Chapter 3:

Cryptography and Encryption Techniques

3.1. Basic cryptographic terms

Cryptography is an automated mathematical tool that plays an important role in network

security. It supports the confidentiality and integrity of information and provide authentication
and non-repudiation to the users.
Cryptography is frequently used in distributed applications to transfer recognition and
authentication information from one system to another over a network. Cryptographic
authentication systems validate a user based on the awareness or control of a cryptographic key.
Cryptographic authentication systems can be based on private key cryptosystems or public key
cryptosystems.
Cryptographic approach can encrypt the biometric templates or images which are saved in a
database. It can enhance the level of system security as an intruder should gain access to the
encryption keys first.
There are some privacy issues linked with an extensive database remain, because the keys and,
thus, the biometric information, are controlled by a custodian.
There are some basic terms used in cryptography are as follows:

1. Plaintext
Let's start with the most basic encryption term, which is simple but just as important as the
others: plaintext is an unencrypted, readable, plain message that anyone can read.

2. Ciphertext
Ciphertext is the result of the encryption process. The encrypted plaintext appears as apparently
random strings of characters, rendering them useless. A cipher refers to the encryption algorithm
that transforms the plaintext, hence the term ciphertext.

3. Encryption
Encryption is the process of applying a mathematical function to a file that renders its contents
unreadable and inaccessible—unless you have the decryption key.

4. Decryption

If encryption locks the file, then decryption reverses the process, turning ciphertext back to
plaintext. Decryption requires two elements: the correct password and the corresponding
decryption algorithm.
5. Keys

The encryption process requires a cryptographic key that tells the algorithm how to transform
the plaintext into ciphertext. Kerckhoffs's principle states that "only secrecy of the key provides
security," while Shannon's maxim continues "the enemy knows the system."

These two statements influence the role of encryption and keys within that.

Keeping the details of an entire encryption algorithm secret is extremely difficult; keeping a
much smaller key secret is easier. The key locks and unlocks the algorithm, allowing the
encryption or decryption process to function.

Is a Key a Password?

No. Well, at least not entirely. Key creation is a result of using an algorithm, whereas a password
is usually a user choice. The confusion arises as we rarely specifically interact with a
cryptographic key, whereas passwords are part of daily life.

Passwords are at times part of the key creation process. A user enters their super-strong password
using all manner of characters and symbols, and the algorithm generates a key using their input.

6. Hash
When a website encrypts your password, it uses an encryption algorithm to convert your
plaintext password to a hash. A hash is different from encryption in that once the data is hashed,
it cannot be unhashed. Or rather, it is extremely difficult.

Hashing is really useful when you need to verify something's authenticity, but not have it read
back. In this, password hashing offers protection against brute-force attacks (where the attacker
tries every possible password combination).

You might have even heard of some of the common hashing algorithms, such as MD5, SHA,
SHA-1, and SHA-2. Some are stronger than others, while some, such as MD5, are outright
vulnerable. For instance, if you head to the site MD5 Online, you'll note they have
1,154,870,291,783 words in their MD5 hash database. Go ahead, give it a try.

 Select MD5 Encrypt from the top menu.

  Type your password, hit Encrypt, and view the MD5 hash.
 Select the hash, press Ctrl + C to copy the hash, and select MD5 Decrypt from the top
menu.
 Select the box and press Ctrl + V to paste the hash.
 Complete the CAPTCHA, and press Decrypt.

As you see, a hashed password doesn't automatically mean it is secure (depending on the
password you chose, of course). But there are additional encryption functions that boost security.

7. Salt

When passwords are part of key creation, the encryption process requires additional security
steps. One of those steps is salting the passwords. At a basic level, a salt adds random data to a
one-way hash function. Let's examine what that means using an example.

There are two users with the exact same password: hunter2.

We run hunter2 through an SHA256 hash generator and receive

f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7.

Someone hacks the password database, and they check this hash; each account with the
corresponding hash is immediately vulnerable.

This time, we use an individual salt, adding a random data value to each user password:

 Salt example #1: hunter2 + sausage:

3436d420e833d662c480ff64fce63c7d27ddabfb1b6a423f2ea45caa169fb157
 Salt example #2: hunter2 + bacon:
728963c70b8a570e2501fa618c975509215bd0ff5cddaf405abf06234b20602c

Quickly compare the hashes for the same passwords with and without the (extremely basic) salt:

 Without salt: f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7

 Salt example
#1: 3436d420e833d662c480ff64fce63c7d27ddabfb1b6a423f2ea45caa169fb157
  Salt example
#2: 728963c70b8a570e2501fa618c975509215bd0ff5cddaf405abf06234b20602c

You see that the addition of the salt sufficiently randomizes the hash value that your password
remains (almost) completely safe during a breach. And better yet, the password still links to your
username, so there is no database confusion when you sign into the site or service.

8. Symmetric and Asymmetric Algorithms

In modern computing, there are two primary encryption algorithm types: symmetric and
asymmetric. They both encrypt data but function in a slightly different manner.

 Symmetric algorithm: Uses the same key for both encryption and decryption. Both
parties must agree on the algorithm key before commencing communication.
 Asymmetric algorithm: Uses two different keys: a public key and a private key. This
enables secure encryption while communicating without previously establishing a mutual
algorithm. This is also known as public-key cryptology (see the following section).

The overwhelming majority of online services we use in our daily lives implement some form of
public-key cryptology.

9. Public and Private Keys

Now we understand more about the function of keys in the encryption process, we can look at
public and private keys.

An asymmetric algorithm uses two keys: a public key and a private key. The public key can be
sent to other people, while the private key is only known by the owner. So what's the purpose of
this?

Well, anyone with the intended recipient's public key can encrypt a private message for them,
while the recipient can only read the contents of that message provided they have access to the
paired private key. Check out the below image for more clarity.

Public and private keys also play an essential role in digital signatures, whereby a sender can
sign their message with their private encryption key. Those with the public key can then verify
the message, safe in the knowledge that the original message came from the sender's private key.

A key pair is the mathematically linked public and private key generated by an encryption
algorithm.

10. End-to-End Encryption

One of the biggest encryption buzzwords is that of end-to-end encryption. Social messaging
platform service WhatsApp began offering its users end-to-end encryption (E2EE) in 2016,
making sure their messages are private at all times.

In the context of a messaging service, EE2E means that once you hit the send button, the
encryption remains in place until the recipient receives the messages. What is happening here?
Well, this means that the private key used for encoding and decoding your messages never leaves
your device, in turn ensuring that no one but you can send messages using your moniker.

WhatsApp isn't the first or even the only messaging service to offer end-to-end encryption.
However, it moved the idea of mobile message encryption further into the mainstream—much to
the ire of government agencies around the world.

11. Backdoor
Encryption is excellent and will keep your data and accounts secure—unless there is
a backdoor. So, what is an encryption backdoor?

An encryption backdoor is a way to bypass encryption, be that an authorized user or not. An

encryption backdoor could exist for a few reasons, such as faulty implementation of an
encryption algorithm or a purposeful vulnerability or error to give certain users, agencies, or
otherwise, access to an otherwise secure service.

No matter how secure the encryption is, someone can negate the security if someone inserts a
backdoor in the code. Encryption backdoors are a constant talking point for governments
worldwide, becoming an especially hot topic after any terrorist attack

12. Cryptography - study of encryption principles/methods

13. cryptanalysis (code breaking) - study of principles/ methods of deciphering cipher text
without knowing key
14. Cryptology - field of both cryptography and cryptanalysis
3.2.Historical Background
Cryptography dates back to ancient times, with early examples like the Caesar Cipher used by
Julius Caesar. Classical cryptography focused on ciphers like substitution and transposition
methods. Modern cryptography began in the 20th century with the development of computers,
introducing more complex algorithms, key management, and cryptanalysis techniques.

3.3.Cipher Techniques
Both Substitution cipher technique and Transposition cipher technique are the types of
Traditional cipher which are used to convert the plain text into cipher text.
3.3.1. SUBSTITUTION TECHNIQUES

where letters of plaintext are replaced by other letters or by numbers or symbols or if

plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit
patterns with cipher text bit patterns
Example: i) Caesar cipher
ii) Monoalphabetic Cipher
iii) Playfair Cipher
iv) Hill Cipher
v) Polyalphabetic Cipher
 Caesar Cipher
The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing three places
further down the alphabet. For example,

PLAIN: MEET ME AFTER THE TOGA PARTY

CIPHER: PHHW PH DIWHU WKH WRJD SDUWB

Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the
transformation by listing all possibilities, as follows:
plain: a b c d e f g h i j k l m n o p q r s t u v w x y z

cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter:

Then the algorithm can be expressed as follows. For each plaintext letter, substitute the
ciphertext letter C

A shift may be of any amount, so that the general Caesar algorithm is

where takes on a value in the range 1 to 25.The decryption algorithm is simply

3.3.2. TRANSPOSITION TECHNIQUES

All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext
symbol. A very different kind of mapping is achieved by performing some sort of permutation on
the plaintext letters. This technique is referred to as a transposition cipher.
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a
sequence of diagonals and then read off as a sequence of rows. For example, to encipher the
message ―meet me after the toga party‖ with a rail fence of depth 2, we write the following:

m e m a t r h t g p r y
e t e f e t e o a a t
The encrypted message is
 MEMATRHTGPRYETEFETEOAAT

3.4.Conventional encryption algorithms

Conventional encryption is a cryptographic system that uses the same key used by the sender
to encrypt the message and by the receiver to decrypt the message. It was the only type of
encryption in use prior to the development of public-key encryption.
It is still much preferred of the two types of encryption systems due to its simplicity. It is a
relatively fast process since it uses a single key for both encryption and decryption In this
encryption model, the sender encrypts plaintext using the receiver‘s secret key, which can be
later used by the receiver to decrypt the ciphertext. Below is a figure that illustrates this
concept.
3.5.Cryptanalysis

Cryptanalysis is the study of analyzing and breaking cryptographic algorithms and encrypted
data. Techniques include brute force attacks, frequency analysis, and linear cryptanalysis.
Cryptanalysis helps identify weaknesses in cryptographic systems.

3.6. Cryptographic Systems

A cryptosystem is an implementation of cryptographic techniques and their accompanying
infrastructure to provide information security services. A cryptosystem is also referred to as
a cipher system.
Let us discuss a simple model of a cryptosystem that provides confidentiality to the information
being transmitted. This basic model is depicted in the illustration below –
The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a
way that any party intercepting or eavesdropping on the communication channel cannot extract
the data.
The objective of this simple cryptosystem is that at the end of the process, only the sender and
the receiver will know the plaintext.
Types of Cryptosystems
Fundamentally, there are two types of cryptosystems based on the manner in which encryption-
decryption is carried out in the system −

 Symmetric Key Encryption

 Asymmetric Key Encryption
The main difference between these cryptosystems is the relationship between the encryption and
the decryption key. Logically, in any cryptosystem, both the keys are closely associated. It is
practically impossible to decrypt the ciphertext with the key that is unrelated to the encryption
key.
3.6.1 Symmetric Key Cryptography
Symmetric key cryptography uses the same key for both encryption and decryption.

3.6.1.1 DES (Data Encryption Standard)

DES is a symmetric key algorithm that uses a 56-bit key. It encrypts data in 64-bit blocks and
was widely used until weaknesses were found.

3.6.1.2 3DES (Triple DES)

3DES applies the DES algorithm three times to each data block to enhance security, using either
one, two, or three keys.

3.6.1.3 AES (Advanced Encryption Standard)

AES is a widely used symmetric algorithm that replaced DES, known for its speed and security.
AES operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits.

3.6.1.4 Block Cipher Modes

Block cipher modes enhance the security of block ciphers like AES and DES by applying
different techniques for each block. Common modes include:

 ECB (Electronic Codebook): Encrypts each block separately.

 CBC (Cipher Block Chaining): Uses the previous ciphertext block for encryption,
introducing dependency.
 CFB (Cipher Feedback) and OFB (Output Feedback): Converts block ciphers into
stream ciphers.
 GCM (Galois/Counter Mode): Provides both encryption and message integrity.
3.6.2 Public Key Cryptography
Public key cryptography, also known as asymmetric cryptography, uses a pair of keys: a public
key for encryption and a private key for decryption.

3.6.2.1 Diffie-Hellman
The Diffie-Hellman key exchange allows two parties to securely share a secret key over a public
channel, enabling encrypted communication.

3.6.2.2 RSA (Rivest-Shamir-Adleman)

RSA is a widely used public key encryption algorithm that enables secure data transmission by
using large prime numbers. RSA encryption relies on the difficulty of factoring large numbers.

3.6.3 Digital Signature

Digital signatures authenticate the origin and integrity of a message or document.

3.6.3.1 Using Public Key

Digital signatures generated with private keys can be verified by anyone with the corresponding
public key, ensuring message integrity and authenticity.

3.6.3.2 Using Message Digest

Message digests are hashed representations of data, ensuring data integrity by checking if the
hash changes.

3.6.3.2.1 MD4 Family

The MD4 family includes hash algorithms like MD4 and MD5, designed for producing fixed-
size hash values. However, MD5 is now considered insecure for sensitive applications.

3.6.3.2.2 SHA Family

The Secure Hash Algorithm (SHA) family includes SHA-1, SHA-2, and SHA-3, designed for
secure hashing with larger bit sizes (e.g., SHA-256).

3.6.3.2.3 RIPEMD
RIPEMD (RACE Integrity Primitives Evaluation Message Digest) is a hash function developed
as an alternative to MD5 and SHA, with improved security.

3.6.4 Public Key Infrastructure (PKI)

PKI manages and validates digital certificates, enabling secure data exchange over networks.

3.6.4.1.1 Trusted Third Party

A trusted third party, usually a Certificate Authority (CA), is responsible for issuing, renewing,
and revoking digital certificates.

3.6.4.1.2 Certification
Certification binds a public key to an entity using a digital certificate, signed by a CA.
3.6.4.1.3 Key Distribution
Key distribution ensures secure delivery of cryptographic keys to authorized users.

3.6.4.1.4 PKI Topology

PKI topology refers to the hierarchical or mesh structure of trust in the PKI, determining how
certificates are managed and distributed.

3.6.4.1.5 Enrollment and Revocation Procedures

Enrollment procedures involve requesting and obtaining a digital certificate, while revocation
procedures remove compromised or expired certificates.

Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance
is very high and it is being used extensively in many cryptosystems. It is very unlikely that this
encryption will fade away, as it has certain advantages over asymmetric key encryption.
The salient features of cryptosystem based on symmetric key encryption are −
 Persons using symmetric key encryption must share a common key prior to exchange of
information.
 Keys are recommended to be changed regularly to prevent any attack on the system.
 A robust mechanism needs to exist to exchange the key between the communicating
parties. As keys are required to be changed regularly, this mechanism becomes expensive
and cumbersome.
 In a group of n people, to enable two-party communication between any two persons, the
number of keys required for group is n × (n – 1)/2.
  Length of Key (number of bits) in this encryption is smaller and hence, process of
encryption-decryption is faster than asymmetric key encryption.
 Processing power of computer system required to run symmetric algorithm is less.

Challenge of Symmetric Key Cryptosystem

There are two restrictive challenges of employing symmetric key cryptography.
 Key establishment − Before any communication, both the sender and the receiver need
to agree on a secret symmetric key. It requires a secure key establishment mechanism in
place.
 Trust Issue − Since the sender and the receiver use the same symmetric key, there is an
implicit requirement that the sender and the receiver ‗trust‘ each other. For example, it
may happen that the receiver has lost the key to an attacker and the sender is not
informed.
These two challenges are highly restraining for modern day communication. Today, people need
to exchange information with non-familiar and non-trusted parties. For example, a
communication between online seller and customer. These limitations of symmetric key
encryption gave rise to asymmetric key encryption schemes.
Asymmetric Key Encryption
The encryption process where different keys are used for encrypting and decrypting the
information is known as Asymmetric Key Encryption. Though the keys are different, they are
mathematically related and hence, retrieving the plaintext by decrypting ciphertext is feasible.
The process is depicted in the following illustration –
Asymmetric Key Encryption was invented in the 20th century to come over the necessity of pre-
shared secret key between communicating persons. The salient features of this encryption
scheme are as follows −
 Every user in this system needs to have a pair of dissimilar keys, private key and public
key. These keys are mathematically related − when one key is used for encryption, the
other can decrypt the ciphertext back to the original plaintext.
 It requires to put the public key in public repository and the private key as a well-guarded
secret. Hence, this scheme of encryption is also called Public Key Encryption.
 Though public and private keys of the user are related, it is computationally not feasible
to find one from another. This is a strength of this scheme.
 When Host1 needs to send data to Host2, he obtains the public key of Host2 from
repository, encrypts the data, and transmits.
 Host2 uses his private key to extract the plaintext.
 Length of Keys (number of bits) in this encryption is large and hence, the process of
encryption-decryption is slower than symmetric key encryption.
 Processing power of computer system required to run asymmetric algorithm is higher.
Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are quite
difficult to comprehend.
You may think, how can the encryption key and the decryption key are ‘related’, and yet it is
impossible to determine the decryption key from the encryption key? The answer lies in the
mathematical concepts. It is possible to design a cryptosystem whose keys have this property.
The concept of public-key cryptography is relatively new. There are fewer public-key algorithms
known than symmetric algorithms.
Challenge of Public Key Cryptosystem
Public-key cryptosystems have one significant challenge − the user needs to trust that the public
key that he is using in communications with a person really is the public key of that person and
has not been spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting a trusted third
party. The third party securely manages and attests to the authenticity of public keys. When the
third party is requested to provide the public key for any communicating person X, they are
trusted to provide the correct public key.
The third party satisfies itself about user identity by the process of attestation, notarization, or
some other process − that X is the one and only, or globally unique, X. The most common
method of making the verified public keys available is to embed them in a certificate which is
digitally signed by the trusted third party.

Relation between Encryption Schemes

A summary of basic key properties of two types of cryptosystems is given below −

Symmetric Cryptosystems Public Key Cryptosystems

Relation between Keys Same Different, but mathematically related

Encryption Key Symmetric Public

Decryption Key Symmetric Private

Due to the advantages and disadvantage of both the systems, symmetric key and public-key
cryptosystems are often used together in the practical information security systems.