Cns Sem Prep

The document outlines key concepts and techniques in cryptography and network security, including the need for security, types of security attacks, and various security mechanisms. It details preventive, detective, and physical security approaches, as well as encryption types and substitution techniques. Additionally, it explains the relationship between plaintext and ciphertext, emphasizing the importance of confidentiality, integrity, and authentication in securing data.

Uploaded by

themanth109

CRYPTOGRAPHY & NETWORK SECURITY

SEM PREP
UNIT 1 : CRYPTOGRAPHY CONCEPTS & TECHNIQUES
The Need for Security & Principles of Security & Security Services :
• Confidentiality & Integrity
• Authentication & Authorization
• Availability & Accountability
• Non-Repudiation
• Compliance with Regulations
• Protection Against Cyber Threats
• Risk Management and Business Continuity
• Least Privilege
• Defense in Depth
• Segregation of Duties
• Auditing and Monitoring
• Access Control

Security Approaches :
1. Preventive Security :
• Preventive security focuses on reducing the chances of security incidents by
implementing safeguards and controls before an attack occurs.
• Key Methods : Firewall , Encryption & Antivirus.
2. Detective Security :
• Detective security focuses on identifying and detecting security incidents after
they occur, allowing for quicker response and mitigation.
• Key Methods : IDS & Log Management
3. Physical Security :
• Physical security involves protecting hardware, data storage, and other physical
assets from theft, vandalism, or natural disasters.
• Key Methods : Biometric Scanners & Surveillance
4. Network Security :
• Network security involves securing an organization's network infrastructure
from unauthorized access, misuse, or attacks.
• Key Methods : VPN & Firewalls
5. Identity and Access Management (IAM) :
• IAM controls who can access resources, how they are authenticated, and what
permissions they have.
• Key Method : Multi-Factor Authentication
6. End-User Education and Training :
• Educating users about cybersecurity threats and best practices reduces the risk
of human errors, which are often exploited in attacks.
• Key Methods : Phishing Awareness Training & Regular Security Updates
Types of Security Attacks :
1. Malware Attacks : Malware (malicious software) is any software intentionally designed
to damage, disrupt, or gain unauthorized access to systems, or to collect information
from a system without the user’s knowledge.
Example : Virus , Worm , Spyware …
2. Phishing Attacks : Phishing is a social engineering attack where attackers attempt to
deceive users into revealing sensitive information, such as passwords or credit card
details.
Example : Email Phishing , Vishing
3. Denial of Service (DoS) : These attacks aim to overwhelm a system or network with
traffic, causing it to become unavailable to legitimate users.
4. Man-in-the-Middle (MITM) Attack : In a MITM attack, an attacker intercepts
communication between two parties to eavesdrop, alter, or steal data.
5. SQL Injection Attack : SQL Injection is an attack where attackers insert malicious SQL
code into a query, manipulating a database to access or alter data.
6. Password Attacks : These attacks attempt to crack or steal passwords to gain
unauthorized access.
7. Insider Threats : Insider threats are attacks initiated by individuals within an
organization, such as employees or contractors, who misuse their access.

Security Mechanisms :
1. Encryption : It is the process of converting plaintext into a coded form (ciphertext) to
protect data confidentiality.
• To prevent unauthorized access to information by making it unreadable to
anyone without the decryption key.
• Types : Symmetric & Asymmetric
2. Digital Signature : A digital signature is a cryptographic mechanism used to verify the
authenticity and integrity of a digital message or document.
• To provide non-repudiation, ensuring that the sender of a message cannot deny
having sent it, and that the message hasn’t been altered in transit.
• The sender creates a hash of the message and encrypts it with their private key.
• The recipient decrypts the hash using the sender's public key and compares it to
the message hash to verify authenticity.
3. Access Control : Access control mechanisms restrict access to resources based on user
roles, permissions, or policies. To ensure only authorized users can access or modify
data and resources.
4. Data Integrity : Data integrity mechanisms ensure that data remains unaltered from its
original form unless modified by authorized users.
• Example : Hash Functions & Checksums
5. Authentication : Authentication mechanisms verify the identity of users, devices, or
systems. To ensure that only legitimate users or systems can access information or
perform actions.
• Example : Two Factor Authentication & Biometric
6. Audit and Monitoring : Audit and monitoring mechanisms track and record system
activities for review and analysis. To detect, investigate, and respond to security
incidents by maintaining a record of actions within a system.
7. Cryptographic Hash Functions : Cryptographic hash functions produce a fixed-length
output from an input of any length, and it is computationally infeasible to recover the
input from the output.
• To provide a unique digital fingerprint for data, helping ensure integrity and
authentication.
8. Secure Communication Protocols : Secure communication protocols provide encrypted
and authenticated connections for data transmission.
• To protect data in transit from interception, modification, or unauthorized
access.
• Example : TLS , SSH
9. Anomaly Detection : Anomaly detection identifies unusual patterns or deviations from
normal behavior in systems, which may indicate security incidents. To detect potential
security threats, such as intrusions or malware, that do not match typical behavior
patterns.
10. Firewalls : Firewalls are network security devices or software that monitor and control
incoming and outgoing network traffic.

This diagram illustrates a general model for network security, which focuses on
securing the communication between a sender and a recipient over an information channel
that is potentially vulnerable to attacks by an opponent (e.g., an unauthorized party trying to
intercept or manipulate the message).
Key Components :
• Sender & Recipient : The sender is the party that originates the message, while the
recipient is the intended receiver.
• Message : This is the information that the sender wants to communicate to the recipient.
• Security-Related Transformation : The sender transforms the message using a security
algorithm before sending it through the information channel. The recipient then
reverses the transformation to retrieve the original message.
• Secret Information : Secret information, such as cryptographic keys, is required for the
transformations.
• Information Channel : This is the medium through which the message travels from the
sender to the recipient.
• Opponent : The opponent represents any unauthorized entity that tries to compromise
the message or interfere with communication.
• Trusted Third Party : The TTP might serve as an arbiter or distributor of secret
information like cryptographic keys or digital certificates, ensuring that both the sender
and the recipient can securely communicate.
Process :
• The sender creates a message that they wish to send to the recipient.
• The sender applies a security-related transformation to the message, typically by
encrypting it using a cryptographic key (shared or public key) to ensure confidentiality.
• The transformed (encrypted) message is then transmitted over the information channel,
where it could be vulnerable to attacks.
• Upon receiving the message, the recipient applies the appropriate security-related
transformation (e.g., decryption) to recover the original message.
• The recipient may also perform integrity and authenticity checks to ensure the message
has not been altered and originated from the correct sender.
Plain Text :
Plaintext is the original, readable form of data that has not yet been encrypted. It can be
any message, document, or file that needs protection to prevent unauthorized access.
• Plaintext is human-readable and does not have any cryptographic protection.
• Since it’s in an unprotected form, plaintext can be easily intercepted and read by anyone
who has access to it.
Example : Sensitive information like passwords, emails, or bank account details before they
are encrypted. Documents, images, or data stored on a system in an unencrypted form.

Cipher Text :
Ciphertext is the scrambled, encrypted form of data that cannot be easily understood
without a decryption key. It is the output of an encryption algorithm applied to plaintext.
• Ciphertext appears as a random sequence of characters and is not human-readable
without decryption.
• It’s designed to protect the underlying information from unauthorized access. Even if
intercepted, it cannot be interpreted without the decryption key.
Example : A password or message encrypted with a cryptographic algorithm will appear as
ciphertext. Encrypted files, images, or data that can only be accessed by decrypting them.
Relationship Between Plaintext and Ciphertext :
The process of converting plaintext to ciphertext is called encryption, while the process of
converting ciphertext back to plaintext is called decryption. Here's a step-by-step view:
1. Encryption:
• The encryption process uses an encryption algorithm (e.g., AES, RSA) and an
encryption key.
• Plaintext + Encryption Algorithm + Key = Ciphertext
• The result is ciphertext, which is sent or stored securely.
2. Decryption:
• The decryption process uses a decryption algorithm and a decryption key (which
may or may not be the same as the encryption key, depending on the encryption
type).
• Ciphertext + Decryption Algorithm + Key = Plaintext
• This retrieves the original plaintext, making the data readable to authorized
users.
Types of Encryption: Symmetric and Asymmetric :
Depending on the type of encryption, the relationship between plaintext and ciphertext differs:
1. Symmetric Encryption:
• The same key is used for both encryption and decryption.
• Examples: AES (Advanced Encryption Standard), DES (Data Encryption
Standard).
• In this case: Plaintext is encrypted using the key to produce ciphertext, and ciphertext
is decrypted using the same key to retrieve the plaintext.
• Symmetric encryption is fast and is commonly used for encrypting large
amounts of data.
2. Asymmetric Encryption:
• Different keys are used for encryption and decryption: a public key for
encryption and a private key for decryption.
• Examples: RSA (Rivest–Shamir–Adleman), ECC (Elliptic Curve
Cryptography).
• In this case: Plaintext is encrypted using the recipient’s public key to produce
ciphertext, and ciphertext is decrypted using the recipient’s private key to
retrieve the plaintext.
• Asymmetric encryption is slower but provides stronger security, especially for
securing smaller amounts of data like encryption keys.
Features : Data Confidentiality , Data Integrity , Authentication & Non-Repudiation
Example
Suppose Alice wants to send a sensitive message to Bob:
• Plaintext Message: "The package will arrive at noon."
• Encryption: Alice uses an encryption algorithm and a key to encrypt her message.
Output: Ciphertext (e.g., "3f5b1a7c9...")
• Transmission: The ciphertext is sent to Bob.
• Decryption: Bob uses the decryption algorithm and key to transform the ciphertext back
into plaintext.
Output: Plaintext (e.g., "The package will arrive at noon.")
Without encryption, anyone intercepting the message in transit would read "The
package will arrive at noon," but with encryption, they would only see the scrambled ciphertext
"3f5b1a7c9...," which is meaningless without the key.
Substitution Techniques :
Substitution techniques are a type of cryptographic algorithm in which elements of the
plaintext (such as letters or groups of letters) are systematically replaced with other elements
to produce ciphertext.
Key Concepts of Substitution Techniques
• Plaintext Characters: In a substitution cipher, each character or group of characters in
the plaintext is replaced with a corresponding character or set of characters in the
ciphertext.
• Fixed Substitution Pattern: In most substitution techniques, the pattern for substitution
is fixed for the entire message. Each character in the plaintext has a predetermined
substitute in the ciphertext.
• Encryption and Decryption Keys: A key may determine the substitution pattern. To
decrypt the message, the receiver must know the key or substitution pattern.
Types of Substitution Techniques :
1. Caesar Cipher
• Description: One of the simplest and most well-known substitution ciphers. Each letter
in the plaintext is shifted a fixed number of positions in the alphabet.
• Example:
o If the shift is 3, then A becomes D, B becomes E, and so on.
o Plaintext: HELLO
o Ciphertext with a shift of 3: KHOOR
• Decryption: To decrypt, shift each letter backward by the same number.
• Strength: Very low security, as there are only 25 possible shifts (1–25), making it easy
to break with brute force.
2. Monoalphabetic Cipher
• Description: Each letter in the plaintext is replaced by a fixed, unique letter from
another alphabet. Unlike the Caesar cipher, the substitution pattern is random rather
than a shift.
• Example:
o Plain alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
o Cipher alphabet: QWERTYUIOPASDFGHJKLZXCVBNM
o Plaintext: HELLO
o Ciphertext: ITSSG (using the mapping above).
• Decryption: The recipient uses the reverse mapping from the cipher alphabet back to
the plain alphabet.
• Strength: More secure than Caesar because it has 26! (factorial) possible substitutions,
but vulnerable to frequency analysis, as certain letters and patterns in English (like E,
T, A) are more common.
3. Polyalphabetic Cipher (e.g., Vigenère Cipher)
• Description: Uses multiple cipher alphabets to encrypt the message, reducing the
impact of frequency analysis by cycling through different substitution alphabets.
• Example:
o Vigenère Cipher: Uses a keyword to determine which of several Caesar ciphers
to use for each letter in the plaintext.
o Plaintext: HELLO
o Key: KEY (repeated as KEYKE to match the length of the plaintext)
o Ciphertext: Each letter in HELLO is shifted according to the corresponding
letter in KEYKE.
• Decryption: The recipient repeats the key and reverses the shifts based on the key
letters.
• Strength: More secure than monoalphabetic ciphers, but still breakable with techniques
like the Kasiski examination or frequency analysis, especially if the key is short.
4. Playfair Cipher
• Description: A digraph substitution cipher that encrypts pairs of letters instead of
individual letters.
• Procedure:
o A 5x5 matrix of letters is created using a keyword (e.g., "MONARCHY").
o Plaintext letters are paired, and each pair is encrypted based on its position in
the matrix, following specific rules.
• Example:
o Plaintext: HELLO
o Pairs: HE, LL, OX (X is often added if a letter is repeated or if there's an odd
number of letters)
o Encrypt each pair based on the matrix and rules.
• Decryption: The recipient uses the same matrix and reverse process.
• Strength: More secure than monoalphabetic and simple polyalphabetic ciphers due to
the digraph system, but still susceptible to frequency analysis of pairs.
5. Hill Cipher
• Description: A polygraphic substitution cipher that uses linear algebra and matrix
multiplication to substitute multiple letters simultaneously.
• Procedure:
o The plaintext is divided into blocks of letters, and each block is represented as
a vector.
o A matrix (key matrix) is used to multiply the plaintext vector, producing a
ciphertext vector.
• Example:
o Key matrix: A 2x2 or 3x3 matrix with numbers representing letter shifts.
o Plaintext: HI (represented in numerical form, e.g., H=7, I=8).
o Ciphertext: Multiply the plaintext vector by the key matrix.
• Decryption: Requires the inverse of the key matrix.
• Strength: More secure and complex due to the matrix operations, but vulnerable if the
key matrix is known or can be derived.
6. One-Time Pad
• Description: A theoretically unbreakable substitution cipher if used correctly. It uses a
random key (pad) that is as long as the plaintext and only used once.
• Procedure:
o Each letter in the plaintext is encrypted by adding a random letter from the key
(mod 26 if using letters).
• Example:
o Plaintext: HELLO
o Key: Randomly generated string, such as XMCKL.
o Ciphertext: Each letter in HELLO is shifted according to the corresponding
letter in XMCKL.
• Decryption: The recipient uses the exact same key to shift back each letter.
• Strength: Provably secure if the key is truly random, as long as the key is kept secret
and only used once.
Strengths of Substitution Techniques : Efficiency & Simplicity
Weaknesses of Substitution Techniques : Limited Security & Key Management
Applications : Educational Purpose & Military Applications.
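Added worked example (not part of the original notes): the Caesar, monoalphabetic and Vigenère examples above carried through in Python, including the HELLO/KEY and HELLO/XMCKL ciphertexts the notes leave uncomputed. The function names are illustrative, and inputs are assumed to be uppercase A-Z only.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase  # inputs are assumed to be A-Z only


def caesar(text, shift):
    """Shift every letter by `shift` places; a negative shift decrypts."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in text)


def caesar_bruteforce(ciphertext):
    """Try the entire key space (shifts 1-25) and return every candidate."""
    return {shift: caesar(ciphertext, -shift) for shift in range(1, 26)}


def monoalphabetic(text, cipher_alphabet, decrypt=False):
    """Replace letters using one fixed 26-letter cipher alphabet."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return text.translate(str.maketrans(src, dst))


def vigenere(text, key, decrypt=False):
    """Add (or subtract) the repeated key letters mod 26.

    With a random key as long as the text that is used only once,
    the same arithmetic is the one-time pad.
    """
    sign = -1 if decrypt else 1
    return "".join(
        ALPHABET[(ALPHABET.index(c) + sign * ALPHABET.index(key[i % len(key)])) % 26]
        for i, c in enumerate(text)
    )


def frequency_profile(text):
    """Letter counts, most common first: the signal frequency analysis uses."""
    return sorted(Counter(text).values(), reverse=True)


if __name__ == "__main__":
    qwerty = "QWERTYUIOPASDFGHJKLZXCVBNM"  # cipher alphabet from the notes
    print("Caesar      :", caesar("HELLO", 3))
    print("Mono        :", monoalphabetic("HELLO", qwerty))
    print("Vigenere    :", vigenere("HELLO", "KEY"))
    print("One-time pad:", vigenere("HELLO", "XMCKL"))
    # 25 candidates is the whole Caesar key space; one of them is readable.
    for shift, guess in caesar_bruteforce("KHOOR").items():
        print(f"  shift {shift:2d}: {guess}")
    # A single fixed alphabet keeps the double letter visible (LL -> SS);
    # Vigenere maps the two L's to different letters.
    print(frequency_profile("HELLO"), frequency_profile("ITSSG"),
          frequency_profile(vigenere("HELLO", "KEY")))
```

The frequency profile of HELLO survives the Caesar and monoalphabetic ciphers unchanged, which is why frequency analysis works against them, while the Vigenère output flattens it.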
Transposition Techniques :
In cryptography, transposition techniques are methods that alter the positions of
characters within plaintext to produce ciphertext, without changing the actual characters
themselves. Unlike substitution techniques, where each character is replaced with another,
transposition techniques involve shuffling or rearranging characters according to a specific rule
or pattern.
• In transposition, the plaintext characters are simply rearranged rather than replaced. The
same characters remain in the ciphertext, but in a different order.
• The transposition follows a particular rule or key, which must be known by both the
sender and receiver for proper encryption and decryption.
• Transposition techniques do not change the frequency of individual characters, unlike
substitution. Hence, frequency analysis is less effective against transposition.
Types of Transposition Techniques :
1. Rail Fence Cipher : A simple form of transposition, where plaintext characters are
written in a zigzag or "rail fence" pattern across multiple rows.
• Choose a number of "rails" or rows to write the
message.
• Write each character in a zigzag pattern across the
rails, then read the message horizontally, row by row,
to create the ciphertext.
• Decryption: Write the ciphertext in the same zigzag
pattern and read it vertically to retrieve the original
message.
• Strength: Simple but provides minimal security as it
can be easily deciphered by pattern recognition.
2. Columnar Transposition Cipher : In this method, the plaintext is written into a grid (or
matrix) column by column, and the ciphertext is created by reading the columns in a
specific order.
• Choose a keyword to determine the number
and order of columns.
• Write the plaintext horizontally in rows
under each column.
• Sort the columns based on the alphabetical
order of the keyword, then read each column
in order to produce the ciphertext.
• Decryption: Write the ciphertext back into
the grid based on the keyword and retrieve
the plaintext by reading horizontally.
• Strength: More secure than Rail Fence due to the complexity of rearrangement,
but can be broken with enough ciphertext and analysis.
3. Double Transposition Cipher : A more secure method that applies the columnar transposition
cipher twice with two different keywords or arrangements.
• Encrypt the plaintext using a columnar transposition with the first keyword.
• Take the resulting ciphertext and encrypt it again with a second columnar transposition
using a different keyword.
• Example:
o First Keyword: CAT
o Second Keyword: DOG
o Apply the columnar transposition cipher twice using these keywords.
• Strength: Significantly more secure than a single transposition, as it effectively
increases the complexity of the cipher and makes it harder to break with traditional
cryptanalysis.
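Added worked example (not from the original notes): rail fence and columnar transposition with their decryption, plus the double transposition using the keywords CAT and DOG. The sample messages are constructed, no padding is used, and repeated keyword letters are ordered left to right (an assumption the notes do not cover).

```python
def rail_pattern(length, rails):
    """Rail (row) index of each character position in the zigzag."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(text, rails):
    """Write in a zigzag, then read rail by rail."""
    pattern = rail_pattern(len(text), rails)
    return "".join(c for r in range(rails) for c, p in zip(text, pattern) if p == r)


def rail_fence_decrypt(ciphertext, rails):
    """Rebuild the zigzag: ciphertext letters fill positions rail by rail."""
    pattern = rail_pattern(len(ciphertext), rails)
    # Stable sort gives the plaintext positions in the order they were read out.
    order = sorted(range(len(ciphertext)), key=lambda i: pattern[i])
    plain = [""] * len(ciphertext)
    for char, position in zip(ciphertext, order):
        plain[position] = char
    return "".join(plain)


def column_order(keyword):
    """Column indices in read-out order: alphabetical by keyword letter."""
    return sorted(range(len(keyword)), key=lambda i: keyword[i])


def columnar_encrypt(text, keyword):
    """Write row by row under the keyword, read columns in keyword order."""
    cols = len(keyword)
    return "".join(text[c::cols] for c in column_order(keyword))


def columnar_decrypt(ciphertext, keyword):
    """Refill each column in keyword order, then read row by row."""
    cols = len(keyword)
    full, extra = divmod(len(ciphertext), cols)
    plain = [""] * len(ciphertext)
    pos = 0
    for c in column_order(keyword):
        length = full + (1 if c < extra else 0)  # leftmost columns are longer
        plain[c::cols] = ciphertext[pos:pos + length]
        pos += length
    return "".join(plain)


def double_transposition(text, first_key, second_key, decrypt=False):
    """Columnar transposition applied twice with two keywords."""
    if decrypt:
        return columnar_decrypt(columnar_decrypt(text, second_key), first_key)
    return columnar_encrypt(columnar_encrypt(text, first_key), second_key)


if __name__ == "__main__":
    message = "WEAREDISCOVEREDFLEEATONCE"  # constructed sample message
    print(rail_fence_encrypt(message, 3))
    print(columnar_encrypt("ATTACKATDAWN", "CAT"))
    print(double_transposition("ATTACKATDAWN", "CAT", "DOG"))
    # Same letters, new order: letter frequencies are untouched.
    print(sorted(message) == sorted(double_transposition(message, "CAT", "DOG")))
```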

Encryption :
Encryption is the process of converting plaintext (original, readable data) into
ciphertext (encoded, unreadable data) using an algorithm and a key. The purpose of encryption
is to ensure data confidentiality, making sure that only authorized parties can access the
information.
Components : Plain Text , Cipher Text , Encryption Algorithm & Encryption Key
Types :
a) Symmetric Encryption:
• In symmetric encryption, the same key is used for both encryption and decryption.
• This method is faster and is generally used for encrypting large amounts of data.
• Example Algorithms: AES (Advanced Encryption Standard), DES (Data Encryption
Standard), 3DES.
b) Asymmetric Encryption:
• In asymmetric encryption, there are two keys: a public key and a private key.
• The public key is used for encryption, while the private key is used for decryption.
• Asymmetric encryption is generally slower but provides a higher level of security, and
it is often used for securely transmitting keys or small data amounts.
• Example Algorithms: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve
Cryptography).
Decryption :
Decryption is the reverse process of encryption. It converts the unreadable ciphertext
back into plaintext so that it becomes readable and understandable again. Only authorized users
with the correct key should be able to decrypt and access the original data.
Components : Ciphertext , Decryption Algorithm & Decryption Key
• For Symmetric Encryption: The same key used for encryption is used to decrypt the
data.
• For Asymmetric Encryption: The private key is used to decrypt data that was encrypted
with the corresponding public key.
Applications of Encryption & Decryption :
• Secure Communication
• Data Storage
• Authentication
• Secure Web Browsing
• Banking & Financial Transactions
• Digital Signatures

Symmetric Key Cryptography :


Symmetric Key Cryptography (also known as Secret Key Cryptography) is a type of
encryption where the same key is used for both encryption and decryption of data. This means
that both the sender and receiver must have access to the same secret key and keep it
confidential.
Advantages :
• Faster and more efficient for large datasets.
• Suitable for encrypting large files and data.
• Easier to implement than asymmetric encryption.
Disadvantages :
• Requires secure sharing of the secret key.
• If the key is compromised, data can be decrypted.
• Doesn’t support digital signatures or authentication.
Use Cases :
• Data Storage Encryption
• VPN & Network Security
• File & Disk Encryption
Asymmetric Key Cryptography :
Asymmetric Key Cryptography (also known as Public Key Cryptography) uses a pair
of keys: a public key and a private key. These two keys are mathematically related, but it is
practically impossible to derive the private key from the public key.
• Public Key: Used to encrypt data and is shared openly.
• Private Key: Used to decrypt data and must be kept secret.
• The public and private keys serve different roles, which enables asymmetric encryption
to support both encryption for confidentiality and digital signatures for authentication.
• Asymmetric encryption also allows for digital signatures, where a sender can sign a
message with their private key, and recipients can verify the sender's authenticity using
the sender's public key.
Advantages :
• Supports secure key distribution over insecure channels.
• Enables digital signatures for authentication.
• No need to share private keys, enhancing security.
Disadvantages :
• Slower and computationally intensive for large data.
• Complex implementation compared to symmetric encryption.
• Public and private key management can be challenging.
Use Cases : Digital Certificates & Email Encryption
Steganography :
Steganography is the practice of concealing a secret message, file, or information within
another file or medium to prevent detection. Unlike encryption, where data is scrambled to
make it unreadable without a key, steganography hides the existence of the data itself, often
making it difficult for an observer to even realize that a hidden message exists.
Key Concepts in Steganography
1. Cover Medium: The original, innocent-looking medium that will carry the hidden
message. It could be an image, audio file, video, text, or any digital file.
2. Secret Message: The data or message to be concealed within the cover medium.
3. Stego Medium: The resulting file after embedding the secret message into the cover
medium. Ideally, it should appear similar to the original cover medium.
4. Embedding: The process of inserting the secret message into the cover medium.
5. Extraction: The process of retrieving the hidden message from the stego medium.
Types of Steganography :
1. Image Steganography :
• Hides data within an image file by modifying its pixel values.
• Least Significant Bit (LSB) Technique: This is the most common method for
image steganography, where the least significant bits of the pixels are altered to
store the secret message.
• The changes are so subtle that they’re generally imperceptible to the human eye.
• For example, in an 8-bit image, the last bit of each pixel can be replaced with
part of the secret message.
2. Audio Steganography :
• Hides data within audio files by slightly altering the sound waves.
• Techniques include LSB encoding (similar to image steganography), phase
coding, and echo hiding.
• Changes are made in the audio signal, but they are subtle enough that human
listeners typically cannot detect them.
3. Video Steganography :
• Embeds hidden data into video files.
• Combines techniques used in both image and audio steganography, as videos
are essentially a combination of images (frames) and audio.
• Common techniques include modifying the LSBs of video frames or adjusting
colors slightly.
Example: Least Significant Bit (LSB) Steganography in Images :
Consider a grayscale image where each pixel is represented by 8 bits. For example, if
the pixel value is 11001011, changing the least significant bit to 0 or 1 only slightly alters the
pixel's appearance to the human eye but can encode a bit of the secret message.
Step-by-Step Process
• Convert the Secret Message: Convert the secret message (e.g., "Hello") into binary.
• Choose the Cover Image: Select an image file to use as the cover medium.
• Embed the Message: Replace the least significant bits of the image pixels with the bits
of the secret message.
• Create Stego Image: The image with the embedded secret message is called the stego
image. Visually, it looks almost identical to the original cover image.
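Added worked example (not from the original notes): the four LSB steps above applied to a constructed 64-pixel grayscale buffer, with extraction. The 16-bit length header is an assumption added so that extraction knows where the message ends.

```python
# Constructed cover "image": 64 grayscale pixels, one byte each.
COVER = bytes((i * 37 + 11) % 256 for i in range(64))
HEADER_BITS = 16  # assumed layout: 16-bit big-endian message length first


def set_lsb(pixel, bit):
    """Clear the least significant bit of a pixel, then set it to `bit`."""
    return (pixel & 0xFE) | bit


def bytes_to_bits(data):
    """Step 1: turn the message into a list of bits, most significant first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits for a bit list whose length is a multiple of 8."""
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[n:n + 8]))
        for n in range(0, len(bits), 8)
    )


def embed(cover, message):
    """Steps 2-4: write header + message bits into the pixel LSBs."""
    bits = bytes_to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > len(cover):
        raise ValueError("cover image too small for this message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = set_lsb(stego[i], bit)
    return bytes(stego)


def extract(stego):
    """Read the LSBs back: header first, then that many message bytes."""
    lsbs = [pixel & 1 for pixel in stego]
    length = int.from_bytes(bits_to_bytes(lsbs[:HEADER_BITS]), "big")
    return bits_to_bytes(lsbs[HEADER_BITS:HEADER_BITS + 8 * length])


def changed_pixels(cover, stego):
    """How many pixels differ between cover and stego image."""
    return sum(a != b for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, b"Hello")
    print("recovered      :", extract(stego))
    print("pixels changed :", changed_pixels(COVER, stego), "of", len(COVER))
    print("largest change :", max(abs(a - b) for a, b in zip(COVER, stego)))
```

No pixel moves by more than 1 out of 255, which is why the stego image looks the same to the eye; comparing against the original cover still reveals every changed pixel.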

Key Range :
The key range refers to the total number of possible keys that can be used in a cryptographic
system. It is essentially the "space" of potential keys that an attacker would need to search
through to break the encryption via brute-force.
• The key range depends on the key size. For a given key size of $n$ bits, the key range
is $2^n$, meaning there are $2^n$ possible keys.
• If the key size is 3 bits, the key range is $2^3 = 8$, meaning there are 8 possible
keys.
• If the key size is 128 bits, the key range is $2^{128}$, which is a vast number
(approximately $3.4 \times 10^{38}$ possible keys).
• A larger key range makes brute-force attacks impractical, as the attacker would need to
try an enormous number of combinations to find the correct key.

Key Size :
Key size is the length of the encryption key, typically measured in bits. It directly affects
the key range and, consequently, the security level of the cryptographic algorithm.
• A larger key size generally means stronger security because it increases the number of
possible keys, making it harder for an attacker to guess or brute-force the key.
• However, larger key sizes may also increase computational requirements, making
encryption and decryption slower and more resource-intensive.
• 128 bits, 192 bits, or 256 bits are common key sizes for Symmetric Encryption.
• 1024 bits, 2048 bits, and 4096 bits are common key sizes for Asymmetric Encryption.
Types of Attacks :
In cryptography, various attacks target the security of cryptographic algorithms,
protocols, or systems. These attacks exploit vulnerabilities to gain unauthorized access, decrypt
data, or compromise the integrity and authenticity of information.
1. Brute Force Attack : This attack involves systematically trying every possible key until the
correct one is found. The feasibility of this attack depends on the key length; longer keys
provide higher resistance against brute force attacks.
2. Cryptanalysis : This refers to the study of techniques for obtaining the plaintext from the
ciphertext without knowing the key. Cryptanalysis methods can exploit weaknesses in
algorithms.
3. Man-in-the-Middle (MitM) Attack : An attacker intercepts and potentially alters the
communication between two parties without their knowledge. The attacker can read, modify,
or inject messages into the communication stream.
4. Side-Channel Attack : These attacks exploit information leaked during the execution of
cryptographic algorithms, such as timing information, power consumption, electromagnetic
leaks, or even sound. An attacker might analyze the power usage of a device to extract the
encryption key.

5. Chosen-Plaintext Attack (CPA) : The attacker has the capability to choose arbitrary
plaintexts and obtain their corresponding ciphertexts. If an attacker can encrypt known data,
they may find patterns that can help in decrypting other ciphertexts.
6. Chosen-Ciphertext Attack (CCA) : Similar to CPA, but here the attacker can choose
ciphertexts to be decrypted and obtain the corresponding plaintexts. An attacker could exploit
the decryption of a ciphertext to learn information about the encryption algorithm or key.
UNIT 2 : SYMMETRIC KEY CIPHER & ASYMMETRIC KEY CIPHERS
Block Cipher Principles :
A block cipher is a symmetric key cipher that operates on fixed-size blocks of data,
typically 64 bits or 128 bits at a time. It transforms plaintext into ciphertext using a secret key,
ensuring that only authorized parties can reverse the process (decrypt) using the same key.
• Symmetric Key Encryption : Both the encryption and decryption processes use the
same key. This means that the key must be kept secret and shared securely between the
communicating parties.
• Substitution: This involves replacing elements of the plaintext with other elements. The
most common approach is through a substitution box (S-box), which maps input bits to
output bits.
• Permutation : This involves rearranging the bits or groups of bits in the plaintext. The
permutation process helps in spreading the influence of each plaintext bit across the
ciphertext.
• Feistel Structure : Many block ciphers, such as DES (Data Encryption Standard), use a
Feistel structure, which divides the block into two halves and applies a series of rounds
of processing.
• In each round, one half is transformed using a function that depends on the key, and
then the two halves are swapped.
Block ciphers can only encrypt data in fixed-size blocks, so modes of operation determine how
to encrypt data longer than the block size.
• Electronic Codebook (ECB) : Each block of plaintext is encrypted independently using
the same key.
• Cipher Block Chaining (CBC) : Each block of plaintext is XORed with the previous
ciphertext block before encryption.
• Cipher Feedback (CFB) : The previous ciphertext block is encrypted, and the output is
XORed with the current plaintext block.
Various Symmetric Key Ciphers
Data Encryption Standard (DES) :
• DES uses a single 56-bit key for both encryption and decryption.
• The 56-bit key is derived from a 64-bit input key (8 bits used for parity).
• DES follows a Feistel structure, consisting of 16 rounds of processing.
• The key is transformed into 16 subkeys, each 48 bits long, for each round of encryption.
• The 64-bit block is split into two halves: the left half and the right half
• The 32-bit right half is expanded to 48 bits using an expansion permutation, preparing
it for the XOR operation with the round key.
• The expanded right half is XORed with the 48-bit round subkey.
• The result is fed into 8 S-boxes, which each take 6 bits of input and produce 4 bits of
output, resulting in a 32-bit output.
• The 32 bits are permuted to enhance diffusion.
• The output of the round function is XORed with the left half, and the halves are
swapped for the next round.
• This process is repeated for all 16 rounds.
• After 16 rounds, the final permutation is applied, which is the inverse of the initial
permutation. The output is the ciphertext.
Disadvantages : The 56-bit key length is considered too short by modern standards, making it
vulnerable to brute-force attacks.
Advanced Encryption Standard (AES) :
AES is a symmetric encryption algorithm that encrypts and decrypts data in fixed-size
blocks using a secret key.
• AES operates on 128-bit blocks of data, meaning it processes 16 bytes at a time.
• The overall structure consists of several rounds of processing, with the number of
rounds depending on the key length
• 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys.
• The first operation involves an XOR (exclusive OR) of the plaintext block with the first
round key.
Main Rounds :
• SubBytes : This step applies a non-linear substitution step, where each byte in the block
is replaced with a corresponding byte from a fixed substitution table called the S-box.
• ShiftRows : This step shifts the rows of the state array. The first row remains
unchanged, the second row is shifted left by one byte, the third row by two bytes, and
so on. This operation provides diffusion by spreading the influence of individual bytes
across the output.
• MixColumns : In this step, each column of the state array is transformed through matrix
multiplication with a fixed polynomial matrix. This operation mixes the bytes in each
column, further enhancing diffusion.
• AddRoundKey : Similar to the initial round, this step involves XORing the state with
the current round key.
BlowFish :
Blowfish is a symmetric-key block cipher that was designed by Bruce Schneier in 1993.
It is notable for its speed and effectiveness in encrypting data. Blowfish is often used in
applications where a fast encryption algorithm is required, especially for securing data at rest
and data in transit.
• Blowfish is a symmetric-key block cipher that encrypts data in fixed-size blocks of 64
bits (8 bytes) using a variable-length key.
• Blowfish supports key sizes ranging from 32 bits to 448 bits, allowing for flexibility.
• Blowfish employs a Feistel structure, which divides the data block into two halves and
processes them through multiple rounds of transformations.
• Blowfish begins with the key expansion phase
• The key expansion creates 18 subkeys, each 32 bits long, from the input key.
• The 64-bit input block is split into two halves: the left half (L) and the right half (R),
each 32 bits long.
• The right half is combined with a subkey using the XOR operation.
• The result is fed into a series of S-boxes, which substitute parts of the input to produce
a non-linear output.
• The output of the S-boxes is combined with another subkey and subjected to further
transformations, ultimately producing a 32-bit output.
• The output of the round function is XORed with the left half (L), and then the two
halves are swapped for the next round. The process is repeated for a total of 16 rounds.
• After the last round, the left and right halves are combined to produce the final 64-bit
ciphertext.
RC5 :
It is notable for its simplicity, flexibility, and efficiency, allowing it to adapt to a wide
range of applications. RC5 has gained popularity due to its unique design and performance
characteristics.
• RC5 is a symmetric-key block cipher that encrypts data in fixed-size blocks using a
variable-length key.
• RC5 can operate on block sizes of 32, 64, or 128 bits.
• The key length can vary from 0 to 2040 bits, though practical implementations typically
use key sizes of 128, 192, or 256 bits.
• The number of encryption rounds can also be adjusted, with common configurations
using 12, 16, or 20 rounds.
• RC5 is based on a simple and elegant Feistel structure. It utilizes a combination of
bitwise operations, modular addition, and XOR operations for its transformations.
• A key array is created, consisting of 2 * (r + 1) words, where r is the number of rounds.
Each word is 32 bits long (if using a 32-bit block size).
• The 64-bit input block (for example) is divided into two halves: L (left half) and R
(right half), each 32 bits long.
• Round Function in Feistel Structure is performed
International Data Encryption Algorithm (IDEA) :
IDEA is a symmetric-key block cipher that encrypts and decrypts data in fixed-size
blocks using a variable-length key.
• IDEA operates on 64-bit blocks of data, and the key length is 128 bits, making it
relatively secure against brute-force attacks.
• IDEA employs a Feistel-like structure and consists of multiple rounds of
transformations. It has a simple yet effective design that integrates various arithmetic
operations.
• The key expansion phase generates a series of subkeys from the original 128-bit key.
A total of 52 subkeys, each 16 bits long, are derived from the original key through
a straightforward rotation and extraction process.
• The 64-bit input block is divided into four 16-bit halves, labeled X0, X1, X2 and X3.
• Each round of IDEA involves a series of transformations applied to these four halves
• The first and third halves X0 and X2 are added modulo 2^16 to their corresponding
subkeys.
• The second and fourth halves X1 and X3 are multiplied modulo 2^16 + 1 with their
corresponding subkeys.
• After the addition and multiplication, XOR operations are performed between the
results to further mix the data.
• The outputs from the transformations are combined to produce new values for X0, X1,
X2, and X3 for the next round.

Block Cipher Operation :


Block cipher operation modes are essential methods that define how block ciphers
encrypt and decrypt data blocks in cryptography. Since block ciphers work on fixed-size data
blocks (e.g., 64 or 128 bits), these modes allow them to handle larger data by specifying ways
to link blocks during encryption or decryption, enhancing security and flexibility.
• Electronic Codebook (ECB) Mode : In ECB mode, each block of plaintext is
encrypted independently with the same key, resulting in individual ciphertext blocks.
• Cipher Block Chaining (CBC) Mode : In CBC mode, each plaintext block is XORed
with the previous ciphertext block before encryption, introducing inter-block
dependency.
• Cipher Feedback Mode (CFB) : CFB mode turns a block cipher into a self-
synchronizing stream cipher, enabling encryption of plaintext in smaller segments (like
bits or bytes).
• Output Feedback Mode (OFB) : OFB mode also turns a block cipher into a stream
cipher, producing a keystream independent of the plaintext.
• Counter Mode (CTR) : CTR mode also converts a block cipher into a stream cipher,
but it uses a counter value as input instead of feedback from previous outputs.
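The Feistel structure and the ECB, CBC and CTR modes described above, as an added example that is not part of the original notes. The cipher is a toy 64-bit Feistel network whose round function and key schedule are assumptions built from SHA-256 (it is not DES), used to show that ECB repeats ciphertext blocks for repeated plaintext blocks while CBC does not.

```python
import hashlib

BLOCK = 8      # toy block size in bytes (64 bits)
ROUNDS = 16

def xor(a, b):
    # zip() stops at the shorter input, which CTR uses for a short last block.
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key):
    """One subkey per round (toy key schedule, an assumption of this example)."""
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(ROUNDS)]

def round_f(half, subkey):
    """Keyed round function F. It does not have to be invertible."""
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]

def feistel(block, ks):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in ks:
        # One half is transformed with the subkey, then the halves swap.
        left, right = right, xor(left, round_f(right, k))
    return right + left            # undo the final swap

def encrypt_block(block, key):
    return feistel(block, subkeys(key))

def decrypt_block(block, key):
    # Decryption is the same network with the subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return b"".join(encrypt_block(b, key) for b in blocks(pad(pt)))

def ecb_decrypt(ct, key):
    return unpad(b"".join(decrypt_block(b, key) for b in blocks(ct)))

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(xor(b, prev), key)   # chain in the previous block
        out.append(prev)
    return iv + b"".join(out)                     # IV travels with the message

def cbc_decrypt(ct, key):
    bs = blocks(ct)
    return unpad(b"".join(xor(decrypt_block(c, key), p)
                          for p, c in zip(bs, bs[1:])))

def ctr_xcrypt(data, key, nonce):
    """CTR: encrypt nonce||counter and XOR it in. Same call decrypts."""
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        out += xor(b, encrypt_block(nonce + i.to_bytes(4, "big"), key))
    return bytes(out)

def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

if __name__ == "__main__":
    key = b"demo key"                 # constructed sample values
    msg = b"SAMEDATA" * 4             # four identical plaintext blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(msg, key)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(msg, key, bytes(8))))
```
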
Stream Ciphers :
Stream ciphers are symmetric key encryption algorithms that encrypt data one bit or
one byte at a time, unlike block ciphers, which process fixed-sized blocks of data.
• Stream ciphers are particularly suited to applications where data must be processed in
a continuous stream, such as real-time communications (e.g., voice and video calls).
• Stream ciphers are generally faster and more efficient in certain hardware or
constrained environments, like embedded systems.
• Stream ciphers encrypt data by generating a keystream that is XORed with the plaintext
bits or bytes to create the ciphertext

RC4 :
RC4 (Rivest Cipher 4) is one of the most well-known and widely used stream ciphers. It is a
symmetric key algorithm, meaning the same key is used for both encryption and decryption.
• RC4 operates in two main phases: the Key Scheduling Algorithm (KSA) and the
Pseudo-Random Generation Algorithm (PRGA).
• Key Scheduling Algorithm (KSA): Initializes a 256-byte state array by shuffling it
based on the encryption key to create an initial permutation.
• Pseudo-Random Generation Algorithm (PRGA): Uses the shuffled state array to
generate a keystream by swapping values and selecting bytes, which are XORed with
plaintext to produce ciphertext.
• Each byte of plaintext is XORed with a keystream byte to produce the ciphertext byte.
• Each byte of ciphertext is XORed with the same keystream byte to retrieve the original
plaintext.

Principles of Public Key Cryptosystems :


• Key Pair
• Asymmetric Encryption and Decryption
• Confidentiality
• Authentication & Integrity
• Non-Repudiation
• Mathematical Hardness
RSA Algorithm :
The RSA algorithm is a widely used public key cryptosystem for secure data
transmission. It is based on the mathematical difficulty of factoring large prime numbers,
which provides security for the encryption and decryption process.
ElGamal Cryptography :
ElGamal cryptography is an asymmetric key encryption algorithm used in public-key
cryptography.
UNIT 3 : Cryptography Hash Functions & Key Management
Message Authentication :
Message authentication provides assurance that a message is from the claimed sender
and has not been tampered with during transit.
Message Authentication Techniques :
• A MAC is a short piece of information used to authenticate a message and ensure its
integrity. It is generated using a secret key and the message itself.
• Digital signatures combine a hash function with asymmetric encryption to provide
authentication and integrity.
• Checksum values are used to ensure data integrity but are less secure than MACs and
digital signatures.
• Hash functions (e.g., SHA-256) produce a fixed-size hash from variable-size input data.

Requirements of Authentication :
• Uniqueness
• Confidentiality
• Integrity
• Availability
• Security
• Non-Repudiation
• Usability
• Scalability
• Flexibility
• Session Management
Secure Hash Algorithm SHA-512 :
Secure Hash Algorithm (SHA-512) is a member of the SHA-2 family of cryptographic
hash functions, designed by the National Security Agency (NSA) and published by the National
Institute of Standards and Technology (NIST) in 2001.
Overview of SHA-512
• SHA-512 produces a fixed-size output of 512 bits (64 bytes).
• It can accept inputs of any size, ranging from zero up to 2^128 − 1 bits
(about 2^38 bytes).
• It processes the input data in blocks of 1024 bits (128 bytes) at a time.
• SHA-512 is considered secure against pre-image attacks, second pre-image attacks, and
collision attacks.
Process :
• The original message is padded to ensure its length is congruent to 896 modulo 1024.
This is achieved by appending a '1' bit followed by '0' bits until the length is 896 bits,
leaving space for a 128-bit representation of the original message length.
• This ensures that the final padded message is a multiple of 1024 bits.
• The padded message is divided into blocks of 1024 bits (128 bytes).
• SHA-512 uses a set of eight initial hash values, each 64 bits in size, derived from the
square roots of the first 64 prime numbers.
• For each 1024-bit block, a message schedule is created, consisting of 80 words (64
bits each). The first 16 words are derived from the current block, while the remaining
64 words are generated using specific bitwise operations.
• The main loop of SHA-512 iterates 80 times, mixing the current hash values with the
message schedule and a series of constants (derived from the first 80 prime numbers).
• After processing all blocks, the final hash is produced by concatenating the eight hash
values (H0 to H7) to create a 512-bit (64-byte) output.

HMAC (Hash-based Message Authentication Code) :


HMAC (Hash-based Message Authentication Code) is a cryptographic technique used
for message authentication.
• HMAC combines a hash function (e.g., SHA-256, SHA-512) with a secret key to create
a unique message authentication code.
• The message and the secret key are prepared. If the key is longer than the block size of
the hash function, it is hashed to produce a shorter key.
• The key is padded with zeros to match the block size of the hash function, and an inner
padding is created by appending the key to the message.
• The inner hash is computed by hashing the inner padded key and the message
• The outer hash is computed by hashing the outer padded key and the inner hash
• The output is the HMAC, which can be used to verify the integrity and authenticity of
the message.
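The HMAC steps above, as an added example that is not part of the original notes, following the construction in RFC 2104: the zero-padded key is XORed with the inner pad byte 0x36 and the outer pad byte 0x5C, and the result is checked against Python's hmac module. The key and messages are constructed sample values.

```python
import hashlib
import hmac

def hmac_manual(key, msg, hash_name="sha256"):
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    # Step 1: a key longer than the hash block size is hashed first.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # Step 2: pad the key with zero bytes up to the block size.
    key = key.ljust(block_size, b"\x00")
    # Step 3: derive the inner and outer padded keys.
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    # Step 4: inner hash over (inner padded key || message).
    inner = hashlib.new(hash_name, inner_key + msg).digest()
    # Step 5: outer hash over (outer padded key || inner hash).
    return hashlib.new(hash_name, outer_key + inner).digest()

def verify(key, msg, tag, hash_name="sha256"):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

if __name__ == "__main__":
    key = b"shared secret (constructed)"
    msg = b"transfer 100 to account 42"
    tag = hmac_manual(key, msg)
    print(tag == hmac.new(key, msg, hashlib.sha256).digest())   # matches stdlib
    print(verify(key, msg, tag))                                # genuine message
    print(verify(key, b"transfer 900 to account 42", tag))      # altered message
    print(verify(b"wrong key", msg, tag))                       # wrong key
```
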
CMAC (Cipher-based Message Authentication Code) :
CMAC is a message authentication code derived from a block cipher, such as AES
(Advanced Encryption Standard). It is designed to provide message integrity and authenticity,
similar to HMAC but based on symmetric key cryptography.
• CMAC utilizes a block cipher algorithm to produce a message authentication code.
• A secret key is generated or provided for the block cipher. This key must be kept
confidential.
• The message is divided into blocks. If the final block is less than the block size, it is
padded to reach the required size.
• Each block of the message is encrypted using the block cipher with the secret key.
• The final block is processed to produce the CMAC output, which involves using the
block cipher in a specific manner to derive the MAC.
• The final CMAC value is produced, which is used to verify message integrity and
authenticity.

Digital Signatures :
Digital signatures are cryptographic tools that provide a secure way to verify the
authenticity and integrity of digital messages or documents. They serve as a digital equivalent
of handwritten signatures or stamped seals, but they offer far more inherent security and can
be used in various applications to ensure trust in electronic communications.
• Digital signatures rely on asymmetric cryptography, which uses a pair of keys: a public
key and a private key
• The signer creates a hash of the message using a cryptographic hash function. This
produces a fixed-size hash value (digest) that uniquely represents the content of the
message.
• The hash value is then encrypted using the signer’s private key to create the digital
signature.
• The digital signature is attached to the original message, forming the signed document.
Symmetric Key Distribution Using Symmetric & Asymmetric Encryption :
Symmetric Key Distribution is a crucial aspect of cryptography, enabling secure
communication between parties using symmetric encryption (where the same key is used for
both encryption and decryption) and asymmetric encryption (which uses a key pair: a public
key for encryption and a private key for decryption).
Process :
• The sender generates a symmetric key, which will be used for encryption.
• The symmetric key is encrypted using the recipient's public key. This ensures that only
the recipient, who possesses the corresponding private key, can decrypt and access the
symmetric key.
• The encrypted symmetric key is sent to the recipient along with any additional data or
messages.
• Upon receiving the encrypted symmetric key, the recipient uses their private key to
decrypt it, obtaining the original symmetric key.
• Now that both parties possess the symmetric key, they can communicate securely by
encrypting and decrypting messages using this key.
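The signing steps from the Digital Signatures section and the key-distribution process above, as one added example that is not part of the original notes. It uses textbook RSA with no padding and constructed toy keys built from publicly known Mersenne primes, so it is insecure by design; the symmetric cipher is a SHA-256 counter keystream chosen for this example, and real systems use RSA-PSS and RSA-OAEP with a standard cipher.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Build an RSA key from two primes (toy: the primes here are public)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent
    return {"n": n, "e": e, "d": d}

# Constructed toy keys from Mersenne primes. Never use known primes in practice.
ALICE = make_key(2**521 - 1, 2**607 - 1)       # sender / signer
BOB = make_key(2**1279 - 1, 2**2203 - 1)       # recipient

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(msg, private_key):
    # Hash the message, then apply the private exponent to the digest.
    return pow(digest_int(msg), private_key["d"], private_key["n"])

def verify(msg, signature, public_key):
    # Apply the public exponent and compare with a freshly computed digest.
    return pow(signature, public_key["e"], public_key["n"]) == digest_int(msg)

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def send(msg, recipient_public):
    # 1. Generate a fresh symmetric session key.
    session_key = secrets.token_bytes(32)
    # 2. Encrypt the session key with the recipient's public key.
    wrapped = pow(int.from_bytes(session_key, "big"),
                  recipient_public["e"], recipient_public["n"])
    # 3. Encrypt the message itself with the session key.
    return wrapped, keystream_xor(session_key, msg)

def receive(wrapped, ciphertext, recipient_private):
    # 4. Recover the session key with the private key, then decrypt.
    session_key = pow(wrapped, recipient_private["d"],
                      recipient_private["n"]).to_bytes(32, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"quarterly report, draft 3"          # constructed sample message
    sig = sign(msg, ALICE)
    wrapped, ct = send(msg, BOB)
    plain = receive(wrapped, ct, BOB)
    print(plain == msg, verify(plain, sig, ALICE))
    print(verify(plain + b"!", sig, ALICE))     # altered message fails
```
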

Public Key Distribution :


Public key distribution is the process of securely sharing public keys within a network,
allowing parties to encrypt messages and verify digital signatures.
• Public keys can be shared openly, but the integrity and authenticity of these keys must
be ensured to prevent attacks like man-in-the-middle (MitM).
• Public Key Infrastructure (PKI): A framework that includes hardware, software,
policies, and standards for managing digital certificates and public-key encryption.

Kerberos :
Kerberos is a network authentication protocol designed to provide secure authentication
over an insecure network. It uses a ticket-based system to allow users to prove their identity
and access resources without transmitting passwords over the network.
Process :
• Authentication Server (AS): When a user (client) wants to access a service, they first
authenticate with the AS by providing their username.
• Ticket Granting Ticket (TGT): If the credentials are valid, the AS issues a TGT, which
includes a session key and is encrypted with the TGT secret key.
• Service Request: The client uses the TGT to request access to a specific service from
the Ticket Granting Server (TGS).
• Service Ticket: The TGS verifies the TGT and issues a service ticket, which the client
presents to the target service (server).
• Access: The server decrypts the service ticket using its secret key, allowing the client
to access the requested resource.
X.509 Authentication Service :
X.509 is a standard that defines the format of public key certificates, widely used for
establishing secure connections over networks, particularly in SSL/TLS protocols. X.509
certificates are integral to the Public Key Infrastructure (PKI).
• When establishing an HTTPS connection, the server presents its X.509 certificate to
the client.
• The client checks the certificate's validity and whether it is signed by a trusted CA. If
valid, the client can safely establish a secure connection with the server.
• Key Components : Version, Serial Number, Signature Algorithm, Issuer Name, Validity
Period, Subject Name, Public Key

Public Key Infrastructure :


Public Key Infrastructure (PKI) is a framework that enables secure communications over
networks by managing digital certificates and public-key encryption. It includes the
hardware, software, policies, and standards needed to manage them.
• A user or entity generates a pair of keys (public and private) using a secure method.
• The user submits a certificate signing request (CSR) to a Registration Authority (RA)
that includes the user’s public key and identity information.
• The RA verifies the identity of the requester based on established policies and
procedures
• Upon successful verification, the RA forwards the request to a Certificate Authority
(CA), which issues a digital certificate containing the user’s public key and other
relevant information, digitally signed by the CA.
• The digital certificate is provided to the user, who can then share it with others as
needed.
• When a party receives a digital certificate, they can validate it by checking the CA’s
signature, the certificate’s validity period, and whether it is listed on a CRL or queried
via OCSP.
• Parties can now securely communicate using the public keys contained in the
certificates.
UNIT 4 : TRANSPORT LEVEL & WIRELESS NETWORK SECURITY
Web Security Considerations :
As more sensitive information is transmitted over the internet, understanding and
implementing security measures becomes essential for both developers and users.
Common Threats :
• Cross Site Scripting : Attackers inject malicious scripts into web pages viewed by other
users.
• SQL Injection
• Man in the middle Attack
• DoS Attack
• Session Hijacking
Best Practices for Web Security :
• Use HTTPS
• Keep Software Updated
• Limit User Permissions
• Secure Cookies
• Use Strong Authentication
• Conduct Security Testing
• Monitor & Log Activity
Techniques for Securing Web Applications :
• Web Application Firewall
• Data Encryption
• User Education
• Security Audits

Secure Socket Layer [ SSL ] & Transport Layer Security [ TLS ] :


Secure Socket Layer (SSL) and Transport Layer Security (TLS) are cryptographic
protocols designed to provide secure communication over a computer network. While SSL was
the original protocol developed by Netscape in the 1990s, TLS is its successor, offering
enhanced security and performance.
• SSL Versions : SSL 1.0 , 2.0 , 3.0
• It uses a certificate-based approach to authenticate servers and, optionally, clients.
• SSL provides encryption and integrity through a combination of symmetric and
asymmetric cryptography.
• SSL operates between the transport layer (TCP) and the application layer (HTTP, FTP)
• The SSL handshake is a process that establishes a secure connection between the client
and the server
SSL Handshake Protocol Process :
• Client Hello
• Server Hello
• Server Certificate
• Key Exchange
• Client Key Exchange
• Session Key Generation
• Finished Messages
Transport Layer Security :
TLS employs stronger encryption algorithms and provides a more robust mechanism
for negotiating cryptographic parameters between clients and servers. TLS supports both
asymmetric and symmetric encryption, and it can utilize various hashing algorithms for
message integrity.
• TLS Versions : 1.0 , 1.1 , 1.2 , 1.3
• Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure
communication over a computer network.
HTTPS ( Hyper Text Transfer Protocol Secure ) :
HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP, the
foundational protocol used for data communication on the World Wide Web. HTTPS encrypts
the data exchanged between a user's web browser and a web server to prevent unauthorized
access and tampering, ensuring secure communication.
• HTTPS works by combining the Hypertext Transfer Protocol (HTTP) with Transport
Layer Security (TLS). TLS (previously SSL) is a cryptographic protocol that provides
security for data in transit over the network.
• The user enters an HTTPS URL in the browser (for example, https://example.com).
• The browser initiates a secure connection by connecting to port 443, the default port
for HTTPS.
• A TLS handshake is then performed to establish the secure connection.
• With the session key established, all data exchanged between the client and server is
encrypted using symmetric encryption, which is faster and ideal for data transfer.
• HTTPS uses Message Authentication Codes (MACs) to ensure data integrity. If any
data is modified during transmission, the MAC will not match, alerting the client or
server to potential tampering.
Secure Shell [ SSH ] :
Secure Shell is primarily used for secure remote access to servers and networking
devices, providing encrypted data transfer, remote command execution, and secure file
transfers over an insecure network.
• SSH includes its own transport layer, which is designed to provide a secure
communication channel. It is a distinct protocol from TLS/SSL but achieves similar
outcomes in terms of encryption, integrity, and authentication.
• The SSH transport layer begins with a key exchange process
• SSH keys allow clients to verify the server’s identity based on a trusted public key.
• After the key exchange, SSH establishes a session where all data is encrypted using
symmetric encryption algorithms
• Message Authentication Codes (MACs) are used alongside encryption to detect any
tampering with transmitted data.
SSH’s transport layer facilitates establishing multiple sessions over a single SSH connection,
allowing parallel operations such as command execution and file transfers without initiating
separate connections.

Wireless Security :
Wireless Security refers to the practices and technologies used to protect wireless
networks and data transmitted over them from unauthorized access, misuse, and attacks.
• Wireless networks, particularly Wi-Fi, are inherently more vulnerable than wired
networks because they transmit data through the air, making it easier for attackers to
intercept and exploit.
• Protocols : WPA, WPA2 & WPA3 (Wi-Fi Protected Access)
Authentication & Access Control Methods :
• Pre Shared Key : All users share a common password to connect to the network.
• 802.1X Authentication : Used in enterprise setups for organizations, especially combined
with certificates or two-factor authentication.
• MAC Address Filtering : Restricts network access based on the MAC
Common Wireless Attacks : Man in the Middle , Password Cracking
Best Practices : Strong Passwords , Update Firmware , Disable WPS & Use VPN
Mobile Device Security :
Mobile Device Security is the practice of safeguarding mobile devices (such as
smartphones, tablets, and laptops) and the sensitive data they contain from unauthorized access,
malware, loss, theft, and various forms of cyber attacks.
Common Security Attacks : Man in The Middle , Malware , Phishing , Data Leakage , Unsecure
Wifi Connections , Lost or Stolen Devices , Outdated Software
Best Practices :
• Use Strong Authentication
• Keep Software Updated
• Install Apps from Trusted Sources Only
• Limit App Permissions
• Enable Device Encryption
• Avoid Public Wi-Fi or Use VPNs
• Regular Backups
• Disable Bluetooth and Wi-Fi When Not in Use
• Awareness and Education
Emerging Technologies :
• Behavioral Biometrics
• AI & ML
• BlockChain
• Zero Trust Architecture

IEEE 802.11 Wireless LAN :


The IEEE 802.11 standard, commonly known as Wi-Fi, defines a set of protocols for
implementing wireless local area network (WLAN) communications in various frequencies,
primarily within the 2.4 GHz and 5 GHz bands.
Components :
• Frequency Bands
• Channel Widths
• Modulation Techniques
Applications :
• Home Networking
• Business and Enterprise Networks
• Public Hotspots
• Smart City & IoT
• Education & Healthcare
UNIT 5 : Email Security & IP Security
Pretty Good Privacy :
Pretty Good Privacy (PGP) is a data encryption and decryption program used to provide
cryptographic privacy and authentication for data communication.
• PGP employs a hybrid approach by combining symmetric encryption (for speed) and
asymmetric encryption (for secure key distribution).
• Each user generates a public-private key pair. The private key is kept secret, while the
public key is shared with others.
• A random symmetric session key is generated to encrypt the actual message. This is
done with symmetric encryption
• The symmetric session key itself is then encrypted with the recipient’s public key
(asymmetric encryption) and attached to the message.
• The encrypted message and the encrypted session key are sent to the recipient.
• The recipient first decrypts the session key using their private key.
• Using the decrypted session key, they then decrypt the actual message.
• PGP supports digital signatures for authentication and integrity.

S/MIME :
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely used protocol for
secure email communications. It provides authentication, message integrity, and encryption by
using digital signatures and public-key encryption. S/MIME is often used by businesses and
organizations to secure sensitive email communication.
• S/MIME uses asymmetric encryption for authentication and key exchange and
symmetric encryption for the actual message content
• When a sender wants to send an authenticated email, they generate a hash of the
message.
• This hash is then encrypted with the sender’s private key, creating a digital signature.
• The digital signature is attached to the email and sent to the recipient.
• The sender generates a symmetric session key for encrypting the email content.
• The session key is then encrypted with the recipient's public key.
• The encrypted message and encrypted session key are sent to the recipient.
• Upon receiving the email, the recipient first decrypts the session key using their private
key
• They then use the decrypted session key to decrypt the message content.
To verify the digital signature, the recipient decrypts the signature using the sender's public
key. They then hash the original message and compare it to the decrypted hash. If they match,
the message is authenticated as coming from the claimed sender and is unchanged.
IP Security Architecture :
1. Authentication Header (AH)
The Authentication Header (AH) is a key component of the IPsec protocol suite that
provides data integrity, authentication, and anti-replay protection for IP packets.
Key Features of AH:
• Integrity Protection: AH ensures that the data within the packet has not been altered
during transmission. It does this by calculating a hash over the packet's contents
(including the header and payload) using a cryptographic hash function.
• Authentication: The sender generates a Message Authentication Code (MAC) using a
shared secret key and includes this MAC in the AH header. The receiver can then verify
the MAC to ensure the packet’s authenticity.
• Anti-Replay Protection: AH includes a sequence number in its header, which helps
prevent replay attacks. The receiver can check the sequence number to ensure that each
packet is unique and has not been resent maliciously.
• No Encryption: Unlike ESP, AH does not provide encryption. Therefore, the payload
remains visible, making it suitable for scenarios where confidentiality is not a concern
but integrity and authenticity are critical.
AH Header Format:
• The AH header includes several fields:
o Next Header: Indicates the type of protocol following the AH header (e.g., TCP,
UDP).
o Payload Length: Specifies the length of the AH header.
o Reserved: Reserved for future use.
o Security Parameters Index (SPI): Identifies the security association in use.
o Sequence Number: Prevents replay attacks.
o Integrity Check Value (ICV): The result of the hash function used for integrity
protection
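The AH header fields and the sequence-number check described above, as an added example that is not part of the original notes: a parser for the fixed AH layout from RFC 4302 and a 64-packet sliding anti-replay window. The sample header bytes are constructed, and the class and function names are this example's own.

```python
import struct

def parse_ah(data):
    """Parse an Authentication Header from the start of `data`."""
    if len(data) < 12:
        raise ValueError("AH header needs at least 12 bytes")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    # Payload Length is the AH length in 32-bit words, minus 2.
    total = (payload_len + 2) * 4
    if total < 12 or len(data) < total:
        raise ValueError("truncated or inconsistent AH header")
    return {"next_header": next_header, "length": total, "reserved": reserved,
            "spi": spi, "seq": seq, "icv": data[12:total]}

class ReplayWindow:
    """Sliding window over sequence numbers; bit 0 is the highest seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.top:                    # new highest: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: reject
        if (self.bitmap >> offset) & 1:
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept
        return True

def accept(packet, window):
    # A real receiver verifies the ICV first and only then updates the
    # window; ICV verification is outside the scope of this example.
    return window.check_and_update(parse_ah(packet)["seq"])

def sample_ah(seq, spi=0x1000):
    """Constructed header: next header 6 (TCP), 12-byte all-zero ICV."""
    return struct.pack("!BBHII", 6, 4, 0, spi, seq) + bytes(12)

if __name__ == "__main__":
    window = ReplayWindow()
    for seq in (1, 2, 5, 3, 5, 2, 100, 36, 37):
        print(seq, accept(sample_ah(seq), window))
```
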
2. Encapsulating Security Payload (ESP)
The Encapsulating Security Payload (ESP) is another essential component of IPsec that
provides confidentiality, integrity, and authentication for IP packets.
Key Features of ESP:
• Confidentiality: ESP encrypts the payload of the IP packet, ensuring that unauthorized
parties cannot read the data. This is achieved using symmetric encryption algorithms
like AES or 3DES.
• Integrity and Authentication: Similar to AH, ESP provides integrity and authentication
by using a MAC. This ensures that the packet has not been tampered with during
transmission.
• Flexible: ESP can be configured to provide only encryption, only authentication, or
both. This flexibility allows for different security needs depending on the application.
• Header and Trailer: ESP adds its own header and trailer to the packet. The header
contains fields such as the Security Parameters Index (SPI) and sequence number, while
the trailer includes padding and an integrity check value (ICV).
ESP Header and Trailer Format:
• ESP Header:
o SPI: Identifies the security association.
o Sequence Number: Used for anti-replay protection.
• ESP Payload: The original payload data, which is encrypted.
• ESP Trailer:
o Padding: Added to ensure the payload aligns with the block size of the
encryption algorithm.
o Padding Length: Indicates the length of the padding.
o Next Header: Indicates the type of protocol following the ESP header.
3. Combining Security Associations
In IPsec, security associations (SAs) define the parameters and keys used for securing
communication between two endpoints. A combination of SAs is often necessary to provide
comprehensive security.
Key Aspects of Combining Security Associations:
• SA Types: There are two types of SAs in IPsec:
o Inbound SA: Defines the parameters for incoming traffic.
o Outbound SA: Defines the parameters for outgoing traffic.
• Multiple Protocols: An IPsec connection may use multiple SAs simultaneously,
allowing for different protocols (e.g., AH and ESP) to be applied to the same
communication session.
• Security Policy Database (SPD): This database specifies the rules for how packets
should be handled, indicating which SAs should be used for particular types of traffic.
• Establishing SAs: Security associations can be established manually (static) or
automatically through protocols like IKE.
4. Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is a crucial protocol used in IPsec for establishing secure
communications by creating and managing security associations (SAs).
Key Features of IKE:
• Two Phases: IKE operates in two phases:
o Phase 1: Establishes a secure, authenticated channel between the peers. This
phase can use either main mode (more secure but slower) or aggressive mode
(faster but less secure). Temporary keying material is established, which is
used for subsequent communication.
o Phase 2: Negotiates the security associations for IPsec. This phase uses the
secure channel established in Phase 1 to negotiate the parameters and keys used
for actual data encryption.
• Authentication: IKE supports various authentication methods, including pre-shared
keys, digital certificates, and public key authentication.
• Key Management: IKE automates the key management process, ensuring that keys are
generated, exchanged, and refreshed securely without manual intervention.

• Authentication Header (AH) provides integrity, authentication, and anti-replay
protection for IP packets but does not encrypt the payload.
• Encapsulating Security Payload (ESP) offers confidentiality, integrity, and
authentication, encapsulating the original payload for secure transmission.
• Combining Security Associations allows for flexible and comprehensive security
solutions by using multiple SAs for different types of traffic.
• Internet Key Exchange (IKE) automates the secure establishment and management
of security associations, facilitating encrypted communications through robust key
management practices.
