SFWR 4C03: Computer Networks and Computer Security Mar 1-4 2004

Lecturer: Kartik Krishnan Lectures 19-21

Information, Computer and Network Security:
Information security is the security of information. With the introduction of
the computer, the need for automated tools for the protection of les, and other
information stored on the computer has become evident. This is especially true
for a shared system, such as a time sharing system, and the need is even more
acute for systems that can be accessed over a public telephone network, data
network or the internet. The generic name for the collection of tools designed
to protect data and thwart hackers is computer security. Another nuisance
computer security tools have to guard against is the computer virus, which can
be introduced into the system when it arrives on a diskette, and is subsequently
loaded onto the computer.
In the course, we will be more interested in a second kind of security called
internet/network security. This deals with the security of information during its
transmission from user on one computer network to another. Of course, com-
puter security is important too, since if someone can access your computers re-
sources, he/she will have access to the network, and other computers attached to
this network. Thus, computer and network security measures go hand in hand.
However, we will discuss internet security rst and then return to computer
security.
Network security problems can be divided roughly into four intertwined ar-
eas: secrecy, authentication, nonrepudiation and integrity control.
1. Secrecy: This is also called condentiality, and has to do with keeping
information out of the hands of unauthorized users. This is what usually
comes to mind when people think about network security.
2. Authentication: This deals with determining whom you are talking to
before revealing sensitive information or entering into a business deal.
3. Nonrepudiation: This deals with signatures: How does amazon.ca prove
that Kartik indeed placed an order for a book, which Kartik claims he
never placed?.
4. Integrity of service: How does one ensure that the message received
was really the one sent, and not something that a malicious adversary
modied in transit or concocted?.
We will also classify the attacks that compromise network security as passive
attacks and active attacks.
19-21-1
1. Passive Attacks: These attacks are in the nature of eavesdropping on,
or monitoring of, transmissions. The goal of the opponent is to obtain
information that is being transmitted. Two types of passive attacks are
release of message contents where an eavesdropper tries to learn the con-
tents of what is being transmitted. This can be prevented by encryption
(see model for cryptography below). A second type of passive attack is
called trac analysis, where the opponent tries to observe the pattern,
frequency and length of messages being exchanged which could be used in
guessing the nature of the communication that is taking place. Passive at-
tacks are very dicult to detect since they do not involve the alteration of
the data. The emphasis, therefore, is on prevention via a good encryption
algorithm.
2. Active Attacks: Active attacks involve some modication of the data
stream or the creation of a false stream. These attacks present the op-
posite characteristics of passive attacks. It is dicult to prevent active
attacks absolutely because to do so would require physical protection of
all communications facilities and paths at all times. Instead, the goal is to
detect them and to recover from any disruption or delays caused by them.
A model for Network Security
The general model is shown in Figure 1. A message (plaintext) is to be trans-
ferred from one party (Alice) to another (Bob) across some sort of internet. The
two parties, who are the principals in this transaction, must cooperate for the
exchange to take place. A communication channel is established by dening
a route through the internet from source to destination and by the coopera-
tive use of communication protocols, e.g. TCP/IP by the two principals. As
shown in the gure, the communication channel is not secure since there is
an eavesdropper (opponent, Oscar/Trudy) who presents a threat to conden-
tiality, authenticity, and so on. All techniques for providing security have two
components.
1. A security related transformation on the information to be sent. Examples
include the encryption of the message, which scrambles the message (called
the ciphertext) so that it is unreadable by the opponent.
2. Some secret information shared by the two principals, and it is hoped
unknown to the opponent. An example is an encryption key used in
conjunction with the transformation to scramble (encrypt) the message
before transmission and unscramble (decrypt) it on reception.
A trusted third party (big brother) may be needed to achieve secure transmis-
sion. For example, big brother may be responsible for distributing the secret
information to the two principals while keeping it from any opponent. Else,
he/she may be needed to arbitrate disputes between the two principals concern-
ing the authenticity of a message transmission.
There are four tasks in designing a particular security service:
1. Design an algorithm for performing the security related transformation.
This algorithm is assumed to be known to the opponent (Kerckhos prin-
ciple), but it should be such that an opponent cannot defeat its purpose.
19-21-2
Information
Channel
Security-related
transformation
Sender
Secret
information
M
e
s
s
a
g
e
M
e
s
s
a
g
e
S
e
c
u
r
e
m
e
s
s
a
g
e
S
e
c
u
r
e
m
e
s
s
a
g
e
Recipient
Opponent
Trusted third party
(e.g., arbiter, distributer
of secret information)
Figure 1.1 Model for Network Security
Security-related
transformation
Secret
information
Figure 1: A general model for network security
19-21-3
2. Generate the secret information (key) to be used with the algorithm.
3. Develop methods for the distributing and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of
the security algorithm and the secret information to achieve a particular
security service.
Before we discuss these technicalities, we need to introduce some notation:
Denition 1 A cryptosystem is a ve tuple (P, C, K, E, D), where the following
conditions are satised:
1. P is the nite set of possible plaintexts.
2. C is a nite set of possible ciphertexts.
3. K, the keyspace, is a nite set of possible keys.
4. For each K K, there is an encryption rule e
K
E and a corresponding
decryption rule d
K
D. Each e
K
: P C and d
K
: C P are functions
such that d
K
(e
K
(x)) = x for every plaintext element x P.
Property 4 says that if a plaintext x is encrypted using e
K
, and the resulting
ciphertext is subsequently decrypted using d
K
, then the original plaintext x
results.
Alice and Bob employ the following protocol to use in a specic cryptosys-
tem. First, they choose a random key K K. This can be done when they are
in the same place and not being observed by Oscar, or, alternatively when they
do have access to a prior secure channel. At a later time, Alice wants to commu-
nicate a message to Bob over an insecure channel (as shown in the gure). We
suppose that this message is a string x = x
1
x
2
. . . x
n
, for some integer n 1,
where each plaintext symbol x
i
P, 1 i n. Each x
i
is encrypted using the
encryption rule e
K
specied by the predetermined key K (one can think as the
encryption as being a function of the algorithm e
K
and the key K). Hence, Alice
computes y
i
= e
K
(x
i
), 1 i n, and the resulting ciphertext y = y
1
y
2
. . . y
n
is
sent over the channel. When Bob receives y
1
y
2
. . . y
n
, he decrypts it using the
decryption function d
K
(once again decryption is a function of the algorithm
d
K
and the key K), obtaining the original text string x
1
x
2
. . . x
n
.
One of the requirements of the encryption function is that it has been one-
to-one (injective), i.e. if x
1
= x
2
, then it must be the case that y
1
= y
2
,
where y
1
, y
2
= e
K
(x
1
), e
K
(x
2
). Else, the message cannot be decrypted in an
unambiguous manner.
Here is an example of the cryptosystem called the shift cipher. Let Z
26
=
{A, . . . , Z}. We will use the following numbering scheme for the 26 alphabets,
where A = 0, B = 1, . . ., Z = 25 etc. The shift cipher can be formally dened
as follows:
Denition 2 Let P = C = K = Z
26
. For 0 K 25, dene
e
K
(x) = (x +K) mod 26
d
K
(y) = (y K) mod 26
19-21-4
Here (x + K) mod 26 is the remainder obtained after dividing (x + K) by 26;
(yK) mod 26 is dened in a similar fashion. Now suppose (yK) is a negative
number, the mod operation works as follows: (7) mod 31 = (1) 31 +24 =
24.
We consider an example for the shift cipher below. In the example we will
use upper case letters for ciphertext and lower case letters for plaintext, in order
to improve readability. We will do this elsewhere as well. Suppose the key for
the shift cipher is K = 11, and the plaintext is
wewillmeetatmidnight
Using the correspondence between alphabets and numbers, we obtain the fol-
lowing sequence of integers
22 4 22 8 11 11 12 4 4 19
0 19 12 8 3 13 8 6 7 19
Next, we add 11 to each value, reducing each sum modulo 26:
7 15 7 19 22 22 23 15 15 4
11 4 23 19 14 24 19 17 18 4
Finally, we convert the sequence of integers to alphabetic characters, obtaining
the ciphertext
HPHTWWXPPELEXTOY TRSE
To decrypt the text, Bob will rst convert the ciphertext to a sequence of inte-
gers, then subtract 11 from each value (reducing modulo 26), and nally convert
the sequence of integers to alphabetic characters. Id expect everyone to try de-
crypting the ciphertext using the key to see if you can recover the original text.
We will consider three other cryptosystems in this lecture.
Denition 3 Let P = C = Z
26
. Let K consist of all possible permutations of
the 26 symbols 0, 1, . . . , 25. For each permutation K, dene
e

(x) = (x)
d

(y) =
1
(y)
where
1
is the inverse permutation to .
Here is an example of a permutation , which could comprise an encryption
function. (As before, plaintext characters are written in lower case and cipher-
text characters are written in upper case). Thus, e

(a) = X etc. The decryption

a b c d e f g h i j k l m
X N Y A H P O G Z Q W B T
n o p q r s t u v w x y z
S F L R C V M U E K J D I
function is the inverse permutation. This is formed by writing the second lines
rst, and then sorting in alphabetical order. The following is obtained. Hence,
d

(A) = d etc. As an exercise, try encrypting and decrypting the previous

message using the substitution cipher.
A key for the substitution cipher consists of a permutation of all the 26
alphabetic characters. The number of possible permutations is 26!, which is
19-21-5
A B C D E F G H I J K L M
d l r y v o h e z x w p t
N O P Q R S T U V W X Y Z
b g f j q n m u s k a c i
more than 4 10
26
, a very large number. Thus, an exhaustive key search is
infeasible, even for a computer. This is better than the shift cipher where
K = 11 where there are only 25 possibilities (excluding K = 0).
The substitution cipher is a monoalphabetic cipher, since each alphabetic
character is mapped to a unique alphabetic character. Thus, although, the
keyspace is large the substitution cipher can be broken using the statistical
properties of the English language. This attack uses the relative frequencies of
the 26 letters of the English language; it is also useful to consider sequences
of two or three consecutive letters called digrams and trigrams and the relative
frequencies of their occurrence. I have a link on the course webpage which
illustrates the cryptanalysis of the substitution cipher; you are all encouraged
to see how this is done.
One way to improve the security of the substitution cipher is to use a polyal-
phabetic cipher, where each alphabet is mapped into more than one alphabet in
the ciphertext. One common example is the Vignere cipher.
Denition 4 Let m be a positive integer. Dene P = C = K = (Z
26
)
m
. For a
key K = (k
1
, . . . , k
m
), we dene
e
K
(x
1
, x
2
, . . . , x
m
) = ((x
1
+k
1
) mod 26, (x
2
+k
2
) mod 26, . . . , (x
m
+k
m
) mod 26)
d
K
(y
1
, y
2
, . . . , y
m
) = ((y
1
k
1
) mod 26, (y
2
k
2
) mod 26, . . . , (y
m
k
m
) mod 26)
The key is chosen randomly; using the correspondence A 0, . . . , Z 25
described earlier, we can associate each key K with an alphabetic string of
length m called a keyword. The Vignere cipher encrypts m alphabetic characters
at a time: each plaintext element is equivalent to m alphabetic characters. As
an instance, try decrypting the previous message with the keyword CIPHER.
Here m = 6.
The number of possible keywords of length m in a Vignere cipher is 26
m
,
so even for relatively small values of m, an exhaustive key search would require
a long time. This is large enough to preclude exhaustive key search by hand.
Also, note that in a Vignere cipher having keyword length m, an alphabetic
character can be mapped to one of m possible alphabetic characters (assuming
the keyword contains m distinct characters). Hence this cipher is an example
of a polyalphabetic cryptosystem. In general, cryptanalysis is more dicult for
polyalphabetic than for monoalphabetic cryptosystems.
All the cryptosystems we have discussed so far involve substitution: plaintext
characters are replaced by dierent ciphertext characters. The idea of a permu-
tation or transposition cipher is to keep the plaintext characters unchanged, but
to alter their positions by rearranging them using a permutation.
Denition 5 Let m be a positive integer. Let P = C = (Z
26
)
m
, and let K
consist of all permutations of {1, . . . , m}. For a key (i.e., a permutation) , we
dene
e

(x
1
, . . . , x
m
) = (x
(1)
, . . . , x
(m)
)
d

(y
1
, . . . , y
m
) = (y

1
(1)
, . . . , y

1
(m)
)
where
1
is the inverse permutation to pi.
19-21-6
Here is an example to illustrate the permutation cipher. Suppose m = 6 and
the key is the following permutation : The inverse permutation
1
is given
x 1 2 3 4 5 6
(x) 3 5 1 6 4 2
by Now, suppose we are given the plaintext
x 1 2 3 4 5 6

1
(x) 3 6 1 5 2 4
shesellsseashellsbytheseashore
We rst partition the plaintext into groups of six letters (since the keysize m =
6).
shesel|lsseas|hellsb|ythere|ashore
Now each group of six letters is rearranged according to the permutation ,
yielding the following
EESLSH|SALSES|LSHBLE|HSY EET|HRAEOS|
So, the ciphertext is
EESLSHSALSESLSHBLEHSY EETHRAEOS
The ciphertext can be decrypted in a similar fashion, using the inverse permu-
tation
1
; I urge you all to try this out.
Recommended Reading
1. Chapter 1 of Stallings [1] for an introduction to network and computer
security. The model for network security is also discussed here.
2. Chapter 1 of Stinson [2] provides a nice introduction to cryptography. The
discussion on the shift, substitution, Vignere, and permutation ciphers in
this lecture is taken from this reference. There is also a good discussion of
these ciphers in Chapter 2 of Stallings. Section 1.2 of Stinson illustrates
how the substitution and Vignere ciphers can be broken using a statistical
analysis on the ciphertext; there is also some discussion in Section 2.2 of
Stallings.
References
[1] W. Stallings, Cryptography and Network Security: Principles and Prac-
tices, 3rd edition, Prentice Hall, NJ, 2003.
[2] D.R. Stinson, Cryptography: Theory and Practice, 2nd edition, Chapman
& Hall/CRC, 2002.
19-21-7