CNS
Unit I:
Unit II:
Unit III:
Unit IV:
Web Security - Secure Socket Layer – Secure Electronic Transaction. System Security
– Intruders and Viruses – Firewalls– Password Security.
Unit V:
Unit – I
Introduction to Cryptography
If the sender and receiver use the same key, it is said to be symmetric key (or)
single key (or) conventional encryption. If the sender and receiver use different keys,
it is said to be public key encryption.
• A block cipher processes the input one block of elements at a time, producing
an output block for each input block.
• A stream cipher processes the input elements continuously, producing output
one element at a time, as it goes along.
Types Of Cryptography
Symmetric Key cryptography is faster and simpler but the problem is that the
sender and receiver have to somehow exchange keys securely.
The most popular symmetric key cryptography systems are the Data Encryption
Standard (DES) and the Advanced Encryption Standard (AES).
Hash Functions
No key is used in this algorithm. A hash value with a fixed length is calculated
from the plain text in a way that makes it infeasible to recover the contents of the
plain text. Many operating systems use hash functions to protect stored
passwords.
Security Attacks
Any action that compromises the security of information owned by an
organization.
The security attacks can be classified into two types
• Passive attacks
• Active attacks.
Passive attacks
A Passive attack attempts to learn or make use of information from the system
but does not affect system resources. Passive Attacks are in the nature of
eavesdropping on or monitoring transmission.
Passive attacks involve an attacker passively monitoring or collecting data without
altering or destroying it.
Examples of passive attacks include eavesdropping, where an attacker listens
in on network traffic to collect sensitive information.
Types of Passive attacks are as follows:
• The release of message content
• Traffic analysis
The release of message content –
A telephone conversation, an electronic mail message, or a transferred file may
contain sensitive or confidential information. We would like to prevent an opponent
from learning the contents of these transmissions.
Traffic analysis
Suppose that we had a way of masking (encrypting) information, so that the
attacker, even having captured the message, could not extract any information from
it.
The opponent could still determine the location and identity of the communicating
hosts and could observe the frequency and length of the messages being exchanged.
Active attacks
Active attacks are attacks in which the attacker attempts to change or modify
the content of messages.
An active attack is dangerous to integrity as well as availability. Due to an active
attack, the system is always damaged and system resources can be changed.
Security Services
Perhaps a clearer definition is found in RFC 4949, which provides the following
definition: a processing or communication service that is provided by a system to give
a specific kind of protection to system resources; security services implement security
policies and are implemented by security mechanisms.
• Authentication
• Confidentiality
• Data Integrity
• Non repudiation
• Access control
• Availability
Authentication:
Authentication is the mechanism to identify the user or system or the entity. It
ensures the identity of the person trying to access the information.
The authentication is mostly secured by using username and password. The
authorized person whose identity is preregistered can prove his/her identity and can
access the sensitive information.
Two specific authentication services are defined in X.800:
Peer Entity Authentication: Used in association with a logical connection to
provide confidence in the identity of the entities connected.
Confidentiality
The confidential information of the sender and receiver must be encrypted so
that no attacker can steal the information. The message sent must be intended for the
recipient, and only the recipient can understand the message sent by the sender.
We can achieve confidentiality in two ways:
• symmetric-key cryptography and
• asymmetric-key cryptography.
Symmetric-key cryptography: To achieve confidentiality with symmetric-key
cryptography, a sender and receiver must share a common key.
Integrity:
Integrity gives the assurance that the information received is exact and
accurate. If the content of the message is changed after the sender sends it but before
reaching the intended receiver, then it is said that the integrity of the message is lost.
A connection-oriented integrity service, one that deals with a stream of
messages, assures that messages are received as sent with no duplication, insertion,
modification, reordering, or replays. The destruction of data is also covered under this
service.
On the other hand, a connectionless integrity service, one that deals with
individual messages without regard to any larger context, generally provides
protection against message modification only.
Non repudiation:
Requires that neither the sender nor the receiver of a message be able to deny
the transmission.
Access control:
Requires that access to information resources may be controlled by or for the
target system.
Availability:
Both X.800 and RFC 4949 define availability to be the property of a system or a
system resource being accessible and usable upon demand by an authorized system
entity, according to performance specifications for the system (i.e., a system is
available if it provides services according to the system design whenever users
request them).
Encryption:
For Encryption,
• Plain Text and Keystream produce the Cipher Text (the same keystream will be
used for decryption).
• The Plaintext undergoes an XOR operation with the keystream bit-by-bit and
produces the Cipher Text.
Example
Plain Text : 10011001
Keystream : 11000011
Cipher Text : 01011010
Decryption:
For Decryption,
• Cipher Text and Keystream give the original Plain Text (the same keystream
that was used for encryption).
• The Ciphertext undergoes an XOR operation with the keystream bit-by-bit and
produces the actual Plain Text.
Example –
Cipher Text : 01011010
Keystream : 11000011
Plain Text : 10011001
RC4 Algorithm
• RC4 is a stream cipher and variable-length key algorithm. This algorithm
encrypts one byte at a time (or larger units at a time).
• A key is input to a pseudorandom bit generator that produces a stream of 8-bit
numbers that is unpredictable without knowledge of the input key.
• The output of the generator, called the keystream, is combined one byte at a
time with the plaintext stream using the XOR operation.
Example:
RC4 Encryption
10011000 ⊕ 01010000 = 11001000
RC4 Decryption
11001000 ⊕ 01010000 = 10011000
Block cipher
Block cipher is an encryption algorithm that takes a fixed size of input say b
bits and produces a ciphertext of b bits again. If the input is larger than b bits it can
be divided further.
There are several modes of operations for a block cipher.
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback Mode (CFB)
4. Output Feedback Mode (OFM)
5. Counter Mode
Electronic Code Book (ECB) –
Electronic code book is the easiest block cipher mode of functioning. It is easier
because of direct encryption of each block of input plaintext and output is in form
of blocks of encrypted ciphertext.
Generally, if a message is larger than b bits in size, it can be broken down into
a bunch of blocks and the procedure is repeated.
block is produced by encrypting a XOR output of previous cipher block and present
plaintext block.
Output Feedback Mode –
The output feedback mode follows nearly the same process as the Cipher
Feedback mode except that it sends the encrypted output as feedback instead of the
actual cipher which is XOR output.
In this output feedback mode, all bits of the block are sent instead of sending
selected s bits. The Output Feedback mode of block cipher holds great resistance
towards bit transmission errors. It also decreases the dependency or relationship of
the cipher on the plaintext.
Counter Mode –
The Counter Mode or CTR is a simple counter-based block cipher
implementation. For each block, a counter-initiated value is encrypted and the result
is XORed with the plaintext block, which produces the ciphertext block.
Symmetric-key and Asymmetric-key Cryptosystem
Symmetric-key Cryptosystem:
Key Features:
• Uses a single key for both encryption and decryption.
• Fast and efficient for large volumes of data.
• Well-suited for real-time encryption/decryption applications.
Operation:
• Sender and receiver must both have the same key.
• Encryption: Plaintext is encrypted using the shared key.
• Decryption: Ciphertext is decrypted using the same shared key.
Examples:
• AES (Advanced Encryption Standard): Widely used for symmetric encryption.
• DES (Data Encryption Standard): Older standard, less secure now.
• Blowfish, Twofish: Other symmetric encryption algorithms.
Advantages:
• Efficiency: Encrypting and decrypting data is fast.
• Simplicity: Requires less computational overhead compared to asymmetric
encryption.
Challenges:
• Key Distribution: Securely sharing the key between sender and receiver can be
a challenge.
• Key Management: As the number of users increases, managing keys securely
becomes complex.
Asymmetric-key Cryptosystem (Public-key Cryptosystem):
Key Features:
• Uses a pair of keys (public key and private key) for encryption and decryption.
• Public key is widely distributed and known to everyone.
• Private key is kept secret by the owner.
Operation:
• Encryption: Sender uses the recipient's public key to encrypt the message.
• Decryption: Recipient uses their own private key to decrypt the message.
Examples:
• RSA (Rivest-Shamir-Adleman): A widely used asymmetric encryption
algorithm.
• DSA (Digital Signature Algorithm): Also includes digital signatures for
authentication.
Advantages:
• Security: Offers stronger security guarantees, especially in key distribution.
• Authentication: Supports digital signatures for verifying sender authenticity.
Challenges:
• Performance: Generally slower than symmetric encryption due to more
complex algorithms.
• Key Size: Typically requires larger key sizes for equivalent security compared
to symmetric keys.
Symmetric | Asymmetric
One key used to encrypt and decrypt the message | Different keys for encryption and decryption
Single key is shared among all participants, decreasing security | Public key is shared only to message senders. Recipient stores private key secretly
Ciphertext size doesn't differ much from the original plaintext | Ciphertext is bigger than the plaintext
Very fast | Complex and slower
Usually uses 128- or 256-bit keys | Uses keys which are at least 1000 bits long
Isn't used in digital signatures | It's used in digital signatures
Scalability is an issue | Easily scalable
Lack of non-repudiation | Allows non-repudiation and authenticity
DES Overview
DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at the decryption site, DES
takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The same 56-bit cipher
key is used for both encryption and decryption.
• Decryption Process:
The decryption process in DES is essentially the reverse of encryption. It
uses the same 16-round structure but applies the round keys in reverse order.
• Key Schedule:
The 56-bit key undergoes a key schedule process to generate 16 round keys,
one for each round of encryption.
DES STRUCTURE
DES is based on the two fundamental attributes of cryptography: substitution (also
called confusion) and transposition (also called diffusion). DES consists of 16
steps, each of which is called a round. Each round performs the steps of substitution
and transposition.
1. In the first step, the 64-bit plain text block is handed over to an initial
Permutation (IP) function.
2. The initial permutation is performed on plain text.
3. Next, the initial permutation (IP) produces two halves of the permuted
block; saying Left Plain Text (LPT) and Right Plain Text (RPT).
4. Now each LPT and RPT go through 16 rounds of the encryption process.
5. In the end, LPT and RPT are rejoined and a Final Permutation (FP) is
performed on the combined block
6. The result of this process produces 64-bit ciphertext.
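An added example, not part of the original notes: a toy 64-bit Feistel cipher that follows the DES outline above (LPT/RPT halves, 16 rounds, decryption with the round keys in reverse order), wrapped in the ECB, CBC and CTR modes described earlier. The SHA-256-based round function and key schedule, and all function names, are assumptions standing in for the real DES tables, which these notes do not list; ECB and CBC inputs are assumed to be a multiple of 8 bytes.

```python
import hashlib

def f(half, rk):
    # Toy round function (assumption) in place of DES expansion, S-boxes and permutation.
    return int.from_bytes(hashlib.sha256(rk + half.to_bytes(4, "big")).digest()[:4], "big")

def feistel(block, key, decrypt=False):
    # Toy key schedule (assumption): 16 round keys; decryption uses them in reverse order.
    keys = [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(16)]
    lpt, rpt = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rk in (keys[::-1] if decrypt else keys):
        lpt, rpt = rpt, lpt ^ f(rpt, rk)
    return rpt.to_bytes(4, "big") + lpt.to_bytes(4, "big")   # rejoin the two halves

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(pt, key):
    # ECB: every block is encrypted on its own, so equal inputs give equal outputs.
    return b"".join(feistel(b, key) for b in blocks(pt))

def cbc_encrypt(pt, key, iv):
    # CBC: XOR each plaintext block with the previous ciphertext block, then encrypt.
    out, prev = [], iv
    for b in blocks(pt):
        prev = feistel(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(feistel(c, key, decrypt=True), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(data, key, nonce):
    # CTR: encrypt nonce||counter and XOR with the data; the same call decrypts.
    return b"".join(xor(b, feistel(nonce + i.to_bytes(4, "big"), key))
                    for i, b in enumerate(blocks(data)))
```

Encrypting a message with two identical 8-byte blocks shows the practical difference: the ECB ciphertext repeats the block, the CBC ciphertext does not.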
Triple DES
Triple DES is an encryption algorithm based on the original Data Encryption
Standard (DES). It is a symmetric encryption algorithm that uses multiple rounds of
the Data Encryption Standard (DES) to improve security.
It is known as Triple DES because it applies the Data Encryption Standard
(DES) cipher three times to encrypt its data. It is essentially a block
cipher used to encrypt data in 64-bit blocks.
Encryption Process
The Encryption process of Triple DES involves the following steps:-
Key Generation
This is the first step of the Encryption process of Triple DES. In this step, three
unique keys are generated using a key derivation algorithm.
Initial Permutation
This step comes after the process of Key Generation. It involves the
rearrangement of the bits of the plaintext according to a predefined permutation table.
Three Rounds of Encryption
This is regarded as the most important round of the encryption process of Triple
DES. It consists of multiple rounds, typically 48 rounds in total. In this step, the
plaintext is processed three times, each time with a different key, to create three
layers of encryption.
Final Permutation
It completes the Triple DES encryption process. In this step, the resulting
ciphertext block undergoes a final permutation (FP) operation, which is the inverse of
the initial permutation. It returns the bits of the ciphertext block to their original order.
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is a specification for the encryption of
electronic data established by the U.S. National Institute of Standards and Technology
(NIST) in 2001. AES is widely used today as it is much stronger than DES and Triple
DES.
The features of AES
• Symmetric key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Encrypts data in blocks of 128 bits each.
It takes 128 bits as input and outputs 128 bits of encrypted cipher text as output.
AES structure
Encryption Process
Here, we restrict ourselves to the description of a typical round of AES encryption.
Each round comprises four sub-processes.
Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given in
design. The result is in a matrix of four rows and four columns.
Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall
off’ are re-inserted on the right side of row. Shift is carried out as follows −
1. First row is not shifted.
2. Second row is shifted one (byte) position to the left.
3. Third row is shifted two positions to the left.
4. Fourth row is shifted three positions to the left.
5. The result is a new matrix consisting of the same 16 bytes but shifted with
respect to each other.
MixColumns :
This step is basically a matrix multiplication. Each column is multiplied with a
specific matrix and thus the position of each byte in the column is changed as a result.
AddRoundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the
128 bits of the round key. If this is the last round then the output is the ciphertext.
Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another
similar round.
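An added example, not part of the original notes: one typical AES round on a state held as four rows of four bytes, following the four sub-processes above. The notes do not list the S-box or the MixColumns matrix, so the code uses the standard ones (S-box computed from its definition, matrix rows being rotations of 02 03 01 01); the function names are assumptions.

```python
def xtime(b):
    """Multiply by 2 in GF(2^8), reducing by the AES polynomial 0x11B."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def sub_byte(x):
    """SubBytes for one byte: field inverse (0 maps to 0), then the affine map."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    out = inv ^ 0x63
    for i in range(1, 5):
        out ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return out

def shift_rows(state):
    """Row r rotates left by r bytes; bytes that fall off re-enter on the right."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_column(c):
    """Multiply one column by the fixed AES matrix."""
    return [gmul(2, c[i]) ^ gmul(3, c[(i + 1) % 4]) ^ c[(i + 2) % 4] ^ c[(i + 3) % 4]
            for i in range(4)]

def mix_columns(state):
    cols = [mix_column(list(col)) for col in zip(*state)]
    return [list(row) for row in zip(*cols)]

def add_round_key(state, round_key):
    """XOR the 16 state bytes with the 16 round-key bytes."""
    return [[s ^ k for s, k in zip(sr, kr)] for sr, kr in zip(state, round_key)]

def aes_round(state, round_key):
    """SubBytes, ShiftRows, MixColumns, AddRoundKey (the last round omits MixColumns)."""
    state = [[sub_byte(b) for b in row] for row in state]
    return add_round_key(mix_columns(shift_rows(state)), round_key)
```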
• The length of the key used is 32 bits.
• The key is also divided into 8 blocks of 4 bits each.
• This algorithm involves a series of 4 identical complete rounds and 1 half-
round. Each complete round involves a series of 14 steps that includes
operations like:
IDEA Architecture
Key Schedule: 6 subkeys of 4 bits out of the 8 subkeys are used in each complete
round, while 4 are used in the half-round. So, 4.5 rounds require 28 subkeys.
The given key, ‘K’, directly gives the first 8 subkeys. By rotating the main key
left by 6 bits between each group of 8, further groups of 8 subkeys are created,
implying less than one rotation per round for the key (3 rotations).
The 16-bit plaintext can be represented as X1 || X2 || X3 || X4, each of size 4
bits. The 32-bit key is broken into 8 subkeys denoted as K1 || K2 || K3 || K4 ||
K5 || K6 || K7 || K8, again of size 4 bits each.
Each round of 14 steps uses three algebraic operations: addition modulo 2^4,
multiplication modulo 2^4 + 1, and bitwise XOR. The steps involved are as follows:
1. X1 * K1
2. X2 + K2
3. X3 + K3
4. X4 * K4
5. Step 1 ^ Step 3
6. Step 2 ^ Step 4
7. Step 5 * K5
8. Step 6 + Step 7
9. Step 8 * K6
10. Step 7 + Step 9
11. Step 1 ^ Step 9
12. Step 3 ^ Step 9
13. Step 2 ^ Step 10
14. Step 4 ^ Step 10
The input to the next round is Step 11 || Step 13 || Step 12 || Step 14, which
becomes X1 || X2 || X3 || X4. This swap between 12 and 13 takes place after each
complete round, except the last complete round (4th round), where the input to the
final half round is Step 11 || Step 12 || Step 13 || Step 14.
1. X1 * K1
2. X2 + K2
3. X3 + K3
4. X4 * K4
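An added example, not part of the original notes: the 14 steps, the final half-round and the key schedule described above, written out in Python. The function names and the sample key and plaintext are assumptions; treating the nibble 0000 as 16 during multiplication is the usual IDEA convention, which the notes do not state.

```python
def mul(a, b):
    """Multiplication modulo 2^4 + 1 = 17; nibble 0 stands for 16 (assumed convention)."""
    return ((a or 16) * (b or 16)) % 17 % 16      # a result of 16 is written as 0

def add(a, b):
    """Addition modulo 2^4."""
    return (a + b) % 16

def subkeys(key32):
    """28 four-bit subkeys: groups of 8, main key rotated left 6 bits between groups."""
    out = []
    for _ in range(4):
        out += [(key32 >> s) & 0xF for s in range(28, -1, -4)]
        key32 = ((key32 << 6) | (key32 >> 26)) & 0xFFFFFFFF
    return out[:28]

def full_round(x, k):
    """Steps 1 to 14 of one complete round; returns steps 11, 12, 13, 14."""
    x1, x2, x3, x4 = x
    s1, s2, s3, s4 = mul(x1, k[0]), add(x2, k[1]), add(x3, k[2]), mul(x4, k[3])
    s5, s6 = s1 ^ s3, s2 ^ s4
    s7 = mul(s5, k[4])
    s8 = add(s6, s7)
    s9 = mul(s8, k[5])
    s10 = add(s7, s9)
    return s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10

def encrypt(block16, key32):
    """4 complete rounds (6 subkeys each) plus the half-round (4 subkeys)."""
    k = subkeys(key32)
    x = [(block16 >> s) & 0xF for s in (12, 8, 4, 0)]
    for r in range(4):
        s11, s12, s13, s14 = full_round(x, k[6 * r:6 * r + 6])
        # Steps 12 and 13 are swapped after every complete round except the last.
        x = [s11, s12, s13, s14] if r == 3 else [s11, s13, s12, s14]
    h = k[24:]
    y = [mul(x[0], h[0]), add(x[1], h[1]), add(x[2], h[2]), mul(x[3], h[3])]
    return (y[0] << 12) | (y[1] << 8) | (y[2] << 4) | y[3]

if __name__ == "__main__":
    # Constructed sample values: 32-bit key and 16-bit plaintext block.
    print(format(encrypt(0x9CAC, 0xDC6F3F59), "016b"))
```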