Unit -1 Cryptography and Network Security

The OSI security architecture

The OSI security architecture provides the managers responsible for the security of an
organization in describing the necessity for security. The OSI security architecture was
introduced as an ‘international standard’ which allow the computer and communication
dealer produce the products that have security characteristics depends on this
architecture.
The OSI security architecture has a structure description of services and structure for
supporting security to the organization’s data. The OSI security architecture targets on
security attacks, structure, and services.
These can be represented concisely as follows
 Security attack − Security attack is any action that deal the security of data
owned by an organization.
 Security mechanism − A process (or a device assortment such a process) that is
designed to identify, avoid, or restore from a security attack.
 Security service − A processing or communication service that improves the
security of the data processing systems and the information assign of an
organization. The services are pre-determined to counter security attacks, and they
create need of one or more security structure to support the service.

Security Attacks
Security attacks refer to the sets of actions that the threats actors perform to gain any
unauthorized access, cause damage to systems/computers, steal data, or compromise the
computer networks.

Active attacks
 An Active attack attempts to alter system resources or affect their operations.
 Active attacks involve some modification of the data stream or the creation of
false statements.
 Active attacks involve an attacker intentionally altering or destroying data, or
disrupting the normal operation of a system.
 Examples of active attacks include denial of service (DoS), where an attacker
floods a system with traffic in an attempt to make it unavailable to legitimate
users, and malware, where an attacker installs malicious software on a system to
steal or destroy data.

1
 Unit -1 Cryptography and Network Security

Masquerade
 A masquerade attack takes place when one entity pretends to be a different entity.
 If an authorization procedure isn’t always absolutely protected, it is able to grow
to be extraordinarily liable to a masquerade assault.
 Masquerade assaults may be performed using the stolen passwords and logins

Modification of messages
 Some portion of a message is altered or that message is delayed or reordered to
produce an unauthorized effect.
 Modification is an attack on the integrity of the original data. It basically means
that unauthorized parties not only gain access to data but also spoof the data by
triggering, such as altering transmitted data packets or flooding the network with
fake data.

2
 Unit -1 Cryptography and Network Security

Replay Attack
 It involves the passive capture of a message and its subsequent transmission to
produce an authorized effect.
 In this attack, the basic aim of the attacker is to save a copy of the data originally
present on that particular network and later on use this data for personal uses.

Denial of Service
 Form of service denial is the disruption of an entire network either by disabling
the network or by overloading it with messages so as to degrade performance.
 It prevents the normal use of communication facilities. This attack may have a
specific target. For example, an entity may suppress all messages directed to a
particular destination.

3
 Unit -1 Cryptography and Network Security

Passive attacks
 A Passive attack attempts to learn or make use of information from the system
but does not affect system resources.
 Passive attacks involve an attacker passively monitoring or collecting data
without altering or destroying it.
 Examples of passive attacks include eavesdropping, where an attacker listens in
on network traffic to collect sensitive information, and sniffing, where an
attacker captures and analyzes data packets to steal sensitive information.

The release of message content

 Telephonic conversation, an electronic mail message, or a transferred file may
contain sensitive or confidential information. We would like to prevent an
opponent from learning the contents of these transmissions.

Traffic analysis –
 Suppose that we had a way of masking (encryption) information, so that the
attacker even if captured the message could not extract any information from the
message.
 The opponent could determine the location and identity of communicating host
and could observe the frequency and length of messages being exchanged.
 This information might be useful in guessing the nature of the communication
that was taking place
.

4
 Unit -1 Cryptography and Network Security

Active Attack Vs Passive Attack

Active Attack Passive Attack
In an active attack, Modification in While in a passive attack, Modification in
information takes place. the information does not take place.

Active Attack is a danger to Integrity as Passive Attack is a danger

well as availability. to Confidentiality.

In an active attack, attention is on While in passive attack attention is on

prevention. detection.

Due to active attacks, the execution system While due to passive attack, there is no
is always damaged. harm to the system.

In an active attack, Victim gets informed While in a passive attack, Victim does not
about the attack. get informed about the attack.

In an active attack, System resources can While in passive attack, System resources
be changed. are not changing.

While in a passive attack, information and

Active attack influences the services of the messages in the system or network are
system. acquired.

In an active attack, information collected While passive attacks are performed by

5
 Unit -1 Cryptography and Network Security

through passive attacks is used during collecting information such as passwords,

execution. and messages by themselves.

Can be easily detected. Very difficult to detect.

The duration of an active attack is short. The duration of a passive attack is long.

The prevention possibility of active attack The prevention possibility of passive

is High attack is low.

Complexity is High Complexity is low.

Security Services

6
 Unit -1 Cryptography and Network Security

Authentication: The assurance that the communicating entity is the one that it claims to
be

 Peer Entity Authentication: Used in association with a logical connection to

provide confidence in the identity of the entities connected.
 Data Origin Authentication: In a connectionless transfer, provides assurance that
the source of received data is as claimed.

Access Control

 The prevention of unauthorized use of a resource (i.e., this service controls that
can have access to a resource, under what conditions access can occur, and what
those accessing the resource are allowed to do).

Data Confidentiality: The protection of data from unauthorized disclosure.

 Connection Confidentiality: The protection of all user data on a connection.

 Connectionless Confidentiality: The protection of all user data in a single data
block.
 Selective-Field Confidentiality: The confidentiality of selected fields within the
user data on a connection or in a single data block.
 Traffic Flow Confidentiality: The protection of the information that might be
derived from observation of traffic flows

Data Integrity: Assurance that data received are exactly as sent by an authorized entity.

 Connection Integrity with Recovery: Provides for the integrity of all user data
on a connection and detects any modification, insertion, deletion, or replay of any
data within an entire data sequence, with recovery attempted.
 Connection Integrity without Recovery: As above, but provides only detection
without recovery.
 Selective-Field Connection Integrity: Provides for the integrity of selected fields
within the user data of a data block transferred over a connection and takes the
form of determination of whether the selected fields have been modified, inserted,
deleted, or replayed
 Connectionless Integrity: Provides for the integrity of a single connectionless
data block and may take the form of detection of data modification. Additionally,
a limited form of replay detection may be provided.
 Selective-Field Connectionless Integrity: Provides for the integrity of selected
fields within a single connectionless data block; takes the form of determination of
whether the selected fields have been modified.
7
 Unit -1 Cryptography and Network Security

Non-Repudiation: Provides protection against denial by one of the entities involved in a

communication of having participated in all or part of the communication

 Nonrepudiation Origin: Proof that the message was sent by the specified party.
 Nonrepudiation Destination: Proof that the message was received by the specified
party.

Security Mechanism

The mechanism that is built to identify any breach of security or attack on the
organization is called a security mechanism.
Security Mechanisms are also responsible for protecting a system, network, or device
against unauthorized access, tampering, or other security threats.
Security mechanisms can be implemented at various levels within a system or network
and can be used to provide different types of security, such as confidentiality, integrity,
or availability.
Some examples of security mechanisms include
 Encipherment (Encryption) involves the use of algorithms to transform data
into a form that can only be read by someone with the appropriate decryption
key. Encryption can be used to protect data it is transmitted over a network, or to
protect data when it is stored on a device.
 Digital signature is a security mechanism that involves the use of cryptographic
techniques to create a unique, verifiable identifier for a digital document or
message, which can be used to ensure the authenticity and integrity of the
document or message.
 Traffic padding is a technique used to add extra data to a network traffic stream
in an attempt to obscure the true content of the traffic and make it more difficult
to analyze.
 Routing control allows the selection of specific physically secure routes for
specific data transmission and enables routing changes, particularly when a gap
in security is suspected.

8
 Unit -1 Cryptography and Network Security

A Model for Network Security

 A security-related transformation of the information to be sent via some secure

channel
 Examples include the encryption of the message, which scrambles the message so
that it is unreadable by the opponent, and the addition of a code based on the
contents of the message, which can be used to verify the identity of the sender.

Symmetric Cipher Model

9
 Unit -1 Cryptography and Network Security

 Plain Text (x): This is the original data/message that is to be communicated to

the receiver by the sender. It is one of the inputs to the encryption algorithm.
 Secret Key (k): It is a value/string/textfile used by the encryption and decryption
algorithm to encode and decode the plain text to cipher text and vice-versa
respectively. It is independent of the encryption algorithm. It governs all the
conversions in plain text. All the substitutions and transformations done depend
on the secret key.
 Encryption Algorithm (E): It takes the plain text and the secret key as inputs
and produces Cipher Text as output. It implies several techniques such as
substitutions and transformations on the plain text using the secret key. E(x, k)
=y
 Cipher Text (y): It is the formatted form of the plain text (x) which is
unreadable for humans, hence providing encryption during the transmission. It is
completely dependent upon the secret key provided to the encryption algorithm.
Each unique secret key produces a unique cipher text.
 Decryption Algorithm (D): It performs reversal of the encryption algorithm at
the recipient’s side. It also takes the secret key as input and decodes the cipher
text received from the sender based on the secret key. It produces plain text as
output. D(y, k) = x

Requirements for Encryption

There are only two requirements that need to be met to perform encryption. They are,
1. Encryption Algorithm: There is a need for a very strong encryption algorithm that
produces cipher texts in such a way that the attacker should be unable to crack the
secret key even if they have access to one or more cipher texts.
2. Secure way to share Secret Key: There must be a secure and robust way to share
the secret key between the sender and the receiver. It should be leakproof so that the
attacker cannot access the secret key.

10
 Unit -1 Cryptography and Network Security

Cryptography

 Cryptography is a method of protecting information and communications

through the use of codes, so that only those for whom the information is intended
can read and process it.

Cryptanalysis
 It is the study of the cryptographic algorithm and the breaking of those secret
codes. The person practicing Cryptanalysis is called a Cryptanalyst.
 Cryptanalysis is the study of methods for obtaining the meaning of encrypted
information, without access to the secret information that is typically required to
do so. Typically, this involves knowing how the system works and finding a
secret key.

Cryptanalytic attacks
 The attacks rely on nature of the algorithm and also knowledge of the general
characteristics of the plaintext and some plaintext- cipher text pairs.
 It exploits the characteristics of the algorithm to attempt to derive specific
plaintext or derive the key.

Brute-force attack
 This attack involves trying every possible key until the correct one is found.
While this attack is simple to implement, it can be time-consuming and
computationally expensive, especially for longer keys.

Types of Cryptanalytic attacks / Attacks on Encrypted message

Known-Plaintext Analysis (KPA):

 In this type of attack, some plaintext-ciphertext pairs are already known.
Attacker maps them in order to find the encryption key. This attack is easier to
use as a lot of information is already available.

11
 Unit -1 Cryptography and Network Security

Chosen-Plaintext Analysis (CPA)

 In this type of attack, the attacker chooses random plaintexts and obtains the
corresponding cipher texts and tries to find the encryption key.

Ciphertext-Only Analysis (COA)

 In this type of attack, only some cipher-text is known and the attacker tries to
find the corresponding encryption key and plaintext.
 It’s the hardest to implement but is the most probable attack as only ciphertext is
required.

A chosen-ciphertext attack (CCA)

 Cryptanalyst gathers information, at least in part, by choosing a ciphertext and
obtaining its decryption under an unknown key.
 In the attack, an adversary has a chance to enter one or more known ciphertexts
into the system and obtain the resulting plaintexts.
 From these pieces of information the adversary can attempt to recover the hidden
secret key used for decryption
12
 Unit -1 Cryptography and Network Security

Substitution Techniques
Hiding some data is known as encryption. When plain text is encrypted it becomes
unreadable and is known as ciphertext. In a Substitution cipher, any character of plain
text from the given fixed set of characters is substituted by some other character from the
same set depending on a key.

Caesar Cipher
 This the simplest substitution cipher by Julius Caesar.

 In this substitution technique, to encrypt the plain text, each alphabet of the plain
text is replaced by the alphabet three places further it.

 To decrypt the cipher text each alphabet of cipher text is replaced by the alphabet
three places before it.

13
 Unit -1 Cryptography and Network Security

Example

Plain Text: meet me tomorrow

Cipher Text: phhw ph wrpruurz

Brute force attack on Casear Cipher

 Encryption and decryption algorithm are known
 There are only 25keys to try

Monoalphabetic Cipher
 Monoalphabetic cipher is a substitution cipher, where the cipher alphabet for each
plain text alphabet is fixed, for the entire encryption.

 In simple words, if the alphabet ‘p’ in the plain text is replaced by the cipher
alphabet ‘d’. Then in the entire plain text wherever alphabet ‘p’ is used, it will be
replaced by the alphabet ‘d’ to form the ciphertext.

 With 26 letters in the alphabet the possible permutation are 26!

Plain Text: meet me tomorrow

Cipher Text: pxxe pt erprvvrg

 Monoalphabetic ciphers are easy to break because they reflect the frequency data
of the original alphabet.

 If the crpyanalyst know the original language, and we know that a monoalphabetic
substitution was used, then we have a good chance of cracking the code
14
 Unit -1 Cryptography and Network Security

Playfair cipher

 Playfair cipher is an encryption algorithm to encrypt or encode a message. It is the same

as a traditional cipher. The only difference is that it encrypts a digraph (a pair of two
letters) instead of a single letter.

 It initially creates a key-table of 5*5 matrix. The matrix contains alphabets that act as the
key for encryption of the plaintext. Note that any alphabet should not be repeated.
Another point to note that there are 26 alphabets and we have only 25 blocks to put a
letter inside it. Therefore, one letter is excess so, a letter will be omitted (usually J) from
the matrix. Nevertheless, the plaintext contains J, then J is replaced by I. It means treat I
and J as the same letter, accordingly.

 First, split the plaintext into digraphs (pair of two letters). If the plaintext has the odd
number of letters, append the letter Z at the end of the plaintext. It makes the plaintext of
even For example, the plaintext MANGO has five letters. So, it is not possible to make a
digraph. Since, we will append a letter Z at the end of the plaintext, i.e. MANGOZ.

 After that, break the plaintext into digraphs (pair of two letters). If any letter appears
twice (side by side), put X at the place of the second occurrence. Suppose, the plaintext is
COMMUNICATE then its digraph becomes CO MX MU NI CA TE. Similarly, the
digraph for the plaintext JAZZ will be JA ZX ZX, and for plaintext GREET, the digraph
will be GR EX ET

 Fill the first row (left to right) with the letters of the given keyword. If the keyword has
duplicate letters (if any) avoid them. It means a letter will be considered only once. After
that, fill the remaining letters in alphabetical order.

Encryption Process

If a pair of letters (digraph) appears in the same row

 In this case, replace each letter of the digraph with the letters immediately to their right. If
there is no letter to the right, consider the first letter of the same row as the right letter.

If a pair of letters (digraph) appears in the same column

 In this case, replace each letter of the digraph with the letters immediately below them. If
there is no letter below, wrap around to the top of the same column.

If the alphabets are in different rows and columns, replace the pair with the alphabets on
the same row respectively but the corners of the rectangle defined by the original pair.
15
 Unit -1 Cryptography and Network Security

Key: Keyword

Plain Text: meet me tomorrow

Pair: me et me to mo rx ro wz

Cipher Text: kn ku kn kz ks ta kc yo

Example

1) Use playfair cipher to encrypt the word “greet” using the key “moon mission”= hqczdu
2) Use playfair cipher to encrypt the plaintext “why, don’t you? Using the key “keyword”=
yieaesvkez
3) Encrypt the message “surgical strike” with key “gujar” = paguudimtogamc

16
 Unit -1 Cryptography and Network Security

Hill Cipher

17
 Unit -1 Cryptography and Network Security

Key is distributed in horizontal fashion. For example view [ v i]

[e w]

n * n rectangle of a key then plaintext is converted into vector of length of n*1 (column wise/
vertical)

attack [a] [t] [c]

[t] [a] [k]

Example:

1) Encrypt the message “Exam” using the key” jdfh” = yzwg

2) Encrypt the message “DEF” using the hill cipher with the key 2 4 5 = VOY
9 2 1
3 8 7

18
 Unit -1 Cryptography and Network Security

Polyalphabetic Cipher

 Polyalphabetic cipher is far more secure than a monoalphabetic cipher.

 As monoalphabetic cipher maps a plain text symbol or alphabet to a ciphertext
symbol and uses the same ciphertext symbol wherever that plain text occurs in the
message. But polyalphabetic cipher, each time replaces the plain text with the
different ciphertext.

Vigenère Cipher

 The encryption of the original text is done using the Vigenère square or Vigenère
table.
 The table consists of the alphabets written out 26 times in different rows, each
alphabet shifted cyclically to the left compared to the previous alphabet,
corresponding to the 26 possible Caesar Ciphers.
 At different points in the encryption process, the cipher uses a different alphabet
from one of the rows.
 The alphabet used at each point depends on a repeating keyword.

19
 Unit -1 Cryptography and Network Security

Vernam Cipher

Vernam Cipher is a method of encrypting alphabetic text. It is one of the Substitution

techniques for converting plain text into cipher text. In this mechanism we assign a
number to each character of the Plain-Text, like (a = 0, b = 1, c = 2, … z = 25).

Method to take key: In the Vernam cipher algorithm, we take a key to encrypt the
plain text whose length should be equal to the length of the plain text.

Encryption Algorithm:
 Assign a number to each character of the plain-text and the key according to
alphabetical order.
 Bitwise XOR both the number (Corresponding plain-text character number and
Key character number).
 Subtract the number from 26 if the resulting number is greater than or equal to
26, if it isn’t then leave it.

Plaintext= HELLO

Key = NCBTA

H E L L O

7 4 11 11 14

N C B T A

13 2 1 19 0

SUM 20 6 12 30 14

if the value is greater than 26 than

subtract 26 form its

SUM 20 6 12 04 14

U G M E O

 For decryption subtract the key form cipher text if the answer is minus then add 26 into it
20
 Unit -1 Cryptography and Network Security

One time Pad

21
 Unit -1 Cryptography and Network Security

Transposition Techniques

Transposition Cipher is a cryptographic algorithm where the order of alphabets in the

plaintext is rearranged to form a cipher text. In this process, the actual plain text
alphabets are not included.

Rail fence cipher (Row by Row)

 In the rail fence cipher, the plain-text is written downwards and diagonally on
successive rails of an imaginary fence.
 When we reach the bottom rail, we traverse upwards moving diagonally, after
reaching the top rail, the direction is changed again. Thus the alphabets of the
message are written in a zig-zag manner.
 After each alphabet has been written, the individual rows are combined to obtain
the cipher-text.

Plain text: meet me at the park

Cipher text: memateaketethpr

Rail fence cipher (Column by Column)

 The message is written out in rows of a fixed length, and then read out again
column by column, and the columns are chosen in some scrambled order.
 Width of the rows and the permutation of the columns are usually defined by a
keyword.

22
 Unit -1 Cryptography and Network Security

Security Objectives

 Confidentiality: It refer about read access of any confidential data. Protecting

information from un-authorized access and disclosure
 Integrity: it refers about write or update of any data. Assuring the reliability and
accuracy of information and IT resources by guarding against unauthorized
information modification or destruction. Both confidentiality and availability
contribute to integrity. Integrity can be categorized further into Data Integrity and
system integrity.
 Availability: It is about availability of any data which can be access easily when
we requires. Defending information systems and resources to ensure timely and
reliable access and use of information. Key point of Availability means ensuring
that the data can be accessed by all authorized people.
 Authenticity: The property of being genuine and being able to be verified and
trusted, confidence in the validity of a transmission, a message or message
originator.
 Accountability: the security goal that generates the requirement for actions of an
entity to be traced uniquely to that entity.

23