Chapter 4

CONVENTIONAL ENCRYPTION
Introduction, Types of attacks, Steganography, Data Encryption Standard, Block Cipher
Principle, S-box design, triple DES with two three keys, introduction to international data
encryption algorithm and key distribution

Introduction:
With the introduction of the computer, the need for automatic tools for protecting files and
other information stored on the computer became evident. This is especially the case for a shared
system, such as a time-sharing system, and the need is even more acute for systems that can be
accessed over a public telephone network, data network, or the Internet. The generic name for the
collection of tools designed to protect data and to thwart hackers is computer security. The second
major change that affected security is the introduction of distributed systems and the use of
networks and communications facilities for carrying data between terminal user and computer and
between computer and computer.
Network security measures are needed to protect data during their transmission. internet
security, which consists of measures to deter, prevent, detect, and correct security violations that
involve the transmission of information. Consider the following example of security violations: User
A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be
protected from disclosure. User C, who is not authorized to read the file, is able to monitor the
transmission and capture a copy of the file during its transmission.
1.1 The OSI Security Architecture
To assess effectively the security needs of an organization and to evaluate and choose
various security products and policies, the manager responsible for security needs some systematic
way of defining the requirements for security and characterizing the approaches to satisfying those
requirements. ITU-T Recommendation X.800, Security Architecture for OSI, defines such a
systematic approach. The OSI security architecture is useful to managers as a way of organizing the
task of providing security.
The OSI security architecture focuses on security attacks, mechanisms, and services. These
can be defined briefly as follows:
Security attack: Any action that compromises the security of information owned by an
organization.
Security mechanism: A process (or a device incorporating such a process) that is designed to
detect, prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the
service.
Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or
event that could breach security and cause harm. That is, a threat is a possible danger that might exploit
vulnerability.
Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the
security policy of a system.

1.2 Security Attacks

A useful means of classifying security attacks, is in terms of passive attacks and active attacks. A
passive attack attempts to learn or make use of information from the system but does not affect
system resources. An active attack attempts to alter system resources or affect their operation.
Passive Attacks: Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is being transmitted. Two
types of passive attacks are release of message contents and traffic analysis.
The release of message contents is easily understood. A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or confidential information.
We would like to prevent an opponent from learning the contents of these transmissions. A second
type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the
contents of messages or other information traffic so that opponents, even if they captured the
message, could not extract the information from the message. The common technique for masking
contents is encryption. If we had encryption protection in place, an opponent might still be able to
observe the pattern of these messages. The opponent could determine the location and identity of
communicating hosts and could observe the frequency and length of messages being exchanged.
This information might be useful in guessing the nature of the communication that was taking
place.
Passive attacks are very difficult to detect because they do not involve any alteration of the
data. Typically, the message traffic is sent and received in an apparently normal fashion and neither
the sender nor receiver is aware that a third party has read the messages or observed the traffic
pattern. However, it is feasible to prevent the success of these attacks, usually by means of
encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.
Active Attacks: Active attacks involve some modification of the data stream or the creation of a
false stream and can be subdivided into four categories:
1. masquerade,
2. replay,
3. modification of messages, and
4. denial of service.
A masquerade takes place when one entity pretends to be a different entity. A masquerade
attack usually includes one of the other forms of active attack. For example, authentication
sequences can be captured and replayed after a valid authentication sequence has taken place, thus
enabling an authorized entity with few privileges to obtain extra privileges by impersonating an
entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an unauthorized effect.
The denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target; for example, an entity may
suppress all messages directed to a particular destination (e.g., the security audit service). Another
form of service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive
attacks are difficult to detect, measures are available to prevent their success. On the other hand, it
is quite difficult to prevent active attacks absolutely, because of the wide variety of potential
physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to

recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may
also contribute to prevention. Figure 1 shows the passive and active attack types.

Figure 1: Active and passive threats

1.3 Security Services
X.800 defines a security service as a service provided by a protocol layer of communicating open
systems, which ensures adequate security of the systems or of data transfers. Perhaps a clearer
definition is: a processing or communication service that is provided by a system to give a specific kind
of protection to system resources; security services implement security policies and are implemented
by security mechanisms.
1.3.1 Authentication
The authentication service is concerned with assuring that a communication is authentic. In
the case of a single message, such as a warning or alarm signal, the function of the authentication
service is to assure the recipient that the message is from the source that it claims to be from. In the
case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are
involved. First, at the time of connection initiation, the service assures that the two entities are
authentic, that is, that each is the entity that it claims to be. Second, the service must assure that the
connection is not interfered with in such a way that a third party can masquerade as one of the two
legitimate parties for the purposes of unauthorized transmission or reception. Two specific
authentication services are defined in X.800:
Peer entity authentication: Provides for the corroboration of the identity of a peer entity in an
association. It is provided for use at the establishment of, or at times during the data transfer phase
of, a connection. It attempts to provide confidence that an entity is not performing either a
masquerade or an unauthorized replay of a previous connection.
Data origin authentication: Provides for the corroboration of the source of a data unit. It does
not provide protection against the duplication or modification of data units. This type of service
supports applications like electronic mail where there are no prior interactions between the
communicating entities.

1.3.2 Access Control

In the context of network security, access control is the ability to limit and control the access
to host systems and applications via communications links. To achieve this, each entity trying to gain
access must first be identified, or authenticated, so that access rights can be tailored to the
individual.
1.3.3 Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect to the
content of a data transmission, several levels of protection can be identified. The broadest service
protects all user data transmitted between two users over a period of time. For example, when a TCP
connection is set up between two systems, this broad protection prevents the release of any user
data transmitted over the TCP connection. Narrower forms of this service can also be defined,
including the protection of a single message or even specific fields within a message. These
refinements are less useful than the broad approach and may even be more complex and expensive
to implement.
The other aspect of confidentiality is the protection of traffic flow from analysis. This
requires that an attacker not be able to observe the source and destination, frequency, length, or
other characteristics of the traffic on a communications facility.
1.3.4 Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single message, or
selected fields within a message. Again, the most useful and straightforward approach is total stream
protection. A connection-oriented integrity service, one that deals with a stream of messages, assures
that messages are received as sent, with no duplication, insertion, modification, reordering, or replays.
The destruction of data is also covered under this service. Thus, the connection-oriented integrity
service addresses both message stream modification and denial of service. On the other hand, a
connectionless integrity service, one that deals with individual messages without regard to any larger
context, generally provides protection against message modification only.
We can make a distinction between the service with and without recovery. Because the
integrity service relates to active attacks, we are concerned with detection rather than prevention.
If a violation of integrity is detected, then the service may simply report this violation, and some
other portion of software or human intervention is required to recover from the violation.
Alternatively, there are mechanisms available to recover from the loss of integrity of data, as we
will review subsequently. The incorporation of automated recovery mechanisms is, in general, the
more attractive alternative.
1.3.5 Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus,
when a message is sent, the receiver can prove that the alleged sender in fact sent the message.
Similarly, when a message is received, the sender can prove that the alleged receiver in fact
received the message.
1.4 Security Mechanisms
Following is the list of the security mechanisms defined in X.800. As can be seen the mechanisms
are divided into those that are implemented in a specific protocol layer and those that are not specific
to any particular protocol layer or security service.
X.800 distinguishes between reversible encipherment mechanisms and irreversible
encipherment mechanisms. A reversible encipherment mechanism is simply an encryption algorithm
that allows data to be encrypted and subsequently decrypted. Irreversible encipherment mechanisms

include hash algorithms and message authentication codes, which are used in digital signature and
message authentication applications.
A. Specific Security Mechanisms
May be incorporated into the appropriate protocol layer in order to provide some of the OSI
security services.
1. Encipherment: The use of mathematical algorithms to transform data into a form that is not
readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm
and zero or more encryption keys.
2. Digital Signature: Data appended to, or a cryptographic transformation of, a data unit that
allows a recipient of the data unit to prove the source and integrity of the data unit and protect
against forgery (e.g., by the recipient).
3. Access Control: A variety of mechanisms that enforce access rights to resources.
4. Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of
data units.
5. Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of
information exchange.
6. Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
7. Routing Control: Enables selection of particular physically secure routes for certain data and
allows routing changes, especially when a breach of security is suspected.
8. Notarization: The use of a trusted third party to assure certain properties of a data exchange.
B. Pervasive Security Mechanisms
Mechanisms that are not specific to any particular OSI security service or protocol layer.
1. Trusted Functionality: That which is perceived to be correct with respect to some criteria (e.g., as
established by a security policy).
2. Security Label: The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.
3. Event Detection: Detection of security-relevant events.
4. Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities.
5. Security Recovery: Deals with requests from mechanisms, such as event handling and
management functions, and takes recovery actions.

1.5 A Model for Network Security

A model for much of what we will be discussing is captured, in very general terms, in Figure
2. A message is to be transferred from one party to another across some sort of internet. The two
parties, who are the principals in this transaction, must cooperate for the exchange to take place. A
logical information channel is established by defining a route through the internet from source to
destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two
principals.
Security aspects come into play when it is necessary or desirable to protect the information
transmission from an opponent who may present a threat to confidentiality, authenticity, and so on.
All the techniques for providing security have two components:
A security-related transformation on the information to be sent. Examples include the encryption
of the message, which scrambles the message so that it is unreadable by the opponent, and the
addition of a code based on the contents of the message, which can be used to verify the identity of

the sender.

Figure 2: Model for network security

Some secret information shared by the two principals and, it is hoped, unknown to the opponent.
An example is an encryption key used in conjunction with the transformation to scramble the
message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. For example, a third
party may be responsible for distributing the secret information to the two principals while keeping
it from any opponent. Or a third party may be needed to arbitrate disputes between the two
principals concerning the authenticity of a message transmission.
This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm
should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm
and the secret information to achieve a particular security service.
The hacker can be someone who, with no malign intent, simply gets satisfaction from breaking
and entering a computer system. Or, the intruder can be a disgruntled employee who wishes to do
damage, or a criminal who seeks to exploit computer assets for financial gain (e.g., obtaining credit
card numbers or performing illegal money transfers). Another type of unwanted access is the
placement in a computer system of logic that exploits vulnerabilities in the system and that can
affect application programs as well as utility programs, such as editors and compilers. Programs
can present two kinds of threats:
Information access threats intercept or modify data on behalf of users who should not have
access to that data.
Service threats exploit service flaws in computers to inhibit use by legitimate users.

Viruses and worms are two examples of software attacks. Such attacks can be introduced
into a system by means of a disk that contains the unwanted logic concealed in otherwise useful
software. They can also be inserted into a system across a network; this latter mechanism is of
more concern in network security.
The security mechanisms needed to cope with unwanted access fall into two broad
categories. The first category might be termed a gatekeeper function. It includes password-based
login procedures that are designed to deny access to all but authorized users and screening logic
that is designed to detect and reject worms, viruses, and other similar attacks. Once either an
unwanted user or unwanted software gains access, the second line of defense consists of a variety
of internal controls that monitor activity and analyze stored information in an attempt to detect the
presence of unwanted intruders.

2. Classical Encryption Techniques

The various classical encryption techniques are classified as
1. Symmetric encryption: It is a form of cryptosystem in which encryption and decryption are
performed using the same key. It is also known as conventional encryption. Symmetric
encryption transforms plaintext into ciphertext using a secret key and an encryption
algorithm. Using the same key and a decryption algorithm, the plaintext is recovered from
the ciphertext. The two types of attack on an encryption algorithm are cryptanalysis, based
on properties of the encryption algorithm, and brute-force, which involves trying all
possible keys.
2. Substitution techniques: Substitution techniques map plaintext elements (characters, bits)
into ciphertext elements.
3. Transposition techniques systematically transpose the positions of plaintext elements.
4. Rotor machines are sophisticated precomputer hardware devices that use substitution
techniques.
5. Steganography is a technique for hiding a secret message within a larger one in such a way
that others cannot discern the presence or contents of the hidden message.
2.1. Symmetric Cipher Model
A symmetric encryption scheme has five ingredients:
Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext and of the algorithm. The algorithm will produce a different output
depending on the specific key being used at the time. The exact substitutions and transformations
performed by the algorithm depend on the key.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and
the secret key. For a given message, two different keys will produce two different ciphertexts. The
ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the
ciphertext and the secret key and produces the original plaintext.

Figure 3. Simplified Model of Conventional Encryption

3. Cryptography
Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption
algorithms are based on two general principles: substitution, in which each element in the plaintext
(bit, letter, group of bits or letters) is mapped into another element, and transposition, in which
elements in the plaintext are rearranged. The fundamental requirement is that no information be
lost (that is, that all operations are reversible).
2. The number of keys used. If both sender and receiver use the same key, the system is referred
to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver use
different keys, the system is referred to as asymmetric, two-key, or public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of
elements at a time, producing an output block for each input block. A stream cipher processes the
input elements continuously, producing output one element at a time, as it goes along.
4. Cryptanalysis
Typically, the objective of attacking an encryption system is to recover the key in use rather then
simply to recover the plaintext of a single ciphertext. There are two general approaches to attacking
a conventional encryption scheme:
Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some
knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext
pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific
plaintext or to deduce the key being used.
Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried
to achieve success.

4.1 Types of Cryptanalytic attacks: These are classified based on the amount of information
known to the cryptanalyst. The most difficult problem is presented when all that is available is the
ciphertext only.
1. ciphertext only: only know algorithm & ciphertext, is statistical, know or can identify
plaintext
2. known plaintext: know/suspect plaintext & ciphertext
3. chosen plaintext: select plaintext and obtain ciphertext
4. chosen ciphertext: select ciphertext and obtain plaintext
5. chosen text: select plaintext or ciphertext to en/decrypt
The ciphertext-only attack is the easiest to defend against because the opponent has the least
amount of information to work with. For example, a file that is encoded in the Postscript format
always begins with the same pattern, or there may be a standardized header or banner to an
electronic funds transfer message, and so on. All these are examples of known plaintext. If the
analyst is able somehow to get the source system to insert into the system a message chosen by the
analyst, then a chosen-plaintext attack is possible.
There are two other types of attack: chosen ciphertext and chosen text. These are less
commonly -employed as cryptanalytic techniques but are nevertheless possible avenues of attack.
Only relatively weak algorithms fail to withstand a ciphertext-only attack. Generally, an encryption
algorithm is designed to withstand a known-plaintext attack.
Two more definitions are worthy of note. An encryption scheme is unconditionally secure
if the ciphertext generated by the scheme does not contain enough information to determine uniquely
the corresponding plaintext, no matter how much ciphertext is available. All that the users of an
encryption algorithm can strive for is an algorithm that meets one or both of the following criteria:
The cost of breaking the cipher exceeds the value of the encrypted information.
The time required to break the cipher exceeds the useful lifetime of the information.
An encryption scheme is said to be computationally secure if either of the foregoing two
criteria are met. A brute-force attack involves trying every possible key until an intelligible
translation of the ciphertext into plaintext is obtained. On average, half of all possible keys must be
tried to achieve success.
5. Substitution Techniques
In this section, we examine a sampling of what might be called classical encryption
techniques. The two basic building blocks of all encryption techniques are substitution and
transposition.
Substitution technique is one in which the letters of plaintext are replaced by other letters
or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution
involves replacing plaintext bit patterns with ciphertext bit patterns.
5.1 Caesar Cipher
The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing three
places further down the alphabet. For example,
plain: meet
me after
the
toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB
Note that the alphabet is wrapped around, so that the letter following Z is A. We can define
the transformation by listing all possibilities, as follows:

plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Let us assign a numerical equivalent to each letter:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
abcdefghij k l m n o p q r s t u v w x y z
Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the ciphertext
letter C:
We define a mod n to be the remainder when a is divided by n. For example, 11 mod 7 = 4.
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is
C = E(k, p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is
easily performed: Simply try all the 25 possible keys.
5.2 Monoalphabetic Ciphers
With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key
space can be achieved by allowing an arbitrary substitution. If, instead, the "cipher" line can be any
permutation of the 26 alphabetic characters, then there are 26! or greater than 4 x 1026 possible
keys. This is 10 orders of magnitude greater than the key space for DES and would seem to
eliminate brute-force techniques for cryptanalysis. Such an approach is referred to as a
monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain
alphabet to cipher alphabet) is used per message.
There is, however, another line of attack. If the cryptanalyst knows the nature of the
plaintext (e.g., noncompressed English text), then the analyst can exploit the regularities of the
language. As a first step, the relative frequency of the letters can be determined and compared to a
standard frequency distribution for English. If the message were long enough, this technique alone
might be sufficient, but because this is a relatively short message, we cannot expect an exact match.
Letters are not equally commonly used. In English E is by far the most common letter followed by
T,R,N,I,O,A,S other letters like Z,J,K,Q,X are fairly rare.
Monoalphabetic ciphers are easy to break because they reflect the frequency data of the
original alphabet. A countermeasure is to provide multiple substitutes, known as homophones, for a
single letter. For example, the letter e could be assigned a number of different cipher symbols, such
as 16, 74, 35, and 21, with each homophone used in rotation, or randomly. If the number of symbols
assigned to each letter is proportional to the relative frequency of that letter, then single-letter
frequency information is completely obliterated.
5.3 Playfair Cipher
The best-known multiple-letter encryption cipher is the Playfair, which treats diagrams in the
plaintext as single units and translates these units into ciphertext diagrams.

The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a keyword.
Here is an example, solved by Lord Peter Wimsey in Dorothy Sayers's Have His Carcase:
M

I/J

In this case, the keyword is monarchy. The matrix is constructed by filling in the letters of
the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the
remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count as
one letter. Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x, so
that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the
right, with the first element of the row circularly following the last. For example, ar is encrypted as
RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with
the top element of the column circularly following the last. For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the
column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or JM, as
the encipherer wishes).
The Playfair cipher is a great advance over simple monoalphabetic ciphers. For one thing,
whereas there are only 26 letters, there are 26 x 26 = 676 digrams, so that identification of
individual digrams is more difficult. Furthermore, the relative frequencies of individual letters
exhibit a much greater range than that of digrams, making frequency analysis much more difficult.
5.4 Hill Cipher
Another interesting multiletter cipher is the Hill cipher, developed by the mathematician
Lester Hill in 1929. The encryption algorithm takes m successive plaintext letters and substitutes
for them m ciphertext letters. The substitution is determined by m linear equations in which each
character is assigned a numerical value (a = 0, b = 1 ... z = 25). For m = 3, the system can be
described as follows:
c1 = (k11P1 + k12P2 + k13P3) mod 26
c2 = (k21P1 + k22P2 + k23P3) mod 26
c3 = (k31P1 + k32P2 + k33P3) mod 26
This can be expressed in term of column vectors and matrices:

or

C = KP mod 26
where C and P are column vectors of length 3, representing the plaintext and ciphertext, and K is a
3 x 3 matrix, representing the encryption key. Operations are performed mod 26.
For example, consider the plaintext "paymoremoney" and use the encryption key

The first three letters of the plaintext are represented by the vector

the ciphertext for the entire plaintext is LNSHDLEWMTRW.

Decryption requires using the inverse of the matrix K. The inverse K1 of a matrix K is defined by the
equation KK1 = K1K = I, where I is the matrix that is all zeros except for ones along the main
diagonal from upper left to lower right. The inverse of a matrix does not always exist, but when it
does, it satisfies the preceding equation.
5.5 Polyalphabetic Ciphers
Another way to improve on the simple monoalphabetic technique is to use different
monoalphabetic substitutions as one proceeds through the plaintext message. The general name for
this approach is polyalphabetic substitution cipher. All these techniques have the following
features in common:
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.
The best known, and one of the simplest, such algorithm is referred to as the Vigenre cipher. In
this scheme, the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers,
with shifts of 0 through 25. Each cipher is denoted by a key letter, which is the ciphertext letter that
substitutes for the plaintext letter a. Thus, a Caesar cipher with a shift of 3 is denoted by the key
value d.
To aid in understanding the scheme and to aid in its use, a matrix known as the Vigenre
tableau is constructed. Each of the 26 ciphers is laid out horizontally, with the key letter for each
cipher to its left. A normal alphabet for the plaintext runs across the top. The process of encryption
is simple: Given a key letter x and a plaintext letter y, the ciphertext letter is at the intersection of
the row labeled x and the column labeled y; in this case the ciphertext is V.
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a
repeating keyword. For example, if the keyword is deceptive, the message "we are discovered save
yourself" is encrypted as follows:
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Decryption is equally simple. The key letter again identifies the row. The position of the
ciphertext letter in that row determines the column, and the plaintext letter is at the top of that
column. The strength of this cipher is that there are multiple ciphertext letters for each plaintext
letter, one for each unique letter of the keyword. Thus, the letter frequency information is obscured.
However, not all knowledge of the plaintext structure is lost.

Example of Vigenre cipher

1. write the plaintext out
2. write the keyword repeated above it
3. use each key letter as a caesar cipher key
4. encrypt the corresponding plaintext letter
eg using keyword deceptive
key:

deceptivedeceptivedeceptive

plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ

5.6 Autokey Cipher:

The periodic nature of the keyword can be eliminated by using a nonrepeating keyword
that is as long as the message itself. Vigenre proposed what is referred to as an autokey system, in
which a keyword is concatenated with the plaintext itself to provide a running key. For our
example,
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
Even this scheme is vulnerable to cryptanalysis. Because the key and the plaintext share the
same frequency distribution of letters, a statistical technique can be applied.
5.7 One-Time Pad
An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement to the Vernam
cipher that yields the ultimate in security. Mauborgne suggested using a random key that is as long
as the message, so that the key need not be repeated. In addition, the key is to be used to encrypt
and decrypt a single message, and then is discarded. Each new message requires a new key of the
same length as the new message. Such a scheme, known as a one-time pad, is unbreakable. It
produces random output that bears no statistical relationship to the plaintext. Because the
ciphertext contains no information whatsoever about the plaintext, there is simply no way to break
the code.
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
1. There is the practical problem of making large quantities of random keys. Any heavily used
system might require millions of random characters on a regular basis. Supplying truly
random characters in this volume is a significant task.
2. Even more daunting is the problem of key distribution and protection. For every message to
be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key
distribution problem exists.
Because of these difficulties, the one-time pad is of limited utility, and is useful primarily for
low-bandwidth channels requiring very high security.

6. Transposition Techniques
All the techniques examined so far involve the substitution of a ciphertext symbol for a
plaintext symbol. A very different kind of mapping is achieved by performing some sort of
permutation on the plaintext letters. This technique is referred to as a transposition cipher.
The simplest such cipher is the rail fence technique, in which the plaintext is written down
as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the
message "meet me after the toga party" with a rail fence of depth 2, we write the following:
mematrhtgpry
etefeteoaat
The encrypted message is
MEMATRHTGPRYETEFETEOAAT
This sort of thing would be trivial to cryptanalyze. A more complex scheme is to write the
message in a rectangle, row by row, and read the message off, column by column, but permute
the order of the columns. The order of the columns then becomes the key to the algorithm. For
example,
Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
ostpone
duntilt
woamxyz
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
A pure transposition cipher is easily recognized because it has the same letter frequencies
as the original plaintext. For the type of columnar transposition just shown, cryptanalysis is fairly
straightforward and involves laying out the ciphertext in a matrix and playing around with column
positions. Digram and trigram frequency tables can be useful. The transposition cipher can be made
significantly more secure by performing more than one stage of transposition. The result is a more
complex permutation that is not easily reconstructed.
7. Rotor Machines
The example just given suggests that multiple stages of encryption can produce an
algorithm that is significantly more difficult to cryptanalyze. This is as true of substitution
ciphers as it is of transposition ciphers. Before the introduction of DES, the most important
application of the principle of multiple stages of encryption was a class of systems known as rotor
machines.
The rotor machine consists of a set of independently rotating cylinders through which
electrical pulses can flow. Each cylinder has 26 input pins and 26 output pins, with internal
wiring that connects each input pin to a unique output pin. If we associate each input and output
pin with a letter of the alphabet, then a single cylinder defines a monoalphabetic substitution.
For example, if an operator depresses the key for the letter A, an electric signal is applied to
the first pin of the first cylinder and flows through the internal connection to the twenty-fifth
output pin. Consider a machine with a single cylinder. After each input key is depressed, the
cylinder rotates one position, so that the internal connections are shifted accordingly. Thus, a
different monoalphabetic substitution cipher is defined. After 26 letters of plaintext, the cylinder
would be back to the initial position. Thus, we have a polyalphabetic substitution algorithm with a
period of 26.
A single-cylinder system is trivial and does not present a formidable cryptanalytic task. The
power of the rotor machine is in the use of multiple cylinders, in which the output pins of one
cylinder are connected to the input pins of the next.

A period of that length thwarts any practical possibility of a straightforward solution on the
basis of letter frequency. This general solution would need about 50 letters per cipher alphabet,
meaning that all five rotors would have to go through their combined cycle 50 times. The ciphertext
would have to be as long as all the speeches made on the floor of the Senate and the House of
Representatives in three successive sessions of Congress. No cryptanalyst is likely to bag that kind
of trophy in his lifetime; even diplomats, who can be as verbose as politicians, rarely scale those
heights of loquacity. The significance of the rotor machine today is that it points the way to the most
widely used cipher ever: the Data Encryption Standard (DES).
8. Steganography
A plaintext message may be hidden in one of two ways. The methods of steganography
conceal the existence of the message, whereas the methods of cryptography render the message
unintelligible to outsiders by various transformations of the text.
A simple form of steganography, but one that is time-consuming to construct, is one in
which an arrangement of words or letters within an apparently innocuous text spells out the real
message. For example, the sequence of first letters of each word of the overall message spells out
the hidden message.
Various other techniques have been used historically; some examples are the following:
Character marking: Selected letters of printed or typewritten text are overwritten in pencil. The
marks are ordinarily not visible unless the paper is held at an angle to bright light.
Invisible ink: A number of substances can be used for writing but leave no visible trace until heat
or some chemical is applied to the paper.
Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper
is held up in front of a light.
Typewriter correction ribbon: Used between lines typed with a black ribbon, the results of
typing with the correction tape are visible only under a strong light.
One of the method is hiding a message by using the least significant bits of frames on a CD.
For example, the Kodak Photo CD format's maximum resolution is 2048 by 3072 pixels, with each
pixel containing 24 bits of RGB color information. The least significant bit of each 24-bit pixel can be
changed without greatly affecting the quality of the image. The result is that you can hide a 2.3megabyte message in a single digital snapshot.
Steganography has a number of drawbacks when compared to encryption. It requires a lot
of overhead to hide a relatively few bits of information, although using some scheme like that
proposed in the preceding paragraph may make it more effective. Also, once the system is
discovered, it becomes virtually worthless. This problem, too, can be overcome if the insertion
method depends on some sort of key. Alternatively, a message can be first encrypted and then
hidden using steganography.
The advantage of steganography is that it can be employed by parties who have something
to lose should the fact of their secret communication (not necessarily the content) be discovered.
Encryption flags traffic as important or secret or may identify the sender or receiver as someone
with something to hide.