Information Security and

Cryptography
Courtesy:
Behrouz A Forouzan, Debdeep Mukhopadhyay
and William Stallings

CS302 Information Security and Cryptography

1
Dr. Balu L. Parne
CS302 Information Security and Cryptography
2
Dr. Balu L. Parne
CS302 Information Security and Cryptography
3
Dr. Balu L. Parne
Security Goals

Standalone
Earlier Days: Physical file storage Computer
Distributed or Network
CS302 Information Security and Cryptography
4
Dr. Balu L. Parne
 Taxonomy of Security Goals
Information needs to be changed constantly. Integrity means
that changes need to be done only by authorized entities and
through authorized mechanisms.
• In a bank, when a customer deposits or withdraws money,
the balance of his account needs to be changed
• Integrity violation is not necessarily the result of a
malicious act, an interruption to the system, such as power
surge, may also create unwanted changes in the system.
Confidentiality is probably the most common aspect of
information security. We need to protect our confidential The information created and stored by an organization needs
information. An organization needs to guard against those to be available to authorized entities. Information needs to be
malicious actions that endanger the confidentiality of its constantly changed, which means it must be accessible to
information. authorized entities.
• In military, concealment of sensitive information is the • Information is useless if it is not available.
major concern. • The unavailability of information is just as harmful for an
• In Industry, hiding some information from competitors is organization as the lack of confidentiality and integrity.
crucial to the operations of the organization. • Imagine in a bank, if a customer couldn’t access his
• In banking, customer information need to be kept account for transactions.
secret.

CS302 Information Security and Cryptography

5
Dr. Balu L. Parne
Cryptographic attacks:
• Two distinct types
• Cryptanalytic
• Non-cryptanalytic
• Cryptanalytic Attacks
• Combinations of statistical and algebraic techniques to find secret key of a
cipher.
• Inspects the mathematical properties of cryptographic algorithms – aim at
finding distinguishers of the output distribution of cryptographic algorithms
from uniform distributions.
• Efficient attacks will try to adopt a “D and C” approach to reduce the
complexity of guessing the key from Brute force search complexity.

CS302 Information Security and Cryptography

6
Dr. Balu L. Parne
• Non-cryptanalytic attacks
• Do not exploit the mathematical weakness of the cryptographic
algorithm.
• However our goals can be very much threatened by this class of
attacks.
Security Attacks

Passive Active

CS302 Information Security and Cryptography

7
Dr. Balu L. Parne
 Attacks Threatening Confidentiality

• For example, a file transferred through the internet

may contain confidential information.
• An unauthorized entity may intercept the
transmission and use the contents for her own
benefit.
• To prevent snooping, the data can be made non-
intelligible to the intercepter by using
encipherment techniques.

CS302 Information Security and Cryptography

8
Dr. Balu L. Parne
• Though, encipherment may make the data non-
intelligible, but interceptor can obtain different kind of
information.
• Ex: Interceptor can find the email address of the sender
or the receiver, then collect pairs of requests and
responses to help her guess the nature of transaction.

CS302 Information Security and Cryptography

9
Dr. Balu L. Parne
Attacks Threatening Integrity

• Ex: A customer sends a message to a bank to do

some transaction. The attacker intercepts the
message and changes the type of transaction to
benefit him self.
• The attacker simply deletes or delays the message
to harm the system or to benefit from it.

CS302 Information Security and Cryptography

10
Dr. Balu L. Parne
• Ex: An attacker might steal the bank card and PIN of
a bank customer and pretend that he is the
customer.
• Some times the attacker pretends to be as receiver
entity. For ex., a user tries to contact the bank, but
another site pretends that it is the bank and obtains
some information from the user.

CS302 Information Security and Cryptography

11
Dr. Balu L. Parne
• For ex., a person sends a request to the bank to ask
for a payment to the attacker, who has done a job
for him.
• The attacker intercepts the message and sends it
again to receive another payment from the bank.

CS302 Information Security and Cryptography

12
Dr. Balu L. Parne
CS302 Information Security and Cryptography
13
Dr. Balu L. Parne
Attacks Threatening Availability

CS302 Information Security and Cryptography

14
Dr. Balu L. Parne
Passive Versus Active Attacks
• are in the nature of • involve some modification of the
eavesdropping on, or monitoring data stream or the creation of a
of, transmissions. false stream.
• goal of the opponent is to obtain • it is quite difficult to prevent
information that is being active attacks absolutely,
transmitted. because of the wide variety of
• are very difficult to detect potential physical, software, and
because they do not involve any network vulnerabilities.
alteration of the data. • Thus, the emphasis is to detect
• However, it is feasible to prevent active attacks and to recover
the success of these attacks, from any disruption or delays
usually by means of encryption. caused by them.
• Thus, the emphasis in dealing • If the detection has a deterrent
with passive attacks is on effect, it may also contribute to
prevention rather than detection prevention.

CS302 Information Security and Cryptography

15
Dr. Balu L. Parne
Passive Versus Active Attacks

CS302 Information Security and Cryptography

16
Dr. Balu L. Parne
• Define the type of security attack in each of the following
cases:
• A student breaks into a professor’s office to obtain a copy of the next
day’s test.
• A student gives a check for $10 to buy a book. Later she finds the
check was cashed for $100.
• A student sends hundreds of e-mails per day to another student using
a phony return e-mail address.

CS302 Information Security and Cryptography

17
Dr. Balu L. Parne
SERVICES AND MECHANISMS
• The international Telecommunication Union- Telecommunication
Standarization Sector (ITU-T) provides some security services and
some mechanisms to implement those services.
• Security services and mechanisms are closely related because a
mechanism or combination of mechanisms are used to provide a
service.
• A mechanism can also be used in more than one service.

CS302 Information Security and Cryptography

18
Dr. Balu L. Parne
• Data confidentiality
• Is designed to protect data from disclosure attack.
• Defined by X.800, encompasses confidentiality of the whole message
or part of a message, protect against traffic analysis.
• Data Integrity
• Is designed to protect data from modification, insertion, deletion,
and replaying by an adversary.
• Authentication
• Provides authentication of the party at the other end of the line.
• Connection oriented – authentication done prior establishment of
connection
• Connection less – authenticates source of data.(data origin
authentication)

CS302 Information Security and Cryptography

19
Dr. Balu L. Parne
• Nonrepudiation
• Protects against repudiation by either the sender or receiver of the
data.- maintain proof of origin and proof of delivery.
• Access control
• Provides protection against unauthorized access to data;
• Access means, reading, writing, modifying, executing programs,….

CS302 Information Security and Cryptography

20
Dr. Balu L. Parne
Security Mechanisms Encipherment, hiding or covering data, can provide
confidentiality. It is also used as part of other mechanism
to provide other services. – cryptography and
steganography.
Data integrity – includes calculation of checksum value –
at both sender or receiver - comparison
Digital Signature – the sender can electronically sign the
data and the receiver can electronically verify the
signature. – Using PKC.
Authentication Exchange – two entities exchange some
messages to prove their identity to each other – such as
secret info known only to them.
Traffic padding - inserting some bogus data into the data
traffic to stop the attempt to perform traffic analysis
Routing control – selecting and continuously changing
different available routes – Tx & Rx – to prevent
eavesdropping on a particular route.
Access control – to prove that a user has Notarization – selecting a trusted third party to control
access right to the data or resources owned the communication between two entities – prevent
by a system – passwords or PIN repudiation.
CS302 Information Security and Cryptography
21
Dr. Balu L. Parne
Relation between Services and Mechanisms

CS302 Information Security and Cryptography

22
Dr. Balu L. Parne
• Which security mechanism(s) are provided in each of the following
cases?
• A school demands student identification and a password to let students log
into the school server.
• A school server disconnects a student if she is logged into the system for
more than two hours.
• A professor refuses to send students their grades by email unless they
provide student identification they were preassigned by the professor.
• A bank requires the customer’s signature for a withdrawal.
• A corporate network restricts access to certain resources based on the user's
job role.
• An online store encrypts customers' credit card details during transactions
• A company implements a policy where employees must change their
passwords every 90 days.

CS302 Information Security and Cryptography

23
Dr. Balu L. Parne
Techniques for implementing Security Goals
• Mechanisms discussed in the previous sections are only
theoretical recipes to implement security.
• The actual implementation of security goals needs some
techniques.
• Two techniques are prevalent today:
• cryptography and
• steganography.

CS302 Information Security and Cryptography

24
Dr. Balu L. Parne
Cryptography
◼ Cryptography, a word with Greek origins, means “secret writing.”
◼ However, we use the term to refer to the science and art of
transforming messages to make them secure and immune to attacks.

CS302 Information Security and Cryptography

25
Dr. Balu L. Parne
Cryptography – secret writing
➢ Symmetric-Key (Secret-Key) Encipherment
➢ Uses a single secret key for both Encryption and Decryption.

➢ Asymmetric Key (Public-Key) Encipherment

➢ Uses two keys: a Public Key and a Private Key
➢ Public Key is used for Encryption and Private Key is used for Decryption.

➢ Hashing
➢ A fixed-length message digest is created out of a variable-length message.

CS302 Information Security and Cryptography

26
Dr. Balu L. Parne
Steganography – Covered writing
➢ Historical Use
➢ In China, war messages were written on thin pieces of silk and rolled into a
ball and swallowed by the messenger.
➢ In Rome and Greece, messages were carved on pieces of wood, and dipped
into wax to cover the writing.
➢ Invisible inks (lemon juice, onion juice or ammonia salts) were used to write

secret messages between the lines of the covering message or on the back of
the paper; the secret message was exposed when heated or treated with another
substance.

CS302 Information Security and Cryptography

27
Dr. Balu L. Parne
◼ Modern Use
Any form of data (text, image, audio, or video) can be digitized and it is
possible to insert binary information in to the data during digitization
process.
◼ Text Cover

◼ Image Cover

◼ Other Covers

• Such hidden information is not necessarily used for secrecy; it can also be
used to protect copyright, prevent tampering, or add extra information.

CS302 Information Security and Cryptography

28
Dr. Balu L. Parne
◼ Text Cover

CS302 Information Security and Cryptography

29
Dr. Balu L. Parne
◼ Text Cover (using Dictionary)
◼ Let us consider a dictionary containing 2 articles, 8 verbs, 32 nouns and 4
prepositions.
◼ We agree to use the cover (secret) text that always use sentences with the
pattern article-noun-verb-article-noun.
◼ The secret binary data can be divided into 16-bit chunks.
◼ The first bit can be represented by an article (0-a/an, 1-the), next 5 bits by a
noun, next 4 bits by a verb, next bit by second article and last 5 bits by
another noun.

CS302 Information Security and Cryptography

30
Dr. Balu L. Parne
➢ Image Cover
➢ Secret data can also be covered under a colour image.
➢ Digital images are made of pixels where each pixel uses 24 bits (R,G,B-8bits
each).
➢ A binary data can be hidden by changing or keeping the LSB (least
significant bit) of pixel values.

CS302 Information Security and Cryptography

31
Dr. Balu L. Parne
➢ Other Covers
➢ Secret messages are covered under
➢ Audio (sound and music)

➢ Video

➢ Both audio and video can be compressed.

➢ The secret data can be embedded during or before the compression.

➢ Applications: Piracy control, Copyright, etc.

CS302 Information Security and Cryptography

32
Dr. Balu L. Parne
References
• Chapter 1 - Behrouz A Forouzan, Debdeep Mukhopadhyay,
Cryptography and Network Security, Mc Graw Hill, 3rd Edition, 2015
• Chapter 1 - William Stallings, Cryptography and Network Security
Principles and Practices, 7th Edition, Pearson Education, 2017.

CS302 Information Security and Cryptography

33
Dr. Balu L. Parne