Cryptography and System

Security
module*1

Prof .Uma Ade

module*1 – Introduction

The art of war teaches us to rely not on the

likelihood of the enemy's not coming, but
on our own readiness to receive him; not
on the chance of his not attacking, but
rather on the fact that we have made our
position unassailable.
—The Art of War, Sun Tzu

Prof. Uma Ade

Background
• Information Security requirements have changed
in recent times
• traditionally provided by physical and
administrative mechanisms
• computer user requires automated tools to
protect files and other stored information
• use of networks and communications links
requires measures to protect data during
transmission

Prof. Uma Ade

Whole syllabus divided into two parts
1. Cryptographic algorithm and protocols
2. Network and Internet security
 1.Cryptographic algorithm and protocols is grouped

in 4 main area
 Symmetric Encryption :Only one key eg. Caeser’s

cipher
 Asymmetric Encryption: Two cryptographic keys

eg. Diffie*Hellman, RSA algorithm

Prof. Uma Ade

  Data integrity algorithm : used to protect block of
data eg.msg
 Authentication protocol:design to authenticate the
identity entities.

 2.Network and Internet Security:

◦ It consist of measures to deter, prevent,
detect,correct the security violations which involves
in information transmission.

Prof. Uma Ade

Definitions
• Computer Security – to preserving the integrity,
availability and confidentiality of information system
resources (includes hardware, software, firmware,
information/data, and telecommunications).
Or
generic name for the collection of tools designed to
protect data and to thwart hackers.

Prof. Uma Ade

• Network Security * measures to protect data during
their transmission

• Internet Security * measures to protect data during

their transmission over a collection of interconnected
networks

Prof. Uma Ade

Aim of Course
• our focus is on Internet Security
• which consists of measures to deter, prevent,
detect, and correct security violations that
involve the transmission & storage of
information

Prof. Uma Ade

What is Computer Security?
• for some it is controlling access to hardware, software and
data of a computerized system.
• A large measure of it is simply keeping the computer systems
information secure.
• In broader terms, it can be thought of as the protection of the
computer and its resources against accidental or intentional
disclosure of confidential data, unlawful modification of data
or programs, the destruction of data, software or hardware.
• It is also includes the denial of use of one’s computer facilities
for criminal activities including computer related fraud and
blackmail.
• Finally, it involves the elimination of weaknesses or
vulnerabilities that might be exploited to cause loss or harm.
Prof. Uma Ade
The Need for Computer Security
 Why the need for Computer Security? –
To value the computer assets and services
 What is the new IT environment? –
Networks and distributed applications/services
 Electronic Commerce (E*commerce, E*business)

Prof. Uma Ade

Security Goals

Prof. Uma Ade

Key Security Concepts

Prof. Uma Ade

Assets in Relation to the
CIA Triad

Prof. Uma Ade

The heart of
Security Goals the computer
security are
• Integrity
• Availability
• Confidentiality

Prof. Uma Ade

1. Integrity:
1. Data Integrity :Assures that information and data
are changed only in Specified and authorized
manner.
2. System Integrity: Assures that system should
perform its intended function in an unimpaired
manner.

Prof. Uma Ade

2. Availability: Assures
that system should
work promptly and service is not denied to
authorized user.
 3.Confidentiality:
 Data Confidentiality: It Assures private and
confidential information is not made available or
disclosed to unauthorized.
 Privacy: Assures that individuals control or
influence what information related to them maybe
collected or stored and by whom and to whom that
information is disclosed.

Prof. Uma Ade

OSI Security Architecture International tlecommunica

• ITU*T X.800 recommends “Security Architecture for

OSI” Open system interconnection(OSI)
• OSI defines a systematic way of defining and
providing security requirements(attacks, services,
mechanism)
• OSI Security Architecture focusses on the attacks,
services, mechanism
• for us it provides a useful, if abstract, overview of
concepts we will study

Prof. Uma Ade

Aspects of Security
• consider 3 aspects of information security:
– security attack
– security mechanism
– security service
• note terms
– threat – a potential for violation of security
– vulnerability –(weakness) a way by which loss can
happen
– attack – an assault on system security, a deliberate
attempt to evade security services

Prof. Uma Ade

• Security Attack: Any action that compromises the
security of information.
• Security Mechanism: A mechanism(process) that is
designed to detect, prevent, or recover from a security
attack.
• Security Service: A communication service that
enhances the security of data processing systems and
information transfers of an organization. A security
service makes use of one or more security
mechanisms.

Prof. Uma Ade

Security Threats
• Interruption: An asset of the system
become lost,unavailable,unusable.
– This is an attack on availability
– Eg. destuction of h/w, DOS, Cutting
communication line
• Interception: An unauthorized person gain
access to asset of the system
– This is an attack on confidentiality
– Stealing data, evesdroping,wiretaping
• modification: An unauthorized person not
only gain access to asset but modify it.
– This is an attack on integrity.
Prof. Uma Ade
• Fabrication: An unauthorized person insert
the counterfeit object into the system
– This is an attack on authenticity
– Eg. Insertion of spurious msg in N/W or addition
of record to a file.

Prof. Uma Ade

Security Attacks/Threats

Prof. Uma Ade

Security Attack
 any action that compromises the security of
information owned by an organization
 information security is about how to prevent attacks,

or failing that, to detect attacks on information*based

systems
 often threat & attack used to mean same thing
 have a wide range of attacks
 can focus of generic types of attacks

◦ passive
◦ active
Prof. Uma Ade
Categorization of passive and active attacks

Prof. Uma Ade

 Passive attack: attempts to learn or make use of
information from the system but does not affect system
resources. Eavesdropping on or monitoring of
transmission.
1. Release of message contents
2. Traffic analysis
 These attacks are difficult to detect.
 Why?

Prof. Uma Ade

 Attacks Threatening Confidentiality

Snooping refers to unauthorized access to or interception of

data.

Traffic analysis refers to obtaining some other type of

information by monitoring online traffic.

Prof. Uma Ade

Passive Attack:Release of Message
Contents
Hi, I am Bob

Hi, I am Bob
Hi, I am Bob

Prof. Uma Ade

Passive Attack: Traffic Analysis

Observe traffic pattern

Prof. Uma Ade

Passive Attack:Traffic Analysis

Meet me at Meet me
Cinemax at
Cinemax

Phhw ph dw
flqhpda

Prof. Uma Ade

Active attack
• Active attacks involve some modification of the data
stream or the creation of a false stream and can be
subdivided into four categories:
• Masquerade(Spoofing),
• Replay,
• Moodification of messages,
• Repudiation
• and denial of service(DOS)

Prof. Uma Ade

 Attacks Threatening Integrity
Masquerading or spoofing happens when the attacker
impersonates somebody else.
modification means that the attacker intercepts the message
and changes it.

Replaying means the attacker obtains a copy

of a message sent by a user and later tries to replay it.

Repudiation means that sender of the message might later

deny that she has sent the message; the receiver of the
message might later deny that he has received the message.
Denial of service (DoS) is a very common attack. It may
slow down or totally interrupt the service of a system.
Prof. Uma Ade
 Masquerade/Spoofing
A masquerade is a type of attack where the attacker act as an
authorized user system in order to gain access to it or to gain greater
privileges than they are authorized for.

Prof. Uma Ade

 Masquerade/Spoofing
Eg
1. an attacker might steal the bank card and PIN of bank customer and
pretend that he/she is that customer

2. Sometimes the attacker pretends instead to be the receiver entity.

i.e.A user tries to contact a nbank but another site pretends that
bank it is bank and obtains some information fro the user.

Prof. Uma Ade

 modification
In which some portion of message is altered or that message are
delayed or reordered to produce an unauthorized affect.
Transfer
Rs.10,000
to Darth.
Transfer Rs.1,000
to Darth. Transfer Rs.10,000
to Darth

Prof. Uma Ade

 Replay
It involves passive capture of data unit and its
subsequent retransmission to produce an unauthorized
effect.
Transfer Rs.1000
Transfer Rs.1000 to Darth.
to Alice.

Mr. Gopal Sakarkar

Prof. Uma Ade
Repudiation
• This types of attacks are different from others.
• why?
– this is performed by the one of the parities in the communication
– 1.sender deny
– 2.receiver deny
• eg
– 1.A bank customer asking his bank to transfer money to third
party but later denying that he has made such request.
– 2.Person buys product from manufactures and pays for it
elecctronicaly but the manufacturer later denies having received
payment.

Prof. Uma Ade

 Denial of service
It have a specific target (Server), in which prevents or
inhabits the normal use or management of communication
facilities.
Security Service
– Enhance security of data processing systems and
information transfers of an organization
– Intended to counter security attacks
– Using one or more security mechanisms
– Often replicates functions normally associated
with physical documents
• i.e.
– have signatures, dates;
– need protection from disclosure, tampering, or
destruction;
– be notarized or witnessed; be recorded or licensed

Prof. Uma Ade

Security Services
• X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

• RFC 2828:
“a processing or communication service provided by
a system to give a specific kind of protection to
system resources”

Prof. Uma Ade

Security Services

Prof. Uma Ade

Security Services (X.800)
 Data Confidentiality –protection of data from
unauthorized disclosure.

 Data Integrity -assurance that data received is as

sent by an authorized entity(i.e. Contain no
modification, insertion, deletion, replay)

Prof. Uma Ade

 Authentication -assurance that the communicating
entity is the one claimed.
 ie. receipient should be able to identify the sender.
1. Peer entity: Provides confidence in the identity of
the entities connected.used in association with
logical connection.
2. Data origin: Provides assurance that the source of
received data is as claimed(inconnectionless
transfer).

Prof. Uma Ade

 Non-Repudiation - protection against denial by one
of the parties in a communication(either sender or
receiver).
1. Non-Repudiation Origin(Proof of Origin):
Proof that the msg was sent by the specified party.
2. Non-Repudiation Destination(Proof of
Delivery): Proof that the msg was received by the
specified party.

Prof. Uma Ade

• Access Control * prevention of the
unauthorized use of a resource.
– i.e.this service controls who can have access to a
resource, under what conditions access can occur,
and what those accessing the resource are allowed
to do.

Prof. Uma Ade

Security Mechanism
• feature designed to detect, prevent, or
recover from a security attack
• no single mechanism that will support all
services required
• however one particular element underlies
many of the security mechanisms in use:
– cryptographic techniques
• hence our focus on this topic

Prof. Uma Ade

Security Mechanism

Prof. Uma Ade

• Encipherment: Converting data into form that is not
readable. It is achieved by applying mathematical
calculations or algorithms which reconstruct
information into not readable form.
• Digital signatures: To check authenticity and integrity
of data.
– This security mechanism is achieved by adding digital data
that is not visible to eyes. It is form of electronic signature
which is added by sender which is checked by receiver
electronically.
– This mechanism is used to preserve data which is not more
confidential but sender’s identity is to be notified.

• Prof. Uma Ade

• Access controls: Enforcing access rights to
resources.
– This mechanism is used to stop unattended access
to data which you are sending.
– It can be achieved by various techniques such as
applying passwords, using firewall, or just by
adding PIN to data.
• Data integrity:This security mechanism is used by
appending value to data to which is created by data
itself.

Prof. Uma Ade

• Authentication exchange:This security
mechanism deals with identity to be known in
communication.
– This is achieved at the TCP/IP layer where
two*way handshaking mechanism is used to
ensure data is sent or not.
• Traffic padding: Insertion of bits to frustrate
traffic analysis.
• Routing control: Selection of secure routes
• Notarization: Use of trusted third party for
data exchange
Prof. Uma Ade
model for Network Security

Prof. Uma Ade

model for Network Security
• Using this model requires us to:
1. design a suitable algorithm for the security
transformation.
2. generate the secret information (keys) used by
the algorithm.
3. develop methods to distribute and share the
secret information.
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service.

Prof. Uma Ade

model for Network Access Security

Prof. Uma Ade

model for Network Access Security
• Using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
• trusted computer systems may be useful to help
implement this model

Prof. Uma Ade

modular Arithmetic

• A simple way of doing arithmetic in a finite

set of integers.
• All modern crypto algorithma are based on
modular arithmetic.
• Holds commutative, associative,
distributive laws
• Identities and additive inverse.

Prof. Uma Ade

Modular Arithmetic

1. Congruence property:
2. modular Operation on Negative numbers:
3. modular Addition:
4. modular Subtraction:
5. modular Multiplication:
6. modular Inverse:
7. Prime Number

Prof. Uma Ade

Modular Arithmetic

8. Co*Prime Number/coprime/relatively
prime/mutually prime:
9. Euclid's algo (Euclidean algorithm)
(GCD(Greatest common Divisor):
10. Extended euclids algorithm(for
multiplicative inverse)

Prof. Uma Ade

Congruence property:
• Two numbers said to be congruence modulo if
they give out the same remainder.
• a and b are congruent modulo of n,
• if a mod n = b mod n; and is denoted as
a ≡ b (mod n); OR b ≡ a( mod n)
• 13 mod 2=1 and 17 mod 2=1
– then 13 ≡17 (mod 2)
– i.e 2 devides (17-13)
• 24 mod 6 and 14 mod 6 ?

Prof. Uma Ade

Modular Operation on Negative numbers:

• -9 mod 2
– -9 +(2 * ? )= +ve no
-9 +(2 *5)= 1
– 9 ≡ 5(mod 2)
–i.e (-9 mod 2)=(5mod 2)

Prof. Uma Ade

Modular Addition:
• (A + B) mod C=((A mod C) +(B mod C))mod C
• Eg.
1. (16 + 5) mod 2

Prof. Uma Ade

Modular Subtraction:
• (A - B) mod C=((A mod C) - (B mod C))mod C
• Eg.
1. (26 - 5) mod 2

Prof. Uma Ade

Modular Multiplication:
• (A * B) mod C=((A mod C) * (B mod C))mod C
• Eg.
1. (13 * 5) mod 2

Prof. Uma Ade

Modular Inverse:
• A-1 mod C
A *( ) mod c = 1
1. 3-1 mod 26 i.e.3*( ) mod 26= 1
2. 15-1 mod 26
3. 4-1 mod 15

Prof. Uma Ade

Prime Number
 Prime numbers only have divisors of 1 and self.
• They cannot be written as a product of other
numbers.
• eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
prime numbers are central to number theory.
list of prime number less than 100 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67
71 73 79 83
89 97

Prof. Uma Ade

Co*Prime Number/coprime/relatively prime/mutually
prime:

 two numbers a, b are relatively prime if have no

common divisors apart from 1
• eg. 8 & 15 are relatively prime since factors of 8 are
1,2,4,8 and of 15 are 1,3,5,15
• and 1 is the only common factor
• conversely can determine the greatest common
divisor by comparing their
• prime factorizations and using least powers
• eg. 300=21 ×31 ×52 18=21 ×32 hence GCD(18,300)=21
×31 ×50 =6
Prof. Uma Ade
 Euclid's algo (Euclidean algorithm)(GCD(Greatest
common Divisor):

Prof. Uma Ade

• find GCD(308,42)
• GCD(308,42)
• GCD(42,14)
• GCD(14,0)
• GCD=14

Prof. Uma Ade

Prof. Uma Ade
Extended euclids algorithm(for multiplicative inverse)

1. A1,A2,A3<-- (1,0,m)
B1,B2,B3<-- (0,1,b)
2. IF B3=0-->GCD(m,b)=A3 (no inverse exist)
3. IF B3=1-->GCD(m,b)=B3 ,B -1=B2
4. Q=A3/B3
5. (T1,T2,T3)=((A1-(Q*B1),((A2-(Q*B2)),((A3-(Q*B3)))
6. (A1,A2,A3)=(B1,B2,B3)
7. (B1,B2,B3)=(T1,T2,T3)
8. Goto Step2

Prof. Uma Ade

EX1-->3-1 mod 26

Prof. Uma Ade

3-1 mod 26
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

Prof. Uma Ade

3-1 mod 26
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 26 0 1 3 8 1 -8 2

Prof. Uma Ade

3-1 mod 26
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 26 0 1 3 8 1 -8 2

0 1 3 1 -8 2 1 -1 9 1

Prof. Uma Ade

3-1 mod 26
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 26 0 1 3 8 1 -8 2

0 1 3 1 -8 2 1 -1 9 1

1 -8 2 -1 9 1

Prof. Uma Ade

3-1 mod 26
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 26 0 1 3 8 1 -8 2

0 1 1 -8 2 1 -1 9 1

1 -8 2 -1 9 1

Prof. Uma Ade

• B3=1 STOP
• B -1=B2 B2=9
• B2=9
• 3-1 mod 26=9

Prof. Uma Ade

EX2-->35-1 mod 3

Prof. Uma Ade

35 -1 mod 3
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

Prof. Uma Ade

35 -1 mod 3
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 3 0 1 35 0 1 0 3

Prof. Uma Ade

35 -1 mod 3
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 3 0 1 35 0 1 0 3

0 1 35 1 0 3 11 -11 1 2

Prof. Uma Ade

35 -1 mod 3
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 3 0 1 35 0 1 0 3

0 1 35 1 0 3 11 -11 1 2

1 0 3 -11 1 2 1 12 -1 1

Prof. Uma Ade

35 -1 mod 3
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 3 0 1 35 0 1 0 3

0 1 35 1 0 3 11 -11 1 2

1 0 3 -11 1 2 1 12 -1 1

-11 1 2 12 -1 1

Prof. Uma Ade

35 -1 mod 3
• B3=1 STOP
• B -1=B2 B2=-1
• B2=-1+3
• B2=2
• 35 -1 mod 3=2

Prof. Uma Ade

EX3-->37 -1 mod 49
A1 A2 A3 B1 B2 B3 Q T1 T2 T3

1 0 49 0 1 37 1 1 -1 12

0 1 37 1 -1 12 3 -3 4 1

1 -1 12 -3 4 1

Prof. Uma Ade

Fermat's Theorem

• If p is prime and a is a positive integer

not divisible by p, then
• a p-1 ≡ 1 (mod p)
• eg. p=7 a=3
• where p is prime and gcd(a,p)=1
• also known as Fermat‟s Little Theorem
• useful in public key and primality testing

Prof. U84ma Ade

Euler Totient Function ø(n)
• when doing arithmetic modulo n ,complete set of
residues is: 0..n-1
• reduced set of residues is those numbers (residues)
which are relatively prime to n
• eg for n=10,
• complete set of residues is {0,1,2,3,4,5,6,7,8,9}
• reduced set of residues is {1,3,7,9}
• Def: ø(n) is the no of positive integers less than n
and relatively prime to n.
• ø(1)=1 predefined
Prof. Uma Ade
Euler Totient Function ø(n)
• if n=10 then ø(10)=(4)
• if n=5 then ø(n) ?
• ø(65)?
• ø(12)?
• ø(12)=4

Prof. Uma Ade

• number of elements in reduced set of residues is called the
Euler Totient Function ø(n)
• but for n (n prime)
• ø(n) = n-1
• if n=p *q (where p and q both are prime )
• then ø(n) = (p-1 ) *(q-1)
• eg.
• ø(37) = 36
• ø(21) = (3–1)×(7–1) = 2×6 = 12
• If P is prime and a is an integer a>=1 then
ø(Pa) =Pa-1 X (P-1)
• ø(49),ø(343 )
Prof. Uma Ade
Euler Totient Function ø(n)
• If P is prime and a is an integer a>=1 then
a-1
ø(P ) =P X (P-1)
a

2-1
ø(49)=(7 X(7-1)
=7 X6
=42
-1
ø(343 )=(73 X(7-1)
=49 X6
=294
Prof. Uma Ade
Euler's Theorem

• a generalisation of Fermat's Theorem

• a and n are relatively prime.
• aø(n)mod n = 1 , aø(n)≡ 1(mod n)
• where gcd(a,n)=1
• eg. a=3;n=10; ø(10)=4;
• 3ø(10)mod 10 = 1
• hence 34 = 81 = 1 mod 10
• a=2;n=11; ø(11)=10;
• hence 210 = 1024 = 1 mod 11

Prof. Uma Ade

Affine cipher:
• If x, y, a, b ∈ Z26, then

• y = Ek(x) ≡(a.x)+b mod 26

• x = Dk(y) ≡ a−1.(y − b) mod 26

EX1.If (a, b) = (3, 10) and
plaintext is CRYPTO = x1, x2, x3, x4, x5, x6
= 2, 17, 24, 15, 19, 14
then cipher text = y1, y2, y3, y4, y5, y6
= 16, 9, 4, 3, 15, 0
= QJEDPA

Prof. Uma Ade

Summary
• have considered:
– definitions for:
• computer, network, internet security
• X.800 standard
• security attacks, services, mechanisms
• models for network (access) security

Prof. Uma Ade