CSS

Unit IV: Basic Cryptography

 Cryptography

The art or science Securing message. Cryptography is Greek word

means "secret writing“
o In computer science, cryptography refers to secure information and
communication techniques derived from mathematical concepts and a set of
rule-based calculations called algorithms, to transform messages in ways
that are hard to decipher.
o These deterministic algorithms are used for cryptographic key generation,
digital signing, verification to protect data privacy, web browsing on the
internet and confidential communications such as credit card transactions
and email.
Cryptosystem
 Cryptographic Parameters
 Privacy/confidentiality: Ensuring that no one can read the
message except the intended receiver.
 Authentication: The process of proving one's identity.
 Integrity: Assuring the receiver that the received message has not
been altered in any way from the original.
 Non-repudiation: A mechanism to prove that the sender really sent
this message or Sender and receiver or both cannot deny.
 RSA Public Key Cryptography

 This cryptosystem is one the initial system.

 It remains most employed cryptosystem even today.
 The system was invented by three scholars Ron Rivest, Adi Shamir, and
Len Adleman in 1978 and hence, it is termed as RSA cryptosystem.

 We will see two aspects of the RSA cryptosystem, firstly generation of key
pair and secondly encryption-decryption algorithms .

Key Generation
Encryption/Decryption Function
RSA Public Key Cryptography

Public
 1. Key Generation

 Select two large numbers p and q.

 Compute n=pXq.
 Compute ϕ(n)=(p−1)x(q−1) .
 Choose e such that 1<e<ϕ(n) and e should be co-prime to ϕ(n).
The pair (e, n) is public key.
 Compute d, such that
eXd=1 mod ϕ(n).
the pair (d, n) is private key.
 2.Encryption

 Given M (plaintext) and public key (e,n) find ciphertext(C) ?

 e
C=M mod n

3.Decryption

Given C (Ciphertext) and private key (d,n) find plain text(M) ?

d
M=C mod n
 Example on RSA

Alice generates her RSA keys by selecting two primes: p=11 and q=13. She
chooses e=7 for her public key. Compute her private key. Bob wants to send
Alice an encrypted message, M, so he obtains her RSA public key (n, e). His
plaintext message is just the number 9 and is encrypted into ciphertext, C, Find
Value of C.
 Solution

Key generation
 p=11 and q=13
 n=pxq=11*13=143
 ϕ(n)=(p−1)x(q−1)=10x12=120
 e=7 public key(e,n)=(7,143)
 exd=1 mod ϕ(n) or 7xd=1mod 120 or d=103
Encryption

M=9, public key(e,n)=(7,143), Find C?

So
e 7
C=M mod n C=9 mod 143 =48
 RSA

Based on some number-theoretic facts/results.

 Strength lies in the difficulty of determining the prime factors of a (large)
number.
It is secure because it is difficult to find d using only e and n.
Finding d is equivalent in difficulty to factoring n as p*q.
In hardware, RSA is about 1000 times slower than DES.
In software, it is about 100 times slower.
RSA encryption goes faster if e is chosen appropriately.
Most public key systems use at least 2048-bit key.
 Hash Functions
 A cryptographic hash function (CHF) is a mathematical algorithm
that maps data of arbitrary size (often called the "message") to a
bit array of a fixed size (the "hash value", "hash", or "message
digest").
 It is a one-way function, that is, a function which is practically
infeasible to invert.
 Ideally, the only way to find a message that produces a given
hash is to attempt a brute-force search of possible inputs to see if
they produce a match, or use a rainbow table of matched
hashes.
 Cryptographic hash functions are a basic tool of modern
cryptography.
 Properties of Hash Functions

 It can be applied to a block of data of any size Produces fixed

length output
 One-Way: that is for any given value h, it is computationally
infeasible to find x such that H(x) = h
 Collision Free: Output is collision free means no two inputs can
have same output
 It is deterministic, meaning that the same message always
results in the same hash
 It is quick to compute the hash value for any given message.
 Digital Signature
 Digital signature is a mathematical scheme for
demonstrating the authenticity of digital messages or
documents.
 A valid digital signature enables information integrity
(using hash algorithm) to ensure message is not
altered, message created by the known sender
(authentication)
 Sender r cannot deny having sent the message (non-
repudiation).
 The digital signature has to be authentic, unfalsifiable,
non-reusable, unalterable and irrevocable.
 When all this property are gathered, the authenticity
and the integrity of an information can verified.
 Digital Signature Continue--

 Digital signature is a mathematical scheme for demonstrating the

authenticity of digital messages or documents.
 A valid digital signature enables information integrity (using hash
algorithm) to ensure message is not altered, message created by the
known sender (authentication)
 Sender cannot deny having sent the message (non-repudiation).
 The digital signature has to be authentic, unfalsifiable, non-reusable,
unalterable and irrevocable.
 When all this property are gathered, the authenticity and the integrity of

an information can verified.

 Continue

 The signature operation is based on asymmetric cryptography.

 First a digest of the initial information is created and this last is
encrypted with the private key. This operation is called the signature.
 To validate the signature, the recipient extracts the encrypted digest
from the message and use his public key to unencrypt it.
 Next the recipient creates a digest from the received information and
compare it with the previously unencrypted digest. This is the signature
checking process.
 Distribution of Public Key

Public key can be distributed in 4 ways:

oPublic Key Announcement
oPublicly Available Directory
oPublic Certification
o Public Authority
 OSI Model
 OSI stands for Open System Interconnection is a reference model that
describes how information from a software application in one computer
moves through a physical medium to the software application in another
computer.
 OSI consists of seven layers, and each layer performs a particular network
function.
 OSI model was developed by the International Organization for
Standardization (ISO) in 1984, and it is now considered as an architectural
model for the inter-computer communications.
 Each layer is self-contained, so that task assigned to each layer can be
performed independently.
 Data-Link Layer
 This layer is responsible for the error-free transfer of data frames.
 It defines the format of the data on the network.
 It provides a reliable and efficient communication between two or
more devices.
 It is mainly responsible for the unique identification of each device
that resides on a local network.
 It contains two sub-layers:

Logical Link Control Layer

Media Access Control Layer

Functions of the Data-link layer

 Framing
 Physical Addressing
 Flow Control
 Error Control
 Access Control
 Network Layer
It is a layer 3 that manages device addressing, tracks the location of
devices on the network.
It determines the best path to move data from source to the
destination based on the network conditions, the priority of service, and
other factors.
The Data link layer is responsible for routing and forwarding the
packets.
Functions of Network Layer
Internetworking
Addressing
Routing
Packetizing
 Transport Layer
 The Transport layer is a Layer 4 ensures that messages are transmitted in the
order in which they are sent and there is no duplication of data.
 The main responsibility of the transport layer is to transfer the data
completely.
 It receives the data from the upper layer and converts them into smaller units
known as segments.
 This layer can be termed as an end-to-end layer as it provides a point-to-point
connection between source and destination to deliver the data reliably.
Functions of Transport Layer:
Service-point addressing
Segmentation and reassembly
Connection control
Flow control
Error control
 Presentation Layer
 A Presentation layer is mainly concerned with the syntax and
semantics of the information exchanged between the two
systems.
 It acts as a data translator for a network.
 The Presentation layer is also known as the syntax layer.
 Functions of Presentation layer

 Translation
 Encryption
 Compression
 Application Layer
 An application layer serves as a window for users and application
processes to access network service.
 It handles issues such as network transparency, resource
allocation, etc.
 An application layer is not an application, but it performs the
application layer functions.
 This layer provides the network services to the end-users.
Functions of Application layer
File transfer, access, and management (FTAM)
Mail services
TCP Model
Application Layer
Application layer interacts with an application program, which is the highest level
of OSI model. The application layer is the OSI layer, which is closest to the end-
user. It means the OSI application layer allows users to interact with other
software application.
Application layer interacts with software applications to implement a
communicating component. The interpretation of data by the application
program is always outside the scope of the OSI model.
Example of the application layer is an application such as file transfer, email,
remote login, etc.

The function of the Application Layers are:

•Application-layer helps you to identify communication partners, determining
resource availability, and synchronizing communication.
•It allows users to log on to a remote host
•This layer provides various e-mail services
•This application offers distributed database sources and access for global
information about various objects and services.
Transport Layer
Transport layer builds on the network layer in order to provide data transport from a process
on a source system machine to a process on a destination system. It is hosted using single or
multiple networks, and also maintains the quality of service functions.
It determines how much data should be sent where and at what rate. This layer builds on the
message which are received from the application layer. It helps ensure that data units are
delivered error-free and in sequence.
Transport layer helps you to control the reliability of a link through flow control, error control,
and segmentation or de-segmentation.
The transport layer also offers an acknowledgment of the successful data transmission and
sends the next data in case no errors occurred. TCP is the best-known example of the transport
layer.
Important functions of Transport Layers:
•It divides the message received from the session layer into segments and numbers them to
make a sequence.
•Transport layer makes sure that the message is delivered to the correct process on the
destination machine.
•It also makes sure that the entire message arrives without any error else it should be
retransmitted.
Internet Layer
An internet layer is a second layer of TCP/IP layes of the TCP/IP
model. It is also known as a network layer. The main work of this
layer is to send the packets from any network, and any computer
still they reach the destination irrespective of the route they take.
The Network Interface Layer
Network Interface Layer is this layer of the four-layer TCP/IP
model. This layer is also called a network access layer. It helps
you to defines details of how data should be sent using the
network.
It also includes how bits should optically be signaled by hardware
devices which directly interfaces with a network medium, like
coaxial, optical, coaxial, fiber, or twisted-pair cables.
TCP/IP OSI

TCP refers to Transmission Control Protocol. OSI refers to Open Systems Interconnection.

TCP/IP has 4 layers. OSI has 7 layers.

TCP/IP is more reliable OSI is less reliable

TCP/IP does not have very strict boundaries. OSI has strict boundaries

TCP/IP follow a horizontal approach. OSI follows a vertical approach.

TCP/IP uses both session and presentation layer in

OSI uses different session and presentation layers.
the application layer itself.

TCP/IP developed protocols then model. OSI developed model then protocol.
 Real-World Protocols

 Secure Socket Layer(SSL)

 Transport Layer Security(TLS)
 Internet Protocol Security(IP Sec)
 Domain Name System(DNS)
 E. Mail Security and PGP(Pretty Good Privacy)
 Secure Electronic Payment Protocol(SEPP)
 SSL

 It provides security to the data that is transferred

between web browser and server.
 SSL encrypts the link between a web server and a
browser which ensures that all data passed between
them remain private and free from attack.
 Secure Socket Layer Protocols

SSL record protocol

 Handshake protocol
Change-cipher spec protocol
 Alert protocol
 SSL Record Protocol

SSL Record provides two services to SSL connection.

Confidentiality
Message Integrity

 In the SSL Record Protocol application data is divided into fragments.

 The fragment is compressed and then encrypted MAC (Message
Authentication Code) generated by algorithms like SHA (Secure Hash
Protocol) and MD5 (Message Digest) is appended.
 After that encryption of the data is done and in last SSL header is
appended to the data.
Handshake Protocol
 Change-cipher Protocol
 This protocol uses the SSL record protocol.
 Unless Handshake Protocol is completed, the SSL record Output
will be in a pending state.
 After handshake protocol, the Pending state is converted into the
current state.
 Change-cipher protocol consists of a single message which is 1
byte in length and can have only one value.
 This protocol’s purpose is to cause the pending state to be copied
into the current state.
 Alert Protocol
 This protocol is used to convey SSL-related alerts to
the peer entity.
 Each message in this protocol contains 2 bytes.
 Difference between SSL and TLS
S. No. SSL TLS
1 SSL stands for Secure Socket Layer TLS stands for Transport Layer Security.

2 SSL (Secure Socket Layer) is less secured as TLS (Transport Layer Security) provides high security.
compared to TLS(Transport Layer Security).

3 SSL (Secure Socket Layer) is the 3.0 version TLS (Transport Layer Security) is the 1.0 version..

4 In SSL( Secure Socket Layer), Message digest In TLS(Transport Layer Security), Pseudo-random function
is used to create master secret. is used to create master secret.

5 In SSL( Secure Socket Layer), Message In TLS(Transport Layer Security), Hashed Message
Authentication Code protocol is used. Authentication Code protocol is used.

6 SSL (Secure Socket Layer) is complex than TLS (Transport Layer Security) is simple.
TLS(Transport Layer Security).
 IP security (IPSec)

 The IP security (IPSec) is an Internet Engineering Task Force (IETF)

standard suite of protocols between 2 communication points across
the IP network that provide data authentication, integrity, and
confidentiality.
 It also defines the encrypted, decrypted and authenticated packets.
 The protocols needed for secure key exchange and key
management are defined in it.
 Uses of IP Security

IPsec can be used to do the following things

 To encrypt application layer data.

 To provide security for routers sending routing data across
the public Internet
 To provide authentication without encryption, like to
authenticate that the data originates from a known sender.
 To protect network data by setting up circuits using IPsec
tunneling in which all data is being sent between the two
endpoints is encrypted, as with a Virtual Private
Network(VPN) connection.
 What is an Email Certificate?

 An email certificate is a digital file that is installed to your email application

to enable secure email communication.
 These certificates are known by many names — email security certificates,
email encryption certificates, S/MIME certificates, etc.
 S/MIME, which stands for “secure/multipurpose interned mail extension,”
is a certificate that allows users to digitally sign their email communications
as well as encrypt the content and attachments included in them.
 Not only does this authenticate the identity of the sender to the recipient,
but it also protects the integrity of the email data before it is transmitted
across the Internet
 PGP(Pretty Good Privacy)
 PGP stands for Pretty Good Privacy (PGP) which is invented by Phil
Zimmerman.
 PGP was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation in the sending of email.
 PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation. PGP uses
a combination of secret key encryption and public key encryption to provide
privacy. Therefore, we can say that the digital signature uses one hash function,
one secret key, and two private-public key pairs.
 PGP is an open source and freely available software package for email security.
 PGP provides authentication through the use of Digital Signature.
Disadvantages of PGP Encryption
 The Administration is difficult
 Compatibility issues
 Complexity.
 No Recovery
 Benefits of PGP Encryption
 Sensitive information is always protected. It cannot be stolen or viewed by others
on the Internet It assures that the information that is sent or received was not
modified in transmission and that files were not changed without your knowledge.
 Information can be shared securely with others including groups of users and
entire departments.
 You can be certain who the email is from and who it is for. PGP verifies the sender
of the information to ensure that the email was not intercepted by a third party.
 Your secure emails and messages cannot be penetrated by hackers or infected by
email attacks.
 Others cannot recover sensitive messages or files once you have deleted them.
 Easy to use
 Domain Name System Security (DNS)

 DNSSEC stands for Domain Name System Security

Extensions, and it is a technology used to protect
information on the Domain Name System (DNS)
which is used on IP networks.

 It provides authentication for the origin of the DNS

data, helping to safeguard against attacks and protect
data integrity.
 How DNSSEC works
 The DNS turns domain names, or website names, into
Internet protocol (IP) addresses.
 These are unique identifiers that help computers around
the world access the information quickly.
 DNS security adds a set of extensions for increased
protection
 These security extensions include:

 Origin authentication of DNS data: this ensures that the

recipient of the data can verify the source.
 Authenticated denial of existence: this tells a resolver
(responsible for translating the domain name into an IP
address) that a certain domain name does not exist.
 Data integrity: this assures the data recipient that the data has
not been changed in transit.
 Why do we need security in DNS

 A DNS helps point web traffic to the right destination. It is

used by everyone, everywhere and all Internet traffic flows
through it.

 For this reason, it is a highly sensitive system which is

exposed to many threats from cyber attackers that aim to
take control of a DNS, to infect and extract all data from it.
 Measures against DNS attacks

 Use digital signatures and certificates to authenticate sessions in

order to protect private data.
 Update regularly and use the latest software versions, such as BIND.
BIND is an open source software that resolves DNS queries for
users.
 Install appropriate patches and fix faulty bugs regularly.
 Replicate data in a few other servers, so that if data is corrupted/lost
in one server, it can be recovered from the others. This could also
prevent single point failure.