Unit 3
The Internet has undoubtedly become a huge part of our lives. Many people in today's
generation rely on the Internet for many of their professional, social and personal
activities. But are you sure your network is secure?
There are many people who attempt to damage our Internet-connected computers,
violate our privacy and make it impossible to use Internet services. Given the frequency
and variety of existing attacks, as well as the threat of new and more destructive future
attacks, network security has become a central topic in the field of cybersecurity.
Implementing network security measures allows computers, users and programs to
perform their permitted critical functions within a secure environment.
We must ensure that passwords are strong and complex everywhere, on network devices
(routers, switches, access points) as well as on the individual computers within an
organisation. Passwords must not be simple, default or easily guessable ones; the
vendor's default credentials in particular are the first thing an attacker tries. This
simple step can go a long way toward securing your networks.
o Privacy: Privacy means that both the sender and the receiver expect confidentiality.
The transmitted message should be understood only by the intended receiver and should
be opaque to everyone else. An eavesdropper on the path can intercept the message, and
interception itself cannot be prevented; the message is therefore encrypted so that
whoever intercepts it learns nothing about its contents. This aspect of
confidentiality is commonly used to achieve secure communication.
o Message Integrity: Data integrity means that the data must arrive at the
receiver exactly as it was sent. There must be no change in the data content
during transmission, whether malicious or accidental. As more and more monetary
exchanges take place over the Internet, data integrity becomes more crucial. Data
integrity must be preserved for secure communication.
o End-point authentication: Authentication means that the receiver is sure of
the sender's identity, i.e., that no impostor has sent the message.
o Non-Repudiation: Non-repudiation means that the receiver must be able to
prove that the received message came from a specific sender. The sender
must not be able to deny sending a message that he or she sent. The burden of
proving the identity falls on the receiver. For example, if a customer sends a request
to transfer money from one account to another account, then the bank must
have proof that the customer requested the transaction.
A threat is anything that can take advantage of a vulnerability to breach security and
negatively alter, erase or harm an object or objects of interest.
Privacy
The concept of how to achieve privacy has not changed for thousands of years: the
message must be encrypted, that is, rendered opaque to all unauthorized parties. A good
encryption/decryption technique achieves privacy to a large extent: it ensures that an
eavesdropper cannot understand the contents of the message.
Encryption/Decryption
Encryption: Encryption means that the sender converts the original information into
another form and sends the unintelligible message over the network.
The data to be encrypted at the sender's side is known as plaintext, and the
encrypted data is known as ciphertext. The data is decrypted at the receiver's side.
Secret Key (Symmetric) Encryption
Advantage
Efficient: Secret key algorithms are more efficient, since encrypting a message with a
secret key algorithm takes far less time than encrypting it with a public key
algorithm. The reason is that they are built from cheap operations (substitutions,
permutations, XOR) on short keys rather than arithmetic on very large numbers. For this
reason, secret key algorithms are mainly used for bulk encryption and decryption.
Disadvantages
o Each pair of users must share a secret key. If N people want to use this method,
N(N-1)/2 secret keys are needed. For example, for one million people there are about
5 x 10^11 keys, that is, half a trillion secret keys.
o The distribution of keys among different parties can be very difficult. This
problem can be resolved by combining secret key encryption/decryption with a
public key encryption/decryption algorithm: the public key algorithm is used to
exchange the secret key, which then encrypts the data.
Public Key (Asymmetric) Encryption
o The main restriction of secret key encryption is the sharing of a secret key, which
a third party must not be able to obtain. In public key encryption, each entity creates a
pair of keys; it keeps the private key and distributes the public key.
o The number of keys in public key encryption is reduced tremendously. For
example, for one million users to communicate, only two million keys are
required (one pair each), not half a trillion keys as in the case of secret key encryption.
Message Confidentiality − The principle of confidentiality says that only the sender
and the intended recipient should be able to access the contents of the message. It protects
the transmitted data from passive attacks (eavesdropping).
Confidentiality can be applied at several levels, depending on the content of the information
to be transmitted. The following types of confidentiality are distinguished −
o Connection Confidentiality − The protection of all user data on a
connection.
o Connectionless Confidentiality − The protection of all user data in a single
data block.
o Traffic-flow Confidentiality − The protection of the information that could be
derived from observation of traffic flows (who talks to whom, how often, how much).
Authentication − The authentication service is concerned with assuring that a communication
is authentic. In the case of a single message, such as a warning or alarm signal, the function
of the authentication service is to assure the recipient that the message is from the source
it claims to be from. For an ongoing connection it must also assure that no third party can
masquerade as one of the two legitimate parties once the connection is established.
Non-repudiation − Non-repudiation prevents either the sender or the receiver from denying a
transmitted message. Thus, when a message is sent, the receiver can prove that the
alleged sender in fact sent the message.
Likewise, when a message is received, the sender can prove that the alleged receiver
in fact received the message.
Access Control − The principle of access control determines who should be able to access
information or a system through a communication link. It prevents the
unauthorized use of a resource.
Data Integrity − Data integrity is designed to protect information from modification,
insertion, deletion and replay by any entity. Data integrity can apply to a stream of
messages, to an individual message or to selected fields within a message. Applied to a
whole stream, it provides total stream protection.
There are various types of data integrity, which are as follows −
o Connection integrity with recovery − Provides for the integrity of all user
data on a connection and detects any modification, insertion, deletion or
replay of any data within an entire data sequence, with recovery attempted.
o Connection integrity without recovery − As above, but provides only detection without
recovery.
o Selective-field connection integrity − Provides for the integrity of selected fields
within the user data of a data block transferred over a connection and takes the
form of determination of whether the selected fields have been modified, inserted,
deleted or replayed.
o Connectionless integrity − Provides for the integrity of a single
connectionless data block and may take the form of detection of data modification.
Additionally, a limited form of replay detection may be provided.
o Selective-field connectionless integrity − Provides for the integrity of selected
fields within a single connectionless data block and takes the form of
determination of whether the selected fields have been modified.
Classification of security
The Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") rate systems
in four divisions, D, C, B and A, from least to most protection. Additionally, divisions C, B
and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2,
B3, and A1.[6]
Each division and class expands or modifies as indicated the requirements of the immediately
prior division or class.[7]
D – Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the requirements
for a higher division.[8]
C – Discretionary protection
C1 – Discretionary Security Protection[9]
o Identification and authentication
o Separation of users and data
o Discretionary Access Control (DAC) capable of enforcing access limitations on an
individual basis
o Required System Documentation and user manuals
C2 – Controlled Access Protection
o More finely grained DAC
o Individual accountability through login procedures
o Audit trails
o Object reuse
o Resource isolation
o An example of such a system is HP-UX
B – Mandatory protection
B1 – Labeled Security Protection[10]
o Informal statement of the security policy model
o Data sensitivity labels
o Mandatory Access Control (MAC) over selected subjects and objects
o Label exportation capabilities
o Some discovered flaws must be removed or otherwise mitigated
o Design specifications and verification
B2 – Structured Protection
o Security policy model clearly defined and formally documented
o DAC and MAC enforcement extended to all subjects and objects
o Covert storage channels are analyzed for occurrence and bandwidth
o Carefully structured into protection-critical and non-protection-critical elements
o Design and implementation enable more comprehensive testing and review
o Authentication mechanisms are strengthened
o Trusted facility management is provided with administrator and operator segregation
o Strict configuration management controls are imposed
o Operator and Administrator roles are separated.
o An example of such a system was Multics
B3 – Security Domains
o Satisfies reference monitor requirements
o Structured to exclude code not essential to security policy enforcement
o Significant system engineering directed toward minimizing complexity
o Security administrator role defined
o Audit security-relevant events
o Automated imminent intrusion detection, notification, and response
o Trusted path to the TCB for the user authentication function
o Trusted system recovery procedures
o Covert timing channels are analyzed for occurrence and bandwidth
o An example of such a system is the XTS-300, a precursor to the XTS-400
A – Verified protection
A1 – Verified Design[11]
o Functionally identical to B3
o Formal design and verification techniques including a formal top-level specification
o Formal management and distribution procedures
o Examples of A1-class systems are Honeywell's SCOMP, Aesec's GEMSOS, and
Boeing's SNS Server. Two that were unevaluated were the production LOCK platform
and the cancelled DEC VAX Security Kernel.
Beyond A1
o System Architecture demonstrates that the requirements of self-protection and
completeness for reference monitors have been implemented in the Trusted Computing
Base (TCB).
o Security Testing automatically generates test-case from the formal top-level specification
or formal lower-level specifications.
o Formal Specification and Verification is where the TCB is verified down to the source
code level, using formal verification methods where feasible.
o Trusted Design Environment is where the TCB is designed in a trusted facility with only
trusted (cleared) personnel.
Cryptography
Cryptography comes from the Greek words for "secret writing." Professionals make a
distinction between ciphers and codes. A cipher is a character-for-character or bit-for-bit
transformation, without regard to the linguistic structure of the message. In contrast, a code
replaces one word with another word or symbol.
The messages to be encrypted, known as the plaintext, are transformed by a function that is
parameterized by a key. The output of the encryption process, known as the ciphertext, is
then transmitted, often by messenger or radio. We assume that the enemy, or intruder, hears
and accurately copies down the complete ciphertext. However, unlike the intended recipient,
he does not know what the decryption key is and so cannot decrypt the ciphertext easily.
Sometimes the intruder can not only listen to the communication channel (passive intruder)
but can also record messages and play them back later, inject his own messages, or modify
legitimate messages before they get to the receiver (active intruder).
The art of breaking ciphers, known as cryptanalysis, and the art of devising them
(cryptography) are collectively known as cryptology. It will often be useful to have a notation
for relating plaintext, ciphertext, and keys. We will use C = E_K(P) to mean that the
encryption of the plaintext P using key K gives the ciphertext C. Similarly, P = D_K(C)
represents the decryption of C to get the plaintext again. It then follows that D_K(E_K(P)) = P.
This notation suggests that E and D are just mathematical functions, which they are. The only
tricky part is that both are functions of two parameters, and we have written one of the
parameters (the key) as a subscript, rather than as an argument, to distinguish it from the
message.
Encryption Method
The substitution technique is a classical encryption technique in which the characters
present in the original message are replaced by other characters, numbers
or symbols. If the plaintext (original message) is considered as a string of
bits, then the substitution technique replaces bit patterns of the plaintext with
bit patterns of the ciphertext.
We will discuss some of the substitution techniques, which will help us to
understand the procedure of converting plaintext to ciphertext. In this section, we
will study the following substitution techniques:
Substitution Technique:
1. Caesar Cipher
2. Monoalphabetic Cipher
3. Playfair Cipher
4. Hill Cipher
5. Polyalphabetic Cipher
6. One-Time Pad
Caesar Cipher
This is the simplest substitution cipher, attributed to Julius Caesar. In this substitution
technique, to encrypt the plaintext, each letter of the plaintext is replaced by
the letter three places further along the alphabet, and to decrypt the ciphertext each letter
of the ciphertext is replaced by the letter three places before it.
For example, 'm' is replaced with 'p', which occurs three places after 'm'. Similarly,
'e' is replaced with 'h', which occurs three places after 'e'.
Note: If we have to replace the letter 'z', then the next three letters counted after
'z' are 'a', 'b', 'c': while counting further, the alphabet wraps around circularly
from 'z' to 'a'.
There are also drawbacks to this simple substitution technique. If the attacker
knows that the Caesar cipher is used, then to perform brute force cryptanalysis he
has only to try the 25 possible keys (shifts of 1 to 25) to recover the plaintext.
Following Kerckhoffs's principle, the attacker is assumed to know the encryption and
decryption algorithm; only the key is secret.
Monoalphabetic Cipher
A monoalphabetic cipher is a substitution cipher in which the cipher letter for each
plaintext letter is fixed for the entire encryption.
In simple words, if the letter 'p' in the plaintext is replaced by the cipher
letter 'd', then wherever 'p' occurs in the plaintext it will be replaced by 'd' to form
the ciphertext. There are 26! (about 4 x 10^26) possible cipher alphabets, far too many
for brute force, yet the cipher is still broken easily by letter frequency analysis,
because the substitution preserves the frequency pattern of the plaintext.
Playfair Cipher
The Playfair cipher is a substitution cipher which involves a 5x5 matrix. Let us discuss
the technique of the Playfair cipher with the help of an example:
Plain text: meet me tomorrow
Key: KEYWORD
Now, we have to convert this plaintext to ciphertext using the given key. We will
discuss the process in steps.
Step 1: Create a 5x5 matrix and place the letters of the key in that matrix row-wise from
left to right. Then fill the remaining letters of the alphabet, in order, into the blank cells.
Note: If a key has duplicate letters, then fill those letters only once in the
matrix, and I and J share a single cell in the matrix (25 cells for 26 letters), even
when they occur in the given key.
Step 2: Now, break the plaintext into pairs of letters.
Pair: me et me to mo rx ro wz
Note
A pair must not contain the same letter twice. If a pair would have the same letter
twice, break it and insert 'x' after the first letter. In our example the letters 'rr'
would form a pair, so we broke that pair and added 'x' after the first 'r'.
If, while making pairs, the last letter is left alone, add 'z' to it to form a pair; in
our example we added 'z' to 'w' because 'w' was left alone at the end.
If a pair would be 'xx', break it and add 'z' to the first 'x', i.e. 'xz' and 'x_'.
Step 3: In this step, we convert the plaintext pairs into ciphertext. For that, take each
pair of plaintext letters and look up the corresponding cipher letters in the matrix,
following the rules below.
Note
If both letters of the pair occur in the same row, replace each with the letter
to its immediate right. If a letter is at the extreme right of the row, replace it with
the first letter of that row, i.e. the last element of a row is circularly followed by the
first element of the same row.
If both letters of the pair occur in the same column, replace each with the letter
immediately below it. Here too, the last element of a column is circularly followed by
the first element of the same column.
If the two letters are neither in the same column nor in the same row, replace each
letter with the element in its own row and in the column of the other letter of the pair
(the two letters and their replacements form the corners of a rectangle).
Pair: me et me to mo rx ro wz
Cipher Text: kn ku kn kz ks ta kc yo
So, this is how we can convert plaintext to ciphertext using the Playfair cipher.
Compared with a monoalphabetic cipher, the Playfair cipher is more advanced, since it
hides single-letter frequencies. But it is still easy to break: there are only 600
possible digraphs (25 x 24), and a digraph-frequency analysis succeeds with a few hundred
letters of ciphertext.
Hill Cipher
The Hill cipher is a polygraphic substitution cipher introduced by Lester Hill in 1929: it
encrypts blocks of several letters at once by a matrix multiplication. Let us
discuss the technique of the Hill cipher.
Key: HILL
Choose the key in such a way that it always forms a square matrix. With HILL as
the key, we can form a 2x2 matrix. The key matrix must also be invertible modulo 26
(its determinant must have no common factor with 26), otherwise decryption is impossible.
Now, form the plaintext into column vectors of length equal to the size of the key
matrix. In our case the key matrix is 2x2, so the column vectors of plaintext
are 2x1.
The general equation to find the ciphertext using the Hill cipher is as follows:
C = K P mod 26
and decryption is P = K^-1 C mod 26, where K^-1 is the inverse of K modulo 26.
Now, we have to convert the key matrix and the plaintext vectors into numeric
form. For that, number the letters A=0, B=1, C=2, ..., Z=25.
So, considering the alphabet numbering, HILL becomes H=7, I=8, L=11, L=11, and the key
matrix is
K = [ 7  8 ]
    [ 11 11 ]
The first plaintext pair 'B', 'I' becomes the vector P = [1, 8], and
K P = [7*1 + 8*8, 11*1 + 11*8] = [71, 99], which reduced mod 26 is [19, 21].
So, the cipher letters for the plaintext letters 'B' and 'I' are 'T' and 'V'. Similarly, we
have to calculate the ciphertext for the remaining plaintext pairs and then concatenate the
results to form the ciphertext.
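The matrix arithmetic above, as an added example that is not part of the original page. The block lays the key out as a matrix, applies C = K P mod 26 block by block, and also computes K^-1 mod 26 (via the adjugate and the modular inverse of the determinant) so that the ciphertext can be decrypted; it refuses keys whose determinant shares a factor with 26, which the text's "choose the key so that it forms a square matrix" does not cover. The inverse routine is written for 2x2 keys only; padding the last block with X is a convention chosen here.

```python
import math


def text_to_nums(text):
    return [ord(ch) - ord("A") for ch in text.upper() if ch.isalpha()]


def nums_to_text(nums):
    return "".join(chr(n % 26 + ord("A")) for n in nums)


def key_matrix(key):
    """Lay the key letters out row-wise as an n x n matrix (key length must be a perfect square)."""
    nums = text_to_nums(key)
    n = math.isqrt(len(nums))
    if n * n != len(nums):
        raise ValueError("key length must be a perfect square")
    return [nums[i * n:(i + 1) * n] for i in range(n)]


def mat_vec_mod26(matrix, vector):
    return [sum(row[j] * vector[j] for j in range(len(vector))) % 26 for row in matrix]


def inverse_key_2x2(matrix):
    """Inverse of a 2x2 key modulo 26 via the adjugate; fails if det shares a factor with 26."""
    (a, b), (c, d) = matrix
    det = (a * d - b * c) % 26
    if math.gcd(det, 26) != 1:
        raise ValueError("key matrix is not invertible modulo 26")
    det_inv = pow(det, -1, 26)
    return [[(d * det_inv) % 26, (-b * det_inv) % 26],
            [(-c * det_inv) % 26, (a * det_inv) % 26]]


def hill_crypt(text, matrix):
    """C = K P mod 26 block by block; the last block is padded with X (a convention chosen for this example)."""
    n = len(matrix)
    nums = text_to_nums(text)
    while len(nums) % n:
        nums.append(ord("X") - ord("A"))
    out = []
    for i in range(0, len(nums), n):
        out.extend(mat_vec_mod26(matrix, nums[i:i + n]))
    return nums_to_text(out)


def hill_encrypt(plaintext, key):
    return hill_crypt(plaintext, key_matrix(key))


def hill_decrypt(ciphertext, key):
    return hill_crypt(ciphertext, inverse_key_2x2(key_matrix(key)))


if __name__ == "__main__":
    print(key_matrix("HILL"), inverse_key_2x2(key_matrix("HILL")))
    ct = hill_encrypt("BI", "HILL")
    print(ct, hill_decrypt(ct, "HILL"))
```

Because the cipher is linear, a cryptanalyst who knows n plaintext/ciphertext blocks (n^2 letters) can solve for K directly; the Hill cipher resists frequency analysis but not a known-plaintext attack.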
Polyalphabetic Cipher
A polyalphabetic cipher is far more secure than a monoalphabetic cipher. A
monoalphabetic cipher maps a plaintext letter to one ciphertext letter and uses the same
ciphertext letter wherever that plaintext letter occurs in the message.
A polyalphabetic cipher, on the other hand, uses several substitution alphabets in turn,
so the same plaintext letter can be replaced by different ciphertext letters at different
positions; this flattens the letter frequencies that break a monoalphabetic cipher.
One-Time Pad
The one-time pad cipher requires that the key be as long as the plaintext, so that the
key never repeats, and that the key be random. Along with that, the key must
be used only once, to encrypt and decrypt a single message, after which the key
must be discarded.
The one-time pad therefore needs a new key for each new message, of the same length as
the new message. Now, let us see the one-time pad technique for converting plaintext into
ciphertext. Assume our plaintext and key are:
Plain text: BINARY
Key: CIPHER
Now convert the plaintext and key into numeric form. For that, number
the letters A=0, B=1, C=2, ..., Z=25. So, our plaintext and key
in numeric form are:
Plain text: 1 8 13 0 17 24
Key: 2 8 15 7 4 17
Now, add the number of each plaintext letter to the number of its
corresponding key letter. For this example, we add:
B+C = 1+2 = 3
I+I = 8+8 = 16
N+P = 13+15 = 28
A+H = 0+7 = 7
R+E = 17+4 = 21
Y+R = 24+17 = 41
The resulting numbers are (3, 16, 28, 7, 21, 41).
If the sum of a plaintext number and a key number is 26 or more, subtract 26 from
that sum (i.e. reduce it modulo 26). Two sums in our example are 26 or more,
N+P = 28 and Y+R = 41:
N+P = 28 − 26 = 2
Y+R = 41 − 26 = 15
So, the final ciphertext numbers are (3, 16, 2, 7, 21, 15). Now convert these
numbers back to letters, with A numbered 0, B numbered 1, ..., Z numbered 25.
Ciphertext: DQCHVP
In this way, we can convert plaintext to ciphertext using a one-time pad. Decryption
subtracts the key numbers instead of adding them, again modulo 26. With a truly random
key that is never reused, the one-time pad is unconditionally secure; every one of those
conditions matters, as the examples below show.
So, this is all about the substitution cipher techniques. It has a monoalphabetic
cipher and polyalphabetic cipher technique. Substitution technique is also called
classical substitution technique.
Transposition technique
On the one hand, the substitution technique substitutes a plain text symbol with a
cipher text symbol. On the other hand, the transposition technique executes
permutation on the plain text to obtain the cipher text.
Transposition Techniques
1. Rail Fence Transposition
2. Columnar Transposition
3. Improved Columnar Transposition
4. Book Cipher/Running Key Cipher
Rail Fence Transposition
Let us take the plaintext "meet me tomorrow" as an example.
Step 1: The plaintext is written as a sequence of diagonals, i.e. in a zig-zag over a
fixed number of rows (here two).
Step 2: Then, to obtain the ciphertext, the text is read as a sequence of rows.
Written out this way the text looks like a rail fence, which is why the technique got
its name:
m . e . m . t . m . r . o
. e . t . e . o . o . r . w
Once you have written the message as a sequence of diagonals, to obtain the cipher
text out of it you have to read it as a sequence of rows. So, reading the first row, the
first half of the ciphertext will be:
memtmro
Reading the second row of the rail fence, we get the second half of the cipher
text:
eteoorw
Now, to obtain the complete ciphertext, combine both halves, and the complete
ciphertext will be:
Cipher Text: M E M T M R O E T E O O R W
The rail fence cipher is easy to implement and just as easy for a cryptanalyst to break:
there are only a handful of plausible rail counts, and the attacker simply tries them all.
So, there was a need for a more complex technique.
Columnar Transposition
Step 1: The plaintext is written row by row into a rectangular matrix of a
predefined size.
Step 2: To obtain the ciphertext, read the text written in the rectangular matrix
column by column. But you have to permute the order of the columns before reading them
column by column; the column order is the key. The message so obtained is the ciphertext.
Now, put the plaintext in the rectangle of the predefined size. For our example, the
predefined size of the rectangle is 3x4 (3 rows, 4 columns): the plaintext is placed
in the rectangle row by row, and the order of the columns is permuted (the figure showing
the filled rectangle and the permuted column order is not reproduced here).
Now, to obtain the ciphertext, we read the plaintext column by column in the
permuted column order. The ciphertext obtained by the columnar transposition technique
in this example is given in that figure.
Similar to the rail fence cipher, the columnar cipher can be easily broken. The
cryptanalyst only has to try a few permutations of the column order to find the right
one and recover the original message (for 4 columns there are only 4! = 24 orders).
So, a more sophisticated technique was required to strengthen the encryption.
Improved Columnar Transposition
Step 1: The plaintext is written row by row into a rectangle of predetermined size.
Step 2: To obtain the ciphertext, read the plaintext in the rectangle column by
column. Before reading the text column by column, permute the order
of the columns, exactly as in the basic columnar technique.
Step 3: To obtain the final ciphertext, repeat the steps above multiple times, using the
output of one round as the input of the next.
Let us discuss one example of the improved columnar transposition technique for better
understanding. We will consider the same example as for the basic columnar technique,
which will help in understanding the added complexity of the method:
We put this plaintext in the rectangle of predefined size 3x4. Proceeding
with the next step, the order of the columns of the matrix is permuted (as in the figure
for the basic technique, which is not reproduced here), and reading the columns in that
order gives the ciphertext of round 1.
Now, again we put the ciphertext of round 1 into the rectangle of size 3x4,
row by row, and permute the order of the columns before reading the ciphertext for
round 2. In the second round, the permuted order of the columns is 2, 3, 1, 4.
So, the ciphertext obtained after round 2 is MOOTRTREOEMW. In this way, we
can perform as many iterations as required. Increasing the number of iterations
increases the complexity of the technique, although the composition of any number of
rounds is still one fixed permutation of the letter positions: the scheme remains a
transposition, and the multiset of letters in the ciphertext equals that of the plaintext,
which is exactly what a cryptanalyst uses to recognise it.
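The three transposition techniques above, as an added example that is not part of the original page: a rail fence over any number of rails, a columnar transposition keyed by the column order, and the multi-round variant, each with its decryption routine (since every round is a permutation of positions, decryption just applies the inverse permutations in reverse order). The plaintext "meet tomorrow" and the column orders 3,1,4,2 and 2,3,1,4 are constructed for the example; the page's own round-1 column order is in a figure that is not reproduced here, so the intermediate ciphertexts differ from the page's.

```python
def only_letters(text):
    return "".join(ch for ch in text if ch.isalpha())


def rail_fence_pattern(length, rails):
    """Row index of each position when the text is written as a zig-zag over `rails` rows."""
    if rails < 2:
        raise ValueError("a rail fence needs at least two rails")
    period = 2 * (rails - 1)
    pattern = []
    for i in range(length):
        r = i % period
        pattern.append(r if r < rails else period - r)   # bounce back up after the bottom rail
    return pattern


def rail_fence_encrypt(text, rails=2):
    letters = only_letters(text)
    rows = ["" for _ in range(rails)]
    for ch, r in zip(letters, rail_fence_pattern(len(letters), rails)):
        rows[r] += ch
    return "".join(rows)                    # read row by row


def rail_fence_decrypt(cipher, rails=2):
    pattern = rail_fence_pattern(len(cipher), rails)
    # the ciphertext is the rows concatenated, so row r starts after all letters of rows 0..r-1
    next_index = [sum(1 for p in pattern if p < r) for r in range(rails)]
    out = []
    for r in pattern:
        out.append(cipher[next_index[r]])
        next_index[r] += 1
    return "".join(out)


def columnar_encrypt(text, order):
    """Write row by row into len(order) columns, then read the columns in the given (1-based) order."""
    cols = len(order)
    letters = only_letters(text)
    while len(letters) % cols:
        letters += "X"                      # padding so the rectangle is full (convention chosen here)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[c - 1] for c in order for row in rows)


def columnar_decrypt(cipher, order):
    cols = len(order)
    nrows = len(cipher) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in order:                         # refill the columns in the order they were read out
        for r in range(nrows):
            grid[r][c - 1] = cipher[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def multi_round_columnar_encrypt(text, orders):
    for order in orders:
        text = columnar_encrypt(text, order)
    return text


def multi_round_columnar_decrypt(cipher, orders):
    for order in reversed(orders):
        cipher = columnar_decrypt(cipher, order)
    return cipher


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me tomorrow"))
    print(columnar_encrypt("meet tomorrow", [3, 1, 4, 2]))
    print(multi_round_columnar_encrypt("meet tomorrow", [[3, 1, 4, 2], [2, 3, 1, 4]]))
```

A quick check on the last assertion in the test below shows the weakness the text mentions: however many rounds are applied, the sorted letters of the ciphertext equal the sorted letters of the plaintext, so the cipher is recognised as a transposition at a glance and attacked by anagramming.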
Book Cipher/Running Key Cipher
The change the book cipher makes to the one-time pad is that the key (the "pad")
is taken from a book, so the parties only have to agree on the book and a starting
position rather than exchange a long random key. Let us discuss the steps:
Step 1: Convert the plaintext into numeric form, taking A=0, B=1, C=2, ..., Z=25.
Step 2: Take the key from any passage of the book and convert it into
numeric form as well. The key must be at least as long as the plaintext.
Step 3: Now add the numeric forms of plaintext and key, each plaintext letter
to the corresponding key letter. If the sum for any letter is 26 or more, subtract
26 from it (reduce modulo 26).
Now we convert the plaintext and key text into numeric form and add them
to get the ciphertext, exactly as for the one-time pad above. Note that book text is not
random: its letters follow English frequencies, which gives a cryptanalyst a foothold that
a truly random one-time pad key never does.
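The letter-by-letter addition used by both the one-time pad and the book cipher, as one added example that is not part of the original page and serves both sections above. The same routine encrypts with a random pad or with a running key taken from a book passage; it reproduces the page's BINARY + CIPHER = DQCHVP, and the last function shows why "use the key only once" is essential: with one key reused for two messages, subtracting the ciphertexts cancels the key and leaves the difference of the two plaintexts. The book passage and the messages are constructed for the example.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def to_nums(text):
    return [ALPHABET.index(ch) for ch in text.upper() if ch.isalpha()]


def to_text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)


def pad_encrypt(plaintext, key):
    """Add key letters to plaintext letters modulo 26 (the worked addition above, with the wrap-around)."""
    p, k = to_nums(plaintext), to_nums(key)
    if len(k) < len(p):
        raise ValueError("key must be at least as long as the plaintext")
    return to_text((pi + ki) % 26 for pi, ki in zip(p, k))


def pad_decrypt(ciphertext, key):
    c, k = to_nums(ciphertext), to_nums(key)
    return to_text((ci - ki) % 26 for ci, ki in zip(c, k))


def random_pad(length):
    """A genuine one-time pad key: uniformly random letters from a CSPRNG, never to be reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def book_key(book_text, start, length):
    """Running key for a book cipher: `length` letters of the agreed book from letter position `start`."""
    letters = "".join(ch for ch in book_text.upper() if ch.isalpha())
    if start + length > len(letters):
        raise ValueError("book passage too short for this message")
    return letters[start:start + length]


def key_reuse_leak(ciphertext1, ciphertext2):
    """With one key used twice, c1 - c2 == p1 - p2 (mod 26): the key cancels and the plaintext difference leaks."""
    return to_text((x - y) % 26 for x, y in zip(to_nums(ciphertext1), to_nums(ciphertext2)))


if __name__ == "__main__":
    print(pad_encrypt("BINARY", "CIPHER"))          # DQCHVP, as worked above
    # Constructed "book" passage standing in for an agreed page of a real book.
    book = "It was the best of times, it was the worst of times"
    k = book_key(book, 10, 6)
    print(k, pad_encrypt("BINARY", k), pad_decrypt(pad_encrypt("BINARY", k), k))
    pad = random_pad(6)
    print(key_reuse_leak(pad_encrypt("BINARY", pad), pad_encrypt("SECRET", pad)))
```

The leak printed last is independent of the pad: whatever random key was drawn, the attacker recovers BINARY minus SECRET, and with a guess at one message (or the statistics of English) recovers both.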
Encryption Principles
Redundancy
In the running example (a mail-order company, The Couch Potato, whose order messages
are only 3 bytes long), a disgruntled ex-employee can send random 3-byte ciphertexts
that decrypt to valid-looking orders. If order messages are extended to 12 bytes, the
first 9 of which must be zeros, this attack no longer works because the ex-employee can
no longer generate a large stream of valid messages. The moral of the story is that all
messages must contain considerable redundancy so that active intruders cannot
send random junk and have it be interpreted as a valid message. However, adding
redundancy makes it easier for cryptanalysts to break messages. Suppose that the
mail-order business is highly competitive, and The Couch Potato's main
competitor, The Sofa Tuber, would dearly love to know how many sandboxes TCP
is selling, so it taps TCP's phone line. In the original scheme with 3-byte messages,
cryptanalysis was nearly impossible because after guessing a key, the cryptanalyst
had no way of telling whether it was right, since almost
every message was technically legal. With the new 12-byte scheme, it is easy for
the cryptanalyst to tell a valid message from an invalid one. Thus, we have
Cryptographic principle 1: Messages must contain some redundancy
Freshness
The second cryptographic principle is that measures must be taken to ensure that
each message received can be verified as being fresh, that is, sent very recently.
This measure is needed to prevent active intruders from playing back old
messages. If no such measures were taken, our ex-employee could tap TCP's
phone line and just keep repeating previously sent valid messages. Thus
Cryptographic principle 2: Some method is needed to foil replay attacks
One such measure is including in every message a timestamp valid only for, say, 10
seconds. The receiver can then just keep messages around for 10 seconds and compare
newly arrived messages to previous ones to filter out duplicates. Messages older
than 10 seconds can be thrown out, since any replays sent more than 10 seconds
later will be rejected as too old. The timestamp must, of course, sit inside the encrypted
(and ideally integrity-protected) part of the message; otherwise the intruder simply
rewrites it.
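The receiver-side checks for both principles, as an added example that is not part of the original page. The block models what the receiver does with an order after decrypting it: the redundancy check (the nine zero bytes of the 12-byte order), the 10-second freshness window, a duplicate filter over the messages kept within that window, and a guard against timestamps from the future. The message layout (an 8-byte timestamp in front of the 12-byte order) and the injectable clock are constructed for the example; the encryption around the message is out of scope here.

```python
import struct
import time
from collections import deque

WINDOW_SECONDS = 10.0            # a message is fresh for 10 s (the figure used in the text)
MAX_CLOCK_SKEW = 1.0             # constructed: tolerate a sender clock slightly ahead of ours
REDUNDANCY = b"\x00" * 9         # the 12-byte order: first 9 bytes must be zero
# Constructed message layout (what the receiver sees after decryption):
# 8-byte big-endian timestamp, then the 12-byte order (9 zero bytes + 3-byte order body).
MSG_LEN = 8 + 12


def make_order(sent_at, customer, item, quantity):
    """Build a plaintext order; the timestamp travels inside the message, so it is covered by the encryption."""
    return struct.pack(">d", sent_at) + REDUNDANCY + bytes([customer, item, quantity])


class Receiver:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.recent = deque()    # (sent_at, message) pairs seen inside the window

    def _forget_expired(self, now):
        while self.recent and now - self.recent[0][0] > WINDOW_SECONDS:
            self.recent.popleft()

    def accept(self, message):
        """Return 'ok' or the reason for rejection: principle 1 (redundancy) first, then principle 2 (freshness)."""
        now = self.clock()
        if len(message) != MSG_LEN or message[8:8 + 9] != REDUNDANCY:
            return "rejected: redundancy check failed"       # random junk does not decrypt to zeros
        sent_at = struct.unpack(">d", message[:8])[0]
        if now - sent_at > WINDOW_SECONDS:
            return "rejected: too old"                        # replay from outside the window
        if sent_at - now > MAX_CLOCK_SKEW:
            return "rejected: timestamp in the future"
        self._forget_expired(now)
        if any(m == message for _, m in self.recent):
            return "rejected: replay"                         # duplicate inside the window
        self.recent.append((sent_at, message))
        return "ok"


if __name__ == "__main__":
    receiver = Receiver()
    order = make_order(time.time(), customer=7, item=42, quantity=3)
    print(receiver.accept(order))        # ok
    print(receiver.accept(order))        # rejected: replay
    print(receiver.accept(bytes(range(MSG_LEN))))   # rejected: redundancy check failed
```

The duplicate cache only has to remember messages for the length of the window; anything older is rejected by the timestamp check alone, which is what keeps the receiver's state bounded.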
DES stands for Data Encryption Standard. The DES algorithm uses a 56-bit key. Using
this key, DES takes a block of 64-bit plaintext as input and generates a block of 64-bit
ciphertext. A 56-bit key is small enough that purpose-built machines have recovered DES
keys by exhaustive search, which is why DES is no longer considered secure in its
original form.
So, this is all about the Transposition technique, which involves the
permutation over the plain text for converting plain text into the cipher text.
Figure 8-6(a) shows a device, known as a P-box (P stands for permutation), used to effect a
transposition on an 8-bit input. If the 8 bits are designated from top to bottom as 01234567,
the output of this particular P-box is 36071245. By appropriate internal wiring, a P-box can
be made to perform any transposition and do it at practically the speed of light since no
computation is involved, just signal propagation. This design follows Kerckhoffs's principle:
the attacker knows that the general method is permuting the bits. What he does not know
is which bit goes where.
Figure 8-6. Basic elements of product ciphers. (a) P-box. (b) S-box. (c) Product cipher.
Substitutions are performed by S-boxes, as shown in Fig. 8-6(b). In this example, a 3-bit
plaintext is entered and a 3-bit ciphertext is output. The 3-bit input selects one of the eight
lines exiting from the first stage (a 3-to-8 decoder) and sets it to 1; all the other lines are 0.
The second stage is a P-box. The third stage (an 8-to-3 encoder) encodes the selected input
line in binary again. With the wiring shown, if the eight octal numbers 01234567 were input
one after another, the output sequence would be 24506713. In other words, 0 has been
replaced by 2, 1 has been replaced by 4, etc. Again, by appropriate wiring of the P-box inside
the S-box, any substitution can be accomplished. Furthermore, such a device can be built in
hardware to achieve great speed, since encoders and decoders have only one or two
(subnanosecond) gate delays and the propagation time across the P-box may well be less
than 1 picosec.
The real power of these basic elements only becomes apparent when we cascade a whole
series of boxes to form a product cipher, as shown in Fig. 8-6(c). In this example, 12 input
lines are transposed (i.e., permuted) by the first stage (P1). In the second stage, the input is
broken up into four groups of 3 bits, each of which is substituted independently of the
others (S1 to S4). This arrangement shows a method of approximating a larger S-box from
multiple, smaller S-boxes. It is useful because small S-boxes are practical for a hardware
implementation (e.g., an 8-bit S-box can be realized as a 256-entry lookup table), but large
S-boxes become unwieldy to build (e.g., a 12-bit S-box would at a minimum need 2^12 =
4096 crossed wires in its middle stage). Although this method is less general, it is still
powerful. By inclusion of a sufficiently large number of stages in the product cipher, the
output can be made to be an exceedingly complicated function of the input.
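The boxes of Fig. 8-6 in software, as an added example that is not part of the original page. The 8-bit P-box table 36071245 and the 3-bit S-box table 24506713 are taken from the text; the 12-bit transposition used as P1 and the number of stages are constructed. The product cipher alternates a 12-bit P stage with four parallel 3-bit S-boxes, exactly as in Fig. 8-6(c); the secret is the wiring (the tables), as the text's reading of Kerckhoffs's principle has it, so there is no separate key. Decryption runs the inverse tables in reverse order, and the last function measures how many output bits change when one input bit is flipped, which is the "complicated function of the input" the text is after.

```python
PBOX8 = [3, 6, 0, 7, 1, 2, 4, 5]      # output position i carries input bit PBOX8[i]: the text's "36071245"
SBOX3 = [2, 4, 5, 0, 6, 7, 1, 3]      # 3-bit substitution: the text's "24506713"
PBOX12 = [5, 0, 9, 3, 11, 2, 7, 1, 10, 4, 8, 6]   # constructed 12-bit transposition for stage P1
NUM_STAGES = 4                                     # constructed: P followed by S, repeated


def permute(bits, table):
    return [bits[i] for i in table]


def invert_table(table):
    """Inverse of a permutation given as a lookup table (works for P-box wiring and S-box tables alike)."""
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table):
        inverse[in_pos] = out_pos
    return inverse


def int_to_bits(x, width):
    return [(x >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    x = 0
    for b in bits:
        x = (x << 1) | b
    return x


def sbox_bits(bits3, table=SBOX3):
    """The S-box of Fig. 8-6(b): decode 3 bits to one of 8 lines, permute the lines, encode back to 3 bits."""
    return int_to_bits(table[bits_to_int(bits3)], 3)


def product_encrypt(block12, stages=NUM_STAGES):
    bits = int_to_bits(block12, 12)
    for _ in range(stages):
        bits = permute(bits, PBOX12)                                        # P stage
        bits = sum((sbox_bits(bits[i:i + 3]) for i in range(0, 12, 3)), [])  # four parallel S-boxes
    return bits_to_int(bits)


def product_decrypt(block12, stages=NUM_STAGES):
    inv_p, inv_s = invert_table(PBOX12), invert_table(SBOX3)
    bits = int_to_bits(block12, 12)
    for _ in range(stages):                                                 # undo stages in reverse order
        bits = sum((sbox_bits(bits[i:i + 3], inv_s) for i in range(0, 12, 3)), [])
        bits = permute(bits, inv_p)
    return bits_to_int(bits)


def avalanche(block12, bit):
    """Number of output bits that change when input bit `bit` is flipped."""
    a = product_encrypt(block12)
    b = product_encrypt(block12 ^ (1 << bit))
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    print(permute(list(range(8)), PBOX8))                 # [3, 6, 0, 7, 1, 2, 4, 5]
    print([bits_to_int(sbox_bits(int_to_bits(x, 3))) for x in range(8)])
    ct = product_encrypt(0x5A5)
    print(hex(ct), hex(product_decrypt(ct)), avalanche(0x5A5, 0))
```

With a single stage, flipping one input bit changes at most the three output bits of one S-box; only after several P/S stages does a one-bit change spread across the whole block, which is what the avalanche count shows and what makes the cascade worthwhile.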
DES (Data Encryption Standard)
DES (Data Encryption Standard), was widely adopted by the industry for use in security
products. It is no longer secure in its original form, but in a modified form it is still useful.
We will now explain how DES works. An outline of DES is shown in Fig. 8-7(a). Plaintext is
encrypted in blocks of 64 bits, yielding 64 bits of ciphertext. The algorithm, which is
parameterized by a 56-bit key, has 19 distinct stages. The first stage is a key-independent
transposition on the 64-bit plaintext. The last stage is the exact inverse of this transposition.
The stage prior to the last one exchanges the leftmost 32 bits with the rightmost 32 bits. The
remaining 16 stages are functionally identical but are parameterized by different functions
of the key. The algorithm has been designed to allow decryption to be done with the same
key as encryption, a property needed in any symmetric-key algorithm. The steps are just run
in the reverse order (the 16 round keys are applied in reverse). The operation of one of these
intermediate stages is illustrated in Fig. 8-7(b). Each stage takes two 32-bit inputs, L_(i-1)
and R_(i-1), and produces two 32-bit outputs, L_i and R_i. The left output is simply a copy of
the right input: L_i = R_(i-1). The right output is the bitwise XOR of the left input and a
function of the right input and the key for this stage, K_i: R_i = L_(i-1) XOR f(R_(i-1), K_i).
Pretty much all the complexity of the algorithm lies in this function f.
The function consists of four steps, carried out in sequence. First, a 48-bit number, E, is
constructed by expanding the 32-bit R_(i-1) according to a fixed transposition and duplication
rule. Second, E and K_i are XORed together. This output is then partitioned into eight groups
of 6 bits each, each of which is fed into a different S-box. Each of the 64 possible inputs to
an S-box is mapped onto a 4-bit output. Finally, these 8 x 4 = 32 bits are passed through a
P-box.
In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit
transposition is applied to the key. Just before each iteration, the key is partitioned into two
28-bit units, each of which is rotated left by a number of bits dependent on the iteration
number. K_i is derived from this rotated key by applying yet another 56-bit transposition to
it. A different 48-bit subset of the 56 bits is extracted and permuted on each round.
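The round structure just described, as an added example that is not part of the original page: a 16-round Feistel network on 64-bit blocks with L_i = R_(i-1) and R_i = L_(i-1) XOR f(R_(i-1), K_i), the swap of the halves after the last round, and decryption as the very same routine with the subkeys in reverse order. The round function and the key schedule are constructed stand-ins (they are not DES's expansion, S-boxes, P-box or PC-1/PC-2 tables), and the initial and final 64-bit permutations are omitted; the point is that the Feistel structure is invertible whatever f is, because f is only ever XORed in and never has to be inverted.

```python
MASK32 = 0xFFFFFFFF
MASK56 = (1 << 56) - 1


def toy_f(right, subkey):
    """Stand-in for the DES round function (expansion, S-boxes, P-box). Any function works here:
    the Feistel structure never needs f to be invertible."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32          # constructed mixing, nothing DES-specific
    return ((x << 13) | (x >> 19)) & MASK32


def toy_subkeys(key56, rounds=16):
    """Rotate the 56-bit key before each round and take 32 bits of it (constructed stand-in for PC-1/PC-2)."""
    keys = []
    k = key56 & MASK56
    for _ in range(rounds):
        k = ((k << 2) | (k >> 54)) & MASK56
        keys.append((k ^ (k >> 24)) & MASK32)
    return keys


def feistel(block64, subkeys):
    """Rounds: L_i = R_(i-1); R_i = L_(i-1) XOR f(R_(i-1), K_i); then the final exchange of the halves."""
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ toy_f(right, k)
    return (right << 32) | left            # swapping the halves at the end makes decryption the same routine


def encrypt(block64, key56):
    return feistel(block64, toy_subkeys(key56))


def decrypt(block64, key56):
    return feistel(block64, toy_subkeys(key56)[::-1])   # same rounds, subkeys in reverse order


if __name__ == "__main__":
    key, block = 0x133457799BBCDFF1, 0x0123456789ABCDEF   # constructed values
    ct = encrypt(block, key)
    print(hex(ct), hex(decrypt(ct, key)))
```

Tracing one round of decryption shows why the reversal works: the left half of the ciphertext is R_16 = L_15 XOR f(R_15, K_16) and the right half is L_16 = R_15, so the decrypting round recomputes f(R_15, K_16) from the half it has and XORs it away, recovering L_15.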
First published in 1991 to replace the Data Encryption Standard (DES), IDEA was
originally called Proposed Encryption Standard. The name was changed to
Improved Proposed Encryption Standard and eventually to IDEA.
Understanding IDEA
IDEA was developed at ETH Zurich, a research university in Zurich, Switzerland, and is
generally considered to be secure. IDEA follows Kerckhoffs's principle: its security is not
predicated on keeping the algorithm secret, but only on the attacker's ignorance of the
secret key.
IDEA uses a 128-bit key and operates on 64-bit blocks. Essentially, it encrypts a
64-bit block of plaintext into a 64-bit block of ciphertext. The input plaintext
block is divided into four subblocks of 16 bits each. The cipher consists of a series of eight
identical transformations, each known as a round, followed by an output
transformation known as a half-round. The ciphertext block has the same size as the
64-bit plaintext block.
A block cipher operates in rounds, with part of the encryption key, known
as the round key, applied in each round together with other mathematical operations.
After a fixed number of rounds, the ciphertext for that block is generated.
Encryption in IDEA
IDEA derives most of its security from mixing three incompatible algebraic operations on
16-bit words:
bitwise XOR
addition modulo 2^16
multiplication modulo 2^16 + 1 (the all-zero word stands for 2^16)
By using a 128-bit key, IDEA encrypts a 64-bit block of plaintext into a 64-bit
block of ciphertext. One process partitions the plaintext block into four 16-bit
subblocks, namely X1, X2, X3 and X4, which are the inputs of the first of the eight complete
rounds. Another process (the key schedule) produces six 16-bit key subblocks for each of
the encryption rounds, namely Z1, Z2, Z3, Z4, Z5 and Z6. For the subsequent output
transformation, a further four 16-bit key subblocks are required. Thus, from the 128-bit
key, a total of 52 16-bit subblocks are generated: the key is split into its eight 16-bit
words, then rotated left by 25 bits and split again, and so on, until 52 subblocks have been
produced.
In each complete round, the three algebraic operations are combined as follows:
1. Multiply X1 by Z1.
2. Add X2 to Z2.
3. Add X3 to Z3.
4. Multiply X4 by Z4.
5. XOR the results of steps 1 and 3.
6. XOR the results of steps 2 and 4.
7. Multiply the result of step 5 by Z5.
8. Add the results of steps 6 and 7.
9. Multiply the result of step 8 by Z6.
10. Add the results of steps 7 and 9.
11. XOR the results of steps 1 and 9.
12. XOR the results of steps 3 and 9.
13. XOR the results of steps 2 and 10.
14. XOR the results of steps 4 and 10.
The four results of steps 11, 12, 13 and 14 form the output of the round. Since the result
of step 12 derives from X3 and that of step 13 from X2, the two inner blocks are swapped
relative to their input positions; in that order they feed the next round.
Six subkeys are used in each of the eight rounds, and the final 4 subkeys are used
in the ninth half-round final transformation.
Swapping occurs for every round, including the final complete round (round 8); the
output transformation begins by swapping the two inner blocks back, so that over the
whole cipher there is no net swap. After eight complete rounds, the final half-round
transformation occurs. With X1, X2, X3, X4 denoting the blocks after that swap-back, the
steps involved are the following:
1. Multiply X1 by Z49.
2. Add X2 to Z50.
3. Add X3 to Z51.
4. Multiply X4 by Z52.
The four results, concatenated, are the 64-bit ciphertext block.
Decryption in IDEA
The decryption process uses the same steps as the encryption process. However,
different 16-bit key subblocks are used. Each of the 52 16-bit key subblocks
used for decryption is the inverse of the corresponding encryption subblock with
respect to the operation it is applied with: the multiplicative inverse modulo 2^16 + 1
for the multiplication subkeys, the additive inverse modulo 2^16 for the addition subkeys,
while Z5 and Z6 of each round are reused unchanged, because steps 5 to 14 undo themselves
when applied twice with the same subkeys.
Also, these subblocks are used in reverse round order during decryption. Decryption in
IDEA works on the shoes-and-socks principle, i.e., the last operation applied in encryption is
the first to be undone.
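The full cipher as described in the two sections above, as an added example that is not part of the original page: the three group operations (with 0 standing for 2^16 in the multiplication), the 52-subkey schedule by 25-bit rotations, the 14-step round with the inner-block swap, the output transformation, and the derivation of the decryption subkeys (inverses, in reverse round order, with the two additive subkeys of rounds 2 to 8 exchanged because of the swap). The key and plaintext used in the test are the published IDEA test vector; the other block values are constructed.

```python
MOD_ADD = 1 << 16
MOD_MUL = (1 << 16) + 1


def mul(a, b):
    """Multiplication modulo 2^16 + 1, with the all-zero word standing for 2^16."""
    a = a or MOD_ADD
    b = b or MOD_ADD
    r = (a * b) % MOD_MUL
    return 0 if r == MOD_ADD else r


def add(a, b):
    return (a + b) % MOD_ADD


def mul_inv(a):
    """Inverse under mul(): mul(a, mul_inv(a)) == 1 for every 16-bit a (2^16 + 1 is prime)."""
    x = a or MOD_ADD
    inv = pow(x, -1, MOD_MUL)
    return 0 if inv == MOD_ADD else inv


def add_inv(a):
    return (-a) % MOD_ADD


def encryption_subkeys(key):
    """52 subkeys: the 128-bit key split into eight 16-bit words, rotated left by 25 bits, split again, ..."""
    mask = (1 << 128) - 1
    subkeys = []
    while len(subkeys) < 52:
        for i in range(8):
            if len(subkeys) < 52:
                subkeys.append((key >> (112 - 16 * i)) & 0xFFFF)
        key = ((key << 25) | (key >> 103)) & mask
    return subkeys


def decryption_subkeys(z):
    """Inverses of the encryption subkeys in reverse round order; rounds 2..8 exchange their two additive subkeys."""
    d = [0] * 52
    d[0:6] = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for i in range(1, 8):
        e = 48 - 6 * i              # index of Z1 of the encryption round being undone
        d[6 * i:6 * i + 6] = [mul_inv(z[e]), add_inv(z[e + 2]), add_inv(z[e + 1]), mul_inv(z[e + 3]),
                              z[e - 2], z[e - 1]]
    d[48:52] = [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return d


def idea_round(x1, x2, x3, x4, z):
    """Steps 1-14 of one round; the returned tuple already has the two inner blocks swapped."""
    y1, y2, y3, y4 = mul(x1, z[0]), add(x2, z[1]), add(x3, z[2]), mul(x4, z[3])   # steps 1-4
    t7 = mul(y1 ^ y3, z[4])                      # steps 5 and 7
    t9 = mul(add(y2 ^ y4, t7), z[5])             # steps 6, 8 and 9
    t10 = add(t7, t9)                            # step 10
    return y1 ^ t9, y3 ^ t9, y2 ^ t10, y4 ^ t10  # steps 11, 12, 13, 14


def idea_block(block, subkeys):
    x = [(block >> s) & 0xFFFF for s in (48, 32, 16, 0)]
    for r in range(8):
        x = list(idea_round(*x, subkeys[6 * r:6 * r + 6]))
    x1, x2, x3, x4 = x
    # output transformation: swap the inner blocks back, then apply Z49..Z52
    y = (mul(x1, subkeys[48]), add(x3, subkeys[49]), add(x2, subkeys[50]), mul(x4, subkeys[51]))
    return (y[0] << 48) | (y[1] << 32) | (y[2] << 16) | y[3]


def idea_encrypt(block, key):
    return idea_block(block, encryption_subkeys(key))


def idea_decrypt(block, key):
    return idea_block(block, decryption_subkeys(encryption_subkeys(key)))


if __name__ == "__main__":
    key = 0x00010002000300040005000600070008
    ct = idea_encrypt(0x0000000100020003, key)
    print(hex(ct), hex(idea_decrypt(ct, key)))
```

Because decryption is the encryption routine with a different subkey array, a hardware or software implementation needs only one datapath; the whole "inverse" lives in the 52-entry key table.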
CBC (Cipher Block Chaining) mode – each plaintext block is XORed with the previous
ciphertext block before it is encrypted; the first block is XORed with an initialization
vector (IV).
Advantages of CBC –
CBC works well for input greater than b bits (b being the block size): identical
plaintext blocks no longer produce identical ciphertext blocks, as they do in ECB.
The last ciphertext block depends on every block of the message, which is the basis of the
CBC-MAC authentication construction (CBC encryption by itself provides no integrity:
flipping a bit in one ciphertext block flips the same bit in the next plaintext block and
garbles only the block it belongs to).
Better resistance to cryptanalysis than ECB.
Disadvantages of CBC –
Parallel encryption is not possible, since encrypting each block requires the
previous ciphertext block (decryption, by contrast, can be parallelized, because each
plaintext block needs only two ciphertext blocks).
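ECB and CBC side by side, as an added example that is not part of the original page. The block cipher E_K / D_K is a stand-in here, a keyed random permutation of all 16-bit blocks, so that the modes themselves are the only thing on show; the key, IV and message are constructed. The same message, two identical halves, shows the repeated ciphertext pattern under ECB and its absence under CBC, and the decryption loop shows why CBC decryption needs only C_(i-1) and C_i and therefore parallelizes while encryption does not.

```python
import random

BLOCK_BYTES = 2                  # 16-bit blocks keep the stand-in permutation small; the mode logic is size-agnostic


def make_block_cipher(key):
    """Stand-in for E_K / D_K: a keyed random permutation of all 2^16 blocks (not a real block cipher)."""
    table = list(range(1 << (8 * BLOCK_BYTES)))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def _blocks(data):
    if len(data) % BLOCK_BYTES:
        raise ValueError("input must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def _apply(table, block):
    return table[int.from_bytes(block, "big")].to_bytes(BLOCK_BYTES, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(enc, data):
    return b"".join(_apply(enc, p) for p in _blocks(data))      # each block independent: patterns leak


def cbc_encrypt(enc, iv, data):
    out, prev = [], iv
    for p in _blocks(data):
        prev = _apply(enc, xor(p, prev))                         # C_i = E_K(P_i xor C_(i-1)), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(xor(_apply(dec, c), prev))                    # P_i = D_K(C_i) xor C_(i-1): only two inputs
        prev = c
    return b"".join(out)


if __name__ == "__main__":
    enc, dec = make_block_cipher(key=0x5EC2E7)           # constructed key
    iv = b"\x13\x37"                                      # in practice: unpredictable and fresh per message
    msg = b"ATTACKATTACK"                                 # two identical 3-block halves
    print(ecb_encrypt(enc, msg).hex())                    # second half repeats the first
    print(cbc_encrypt(enc, iv, msg).hex())                # no repetition
    print(cbc_decrypt(dec, iv, cbc_encrypt(enc, iv, msg)))
```

Two cautions the mode list above does not state: the IV must be unpredictable to an attacker who can choose plaintexts (a predictable IV turns the first block back into ECB), and CBC on its own authenticates nothing, so it is paired with a MAC, or replaced by an authenticated mode, in any real protocol.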