
CRYPTOGRAPHY AND

NETWORK SECURITY
VI SEM BCA

PREPARED BY PREETHA MAHESH


Unit - I
Module 1
Introduction: Security Goals, Cryptographic
Attacks, Services and mechanism, Techniques.

Module 2
Mathematics of Cryptography: Integer Arithmetic,
Modular Arithmetic, Matrices, Linear Congruence.



Module 1 Objectives
 To define three security goals.
 To define security attacks that threaten security goals
 To define security services and how they are related to the three security goals
 To define security mechanisms to provide security services
 To introduce two techniques, cryptography and steganography, to implement
security mechanisms.

INTRODUCTION
 Computer Security - generic name for the collection of tools designed to protect data and to
frustrate hackers
 Network Security - measures to protect data during their transmission.
 Internet Security - measures to protect data during their transmission over a collection of
interconnected networks



Cryptography
 The art of protecting information by transforming it into an unreadable format.
 The science of writing in secret code so that no one except the intended recipient can read it.
 A method of protecting information and communications through the use of codes so that only those
for whom the information is intended can read and process it.
 Cryptography is about constructing and analysing protocols that prevent third parties or the public
from reading private messages.



SECURITY GOALS

 Data privacy (confidentiality)
 Data availability (accessibility and continuity of information)
 Data integrity (it has not been modified on the way)

Confidentiality
 Confidentiality is probably the most common aspect of
information security.
 An organization needs to guard against those malicious
actions that endanger the confidentiality of its information.
 The meaning of a message is concealed by encoding it.
 The sender encrypts the message using a cryptographic key.
 The recipient decrypts the message using a cryptographic
key that may or may not be the same as the one used by the
sender.



Integrity
 Information needs to be changed constantly.
 Integrity means that changes need to be done only by authorized entities and
through authorized mechanisms.



Availability
 The information created and stored by an organization needs to be available to authorized entities.
 Information needs to be constantly changed, which means it must be accessible to authorized
entities.



Security Attacks
 The three security goals (confidentiality, integrity, and availability) can be threatened by
security attacks.
1. Attacks Threatening Confidentiality
2. Attacks Threatening Integrity
3. Attacks Threatening Availability
4. Passive versus Active Attacks



Taxonomy of attacks with relation to security goals



Attacks Threatening Confidentiality
 Interception: an unauthorized party gains access to an asset. This is an attack on
confidentiality.
 The unauthorized party could be a person, a program or a computer, e.g., wiretapping to capture data
in the network, or illicit copying of files.
 Two types:
 Snooping
 Traffic analysis



Snooping
 Snooping refers to unauthorized access to or interception of data.
 Data transferred through the internet may be intercepted by an unauthorized entity and its content
used for the interceptor's own benefit.
 To prevent snooping, the data can be made unintelligible to the interceptor by using encipherment.

Traffic analysis
 It is the process of intercepting and examining messages in order to deduce information from patterns
in communication.
 The opponent could determine the location and identity of communication hosts and could observe the
frequency and length of messages being exchanged.
 This information might be useful in guessing the nature of communication that was taking place.
 For example, she can find the electronic address (e.g., the email address) of the sender or receiver, or
she can collect a pair of requests and responses to help her guess the nature of the transactions.



Attacks Threatening Integrity
 Modification: an unauthorized party not only gains access to but also tampers with an asset.
This is an attack on integrity, e.g., changing values in a data file, altering a program, or
modifying the contents of messages being transmitted in a network.
 Modification
 Masquerading or spoofing
 Replaying
 Repudiation



Modification
 After intercepting or accessing information, the interceptor modifies the information to make it
beneficial to itself.
 Some portion of a message is altered, or messages are delayed or reordered, to produce an
unauthorized effect.
 For example, a customer sends a message to a bank to do some transaction. The attacker
intercepts the message and changes the type of transaction to benefit itself.
 e.g., “Allow John Smith” altered to “Allow Darth”.



Masquerade
 One entity pretends to be a different entity.
 Obtain extra privileges by impersonating an entity.
 For example, a customer sends a message to a bank to do some transaction. The attacker intercepts the
message and changes the type of transaction to benefit itself.



Replay
 The attacker obtains a copy of a message sent by a user and later tries to replay it.
 For example, a person sends a request to her bank to ask for payment to the attacker, who has
done a job for her. The attacker intercepts the message and sends it again to receive another
payment from the bank.
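The bank example used for the modification and replay attacks above can be carried through in code. The following is an added example, not part of the slides: the customer appends a check value (an HMAC over the request, using a shared key that is constructed here for the example) and a per-request nonce, and the bank rejects a request whose check value does not match (modification) or whose nonce it has already processed (replay). The class and function names are the example's own.

```python
# Added example (not from the slides): a bank-style transfer request protected
# with a check value (HMAC-SHA256) and a per-message nonce, so that the receiver
# can detect the Modification and Replay attacks described in Module 1.
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real system provisions it securely.
SHARED_KEY = b"example-shared-key-not-for-production"


def make_request(payee: str, amount: int, nonce: int) -> dict:
    """Build a request and append its check value (HMAC over the canonical fields)."""
    body = {"payee": payee, "amount": amount, "nonce": nonce}
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Bank:
    """Receiver side: verifies the check value and refuses nonces it has already seen."""

    def __init__(self) -> None:
        self.seen_nonces: set[int] = set()
        self.ledger: list[tuple[str, int]] = []

    def process(self, request: dict) -> str:
        body = request["body"]
        encoded = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(SHARED_KEY, encoded, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking timing information about the tag
        if not hmac.compare_digest(expected, request["tag"]):
            return "rejected: integrity check failed"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay detected"
        self.seen_nonces.add(body["nonce"])
        self.ledger.append((body["payee"], body["amount"]))
        return "accepted"


def demo() -> list[str]:
    """Run one genuine request, one modified copy, and one replayed copy."""
    bank = Bank()
    genuine = make_request("John Smith", 100, nonce=1)
    results = [bank.process(genuine)]

    # Modification attack: the interceptor changes the payee but cannot recompute the tag.
    tampered = {"body": dict(genuine["body"], payee="Darth"), "tag": genuine["tag"]}
    results.append(bank.process(tampered))

    # Replay attack: the identical genuine message is sent a second time.
    results.append(bank.process(genuine))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The nonce set grows without bound here; a real receiver would pair the nonce with a timestamp or sequence window so that old entries can be discarded.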



Repudiation
 This type of attack is different from others because it is performed by one of the two parties in
communication: the sender or the receiver.
 The sender of the message might later deny that he has sent the message; the receiver of the
message might later deny that he has received the message.



Attacks Threatening Availability

 By interruption, an asset of the system is destroyed or becomes unavailable or unusable. This is an
attack on availability, e.g., destruction of a piece of hardware, cutting of a communication line, or
disabling of the file management system.
 Denial of service (DoS)
 It is an attempt to make a machine or network resource unavailable to its intended users.
 The denial may occur
 at the source (by preventing the server from obtaining the resources needed to perform its function)
 at the destination (by blocking the communications from the server)
 along the intermediate path (by discarding messages from either the client or the server, or both).
 The attacker may also intercept requests from the clients, causing the clients to send requests many
times and overload the system.



Denial of service
 Prevents or inhibits the normal use or management of communication facilities.
 Another form of service denial is the disruption of an entire network, either by disabling
the network or overloading it with messages so as to degrade performance.



Passive vs Active attacks
 Passive Attacks
 The attacker’s goal is just to obtain information.
 This means that the attack does not modify or harm the system. The system continues with its
normal operation.
 Attacks that threaten confidentiality – snooping and traffic analysis – are passive attacks.
 Solution
 Mask content using encryption
 Prevention rather than detection

 Active Attacks
 May change the data or harm the system.
 Attacks that threaten integrity and availability are active attacks.
 Active attacks are normally easier to detect than to prevent, because an attacker can launch them in
a variety of ways.
Categorization of passive and active attacks



SERVICES AND MECHANISMS

 The International Telecommunication Union-Telecommunication Standardization Sector (ITU-T)
provides some security services and some mechanisms to implement those services.
 Security services and mechanisms are closely related because a mechanism or combination
of mechanisms is used to provide a service.
• Security Services
• Security Mechanisms
• Relation between Services and Mechanisms



Security service
 ITU-T has defined five services related to the security goals and attacks.



Classification of security services
 Confidentiality: It is designed to protect data from disclosure attacks. The service is very broad and
encompasses confidentiality of the whole message or part of a message and also protection against traffic
analysis.
 Integrity: Data integrity is designed to protect data from modification, insertion, deletion, and replaying by
an adversary. It may protect the whole message or part of the message.
 Authentication: This service provides authentication of the party at the other end of the line. In
connection-oriented communication, it provides authentication of the sender or receiver during the
connection establishment (peer entity authentication). In connectionless communication, it authenticates
the source of the data (data origin authentication).
 Non-repudiation: The non-repudiation service protects against repudiation by either the sender or the receiver
of the data. In non-repudiation with proof of origin, the receiver of the data can later prove the identity of the
sender if denied. In non-repudiation with proof of delivery, the sender of the data can later prove that the data
were delivered to the intended recipient.
 Access control: Access control provides protection against unauthorized access to data. The term access can
involve reading, writing, modifying, executing programs, and so on.
Security Mechanisms
 ITU-T also recommends some security mechanisms to provide the security services defined
earlier.



contd..
 Encipherment – It is hiding or covering of data (cryptography and steganography)
• Data Integrity – This mechanism appends to the data a short check value that has been created by a specific
process from the data itself
• Digital Signature – The sender electronically signs the data and the receiver can electronically verify the signature
• Authentication Exchange – Two entities exchange some messages to prove their identity to each other:
  – Something the user knows (a unique secret)
  – Something the user has (a security card)
  – Something the user is (fingerprint, retina, voice)
• Traffic Padding – It means inserting some bogus data into the data traffic to thwart the adversary's attempt to use
traffic analysis
• Routing Control – It means selecting and continuously changing different available routes between the sender
and the receiver to prevent eavesdropping
• Notarization – It means selecting a trusted third party to control the communication between two parties. This can
be done to prevent repudiation
• Access Control – It uses methods to prove that a user has the right to the data or resources owned by a system
Security Mechanisms
 Encipherment
Encipherment is hiding or covering data and can provide confidentiality. Two techniques – cryptography and
steganography – are used for enciphering.
 Data Integrity
The data integrity mechanism appends to the data a short check value that has been created by a specific
process from the data itself. The receiver receives the data and the check value. He creates a new check value
from the received data and compares the newly created check value with the one received. If the two
check values are the same, then the integrity of the data has been preserved.
 Digital Signature
A digital signature is a means by which the sender can electronically sign the data and the receiver can
electronically verify the signature. The sender uses a process that involves showing that she owns a
private key related to the public key that she has announced publicly. The receiver uses the sender’s
public key to prove that the message is indeed signed by the sender who claims to have sent the message.
 Authentication Exchange
In authentication exchange, two entities exchange some messages to prove their identity to each
other. For example, one entity can prove that she knows a secret that only she is supposed to know.
Security Mechanisms
 Traffic Padding
Traffic padding means inserting some bogus data into the data traffic to thwart the interceptor’s attempt
to use traffic analysis.
 Routing Control
Routing control means selecting and continuously changing different available routes between the
sender and the receiver to prevent the opponent from eavesdropping on a particular route.
 Notarization
Notarization means selecting a trusted third party to control the communication between two entities.
This can be done to prevent repudiation. The receiver can involve a trusted party to store the sender's
request in order to prevent the sender from later denying that she has made such a request.
 Access Control
Access control uses methods to prove that a user has the access right to the data or resources owned by a
system. Examples of proofs are passwords and PINs.
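The authentication exchange mechanism ("one entity can prove that she knows a secret that only she is supposed to know") is easiest to see as a challenge-response protocol. The following is an added example, not code from the slides: the verifier issues a fresh random nonce, the prover answers with an HMAC of that nonce under the shared secret, and the verifier checks it. The secret never crosses the wire, and a recorded answer is useless against a later challenge. The `Verifier` and `Prover` names and the constructed secret are the example's own.

```python
# Added example (not from the slides): a challenge-response authentication
# exchange in which the prover demonstrates knowledge of a shared secret
# without ever transmitting the secret itself.
import hashlib
import hmac
import secrets
from typing import Optional


class Verifier:
    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._pending: Optional[bytes] = None   # challenge awaiting an answer

    def challenge(self) -> bytes:
        """Issue a fresh, unpredictable nonce; each challenge is answerable once."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        self._pending = None   # the nonce is consumed whether or not the answer is right
        return hmac.compare_digest(expected, response)


class Prover:
    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret

    def respond(self, nonce: bytes) -> bytes:
        """Prove knowledge of the secret by keying a MAC over the verifier's nonce."""
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(secret_at_prover: bytes, secret_at_verifier: bytes) -> bool:
    """One complete exchange: challenge, response, verification."""
    verifier = Verifier(secret_at_verifier)
    prover = Prover(secret_at_prover)
    nonce = verifier.challenge()
    return verifier.check(prover.respond(nonce))


def replayed_response_fails(secret: bytes) -> bool:
    """An eavesdropper who recorded an old response cannot answer a new challenge."""
    verifier = Verifier(secret)
    prover = Prover(secret)
    old_response = prover.respond(verifier.challenge())
    assert verifier.check(old_response)        # legitimate first exchange succeeds
    verifier.challenge()                       # new session, new nonce
    return not verifier.check(old_response)    # the replayed answer is rejected


SECRET = b"constructed-example-secret"   # constructed for the example

if __name__ == "__main__":
    print("correct secret:", run_exchange(SECRET, SECRET))
    print("wrong secret:  ", run_exchange(b"guess", SECRET))
    print("replay rejected:", replayed_response_fails(SECRET))
```

This demonstrates "something the user knows"; the other two factors from the slide (something the user has, something the user is) bind the response to a token or a biometric instead of a memorised secret, but the exchange pattern is the same.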



Relation between Services and Mechanisms



TECHNIQUES
 Mechanisms discussed in the previous sections are only theoretical recipes to implement
security.
 The actual implementation of security goals needs some techniques. The two techniques are:
 cryptography
 steganography.



Cryptography

 Cryptography, a word with Greek origins, means “secret writing.”
 However, we use the term to refer to the science and art of transforming messages to make them secure
and immune to attacks.
 Cryptography can be understood by an example: a sender sends a message which initially exists as
plaintext. Before the transmission of the message over the network, it is encrypted and converted into
ciphertext. When this message is received at the receiver’s end, it is decrypted back into the plaintext.



Types of cryptography

 Symmetric key cryptography (Secret key cryptography)

 Asymmetric key cryptography (Public key cryptography)

 Hashing



Symmetric-key Encipherment

 This type of cryptography uses one key for encrypting the plaintext and decrypting the ciphertext.
 The only condition is that the same key is shared for encryption and decryption; it also consumes less
execution time.
 Symmetric-key encipherment uses a single secret key for both encryption and decryption.
 In symmetric-key enciphering, Alice puts the message in a box and locks the box using the shared secret key; Bob
unlocks the box with the same key and takes out the message.
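The "one key locks, the same key unlocks" idea can be shown with a small symmetric cipher. The following is an added example, not code from the slides: a keystream is derived from the shared key and a per-message nonce (HMAC-SHA256 in counter mode, a construction chosen here because it needs only the standard library), and encryption and decryption are the same XOR operation under the same key. Function names and the constructed key are the example's own; it illustrates the mechanism and is not a replacement for a vetted cipher such as AES-GCM.

```python
# Added example (not from the slides): a minimal symmetric-key cipher built from
# a keystream generator (HMAC-SHA256 in counter mode). Alice encrypts and Bob
# decrypts with the same secret key, as in the locked-box analogy.
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from the key and a per-message nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh nonce keeps the keystream unique per message."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Bob unlocks with the same key: XOR with the same keystream restores the plaintext."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def round_trip(key: bytes, message: bytes) -> bytes:
    """Encrypt then decrypt under one shared key; returns the recovered plaintext."""
    return decrypt(key, encrypt(key, message))


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)          # constructed for the example
    msg = b"Transfer 100 to John Smith"
    blob = encrypt(shared_key, msg)
    print("ciphertext:", blob.hex())
    print("recovered: ", round_trip(shared_key, msg))
```

Note that this cipher provides confidentiality only: a flipped ciphertext bit flips the same plaintext bit undetected, which is why the data-integrity mechanism (a check value) is normally combined with encipherment.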



Asymmetric key cryptography
 This scheme uses two keys, a private key and a public key.
 The public key is provided by the receiver to the sender to encrypt the message, while the private
key is applied by the receiver itself to decrypt the message.
 The keys can be reused with other entities.
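The two-key scheme, and the digital signature mechanism built on it (the sender proves ownership of the private key matching her announced public key), can both be seen in textbook RSA. The following is an added example, not code from the slides: a key pair is generated from two small, constructed primes, the public key encrypts and the private key decrypts, and the same pair is used the other way round to sign a message hash and verify it. The tiny modulus and the absence of padding make this illustrative only; real deployments use primes of 1024 bits or more and a padding scheme such as RSA-OAEP or RSA-PSS.

```python
# Added example (not from the slides): textbook RSA with small fixed primes to
# show the two-key idea. Public key: encrypt or verify. Private key: decrypt or sign.
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) for primes p and q; requires gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Sender encrypts with the receiver's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the private key can recover m."""
    d, n = private_key
    return pow(c, d, n)


def sign(private_key, message: bytes) -> int:
    """Hash the message, reduce it below the modulus, and exponentiate with the private key."""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check that the signature matches the message hash."""
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


# Constructed small primes for the example; real keys use far larger primes.
PUBLIC, PRIVATE = make_keypair(p=1000003, q=1000033)

if __name__ == "__main__":
    c = encrypt(PUBLIC, 123456)
    print("ciphertext:", c, "decrypted:", decrypt(PRIVATE, c))
    sig = sign(PRIVATE, b"Allow John Smith")
    print("genuine verifies:", verify(PUBLIC, b"Allow John Smith", sig))
    print("altered verifies:", verify(PUBLIC, b"Allow Darth", sig))
```

The last two lines tie back to the modification attack: a message altered in transit no longer matches the signature, and only the private-key holder could have produced a signature for the altered text.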



Hashing
 In hashing, a fixed-length message digest is created out of a variable-length message.
 The digest is normally much smaller than the message.
 To be useful, both the message and the digest must be sent to Bob.
 Hashing is used to provide check values, which were discussed earlier in relation to providing
data integrity.



Steganography
 A technique of hiding the communication by concealing the secret message inside a cover message.
 The term steganography comes from Greek and means “covered writing”.
 Earlier, invisible ink, pencil impressions on handwritten characters, and small pin punctures were the
methods used to hide a message.
 The simplest technique of hiding a message is to create a message in which only a few significant
characters contain the secret message.
 The main disadvantage of steganography is the significant amount of overhead it incurs to hide a
small amount of information.
 Additionally, the system must not be discovered, otherwise it is useless.



Forms of steganography 
 Text: In this steganography, text is used as the cover medium. To hide the message, a word
or line can be shifted, whitespace can be used, and even the number and position of the vowels are
utilised to conceal the secret message.
 Audio: Audio steganography conceals the secret message in an audio file with the help of its
digital representation. It can be achieved easily, as a typical 16-bit file has 2^16 sound levels, and
a difference of a few levels cannot be detected by the human ear.
 Video: Video steganography brings more possibilities of disguising a large amount of data
because it is a combination of image and sound. Therefore, image and audio steganography
techniques can also be employed on video.
 Image: It is the most commonly used form of steganography, because it causes the least
suspicion.
 NOTE
 Watermarking is a method to embed an identifier in some hidden way in a file (typically in
non-text files) so that if you have the key you can authenticate the existence of the watermark.
The method is typically hidden to the naked eye, but may be detectable. Its goal is
authentication of the source of the data.
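The image and audio forms above rest on the same observation: changing the lowest bit of a sample is imperceptible. The following is an added example, not code from the slides: a secret is written into the least-significant bits of a constructed 8-bit grayscale cover (represented as a flat list of pixel values), then read back. It makes two points from the slides measurable: no pixel moves by more than one level, and eight cover pixels are spent per hidden byte, which is the overhead the slides call the main disadvantage. Function names and the cover are the example's own.

```python
# Added example (not from the slides): least-significant-bit hiding in a
# constructed 8-bit grayscale "image" (a flat list of pixel values 0..255).
import secrets


def embed(cover: list[int], message: bytes) -> list[int]:
    """Write a 2-byte length prefix plus the message, one bit per pixel LSB (MSB first)."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d pixels, have %d" % (len(bits), len(cover)))
    stego = list(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # replace only the lowest bit
    return stego


def extract(stego: list[int]) -> bytes:
    """Read LSBs back; the length prefix says where the hidden message ends."""
    def read_bytes(start_pixel: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_pixel + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_pixel_change(cover: list[int], stego: list[int]) -> int:
    """Largest per-pixel difference introduced by embedding (0 or 1 for LSB hiding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def pixels_needed(message: bytes) -> int:
    """Cover pixels consumed: 8 per message byte, plus 16 for the length prefix."""
    return 8 * (len(message) + 2)


if __name__ == "__main__":
    cover = [secrets.randbelow(256) for _ in range(64 * 64)]   # constructed 64x64 cover
    secret = b"covered writing"
    stego = embed(cover, secret)
    print("recovered:", extract(stego))
    print("max pixel change:", max_pixel_change(cover, stego))
    print("pixels used:", pixels_needed(secret), "of", len(cover))
```

The recovery needs no key at all, which is the point of the last bullet on the previous slide: once the embedding method is known, the hidden data is readable by anyone, so steganography hides the existence of a message but gives no secrecy of its own. Watermarking, by contrast, keys the embedding so that only the key holder can confirm the mark is present.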
Steganography vs Cryptography
Sl No | Steganography | Cryptography
1. | Means “covered writing”. | Means “secret writing”.
2. | Less popular than cryptography. | More popular than steganography.
3. | The structure of the data is not usually altered. | The structure of the data is altered.
4. | Supports the confidentiality and authentication security principles. | Supports the confidentiality and authentication security principles as well as data integrity and non-repudiation.
5. | The fact that a secret communication is taking place is hidden. | Only the secret message is hidden.
6. | Not many mathematical transformations are involved. | Involves the use of number theory, mathematics, etc. to modify the data.
7. | The attack on steganography is called steganalysis. | The attack on cryptography is called cryptanalysis.



END OF MODULE I

