the decryption key.
Advantages of HMAC
• HMACs are ideal for high-performance systems like routers due to the use of hash
functions which are calculated and verified quickly unlike the public key systems.
• Digital signatures are larger than HMACs, yet the HMACs provide comparably
higher security.
• HMACs are used in administrations where public key systems are prohibited.
Disadvantages of HMAC
• HMACs use a shared key, which means they cannot provide non-repudiation. If either the
sender's or the receiver's key is compromised, it will be easy for attackers to create
unauthorized messages.
• Securely managing and distributing secret keys can be challenging.
• Although unlikely, hash collisions (where two different messages produce the same
hash) can occur.
• The security of HMAC depends on the length of the secret key. Short keys are more
vulnerable to brute-force attacks.
• The security of HMAC relies on the strength of the chosen hash function (e.g., SHA-
256). If the hash function is compromised, HMAC is also affected.
Applications of HMAC
• Verification of e-mail address during activation or creation of an account.
• Authentication of form data that is sent to the client browser and then submitted back.
• HMACs can be used for Internet of things (IoT) due to less cost.
• Whenever there is a need to reset the password, a link that can be used once is sent
without adding a server state.
• It can take a message of any length and convert it into a fixed-length message digest.
That is, even if you have a long message, the message digest will be small, which
permits maximizing bandwidth.
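The ipad/opad construction from the "Working" and "Summary of Calculation" passages above in runnable form, as an added example that is not the notes' own code, cross-checked against Python's hmac module. It follows RFC 2104 as the standard library does: the key is zero-padded on the right to the block size b (128 bytes for SHA-512) and hashed first if longer, with ipad = 0x36 (00110110) and opad = 0x5C (01011100); the key and message are constructed demo values.

```python
# Added example (not from the notes): HMAC from the ipad/opad construction,
# verified against the standard library, plus a constant-time verify.
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C                # 00110110 and 01011100


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha512") -> bytes:
    """HMAC = H((K+ xor opad) || H((K+ xor ipad) || M))."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size   # 128 for SHA-512, 64 for SHA-256
    if len(key) > b:
        key = h(key)                         # keys longer than b are hashed first
    k_plus = key.ljust(b, b"\x00")           # K+: key zero-padded to b bytes
    s1 = bytes(x ^ IPAD for x in k_plus)     # K+ xor ipad
    s2 = bytes(x ^ OPAD for x in k_plus)     # K+ xor opad
    inner = h(s1 + message)                  # H(S1 || M), an n-bit hashcode
    return h(s2 + inner)                     # H(S2 || H(S1 || M))


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha512") -> bool:
    """Cross-check the manual construction against hmac.new()."""
    return hmac_manual(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha512") -> bool:
    """Receiver side: recompute and compare in constant time.  A plain ==
    comparison stops at the first differing byte, which leaks timing information
    about how much of a presented tag was correct."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # demo key, not a real secret
    msg = b"amount=100&to=alice"             # constructed sample message
    tag = hmac_manual(key, msg)
    print(tag.hex()[:32], "...")
    print(matches_stdlib(key, msg))                             # True
    print(hmac_verify(key, msg, tag))                           # True
    print(hmac_verify(key, b"amount=900&to=alice", tag))        # False
```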
CMAC
The Cipher-Based Message Authentication Code (CMAC) is a cryptographic technique used
for message authentication. It is designed to provide strong security against various types of
attacks, including message forgery and replay attacks. CMAC is a block cipher-based
algorithm that generates a fixed-length message authentication code (MAC) for a given
message.
In this article, we will explain in detail the working of CMAC, its features, advantages, and
limitations.
Working of CMAC:
CMAC is a block cipher-based algorithm that uses a secret key to generate a message
authentication code (MAC) for a given message. The algorithm works by dividing the input
message into fixed-length blocks, each of which is processed by the block cipher in a special
way.
The CMAC algorithm is based on the CBC-MAC (Cipher Block Chaining Message
Authentication Code) technique, which uses the block cipher in CBC mode to generate a
MAC for a given message. However, CMAC introduces some modifications to the CBC-
MAC technique to overcome its limitations.
The CMAC algorithm can be summarized in the following steps:
1. Key Generation: A secret key is generated by the user, which is used to generate the
MAC.
2. Padding: The input message is padded with zeros to ensure that its length is a
multiple of the block size.
3. Initialization: The algorithm initializes two block-sized vectors, denoted by L and R.
The L vector is used to generate the first MAC block, while the R vector is used for
the remaining blocks.
4. First Block Processing: The first block of the message is XORed with the L vector,
and the result is encrypted using the block cipher. The resulting ciphertext is then
XORed with the R vector.
5. Intermediate Block Processing: The remaining blocks of the message are processed
in a similar way. Each block is XORed with the previous ciphertext, encrypted using
the block cipher, and XORed with the R vector.
6. Final Block Processing: After all the blocks have been processed, the resulting
ciphertext is encrypted once more using the block cipher, and the result is XORed
with the L vector to obtain the final MAC value.
7. Output: The final MAC value is the output of the CMAC algorithm.
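The following Go program is an added example, not part of these notes; it implements CMAC as specified for AES in NIST SP 800-38B and RFC 4493 and checks itself against the RFC 4493 test vectors (the key and messages in main are those vectors). Two details of the standard are worth seeing in code next to the summary above: the two derived block-sized values are the subkeys K1 and K2, obtained by "doubling" E_K(0) in GF(2^128), and the only padding is a single 1 bit followed by zeros, applied solely when the last block is incomplete. Choosing K1 for a complete last block and K2 for a padded one is what closes the forgeries that plain CBC-MAC allows on variable-length messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// rb is the constant for a 128-bit block (x^128 + x^7 + x^2 + x + 1); "doubling" in
// GF(2^128) is a left shift with rb XORed in when the top bit falls off.
const rb = 0x87

func double(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[len(out)-1] ^= rb
	}
	return out
}

// subkeys derives K1 (used when the last block is complete) and K2 (when it is padded).
func subkeys(c cipher.Block) (k1, k2 []byte) {
	l := make([]byte, c.BlockSize())
	c.Encrypt(l, l) // L = E_K(0^128)
	k1 = double(l)
	k2 = double(k1)
	return k1, k2
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

// AESCMAC returns the 16-byte CMAC of msg under key (AES-128/192/256 by key length).
func AESCMAC(key, msg []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := c.BlockSize()
	k1, k2 := subkeys(c)
	n := (len(msg) + bs - 1) / bs // number of blocks, counting a partial last block
	complete := n > 0 && len(msg)%bs == 0
	if n == 0 {
		n = 1 // the empty message is treated as one padded block
	}
	last := make([]byte, bs)
	copy(last, msg[(n-1)*bs:])
	if complete {
		xorInto(last, k1)
	} else {
		last[len(msg)-(n-1)*bs] = 0x80 // 10...0 padding, only for an incomplete last block
		xorInto(last, k2)
	}
	x := make([]byte, bs) // CBC-MAC chaining value, starting from zero
	for i := 0; i < n-1; i++ {
		xorInto(x, msg[i*bs:(i+1)*bs])
		c.Encrypt(x, x)
	}
	xorInto(x, last)
	c.Encrypt(x, x)
	return x, nil
}

// VerifyCMAC recomputes the tag and compares it in constant time.
func VerifyCMAC(key, msg, mac []byte) bool {
	want, err := AESCMAC(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, mac) == 1
}

func main() {
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c") // RFC 4493 test key
	msg, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a") // RFC 4493 example 2
	mac, _ := AESCMAC(key, msg)
	fmt.Printf("AES-CMAC = %x\n", mac) // 070a16b46b4d4144f79bdd9dd04a287c per RFC 4493
	fmt.Println("verifies:", VerifyCMAC(key, msg, mac), "tampered:", VerifyCMAC(key, append(msg, 0), mac))
}
```

Verification recomputes the tag rather than "decrypting" it, which is why a MAC gives integrity and origin authentication to anyone holding the key but not non-repudiation: either party could have produced it.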
Features of CMAC:
1. Strong Security: CMAC provides strong security against various types of attacks,
including message forgery, replay attacks, and substitution attacks.
2. Fixed-Length Output: The output of the CMAC algorithm is a fixed-length MAC,
which makes it easy to compare and verify.
3. Efficient: CMAC is an efficient algorithm that can generate a MAC for a given
message in a short amount of time.
4. Key Reuse: The same key can be reused for multiple messages without
compromising the security of the MAC.
5. Easy Implementation: CMAC is easy to implement in software and hardware,
making it a popular choice for many applications.
Advantages of CMAC:
1. Resistance to Attack: CMAC is resistant to various types of attacks, including
message forgery, replay attacks, and substitution attacks. This makes it a secure
choice for applications where data integrity is critical.
2. Fixed-Length Output: The fixed-length output of CMAC makes it easy to compare
and verify MAC values, which simplifies the implementation of security protocols.
3. Efficient: CMAC is an efficient algorithm that can generate MAC values for large
amounts of data in a short amount of time. This makes it a good choice for
applications that require fast authentication of data.
4. Key Reuse: CMAC allows for key reuse, which simplifies the implementation of
security protocols and reduces the risk of key management errors.
5. Easy Implementation: CMAC is easy to implement in software and hardware,
making it a popular choice for many applications.
Limitations of CMAC:
1. Limited Key Size: The security of CMAC depends on the key size used. If the key
size is too small, it can be easily brute-forced, compromising the security of the MAC.
Therefore, it is recommended to use a key size of at least 128 bits.
2. Vulnerability to Side-Channel Attacks: Like any cryptographic algorithm, CMAC
is vulnerable to side-channel attacks. Side-channel attacks are attacks that exploit
weaknesses in the implementation of the algorithm rather than weaknesses in the
algorithm itself. Therefore, it is important to implement CMAC correctly to prevent
side-channel attacks.
3. Limited Block Size: CMAC has a limited block size, which means that it can only
generate MAC values for messages that are smaller than the block size. If a message
is larger than the block size, it must be divided into smaller blocks and processed
separately, which can be inefficient.
4. Key Management: The security of CMAC depends on the security of the key used.
Therefore, it is important to manage the keys properly to prevent unauthorized access
to the key.
Applications of CMAC:
CMAC is widely used in various applications that require message authentication, including:
1. Secure Communication: CMAC is used to authenticate messages in secure
communication protocols such as SSL/TLS, IPSec, and SSH.
2. File Integrity: CMAC is used to verify the integrity of files and ensure that they have
not been tampered with.
3. Digital Signatures: CMAC is used to generate digital signatures, which are used to
verify the authenticity of documents and messages.
4. Payment Systems: CMAC is used in payment systems such as credit cards and
electronic wallets to authenticate transactions and prevent fraud.
DIGITAL SIGNATURES
A digital signature is a mathematical technique used to validate the authenticity and integrity
of a message, software, or digital document.
1. Key Generation Algorithms: Digital signatures are electronic signatures that assure
that the message was sent by a particular sender. While performing digital
transactions, authenticity and integrity must be assured; otherwise the data can be
altered, or someone can pose as the sender and expect a reply.
2. Signing Algorithms: To create a digital signature, signing software (an e-mail
program, for example) creates a one-way hash of the electronic data that is to be signed.
The signing algorithm then encrypts the hash value using the private key (signature key).
This encrypted hash, along with other information such as the hashing algorithm used, is
the digital signature. The digital signature is appended to the data and sent to the
verifier. The hash is encrypted instead of the entire message or document because a hash
function converts any arbitrary input into a much shorter fixed-length value. This saves
time, since a short hash value is signed instead of a long message, and hashing is much
faster than signing.
3. Signature Verification Algorithms: The verifier receives the digital signature along
with the data. It runs the verification algorithm on the digital signature and the public
key (verification key), which yields a value. It also applies the same hash function to
the received data and obtains a hash value. If the two values are equal, the digital
signature is valid; otherwise it is invalid.
The steps followed in creating and verifying a digital signature are:
1. A message digest is computed by applying a hash function to the message, and the
message digest is then encrypted with the private key of the sender to form the digital
signature (digital signature = encryption(private key of sender, message digest), and
message digest = message digest algorithm(message)).
2. The digital signature is then transmitted with the message (message + digital signature
is transmitted).
3. The receiver decrypts the digital signature using the public key of the sender. (This
assures authenticity: only the sender has his private key, so only the sender can encrypt
with it, and the result can then be decrypted with the sender’s public key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (the actual message is
sent with the digital signature).
6. The message digest computed by the receiver and the message digest obtained by
decrypting the digital signature must be the same to ensure integrity.
The message digest is computed using a one-way hash function, i.e. a hash function for
which computing the hash value of a message is easy but computing the message from its
hash value is very difficult.
Assurances about digital signatures
The following terms describe the kind of assurances that digital signatures offer.
1. Authenticity: The identity of the signer is verified.
2. Integrity: Since the content was digitally signed, it has not been altered or
interfered with.
3. Non-repudiation: Demonstrates the source of the signed content to all parties. The act
of a signer denying any affiliation with the signed material is known as repudiation.
4. Notarization: Under some conditions, a signature in a Microsoft Word, Microsoft
Excel, or Microsoft PowerPoint document that has been time-stamped by a secure
time-stamp server is equivalent to a notarization.
Benefits of Digital Signatures
• Legal documents and contracts: Digital signatures are legally binding. This makes
them ideal for any legal document that requires a signature authenticated by one or
more parties and guarantees that the record has not been altered.
• Sales contracts: Digital signing of contracts and sales contracts authenticates the
identity of the seller and the buyer, and both parties can be sure that the signatures are
legally binding and that the terms of the agreement have not been changed.
• Financial Documents: Finance departments digitally sign invoices so customers can
trust that the payment request is from the right seller, not from a bad actor trying to
trick the buyer into sending payments to a fraudulent account.
• Health Data: In the healthcare industry, privacy is paramount for both patient records
and research data. Digital signatures ensure that this confidential information was not
modified when it was transmitted between the consenting parties.
Drawbacks of Digital Signature
• Dependency on technology: Because digital signatures rely on technology, they are
susceptible to crimes, including hacking. As a result, businesses that use digital
signatures must make sure their systems are safe and have the most recent security
patches and upgrades installed.
• Complexity: Setting up and using digital signatures can be challenging, especially for
those who are unfamiliar with the technology. This may result in blunders and errors
that reduce the system’s efficacy. The process of issuing digital signatures to senior
citizens can occasionally be challenging.
• Limited acceptance: Digital signatures take time to replace manual ones since
technology is not widely available in India, a developing nation.
ELGAMAL DIGITAL SIGNATURES
The ElGamal digital signature scheme is a cryptographic method used to provide
authentication and integrity for digital messages. It is based on the mathematical principles of
the discrete logarithm problem, which ensures security due to its computational difficulty.
Here’s how it works in context:
In the ElGamal digital signature, a key pair is generated: a private key used for signing and a
public key for verification. The private key is kept secret, while the public key is shared
openly. When a sender wants to sign a message, they create a signature using their private
key in a process involving modular arithmetic and random values to ensure variability. This
signature, alongside the original message, is sent to the recipient.
The recipient uses the sender’s public key to verify the authenticity of the signature. If the
verification is successful, the recipient can be confident that the message was indeed signed
by the holder of the private key and that it has not been tampered with during transmission.
The security of the ElGamal signature scheme relies on the infeasibility of solving the
discrete logarithm problem in a reasonable amount of time, thus protecting the signature from
forgery.
ElGamal digital signatures are known for their flexibility and high level of security, though
they may require more computational resources compared to some other algorithms like RSA
or DSA. This scheme forms the basis for certain cryptographic systems, including parts of
PGP (Pretty Good Privacy).
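Added example, not from these notes: the hash-then-sign procedure of the DIGITAL SIGNATURES steps above, carried out with the ElGamal scheme in Go using math/big. The group parameters p = 467 and g = 2 are constructed toy values small enough to check by hand (a real deployment uses a prime of at least 2048 bits), and the message is first reduced to m = SHA-256(M) mod (p-1), the "message digest" step. The signature is the pair (s1, s2) with s1 = g^k mod p and s2 = k^-1 (m - x·s1) mod (p-1); verification checks 0 < s1 < p, 0 < s2 < p-1 and g^m ≡ y^s1 · s1^s2 (mod p). The random value k is the "random values to ensure variability" mentioned above; it must be fresh and secret for every signature, since reusing k across two signatures reveals the private key.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

type PublicKey struct{ P, G, Y *big.Int } // y = g^x mod p
type PrivateKey struct {
	PublicKey
	X *big.Int
}

// GenerateKey picks a random x in [1, p-2] and publishes y = g^x mod p.
func GenerateKey(p, g *big.Int) (*PrivateKey, error) {
	x, err := rand.Int(rand.Reader, new(big.Int).Sub(p, big.NewInt(2)))
	if err != nil {
		return nil, err
	}
	x.Add(x, one)
	return &PrivateKey{PublicKey{p, g, new(big.Int).Exp(g, x, p)}, x}, nil
}

// hashToInt is the "message digest" step: m = SHA-256(msg) mod (p-1).
func hashToInt(msg []byte, p *big.Int) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), new(big.Int).Sub(p, one))
}

// Sign returns (s1, s2): s1 = g^k mod p, s2 = k^-1 (m - x*s1) mod (p-1), for a fresh
// random k coprime to p-1. Reusing k for two signatures reveals x.
func Sign(priv *PrivateKey, msg []byte) (s1, s2 *big.Int, err error) {
	pm1 := new(big.Int).Sub(priv.P, one)
	m := hashToInt(msg, priv.P)
	for {
		k, err := rand.Int(rand.Reader, pm1)
		if err != nil {
			return nil, nil, err
		}
		if k.Cmp(one) <= 0 || new(big.Int).GCD(nil, nil, k, pm1).Cmp(one) != 0 {
			continue // need 1 < k < p-1 with gcd(k, p-1) = 1 so that k^-1 exists
		}
		s1 = new(big.Int).Exp(priv.G, k, priv.P)
		t := new(big.Int).Mul(priv.X, s1) // x*s1
		t.Sub(m, t)                       // m - x*s1 (may be negative; Mod normalises it)
		s2 = t.Mul(t, new(big.Int).ModInverse(k, pm1)).Mod(t, pm1)
		if s2.Sign() != 0 {
			return s1, s2, nil
		}
	}
}

// Verify checks 0 < s1 < p, 0 < s2 < p-1 and g^m == y^s1 * s1^s2 (mod p).
func Verify(pub *PublicKey, msg []byte, s1, s2 *big.Int) bool {
	pm1 := new(big.Int).Sub(pub.P, one)
	if s1.Sign() <= 0 || s1.Cmp(pub.P) >= 0 || s2.Sign() <= 0 || s2.Cmp(pm1) >= 0 {
		return false
	}
	lhs := new(big.Int).Exp(pub.G, hashToInt(msg, pub.P), pub.P)
	rhs := new(big.Int).Exp(pub.Y, s1, pub.P)
	rhs.Mul(rhs, new(big.Int).Exp(s1, s2, pub.P)).Mod(rhs, pub.P)
	return lhs.Cmp(rhs) == 0
}

func main() {
	p, g := big.NewInt(467), big.NewInt(2) // constructed toy parameters, not for real use
	priv, _ := GenerateKey(p, g)
	s1, s2, _ := Sign(priv, []byte("transfer 100"))
	fmt.Printf("x=%v y=%v signature=(%v, %v)\n", priv.X, priv.Y, s1, s2)
	fmt.Println("genuine:", Verify(&priv.PublicKey, []byte("transfer 100"), s1, s2))
	fmt.Println("altered:", Verify(&priv.PublicKey, []byte("transfer 900"), s1, s2))
}
```

Why the equation holds: s2 was chosen so that m ≡ x·s1 + k·s2 (mod p-1), hence g^m ≡ g^(x·s1) · g^(k·s2) = y^s1 · s1^s2 (mod p). Any change to the message changes m, and any change to s1 or s2 breaks the relation, which is the integrity guarantee; only the holder of x could have produced a matching s2, which is the authenticity guarantee.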
PART – 3 KEY MANAGEMENT AND DISTRIBUTION
SYMMETRIC KEY DISTRIBUTION USING SYMMETRIC AND ASYMMETRIC ENCRYPTION
In cryptography, key distribution is the process of sharing encryption keys between parties
in a secure manner. Symmetric and asymmetric encryption can both play roles in this process,
and each has its own strengths and use cases.
1. Symmetric Key Distribution Using Symmetric Encryption
• Symmetric Encryption: In symmetric encryption, the same key is used for both
encryption and decryption. This method is fast and efficient but requires that the key
be securely shared between parties before communication can occur.
• Key Distribution Challenges: The main challenge with symmetric encryption is
securely transmitting the key to the intended recipient. If the key is intercepted during
transmission, the security of the encrypted data is compromised.
• Methods of Distribution:
o Pre-shared Keys: Keys are exchanged in person or through a secure channel
prior to communication.
o Key Distribution Centers (KDCs): A trusted third-party service generates
and distributes symmetric keys to parties who wish to communicate securely.
o Manual Exchange: The key can be distributed manually (e.g., through secure
physical delivery).
2. Symmetric Key Distribution Using Asymmetric Encryption
• Asymmetric Encryption: Asymmetric encryption involves two keys: a public key for
encryption and a private key for decryption. This method is more computationally
intensive but solves the problem of key distribution.
• Hybrid Approach for Symmetric Key Distribution:
o Key Exchange Protocols: Asymmetric encryption can be used to securely
exchange a symmetric key. The public key of the recipient is used to encrypt
the symmetric key, which is then sent to the recipient. Only the recipient, with
their private key, can decrypt and access the symmetric key.
o Efficiency: Once the symmetric key is shared, communication can proceed
using the faster symmetric encryption.
o Example: TLS (Transport Layer Security) uses this hybrid approach. During
the initial handshake, asymmetric encryption secures the exchange of a
symmetric session key, after which symmetric encryption is used for the data
transfer.
Benefits of Combining Symmetric and Asymmetric Methods
• Security: Using asymmetric encryption for key distribution ensures that the
symmetric key can be securely shared over an insecure channel.
• Efficiency: Symmetric encryption is used for the main communication due to its
speed and lower computational requirements.
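Added example (not from these notes): the hybrid approach of item 2 in Go, using RSA-OAEP to wrap a fresh AES-256 session key and AES-GCM for the data, which is the same division of labour that TLS performs in its handshake. The key size, the OAEP label and the sample message are constructed for the example. Because GCM authenticates the ciphertext, a modified envelope is rejected rather than decrypted to garbage, and a recipient holding a different private key cannot unwrap the session key at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the insecure channel.
type Envelope struct {
	WrappedKey []byte // session key encrypted with the recipient's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce, never reused with the same session key
	Ciphertext []byte // data encrypted with the session key, with GCM's integrity tag
}

// label binds the wrapped key to this purpose (constructed value); both sides must agree on it.
var label = []byte("session-key-v1")

// NewKeyPair generates the recipient's long-term RSA key pair (2048 bits).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal is the sender: a fresh AES-256 session key is wrapped for the recipient with
// asymmetric encryption and then used for the bulk data with fast symmetric encryption.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, label)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is the recipient: only the private key unwraps the session key, and GCM then
// refuses any ciphertext that was altered in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, label)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or altered envelope")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	recipient, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	env, _ := Seal(&recipient.PublicKey, []byte("constructed secret message"))
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Open(recipient, env)
	fmt.Printf("recovered: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 1 // one bit flipped in transit
	_, err = Open(recipient, env)
	fmt.Println("tampered:", err)
}
```

The asymmetric operation is performed once per session on 32 bytes, and everything else is symmetric, which is the efficiency argument of the bullet list above made concrete.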
DISTRIBUTION OF PUBLIC KEYS
The public key can be distributed in four ways, explained below:
1. Public Announcement: Here the public key is broadcast to everyone. The major weakness
of this method is forgery: anyone can create a key claiming to be someone else and
broadcast it, and until the forgery is discovered the forger can masquerade as the claimed
user.
2. Publicly Available Directory: In this type, the public key is stored in a public directory.
The directory is trusted here; it registers participants, lets them access and modify their
values at any time, and contains entries like {name, public-key}. Such directories can be
accessed electronically but are still vulnerable to forgery or tampering.
3. Public Key Authority: This is similar to the directory but improves security by tightening
control over the distribution of keys from the directory. It requires users to know the public
key of the directory. Whenever keys are needed, the user accesses the directory in real time
to obtain the desired public key securely.
4. Public Certification: Here the authority provides a certificate (which binds an identity to
a public key) so that keys can be exchanged without real-time access to the public-key
authority each time. The certificate carries other information such as the period of validity,
rights of use, etc. All of this content is signed with the private key of the certificate
authority, and it can be verified by anyone who possesses the authority’s public key.
First, sender and receiver both request a certificate from the CA, which contains a public key
and other information; they can then exchange these certificates and start communicating.
KERBEROS
Kerberos provides a centralized authentication server whose function is to authenticate users
to servers and servers to users. In Kerberos, an authentication server and a database are used
for client authentication. Kerberos runs as a trusted third-party server known as the Key
Distribution Center (KDC). Each user and service on the network is a principal.
The main components of Kerberos are:
• Authentication Server (AS):
The Authentication Server performs the initial authentication and issues a ticket for the
Ticket Granting Service.
• Database:
The Authentication Server verifies the access rights of users in the database.
• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the server.
Kerberos Overview:
• Step-1:
The user logs in and requests services on the host, i.e. the user requests a ticket-granting
service.
• Step-2:
The Authentication Server verifies the user’s access rights using the database and then
issues a ticket-granting ticket and a session key. The result is encrypted using the
password of the user.
• Step-3:
The message is decrypted using the password, and the ticket is then sent to the Ticket
Granting Server. The ticket contains authenticators such as user names and network
addresses.
• Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, the authenticator verifies
the request, and the TGS then creates the ticket for requesting services from the server.
• Step-5:
The user sends the ticket and authenticator to the server.
• Step-6:
The server verifies the ticket and authenticator and then grants access to the service.
After this the user can access the services.
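Added example (not part of these notes): a simulation in Go of the six steps above, with the KDC (AS and TGS), a client and an application server all in one process. Every "encrypted under key K" in the steps is modelled as AES-256-GCM, the password-to-key derivation is a constructed stand-in for Kerberos' string-to-key function, and the principal names, passwords and service names are constructed. Real Kerberos tickets also carry addresses, lifetimes and flags; the example keeps only what the six steps mention: the ticket names the user and holds the session key, the authenticator proves possession of that key, and each server opens tickets only with its own long-term key, so the user's password is never sent anywhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// box/unbox model "encrypted under key K" as AES-256-GCM with a 12-byte random nonce prepended;
// GCM also rejects anything tampered with or sealed under a different key.
func box(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func unbox(key, ct []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	if len(ct) < 12 { return nil, errors.New("short ciphertext") }
	return g.Open(nil, ct[:12], ct[12:], nil)
}
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// userKey stands in for Kerberos' string-to-key; the AS database stores this, not the password.
func userKey(pw string) []byte { k := sha256.Sum256([]byte("constructed-salt|" + pw)); return k[:] }

// A ticket is "user|sessionKey" sealed under the key of the server it is for: the TGS key for
// a ticket-granting ticket, the service's own long-term key for a service ticket.
func makeTicket(serverKey, sk []byte, user string) []byte {
	return box(serverKey, append([]byte(user+"|"), sk...))
}

// An authenticator proves the client holds the session key inside the ticket: Enc_SK(user|nonce).
func authenticator(user string, sk []byte) []byte { return box(sk, append([]byte(user+"|"), newKey()...)) }

// checkTicket is what both the TGS (step 4) and the application server (step 6) do: open the
// ticket with their own key, open the authenticator with the session key found inside it, and
// require the two names to match. It returns the user and that session key.
func checkTicket(serverKey, ticket, auth []byte) (string, []byte, error) {
	pt, err := unbox(serverKey, ticket)
	if err != nil { return "", nil, errors.New("ticket does not open under this server's key") }
	f := bytes.SplitN(pt, []byte("|"), 2)
	if len(f) != 2 || len(f[1]) != 32 { return "", nil, errors.New("malformed ticket") }
	user, sk := string(f[0]), f[1]
	if a, err := unbox(sk, auth); err != nil || !bytes.HasPrefix(a, []byte(user+"|")) {
		return "", nil, errors.New("authenticator not under the ticket's session key, or name mismatch")
	}
	return user, sk, nil
}

type KDC struct {
	users    map[string][]byte // AS database: principal -> password-derived key
	tgsKey   []byte            // shared by AS and TGS
	services map[string][]byte // application servers' long-term keys
}

// ASExchange (steps 1-2): reply = Enc_Kuser(sessionKey || TGT); only the user who knows the password opens it.
func (k *KDC) ASExchange(user string) ([]byte, error) {
	uk, ok := k.users[user]
	if !ok { return nil, errors.New("unknown principal") }
	sk := newKey()
	return box(uk, append(sk, makeTicket(k.tgsKey, sk, user)...)), nil
}

// TGSExchange (step 4): validate TGT and authenticator, then reply with Enc_SK(serviceSessionKey || serviceTicket).
func (k *KDC) TGSExchange(tgt, auth []byte, service string) ([]byte, error) {
	user, sk, err := checkTicket(k.tgsKey, tgt, auth)
	if err != nil { return nil, err }
	svcKey, ok := k.services[service]
	if !ok { return nil, errors.New("unknown service") }
	ssk := newKey()
	return box(sk, append(ssk, makeTicket(svcKey, ssk, user)...)), nil
}

// splitReply (client, step 3): only the holder of key recovers the session key and the ticket.
func splitReply(key, reply []byte) ([]byte, []byte, error) {
	pt, err := unbox(key, reply)
	if err != nil || len(pt) < 32 { return nil, nil, errors.New("reply does not open (wrong password?)") }
	return pt[:32], pt[32:], nil
}

// Login runs steps 1-6 for one user and service and returns the name the service accepted.
func Login(kdc *KDC, user, password, service string) (string, error) {
	reply, err := kdc.ASExchange(user)
	if err != nil { return "", err }
	sk, tgt, err := splitReply(userKey(password), reply)
	if err != nil { return "", err }
	if reply, err = kdc.TGSExchange(tgt, authenticator(user, sk), service); err != nil { return "", err }
	ssk, st, err := splitReply(sk, reply)
	if err != nil { return "", err }
	// steps 5-6: the application server checks the service ticket with its own long-term key
	accepted, _, err := checkTicket(kdc.services[service], st, authenticator(user, ssk))
	return accepted, err
}

func main() {
	kdc := &KDC{map[string][]byte{"alice": userKey("correct horse")}, newKey(), map[string][]byte{"fileserver": newKey()}}
	fmt.Println(Login(kdc, "alice", "correct horse", "fileserver"))
	fmt.Println(Login(kdc, "alice", "wrong password", "fileserver"))
}
```

Note the two limitations from the list that follows showing up directly in the code: the KDC must be online for every login (steps 1 and 4), and the database holds a key for every principal, so the KDC host itself must be secured.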
Kerberos Limitations
• Each network service must be modified individually for use with Kerberos
• It doesn’t work well in a time-sharing environment
• Requires a secured Kerberos server
• Requires an always-on Kerberos server
• Stores all passwords encrypted with a single key
• Assumes workstations are secure
• May result in a cascading loss of trust
• Scalability
X.509 AUTHENTICATION SERVICE
X.509 is a digital certificate format built on a widely trusted standard, the ITU (International
Telecommunication Union) X.509 standard, which defines the format of PKI certificates. X.509
digital certificates form a certificate-based authentication security framework that can be used
to provide secure transaction processing and protect private information. They are primarily
used for handling security and identity in computer networking and Internet-based
communications.
Working of X.509 Authentication Service Certificate:
The core of the X.509 authentication service is the public-key certificate associated with each
user. These user certificates are assumed to be produced by some trusted certification
authority and placed in the directory by the user or the certification authority. The directory
servers are only used to provide an easily reachable location from which all users can obtain
certificates. The X.509 standard is built on an interface description language known as ASN.1
(Abstract Syntax Notation One). The X.509 certificate format uses an associated public and
private key pair for encrypting and decrypting messages.
Once an X.509 certificate is issued to a user by the certification authority, that certificate is
attached to the user like an identity card. The chances of it being stolen or lost are smaller
than with unsecured passwords. With this analogy it is easier to imagine how the
authentication works: the certificate is presented like an identity document at the resource
that requires authentication.
[Figure: Public Key certificate use]
Format of X.509 Authentication Service Certificate:
Generally, the certificate includes the elements given below:
• Version number: It defines the X.509 version that applies to the certificate.
• Serial number: It is the unique number that the certification authority issues.
• Signature Algorithm Identifier: This is the algorithm that is used for signing the
certificate.
• Issuer name: The X.500 name of the certification authority which signed and created
the certificate.
• Period of Validity: It defines the period for which the certificate is valid.
• Subject Name: The name of the user to whom this certificate has been issued.
• Subject’s public key information: It defines the subject’s public key along with an
identifier of the algorithm for which this key is supposed to be used.
• Extension block: This field contains additional standard information.
• Signature: This field contains the hash code of all other fields, encrypted with the
certification authority’s private key.
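Added example (not the notes' own code): the certificate format above seen through Go's crypto/x509. The program issues a self-signed root CA, has it sign a server certificate, prints the listed fields from the parsed certificate, and verifies the chain the way a relying party does without contacting the CA, which is the "Public Certification" method of the key-distribution section and the mechanism the PKI section that follows builds on. The names, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a certificate binding cn to a fresh key pair. With parent == nil it is
// self-signed (a root CA); otherwise the CA's parentKey signs it, so its Issuer field is
// the CA's Subject and its Signature can be checked with the CA's public key.
func Issue(cn string, isCA bool, validFor time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // unique per issuer
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute), // period of validity
		NotAfter:              time.Now().Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // extension block: "is this a CA?"
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // extension block: the name a TLS client will check
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyChain is what a relying party does with no online access to the CA: check that
// leaf chains to a trusted root, that `at` lies inside its validity period, and that it
// was issued for dnsName.
func VerifyChain(leaf, root *x509.Certificate, dnsName string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: at})
	return err
}

// Describe shows the fields listed in the notes as they appear in a parsed certificate.
func Describe(c *x509.Certificate) string {
	return fmt.Sprintf("version=%d serial=%s sigalg=%s issuer=%q subject=%q valid=%s..%s dns=%v ca=%v",
		c.Version, c.SerialNumber, c.SignatureAlgorithm, c.Issuer.CommonName, c.Subject.CommonName,
		c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"), c.DNSNames, c.IsCA)
}

func main() {
	root, rootKey := Issue("Example Root CA", true, 10*365*24*time.Hour, nil, nil)
	leaf, _ := Issue("www.example.test", false, 90*24*time.Hour, root, rootKey)
	fmt.Println(Describe(root))
	fmt.Println(Describe(leaf))
	fmt.Println("valid now:", VerifyChain(leaf, root, "www.example.test", time.Now()))
	fmt.Println("wrong name:", VerifyChain(leaf, root, "other.example.test", time.Now()))
	fmt.Println("after expiry:", VerifyChain(leaf, root, "www.example.test", time.Now().Add(91*24*time.Hour)))
}
```

The leaf's private key never leaves the server that generated it; only the public key goes into the certificate, and the CA's signature over the whole structure is what lets anyone holding the root certificate check it offline.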
Applications of X.509 Authentication Service Certificate:
Many protocols depend on X.509 and it has many applications, some of them are given
below:
• Document signing and Digital signature
• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets
Layer (SSL) certificates
• Email certificates
• Code signing
• Secure Shell Protocol (SSH) keys
• Digital Identities
PUBLIC KEY INFRASTRUCTURE
Public key infrastructure or PKI is the governing body behind issuing digital certificates. It
helps to protect confidential data and gives unique identities to users and systems. Thus, it
ensures security in communications.
The public key infrastructure uses a pair of keys: the public key and the private key to
achieve security. The public keys are prone to attacks and thus an intact infrastructure is
needed to maintain them.
Managing Keys in the Cryptosystem:
The security of a cryptosystem relies on its keys. Thus, it is important that we have a solid
key management system in place. The 3 main areas of key management are as follows:
• A cryptographic key is a piece of data that must be managed by secure administration.
• It involves managing the key life cycle which is as follows:
• Public key management further requires:
o Keeping the private key secret: Only the owner of a private key is
authorized to use a private key. It should thus remain out of reach of any other
person.
o Assuring the public key: Public keys are in the open domain and can be
publicly accessed. With this degree of public accessibility, it becomes hard to
know whether a key is correct and what it will be used for. The purpose of a public
key must be explicitly defined.
PKI or public key infrastructure aims at achieving the assurance of public key.
Public Key Infrastructure:
Public key infrastructure affirms the usage of a public key. PKI identifies a public key along
with its purpose. It usually consists of the following components:
• A digital certificate also called a public key certificate
• Private Key tokens
• Registration authority
• Certification authority
• CMS or Certification management system
Challenges that a PKI Solves:
PKI owes its popularity to the various problems it solves. Some use cases of PKI are:
• Securing web browsers and communicating networks by SSL/TLS certifications.
• Maintaining Access Rights over Intranets and VPNs.
• Data Encryption
• Digitally Signed Software
• Wi-fi Access Without Passwords
Other than these, one of the most important use cases of PKI is based around IoT(Internet of
Things). Here are two industries that are using PKI for IoT devices:
• Auto Manufacturers: Cars these days have features like GPS, call for services,
assistants, etc. These require communication paths where a lot of data is passed.
Making these connections secure is very important to avoid malicious parties hacking
into the cars. This is where PKI comes in.
• Medical device Manufacturers: Devices like surgical robots require high security.
Also, the FDA mandates that any next-generation medical device must be updatable so
that bugs can be removed and security issues can be dealt with. PKI is used to issue
certificates to such devices.
Disadvantages of PKI:
• Speed: PKI uses computationally heavy algorithms to create a secure key pair, which
slows down processing and data transfer.
• Private Key Compromise: Even though PKI cannot be broken easily, a private key can
be stolen by a skilled attacker. Since PKI uses the public and private key to encrypt and
decrypt data, an attacker holding the user’s private key, together with the freely available
public key, can decrypt the information easily.
UNIT – 4 TRANSPORT-LEVEL SECURITY & WIRELESS NETWORK SECURITY
PART – 1 TRANSPORT LEVEL SECURITY
WEB SECURITY CONSIDERATIONS
Web security deals with the security of data on the Internet or a network, including data
while it is being transferred over the Internet. Web security is crucial for protecting web
applications, websites, and the underlying servers from malicious attacks and unauthorized
access.
What is Web Security?
Web security is an online security solution that restricts access to harmful websites, stops
web-based risks, and manages staff Internet usage. Web security is very important nowadays,
since websites are always prone to security threats and risks. For example, when you are
transferring data between client and server and you have to protect that data, the security of
that data is your web security.
What is a Security Threat?
A threat is a possible event that can damage or harm an information system. A security
threat is defined as a risk that can potentially harm computer systems and organizations.
Whenever an individual or an organization creates a website, it becomes vulnerable to
security attacks. Security attacks are mainly aimed at stealing, altering or destroying personal
and confidential information, stealing hard drive space, and illegally accessing passwords.
So whenever the website you created is vulnerable to security attacks, the attackers can steal
or alter your data, destroy your personal information, read your confidential information, and
also gain access to your passwords.
Top Web Security Threats
• Cross-site scripting (XSS)
• SQL Injection
• Phishing
• Ransomware
• Code Injection
• Viruses and worms
• Spyware
• Denial of Service
Security Considerations
• Updated Software: You need to always update your software. Hackers may be aware
of vulnerabilities in certain software, sometimes caused by bugs, which can be used to
damage your computer system and steal personal data. Older versions of software can
become a gateway for hackers into your network. Software makers soon become aware of
these vulnerabilities and fix the vulnerable or exposed areas. That is why it is mandatory
to keep your software updated; it plays an important role in keeping your personal data
secure.
• Beware of SQL Injection: SQL injection is an attempt to manipulate your data or your
database by inserting rogue code into your query. For example, somebody can send a
query to your website that carries rogue code; when it gets executed it can be used to
manipulate your database (change tables, modify or delete data) or retrieve important
information, so one should be aware of SQL injection attacks.
• Cross-Site Scripting (XSS): XSS allows attackers to insert client-side script into web
pages, e.g. through form submissions. It is a term used to describe a class of attacks that
allow an attacker to inject client-side scripts into other users’ browsers through a
website. Because the injected code reaches the browser from the site, the browser treats
it as trusted, and it can do things like send the user’s site authorization cookie to the
attacker.
• Error Messages: You need to be very careful about the error messages your website
generates for users. Error messages are generated for one reason or another, and you
should be careful about how much information they give away. For example, on a failed
login attempt the error message should not let the user know which field is incorrect,
the username or the password.
• Data Validation: Data validation is the proper testing of any input supplied by the user
or an application. It prevents improperly formed data from entering the information
system. Validation of data should be performed on both the server side and the client
side. Performing data validation on both sides gives us authentication. Data validation
should occur whenever data is received from an outside party, especially if the data
comes from untrusted sources.
• Password: A password provides the first line of defense against unauthorized access to
your device and personal information, so it is necessary to use a strong password.
Hackers in many cases use software that brute-forces passwords, so passwords must be
complex to resist brute force. It is good to enforce password requirements such as a
minimum of eight characters, including uppercase letters, lowercase letters, special
characters, and numerals.
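Added example (not from these notes) in Go covering three of the considerations above: the vulnerable and the hardened way of rendering untrusted input into an HTML page, a login error that says the same thing whichever check failed, and a checker for the password rule stated last. The sample comment string and the password values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"strings"
	"unicode"
)

// RenderUnsafe is the vulnerable form: untrusted input is spliced straight into HTML,
// so markup or script inside a comment is interpreted by every visitor's browser (XSS).
func RenderUnsafe(comment string) string {
	return "<p class=\"comment\">" + comment + "</p>"
}

// commentTmpl is the hardened form: html/template escapes the value for the HTML
// context it lands in, so the same input is displayed as text, never interpreted.
var commentTmpl = template.Must(template.New("c").Parse(`<p class="comment">{{.}}</p>`))

func RenderSafe(comment string) string {
	var b strings.Builder
	if err := commentTmpl.Execute(&b, comment); err != nil {
		panic(err)
	}
	return b.String()
}

// LoginError returns one message whichever check failed, so a failed attempt does not
// reveal whether the username exists (the "error messages" consideration above).
func LoginError(userExists, passwordOK bool) error {
	if userExists && passwordOK {
		return nil
	}
	return errors.New("invalid username or password")
}

// PasswordMeetsPolicy enforces the stated rule: at least eight characters including an
// uppercase letter, a lowercase letter, a digit and a special character.
func PasswordMeetsPolicy(pw string) bool {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return len([]rune(pw)) >= 8 && upper && lower && digit && special
}

func main() {
	hostile := `<script>alert("xss")</script>` // constructed sample of untrusted input
	fmt.Println("unsafe:", RenderUnsafe(hostile))
	fmt.Println("safe:  ", RenderSafe(hostile))
	fmt.Println(LoginError(false, false), "|", LoginError(true, false))
	fmt.Println(PasswordMeetsPolicy("Tr0ub4dor&3"), PasswordMeetsPolicy("password"))
}
```

Output encoding at the point where data is written into the page is the defence that holds regardless of what input validation let through, which is why both belong in the list above.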
SECURE SOCKET LAYER
Secure Socket Layer (SSL) provides security for the data that is transferred between a web
browser and a server. SSL encrypts the link between a web server and a browser, which
ensures that all data passed between them remains private and free from attack. In this
section we discuss SSL in detail: its protocols, the salient features of SSL, and the versions
of SSL.
What is a Secure Socket Layer?
SSL, or Secure Sockets Layer, is an Internet security protocol that encrypts data to keep it
safe. It was created by Netscape in 1995 to ensure privacy, authentication, and data integrity
in online communications. SSL is the older version of what we now call TLS (Transport
Layer Security).
Websites using SSL/TLS have “HTTPS” in their URL instead of “HTTP.”
How does SSL work?
• Encryption: SSL encrypts data transmitted over the web, ensuring privacy. If
someone intercepts the data, they will see only a jumble of characters that is nearly
impossible to decode.
• Authentication: SSL starts an authentication process called a handshake between two
devices to confirm their identities, making sure both parties are who they claim to be.
• Data Integrity: SSL digitally signs data to ensure it hasn’t been tampered with,
verifying that the data received is exactly what was sent by the sender.
Why is SSL Important?
Originally, data on the web was transmitted in plaintext, making it easy for anyone who
intercepted the message to read it. For example, if someone logged into their email account,
their username and password would travel across the Internet unprotected.
SSL was created to solve this problem and protect user privacy. By encrypting data between a
user and a web server, SSL ensures that anyone who intercepts the data sees only a scrambled
mess of characters. This keeps the user’s login credentials safe, visible only to the email
service.
Additionally, SSL helps prevent cyber attacks by:
• Authenticating Web Servers: Ensuring that users are connecting to the legitimate
website, not a fake one set up by attackers.
• Preventing Data Tampering: Acting like a tamper-proof seal, SSL ensures that the
data sent and received hasn’t been altered during transit.
Secure Socket Layer Protocols
• SSL Record Protocol
• Handshake Protocol
• Change-Cipher Spec Protocol
• Alert Protocol
SSL Record Protocol
SSL Record provides two services to an SSL connection:
• Confidentiality
• Message Integrity
In the SSL Record Protocol, application data is divided into fragments. Each fragment is
compressed, and then a MAC (Message Authentication Code) generated by an algorithm such
as SHA (Secure Hash Algorithm) or MD5 (Message Digest) is appended. After that the data is
encrypted, and finally the SSL record header is added to the data.
Handshake Protocol
The Handshake Protocol is used to establish sessions. This protocol allows the client and
server to authenticate each other by sending a series of messages to each other. The
handshake protocol uses four phases to complete its cycle.
• Phase-1: In Phase-1 both client and server send hello packets to each other. In this
phase the session ID, cipher suite and protocol version are exchanged for security purposes.
• Phase-2: The server sends its certificate and Server-key-exchange message. The server
ends Phase-2 by sending the Server-hello-done message.
• Phase-3: In this phase, the client replies to the server by sending its certificate and
Client-key-exchange message.
• Phase-4: In Phase-4 the Change-cipher-spec exchange occurs, after which the
Handshake Protocol ends.
Change-Cipher Protocol
This protocol uses the SSL record protocol. Until the Handshake Protocol is completed, the
SSL record output stays in a pending state. After the handshake protocol, the pending state
is converted into the current state.
The Change-cipher protocol consists of a single message which is 1 byte in length and can
have only one value. This protocol’s purpose is to cause the pending state to be copied into
the current state.
Alert Protocol
This protocol is used to convey SSL-related alerts to the peer entity. Each message in this
protocol contains 2 bytes.
The level is further classified into two parts:
Warning (level = 1)
This alert has no impact on the connection between sender and receiver. Some of them are:
• Bad Certificate: When the received certificate is corrupt.
• No Certificate: When an appropriate certificate is not available.
• Certificate Expired: When a certificate has expired.
• Certificate Unknown: When some other unspecified issue arose in processing the
certificate, rendering it unacceptable.
• Close Notify: It notifies that the sender will no longer send any messages in the
connection.
• Unsupported Certificate: The type of certificate received is not supported.
• Certificate Revoked: The certificate received is in the revocation list.
Fatal Error (level = 2):
This Alert breaks the connection between sender and receiver. The connection is stopped and cannot be resumed, but it can be restarted. Some of them are:
• Handshake Failure: When the sender is unable to negotiate an acceptable set of
security parameters given the options available.
• Decompression Failure: When the decompression function receives improper input.
• Illegal Parameters: When a field is out of range or inconsistent with other fields.
• Bad Record MAC: When an incorrect MAC was received.
• Unexpected Message: When an inappropriate message is received.
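As an added example (not from the original notes), the following Python sketch walks through the record-protocol pipeline described above in the TLS 1.2 style (fragment, null compression, MAC, encrypt, header) and shows how a receiver detects the Bad Record MAC condition that triggers the fatal alert. The stream cipher is a constructed HMAC-based keystream standing in for a real cipher such as AES, and the keys and message are constructed sample values.

```python
import hmac
import hashlib
import struct

# Record header fields (RFC 5246 style): content type, version, length.
CONTENT_APPLICATION_DATA = 23
VERSION_TLS12 = (3, 3)
MAX_FRAGMENT = 2 ** 14          # 16 KiB plaintext fragments
MAC_LEN = 32                    # HMAC-SHA256 output size

# bad_record_mac is a fatal alert (level 2); description 20 in the TLS registry.
BAD_RECORD_MAC_ALERT = (2, 20)


class BadRecordMAC(Exception):
    """Raised when a received record fails MAC verification."""


def _keystream(key, seq, length):
    # Constructed stand-in stream cipher: HMAC-SHA256 in counter mode keyed
    # with the write key and the record sequence number. NOT a TLS cipher.
    out = b""
    counter = 0
    while len(out) < length:
        block = struct.pack(">QI", seq, counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key, seq, header, fragment):
    # TLS 1.2 MAC input: seq_num || type || version || length || fragment,
    # where length is the plaintext fragment length.
    return hmac.new(mac_key, struct.pack(">Q", seq) + header + fragment,
                    hashlib.sha256).digest()


def protect(data, mac_key, enc_key, seq=0):
    """Sender side: fragment -> (null) compress -> MAC -> encrypt -> header.

    Returns the list of wire records and the next sequence number."""
    records = []
    for start in range(0, len(data), MAX_FRAGMENT):
        frag = data[start:start + MAX_FRAGMENT]        # fragmentation
        compressed = frag                               # null compression
        header = struct.pack(">BBBH", CONTENT_APPLICATION_DATA,
                             *VERSION_TLS12, len(compressed))
        plain = compressed + _mac(mac_key, seq, header, compressed)
        ciphertext = _xor(plain, _keystream(enc_key, seq, len(plain)))
        wire_header = struct.pack(">BBBH", CONTENT_APPLICATION_DATA,
                                  *VERSION_TLS12, len(ciphertext))
        records.append(wire_header + ciphertext)
        seq += 1
    return records, seq


def unprotect(record, mac_key, enc_key, seq):
    """Receiver side: parse header -> decrypt -> split off MAC -> verify."""
    ctype, vmaj, vmin, length = struct.unpack(">BBBH", record[:5])
    ciphertext = record[5:5 + length]
    if len(ciphertext) != length or length < MAC_LEN:
        raise BadRecordMAC("truncated record")
    plain = _xor(ciphertext, _keystream(enc_key, seq, length))
    compressed, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    header = struct.pack(">BBBH", ctype, vmaj, vmin, len(compressed))
    expected = _mac(mac_key, seq, header, compressed)
    if not hmac.compare_digest(mac, expected):      # constant-time compare
        raise BadRecordMAC("MAC mismatch; fatal alert %r" % (BAD_RECORD_MAC_ALERT,))
    return compressed                               # null decompression


def receive_all(records, mac_key, enc_key, seq=0):
    """Reassemble a stream of records; returns (data, alert_or_None).

    A failed MAC stops processing, as the fatal alert tears down the connection."""
    out = b""
    for rec in records:
        try:
            out += unprotect(rec, mac_key, enc_key, seq)
        except BadRecordMAC:
            return out, BAD_RECORD_MAC_ALERT
        seq += 1
    return out, None


if __name__ == "__main__":
    # Constructed sample keys and message (not real session keys).
    mac_key, enc_key = b"M" * 32, b"E" * 32
    msg = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    recs, _ = protect(msg, mac_key, enc_key)
    print(receive_all(recs, mac_key, enc_key))
    tampered = recs[0][:5] + bytes([recs[0][5] ^ 0x01]) + recs[0][6:]
    print(receive_all([tampered], mac_key, enc_key))  # flipped bit -> alert
```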
TRANSPORT LAYER SECURITY
Transport Layer Security (TLS) is designed to provide security at the transport layer. TLS was derived from a security protocol called Secure Socket Layer (SSL). TLS ensures that no third party may eavesdrop on or tamper with any message.
There are several benefits of TLS:

• Encryption:
TLS/SSL secures transmitted data using encryption.
• Interoperability:
TLS/SSL works with most web browsers, including Microsoft Internet Explorer, and on most operating systems and web servers.
• Algorithm flexibility:
TLS/SSL provides options for the authentication mechanism, encryption algorithms and hashing algorithm that are used during the secure session.
• Ease of Deployment:
Many applications use TLS/SSL transparently on a Windows Server 2003 operating system.
• Ease of Use:
Because TLS/SSL is implemented beneath the application layer, most of its operations are completely invisible to the client.

Working of TLS:
The client connects to the server (using TCP) and sends a number of specifications:
1. the version of SSL/TLS it supports;
2. which cipher suites and compression methods it wants to use.

The server checks what the highest SSL/TLS version is that both of them support, picks a cipher suite from the client’s options (if it supports one) and optionally picks a compression method. After this basic setup is done, the server provides its certificate. This certificate must be trusted either by the client itself or by a party that the client trusts. Having verified the certificate and being certain that this server really is who it claims to be (and not a man in the middle), a key is exchanged. This can be a public key, a “PreMasterSecret” or simply nothing, depending upon the cipher suite.
Both the server and client can now compute the key for symmetric encryption. The handshake is finished and the two hosts can communicate securely. To close a connection, a close_notify alert is exchanged; if the TCP connection is simply torn down without it, both sides will know the connection was improperly terminated. The connection cannot be compromised by this, merely interrupted.
Transport Layer Security (TLS) continues to play a critical role in securing data transmission
over networks, especially on the internet. Let’s delve deeper into its workings and
significance:
Enhanced Security Features:
TLS employs a variety of cryptographic algorithms to provide a secure communication
channel. This includes symmetric encryption algorithms like AES (Advanced Encryption
Standard) and asymmetric algorithms like RSA and Diffie-Hellman key exchange.
Additionally, TLS supports various hash functions for message integrity, such as SHA-256,
ensuring that data remains confidential and unaltered during transit.
Certificate-Based Authentication:
One of the key components of TLS is its certificate-based authentication mechanism. When a
client connects to a server, the server presents its digital certificate, which includes its public
key and other identifying information. The client verifies the authenticity of the certificate
using trusted root certificates stored locally or provided by a trusted authority, thereby
establishing the server’s identity.
Forward Secrecy:
TLS supports forward secrecy, a crucial security feature that ensures that even if an attacker
compromises the server’s private key in the future, they cannot decrypt past communications.
This is achieved by generating ephemeral session keys for each session, which are not stored
and thus cannot be compromised retroactively.
TLS Handshake Protocol:
The TLS handshake protocol is a crucial phase in establishing a secure connection between
the client and the server. It involves multiple steps, including negotiating the TLS version,
cipher suite, and exchanging cryptographic parameters. The handshake concludes with the
exchange of key material used to derive session keys for encrypting and decrypting data.
Perfect Forward Secrecy (PFS):
Perfect Forward Secrecy is an advanced feature supported by TLS that ensures the
confidentiality of past sessions even if the long-term secret keys are compromised. With PFS,
each session key is derived independently, providing an additional layer of security against
potential key compromise.
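The following Python sketch, added here and not part of the original notes, walks through the handshake steps described above: version and cipher-suite negotiation (with the Handshake Failure alert when nothing overlaps), an ephemeral Diffie-Hellman exchange that yields the pre-master secret, and the TLS 1.2 PRF (RFC 5246) that turns it into the master secret and key block. Because the DH exponents are fresh for each session and discarded afterwards, two sessions in the demo derive different keys, which is the forward-secrecy property the text describes. The MODP group is RFC 2409 group 2 (1024-bit, used here only for brevity; real deployments use larger groups or ECDHE), the suite names are registry names, and the randoms come from `secrets`.

```python
import hashlib
import hmac
import secrets

# --- Negotiation ------------------------------------------------------------

TLS12, TLS11, TLS10 = (3, 3), (3, 2), (3, 1)
# Cipher-suite names as in the IANA registry; DHE_* suites give forward secrecy.
SERVER_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
]
HANDSHAKE_FAILURE_ALERT = (2, 40)   # fatal level, handshake_failure


class HandshakeFailure(Exception):
    pass


def negotiate(client_versions, client_suites, server_versions, server_suites):
    """Server-side choice: highest common version, then the first suite in the
    client's preference order that the server supports. No overlap means a
    fatal handshake_failure alert."""
    common_versions = set(client_versions) & set(server_versions)
    if not common_versions:
        raise HandshakeFailure(HANDSHAKE_FAILURE_ALERT)
    version = max(common_versions)
    for suite in client_suites:
        if suite in server_suites:
            return version, suite
    raise HandshakeFailure(HANDSHAKE_FAILURE_ALERT)


# --- Ephemeral Diffie-Hellman (DHE) -----------------------------------------

# 1024-bit MODP prime, RFC 2409 group 2 (too small for new deployments).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Fresh ephemeral exponent per handshake; never stored after use."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(my_secret, peer_public):
    if not 1 < peer_public < P - 1:        # reject trivial-subgroup values
        raise HandshakeFailure("illegal DH public value")
    z = pow(peer_public, my_secret, P)
    return z.to_bytes((P.bit_length() + 7) // 8, "big")  # pre_master_secret


# --- TLS 1.2 PRF (RFC 5246 section 5) ---------------------------------------

def p_sha256(secret, seed, length):
    out, a = b"", seed                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master, client_random, server_random):
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    # The key block is later split into MAC keys, encryption keys and IVs.
    key_block = prf(master, b"key expansion",
                    server_random + client_random, 128)
    return master, key_block


def handshake(client_versions, client_suites):
    """One full client/server exchange; returns what each side derived."""
    version, suite = negotiate(client_versions, client_suites,
                               [TLS10, TLS11, TLS12], SERVER_SUITES)
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    cx, cy = dh_keypair()                 # ClientKeyExchange carries cy
    sx, sy = dh_keypair()                 # ServerKeyExchange carries sy (signed)
    client_side = derive_keys(dh_shared(cx, sy), client_random, server_random)
    server_side = derive_keys(dh_shared(sx, cy), client_random, server_random)
    return {"version": version, "suite": suite,
            "client": client_side, "server": server_side}


if __name__ == "__main__":
    s1 = handshake([TLS10, TLS12], SERVER_SUITES[::-1])
    s2 = handshake([TLS10, TLS12], SERVER_SUITES[::-1])
    print(s1["version"], s1["suite"], s1["client"] == s1["server"])
    print("sessions share keys:", s1["client"][0] == s2["client"][0])  # False
```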
TLS Deployment Best Practices:
To ensure the effectiveness of TLS, it’s essential to follow best practices in its deployment.
This includes regularly updating TLS configurations to support the latest cryptographic
standards and protocols, disabling deprecated algorithms and cipher suites, and keeping
certificates up-to-date with strong key lengths.
Continual Evolution:
TLS standards continue to evolve to address emerging security threats and vulnerabilities.
Ongoing efforts by standards bodies, such as the Internet Engineering Task Force (IETF),
ensure that TLS remains robust and resilient against evolving attack vectors.
HTTPS
HTTPS establishes the communication between the browser and the web server. It uses the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols for establishing communication; TLS (Transport Layer Security) is the newer version of SSL. HTTPS uses the conventional HTTP protocol and adds a layer of SSL/TLS over it.
The workflow of HTTP and HTTPS remains the same, the browsers and servers still
communicate with each other using the HTTP protocol. However, this is done over a secure
SSL connection. The SSL connection is responsible for the encryption and decryption of the
data that is being exchanged to ensure data safety.

Advantage of HTTPS
• Secure Communication: HTTPS establishes a secure communication link between
the communicating system by providing encryption during transmission.
• Data Integrity: By encrypting the data, HTTPS ensures data integrity. This implies
that even if the data is compromised at any point, the hackers won’t be able to read or
modify the data being exchanged.
• Privacy and Security: HTTPS prevents attackers from accessing the data being
exchanged passively, thereby protecting the privacy and security of the users.
• Faster Performance: HTTPS encrypts the data and reduces its size. The smaller size accounts for faster data transmission in the case of HTTPS.
SECURE SHELL (SSH)
SSH (Secure Shell protocol):
1. It is a cryptographic network protocol for operating network services securely over an unsecured network.
2. It is designed to replace unsecured protocols like Telnet and insecure file transfer methods (like FTP).
3. It uses a client-server design.
4. It uses public-key cryptography (asymmetric key cryptography) to authenticate the remote server and, where required, to verify the user’s identity to the remote server.
SSH Architecture :
The SSH-2 protocol has an internal architecture (defined in RFC 4251) with well-separated layers, namely as follows.

1. The transport layer (RFC 4253) –
It usually runs on top of TCP/IP. This layer handles the initial key exchange between the source and destination.

2. The user authentication layer (RFC 4252) –
This layer handles client authentication and provides a number of authentication methods. It is the SSH client that responds when a user is prompted for a password, not the server; the server simply responds to the client’s authentication requests. Widely used user-authentication methods include the following.

3. Password –
A straightforward method for password authentication, including a facility allowing a password to be changed. Only a few programs implement this method.

4. Public key –
A method for public-key-based authentication, usually supporting at least DSA, ECDSA or RSA key pairs, with other implementations also supporting X.509 certificates.

5. Keyboard-interactive (RFC 4256) –
Here the server sends one or more prompts to enter information, and the client displays them and sends back the responses keyed in by the user. It is used to provide one-time password authentication such as S/Key or SecurID.

6. GSSAPI authentication –
This performs SSH authentication using external mechanisms such as Kerberos 5 or NTLM, providing single sign-on capability to SSH sessions. These methods are usually implemented by commercial SSH implementations for use in organizations.

7. The connection layer (RFC 4254) –
This layer defines the concept of channels, channel requests and global requests, through which SSH services are provided. One SSH connection can host multiple channels simultaneously, each transferring data in both directions. Channel requests are used to relay out-of-band channel-specific data, such as the changed size of a terminal window or the exit code of a server-side process.

8. The SSHFP DNS record (RFC 4255) –
It provides the public host key fingerprints to help verify the authenticity of the host.
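As an added example, not from the original notes, the following Python code shows how an SSHFP record (RFC 4255) is derived from an OpenSSH public host key line and how a client can check a presented host key against published records. The Ed25519 key bytes are a constructed placeholder rather than a real key, and the algorithm and fingerprint-type numbers follow the SSHFP registry (RFC 6594 and RFC 7479).

```python
import base64
import hashlib
import struct

# SSHFP RDATA: <algorithm> <fingerprint type> <fingerprint hex>
SSHFP_ALGORITHM = {          # RFC 4255 / 6594 / 7479 registry values
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_SHA1, FP_SHA256 = 1, 2


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw_public_key, comment="host"):
    """Build an OpenSSH-format public key line from a 32-byte Ed25519 key."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line):
    """Return (key type, key blob) from 'type base64 [comment]'; the type
    field is cross-checked against the type embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len] != key_type.encode():
        raise ValueError("key type field does not match blob")
    return key_type, blob


def openssh_fingerprint(line):
    """The 'SHA256:...' fingerprint that ssh prints (unpadded base64)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_rdata(line, fp_type=FP_SHA256):
    """RDATA for the SSHFP record of this key, e.g. '4 2 <hex>'."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    h = hashlib.sha256 if fp_type == FP_SHA256 else hashlib.sha1
    return "%d %d %s" % (alg, fp_type, h(blob).hexdigest())


def sshfp_record(hostname, line, fp_type=FP_SHA256):
    """Full zone-file line. The record is only trustworthy when the zone is
    DNSSEC-signed, which is what the ssh client option VerifyHostKeyDNS relies on."""
    return "%s. IN SSHFP %s" % (hostname.rstrip("."), sshfp_rdata(line, fp_type))


def host_key_matches(line, sshfp_rdatas):
    """Client check: does the presented host key match any published SSHFP
    record? Unknown algorithms/types are skipped, never treated as a match."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM.get(key_type)
    for rdata in sshfp_rdatas:
        try:
            r_alg, r_type, r_hex = rdata.split()
            r_alg, r_type = int(r_alg), int(r_type)
        except ValueError:
            continue                                 # malformed record
        if r_alg != alg or r_type not in (FP_SHA1, FP_SHA256):
            continue
        h = hashlib.sha256 if r_type == FP_SHA256 else hashlib.sha1
        if h(blob).hexdigest() == r_hex.lower():
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholder key bytes (not a real Ed25519 key).
    demo_line = build_ed25519_pubkey_line(bytes(range(32)), "demo")
    print(openssh_fingerprint(demo_line))
    print(sshfp_record("ssh.example.test", demo_line))
    print(host_key_matches(demo_line, [sshfp_rdata(demo_line)]))
```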

PART – 2 WIRELESS NETWORK SECURITY


WIRELESS SECURITY
Wireless networks provide great convenience to end users, but they are actually very complex in their working. There are many protocols and technologies working behind the scenes to provide a stable connection to users. Data packets traveling through a wire give users a sense of security, since data traveling through a wire is unlikely to be overheard by eavesdroppers.
To secure the wireless connection, we should focus on the following areas –
• Identifying the endpoints of the wireless network and the end users, i.e., Authentication.
• Protecting wireless data packets from a man in the middle, i.e., Privacy.
• Keeping the wireless data packets intact, i.e., Integrity.
We know that wireless clients form an association with Access Points (AP) and transmit data
back and forth over the air. As long as all wireless devices follow 802.11 standards, they all
coexist. But all wireless devices are not friendly and trustworthy, some rogue devices may be
a threat to wireless security. Rogue devices can steal our important data or can cause the
unavailability of the network.
Wireless security is ensured by following methods-
• Authentication
• Privacy and Integrity
In this article, we talk about Authentication. There are broadly two types of authentication process: Wired Equivalent Privacy (WEP), and Extensible Authentication Protocol (802.1x/EAP). These are explained below.
1. Wired Equivalent Privacy (WEP):
For wireless data transmitted over the air, open authentication provides no security. WEP uses the RC4 cipher algorithm to encrypt every frame. The RC4 cipher encrypts data at the sender side and decrypts data at the receiving side, using a string of bits as the key, called the WEP key.
The WEP key can be used as an authentication method or as an encryption tool. A client can associate with an AP only if it has the correct WEP key. The AP tests the client’s knowledge of the WEP key by using a challenge phrase. The client encrypts the phrase with its own key and sends it back to the AP. The AP compares the received encrypted frame with its own encrypted phrase. If both match, access to the association is granted.

2. Extensible Authentication Protocol (802.1x/EAP):
In WEP authentication, authentication of the wireless clients takes place locally at the AP. The scenario changes with 802.1x: a dedicated authentication server is added to the infrastructure. Three devices participate –
1. Supplicant –
The device requesting access.
2. Authenticator –
The device that provides access to the network, usually a WLAN controller (WLC).
3. Authentication Server –
The device that takes the client’s credentials and denies or grants access.

EAP is further divided into four types, each with some amendments over the others –
• LEAP
• EAP-FAST
• PEAP
• EAP-TLS
MOBILE DEVICE SECURITY
Mobile device security refers to the protections put in place to prevent hackers and other unauthorized users from accessing smartphones, tablets, and other portable electronic devices. It means implementing plans and employing tools to protect private, sensitive, and personal data on these devices. To ensure that users may use their mobile devices safely and securely, mobile device security simply attempts to prevent unauthorized access, data breaches, and virus attacks on mobile devices. Mobile device cybersecurity covers protecting data on the device itself as well as on endpoints and networking hardware that are connected to the device.
Why is Mobile Device Security Important?
Mobile device security is crucial for several reasons:
• Personal Information Protection: Mobile devices store an abundance of personal data, including contacts, messages, photographs, and financial details. Securing these devices safeguards sensitive data from unauthorized access and possible misuse.
• Privacy Concerns: With applications and services accessing various kinds of personal data, robust security ensures that this information is not exposed or misused by malicious parties.
• Prevention of Unauthorized Access: Mobile devices frequently act as gateways to other systems, for example email accounts and corporate networks. Strong security measures help prevent unauthorized access to these systems through compromised devices.
• Mitigating Malware and Attacks: Mobile devices are vulnerable to malware, phishing attacks, and other types of cyber threats. Security measures like antivirus software and regular updates help protect against these threats.
• Financial Protection: Many people use their mobile devices for banking and shopping. Ensuring device security safeguards financial transactions and prevents fraudulent activity.
• Compliance Requirements: Organizations often need to comply with data protection regulations (e.g., GDPR, CCPA). Secure mobile devices help meet these legal and regulatory requirements.
• Business Continuity: For organizations, mobile devices often contain critical business-related data. Securing these devices is essential to ensure business operations can continue smoothly without interruptions due to security breaches.
• Reputation Management: A security breach can damage an individual’s or an organization’s reputation. Ensuring mobile device security maintains trust and credibility with customers, partners, and clients.
What are the Benefits of Mobile Device Security?
The benefits of mobile device security are significant and wide-ranging:
• Protection of Personal Data: Security measures help safeguard sensitive personal information, for example contact details, messages, photographs, and financial data, from unauthorized access and possible misuse.
• Enhanced Privacy: Strong privacy controls ensure that personal and confidential information stays private and is not exposed to unauthorized parties or malicious actors.
• Prevention of Unauthorized Access: Effective security keeps unauthorized users from accessing the device and its contents, including sensitive applications and files.
IEEE 802.11 WIRELESS LAN
The IEEE 802.11 standard, commonly known as Wi-Fi, outlines the architecture and defines
the MAC and physical layer specifications for wireless LANs (WLANs). Wi-Fi uses high-
frequency radio waves instead of cables for connecting the devices in LAN. Given the
mobility of WLAN nodes, they can move unrestricted within the network coverage zone. The
802.11 structure is designed to accommodate mobile stations that participate actively in
network decisions. Furthermore, it can seamlessly integrate with 2G, 3G, and 4G networks.
The Wi-Fi standard represents a set of wireless LAN standards developed by the Working
Group of IEEE LAN/MAN standards committee (IEEE 802). The term 802.11x is also used
to denote the set of standards. Various specifications and amendments include 802.11a,
802.11b, 802.11e, 802.11g, 802.11n etc.
IEEE 802.11I WIRELESS LAN SECURITY
There are two characteristics of a wired LAN that are not inherent in a wireless LAN.
1. In order to transmit over a wired LAN, a station must be physically connected
to the LAN. On the other hand, with a wireless LAN, any station within radio
range of the other devices on the LAN can transmit. In a sense, there is a form
of authentication with a wired LAN in that it requires some
positive and presumably observable action to connect a station to a wired LAN.
2. Similarly, in order to receive a transmission from a station that is part of a
wired LAN, the receiving station also must be attached to the wired LAN. On the other hand,
with a wireless LAN, any station within radio
range can receive. Thus, a wired LAN provides a degree of privacy, limiting reception of data
to stations connected to the LAN.
These differences between wired and wireless LANs suggest the increased need for robust
security services and mechanisms for wireless LANs.
The original specification included a set of security features for privacy and authentication that were quite weak. For privacy, 802.11 defined the Wired Equivalent Privacy (WEP) algorithm. The privacy portion of the 802.11 standard contained major weaknesses. Subsequent to the development of WEP, the 802.11i task group has developed a set of capabilities to address the WLAN security issues. In order to accelerate the introduction of strong security into WLANs, the Wi-Fi Alliance promulgated Wi-Fi Protected Access (WPA) as a Wi-Fi standard. WPA is a set of security mechanisms that eliminates most 802.11 security issues and was based on the current state of the 802.11i standard. The final form of the 802.11i standard is referred to as Robust Security Network (RSN). The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under the WPA2 program.

UNIT – 5 E-MAIL SECURITY & CASE STUDIES ON CRYPTOGRAPHY AND SECURITY
PART – 1 E-MAIL SECURITY
PRETTY GOOD PRIVACY
Pretty Good Privacy (PGP) is an encryption software program designed to ensure the confidentiality, integrity, and authenticity of digital communications and data. Developed by Phil Zimmermann in 1991, PGP has become a cornerstone of modern cryptography, widely regarded as one of the best methods for securing digital data.
At its core, PGP employs a hybrid cryptographic method, combining symmetric-key and public-key cryptography techniques. Symmetric-key cryptography uses a single secret key to both encrypt and decrypt data. Conversely, public-key cryptography uses a pair of mathematically related keys: a public key, which is freely shared and used for encryption, and a private key, which is kept secret and used for decryption.
The following are the services offered by PGP:
1. Authentication
2. Confidentiality
3. Email Compatibility
4. Segmentation
1. Authentication in PGP
Authentication basically means validating that something is true or genuine. When we log in to a site we give our account name and password; that is an authentication verification procedure.
In the email world, checking the authenticity of an email means checking whether it actually came from the person it claims to be from. In email, authentication has to be checked because some people spoof emails or send spam, which can cause a lot of inconvenience.
2. Confidentiality in PGP
Sometimes we see some packages labelled as ‘Confidential’, which means that those
packages are not meant for all the people and only selected persons can see them. The same
applies to the email confidentiality as well. Here, in the email service, only the sender and the
receiver should be able to read the message, that means the contents have to be kept secret
from every other person, except for those two.
Advantages of PGP
• The primary benefit of PGP encryption lies in its unbreakable algorithm.
• It is regarded as a top technique for improving cloud security and is frequently utilised
by users who need to encrypt their private conversations.
• This is due to PGP’s ability to prevent hackers, governments, and nation-states from
accessing files or emails that are encrypted with PGP.
Disadvantage of PGP
• The main drawback of PGP encryption is that it is usually not intuitive to use. PGP
requires time and effort to fully encrypt data and files, which might make messaging
more difficult for users. If an organisation is thinking about deploying PGP, it has to
train its employees.
• It is imperative that users comprehend the intricacies of the PGP system to avoid unintentionally weakening their security measures. This may occur from using PGP incorrectly or from losing or corrupting keys, endangering other users in situations where security is critical.
• Absence of anonymity: PGP encrypts user messages but does not provide users with
any anonymity. This makes it possible to identify the source and recipient of emails
sent using a PGP solution.
S/MIME
Email is probably the most used mode of communication today not only for casual chat
purposes but for the transmission of very sensitive information. It could be business plans,
personal information, or other important documents, all of which you would want to be sure
are safe in your email.
S/MIME can do both symmetric encryption and digital signatures, which are two very
important functions for securing emails in the best possible way. Symmetric encryption
guarantees that only the addressee will be able to read your email, and digital signatures
identify who it came from and show that it wasn't changed on its way to your inbox. With
S/MIME, you will be able to protect your communication against unwanted readers and
establish trust with those receiving your emails.
What is S/MIME
S/MIME stands for Secure/Multipurpose Internet Mail Extensions. Through encryption,
S/MIME offers protection for business emails. S/MIME comes under the concept of
Cryptography. S/MIME is a protocol used for encrypting or decrypting digitally signed E-
mails. This means that users can digitally sign their emails as the owner(sender) of the e-mail.
Emails could only be sent in NVT 7-bit format in the past, due to which images, videos, or
audio were not a part of e-mail attachments. Bell Communications launched the MIME
standard protocol in 1991 to increase the email's restricted functionality. S/MIME is an
upgrade of MIME(Multipurpose Internet Mail Extensions). Due to the limitations of MIME,
S/MIME came into play. S/MIME is based on asymmetric cryptography which means that
communications can be encrypted or decrypted using a pair of related keys namely public and
private keys.
How does S/MIME Work?
S/MIME enables non-ASCII data to be sent by email using the Simple Mail Transfer Protocol (SMTP). Moreover, many kinds of data files are sent, including music, video, and image files. This data is sent securely using encryption. Data that is encrypted using a public key is then decrypted using a private key which is only present with the receiver of the e-mail. The receiver decrypts the message and then the message is used. In this way, data is shared using e-mail with an end-to-end security service based on cryptography.
Advantages of S/MIME
1. It offers authentication.
2. It offers message integrity.
3. By the use of digital signatures, it facilitates non-repudiation of origin.
4. It offers privacy.
5. Data security is ensured by the use of encryption.
6. It transfers data files like images, audio, videos, documents, etc. in a secure manner.
Services of S/MIME
1. Digital Signature, which can maintain data integrity.
2. S/MIME can be used in encrypting messages.
3. By using this we can transfer our data using an e-mail without any problem.
Versions of S/MIME
• 1st Version: 1995
• 2nd Version: 1998
• 3rd Version: 1999
Microsoft products that support the third version of S/MIME:-
1. Microsoft Outlook 2000 and more ( SR-1 ).
2. Outlook Express 5.01 and later.
3. Microsoft Exchange version 5.5 and later.
IP SECURITY OVERVIEW & IP SECURITY ARCHITECTURE
IP Security (IPSec) refers to a collection of communication rules or protocols used to
establish secure network connections. Internet Protocol (IP) is the common standard that
controls how data is transmitted across the internet. IPSec enhances the protocol security by
introducing encryption and authentication. IPSec encrypts data at the source and then
decrypts it at the destination. It also verifies the source of the data. In this article we will see
IPSec in detail.
Why is IPSec Important?
IPSec (Internet Protocol Security) is important because it helps keep your data safe and
secure when you send it over the Internet or any network. Here are some of the important
aspects why IPSec is Important:
• IPSec protects the data through Data Encryption.
• IPSec provides Data Integrity.
• IPSec is often used in Virtual Private Networks (VPNs) to create secure, private
connections.
• IPSec protects from Cyber Attacks.
Features of IPSec
• Authentication: IPSec provides authentication of IP packets using digital
signatures or shared secrets. This helps ensure that the packets are not tampered with
or forged.
• Confidentiality: IPSec provides confidentiality by encrypting IP packets,
preventing eavesdropping on the network traffic.
• Integrity: IPSec provides integrity by ensuring that IP packets have not been
modified or corrupted during transmission.
• Key management: IPSec provides key management services, including key exchange
and key revocation, to ensure that cryptographic keys are securely managed.
• Tunneling: IPSec supports tunneling, allowing IP packets to be encapsulated within
another protocol, such as GRE (Generic Routing Encapsulation) or L2TP (Layer 2
Tunneling Protocol).
• Flexibility: IPSec can be configured to provide security for a wide range of network
topologies, including point-to-point, site-to-site, and remote access connections.
• Interoperability: IPSec is an open standard protocol, which means that it is
supported by a wide range of vendors and can be used in heterogeneous
environments.
IP Security Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These
protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header). IPSec
Architecture includes protocols, algorithms, DOI, and Key Management. All these
components are very important in order to provide the three main services:
• Confidentiality
• Authenticity
• Integrity

AUTHENTICATION HEADER, ENCAPSULATING SECURITY PAYLOAD & INTERNET KEY EXCHANGE
Protocols Used in IPSec
IPSec (Internet Protocol Security) is a comprehensive suite of protocols designed to ensure
secure communication over IP networks. It provides various services such as data integrity,
authentication, encryption, and anti-replay protection. The main components of IPSec include
the Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key
Exchange (IKE).
1. Encapsulating Security Payload (ESP)
Encapsulating Security Payload (ESP) is a crucial component of IPSec that offers a range of
security services for data packets transmitted across networks. ESP provides data integrity,
encryption, authentication, and anti-replay protection. The encryption feature ensures that
data confidentiality is maintained, preventing unauthorized users from accessing the contents
of a packet. ESP also supports payload authentication, which confirms that the data has not
been altered during transit and verifies the authenticity of the sender. This protection is
supplemented by anti-replay measures, which prevent attackers from intercepting and
retransmitting packets to disrupt communications. By incorporating these robust security
mechanisms, ESP secures data transmission between devices, enhancing the overall security
of network communications.
2. Authentication Header (AH)
The Authentication Header (AH) is another integral protocol within IPSec, primarily focused
on ensuring data integrity, authentication, and anti-replay protection. Unlike ESP, AH does
not provide data encryption, meaning that while it confirms that the data has not been
tampered with and verifies the sender’s identity, it does not safeguard the confidentiality of
the data. This protocol is valuable for scenarios where encryption is unnecessary but where
verifying the authenticity and integrity of data is essential. AH includes anti-replay protection
to guard against attackers attempting to resend captured packets. Through these capabilities,
AH helps maintain secure communications by confirming the legitimacy and accuracy of the
transmitted data without altering the data's readability.
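As an added example (not from the original notes), the anti-replay service that both ESP and AH provide can be implemented as the sliding window described in RFC 4303: a 64-packet bitmap anchored at the highest sequence number accepted so far. The Python sketch below parses a constructed ESP-like header (SPI, sequence number), pre-screens the sequence number against the window, verifies the integrity check value (a truncated HMAC-SHA256 standing in for the negotiated integrity algorithm), and only then marks the sequence number as seen, so a forged packet cannot poison the window. Keys and packets are constructed sample values.

```python
import hmac
import hashlib
import struct

ICV_LEN = 16   # truncated HMAC-SHA256 output, like HMAC-SHA-256-128 in IPsec


class ReplayWindow:
    """RFC 4303 Appendix A style sliding window over 32-bit sequence numbers.

    Bit i of `bitmap` is set when sequence number (highest - i) was accepted."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0          # nothing seen yet; valid sequence numbers start at 1
        self.bitmap = 0

    def check(self, seq):
        """Pre-screen without updating: would this sequence number be fresh?"""
        if seq == 0:
            return False                              # 0 is never valid
        if seq > self.highest:
            return True                               # to the right of the window
        offset = self.highest - seq
        if offset >= self.size:
            return False                              # too old, left of the window
        return not (self.bitmap >> offset) & 1        # bit set means replay

    def update(self, seq):
        """Record `seq` as accepted; call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) | 1 if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1        # keep exactly `size` bits
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def build_esp_packet(key, spi, seq, payload):
    """Constructed ESP-style packet: SPI | sequence number | payload | ICV."""
    header = struct.pack(">II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiving side of one Security Association."""

    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.window = ReplayWindow()
        self.stats = {"accepted": 0, "seq_rejected": 0, "bad_icv": 0, "wrong_spi": 0}

    def receive(self, packet):
        """Return the payload if accepted, else None (and count the reason)."""
        spi, seq = struct.unpack(">II", packet[:8])
        if spi != self.spi:
            self.stats["wrong_spi"] += 1
            return None
        if not self.window.check(seq):               # cheap reject before the MAC
            self.stats["seq_rejected"] += 1
            return None
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, packet[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            self.stats["bad_icv"] += 1               # window left untouched
            return None
        self.window.update(seq)                      # only now mark as seen
        self.stats["accepted"] += 1
        return body


if __name__ == "__main__":
    key, spi = b"k" * 32, 0x1001
    sa = InboundSA(spi, key)
    pkts = {n: build_esp_packet(key, spi, n, b"data%d" % n) for n in range(1, 8)}
    for n in (1, 2, 4, 3, 5, 3, 7):          # reordered delivery, one replay of 3
        print(n, sa.receive(pkts[n]))
    print(sa.stats)
```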

3. Internet Key Exchange (IKE)


Internet Key Exchange (IKE) is a network security protocol that plays a pivotal role in the
dynamic exchange of encryption keys and the establishment of Security Associations (SAs)
between two devices. IKE facilitates secure communication by setting up and negotiating
security parameters that define how data will be protected during transmission. The Security
Association (SA) represents the shared security attributes that are used by the communicating
parties. IKE operates within the Internet Security Association and Key Management Protocol (ISAKMP) framework, which specifies the procedures for establishing, managing, and terminating SAs. IKE provides
message content protection and offers an open framework for implementing various
cryptographic algorithms such as SHA (Secure Hash Algorithm) and MD5 (Message-Digest
Algorithm). By using these algorithms, IKE generates unique identifiers for each packet,
allowing devices to detect whether a packet is legitimate or compromised. Unauthorized
packets are discarded, ensuring that only authenticated and validated packets are processed
by the receiver, thus enhancing the integrity and security of the network.
PART – 2 CASE STUDIES ON CRYPTOGRAPHY AND SECURITY
SECURE MULTIPARTY COMPUTATION (SMC)
Secure Multiparty Computation (SMC) is a cryptographic technique that enables multiple
parties to jointly compute a function over their inputs while keeping those inputs private. A
prominent case study illustrating SMC’s effectiveness is in the realm of collaborative data
analysis between financial institutions. For example, several banks may want to identify
fraudulent transactions without sharing their entire customer database due to privacy
concerns. By using SMC, each bank can participate in a computation that reveals only the
results of the analysis without disclosing individual customer data. This technology has
proven essential in fostering trust and cooperation between competitive entities by
safeguarding sensitive information.
VIRTUAL ELECTIONS
Virtual elections, or online voting systems, offer convenience but pose significant security
challenges. A notable case study is Estonia's implementation of e-voting, which became a
pioneer in secure online electoral processes. Estonia’s system ensures voter anonymity and
vote integrity through the use of advanced cryptographic protocols and blockchain
technology. The country’s system uses end-to-end encryption and secure digital ID
verification to authenticate voters, protect ballots, and confirm that votes remain untampered
throughout the process. Estonia’s success has shown that secure virtual elections are feasible,
but they require robust encryption, a strong national digital identity infrastructure, and
rigorous testing to guard against potential vulnerabilities.
SINGLE SIGN-ON (SSO)
Single Sign-On (SSO) systems simplify user authentication by allowing a single set of login
credentials to access multiple applications. A relevant case study in this area is Google’s SSO
implementation, which provides seamless access to various services such as Gmail, Google
Drive, and YouTube. Google’s SSO solution uses OAuth 2.0 for secure authorization,
ensuring that user data is protected during the authentication process. This approach
significantly improves user experience by reducing the need to remember multiple passwords
while maintaining high security standards through multi-factor authentication (MFA) and
token-based session management. The widespread adoption of Google’s SSO has
demonstrated the importance of balancing convenience and security.
SECURE INTER-BRANCH PAYMENT TRANSACTIONS
Secure inter-branch payment transactions involve ensuring the safe transfer of funds between
different branches of the same financial institution. A case study that highlights best practices
can be seen in the banking sector’s use of the SWIFT network. The SWIFT system employs
advanced encryption and stringent security protocols to secure financial messages exchanged
between branches across borders. Following a series of high-profile cyberattacks, SWIFT
introduced the Customer Security Programme (CSP), mandating that all member institutions
enhance their cybersecurity frameworks. This case demonstrated the critical need for rigorous
security practices, such as continuous monitoring, strong encryption standards, and multi-
layered authentication, to protect inter-branch financial transactions from fraud and data
breaches.
CROSS-SITE SCRIPTING (XSS) VULNERABILITY
Cross-site scripting (XSS) is a prevalent security vulnerability found in web applications
where attackers inject malicious scripts into trusted websites. A significant case study is the
vulnerability discovered in a major social media platform where attackers exploited a stored
XSS flaw to steal user session cookies, enabling unauthorized access to user accounts. The
response involved thorough code reviews, patching the affected code, and implementing
Content Security Policy (CSP) headers to prevent future exploits. This incident underscored
the importance of input validation, output encoding, and robust security policies as essential
measures to prevent XSS vulnerabilities and protect users from data theft and compromised
accounts.
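An added example, not from the original page, contrasting a comment renderer that concatenates stored user content straight into HTML with its hardened form using output encoding, plus the CSP and cookie headers that limit the damage if encoding is ever missed. The handler functions, the stored comment and the policy values are assumptions constructed for this illustration.

```javascript
// Added example: stored-XSS-prone rendering beside its hardened form.
// The comment text, header values and function names are constructed.

// Vulnerable: stored user content is interpolated into HTML unescaped, so a
// comment that contains markup is parsed as markup by the browser.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: output encoding. Every character with meaning in HTML text or
// attribute context is replaced by an entity before it reaches the page.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "/": "&#x2F;",
  })[c]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Defence in depth at the response level: the CSP refuses inline scripts
// even if an encoding bug slips through, and HttpOnly keeps the session
// cookie out of reach of any script that does run in the page.
function securityHeaders(sessionId) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": `session=${sessionId}; HttpOnly; Secure; SameSite=Lax`,
  };
}

// Constructed stored comment carrying markup instead of plain text.
const stored = '<script>alert("xss")</script>';
console.log(renderCommentVulnerable(stored)); // markup passes through intact
console.log(renderCommentSafe(stored));       // rendered as inert text
console.log(securityHeaders("PLACEHOLDER_SESSION_ID"));
```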