Cryptography and

Cyber Security

Ebey S.Raj
Introduction
The art of war teaches us to rely not on the likelihood of the
enemy's not coming, but on our own readiness to receive him;
not on the chance of his not attacking, but rather on the fact
that we have made our position unassailable.
—The Art of War, Sun Tzu
Background
• Information Security requirements have changed in recent
times
• Traditionally provided by physical and administrative
mechanisms
• Computer use requires automated tools to protect files
and other stored information
• Use of networks and communication links requires
measures to protect data during transmission.
Definitions
• Computer Security - generic name for the
collection of tools designed to protect data and to
thwart hackers
• Network Security - measures to protect data
during their transmission
• Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks
Aim of Course
• Our focus is on Internet Security
• Consists of measures to deter, prevent, detect, and correct
security violations that involve the transmission & storage
of information
Security Goals
Security Goals
• Confidentiality
• Most common aspect of information security.
• Protect our confidential information
• Applies to the storage of the information as well as to
the transmission of information.
Security Goals
• Integrity
• Changes need to be done only by authorized entities
and through authorized mechanisms.
• Assurance that data received are exactly as sent by an
authorized entity.
Security Goals
• Availability
• Information created and stored by an organization
needs to be available to authorized entities.
• Information is useless if it is not available.
Security Trends
Security Trends
Security Trends
Security Trends
Security Trends
Security Trends
Security Trends
Security Trends
OSI Security Architecture
• ITU-T X.800 “Security Architecture for OSI”
• Defines a systematic way useful for managers as a way of
organizing the task of providing security.
Aspects of Security
• Security attack
• Any action that compromises the security of information
owned by an organization
• Security mechanism
• A process that is designed to detect, prevent or recover from a
security attack.
• Security service
• A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization.
THREATS AND ATTACKS
• Threats
• A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach
security and cause harm.
• A threat is a possible danger that might exploit a vulnerability.
• Attack
• An assault on system security that derives from an intelligent
threat
• An intelligent act that is a deliberate attempt to evade security
services and violate the security policy of a system
Security Attacks
• Any action that compromises the security of information
owned by an organization
• Information security is about how to prevent attacks, or
failing that, to detect attacks on information-based
systems
• Have a wide range of attacks
• Can focus of generic types of attacks
• passive
• active
Security Attacks
• Passive Attacks
• A passive attack attempts to learn or make use of information from
the system but does not affect system resources.
• Active Attacks
• An active attack attempts to alter system resources or affect their
operation.
Security Attacks
• Passive Attacks
• Opponents could not extract information from the message.
• Only determine the location, identity of communicating hosts,
frequency and length of messages being transmitted
• Two types
• Release of Message Contents
• Traffic Analysis
Passive Attacks

Snooping: Release of message contents

Passive Attacks
Passive Attacks
• Very difficult to detect.
• Encryption can be used to prevent passive attacks.
Active Attacks
• Involve some modification of the data stream or creation of a
false stream.
• Four categories
• Masquerade
• Replay
• Modification of messages
• Denial of Service
Active Attacks

One entity pretends to be a different entity

Active Attacks

Capture of a data unit and its subsequent retransmission

 Active Attacks

A legitimate message may be altered, delayed or reordered

 Active Attacks

Suppress all messages to a particular destination or disruption of entire

network either by disabling the network or by overloading with messages
Active Attacks
• Repudiation
• Performed by either sender or receiver
• Sender might later deny that she has sent the message or Receiver
might later deny that he has received the message.
Active Attacks
• Difficult to prevent active attacks absolutely
• Can detect active attacks and recover from any disruption or
delays caused.
Taxonomy of Attacks with relation to security
goals
References
• Behrouz A. Forouzan and Debdeep Mukhopadhyay,
Cryptography & Network Security, Second Edition, Tata
McGraw Hill, New Delhi, 2010
• W. Stallings, “Cryptography and Network Security Principles
and practice”, 3/e, Pearson Education Asia, 2003.
• https://www.symantec.com/content/dam/symantec/docs/reports
/istr-22-2017-en.pdf
 Security
Services and Mechanisms

Ebey S.Raj
OSI Security Architecture
• ITU-T X.800 “Security Architecture for OSI”
• Defines a systematic way useful for managers as a way of
organizing the task of providing security.
Security Services
• Enhance security of data processing systems and information
transfers of an organization
• Intended to counter security attacks
• Using one or more security mechanisms
• often replicates functions normally associated with physical
documents
• which, for example, have signatures, dates; need protection from
disclosure, tampering, or destruction; be notarized or witnessed; be
recorded or licensed
Security Services
• X.800:
“a service provided by a protocol layer of communicating open systems,
which ensures adequate security of the systems or of data transfers”

• RFC 2828:
“a processing or communication service provided by a system to give a
specific kind of protection to system resources”
Security Services
• Security services implement security policies and are
implemented by Security mechanisms.
• X.800 has defined five services, related to the security goals
and attacks.
Security Services (X.800)
• Data Confidentiality –protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is as
sent by an authorized entity
• Authentication - assurance that the communicating
entity is the one claimed
• Non-Repudiation - protection against denial by one
of the parties in a communication
• Access Control - prevention of the unauthorized use
of a resource
Data Confidentiality
• Designed to protect data from disclosure attack.
• Encompasses
• Confidentiality of the whole message or part of a message (Prevent
snooping).
• Protection against traffic analysis (Prevent traffic analysis attack).
Data Integrity
• Designed to protect data from modification, insertion,
deletion and replaying by an adversary.
• May protect the whole message or part of the message.
Authentication
• Provides authentication of the party at the other end of the
line.
• In connection-oriented communication,
• Provides authentication of the sender or receiver during the
connection establishment.(Peer entity Authentication)
• In connection less communication,
• Provides authentication of the source of the data(Data origin
authentication).
Non-Repudiation
• Protects against repudiation by either the sender or the receiver
of the data.
• Nonrepudiation with proof of the origin
• Receiver of the data can later prove the identity of the sender if
denied.
• Nonrepudiation with proof of delivery
• Sender of the data can later prove that data were delivered to the
intended recepient.
Access Control
• Provides protection against unauthorized access.
• Ability to limit and control the access to host systems and
applications via communications links.
• Each entity trying to gain access must first be identified, or
authenticated.
Security Mechanism
• Mechanisms designed to detect, prevent, or recover from a
security attack
• No single mechanism will support all services required.
Security Mechanism
Security Mechanisms
• Encipherment
• Hiding or covering data for providing confidentiality
• Use of mathematical algorithms to transform data into a form
that is not readily intelligible.
• Two techniques
• Cryptography
• Steganography
Security Mechanisms
• Data integrity
• Mechanisms used to assure the integrity of a data unit or
stream of data units.
• Appends to the data, a short check value that has been created
from the data itself using a specific process.
• Receiver, upon receiving data and the check value, creates new
check value from the data and compare it with the received
check value.
• If the two check values are same, the integrity of the data has
been preserved.
Security Mechanisms
• Digital signatures
• Means by which the sender can electronically sign the data and
the receiver can electronically verify the signature.
• Sender owns a public key, which was already publicly
announced, and a related private key.
• Sender uses its private key for signing the data and the receiver
uses the sender’s public key for verifying the data.
Security Mechanisms
• Authentication exchange
• Two communicating entities exchange some messages to prove
their identity to each other.
• Eg: one entity can prove that she knows a secret that only she
is supposed to know.
• Traffic padding
• Insertion of some bogus data into the data traffic to prevent
adversary’s attempt to use the traffic analysis.
Security Mechanisms
• Routing control
• Selecting and continuously changing different available routes
between the sender and the receiver to prevent the opponent
from eavesdropping on a particular route.
• Notarization
• Use of a trusted third party to control the communication
between two entities, to prevent repudiation.
• Access Control
• Use methods to prove that a user has access right to the data or
resources owned by a system.
• Eg: Passwords and PINs
Relation between services and mechanisms
Security Services Security Mechanisms
Data Encipherment and Routing control
Confidentiality
Data Integrity Encipherment, Digital signature and Data integrity
Authentication Encipherment, Digital signature and Authentication
Exchange
Nonrepudiation Digital signature, Data integrity and Notarization
Access control Access control mechanisms
References
• Behrouz A. Forouzan and Debdeep Mukhopadhyay,
Cryptography & Network Security, Second Edition, Tata
McGraw Hill, New Delhi, 2010
• W. Stallings, “Cryptography and Network Security Principles
and practice”, 3/e, Pearson Education Asia, 2003.
Cryptography
Ebey S.Raj
Introduction
• Human being from ages had two inherent needs
• to communicate and share information and
• to communicate selectively.
• Only the intended people could have access to the information.

Prepared by Ebey S.Raj

The art and science of concealing the messages to introduce
secrecy in information security is recognized as cryptography.

• The word „cryptography‟ was coined by combining two Greek

words, „Krypto‟ meaning hidden and „graphene‟ meaning
2
writing.
Cryptosystem
• A cryptosystem is an implementation of cryptographic
techniques and their accompanying infrastructure to provide
information security services.
• A cryptosystem is also referred to as a cipher system.

Prepared by Ebey S.Raj

3
Basic Model of a Cryptosystem

Prepared by Ebey S.Raj

4
Some Basic Terminology
• Plain text (P)
• Original intelligible message or data that is fed into the algorithm as input.
• Encryption Algorithm (Ek(x))
• Performs various substitutions and transformations on the plaintext. .
• Cipher text (C)

Prepared by Ebey S.Raj

• Scrambled message produced as output. It depends on the plaintext and the
secret key.
• It is unintelligible.
• Decryption Algorithm (Dk(x))
• Encryption algorithm run in reverse.
• It takes the cipher text and the secret key and produces the original plaintext
• Interceptor
5
• An unauthorized entity who attempts to determine the plaintext.
Some Basic Terminology
• Encryption Key
• It is a value that is known to the sender.
• The sender inputs the encryption key into the encryption algorithm
along with the plaintext in order to compute the ciphertext.

Prepared by Ebey S.Raj

• Decryption Key
• It is a value that is known to the receiver.
• The decryption key is related to the encryption key.
• The receiver inputs the decryption key into the decryption
algorithm along with the ciphertext in order to compute the
plaintext. 6
Kerckhoff’s Principle

Kerckhoffs‟ Principle states that the security of a

cryptosystem must lie in the choice of its keys only;

Prepared by Ebey S.Raj

everything else (including the algorithm itself) should
be considered public knowledge.

7
Classification of Cryptosystems
• Fundamentally, there are two types of cryptosystems
• Symmetric Key Cryptosystem
• Asymmetric Key Cryptosystem

Prepared by Ebey S.Raj

8
Symmetric Key Cryptosystem
• Conventional/ Private-key/ Single-key encryption
• Sender and recipient share a common secret key
• Only type prior to invention of public-key in 1970‟s

Prepared by Ebey S.Raj

• Most widely used.

9
Symmetric Key Cryptosystem
• General idea of Symmetric Key Cryptosystem

Prepared by Ebey S.Raj

10
Symmetric Key Cryptosystem
• The symmetric key encipherment uses a single key for both
encryption and decryption.
• The key itself may be a set of values.
• The Encryption and Decryption algorithms are inverses of each other.

Prepared by Ebey S.Raj

• If P is the plain text, C is the cipher text and K is the secret key,
The encryption algorithm Ek(x) creates the cipher text from the
plain text.
The decryption algorithm Dk(x) creates the plain text from the
cipher text.
11
Symmetric Key Cryptosystem
• The Encryption algorithm Ek(x) and Decryption algorithm
Dk(x) are inverses of each other.
• They cancel the effect of each other if they are applied one

Prepared by Ebey S.Raj

after the other on the same input.

Encryption: C = Ek(P) Decryption: P = Dk(C)

In which Dk(Ek(x)) = Ek(Dk(x)) = x

• Alice: C = Ek(P) Bob: Dk(C) = Dk(Ek(P)) = P

12
Symmetric Key Cryptosystem
• Alice and Bob need another secure channel to exchange the
secret key.
• Alice and Bob can use the same key for communication on

Prepared by Ebey S.Raj

either direction. This is why it is called symmetric.
• If there are m people in the communication group, then there is
a need of m(m – 1)/2 keys.

13
Asymmetric Key Cryptosystems
• Most significant advance in the 3000 year history of
cryptography
• Encryption key and Decryption key are different.

Prepared by Ebey S.Raj

• Uses two keys – a public & a private key
• Asymmetric since parties are not equal
• Uses clever application of number theoretic concepts to
function
• Public key schemes are neither more nor less secure than
private key schemes, rather they complement them. 14
Asymmetric Key Cryptosystems
• Public-key/Two-key/Asymmetric cryptography involves the
use of two keys:
• a public-key, which may be known by anybody, and can be used to
encrypt messages.

Prepared by Ebey S.Raj

• a related private-key, known only to the recipient, used to decrypt
messages.
• Computationally infeasible to determine private key from
public key.
15
Asymmetric Key Cryptosystems

Prepared by Ebey S.Raj

16
Symmetric vs Asymmetric
• Symmetric Key Systems • Asymmetric Key Systems
• Needed to Work • Needed to Work
• The same algorithm with • One algorithm is used for

Prepared by Ebey S.Raj

the same key is used for encryption and decryption,
encryption and decryption with a pair of keys, one for
encryption and one for
• The sender and receiver decryption
must share the algorithm • The sender and receiver must
and the key each have one of the matched
pair of keys. 17
 • Symmetric Key Systems • Asymmetric Key Systems

• Needed for Security • Needed for Security

• The key must be kept secret. • One of the two keys must be kept
secret.
• Impossible or at least
impractical to decipher a • Impossible or at least impractical

Prepared by Ebey S.Raj

to decipher a message if no other
message if no other information
information is available.
is available.
• Knowledge of the algorithm plus
• Knowledge of the algorithm one of the keys plus samples of
plus samples of ciphertext must ciphertext must be insufficient to
be insufficient to determine the determine the other key.
key. • . 18
Cryptanalysis
Cryptography is the science and art of creating secret codes.
Cryptanalysis is the science and art of breaking those codes.

Prepared by Ebey S.Raj

Cryptology: Field of both cryptography and cryptanalysis

• The study of cryptanalysis helps to create better secret codes.

19
Cryptanalysis Attacks
• There are four common types of Cryptanalysis attacks

Prepared by Ebey S.Raj

20
Ciphertext-only Attack
• Attacker only knows the cipher text and algorithm.
• Most probable attack.
• A cipher must be very resisting to this type of attack.

Prepared by Ebey S.Raj

21
Ciphertext-only Attack
• Various methods in Ciphertext-only Attack are
• Bruteforce attack
• Attacker tries to decrypt the cipher text with every possible key until
the plain text makes sense.

Prepared by Ebey S.Raj

• To prevent it, the no: of possible keys must be large.
• Statistical attack
• Attacker can benefit from some inherent characteristics of the plain
text language. Eg: Attacker finds the mostly used character in the
cipher text as „E‟, which is the most frequently used letter in English.
• Pattern attack.
• Attacker may use some patterns in the cipher text, to decrypt the 22
message.
Known-plaintext Attack
• Attacker knows algorithm, ciphertext and some plaintext –
ciphertext pairs.
• Less likely to happen

Prepared by Ebey S.Raj

23
Chosen-plaintext Attack
• Attacker knows algorithm, cipher text and some chosen
plaintext - ciphertext pairs.
• Plaintext - ciphertext pairs have been chosen by the attacker

Prepared by Ebey S.Raj

himself.
• Much less likely to happen.

24
Chosen-plaintext Attack

Prepared by Ebey S.Raj

25
Chosen ciphertext Attack
• Attacker knows algorithm, cipher text and some chosen
ciphertext and its corresponding decrypted plaintext.

Prepared by Ebey S.Raj

26
Cipher Properties
• Shannon suggests two properties for frustrating statistical
cryptanalysis: diffusion and confusion.
• Cipher needs to completely obscure statistical properties of

Prepared by Ebey S.Raj

original message
• Diffusion
• Hides the relationship between the cipher text and the plain text.
• Confusion
• Hides the relationship between the cipher text and the key.
27
Diffusion
• Statistical structure of the plaintext is dissipated into long-
range statistics of the ciphertext.
• Diffusion implies that each ciphertext symbol is dependent on

Prepared by Ebey S.Raj

some or all symbols in the plaintext.
• If a single symbol in the plaintext is changed, several or all
symbols in the cipher text will also be changed.

28
Confusion
• Makes relationship between the statistics of the cipher text and
the value of the encryption key as complex as possible.
• It should be difficult to deduce the key, even if the attacker gets

Prepared by Ebey S.Raj

the statistics of the cipher text.
• If a single bit in the key is changed, most or all bits in the
ciphertext will also be changed.
• Achieved by the use of a complex substitution algorithm.

29
References
• Behrouz A. Forouzan and Debdeep Mukhopadhyay,
“Cryptography & Network Security”, Second Edition, Tata
McGraw Hill, New Delhi, 2010
• https://www.tutorialspoint.com/cryptography/cryptosystems.ht

Prepared by Ebey S.Raj

m
• https://link.springer.com/referenceworkentry/10.1007%2F978-
1-4419-5906-
5_487#:~:text=Definition,should%20be%20considered%20pu
blic%20knowledge. 30