Higher Nationals

Internal verification of assessment decisions – BTEC (RQF)

INTERNAL VERIFICATION – ASSESSMENT DECISIONS
Programme title BTEC HND in Cyber Security

Assessor Internal
Verifier
Unit 30: Applied Cryptography in the Cloud
Unit(s)

Assignment title

Student’s name
List which assessment criteria Pass Merit Distinction
the Assessor has awarded.

INTERNAL VERIFIER CHECKLIST

Do the assessment criteria awarded match

those shown in the assignment brief? Y/N

Is the Pass/Merit/Distinction grade awarded

justified by the assessor’s comments on the Y/N
student work?
Has the work been assessed Y/N
accurately?
Is the feedback to the student:
Give details:
• Constructive? Y/N
Y/N
• Linked to relevant assessment criteria?
Y/N
• Identifying opportunities for improved
performance? Y/N
• Agreeing actions?
Does the assessment decision need Y/N
amending?

Assessor signature Date

Internal Verifier signature Date

Programme Leader signature (if required)
Date
Confirm action completed
Remedial action taken
Give details:

Assessor signature Date

Internal Verifier
signature Date
Programme Leader
signature (if required) Date
 Higher Nationals - Summative Assignment Feedback Form
Student Name/ID

Unit Title
Assignment Number 1 Assessor
12/01/2025 Date Received
Submission Date 1st submission
Date Received 2nd
Re-submission Date submission

Assessor Feedback:
LO1 Analyse encryption ciphers and algorithms as methods to secure data in a cloud
environment
Pass, Merit & Distinction P1 P2 M1 D1
Descripts

LO2 Discuss security risks and issues related to public key encryption in practice
Pass, Merit & Distinction P3 M2 D2
Descripts

LO3 Demonstrate the use of cryptographic and cryptoanalysis tools for improving
security in a virtual private network
Pass, Merit & Distinction P4 P5 M3 M4 D3
Descripts

LO4 Evaluate advanced encryption protocols and their application for an organisation
considering a move to the cloud
Pass, Merit & Distinction P6 P7 M5 D4
Descripts

Grade: Assessor Signature: Date:

Resubmission Feedback:

Grade: Assessor Signature: Date:

Internal Verifier’s Comments:

Signature & Date:

* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place
and grades decisions have been agreed at the assessment board.

Assignment Feedback
Formative Feedback: Assessor to Student

Action Plan

Summative feedback

Feedback: Student to Assessor

Assessor Date
signature

Student Date
signature
Pearson Higher Nationals in
Computing
Unit 30: Applied Cryptography in the Cloud
Assignment 01

General Guidelines

1. A Cover page or title page – You should always attach a title page to your assignment. Use
previous page as your cover sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
 3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for top, bottom , right margins and 1.25” for the left margin of each page.

Word Processing Rules

1. The font size should be 12 point, and should be in the style of Time New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject, Assignment No, and
Page Number on each page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help editing your
assignment.

Important Points:

1. It is strictly prohibited to use textboxes to add texts in the assignments, except for the compulsory
information. eg: Figures, tables of comparison etc. Adding text boxes in the body except for the
before mentioned compulsory information will result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions
will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you
may apply (in writing) for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade .
9. Non-submission of work without valid reasons will lead to an automatic RE FERRAL. You will
then be asked to complete an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using
HARVARD referencing system to avoid plagiarism. You have to provide both in-text citation and
a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be
reduced to A REFERRAL or at worst you could be expelled from the course
Student Declaration

I hereby, declare that I know what plagiarism entails, namely to use another’s work and to
present it as my own without attributing the sources in the correct form. I further understand
what it means to copy another’s work.

1. I know that plagiarism is a punishable offence because it constitutes theft.

2. I understand the plagiarism and copying policy of Edexcel UK.
3. I know what the consequences will be if I plagiarise or copy another’s work in any of the
assignments for this program.
4. I declare therefore that all work presented by me for every aspect of my program, will be
my own, and where I have made use of another’s work, I will attribute the source in the
correct way.
5. I acknowledge that the attachment of this document signed or not, constitutes a binding
agreement between myself and Edexcel UK.
6. I understand that my assignment will not be considered as submitted if this document is
not attached to the assignment.

Student’s Signature: Date:

Higher National Diploma in Computing
Assignment Brief
Student Name /ID Number

Unit Number and Title Unit 30: Applied Cryptography in the Cloud

Academic Year 2022/23

Unit Tutor

Assignment Title LAN Design & Implementation for Enclave Films Company

Issue Date 21/11/2024

Submission Date 12/01/2025

IV Name & Date

Submission format

The submission is in the form of an individual technical report. This should be written in a
concise, formal business style using single spacing and font size 12. You are required to
make use of headings, paragraphs and subsections as appropriate, and all work must be
supported with research and referenced using the Harvard referencing system. Please also
provide an end list of references using the Harvard referencing system.
The recommended word count is 3,000–3,500 words for the report excluding
annexures, although you will not be penalised for exceeding the total word limit.
Unit Learning Outcomes:

LO1 Analyse encryption ciphers and algorithms as methods to secure data in a cloud
environment.

LO2 Discuss security risks and issues related to public key encryption in practice

LO3 Demonstrate the use of cryptographic and cryptoanalysis tools for improving
security in a virtual private network.

LO4 Evaluate advanced encryption protocols and their application for an organisation
considering a move to the cloud.

Assignment Brief and Guidance:

Scenario
ShipCargo is a freight forwarding company which uses an on-prem ERP
system and a database. However, the management decided to move to the
cloud for better availability, resiliency and to minimise the complexities and
cost of management. You have been appointed by the management to do a
technical report with the following tasks to support them so thar a better and
informed decision can be taken.

Activity
Write a technical report on the use of cryptography for the security on the
cloud as follows.

Task 1
Compare and critically analyse the fundamental differences, advantages and
drawbacks between stream cipher and block cipher. Simple examples can be
used in explanations. Discuss the improvements that can be introduced to
ShipCargo cloud by stream cipher. Justify your answer.
Ciphers like DES and AES use bitwise XOR operations in their algorithm.
Implement an algorithm to show how a 4-bit input can be encrypted with a 4-
bit key using XOR function. Provide screenshots of the code.

Task 2
Discus how public key algorithms can be used to provide authentication and
confidentiality to ShipCargo and discuss the security vulnerabilities of
encrypting with a single key. Analyse the benefits and importance of using
encryption techniques (Eg: KEMs, DEMs, PKEs) to secure a public key system
and provide justified recommendations suitable for securing public key
algorithms.

Task 3
Illustrate with diagrams, the encryption and decryption process in PKI
environment for the cloud solution proposed for ShipCargo. Identify and assess
the security risks and challenges likely to occur when using a cloud- hosted
PKI in the company’s private network.
Design a security case for an identified threat for ShipCargo and implement the
designed case using suitable cryptography and cryptoanalysis tools. Provide a
critical review of the implemented system and how it meets the intended
security objectives of the company with any suggestions for further
improvements.

Task 4

Evaluate the key benefits of using a range of cryptography and hybrid

cryptosystems to improve cloud security of ShipCargo. You also need to assess
common factors that may influence organization’s choice of cloud systems in
order to improve security. Use examples from the industry or the chosen
organization to support your answer.

Select and critically analyse the suitable cryptography and cryptosystems to

protect data within ShipCargo. Finally, justify the use of different
cryptographic applications that you think is suitable for its move to the cloud.
Grading Criteria Achieved Feedback

LO1 : Analyse encryption ciphers and algorithms as methods to secure d

P1
Analyse the functions of stream cipher and block cipher, using a range of
appropriate examples in practice.
P2
Produce code that implements mathematical ciphers and algorithms to
encrypt and decrypt data.
M1
Critically analyse the operational differences between stream cipher and
block cipher, using a range of appropriate examples in practice.
D1
Justify improvements introduced by stream ciphers compared to block
ciphers for public and private key encryption.
LO2 : Discuss security risks and issues related to public key encr

P3
Discuss risks and issues in security of public key encryption schemes,
using a range of appropriate examples in practice.
M2
Analyse key benefits of encryption techniques including KEMs, DEMs
and PKEs and the importance of securing public key systems
D2
Provide justified recommendations, synthesising different definitions of
provable security, suitable for securing public key systems.
LO3 : Demonstrate the use of cryptographic and cryptoanalysis tools for improving

P4
Illustrate, using a diagram, encryption and decryption process functions
in a PKI environment for a business scenario.
P5
Design a security case, representative of a business scenario, to solve a
security threat.
M3
Assess security risks and challenges of using cloud-hosted PKI in a
private network.
M4
Implement the system designed, in response to a security case, using
cryptographic and cryptanalysis methods or tools.
D3
Provide a critical review of the implemented system in terms of how it
meets defined security objectives and make suggestions for
improvement.
LO4 : Evaluate advanced encryption protocols and their application for an organis

P6
Evaluate the key benefits of using a range of cryptography and hybrid
cryptosystems to improve cloud security.
P7
Assess common factors influencing an organisations choice of cloud
solution(s) to improve security.
M5
Critically analyse the use of selected cryptography and hybrid
cryptosystems in protecting data within an organisation.
D4
Justify the use of different cryptographic applications, for an
organisation, that will inform their move to the cloud.
Grading Rubric
 Acknowledgement

Although it is not a formal act, acknowledgement server as a further obligation to all

those who contributed to the project’s successful completion. The opportunity to express
gratitude to everyone who successfully contributes to it is one of the most wonderful
aspects of gathering the necessary and important data. First off, I’d like to thank our
lecture Mr.Anjula kalum contribute his time despite his busy schedule in a specialized
mane.
 Table of Contents
Higher Nationals.................................................................................................................1
Acknowledgement............................................................................................................15
Figure Tables.................................................................................................................... 18
Task 01..............................................................................................................................20
1.1 analyse the function of stream ciphers and block ciphers using a variety of relevant
example from practice..................................................................................................20
1.2 write code that encrypts and decrypts data using mathematical cipher and
algorithms.................................................................................................................... 28
1.3Analyze the operational distinction between block and stream cipher critically,
drawing on a variety of relevant real-world examples.................................................34
1.4 Justify the enhancements in public and private key encryption that stream cipher
bring over block ciphers...............................................................................................48
1.5 Real World Example:...............................................................................................56
1.5.1 An illustration of a private key encryption algorithm is:..................................58
1.5.2 Resisting specific assaults................................................................................59
1.5.3 Key Management Complexity..........................................................................59
1.6 Justify the benefits of stream cipher over block cipher for possible use in ship
cargo regarding public and private key encryption......................................................60
Task 02..............................................................................................................................64
2. Examine the dangers and problems associated with public key encryption methods,
using several relevant real-world situations.................................................................64
2.1.1 Crucial administration......................................................................................64
2.1.2 Algorithmic Vulnerabilities...............................................................................66
2.1.3 Protocols for Key Exchange Are Inadequate....................................................70
2.2 Examine the main advantages of encryption methods, such as public key
infrastructure security and KEM, DEM, and PKE analysis.............................................73
2.2.1 Key Encapsulation Mechanisms (KEMs)...........................................................73
2.2.2 Data Encryption Mechanisms (DEMs)..............................................................78
2.2.3 Public key encryption (PKE).............................................................................83
2.3 Why protecting public key system is important.....................................................89
2.3.1 Give well-reasoned suggestions that combine several definitions of proven
security and are appropriate for protecting public key infrastructure.....................89
2.3.2 Adopt standardized cryptographic algorithms.................................................90
 2.3.3 Implement Key Rotation policies.....................................................................91
2.3.4 Conduct Penetration Test on a Regular Basis..................................................92
Task 03..............................................................................................................................95
3. Explain how the encryption and decryption processes work in a PKI environment for
a business situation using a diagram............................................................................95
3.1 Procedure for encryption........................................................................................96
3.2 Procedure for Decryption.......................................................................................98
3.2.1 How to encrypt and Decrypt Data in a public key infrastructure...................101
3.3 Security Regulator and Mitigation Strategies.......................................................102
3.4 A summary Of the Security Case...........................................................................103
3.5 Examine the Difficulties and Security danger associated with using Cloud-Hosted
PKI in a Private network............................................................................................. 103
3.6 Host Cloud............................................................................................................ 105
3.6.1 PKI on a Private network within the Cloud....................................................106
3.7 Using the following steps to implement the encryption and decryption techniques
in the security case.....................................................................................................110
3.8 Cryptanalysis Tools...............................................................................................111
3.8.1 Programs for Cryptology analysis..................................................................111
3.8.2 Tool for Brute force Attacks...........................................................................112
3.9 Give a Critical assessment of the system implementation of how well it satisfies
the established security goals and offer recommendations for development...........114
3.9.1 Goals for Security...........................................................................................114
Task 04............................................................................................................................117
4.1 Examine the Main advantages of enhancing cloud security with a variety of
cryptography and hybrid cryptosystems....................................................................117
4.2 Combination Cryptosystems.................................................................................118
4.3 Principal benefits of using a range of cryptography and hybrid cryptosystems to
improve Ship Cargo’s cloud security...........................................................................120
4.3.1 The Main Advantages of utilizing different encryption techniques, illustrated
................................................................................................................................121
4.4 Examine typical elements impacting an organization’s decision cloud solutions to
enhance security........................................................................................................ 122
4.5 Ship Cargo claims that cloud system will improve security..................................123
4.6 Examine critically how specific cryptography and hybrid cryptosystem are used in
an organization to protect data..................................................................................124
4.6.1 How Cryptography Operates.........................................................................124
 4.6.2 Advantages and Disadvantages of implementing cryptography in an enterprise
................................................................................................................................125
4.6.3 Within an organization, specific cryptography and hybrid cryptosystems are
used to secure data................................................................................................127
4.7 Data Protection on ship cargo..............................................................................127
4.8 The Suggestion of the Proper cryptosystem and cryptography to protect ship cargo
data............................................................................................................................ 129
4.9.1 Improvement of cryptography based on ship freight........................................131
4.9.2 Suggestion to the ship cargo company Regarding the Cloud platform..........132
References...................................................................................................................... 133

Figure Tables

Figure 1 Encryption............................................................................................................20
Figure 2 Caesar Cipher Code.............................................................................................29
Figure 3 Response for Caesar Cipher Code.......................................................................30
Figure 4 Vigenère Cipher Code 01.....................................................................................31
Figure 5 Vigenère Cipher Code 02.....................................................................................32
Figure 6 Vigenère Cipher Response...................................................................................32
Figure 7 Python how encrypt a 4-bit input with a 4-bit key...............................................33
Figure 8 Response for 4-Bit input with 4-bit key using.....................................................33
Figure 9 Public key infrastructure......................................................................................89
Figure 10 Encryption..........................................................................................................98
Figure 11 Asymmetric Encryption...................................................................................100
Figure 12 Decryption Process..........................................................................................100
Figure 13 Encrypt and Decrypt........................................................................................101
Figure 14 Cloud Hosting..................................................................................................105
 Task 01

1.1 analyse the function of stream ciphers and block ciphers using a variety of
relevant example from practice.

Encryption
Encryption can mess up information in such a way that it is only understandable by
those with proper authority. Technically, it's the process of changing human-readable
plaintext into a completely unreadable text called ciphertext. In simple terms, encryption
transforms readable data into a format that it no longer makes any sense, looking like
randomness. Encryption makes use of something called a cryptographic key-several
mathematical values agreed upon both by the sender and recipient of an encrypted
message. (cloudflare, n.d.)

Figure 1 Encryption

There are two types of encryption algorithms: stream ciphers and block ciphers. Each
has distinct characteristics, benefits, and drawbacks.

Stream cipher
Stream ciphers are symmetric keystreams that generate ciphertext bit by bit for a
plaintext communication of any length. The operation of a stream cipher performs
encryption on continuous strings of binary integers, changing the plain text data by
time-varying. Keystreams are generated from the cipher that is a pseudorandom integer
XORed with the plaintext to produce the ciphertext, using a combination of a key
(128/256 bits) and a digit nonce (64-128 bits). Although the key and the nonce can be
reused, in every round of encryption, a different keystream must be used for security.
Feedback shift registers are used in stream encryption ciphers to generate the unique
nonce number used once needed for keystream generation. The stream cipher is a kind
of encryption based on a sequence of pseudorandom cipher digits and plain text
integers. This stream of pseudorandom encryption digits is supplied one bit at a time to
each binary digit. For any given key, this encryption technique uses an infinite number
of pseudorandom cipher digits. (geeksforgeeks, 2024)

Advantages

 Speed and Efficiency: Stream ciphers are normally faster as compared to block
ciphers because they encrypt or decrypt one bit or byte at a time. Because of
their speed, they turn out to be very useful in real-time communications and
applications requiring low latency.

 Bit-Level Protection: Stream ciphers are more successful in encrypting

individual bits or bytes of data since they work at the granularity of bits. This
may be useful if the stream of data needs to be processed continuously.

 Suitable for Streaming Data: If there is a continuous flow of information that

needs immediate encryption and decryption, such as in the case of audio or video
transmission, then stream ciphers are eminently suitable for encrypting streaming
data.

 Synchronization: Stream ciphers, because they can encrypt unlimited plaintext,

in fact, get synchronized with the stream of data. This makes the process of
encryption and decryption much easier, especially in applications where data is
continuously sent or received.
  Less overhead: Stream ciphers generally have less computational, and memory
overhead compared to block ciphers. This can be utilized very well in scenarios
that demand limited resources, such as embedded systems or even Internet-of-
Things gadgets.

 Resistance to Loss of Data: Since stream ciphers operate on the data in a

continuous stream, they are immune to partial loss or corruption of data. The
effect is confined to the part of the ciphertext that is lost or corrupted.

 Key Stream Reusability: In many cases, the same key stream can be used
multiple times for different portions of the plaintext without compromising
security. This could simplify key management under certain conditions.

Disadvantages

 Stream ciphers: sensitive to synchronization issues, which might make them

misfire. If the encryption and decryption protocols are not followed correctly, the
decrypted data may contain substantial errors. This synchronization issue can
occur due to various reasons like transmission errors or network outages and thus
reduces the reliability of stream ciphers in certain scenarios.

 Key Management: A typical stream cipher would generate a key stream, which is
always very difficult to set and maintain properly. Since the key must be
genuinely random and unpredictable, generation of such a stream is required.
However, following the key management procedures correctly in practice—that
is, proper key distribution, storage, and rotation—could be either very difficult or
very error-prone.

 Vulnerability to Key Reuse: The reuse of a single key stream with multiple
messages can make stream ciphers prone to cryptographic attacks. Since the key
stream is reused, there is a tendency that the encryption mechanism is
compromised, and in the process, an adversary can retrieve plaintext data or
 initiate further cryptanalytic attacks. This shows that stream cipher security
depends on proper key management and prevention of key reuse.

 Limited Security Analysis: Compared to block ciphers, stream ciphers may

require less security analysis. Some stream ciphers can have flaws that have not
been properly analysed or found yet, while others may have undergone extensive
cryptanalysis and thus are considered secure. It is, therefore, of the essence to
choose a stream cipher with a proven track record of security to minimize risks.

 Possibility of Bit Flipping Attacks: An attacker might also cause predictable

changes to the plaintext by manipulating the ciphertext; this is known as a bit
flipping attack. That could happen, for example, if an attacker gained access to the
encrypted communication channel and flipped some of the bits in the ciphertext.
 Among the suitable authentication techniques that must be followed in a stream
cipher-based encryption system to mitigate the risk of bit flipping attacks are
message authentication codes (MACs).

 Less Parallelizable: In some applications—most noticeably, ones asking for high

throughput or the parallel encryption of vast numbers of data streams—stream
ciphers can be slower than block ciphers because the former are frequently less
parallelizable. For applications with serious performance requirements, block
ciphers are far better, as they can normally be parallelized in a far better way.

 Susceptibility to Specific Techniques: Some stream ciphers are vulnerable to

specific cryptanalytic attacks, such as related key, algebraic, or correlation attacks.
These exploit vulnerabilities in the design or deployment of the cipher, to obtain
plaintext data or otherwise defeat the security of the encryption scheme. To reduce
the risk, select stream ciphers that are well-studied and tested for possible
weaknesses.

Examples
1. RC4 is a popular stream cipher that is not recommended for use in secure
communications owing to vulnerabilities.
 2. Salsa20 is a cutting-edge, highly effective stream cipher that stresses both speed
and security.
3. A5/1: Used for GSM mobile phone encryption; however, security issues have
been identified.
4. One sort of stream encryption is the simple XOR cipher. The ciphertext for
encrypting the plaintext "110011" with a key stream (101010) is "011001"
(110011 XOR 101010).

Block Cipher
Encrypt a given fixed-size-data block by using a shared key and a symmetric
cryptographic technique called a block cipher. For the encryption process, we use
plaintext, and this encrypted output is what we call ciphertext. The same key is used to
encrypt the plaintext along with the ciphertext. (geeksforgeeks, 2024)

An example of such a processing is a block cipher, in which a given block size of data is
fed into the software. Blocks are smaller than the whole message. So a long message
will be fragmented in various successive blocks of messages on which the cipher
executes block function by block. (geeksforgeeks, 2024)

It uses a symmetric secret key shared with everyone who uses the block cipher. Each
block of input data will be fetched, and the entire operation will be performed using the
shared secret key as input and output. Because the size of the block is always known,
padding is not required. It is a symmetrical algorithm. The shared key will transform the
text into in-cypher text. It will retrieve the in-cypher text as plain text back into original
from decryption using the same key that was used. Input: output matches both
lengthwise. (geeksforgeeks, 2024)

Advantages
 Security Strength of Block Ciphers: Block ciphers are secured by repeatedly
encrypting the data.

 Error Propagation: The error tolerance is increased; these guarantee that a fault
in one block does not affect the decryption of subsequent blocks.
 Availability: Block ciphers are adaptable and hence can fulfil various security
and application demands. Some of the most common modes are Galois/counter
mode (GCM), cipher block chaining (CBC), and electronic codebook (ECB).

 Key Administration: This means that block ciphers usually have well-defined
forms for key management, since block ciphers usually have only one key
associated with each block. Thus, a well-defined structure concerning key
distribution, rotation, and updates can be used.

 Cryptographic primitives: such as hash functions and message authentication

codes (MACs) are built on the foundation of block ciphers. This is what
demonstrates how less adaptable block ciphers are and vital in modern
cryptographic systems.

 Performance of Hardware: Block ciphers are suitable in constrained resources

environments such as embedded computers or hardware security modules
(HSMs), allowing their design to be optimized when built in hardware.

 Consistency: Block ciphers are at the very foundation of numerous encryption

schemes, such as the Advanced Encryption Standard (AES). Thus, by
standardizing this, implementation across several platforms and systems can be
made consistent and inter-operable.

 Agility in Cryptography: Cryptographic agility is what block ciphers offer, i.e.,

several algorithms can be accommodated with varying key sizes to meet specific
security requirements. This flexibility is important in adapting to changing
threats in security.

 News of Resisting Known-Plaintext Attacks: Some attacker can use known-

plaintext attacks on very strong, block ciphers after they get hold of pairs of
plaintexts and ciphertext and known-plaintext attacks even greatly contribute to
its overall security.
Though block ciphers are advantageous, the use of them depends on how much they
consider key management, mode of operation, and other possible defects such as
padding schemes. The stream/block cipher also depends on the actual needs of the
application. (geeksforgeeks, 2024)

Disadvantages
 Now block size is quite fixed. For instance, the well-established Advanced
Encryption Standard (AES) allows block sizes that are fixed: 128 bits; hence, if
the input data's length is not a multiple of the block size, padding must be done,
and this adds to the inefficiency.

 Processing Fees for Brief Communications: Block ciphers may not always be
optimal in terms of encrypting short messages. One of the constraints that inhibit
encoding a tiny chunk of message is the overhead related to processing the entire
block.

 Nature's Determination: Block ciphers work in a deterministic manner, thus

producing the same ciphertext block, if the same plaintext block is encrypted
with an identical key. While this characteristic is desirable for proper decryption,
it may indicate problems in certain situations, particularly in the electronic
codebook (ECB) mode. Two identical plaintext blocks are always translated into
identical ciphertext blocks.

 Possibility of Block Designs: In some modes of operation of block ciphers,

especially those that use the same key to encrypt multiple blocks, patterns in the
plaintext may translate into patterns in the ciphertext. Attackers might use this to
their advantage to discover some structure in the plaintext.

 Significant Management Challenges: Cipher security mandates a very

advanced key management system. Just as with any cryptographic systems, if
keys aren't generated, stored, and distributed in a secure manner, the security of
the encryption system would be rendered useless.
  Weakness to Side Channel Attacks: Block ciphers can be vulnerable to side-
channel attacks whereby the attacker has a way of knowing the values of other
variables like power consumption, electromagnetic energy, and timing data to
gather more information on the encryption process.

 Problems with Cipher Block Chaining and Initialization Vector: The

initialization vector must be selected and managed so that certain modes like the
CBC are not rendered vulnerable. Reusing an IV with the same key could lead to
a security concern; generating random IVs could therefore be difficult in certain
situations.

Regardless of these pitfalls, it still stands that block ciphers are, and will remain, one of
the most crucial elements of modern encryption systems. Understanding weaknesses
permits the choice put into motion of the most-fitting block cipher for the specific needs
and characteristics of the intended application. (geeksforgeeks, 2024)

Examples
1. The older block cipher known as DES (Data Encryption Standard) is now
considered insecure because of its small key size.
2. The Advanced Encryption Standard, or AES, is a widely accepted standard that is
trusted and found in many different applications.
3. The Advanced Encryption Standard (AES) is one well-liked block cipher. If we
have a 128-bit key and a block of plaintext, AES will encrypt the block into
ciphertext over the course of several rounds.
4. Two fish: This symmetric key block cipher, which is well-known for its versatility
and security, was a finalist in the AES competition.
 1.2 write code that encrypts and decrypts data using mathematical cipher and
algorithms.

Caesar Cipher
Named after Julius Caesar, it is one of the simplest and oldest known encryption
techniques. According to reports, Caesar used it to communicate in secrecy. To perform
the cipher, a given number is added to or subtracted from the alphabet position of a letter
in the plaintext. An example would be changing the letter A into D, B into E, and so on,
with a shift of three. Because of this looping, Z would move to C. The message recipient,
knowing the shifting value, can decode the cipher by shifting the ciphered letters back the
same number of letters. (geeksforgeeks, 2024)

While strikingly simple to implement, the Caesar Cipher is one of the worst choices for
security. For the field of modern cryptography though, with 26-1=25 possible keys
(assuming the standard English alphabet), the difficulty here lies in performing a blind
brute-force attack whereby the various shift candidates could be put to test to find the one
that retrieves readable text. Moreover, frequency analysis exploits the knowledge that
different letters appear at different frequencies in natural language texts to break this
cipher even in the lack of the key. As simple as it gets with no protection, the Caesar
Cipher provides ground concepts in cryptography and is commonly used to introduce
basic concepts of encryption. (geeksforgeeks, 2024)

Code
 Figure 2 Caesar Cipher Code

Response

Figure 3 Response for Caesar Cipher Code

Cipher Vigenère

The polysyllabic substitution Vigenère Cipher, invented in the 16th century by French
cryptographer Blaise de Vigenère, is a notable improvement over the good old Caesar
Cipher. And whereas Julius Caesar's cipher practically had a unifying shift applied to
every letter, Vigenère's cipher employs a keyword or passphrase for determining the
shifting of the letters in the plaintext. Each letter in the plaintext is shifted in accordance
with its corresponding letter in the key; the key is cycled through as many times as
necessary until the entire plaintext has been provided a corresponding key letter. For
instance, if "KEY" is used as the keyword, then "K" would shift "H", "E" would shift "E",
"L" would shift "Y" and so on in reference to the word "HELLO". (geeksforgeeks, 2024)

Being a polyalphabetic substitution cipher, Vigenère provides much more security over
the simple Caesar Cipher because the shifts vary throughout the communication, making
frequency analysis even more challenging. Still, however, they are vulnerable to
cryptanalysis, especially if the plaintext reveals patterns or the key is not so long. Such
repetitive patterns in the ciphertext may be a Kasiski examination, which may lead to
determining the length and nature of the word used. (geeksforgeeks, 2024)

The Vigenère Cipher was withstood much use over the centuries until its vulnerabilities
to certain attacks ultimately stymied its survivability. Even with almost regular algorithms
for breaking it, before the introduction of the microcomputer with its ability to engage
more straightforward statistical analyses like frequency analysis of letter combinations,
weakness in[sic] the Vigenère Cipher had remained little known. Yet even as it came to
be recognized as a truly important historical landmark in cryptography, it still stands as a
testament to early encryption techniques, which are being studied even today.
(geeksforgeeks, 2024)

Code
Figure 4 Vigenère Cipher Code 01
 Response

Figure 6 Vigenère Cipher Response

These pieces of code encrypt and decrypt data using the Vigenère and Caesar ciphers,
respectively. Remember, these are classic ciphers and are not meant for use in security-
critical environments! Modern cryptographic libraries and algorithms (such as AES,
RSA, etc.) should be applied in practice for secure data encryption and decryption.

An Example in Python Showing how to encrypt a 4-bit input with a 4-bit key using
the XOR Function.

Figure 8 Response for 4-Bit input with 4-bit key using

Figure 7 Python how encrypt a 4-bit input with a 4-bit key

This code defines the xor_encrypt function, which bitwise XORs equivalent bits in a 4-
bit key and 4-bit input to produce the encrypted output.

The xor_encrypt function iterates through each byte of the input and key.

Each bit is transformed into an integer, the outcome is added to the encrypted string, and
the bits are then subjected to the same location's XOR operation.

In the end, the encrypted result is given back.

1.3Analyze the operational distinction between block and stream cipher critically,
drawing on a variety of relevant real-world examples.

Distinctions in operations

Stream Cipher

The encryption process on any stream cipher works bit-by-bit or byte-wise where each
bit or byte of the plaintext is combined with the pseudo randomly generated keystream.

Important stream production

Stream ciphers require keystream generation, which produces a pseudo-random stream

of bits to combine with the plaintext to form the ciphertext.

Ultimately, the main purpose of keystream generation is to yield a stream of bits that
would appear surprising and random to an opponent. Then, using bitwise logical
operations of exclusive or, the plaintext is combined with this pseudo-random stream to
form the ciphertext.

Principal elements:
  Key: Stream ciphers utilize a secret key to generate the keystream. Due to their
unpredictability and confidentiality, stream ciphers' algorithms are important for
enhancing their security.

 The pseudo-random number generator (PRNG): In a more technical way: A

pseudo-random number generator (PRNG) technique is necessary for generating
the keystream from a secret key. Its form should possess the following random-
seeming desirable traits: Independence of bits and uniform distribution.

Key stream generation process

 Initialization: The PRNG uses the encryption key for initialization. This
procedure blesses every encryption session with a distinct keystream.

 Creation of Keystreams: The PRNG generates the pseudo-random bit sequence,

whose keystream typically matches the length of the plaintext.

 Stream Refreshment some stream cipher designs, the PRNG may be periodically
refreshed or reseeded, thus enhancing security and countering cryptanalysis.

Examples

Keystream creation is demonstrated using the RC4 algorithm, one of the simplest
stream ciphers.

1. RC4 initializes a state array using the given secret key.

2. RC4 generates the keystream by pseudo-randomly shuffling the state array over
and over. A stream of pseudo-random bytes is produced as a result.

3. The plaintext and keystream are bitwise XORed to form the ciphertext.
Advantages

 Efficiency: Keystream creation can be computationally efficient, especially in

hardware designs.

 Adaptability: Integrating with stream ciphers, users get to choose freely the
PRNG algorithms of their choice. Adding this flexibility to the security selected
satisfies various security needs.

Disadvantages

 Risks to Security: Properly constructing the keys will be made into challenging
threats like predictable keystreams or possible key recovery attacks.

 Adaptability: To secure the keystream Generation process, key management is

compulsory.

The keystream generation forms a crucial component of stream ciphers, ensuring the
required randomness for security during encryption. Great attention is required to the
preservation of key secrecy and the efficiency of the PRNG algorithm to mitigate security
loopholes.

Bitwise XOR Processor

The simplest and most common applied cryptographic operation is bitwise XOR,
particularly in processes of encryption and decryption. For certain types of encryption
schemes, like stream ciphers and block ciphers, a bitwise XOR operation can be done
between the plaintext and key or keystream to arrive at the ciphertext. Thus, this ensures
an easy and unproblematic yet, at the same time, invertible masking of the plaintext in
order not to be read unauthorized. (geeksforgeeks, 2024)

Principal elements:
 Plain text: The original communication that need to be encrypted
 Key: The secret value, sometimes referred to as keystream, that is combined with
plaintext
 Ciphertext: The encrypted plain text after the XOR technique is applied.

Bitwise XOR operation process

 Binary Representation: The system turns the plaintext, key, and keystream into
binary code. It converts each character in the plaintext to its ASCII or Unicode
value before changing it to binary.

 Bitwise XOR: The process combines each bit of the plaintext with the matching
bit of the key or keystream using XOR. When one bit is 0 and the other is 1, it
results in 1. When both bits match, it gives 0.

This method creates an encrypted version called ciphertext. It uses a combining function
named XOR to apply bits to the plaintext.

Examples
 Plaintext:”101010”
 Keystream:”110011”
 Processor with bitwise XOR:
I. Simple text: 101010
II. 110011 is the key
III. Outcomes: 011001
Therefore, the ciphertext that would emerge would be “011001”
Advantages
 Low complexity of the Implementation: The XOR operation can be easily
realized both in hardware and in software.
 Reversibility: In this process, XORing the ciphertext again with the key or
keystream, which was applied to encrypt the information, reverses this process.

Disadvantages:
 Determinism: Given several encryptions using the same key or keystream, equal
parts of plaintext will result in the same sections of ciphertext. This may be
exploited by adversaries.
 Key management: Since the key could be used to decrypt the ciphertext, secure
key management will be necessary to prevent unauthorized access to the key or
keystream.
In a nutshell, encryption through the bitwise XOR operation is a simple cryptographic
technique that merges the plaintext with a key or keystream to form the ciphertext. Its
reversibility and simplicity make it very useful in securing data transfer and storage.
However, proper key management must be employed to ensure security regarding the
encrypted data.

Example of Stream Cipher: RC4(used in WEP and WPA for WI-FI encryption).

Block Cipher
encrypts fixed-size blocks of plaintext (64 or 128 bits in length) under a key and then
transforms the block into the corresponding ciphertext.

Block Dimensions
  One of the most integral elements of block cipher methods involves block size.
Block size refers to the regulation of block length for plaintext and ciphertext
through the encryption process.
 The block size denotes the block cipher's input amount it can process in a single
operation. It provides a guideline on how the blocks of plaintext are divided into
discrete pieces that can be independently encrypted and decrypted.

Principal Elements

 Blocks of Plaintext: The original message is first split into blocks of the same
size; each being defined by the block size.
 Blocks of Ciphertext: In the entire process of encryption, each block of plaintext
is transformed into a block of ciphertext of equal size.
 Padding: In cases where the block size does not go in multiple, plaintext might be
padded to complete each block.

The results of block size

 Security Strength: A larger block size could offer increased resistance to some
cryptographic attacks, if it is combined with more rounds of encryption.
 Performance: Larger blocks may be associated with extra processing overhead,
increasing the latency for completing the encryption and decryption processes.
 Data Integrity: Block size in encrypted communications changes the granularity
of data processing; therefore, affecting data integrity and error propagation.
 Padding Overhead: Smaller block sizes can result in more padding, which
increases the overhead for transmission and storage.
 Compatibility: To achieve interoperability and compatibility among a wide
variety of implementations and Systems often standardize block sizes for
cryptographic techniques.

Sample block size for practical applications:

  The advanced encryption standard, pr AES, provides block size of 192,128, and
256 bit the most popular and default block size is 128bits.
 The block size of the data encryption standard, or DES, is always 64bits.
 Triple DES (3DES): uses the same block size as DES and has 64bits per block.
 Supports block sizes for blowfish that range from 32 to 448 bits.

Advantages
 Flexibility in Security: It provides the capability to adjust the block size to suit an
application's needed security level with respect to the encryption algorithm.
 Standardization: Standard block sizes in cryptographic algorithms make
interoperability easier to achieve because, among other advantages, they have a
simpler way of incorporation into different systems and protocols.

Disadvantages:

 Performance Impact: This is because a larger block size will affect the
effectiveness and speed in which encryption and decryption processes may occur
since it uses more computational powers.
 Padding Overhead: More padding may be required for small block sizes,
increasing the ciphertext size. As such, this brings inefficiency to storage and
transmission.

Conclusion: The block size will seriously affect interoperability, security, and the
efficiency of a block cipher algorithm. The choice of block size therefore requires
considering operational constraints together with specific security requirements imposed
on the operation of the cryptographic system.

Important extension
Key expansion in block cipher techniques involves the process of expanding a very small
cryptographic key into a larger set of round keys used in several encryption rounds.
Key expansion aims at generating from the initial cryptographic key a set of round keys.
Round keys improve security over time through increasing the complexity and dispersion
of the encryption and decryption process.

Principal elements
 Cryptographic Key: Larger than the original key that the user provided.

 During each round of encryption or decryption, expanded keys known as round

keys are used. They may be derived from the original key.

 Key Schedule: It is the algorithm that is used to transform the original key into a
round key.

The Main process expansion

 Initialization: The cryptographic key is taken through an initialization phase to

ready it for expansion.

 Key Schedule Algorithm: Generally, the key schedule algorithm produces a

series of round keys out of the key. Generally, this would be a combination of
transformations, replacement, and permutations.

 Round Key Generation: From the key-scheduling technique, several round keys
are produced, each for use in a different encryption or decryption round.

 Round Key Size: The size of each round key is determined by the block cipher
method and its implementation specifications.
Repercussion of key extension
 Improved Security: Key expansion enhances security by increasing the
complexity and unpredictability of the encryption process.

 Resistance to Cryptanalysis: Strong key expansion techniques should resist

various cryptographic attacks, including any attempts of key recovery and
differential cryptanalysis.

 Performance cost: One possible cost of key expansion is computational;

algorithms with complex key scheduling algorithms or large sets of round keys
will have higher computational overhead.

 Key Sensitivity: The security of the encryption system is highly dependent upon
the secrecy and unpredictable nature of the original cryptographic key.

For instance:

 The Advanced Encryption Standard (AES) has been designed to expand the
original key into a set of round keys for every encryption round by using the
Rijndael key scheduling algorithm.

 DES, or Data Encryption Standard, on the other hand, generates round keys by
using a fixed key scheduling approach for each of the 16 rounds.

 Blowfish: It uses a key expansion technique that re-hashes the original key into
round keys in a recursive manner.

Advantages
  Improved Security: The process of encryption becomes more difficult and
unpredictable for the round keys due to key expansion.

 Cryptographic Agility: Provides the possibility to choose various key expansion

techniques and move with evolving key lengths.

Disadvantages

 Performance Overhead: Key expansion may introduce computational overhead,

thereby affecting the efficiency and speed of the encryption and decryption.

 The complexity of the implementation requires much care during development

and implementation, considering cryptographic properties and potential
weaknesses of key expansion schemes.

Key expansion, in general, enables block cipher schemes to be far more secure, creating a
set of round keys from the original cryptographic key. Key expansion techniques ensure
that encrypted data integrity and confidentiality are preserved by preventing
cryptographic attacks.

Round function
The round function is the heart of block cipher algorithms, which, utilizing some
cryptographic techniques, transforms the input plaintext block into ciphertext during
encryption and vice versa during decryption. The round function performs several
cryptographic operations on each block of plaintext or ciphertext during encryption or
decryption. Its main purpose is to enhance the cryptographic strength and security of the
algorithm by introducing confusion and then diffusing it.

Principal Elements:
  The plaintext/ciphertext block: The name of the data input block that the round
function processes.
 Round Key: A subkey that adds variation and unpredictability to the
plaintext/ciphertext block, derived from the principal cryptographic key.

In cryptography, a set of mathematical operations comprising substitutions, permutations,

mixing, and bitwise operations such as XOR are applied to the input block and the round
key.

The Round Function Process

 Initiation: This may either be an input of plaintext or a ciphertext block to

initialize the round function.

 Generation of Subkeys: By implementing key expansion procedures, a main

cryptographic key would obtain a round key.

 Cryptographic Operations: The following variety of cryptographic operations

might be carried out using the round function: bitwise XOR, substitution-
algorithm P-box permutation or S-box substitution-, permutation, key mixing,
such as addition of a round key.

Where applicable, this last block of ciphertext or decrypted plaintext-should the operation
just have exited its final cryptographic operation-or its equivalent in an iterated round
output serves as an input in another round in general.

Round functions consequences

 Security Strength: The round function directly influences the security of a block
cipher algorithm. A well-designed and efficient round function increases the
resistance against different types of cryptographic attacks, such as linear and
differential cryptanalysis.
  Confusion and Diffusion: Two most important principles lying at the heart of the
strength of cryptography are introduced by the round function, which makes sure
that every bit of the input block affects many bits of the output.
 Avalanche Effect: The round function should provide an avalanche effect, where,
with a small variation in input, there would come up a huge variation in output,
enhancing the security of the statistical attacks.

Example
 The rounds that are used by the Advanced Encryption Standard, or AES, are
mixing (AddRoundKey), substitution (SubBytes), permutation (ShiftRows), and
mixing (MixColumns).

 DES or Data Encryption Standard is a 16-round algorithm, each round of which

contains substitution (S-box substitution) and permutation (P-box permutation).

 Blowfish: This algorithm makes use of a Feistel network structure with numerous
rounds. Each round consists of complex S-box substitution operations along with
permutations that depend on the key.

Benefits

 Improved Security: High-quality round functions improve the general security

and cryptographic power of block cipher algorithms.
 Cryptographic Agility: Round functions can relatively easily be exchanged to
keep up with emerging security needs or new cyber-attacks.

Drawbacks:
 Performance Overhead: Complex round functions come at some computational
overhead regarding the efficiency of performing encryption and decryption
operations.
  Risk for Cryptanalysis: In the case of defects or weaknesses in the round
function, cryptanalysis attacks may compromise the security of the algorithm.

In a nutshell, the round function plays a major role in block cipher algorithms, as it
implements cryptographic operations, which transform the plaintext into ciphertext and
vice-versa. The design of the encryption algorithm, therefore, has a bearing on the
efficiency and robustness of the encryption. Care and research are needed while
developing and implementing secure round functions.

Benefits of a Steam cipher

 Law latency: this makes encryption suitable for real-time communication because
it is continuous.
 Speed: generally speaking, faster that block ciphers, especially for streaming data.
 Resource efficiency: usually requires less processing overhead and memory.
 Synchronization: the data streams inherent synchronization facilitated
encryption.

The drawback of the stream cipher

 Bit Flipping Vulnerability: If the keystream is compromised, then bit
manipulation attacks can be mounted.
 Restarting Vector (IV) Management: Stringent management of IVs is necessary
to avoid any vulnerability due to key reuse.
 Keystream generating: The effectiveness of the algorithm used for generating
keystream is a significant factor in security.

Benefits of a block cipher

 Security Strength: High security strength is possible with more rounds and
appropriate key management.
 Versatility: Offers versatility by operating in various environments and scenarios.
 Error Tolerance: One error in a block does not affect the decryption of all
subsequent blocks.
  Hardware Efficiency: It could be efficiently realized with hardware and is,
therefore, suitable for an environment where resources are limited.

The drawbacks of the block cipher

 Fixed Block Size: In the case of data whose size is not a multiple of the block
size, padding is necessary during the process.
 Slower for Shorter messages: Encryption of short messages is less efficient
because of Processing cost.
 Complexity in Key Management: The security should be provided through
effective key scheduling and management.

Useful illustrations
 RC4 is one example of a stream cipher that was once used to encrypt WiFi,
namely WEP, WPA.
I. Advantages: Suitable for streaming data applications like real time
communications.
II. Drawbacks: It is susceptible to attacks because of the improper IV handling and
key-scheduling.

 block cipher example; namely AES, finds widespread usage in TLS/SSL to

protect internet communication.

I. It offers better security robustness and flexibility for various types of encryption
needs.

II. Its need for appropriate key management and likely cost increase to obtain the
speed of communications are its drawbacks.

Some practical differences, advantages, and disadvantages are the basis for choosing
between block ciphers and stream ciphers. It is decided based on the type of data, security
requirements of the application, and performance requirements.
 1.4 Justify the enhancements in public and private key encryption that stream
cipher bring over block ciphers.

Real-time encryption is when the data, at the same instance it is being transported or used,
is immediately encrypted and decrypted without noticeable delay or buffering. This is
very critical in applications where integrity and secrecy of data are essential, such as
secure channels of communication, real-time data transmission, and video streaming.

Enhanced public key productivity and effectiveness

Important element:
 Encryption Algorithm: The cryptographic algorithm, such as block ciphers,
including but not limited to AES, stream ciphers like RC4, or authenticated
encryption schemes such as AES-GCM, which transform plaintext to ciphertext.

 Key Management: Provides secure generation, distribution, rotation, storage, and

destruction of the encryption keys. Stringent key management procedures will
ensure the security of the encrypted data.

 Data Buffering: Sometimes, it is possible to hold the data in a small-sized buffer

such that while being encrypted or decrypted in real time, it may be buffered to
reduce variations in data transfer speeds.

 Stream Processing: The most appropriate characteristic of real-time encryption is

the encryption and decryption performed on the fly during reception or delivery.
Here, proper data streams management in the form of adequate algorithms and
techniques of stream processing is performed.

 Performance Optimization: The algorithms for encryption and decryption

should be as quick and efficient as possible to enable real-time processing without
noticeable delays or latency. This may involve hardware acceleration, parallel
processing, or algorithmic enhancements.
Challenges
 Latency: Real-time encryption will introduce additional processing overhead,
possibly leading to delays or increased latency under circumstances where
resources are low or in very high-throughput applications.

 Throughput: It might be challenging to achieve good throughput when

encrypting or decrypting data in real time for large streams of data or
computationally intensive encryption algorithms.

 Resource Limitations: Insufficient memory, CPU power, or network bandwidth

may result in poor performance and low scalability of the encryption performed in
real time.

 Key Management Complexity: Besides the security aspect, this calls for added
key management complexity in real-time encryption deployments, especially over
distributed or decentralized systems.

 Ability to Adapt: Real-time encryption solutions must be capable of changing

with dynamic network requirements, data speeds, and encryption needs without
sacrificing security or introducing new vulnerabilities.

Decisions
 It is important to select an appropriate encryption technique or modes that give the
best possible speed in real time. Employ lightweight stream ciphers for
applications that require low latency, while AES-GCM for authenticated
encryption.
  Hardware Acceleration: Employ hardware cryptographic accelerators such as
dedicated encryption/decryption hardware or GPU acceleration to offload the
cryptography load and thereby increase the speed.

 Distribute the load of encryption and decryption across multiple CPU cores or
processing units, thus reducing the overall latency of processes. Increasing the
speed by up to tenfold, while a linear increase in performance will result from
parallelism.

 Data Compression: Compress data first before encrypting and reduce the size of
the stream to decrease the processing overhead and maximize throughput in
conditions with low bandwidth.

 QoS: In the event of competing demands in a network, real-time encrypted traffic

should be given priority and all the resources to allow for quick processing and
low latency.

Useful illustrations
 Secure Communication Protocols: TLS/SSL protocols allow for real-time
encryption of online email, web browsing, and other services, ensuring data
integrity and confidentiality.

 Live Video Streaming: Real-time encryption in live video streaming prevents

unauthorized access or interception by a streaming provider. Live videos are
safely delivered to the viewers' devices.

 VoIP: These applications encrypt voice calls in real time to prevent any
unauthorized party from listening in or tampering with the audio data being
transmitted.

Conclusion: Real-time encryption plays a very important role in various applications,

including IoT devices, communication, and multimedia streaming, for security in data
processing and transmission. Thorough security, latency, and performance evaluation is
required for an efficient It includes proper implementation along with appropriate use of
encryption and key management.

Minimal overhead
By the term "low overhead" encryption here means all additional processing time and
computer resources involved for doing encryption and decryption operations, keeping in
mind the requirement that-actually-for being excellent encryption techniques require
overhead to be extremely low, really when a good throughput is available or, normally,
when resources are scare.

Important elements
 Encryption: Choosing a lightweight encryption scheme that is reliable, such as an
authenticated encryption scheme, for example, AES-GCM, a block cipher with
lightweight properties, for example, AES-128, or a stream cipher, for example,
ChaCha20.

 Key Size: Whenever possible, shorter keys should be used without sacrificing
security. Smaller keys reduce both the memory and computational overhead of an
application while still providing a respectable level of security.

 Operational Mode: Selection of a low-overhead encryption mode such as CTR or

GCM that can be parallelized and efficient for high-volume data streams.

Challenges:
 Security vs. Performance-Trade-off: In general, this means striking a balance
between the need for strong cryptographic security and the need for low overhead.
Several of the lightweight encryption techniques have relaxed security for the sake
of speed; hence, trade-offs need to be carefully considered.

 Resource Constraints: In applications with very limited resources, such as

embedded systems, Internet of Things devices, and mobile platforms, CPU,
memory, and energy consumption is strictly limited.
  Besides, another essential feature is that encryption processes should be able to
keep up with the throughput requirements of data transmission rates, especially for
applications requiring high throughput, such as network communications or
storage systems.

 Key Management Complexity: Most of the encryption techniques become further

complex while securely handling the encryption keys with minimum overhead,
especially in systems that are distributed or decentralized.

 Algorithm Complexity: Certain encryption algorithms, especially those involving

complex round function operations or key scheduling, may incur a significant
overhead in terms of processing time and computational resources.

Decisions:
 At the selection of encryption itself, consider the selection of low-overhead, light
solutions that balance security with good performance-such as lightweight block
ciphers or stream ciphers.
 Hardware Acceleration: Consider hardware cryptographic accelerators in the
system. Examples are GPU acceleration or special processor-level
encryption/decryption technologies that cut the time and improve productivity.
 Algorithmic Optimizations: Apply efficiency improvements and algorithmic
optimizations whenever they are relevant for the specific demands of the program.
Examples are data movement minimization, reduction in memory footprint, and
optimization of route operations whenever necessary.
 Simplify Key Management: Use automatic key rotation, safe key storage
approaches, or centralized services for key management to simplify all related
activities and reduce the associated overhead of managing keys.

Useful illustrations:
 Embedded Systems: Internet of Things devices and most embedded systems use
lightweight encryption algorithms such as AES-CCM or ChaCha20/Poly1305,
since they require very low computational overhead and give efficient resource
utilization.
  Network Communication: The high-performance network encryption techniques
like IPsec or Wire Guard have a strong concentration on low overhead and
efficient packet processing to allow low latency and high throughput for secure
communication.

 Cloud Storage: The cloud storage providers encrypt the data while in transit or at
rest using encryption methods adjusted for minimum overhead without
appreciably reducing storage and retrieval speed.

In other words, lightweight encryption can be done with low overhead by the choice of
proper algorithms for lightweight encryption, optimizing key management processes, and
using hardware acceleration, together with algorithmic optimizations, which shall be
tuned to the requirements of an application and an underlying hardware platform. Strong
cryptographic security can be preserved while yielding significant reductions in
processing time and computer resources using effective optimization techniques.

Strengthened defence in public key cryptography

One of the most important properties of encryption algorithms is resistance to known-
plaintext attacks. That is, it should be computationally infeasible for an attacker to
decrypt other ciphertexts or get the encryption key from the ciphertext and corresponding
plaintext. In this section, let's consider an overview of known-plaintext attacks, why we
need protection from them, and how the techniques of encryption accomplish that
protection.

Attacks using known plaintexts: what are they

A known-plaintext attack could be made by an adversary who has the plaintext and
corresponding ciphertext. It would be easy to access the encrypted data of a compromised
system, use statistical analysis on well-known data patterns, or intercept the encrypted
conversation.

The importance of opposition

  Confidentiality Assurance: Encryption is about denying unauthorized access to
plaintext data through scrambling of sensitive data. In so doing, the protection
against known-plaintext attacks must be done, even in instances when an attacker
may have managed to decipher part of the encrypted data.

 Key secrecy: No information about the key used for such encryption should be
revealed through any known plaintext attack. If an attacker had recovered the
encryption key, and protection against such types of attacks did not exist, that may
jeopardize the security of the whole encryption system.

The development of resistant encryption algorithms

 Confusion and diffusion: The encryption algorithms make usage of

cryptographic techniques like confusion (complex mathematical operations) and
diffusion, so that small changes in plaintext could cause huge changes in the
ciphertext. This helps, if a certain attacker gets some matched plaintext-ciphertext
pairs, to somehow prevent deriving relations between them.
 Key dependency: The encryption scheme is purposely made very dependent on
the encryption key. Each single bit change in the key will tend to produce a
remarkably different ciphertext. In this regard, it helps to protect against the
problem of obtaining important information about the deciphering key when
plaintext-ciphertext pairs are available.
 Encryption algorithm complexity: Cryptographic schemes are conventionally
meant to design in such a way so that their confidentiality should be relatively
secure. It implies that the best attack techniques would leave recovery of the key
or backtracking of the encryption process impossible.
 Mathematical Properties: They rely on mathematical structures like one-way
functions, trapdoor functions, and hard mathematical problems like discrete
logarithm or integer factorization, since they are thought to be resistant to known-
plaintext attacks.

The development of resistant encryption algorithms

  Confusion and Diffusion: Cryptographic techniques such as confusion,
involving complex mathematical operations, and diffusion, dispersing input
changes through the output, ensure by encryption algorithms that small changes
in the plaintext will result in major modifications of the ciphertext. The feature
adequately prevents an attacker from inferring correlations between the known
plaintext and ciphertext, even though they may get pairs of plaintext and
ciphertext.
 Key Dependency: By design, the encryption scheme is highly dependent on the
encryption key. Slight changes in the key shall produce distinguishably different
ciphertexts. In this way, plaintext-ciphertext pairs should never provide useful
information about the key.

Examples of Algorithms resistant to known-Plaintext attacks

 Advanced Encryption Standard: AES is a much-admired block cipher due to its
complex round function, key scheduling technique, and diffusion properties, all of
which are making it withstand any known-plaintext attacks.
 Rivest Cipher RC4: despite all its weaknesses. Seemingly solid enough against
known plaintext attacks provided RC4 is used correctly, which really means with
a long key and proper initialization.
 Elliptic Curve Cryptography: Ecc-based encryption solutions, such as ECIES, due
to the intrinsic difficulty of solving the elliptic curve discrete logarithm problem,
are resistant to known-plaintext attacks at least.

Importance in utilization
 Secure Communication: Since an attacker can interrupt encrypted data thus
gaining access to plaintext-ciphertext combinations, it becomes important to
protect communication channels like email, encrypted messaging apps, and VPN
tunnels from known-plaintext attacks.
 Data Confidentiality: The encryption techniques need to achieve secrecy to protect
sensitive information stored on servers, databases, and cloud storage solutions
against attacks that provide plaintext-ciphertext pairs.
Thus, to protect encryption keys and ensure data confidentiality, encryption algorithms
must be resistant to known-plaintext attacks. To accomplish this, they are built through a
combination of some mathematical properties, cryptographic techniques, and algorithmic
complexity to make it almost impossible for attackers to deduce encryption keys or
decipher plaintexts from known sets of plaintexts and ciphertexts.

1.5 Real World Example:

Online banking:
Digital signature-the process of ensuring the authenticity of transactions-would rely on
block ciphers such as RSA or ECC, while the stream ciphers, RC4 or Salsa20, may find
their application in securing real-time communication channels in such online banking
applications where efficiency is coupled with security.

Encryption using private keys

In the cryptographic technique of private key encryption, or symmetric encryption, one
key is used for both data encryption and decryption. The knowledge of this private key is
only needed to be with the persons concerned in the communication.

How private key encryption works

 Key Generation: The sender and the recipient agree on a secret key that will be
used for both encryption and decoding.

 Encryption: The sender encrypts the communication with the help of a secret
key; it goes from plaintext to ciphertext.

 Transmission: The ciphertext is sent through the channel of communication.

 Decryption: The recipient decrypts the ciphertext with the same secret key used
for encryption and retrieves the actual plaintext communication.
Advantages of private key encryption
 Efficiency: The private key techniques of encryption are usually faster and more
efficient compared to methods of public key encryption.

 Simplicity: Because of fewer computational steps and overhead, private key

encryption is generally easier to use and implement.

 Secure Communication: Only the intended recipient with the proper secret key
can decrypt and access the data encrypted with private key encryption.

 Adequate under Equilibrium Conditions: Symmetric key encryption is good for

deployment in systems like two-way secure communications where there is a
secret key between parties.

The Disadvantages associated with private key encryption

 Key Distribution: Major challenges are how the secret key can be distributed to
the parties of communication securely without being intercepted.

 Key management includes updating and the safekeeping of the secrecy of the
secret key, which is critical in preventing unauthorized access to encrypted data.

 Scalability: Private key encryption does not scale well when there are numerous
communicating parties. This is because, for every pair of communicators, there
must be a different secret key.

 Limited Authentication: It does not offer authentication or verification of the

sender's identity due to its vulnerability to man-in-the-middle attacks.
 1.5.1 An illustration of a private key encryption algorithm is:

Advanced Encryption Standard is a block cipher symmetric encryption method that

performs under a fixed block size of data. It satisfies broad efficiency and security
requirements with significant versatility, suitable for a wide range of uses covering data
storage to encrypted sensitive data and secure communication. Key sizes of 128, 192, or
256 Bits are supported. (Dougherty, 2023)

Block Cipher
Block ciphers operate on fixed-size blocks of plaintext-one block at a time-with private
keys, which are inappropriate for large volumes of data or streaming applications.

Example: Private key encryption normally makes use of the block cipher known as AES,
for Advanced Encryption Standard; however, padding methods may be needed to
efficiently handle plaintexts of varying lengths.

Parallelization and random access:

Stream cipher
Because stream ciphers allow random access and parallelization, to decrypt a portion of
the encrypted stream, previous blocks do not have to be decrypted. Stream ciphers are
hence suitable for scenarios requiring random access to encrypted data.

Example: Stream ciphers can decrypt each packet independently, with no need for packet
synchronization; hence, they are sometimes used in telecommunications to encrypt audio
or video chats.

Block Cipher
Block ciphers operate on fixed-size blocks of plaintext, which can limit parallelization
and random access. This is a problem, for instance, with private key encryption of large
datasets or streaming applications.
As an example, full-disk encryption systems encrypt the data on disk as blocks using
ciphers like AES, but random access to individual sectors might require the decryption of
whole blocks, at some performance penalty.

1.5.2 Resisting specific assaults

Stream Cipher
Stream ciphers, when used effectively, are usually more resistant to certain kinds of
attacks such as ciphertext-only attack and certain types of cryptanalyses. They are
suitable for situations that call for protection against attacks and security.

Example: One-Time Pad (OTP) A theoretically unbreakable stream cipher inputting a key
stream of the same length as the plaintext and using it once. In real life, OTPs are never or
hardly applied due to the key management problem.

Block Cipher
Depending on the block cipher and mode of operation being used, block ciphers may be
vulnerable to such attacks as differential cryptanalysis and chosen-plaintext attacks.
Security issues could arise in scenarios where the encryption's strength is crucial.

Example: The Data Encryption Standard (DES) was found to be broken due to
differential cryptanalysis, which led to the adoption of the more secure AES technique in
its stead.

1.5.3 Key Management Complexity

Stream Encryptor
Stream ciphers may require less key management than block ciphers when it comes to
private key encryption, especially for devices with highly constrained resources or for
connections that are long term and encrypted.
Example: Because they are easy to implement and efficient on low-resource devices,
stream ciphers like the E0 algorithm are used in wireless communication protocols such
as Bluetooth. Block Cypher

Block Cipher
In most of the cases, block ciphers require more difficult key management, especially
with operating modes such as CBC that require IVs and padding schemes. Due to such
complexity, there can be additional security flaws.

For example, regarding key management and initialization vectors for block ciphers
operating in CBC mode, it is the very created complexity that could expose disk
encryption systems to potential security vulnerabilities.

Finally, stream ciphers are preferable for private key encryption compared to block
ciphers due to the efficiency, parallelization immunity against specific attack, and ease of
key management. In any case, since each of these cipher types has its merits and demerits,
the choice of one over the other depends on the requirements and constraints of the
application in which encryption is being used.

1.6 Justify the benefits of stream cipher over block cipher for possible use in ship
cargo regarding public and private key encryption.

The two major cryptography techniques for encryption are stream ciphers and block
ciphers; each has its certain advantages and disadvantages. Since public and private key
encryption have different natures, let's look at some advantages of stream ciphers over
block ciphers and how Ship Cargo’s cloud environment can make use of them:

Stream cipher for public key encryption

They find hardly any application for public key encryption, since, by nature, the stream
ciphers just happen to relate to symmetric key encryption methods. But sometimes the
stream ciphers find their application apart from the public key encryption for which they
supply many more advantages and benefits. They can be applied to generate the keys in
use with public key encryption systems. It enables the generation of random key streams
in a reliable way that could be directly used as an encryption key with public key
algorithms like RSA or elliptic curve cryptography. If the stream ciphers do produce
unexpected and quite random key material, then it would definitely assist an organization
in strengthening the security in its public-key encryption system and protect against brute
force and key enumeration cryptographic attacks.

Stream ciphers can also be used in public key encryption to establish secure channels
between entities. The addition of stream ciphers provides another layer of protection
against confidentiality and integrity violation in the data being exchanged via a
communication channel; this could be related to public key encryption methods. Most
applications involving public key encryption techniques involve key exchange and
asymmetric session key encryption. For instance, when using public key encryption, an
organization can use stream ciphers to authenticate and encrypt the streams of data moved
between clients and servers. It is a hybrid solution that combines the best of public key
encryption and stream ciphers to provide confidentiality, integrity, and legality of
communication in a public key environment.

It is also highly applicable to real-time applications and cases requiring very minimal
latency. While block ciphers operate on fixed-size blocks of data, stream ciphers encrypt
streams one bit or byte at a time. It is, therefore, possible to encrypt and decrypt data in an
efficient and timely manner. Since low latency is crucial for a seamless user experience,
stream ciphers naturally fit into applications such as VoIP services and secure messaging.
Companies can use stream ciphers to provide public key encryption for certain real-time
communication scenarios, allowing the business to have necessary security without
compromising responsiveness or efficiency. (Muhammad Rana, 2022)

While stream ciphers are helpful in certain scenarios, it is also worth noting that stream
ciphers do have their own disadvantages and flaws in security that should be considered.
Stream ciphers may, for instance, be vulnerable to the known-plaintext attack or key
stream reuse if used appropriately. What's more, stream ciphers require strict key
management to ensure the security of encrypted data streams. It is thus very important for
companies to follow the best protocols in key production, distribution, and storage to
reduce the possibility of cryptographic weaknesses or key compromise. Finally, while
stream ciphers sometimes offer increased security compared to public key encryption
systems, businesses should carefully investigate their suitability in each environment and
implement necessary security measures to mitigate possible risks. (Muhammad Rana,
2022)

Stream cipher for secret key encryption

Because stream ciphers are always associated with symmetric key encryption, they can
therefore be used in scenarios where private key encryption is concerned. In private key
encryption, one key is used for encryption and decryption processes, and stream ciphers
have several advantages concerning this. One of the main areas of application of stream
ciphers in private key encryption is the secure transmission of data across communication
channels. Stream ciphers provide immediate encryption of data streams allows
organizations to maintain data integrity and confidentiality of critical information
transmitted between parties. For example, Ship Cargo can use stream ciphers to encrypt
communication channels between on-premises systems and cloud-based servers to secure
shipping data, customer information, and financial transactions from unauthorized access
or eavesdropping.

Moreover, symmetric key systems can be further secured using stream ciphers. The cloud
environment data for Ship Cargo, which includes sensitive data, databases, or backups,
can be encrypted using stream ciphers to protect against unauthorized access or data
breaches. Once data is at rest, encryption and the use of appropriate decryption
Key, Ship Cargo ensures that, even in the event of an attacker gaining access to the
storage infrastructure, the data will still be unreadable. This adds an extra layer of security
to ensure that the occurrence of data loss or disclosure during a security breach or
unauthorized access is minimal.

This can be done to ensure that sensitive information is well protected with stream ciphers
not only for the secure storage and transmission of data but also in IoT and mobile
environments. Ship Cargo can track shipments, check inventories, and collect
environmental data using sensors via IoT devices or mobile applications. Ship Cargo can
ensure that data integrity and confidentiality are preserved, both sent from and to the
cloud platform, because the information streams emanating from those devices can be
encrypted with stream ciphers and private key encryption. It will ensure the
confidentiality and reliability of operations through the protection of sensitive data from
tampering or unauthorized access.

However, while making use of private key encryption, several disadvantages and
weaknesses that come along with stream ciphers should be considered. If used in an
inappropriate way, stream ciphers are vulnerable to known-plaintext attacks and other
cryptographic weaknesses, such as key stream reuse. Besides, appropriate key
management Protocols would be required to be implemented to securely keep the data
encrypted and not compromise a key. To minimize the risks of unauthorized access or
cryptographic failure, Ship Cargo should generate, store, and protect the keys correctly.
Given these limitations, stream ciphers can enable companies like Ship Cargo to enhance
the security of their cloud storage, transfer, and communication channels by providing
useful features for encrypting private keys.
 Task 02

2. Examine the dangers and problems associated with public key encryption
methods, using several relevant real-world situations.

2.1.1 Crucial administration

Key management, including generation, distribution, rotation, and destruction of keys,

forms the basis of information security and cryptography. Proper management of keys is
necessary to keep encrypted data secure and integral.

 Key Generation: Keys shall be generated by using secure RNGs and generated in
a manner such that they are unpredictable and random. Suitable key length and
robust keys could be generated using good cryptographic key generation
procedures. The creation of the key must be made in a secure environment to
avoid any manipulation or compromise.

 Key Storage: Keys must not fall into unauthorized hands, nor be disclosed.
Therefore, keys shall be stored in a secure way using either Hardware Security
Modules-HSMs or secure key vaults, providing protection against both physical
and logical attacks. Access controls and encryption shall be implemented to
ensure key access, based on the least privilege principle.

 Distribution of Keys: Only authorized individuals should receive keys via secure
means. Using key agreement procedures or key exchange protocols, like the
Diffie-Hellman key exchange, cryptographic keys can be securely established
 between communication participants. Public key infrastructure (PKI) is a means
of validating and distributing public keys in asymmetric encryption systems.

 Key Rotation: The key updating should be very frequent to minimize the chances
of any cryptographic attack or key compromise. Frequent key rotation will help to
ensure long-term security of encrypted data by minimizing breaches. Key rotation
policies must be cautiously thought out to avoid violations and to protect sensitive
information.

 Key destruction: A key is destroyed beyond recognition when its useful life has
expired, or it is no longer needed. Keys shall not be recoverable, including by
using methods such as cryptographic erasure or physical destruction of storage
media in a secure manner. It requires proper documentation and auditing to track
major destructive activities.

 Key escrow and recovery: Key escrow protocols allow copies of encryption keys
to be deposited securely with trusted third parties. To permit encrypted data to be
recovered in case of system failure or loss of keys, key recovery procedures need
to be implemented. Associated security and privacy issues with key escrow and
recovery systems must be carefully investigated.

 Observation and Investigation: The possibility of security incidences or the

violation of a policy is through regular audits or monitoring of Key Management
procedures. It is necessary for recordation and reporting system to monitor any
key usage and alteration and attempts for access. There are intrusion Detection
Systems and Security Information and Event Management systems, security
controls to implement observation in Key management. (geeksforgeeks, 2024)

Danger
Public key encryption techniques rely on the proper handling of public and private keys
for their security. With a lost or misused private key, encrypted data might fall into the
wrong hands.
For instance:
In 2015, a breach at the U.S. Office of Personnel Management gave hackers access to the
personal data of federal employees. Poor key management practices have been identified
as one of the contributing factors in the incident.

2.1.2 Algorithmic Vulnerabilities

Flaws or shortcomings exist in cryptographic algorithms, which are susceptible to some

form of attack that an intruder could execute to compromise security. These The defects
are known as algorithm vulnerabilities. Several security issues, such as the penetration of
the communication channel, decoding of encrypted data, and unauthorized sensitive
information access, may be caused by these weaknesses.

1. Poor Key Generation: Various cryptographic mechanisms produce weak or

predictable keys due to flaws in their key generation process.
For instance:
Recently, the newly discovered vulnerability within the Dual_EC_DRBG presents
a dangerous kind of backdoor through which an attacker could predict the keys
that will be generated for cryptographic applications.

2. Disadvantages of Encryption: Cryptographic algorithms could be subject to

attack due to potential weaknesses in their encryption processes.
For instance:
DES or Data Encryption Standard was once the widely used symmetric encryption
algorithm. However, it showed several weaknesses. It was based on a short key
length that may easily be subjected to brute-force attack.
3. Cryptanalysis: Cryptanalysis is based on researching cryptographic algorithms to
leverage any weakness inherent in the algorithm to be used for breaking
encryptions.
For instance:
RSA is one known public-key encryption method that, when based on factoring
large prime integers used within key creation, is susceptible to specific attacks.
The improvement of techniques within cryptanalysis has resulted in the
development of faster factoring algorithms, which may pose a threat to RSA-
based encryption systems.

4. Side-Channel Deployments: The idea here is to use timing, power consumption,

electromagnetic radiation, and other characteristics that are made public by
encryption implementations to deduce private information.
For instance:
The "Flush+Reload" side-channel technique-a cache access monitoring technique
applied for symmetric encryption operations-can be used for extracting RSA
private keys.

5. Random Number Generation: Random number generators, or RNGs, are

important for key generation and generation of nonces for different cryptographic
procedures. It is possible that RNG flaws might bring weaknesses in different
cryptographic schemes.
For instance:
A vulnerability in an insecure patch diminished entropy for a random number
generator, which generated predictable keys and later became subject to an attack.
This was the Debian OpenSSL problem of 2008.

6. Padding Oracle Attacks: Padding oracle attacks are a class of attacks through
which weaknesses in the cryptographic implementation may leak some
information about the padding included in encrypted communications.
For instance:
 The “POODLE” attack Padding Oracle on Downgraded Legacy Encryption-in
turn allowed attackers to decrypt encrypted data by using padding oracle
vulnerabilities in the SSL 3.0 protocol.

7. Backdoors: An attacker may create backdoors around encryption algorithms

either accidentally or intentionally to break through security checks.
For instance:
It was hypothetic that the National Security Agency actually introduced a
backdoor in the Dual_EC_DRBG algorithm which permitted attackers to possibly
compromise encryption.

8. Risk
Using vulnerabilities in cryptography techniques of public key Encryption,
attackers can successfully decrypt ciphertext.
For instance:
The attackers had the "Heartbleed" bug in the year 2014 in SSL/TLS protocol and
this bug had been exploited, it would allow them to get access to the OpenSSL
library as well as to the private keys of SSL/TLS encryption.

Attack with a Man in the Middle

Cyberattacks known as "man-in-the-middle" attacks occur when an attacker

surreptitiously intercepts and possibly modifies communications between two parties.
Examples of these are attacks against email correspondence, online banking, and secure
web browsing. These MitM attacks pose a big threat to confidentiality, integrity, and
validity between parties in a data exchange.

How the Attack Works: To achieve the level of intercepting and sometimes altering the
data moving between two parties, the attacker needs to somehow thwart their means of
communication. The offender will pose as either one or both victims to give the illusion
that they are speaking directly to each other. Attacks can, in some instances, enable the
 attacker to gain access to sensitive information like private messages passing between
victims, login passwords, and financial transactions. (Kinza Yasar, 2022)

MitM Attacks Explained

 Stealing communications between gullible people and legit Wi-Fi networks by

installing a fake Wi-Fi access point in a public Wi-Fi network, is called Wi-Fi
eavesdropping. An attacker can grab sensitive data that passes through the Wi-Fi
connection the victim used, like usernames and password.
 SSL Strip- Converting a secure HTTPS connection to HTTP traffic by SSL
stripping where the attacker sits in the middle and intercepts/ alters the traffic
between users’ browser and the webserver. This is how the attacker gets to see
decrypted data: session cookies, login credentials
 Hijacking Email: When a hacker goes by intercepting and modifying email
exchanges between two people; The attacker can alter what the emails say or
forward them to another recipient, which could result in data loss or financial
theft.
 DNS Spoofing: when the attacker alters the DNS responses to divert end-users to
attackers' own harmful domains in a DNS spoofing attack. It enables the attacker
to sniff and alter traffic bound for a site user approved. (Kinza Yasar, 2022)

Techniques for reduction

 Encryption: It is recommended that you use robust encryption like S/MIME for
emails and SSL/TLS for web traffic to ensure the data isn't being sniffed and
tampered by MitM attackers. If the message is accidentally caught, encryption
will keep it a secret from the bad guy who may have sniffed it out.
 Digital Signatures: MitM can be detected and protected against using digital
signatures to verify the identity of other communication partners. Digital
signatures allow the recipients to validate that the communication was issued from
the intended sender since they make sure who it is that sent, and that data
transmitted the accuracy of their paths.
 Assisted Certificate Pinning: To protect against the SSL stripping attacks, we use
assisted certificate pinning techniques to authenticate SSL/TLS certificates issued
 by the web servers that web browsers and apps can do in trust. With certificate
pinning you get secure (but smart) encryption and authentication happens.
 To reduce the probability of credential capturing man-of-man attacks (also known
as MitM) to occur, an enforced strong authentication like multi factor
authentication (MFA) & two-factor authentication (2FA) are needed. Before user
can get access to account that using strong authentication a valid option where it
requires the end user to enter another form of verification such as password +
One-Time-Code (OTC) sent to their mobile.

Danger

 Attackers can steal with sensitive information or perform crimes, when they
listen to conversations among participants and adopt the identity of one or both
sides.

For instance:
 Digi Notar, the Dutch certificate Authority got hacked in 2011 meaning attackers
could get fake SSL certificates. After that, the certificates were exploited in
MitM attacks to decrypt messages.

2.1.3 Protocols for Key Exchange Are Inadequate

Cryptographic systems with weak key exchange protocol are some of non-secure
implementations that an intruder can exploit to tap on encrypted communications privacy
or integrity. This exposed them to exploit the encryption keys, where result- attackers
decoding of slave messages and other such illicit actions. (docs.oracle, n.d.)

1. Diffie-Hellman Key Exchange:

  Vulnerability: Diffie-Hellman (DH) key exchange is subjected to Logjam and
small subgroup confinement (SSC) attacks that take advantage of protocol
vulnerabilities to force the key exchange down weaker paths.
 For instance: Logjam(2015) exploited weaknesses in the DH key exchange
through convincing servers to fall back from strong 1024-bit levels This enabled
man-in-the-middle to crack encrypted communications.
 Mitigation: To reduce the effect of Logjam and similar attacks, two methods are
to use modern cryptographic protocol such as Elliptic Curve Diffie-Hellman
(ECDH) and improve or extend parameters of strong defined length
(e.g.,2048bits+). (geeksforgeeks, 2024)

2. RSA Key Exchange:

 Vulnerability: The RSA key exchange is a potential target for attackers if weak
or malformed keys are used. Additionally, poorly implemented in the RSA key
exchange can be leveraged as source of security through wrong implementation
into SSL/TLS protocol.
 E.g.: The 2017 discovery of a vulnerability called RoCA impacted Infineon's RSA
key generation software. Through this flaw, attackers could break RSA numbers
and maybe decrypt stuff.
 Mitigation: There needs to be a practise within the organization to use strong,
properly generated RSA keys of an appropriate length to mitigate RSA key
exchange issues. Not forgetting to also patch regular upgrades and enhancements
for your SSL/TLS implementations to fix holes.

3. IPsec Key Exchange for IKEv1

 Vulnerability: It is evident that Weak DH groups and Aggressive mode weakness
are well-known concerns that affect Internet Key Exchange version 1 commonly
used in IPsec used VPNs, which can be attacked.
  Example: The vulnerability of IKEv1 known as PSK-IDENT could be exploited
to take control of the vulnerabilities used in the protocol to obtain entry into the
pre-shared keys that are used by IPsec VPNs.
 Mitigation: To mitigate weaknesses in IKEv1, two successful approaches are to
move to IKEv2 because it offsets most of the problems of IKEv1 and to set
textured authentication and encryption parameters in IKEv1 implementations.

4. Kerberos Key Distribution Centre (KDC)

 Vulnerability: However, it is necessary to mention that for the delivery of session
keys a Key Delivery Center (KDC) is needed in case with the usage of the
Kerberos network authentication protocol. KDC vulnerability can involve key
compromise and authentications bypass attack.
 Example: There are some technical details where Golden Ticket attack takes the
upper hand because it targets the KDCs’ flaws to produce authentic Kerberos
tickets and thereby gains illegitimate access to network resources.
 Mitigation: The following are some of the ways that have been employed to
manage Kerberos security threats; peer authentication, complexity requirements
on passwords and regular change to cryptographic keys, and monitoring of any
unusual Kerberos authentication attempts.

5. SSL/TLS Key exchange for TLS

 Vulnerability: Lack of entropy in generation of the keys used in formation of
cryptographic keys or use of worse cipher suites may lead to insecurity in
encrypted communications occasioned by vulnerability in the TLS key exchange
protocol.
 For instance, the 2015 FREAK (Factoring RSA Export Keys) attack targeted
vulnerabilities of SSL/TLS, where RSA cipher suites that are fit for exports were
supported. It meant that attackers had traditionally been able to crack encryption
and decipher the intercepted messages.
 mitigating: For TLS key exchange issues, some of the solutions that may be
implemented when implementing a TLS include disabling cipher suites that are
weak, use of strong cryptography and regular updates of SSL/TLS as a way of
eradicating the know vulnerabilities. (sematext, n.d.)
 2.2 Examine the main advantages of encryption methods, such as public key
infrastructure security and KEM, DEM, and PKE analysis.

2.2.1 Key Encapsulation Mechanisms (KEMs)

The Key Encapsulation Mechanisms (KEMs) are the most suitable cryptographic
techniques to be applied for the secure exchange of keying material in the asymmetric
encryption systems. They address the problem of transferring symmetric keys over
insecure links securely through the process of putting the symmetric key into a cipher that
has been encrypted using the recipient’s public key. Lastly, it means that keys may be
exchanged without previously shared secret keys at all. (geeksforgeeks, 2024)

 Important generating:
The very first thing that you need to do is generate a session key; this is a random
symmetric key you will use to encrypt the data.

 The encryption process:

The symmetric key is then encrypted with the recipient’s public key which could
store in a recipient’s public key certificate. Using encryption only the recipient
holding the private key can unlock the symmetric key and decrypt the converted
data.

 Summarization:
The encapsulated key where different types of data and configurations needed for
decryption are stored also holds the encrypted symmetric key. The encapsulated
key may also contain information on the encryption algorithm used apart from the
encrypted symmetric key.
  Transfer:
The encapsulated key is then transferred to the insecure channel of
communication to the receiver. The encapsulated key is then encrypted by the
sender’s public key with the recipient’s public key to prevent anyone from
intercepting or overhearing the transmission.

 Deciphering:
Upon getting the wrapped key, the receiver then uses their own private key to
decrypt the received ciphertext to give the symmetric key. The regained
symmetric key can be later used to encrypt/decrypt the actual data that was
conveyed/shipped between a sender and a recipient.

 Safe communication:
It is after KEM has been used to securely transport the symmetric key that the
sender and the recipient are able to talk securely about plaintexts. The Final
Concept The principal concept of symmetric keys is that of data encryption and
decryption whereas that of asymmetric keys is safe keying over an insecure
channel

Benefits of KEM
 Security: Because a level of security is needed for exchange keys, KEMs employ
asymmetric encryption. It is encrypted with the help of the recipient’s public key
so that the intended recipient having the corresponding private key for decryption
can only retrieve the symmetric key.
 Forward Confidentiality: Another feature which most KEMs provide is forward
security, which is referred to as perfect forward security (PFS). In forward
secrecy, a new symmetric key is created for any encryption process that is
employed. It as well means that every communication session has a private key
 and therefore, held or next conversation sessions cannot be distorted even if one or
perhaps two symmetric keys are breached.
 Efficiency: KEMs are efficient compared with other key exchange techniques.
Instead of exchanging the large symmetric keys directly, KEMs only encrypt such
a symmetric key within an asymmetric ciphertext. Consequently, there is
decreased data traffic and short and secure key exchange on the network.
 Adaptability: KEMs offer a great deal of freedom on how keys are distributed
and managed. As we know, a symmetric key is always encrypted and thus can be
transmitted in a clear text over such insecure lines without the probability of
someone intercepting or eavesdropping on the communication. This makes it
possible to have secure interaction between the communicating parties without
necessarily sharing prior agreed secret keys.
 Compatibility: KEMs are compatible with all existing schemes of cryptographic
protocols and algorithms. They can be included in currently in use cryptographic
systems and protocols like IPSec, SSL/TLS, and secure messaging protocols for
secure interchange of key in various applications.

 Defying Attacks: As the candidate mentioned, KEMs do not succumb to several

cryptographic attacks, such as eavesdropping, man-in-the-middle, as well as
attacks by brute force. The private key is kept devoid of disclosure using−
asymmetric encryption which prevents the attacker from gaining the symmetric
key while at the same time being used.
 Scalability: Therefore, the general nature and flexibility in scalability of KEMs
can be considered an advantage in large scale cryptography system. They enable
safe communication between several parties in distant situations through
simultaneous management of several key exchange activities. (stackexchange,
n.d.)

The drawback of KEM

 Processing Cost: A majority of KEMs incorporate asymmetric encryption
procedures, which are more computationally intensive than symmetric encryption
procedures. Asymmetric key encryption and decryption are likely to increase
 processing costs than symmetric due to its unique nature when implemented in
environments that have limited resources, or in massively used processes.
 Important Length limits: This could be based on the size limits of the method of
asymmetric encryption, but it means that the size of the symmetric key that safely
can be wrapped in a ciphertext may be restricted. This could reduce the length of
the symmetric key that can safely be transmitted through KEMs because, often,
asymmetric key techniques incorporate smaller key size than symmetric
encryption algorithms.
 Complexity of Key Distribution: Since KEMs consist of public keys, the latter
must be transmitted to all the members of the communicating parties. Distribution
of public key and management of such keys can be cumbersome especially in
large distributed system or an ecosystem where membership is ever dynamic.
 Potential for Key Management Issues: Realizing confidentiality of the
encrypted communication depends on managing the private key pairs with the
public key used in KEMs securely. The leakage of the private key brings out the
decoding of other symmetric keys held in the ciphertexts which puts data secrecy
at risk.
 One point of failure: In centralized systems problems like Key Distribution
Centre (KDC) which oversees the distribution and management of keys might
develop problems. An intrusion to the KDC could compromise the whole security
of the whole and any of the symmetric keys that have been KEM protected.
 Effects of Performance in High-Volume Environments: As it was seen, for
many the key exchange procedures that are performed in high volume
communicating environment at the same time, the essential computational and
timing overhead inherent in KEMs may immediately affect scalability and speed.
This may lead to the need of using optimization methods or resources to handle
the extra load in an efficient manner.
 Dependency on Algorithms for Cryptography: As the Card OS is designed for
key encapsulation and encryption, the level of security of KEMs is defined by the
protection of the algorithms applied in the OS. Cryptographic standards and
protocols should be reviewed with due frequency and altered since the algorithm’s
defects or vulnerabilities of KEMs can weaken the stated security assurances.
(stackexchange, n.d.)
KEM illustration

 The RSA-KEM, or RSA Key Encapsulation Mechanism: RSA-KEM is a

typical example of KEMs in developing with the RSA asymmetric encryption
technique. To encrypt a message, one has to have an RSA public key of the
recipient. Since, the additional parameters required for decoding must somehow
be part of the encrypted key at the transmitter’s end. RSA-KEM provides forward
secrecy as it develops a new key for each of the encryption transactions where the
key is used including a corresponding symmetric key.
For instance, on the secure key exchange part of an SSL/TLS communication
initial handshake phase RSA-KEM maybe made use of.

 DHIES, or the Diffie-Hellman Integrated Encryption System: DHIES is a

KEM that [does business] on the Diffie-Hellman key exchange protocol. In it,
there is the use of Diffie-Hellman key exchange phase to carry out key
encapsulation using symmetric encryption. In DHIES use of the Diffie Hellman
key exchange an expected secret is created. The shared secret is then used to form
a symmetric key which is then encrypted using the recipient’s public key.
For example, electronic health Record can be integrated with secure Email
communications technologies such as S MIME and PGP.

 Elliptic Curve Integrated Encryption Scheme (ECIES): ECIES is a KEM that

is based on elliptic curve cryptography known as ECC. It integrates the key
exchange phase in the ECC with symmetrical key encryption to perform key
encapsulation. ECIES comprises generation of an ephemeral elliptic curve key
pair, getting an agreement of the shared secret through an elliptic curve Diffie–
Hellman key exchange, identification of a symmetric key with reference to the
shared secret and encryption of the symmetric key with reference to the recipient’s
public key.
For instance: ECIES makes it possible to have end to end encryption of
communication in apps like signal used for encrypted messaging.
  NTRUEncrypt: NTRUEncrypt is a lattice-based encryption system and can be
used as a KEM for the proposed scheme. Employing the recipient’s public key, a
subset of a polynomial that generates a symmetric key is derived, and the
encrypted polynomial is encapsulated by further parameters. From the various
security parameterizations analysed, NTRUEncrypt presents attractive security
assurances against quantum assaults and is suitable for utilization in post quantum
cryptography systems.
Example: This algorithm can be employed to offer keying exchange and security
for Internet of Things (IoT) communications.

2.2.2 Data Encryption Mechanisms (DEMs)

The DEM means data encryption mechanisms referring to cryptographic methods of

encoding and decoding data. Most of DEMs concern symmetric encryption methods,
they use the same key for both encryption and decryption processes. In turn, KEMs in
asymmetric encryption systems are aimed at securely transferring symmetric keys.
(darktrace, n.d.)

 Advanced Encryption Standard (AES): It is a symmetric encryption technique

that has been popularized by world governments and big companies. It provides
fast data encryption with key size of 128-, 192- and 256-bits security. AES
applied substitution-permutation network (SPN) to decipher and encode the fixed
block size data (128-bits). (Rahul Awati, 2024)

 Blowfish: Blowfish is the method of symmetric encryption which was invented

by Bruce Schneier in 1993. The mode works on 64-bit data blocks and allows
 changing the key length from 32 to 448 bits. Blowfish is fast, easy to use, and
highly portable – characteristics that are useful in virtually any application area.
(geeksforgeeks, 2024)

 Two Fish: Two fish is an alternative developed by Bruce Schneier and associates
of Blowfish as the symmetric encryption technique. Data is processed in 128-bit
blocks and keys can be 128, 192 or 256 bits in length. Two fish is a competitor
that provides powerful secure and efficient AES for AES marketplace.
(geeksforgeeks, 2024)

 There exists information that person named Daniel J. Bernstein is the author of the
ChaCha20 symmetric encryption algorithm. It has an opportunity to work with
input data of any length and supports two key sizes – 128 and 256 bits. ChaCha20
comes with architecture that is both safe and fast and can therefore be used in any
protocol where performance is important this includes, encrypted messaging and
VPNs. (tutorialspoint, n.d.)

 Rivest Cipher 4 (RC4): RC4 is a symmetric encryption method, which was

created in 1987 by Ron Rivest with idea. It is used on variable length data and has
been designed for key lengths of 40 to 2048 bits. Even though it is applied in SSL
as well as WEP, RC4 has been removed due to problems with the key scheduling
mechanism. (okta, 2024)

DEM Benefits
 Efficiency: Maximum plaintext space and minimum computation and
communications requirements are usually higher in DEMs than in asymmetric
encryption techniques. Because symmetric encryption employs lesser
computational assets, it forms a perfect technique of encrypting and decrypting
huge numbers of-byte data rapidly.
 Speed: As for the organic symmetric encryption techniques, for example the
Advanced Encryption Standard (AES), are meant to provide fast processes of
encryption as well as decryption. Low latency and high frequency throughputs
require DEMs; systems that include data storage and secure networking protocols
benefit from DEMs.

 Scalability: As DEMs have shown to be easily scalable for any given situation, it
can be used for the defence of overall databases and network traffics, or for
protection of specific files and communications. Due to the symmetric encryption,
the encryption system may be easily designed to accommodate large amounts of
data, where the numbers of users are also high.

 Simplicity: While using symmetric encryption is easier and can be implemented

and managed compared to asymmetric encryption methods. It can therefore be
implemented without much difficulty hence minimizing on the occurrence of error
during implementation and can be applied in various systems and applications.

 Management of keys normally proves easier in the event of symmetric encryption

rather than asymmetric encryption. It eliminates the need for a distinct pair of
keys; the public key and private key as well as it dispenses with safe key exchange
approaches. This makes effectiveness of key distribution and overhead lower.

 Compatibility: Incorporation of DEMs with cryptographic libraries, frameworks

and, hardware acceleration techniques proved to be a smooth affair. These
compatibilities also imply that symmetric encryption can be used in existing and
planned hardware platforms, operating systems and application software without
major changes.

 Efficiency in Resource-Constrained Environments: DEMs are most suitable for

consideration in embedded systems, mobile devices and IoT devices etc such that
its compute capability and memory utilisation is optimised, while power
consumption is minimal. Such kinds of problems can have optimal performance
and resource utilization in symmetric encryption techniques.
  Channels for Secure Communication: To maintain privacy and authenticity of the
communication link DEMs employ the principles of symmetric encryption. This
also helps to block unauthorized access to some important information and secure
against changes, intercept and spying during data transfer.

DEM Drawbacks
 Key Distribution and Management: In case of DEMs symmetric key distribution
and management should be done in a secure manner. Relating to the secure
handling of keys, it can be difficult to define and uphold secure ways of
identifying and distributing key players when operating remotely or with a large
team.

 Overhead for Key Exchange: If there is use of secure channels or semi secure
channels for transfer of symmetric keys than there may be added overhead about
transfer of keys securely between two parties. Quite understandably, this overhead
can make things slightly more complicated and impact how well things operate.

 Restricted Transparency: Forward secrecy is, by and large, not given by DEMs,
contrary to asymmetric encryption schemes, which do in many cases. If the
symmetric key was discovered, then all further and further communications which
were previously encrypted with this key might be deciphered.

 One Point of Failure: All the symmetric keys which a system possesses could be
vulnerable to attack in case of breach of the central key repository as seen in
centralized KM systems like KDCs. What this does is it eliminates one level of
protection and introduces great risk to exposure at the worst possible moment.

 Important Length Restrictions: In fact, the reliability of symmetric encryption

techniques depends heavily on the string number with which encryption
techniques in question work. Nevertheless, the increase of the length of the key
entails more computational overload and consumption of the available resources.
 The ability to determine the right balance between security and performance may
have been difficult to achieve.

 Significant Storage Weaknesses: Due to the nature of symmetric keys, they need
to be protected, and this makes their storage a complicated affair. However, key
storage is not entirely easy, especially in the case of software systems that
incorporate the use of the symmetric key. Any break in security that affects crucial
storage methods, or illegal access to stores containing keys, could pose a threat to
the privacy of encrypted information.

 Rotating Keys Is Difficult: The use of a symmetric key presents a challenge since
keys need to be changed periodically to ensure high security minimizes the risks
arising from loss of keys. Sometimes it is not easy to implement a key rotation
process due to continuous connections or data encryption when the workstation is
idle. It may be cumbersome to communicate or require conducting of stopping
maintenance with main keys turned over.

 Limited Use Cases: The most suitable use cases for DEMs are data encryption in
transit and data warehousing in a secure environment. As a result, CAFs may not
be effective in cases where dictionary permission is not usable such as in secure
multi-tenancy or many party data sharing.

 Cryptography-Based Attacks: It is important to clarify that with symmetric

encryption algorithms certain types of attacks that involve cryptographic
mechanisms including but not limited to chosen plaintext attacks, brute force, and
ciphertext only attacks can be used. In fact, even in today’s high security
symmetric encryption techniques such as AES, attackers can take advantage of
implementation errors or flaws in cryptographic protocols.

DEM instances
 Standard for Advanced Encryption (AES)
 The Data Encryption Standard
 Standard for Triple Data Encryption
 Blowfish
 Two-Fish
 RC4

2.2.3 Public key encryption (PKE)

A cryptographic technique that protects data generated and passed between parties within
communication channel and interface using different encryption methodologies. Every
member of the PKE has two keys, one private and one public. The former is freely
distributable and used in encrypting a text, while the latter is to be kept secret, and is used
in decrypting the same text.

 Key Generation: The main idea is that each participant creates two large
numbers: The Public Key and the Private Key. While these keys are logically
connected, in the implementation process, one of them cannot be derived from the
other.

 Public Key Distribution: The public keys when required for further
communication can be exchanged between participants over the key server or held
in digital certificates, which can be made available to public. It means that only
the receiver can decipher messages through the help of their public key while
anyone can make messages encrypted for the receiver.

 Encryption: When encrypt a communication, what the sender does is to have the
recipient’s public key. The message thereby sent cannot be read by anyone but the
recipient who uses his or her own private key to decode it.

 Decryption: The means that the recipient uses their private key in order to
decipher the encrypted message that has been sent by the sender. The receiver
only, and only he who has the matching to the public key that was used for the
encryption of the communication, is the only person who can decipher the
communication.
  Authenticity and Confidentiality: The public key encryption maintains
confidentiality by making sure that the message encrypted might only be
understood by the intended user. It also offers means of authentication because a
corresponding private key can be utilized for decryption of the message as well as
the validation of the fact it was encrypted by the owner of a concurrent public key.
 Electronic Signatures: Our public key cryptography can also be applied in both
generation and verification of the digital signatures. Message integrity and non –
repudiation is done by creating a digital signature on a message digest that is
encrypted by the sender’s private key. To use this digital signature, any person
who can access the series of bytes that contains the sender’s public key can be
used to verify it.

 Safe Key Exchange: Public key encryption can also be used for safe key
exchange in hybrid encryption techniques. A symmetric encryption key, for
example, can be safely shared via public key encryption, and all subsequent
communications can be effectively encrypted using the key.

 Public key encryption changed cryptography by eliminating the core problem of

key distribution in symmetric encryption. It is a crucial part of secure
communication protocols, safe online transactions, and digital signatures because
it enables data interchange and secure communication over untrusted networks
without requiring pre-shared secret keys.

Public Key encryption Example

 RSA
 Diffie Hellman Key Distribution
 Cryptography using Elliptic Curves
 Algorithm for Digital Signatures
 Digital Signature Algorithm using Elliptic Curve

Public Key Encryption Benefits

 Secure Key Exchange: Public key encryption allows users to swap keys without
needing a shared secret key beforehand. Each person creates a pair of keys - one
public, one private - and shares the public one. This stops anyone from listening in
or grabbing messages letting people set up safe ways to talk. (Dougherty, 2023)

 Confidentiality: Public key encryption keeps things private by scrambling data

with the receiver's public key. the receiver has the private key to unscramble it.
This keeps secret info hidden while it moves around and sits in storage.

 Authentication: Public key encryption lets users check who's talking to them.
Anyone with the sender's public key can confirm digital signatures made with the
sender's private key. This means people can be sure messages are real and haven't
been changed while being sent.

 Non-Repudiation: Public key encryption ensures non-repudiation, which

prevents a sender from withdrawing from a message or transaction. Using the
sender's private key, digital signatures provide integrity and origin verification as
well as prevent senders from later reversing their actions.

 Scalability: Public key encryption for secure communication offers scalability.

The ability to generate asymmetric key pairs dynamically for every
communication session eliminates the need to generate distinct secret keys for
every participant, enabling secure communication with several parties.

 Simplifying Key Distribution: Public key encryption simplifies key distribution

by doing away with the need for communication parties to securely exchange
secret keys. Each party makes their public key publicly available, allowing any
other party to encrypt messages intended for them without compromising security.

 Flexibility of encryption and decryption: Public key encryption enables flexible

encryption and decryption procedures. The encrypted message can be opened with
the appropriate private key, regardless of who sent it. This adaptability allows for
 secure engagement with communication partners who are either unknown or
continually changing.

 Response to Key Exchange Risks: Public key encryption has no effect on key
exchange risks such as man-in-the-middle attacks. Since each party's public key is
publicly available and verified by all, enemies are unable to eavesdrop and change
conversations without being discovered.

 Help: Public key encryption algorithms and standards are widely used and
interoperable with a wide range of devices, operating systems, and applications.
This ensures compatibility with existing communication protocols and systems as
well as a seamless transition. (Dougherty, 2023)

Public Key Encryption Drawbacks

 Processing Overhead: Asymmetric encryption methods are computationally
intensive and demand a lot more resources compared to symmetric encryption
methods. Public key cryptography can affect performance because it consumes
additional computing power to generate keys, encrypt data and decrypt data. In
resource-constrained environments, especially so.

 Public Dimensions and Storage: In general, storing a public key encryption

algorithm requires larger key sizes to match the same level of protection as the
symmetric encryption algorithm. This can lead to larger key sizes, which can
increase the data to be encrypted, and more effort required to store the keys in key
management, particularly with many keys.

 Distribution and Administration Are Crucial: Two keys – one private and
another open – are used in public key encryption, and thus, its safety highly
depends on the proper key distribution and management. The problem of verifying
the authenticity and genuineness of public key and its scalability for managing
dynamic membership and key revocation in large scale distributed systems.
  Impact of Performance on Large Data: When it comes to the encryption of files
and records, then it is observed that the symmetric key encryption, performs better
than the public key encryption since records can, in most cases, be large. One of
the problems of public key cryptography in encrypting and decoding large data
collections is that it causes great overheads and longer time for processing than
that of the symmetric encryptions.
 Difficulties with Private Key Security: Symmetric encryption’s weakness is also
a need for public key encryption to work, and that’s the protection of the private
keys. Anyone who has or gets or breaching a private key can decode encrypted
data, spoof digital signatures and the attacker can impersonate the owner of the
key too. Safeguarding private keys from unauthorized access and misuse is pivotal
for maintaining security of the public key encryption.

 Deficiencies Against Quantum Attacks: Quantum attacks aimed at using

strategies of a quantum computer to factor big prime numbers or solving the
discrete logarithm problems can affect such PKESs as RSA and ECC. Some of the
behaviors posed by current public key encryption solutions might be at risk if
quantum computing technology comes into the limelight.

 Complexity of Key Management: It emerge that while making use of public key
encryption; the management of keys is more complex as compared to the
symmetric encryption. The strong control of the key materially to support and
address key revocation and expiration, to store and protect public and private keys
as well as to verify the genuineness and soundness of keys.

 Restricted Transparency: Forward secrecy is applied to several public key

encryption schemes, which implies that messages that had been decrypted already
if a long-term private key is breached. Used in public key encryption methods
forward secrecy can be a challenge to implement and the process involves
additional overhead.

Key attributes and benefits

 1. Key encapsulation Mechanism (KEM)
offers a method for secure exchange of symmetric keys in asymmetric encryption
systems and has forward secrecy because with each encryption key a new
symmetric key is used.

Example: RSA-KEM involves the encryption of a symmetric key using the

recipient’s public key to facilitate secure transfer of key.

2. Data Encryption Mechanism (DEM)

Many times, performing the task of encryption on a large data set may be possible
fast and efficient. very suitable for data that must be protected when stored or
transmitted.

Example: AES as one of the most favored symmetric encryption algorithms, it

supplies high encryption and reasonable speed.

3. Public Key Encryption (PKE)

Enables parties to communicate without use of secret keys; Enables digital
signatures and key exchange while in protocols for communication security.

Example: A method of using public key encryption, known as RSA, makes it

possible to communicate securely through insecure infrastructures

2.3 Why protecting public key system is important

Based on the public key systems, digital transactions and secured communications are
made possible. In such a case of compromised private keys, unauthorized decryption of
encrypted information and impersonation of good organizations might take place.

To maintain trust in and security in digital communications, public key infrastructure

(PKI) needs to be established and managed securely.
 Figure 9 Public key infrastructure

2.3.1 Give well-reasoned suggestions that combine several definitions of proven

security and are appropriate for protecting public key infrastructure.

Authenticate private information and communication channels and maintain integrity and
confidentiality, and that would also apply to public key systems, freight forwarding firms,
Ship Cargo in this instance. Provable security offers a very accurate basis for assessing
the security guarantees given by a cryptographic system.

2.3.2 Adopt standardized cryptographic algorithms

This step is very necessary for the freight forwarding organizations such as Ship Cargo: it
entails standardization of cryptographic algorithms as one of the main ensuring
components for the security and integrity of public key systems.

1. Select popular algorithms

Ship Cargo must adopt algorithms in preference for wherever, widely accepted
norms and standards from different highly reputable authorities; national bodies
such as the National Institute of Standards and Technology (NIST) in the US or
international standards such as those of the International Organization for
 Standardization (ISO). For example, this kitty includes hashing algorithm SHA-2
(Secure Hash Algorithm 2), the key exchange algorithm ECC (Elliptic Curve
Cryptography), and the encryption and digital signature algorithm RSA (Rivest-
Shamir Adleman). (Thakor & Razzaque, 2021)

2. Follow the Most Recent Algorithm Recommendation

In fact, many of the prominent cryptographic authorities are also continually
updating and recommending the security and appropriateness of specific
algorithms for use in cargo on ships. A case in point is NIST, which regularly
develops rules and recommendations dealing with the use of cryptographic
algorithms within its publications, particularly the NIST Special Publication 800
series. Thus, Ship Cargo is expected to continually monitor such publications for
compliance with modern industry standards. (Elaine Barker, 2013)

3. Analyse the Algorithms benefits and drawbacks.

Ship Cargo must consider all the advantages and disadvantages of every method
of cryptography. The consideration must also include various factors such as
computational efficiency, security guarantees, size of key, known threats, and
compatibility with current protocols and systems.

4. Use the key management best practices

Best practices in key management are very important for a freight forwarding
company such as Ship Cargo to maintain the security and integrity of its Public
Key Infrastructure.

5. Make sturdy and unique keys

Ship Cargo should use cryptographic secure processes to generate individual
public-private key pairs for every user or entity in the organization. By employing
secure random number generators, the keys should have sufficient entropy to
make brute-force attacks virtually impossible.

6. Key storage
 Ship Cargo must keep private keys under a secure, impenetrable manner to avoid
unauthorized access or exposure. The following are two secure methods of storing
private keys: hardware security modules (HSMs) and secure key vaults, which
prevent unauthorized access, theft, or tampering.

7. Utilize key encryption

When idle, ship cargo will encrypt its private keys with strong encryption
techniques within secure storage structures. The encryption of private keys
provides another layer of protection, in that if, by chance, the storage system is
compromised, the keys cannot be accessed unless the appropriate decryption is
provided. (Peter Loshin, 2021)

2.3.3 Implement Key Rotation policies

All-long-lived keys that might be used for digital signatures and encryption cryptographic
function should undergo periodic updating and replacement by a Ship Cargo key rotation
process. This reduces the probability of key compromise as years pass, hence fortifying
the security against cryptographic systems. (Shiftan, 2023)

1. Safe Key Distribution

Ship Cargo should send public keys to authorized parties securely and on
dependable channels to prevent manipulation or interception. This can mean using
safe key exchange methods like Diffie-Hellman key exchange or distributing keys
via digital certificates from reliable certificate authorities (CAs). (Meghanathan,
n.d.)

2. Significant Revocation and Death

Ship Cargo-specific policies concerning key revocation and expiration should
ensure that obsolete and compromised keys are rendered invalid. Revoked keys
should be sent promptly for removal from key repositories. Certificate revocation
 lists (CRLs) and online certificate status protocols (OCSP) notify users and
systems about the status of keys.

3. Role-Base Access Control (RBAC)

It is recommended that Ship Cargo apply role-based access control mechanisms to
limit private key access to user roles and privileges. Only users whose roles are
authorized will have access to private keys, and any access must be recorded and
monitored to detect attempts at unauthorized access.

4. Monitor Use and Behaviour That’s Important

Ship Cargo must install the logging and monitoring systems necessary to detect
the usage action, such as key manufacture, distribution, rotation, and revocation.
With such key tracking systems in place, Ship Cargo can maintain close
monitoring of the activities around its keys, hence the early detection and handling
of any suspicious activities or illegal activities related to keys.

2.3.4 Conduct Penetration Test on a Regular Basis

Besides conducting security audits Ship Cargo should carry out penetration testing on its
public key systems-it somehow evaluates the systems for resilience to real attacks.
Penetration testing works by simulating attack scenarios to discover possible breaches
and validate the security measures put in place.

1. Employ Skilled Penetration testing personnel

To Ship Cargo, penetration testing should be done by competent penetration
testers or ethical hacking firms. This might take preparation in terms of equipping
with appropriate skills, tools, and experiences to perform real-time security audits
and assess possible attack points.

2. Analyse Various Attack Circumstances

Penetration Testing needs to include a very wide arsenal of attack scenarios: brute
force attacks, man-in-the-middle attacks, key extraction attacks, insider threats,
 etc. It gives Ship Cargo an early assessment of the various vectors of threats with
which they can measure their security posture, thus prioritizing their remedial
actions.

3. Determine Any security holes and fix them

Ship Cargo must do away with any discovered security holes and vulnerabilities
during penetration tests and security audits very quickly. This may range from
doing security upgrades, improving encryption techniques, changing key
management policies and processes, or altering access restrictions.

4. Ongoing monitoring and advancement

Continuous to the security program, penetration and security audits are carried for
Ship Cargo, with regular improvements and reviews. To keep public key systems
resilient overtime, proactive risk mitigation and continuous
monitoring/enforcement of key management protocols are required.
5. Use Libraries and tools for cryptography
A freight forwarder, such as Ship Cargo, must use cryptographic libraries and
tools to create secure public key systems.

6. Select reputable collection of cryptography

Ship Cargo would then use reputable, well-known vendors who have a proven
track record for reliability and security for acquiring cryptographic libraries: Li
sodium, Bouncy Castle, Cryptography.io, and OpenSSL, to give a few examples.
These libraries include almost everything you need, such as digital signatures,
encryption and decryption, key management, and so forth.

7. Observe best practices and standards.

Using cryptographic libraries will be sufficient for Ship Cargo, however, they
must complement their practice through adherence to standards and industry best
practices regarding cryptography, particularly as embodied in NIST Special
Publication 800 series, IETF RFCs (Request for Comments), and the Open Web
Application Security Project (OWASP). Standards compliance increases security,
 compatibility, and interoperability of cryptographic systems. (Elaine Barker,
2013)

Implement Secure Coding Techniques

Ship cargo software developers need to practice safe coding techniques incorporating
cryptography library integration in their applications and systems. Such safe codes protect
sensitive elements, validate input parameters, manage cryptographic keys and secrets
well, and avoid typical cryptographic security issues such padding oracle timing attacks
and side-channel attacks. (Ghalleb, 2024)

1. It is recommended to employ Hardware security Modules (HSMs).

Using Hardware Security Modules (HSMs) is also recommended. Ship cargo
should make optimum use of HSMs, which are very much instrumental in
managing and storing cryptographic keys. HSMs protect the processing and
storage of cryptographic keys using hardware-based protection against theft,
tampering, and unauthorized access. The integration of HSMs with cryptographic
libraries augments the security and resilience level of public key systems.

2. Utilize cryptographic tools for testing and Validation

Use cryptographic tools for testing and validation Ship Cargo should adopt the use
of cryptographic tools for the testing, validation, and verification of the
cryptographic implementation. This would include testing on secure
communication protocols, digital signatures, encryption, and decryption using
software such as the Cryptographic Protocol Verification Tool (CPVT), GnuPG
(GNU Privacy Guard), Wireshark, and OpenSSL command-line tools.

3. Stay up to data with cryptographic developments

Ship Cargo should participate in working groups, conferences, and industry
forums that are focused on issues related to cryptography, vulnerabilities, and best
practices to keep up with all the new developments in those subjects. From there,
Ship Cargo would be in a better position to Mold their cryptographic solutions
 towards the shifting security needs and threats of new cryptographic developments
in time.

Best Forward Secrecy and Perfect Forward Secrecy need to be employed in a

freight forwarding company, such as Ship Cargo, to enhance the security and
resilience of public key systems.

4. Use the Diffie-Hellman Cryptosystem

Ship Cargo would require the ephemeral Diffie-Hellman key exchange protocol
(DHE) to maintain forward secrecy between participants. It allows session keys to
be established for all communication sessions, thus precluding the possibility of
earlier exchanges being compromised through the undermining of one or more
long-term keys. (Ghalleb, 2024)

Task 03

3. Explain how the encryption and decryption processes work in a PKI

environment for a business situation using a diagram.

3.1 Procedure for encryption

During the encryption process, unencrypted plaintext data is converted into encrypted
ciphertext data using an encryption algorithm and cryptographic key.

Data Entry
The encryption process begins with the data to be encrypted, commonly known as
plaintext. Text, files, multimedia, and other digital data that need to be protected from
unauthorized access or interception may all be categorized as plaintext.

Algorithm For Cryptography

An encryption algorithm is a mathematical operation or procedure that transforms
plaintext into ciphertext. Common encryption techniques Some of these techniques
include the Advanced Encryption Standard (AES), the Rivest Cipher (RC), and the Data
Encryption Standard (DES). These techniques, therefore, apply different cryptographic
techniques such as substitution, permutation, and mathematical operations to transform
the plaintext into a ciphertext.

The key for cryptography

A cryptographic key is a string of data that the encryption algorithm uses to direct the
encryption and decryption processes. There are mainly two types of cryptographic keys:
symmetric and asymmetric keys.

Symmetric Key Encryption: In this technique, the same key is used for both encryption
and decryption. The sender and the receiver must share this secret key in a secure manner.
Two examples of symmetric encryption techniques are AES and DES.

Asymmetric Key Encryption: This technique uses a pair of keys: a public key and a
private key. The public key is used for encryption,
where the private key must be used to decrypt it. The public key is publicly distributed,
while the private key is retained in secret by the owner. Two of the well-known
asymmetric encryption algorithms are RSA and Elliptic Curve Cryptography (ECC).

How the encryption Process Works?

Not by Encryption plain text makes it e.g. text-an octogenarian ciphertext-begin or end
for valuable process from unauthorized personalizing rights, as coverts it. It is an
algorithm and uses an encryption key for securing data.

The initial stage consists of the initial plain text entered an encryption algorithm. The key
to the algorithm, a unique string of characters, is then needed to transform text into
ciphertext. The strength of the encryption mostly relies on the length of the key and the
complexity of the algorithm. Classical encryption is symmetric encryption (the same key
used for encryption and decryption) or asymmetric encryption (different keys for the two
processes).

During transmission, it travels across networks in ciphertext. It remains unreadable

without the decryption key, even if intercepted. The receiver, on the other hand, reverses
the text using the appropriate key and algorithm, thus decryption will reverse the original
encryption process to retrieve the initial text.

Encryption serves confidentiality, integrity, and security. Thus, with this, it does not limit
modern cyber-security practices. (cloud, n.d.)

Output Data (Ciphertext)

Ciphertext is the result of the encryption process, the actual plaintext data that had been
transformed into an unreadable code. The resultant ciphertext almost certainly would
seem chunked,i.e., random to anyone without the proper decryption key.

As only legitimate users possessing the requisite decryption keys can decipher plaintext,
therefore, ciphertext is protected as it can be exchanged over unsecured channels like the
internet or kept in untrusted locations.

Figure 10 Encryption

Synopsis
 The data that must be sent in plain text will now be encrypted by the encryption
engine.
 Now it will encrypt the data with the recipient's public key that has been acquired
from PKI.
  For secure cloud communication, the encrypted data is constructed and ready in
ciphertext form.

3.2 Procedure for Decryption

Ciphertext, an encrypted form of a message, is transformed back into readable plaintext

with a decryption algorithm and a necessary cryptographic key. It is the opposite of
encryption.

1. Receiving Ciphertext: The intended recipient gets the encrypted message. It will
remain in such a format that is unreadable by anyone but him to maintain security
during the communications.

2. Choosing a Decryption Algorithm: The recipient uses the same algorithm that
was used for encryption. Suppose AES encryption; in that case, AES decryption is
applied.

3. Using the Decryption Key:

 Symmetric encryption requires that the same key that was used to encrypt
the data must be used to decrypt the data.
 Asymmetric systems use a private key to decrypt information that has been
encrypted by the corresponding public key.

4. Executing Decryption: The decryption algorithm processes the ciphertext along

with the key to recover the plaintext. The algorithm mathematically performs
reverse operations of the encryption.

5. Integrity Check: After decryption, the plaintext is checked for integrity to ensure
that data integrity is intact, and no pieces of information were lost during
transmission.

Decryption Method
Decryption of ciphertext is the recovery to plaintext through an algorithm with a certain
key. In this way, it enables secure communication by allowing the authorized user to
access the encrypted data. Decryption schemes can either be symmetric or asymmetric.

In symmetric decryption, the same key is used as was used for encryption. Some common
symmetric algorithms include DES, AES, Triple DES. Symmetric decryption is relatively
fast and has better data handling but requires key management.

Asymmetric involves the use of a public key encryption and private key decryption. Some
of the algorithms using asymmetric decryption are RSA and ECC. Asymmetric
decryption is much more secure for sharing information among groups but is slower to
execute.

In decryption, a specific algorithm is supposed to receive the ciphertext and the key for
turning the round towards an earlier stage. This ensures that only the authorized parties
using a certain information for decoding will de-manifest any information, keeping the
confidentiality and integrity of the data intact. (ibm, 2024)

Plaintext Data Output

The decryption yields what is called the plaintext, which is the original data first
encrypted during the encryption stage. After the plaintext was restored in its original
version, authorized parties may now have been able to view or make use of that
information as intended.

Utilizing or manipulating Information

Upon encryption of the data, the recipient can view or interpret the plaintext anyway they
need. Specifically, this could mean displaying the encrypted information to customers,
conducting more analyses and calculations, or appending the decrypted data into further
business processes.
 Figure 11 Asymmetric Encryption

Figure 12 Decryption Process

Synopsis
 Encrypted data downloaded from the cloud is then decrypted via the decryption
engine.

 The decryption engine uses the recipient's private key, which is an integral part of
the PKI-based infrastructure, for decoding the data.

 Using Ship Cargo technology, the plaintext encrypted data is extracted and made
available for further processing.

Commercial Situation
Since quality and preservation of confidential/bulk cargo data while being sent through an
online medium is at stake with Ship Cargo, a freight forwarding company, it follows a
policy of using a PKI environment for data encryption and decryption to maintain the
integrity and confidentiality of the data being sent.

3.2.1 How to encrypt and Decrypt Data in a public key infrastructure

Figure 13 Encrypt and Decrypt

Synopsis
 At the outset of the conceding process, Ship Cargo’s sensitive shipment specifics
(in plaintext) must be conveyed to safety.
 The encryption engine at Ship Cargo uses the public key of the intended
recipient (kindly acquired through the partner firm's PKI) to encrypt sensitive
cargo information.
 The encrypted data has been transformed into ciphertext, before being readied
for internet transmission.
 The encrypted data is securely sent over the internet to the partner company.
 Upon receipt of the encrypted data, the decryption engine of the partner
company will decrypt it with the help of its own private key—part of its PKI.
 The partner company now receives the decrypted sensitive shipping data in
plaintext form, for whatever further processing or utilization that may ensue.
 3.3 Security Regulator and Mitigation Strategies

 Encrypt Personal Data: It will encrypt critical information first before putting it
to the shipping database, again, to prevent unauthorized access to data. Guarantee
the confidentiality and integrity of the data in encrypting techniques.

 Install Access Control Measures: Focus on access to database: Track database

activities and audit so the shipping database is accessible. Watch out for
suspicious activities, such as password hack attempts or strange patterns of data
access.

 Pay attention to database access: To make sure the shipping database is

accessible, use tools for database activity tracking and auditing. Watch out for any
suspicious activities, such as unauthorized login attempts or odd data access
patterns.

 Conduct security audits on a regular basis: Conduct regular security audits and
vulnerability assessments of the shipping database to identify and address security
vulnerabilities or configuration problems.

3.4 A summary Of the Security Case

Unauthorized access to Ship Cargo’s cargo database presents risks, including financial
loss, loss of reputation, and legal consequences. To counter this risk: Ship Cargo should
implement access controls, encrypt sensitive data, monitor database access, perform
regular security audits, arrange education and training for its staff, and develop an
incident response plan. Through the implementation of a focused security controls and
countermeasures, Ship Cargo could improve its defence against unauthorized access and
safeguard the confidentiality, availability, and integrity of critical cargo data.
 3.5 Examine the Difficulties and Security danger associated with using Cloud-
Hosted PKI in a Private network

Cloud-Based Software
Cloud computing has opened the door to all sorts of services and applications for users,
thereby eliminating the need for equipment on premises. Cloud computing is a paradigm
for the allocation and utilization of computer resources over the internet. With cloud
computing, resources such as servers, storage, databases, networking, software, and
analytics are provided as services to users who can dynamically scale their IT
infrastructures in response to demand. (smartb, n.d.)

Important Features
 On-demand Self-service: This enables users to access server instances and storage
on demand without service provider intervention.
 Broad Network Access: Cloud services, accessible over the internet from a range
of platforms and devices, allow users to access applications and data anywhere an
internet connection is available.
 Resource Pooling: Cloud providers pool and share instances of computing
resources to offer efficient resource consumption and achieve cost optimization
amongst various clients and end-users.
 Rapid elasticity: Well, very adaptable. The resources can be resized readily, if the
need arose, so ease does not suffer.

Benefits Of Cloud Computing

 Scalability and Flexibility: Cloud computing allows a business to quickly and
easily increase or decrease very quickly the number of available resources needed
based on exigencies that arise to enhance agility and reduce costs.
 Cost Savings: The cloud eliminates up front hardware purchasing while operating
on premises equipment is associated with higher operational costs.
 Reliability and Availability: Cloud services are designed to provide high
availability, redundancy, and disaster recovery capabilities to deliver continuous
business operations and data resiliency.
  Global Reach: Cloud services allow access from any location with an internet
connection to remote work and collaboration through global teams. (cloud.google,
n.d.)

Cloud Computing Drawbacks

 Security: The most worrying concern regarding cloud computing is security. The
most drastic consequence could arise from having data, as well as software, stored
in remotely managed servers owned by third parties. With cloud computing, this is
open to threats from insiders, unauthorized access, and data breaches.
Organizations, hence, must develop proficient hierarchies of security measures
with up-to-date encryption, regulatory compliance frameworks, and access
governance mechanisms to limit these threats.

 Data Protection and Compliance: Complying with guidelines related to strict legal
standards for data privacy might seem inconsistent within the realm of what cloud
computing permits. Organizations face undue problems from many quarters, such
as data residency, jurisdiction (i.e., which country's laws will govern what
happens?), and industry legislation, such as compliance with GDPR, HIPAA, or
PCI-DASS. This ensures that data sovereignty and compliance with local
regulation laws are put as a priority while handling and storing sensitive data on
the cloud.

 Reliance on Service Providers: As organizations put out more and more cloud-
computing services, they become dependent on those companies as a one-stop
centre for their every infrastructure, software, and platform need. Any disruption,
outage, or change in service levels made by the cloud services provider could
affect the cloud services' reliability, efficiency, and availability. Besides that, the
inability to maintain service levels or come up with any changes, and vendor lock-
in, create significant pressures for organizations.

 Network Connectivity and Latency: Cloud computing requires that the process be
done over the Internet, but unfortunately, this is a poor transmission medium
riddled with capacity constraints, latency issues, and several points of failure. Poor
 connectivity or consumed latency resources may have a profound influence on the
responsiveness and performance of cloud-based applications and services,
especially for workloads that require immediacy, responsibility, or reasonable
latency. (cloud.google, n.d.)

3.6 Host Cloud

A cloud host is an organization that provides computing resources and services over the
internet. This is also known as a cloud service provider or cloud hosting company. These
resources, usually virtual servers, storage, networking, and some other infrastructure
components are rented by paying for their usage via a data centre which boosts customer
confidence that they are not procuring a lot of things every month. (amazon, n.d.)

Figure 14 Cloud Hosting

Cloud Hosting services

1. Infrastructure as a service (IaaS)

2. Platform As a Service (PaaS)
3. Software As a Service (SaaS)

Cloud Hosting Providers with Example.

 Amazon Web Services (AWS), which offers a range of IaaS, PaaS, and SaaS
solutions like Amazon EC2, Amazon S3, and Amazon RDS, is one of the leading
providers of cloud computing services.
  Azure: Microsoft's all-inclusive cloud platform that provides SaaS, PaaS, and IaaS
services, such as Azure Blob Storage, Azure Virtual Machines, and Azure SQL
Database.
 A few of the services offered by Google Cloud Platform (GCP), an online cloud
computing platform, are Google Compute Engine, Google Cloud Storage, and
Google Kubernetes Engine.
 IBM Cloud: IBM provides a range of cloud computing services on this platform,
including IBM Virtual Servers, IBM Cloud Object Storage, and IBM Cloud
Databases.
 Oracle Cloud: Oracle Corporation provides a range of cloud services on this cloud
infrastructure platform, including Oracle Compute, Oracle Object Storage, and
Oracle Database Cloud Service.

3.6.1 PKI on a Private network within the Cloud

Using a Public Key Infrastructure (PKI) hosted in the cloud within a private network has
advantages and disadvantages.

Benefits
 Scalability: Cloud-hosted public key infrastructure (PKI) systems can easily scale
to handle the increasing demand for certificate administration and issuance. This
scalability is beneficial for companies with fluctuating demand or rapid growth.
 Cost-Effectiveness: Cloud-based PKI minimizes personnel, software, and
hardware initiation and recurring costs by removing the requirement for on-
premises infrastructure and maintenance.
 Availability and Reliability: Cloud providers typically provide very high levels of
availability and redundancy with guaranteed availability of PKI services. As a
result of its reliability, there is less likelihood of downtime, and certificates are
constantly available to users and applications.
 Global Accessibility: Cloud-hosted public-key infrastructure (PKI) solutions can
be easily accessed from any internet-accessible location, providing seamless
certificate management and issuing across the geographically distributed systems.
Disadvantages
 There are a host of security and compliance-related issues born of keeping crucial
cryptographic keys and certificates on the cloud involving data secrecy, integrity,
and regulatory compliance. Organizations must ascertain that cloud providers
enforce stringent security measures and adherence to industry-centric compliance
regulations.
 Data Privacy and Sovereignty: Cloud-based PKI solutions may raise data privacy
and jurisdictional concerns usually involved where residency and jurisdictional
issues arise. Organizations must consider legal and regulatory ramifications of
housing PKI data in the cloud, particularly in places where data protection laws
are very strict.
 Depending on the Cloud Provider: Organizations using cloud-based PKIs must
generally fall upon the policies, infrastructure, and service standards of the cloud
provider. Any delays in the services or outages in the cloud facility will impact the
availability and performance of PKI services, causing business interruption.
 Network Latency and Connectivity: Organizations must ensure stable network
connectivity for users to access cloud-hosted PKI services. Network problems,
latency, or network bandwidth limitations may hinder PKI applications
performance, especially during real-time certificate validation and issuance.

The challenges and security risks of using PKI hosted in the cloud on a private
network
 Data privacy and confidentiality: As much as these measures protect against
information leakage, storing credential information, and cryptographic keys, in the
cloud may leave a soft spot against data privacy and confidentiality. Enterprises
will have to sift above other protocols for the protection of privileged PKI
information: encryption, access control, and encryption key management.

 Cloud Provider Security: The security of the hosted Public Key Infrastructure
(PKI) will depend on that of the systems, infrastructure, and services provided by
the cloud hosting company. Businesses will need to conduct rigorous security
evaluation of the cloud provider's security rules, certifications, and compliance
 requirements to evaluate whether the measures put in place are adequate against
insider attacks, cyber threats, or breaches.

 Network Security: Cloud-hosted PKI solutions need a connection to access the

cloud environment and any interaction from within. Companies need to ensure
strong and robust network security systems like security firewalls, intrusion
detection systems, and network segmentation to prevent unauthorized access,
network-based attacks, and data exfiltration.

 Identity and Access Management (IAM): The establishment of access control to

cloud-hosted PKI services as part of the wider framework of user identity and
privilege management, are necessary for the maintenance of security and
prevention of unauthorized access. Organizations must mandate strong
authentication policies, role-based access control (RBAC), and least privilege to
authorize active users based on their respective permissions to access PKI data
and services. (Karen Scarfone, 2022)

An all-encompassing strategy is required to tackle these security threats and obstacles.

This strategy should assess the security posture of the cloud provider, put in place
appropriate security controls and encryption methods, efficiently manage identities and
access, guarantee regulatory compliance, and audit and monitor PKI operations in the
cloud to find and fix security problems.

Utilizing cryptanalysis and cryptography techniques and tools, put into practice the
system that was created in response to a security case.

 Digital signatures. A security-scape implementation on a system requires using

cryptographic algorithms, which must fit into that usage and provide rigorous
security features. (geeksforgeeks, 2024)

 AES stands for Advanced Encryption Standard, widely considered one of the best.
Application: A method that uses symmetric key for the confidentiality of data.
AES is an important symmetric-key encryption design put forth to replace the
 aged DES. It is believed safe against known threats if it is used well enough. AES
can use key size length of 128, 192, or 256 bits. (Srėbaliūtė, 2024)

 RSA
Application: It employs asymmetric key encryption; it uses digital signatures and
key exchange. The RSA algorithm is a commonly used asymmetric-key technique
for encryption and digital signatures. Furthermore, the challenge of secure
communication and authentication relies mainly on factoring of large prime
numbers, which is a taxing computation. (securew2, 2024)

 Cryptography using Elliptic Curves, or ECC

Application: It employs asymmetric key encryption; it uses digital signatures and
key exchange. The algebraic structure of elliptic curves over finite fields forms the
basis of the asymmetric-key technique called ECC. Because it uses smaller key
sizes, it is of comparable security to RSA; hence it becomes a good candidate for
resource-constrained scenarios, such as mobile phones and the Internet of Things.

To select the appropriate cryptographic algorithms for a given use case, it is essential to
carefully consider the specific security requirements, performance constraints, and
compatibility difficulties while implementing the system developed in response to a
security scenario. It is also essential to follow best practices for key management,
algorithm parameter selection, and cryptographic protocol design to preserve the overall
security and integrity of the system.

3.7 Using the following steps to implement the encryption and decryption
techniques in the security case

We may create encryption and decryption protocols using symmetric-key encryption

techniques like AES (Advanced Encryption Standard) to address the security risk of
unauthorized access to Ship Cargo’s cargo database.

How the encryption process works

  Data that might expose sensitive information, such as shipping details, are secured
with a symmetric encryption technique, for example, AES (Advanced Encryption
Standard), prior to being placed into databases.
 Ship Cargo generates unique encryption/decryption keys for either each cargo or
their respective shipments.
 Ship Cargo encrypts the data with the key before submitting it into the database.
 Data is stored in the database after having been encrypted.
Method for Decryption
 Ship Cargo has a viable key management system responsible for generating,
storing, and protecting encryption keys.
 Extraction keys are communicated securely to those authorized users or systems
that require access to the encrypted data.
 Policies for key rotation are implemented to lessen the impacts of key compromise
and refresh encryption keys regularly.

Observation and Evaluation

 Ship Cargo assures compliance with relevant data encryption and security
regulations as well as industry standards.
 Regular audits take place to check compliance with the security parameters and
logical effectiveness of the encryption modules.
 In general, the encryption and decryption techniques provided above will greatly
reduce the instances of unauthorized access to confidential information and
protect the confidentiality of the cargo database, so that even if unauthorized
persons gain access to the database, they will be unable to read and understand the
contents of the encrypted data unless they are in possession of the correct
decryption keys.
 Log examinations for all anomalous activity related to encryption keys, decrypted
data, and unauthorized accesses are frequently conducted.

3.8 Cryptanalysis Tools

 3.8.1 Programs for Cryptology analysis

The cryptanalysis software is of utmost importance for establishing theories in

cryptography. This is because the utility of these tools and methods is to aid in the
assessment and comprehension of established cryptographic systems, algorithms, and
protocols.

Cryptool: An open-source general-purpose cryptography and cryptanalysis software.

Contains many different cryptographic algorithms and analysis tools for many algorithms.
Has a very user-friendly interface and supports many different crypto techniques,
including digital signatures, encryption, decryption, and key exchange.

John the Ripper: John the Ripper is a notorious open-source password cracker used for
auditing and cryptanalysis. It can work against several password hashing algorithms and
makes use of a broad variety of attack strategies, including hybrid or dictionary or brute-
force attacks. John the Ripper is a tool widely used by penetration testers and security
researchers to test the strength of password hashes and the effectiveness of password
restrictions.

Hashcat: Fast password recovery tool tooled for cracks using GPU acceleration—can
perform timed cracks of SHA-256, MD5, SHA-1, and bcrypt password hashes. An
arsenal of optimizations and attack methods is offered by Hashcat commonly used to
audit passwords from hashed data. (Tiwari, 2018)

3.8.2 Tool for Brute force Attacks

Brute-force attack tools are essential for assessing the security of passwords, encryption
keys, and other security measures in the field of cybersecurity. They work by carefully
trying every possible combination until the one that works.

 John the Ripper: John the Ripper is a very widely used and popular open-source
password cracker. It supports several attacks: hybrid, brute-force, and dictionary
attacks. It can decrypt password hashes generated by such cryptographic hash
techniques as SHA-256, MD5, SHA-1, and bcrypt. In addition, John the Ripper is
 very flexible and can be parallelized for maximum efficiency in password
cracking.

 Hashcat: Hashcat is capable of rapidly and efficiently cracking passwords,

utilizing the massive parallel computing capability of GPUs. It supports multiple
attack methods, including dictionary, rule-based, and brute-force. It can decode
password hashes produced by cryptography methods, including MD5, SHA-1,
bcrypt, and PBKDF2.

 Hydra: This is a very well-known password-cracking tool. It allows for brute-

force attacks against various network protocols, services, and applications.
Password guessing attacks can be directed against several protocols such as SMB,
SNMP, HTTP, FTP, SSH, Telnet, and FTP. Although Hydra is very flexible, it
also supports parallelized attacks, which permit faster password cracking.

 Medusa: Medusa is a command-line password-cracking tool like Hydra, putting

more emphasis on simplicity and usability. It allows attacks on various network
protocols and services through dictionary attacks, brute-force attacks, and custom
scripts. Medusa can perform parallelized attacks for rapid password recovery.
(imperva, n.d.)

Tool for network Analysis

These tools allow for monitoring, analysis, and troubleshooting of network traffic for the
identification of security threats, operational issues, and performance issues. These
technologies help network administrators and security practitioners in minimizing
downtime by providing insight into network activity, traffic patterns, and communication
protocols.

 TCPDUMP is a Command-Line packet capture and network traffic analysis tool

for Unix-like operating systems. It captures the contents of network packets from
specified network interfaces and outputs it in a human-readable form. TCPDUMP
 offers several filters and configuration options for capturing specific types of data
and analyzing network protocols. It is good for initiating network troubleshooting
and security monitoring, as well as traffic analysis.

 TShark: This is a command-line tool for network traffic analysis and capture like
Wireshark. It has the same features for packet capture and display filters that
Wireshark has, and it also allows you to export the captured packets as pcap,
JSON, or CSV files. It is very useful for scripting and automating network
analysis tasks as well as cooperating with other tools and systems.

 Zeek: An open-source network security monitoring tool used for spotting

anomalies and security problems by analyzing network data in real-time, Zeek
exploits traffic logging and event correlation to generate actionable insights into
TCP/IP network activity. Zeek incorporates a high-level programming language
that enables users to build security policies limiting access to the network and
customizing network analysis.

3.9 Give a Critical assessment of the system implementation of how well it satisfies
the established security goals and offer recommendations for development.

3.9.1 Goals for Security

1. Stop Unauthorized Entry:

It is imperative to prevent unauthorized access to the cargo database to ensure the
protection of sensitive data and the security posture of Ship Cargo.

 Account Authentication Mechanism: The strongest authentication may involve a

multi-factor authentication (MFA), biometric authentication, and
 username/password combination. MFA increases security because it requires
users to submit two forms of authentication, for example-by sending a one-time
code to the user's mobile device.

 Role-Based Access Control (RBAC): RBAC could limit database access

according to the roles and responsibilities users have within an organization. Grant
rights to authorized users in accordance with their job functions so that users can
only, access information needed to accomplish their work.

 Least Privileges: As per the principle of least privilege, the minimum required
access should be allocated to the user to perform his job. User permissions must
be reviewed and altered on a regular basis to ensure that activation capabilities
remain in sync with the current job position and duty.

 User management: The policies set in place for user management should include
versatile mention of account audits, account deletion, and prompt access negation
for those contractors or officials quit. Also, stern policies for password: complex
passwords and periodic password renewal.

 Network Segmentation: Isolate the shipping database within yet another part of a
network to enable unimpeded access to only approved individuals or devices.
Firewalls, VLANs, and other network security solutions can be used to apply
access policy and prevent the database from being accessed by unwanted traffic.
(Novikava, 2024)

2. Preserve Confidentiality of Data

 To keep sensitive shipping database information safe, encryption must be applied.
Data while at rest should be encrypted using strong encryption algorithms, such as
AES (Advanced Encryption Standard), so that there are no chances of reading
data even if the database is hacked because of the absence of a key.

 Access controls-Implement complementary access controls to provide limiting

database access to only those personnel with proper authorization, based on a
 particular requirement to perform their jobs. Implement role-based access control
(RBAC)-you may want to consider allowing users access to only the data relevant
to their jobs and responsibilities.

 Data-disguising: Data masking techniques hide sensitive information that is not of

concern to people who do not demand full access. Masking techniques may
include mask or partially redact particular fields or substitute fake values for the
sensitive data for concealment against unauthorized exposure.

 Protocols for secure transmission: Use secure transmission techniques such as

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) that secure data
in transit exchanged between client applications and database servers. Sensitive
data thus cannot be intercepted, or wire tapped when transmitted.

3. Keep your Data integral

 Hash Function: Cryptographic hash algorithms are utilized to generate hash values
or checksums for data stored in databases. Hashes need to be computed for
records regularly and compared to a previous value to check if unauthorized
modifications or manipulations have occurred. (geeksforgeeks, 2024)

 Digital Signatures: Digital signatures are used to authenticate the data and check
its integrity. Important data entries or digital transactions can be signed using
asymmetric cryptography techniques such as RSA and ECDSA. Verify digital
signatures when data is retrieved so that the data can be confirmed unchanged
since signing. (docusign, n.d.)

 Database Constraints: Implementation of database-level constraints and validation

checks for ensuring data integrity. These could be checking constraints, foreign
key constraints, and unique constraints to prevent invalid, false entry into the
database. (Fernigrini, 2022)

 Transaction Logs: Keep a thorough record of all changes to the database,

including all additions, deletions, and updates. Examine the transaction log
 regularly to monitor changes, identify abnormal changes in data, and secure
evidence against data tampering.

4. Maintain System Availability

 Redundancy and failover systems: Use redundancy and failover mechanisms to
reduce single points of failure while assuring the continuous availability of the
shipping database. It is important to have redundant servers, storage devices, and
network infrastructure to provide such resources in cases of disruption or
hardware failure.

 Load balancing: Use load balancing techniques for a more even distribution of
incoming traffic over multiple database servers or resources. Load balancers
perform health and performance checks of servers and automatically reroute
traffic to servers that are functioning well, to optimize resource usage and prevent
overloads that could result in downtime.

 High-Availability Architecture: Set up a high-availability architecture based on

redundant components, clustering, and automatic failover processes, so that the
shipping database can continuously operate. Create a clustering structure,
replication, and mirroring mechanism according to your requirement to maintain
data consistency and availability across several nodes.

 Monitoring and Alert: Use reliable monitoring and alerting systems for
anticipation of performance problems or potentials. Key performance indicators
that should be monitored include RAM, CPU, disk input/output, and network
traffic. Alerts should notify administrators anytime something seems peculiar.
(fiixsoftware, n.d.)

Task 04

4.1 Examine the Main advantages of enhancing cloud security with a variety of
cryptography and hybrid cryptosystems.
 Security and Efficiency
Hybrid encryption establishes secure communication channels by exchanging keys
asymmetrically, rather than transmitting vital symmetric keys
over unsecured networks. That is, asymmetric encryption provides the secure
way of transferring keys, while symmetric encryption allows for efficient and fast data
encryption.

Truthfulness and Secrecy

Hybrid encryption gives strong data transport confidentiality and integrity guarantees.
Asymmetric encryption ensures that only the
Only the intended recipient can decrypt the shared secret key, and symmetric encryption
protects data alteration or eavesdropping during data transport.

Scalability and performance

Hybrid encryption ensures better scalability and
performance since symmetric encryption can more efficiently encrypt a large quantity of
data. If the shared secret key is sent securely through asymmetric
encryption, then a bulk amount of data can be effectively and efficiently encrypted and
decrypted by using symmetric encryption.

Combination encryption
Hybrid encryption embodies the strengths of symmetric and asymmetric encryption to
prevent some of the weaknesses in either method. Under this, in hybrid encryption,
symmetric encryption of the data is done with a jointly agreed secret key; delivering the
secret key is done securely using asymmetric encryption. (A. Kousalya a, 2023)

4.2 Combination Cryptosystems

Hybrid cryptosystems minimize the shortcomings of each type of encryption while

maximizing the benefits of symmetric and asymmetric algorithms.
 1. Symmetric Encryption
In symmetric encryption, the same secret key is used to both encrypt and decrypt
the encrypted text. It is faster and more efficient. It would be perfect to encrypt
large volumes of text, images, videos, and documents, which would render
symmetric encryption computationally unfeasible. The major drawback that
symmetric encryption presents is the passing of the secret key securely between
the two communicating parties.

2. Asymmetric Encryption
In an asymmetric encryption, the private key decrypts the encrypted text, and the
public key encrypts it. This was initially proposed to solve the key-sharing
problem in symmetric encryption. However, in the real world, it is usually more
inefficient and sluggish while encrypting large volumes of data.

3. Key-Exchange
A hybrid cryptosystem normally makes use of asymmetric encryption for the
purpose of key exchange. The sender will encrypt the symmetric key using the
public key of the recipient together with the encrypted message. The recipient
then decrypts the communication and makes use of his private key to decode the
symmetric key. (Kime, 2023)

Advantages of the Cryptosystem

 Security: Hybrid cryptosystems ensure high security in improving symmetric

encryption with fast encryption of data and asymmetric encryption with secure
key exchange.

 Efficiency: Symmetric encryption works better than any asymmetric encryption

scheme for encrypting/communicating very large amounts of data. It overcomes
performance constraints imposed by asymmetric encryption.

 Flexibility: In hybrid cryptosystems, the choice of the key exchange and the
mechanism for data encryption could be freely chosen. One may use a common
 asymmetric encryption technique like RSA or ECC to exchange keys, while data
can then be encrypted with much stronger symmetric algorithms like AES.

 Scalability: Hybrid cryptosystems are flexible to suit a range of applications from

the security of communication channels to the protection of large databases and
cloud segmenting.

4.3 Principal benefits of using a range of cryptography and hybrid cryptosystems

to improve Ship Cargo’s cloud security

Using a range of encryption techniques and hybrid cryptosystems, which offer a

comprehensive way to safeguard sensitive data and ensure the integrity of connections,
may significantly increase Ship Cargo’s cloud security.

 Symmetric Encryption: Symmetric encryption is the encryption-decryption

process using a common shared key. Data, sometimes substantial amounts of it,
stored or transmitted to the cloud, can be dealt with quite easily because it is fast.
With symmetric encryption, Ship Cargo is protecting large-scale data transfers
from on-premises systems to the cloud, guaranteeing integrity and confidentiality.

 Asymmetric Encryption: Also known as public-key cryptography, asymmetric

encryption uses two different keys: a public key for encryption and a private key
for decryption. This gets around the problem of exchanging secret keys
beforehand, thus allowing for secure exchanges. This may provide Ship Cargo
with the means of ensuring secure conduits of information when exchanging data
with cloud service providers, while the asymmetric encryption ensures the transfer
of information between those parties.
  Digital Signatures: The use of digital signatures represents a method of verifying
the authenticity and integrity of digital documents or communications. Ship Cargo
has a mechanism for protecting against tampering in transit or storage in the
cloud, signing data with its private key, thus demonstrating authorship. Because
they cannot be invalidated, Ship Cargo can prove the authenticity of the data and
seek accountability of the parties that acted when the possibility of dispute arises.

 A hash function provides a potential for data integrity check and identification of
unauthorized alterations by producing fixed-length hash values from variable-
length data inputs. Ship Cargo can make checksums using hash functions for
governing cloud-stored files, facilitating periodic checks to ascertain the integrity
of data and make sure that it is not tempered with. Ship Cargo checks for
discrepancies that can indicate data modification by comparing hash values before
and after transit or storage.

4.3.1 The Main Advantages of utilizing different encryption techniques, illustrated

1. Data Confidentiality
For example, Ship Cargo can efficiently encrypt large volumes of data using
symmetric encryption schemes like AES (Advanced Encryption Standard). This
will ensure that highly sensitive information stored on cloud storage remains
confidential and cannot be accessed directly by any third party. Asymmetric
enciphering methods such as RSA could also provide key exchange and
transmission protection for symmetric encryption keys.

2. Data Correctness
For example, Ship Cargo may employ cryptographic hash functions such as SHA-
256 to create checksums for cloud-stored data. This enables Ship Cargo to
periodically check the current checksum against the stored checksum for
correctness and detection of unauthorized modifications or attempts to manipulate
the data. Digital signatures can be used to attest to data integrity through
 asymmetric cryptography by providing a means of verification of an origin and
authenticity of said data.

3. Authentication and Access Control

For example, in the Ship Cargo setting, digital certificates issued by a reputable
Certificate Authority (CA) can be used to establish the identity of people and
devices using cloud services. Public Key Infrastructure, or PKI, based on
asymmetric cryptography can be made secure to issue and manage digital
certificates. Ship Cargo may also utilize cryptography based on HMAC (Hash-
based Message Authentication Code) to authenticate data transfers among cloud
components so that only authorized enterprises gain access to vital resources.

4. Secure Data Transfer

For instance, Ship Cargo may be assisted by hybrid cryptosystems for encrypting
data transfers between client applications and cloud servers. Such systems might,
for instance, rely on symmetric and asymmetric encryption, where data is
encrypted by the client using a symmetric key, and afterwards, the server encodes
the symmetric key with its public key prior to transfer. After transfer, the server
will decrypt the received message using its private key to decode the symmetric
key. (shardsecure, 2023)

4.4 Examine typical elements impacting an organization’s decision cloud solutions

to enhance security

When choosing a cloud solution to boost security, an organization's decision-making

process is influenced by several factors.

1. Regulatory Compliance
Organizations must ensure compliance of the cloud solution with regulatory
requirements specific to the industry. A good example is METROPOLIS
 CAPITAL Bank, where the institution must comply with Central Bank
regulations, as well as ISO standards. Non-compliance can lead to legal penalties
and damage to an institution's reputation; thus, cloud solutions must provide
appropriate features such as data encryption, secure access controls, and auditing
capabilities.

2. Data Sensitivity
The sensitivity of the organization's data is a critical consideration. Financial
institutions handle highly sensitive customer information, requiring robust data
protection mechanisms such as encryption at rest and in transit, secure key
management, and advanced threat detection. A cloud solution should guarantee
these capabilities to maintain confidentiality and integrity.
3. Scalability and Flexibility
Cloud solutions provide scalability and flexibility, enabling organizations to adapt
to changing needs. For instance, expanding operations or transitioning to work-
from-home models requires scalable security measures. A cloud solution should
accommodate these demands without compromising security, ensuring seamless
integration with existing systems.

4. Cost Implication
Budget constraints often play a significant role. Cloud solutions can reduce
upfront costs associated with on-premises hardware and software while offering
predictable, subscription-based pricing. However, organizations must balance cost
savings with the need for comprehensive security features to avoid vulnerabilities
that could result in higher expenses later. (aimconsulting, n.d.)

4.5 Ship Cargo claims that cloud system will improve security

1. Criteria for Adherence

For companies like Ship Cargo in the shipping and logistics industry, protecting
personal data is a big deal. They're dealing with sensitive information about
customers and employees, and regulations like GDPR demand strong security
 measures. That's why selecting a cloud provider with the right certifications and a
proven track record of data protection is critical. It's all about responsible data
handling and keeping sensitive information safe

2. Data Sensitivity and Classification

ShipCargo deals with highly sensitive information—financial data, cargo
specifics, and customer details. This means their cloud provider needs top-notch
security. Protecting against breaches is paramount, so features like data encryption
both when stored (at-rest) and while being transmitted (in-transit) are essential for
ShipCargo.

3. Features and Security Measure

Ship Cargo’s cloud choice hinges on robust security. They need a provider with
top-tier features: network segmentation to isolate data, strong identity and access
controls (IAM), intrusion detection and prevention (IDPS), and comprehensive
security monitoring (SIEM). This layered approach minimizes risks and
strengthens their overall security.

4. Jurisdiction over Data and Residency

Ship Cargo’s choice of cloud provider must respect data location rules. They need
a provider that can store and manage data in specific places, meeting legal and
regulatory demands. A provider with global reach and strategically located data
centers lets Ship Cargo comply with data residency laws while maintaining
control over their data.

4.6 Examine critically how specific cryptography and hybrid cryptosystem are
used in an organization to protect data

4.6.1 How Cryptography Operates

Imagine a secret code, transforming everyday words into an indecipherable jumble. That's
essentially what cryptography does. It takes readable information (plaintext) and turns it
into a scrambled mess (ciphertext) using a secret key, like a special password. Only
someone with the matching key can unscramble the message.

The process begins by feeding the plaintext into a complex mathematical formula—the
encryption algorithm. This formula, guided by the secret key, shuffles and changes the
data, creating the ciphertext. This ciphertext looks like random gibberish, completely
hiding the original message's meaning. It can then travel safely across any communication
path, from email to a secure network.

The recipient, possessing the correct key, uses the same algorithm, but in reverse
(decryption). This reverses the scrambling, revealing the original message. The security
relies on the key's secrecy and the algorithm's strength—its resistance to unauthorized
decryption attempts.

There are different types of codes. Some use the same key for both scrambling and
unscrambling, requiring careful key sharing. Others use a pair of keys: a public key,
freely shared for scrambling, and a private key, kept secret for unscrambling. This clever
system avoids the need for risky key exchanges.

One-way functions, like hashing, also play a role. These create a unique fingerprint of
data, used to verify its authenticity and detect any changes made during transmission or
storage. These methods, combined with careful key management, form the backbone of
modern cryptography, protecting our digital world. (Ghimiray, 2023)

4.6.2 Advantages and Disadvantages of implementing cryptography in an

enterprise

Advantages
  Confidentiality of Information: Encryption ensures that only an authorized
individual has access to sensitive data under protection from being disclosed and
breached. This is particularly important in the health, finance, and government
industries, where breaches can result in severe consequence.
 Integrity of Information: Cryptographic techniques from hashing to digital
signatures enable data to remain unchanged during transmission or storage. This
serves to protect data from being tampered with and to ensure its authenticity.
 Authentication and Non-Repudiation: Cryptography makes possible secure
authentication, allowing identification of users while making sure
communications originate from perpetrating sources. Non-repudiation is made
possible with digital signatures, thereby preventing parties from denying their
actions or involvement in transactions.
 Able to Meet Regulatory Requirements: Industries require data protection
compliance regulations including HIPAA, PCI DSS, and GDPR. Use of
cryptography aids enterprises in complying with applicable statutes and
parameters, therefore reducing legal and financial risk in the confines of data
breaches.

Disadvantages

 Complexity and Management: Cryptographic systems can be complex to

implement and manage, requiring special knowledge and expertise. This poses an
enduring challenge to organizations with limited security resources or technical
skills.
 Key Management: Secure management of the keys used in cryptography is the
basis for the effectiveness of encryption. A compromise in key security can lead to
catastrophic data breaches; therefore, key management constitutes one of the most
critical and complex elements of cryptographic implementation.
 Performance Overhead: The processes of encryption and decryption can add
overhead that slows down data processing or network operations. This can be a
problem when either resources for processing are limited or real-time performance
is important.
  Vulnerabilities and Weaknesses: Cryptographic algorithms and implementations
are not impervious to attack but may be susceptible to breaches. The knowledge of
the latest threats and advisable actions is very important in counteracting such
threats.

4.6.3 Within an organization, specific cryptography and hybrid cryptosystems are

used to secure data

Inside an organization, data security takes precedence over others, with the usage of
various cryptographic techniques to safeguard sensitive information. A hybrid
cryptosystem combines the powers of symmetric and asymmetric encryption. Here, the
data are encrypted using symmetrical methods, with speed and efficiency enjoyed when
large amounts of data are involved. However, the symmetric key is securely exchanged
by using asymmetric encryption, allowing only authorized individuals holding the private
key associated with the symmetric key to decrypt it for accessing the data. In the end, this
coupling is a strong alternative for data protection, which has a balance between security
and performance. Other organizations may resort to specific cryptographic algorithms
like AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman) for their
purposes. AES in coding might serve the encryption of data at rest while RSA could
accomplish the digital signature purpose to verify the underlying authenticity of
documents. The use of cryptography and hybrid cryptosystems should be proportionate to
the required security standards, data sensitivity issues, and organization resources.

4.7 Data Protection on ship cargo

Data protection in ship cargo operations is vital for protecting sensitive information,
controlling security compliance, and guarding against cyber threats. As the maritime
industry increasingly integrates digital systems, making sure that adequate data security is
fairly in place is imperative. Some of the considerations include:

1. Access Control and Authentication

Only authorized personnel should be able to access cargo-related data through strict
access control. In conjunction with multi-factor authentication (MFA) and role-based
access control (RBAC), unauthorized access to cargo operation management systems will
be adequately eliminated. (ibm, n.d.)

2. Encryption
Both sent and stored data should be encrypted so that the sender or recipient cannot
intercept them or access them unsolicitedly. Such secure means of communication can
include the likes of HTTPS, Transport Layer Security (TLS), or Virtual Private Networks
(VPNs) in transmitting data in between ship and shore-based systems.

3. Cybersecurity Measures
Protecting the cargo management system from cyber threats will be paramount. Security
measures will involve:
 Firewalls and Intrusion Detection Systems (IDS): suckless to kill malicious
activities.
 Endpoint protection: securing devices like on-board terminals and handheld
scanners.
 Regular patching and updates: guaranteeing that all systems are fixed and
regularly updated not to suffer from vulnerabilities. (nibusinessinfo, n.d.)

4. Backup and Disaster Recovery

Regular backing up of cargo-related data must be executed for rapid recovery in the event
of a system crash, ransomware attack, or data breach. Backups must be stored in safe
places in case of victim-by-victim damage and should be tested from time to time to show
their reliability.
 4.8 The Suggestion of the Proper cryptosystem and cryptography to protect ship
cargo data

To achieve better security for ship cargo data, the selected cryptosystem and
cryptographic techniques should be effective. The choice depends on the sensitivity of
data, operational requirements, and the threat landscape in the maritime operating
environment. Following are the recommended cryptosystem and cryptographic
techniques for ship cargo data protection:

1. Recommend Setting up a Hybrid Cryptosystem.

A hybrid cryptosystem combines the fast and efficient grounds of symmetric encryption
for encrypting data and the advantages of asymmetric encryption for secure key
exchange. This provides an optimal performance-security tradeoff and is therefore
suitable for protecting ship cargo data.

2. Recommended Cryptographic Techniques

A. Symmetric Encryption: AES (Advanced Encryption Standard)
Purpose: To ensure that cargo data can be securely encrypted.
Key Features:
 Strong in terms of speed and security.
 Widely adopted standard for encrypting sensitive data.
Implementation: It can be implemented in the form of AES-256 for encrypting data both
at rest and transit, i.e., cargo manifests, shipping schedules, etc.

B. Asymmetric Encryption: RSA (Rivest–Shamir–Adleman)

Purpose: For secure exchange of keys between multiple ship systems and shore-based
operations.
Key Features:
Strong secures small data elements like encryption keys or authentication tokens.
Recommended key lengths of 2048-bit for long-term security, or higher.
Implementation: RSA can encrypt session keys for AES, ensuring that the key exchange
is secured.

By implementing a hybrid cryptosystem with these cryptographic techniques, ship cargo

data can be effectively secured against unauthorized access, tampering, and cyberattacks.

For Ship Cargo’s cloud migration to be secure, a range of cryptographic

technologies must be used to safeguard data and communications.
A complete spectrum of cryptographic techniques should be adopted to ensure security
during the migration of Ship Cargo to the cloud. These will assure integrity,
confidentiality, and availability in data processing during and even after migration.

1. Data Encryption
The fundamental layer of security for cargo-sensitive information is encrypting data at
rest and in transit. This involves the use of AES-256 encryption for data in the cloud and
TLS 1.3 for secure communication in data transmission. These encryption standards will
assure that any unauthorized users cannot access or intercept the data.

2. Secure Key Management

The very essence of encryption requires a strong KMS for secure key handling. It will
depend on the cloud-native KMS or the HSM for generating, storing, and rotating the
keys. This key management procedure guarantees that the encryption keys remain
confidential and inaccessible to unauthorized users.

3. End-to-End Encryption (E2EE)

E2EE will ensure that the data remains encrypted during its complete lifecycle-from Ship
Cargo’s systems to the cloud and back. Hence, an intermediary, cloud service provider,
cannot access sensitive data.

4. Asymmetric Cryptography for Authentication

Use RSA or ECC to authenticate and exchange keys securely. Asymmetric systems
provide strong security for establishing trust between Ship Cargo’s systems and the cloud
environment, ensuring that only legitimate entities access it.

4.9.1 Improvement of cryptography based on ship freight

It is crucial to enhance the scope of cryptography in ship freight operations to cantilever

the security of sensitive cargo data with integrity of logistics systems. As digitalization is
transforming maritime logistics, future cryptographic traps can protect critical
information from increasing cyber threats during the shipping process.

Enhanced Encryption for Cargo Data

To be safe in the sensitive cargo data encryption after the implementation of AES-256 for
the storage of sensitive data, with that of TLS 1.3 for secured means of communication.
This way, all important information, including shipping manifests, invoices, and whole
tracking data, will be secured against unauthorized access at the time of transmission and
storage. Increasingly strict encryption standards along with the adoption of stronger keys
also help ensure protecting data from being intercepted, altered, or manipulated while
being transmitted over various digital platforms-all the way from onboard systems
through port authorities to logistics providers.

Secure IoT Communication and Data Integrity

The increased adoption of IoT devices for shipping like temperature sensors, GPS
trackers, and environmental monitoring systems necessitate better cryptographic defenses
for data being sent from these devices. ECC (Elliptical Curve Cryptography) is a good
way to secure essential IoT communications based on the requirement for good
cryptographic strength with minimal computational overhead. Generally, IoT systems in
freight operations can provide fine secure communication channels to accept
authenticated data in which integrity can be achieved through hash algorithms, for
example, SHA-256 with the help of secure communications for cloud-based or shore-
based systems.

Digital Signatures in Authentications and Validation

To further improve the rightful authenticity of ship freight operations, digital signatures
must be the harbinger for key documents like bills of lading, contracts, and shipment
receipts. Using temporary asymmetric encryption algorithms such as RSA or ECC, those
documents can be signed in order to validate the originality and virtue of the documents
by shipper, consignee, and other stakeholders. This process not only helps to prevent any
unauthorized changes on documents, but it also adds one more strand of security to
everything involved.

4.9.2 Suggestion to the ship cargo company Regarding the Cloud platform

AWS would be an apt cloud solutions provider for Ship Cargo due to its ability to store
sensitive data securely, facilitate communication, and guarantee scalability. AWS also
offers a rich catalog of services designed for scalable infrastructure, secure
communication, and various data encryption options that are suitable for Ship Cargo.

Some of the AWS services that Ship Cargo can utilize include Amazon S3 for secure
storage of customer and shipping records, Amazon RDS for managed databases for
holding transactional information, and AWS Key Management Service (KMS) for
dependable encryption key management. Most importantly, AWS provides secure
communication routes through services like AWS Direct Connect and Amazon Virtual
Private Cloud (VPC), ensuring confidentiality and integrity of data carried over the
network.

It is so easy to scale any of Ship Cargo's business with AWS's extensive offering of
compute resources, including virtual servers (Amazon EC2), containers (Amazon
ECS/EKS), and serverless computing (AWS Lambda). With its global data center
network, compliance certifications, and state-of-the-art security features, AWS guarantees
that you are always in compliance while allowing you to build resilient and uptime
solutions.

References
A. Kousalya a, N.-k. B. b., 2023. sciencedirect. [Online]
Available at: https://www.sciencedirect.com/science/article/pii/S2666603023000040
[Accessed 19 12 2024].
aimconsulting, n.d. aimconsulting. [Online]
Available at: https://aimconsulting.com/insights/evaluate-cloud-service-provider-
security-benefits-criteria/?utm_source=chatgpt.com
[Accessed 20 12 2024].
amazon, n.d. aws.amazon. [Online]
Available at: https://aws.amazon.com/what-is/cloud-hosting/
[Accessed 17 12 2024].
cloud.google, n.d. cloud.google. [Online]
Available at: https://cloud.google.com/learn/advantages-of-cloud-computing?hl=en
[Accessed 17 12 2024].
cloudflare, n.d. cloudflare. [Online]
Available at: https://www.cloudflare.com/learning/ssl/what-is-encryption/
[Accessed 10 12 2024].
cloud, n.d. cloud.google. [Online]
Available at: https://cloud.google.com/learn/what-is-encryption?hl=en
[Accessed 17 12 2024].
darktrace, n.d. darktrace. [Online]
Available at: https://darktrace.com/cyber-ai-glossary/data-encryption-explained?
utm_source=chatgpt.com
[Accessed 15 12 2024].
docs.oracle, n.d. docs.oracle. [Online]
Available at:
https://docs.oracle.com/cd/E95618_01/html/sbc_scz810_acliconfiguration/GUID-
63700646-0BDD-4F38-AAF7-EFD49ABCD13E.htm
[Accessed 15 12 2024].
docusign, n.d. docusign. [Online]
Available at: https://www.docusign.com/how-it-works/electronic-signature/digital-
signature/digital-signature-faq
[Accessed 19 12 2024].
Dougherty, R., 2023. kiteworks. [Online]
Available at: https://www.kiteworks.com/secure-file-sharing/public-vs-private-key-
encryption/
[Accessed 13 12 2024].
Dougherty, R., 2023. kiteworks. [Online]
Available at: https://www.kiteworks.com/secure-file-sharing/public-vs-private-key-
encryption/#:~:text=Secure%20Communication%3A%20Public%20key
%20encryption,recipient%20can%20read%20the%20message.
[Accessed 16 12 2024].
Elaine Barker, S. C. B. ,. S., 2013. A Framework for Designing, s.l.: NIST.
Fernigrini, L., 2022. vertabelo. [Online]
Available at: https://vertabelo.com/blog/database-constraints-types/
[Accessed 19 12 2024].
fiixsoftware, n.d. fiixsoftware. [Online]
Available at: https://fiixsoftware.com/glossary/system-availability/
[Accessed 19 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/difference-between-block-cipher-and-
stream-cipher/
[Accessed 10 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/caesar-cipher-in-cryptography/
[Accessed 11 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/vigenere-cipher/
[Accessed 11 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/bitwise-xor-operator-in-programming/
[Accessed 12 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/easy-key-management-in-cryptography/
[Accessed 14 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/implementation-diffie-hellman-algorithm/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/introduction-to-key-encapsulation-
mechanism-api-in-java/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/blowfish-algorithm-with-examples/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/twofish-encryption-algorithm/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/digital-signature-algorithm-dsa/
[Accessed 17 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/hash-functions-and-list-types-of-hash-
functions/
[Accessed 19 12 2024].
Ghalleb, Z., 2024. wiz. [Online]
Available at: https://www.wiz.io/academy/secure-coding-best-practices
[Accessed 16 12 2024].
Ghimiray, D., 2023. avast. [Online]
Available at: https://www.avast.com/c-cryptography#:~:text=Cryptography%20works
%20by%20taking%20plaintext,all%20except%20the%20intended%20recipient.
[Accessed 21 12 2024].
ibm, 2024. ibm. [Online]
Available at: https://www.ibm.com/docs/en/was/8.5.5?topic=apis-decryption-methods
[Accessed 17 12 2024].
ibm, n.d. ibm. [Online]
Available at: https://www.ibm.com/docs/en/wca/3.0.0?topic=security-authentication-
versus-access-control
[Accessed 21 12 2024].
imperva, n.d. imperva. [Online]
Available at: https://www.imperva.com/learn/application-security/brute-force-attack/
[Accessed 19 12 2024].
Karen Scarfone, 2022. techtarget. [Online]
Available at: https://www.techtarget.com/searchsecurity/tip/The-benefits-and-
challenges-of-managed-PKIs
[Accessed 17 12 2024].
Kime, C., 2023. esecurityplanet. [Online]
Available at: https://www.esecurityplanet.com/trends/types-of-encryption/
[Accessed 20 12 2024].
Kinza Yasar, M. C., 2022. techtarget. [Online]
Available at: https://www.techtarget.com/iotagenda/definition/man-in-the-middle-
attack-MitM#:~:text=(MitM)%20attack%3F-,A%20man%2Din%2Dthe%2Dmiddle
%20(MitM)%20attack,communicating%20directly%20with%20each%20other.
[Accessed 14 12 2024].
Meghanathan, D. N., n.d. Key Distribution and, s.l.: jsums.
Muhammad Rana, .. R. I. i., 2022. sciencedirect. [Online]
Available at: https://www.sciencedirect.com/topics/computer-science/stream-cipher
[Accessed 14 12 2024].
nibusinessinfo, n.d. nibusinessinfo. [Online]
Available at: https://www.nibusinessinfo.co.uk/content/common-cyber-security-
measures
[Accessed 21 12 2024].
Novikava, A., 2024. nordlayer. [Online]
Available at: https://nordlayer.com/blog/how-to-prevent-unauthorized-access/
[Accessed 19 12 2024].
okta, 2024. okta. [Online]
Available at:
https://www.okta.com/identity-101/rc4-stream-cipher/#:~:text=RC4%20(also
%20known%20as%20Rivest,very%20large%20pieces%20of%20data.
[Accessed 15 12 2024].
Peter Loshin, F. S. T., 2021. techtarget. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/key
[Accessed 16 12 2024].
Rahul Awati, C. B. C., 2024. techtarget. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/Advanced-
Encryption-Standard
[Accessed 15 12 2024].
securew2, 2024. securew2. [Online]
Available at: https://www.securew2.com/blog/what-is-rsa-asymmetric-encryption
[Accessed 18 12 2024].
sematext, n.d. sematext. [Online]
Available at: https://sematext.com/glossary/ssl-tls-handshake/
[Accessed 15 12 2024].
shardsecure, 2023. shardsecure. [Online]
Available at: https://shardsecure.com/blog/advantages-data-encryption
[Accessed 20 12 2024].
Shiftan, A., 2023. piiano. [Online]
Available at: https://www.piiano.com/blog/key-rotation?utm_source=chatgpt.com
[Accessed 16 12 2024].
smartb, n.d. smartb. [Online]
Available at: https://www.smartb.co/what-is-cloud-based-software/
[Accessed 17 12 2024].
Srėbaliūtė, A., 2024. nordlayer. [Online]
Available at: https://nordlayer.com/blog/aes-encryption/
[Accessed 17 12 2024].
stackexchange, n.d. rypto.stackexchange. [Online]
Available at: https://crypto.stackexchange.com/questions/111557/the-advantages-of-
using-kem-compared-to-applying-traditional-pke-approach
[Accessed 16 12 2024].
Thakor, V. A. & Razzaque, M. A., 2021. ieeexplore. [Online]
Available at: https://ieeexplore.ieee.org/abstract/document/9328432
[Accessed 16 12 2024].
Tiwari, Y., 2018. infosecinstitute. [Online]
Available at: https://www.infosecinstitute.com/resources/cryptography/cryptanalysis-
tools/
[Accessed 19 12 2024].
tutorialspoint, n.d. tutorialspoint. [Online]
Available at:
https://www.tutorialspoint.com/cryptography/cryptography_chacha20_encryption_algor
ithm.htm
[Accessed 15 12 2024].