CSS_01

The document provides an overview of cryptography, including its definition, history, and key concepts such as confidentiality, integrity, and availability in information security. It discusses various types of attacks (active and passive), security services, and mechanisms, as well as classical encryption techniques like substitution and transposition. Additionally, it covers symmetric encryption and specific ciphers like the Caesar and Playfair ciphers.

Uploaded by

Adiba Khan

Cryptography and System Security (CSC602)

• What is cryptography?
• It is the art (and sometimes science) of secret writing
• It is also used to guarantee other properties, e.g., authenticity of data
• This is an enormously deep and important field
• However, much of our trust in these systems is based on faith (particularly in
efficient secret key algorithms)

• Cryptographers create ciphers - Cryptography
• Cryptanalysts break ciphers - Cryptanalysis
• The history of cryptography is an arms race between cryptographers and
cryptanalysts
• A cryptosystem is a 5-tuple consisting of (E, D, M, K, C)
Where,
• E is an encryption algorithm
• D is a decryption algorithm
• M is the set of plaintexts
• K is the set of keys
• C is the set of ciphertexts
E : M × K → C
D : C × K → M
• The Enigma machine is a cipher device developed and used in the early- to mid-20th
century to protect commercial, diplomatic, and military communication.
• It was employed extensively by Nazi Germany during World War II, and used in
all branches of the German military.
• The Enigma machine was considered so secure that it was used to encipher the most
top-secret messages.
• Figure: Military Model Enigma I, in use from 1930.
Security goals
• The major goals of information security are as follows −
• Confidentiality − The goal of confidentiality is that only the sender and the intended recipient should
be able to access the contents of a message. Confidentiality is compromised if an unauthorized person
is able to access the message.
• This term covers two related concepts:
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to
unauthorized individuals.
• Privacy: Assures that individuals control or influence what information related to them may be collected and
stored and by whom and to whom that information may be disclosed.

• Integrity − When the contents of a message are changed after the sender sends it, but before it reaches the
intended recipient, we say that the integrity of the message is lost.
• This term covers two related concepts:
• Data integrity: Assures that information (both stored and in transmitted packets) and programs are changed
only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation of the system.

• Availability − A main goal of information security is availability: resources must be available to
authorized parties at all times.
• Although the use of the CIA triad to define security objectives is well
established, some in the security field feel that additional concepts are
needed to present a complete picture:
• Authenticity
• Accountability
• The OSI security architecture focuses on security attacks, mechanisms, and
services.
• These can be defined briefly as:

• Security attack: Any action that compromises the security of information owned
by an individual or organization.

• Security mechanism: A process that is designed to detect, prevent, or recover
from a security attack.

• Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization.
• The services are intended to counter security attacks, and they make use of one
or more security mechanisms to provide the service.
Security Attacks
• A useful means of classifying security attacks is in terms of passive
attacks and active attacks.
• A passive attack attempts to learn or make use of information from the
system but does not affect system resources.
• An active attack attempts to alter system resources or affect their
operation.

• Passive Attacks
• They are in the nature of eavesdropping on, or monitoring of,
transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks are the release of message contents and
traffic analysis.
• Release of message contents: a telephone conversation, an
electronic mail message, and a transferred file may contain
sensitive or confidential information.
• We would like to prevent an opponent from learning the contents of
these transmissions.
• The traffic analysis is subtler.
• Suppose that we had a way of masking (encryption) the contents of
messages or other information traffic so that opponents, even if they
captured the message, could not extract the information from the message.
• The opponent could determine the location and identity of communicating
hosts and could observe the frequency and length of messages being
exchanged.
• This information might be useful in guessing the nature of the
communication that was taking place.
• The most useful protection against traffic analysis is encryption of SIP
(Session Initiation Protocol) traffic. With the traffic encrypted, an attacker
would have to access the SIP proxy (or its call log) to determine who made the call.
• Active attacks
• An active attack attempts to alter system resources or affect their operation.
• It involves some modification of the data stream or the creation of a false stream
and can be subdivided into four categories:
• Masquerade,
• Replay,
• Modification of Messages, and
• Denial of Service.

• Masquerade
• A masquerade attack takes place when one entity pretends to be a different
entity.
• A masquerade attack usually includes one of the other forms of active attack.
• For example, authentication sequences can be captured and replayed after a
valid authentication sequence has taken place, thus enabling an authorized
entity with few privileges to obtain extra privileges by impersonating an entity
that has those privileges.
• Replay
• It involves the passive capture of a data unit and its subsequent retransmission
to produce an unauthorized effect (paths 1, 2, and 3 active).
• In this attack, the basic aim of the attacker is to save a copy of the data
originally present on that particular network and later on use this data for
personal uses.
• Once the data is corrupted or leaked it is insecure and unsafe for the users.
• Modification of messages
• It means that some portion of a legitimate message is altered, or that messages
are delayed or reordered, to produce an unauthorized effect.
• Denial of Service
• It prevents the normal use of communication facilities. This attack may have a
specific target.
• For example, an entity may suppress all messages directed to a particular
destination.
• Another form of service denial is the disruption of an entire network either by
disabling the network or by overloading it with messages so as to degrade
performance.
• DIFFERENCE BETWEEN ACTIVE AND PASSIVE ATTACK

| On the basis of | Active attack | Passive attack |
|---|---|---|
| Definition | In active attacks, the attacker intercepts the connection and attempts to modify the message's content. | In passive attacks, the attacker observes the messages, then copies and saves them and can use them for malicious purposes. |
| Modification | In an active attack, the attacker modifies the actual information. | In passive attacks, information remains unchanged. |
| Victim | In active attacks, the victim gets notified about the attack. | Unlike active attacks, in passive attacks, victims do not get informed about the attack. |
| System's impact | The damage done with active attacks can be harmful to the system and its resources. | The passive attacks do not harm the system. |
| System resources | In active attacks, the system resources can be changed. | In passive attacks, the system resources remain unchanged. |
| Dangerous for | They are dangerous for the integrity and availability of the message. | They can be dangerous for confidentiality of the message. |
| Emphasis on | In active attacks, attention is on detection. | In passive attacks, attention is on prevention. |
| Types | Active attacks involve Masquerade, Modification of message, Repudiation, Replay, and Denial of service. | It involves traffic analysis, the release of a message. |
| Prevention | Active attacks are tough to restrict from entering systems or networks. | Unlike active attacks, passive attacks are easy to prohibit. |
Security services
The classification of security services is as follows:
• Confidentiality: Ensures that the information in a computer system and transmitted information
are accessible only for reading by authorized parties. E.g. printing, displaying and other forms of
disclosure.
• Authentication: Ensures that the origin of a message or electronic document is correctly identified,
with an assurance that the identity is not false.
• Integrity: Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting, creating and
delaying or replaying of transmitted messages.
• Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny
the transmission.
• Access control: Requires that access to information resources may be controlled by or for the target
system.
• Availability: Requires that computer system assets be available to authorized parties when needed.
Security Mechanism

• Encipherment:
• This security mechanism deals with hiding and covering of data which
helps data to become confidential.
• It is achieved by applying mathematical calculations or algorithms which
transform information into an unreadable form.
• It is achieved by two famous techniques named Cryptography and
Encipherment.
• Level of data encryption is dependent on the algorithm used for
encipherment.
• Access Control:
• This mechanism is used to stop unattended access to data which you are sending.
• It can be achieved by various techniques such as applying passwords, using firewall, or just by
adding PIN to data.

• Notarization:
• This security mechanism involves the use of a trusted third party in communication.
• It acts as a mediator between sender and receiver so that any chance of conflict is reduced.
• This mediator keeps a record of requests made by the sender to the receiver in case they are later denied.

• Data Integrity:
• This security mechanism works by appending to the data a value which is created from the data itself.
• It is similar to sending a packet of information known to both sending and receiving parties and
checked before and after data is received.
• When this appended packet or data is checked and is the same while sending and receiving,
data integrity is maintained.
• Authentication exchange:
• This security mechanism deals with identity to be known in communication.
• This is achieved at the TCP/IP layer where a two-way handshaking mechanism is used to ensure
whether data is sent or not.

• Bit stuffing:
• This security mechanism is used to add some extra bits into data which is being transmitted.
• It helps data to be checked at the receiving end and is achieved by Even parity or Odd Parity.

• Digital Signature:
• This security mechanism is achieved by adding digital data that is not visible to eyes.
• It is a form of electronic signature which is added by the sender and checked by the receiver
electronically.
• This mechanism is used for data which is not necessarily confidential but for which the sender's
identity must be made known.
Network Security Model
Network Access Security Model
SYMMETRIC / CONVENTIONAL ENCRYPTION
• Symmetric encryption is also referred to as conventional encryption or single-key
encryption.
• It was the only type of encryption in use prior to the development of public-key
encryption in the 1970s.
• Some basic terminologies used:
• Plaintext - the original message
• Cipher text - the coded message
• Encipher (Encrypt) - converting plaintext to cipher text
• Decipher (Decrypt) - recovering plaintext from cipher text
• Cryptography - study of encryption principles/methods
• Cipher - algorithm for transforming plaintext to cipher text
• Key - info used in cipher known only to sender/receiver
• Cryptanalysis (code breaking) - the study of principles/ methods of deciphering cipher text
without knowing key
• Here the original message, referred to as plaintext, is converted into an apparently
random stream of data which, as it stands, is unintelligible; this is referred to as cipher
text.
• The encryption process consists of an algorithm and a key. The key is a value
independent of the plaintext.
• Changing the key changes the output of the algorithm.
• Once the cipher text is produced, it may be transmitted.
• Upon reception, the cipher text can be transformed back to the original plaintext
by using a decryption algorithm and the same key that was used for encryption.
• The security depends on several factors. First, the encryption algorithm must be
powerful enough that it is impractical to decrypt a message on the basis of cipher
text alone.
• Beyond that, the security depends on the secrecy of the key, not the secrecy of
the algorithm.
CLASSICAL ENCRYPTION TECHNIQUES
• There are two basic building blocks of all encryption techniques:
Substitution and Transposition.

• SUBSTITUTION TECHNIQUES
• Here the letters of plaintext are replaced by other letters or by
numbers or symbols.
• If the plaintext is viewed as a sequence of bits, then substitution
involves replacing plaintext bit patterns with cipher text bit patterns.
• Caesar cipher
• Monoalphabetic Ciphers
• Caesar cipher (or) shift cipher:
• The earliest known use of a substitution cipher and the simplest was by Julius
Caesar.
• The Caesar cipher involves replacing each letter of the alphabet with the letter
standing 3 places further down the alphabet.
• Plain text: meet me after the toga party
• Cipher text: PHHW PH DIWHU WKH WRJD SDUWB
• Note that the alphabet is wrapped around, so that the letter following Z is A.
• We can define the transformation by listing all possibilities, as follows:
• plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
• cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c
• For each plaintext letter p, substitute the cipher text letter c such that
• C = E(p) = (p+3) mod 26
• A shift may be any amount, so that general Caesar algorithm is
• C = E (p) = (p+k) mod 26
• Where k takes on a value in the range 1 to 25. The decryption algorithm is simply
• P = D(C) = (C-k) mod 26
• Monoalphabetic Ciphers
• With only 25 possible keys, the Caesar cipher is far from secure.
• A dramatic increase in the key space can be achieved by allowing an arbitrary
substitution.
• There are n! permutations of a set of n elements
• Caesar cipher:
• plain: abcdefghijklmnopqrstuvwxyz
• cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c
• If the “cipher” line can be any permutation of the 26 alphabetic characters, then
there are 26! or greater than 4 × 10^26 possible keys.
• This is 10 orders of magnitude greater than the key space for DES and would
seem to eliminate brute-force techniques for cryptanalysis.
• Such an approach is referred to as a monoalphabetic substitution cipher
• Playfair Cipher
• It is the best-known multiple-letter encryption cipher.
• It treats digrams in the plaintext as single units and translates
these units into ciphertext digrams.
• The Playfair algorithm is based on the use of a 5 × 5 matrix of letters
constructed using a keyword.
• In this example, the keyword is monarchy.
• The matrix is constructed by filling in the letters of the keyword (minus
duplicates) from left to right and from top to bottom, and then filling in
the remainder of the matrix with the remaining letters in alphabetic order.
• The letters I and J count as one letter.
• Plaintext encrypts two letters at a time, according to the following rules:
• 1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as
“x”.
• 2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row circularly following the last.
• For example, “ar” is encrypted as RM.
• 3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with
the top element of the column circularly following the last.
• For example, “mu” is encrypted as CM.
• 4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and
the column occupied by the other plaintext letter. Thus, “hs” becomes “BP” and “ea” becomes
“IM” (or JM, as the encipherer wishes).

• Plaintext => meet me at the school house
• Splitting two letters as a unit => me et me at th es ch ox ol ho us ex
• Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU
• The Playfair cipher is a great advance over simple monoalphabetic ciphers.
• Since there are 26 letters, 26 × 26 = 676 digrams are possible, so identification of
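The matrix construction and the four rules above, as an added Python example that is not part of the original slides. It uses the slide's keyword monarchy; the function names, and the choice of "q" as the filler when the repeated letter is itself "x", are assumptions of this sketch.

```python
from string import ascii_lowercase

def build_matrix(keyword):
    """5x5 matrix: keyword letters (minus duplicates), then the remaining
    letters in alphabetic order. I and J count as one letter (stored as i)."""
    seen = []
    for ch in (keyword.lower() + ascii_lowercase):
        if ch not in ascii_lowercase:
            continue
        ch = "i" if ch == "j" else ch
        if ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]

def to_digrams(plaintext, filler="x"):
    """Rule 1: split into pairs, separating a repeated letter inside a pair
    with a filler and padding an odd final letter."""
    letters = ["i" if c == "j" else c
               for c in plaintext.lower() if c in ascii_lowercase]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            # Assumption: fall back to "q" so a pair never holds "xx".
            pairs.append(a + (filler if a != filler else "q"))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def encrypt_pair(matrix, pair):
    """Rules 2-4 for one digram."""
    pos = {matrix[r][c]: (r, c) for r in range(5) for c in range(5)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:        # same row: take the letter to the right, wrapping
        out = matrix[r1][(c1 + 1) % 5] + matrix[r2][(c2 + 1) % 5]
    elif c1 == c2:      # same column: take the letter beneath, wrapping
        out = matrix[(r1 + 1) % 5][c1] + matrix[(r2 + 1) % 5][c2]
    else:               # rectangle: own row, the other letter's column
        out = matrix[r1][c2] + matrix[r2][c1]
    return out.upper()

def playfair_encrypt(plaintext, keyword):
    matrix = build_matrix(keyword)
    return " ".join(encrypt_pair(matrix, p) for p in to_digrams(plaintext))

if __name__ == "__main__":
    for row in build_matrix("monarchy"):
        print(" ".join(row).upper())
    print(" ".join(to_digrams("meet me at the school house")))
    print(playfair_encrypt("meet me at the school house", "monarchy"))
```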
• Hill Cipher
• It was developed by the mathematician Lester Hill in 1929.
• Hill cipher is a polygraphic substitution cipher based on linear algebra.
• Each letter is represented by a number modulo 26. Often the simple
scheme A = 0, B = 1, …, Z = 25 is used, but this is not an essential
feature of the cipher.
• To encrypt a message, each block of n letters (considered as an n-
component vector) is multiplied by an invertible n × n matrix, against
modulus 26.
• To decrypt the message, each block is multiplied by the inverse of the
matrix used for encryption.
• The matrix used for encryption is the cipher key, and it should be
chosen randomly from the set of invertible n × n matrices (modulo
26).
• Input : Plaintext: ACT
• Key: GYBNQKURP
• Output : Ciphertext: POH
• We have to encrypt the message ‘ACT’ (n = 3). The key is ‘GYBNQKURP’,
which can be written as the n × n matrix:

• The message ‘ACT’ is written as vector:


• The enciphered vector is given as:

• Input : Plaintext: GFG
• Key: HILLMAGIC
• Output : Ciphertext: SWK
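Both Hill cipher inputs above, worked as an added Python example (not part of the original slides). It fills the key matrix row by row with A = 0 … Z = 25 and goes beyond the slide by also computing the inverse matrix modulo 26 for decryption, which exists only when the determinant is coprime to 26; the function names are assumptions of this sketch.

```python
from math import gcd

def key_matrix(key, n):
    """Fill an n x n matrix row by row from the key letters, A=0 ... Z=25."""
    nums = [ord(c) - 65 for c in key.upper()]
    if len(nums) != n * n:
        raise ValueError("key must contain exactly n*n letters")
    return [nums[r * n:(r + 1) * n] for r in range(n)]

def minor(m, r, c):
    """Matrix m with row r and column c removed."""
    return [row[:c] + row[c + 1:] for i, row in enumerate(m) if i != r]

def det(m):
    """Integer determinant by cofactor expansion along the first row."""
    if not m:
        return 1
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** c * m[0][c] * det(minor(m, 0, c))
               for c in range(len(m)))

def inverse_mod26(m):
    """Inverse = det^-1 * adjugate (mod 26); needs gcd(det, 26) == 1."""
    n = len(m)
    d = det(m) % 26
    if gcd(d, 26) != 1:
        raise ValueError("key matrix is not invertible modulo 26")
    d_inv = pow(d, -1, 26)  # modular inverse, Python 3.8+
    return [[(d_inv * (-1) ** (r + c) * det(minor(m, c, r))) % 26
             for c in range(n)] for r in range(n)]

def _transform(m, text):
    """Multiply each block of n letters (as a column vector) by m, mod 26."""
    n = len(m)
    nums = [ord(ch) - 65 for ch in text.upper() if "A" <= ch <= "Z"]
    if len(nums) % n:
        raise ValueError("text length must be a multiple of n")
    out = []
    for i in range(0, len(nums), n):
        block = nums[i:i + n]
        out += [sum(m[r][c] * block[c] for c in range(n)) % 26
                for r in range(n)]
    return "".join(chr(v + 65) for v in out)

def hill_encrypt(plaintext, key, n):
    return _transform(key_matrix(key, n), plaintext)

def hill_decrypt(ciphertext, key, n):
    return _transform(inverse_mod26(key_matrix(key, n)), ciphertext)

if __name__ == "__main__":
    print(key_matrix("GYBNQKURP", 3))           # [[6, 24, 1], [13, 16, 10], [20, 17, 15]]
    print(hill_encrypt("ACT", "GYBNQKURP", 3))  # POH
    print(hill_decrypt("POH", "GYBNQKURP", 3))  # ACT
    print(hill_encrypt("GFG", "HILLMAGIC", 3))  # SWK
```

The second key, HILLMAGIC, has determinant 12 modulo 26; because gcd(12, 26) = 2 it produces SWK but has no inverse, so `hill_decrypt` rejects it and the ciphertext cannot be uniquely decrypted with that key.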
• Vigenère cipher
• The best known, and one of the simplest, polyalphabetic ciphers is
the Vigenère cipher.
• Here the set of related monoalphabetic substitution rules consists of
the 26 Caesar ciphers with shifts of 0 through 25.
• Each cipher is denoted by a key letter, which is the ciphertext letter
that substitutes for the plaintext letter a.
• Thus, a Caesar cipher with a shift of 3 is denoted by the key value 3.
