CHAPTER#1:

Introduction to Cryptography
Chapter5- Sections & Objectives

security goals

To define three security goals

security attacks

To define security attacks that threaten security goals

security services

To define security services and how they are related to the three
security goals

cryptography and steganography

To introduce two techniques, cryptography and steganography, to

implement security mechanisms.
Security Goals
 Security Goals

 The C.I.A. triangle has been considered the industry standard for computer security since the

development of the mainframe. It was solely based on three characteristics that described the utility

of information:
 Confidentiality.

 Integrity.

 Availability.

 The C.I.A. triangle has expanded into a list of critical characteristics of information.
 Security Goals

The Principle of Confidentiality Authorized Access Only

 Confidentiality: Preserving authorized restrictions on information access and

disclosure, including means for protecting personal privacy and proprietary information.

• A loss of confidentiality is the unauthorized disclosure of information.

• Confidentiality: This term covers two related concepts:

— Data confidentiality : 1 Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

—Privacy : Assures that individual's control or influence what information related to them may be collected and stored and by whom and

to whom that information may be disclosed.

 Security Goals

The Principle of Confidentiality

Confidentiality prevents the disclosure of information to unauthorized people, resources and processes. Another term for
confidentiality is privacy.

Organizations need to train employees about best practices in safeguarding sensitive information to protect themselves and
the organization from attacks.

Methods used to ensure confidentiality include data encryption, authentication, and access control.
 Security Goals

The Principle of integrity

 Integrity: Guarding against improper information modification or destruction,
including ensuring information non-repudiation and authenticity. A loss of integrity is
the unauthorized modification or destruction of information.

o Integrity is the accuracy, consistency, and trustworthiness of data during its entire life cycle.
o Another term for integrity is quality .

o Methods used to ensure data integrity include hashing, data validation checks, data consistency checks,
and access controls.
 Security Goals

The Principle of integrity

 Integrity: This term covers two related concepts:

o Data integrity : Assures that information and programs are changed only in a specified and authorized
manner.

o System integrity : Assures that a system performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system.
 Security Goals

The Principle of Availability

 Availability: Ensuring timely and reliable access to and use of information.

 A loss of availability is the disruption of access to or use of information or
an
information system.
o • Availability: Assures that systems work promptly, and service is not denied to
authorized users.

o Methods used to ensure availability include system redundancy, system backups, increased system
resiliency (flexibility), equipment maintenance, up-to-date operating systems and software,
and
plans in place to recover quickly from unforeseen disasters.
 Security Goals

The Principle of Availability

 High availability systems typically include three design principles:

Eliminate single points of failure

Provide for reliable crossover

Detect failures as they occur.

Security Services
Security Services
Security Attacks
Security Attacks
 Security Attacks

Snooping refers to unauthorized access to or interception of

data.

Traffic analysis refers to obtaining some other

type of information by monitoring online traffic.
 Security Attacks

Modification means that the attacker intercepts the message and

changes it.
Masquerading or spoofing happens when the
attacker impersonates somebody else.

Replaying means the attacker obtains a copy of a message

sent by a user and later tries to replay it.
Repudiation means that sender of the message might later
deny that she has sent the message; the receiver of the
message might later deny that he has received the message.
 Security Attacks

Denial of service (DoS) is a very common attack. It may slow

down or totally interrupt the service of a system.
Security Attacks
Security Mechanism
Security Mechanism
Security Mechanism
Cryptography
 What Is Cryptography?

 Cryptography -- from the Greek for "secret writing" -- is the mathematical "scrambling" of data so that only
someone with the necessary key can "unscramble" it.

 Cryptology is the science of making and breaking secret codes. Cryptography is a way to store and transmit data
so only the intended recipient can read or process it.

 Cryptography allows secure transmission of private information over insecure channels

(for example packet-switched networks).

 Cryptography also allows secure storage of sensitive data on any computer.

 What Is Cryptography?

 It refers to the science of transforming information into a secure form while it is being transmitted or stored so
that unauthorized users cannot access it

 Cryptography allows secure transmission of private information over insecure channels (for example packet-
switched networks).

 Cryptography allows secure transmission of private information over insecure channels

(for example packet-switched networks).

 Cryptography also allows secure storage of sensitive data on any computer.

 What Is Cryptography?

Secure communication
 What Is Cryptography?

Secure storage
Cryptography Components
Cryptography Components

• The original message

Plaintext (P) • Original unencrypted information.

• The coded message

Ciphertext (C)
• The information after being encrypted by an encryption algorithm.

Enciphering or • Process of converting from plaintext to ciphertext

encryption (E)

Deciphering or • Restoring the plaintext from the ciphertext

decryption (D) • Reverse process of encryption
 Cryptography Components

• Science of Studying encryption and decryption.

Cryptography

• Techniques used for deciphering a message without any knowledge of the

Cryptanalysis
enciphering details (codebreaking)

Cryptology • Areas of cryptography and cryptanalysis together

Cryptographic system • Algorithm/scheme used for encryption

or • Encryption or decryption algorithm tool used to create encrypted or decrypted a text.
cipher
 Services Provided by Cryptography

Goal Description

Confidentiality Keeping information secret and allow only authorized parties to access it .

Authentication Verifying an entity’s identity (e.g: user, computer) .

Integrity Ensuring that information is correct and has not been altered by unauthorized person or
a malicious software .

Non-repudiation Proving that a user performed an action and preventing him/her from denying the
performed action (e.g: sender/receiver sent/received a message) .
Basic Cryptographic Scheme

Encryption algorithm often relay on a mechanism known as a key, such that the relationship between
plaintext and ciphertext depends upon the algorithm and the key.
 Cryptographic system characteristics

We Can characterize cryptographic system by:

type of encryption way in which plaintext is

number of keys used
operations used processed

• substitution • single-key or private • block

• transposition • two-key or public • stream
• product • Keyless
 Cryptographic system characteristics

Cryptographic systems can be characterized along these three independent dimensions.

The type of operations used for transforming plaintext to ciphertext.
All encryption algorithms are based on two general principles: substitution, in which each
element in the plaintext (bit, letter, group of bits or letters) is mapped into another element,
and transposition, in which elements in the plaintext are rearranged. The fundamental
requirement is that no information be lost (that is, that all operations are reversible). Most
systems, referred to as product systems, involve multiple stages of substitutions and
transpositions.
The number of keys used.
If both sender and receiver use the same key, the system is referred to as symmetric, single-key,
secret-key, or conventional encryption. If the sender and receiver use different keys, the system is
referred to as asymmetric, two-key, or public-key encryption. Also sender and receiver may use
encoding algorithm without any key .
Categories of Cryptography

Ciphers

Keyed Keyless

Asymmetric Symmetric

Classical Stream

Transposition

Substitution
 Cryptanalysis

 Techniques used for deciphering a message without any knowledge of the enciphering details

Goals of cryptanalysis :

Break a single message.

Deduce the key(or equivalent) so that future messages can be easily broken.

Find vulnerabilities in the encryption algorithm.

 Cryptanalysis

 Objective

 to recover key not just message

 General approaches:

• cryptanalytic attack

• brute-force attack
Cryptanalytic Attacks

ciphertext only : only know algorithm & ciphertext, is statistical, know or can identify plaintext

known plaintext: know/suspect plaintext & ciphertext

chosen plaintext: select plaintext and obtain ciphertext

chosen ciphertext: select ciphertext and obtain plaintext

 Brute Force Search

• Always possible to simply try every key

• Most basic attack, proportional to key size
• Assume either know / recognise plaintext
Brute Force Search
Categories of Cryptography
 Symmetric-Key Cryptography

* In symmetric-key cryptography, the same key is

used by the sender (for encryption)

and the receiver (for decryption).

* The key is shared ( PRE-SHARED ) ( SECULRE _DISTRIBUTED )

Simplified Model of Symmetric-Key Cryptography
Model of Symmetric Cryptosystem
 Classical Cryptography

Classical cryptography algorithms can be divided into two main categories:

substitution and transposition.

Substitution Cipher is one in which the classical transposition or permutation

letters of plaintext are replaced by other ciphers
letters, numbers or symbols. these hide the message by rearranging
Examples for this type of cipher are the letter order without altering the actual
monoalphabetic (e.g. Caesar) and letters used can recognize these since
Polyalphabetic. have the same frequency distribution as
the original text
Substitution Technique

Is one in which the letters of plaintext are replaced by other letters or by numbers or symbols

If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext

bit patterns with ciphertext bit patterns

Substitution cipher can be divided into

 Monoalphabetic Ciphers: one by one
 Polyalphabatic Ciphers : one by more than one
Monoalphabetic Cipher

Is a substitution cipher in which each plaintext letter is replaced by one and only one

ciphertext character.

Monoalphabetic Ciphers :
 Caesar Cipher.
 Playfair Cipher.
 Hill Cipher.
Modern Symmetric-key Ciphers

• Symmetric-key:
•A shared secret key is used for both encryption and decryption.

• Block Ciphers:
• Each block of data is encrypted at once
• Examples: DES, AES
• Stream Ciphers:
• Small unit of data (bit, byte, character) is encrypted individually.
• Examples: RC4, A5/1
 Data Encryption Standard (DES)

• DES: was published by NIST in 1975

• Block size: 64 bits
• Key size: 56 bits
• Phase-out: NIST adopted 3DES in 1999
• Triple DES encrypts data three times and uses a different key for at least one
of the three passes, giving it a cumulative key size of 112-168 bits.
• Encryption and decryption with DES:
 Advanced Encryption Standard (AES)

• AES: adopted by NIST in 2001 to replace 3DES.

• Block size: 128 bits
• Key sizes: 128/192/256 bits
• AES Security:
• More secure than DES and 3DES due to larger blocks and keys.
• Most of the known attacks on DES were already tested on AES.
• AES Implementation:
o Can be implemented in software, hardware, and firmware.
o Implementation can use table lookup process or routines.
• Simplicity and Cost:
o AES is design to run efficiently on an 8-bit processor.
 The International Data Encryption Algorithm (IDEA)

• uses 64-bit blocks and 128-bit keys.

• IDEA performs eight rounds of transformations on each of the 16 blocks that
results from dividing each 64-bit block.
• IDEA was the replacement for DES, and now PGP (Pretty Good Privacy) uses
it.
 Asymmetric-Key Cryptography

• Asymmetric encryption, also called public-key encryption, uses one key for encryption
that is different from the key used for decryption. A criminal cannot calculate the
decryption key based on knowledge of the encryption key, and vice versa, in any
reasonable amount of time.

• Uses two separate keys:

1. Public: for encryption (receiver’s public key)
2. Private: for decryption (receiver’s private key).
Asymmetric-Key Cryptography
 Asymmetric-Key Cryptography

The asymmetric algorithms include:

RSA (Rivest_Shamir-Adleman) ElGamal

 uses the product of two very large prime  uses the U.S. government standard for digital
numbers with an equal length of between 100 signatures. This algorithm is free to use
and 200 digits. Browsers use RSA to establish because no one holds the patent.
a secure connection.
 Asymmetric-Key Cryptography

The asymmetric algorithms include:

Diffie-Hellman Elliptic Curve Cryptography (ECC)

 provides an electronic exchange method to  uses elliptic curves as part of the algorithm.
share the secret key. Secure protocols, In the U.S., the National Security Agency
such as Secure Sockets Layer (SSL), uses E C C for digital signature generation
Transport Layer Security (TLS), Secure and key exchange.
Shell (SSH), and Internet Protocol Security
(IPsec), use Diffie- Hellman.
 Asymmetric-Key Cryptography

Basis Symmetric Key Encryption Asymmetric Key Encryption

Only one symmetric key is used for the Two different public and private keys are used for
Usage of Keys
encryption and decryption. encryption and decryption.

Based on the security requirement, the key size This encryption technique uses large-sized keys. The
Length of Keys
can range between 128 to 256 bits. recommended key size for RSA is 2048 bits or higher.

As the process requires only a single key for both

Due to complex mathematical processing, this technique
Speed of Execution its operation, it is much faster than asymmetric
usually takes more execution time.
encryption.
It is mostly used for smaller transactions. Basically, it is first
It is mostly used to transmit or transfer large
Purpose used to establish a secure connection and then transfer files
chunks of data.
over it.

It is less secure than asymmetric encryption as It is safer than symmetric key encryption as there is no need
Security
the secret key is shared in it. for key distribution.

The algorithms used in symmetric encryption are The algorithms used in asymmetric encryption are RSA,
Algorithms
AES, DES, 3DES, and IDEA, TLS/SSL. DSA, E C C , Diffie-Hellman, and TLS/SSL
Steganography
 Steganography

Steganography conceals data (the message) in another file such as a graphic, audio, or other text file.

The advantage of steganography over cryptography is that the secret message does not attract any
special attention. No one would ever know that a picture contained a secret message by viewing the
file either electronically or in hardcopy.
 Steganography

There are several components involved in hiding data:

 The embedded data, which is the secret message.

 Cover-text (or cover-image or cover-audio) hides the

embedded data producing the stego-text (or stego-

image or stego-audio).

 A stego-key controls the hiding process.

 Data Obfuscation

o Data obfuscation - is the use and practice of data masking and steganography techniques in the
cybersecurity and cyber intelligence profession:
o Obfuscation is the art of making the message confusing, ambiguous, or harder to understand.
o A system may purposely scramble messages to prevent unauthorized access to sensitive
information.
o Software watermarking protects software from unauthorized access or modification.
o Software watermarking inserts a secret message into the program as proof of ownership.
o The secret message is the software watermark. If someone tries to remove the watermark, the result is
nonfunctional code.
End O F Chapter