Chanderprabhu Jain College of Higher Studies

&
School of Law
An ISO 9001:2015 Certified Quality Institute
(Affiliated to GGS Indraprastha University, Delhi, Approved by AICTE & Bar Council of India | Recognized by Govt. of NCT of Delhi)

E-Notes
Class : BCA III B

Paper Code : BCA 213

Subject : Cyber Security

Faculty Name : Mr. Prabhat

Unit – III

INTRODUCTION TO CRYPTOGRAPHY

Cryptography is the science of securing communication by transforming information into a secure
format. It enables the protection of data integrity, confidentiality, and authenticity. By using
cryptographic techniques, individuals and organizations can protect sensitive information from
unauthorized access, ensuring that it remains private and secure.

Cryptography, derived from the Greek words kryptos (meaning "hidden") and grapho (meaning "to
write"), is the practice of securing information by transforming it into an unreadable format, only to
be deciphered by someone who possesses the proper key or knowledge. In an age where data breaches,
identity theft, and cyberattacks are rampant, cryptography serves as a fundamental pillar of modern
cybersecurity.

Cryptography encompasses various techniques and algorithms designed to protect the confidentiality,
integrity, and authenticity of data, whether it is stored or transmitted. Its applications range from
securing online transactions to protecting sensitive information in corporate environments.

IMPORTANCE OF CRYPTOGRAPHY

The significance of cryptography in today's digital world cannot be overstated. It plays a crucial role
in various applications, including:

• Data Security: Protecting sensitive data from unauthorized access. Data security is the primary
purpose of cryptography. By transforming data into an unreadable format, organizations can
protect sensitive information from unauthorized access and cyber threats. Whether it's financial
data, personal information, or intellectual property, cryptography plays a crucial role in
safeguarding these assets.

• Secure Communications: Enabling secure exchanges of information over insecure networks,
such as the Internet.

• Authentication: Verifying the identity of individuals and systems. Authentication establishes
the identity of individuals and systems involved in a transaction or communication.
Cryptographic techniques, such as digital signatures, enable the verification of identities,
ensuring that parties involved in communication are who they claim to be.

• Non-repudiation: Providing proof of the origin and integrity of data, preventing denial of
involvement in a communication. Non-repudiation is a critical aspect of cryptography that ensures
that a sender cannot deny having sent a message, and a recipient cannot deny having received it. Digital
signatures provide proof of the origin and integrity of a message, preventing any party from refuting
their involvement in a transaction.

• Confidentiality: Ensures that sensitive information is only accessible to authorized individuals.
Cryptography ensures that even if data is intercepted during transmission, it remains secure
and unreadable to unauthorized parties. For instance, secure communication channels such as
HTTPS utilize cryptographic protocols to protect data exchanged between users and websites.

• Integrity: Refers to the accuracy and completeness of data. Cryptographic techniques, such as
hashing, ensure that data remains unchanged during storage and transmission. If any alterations
are made, the hash will change, indicating potential tampering.

KEY CONCEPTS IN CRYPTOGRAPHY

To understand the field of cryptography, it is essential to familiarize yourself with some key concepts:

• Plaintext: The original, readable message or data that is to be encrypted.

• Ciphertext: The transformed version of plaintext, which is unreadable without decryption.

• Encryption: The process of converting plaintext into ciphertext using a specific algorithm and
a key.

• Decryption: The process of converting ciphertext back into plaintext using the appropriate
key.

• Key: A piece of information used in cryptographic algorithms to encrypt and decrypt data.
Keys can be symmetric (the same for encryption and decryption) or asymmetric (different for
each process).

• Cryptographic Algorithm: A mathematical procedure for performing encryption and
decryption.

TYPES OF CRYPTOGRAPHY

Cryptography can be broadly classified into two main categories: symmetric key cryptography and
asymmetric key cryptography. Each type serves different purposes and employs distinct mechanisms
for data encryption and decryption.

Symmetric Key Cryptography

In symmetric key cryptography, also known as secret key cryptography, the same key is used for
both encryption and decryption. The sender and receiver must both possess the secret key and must
share it in a secure manner; the primary challenge lies in securely distributing that key.

• Examples:

o Data Encryption Standard (DES): An older encryption standard that has been largely
replaced by more secure algorithms.

o Advanced Encryption Standard (AES): A widely used symmetric encryption
algorithm that offers strong security.

Advantages:

• Faster encryption and decryption processes.

• Suitable for encrypting large amounts of data.

Disadvantages:

• Key management issues: Securely sharing and storing keys can be challenging.

• Vulnerable to interception if the key is compromised.

How Symmetric Key Cryptography Works

1. Encryption Process: The sender uses the agreed-upon symmetric key and a cryptographic
algorithm to encrypt the plaintext, producing ciphertext.

2. Decryption Process: The receiver uses the same key and algorithm to decrypt the ciphertext
back into plaintext.

Common Symmetric Key Algorithms

• Data Encryption Standard (DES): An older standard for symmetric encryption that encrypts
data in 64-bit blocks using a 56-bit key. Due to vulnerabilities, it has largely been replaced by
more secure algorithms.

• Triple DES (3DES): An enhancement of DES that applies the encryption process three times,
using multiple keys to increase security.

• Advanced Encryption Standard (AES): A widely accepted symmetric encryption standard
that supports key sizes of 128, 192, and 256 bits. AES is known for its strength and efficiency,
making it suitable for various applications.

• Blowfish: A fast symmetric key block cipher that uses variable-length keys (32 to 448 bits)
and operates on 64-bit blocks. It is suitable for applications requiring high speed and low
memory usage.

Asymmetric Key Cryptography

Asymmetric key cryptography, also known as public-key cryptography, uses a pair of keys: a public
key for encryption and a private key for decryption. The public key can be shared openly, while the
private key must be kept secret.

• Examples:

o RSA (Rivest-Shamir-Adleman): One of the first public-key cryptosystems and widely
used for secure data transmission.

o Elliptic Curve Cryptography (ECC): A more modern form of asymmetric
cryptography that provides similar security with smaller key sizes.

Advantages:

• Improved security: The private key is never shared, reducing the risk of interception.

• Facilitates secure communication over untrusted networks.

Disadvantages:

• Slower than symmetric encryption.

• More computationally intensive, requiring more processing power.

How Asymmetric Key Cryptography Works

1. Public Key Encryption: The sender uses the recipient's public key to encrypt the plaintext,
creating ciphertext.

2. Private Key Decryption: The recipient uses their private key to decrypt the ciphertext back
into plaintext.

Common Asymmetric Key Algorithms

• RSA (Rivest-Shamir-Adleman): One of the first and most widely used asymmetric
encryption algorithms. RSA relies on the mathematical difficulty of factoring the product of two
large prime numbers to secure data.

• Elliptic Curve Cryptography (ECC): A modern asymmetric encryption method that uses the
mathematics of elliptic curves to provide strong security with shorter key lengths compared to
RSA. ECC is particularly efficient for mobile devices and environments with limited
computational resources.

• Diffie-Hellman Key Exchange: While not an encryption algorithm itself, this method allows
two parties to securely exchange cryptographic keys over an insecure channel, facilitating
symmetric encryption.

Cryptographic Algorithms

Cryptographic algorithms are mathematical functions used to perform encryption and decryption. They
can be classified into two main categories: block ciphers and stream ciphers.

Block Ciphers

Block ciphers encrypt data in fixed-size blocks (e.g., 128 bits) and apply a series of transformations to
produce ciphertext. Examples include AES and DES.

• Modes of Operation: Block ciphers can operate in various modes to enhance security,
including:

o Electronic Codebook (ECB): Simplest mode where each block is encrypted
independently.

o Cipher Block Chaining (CBC): Each block is dependent on the previous one,
enhancing security against certain attacks.

Stream Ciphers

Stream ciphers encrypt data one bit or byte at a time, making them suitable for scenarios where data
is transmitted in a continuous stream.

• Examples: RC4 and Salsa20.

Cryptographic Hash Functions

Hash functions produce a fixed-size output (hash) from variable-sized input data. They are widely used
in digital signatures, password storage, and data integrity verification.

• Properties of Hash Functions:

o Deterministic: The same input always produces the same hash.

o Collision-Resistant: It is difficult to find two different inputs that produce the same
hash.

o Preimage Resistance: Given a hash, it should be infeasible to find the original input.

• Examples: SHA-256 (part of the SHA-2 family) and MD5 (now considered weak and
insecure).
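The properties just listed and the integrity use case, checked in running code. This is an added example, not part of these notes: it uses SHA-256 from Python's hashlib, and the "files" and manifest it checks are constructed sample data. Preimage and collision resistance are statements about what is infeasible and cannot be shown by running a program, so the example measures the closely related avalanche property instead (one flipped input bit changes about half of the output bits):

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_deterministic(data: bytes, trials: int = 3) -> bool:
    # Deterministic: hashing the same input repeatedly always yields the same digest.
    return len({sha256_hex(data) for _ in range(trials)}) == 1


def bit_difference(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes) -> int:
    # Flip a single bit of the input and count how many of the 256 digest bits change.
    # For a sound hash roughly half of them change, so no small edit can go unnoticed.
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return bit_difference(hashlib.sha256(data).digest(), hashlib.sha256(flipped).digest())


def check_manifest(files: dict, manifest: dict) -> list:
    # Integrity verification: recompute each file's digest and compare with the published one.
    # Returns the names whose content no longer matches (altered, or absent from the manifest).
    bad = []
    for name, content in files.items():
        expected = manifest.get(name, "")
        if not hmac.compare_digest(sha256_hex(content), expected):
            bad.append(name)
    return bad


def demo() -> list:
    # Constructed sample files plus the manifest their publisher would distribute alongside them.
    original = {"config.txt": b"debug=false\n", "app.bin": b"\x7fELF" + b"\x00" * 12}
    manifest = {name: sha256_hex(content) for name, content in original.items()}
    received = dict(original)
    received["config.txt"] = b"debug=true\n"  # altered in transit
    return check_manifest(received, manifest)  # -> ["config.txt"]


if __name__ == "__main__":
    print(demo())
```

The manifest check is the integrity pattern used for software downloads and evidence files: the digest is published through a channel the recipient trusts, and any change to the content, however small, produces a different digest. A hash alone gives no authenticity, since anyone can recompute it for altered data; that is what the keyed MAC and the digital signature in the following sections add.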

Digital Signatures

Digital signatures provide authentication and integrity by ensuring that a message has not been altered
in transit and confirming the sender's identity.

• How Digital Signatures Work:

1. The sender generates a hash of the message.

2. The sender encrypts the hash using their private key.

3. The recipient can decrypt the hash using the sender’s public key and compare it to their
own computed hash of the message.

Applications of Cryptography

Cryptography has numerous applications across various domains:

• Secure Communication: Protecting emails, messages, and voice calls.

• Data Protection: Encrypting files, databases, and backups.

• Secure Transactions: Protecting online banking and e-commerce transactions.

• Authentication: Ensuring user identity through secure login processes.

USER AUTHENTICATION

User authentication is the process of verifying the identity of a user or entity attempting to access a
system, network, or application. It is a critical component of information security that helps protect
sensitive data and resources from unauthorized access. In an era where cyber threats are prevalent,
robust user authentication mechanisms are essential for safeguarding personal information, financial
data, and organizational assets.

Importance of User Authentication

User authentication serves several vital functions in information security:

Protecting Sensitive Information

By verifying user identities, organizations can prevent unauthorized access to confidential information,
reducing the risk of data breaches and information theft.

Ensuring Accountability

User authentication establishes accountability by ensuring that actions taken within a system can be
traced back to a specific individual. This is especially important for regulatory compliance and
auditing.

Enforcing Access Controls

Authentication mechanisms allow organizations to implement access controls, ensuring that users have
the appropriate permissions to access specific resources or perform certain actions based on their roles.

Preventing Fraud

By verifying user identities, organizations can reduce the risk of fraudulent activities, such as identity
theft, financial fraud, and unauthorized transactions.

TYPES OF USER AUTHENTICATION

KNOWLEDGE-BASED AUTHENTICATION

Knowledge-based authentication requires users to provide information that only they should know.
This typically includes:

• Passwords: The most common form of knowledge-based authentication. Users create a secret
password that must be entered to gain access.

• Security Questions: Users answer pre-defined questions (e.g., "What is your mother’s maiden
name?") to verify their identity.

Advantages:

• Easy to implement and understand.

• Cost-effective.

Disadvantages:

• Vulnerable to social engineering attacks and guessing.

• Users may forget passwords or security question answers.

POSSESSION-BASED AUTHENTICATION

Possession-based authentication requires users to possess a specific object or device that verifies their
identity. This includes:

• Smart Cards: Physical cards embedded with chips that generate a unique code for
authentication.

• One-Time Password (OTP) Tokens: Devices that generate time-sensitive passwords that
users must enter during the login process.

CHALLENGES IN USER AUTHENTICATION

Despite advancements in authentication technologies, challenges remain:

PHISHING ATTACKS

Attackers often use phishing techniques to trick users into revealing their credentials, posing a
significant risk to user authentication.

PASSWORD MANAGEMENT

Users frequently struggle to create and remember strong passwords, leading to weak password
practices that compromise security.

USER EXPERIENCE

Balancing security and user experience is a challenge. Complex authentication processes may deter
users, leading to poor adoption.

PASSWORD AUTHENTICATION

Password authentication is one of the most widely used methods for verifying user identities in digital
systems and a fundamental component of user authentication systems. It requires users to enter a secret
password or passphrase to gain access to a system, application, or service. While it provides a simple
and effective means of verifying user identities, it also poses several challenges and vulnerabilities
that must be addressed to ensure robust security. By implementing robust security measures and best
practices, organizations can enhance the security of password authentication and protect sensitive
information from unauthorized access.
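Storing and checking passwords, shown as the weak practice beside the hardened form. This is an added example, not part of these notes: naive_hash is the anti-pattern (one fast, unsalted hash, so equal passwords produce equal records and guesses are cheap to test); hash_password and verify_password use a per-user random salt and PBKDF2-HMAC-SHA256 from hashlib, with an iteration count in the range OWASP's password storage guidance gives for that function. The "$"-separated record format is a constructed convention for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in the range OWASP currently recommends


def naive_hash(password: str) -> str:
    # The weak practice: fast and unsalted. Two users with the same password get the same
    # record, and a stolen table can be attacked with precomputed digests.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    # The hardened form: random per-user salt plus a deliberately slow key derivation.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"  # constructed record format


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Storing the iteration count in the record lets the work factor be raised later for new passwords while old records stay verifiable, and the salt makes every record unique even when two users chose the same password.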

MESSAGE AUTHENTICATION

Message authentication is the process of verifying the integrity and authenticity of a message to ensure
that it has not been altered during transmission and that it originates from a legitimate sender. It is a
critical aspect of information security that helps prevent tampering, impersonation, and replay attacks.
By employing cryptographic techniques such as MACs and hash functions, organizations can protect
their messages from tampering and impersonation, thereby maintaining the trustworthiness of their
communications.

MESSAGE AUTHENTICATION CODES (MACS)

A Message Authentication Code (MAC) is a cryptographic checksum that is used to verify both the
integrity and authenticity of a message. MACs are generated using a secret key and a cryptographic
hash function or symmetric encryption algorithm.

1. MAC Generation: The sender generates a MAC by combining the message with a secret key
using a MAC algorithm (e.g., HMAC).

2. MAC Transmission: The sender transmits both the original message and the MAC to the
recipient.

3. MAC Verification: The recipient uses the same secret key and MAC algorithm to generate a
MAC for the received message and compares it to the transmitted MAC. If they match, the
message is verified as authentic and intact.
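The three MAC steps as a sender/receiver exchange, added here as an example that is not part of these notes. It uses HMAC-SHA256 from Python's hmac module. The sequence number placed under the MAC is a construction of this example: it lets the receiver also reject the replay attacks mentioned in the message authentication section, which a MAC over the payload alone cannot do.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length
SEQ_LEN = 8


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    # Sender (steps 1 and 2): MAC over (sequence number || payload), then transmit all three.
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    # Recipient (step 3): recompute the MAC with the shared key and compare it with the
    # received tag. The sequence number is covered by the MAC, so it cannot be adjusted.
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, -1

    def accept(self, packet: bytes):
        # Returns the payload if it is authentic and new, otherwise None.
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # modified in transit, or produced with a different key
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None  # already seen: a replayed packet
        self.last_seq = seq
        return payload


def demo() -> tuple:
    key = b"constructed-shared-secret-key"  # constructed; in practice agreed via key exchange
    rx = Receiver(key)
    packet = protect(key, 1, b"transfer 100 to account 42")
    first = rx.accept(packet)                     # authentic and new: accepted
    replayed = rx.accept(packet)                  # same packet again: rejected
    tampered = bytearray(packet)
    tampered[SEQ_LEN + 9] ^= 0x01                 # flips '1' to '0': "transfer 000 ..."
    forged = rx.accept(bytes(tampered))           # MAC no longer matches: rejected
    return first, replayed, forged


if __name__ == "__main__":
    print(demo())
```

The tag is compared with hmac.compare_digest rather than ==, so the comparison does not leak, through its timing, how many leading bytes of a guessed tag were right. A MAC proves that someone holding the key produced the message; because both parties hold the same key it cannot prove which of them did, which is the gap digital signatures close in the next section.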

DIGITAL SIGNATURES

Digital signatures are cryptographic techniques that provide authentication, integrity, and non-
repudiation for digital messages and documents. They serve as a digital equivalent of handwritten
signatures, enabling individuals and organizations to verify the authenticity of electronic
communications.

DIGITAL SIGNATURE STANDARDS

Several standards and protocols govern the implementation of digital signatures:

PUBLIC KEY INFRASTRUCTURE (PKI)

Public Key Infrastructure (PKI) provides the framework for managing digital certificates and public-
key encryption. It includes components such as Certificate Authorities (CAs) that issue digital
certificates to verify the identities of users and organizations.

X.509 CERTIFICATES

X.509 is a widely used standard for digital certificates that contain information about the certificate
holder and the public key. These certificates are used in various applications, including secure web
browsing (HTTPS) and email encryption.

DIGITAL SIGNATURE ALGORITHM (DSA)

The Digital Signature Algorithm (DSA) is a standard for digital signatures developed by the National
Institute of Standards and Technology (NIST). It uses asymmetric key cryptography to generate digital

IDENTITY MANAGEMENT

Identity Management (IdM) refers to the processes and technologies used to manage digital identities
within an organization. It encompasses the creation, maintenance, and deletion of user identities and
their access rights to various resources and services. In today's digital landscape, where organizations
increasingly rely on web services and cloud-based solutions, effective identity management is critical
for ensuring security, compliance, and operational efficiency: by managing user identities and access
rights effectively, organizations enhance security, ensure compliance, and improve operational
efficiency.

IMPORTANCE OF IDENTITY MANAGEMENT

Security

Identity management enhances security by ensuring that only authorized individuals can access
sensitive information and resources. By implementing strong authentication and access control
measures, organizations can mitigate the risk of data breaches and unauthorized access.

Compliance

Many regulations and standards (such as GDPR, HIPAA, and PCI-DSS) require organizations to
manage user identities and access controls diligently. Proper identity management helps organizations
demonstrate compliance with these regulations, reducing legal and financial risks.

Operational Efficiency

Effective identity management streamlines user onboarding and offboarding processes, improving
operational efficiency. Automated identity provisioning and deprovisioning reduce the administrative
burden on IT staff and ensure that access rights are granted and revoked promptly.

AUTHORIZATION

Authorization is the process of determining whether a user or entity has permission to access a resource
or perform a specific action within a system. It is a critical component of information security that
complements authentication and plays a vital role in protecting sensitive data and resources from
unauthorized access.

IMPORTANCE OF AUTHORIZATION

SECURITY

Authorization mechanisms ensure that only authorized users can access specific resources or perform
certain actions. This is essential for preventing data breaches and maintaining the integrity and
confidentiality of sensitive information.

ACCESS CONTROL

Authorization enables organizations to implement access control policies that dictate who can access
what resources based on their roles, responsibilities, and attributes. This helps enforce the principle of
least privilege, reducing the risk of unauthorized access.

Compliance

Many regulatory frameworks (e.g., GDPR, HIPAA) require organizations to implement strict access
control measures to protect sensitive data. Effective authorization practices help organizations
demonstrate compliance with these regulations.

AUTHORIZATION MODELS

ROLE-BASED ACCESS CONTROL (RBAC)

Role-Based Access Control (RBAC) assigns permissions based on user roles within an organization.
Users are assigned roles that define their access rights, and permissions are granted to roles rather than
individual users.

Advantages:

• Simplifies access management by grouping users into roles.

• Facilitates easier management of access rights as roles change.

Disadvantages:

• Can become complex in large organizations with many roles.

• May not accommodate dynamic access needs.

ATTRIBUTE-BASED ACCESS CONTROL (ABAC)

Attribute-Based Access Control (ABAC) evaluates access rights based on user attributes (e.g., job title,
department), resource attributes (e.g., data classification), and environmental attributes (e.g., time of
access). ABAC provides more granular control compared to RBAC.

Advantages:

• Offers fine-grained access control based on contextual factors.

• Flexibility to adapt to changing access requirements.

Disadvantages:

• Complexity in managing and evaluating attributes.

• May require additional infrastructure to support attribute evaluation.
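RBAC and ABAC side by side as small policy evaluators, an added example that is not part of these notes. The roles, users, attributes and rules are constructed sample data. Both evaluators deny by default (an unknown user, an unassigned permission or a single failing rule means no access), which is how the principle of least privilege mentioned above is enforced in code:

```python
from dataclasses import dataclass

# ---- RBAC: permissions belong to roles; users are assigned roles (constructed sample data) ----
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "manager": {"report:read", "report:approve"},
    "dba":     {"db:read", "db:write"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"manager", "dba"}, "mallory": set()}


def rbac_allows(user: str, permission: str) -> bool:
    # Deny by default: a user with no role, or an unknown user, gets nothing.
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- ABAC: a policy is a list of rules over subject, resource and environment attributes ----
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Request:
    subject: dict    # e.g. {"department": "finance", "clearance": "internal"}
    resource: dict   # e.g. {"owner_department": "finance", "classification": "confidential"}
    env: dict        # e.g. {"hour": 14}
    action: str      # e.g. "read" or "export"


def rule_same_department(req: Request) -> bool:
    # User attribute matched against resource attribute.
    return req.subject["department"] == req.resource["owner_department"]


def rule_clearance(req: Request) -> bool:
    # Resource classification must not exceed the subject's clearance.
    return CLEARANCE[req.subject["clearance"]] >= CLEARANCE[req.resource["classification"]]


def rule_export_in_business_hours(req: Request) -> bool:
    # Environmental attribute: exports only between 09:00 and 18:00; other actions unaffected.
    return req.action != "export" or 9 <= req.env["hour"] < 18


POLICY = [rule_same_department, rule_clearance, rule_export_in_business_hours]


def abac_allows(req: Request, policy=POLICY) -> bool:
    # Every rule must pass; one failing rule denies the whole request.
    return all(rule(req) for rule in policy)


if __name__ == "__main__":
    print(rbac_allows("bob", "report:approve"), rbac_allows("alice", "report:approve"))
    req = Request({"department": "finance", "clearance": "confidential"},
                  {"owner_department": "finance", "classification": "internal"},
                  {"hour": 14}, "export")
    print(abac_allows(req))
```

The RBAC table is short and easy to audit, but it has no way to express "only during business hours"; the ABAC policy can, at the cost of having to keep every attribute it consults accurate, which is the management overhead the disadvantages above describe.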

DISCRETIONARY ACCESS CONTROL (DAC)

Discretionary Access Control (DAC) allows resource owners to determine who can access their
resources. Users have the authority to grant or revoke permissions to other users.

Advantages:

• Provides flexibility and control to resource owners.

• Simple to understand and implement.

Disadvantages:

• Can lead to security risks if resource owners do not manage permissions carefully.

• Difficult to enforce organizational policies consistently.
