CNS

Download as pdf or txt
Download as pdf or txt
You are on page 1of 26

Network Security and Cryptography

Unit I:

Introduction to Cryptography – Security Attacks – Security Services –Security


Algorithm- Stream cipher and Block cipher - Symmetric and Asymmetric-key
Cryptosystem- Symmetric Key Algorithms: Introduction – DES – Triple DES – AES –
IDEA – Blowfish – RC5.

Unit II:

Public-key Cryptosystem: Introduction to Number Theory - RSA Algorithm – Key


Management - Diffie-Hell man Key exchange – Elliptic Curve Cryptography Message
Authentication and Hash functions – Hash and Mac Algorithm – Digital Signatures
and Authentication Protocol.

Unit III:

Network Security Practice: Authentication Applications – Kerberos – X.509


Authentication services and Encryption Techniques. E-mail Security – PGP – S /
MIME – IP Security.

Unit IV:

Web Security - Secure Socket Layer – Secure Electronic Transaction. System Security
– Intruders and Viruses – Firewalls– Password Security.

Unit V:

Case Study: Implementation of Cryptographic Algorithms – RSA – DSA – ECC (C /


JAVA Programming). Network Forensic – Security Audit - Other Security
Mechanism: Introduction to: Stenography – Quantum Cryptography – Water
Marking - DNA Cryptography

1
Unit – I

Introduction to Cryptography

Cryptography is a technique of securing communication by converting plain


text into ciphertext. It involves various algorithms and protocols to ensure data
confidentiality, integrity, authentication.

Cryptographic systems are generally classified along 3 independent dimensions:

1. Type of operations used for transforming plain text to cipher text.

All the encryption algorithms are based on two general principles:


substitution, in which each element in the plaintext is mapped into another element,
and transposition, in which elements in the plaintext are rearranged.

2. The number of keys used

If the sender and receiver use same key then it is said to be symmetric key (or)
single key (or) conventional encryption. If the sender and receiver use different keys
then it is said to be public key encryption.

3. The way in which the plain text is processed

• A block cipher processes the input and block of elements at a time, producing
output block for each input block.
• A stream cipher processes the input elements continuously, producing output
element one at a time, as it goes along

2
Types Of Cryptography

1. Symmetric Key Cryptography

It is an encryption system where the sender and receiver of a message use a


single common key to encrypt and decrypt messages.

Symmetric Key cryptography is faster and simpler but the problem is that the
sender and receiver have to somehow exchange keys securely.

The most popular symmetric key cryptography systems are Data Encryption
Systems (DES) and Advanced Encryption Systems (AES).

Asymmetric Key Cryptography

In Asymmetric Key Cryptography, a pair of keys is used to encrypt and


decrypt information. A receiver’s public key is used for encryption and a receiver’s
private key is used for decryption. Public keys and Private keys are different.

The most popular asymmetric key cryptography algorithm is the RSA


algorithm.

3
Hash Functions
There is no usage of any key in this algorithm. A hash value with a fixed length
is calculated as per the plain text which makes it impossible for the contents of plain
text to be recovered. Many operating systems use hash functions to encrypt
passwords.

Security Attacks
Any action that compromises the security of information owned by an
organization.
The security attacks can be classified into two types
• Passive attacks
• Active attacks.
Passive attacks
A Passive attack attempts to learn or make use of information from the system
but does not affect system resources. Passive Attacks are in the nature of
eavesdropping on or monitoring transmission.
Passive attacks involve an attacker passively monitoring or collecting data without
altering or destroying it.
Examples of passive attacks include eavesdropping, where an attacker listens
in on network traffic to collect sensitive information.

4
Types of Passive attacks are as follows:
• The release of message content
• Traffic analysis
The release of message content –
Telephonic conversation, an electronic mail message, or a transferred file may
contain sensitive or confidential information. We would like to prevent an opponent
from learning the contents of these transmissions.

Traffic analysis
Suppose that we had a way of masking (encryption) information, so that the
attacker even if captured the message could not extract any information from the
message.
The opponent could determine the location and identity of communicating host
and could observe the frequency and length of messages being exchanged.

5
Active attacks
Active attacks are the type of attacks in which, The attacker efforts to change or
modify the content of messages.
Active Attack is dangerous to Integrity as well as availability. Due to active
attack system is always damaged and System resources can be changed.

Types of active attacks are as follows:


• Masquerade
• Replay
• Modification of Messages
• Denial of Service
A masquerade takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack.
Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message
is altered, or that messages are delayed or reordered, to produce an unauthorized
effect
The denial of service prevents or inhibits the normal use or management of
communications facilities.

6
Security Services

X.800 defines security services as a service that is provided by a protocol layer


of communicating open systems and that ensures adequate security of the system or
of a data transfer.

Perhaps a clearer definition is found in RFC 4949, which provides the following
definition: a processing or communication service that is provided by a system to give
a specific kind of protection to system resources; security services implement security
policies and are implemented by security mechanisms.

X.800 divides these services in to following categories

• Authentication
• Confidentiality
• Data Integrity
• Non repudiation
• Access control
• Availability
Authentication:
Authentication is the mechanism to identify the user or system or the entity. It
ensures the identity of the person trying to access the information.
The authentication is mostly secured by using username and password. The
authorized person whose identity is preregistered can prove his/her identity and can
access the sensitive information.
Two specific authentication services are defined in X.800:
Peer Entity Authentication Used in association with a logical connection to
provide confidence in the identity of the entities connected.

Data-Origin Authentication In a connectionless transfer, provides assurance


that the source of received data is as claimed

7
Confidentiality
The confidential information of the sender and receiver must be encrypted so
that no attacker can steal the information. The message sent must be intended for the
recipient, and only the recipient can understand the message sent by the sender.
We can achieve confidentiality in two ways:
• symmetric-key cryptography and
• asymmetric-key cryptography.
Symmetric-key cryptography: To achieve confidentiality with symmetric-key
cryptography, a sender and receiver must share a common key.

Asymmetric-key cryptography: The problem in symmetric-key was the key


distribution. In asymmetric-key cryptography, there is no key distribution scheme.
The sender and receiver use two keys for encryption and decryption.

Integrity:
Integrity gives the assurance that the information received is exact and
accurate. If the content of the message is changed after the sender sends it but before
reaching the intended receiver, then it is said that the integrity of the message is lost.
A connection-oriented integrity service, one that deals with a stream of
messages, assures that messages are received as sent with no duplication, insertion,
modification, reordering, or replays. The destruction of data is also covered under this
service.
On the other hand, a connectionless integrity service, one that deals with
individual messages without regard to any larger context, generally provides
protection against message modification only.

Non repudiation:
Requires that neither the sender nor the receiver of a message be able to deny
the transmission.
Access control:
Requires that access to information resources may be controlled by or the target
system.
8
Availability:
Both X.800 and RFC 4949 define availability to be the property of a system or a
system resource being accessible and usable upon demand by an authorized system
entity, according to performance specifications for the system (i.e., a system is
available if it provides services according to the system design whenever users
request them).

Stream cipher and Block cipher


Stream Cipher
Stream ciphers are a type of encryption algorithm that process an individual
bit, byte, or character of plaintext at a time. Stream ciphers are often faster than block
ciphers.
In stream cipher, one byte is encrypted at a time while in block cipher 128 bits
are encrypted at a time.
Initially, a key(k) will be supplied as input to pseudorandom bit generator and
then it produces a random 8-bit output which is treated as keystream

Encryption:
For Encryption,
• Plain Text and Keystream produces Cipher Text (Same keystream will be
used for decryption.).
• The Plaintext will undergo XOR operation with keystream bit-by-bit and
produces the Cipher Text.
9
Example
Plain Text : 10011001
Keystream : 11000011
Cipher Text : 01011010

Decryption:
For Decryption,
• Cipher Text and Keystream gives the original Plain Text (Same keystream
will be used for encryption.).
• The Ciphertext will undergo XOR operation with keystream bit-by-bit and
produces the actual Plain Text.
Example –
Cipher Text : 01011010
Keystream : 11000011
Plain Text : 10011001

RC4 Algorithm
• RC4 is a stream cipher and variable length key algorithm. This algorithm
encrypts one byte at a time (or larger units on a time).
• A key input is pseudorandom bit generator that produces a stream 8-bit
number that is unpredictable without knowledge of input key.
• The output of the generator is called key-stream, is combined one byte at a
time with the plaintext stream cipher using X-OR operation.

Example:
RC4 Encryption
10011000 ? 01010000 = 11001000
RC4 Decryption
11001000 ? 01010000 = 10011000

10
Block cipher
Block cipher is an encryption algorithm that takes a fixed size of input say b
bits and produces a ciphertext of b bits again. If the input is larger than b bits it can
be divided further.
There are several modes of operations for a block cipher.
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback Mode (CFB)
4. Output Feedback Mode (OFM)
5. Counter Mode
Electronic Code Book (ECB) –
Electronic code book is the easiest block cipher mode of functioning. It is easier
because of direct encryption of each block of input plaintext and output is in form
of blocks of encrypted ciphertext.
Generally, if a message is larger than b bits in size, it can be broken down into
a bunch of blocks and the procedure is repeated.

Cipher Block Chaining


Cipher block chaining or CBC is an advancement made on ECB since ECB
compromises some security requirements. In CBC, previous cipher block is given as
input to next encryption algorithm after XOR with original plaintext block. a cipher

11
block is produced by encrypting a XOR output of previous cipher block and present
plaintext block.

Cipher Feedback Mode (CFB)


In this mode the cipher is given as feedback to the next block of encryption with
some new specifications: first an initial vector IV is used for first encryption and
output bits are divided as set of s and b-s bits. The left-hand side s bits are selected
and are applied an XOR operation with plaintext bits.
The result given as input to a shift register and the process continues. The
encryption and decryption process for the same is shown below, both of them use
encryption algorithm

12
Output Feedback Mode –
The output feedback mode follows nearly the same process as the Cipher
Feedback mode except that it sends the encrypted output as feedback instead of the
actual cipher which is XOR output.
In this output feedback mode, all bits of the block are sent instead of sending
selected s bits. The Output Feedback mode of block cipher holds great resistance
towards bit transmission errors. It also decreases the dependency or relationship of
the cipher on the plaintext.

Counter Mode –
The Counter Mode or CTR is a simple counter-based block cipher
implementation. Every time a counter-initiated value is encrypted and given as input
to XOR with plaintext which results in ciphertext block.

13
Symmetric-key and Asymmetric-key Cryptosystem
Symmetric-key Cryptosystem:

Key Features:
• Uses a single key for both encryption and decryption.
• Fast and efficient for large volumes of data.
• Well-suited for real-time encryption/decryption applications.
Operation:
• Sender and receiver must both have the same key.
• Encryption: Plaintext is encrypted using the shared key.
• Decryption: Ciphertext is decrypted using the same shared key.
Examples:
• AES (Advanced Encryption Standard): Widely used for symmetric encryption.
• DES (Data Encryption Standard): Older standard, less secure now.
• Blowfish, Twofish: Other symmetric encryption algorithms.
Advantages:
• Efficiency: Encrypting and decrypting data is fast.
• Simplicity: Requires less computational overhead compared to asymmetric
encryption.
Challenges:
• Key Distribution: Securely sharing the key between sender and receiver can be
a challenge.
• Key Management: As the number of users increases, managing keys securely
becomes complex.

14
Asymmetric-key Cryptosystem (Public-key Cryptosystem):

Key Features:
• Uses a pair of keys (public key and private key) for encryption and decryption.
• Public key is widely distributed and known to everyone.
• Private key is kept secret by the owner.
Operation:
• Encryption: Sender uses the recipient's public key to encrypt the message.
• Decryption: Recipient uses their own private key to decrypt the message.
Examples:
• RSA (Rivest-Shamir-Adleman): A widely used asymmetric encryption
algorithm.
• DSA (Digital Signature Algorithm): Also includes digital signatures for
authentication.
Advantages:
• Security: Offers stronger security guarantees, especially in key distribution.
• Authentication: Supports digital signatures for verifying sender authenticity.
Challenges:
• Performance: Generally slower than symmetric encryption due to more
complex algorithms.
• Key Size: Typically requires larger key sizes for equivalent security compared
to symmetric keys.

15
Symmetric Asymmetric
One key used to encrypt and Different keys for encryption and
decrypt the message decryption
Single key is shared among all Public key is shared only to message
participants decreasing security senders. Recipient stores private key
secretly
Ciphertext size don’t differ much Ciphertext is bigger than the plaintext
from the original plaintext
Very fast Complex and slower
Usually uses 128- or 256-bits keys Uses key which are at least 1000 bits
long
Isn’t used in digital signatures It’s used in digital signatures
Scalability is an issue Easily scalable
Lack of non-repudiation Allows non-repudiation and
authenticity

Data Encryption Standard (DES)


• The Data Encryption Standard (DES) was developed in the 1970s by the
National Bureau of Standard (NBS) with the help of National Security Agency
(NSA).
• DES is a 64-bit block cipher which means that it encrypts data 64 bits at a time,
and key is 56 bits in length. This is contrasted to a stream cipher in which only
one bit at a time (or sometimes small groups of bits such as a byte) is encrypted
• Same algorithm and key are used for encryption and decryption.
• Consists of 16 steps, each of which is called as round. Each round performs the
step of substitution and transposition.

16
DES Overview

DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at the decryption site, DES
takes a 64-bit ciphertext and creates a 64-bit block of plaintext. The same 56-bit cipher
key is used for both encryption and decryption.

Key characteristics of DES include:


• Symmetric-Key Encryption: Both the sender and the receiver use the same
secret key for encryption and decryption.
• Block Cipher: DES processes data in blocks of 64 bits at a time.
• Feistel Cipher Structure: DES employs a Feistel cipher structure, where the
plaintext block undergoes a series of transformations (substitution and
permutation) through multiple rounds before producing the ciphertext.
• Key Length: The key length is 56 bits, but the effective key length is 64 bits
due to the parity bits in each byte of the key.
• Encryption Process:
• Initial Permutation (IP): The 64-bit plaintext block undergoes an initial
permutation to rearrange its bits.
• Rounds: DES consists of 16 rounds of encryption, each involving a
combination of substitution (S-box) and permutation (P-box) operations.
• Feistel Structure: In each round, the block is split into two halves, with one
half being processed through a function that depends on the round key
derived from the main key.

17
• Decryption Process:
The decryption process in DES is essentially the reverse of encryption. It
uses the same 16-round structure but applies the round keys in reverse order.
• Key Schedule:
The 56-bit key undergoes a key schedule process to generate 16 round keys,
one for each round of encryption.

DES STRUCTURE
DES is based on the two fundamental attributes of cryptography: substitution (also
called as confusion) and transposition (also called as diffusion). DES consists of 16
steps, each of which is called as a round. Each round performs the steps of substitution
and transposition.

Broad-level steps in DES

1. In the first step, the 64-bit plain text block is handed over to an initial
Permutation (IP) function.
2. The initial permutation is performed on plain text.

18
3. Next, the initial permutation (IP) produces two halves of the permuted
block; saying Left Plain Text (LPT) and Right Plain Text (RPT).
4. Now each LPT and RPT go through 16 rounds of the encryption process.
5. In the end, LPT and RPT are rejoined and a Final Permutation (FP) is
performed on the combined block
6. The result of this process produces 64-bit ciphertext.

Triple DES
Triple DES is an encryption algorithm based on the original Data Encryption
Standard (DES). It is a symmetric encryption algorithm that uses multiple rounds of
the Data Encryption Standard (DES) to improve security.
It is also known as Triple DES because it uses the Data Encryption Standard
(DES) cypher which takes three times to encrypt its data. It is essentially a block
cypher used to encrypt data in 64-bit blocks.

Encryption Process
The Encryption process of Triple DES involves the following steps:-
Key Generation
This is the first step of the Encryption process of Triple DES. In this step, three
unique keys are generated using a key derivation algorithm.
Initial Permutation
This step comes after the process of Key Generation. It involves the
rearrangement of the bits of the plaintext according to a predefined permutation table.
Three Rounds of Encryption
This is regarded as the most important round of the encryption process of Triple
DES. It consists of multiple rounds typically 48 rounds in total. In this step, the
19
plaintext is processed three times and get encrypted, each time we take use of a
different key, to create three layers of encryption.

Final Permutation
It completes the Triple DES encryption process. In this step, the resulting
ciphertext block undergoes a final permutation (FP) operation, which is the inverse of
the initial permutation. It returns the bits of the ciphertext block to their original order.

The encryption-decryption process is as follows −


1. Encrypt the plaintext blocks using single DES with key K1.
2. Now decrypt the output of step 1 using single DES with key K2.
3. Finally, encrypt the output of step 2 using single DES with key K3.
4. The output of step 3 is the ciphertext.
5. Decryption of a ciphertext is a reverse process. User first decrypt using K3, then
encrypt with K2, and finally decrypt with K1.

20
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is a specification for the encryption of
electronic data established by the U.S National Institute of Standards and Technology
(NIST) in 2001. AES is widely used today as it is a much stronger than DES and triple
DES
The features of AES
• Symmetric key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Encrypts data in blocks of 128 bits each.
It takes 128 bits as input and outputs 128 bits of encrypted cipher text as output.

AES structure

Encryption Process
Here, we restrict to description of a typical round of AES encryption. Each
round comprises of four sub-processes.

21
Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given in
design. The result is in a matrix of four rows and four columns.

Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall
off’ are re-inserted on the right side of row. Shift is carried out as follows −

22
1. First row is not shifted.
2. Second row is shifted one (byte) position to the left.
3. Third row is shifted two positions to the left.
4. Fourth row is shifted three positions to the left.
5. The result is a new matrix consisting of the same 16 bytes but shifted with
respect to each other.

MixColumns :
This step is basically a matrix multiplication. Each column is multiplied with a
specific matrix and thus the position of each byte in the column is changed as a result.

AddRoundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the
128 bits of the round key. If this is the last round then the output is the ciphertext.
Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another
similar round.

International Data Encryption Algorithm (IDEA)


The International Data Encryption Algorithm (IDEA) is a symmetric-key block
cipher that was first introduced in 1991.
It was designed to provide secure encryption for digital data and is used in a
variety of applications, such as secure communications, financial transactions, and
electronic voting systems.
IDEA uses a block cipher with a block size of 64 bits and a key size of 128 bits.
It uses a series of mathematical operations, including modular arithmetic, bit shifting,
and exclusive OR (XOR) operations, to transform the plaintext into ciphertext.

The Simplified International Data Encryption Algorithm (IDEA) is a symmetric key


block cipher that:
• uses a fixed-length plaintext of 16 bits and
• encrypts them in 4 chunks of 4 bits each
• to produce 16 bits ciphertext.

23
• The length of the key used is 32 bits.
• The key is also divided into 8 blocks of 4 bits each.
• This algorithm involves a series of 4 identical complete rounds and 1 half-
round. Each complete round involves a series of 14 steps that includes
operations like:

IDEA Architecture

Key Schedule: 6 subkeys of 4 bits out of the 8 subkeys are used in each complete
round, while 4 are used in the half-round. So, 4.5 rounds require 28 subkeys.
The given key, ‘K’, directly gives the first 8 subkeys. By rotating the main key
left by 6 bits between each group of 8, further groups of 8 subkeys are created,
implying less than one rotation per round for the key (3 rotations).

24
The 16-bit plaintext can be represented as X1 || X2 || X3 || X4, each of size 4
bits. The 32-bit key is broken into 8 subkeys denoted as K1 || K2 || K3 || K4 ||
K5 || K6 || K7 || K8, again of size 4 bits each.
Each round of 14 steps uses the three algebraic operation-Addition modulo (2^4),
Multiplication modulo (2^4)+1 and Bitwise XOR. The steps involved are as follows:

1. X1 * K1
2. X2 + K2
3. X3 + K3
4. X4 * K4
5. Step 1 ^ Step 3
6. Step 2 ^ Step 4
7. Step 5 * K5
8. Step 6 + Step 7
9. Step 8 * K6
10. Step 7 + Step 9
11. Step 1 ^ Step 9
12. Step 3 ^ Step 9
13. Step 2 ^ Step 10
14. Step 4 ^ Step 10

25
The input to the next round is Step 11 || Step 13 || Step 12 || Step 14, which
becomes X1 || X2 || X3 || X4. This swap between 12 and 13 takes place after each
complete round, except the last complete round (4th round), where the input to the
final half round is Step 11 || Step 12 || Step 13 || Step 14.

After last complete round, the half-round is as follows:

1. X1 * K1
2. X2 + K2
3. X3 + K3
4. X4 * K4

26

You might also like