Introduction to Information & N/W Security

OSI Security Architecture

▪ The OSI (Open Systems Interconnection) security architecture
focuses on Security Attacks, Mechanisms, and Services.
▪ Security Attack: Any action that compromises the security of
information owned by an organization.
▪ Security Mechanism: A process that is designed to detect,
prevent, or recover from a security attack.
▪ Security Service: A communication service that enhances the
security of the data processing systems and the information
transfers of an organization.
Security Attacks
▪ A passive attack attempts to learn or make use of information
from the system but does not affect system resources.
1. Release of message contents
2. Traffic analysis
▪ An active attack attempts to alter system resources or affect their
operation.
1. Masquerade
2. Replay
3. Modification of messages
4. Denial of service.
1) Release of message contents (Passive Attack)

▪ A telephone conversation, an electronic mail message, and a

transferred file may contain sensitive or confidential information.
▪ We would like to prevent an opponent from learning the contents
of these transmissions.
2) Traffic Analysis (Passive Attack)

▪ In such attacks, an adversary, capable of observing network traffic

statistics in several different networks, correlates the traffic
patterns in these networks.
1) Masquerade Attack (Active Attack)

▪ A masquerade takes place when one entity pretends to be a

different entity.
2) Replay Attack (Active Attack)

▪ Replay attack involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect.
3) Modification of messages Attack (Active Attack)

▪ Modification of messages simply means that some portion of a

legitimate message is altered, or that messages are delayed or
reordered, to produce an unauthorized effect.
4) Denial of Service Attack (Active Attack)

▪ The denial of service attack prevents the normal use or

management of communications facilities.
Security Services (X.800)
▪ X.800 standard defines a security service as a service that is
provided by a protocol layer of communicating open systems and
that ensures security of the systems or of data transfers.
 Security Services

Data
Authentication Access Control Data Integrity Non Repudiation
Confidentiality

Connection
Peer Entity Connection Non Repudiation
Integrity with
Authentication Confidentiality Origin
recovery

Connection
Data Origin Connection less Non Repudiation
Integrity with
Authentication Confidentiality Destination
out recovery

Selective Field
Selective Repeat
Connection
Confidentiality
Integrity

Traffic Flow Connection less

Confidentiality Integrity

Selective Field
Connection less
Integrity
Authentication
▪ Authentication is the assurance that the communicating entity is
the one that it claims to be.
Who you are ?
1. Peer Entity Authentication: (biometrics)
Used in association with a
logical connection to provide
confidence in the identity of Physical
the entities connected. authentication
2. Data-Origin Authentication: In where you are ?
a connectionless transfer,
provides assurance that the What you know ?
source of received data is as Password
claimed. One-time Passwords
Network address
Access Control
▪ Access control is the prevention of unauthorized use of a resource
▪ This service controls who can have access to a resource, under
what conditions access can occur, and what those accessing the
resource are allowed to do).
Data Confidentiality
▪ Data confidentiality is the protection of data from unauthorized
disclosure.
1. Connection Confidentiality: The
protection of all user data on a
connection.
2. Connectionless Confidentiality: The
protection of all user data in a single
data block.
3. Selective-Field Confidentiality: The
confidentiality of selected fields
within the user data on a connection
or in a single data block.
4. Traffic-Flow Confidentiality: The
protection of the information that
might be derived from observation of
traffic flows.
Data Integrity
▪ Data integrity is the assurance that data received are exactly as
sent by an authorized entity (i.e., contain no modification,
insertion, deletion, or replay).
 Data Integrity (Cont…)
▪ Connection Integrity with Recovery: Provides integrity of all user
data on a connection and detects any modification, insertion,
deletion, or replay of any data with recovery attempted.
▪ Connection Integrity without Recovery: As above, but provides
only detection without recovery.
▪ Selective-Field Connection Integrity: Provides integrity of selected
fields within the user data and takes the form of determination of
whether the selected fields have been modified, inserted, deleted,
or replayed.
 Data Integrity (Cont…)
▪ Connectionless Integrity: Provides integrity of a single
connectionless data block and may take the form of detection of
data modification. Additionally, a limited form of replay detection
may be provided.
▪ Selective-Field Connectionless Integrity: Provides integrity of
selected fields within a single connectionless data block; takes the
form of determination of whether the selected fields have been
modified.
Non Repudiation
▪ Nonrepudiation is the assurance that someone cannot deny
something.
▪ Typically, nonrepudiation refers to the ability to ensure that a
communication cannot deny the authenticity of their signature on
a document or the sending of a message that they originated.

Transfer Rs. 1,00,000

To Bank
After few days
User A I have never
requested to transfer
Rs. 1,00,000
to Bank Bank
Non Repudiation (Cont…)
▪ Nonrepudiation-Origin: Proof that the message was sent by the
specified party.
▪ Nonrepudiation-Destination: Proof that the message was
received by the specified party.
Security Mechanisms (X.800)
▪ Specific security mechanisms: Integrated into the appropriate
protocol layer in order to provide some of the OSI security
services.
▪ Pervasive security mechanisms: Not integrated to any particular
OSI security service or protocol layer
Security Mechanism (Specific Security)
▪ Encipherment: Hiding or covering data using mathematical
algorithms.
▪ Digital Signature: The sender can electronically sign the data and
the receiver can electronically verify the signature.
▪ Access Control: A variety of mechanisms that enforce access rights
to resources.
▪ Data Integrity: A variety of mechanisms used to assure the
integrity of a data unit or stream of data units.
▪ Authentication Exchange: Two entities exchange some messages
to prove their identity to each other.
Security Mechanism (Specific security)
▪ Traffic Padding: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.
▪ Routing Control: Selecting and continuously changing routes
between sender and receiver to prevent opponent from
eavesdropping.
▪ Notarization: The use of a trusted third party to assure and
control the communication.
Model for Network Security
Trusted third party
(e.g., arbiter, distributer
of secret information)

Sender Recipient
Security -related Info. Security -related

Message

Message
Message
Message

Transformation Channel Transformation

Secure
Secure

Secret Secret
Information Opponent Information
Encryption and Decryption

Hello f7#er Hello

Sender Encryption Decryption Receiver
 Symmetric Cipher Model (Conventional Encryption)
Secret key shared by Secret key shared by
sender and recipient sender and recipient
K
K
Transmitted
cipher text
Y = E(K, X)
X X
Plaintext Encryption Algorithm Decryption Algorithm Plaintext
input (e.g. AES) (reverse of encryption output
algorithm)
▪ An original message is known as the plaintext, while the coded
message is called the ciphertext.
▪ The process of converting from plaintext to ciphertext is known as
enciphering or encryption; restoring the plaintext from the
ciphertext is deciphering or decryption.
▪ An opponent, observing Y but not having access to K or X, may
attempt to recover X or K or both X and K.
▪ If the opponent is interested in only this particular message, then
he will focus to recover X by generating a plaintext estimate 𝑋.෠
▪ Often, however, the opponent is interested in being able to read
future messages as well, in which case an attempt is made to
recover K by generating an estimate 𝐾. ෡
Substitution Techniques
▪ A substitution technique is one in which the letters of plaintext are
replaced by other letters or by numbers or symbols.
1) Caesar Cipher
2) Monoalphabetic Cipher
3) Playfair Cipher
4) Hill Cipher
5) Polyalphabetic Ciphers
6) One-Time Pad
1) Caesar Cipher
▪ The Caesar cipher involves replacing each letter of the alphabet
with the letter standing three places further down the alphabet.
▪ In encryption each plaintext letter P, substitute the ciphertext
letter C:
C = E(k, P) = (P + k) mod 26
C = E(3, P) = (P + 3) mod 26
▪ For decryption algorithm is:

P = D(k, C) = (C - k) mod 26
Caesar Cipher (Cont…)
▪ Let us assign a numerical equivalent to each letter
a b c d e f g h i j k l m
0 1 2 3 4 5 6 7 8 9 10 11 12
n o p q r s t u v w x y z
13 14 15 16 17 18 19 20 21 22 23 24 25

C = E(3, P) = (P + 3) mod 26
plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c

Example:
Plaintext: THE QUICK BROWN FOX
Ciphertext: WKH TXLFN EURZQ IRA
Brute force attack on Caesar Cipher
▪ The encryption and decryption algorithms are known.
▪ There are only 25 keys to try.
▪ The language of the plaintext is known and easily recognizable.
Brute force attack on Caesar Cipher
Ciphertext: ZNK WAOIQ HXUCT LUD
Key Transformed text Key Transformed text
1 YMJ VZNHP GWTBS KTC 14 LZW IMAUC TJGOF XGP
2 XLI UYMGO FVSAR JSB 15 KYV HLZTB SIFNE WFO
3 WKH TXLFN EURZQ IRA 16 JXU GKYSA RHEMD VEN
4 VJG SWKEM DTQYP HQZ 17 IWT FJXRZ QGDLC UDM
5 UIF RVJDL CSPXOGPY
18 HVS EIWQY PFCKB TCL
6 THE QUICK BROWN FOX
19 GUR DHVPX OEBJA SBK
7 SGD PTHBJ AQNVM ENW
8 RFC OSGAI ZPMUL DMV 20 FTQ CGUOW NDAIZ RAJ
9 QEB NRFZH YOLTK CLU 21 ESP BFTNV MCZHY QZI
10 PDA MQEYG XNKSJ BKT 22 DRO AESMU LBYGX PYH
11 OCZ LPDXF WMJRI AJS 23 CQN ZDRLT KAXFW OXG
12 NBY KOCWE VLIQH ZIR 24 BPM YCQKS JZWEV NWF
13 MAX JNBVD UKHPG YHQ 25 AOL XBPJR IYVDU MVE
Substitution Techniques
1) Caesar Cipher
2) Monoalphabetic Cipher
3) Playfair Cipher
4) Hill Cipher
5) Polyalphabetic Ciphers
6) One-Time Pad
2) Monoalphabetic Cipher (Simple substitution)
▪ It is an improvement to the Caesar Cipher.
▪ Instead of shifting the alphabets by some number, this scheme
uses some permutation of the letters in alphabet.
▪ The sender and the receiver decide on a randomly selected
permutation of the letters of the alphabet.
▪ With 26 letters in alphabet, the possible permutations are 26!
which is equal to 4x1026.

plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: y n l k x b s h m i w d p j r o q v f e a u g t z c
Substitution Techniques
1) Caesar Cipher
2) Monoalphabetic Cipher
3) Playfair Cipher
4) Hill Cipher
5) Polyalphabetic Ciphers
6) One-Time Pad
3) Playfair Cipher
▪ The Playfair algorithm is based on a 5 × 5 matrix (key) of letters.
▪ The matrix is constructed by filling in the letters of the keyword
(minus duplicates) from left to right and from top to bottom, and
then filling in the remainder of the matrix with the remaining
letters in alphabetic order. The letters I and J count as one letter.

O C U R E
Example: N A B D F
Keyword= OCCURRENCE
Plaintext= TALL TREES G H I/J K L
M P Q S T
V W X Y Z
Playfair Cipher - Encrypt Plaintext
▪ Playfair, treats digrams (two letters) in the plaintext as single units
and translates these units into ciphertext digrams.
▪ Make Pairs of letters add filler letter “X” if same letter appears in a
pair.
Plaintext= TALL TREES
Plaintext= TA LX LT RE ES
▪ If there is an odd number of letters, then add uncommon letter to
complete digram, a X/Z may be added to the last letter.
Playfair Cipher Examples
1. Key= “ engineering ” Plaintext=” test this process ”
2. Key= “ keyword ” Plaintext=” come to the window ”
3. Key= “ moonmission ” Plaintext=” greet ”
E N G I R Encrypted Message: K E Y W O Encrypted Message:
A B C D F pi tu pm gt ue lf gp xg R D A B C lc nk zk vf yo gq ce
H K L M O F G H I L bw
P Q S T U M N P Q S
V W X Y Z T U V X Z
M O N I S Encrypted Message:
A B C D E hq cz du
F G H K L
P Q R T U
V W X Y Z
Substitution Techniques
1) Caesar Cipher
2) Monoalphabetic Cipher
3) Playfair Cipher
4) Hill Cipher
5) Polyalphabetic Ciphers
6) One-Time Pad
4) Hill Cipher
▪ Hill cipher is based on linear algebra
▪ Each letter is represented by numbers from 0 to 25 and
calculations are done modulo 26.
▪ Encryption and decryption can be given by the following formula:
Encryption: C=PK mod 26

Decryption: P=CK-1 mod 26

𝑘11 𝑘12 𝑘13

𝑐1 𝑐2 𝑐3 = 𝑝1 𝑝2 𝑝3 𝑘21 𝑘22 𝑘23 mod 26
𝑘31 𝑘32 𝑘33
Hill Cipher Encryption
▪ To encrypt a message using the Hill Cipher we must first turn our
keyword and plaintext into a matrix (a 2 x 2 matrix or a 3 x 3
matrix, etc).
Example: Key = “HILL”, Plaintext = “EXAM”
a b c d e f g h i j k l m
0 1 2 3 4 5 6 7 8 9 10 11 12
n o p q r s t u v w x y z
13 14 15 16 17 18 19 20 21 22 23 24 25

H I 7 8
Key Matrix =
L L 11 11
E A 4 0
Plaintext =
X M 23 12
Hill Cipher Encryption (Cont…)
H I 7 8 E A 4 0
Key Matrix = = Plaintext =
L L 11 11 X M 23 12
C=PK mod 26
7 8 4 7 8 0
11 11 23 11 11 12
7 x 4 + 8 x 23 = 212 7 x 0 + 8 x 12 = 96
11 x 4 + 11 x 23 = 297 11 x 0 + 11 x 12 = 132
7 8 4 212 7 8 0 96
= =
11 11 23 297 11 11 12 132
212 4 E 96 18 S
= mod 26 = = mod 26 =
297 11 L 132 2 C
Ciphertext = “ELSC”
Hill Cipher Decryption
P=CK-1 mod 26

Step:1 Find Inverse of key matrix

Step:2 Multiply the Multiplicative Inverse of the Determinant by the
Adjoin Matrix
Step:3 Multiply inverse key matrix with ciphertext matrix to obtain
plaintext matrix
Step: 1 Inverse of key matrix
2 X 2 inverse of matrix
−1 1
a b d −b
=
c d ad − cb −c a

3 X 3 inverse of matrix
1
A−1 = ∙ adjoin(A)
determinant(A)
Step: 1 Inverse of key matrix
−1 1
7 8 11 −8
Inverse Key Matrix = =
11 11 77 − 88 −11 7
1 11 −8
=
−11 −11 7
▪ -11 mod 26 = 15
1 11 18 ▪ Because, modulo for negative
= mod 26
15 15 7 number is = N- (B%N)
= 26 – (11%26)
Step: 2 Modular (Multiplicative) inverse
▪ The inverse of a number A is 1/A since A * 1/A = 1
e.g. the inverse of 5 is 1/5
▪ In modular arithmetic we do not have a division operation.
▪ The modular inverse of A (mod C) is A-1
▪ (A * A-1) ≡ 1 (mod C)
Example:
▪ The modular inverse of A mod C is the A-1 value that makes
A * A-1 mod C = 1
A = 3, C = 11
Since (3*4) mod 11 = 1, 4 is modulo inverse of 3
A = 10, C = 17 , A-1 = ?12
Step 2: Modular (Multiplicative) inverse
Determinants’ multiplicative inverse Modulo 26

Determinant 1 3 5 7 9 11 15 17 19 21 23 25

Inverse Modulo 26 1 9 21 15 3 19 7 23 11 5 17 25

1 11 18
= mod 26
15 15 7
1
▪ Multiplicative inverse of is 7
15
Step 2: Multiply with adjoin of matrix
11 18 77 126 25 22
=7 = = mod 26
15 7 105 49 1 23

7 8 25 22
= thus, if K = then K −1 =
11 11 1 23
Hill Cipher Encryption (Cont…)
25 22 E S 4 18
Inverse Key Matrix = Ciphertext =
1 23 L C 11 2
P=CK-1 mod 26
25 22 4 25 22 18
1 23 11 1 23 2
25 x 4 + 22 x 11 = 342 25 x 18 + 22 x 2 = 494
1 x 4 + 23 x 11 = 257 1 x 18 + 23 x 2 = 64
25 22 4 342 7 8 0 494
= =
1 23 11 257 11 11 12 64
342 4 E 494 0 A
= mod 26 = = mod 26 =
257 23 X 64 12 M
Plaintext = “EXAM”
Substitution Techniques
1) Caesar Cipher
2) Monoalphabetic Cipher
3) Playfair Cipher
4) Hill Cipher
5) Polyalphabetic Ciphers
6) One-Time Pad
5) Polyalphabetic Cipher
▪ Monoalphabetic cipher encoded using only one fixed alphabet
▪ Polyalphabetic cipher is a substitution cipher in which the cipher
alphabet for the plain alphabet may be different at different
places during the encryption process.
1. Vigenere cipher
2. Vernam cipher
 Plaintext

K
e
y

PT = HELLO
KEY = GMGMG
CT = NQRXU
Vigenere Cipher
Keyword : DECEPTIVE
Key : DECEPTIVEDECEPTIVEDECEPTIVE
Plaintext : WEAREDISCOVEREDSAVEYOURSELF
Ciphertext : ZICVTWQNGRZGVTWAVZHCQYGLMGJ
C = P1 + K1 , P2 + K 2 , … Pm + K m mod 26
P = C1 − K1 , C2 − K 2 , … Cm − K m mod 26

An analyst looking at only the ciphertext would detect the repeated

sequences VTW at a displacement of 9 and make the assumption that the
keyword is either three or nine letters in length.
This system
Keyword : DECEPTIVE is referred as
Key : DECEPTIVEWEAREDISCOVEREDSAV an autokey
Plaintext : WEAREDISCOVEREDSAVEYOURSELF system
Vernam Cipher
▪ The ciphertext is generated by applying the logical XOR operation
to the individual bits of plaintext and the key stream.
Substitution Techniques
1) Caesar Cipher
2) Monoalphabetic Cipher
3) Playfair Cipher
4) Hill Cipher
5) Polyalphabetic Ciphers
6) One-Time Pad
One time pad
▪ The one-time pad, which is a provably secure cryptosystem,
was developed by Gilbert Vernam in 1918.
▪ The message is represented as a binary string (a sequence of 0’s
and 1’s using a coding mechanism such as ASCII coding.
▪ The key is a truly random sequence of 0’s and 1’s of the same
length as the message.
▪ message =‘IF’
▪ then its ASCII code =(1001001 1000110)
▪ key = (1010110 0110001)
▪ Encryption:
• 1001001 1000110 plaintext
• 1010110 0110001 key
• 0011111 1110110 ciphertext
Transposition Techniques
▪ A transposition cipher does not substitute one symbol for another,
instead it changes the location of the symbols.
▪ The simplest such cipher is the rail fence technique, in which the
plaintext is written down as a sequence of diagonals and then
read off as a sequence of rows.
▪ For example, to send the message “Meet me at the park” to Bob,
Alice writes

▪ She then creates the ciphertext “MEMATEAKETETHPR”.

Rail fence technique
▪ A more complex scheme is to write the message in a rectangle,
row by row, and read the message off, column by column, but
permute the order of the columns.
▪ The order of the columns then becomes the key to the algorithm.

Key: 4 3 1 2 5 6 7
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
Cryptography and Cryptanalysis
▪ Cryptography and Cryptanalysis
• Cryptography is the study of the design of techniques for
ensuring the secrecy and/or authenticity of information
• Cryptanalysis deals with the defeating such techniques to
recover information, or forging information that will be
accepted as authentic
Cryptographic Algorithms
▪ Cryptographic algorithms and protocols can be grouped into four
main areas
Cryptographic
algorithms and
protocols

Symmetric Asymmetric Data integrity Authentication

encryption encryption algorithms protocols
▪ Symmetric encryption used to secure the contents of blocks or
streams of data of any size, including messages, files, encryption
keys, and passwords
▪ Authentication Protocols are schemes based on the use of
cryptographic algorithms designed to authenticate the identity of
entities.
Security Objectives
▪ Security objectives for information and computing services are
Confidentiality, Integrity, Availability, Authenticity, Accountability.
1) Confidentiality:
• Data confidentiality: Assures that private or confidential
information is not made available or disclosed to unauthorized
individuals.
• Privacy: Assures that individuals control what information
related to them may be collected and stored and by whom and
to whom that information may be disclosed.
Security Objectives (Cont…)
2) Integrity:
• Data integrity: Assures that information and programs are
changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended
function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.
3) Availability: Assures that systems work promptly and service is
not denied to authorized users.
Security Objectives (Cont…)
4) Authenticity:
• The property of being genuine and being able to be verified
and trusted; confidence in the validity of a transmission, a
message, or message originator.
• This means verifying that each input arriving at the system
came from a trusted source.
5) Accountability:
• The security goal that generates the requirement for actions of
an entity to be traced uniquely to that entity.
• This supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery
and legal action.
Threat and Attack
▪ Threat: A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that could
crack security and cause harm. That is, a threat is a possible
danger that might exploit a vulnerability.
▪ Attack: An violation on system security that derives from an
intelligent threat; that is, an intelligent act that is a calculated
attempt to avoid security services and violate the security policy
of a system.