
CRYPTOGRAPHY AND NETWORK SECURITY Notes

The document provides an overview of cryptography and network security, detailing the OSI Security Architecture, types of security attacks, services, and mechanisms. It covers classical encryption techniques, block ciphers including DES and AES, public key cryptography, and key management, as well as IPSec for securing IP communications. Key concepts include confidentiality, authentication, and data integrity, along with various encryption methods and their applications.

Uploaded by

autops17
Copyright
© All Rights Reserved

CRYPTOGRAPHY AND NETWORK SECURITY

Module 1

1. Introduction to OSI Security Architecture


The OSI (Open Systems Interconnection) Security Architecture is a framework that
helps define security needs and solutions for communication systems. It provides
a systematic way to classify and organize security requirements, attacks, services,
and mechanisms.
Key Components of OSI Security Architecture
1. Security Attacks: Actions that compromise the security of data.
2. Security Services: Functions designed to counteract security attacks.
3. Security Mechanisms: Techniques and tools used to implement security
services.

2. Security Attacks
A security attack is an attempt to compromise the security of a system.
Types of Attacks:
1. Passive Attacks:
o Focus on monitoring and gathering data without modifying it.
o Difficult to detect but do not affect the system's functioning.
o Examples:
▪ Eavesdropping: Listening to private communication.
▪ Traffic Analysis: Observing data patterns, like frequency or size,
to gather insights.
2. Active Attacks:
o Attempt to alter or disrupt data and system resources.
o Easier to detect but cause more damage.
o Examples:
▪ Masquerade: Pretending to be someone else.
▪ Replay: Resending captured data to deceive the receiver.
▪ Modification of Messages: Tampering with the data.
▪ Denial of Service (DoS): Overloading systems to make them
unavailable.

3. Security Services
Security services are measures that ensure secure communication by protecting
data and resources.
Types of Security Services:
1. Confidentiality: Ensures that only authorized parties can access data.
o Example: Encrypting sensitive information during transmission.
2. Authentication: Verifies the identity of users and systems.
o Example: Login credentials.
3. Data Integrity: Ensures data is not altered during transmission.
o Example: Using checksums to detect tampering.
4. Non-repudiation: Prevents parties from denying their actions.
o Example: Digital signatures.
5. Access Control: Restricts unauthorized access to resources.
o Example: Firewalls and access permissions.

4. Security Mechanisms
These are the methods used to achieve security services.
Common Security Mechanisms:
1. Encryption: Encodes data to prevent unauthorized access.
o Example: AES (Advanced Encryption Standard).
2. Digital Signatures: Authenticate the sender and ensure data integrity.
3. Firewalls: Filter incoming and outgoing traffic to block unauthorized access.
4. Intrusion Detection Systems (IDS): Monitor networks to identify potential
threats.

5. Model for Network Security


This model explains the basic steps required to secure data during transmission.
Steps in the Model:
1. Sender: The person or system sending the data.
2. Encryption Algorithm: Converts plaintext (readable data) into ciphertext
(encoded data).
3. Secure Channel: Transmits the ciphertext to the receiver.
4. Decryption Algorithm: Converts ciphertext back into plaintext.
5. Receiver: The intended recipient of the data.

2. Classical Encryption Techniques


1. Symmetric Cipher Model
• In this model, the same key is used for encryption (to encode data) and
decryption (to decode data).
• Advantages: Fast and efficient for large datasets.
• Disadvantages: Requires secure key sharing between sender and receiver.
Example: Caesar Cipher
• Shifts each letter of the plaintext by a fixed number of positions.
• Example:
o Plaintext: HELLO
o Key: 3
o Ciphertext: KHOOR

2. Substitution Techniques
These methods replace the characters in plaintext with other characters or
symbols.
Types of Substitution Techniques:
1. Caesar Cipher:
o Shifts the letters by a fixed number.
o Example: Plaintext: ABC, Key: 1 → Ciphertext: BCD
2. Monoalphabetic Cipher:
o Each character in the plaintext is replaced with a different character.
o Example: Plaintext: HELLO → Ciphertext: QEXXE (based on a
substitution table).
3. Playfair Cipher:
o Encrypts digraphs (pairs of letters) using a 5x5 grid of letters.
o Steps:
▪ Create a grid with a keyword (e.g., MONARCHY).
▪ Pair the plaintext letters (e.g., MEET ME → ME ET ME).
▪ Encrypt based on grid positions.
4. Vigenère Cipher:
o A polyalphabetic cipher that uses a keyword to determine the shift
for each letter.
o Example:
▪ Plaintext: ATTACK
▪ Keyword: LEMON
▪ Ciphertext: LXFOPV
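
The substitution examples above, reproduced in code. This is an added example, not part of the original notes; the function names are assumptions, and the Caesar cipher is treated as a Vigenère cipher with the one-letter keyword "D" (shift 3).

```python
ALPHABET_25 = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # Playfair alphabet, I and J share a cell


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Shift each letter by the matching keyword letter (A=0 ... Z=25)."""
    if not keyword.isalpha():
        raise ValueError("keyword must contain letters only")
    out, k = [], 0
    for ch in plaintext.upper():
        if "A" <= ch <= "Z":
            shift = ord(keyword[k % len(keyword)].upper()) - ord("A")
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
            k += 1  # the keyword only advances on letters
        else:
            out.append(ch)
    return "".join(out)


def playfair_grid(keyword: str) -> list:
    """Return the 5x5 grid in row-major order: keyword first, then the rest."""
    grid = []
    for ch in keyword.upper() + ALPHABET_25:
        ch = "I" if ch == "J" else ch
        if "A" <= ch <= "Z" and ch not in grid:
            grid.append(ch)
    return grid


def playfair_pairs(plaintext: str) -> list:
    """Split into digraphs; a doubled letter or a lone last letter gets a filler."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if "A" <= c <= "Z"]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "Q" if a == "X" else "X"
        if i + 1 < len(letters) and letters[i + 1] != a:
            pairs.append((a, letters[i + 1]))
            i += 2
        else:
            pairs.append((a, filler))
            i += 1
    return pairs


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    grid = playfair_grid(keyword)
    out = []
    for a, b in playfair_pairs(plaintext):
        ra, ca = divmod(grid.index(a), 5)
        rb, cb = divmod(grid.index(b), 5)
        if ra == rb:      # same row: take the letter to the right
            out += [grid[ra * 5 + (ca + 1) % 5], grid[rb * 5 + (cb + 1) % 5]]
        elif ca == cb:    # same column: take the letter below
            out += [grid[((ra + 1) % 5) * 5 + ca], grid[((rb + 1) % 5) * 5 + cb]]
        else:             # rectangle: keep the row, swap the columns
            out += [grid[ra * 5 + cb], grid[rb * 5 + ca]]
    return "".join(out)


if __name__ == "__main__":
    print(vigenere_encrypt("HELLO", "D"))           # Caesar, key 3
    print(vigenere_encrypt("ATTACK", "LEMON"))      # Vigenère
    print(playfair_pairs("MEET ME"))                # digraphs
    print(playfair_encrypt("MEET ME", "MONARCHY"))  # Playfair
```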

3. Transposition Techniques
These methods rearrange the characters of the plaintext without altering the
actual characters.
Types of Transposition Techniques:
1. Rail Fence Cipher:
o Letters are written in a zigzag pattern across multiple rows.
o Example:
▪ Plaintext: ATTACK AT DAWN
▪ Rows:

▪ Ciphertext: ATADWTCKTAN
2. Columnar Transposition Cipher:
o Plaintext is written into rows under column headings (keys) and then
read column by column.
o Example:
▪ Plaintext: ATTACKATDAWN
▪ Key: 3 1 4 2
▪ Arrange in rows:

▪ Read by column: TTAATCADWKN.

Key Differences:
• Substitution Techniques: Change the characters.
• Transposition Techniques: Rearrange the characters.

Module 2

1. Block Ciphers
A block cipher is a method of encrypting data in fixed-size blocks, where each
block is processed independently.
Key Features:
• Fixed Block Size: Data is divided into blocks of a specific size (e.g., 64 bits or
128 bits).
• Symmetric Key: A single key is used for both encryption and decryption.
• Secure Transformation: The encryption process involves substitution
(replacing bits) and permutation (rearranging bits).
Example of Block Cipher Process:
• Plaintext: "HELLOALL"
• Block size: 4 characters
• Steps:
1. Divide the plaintext into blocks: [HELL] [OALL].
2. Encrypt each block separately using a key.

2. Data Encryption Standard (DES)


DES is a symmetric block cipher introduced in the 1970s. It encrypts data in 64-bit
blocks using a 56-bit key.
How DES Works:
1. Initial Permutation (IP): Rearranges the bits of the plaintext in a fixed
pattern.
2. 16 Rounds of Encryption:
o Key Generation: A 56-bit key is divided into subkeys, one for each
round.
o Each round includes:
▪ Substitution (S-boxes): Replace bits based on predefined
tables.
▪ Permutation: Rearrange the bits for diffusion.
▪ XOR with Key: Combine the bits with the round key.
3. Final Permutation (FP): Rearranges the bits again to produce the ciphertext.
Simplified DES (S-DES):
A smaller, 8-bit version of DES for learning purposes.
• Example:
o Input: 8-bit plaintext, e.g., 10101011.
o Key: 10-bit key, e.g., 1010000010.
o Process: Apply initial permutation → XOR with key → Substitution
and permutation → Final permutation → Ciphertext.

3. Block Cipher Principles


Block ciphers work on two main principles:
1. Substitution-Permutation Network (SPN):
• Substitution: Replace bits with new values (using S-boxes).
• Permutation: Rearrange bits to ensure that changes spread across the
ciphertext.
2. Multiple Rounds:
• Security increases with the number of rounds. Each round applies
substitution, permutation, and key mixing.

4. Differential and Linear Cryptanalysis
1. Differential Cryptanalysis:
A method to analyze block ciphers by studying how differences in plaintext affect
differences in ciphertext.
• Example:
o Plaintext 1: 10101010 → Ciphertext: 11001100
o Plaintext 2: 10101110 → Ciphertext: 11100101
o Observation: The difference in the plaintext affects certain bits of the
ciphertext, revealing patterns.
2. Linear Cryptanalysis:
This method analyzes block ciphers by finding linear relationships between
plaintext, ciphertext, and keys.

5. Modes of Operation
Modes of operation define how block ciphers handle plaintext longer than one
block.
Common Modes:
1. ECB (Electronic Codebook Mode):
o Each block is encrypted independently.
o Advantage: Simple and fast.
o Disadvantage: Repeated plaintext blocks produce repeated
ciphertext blocks.
2. CBC (Cipher Block Chaining Mode):
o Each plaintext block is XORed with the previous ciphertext block
before encryption.
o Advantage: Patterns in plaintext are hidden.
3. CTR (Counter Mode):
o Each block is XORed with an encrypted counter value.
o Advantage: Supports parallel processing for faster encryption.

6. Advanced Encryption Standard (AES)


AES is a block cipher designed to replace DES. It uses blocks of 128 bits and
supports key sizes of 128, 192, or 256 bits.
AES Process:
1. Input: A 128-bit plaintext and a key.
2. Rounds:
o Key Expansion: Generate round keys from the original key.
o SubBytes: Substitute bytes using a predefined S-box.
o ShiftRows: Rearrange rows in the state matrix.
o MixColumns: Perform a mathematical transformation to mix
columns.
o AddRoundKey: XOR the state with the round key.
3. Output: Encrypted ciphertext.
Example of AES with 128-bit Key:
• Plaintext: HELLO123
• Key: 0010101011100101...
• Process: Perform rounds → Encrypted ciphertext.

7. Triple DES (3DES)


Triple DES improves upon DES by applying the DES algorithm three times with
three different keys.
Steps:
1. Encrypt plaintext with Key 1 (K1).
2. Decrypt the result with Key 2 (K2).
3. Encrypt the output with Key 3 (K3).
Example:
• Plaintext: "HELLO"
• Key 1: K1 = 1010...
• Key 2: K2 = 0110...
• Key 3: K3 = 1100...
• Process: Encrypt → Decrypt → Encrypt → Secure ciphertext.

8. Blowfish
Blowfish is a symmetric block cipher designed to be fast and secure.
Key Features:
• Block Size: 64 bits.
• Key Length: 32 to 448 bits.
• Rounds: 16 rounds.
Steps in Blowfish Encryption:
1. Divide plaintext into 64-bit blocks.
2. Apply 16 rounds of encryption.
o Each round uses key-dependent S-boxes.
o Perform permutations and substitutions.
3. Combine the blocks to produce the ciphertext.
Advantages:
• Free to use.
• Faster than many other encryption algorithms.

Key Takeaways for Exams:


1. Block Ciphers: Encrypt fixed-size blocks of data using symmetric keys.
2. DES: Uses 64-bit blocks and 56-bit keys; simpler version is S-DES.
3. AES: Replaced DES, more secure, uses 128-bit blocks and larger keys.
4. Modes of Operation: ECB is basic; CBC and CTR add security and flexibility.
5. Triple DES: Encrypts data three times for better security.
6. Blowfish: Fast, secure, and supports variable key lengths.

Module 3

Public Key Cryptography and Key Management
Public key cryptography, also known as asymmetric cryptography, uses two keys:
1. Public Key: Known to everyone.
2. Private Key: Kept secret by the owner.
The encryption is done with the public key, and decryption is performed using the
private key (or vice versa for digital signatures).

Principles of Public Key Cryptosystem


Key Features of Public Key Cryptography:
1. Two-Key Pair: A public key and a private key are mathematically related.
2. Encryption and Decryption:
o Data encrypted with the public key can only be decrypted with the
private key.
o Data signed with the private key can be verified with the public key.
3. Key Distribution: Public keys can be shared openly without compromising
security.
Uses:
1. Confidentiality: Ensures only the intended recipient can decrypt.
2. Authentication: Verifies the identity of the sender.
3. Digital Signatures: Used to verify the integrity and origin of messages.

RSA Algorithm
The RSA algorithm is one of the most widely used public key cryptosystems. It is
based on the difficulty of factoring large numbers.
Steps in RSA:
1. Key Generation:
1. Choose two large prime numbers, p and q.
2. Compute n = p × q.

2. Encryption:

3. Decryption:
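
A textbook RSA round trip covering key generation, encryption, decryption and signing. This is an added example, not part of the original notes; the toy primes 61 and 53, the public exponent 17 and all function names are assumptions chosen so the numbers can be checked by hand.

```python
import hashlib
from math import gcd


def generate_keys(p: int, q: int, e: int):
    """Return (n, e, d) for primes p and q and a chosen public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1)(q - 1)")
    d = pow(e, -1, phi)  # private exponent: e * d = 1 (mod phi); Python 3.8+
    return n, e, d


def encrypt(m: int, e: int, n: int) -> int:
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)  # c = m^e mod n, using the public key


def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)  # m = c^d mod n, using the private key


def digest_mod_n(message: bytes, n: int) -> int:
    # Reduced modulo n only because the toy modulus is smaller than the hash.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int, n: int) -> int:
    return pow(digest_mod_n(message, n), d, n)  # private-key operation


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    return pow(signature, e, n) == digest_mod_n(message, n)  # public-key check


if __name__ == "__main__":
    n, e, d = generate_keys(61, 53, 17)  # constructed toy parameters
    c = encrypt(65, e, n)
    print("n, e, d:", n, e, d)
    print("ciphertext:", c, "decrypted:", decrypt(c, d, n))
    s = sign(b"constructed message", d, n)
    print("signature valid:", verify(b"constructed message", s, e, n))
```

Textbook RSA as shown is deterministic and unpadded; deployed systems use large primes together with a padding scheme such as OAEP for encryption and PSS for signatures.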

Key Management
Key management ensures secure creation, distribution, and storage of
cryptographic keys.
Key Management Tasks:
1. Key Generation: Keys should be generated securely using algorithms like
RSA or ECC.
2. Key Distribution: Public keys are distributed openly; private keys must
remain confidential.
3. Key Storage: Keys are stored in secure hardware or software systems.
4. Key Revocation: In case of compromise, keys must be revoked and
replaced.

Diffie-Hellman Key Exchange


The Diffie-Hellman Key Exchange (DHKE) allows two parties to securely share a
secret key over an insecure channel.
Steps:
1. Agree on Public Parameters:
• Both parties agree on:
o A prime number p.
o A primitive root g of p.
2. Exchange Keys:
1. Alice:
o Chooses a private key a.

2. Bob:
o Chooses a private key b.
3. Compute the Shared Secret:

Example:
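
Both sides of the exchange described in the steps above. This is an added example, not part of the original notes; the toy parameters p = 23, g = 5, a = 6, b = 15, the Party class and the range check on the peer's public value are assumptions chosen for illustration, and p is assumed to be prime.

```python
import hashlib
import secrets


def prime_factors(n: int) -> set:
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g: int, p: int) -> bool:
    # g generates the whole group iff g^((p-1)/q) != 1 for every prime q dividing p-1.
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


class Party:
    def __init__(self, p: int, g: int, private: int = None):
        if not is_primitive_root(g, p):
            raise ValueError("g is not a primitive root of p")
        self.p, self.g = p, g
        # Private key in 2..p-2; a random one is drawn unless a demo value is given.
        self.private = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self.private, p)  # value sent over the insecure channel

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1, which would force a predictable shared secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("rejecting degenerate public value")
        return pow(peer_public, self.private, self.p)

    def session_key(self, peer_public: int) -> bytes:
        # Hash the shared secret into a fixed-length symmetric key.
        secret = self.shared_secret(peer_public)
        return hashlib.sha256(secret.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()


if __name__ == "__main__":
    alice = Party(23, 5, private=6)   # constructed toy values
    bob = Party(23, 5, private=15)
    print("Alice sends:", alice.public, "Bob sends:", bob.public)
    print("Alice computes:", alice.shared_secret(bob.public))
    print("Bob computes:  ", bob.shared_secret(alice.public))
```

The exchange by itself does not authenticate either party, so the public values must be authenticated by other means (for example, signatures) to rule out an active attacker in the middle.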

Elliptic Curve Cryptography (ECC)


ECC is a public key cryptosystem based on the mathematical structure of elliptic
curves.
Why ECC?
• Provides the same security as RSA with smaller key sizes.
• Faster and uses less computational power.
Elliptic Curve Equation:
ECC Key Exchange Example:

Key Takeaways for Exams:


1. Public Key Cryptography: Uses a key pair for secure communication.
2. RSA Algorithm: Based on factoring large numbers; key generation,
encryption, and decryption are essential.
3. Diffie-Hellman Key Exchange: Enables secure key sharing over an insecure
channel.
4. Elliptic Curve Cryptography: Offers strong security with smaller keys and
faster operations.

Module 4

IP Security (IPSec)
IPSec is a protocol suite designed to secure communications over IP networks. It
ensures confidentiality, integrity, and authentication of data while traveling over
potentially insecure networks like the internet.

1. Overview of IP Security
Why Do We Need IPSec?
1. Untrusted Networks: Internet traffic is vulnerable to eavesdropping,
tampering, and spoofing.
2. Secure Communication: Protects sensitive data, such as banking
transactions and corporate communications.
Main Features of IPSec:
• Confidentiality: Encrypts data to prevent unauthorized access.
• Integrity: Ensures that data is not altered during transmission.
• Authentication: Confirms the sender's identity.
• Replay Protection: Prevents attackers from reusing captured packets to
disrupt communication.

2. IPSec Modes of Operation


IPSec works in two modes:
1. Transport Mode
• What It Protects: Encrypts only the payload (data) of the IP packet.
• Use Case: End-to-end communication between two devices.
• Example: Encrypting communication between a client and a server.
o Before Encryption:
| IP Header | Payload |
o After Encryption (Transport Mode):
| IP Header | Encrypted Payload |
2. Tunnel Mode
• What It Protects: Encrypts the entire IP packet (header + payload).
• Use Case: Secure communication between two networks (e.g., VPNs).
• Example: Protecting communication between two branch offices over the
internet.
o Before Encryption:
| IP Header | Payload |
o After Encryption (Tunnel Mode):
| New IP Header | Encrypted Original IP Packet |

3. IP Security Architecture
The architecture of IPSec consists of:
1. Security Protocols:
• Authentication Header (AH): Provides integrity and authentication.
• Encapsulating Security Payload (ESP): Provides confidentiality, integrity,
and authentication.
2. Security Associations (SAs):
• Defines how data is encrypted, authenticated, and transmitted.
3. Key Management:
• Handles the generation, exchange, and management of cryptographic keys.
4. Policy Database:
• Contains rules for applying IPSec to specific types of traffic.

4. Authentication Header (AH)
Authentication Header (AH) ensures the data’s integrity and authenticity but does
NOT provide encryption.
Features of AH:
• Protects against tampering.
• Authenticates the origin of the data.
How It Works:
• Adds a header containing an Integrity Check Value (ICV) to the IP packet.
• The ICV is computed using a shared key and ensures data is untampered.
Example:
• Original IP Packet:
| IP Header | Payload |
• After Adding AH:
| IP Header | AH | Payload |
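
How a receiver can check the ICV and enforce the replay protection listed under the main features of IPSec. This is an added example, not part of the original notes: the packet layout (4-byte sequence number, payload, 16-byte truncated HMAC-SHA-256 ICV), the 64-packet window and all names are assumptions, and the layout is a simplification rather than the real AH wire format.

```python
import hashlib
import hmac

ICV_LEN = 16  # bytes of HMAC-SHA-256 kept as the ICV (assumption for this demo)
SEQ_LEN = 4   # bytes of sequence number at the front of the packet (assumption)


def compute_icv(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number || payload || ICV over both."""
    body = seq.to_bytes(SEQ_LEN, "big") + payload
    return body + compute_icv(key, body)


class Receiver:
    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) was seen

    def accept(self, packet: bytes) -> str:
        if len(packet) < SEQ_LEN + ICV_LEN:
            return "malformed"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        # Constant-time comparison; window state changes only for authentic packets.
        if not hmac.compare_digest(icv, compute_icv(self.key, body)):
            return "bad-icv"
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq == 0:
            return "malformed"  # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; a jump past the window clears it.
            self.bitmap = 1 if shift >= self.window else (
                ((self.bitmap << shift) | 1) & ((1 << self.window) - 1))
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if offset >= self.window:
            return "too-old"
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"


if __name__ == "__main__":
    key = b"constructed shared key"
    rx = Receiver(key)
    first, second, third = (build_packet(key, n, b"data") for n in (1, 2, 3))
    for label, pkt in [("seq 1", first), ("seq 3", third), ("seq 2 (late)", second),
                       ("seq 2 again", second), ("tampered", first[:-1] + b"\x00")]:
        print(label, "->", rx.accept(pkt))
```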

5. Encapsulating Security Payload (ESP)


Encapsulating Security Payload (ESP) ensures:
1. Confidentiality by encrypting data.
2. Integrity by protecting against tampering.
3. Authentication by verifying the sender.
How It Works:
• Adds an ESP header, ESP trailer, and an optional authentication tag.
Example (Tunnel Mode):
• Original Packet:
| IP Header | Payload |
• After Applying ESP:
| New IP Header | ESP Header | Encrypted Original IP Packet | ESP Trailer | Auth Tag |
ESP is often used in scenarios like secure Virtual Private Networks (VPNs).

6. Combining Security Associations (SAs)


Security Association (SA):
• A one-way relationship that defines the parameters (encryption,
authentication, etc.) for secure communication.
Combining SAs:
Multiple SAs can be combined to enhance security.
• Example:
o First SA uses AH for integrity and authentication.
o Second SA uses ESP for confidentiality.

7. Key Management
Key management is essential to ensure secure and efficient cryptographic
operations.
Two Approaches:
1. Manual Keying:
• Cryptographic keys are manually configured by administrators.
• Disadvantage: Not scalable for large networks.
2. Automated Keying (Internet Key Exchange - IKE):
• Automates the generation, distribution, and management of keys.

Steps in IKE (Internet Key Exchange):


1. Authentication: Verifies the identities of the communicating parties.
2. Negotiation: Agrees on encryption and authentication methods.
3. Key Exchange: Generates and securely exchanges keys.

IPSec in Action: Secure Communication Between Two Offices


1. Scenario:
Two company offices (Office A and Office B) want to securely exchange data
over the internet.
2. Solution:
o Use IPSec in Tunnel Mode.
o Combine AH and ESP to provide full security.
3. Process:
o Office A:
▪ Encrypts the entire IP packet using ESP.
▪ Authenticates the packet using AH.
o Office B:
▪ Verifies the packet’s authenticity (AH).
▪ Decrypts the packet to access the original data (ESP).

Key Takeaways for Exams:


1. Modes of Operation:
o Transport Mode: Protects the payload only.
o Tunnel Mode: Protects the entire IP packet.
2. Protocols:
o AH: Ensures integrity and authentication.
o ESP: Provides encryption, integrity, and authentication.
3. Security Associations (SAs):
o Define how data is secured.
o Multiple SAs can be combined for enhanced protection.
4. Key Management:
o Manual keying is suitable for small setups.
o Automated keying (IKE) is better for large networks.
5. Use Case:
o IPSec is commonly used in VPNs to ensure secure communication
between networks.

Module 5

Web Security
Web security ensures that communication between users and web servers is
secure and that systems are protected from various types of internet threats.

1. Web Security Considerations


Key Elements of Web Security:
1. Data Confidentiality:
o Definition: Ensuring that the data exchanged between users and
servers remains private and is not intercepted by unauthorized
parties.
o Example: When you log into a website using your username and
password, SSL/TLS encryption ensures that the data cannot be
intercepted by attackers.
2. Data Integrity:
o Definition: Ensuring that the data remains unaltered during
transmission from one party to another.
o Example: If you're downloading a file from a website, data integrity
ensures that the file you receive is exactly what the server intended
to send, without being tampered with.
3. Authentication:
o Definition: Verifying the identity of the parties involved in the
communication.
o Example: SSL certificates authenticate that the website you are
visiting is indeed the legitimate one, not a fake site created to steal
your information.
4. Availability:
o Definition: Ensuring that the services provided by the website or
application are available and accessible to users.
o Example: Preventing Distributed Denial of Service (DDoS) attacks that
overload servers and make the website unavailable.
5. User Privacy:
o Definition: Ensuring that personal data (e.g., credit card numbers,
personal information) is protected.
o Example: A secure e-commerce site ensures that your payment
information is encrypted and not exposed to malicious parties.

2. Secure Socket Layer (SSL) and Transport Layer Security (TLS)


Overview:
SSL (Secure Socket Layer) and TLS (Transport Layer Security) are cryptographic
protocols used to secure communication over the internet. TLS is the successor to
SSL, providing more robust encryption methods.
How SSL/TLS Works:
1. Encryption: SSL/TLS encrypts the data transmitted between a client (such as
a web browser) and a server to ensure that unauthorized parties cannot
access it.
o Example: If you're shopping online, SSL/TLS encryption will protect
your credit card details when you make a payment.
2. Authentication: The server provides a digital certificate to prove its identity.
This helps ensure that users are communicating with the correct website
and not an imposter.
o Example: When you visit a bank's website, the SSL certificate proves
that you're indeed visiting the legitimate bank website, not a fake
one.
3. Integrity: SSL/TLS ensures that the data has not been tampered with during
transit by using message digests and hash functions.
o Example: If someone tries to alter the content of a message between
a user and a website, SSL/TLS will detect it and prevent the
transaction from going through.
SSL/TLS Handshake Process:
The handshake is the process of establishing a secure connection between a client
and a server.
1. Client Hello:
o The client sends a "hello" message to the server, proposing
encryption algorithms and sending a random number.
o Example: "Hello, I’d like to communicate securely using AES
encryption, and here's a random number for encryption."
2. Server Hello:
o The server responds with a “hello,” agreeing on encryption methods,
sending its digital certificate, and another random number.
o Example: "Hello, I accept your AES encryption proposal, here's my
certificate and a random number."
3. Authentication:
o The server sends its SSL certificate to the client. The client verifies the
certificate to ensure that the server is authentic.
o Example: The client checks the certificate to verify the bank’s
website, ensuring that it is not an imposter.
4. Key Exchange:
o Both the client and server generate shared encryption keys using the
random numbers exchanged.
o Example: The client and server create a shared secret key, which they
will use to encrypt and decrypt the messages.
5. Secure Communication:
o After the handshake, data can now be securely transmitted between
the client and server using the shared encryption keys.
o Example: Once the SSL/TLS connection is established, the customer’s
payment details are securely sent to the server.

3. Secure Electronic Transaction (SET)


Secure Electronic Transaction (SET) is a protocol designed to secure credit card
transactions over the internet. It provides three key features:
1. Confidentiality: Ensures that the credit card data is encrypted during
transmission.
2. Authentication: Verifies the identities of both the cardholder and the
merchant.
3. Integrity: Ensures that the transaction data is not tampered with during
transmission.
How SET Works:
1. Cardholder Initiates Transaction: The cardholder selects items to buy and
proceeds to checkout.
2. Merchant Sends Transaction Request: The merchant sends a request for
payment, including the encrypted credit card details.
3. Bank Verification: The bank verifies the transaction, checking for fraud or
errors.
4. Secure Transaction: If the transaction is approved, the merchant sends
confirmation to the cardholder, and the goods are delivered.
Example: When purchasing items online, SET ensures that your credit card
information is securely transmitted and validated before the payment is
processed.

System Security
System security involves protecting computers and networks from threats such as
hackers, viruses, and other malicious activities.

1. Intruders, Viruses, and Related Threats


Intruders (Hackers):
Intruders are individuals or groups who attempt to access systems without
authorization. They may use different techniques to exploit system vulnerabilities.
• Types of Intruders:
1. Crackers: Malicious hackers who break into systems to steal or
damage data.
2. Script Kiddies: Inexperienced hackers using pre-written software
tools to attack systems.
3. Hacktivists: Hackers who target systems for political or social causes.
Common Intrusion Techniques:
1. Brute Force Attacks: Trying all possible combinations of passwords until the
correct one is found.
o Example: A hacker tries millions of combinations of username and
password to gain access to a secure account.
2. Phishing: Deceptive emails or websites designed to trick users into
revealing their personal information (e.g., passwords).
o Example: A fake bank email asking you to click a link and enter your
bank account details.
3. Denial of Service (DoS) Attacks: Overloading a server with requests so that
legitimate users cannot access it.
o Example: A hacker sends a flood of requests to a website, causing it
to crash.

2. Viruses and Malicious Software (Malware)
A virus is a type of malicious software (malware) designed to replicate itself and
spread to other systems, often causing damage in the process.
Types of Malware:
1. Viruses: Programs that infect files or programs and spread to other systems
when executed.
o Example: A virus that attaches itself to a program and spreads when
the program is shared or run.
2. Worms: Malware that spreads independently over networks without
needing to attach to a program.
o Example: A worm that automatically replicates and spreads across
computers on the same network.
3. Trojan Horses: Malicious programs that disguise themselves as legitimate
software.
o Example: A game download that secretly installs a keylogger to steal
personal data.
4. Ransomware: Malware that locks or encrypts data, demanding a ransom
for its release.
o Example: A ransomware attack that locks a company’s data and
demands payment for the decryption key.

3. Protecting Against Intruders and Malware:


1. Firewalls: Monitor and control incoming and outgoing network traffic to
prevent unauthorized access.
2. Antivirus Software: Detects and removes viruses and other malware from
your system.
3. Strong Passwords: Using complex and unique passwords for each account
to prevent brute force attacks.
4. Regular Software Updates: Keeping systems and applications updated to fix
vulnerabilities that can be exploited by attackers.

Key Takeaways for Exams:


1. Web Security: Ensures secure communication through SSL/TLS and protects
user privacy with protocols like SET.
2. SSL/TLS: Encrypts and authenticates communication between clients and
servers, securing sensitive data (e.g., payment details).
3. System Security: Protects systems from malicious attacks, such as viruses,
hackers, and phishing, using firewalls, antivirus software, and strong
authentication.
