UNIT 2

Cryptography and Data Protection

Cryptography
Cryptography is the process of hiding or coding information so that only the person a message was
intended for can read it. The art of cryptography has been used to code messages for thousands of years
and continues to be used in bank cards, computer passwords, and ecommerce.

Modern cryptography techniques include algorithms and ciphers that enable the encryption and
decryption of information, such as 128-bit and 256-bit encryption keys. Modern ciphers, such as the
Advanced Encryption Standard (AES), are considered virtually unbreakable.

The Importance of Cryptography

Cryptography remains important to protecting data and users, ensuring confidentiality, and preventing
cyber criminals from intercepting sensitive corporate information. Common uses and examples of
cryptography include the following:

Privacy and confidentiality

Individuals and organizations use cryptography on a daily basis to protect their privacy and keep their
conversations and data confidential. Cryptography ensures confidentiality by encrypting sent messages
using an algorithm with a key only known to the sender and recipient. A common example of this is the
messaging tool WhatsApp, which encrypts conversations between people to ensure they cannot be
hacked or intercepted.

Integrity

Similar to how cryptography can confirm the authenticity of a message, it can also prove the integrity of
the information being sent and received. Cryptography ensures information is not altered while in storage
or during transit between the sender and the intended recipient. For example, digital signatures can
detect forgery or tampering in software distribution and financial transactions.

Nonrepudiation

Cryptography confirms accountability and responsibility from the sender of a message, which means they
cannot later deny their intentions when they created or transmitted information. Digital signatures are a
good example of this, as they ensure a sender cannot claim a message, contract, or document they created
to be fraudulent. Furthermore, in email nonrepudiation, email tracking makes sure the sender cannot
deny sending a message and a recipient cannot deny receiving it.
 Types of Cryptography
I) Classical Cryptography:
Classical cryptography is based on mathematics and it relies on the computational difficulty of
factorizing large numbers. The security of classical cryptography is based on the high complexity of the
mathematical problem for instance factorization of large numbers. In classical cryptography the original
data i.e., the plain text is transformed into the encoded format i.e. cipher text so that we can transmit
this data through insecure communication channels. A data string known as the key is used to control
the transformation of the data from plain text to cipher text. This arrangement helps to keep data safe
as it requires the key to extract the original information from the cipher text. Without the key, no one
can read the data. In this technique, it is assumed that the only authorized receiver has the key.

A) Substitution Methods

In a Substitution cipher, any character of plain text from the given fixed set of characters is substituted
by some other character from the same set depending on a key. For example, with a shift of 1, A would
be replaced by B, B would become C, and so on.

a) Monoalphabetic Cipher
b) Polyalphabetic Cipher
c) Playfair Cipher
d) Hill Cipher

B) Transposition Methods

Transposition Ciphers are an essential part of cryptography that uses systematic shuffling of plain text
characters or bits to secure data by altering their positions based on some defined way or algorithm.
Moreover, unlike substitutive codes where different letters substitute others, in these, you just shift
about original letters hence it does not at all look like any message.

a) Rail Fence Cipher

b) Row Transposition
c) Double Columnar Transposition Cipher

II) Modern Cryptography

A) Symmetric Key Cryptography

In symmetric cryptography, a single key is used to encrypt and decrypt data. This encryption key is
the private key. This is the limitation of this encryption technique that this private key must be
distributed only among the authorized sender and receiver.

a) DES Algorithm
DES stands for Data Encryption Standard. There are certain machines that can be used to crack the DES
algorithm. The DES algorithm uses a key of 56-bit size. Using this key, the DES takes a block of 64-bit
plain text as input and generates a block of 64-bit cipher text.

The DES process has several steps involved in it, where each step is called a round. Depending upon the
size of the key being used, the number of rounds varies. For example, a 128-bit key requires 10 rounds,
a 192-bit key requires 12 rounds, and so on.

Take a look at the video below which explains steps for encryption and decryption in detail, future of
the Data Encryption Standard in cryptography and live example to further highlight the characteristics
of DES encryption. After having gone through and understanding what is DES, let us look into ways to
improve our cybersecurity skills. The DES (Data Encryption Standard) algorithm is a symmetric-key block
cipher created in the early 1970s by an IBM team and adopted by the National Institute of Standards
and Technology (NIST). The algorithm takes the plain text in 64-bit blocks and converts them into
ciphertext using 48-bit keys.

Since it’s a symmetric-key algorithm, it employs the same key in both encrypting and decrypting the
data. If it were an asymmetrical algorithm, it would use different keys for encryption and decryption.

Initial Permutation (IP)

The plain text is divided into smaller chunks of 64-bit size. The IP is performed before the first round.
This phase describes the implementation of the transposition process. For example, the 58th bit
replaces the first bit, the 50th bit replaces the second bit, and so on. The resultant 64-bit text is split
into two equal halves of 32-bit each called Left Plain Text (LPT) and Right Plain Text (RPT).

Step 1: Key Transformation

We already know that the DES process uses a 56-bit key, which is obtained by eliminating all the bits
present in every 8th position in a 64-bit key. In this step, a 48-bit key is generated. The 56-bit key is split
into two equal halves and depending upon the number of rounds the bits are shifted to the left in a
circular fashion.

Due to this, all the bits in the key are rearranged again. We can observe that some of the bits get
eliminated during the shifting process, producing a 48-bit key. This process is known as compression
permutation.

Step 2: Expansion Permutation

Let's consider an RPT of the 32-bit size that is created in the IP stage. In this step, it is expanded from
32-bit to 48-bit. The RPT of 32-bit size is broken down into 8 chunks of 4 bits each and extra two bits
are added to every chunk, later on, the bits are permutated among themselves leading to 48-bit data.
An XOR function is applied in between the 48-bit key obtained from step 1 and the 48-bit expanded
RPT.

DES Algorithm Steps

To put it in simple terms, DES takes 64-bit plain text and turns it into a 64-bit ciphertext. And since we’re
talking about asymmetric algorithms, the same key is used when it’s time to decrypt the text.

The algorithm process breaks down into the following steps:

1. The process begins with the 64-bit plain text block getting handed over to an initial permutation
(IP) function.

2. The initial permutation (IP) is then performed on the plain text.

3. Next, the initial permutation (IP) creates two halves of the permuted block, referred to as Left
Plain Text (LPT) and Right Plain Text (RPT).

4. Each LPT and RPT goes through 16 rounds of the encryption process.

5. Finally, the LPT and RPT are rejoined, and a Final Permutation (FP) is performed on the newly
combined block.

6. The result of this process produces the desired 64-bit ciphertext.

The encryption process step (step 4, above) is further broken down into five stages:

1. Key transformation

2. Expansion permutation

3. S-Box permutation

4. P-Box permutation

5. XOR and swap

For decryption, we use the same algorithm, and we reverse the order of the 16 round keys.
Next, to better understand what is DES, let us learn the various modes of operation for DES.

Applications of DES Algorithm

In this section, we are going to learn about some of the applications of the DES Algorithm.

1. It is used in random number generation

2. It is deployed when not-so-strong encryption is needed

3. It is used to develop a new form of DES, called Triple DES (using a 168-bit key formed using three
keys)

b) Triple DES Algorithm

Triple DES is a symmetric key-block cipher which applies the DES cipher in triplicate. It encrypts with
the first key (k1), decrypts using the second key (k2), then encrypts with the third key (k3). There is also
a two-key variant, where k1 and k3 are the same keys.
c) AES Algorithm
The Advanced Encryption Standard (AES) is a symmetric encryption algorithm widely used
across the globe to secure data. Developed by Vincent Rijmen and Joan Daemen, it was adopted
by the U.S. National Institute of Standards and Technology (NIST) as a federal standard in 2001,
replacing the older Data Encryption Standard (DES).
Key Features of AES:
o AES uses the same key for both encryption and decryption, which requires the secure
exchange of the key between parties.

o AES encrypts data in fixed-size blocks of 128 bits (16 bytes). If the data is not a multiple
of the block size, padding is added.
o AES supports key sizes of 128, 192, or 256 bits. The key size determines the number of
rounds used in the encryption process:
▪ AES-128: 10 rounds
▪ AES-192: 12 rounds
▪ AES-256: 14 rounds

o Each round in the AES encryption process consists of several steps, including SubBytes,
ShiftRows, MixColumns, and AddRoundKey. The number of rounds increases with the
key size, making the algorithm more secure.
 o AES is considered highly secure and is used by governments, financial institutions, and
other organizations worldwide for securing sensitive data. As of now, no practical
attacks have been successful against AES when used with strong, random keys.
o AES is designed to be fast both in software and hardware implementations, making it
suitable for a wide range of applications, from securing communications to encrypting
data at rest.
Applications of AES:
• Data Encryption: Used in securing files, databases, and entire disk partitions.
• Secure Communications: Used in protocols like SSL/TLS, IPsec, and VPNs.
• Wireless Security: Used in WPA2 (Wi-Fi Protected Access) for securing wireless networks.
• Cryptographic Libraries: Incorporated in many cryptographic libraries and toolkits, such as
OpenSSL.
AES has become the encryption standard worldwide, thanks to its combination of speed,
security, and flexibility.

B) Asymmetric Key Cryptography

In the asymmetric cryptography a pair of key, i.e., public key and private key is used for encryption and
decryption. A sender can use its public key to encrypt the data and on receiver end receiver can decrypt
the data by using its private key. This technique overcomes the problem of key distribution.

a) RSA Algorithm (Rivest-Shamir-Adleman)

The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in 1977
[RIVE78].

The RSA cryptosystem is the most widely-used public key cryptography algorithm in the world. It can
be used to encrypt a message without the need to exchange a secret key separately.
The RSA algorithm can be used for both public key encryption and digital signatures. Its security is based
on the difficulty of factoring large integers.

RSA algorithm is asymmetric cryptography algorithm. Asymmetric actually means that it works on two
different keys i.e. Public Key and Private Key. As the name describes that the Public Key is given to
everyone and Private key is kept private.

An example of asymmetric cryptography:

1. A client (for example browser) sends its public key to the server and requests for some data.

2. The server encrypts the data using client’s public key and sends the encrypted data.

3. Client receives this data and decrypts it.

Since this is asymmetric, nobody else except browser can decrypt the data even if a third party has
public key of browser.

The idea! The idea of RSA is based on the fact that it is difficult to factorize a large integer. The public
key consists of two numbers where one number is multiplication of two large prime numbers. And
private key is also derived from the same two prime numbers. So if somebody can factorize the large
number, the private key is compromised. Therefore encryption strength totally lies on the key size and
if we double or triple the key size, the strength of encryption increases exponentially. RSA keys can be
typically 1024 or 2048 bits long, but experts believe that 1024 bit keys could be broken in the near
future. But till now it seems to be an infeasible task.

Let us learn the mechanism behind RSA algorithm :

>> Generating Public Key :

Select two prime no's. Suppose P = 53 and Q = 59.

Now First part of the Public key : n = P*Q = 3127.

We also need a small exponent say e :

But e Must be

o An integer.

o Not be a factor of n.

o 1 < e < Φ(n) [Φ(n) is discussed below],

o Let us now consider it to be equal to 3.

Our Public Key is made of n and e

>> Generating Private Key :

We need to calculate Φ(n) :

Such that Φ(n) = (P-1)(Q-1)

 so, Φ(n) = 3016

Now calculate Private Key, d :

d = (k*Φ(n) + 1) / e for some integer k

For k = 2, value of d is 2011.

Now we are ready with our – Public Key ( n = 3127 and e = 3) and Private Key(d = 2011)

Now we will encrypt “HI” :

Convert letters to numbers : H = 8 and I = 9

Thus Encrypted Data c = 89e mod n.

Thus our Encrypted Data comes out to be 1394

Now we will decrypt 1394 :

Decrypted Data = cd mod n.

Thus our Encrypted Data comes out to be 89

8 = H and I = 9 i.e. "HI".

b) Diffie-Hellman algorithm:
The Diffie-Hellman algorithm is being used to establish a shared secret that can be used for
secret communications while exchanging data over a public network using the elliptic curve to generate
points and get the secret key using the parameters.

• For the sake of simplicity and practical implementation of the algorithm, we will consider only 4
variables, one prime P and G (a primitive root of P) and two private values a and b.

• P and G are both publicly available numbers. Users (say Alice and Bob) pick private values a and b
and they generate a key and exchange it publicly. The opposite person receives the key and that
generates a secret key, after which they have the same secret key to encrypt.
 Difference between Symmetric Key Cryptography and Asymmetric Key
Cryptography
Symmetric Key Encryption Asymmetric Key Encryption

It only requires a single key for both encryption It requires two keys, a public key and a private
and decryption. key, one to encrypt and the other to decrypt.

The size of ciphertext is the same or smaller than The size of ciphertext is the same or larger than
the original plaintext. the original plaintext.

The encryption process is very fast. The encryption process is slow.

It is used when a large amount of data needs to be

It is used to transfer small amount of data.
transferred.

It provides confidentiality, authenticity, and non-

It only provides confidentiality.
repudiation.

The length of key used is 128 or 256 bits The length of key used is 2048 or higher
Symmetric Key Encryption Asymmetric Key Encryption

In symmetric key encryption, resource utilization is In asymmetric key encryption, resource

low compared to asymmetric key encryption. utilization is high.

It is efficient as it is used for handling large amount It is comparatively less efficient as it can handle a
of data. small amount of data.

Security is lower as only one key is used for both Security is higher as two keys are used, one for
encryption and decryption purposes. encryption and the other for decryption.

The Mathematical Representation is as follows-

The Mathematical Representation is as follows-
P = D(Kd, E (Ke,P))
P = D (K, E(K, P))
where Ke –> encryption key
where K –> encryption and decryption key
Kd –> decryption key
P –> plain text
D –> Decryption
D –> Decryption
E(Ke, P) –> Encryption of plain text using
E(K, P) –> Encryption of plain text using K
encryption key Ke. P –> plain text

Examples: Diffie-Hellman, ECC, El Gamal, DSA

Examples: 3DES, AES, DES and RC4
and RSA

C) Hash Functions
What is a Hash Function?

A hash function is a function that takes an input (or ‘message’) and returns a fixed-size string of bytes.
The output, typically a number, is called the hash code or hash value. The main purpose of a hash
function is to efficiently map data of arbitrary size to fixed-size values, which are often used as indexes
in hash tables.
Key Properties of Hash Functions

• Deterministic: A hash function must consistently produce the same output for the same input.

• Fixed Output Size: The output of a hash function should have a fixed size, regardless of the size
of the input.

• Efficiency: The hash function should be able to process input quickly.

• Uniformity: The hash function should distribute the hash values uniformly across the output
space to avoid clustering.

• Pre-image Resistance: It should be computationally infeasible to reverse the hash function, i.e.,
to find the original input given a hash value.

• Collision Resistance: It should be difficult to find two different inputs that produce the same
hash value.

• Avalanche Effect: A small change in the input should produce a significantly different hash
value.

Applications of Hash Functions

• Hash Tables: The most common use of hash functions in DSA is in hash tables, which provide an
efficient way to store and retrieve data.

• Data Integrity: Hash functions are used to ensure the integrity of data by generating checksums.

• Cryptography: In cryptographic applications, hash functions are used to create secure hash
algorithms like SHA-256.

• Data Structures: Hash functions are utilized in various data structures such as Bloom filters and
hash sets.

Popular Hashing Algorithms Explained

Many different types of programs can transform text into a hash, and they all work slightly differently.

Common hashing algorithms include:

• MD-5. This is one of the first algorithms to gain widespread approval. It was designed in 1991,
and at the time, it was considered remarkably secure.

Since then, hackers have discovered how to decode the algorithm, and they can do so in seconds. Most
experts feel it's not safe for widespread use since it is so easy to tear apart.

• RIPEMD-160. The RACE Integrity Primitives Evaluation Message Digest (or RIPEMD-160) was
developed in Belgium in the mid-1990s. It's considered remarkably secure, as hackers haven't
 quite figured out how to crack it.

• SHA. Algorithms in the SHA family are considered slightly more secure. The first versions were
developed by the United States government, but other programmers have built on the original
frameworks and made later variations more stringent and harder to break. In general, the
bigger the number after the letters "SHA," the more recent the release and the more complex
the program.

For example, SHA-3 includes sources of randomness in the code, which makes it much more difficult to
crack than those that came before. It became a standard hashing algorithm in 2015 for that reason.

• Whirlpool. In 2000, designers created this algorithm based on the Advanced Encryption
Standard. It's also considered very secure.

The government may no longer be involved in writing hashing algorithms. But the authorities do have
a role to play in protecting data. The Cryptographic Module Validation Program, run in part by the
National Institute of Standards and Technology, validates cryptographic modules. Companies can use
this resource to ensure that they're using technologies that are both safe and effective.

Key Management
Key Management Lifecycle

The key management lifecycle outlines the stages through which cryptographic keys are generated,
used, and eventually retired or destroyed. Proper management of these keys is critical to ensuring the
security of cryptographic systems. Here’s an overview of each stage:

1. Key Generation:

• Creation: Keys are created using secure algorithms to ensure randomness and strength.

• Initialization: Keys are initialized with specific parameters required for their intended use (e.g.,
length, algorithm).

2. Key Distribution:

• Sharing: For symmetric keys, secure methods must be used to share the key between parties.

• Publication: For asymmetric keys, the public key is shared openly, while the private key remains
confidential.

3. Key Storage:

• Protection: Keys must be stored securely, typically in hardware security modules (HSMs) or
encrypted key stores, to prevent unauthorized access.

• Access Control: Only authorized users or systems should be able to access keys.
4. Key Usage:

• Application: Keys are used for their intended cryptographic functions, such as
encrypting/decrypting data or signing/verifying messages.

• Monitoring: Usage is monitored to detect any unusual or unauthorized activities.

Key Management in Cryptography

5. Key Rotation:

• Updating: Keys are periodically updated to reduce the risk of exposure or compromise.

• Re-Keying: New keys are generated and distributed, replacing old ones while ensuring
continuity of service.

6. Key Revocation:

• Invalidation: Keys that are no longer secure or needed are invalidated.

• Revocation Notices: For public keys, revocation certificates or notices are distributed to inform
others that the key should no longer be trusted.

7. Key Archival:

• Storage: Old keys are securely archived for future reference or compliance purposes.

• Access Restrictions: Archived keys are kept in a secure location with restricted access.

8. Key Destruction:

• Erasure: When keys are no longer needed, they are securely destroyed to prevent any
possibility of recovery.
• Verification: The destruction process is verified to ensure that no copies remain.