Information Security

Encryption
 Encryption
• Encryption is a fundamental technique used in
information security to protect the confidentiality and
integrity of data.
• It involves the process of converting plain text or data
into an encoded form called cipher-text, which can only
be accessed and understood by authorized parties with
the corresponding decryption key.
• Plain text: Unencrypted, readable, plain message that
anyone can read
• Cipher text: Result of encryption
• Key: Series of character or bits injected into algorithm
along with original message to create the encrypted
message
• Algorithm: Mathematical formula or method used to
convert unencrypted message to an encrypted message
• Decryption: Process of converting an encoded or
enciphered message back to its original form
• Two important elements are required:
– Password
Secure Communication
Needs and Requirements
• Well established needs for secure
communication
– War time communication
– Business transactions
– Illicit Love Affairs
• Requirements of secure communication
1. Secrecy
– Only intended receiver understands the message
2. Authentication
– Sender and receiver need to confirm each others
identity
3. Message Integrity
– Ensure that their communication has not been
altered, either maliciously or by accident during
Cryptography
Basics
• Cryptography comes from Greek word:
kryptos meaning hidden and graphein
mean to write.
• Cryptography is the science of secret, or
hidden writing code
• It has two main Components:
1. Encryption
– Practice of hiding messages so that they can not
be read by anyone other than the intended
recipient
2. Authentication & Integrity
– Ensuring that users of data/resources are the
persons they claim to be and that a message has
not been surreptitiously altered
 Cipher
• Cipher is a method for encrypting messages
• Transformation of individual components of an
unencrypted message into encrypted component
and vice versa

Plain Text Encryption Cipher Text Decryption Plain Text

Algorithm Algorithm

Key A Key B

• Encryption algorithms are standardized &

published
• The key which is an input to the algorithm is secret
 Classification
• Cryptographic systems are generally classified along 3 independent
dimensions:
• Type of operations used for transforming plain text to cipher text
– Substitution
– Transposition
• The number of keys used
– Symmetric key (or) single key (or) conventional encryption.
– Public key encryption.
• The way in which the plain text is processed
– Block cipher.
– Stream cipher.
Encryption
Symmetric Algorithms
• Algorithms in which the key for
encryption and decryption are the same
are Symmetric
– Example: Caesar Cipher
• Types:
1. Block Ciphers
– Encrypt data one block at a time (typically 64 bits,
or 128 bits)
– Used for a single message
2. Stream Ciphers
– Encrypt data one bit or one byte at a time
– Used if data is a constant stream of information
Symmetric Encryption
Key Strength
• Strength of algorithm is determined by the size
of the key
– The longer the key the more difficult it is to crack
• Key length is expressed in bits
– Typical key sizes vary between 48 bits and 448 bits
• Set of possible keys for a cipher is called key
space
– For 40-bit key there are 240 possible keys
– For 128-bit key there are 2128 possible keys
– Each additional bit added to the key length doubles
the security
• To crack the key the hacker has to use brute-
force
(i.e. try all the possible keys till a key that works is
found)
Substitution Ciphers
Caesar Cipher
• Simplest method was developed by Julius
Caesar
• Caesar Cipher is a method in which each letter
inB the
A CDE alphabet
F G H I J Kis
LMrotated
N O P Qby
R Sthree
TUVW letters
X Y Z as
shown
DEFGHIJKLMNOPQRSTUVWXYZABC

• Let us try to encrypt the message

– Attack at Dawn
– Shift each letter forward by 3 places:
– A → D, T → W, T → W, A → D, C → F, K → N, A → D, T →
W,
D → G, A → D, W → Z, N → Q
– Final Encrypted Text:
Dwwdfn dw Gdzq
Substitution Ciphers
Caesar Cipher
Encryption
Plain Text Cipher Text
Cipher:
Message: Caesar Cipher Message:
Attack at Dawn Algorithm Dwwdfn Dw Gdyq

Key (3)
Decrypti
on
Cipher Text
Cipher:
Plain Text

Message: Caesar Cipher Message:

Dwwdfn Dw Gdyq Algorithm Attack at Dawn

Key (3)

How many different keys are possible?

Substitution Cipher
Monoalphabetic Cipher
• Any letter can be substituted for any other letter
– Each letter has to have a unique substitute

ABCDEFGH I JKLMNOPQRSTUVWXYZ

MNBVCXZASDFGHJ KLPO IUYTREWQ

• There are 26! pairing of letters (~1026)

• Brute Force approach would be too time consumin
– Statistical Analysis would make it feasible to crack the
key
Message: Encrypted
Cipher: Message:
Bob, I love you. Monoalphabetic Nkn, s gktc wky.
Alice Cipher mgsbc

Key
 Substitution Cipher
Polyalphabetic Caesar Cipher
• Developed by Blaise de Vigenere
– Also called Vigenere cipher
• Uses a sequence of monoalpabetic ciphers in
tandem
–e.g. C1, C2, C2, C1, C2
Plain Text A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

C1(k=6) FGH I JKLMNOPQRSTUVWXYZABCDE

C2(k=20) TUVWXYZABCDEFGH I JKLMNOPQRS

• Example
Message: Encrypted
Cipher: Message:
Bob, I love you. Monoalphabetic Gnu, n etox dhz.
Alice Cipher tenvj

Key
 Substitution Cipher
Using a key to shift alphabet
• Obtain a key to for the algorithm and then shift the
alphabets
– For instance if the key is word we will shift all the letters
by four and remove the letters w, o, r, & d from the
encryption
• We have to ensure that the mapping is one-to-one
– no single letter in plain text can map to two different
letters in cipher text
Plain Text
– ABC
no single D EinFcipher
letter G H text
I Jcan
K map
L MtoNtwo
O Pdifferent
Q R Sletters
TUV in W X text
plain YZ

C1(k=6) WORDABCEFGH I JKLMNPQSTUVXYZ

Message:
Encrypted
Cipher: Message:
Bob, I love you.
??
Alice

WORD
 Playfair Cipher
• not even the large number of keys in a
monoalphabetic cipher provides security
• one approach to improving security was to
encrypt multiple letters
• the Playfair Cipher is an example
• invented by Charles Wheatstone in 1854,
but named after his friend Baron Playfair
 Encrypting and Decrypting
• plaintext is encrypted two letters at a time
1. if a pair is a repeated letter, insert filler like 'X’
2. if both letters fall in the same row, replace each
with letter to right (wrapping back to start from
end)
3. if both letters fall in the same column, replace
each with the letter below it (again wrapping to
top from bottom)
4. otherwise each letter is replaced by the letter in
the same row and in the column of the other letter
of the pair M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
 Security of Playfair Cipher
• security much improved over monoalphabetic
• since have 26 x 26 = 676 digrams
• would need a 676 entry frequency table to
analyse (verses 26 for a monoalphabetic)
• and correspondingly more ciphertext
• was widely used for many years
– eg. by US & British military in WW1
• it can be broken, given a few hundred letters
• since still has much of plaintext structure
 Hill Cypher
• Hill Cipher is a classic encryption method
using matrices.
• A polyalphabetic substitution cipher based
on linear algebra.
• Invented by Lester S. Hill in 1929.Uses
matrix multiplication for encryption.
• Operates on blocks of letters rather than
individual characters.
• Requires an invertible key matrix for
decryption.
• Strength lies in linear transformations and
block-based encryption.
 Vernam/One-Time Pad
• An Army Signal Corp officer, Joseph Mauborgne
suggests if a truly random key as long as the
message is used, the cipher will be secure
• called a One-Time pad
• is unbreakable since ciphertext bears no statistical
relationship to the plaintext
• since for any plaintext & any ciphertext there
exists a key mapping one to other
• can only use the key once though
• problems in generation & safe distribution of key
Transposition Cipher
Columnar Transposition
• This involves rearrangement of characters on the plain
text into columns
• The following example shows how letters are
transformed
– If the letters are not exact multiples of the transposition
size there may be a few short letters in the last column
Plain Text Cipher Text
which can be padded with an infrequent letter such as x or
T Hz I S I T S S O H
S A M E S O A N I W
S A G E T H A A S O
O S H O W L R S T O
H O W A C I M G H W
O L U M N U T P I R
A R T R A S E E O A
N S P O S M R O O K
I T I O N I S T W C
W O R K S N A S N S
 Row transposition
• Row Transposition Cipher is a basic transposition
cipher.
• It arranges text in a grid and permutes column
order based on a key.
• While more secure than simple transposition, it is
still breakable with cryptanalysis.
• Often used as a learning tool in cryptography.
• Rule:
– Write row by row
– Read column by column
 Rail fence
• Rail Fence Cipher is a basic transposition
cipher.
• It arranges text in a zigzag pattern based on
depth.
• While historically significant, it is not secure
for modern encryption needs.
• Often used as an introductory cipher in
cryptographic learning
• sequence of diagonals and then read off as
a sequence of rows.
Ciphers
Shannon’s Characteristics of “Good” Ciphers
• The amount of secrecy needed should
determine the amount of labor
appropriate for the encryption and
decryption.
• The set of keys and the enciphering
algorithm should be free from
complexity.
• The implementation of the process
should be as simple as possible.
• Errors in ciphering should not
propagate and cause corruption of
further information in the message.
Encryption Systems
Properties of Trustworthy Systems
• It is based on sound mathematics.
– Good cryptographic algorithms are are
derived from solid principles.
• It has been analyzed by competent
experts and found to be sound.
– Since it is hard for the writer to envisage
all possible attacks on the algorithm
• It has stood the “test of time.”
– Over time people continue to review both
mathematical foundations of an algorithm
and the way it builds upon those
foundations.
– The flaws in most algorithms are
discovered soon after their release.
Cryptanalysis
Techniques
• Cryptanalysis is the process of breaking an
encryption code
– Tedious and difficult process
• Several techniques can be used to deduce the
algorithm
– Attempt to recognize patterns in encrypted
messages, to be able to break subsequent ones by
applying a straightforward decryption algorithm
– Attempt to infer some meaning without even
breaking the encryption, such as noticing an
unusual frequency of communication or
determining something by whether the
communication was short or long
– Attempt to deduce the key, in order to break
subsequent messages easily
– Attempt to find weaknesses in the implementation
or environment of use of encryption
– Attempt to find general weaknesses in an
Data Encryption Standard (DES)
Basics
• Goal of DES is to completely scramble
the data and key so that every bit of
cipher text depends on every bit of data
and ever bit of key
• DES is a block Cipher Algorithm
– Encodes plaintext in 64 bit chunks
– One parity bit for each of the 8 bytes thus
it reduces to 56 bits
• It is the most used algorithm
– Standard approved by US National Bureau
of Standards for Commercial and
nonclassified US government use in 1993
Data Encryption Standard (DES)
Basics
64-bit input 56-bit key

48-bit k1
L1 R1 • DES run in reverse
F(L1, R1, K1)
to decrypt
• Cracking DES
48-bit k2
L2 R2 – 1997: 140 days
– 1999: 14 hours
F(L2, R2, K2)
• TripleDES uses
48-bit k3
L3 R3 DES 3 times in
tandem
– Output from 1 DES
F(L16, R16, K16) is input to next DES
48-bit k16
L17 R17
Encryption Algorithm
Summary

Algorithm Type Key Size Features

DES Block 56 bits Most Common, Not

Cipher strong enough
TripleDES Block 168 bits Modification of DES,
Cipher (112 effective) Adequate Security
Blowfish Block Variable Excellent Security
Cipher (Up to 448 bits)

AES Block Variable Replacement for DES,

Cipher (128, 192, or Excellent Security
256 bits)

RC4 Stream Variable Fast Stream Cipher,

Cipher (40 or 128 bits) Used in most SSL
implementations
Symmetric Encryption
Limitations
• Any exposure to the secret key
compromises secrecy of ciphertext
• A key needs to be delivered to the
recipient of the coded message for it to
be deciphered
– Potential for eavesdropping attack during
transmission of key
Asymmetric Encryption
Basics
• Uses a pair of keys for encryption
– Public key for encryption
– Private key for decryption
• Messages encoded using public key can only be
decoded by the private key
– Secret transmission of key for decryption is not
required
– Every entity can generate a key pair and release its
public key
Plain Text Cipher Text Plain Text
Cipher Cipher

Public Key Private Key

Asymmetric Encryption
Types
• Two most popular algorithms are RSA & El
Gamal
– RSA
• Developed by Ron Rivest, Adi Shamir, Len Adelman
• Both public and private key are interchangable
• Variable Key Size (512, 1024, or 2048 buts)
• Most popular public key algorithm
– El Gamal
• Developed by Taher ElGamal
• Variable key size (512 or 1024 bits)
• Less common than RSA, used in protocols like PGP
Asymmetric Encryption
RSA
• Choose two large prime numbers p & q
• Compute n=pq and z=(p-1)(q-1)
• Choose number e, less than n, which has no
common factor (other than 1) with z
• Find number d, such that ed – 1 is exactly divisible
by z
• Keys are generated using n, d, e
– Public key is (n,e)
– Private key is (n, d)
• Encryption: c = me mod n
– m is plain text
– c is cipher text
• Decryption: m = cd mod n
• Public key is shared and the private key is hidden
Asymmetric Encryption
RSA
• P=5 & q=7
• n=5*7=35 and z=(4)*(6) = 24
• e=5
• d = 29 , (29x5 –1) is exactly divisible by 24
• Keys generated are
– Public key: (35,5)
– Private key is (35, 29)
• Encrypt the word love using (c = me mod n)
– Assume that the alphabets are between 1 & 26

Plain Text Numeric Representation me Cipher Text (c = me mod

n)
l 12 248832 17
o 15 759375 15
v 22 5153632 22
e 5 3125 10
Asymmetric Encryption
RSA
• Decrypt the word love using (m = cd mod n)
– n = 35, c=29

Cipher cd (m = me mod Plain

Text n) Text
17 481968572106750915091411825223072000 17 l
15 12783403948858939111232757568359400 15 o
22 85264331908653770195619449972111000000 22 v
0
10 100000000000000000000000000000 10 e
 Asymmetric Encryption
Weaknesses
• Efficiency is lower than Symmetric
Algorithms
– A 1024-bit asymmetric key is equivalent to
128-bit symmetric key
• Potential for man-in-the middle attack
• It is problematic to get the key pair
generated for the encryption
Asymmetric Encryption
Man-in-the-middle Attack
• Hacker could generate a key pair, give the
public key away and tell everybody, that it
belongs to somebody else. Now, everyone
believing it will use this key for encryption,
resulting in the hacker being able to read the
messages. If he encrypts the messages again
Bobwith the public key of the real recipient, he will
Trudeau’s Trudeau’s
Message Encrypted
not be recognized
David’s easily.
+ public key
Cipher Message
Public Key

David’s
Bob’s Bob’s
Trudeau Public Key
Message Encrypted
Cipher (Middle-man) David
+ Public key Message

Bob’s Attacker Trudeau’s

Public Key Public Key

Trudeau’s David’s
Trudeau’s Trudeau’s
New Message Message
Encrypted Encrypted
Cipher + public key Cipher + public key
Message Message
 Asymmetric Encryption
Session-Key Encryption
• Used to improve efficiency
– Symmetric key is used for encrypting data
– Asymmetric key is used for encrypting the
symmetric key
Plain Text Cipher Cipher Text
(DES)

Send to Recipient

Encrypted
Cipher Key
(RSA)
Session Key

Recipient’s Public Key

Asymmetric Encryption
Encryption Protocols
• Pretty Good Privacy (PGP)
– Used to encrypt e-mail using session key encryption
– Combines RSA, TripleDES, and other algorithms
• Secure/Multipurpose Internet Mail Extension
(S/MIME)
– Newer algorithm for securing e-mail
– Backed by Microsoft, RSA, AOL
• Secure Socket Layer(SSL) and Transport Layer
Socket(TLS)
– Used for securing TCP/IP Traffic
– Mainly designed for web use
– Can be used for any kind of internet traffic
Asymmetric Encryption
Key Agreement
• Key agreement is a method to create secret key by
exchanging only public keys.
• Example
– Bob sends Alice his public key
– Alice sends Bob her public key
– Bob uses Alice’s public key and his private key to generate
a session key
– Alice uses Bob’s public key and her private key to generate
a session key
– Using a key agreement algorithm both will generate same
key Alice’s
Private Key
– Bob and Alice do not need to transfer any key
Bob’s Cipher
Public Key (DES) Alice and Bob
Bob’s Session Key Generate Same
Private Key
Session Key!
Alice’s Cipher
Public Key
(DES)
Asymmetric Encryption
Key Diffie-Hellman Mathematical Analysis
Bob & Alice
agree on non-secret
Bob prime p and value a Alice

Generate Secret Generate Secret

Random Number x Random Number y

Bob & Alice

Compute Public Key exchange Compute Public Key
ax mod p public keys ay mod p

Compute Session Key Compute Session Key

(ay)x mod p (ax)y mod p

Identical Secret Key

Asymmetric Encryption
Key Agreement con’t.
• Diffie-Hellman is the first key agreement
algorithm
– Invented by Whitfield Diffie & Martin
Hellman
– Provided ability for messages to be
exchanged securely without having to have
shared some secret information previously
– Inception of public key cryptography which
allowed keys to be exchanged in the open
• No exchange of secret keys
– Man-in-the middle attack avoided
Authentication
Basics
• Authentication is the process of
validating the identity of a user or the
integrity of a piece of data.
• There are three technologies that
provide authentication
– Message Digests / Message Authentication
Codes
– Digital Signatures
– Public Key Infrastructure
• There are two types of user
authentication:
– Identity presented by a remote or
application participating in a session
Authentication
Message Digests
• A message digest is a fingerprint for a
document
• Purpose of the message digest is to provide
proof that data has not altered
• Process of generating a message digest from
data is called hashing
• Hash functions are one way functions with
following properties
– Infeasible to reverse the function
– Infeasible to construct two messages which hash to
same digest
• Commonly used hash algorithms are
– MD5 – 128 bit hashing algorithm by Ron Rivest of
RSA
– Message Message
SHA & SHA-1 – 162 bit hashing algorithm
Digest developed
Digest
by NIST Algorithm
Message Authentication Codes
Basics
• A message digest created with a key
• Creates security by requiring a secret
key to be possesses by both parties in
order to retrieve the message

Message
Message Digest Digest
Algorithm

Secret Key
Password Authentication
Basics
• Password is secret character string only known
to user and server
• Message Digests commonly used for password
authentication
• Stored hash of the password is a lesser risk
– Hacker can not reverse the hash except by brute
force attack
• Problems with password based authentication
– Attacker learns password by social engineering
– Attacker cracks password by brute-force and/or
guesswork
– Eavesdrops password if it is communicated
unprotected over the network
– Replays an encrypted password back to the
authentication server
Authentication Protocols
Basics
• Set of rules that governs the communication of data related to
authentication between the server and the user
• Techniques used to build a protocol are
– Transformed password
• Password transformed using one way function before
transmission
• Prevents eavesdropping but not replay
– Challenge-response
• Server sends a random value (challenge) to the client along with
the authentication request. This must be included in the
response
• Protects against replay
– Time Stamp
• The authentication from the client to server must have time-
stamp embedded
• Server checks if the time is reasonable
• Protects against replay
• Depends on synchronization of clocks on computers
– One-time password
• New password obtained by passing user-password through one-
way function n times which keeps incrementing
• Protects against replay as well as eavesdropping
 Authentication Protocols
Kerberos
• Kerberos is an authentication service that uses
symmetric key encryption and a key
distribution center.
• Kerberos Authentication server contains
symmetric keys of all users and also contains
information on which user has access privilege
to which services on the network
Authentication
Personal Tokens
• Personal Tokens are hardware devices that
generate unique strings that are usually used
in conjunction with passwords for
authentication
• Different types of tokens exist
– Storage Token: A secret value that is stored on a
token and is available after the token has been
unlocked using a PIN
– Synchronous one-time password generator: Generate
a new password periodically (e.g. each minute)
based on time and a secret code stored in the token
– Challenge-response: Token computes a number
based on a challenge value sent by the server
– Digital Signature Token: Contains the digital
signature private key and computes a computes a
digital signature on a supplied data value
Authentication
Biometrics
• Uses certain biological characteristics
for authentication
– Biometric reader measures physiological
indicia and compares them to specified
values
– It is not capable of securing information
over the network
• Different techniques exist
– Fingerprint Recognition
– Voice Recognition
– Handwriting Recognition
– Face Recognition
– Retinal Scan
Authentication
Iris Recognition
The scanning process takes
advantage of the natural patterns in
people's irises, digitizing them for
identification purposes

Facts
• Probability of two irises producing
exactly the same code: 1 in 10 to the
78th power
• Independent variables (degrees of
freedom) extracted: 266
• IrisCode record size: 512 bytes
• Operating systems compatibility: DOS
and Windows (NT/95)
• Average identification speed (database
of 100,000 IrisCode records): one to
two seconds
 Authentication
Digital Signatures
• A digital signature is a data item which
accompanies or is logically associated with a
digitally encoded message.
• It has two goals
– A guarantee of the source of the data
– Proof that the data has not been tampered with
Sender’s Sender’s
Private Key Public Key
Message Digest Message
Digest
Sent to Algorithm Digest
Algorithm
Receiver

Same?

Digital
Message Signature Signature Signature Message
Digest Algorithm Sent to Algorithm Digest
Receiver

Sender Receiver
Authentication
Digital Cerftificates
• A digital certificate is a signed statement by a trusted
party that another party’s public key belongs to them.
– This allows one certificate authority to be authorized by a
different authority (root CA)
• Top level certificate must be self signed
• Any one can start a certificate authority
– Name recognition is key to some one recognizing a
certificate authority
– Verisign is industry standard certificate authority
Identity
Information

Signature
Sender’s Certificate
Algorithm
Public Key

Certificate
Authority’s
Private Key
Authentication
Cerftificates Chaining
• Chaining is the practice of signing a certificate with
another private key that has a certificate for its public
key
– Similar to the passport having the seal of the government
• It is essentially a person’s public key & some identifying
information signed by an authority’s private key
verifying the person’s identity
• The authorities public key can be used to decipher the
certificate
• The trusted
Certificateparty is Signature
called the certificate
New Certificate authority
Algorithm

Certificate
Authority’s
Private Key
Cryptanalysis
Basics
• Practice of analyzing and breaking
cryptography
• Resistance to crypt analysis is directly
proportional to the key size
– With each extra byte strength of key doubles
• Cracking Pseudo Random Number Generators
– A lot of the encryption algorithms use PRNGs to
generate keys which can also be cracked leading to
cracking of algorithms
• Variety of methods for safe guarding keys (Key
Management)
– Encryption & computer access protection
– Smart Cards