CNS Module 1
Security Concepts
This is the age of universal electronic connectivity, where activities such as hacking,
viruses and electronic fraud are very common. Unless security measures are taken, a network
conversation or a distributed application can be compromised easily.
Some simple examples are:
Online purchases using a credit/debit card.
A customer unknowingly being directed to a false website.
A hacker sending a message to a person pretending to be someone else.
Network security has been affected by two major developments over the last several
decades. The first is the introduction of computers into organizations, and the second is the
introduction of distributed systems and the use of networks and communication facilities for
carrying data between users and computers. These two developments led to ‘computer security’ and
‘network security’: computer security deals with the collection of tools designed to protect
data and to thwart hackers, while network security measures are needed to protect data during
transmission. But keep in mind that it is the information, and our ability to access that information,
that we are really trying to protect, not the computers and networks.
Computer Security - generic name for the collection of tools designed to protect data and to
thwart hackers
Internet Security - measures to protect data during their transmission over a collection of
interconnected networks
These are the objectives that should be kept in mind while securing a network.
1. Confidentiality :
Confidentiality means that only authorized individuals/systems can view sensitive or classified
information. The data being sent over the network should not be accessed by unauthorized
individuals. The attacker may try to capture the data using different tools available on the
Internet and gain access to your information. A primary way to avoid this is to use encryption
techniques to safeguard your data so that even if the attacker gains access to your data, he/she
will not be able to decrypt it. Encryption standards include AES (Advanced Encryption Standard)
and DES (Data Encryption Standard). Another way to protect your data is through a VPN tunnel.
VPN stands for Virtual Private Network and helps the data to move securely over the network.
2. Integrity :
The next thing to talk about is integrity. The idea here is to make sure that data has not been
modified. Corruption of data is a failure to maintain data integrity. To check whether our data has been
modified, we make use of a hash function.
We have two common types: SHA (Secure Hash Algorithm) and MD5 (Message Digest 5).
MD5 is a 128-bit hash and SHA is a 160-bit hash if we’re using SHA-1. There are also other
SHA methods that we could use, like SHA-0, SHA-2 and SHA-3.
Let’s assume Host ‘A’ wants to send data to Host ‘B’ maintaining integrity. A hash function will
run over the data and produce an arbitrary hash value H1 which is then attached to the data.
When Host ‘B’ receives the packet, it runs the same hash function over the data which gives a
hash value H2. Now, if H1 = H2, this means that the data’s integrity has been maintained and the
contents were not modified.
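The H1 = H2 check described above, as an added example that is not part of the original notes. It uses SHA-256 (a SHA-2 function) instead of MD5 or SHA-1, and goes one step further than the text by comparing the plain hash with a keyed hash (HMAC); the messages and the pre-shared key are constructed assumptions.

```python
import hashlib
import hmac
from typing import Tuple


def attach_hash(data: bytes) -> Tuple[bytes, str]:
    """Host A: run the hash function over the data and attach H1."""
    return data, hashlib.sha256(data).hexdigest()


def check_hash(data: bytes, h1: str) -> bool:
    """Host B: recompute H2 over the received data and compare it with H1."""
    h2 = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(h1, h2)


def attach_mac(data: bytes, key: bytes) -> Tuple[bytes, str]:
    """Host A: keyed hash (HMAC); only a holder of `key` can produce the tag."""
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()


def check_mac(data: bytes, tag: str, key: bytes) -> bool:
    """Host B: recompute the tag with the shared key and compare."""
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    original = b"transfer 100 to account 42"   # constructed sample message
    altered = b"transfer 900 to account 42"    # same message changed in transit
    key = b"constructed-demo-key"              # assumption: pre-shared by A and B

    data, h1 = attach_hash(original)
    _, tag = attach_mac(original, key)
    # Whoever alters the data can also recompute an unkeyed hash over it.
    forged_data, forged_h = attach_hash(altered)

    return {
        # Plain hash: catches a change to the data when H1 is left alone ...
        "intact_accepted": check_hash(data, h1),
        "altered_data_old_hash_accepted": check_hash(altered, h1),
        # ... but not a change where the hash is replaced as well.
        "altered_data_new_hash_accepted": check_hash(forged_data, forged_h),
        # HMAC: without the key, neither the old tag nor a plain hash verifies.
        "intact_tag_accepted": check_mac(original, tag, key),
        "altered_data_old_tag_accepted": check_mac(altered, tag, key),
        "altered_data_hash_as_tag_accepted": check_mac(forged_data, forged_h, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A bare hash therefore covers accidental corruption; protecting integrity against someone who can rewrite the packet needs a keyed mechanism such as a MAC or a digital signature.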
3. Availability :
This means that the network should be readily available to its users. This applies to systems and
to data. To ensure availability, the network administrator should maintain hardware, make
regular upgrades, have a plan for fail-over, and prevent bottlenecks in a network. Attacks such as
DoS or DDoS may render a network unavailable as the resources of the network get exhausted.
The impact may be significant to the companies and users who rely on the network as a business
tool. Thus, proper measures should be taken to prevent such attacks.
OSI Security Architecture
The security of an organization is the greatest concern of the people working at the
organization. Safety and security are the pillars of cyber technology. It is hard to imagine the
cyber world without thinking about security. The architecture of security is thus a very important
aspect of the organization. The OSI (Open Systems Interconnection) Security Architecture
defines a systematic approach to providing security at each layer. It defines security services and
security mechanisms that can be used at each of the seven layers of the OSI model to provide
security for data transmitted over a network. These security services and mechanisms help to
ensure the confidentiality, integrity, and availability of the data. The OSI architecture is
internationally accepted because it lays out a flow for providing security in an organization.
OSI Security Architecture focuses on these concepts:
Security Attack:
Security mechanism: A security mechanism is a means of protecting a system, network, or
device against unauthorized access, tampering, or other security threats.
Security Service:
Classification of OSI Security Architecture
OSI Security Architecture is categorized into three broad categories namely Security Attacks,
Security mechanisms, and Security Services. We will discuss each in detail:
1. Security Attacks:
A security attack is an attempt by a person or entity to gain unauthorized access to, disrupt, or
compromise the security of a system, network, or device. These are defined as the actions that
put at risk an organization’s safety. They are further classified into 2 sub-categories:
A. Passive Attack:
Attacks in which a third-party intruder tries to access the message/content/data being shared by
the sender and receiver by keeping a close watch on the transmission or eavesdropping on the
transmission are called passive attacks. These types of attacks involve the attacker observing or
monitoring system, network, or device activity without actively disrupting or altering it. Passive
attacks are typically focused on gathering information or intelligence, rather than causing damage
or disruption.
Here, both the sender and receiver have no clue that their message/ data is accessible to some
third-party intruder. The message/ data transmitted remains in its usual form without any
deviation from its usual behavior. This makes passive attacks very risky as there is no
information provided about the attack happening in the communication process. One way to
prevent passive attacks is to encrypt the message/data that needs to be transmitted; this will
prevent third-party intruders from using the information even though it would be accessible to them.
Passive attacks are further divided into two parts based on their behavior:
Eavesdropping: This involves the attacker intercepting and listening to communications
between two or more parties without their knowledge or consent. Eavesdropping can be
performed using a variety of techniques, such as packet sniffing, or man-in-the-middle
attacks.
Traffic analysis: This involves the attacker analyzing network traffic patterns and metadata
to gather information about the system, network, or device. Here the intruder can’t read the
message but only understand the pattern and length of encryption. Traffic analysis can be
performed using a variety of techniques, such as network flow analysis, or protocol analysis.
B. Active Attacks:
Active attacks refer to types of attacks that involve the attacker actively disrupting or altering
system, network, or device activity. Active attacks are typically focused on causing damage or
disruption, rather than gathering information or intelligence. Here, both the sender and receiver
have no clue that their message/ data is modified by some third-party intruder. The message/ data
transmitted doesn’t remain in its usual form and shows deviation from its usual behavior. This
makes active attacks dangerous as there is no information provided of the attack happening in the
communication process and the receiver is not aware that the data/ message received is not from
the sender.
Active attacks are further divided into four parts based on their behavior:
Masquerade is a type of attack in which the attacker pretends to be an authentic sender in
order to gain unauthorized access to a system. This type of attack can involve the attacker
using stolen or forged credentials, or manipulating authentication or authorization controls in
some other way.
Replay is a type of active attack in which the attacker intercepts a transmitted message
through a passive channel and then maliciously or fraudulently replays or delays it at a later
time.
Modification of Message involves the attacker modifying the transmitted message and
making the final message received by the receiver look like it’s not safe or non-meaningful.
This type of attack can be used to manipulate the content of the message or to disrupt the
communication process.
Denial of service (DoS) attacks involve the attacker sending a large volume of traffic to a
system, network, or device in an attempt to overwhelm it and make it unavailable to
legitimate users.
2. Security Mechanism
The mechanism that is built to identify any breach of security or attack on the
organization, is called a security mechanism. Security Mechanisms are also responsible for
protecting a system, network, or device against unauthorized access, tampering, or other security
threats. Security mechanisms can be implemented at various levels within a system or network
and can be used to provide different types of security, such as confidentiality, integrity, or
availability.
Some examples of security mechanisms include:
Encipherment (Encryption) involves the use of algorithms to transform data into a form
that can only be read by someone with the appropriate decryption key. Encryption can be
used to protect data as it is transmitted over a network, or to protect data when it is stored on a
device.
Digital signature is a security mechanism that involves the use of cryptographic techniques
to create a unique, verifiable identifier for a digital document or message, which can be used
to ensure the authenticity and integrity of the document or message.
Traffic padding is a technique used to add extra data to a network traffic stream in an
attempt to obscure the true content of the traffic and make it more difficult to analyze.
Routing control allows the selection of specific physically secure routes for specific data
transmission and enables routing changes, particularly when a gap in security is suspected.
3. Security Services:
Security services refer to the different services available for maintaining the security and
safety of an organization. They help in preventing any potential risks to security. Security
services are divided into 5 types:
Authentication is the process of verifying the identity of a user or device in order to grant or
deny access to a system or device.
Access control involves the use of policies and procedures to determine who is allowed to
access specific resources within a system.
Data Confidentiality is responsible for the protection of information from being accessed or
disclosed to unauthorized parties.
Data integrity is a security mechanism that involves the use of techniques to ensure that data
has not been tampered with or altered in any way during transmission or storage.
Non-repudiation involves the use of techniques to create a verifiable record of the origin
and transmission of a message, which can be used to prevent the sender from denying that
they sent the message.
Security approaches
To keep data safe from potential violations and cyber-attacks, implementing the
security model is an important phase to be carried out. To ensure its integrity,
the security model can be designed using two methods:
1. Bottom-Up Approach: The company’s security model is applied by system administrators or
people who are working in network security or as cyber-engineers. The main idea behind this
approach is for individuals working in this field of information systems to use their knowledge
and experience in cybersecurity to guarantee the design of a highly secure information security
model.
Key Advantages – An individual’s technical expertise in their field ensures that every system
vulnerability is addressed and that the security model is able to counter any potential threats
possible.
Disadvantage – Due to the lack of cooperation between senior managers and relevant
directives, it is often not suitable for the requirements and strategies of the organisation.
2. Top-Down Approach: This type of approach is initialized and initiated by the executives of
the organization.
They formulate policies and outline the procedures to be followed.
Determine the project’s priorities and expected results
Determine liability for every action needed
2. Authentication:
Authentication is the mechanism to identify the user or system or the entity. It ensures the
identity of the person trying to access the information. The authentication is mostly secured
by using username and password. The authorized person whose identity is preregistered can
prove his/her identity and can access the sensitive information.
3. Integrity:
Integrity gives the assurance that the information received is exact and accurate. If the
content of the message is changed after the sender sends it but before reaching the intended
receiver, then it is said that the integrity of the message is lost.
System Integrity: System Integrity assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the
system.
Data Integrity: Data Integrity assures that information (both stored and in transmitted
packets) and programs are changed only in a specified and authorized manner.
4. Non-Repudiation:
Non-repudiation is a mechanism that prevents the denial of the message content sent
through a network. In some cases the sender sends the message and later denies it. But
the non-repudiation does not allow the sender to refuse the receiver.
5. Access control:
The principle of access control is determined by role management and rule management.
Role management determines who should access the data while rule management
determines up to what extent one can access the data. The information displayed is dependent on
the person who is accessing it.
6. Availability:
The principle of availability states that the resources will be available to authorized parties at
all times. Information will not be useful if it is not available to be accessed. Systems
should have sufficient availability of information to satisfy the user request.
7. Issues of ethics and law
The following categories are used to categorize ethical dilemmas in the security system.
Individuals’ right to access personal information is referred to as privacy.
Property: It is concerned with the information’s owner.
Accessibility is concerned with an organization’s right to collect information.
Accuracy: It is concerned with the obligation of information authenticity, fidelity, and
accuracy.
ASPECTS OF SECURITY
Security Attack
Security Mechanism
Security Service
SECURITY ATTACK
Information security is about how to prevent attacks, or failing that, to detect attacks on
information-based systems
• Passive
• Active
Passive Attack
Active Attack
INTERRUPTION
An asset of the system is destroyed or becomes unavailable or unusable. It is an attack on
availability.
Examples:
Destruction of some hardware
Jamming wireless signals
Disabling file management systems
INTERCEPTION
An unauthorized party gains access to an asset. Attack on confidentiality.
Examples:
Wire tapping to capture data in a network.
Illicitly copying data or programs
Eavesdropping
MODIFICATION
When an unauthorized party gains access and tampers with an asset. Attack is on Integrity.
Examples:
Changing data file
Altering a program and the contents of a message
FABRICATION
An unauthorized party inserts a counterfeit object into the system. Attack on Authenticity.
Also called impersonation
Examples:
Hackers gaining access to a personal email and sending message
Insertion of records in data files
Insertion of spurious messages in a network
SECURITY SERVICES
It is a processing or communication service that is provided by a system to give a specific
kind of protection to system resources. Security services implement security policies and are
implemented by security mechanisms.
i) Confidentiality
The other aspect of confidentiality is the protection of traffic flow from analysis.
ii) Authentication
This service assures that a communication is authentic. For a single message transmission,
its function is to assure the recipient that the message is from the intended source. For an ongoing
interaction, two aspects are involved. First, during connection initiation the service assures the
authenticity of both parties. Second, the connection between the two hosts is not interfered with
in a way that allows a third party to masquerade as one of the two parties. Two specific authentication services
defined in X.800 are:
Peer entity authentication: Verifies the identities of the peer entities involved in communication.
Provided for use at the time of connection establishment and during data transmission. Provides
confidence against a masquerade or a replay attack.
Data origin authentication: Assures the authenticity of the source of a data unit, but does not provide
protection against duplication or modification of data units. Supports applications like electronic
mail, where no prior interactions take place between communicating entities.
iii) Integrity
Integrity means that data cannot be modified without authorization. Like confidentiality, it
can be applied to a stream of messages, a single message or selected fields within a message. Two
types of integrity services are available. They are
SECURITY MECHANISMS
According to X.800, the security mechanisms are divided into those implemented in a
specific protocol layer and those that are not specific to any particular protocol layer or security
service. X.800 also differentiates reversible & irreversible encipherment mechanisms. A reversible
encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and
subsequently decrypted, whereas irreversible encipherment include hash algorithms and message
authentication codes used in digital signature and message authentication applications.
Specific Security Mechanisms
Incorporated into the appropriate protocol layer in order to provide some of the
OSI security services.
Encipherment: It refers to the process of applying mathematical algorithms for converting data
into a form that is not intelligible. This depends on algorithm used and encryption keys.
Digital Signature: The appended data or a cryptographic transformation applied to any data unit
allowing to prove the source and integrity of the data unit and protect against forgery.
Access Control: A variety of techniques used for enforcing access permissions to the system
resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of
data units.
Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of
information exchange.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
Routing Control: Enables selection of particular physically secure routes for certain data and
allows routing changes once a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a data exchange
Pervasive Security Mechanisms
These are not specific to any particular OSI security service or protocol layer.
Trusted Functionality: That which is perceived to be correct with respect to some criteria
Security Level: The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.
Event Detection: It is the process of detecting all the events related to network security.
Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities.
Security Recovery: It deals with requests from mechanisms, such as event handling and management
functions, and takes recovery actions.
Ciphertext, or encrypted text, is a series of randomized letters and numbers which humans cannot
make any sense of. An encryption algorithm takes in a plaintext message, runs the algorithm on the
plaintext, and produces a ciphertext. The ciphertext can be reversed through the process
of decryption, to produce the original plaintext.
Example: We will encrypt a sentence using Caesar Cipher. The key is 7, which means the letter a
becomes h.
Encryption is the process of converting normal message (plaintext) into meaningless message
(Ciphertext).
Decryption is the process of converting meaningless message (Ciphertext) into its original form
(Plaintext).
The major distinction between encryption and decryption is that encryption is the conversion of a
message into an unintelligible form that is undecipherable unless decrypted, whereas decryption
is the recovery of the original message from the encrypted information.
Let’s see the difference between encryption and decryption:
| S.No | Encryption | Decryption |
|------|------------|------------|
| 2. | Encryption is the process which takes place at sender’s end. | While decryption is the process which takes place at receiver’s end. |
| 3. | Its major task is to convert the plain text into cipher text. | While its main task is to convert the cipher text into plain text. |
| 4. | Any message can be encrypted with either secret key or public key. | Whereas the encrypted message can be decrypted with either secret key or private key. |
| 6. | The same algorithm with the same key is used for the encryption-decryption process. | The only single algorithm is used for encryption-decryption with a pair of keys where each use for encryption and decryption. |
CRYPTOGRAPHY
Cryptographic systems are generally classified along 3 independent dimensions:
Type of operations used for transforming plain text to cipher text
All the encryption algorithms are based on two general principles: substitution, in which
each element in the plaintext is mapped into another element, and transposition, in which elements
in the plaintext are rearranged.
CRYPTANALYSIS
Known plaintext – The cryptanalyst has a copy of the cipher text and the corresponding plaintext.
Chosen plaintext – The cryptanalyst gains temporary access to the encryption machine. They
cannot open it to find the key, however; they can encrypt a large number of suitably chosen
plaintexts and try to use the resulting cipher texts to deduce the key.
Chosen cipher text – The cryptanalyst obtains temporary access to the decryption machine, uses it
to decrypt several strings of symbols, and tries to use the results to deduce the key.
SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other letters or by
numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with cipher text bit patterns.
These techniques involve substituting or replacing the contents of the plaintext by other letters,
numbers or symbols. Different kinds of ciphers are used in substitution technique.
Substitution Techniques:
1. Caesar Cipher
2. Monoalphabetic Cipher
3. Playfair Cipher
4. Hill Cipher
5. Polyalphabetic Cipher
6. One-Time Pad
Caesar Ciphers:
It is the oldest of all the substitution ciphers. A Caesar cipher replaces each letter of the
plaintext with another letter of the alphabet. Two examples can be given:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Choose k, shift all letters by k.
For example, if k = 5
Or, using a common key which substitutes every letter of the plain text.
The key ABCDEFGH IJ KLMNOPQRSTUVWXYZ
OZIIOFAZIITKTYGKTOQD
But any attacker would simply break the cipher by using frequency analysis by observing the
number of times each letter occurs in the cipher text and then looking upon the English letter
frequency table. So, substitution cipher is completely ruined by these attacks. Monoalphabetic
ciphers are easy to break as they reflect the frequency of the original alphabet. A countermeasure is
to provide substitutes, known as homophones for a single letter.
Playfair Ciphers:
It is the best known multiple-letter encryption cipher which treats digrams in the plaintext as
single units and translates these units into ciphertext digrams. The Playfair Cipher is a digram
substitution cipher offering a relatively weak method of encryption. It was used for tactical
purposes by British forces in the Second Boer War and in World War I and for the same purpose
by the Australians and Germans during World War II. This was because Playfair is reasonably fast
to use and requires no special equipment. A typical scenario for Playfair use would be to protect
important but non-critical secrets during actual combat. By the time the enemy cryptanalysts could
break the message, the information was useless to them.
It is based around a 5x5 matrix, a copy of which is held by both communicating parties,
into which 25 of the 26 letters of the alphabet (normally either j and i are represented by the same
letter or x is ignored) are placed in a random fashion.
For example, the plain text is Shi Sherry loves Heath Ledger and the agreed key is sherry. The
matrix will be built according to the following rules.
in pairs,
without punctuation,
All Js are replaced with Is.
SH IS HE RR YL OV ES HE AT HL ED GE R
Double letters which occur in a pair must be divided by an X or a Z.
E.g. LI TE RA LL Y becomes LI TE RA LX LY
SH IS HE RX RY LO VE SH EA TH LE DG ER
The alphabet square is prepared using a 5*5 matrix with no repeated letters and no Js; the key is
written first, followed by the remaining letters of the alphabet, with no J.
SHERY
ABCDF
GIKLM
NOPQT
UVWXZ
For the generation of cipher text, there are three rules to be followed by each pair of letters.
letters appear on the same row: replace them with the letters to their immediate right
respectively
letters appear on the same column: replace them with the letters immediately below
respectively
not on the same row or column: replace them with the letters on the same row
respectively but at the other pair of corners of the rectangle defined by the original pair.
Based on the above three rules, the cipher text obtained for the given plain text is
HE GH ER DR YS IQ WH HE SC OY KR AL RY
Another example, simpler than the above one, can be given as follows.
Here, the key word is playfair. The plaintext is Hellothere.
hellothere becomes he lx lo th er ex.
p l a y f
i r b c d
e g h k m
n o q s t
u v w x z
Applying the rules again, for each pair:
If they are in the same row, replace each with the letter to its right (mod 5): he -> KG
If they are in the same column, replace each with the letter below it (mod 5): lo -> RV
Otherwise, replace each with the letter we’d get if we swapped their column indices: lx -> YV
So the cipher text for the given plain text is KG YV RV QM GI KU
To decrypt the message, just reverse the process. Shift up and left instead of down
and right. Drop extra x’s and locate any missing I’s that should be j’s. The message will be
back in its original readable form. Playfair is no longer used by military forces because of the advent
of digital encryption devices. It is now regarded as insecure for any purpose because
modern hand-held computers could easily break the cipher within seconds.
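The square construction, digram preparation and three substitution rules above, as an added example that is not part of the original notes. It reproduces the "sherry" square and the ciphertext of the first worked example; function names are illustrative, and using Z as the filler after an X is an assumption based on the "X or a Z" rule.

```python
def _letters(text):
    """Upper-case A-Z only, with J folded into I (the 25-letter Playfair alphabet)."""
    return [("I" if c == "J" else c) for c in text.upper() if "A" <= c <= "Z"]


def build_square(key):
    """Key letters first (no repeats), then the rest of the alphabet, as 5 rows."""
    cells = []
    for ch in _letters(key + "ABCDEFGHIKLMNOPQRSTUVWXYZ"):
        if ch not in cells:
            cells.append(ch)
    return [cells[r * 5:r * 5 + 5] for r in range(5)]


def to_digrams(plaintext):
    """Split into pairs; a doubled letter or a trailing single letter gets a filler."""
    s = _letters(plaintext)
    pairs, i = [], 0
    while i < len(s):
        a = s[i]
        b = s[i + 1] if i + 1 < len(s) else None
        if b is None or a == b:
            filler = "Z" if a == "X" else "X"   # assumption: Z when the letter is X
            pairs.append((a, filler))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def _transform(square, pairs, step):
    """step=+1 encrypts (right / down), step=-1 decrypts (left / up)."""
    pos = {square[r][c]: (r, c) for r in range(5) for c in range(5)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                              # same row
            out.append(square[ra][(ca + step) % 5] + square[rb][(cb + step) % 5])
        elif ca == cb:                            # same column
            out.append(square[(ra + step) % 5][ca] + square[(rb + step) % 5][cb])
        else:                                     # rectangle: swap the columns
            out.append(square[ra][cb] + square[rb][ca])
    return out


def playfair_encrypt(plaintext, key):
    return " ".join(_transform(build_square(key), to_digrams(plaintext), +1))


def playfair_decrypt(ciphertext, key):
    s = _letters(ciphertext)
    pairs = list(zip(s[0::2], s[1::2]))
    return " ".join(_transform(build_square(key), pairs, -1))


if __name__ == "__main__":
    for row in build_square("sherry"):
        print(" ".join(row))
    ct = playfair_encrypt("Shi Sherry loves Heath Ledger", "sherry")
    print(ct)
    print(playfair_decrypt(ct, "sherry"))   # the filler X stays in the output
```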
Hill Cipher:
It is also a multiletter encryption cipher. It involves substitution of ‘m’ ciphertext letters
for ‘m’ successive plaintext letters. The substitution uses ‘m’ linear equations, in which each
character is assigned a numerical value, i.e. a=0, b=1, c=2, d=3, …, z=25.
For example if m=3, the system can be defined as:
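$$c_1 = (k_{11}p_1 + k_{12}p_2 + k_{13}p_3) \bmod 26$$
If we represent in matrix form, the above statements as matrices and column vectors:
$$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$$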
Polyalphabetic Ciphers
In order to make substitution ciphers more secure, more than one alphabet can be used. Such
ciphers are called polyalphabetic, which means that the same letter of a message can be
represented by different letters when encoded. Such a one-to-many correspondence makes
the use of frequency analysis much more difficult in order to crack the code. We describe one
such cipher, named for Blaise de Vigenere, a 16th-century Frenchman.
The Vigenere cipher is a polyalphabetic cipher based on using successively shifted
alphabets, a different shifted alphabet for each of the 26 English letters. The procedure is
based on the tableau shown below and the use of a keyword. The letters of the keyword
determine the shifted alphabets used in the encoding process.
For the message COMPUTING GIVES INSIGHT and keyword LUCKY we proceed by repeating the
keyword as many times as needed above the message, as follows.
Encryption is simple: Given a key letter x and a plaintext letter y, the ciphertext letter is at the
intersection of the row labeled x and the column labeled y; so for L, the ciphertext letter would
be N. So, the ciphertext for the given plaintext would be given as:
Decryption is equally simple: The key letter again identifies the row and position of
ciphertext letter in that row decides the column and the plaintext letter is at the top of that
column. The strength of this cipher is that there are multiple ciphertext letters for each
plaintext letter, one for each unique letter of the keyword, so that the letter
frequency information is obscured. Still, breaking this cipher has been made possible
because this reveals some mathematical principles that apply in cryptanalysis. To overcome
the drawback of the periodic nature of the keyword, a new technique is proposed which is
referred as an autokey system, in which a key word is concatenated with the plaintext itself
to provide a running key. For ex
In the above example, the key would be luckycomputinggivesin
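An added example (not part of the original notes) of the Vigenere cipher with a repeating keyword and with the autokey variant, run on the message COMPUTING GIVES INSIGHT and the keyword LUCKY used above. Function names are illustrative; the tableau lookup is implemented as addition of letter positions modulo 26, which gives the same result as reading the row/column intersection.

```python
A = ord("A")


def letters(text):
    """Upper-case A-Z only; spaces and punctuation are dropped."""
    return [c for c in text.upper() if "A" <= c <= "Z"]


def key_stream(keyword, plaintext, autokey=False):
    """The key letter used for each plaintext letter."""
    p, k = letters(plaintext), letters(keyword)
    if autokey:
        # Keyword followed by the plaintext itself (a running key).
        return "".join((k + p)[:len(p)])
    # Keyword repeated as many times as needed.
    return "".join(k[i % len(k)] for i in range(len(p)))


def encrypt(plaintext, keyword, autokey=False):
    p = letters(plaintext)
    ks = key_stream(keyword, plaintext, autokey)
    return "".join(chr((ord(x) + ord(y) - 2 * A) % 26 + A) for x, y in zip(p, ks))


def decrypt(ciphertext, keyword, autokey=False):
    c = letters(ciphertext)
    stream = letters(keyword)
    out = []
    for i, ch in enumerate(c):
        k = stream[i] if autokey else stream[i % len(stream)]
        p = chr((ord(ch) - ord(k)) % 26 + A)
        out.append(p)
        if autokey:
            # Each recovered plaintext letter becomes a later key letter.
            stream.append(p)
    return "".join(out)


def images_of(letter, plaintext, ciphertext):
    """All ciphertext letters that one plaintext letter was mapped to."""
    p = letters(plaintext)
    return sorted({c for x, c in zip(p, ciphertext) if x == letter})


MESSAGE = "COMPUTING GIVES INSIGHT"
KEYWORD = "LUCKY"

if __name__ == "__main__":
    ct = encrypt(MESSAGE, KEYWORD)
    print(key_stream(KEYWORD, MESSAGE))                 # LUCKYLUCKY...
    print(ct)
    print(images_of("I", MESSAGE, ct))                  # one letter, several images
    print(key_stream(KEYWORD, MESSAGE, autokey=True))   # LUCKYCOMPUTINGGIVESIN
    print(decrypt(encrypt(MESSAGE, KEYWORD, autokey=True), KEYWORD, autokey=True))
```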
Still, this scheme is vulnerable to cryptanalysis as both the key and plaintext
share the same frequency distribution of letters allowing a statistical technique to be
applied. Thus, the ultimate defense against such a cryptanalysis is to choose a keyword that
is as long as plaintext and has no statistical relationship to it. A new system which works on
binary data rather than letters is given as
$$C_i = p_i \oplus k_i$$
where,
$p_i$ = ith binary digit of plaintext
$k_i$ = ith binary digit of key
$\oplus$ = exclusive-or operation.
Because of the properties of XOR, decryption is done by performing the same bitwise
operation.
$$p_i = C_i \oplus k_i$$
A very long but repeating keyword is used, making cryptanalysis difficult.
Pigpen Cipher
Pigpen cipher is a variation on letter substitution. Alphabets are arranged as follows:
TRANSPOSITION TECHNIQUES
All the techniques examined so far involve the substitution of a cipher text symbol for a plaintext
symbol. A very different kind of mapping is achieved by performing some sort of permutation on
the plaintext letters. This technique is referred to as a transposition cipher.
Transposition Techniques
Looking at the image, you can see why it is named rail fence: it
looks like a rail fence.
Once you have written the message as a sequence of diagonals, to obtain the cipher
text out of it you have to read it as a sequence of rows. So, reading the first row the first
half of cipher text will be:
memtmro
reading the second row of the rail fence, we will get the second half of the cipher
text:
eteoorw
Now, to obtain the complete cipher text combine both the halves of cipher text and
the complete cipher text will be:
Cipher Text: M E M T M R O E T E O O R W
The rail fence cipher is easy to implement, and just as easy for a cryptanalyst to break.
So, there was a need for a more complex technique.
Step 1: The plain text is written in the rectangular matrix of the initially defined
size in a row by row pattern.
Step 2: To obtain the cipher text, read the text written in the rectangular matrix
column by column. But you have to permute the order of the columns before reading it column
by column. The obtained message is the cipher text message.
To understand the columnar transposition let us take an example:
Now, to obtain the cipher text we have to read the plain text column by column as
the sequence of permuted column order. So, the cipher text obtained by the columnar
transposition technique in this example is:
Step 1: The plain text is written in the rectangle of predetermined size row by row.
Step 2: To obtain the cipher text, read the plain text in the rectangle, column by
column. Before reading the text in rectangle column by column, permute the order of
columns the same as in basic columnar technique.
Step 3: To obtain the final cipher text, repeat the steps above multiple times.
Let us discuss one example of a columnar transposition technique for better
understanding. We will consider the same example of a basic columnar technique which
will help in understanding the complexity of the method:
Plain Text: meet Tomorrow
Let us put this plain text in the rectangle of predefined size of 3×4. Proceeding with
the next step, the order of the columns of the matrix is permuted as you can see in the
image below:
Now after the first round the cipher text obtained is as follows:
So, the obtained cipher text for round 2 is MOOTRTREOEMW. In this way, we
can perform as many iterations as required. Increasing the number of iterations increases
the complexity of the technique.
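The rail fence and multi-round columnar steps above, as an added example (not code from the original notes). The rail fence plaintext "meet me tomorrow" is inferred from the two cipher text rows shown; the column order in the page's image did not survive in the text, so the order is a parameter here, and reading the columns left to right (0, 1, 2, 3) is the order that reproduces the page's round 2 result.

```python
def normalize(text):
    """Keep letters only, lower-cased, as in the worked examples."""
    return "".join(ch for ch in text.lower() if ch.isalpha())

def rail_fence_encrypt(plaintext, rails=2):
    """Write the message as diagonals over `rails` rows, then read row by row."""
    text = normalize(plaintext)
    if rails < 2:
        return text
    rows = [[] for _ in range(rails)]
    row, step = 0, 1
    for ch in text:
        rows[row].append(ch)
        if row == 0:
            step = 1            # bounce off the top rail
        elif row == rails - 1:
            step = -1           # bounce off the bottom rail
        row += step
    return "".join("".join(r) for r in rows)

def _check(text, order):
    cols = len(order)
    if sorted(order) != list(range(cols)):
        raise ValueError("order must be a permutation of 0..cols-1")
    if len(text) % cols:
        raise ValueError("message must fill the rectangle exactly")
    return cols

def columnar_encrypt(plaintext, order, rounds=1):
    """Fill the rectangle row by row, read whole columns in `order`; repeat."""
    text = normalize(plaintext)
    cols = _check(text, order)
    for _ in range(rounds):
        text = "".join(text[c::cols] for c in order)   # text[c::cols] is column c
    return text

def columnar_decrypt(ciphertext, order, rounds=1):
    """Undo each round: put every chunk back in its column, read row by row."""
    text = normalize(ciphertext)
    cols = _check(text, order)
    rows = len(text) // cols
    for _ in range(rounds):
        grid = [""] * cols
        for i, c in enumerate(order):
            grid[c] = text[i * rows:(i + 1) * rows]
        text = "".join(grid[c][r] for r in range(rows) for c in range(cols))
    return text

if __name__ == "__main__":
    print(rail_fence_encrypt("meet me tomorrow"))                # memtmroeteoorw
    print(columnar_encrypt("meet Tomorrow", (0, 1, 2, 3), 2))    # mootrtreoemw
```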
Asymmetric Key Encryption was invented in the 20th century to overcome the need for a
pre-shared secret key between communicating persons. The salient features of this
encryption scheme are as follows −
Every user in this system needs to have a pair of dissimilar keys, private key and public
key. These keys are mathematically related − when one key is used for encryption, the
other can decrypt the ciphertext back to the original plaintext.
It requires the public key to be placed in a public repository and the private key to be kept
as a well-guarded secret. Hence, this scheme of encryption is also called Public Key Encryption.
Though public and private keys of the user are related, it is computationally not feasible to
find one from another. This is a strength of this scheme.
When Host1 needs to send data to Host2, he obtains the public key of Host2 from
repository, encrypts the data, and transmits.
Host2 uses his private key to extract the plaintext.
Length of Keys (number of bits) in this encryption is large and hence, the process of
encryption-decryption is slower than symmetric key encryption.
Processing power of computer system required to run asymmetric algorithm is higher.
Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are
quite difficult to comprehend.
You may wonder how the encryption key and the decryption key can be ‘related’, and yet it
is impossible to determine the decryption key from the encryption key. The answer lies in
the mathematical concepts. It is possible to design a cryptosystem whose keys have this
property. The concept of public-key cryptography is relatively new. There are fewer
public-key algorithms known than symmetric algorithms.
Challenge of Public Key Cryptosystem
Public-key cryptosystems have one significant challenge − the user needs to trust that the
public key that he is using in communications with a person really is the public key of that
person and has not been spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a trusted
third party. The third party securely manages and attests to the authenticity of public keys.
When the third party is requested to provide the public key for any communicating person
X, they are trusted to provide the correct public key.
The third party satisfies itself about user identity by the process of attestation, notarization,
or some other process − that X is the one and only, or globally unique, X. The most
common method of making the verified public keys available is to embed them in a
certificate which is digitally signed by the trusted third party.
Relation between Encryption Schemes
A summary of basic key properties of two types of cryptosystems is given below −
Due to the advantages and disadvantages of both the systems, symmetric key and public-key
cryptosystems are often used together in the practical information security systems.
Cryptography:
What Is Steganography?
Steganography is a means of concealing secret information within (or even on top of) an
otherwise mundane, non-secret document or other media to avoid detection. It comes from the
Greek words steganos, which means “covered” or “hidden,” and graph, which means “to write.”
Hence, “hidden writing.”
You can use steganography to hide text, video, images, or even audio data. It’s a helpful bit of
knowledge, limited only by the type of medium and the author’s imagination.
1. Text Steganography − There is steganography in text files, which entails secretly storing
information. In this method, the hidden data is encoded into the letter of each word.
Since the computer description of an image contains multiple bits, images are frequently used as
a cover source in digital steganography.
The various terms used to describe image steganography include:
Aim: Maintain communication security | Enable data protection
Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and to find the
plaintext from the ciphertext. To obtain the plaintext, the attacker only needs to find out the
secret decryption key, as the algorithm is already in public domain.
Hence, he applies maximum effort towards finding out the secret key used in the
cryptosystem. Once the attacker is able to determine the key, the attacked system is
considered as broken or compromised.
Based on the methodology used, attacks on cryptosystems are categorized as
follows −
Ciphertext Only Attacks (COA) − In this method, the attacker has access to a
set of ciphertext(s). He does not have access to corresponding plaintext. COA is said to be
successful when the corresponding plaintext can be determined from a given set of
ciphertext. Occasionally, the encryption key can be determined from this attack. Modern
cryptosystems are guarded against ciphertext-only attacks.
Known Plaintext Attack (KPA) − In this method, the attacker knows the
plaintext for some parts of the ciphertext. The task is to decrypt the rest of the ciphertext
using this information. This may be done by determining the key or via some other method.
The best example of this attack is linear cryptanalysis against block ciphers.
Chosen Plaintext Attack (CPA) − In this method, the attacker has the text of his
choice encrypted. So he has the ciphertext-plaintext pair of his choice. This simplifies his
task of determining the encryption key. An example of this attack is differential
cryptanalysis applied against block ciphers as well as hash functions. A popular public key
cryptosystem, RSA is also vulnerable to chosen-plaintext attacks.
Dictionary Attack − This attack has many variants, all of which involve
compiling a ‘dictionary’. In the simplest method of this attack, the attacker builds a dictionary of
ciphertexts and corresponding plaintexts that he has learnt over a period of time. In future,
when the attacker gets a ciphertext, he refers to the dictionary to find the corresponding
plaintext.
Brute Force Attack (BFA) − In this method, the attacker tries to determine the
key by attempting all possible keys. If the key is 8 bits long, then the number of possible
keys is 2^8 = 256. The attacker knows the ciphertext and the algorithm, now he attempts all
the 256 keys one by one for decryption. The time to complete the attack would be very
high if the key is long.
Birthday Attack − This attack is a variant of brute-force technique. It is used
against the cryptographic hash function. When students in a class are asked about their
birthdays, the answer is one of the possible 365 dates. Let us assume the first student's
birthdate is 3rd Aug. Then to find the next student whose birthdate is 3rd Aug, we need to
enquire 1.25*√365 ≈ 25 students.
Similarly, if the hash function produces 64 bit hash values, the possible hash values
are 1.8x10^19. By repeatedly evaluating the function for different inputs, the same output is
expected to be obtained after about 5.1x10^9 random inputs.
If the attacker is able to find two different inputs that give the same hash value, it is
a collision and that hash function is said to be broken.
Man in Middle Attack (MIM) − The targets of this attack are mostly public key
cryptosystems where key exchange is involved before communication takes place.
o Host A wants to communicate to host B, hence requests public key of B.
o An attacker intercepts this request and sends his public key instead.
o Thus, whatever host A sends to host B, the attacker is able to read.
o In order to maintain communication, the attacker re-encrypts the data after
reading with his public key and sends to B.
o The attacker sends his public key as A’s public key so that B takes it as if it is
taking it from A.
Side Channel Attack (SCA) − This type of attack is not against any particular
type of cryptosystem or algorithm. Instead, it is launched to exploit the weakness in
physical implementation of the cryptosystem.
Timing Attacks − They exploit the fact that different computations take different
times to compute on a processor. By measuring such timings, it is possible to know about
a particular computation the processor is carrying out. For example, if the encryption takes
a longer time, it indicates that the secret key is long.
Power Analysis Attacks − These attacks are similar to timing attacks except that
the amount of power consumption is used to obtain information about the nature of the
underlying computations.
Fault analysis Attacks − In these attacks, errors are induced in the cryptosystem
and the attacker studies the resulting output for useful information.
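The Birthday Attack item above, as an added example (not code from the original notes): it measures how many evaluations a deliberately short hash needs before two different inputs collide and compares the average with the 1.25·√N rule of thumb, which is why hash outputs must be long. Truncating SHA-256 to 16 bits, the salt/counter input format and the function names are assumptions made for the demonstration.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for a short hash function."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int, salt: bytes = b""):
    """Hash salt||counter until two different inputs share a hash value.
    Returns (first_input, second_input, number_of_evaluations)."""
    seen = {}
    counter = 0
    while True:
        msg = salt + counter.to_bytes(8, "big")
        value = truncated_hash(msg, bits)
        if value in seen:
            return seen[value], msg, counter + 1
        seen[value] = msg
        counter += 1

def mean_evaluations(bits: int, runs: int) -> float:
    """Average evaluations to the first collision over independent runs."""
    total = 0
    for r in range(runs):
        total += find_collision(bits, salt=r.to_bytes(4, "big"))[2]
    return total / runs

def birthday_estimate(bits: int) -> float:
    """Rule of thumb: about 1.25 * sqrt(N) evaluations for N = 2**bits."""
    return 1.25 * math.sqrt(2 ** bits)

if __name__ == "__main__":
    a, b, n = find_collision(16)
    print(f"collision after {n} evaluations: {a.hex()} / {b.hex()}")
    print(f"measured mean over 200 runs: {mean_evaluations(16, 200):.0f}")
    print(f"1.25 * sqrt(2^16) = {birthday_estimate(16):.0f}, "
          f"versus 2^16 = {2 ** 16} possible values")
```

Each extra output bit multiplies the estimate by √2, so doubling the hash length squares the work needed to find a collision.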
The concept of key range and key-size are related to each other. Key Range is total
number of keys from smallest to largest available key. An attacker usually is armed with
the knowledge of the cryptographic algorithm and the encrypted message, so only the
actual key value remains the challenge for the attacker.
• If the key is found, the attacker can get original plaintext message. In the brute force
attack, every possible key in the key-range is tried, until we get the right key.
• In the best case, the right key is found in the first attempt; in the worst case, the key is
found in the last attempt. On average, the right key is found after trying half of the
possible keys in the key-range. Therefore, the larger the key range, the
longer it will take for an attacker to find the key using a brute-force attack.
• The concept of key range leads to the principle of key size. The strength of a
cryptographic key is measured with the key size.
• Key size is measured in bits and is represented using the binary number system. Thus if the
key ranges from 0 to 8, then the key size is 3 bits, or in other words, if the size is 8
bits then the key range is 0 to 256. Key size may vary, depending upon the
applications and the cryptographic algorithm being used, it can be 40 bits, 56 bits, 128 bits
& so on. In order to protect the cipher-text against the brute-force attack, the key-size
should be such that the attacker can not crack it within a specified amount of time.
• From a practical viewpoint, a 40-bit key takes about 3 hours to crack, however a 41-bit
key would take 6 hours and 42-bit key would take 12 hours & so on. This means every
additional bit doubles the amount of time required to crack the key. We can assume that
128 bit key is quite safe, considering the capabilities of today’s computers. However as the
computing power and techniques improve, these numbers will change in future.