Cryptography and

Information Security

Lecture 1
Background
■ Information Security requirements have changed in
recent times
■ traditionally provided by physical and administrative
mechanisms
■ computer use requires automated tools to protect
files and other stored information
■ use of networks and communications links requires
measures to protect data during transmission
Definitions
■ Computer Security - generic name for the collection
of tools designed to protect data and to thwart
hackers.

■ Network Security - measures to protect data during

their transmission.

■ Internet Security - measures to protect data during

their transmission over a collection of interconnected
networks.
 Security Goals

Information needs to be hidden from

■ Unauthorized access (Confidentiality)
■ Protected from unauthorized change (integrity)
■ Available to an authorized entity when it is needed
(availability)

Security Goals

Confidentiality Availability Integrity

Security Attacks
Attacks Threatening Confidentiality
■ Snooping
-Unauthorized access to or interception of data.

■ Traffic analysis
-Can find some other type information by
monitoring online traffic.
-He can find the electronic address (such as e-
mail address) of the sender or the receiver.
 Attacks Threatening Integrity
• Modification
- After intercepting or accessing information, the attacker
modifies the information to make it beneficial to himself
• Masquerading
- Masquerading or spoofing happens when the attacker
impersonates somebody else.
▪ Replaying
- The attacker obtains a copy of a message sent by a user
and later tries to replay it .
▪ Repudiation
- Performed by one of the two parties in the
communication: the sender or the receiver.
- - The sender of the message might later deny that she
has sent the message.
- - The receiver of the message might later deny that he
has received the message
Attacks Threatening Availability
▪ It may slow down or totally interrupt the service of a
system.
▪ He might send so many bogus requests to a server
that the server that the server crashes because of the
heavy load.
▪ The attacker might intercept and delete a server’s
response to a client, making the client to believe
that the server is not responding.
 Security Attack
■ any action that compromises the security of information
owned by an organization
■ information security is about how to prevent attacks, or
failing that, to detect attacks on information-based
systems
■ often threat & attack used to mean same thing
■ have a wide range of attacks
■ can focus of generic types of attacks
■ passive
■ active
Passive Attacks
Active Attacks
Security Service
■ enhance security of data processing systems and
information transfers of an organization
■ intended to counter security attacks
■ using one or more security mechanisms
■ often replicates functions normally associated
with physical documents
■ which, for example, have signatures, dates; need
protection from disclosure, tampering, or destruction;
be notarized or witnessed; be recorded or licensed
 Security Services
■ X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

■ RFC 2828:
“a processing or communication service provided
by a system to give a specific kind of protection to
system resources”
Security Services (X.800)
■ Authentication - assurance that the communicating
entity is the one claimed
■ Access Control - prevention of the unauthorized use
of a resource
■ Data Confidentiality –protection of data from
unauthorized disclosure
■ Data Integrity - assurance that data received is as
sent by an authorized entity
■ Non-Repudiation - protection against denial by one
of the parties in a communication
Security Mechanism
■ feature designed to detect, prevent, or
recover from a security attack
■ no single mechanism that will support all
services required
■ however one particular element underlies
many of the security mechanisms in use:
■ cryptographic techniques
■ hence our focus on this topic
 Security Mechanisms (X.800)
■ specific security mechanisms:
■ encipherment, digital signatures, access controls,
data integrity, authentication exchange, traffic
padding, routing control, notarization
■ pervasive security mechanisms:
■ trusted functionality, security labels, event
detection, security audit trails, security recovery
Model for Network Security
Model for Network Security
■ using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used
by the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to
use the transformation and secret
information for a security service
Model for Network Access Security
Model for Network Access Security
■ using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated
information or resources
■ trusted computer systems may be useful to
help implement this model
Cryptography

■ Cryptography is the study of

■ Secret (crypto-) writing (-graphy)
■ Concerned with developing algorithms:
■ Conceal the context of some message from all
except the sender and recipient (privacy or
secrecy), and/or
■ Verify the correctness of a message to the
recipient (authentication)
■ Form the basis of many technological
solutions to computer and communications
security problems
Cryptography
■ Basic idea: convert clear text (also called plain
text – the original message) to ciphertext (the
encrypted message)
ciphertext = encrypt(plaintext, KE)
plaintext = decrypt(ciphertext, KC)

■ Can either make the encryption process hidden,

so that an intruder cannot know it
■ Or, can use a known technique and use a
hidden key
 Some Basic Terminology
● plaintext - original message

● ciphertext - coded message

● cipher - algorithm for transforming plaintext to ciphertext

● key - info used in cipher known only to sender/receiver

● encipher (encrypt) - converting plaintext to ciphertext

● decipher (decrypt) - recovering ciphertext from plaintext

● cryptography - study of encryption principles/methods

● cryptanalysis (codebreaking) - study of principles/ methods of

deciphering ciphertext without knowing key

● cryptology - field of both cryptography and cryptanalysis

 Cryptography
■ characterize cryptographic system by:
■ type of encryption operations used
■ substitution / transposition / product
■ number of keys used
■ single-key or private / two-key or public
■ way in which plaintext is processed
■ block / stream
Number of keys used (Secret-Key
Cryptography)
■ traditional secret/single key cryptography uses
one key
■ shared by both sender and receiver
■ if this key is disclosed communications are
compromised
■ also is symmetric, parties are equal
■ hence does not protect sender from receiver
forging a message & claiming is sent by sender
Symmetric Encryption
Public-Key Cryptography
■ probably most significant advance in the 3000
year history of cryptography
■ uses two keys – a public & a private key
■ asymmetric since parties are not equal
■ uses clever application of number theoretic
concepts to function
■ complements rather than replaces secret key
cryptography
Public-Key Cryptography
■ public-key/two-key/asymmetric cryptography
involves the use of two keys:
■ a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
■ a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
■ is asymmetric because
■ those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
Public-Key Cryptography
Way in which plaintext is processed
●Simplest Stream Cipher

Key Key

Plaintext Ciphertext Plaintext

Ciphertext
Simple Secret-Key Example
■ P = “abra” which has the binary representation:
01100001011000100011100101100001
Choose a random string of bits as the key
■ 10011101010010001111010101011100

Can use a simple XOR of the binary to get C

■ 11111100001010101000011100111101

To get P back, use the same algorithm and key!

The most popular secret key encryption today is DES.
● Block Cipher
 Substitution Technique
Caesar Cipher
■ replaces each letter by 3rd letter on
■ can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w
x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z
A B C
■ mathematically give each letter a
number
a b c d e f g h i j k l m n o p q r s t u v w x
y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25

■ then have Caesar cipher as:

c = E(p) = (p + k) mod (26)
p = D(c) = (c – k) mod (26)
Playfair Cipher

s i/j m p l
e a b c d
f g h k n
o q r t u
v w x y z

Key: simple
Playfair Cipher
■ Use filler letter to separate repeated letters
■ Encrypt two letters together
■ Same row– followed letters
■ ac--bd
■ Same column– letters under
■ qw--wi
■ Otherwise—square’s corner at same row
■ ar--bq
 Hill Cipher
■ takes m successive plaintext letters and substitutes
for them m ciphertext letters
■ substitution determined by m liner equations,
C=KP mod 26
■ This example will rely on some linear algebra and
some number theory. The 'key' for a hill cipher is a
matrix e.g.
•In the above case, we have taken the size to be
3x3, however it can be any size (as long as it is
square).
• We now take 3 characters from our plaintext
e.g. 'DEF' and create a vector that corresponds to
the letters (replace 'A' with 0, 'B' with 1 etc.) to
get: [3 4 5] (this is ['D' 'E' 'F']).

• To get our ciphertext we perform a matrix

multiplication
e.g. for m = 3
c1=(k11p1+k12p2+k13p3) mod 26
c2=(k21p1+k22p2+k23p3) mod 26
c3=(k31p1+k32p2+k33p3) mod 26
 Polyalphabetic Ciphers
■ Basically multiple Caesar ciphers
■ key is multiple letters long
■ K = k1 k2 ... kd
■ ith letter specifies ith alphabet to use
■ mathematically give each letter a
number
a b c d e f g h i j k l m n o p q r s t u v w x
y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25

■ Plaintext THISPROCESSCANALSOBEEXPRESSED
Keyword CIPHERCIPHERCIPHERCIPHERCIPHE
Ciphertext VPXZTIQKTZWTCVPSWFDMTETIGAHLH
 Autokey Cipher
■ An autokey cipher, or self-synchronizing
stream cipher, is a cipher which incorporates
the message into the key.
■ In order to encrypt a letter, one locates the line
starting with the letter to be encrypted, and the
column beginning with the next letter of the key.
The letter where the line and column cross is the
ciphertext letter.
 For example, if the plaintext is MEET ME FOR LUNCH and the key is
RESTAURANT, the first letter of the ciphertext is D, because the M
and R intersect at D. The second ciphertext character is I, where the E
from MEET and the E from RESTAURANT intersect in the table.
more secure way to generate the key is to append the plaintext to
it. This method makes frequency counting more difficult, as the key
does not follow a simple repeating pattern:

a b c d e f g h i j k l m n o p q r s t u
v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
21 22 23 24 25
•
Plaintext: MEETMEFORLUNCH
• Key: RESTAURANTMEET
• Ciphertext: DIWMMYWOEEGRGA
 One-Time Pad
■ In cryptography, the one-time pad (OTP) is
an encryption algorithm in which the plaintext
is combined with a secret random key or pad,
which is used only once.
■ The key is truly random, as large as the
plaintext, never reused in whole or part, and
kept secret.
■ You have a message M, and you compute
the ciphertext C by XORing the message with
the OTP:
■ C = M xor OTP