CS8792 Course File Format
ENGINEERING
COURSE FILE
(2017 REGULATION)
Prepared By
8. Time Table
9. Course Plan
10. Unit-1 (each topic based on the highlighted title present)
    Session Plan
    Session Objectives
    Session Prerequisite
    Terms and Terminologies used
    Lecture Notes
    Session Outcomes
    Session Appraisal
11. Unit-2
    Session Plan
    Session Objectives
    Session Prerequisite
    Terms and Terminologies used
    Lecture Notes
    Session Outcomes
    Session Appraisal
12. Unit-3
    Session Plan
    Session Objectives
    Session Prerequisite
    Terms and Terminologies used
    Lecture Notes
    Session Outcomes
    Session Appraisal
13. Unit-4
    Session Plan
    Session Objectives
    Session Prerequisite
    Terms and Terminologies used
    Lecture Notes
    Session Outcomes
    Session Appraisal
14. Unit-5
    Session Plan
    Session Objectives
    Session Prerequisite
    Terms and Terminologies used
    Lecture Notes
    Session Outcomes
    Session Appraisal
15. References
16. Course Outcomes
17. 20 years Anna University topic-wise previous year questions with answers
SYLLABUS (2017 REGULATION)
L T P C
3 0 0 3
COURSE OBJECTIVES:
The student should be made to:
UNIT I INTRODUCTION 9
Security trends - Legal, Ethical and Professional Aspects of Security, Need for Security at
Multiple levels, Security Policies - Model of network security – Security attacks, services and
mechanisms – OSI security architecture – Classical encryption techniques: substitution
techniques, transposition techniques, steganography- Foundations of modern cryptography:
perfect security – information theory – product cryptosystem – cryptanalysis.
TOTAL : 45 PERIODS
OUTCOMES:
TEXT BOOK:
1. William Stallings, Cryptography and Network Security: Principles and Practice, PHI 3rd Edition, 2006.
REFERENCES:
UNIT I INTRODUCTION
(I) SYLLABUS
PART-A
POSSIBLE QUESTIONS
1. Differentiate unconditionally secure and computationally secure ciphers.
2. Define encryption.
3. Specify the components of an encryption algorithm.
4. What are the different types of security needed?
5. What laws are enforced in cryptography?
6. What are the three main types of intellectual property given legal protection?
7. State the need for security at multiple levels.
8. Differentiate discretionary and non-discretionary access control.
9. Define covert channel.
10. Define the three types of security policies.
PART-B
1. Explain the network security model and its parameters with a neat block diagram. (13) (R-13, Apr/May 2019) (R-08, Nov/Dec 2013)
2. Discuss the different types of security policies.
3. Explain in detail the multiple levels of security.
4. Discuss in detail the legal, ethical and professional aspects of security.
PART-B
1. Describe the various security mechanisms. (8) (R-13, Nov/Dec 2016)
2. Write short notes on the different types of security attacks and services in detail. (13) (R-13, Nov/Dec 2019)
3. What are the different types of attacks? Explain. (8) (R-08, Nov/Dec 2013) (R-08, Nov/Dec 2015)
4. Explain the OSI security architecture model with a neat diagram. (8) (R-13, Nov/Dec 2016)
5. Write short notes on
(i) Security attacks (8)
(ii) Security services (8)
6. Explain the OSI security architecture along with the services available. (R-04, Nov/Dec 2009)
PART-B
1. What is a monoalphabetic cipher? How does it differ from the Caesar cipher? (R-13, Apr/May 2019)
2. Describe: (R-13, Apr/May 2017)
a) Playfair cipher
b) Rail Fence cipher
c) Vigenère cipher
3. Explain the classical encryption technique using the symmetric cipher model and the Hill cipher. (16) (R-13, Apr/May 2018)
4. Encrypt the following message using the Playfair cipher with the keyword MONARCHY: "SWARAJ IS MY BIRTH RIGHT". Use X for blank space. (16) (R-13, Nov/Dec 2017) (R-08, Nov/Dec 2011)
5. Perform encryption and decryption using the Hill cipher for the message PEN and key ACTIVATED.
6. Explain in detail the entities in the symmetric cipher model and their requirements for secure usage of the model. (6) (R-13, Nov/Dec 2019)
7. Explain any two types of cipher technique in detail. (16) (May/June 2012)
8. Discuss classical cryptosystems and their types. (16) (R-08, Apr/May 2011)
9. Discuss any two classical cryptosystems (substitution and transposition) with their types. (R-08, May/June 2013) (R-08, Nov/Dec 2015)
10. Explain any two classical ciphers and describe their security limitations. (R-08, May/June 2014)
11. Explain the Cipher Feedback and Output Feedback block cipher modes of operation. (8) (R-08, Nov/Dec 2014)
12. Encrypt the message "Behavior is a mirror in which everyone displays his own image" with the keyword MONARCHY using the Playfair cipher. (8) (R-08, Nov/Dec 2014)
13. Explain substitution encryption techniques in detail. (16) (R-08, Apr/May 2015)
14. (i) Discuss any four substitution techniques and list their merits and demerits. (10)
(ii) Explain transposition techniques in detail. (6)
15. (i) Convert "MEET ME" using the Hill cipher with the key matrix
(ii) Convert the ciphertext back to plaintext. (8)
TOPIC 4: STEGANOGRAPHY
PART-A
POSSIBLE QUESTIONS
1. Define steganography.
2. How can a message be encrypted and hidden using steganography?
3. What is character marking?
4. What is pin puncture?
5. What are the advantages of steganography?
6. What is a typewriter correction ribbon?
7. List the drawbacks of steganography.
8. What is invisible ink?
PART-B
1. What is steganography? Describe the various techniques used in steganography. (7) (R-13, Apr/May 2019) (R-08, May/June 2013)
2. Write short notes on
a) Steganography (8)
b) Block cipher modes of operation (8)
3. Briefly explain single-key cryptosystems and two-key cryptosystems.
Security services:
1. Authentication
2. Access control
3. Data confidentiality
4. Data integrity
5. Nonrepudiation
6. Availability service
SESSION – 9: Information theory
1. Secrecy
2. Authentication
3. Secret sharing
Sl. No. | Lecture topics | L/T | Text/Reference books | Page No. | Hours required | Tentative date | Actual date

UNIT I INTRODUCTION
Prerequisite work: Introduction, Basics of Cryptography
1 | Security trends, Legal and ethical aspects of security, Need for security at multiple levels | L | T1 | | 1 | 18 May |
5 | Hill cipher, Polyalphabetic cipher, One-time pad | L | T1, T2 | 32-34 | 1 | |
7 | Steganography | L | T1 | 52-54 | 1 | |
8 | Foundations of modern cryptography: Shannon's secrecy, perfect secrecy | L | T1, T2 | | 1 | |
Total | 09

UNIT II SYMMETRIC KEY CRYPTOGRAPHY
4 | Symmetric key ciphers: SDES | L | T1 | 27-33, 61-74 | 1 | |
4 | Exponentiation and logarithm | L | T2 | 244-248 | 1 | |
Total | 9

UNIT IV MESSAGE AUTHENTICATION AND INTEGRITY
| Authentication requirement | | T2 | | | |
8 | Kerberos | L | T1, T2 | 458-475 (T1), 435-442 (T2) | 1 | 18 Mar |
9 | X.509 | L | T1 | | 1 | 19 Mar |
Total | 9

1 | Electronic mail security | L | T1 | 590 | 1 | |
2 | PGP | L | T1 | 591-598 | 1 | |
3 | S/MIME | L | T2 | 599-614 | 1 | |
4 | IP security | L | T2 | 626-632 | 1 | |
6 | System security: Intruders | L | T1 | Chp. 22 | 1 | |
8 | Viruses | | | Chp. 23 | | |
9 | Firewalls | | | Chp. 23 | | |
Total | 9
CUMULATIVE TOTAL | 45
With the introduction of the computer, the need for automated tools for protecting files
and other information stored on the computer became evident. This is especially the case for a
shared system, such as a time-sharing system, and the need is even more acute for systems that
can be accessed over a public telephone network, data network, or the Internet. The generic name
for the collection of tools designed to protect data and to thwart hackers is computer security.
The second major change that affected security is the introduction of distributed systems and the
use of networks and communications facilities for carrying data between terminal user and
computer and between computer and computer.
Network security measures are needed to protect data during their transmission. In fact,
the term network security is somewhat misleading, because virtually all business, government,
and academic organizations interconnect their data processing equipment with a collection of
interconnected networks. Such a collection is often referred to as an internet, and the term internet
security is used. We use the term internet, with a lowercase "i," to refer to any interconnected
collection of networks. A corporate intranet is an example of an internet. The Internet with a
capital "I" may be one of the facilities used by an organization to construct its internet.
Internet security consists of measures to deter, prevent, detect, and correct security violations
that involve the transmission of information. That is a broad statement that covers a host of
possibilities. Examples of security violations:
1. User A transmits a file to user B. The file contains sensitive information (e.g., payroll
records) that is to be protected from disclosure. User C, who is not authorized to read the file, is
able to monitor the transmission and capture a copy of the file during its transmission.
4. An employee is fired without warning. The personnel manager sends a message to a server
system to invalidate the employee's account. When the invalidation is accomplished, the server is
to post a notice to the employee's file as confirmation of the action. The employee is able to
intercept the message and delay it long enough to make a final access to the server to retrieve
sensitive information. The message is then forwarded, the action taken, and the confirmation
posted. The employee's action may go unnoticed for some considerable time.
Although this list by no means exhausts the possible types of security violations, it illustrates the
range of concerns of network security.
1. Security involving communications and networks is not as simple as it might first appear to
the novice. The requirements seem to be straightforward; indeed, most of the major
requirements for security services can be given self-explanatory one-word labels:
confidentiality, authentication, nonrepudiation, integrity. But the mechanisms used to meet those
requirements can be quite complex, and understanding them may involve rather subtle
reasoning.
3. Because of point 2, the procedures used to provide particular services are often
counterintuitive: It is not obvious from the statement of a particular requirement that such
elaborate measures are needed. It is only when the various countermeasures are considered that
the measures used make sense.
5. Security mechanisms usually involve more than a particular algorithm or protocol. They
usually also require that participants be in possession of some secret information (e.g., an
encryption key), which raises questions about the creation, distribution, and protection of
that
secret information. There is also a reliance on communications protocols whose behavior may
complicate the task of developing the security mechanism. For example, if the proper
functioning of the security mechanism requires setting time limits on the transit time of a
message from sender to receiver, then any protocol or network that introduces variable,
unpredictable delays may render such time limits meaningless.
Thus, there is much to consider. This chapter provides a general overview of the subject matter
that structures the material in the remainder of the book. We begin with a general discussion of
network security services and mechanisms and of the types of attacks they are designed for. Then
we develop a general overall model within which the security services and mechanisms can be
viewed.
SECURITY TRENDS
In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the
Internet Architecture" (RFC 1636). The report stated the general consensus that the Internet
needs more and better security, and it identified key areas for security mechanisms. Among these
were the need to secure the network infrastructure from unauthorized monitoring and control of
network traffic and the need to secure end-user-to-end-user traffic using authentication and
encryption mechanisms.
These concerns are fully justified. As confirmation, consider the trends reported by the
Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). Figure 1.1a
shows the trend in Internet-related vulnerabilities reported to CERT over a 10-year period. These
include security weaknesses in the operating systems of attached computers (e.g., Windows,
Linux) as well as vulnerabilities in Internet routers and other network devices. Figure 1.1b shows
the number of security-related incidents reported to CERT. These include denial of service
attacks; IP spoofing, in which intruders create packets with false IP addresses and exploit
applications that use authentication based on IP; and various forms of eavesdropping and packet
sniffing, in which attackers read transmitted information, including logon information and
database contents.
SECURITY POLICIES
The following pointers help in setting up the protocols of an organization's security policy. Two
broad groups are distinguished:
User policies
IT policies
User policies generally define the limits of users with respect to the computer resources in a
workplace: for example, what they are allowed to install on their computers, and whether they
may use removable storage.
IT policies are designed for the IT department, to secure the procedures and functions of the IT
field.
General Policies − This is the policy which defines the rights of the staff and access
level to the systems. Generally, it is included even in the communication protocol as a
preventive measure in case there are any disasters.
Server Policies − This defines who should have access to a specific server and with what
rights, which software should be installed, the level of access to the Internet, and how the
servers should be updated.
Firewall Access and Configuration Policies − It defines who should have access to the
firewall and what type of access, like monitoring, rules change. Which ports and
services should be allowed and if it should be inbound or outbound.
Backup Policies − It defines who is the responsible person for backup, what should be
the backup, where it should be backed up, how long it should be kept and the frequency
of the backup.
VPN Policies − These policies generally go with the firewall policy, it defines those
users who should have a VPN access and with what rights. For site-to-site connections
with partners, it defines the access level of the partner to your network, type of
encryption to be set.
When you compile a security policy you should have in mind a basic structure in order to make
something practical. Some of the main points which have to be taken into consideration are −
Types of Policies
The basic philosophy behind discretionary controls is that the users and the programs
they run are good guys, and it is up to the operating system to trust them and protect each user
from outsiders and other users. The basic philosophy behind nondiscretionary controls is that
users are careless and the programs they run can't be presumed to be carrying out their wishes.
The system must be ever vigilant to prevent the users from accidentally or intentionally giving
information to someone who shouldn't have it. Careless users might accidentally type the wrong
file name when including a file in a mail message, or might leave a message world-readable. The
concept is to confine information within a security perimeter, and thus not allow any
information to move from a more secure environment to a less secure environment. A secure
system would have both discretionary and nondiscretionary access controls, with the latter
serving as a backup mechanism with less granularity.
There really is no way for a computer system to prevent that. But the designers wanted to ensure
that no Trojan horse in software could transmit any information out of the perimeter, that nothing
a user did inadvertently could leak information, and that users couldn't spirit out larger amounts
of information than they could memorize.
Levels of Security.
The security label of something consists of two components:
A security level (also known as classification), which might be an integer in some range,
but in the U.S. DoD consists of one of the four ratings unclassified, confidential, secret,
and top secret, where unclassified < confidential < secret < top secret.
A set of zero or more categories (also known as compartments), which describe kinds of
information. For instance, the name CRYPTO might mean information about cryptographic
algorithms, INTEL might mean information about military intelligence, COMSEC might
mean information about communications security, or NUCLEAR might mean information
about types of families.
Documents (or computer files) are marked with a security label saying how sensitive the
information is, and people are issued security clearances according to how trustworthy they are
perceived to be and what information they have demonstrated a "need to know."
Given two security labels (X, S1) and (Y, S2), (X, S1) is defined as being "at least as sensitive as"
(Y, S2) iff X ≥ Y and S2 ⊆ S1. For example,
It is possible for two labels to be incomparable in the sense that neither is more sensitive than the
other. For example, neither of the following are comparable to each other:
A human can only run a process that has a security label below or equal to that of
the human's label.
A process can only read information marked with a security label below or equal to that
of the process.
A process can only write information marked with a security label above or equal to that
of the process. Note that if a process writes information marked with a security label above
that of the process, the process can't subsequently read that information.
The prevention of read-up and write-down is the central idea behind mandatory access controls.
The concepts of confinement within a security perimeter and a generalized hierarchy of security
classes were given a mathematical basis by Bell and La Padula in 1973 [BELL74]. There is
significant complexity associated with the details of actually making them work. There has been
significant subsequent research on more complex models that capture both the trustworthiness
and the confidentiality of data and programs.
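The dominance relation and the no-read-up / no-write-down rules described above can be checked mechanically. The following is an added example, not code from the course file or from the cited textbooks: the level ordering and the category names CRYPTO and INTEL are taken from the text, while the Label class and the names can_run, can_read, can_write and access_decision are chosen here.

```python
from dataclasses import dataclass, field
from typing import FrozenSet

# Ordered classification levels from the text: unclassified < confidential < secret < top secret.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus a set of categories (compartments)."""
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """(X, S1) is at least as sensitive as (Y, S2) iff X >= Y and S2 is a subset of S1."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.categories <= self.categories

    def comparable(self, other: "Label") -> bool:
        """False when neither label dominates the other (e.g. disjoint compartments)."""
        return self.dominates(other) or other.dominates(self)


def can_run(user: Label, process: Label) -> bool:
    """A user may only run a process whose label is below or equal to the user's label."""
    return user.dominates(process)


def can_read(process: Label, obj: Label) -> bool:
    """Simple security property (no read-up): the process label must dominate the object label."""
    return process.dominates(obj)


def can_write(process: Label, obj: Label) -> bool:
    """*-property (no write-down): the object label must dominate the process label."""
    return obj.dominates(process)


def access_decision(process: Label, obj: Label) -> str:
    """Summarise what a process may do with an object: 'read', 'write', 'read/write' or 'none'."""
    checks = (("read", can_read(process, obj)), ("write", can_write(process, obj)))
    rights = [name for name, allowed in checks if allowed]
    return "/".join(rights) or "none"


if __name__ == "__main__":
    # Hypothetical analyst process cleared secret with the CRYPTO compartment.
    analyst = Label("secret", frozenset({"CRYPTO"}))
    print(access_decision(analyst, Label("confidential")))                      # read
    print(access_decision(analyst, Label("top secret", frozenset({"CRYPTO"}))))  # write
    print(access_decision(analyst, Label("secret", frozenset({"INTEL"}))))       # none
```

The third call is the incomparable case the text mentions: secret/{CRYPTO} and secret/{INTEL} fail dominance in both directions, so the process may neither read nor write that object. A check that compares only the numeric level would wrongly allow both, which is why the category subset test is part of the relation and not an afterthought.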
A model for much of what we will be discussing is captured, in very general terms, in
Figure 1.2. A message is to be transferred from one party to another across some sort of Internet
service. The two parties, who are the principals in this transaction, must cooperate for the
exchange to take place. A logical information channel is established by defining a route through
the Internet from source to destination and by the cooperative use of communication protocols
(e.g., TCP/IP) by the two principals. Security aspects come into play when it is necessary or
desirable to protect the information transmission from an opponent who may present a threat to
confidentiality, authenticity, and so on. All the techniques for providing security have two
components:
A trusted third party may be needed to achieve secure transmission. For example, a third party
may be responsible for distributing the secret information to the two principals while keeping it
from any opponent. Or a third party may be needed to arbitrate disputes between the two
principals concerning the authenticity of a message transmission. This general model shows that
there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should
be such that an opponent cannot defeat its purpose.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm
and the secret information to achieve a particular security service. The types of security
mechanisms and services treated here fit into the model shown in Figure 1.2. However, there are other
security-related situations of interest that do not neatly fit this model but are considered in this
book. A general model of these other situations is illustrated in Figure 1.3, which reflects a
concern for protecting an information system from unwanted access. Most readers are familiar
with the concerns caused by the existence of hackers, who attempt to penetrate systems that can
be accessed over a network. The hacker can be someone who, with no malign intent, simply gets
satisfaction from breaking and entering a computer system. The intruder can be a disgruntled
employee who wishes to do damage or a criminal who seeks to exploit computer assets for
financial gain (e.g., obtaining credit card numbers or performing illegal money transfers).
Another type of unwanted access is the placement in a computer system of logic that exploits
vulnerabilities in the system and that can affect application programs as well as utility programs,
such as editors and compilers. Programs can present two kinds of threats:
• Information access threats: Intercept or modify data on behalf of users who should
not have access to that data.
• Service threats: Exploit service flaws in computers to inhibit use by legitimate users.
Viruses and worms are two examples of software attacks. Such attacks can be introduced
into a system by means of a disk that contains the unwanted logic concealed in otherwise useful
software. They can also be inserted into a system across a network; this latter mechanism is of
more concern in network security. The security mechanisms needed to cope with unwanted
access fall into two broad categories (see Figure 1.3). The first category might be termed a
gatekeeper function. It includes password-based login procedures that are designed to deny
access to all but authorized users and screening logic that is designed to detect and reject worms,
viruses, and other similar attacks. Once either an unwanted user or unwanted software gains
access, the second line of defense consists of a variety of internal controls that monitor activity
and analyze stored information in an attempt to detect the presence of unwanted intruders.
• Security attack: Any action that compromises the security of information owned by
an organization.
Threat
Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent
act that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
SECURITY ATTACKS
A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in
terms of passive attacks and active attacks (Figure 1.1). A passive attack attempts to learn or
make use of information from the system but does not affect system resources. An active attack
attempts to alter system resources or affect their operation.
Passive attacks (Figure 1.1) are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is being transmitted. Two
types of passive attacks are the release of message contents and traffic analysis.
Active attacks involve some modification of the data stream or the creation of a false stream
and can be subdivided into four categories: masquerade, replay, modification of messages, and
denial of service. A masquerade takes place when one entity pretends to be a different entity
(path 2 of Figure 1.1b is active). A masquerade attack usually includes one of the other forms of
active attack.
1. Modification of messages –
It means that some portion of a message is altered, or that the message is delayed or
reordered, to produce an unauthorised effect. For example, a message meaning "Allow
JOHN to read confidential file X" is modified to "Allow Smith to read confidential file X".
2. Repudiation –
This attack is done by either the sender or the receiver, who later denies having sent or
received a message. For example, a customer asks his bank to "transfer an amount to
someone" and later the sender (customer) denies having made such a request. This is
repudiation.
3. Replay –
It involves the passive capture of a message and its subsequent retransmission to
produce an unauthorised effect.
4. Denial of Service –
It prevents normal use of communication facilities. This attack may have a specific
target. For example, an entity may suppress all messages directed to a particular
destination. Another form of service denial is the disruption of an entire network, either
by disabling the network or by overloading it with messages so as to degrade
performance.
Passive attacks: A Passive attack attempts to learn or make use of information from the
system but does not affect system resources. Passive Attacks are in the nature of
eavesdropping on or monitoring of transmission. The goal of the opponent is to obtain
information that is being transmitted. The types of passive attacks are as follows:
1. The release of message content –
Telephonic conversation, an electronic mail message or a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.
2. Traffic analysis –
Suppose that we had a way of masking (encrypting) the contents of messages so that the
attacker, even after capturing a message, could not extract any information from it. The
opponent could still determine the location and identity of the communicating hosts and
could observe the frequency and length of messages being exchanged. This information
might be useful in guessing the nature of the communication that is taking place.
A masquerade attack usually includes one of the other forms of active attack. For
example, authentication sequences can be captured and replayed after a valid authentication
sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra
privileges by impersonating an entity that has those privileges. Replay involves the passive
capture of a data unit and its subsequent retransmission to produce an unauthorized effect (paths
1, 2, and 3 active). Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an unauthorized effect
(paths 1 and 2 active). For example, a message meaning “Allow John Smith to read confidential
file accounts” is modified to mean “Allow Fred Brown to read confidential file accounts.” The
denial of service prevents or inhibits the normal use or management of communications facilities
(path 3 active). This attack may have a specific target; for example, an entity may suppress all
messages directed to a particular destination (e.g., the security audit service). Another form of
service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance. Active attacks present the opposite
characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are
available to prevent their success. On the other hand, it is quite difficult to prevent active attacks
absolutely, because of the wide variety of potential physical, software, and network
vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or
delays caused by them. If the detection has a deterrent effect, it may also contribute to
prevention.
Threat vs. attack:
1. A threat can be intentional or unintentional; an attack is intentional.
2. A threat may be malicious; an attack is malicious.
3. Circumstance that
SECURITY SERVICES
• Peer entity authentication: Provides for the corroboration of the identity of a peer
entity in an association. Two entities are considered peers if they implement the same protocol in
different systems; for example two TCP modules in two communicating systems. Peer entity
authentication is provided for use at the establishment of, or at times during the data transfer
phase of, a connection. It attempts to provide confidence that an entity is not performing either a
masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: Provides for the corroboration of the source of a data
unit. It does not provide protection against the duplication or modification of data units. This
type of service supports applications like electronic mail, where there are no prior interactions
between the communicating entities.
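The replay attack described above (an authentication sequence captured and re-sent later) and the requirement that peer entity authentication give confidence that a peer is not replaying a previous connection can be shown side by side with two small authentication schemes. This is an added example, not code from the course file or from X.800; the shared key, the user names and the names static_authenticator, static_verify, ChallengeServer, client_respond and replay_demo are all constructed for it.

```python
import hashlib
import hmac
import secrets
from typing import Set, Tuple

# Shared secret between client and server; constructed for this example only.
SHARED_KEY = b"example-shared-secret"


def _mac(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 tag used as the authenticator in both schemes."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


# Scheme 1: a static authenticator, MAC(key, username), sent on every login.
# The key never leaves the client, but the tag is identical every time, so an
# eavesdropper who captures it once can replay it and masquerade as the user.
def static_authenticator(username: str, key: bytes = SHARED_KEY) -> str:
    return _mac(key, username.encode())


def static_verify(username: str, token: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(token, static_authenticator(username, key))


# Scheme 2: challenge-response. The server issues a fresh random nonce, the client
# answers with MAC(key, username:nonce), and the server consumes the nonce on first use.
class ChallengeServer:
    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.outstanding: Set[str] = set()    # nonces issued but not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, response: str) -> bool:
        if nonce not in self.outstanding:
            return False                        # unknown or already-used nonce: replay rejected
        self.outstanding.discard(nonce)         # consume before checking so a retry cannot reuse it
        expected = _mac(self.key, f"{username}:{nonce}".encode())
        return hmac.compare_digest(response, expected)


def client_respond(username: str, nonce: str, key: bytes = SHARED_KEY) -> str:
    return _mac(key, f"{username}:{nonce}".encode())


def replay_demo() -> Tuple[bool, bool]:
    """Run one legitimate login under each scheme, then replay what an eavesdropper
    captured. Returns (static_replay_accepted, challenge_replay_accepted)."""
    captured_token = static_authenticator("alice")           # seen on the wire
    static_replay_accepted = static_verify("alice", captured_token)

    server = ChallengeServer()
    nonce = server.challenge()
    response = client_respond("alice", nonce)               # (nonce, response) also seen on the wire
    if not server.verify("alice", nonce, response):
        raise RuntimeError("the legitimate login must succeed")
    challenge_replay_accepted = server.verify("alice", nonce, response)
    return static_replay_accepted, challenge_replay_accepted


if __name__ == "__main__":
    print(replay_demo())   # (True, False)
```

The only difference between the two schemes is the fresh, single-use nonce bound into the MAC: without it the authenticator is a reusable credential, with it a captured exchange is worthless. A production server would also expire entries in the outstanding set, otherwise an attacker who requests challenges without answering them can grow it without bound.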
Access Control
In the context of network security, access control is the ability to limit and control the
access to host systems and applications via communications links. To achieve this, each
entity trying to gain access must first be identified, or authenticated, so that access rights can
be tailored to the individual.
Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect
to the content of a data transmission, several levels of protection can be identified. The broadest
service protects all user data transmitted between two users over a period of time. For example,
when a TCP connection is set up between two systems, this broad protection prevents the release
of any user data transmitted over the TCP connection. Narrower forms of this service can also
be defined, including the protection of a single message or even specific fields within a message.
These refinements are less useful than the broad approach and may even be more complex and
expensive to implement. The other aspect of confidentiality is the protection of traffic flow from
analysis. This requires that an attacker not be able to observe the source and destination,
frequency, length, or other characteristics of the traffic on a communications facility.
Data Integrity
Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus,
when a message is sent, the receiver can prove that the alleged sender in fact sent the message.
Similarly, when a message is received, the sender can prove that the alleged receiver in fact
received the message.
Availability Service
Both X.800 and RFC 4949 define availability to be the property of a
system or a system resource being accessible and usable upon demand by an authorized system
entity, according to performance specifications for the system (i.e., a system is available if it
provides services according to the system design whenever users request them). A variety of
attacks can result in the loss of or reduction in availability. Some of these attacks are amenable to
automated countermeasures, such as authentication and encryption, whereas others require some
sort of physical action to prevent or recover from loss of availability of elements of a distributed
system. X.800 treats availability as a property to be associated with various security services.
However, it makes sense to call out specifically an availability service. An availability service
is one that protects a system to ensure its availability. This service addresses the security
concerns raised by denial-of-service attacks. It depends on proper management and control of
system resources and thus depends on access control service and other security services.
Table 1.3 lists the security mechanisms defined in X.800. The mechanisms are
divided into those that are implemented in a specific protocol layer, such as TCP or an
application-layer protocol, and those that are not specific to any particular protocol layer or
security service. These mechanisms will be covered in the appropriate places in the book. So we
do not elaborate now, except to comment on the definition of encipherment. X.800 distinguishes
between reversible encipherment mechanisms and irreversible encipherment mechanisms. A
reversible encipherment mechanism is simply an encryption algorithm that allows data to be
encrypted and subsequently decrypted. Irreversible encipherment mechanisms
include hash algorithms and message authentication codes, which are used in digital signature
and message authentication applications.
Table 1.4, based on one in X.800, indicates the relationship between security services and
security mechanisms.
(X) SESSION OUTCOMES
Students can understand the OSI security architecture.
Students are able to answer the following questions:
What is the difference between an active attack and a passive attack?
How are security services used to enhance the security of data processing?
Differentiate specific security mechanisms from pervasive security mechanisms.
• Plaintext: This is the original intelligible message or data that is fed into
the algorithm as input.
• Secret key: The secret key is also input to the encryption algorithm. The key is
a value independent of the plaintext and of the algorithm. The algorithm will produce a
different output depending on the specific key being used at the time. The exact substitutions
and transformations performed by the algorithm depend on the key.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and
must keep the key secure. If someone can discover the key and knows the algorithm, all
communication using this key is readable.
We assume that it is impractical to decrypt a message on the basis of the ciphertext plus
knowledge of the encryption/decryption algorithm. In other words, we do not need to keep the
algorithm secret; we need to keep only the key secret. This feature of symmetric encryption is
what makes it feasible for widespread use. The fact that the algorithm need not be kept secret
means that manufacturers can and have developed low-cost chip implementations of data
encryption algorithms. These chips are widely available and incorporated into a number of
products. With the use of symmetric encryption, the principal security problem is maintaining
the secrecy of the key.
Let us take a closer look at the essential elements of a symmetric encryption scheme, using
Figure 2.2. A source produces a message in plaintext, X = [X1, X2, ..., XM]. The M elements of
X are letters in some finite alphabet. Traditionally, the alphabet usually consisted of the 26
capital letters. Nowadays, the binary alphabet {0, 1} is typically used. For encryption, a key of
the form K = [K1, K2, ..., KJ] is generated. If the key is generated at the message source, then
it must also be provided to the destination by means of some secure channel. Alternatively, a
third party could generate the key and securely deliver it to both source and destination. With
the message X and the encryption key K as input, the encryption algorithm forms the ciphertext
Y = [Y1, Y2, ..., YN]. We can write this as
Y = E(K, X)
This notation indicates that Y is produced by using encryption algorithm E as a function of the
plaintext X, with the specific function determined by the value of the key K. The intended
receiver, in possession of the key, is able to invert the transformation:
X = D(K, Y)
An opponent, observing Y but not having access to K or X, may attempt to recover X or K or
both X and K. It is assumed that the opponent knows the encryption (E) and decryption (D)
algorithms. If the opponent is interested in only this particular message, then the focus of the
effort is to recover X by generating a plaintext estimate X̂. Often, however, the opponent is
interested in being able to read future messages as well, in which case an attempt is made to
recover K by generating an estimate K̂.
Cryptography
Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms
are based on two general principles: substitution, in which each element in the plaintext (bit,
letter, group of bits or letters) is mapped into another element, and transposition, in which
elements in the plaintext are rearranged. The fundamental requirement is that no information be
lost (i.e., that all operations are reversible). Most systems, referred to as product systems, involve
multiple stages of substitutions and transpositions.
2. The number of keys used. If both sender and receiver use the same key, the system is
referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and
receiver use different keys, the system is referred to as asymmetric, two-key, or public-key
encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of
elements at a time, producing an output block for each input block. A stream cipher processes
the input elements continuously, producing output one element at a time, as it goes along.
Cryptanalysis and Brute-Force Attack
Typically, the objective of attacking an encryption system is to recover the key in use rather
than simply to recover the plaintext of a single ciphertext. There are two general approaches to
attacking a conventional encryption scheme:
• Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus
perhaps some knowledge of the general characteristics of the plaintext or even some
sample plaintext–ciphertext pairs. This type of attack exploits the characteristics of the
algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
• Brute-force attack: The attacker tries every possible key on a piece of ciphertext until
an intelligible translation into plaintext is obtained. On average, half of all possible keys must
be tried to achieve success.
If either type of attack succeeds in deducing the key, the effect is catastrophic: All future and
past messages encrypted with that key are compromised. We first consider cryptanalysis and then
discuss brute-force attacks. Table 2.1 summarizes the various types of cryptanalytic attacks
based on the amount of information known to the cryptanalyst.
The most difficult problem is presented when all that is available is the ciphertext only. In some
cases, not even the encryption algorithm is known, but in general, we can assume that the
opponent does know the algorithm used for encryption. One possible attack under these
circumstances is the brute-force approach of trying all possible keys. If the key space is very
large, this becomes impractical. Thus, the opponent must rely on an analysis of the ciphertext
itself, generally applying various statistical tests to it. To use this approach, the opponent must
have some general idea of the type of plaintext that is concealed, such as English or French text,
an EXE file, a Java source listing, an accounting file, and so on. The ciphertext-only attack is the
easiest to defend against because the opponent has the least amount of information to work with.
In many cases, however, the analyst has more information. The analyst may be able to capture
one or more plaintext messages as well as their encryptions. Or the analyst may know that
certain plaintext patterns will appear in a message. For example, a file that is encoded in the
PostScript format always begins with the same pattern, or there may be a standardized header or
banner to an electronic funds transfer message, and so on.
If the analyst is able somehow to get the source system to insert into the system a message
chosen by the analyst, then a chosen-plaintext attack is possible. An example of this strategy is
differential cryptanalysis. In general, if the analyst is able to choose the messages to encrypt, the
analyst may deliberately pick patterns that can be expected to reveal the structure of the key.
Table 2.1 lists two other types of attack: chosen ciphertext and chosen text. These are less
commonly employed as cryptanalytic techniques but are nevertheless possible avenues of attack.
Only relatively weak algorithms fail to withstand a ciphertext-only attack. Generally, an
encryption algorithm is designed to withstand a known-plaintext attack. Two more definitions
are worthy of note.
An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does
not contain enough information to determine uniquely the corresponding plaintext, no matter
how much ciphertext is available. That is, no matter how much time an opponent has, it is
impossible for him or her to decrypt the ciphertext simply because the required information is
not there. With the exception of a scheme known as the one-time pad, there is no encryption
algorithm that is unconditionally secure. Therefore, all that the users of an encryption algorithm
can strive for is an algorithm that meets one or both of the following criteria:
• The cost of breaking the cipher exceeds the value of the encrypted information.
• The time required to break the cipher exceeds the useful lifetime of the information.
An encryption scheme is said to be computationally secure if either of the foregoing two criteria
is met. Unfortunately, it is very difficult to estimate the amount of effort required to
cryptanalyze ciphertext successfully. All forms of cryptanalysis for symmetric encryption
schemes are designed to exploit the fact that traces of structure or pattern in the plaintext may
survive encryption and be discernible in the ciphertext. This will become clear as we examine
various
symmetric encryption schemes in this chapter. We will see in Part Two that cryptanalysis for
public-key schemes proceeds from a fundamentally different premise, namely, that the
mathematical properties of the pair of keys may make it possible for one of the two keys to be
deduced from the other. A brute-force attack involves trying every possible key until an
intelligible translation of the ciphertext into plaintext is obtained. On average, half of all possible
keys must be tried to achieve success. That is, if there are X different keys, on average an
attacker would discover the actual key after X/2 tries. It is important to note that there is more
to a brute-force attack than simply running through all possible keys. Unless known plaintext is
provided, the analyst must be able to recognize plaintext as plaintext. If the message is just plain
text in English, then the result pops out easily, although the task of recognizing English would
have to be automated. If the text message has been compressed before encryption, then
recognition is more difficult. And if the message is some more general type of data, such as a
numerical file, and this has been compressed, the problem becomes even more difficult to
automate. Thus, to supplement the brute-force approach, some degree of knowledge about the
expected plaintext is needed, and some means of automatically distinguishing plaintext from
garble is also needed.
SUBSTITUTION TECHNIQUES
In this section and the next, we examine a sampling of what might be called classical encryption
techniques. A study of these techniques enables us to illustrate the basic approaches to
symmetric encryption used today and the types of cryptanalytic attacks that must be anticipated.
The two basic building blocks of all encryption techniques are substitution and transposition. We
examine these in the next two sections. Finally, we discuss a system that combines both
substitution and transposition. A substitution technique is one in which the letters of plaintext
are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence
of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.
Caesar Cipher
The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing three places
further down the alphabet. For example,
Note that the alphabet is wrapped around, so that the letter following Z is A.
plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Let us assign a numerical equivalent to each letter:
a  b  c  d  e  f  g  h  i  j  k  l  m
0  1  2  3  4  5  6  7  8  9  10 11 12
n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25
Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the
ciphertext letter C:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is
C = E(k, p) = (p + k) mod 26 (2.1)
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26 (2.2)
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is
easily performed: simply try all the 25 possible keys. Figure 2.3 shows the results of applying
this strategy to the example ciphertext. In this case, the plaintext leaps out as occupying the
third line. Three important characteristics of this problem enabled us to use a brute-force
cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.
In most networking situations, we can assume that the algorithms are known. What generally
makes brute-force cryptanalysis impractical is the use of an algorithm that employs a large
number of keys. For example, the triple DES algorithm, examined in Chapter 6, makes use of a
168-bit key, giving a key space of 2^168 or greater than 3.7 * 10^50 possible keys. The third
characteristic is also significant. If the language of the plaintext is unknown, then plaintext
output may not be recognizable. Furthermore, the input may be abbreviated or compressed in
some fashion, again making recognition difficult. For example, Figure 2.4 shows a portion of a
text file compressed using an algorithm called ZIP.
If this file is then encrypted with a simple substitution cipher (expanded to include more than just
26 alphabetic characters), then the plaintext may not be recognized when it is uncovered in the
brute-force cryptanalysis.
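The Caesar cipher of Equations (2.1) and (2.2), together with the exhaustive key search and the automated plaintext recognition that the brute-force discussion earlier in this unit says is needed, as an added example for these notes (it is not code from the textbook or the course). The English letter frequency table is an approximate set of values assumed for this example, and the sample message is constructed; the recogniser ranks the 25 candidate decryptions by how closely their letter distribution matches English, which is what "recognising plaintext as plaintext" amounts to once it is automated:

```python
"""Caesar cipher: encryption, decryption and exhaustive key search with automatic
recognition of the English candidate (added example, not the textbook's code)."""
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (percent) of letters in English text.
# These are assumed values for the example, of the kind plotted in Figure 2.5.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.2, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.2, "y": 2.0, "z": 0.1,
}


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = E(k, p) = (p + k) mod 26 for each letter; other characters pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = D(k, C) = (C - k) mod 26 for each letter."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Chi-squared distance between the letter distribution of `text` and English.
    Lower means more English-like; this is the automated plaintext recogniser."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter in ALPHABET:
        observed = letters.count(letter)
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext: str):
    """Try all 25 keys and rank the candidates by english_score.
    Returns (best_key, best_plaintext, ranked list of (score, key, candidate))."""
    candidates = []
    for k in range(1, 26):
        candidate = caesar_decrypt(ciphertext, k)
        candidates.append((english_score(candidate), k, candidate))
    candidates.sort()
    _, best_key, best_plain = candidates[0]
    return best_key, best_plain, candidates


if __name__ == "__main__":
    message = "meet me after the toga party"   # constructed sample plaintext
    ct = caesar_encrypt(message, 3)
    print("ciphertext:", ct)
    key, plain, ranked = brute_force(ct)
    print("recovered key:", key, "plaintext:", plain)
    for score, k, candidate in ranked[:5]:
        print(f"key={k:2d} score={score:7.1f} {candidate}")
```

With a message this short the scoring still works because e and t, the two most frequent English letters, dominate it; on compressed or binary plaintext, as the text notes, a letter-frequency recogniser gives no signal and the search has nothing to rank.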
Monoalphabetic Ciphers
With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key
space can be achieved by allowing an arbitrary substitution. Before proceeding, we define the
term permutation. A permutation of a finite set of elements S is an ordered sequence of all the
elements of S, with each element appearing exactly once. For example, if S = {a, b, c}, there are
six permutations of S: abc, acb, bac, bca, cab, cba In general, there are n! permutations of a set of
n elements, because the first element can be chosen in one of n ways, the second in n - 1 ways,
the third in n - 2 ways, and so on. Recall the assignment for the Caesar cipher:
plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
If, instead, the "cipher" line can be any permutation of the 26 alphabetic characters, then there
are 26! or greater than 4 * 10^26 possible keys. This is 10 orders of magnitude greater than the
key space for DES and would seem to eliminate brute-force techniques for cryptanalysis. Such
an approach is referred to as a monoalphabetic substitution cipher, because a single cipher
alphabet (mapping from plain alphabet to cipher alphabet) is used per message.
There is, however, another line of attack. If the cryptanalyst knows the nature of the plaintext
(e.g., noncompressed English text), then the analyst can exploit the regularities of the language.
The ciphertext to be solved is
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
As a first step, the relative frequency of the letters can be determined and compared to a standard
frequency distribution for English, such as is shown in Figure 2.5. If the message were long
enough, this technique alone might be sufficient, but because this is a relatively short message,
we cannot expect an exact match. In any case, the relative frequencies of the letters in the
ciphertext (in percentages) are as follows:
Comparing this breakdown with Figure 2.5, it seems likely that cipher letters P and Z are the
equivalents of plain letters e and t, but it is not certain which is which. The letters S, U, O, M,
and H are all of relatively high frequency and probably correspond to plain letters from the set
{a, h, i, n, o, r, s}. The letters with the lowest frequencies (namely, A, B, G, Y, I, J) are likely
included in the set {b, j, k, q, v, x, z}. There are a number of ways to proceed at this point. We
could make some tentative assignments and start to fill in the plaintext to see if it looks like a
reasonable “skeleton” of a message. A more systematic approach is to look for other regularities.
For example, certain words may be known to be in the text. Or we could look for repeating
sequences of cipher letters /and try to deduce their plaintext equivalents. A powerful tool is to
look at the frequency of two-letter combinations, known as digrams. A table similar to Figure
2.5 could be drawn up showing the relative frequency of digrams. The most common such
digram is th. In our ciphertext, the most common digram is ZW, which appears three times. So
we make the correspondence of Z with t and W with h. Then, by our earlier hypothesis, we can
equate P with e. Now notice that the sequence ZWP appears in the ciphertext, and we can
translate that sequence as “the.” This is the most frequent trigram (three-letter combination) in
English, which seems to indicate that we are on the right track. Next, notice the sequence ZWSZ
in the first line. We do not know that these four letters form a complete word, but if they do, it is
of the form th_t. If so, S equates with a. So far, then, we have
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
 t a        e  e te  a that e e a       a   t
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
   e t   ta t ha e ee  a e  th    t  a
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
 e  e e tat  e   the  et
Only four letters have been identified, but already we have quite a bit of the message. Continued
analysis of frequencies plus trial and error should easily yield a solution from this point. The
complete plaintext, with spaces added between words, follows:
it was disclosed yesterday that several informal but direct contacts have been made with
political representatives of the viet cong in moscow
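The first steps of the frequency analysis just worked through, run as code over the ciphertext quoted in the text. This is an added example for these notes, not code from the textbook: it computes the single-letter percentages, counts digrams and trigrams, and applies the four tentative assignments (Z = t, W = h, P = e, S = a) to show the partial plaintext.

```python
"""Letter, digram and trigram frequency analysis of a monoalphabetic ciphertext
(added example for these notes, not the textbook's code)."""
from collections import Counter

# The 120-letter ciphertext from the text, three lines joined together.
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def letter_frequencies(text: str) -> list:
    """Relative frequency (percent) of each cipher letter, most frequent first."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    counts = Counter(letters)
    n = len(letters)
    return [(ch, round(100.0 * c / n, 2)) for ch, c in counts.most_common()]


def ngram_frequencies(text: str, n: int) -> Counter:
    """Count overlapping n-letter sequences (digrams for n=2, trigrams for n=3)."""
    letters = "".join(ch for ch in text.upper() if ch.isalpha())
    return Counter(letters[i:i + n] for i in range(len(letters) - n + 1))


def apply_partial_key(text: str, mapping: dict) -> str:
    """Substitute the cipher letters guessed so far; unknown letters become '_'."""
    return "".join(mapping.get(ch, "_") if ch.isalpha() else ch for ch in text.upper())


if __name__ == "__main__":
    for letter, pct in letter_frequencies(CIPHERTEXT)[:8]:
        print(f"{letter} {pct:5.2f}")
    digrams = ngram_frequencies(CIPHERTEXT, 2)
    print("most common digrams:", digrams.most_common(6))
    print("ZW occurs", digrams["ZW"], "times; ZWP occurs",
          ngram_frequencies(CIPHERTEXT, 3)["ZWP"], "time(s)")
    # Tentative assignments from the analysis in the text.
    print(apply_partial_key(CIPHERTEXT, {"Z": "t", "W": "h", "P": "e", "S": "a"}))
```

Running it confirms P at 13.33% and Z at 11.67% as the two most frequent cipher letters and ZW among the digrams occurring three times; on a message this short several other digrams tie with ZW, which is why the text cross-checks the guess against the trigram ZWP and the pattern ZWSZ before committing to it.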
Monoalphabetic ciphers are easy to break because they reflect the frequency data of the
original alphabet. A countermeasure is to provide multiple substitutes, known as
homophones, for a single letter. For example, the letter e could be assigned a number of
different cipher symbols, such as 16, 74, 35, and 21, with each homophone assigned to a
letter in rotation or randomly. If the number of symbols assigned to each letter is
proportional to the relative frequency of that letter, then single-letter frequency
information is completely obliterated. The great mathematician Carl Friedrich Gauss
believed that he had devised an unbreakable cipher using homophones. However, even
with homophones, each element of plaintext affects only one element of ciphertext, and
multiple-letter patterns (e.g., digram frequencies) still survive in the ciphertext, making
cryptanalysis relatively straightforward. Two principal methods are used in substitution
ciphers to lessen the extent to which the structure of the plaintext survives in the
ciphertext: One approach is to encrypt multiple letters of plaintext, and the other is to use
multiple cipher alphabets. We briefly examine each.
Playfair Cipher
The best-known multiple-letter encryption cipher is the Playfair, which treats digrams in
the plaintext as single units and translates these units into ciphertext digrams. The
Playfair algorithm is based on the use of a 5 * 5 matrix of letters constructed using a
keyword. Here is an example, solved by Lord Peter Wimsey in Dorothy Sayers’s Have
His Carcase:
In this case, the keyword is monarchy. The matrix is constructed by filling in the letters
of the keyword (minus duplicates) from left to right and from top to bottom, and then
filling in the remainder of the matrix with the remaining letters in alphabetic order. The
letters I and J count as one letter. Plaintext is encrypted two letters at a time, according to
the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such
as x, so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter
to the right, with the first element of the row circularly following the last. For example, ar is
encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter beneath,
with the top element of the column circularly following the last. For example, mu is encrypted
as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row
and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM
(or JM, as the encipherer wishes).
The Playfair cipher is a great advance over simple monoalphabetic ciphers. For one thing, whereas
there are only 26 letters, there are 26 * 26 = 676 digrams, so that identification of individual
digrams is more difficult. Furthermore, the relative frequencies of individual letters exhibit a
much greater range than that of digrams, making frequency analysis much more difficult. For these
reasons, the Playfair cipher was for a long time considered unbreakable. It was used as
the standard field system by the British Army in World War I and still enjoyed
considerable use by the U.S. Army and other Allied forces during World War II. Despite
this level of confidence in its security, the Playfair cipher is relatively easy to break,
because it still leaves much of the structure of the plaintext language intact. A few
hundred letters of ciphertext are generally sufficient. One way of revealing the
effectiveness of the Playfair and other ciphers is shown in Figure 2.6. The line labeled
plaintext plots a typical frequency distribution of the 26 alphabetic characters (no
distinction between upper and lower case) in ordinary text. This is also the frequency
distribution of any monoalphabetic substitution cipher, because the frequency values for
individual letters are the same, just with different letters substituted for the original
letters. The plot is developed in the following way: The number of occurrences of each
letter in the text is counted and divided by the number of occurrences of the most
frequently used letter. Using the results of Figure 2.5, we see that
e is the most frequently used letter. As a result, e has a relative frequency of 1, t of
9.056/12.702 ≈ 0.72, and so on. The points on the horizontal axis correspond
to the letters in order of decreasing frequency. Figure 2.6 also shows the frequency
distribution that results when the text is encrypted using the Playfair cipher. To normalize
the plot, the number of occurrences of each letter in the ciphertext was again divided by
the number of occurrences of e in the plaintext. The resulting plot therefore shows the
extent to which the frequency distribution of letters, which makes it trivial to solve
substitution ciphers, is masked by encryption. If the frequency distribution
information were totally concealed in the encryption process, the ciphertext plot of
frequencies would be flat, and cryptanalysis using ciphertext only would be effectively
impossible. As the figure shows, the Playfair cipher has a flatter distribution than does
plaintext, but nevertheless, it reveals plenty of structure for a cryptanalyst to work with.
The plot also shows the Vigenère cipher, discussed subsequently.
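The four Playfair rules above, implemented with the MONARCHY key square from the text, as an added example for these notes (not code from the textbook). It assumes x as the filler letter and I/J merged into one cell, as the text describes; decryption is the same rules run in the opposite direction (left instead of right, up instead of down, the same corner swap):

```python
"""Playfair cipher with a keyword square (added example for these notes,
not the textbook's code)."""


def build_square(keyword: str) -> list:
    """5x5 matrix: keyword letters without duplicates, then the rest of the
    alphabet in order, with J folded into I."""
    seen = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(square: list) -> dict:
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def prepare(plaintext: str, filler: str = "x") -> list:
    """Rule 1: split into digrams, separating a repeated pair with the filler
    and padding an odd final letter with it."""
    letters = [("i" if ch == "j" else ch) for ch in plaintext.lower() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _shift(square: list, pos: tuple, dr: int, dc: int) -> str:
    r, c = pos
    return square[(r + dr) % 5][(c + dc) % 5]


def _transform_pair(square: list, positions: dict, pair: str, direction: int) -> str:
    """direction=+1 encrypts; -1 decrypts by moving left/up instead of right/down."""
    (r1, c1), (r2, c2) = positions[pair[0]], positions[pair[1]]
    if r1 == r2:                                    # rule 2: same row
        return _shift(square, (r1, c1), 0, direction) + _shift(square, (r2, c2), 0, direction)
    if c1 == c2:                                    # rule 3: same column
        return _shift(square, (r1, c1), direction, 0) + _shift(square, (r2, c2), direction, 0)
    return square[r1][c2] + square[r2][c1]          # rule 4: opposite corners


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = build_square(keyword)
    positions = _positions(square)
    return "".join(_transform_pair(square, positions, p, +1) for p in prepare(plaintext)).upper()


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Returns the digram stream including any filler letters that were inserted."""
    square = build_square(keyword)
    positions = _positions(square)
    letters = "".join(ch for ch in ciphertext.lower() if ch.isalpha())
    pairs = [letters[i:i + 2] for i in range(0, len(letters), 2)]
    return "".join(_transform_pair(square, positions, p, -1) for p in pairs)


if __name__ == "__main__":
    for row in build_square("monarchy"):
        print(" ".join(row).upper())
    for digram in ("ar", "mu", "hs", "ea"):
        print(digram, "->", playfair_encrypt(digram, "monarchy"))
    ct = playfair_encrypt("balloon", "monarchy")
    print("balloon ->", prepare("balloon"), "->", ct, "->", playfair_decrypt(ct, "monarchy"))
```

The decryption deliberately leaves the filler in place (balloon comes back as balxloon), because the cipher itself cannot tell a filler from a genuine x; removing it is a job for the reader of the message.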
Another interesting multiletter cipher is the Hill cipher, developed by the mathematician Lester
Hill in 1929.
Concepts from Linear Algebra
Before describing the Hill cipher, let us briefly review some terminology from linear algebra. In
this discussion, we are concerned with matrix arithmetic modulo 26. For the reader who needs a
refresher on matrix multiplication and inversion.
We define the inverse M^-1 of a square matrix M by the equation M(M^-1) = M^-1 M = I, where I is
the identity matrix. I is a square matrix that is all zeros except for ones along the main diagonal
from upper left to lower right. The inverse of a matrix does not always exist, but when it does, it
satisfies the preceding equation. For example,
To explain how the inverse of a matrix is computed, we begin with the concept of determinant.
For any square matrix (m * m), the determinant equals the sum of all the products that can be
formed by taking exactly one element from each row and exactly one element from each column,
with certain of the product terms preceded by a minus sign. For a 2 * 2 matrix,
the determinant is k11*k22 - k12*k21. For a 3 * 3 matrix, the value of the determinant is
k11*k22*k33 + k21*k32*k13 + k31*k12*k23 - k31*k22*k13 - k21*k12*k33 - k11*k32*k23. If a square
matrix A has a nonzero determinant, then the inverse of the matrix is computed as
[A^-1]ij = (det A)^-1 * (-1)^(i+j) * (Dji)
where (Dji) is the subdeterminant formed by deleting the jth row and the ith column of A, det(A)
is the determinant of A, and (det A)^-1 is the multiplicative inverse of (det A) mod 26.
We can show that 9^-1 mod 26 = 3, because 9 * 3 = 27 mod 26 = 1. Therefore, we compute the
inverse of A as
The Hill Algorithm
This encryption algorithm takes m successive plaintext letters and substitutes for them m
ciphertext letters. The substitution is determined by m linear equations in which each character
is assigned a numerical value (a = 0, b = 1, ..., z = 25). For m = 3, the system can be described
as
where C and P are row vectors of length 3 representing the plaintext and ciphertext, and K is a 3
* 3 matrix representing the encryption key. Operations are performed mod 26. For example,
consider the plaintext “paymoremoney” and use the encryption key
The first three letters of the plaintext are represented by the vector (15 0 24). Then
(15 0 24)K = (303 303 531) mod 26 = (17 17 11) = RRL. Continuing in this fashion, the ciphertext
for the entire plaintext is RRLMWBKASPDH. Decryption requires using the inverse of the matrix K.
We can compute det K = 23, and therefore, (det K)^-1 mod 26 = 17. We can then compute the
inverse as
It is easily seen that if the matrix K-1 is applied to the ciphertext, then the plaintext is recovered.
In general terms, the Hill system can be expressed as
C = E(K, P) = PK mod 26
Consider this example. Suppose that the plaintext “hillcipher” is encrypted using a 2 * 2
Hill cipher to yield the ciphertext HCRZSSXNSP. Thus, we know that (7 8)K mod 26 = (7 2);
(11 11)K mod 26 = (17 25); and so on. Using the first two plaintext–ciphertext pairs, we have
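The Hill cipher carried through in code, as an added example for these notes (not the textbook's code): encryption as C = PK mod 26 with row vectors, the determinant and the cofactor-based inverse mod 26 from the linear algebra review above, and the known-plaintext recovery K = P^-1 C mod 26 that the hillcipher / HCRZSSXNSP example sets up. The 3 * 3 key is the paymoremoney key from the text; the 2 * 2 key for the second example is computed by the code, not quoted from the page.

```python
"""Hill cipher: encryption, matrix inversion mod 26 and known-plaintext key
recovery (added example for these notes, not the textbook's code)."""

MOD = 26


def letters_to_numbers(text: str) -> list:
    """a = 0, b = 1, ..., z = 25; non-letters are dropped."""
    return [ord(ch) - ord("a") for ch in text.lower() if ch.isalpha()]


def numbers_to_letters(nums: list) -> str:
    return "".join(chr(ord("A") + n % MOD) for n in nums)


def mat_mul(a: list, b: list) -> list:
    """(a x b) mod 26 for matrices given as lists of rows."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % MOD
             for j in range(len(b[0]))] for i in range(len(a))]


def minor(m: list, row: int, col: int) -> list:
    """Matrix with the given row and column deleted."""
    return [r[:col] + r[col + 1:] for i, r in enumerate(m) if i != row]


def det(m: list) -> int:
    """Exact integer determinant by cofactor expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def inverse_mod26(m: list) -> list:
    """[A^-1]ij = (det A)^-1 * (-1)^(i+j) * D_ji mod 26, where D_ji deletes row j
    and column i. Raises ValueError when det A has no inverse mod 26."""
    d = det(m) % MOD
    d_inv = pow(d, -1, MOD)          # fails unless gcd(det A, 26) == 1
    n = len(m)
    return [[(d_inv * (-1) ** (i + j) * det(minor(m, j, i))) % MOD for j in range(n)]
            for i in range(n)]


def hill_encrypt(plaintext: str, key: list) -> str:
    """C = PK mod 26, one block of m letters (a 1 x m row vector) at a time."""
    m = len(key)
    nums = letters_to_numbers(plaintext)
    if len(nums) % m:
        raise ValueError("plaintext length must be a multiple of the block size")
    out = []
    for i in range(0, len(nums), m):
        out.extend(mat_mul([nums[i:i + m]], key)[0])
    return numbers_to_letters(out)


def hill_decrypt(ciphertext: str, key: list) -> str:
    """P = C K^-1 mod 26."""
    return hill_encrypt(ciphertext, inverse_mod26(key)).lower()


def recover_key(plaintext: str, ciphertext: str, m: int) -> list:
    """Known-plaintext attack: stack the first m plaintext blocks into an m x m
    matrix P and the matching ciphertext blocks into C, then K = P^-1 C mod 26.
    P must be invertible mod 26 for this to succeed."""
    p_nums, c_nums = letters_to_numbers(plaintext), letters_to_numbers(ciphertext)
    p = [p_nums[i * m:(i + 1) * m] for i in range(m)]
    c = [c_nums[i * m:(i + 1) * m] for i in range(m)]
    return mat_mul(inverse_mod26(p), c)


if __name__ == "__main__":
    K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]          # key from the text
    ct = hill_encrypt("paymoremoney", K)
    print(ct, "det K mod 26 =", det(K) % MOD, "K^-1 =", inverse_mod26(K))
    print(hill_decrypt(ct, K))
    print("recovered 2x2 key:", recover_key("hillcipher", "HCRZSSXNSP", 2))
```

The recovery step is why the text says an algorithm is normally expected to withstand a known-plaintext attack: for a linear cipher, m independent plaintext blocks and their ciphertexts are all that is needed, provided the plaintext matrix happens to be invertible mod 26.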
Polyalphabetic Ciphers
If, on the other hand, a Vigenère cipher is suspected, then progress depends on determining the
length of the keyword, as will be seen in a moment. For now, let us concentrate on how the
keyword length can be determined. The important insight that leads to a solution is the
following: If two identical sequences of plaintext letters occur at a distance that is an integer
multiple of the keyword length, they will generate identical ciphertext sequences. In the
foregoing example, two instances of the sequence “red” are separated by nine character
positions. Consequently, in both cases, r is encrypted using key letter e, e is encrypted using key
letter p, and d is encrypted using key letter t. Thus, in both cases, the ciphertext sequence is
VTW. We indicate this above by underlining the relevant ciphertext letters and shading the
relevant ciphertext numbers. An analyst looking at only the ciphertext would detect the repeated
sequences VTW at a displacement of 9 and make the assumption that the keyword is either three
or nine letters in length. The appearance of VTW twice could be by chance and may not reflect
identical plaintext letters encrypted with identical key letters. However, if the message is long
enough, there will be a number of such repeated ciphertext sequences. By looking for common
factors in the displacements of the various sequences, the analyst should be able to make a good
guess of the keyword length. Solution of the cipher now depends on an important insight. If the
keyword length is m, then the cipher, in effect, consists of m monoalphabetic substitution
ciphers. For example, with the keyword DECEPTIVE, the letters in positions 1, 10, 19, and so
on are all encrypted with the same monoalphabetic cipher. Thus, we can use the known
frequency characteristics of the plaintext language to attack each of the monoalphabetic ciphers
separately. The periodic nature of the keyword can be eliminated by using a nonrepeating
keyword that is as long as the message itself. Vigenère proposed what is referred to as an
autokey system, in which a keyword is concatenated with the plaintext itself to provide a running
key. For our example,
key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
Even this scheme is vulnerable to cryptanalysis. Because the key and the plaintext share the same
frequency distribution of letters, a statistical technique can be applied. For example, e enciphered
by e, by Figure 2.5, can be expected to occur with a frequency of (0.127)2 ≈ 0.016, whereas t
enciphered by t would occur only about half as often. These regularities can be exploited to
achieve successful cryptanalysis.
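The Vigenère cipher, the repeated-sequence test for the keyword length and the autokey variant, as an added example for these notes (not the textbook's code). The keyword DECEPTIVE and the plaintext are the ones used in the text; the function that proposes keyword lengths takes the common factors of the displacements between repeated ciphertext sequences, which on this message yields 3 and 9 from the two occurrences of VTW:

```python
"""Vigenere cipher, Kasiski-style repeated-sequence test, and autokey
(added example for these notes, not the textbook's code)."""
from collections import defaultdict
from functools import reduce
from math import gcd


def _num(ch: str) -> int:
    return ord(ch.lower()) - ord("a")


def _chr(n: int) -> str:
    return chr(ord("A") + n % 26)


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """C_i = (p_i + k_(i mod m)) mod 26, the encryption rule the text calls Equation (2.3)."""
    p = [c for c in plaintext.lower() if c.isalpha()]
    m = len(keyword)
    return "".join(_chr(_num(ch) + _num(keyword[i % m])) for i, ch in enumerate(p))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """p_i = (C_i - k_(i mod m)) mod 26, the decryption rule the text calls Equation (2.4)."""
    c = [x for x in ciphertext.lower() if x.isalpha()]
    m = len(keyword)
    return "".join(_chr(_num(ch) - _num(keyword[i % m])).lower() for i, ch in enumerate(c))


def autokey_encrypt(plaintext: str, keyword: str) -> str:
    """Running key = keyword followed by the plaintext itself."""
    p = "".join(c for c in plaintext.lower() if c.isalpha())
    running = (keyword.lower() + p)[:len(p)]
    return "".join(_chr(_num(a) + _num(k)) for a, k in zip(p, running))


def autokey_decrypt(ciphertext: str, keyword: str) -> str:
    """Each recovered plaintext letter extends the running key for later positions."""
    c = "".join(x for x in ciphertext.lower() if x.isalpha())
    running = list(keyword.lower())
    out = []
    for i, ch in enumerate(c):
        p = _chr(_num(ch) - _num(running[i])).lower()
        out.append(p)
        running.append(p)
    return "".join(out)


def repeated_sequences(ciphertext: str, length: int = 3) -> dict:
    """Map each n-gram occurring more than once to the displacements between occurrences."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        seen[ciphertext[i:i + length]].append(i)
    return {g: [b - a for a, b in zip(pos, pos[1:])] for g, pos in seen.items() if len(pos) > 1}


def candidate_key_lengths(ciphertext: str, length: int = 3) -> list:
    """Factors (> 1) shared by every displacement: the plausible keyword lengths."""
    displacements = [d for ds in repeated_sequences(ciphertext, length).values() for d in ds]
    if not displacements:
        return []
    g = reduce(gcd, displacements)
    return [f for f in range(2, g + 1) if g % f == 0]


if __name__ == "__main__":
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct, repeated_sequences(ct), candidate_key_lengths(ct))
    print(vigenere_decrypt(ct, "deceptive"))
    ak = autokey_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ak, autokey_decrypt(ak, "deceptive"))
```

Once the keyword length m is known, the ciphertext letters at positions i, i + m, i + 2m, ... form one Caesar-shifted alphabet each, and the single-letter frequency analysis from the monoalphabetic section applies to each of the m sub-streams separately.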
Vernam Cipher
The ultimate defense against such a cryptanalysis is to choose a keyword that is as long as the
plaintext and has no statistical relationship to it. Such a system was introduced by an AT&T
engineer named Gilbert Vernam in 1918. His system works on binary data (bits) rather than
letters. The system can be expressed succinctly as follows (Figure 2.7):
ci = pi ⊕ ki
where
pi = ith binary digit of plaintext
ki = ith binary digit of key
ci = ith binary digit of ciphertext
⊕ = exclusive-or (XOR) operation
Compare this with Equation (2.3) for the Vigenère cipher. Thus, the ciphertext is generated by
performing the bitwise XOR of the plaintext and the key. Because of the properties of the XOR,
decryption simply involves the same bitwise operation:
pi = ci ⊕ ki
which compares with Equation (2.4).
The essence of this technique is the means of construction of the key. Vernam proposed the use
of a running loop of tape that eventually repeated the key, so that in fact the system worked with
a very long but repeating keyword. Although such a scheme, with a long key, presents
formidable cryptanalytic difficulties, it can be broken with sufficient ciphertext, the use of
known or probable plaintext sequences, or both.
One-Time Pad
An Army Signal Corps officer, Joseph Mauborgne, proposed an improvement to the Vernam
cipher that yields the ultimate in security. Mauborgne suggested using a random key that is as
long as the message, so that the key need not be repeated. In addition, the key is to be used to
encrypt and decrypt a single message, and then is discarded. Each new message requires a new
key of the same length as the new message. Such a scheme, known as a one-time pad, is
unbreakable. It produces random output that bears no statistical relationship to the plaintext.
Because the ciphertext contains no information whatsoever about the plaintext, there is simply no
way to break the code.
An example should illustrate our point. Suppose that we are using a Vigenère scheme with 27
characters in which the twenty-seventh character is the space character, but with a one-time key
that is as long as the message. Consider the ciphertext
anKyoDKyURePfJByoJDSPlReyIUnofDoIUeRfPlUyTS
Suppose that a cryptanalyst had managed to find two different keys, each of which decrypts this
ciphertext to a plausible plaintext. How is the cryptanalyst to decide which is the correct
decryption (i.e., which is the correct key)? If the actual key were produced in a truly random
fashion, then the cryptanalyst cannot say that one of these two keys is more likely than the other.
Thus, there is no way to decide which key is correct and therefore which plaintext is correct. In
fact, given any plaintext of equal length to the ciphertext, there is a key that produces that
plaintext. Therefore, if you did an exhaustive search of all possible keys, you would end up with
many legible plaintexts, with no way of knowing which was the intended plaintext. Therefore, the
code is unbreakable.
The security of the one-time pad is entirely due to the randomness of the key. If the stream of
characters that constitute the key is truly random, then the stream of characters that constitute
the ciphertext will be truly random. Thus, there are no patterns or regularities that a cryptanalyst
can use to attack the ciphertext. In theory, we need look no further for a cipher. The one-time
pad offers complete security but, in practice, has two fundamental difficulties:
1. There is the practical problem of making large quantities of random keys. Any heavily used
system might require millions of random characters on a regular basis. Supplying truly random
characters in this volume is a significant task.
2. Even more daunting is the problem of key distribution and protection. For every message to be
sent, a key of equal length is needed by both sender and receiver, and no key may ever be used
for a second message. Thus, a mammoth key distribution problem exists.
Because of these difficulties, the one-time pad is of limited utility and is useful primarily for
low-bandwidth channels requiring very high security. The one-time pad is the only cryptosystem
that exhibits what is referred to as perfect secrecy. This concept is explored in Appendix F.
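The two properties argued above, that every plaintext of the right length has a key producing it and that the security rests entirely on the key, can be checked directly. The following Python is an added example and is not part of the course notes or of Stallings' text; it implements the 27-symbol (letters plus space) pad of the example above, and the helper names otp_encrypt, otp_decrypt, key_for and reuse_leak are this example's own. It also shows why the key must never be reused, which is the reason the scheme is called one-time.

```python
import secrets

# Added example (not from the course notes): the 27-symbol one-time pad of the
# text, letters a-z plus space, with a truly random key as long as the message.
ALPHABET = "abcdefghijklmnopqrstuvwxyz "
N = len(ALPHABET)  # 27


def _to_nums(text):
    return [ALPHABET.index(ch) for ch in text]


def _to_text(nums):
    return "".join(ALPHABET[n % N] for n in nums)


def generate_key(length):
    """One uniformly random key symbol per message symbol. secrets (not the
    random module) gives CSPRNG output; a predictable key voids the argument."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(plaintext, key):
    """Vigenere-style addition mod 27 with a key exactly as long as the message."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return _to_text(p + k for p, k in zip(_to_nums(plaintext), _to_nums(key)))


def otp_decrypt(ciphertext, key):
    if len(key) != len(ciphertext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return _to_text(c - k for c, k in zip(_to_nums(ciphertext), _to_nums(key)))


def key_for(ciphertext, desired_plaintext):
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a key that 'decrypts' the ciphertext to it, so exhaustive
    key search yields every legible text and gives no way to choose."""
    return _to_text(c - p for c, p in zip(_to_nums(ciphertext), _to_nums(desired_plaintext)))


def reuse_leak(ciphertext1, ciphertext2):
    """Why the pad is one-time: with one key on two messages the key cancels
    out of c1 - c2, leaving p1 - p2, which is pure plaintext structure
    (positions where the plaintexts agree come out as difference 0, i.e. 'a')."""
    return _to_text(c1 - c2 for c1, c2 in zip(_to_nums(ciphertext1), _to_nums(ciphertext2)))
```

key_for is the exhaustive-search argument made concrete: given the ciphertext and any sentence of the same length, it returns a key under which the ciphertext decrypts to that sentence, so the cryptanalyst has no basis for preferring one candidate over another. reuse_leak is the practitioner's caveat: two messages under the same pad differ, symbol by symbol, exactly as their plaintexts do.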
Rail fence ciphertext (depth 2) for the message "meet me after the toga party":
MEMATRHTGPRYETEFETEOAAT
This sort of thing would be trivial to cryptanalyze. A more complex scheme is to write the
message in a rectangle, row by row, and read the message off, column by column, but permute
the order of the columns. The order of the columns then becomes the key to the algorithm. For
example,
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
Thus, in this example, the key is 4312567. To encrypt, start with the column that is labeled 1, in
this case column 3. Write down all the letters in that column. Proceed to column 4, which is
labeled 2, then column 2, then column 1, then columns 5, 6, and 7. (The plaintext "attack
postponed until two am" has been padded with the filler letters xyz to complete the last row.)
A pure transposition cipher is easily recognized because it has the same letter frequencies as the
original plaintext. For the type of columnar transposition just shown, cryptanalysis is fairly
straightforward and involves laying out the ciphertext in a matrix and playing around with
column positions. Digram and trigram frequency tables can be useful. The transposition cipher
can be made significantly more secure by performing more than one stage of transposition. The
result is a more complex permutation that is not easily reconstructed. Thus, if the foregoing
message is reencrypted using the same algorithm,
Key:    4 3 1 2 5 6 7
Input:  t t n a a p t
        m t s u o a o
        d w c o i x k
        n l y p e t z
Output: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
To visualize the result of this double transposition, designate the letters in the original plaintext
message by the numbers designating their position. Thus, with 28 letters in the message, the
original sequence of letters is
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
which has a somewhat regular structure. But after the second transposition, we have
17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 13 04 23 19 14 11 01 26 21 18 08 06 28
This is a much less structured permutation and is much more difficult to cryptanalyze.
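To make the column ordering and the double transposition reproducible, here is an added Python example (not from the course notes or from Stallings) that implements the columnar transposition exactly as described, generalised to any number of rounds, and also produces the position trace used above. The function names are this example's own.

```python
# Added example (not from the course notes): columnar transposition with a
# numeric key such as 4312567, any number of rounds, and the position trace.


def _column_order(key):
    """Columns in read-out order: the column labelled 1 first, then 2, and so on."""
    return sorted(range(len(key)), key=lambda c: key[c])


def _permute_once(seq, key):
    """Write seq row by row under the key, read it off column by column."""
    ncols = len(key)
    if len(seq) % ncols:
        raise ValueError("pad the message so its length is a multiple of the key length")
    rows = [seq[i:i + ncols] for i in range(0, len(seq), ncols)]
    return [row[c] for c in _column_order(key) for row in rows]


def _unpermute_once(seq, key):
    """Inverse of _permute_once: put each column back, then read rows."""
    ncols = len(key)
    nrows = len(seq) // ncols
    cols = [None] * ncols
    for k, c in enumerate(_column_order(key)):
        cols[c] = seq[k * nrows:(k + 1) * nrows]
    return [cols[c][r] for r in range(nrows) for c in range(ncols)]


def columnar_encrypt(plaintext, key, rounds=1):
    out = list(plaintext)
    for _ in range(rounds):
        out = _permute_once(out, key)
    return "".join(out).upper()


def columnar_decrypt(ciphertext, key, rounds=1):
    out = list(ciphertext.lower())
    for _ in range(rounds):
        out = _unpermute_once(out, key)
    return "".join(out)


def position_trace(length, key, rounds):
    """Where each original position 1..length ends up, as in the tables above."""
    out = list(range(1, length + 1))
    for _ in range(rounds):
        out = _permute_once(out, key)
    return out


def same_letter_frequencies(plaintext, ciphertext):
    """Transposition only moves letters, so the multiset of letters is unchanged;
    this is what gives a pure transposition away to the cryptanalyst."""
    return sorted(plaintext.lower()) == sorted(ciphertext.lower())
```

position_trace(28, "4312567", 2) reproduces the second sequence above; same_letter_frequencies is the check a cryptanalyst applies first, since a ciphertext whose letter histogram matches English is almost certainly a transposition rather than a substitution.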
We conclude with a discussion of a technique that, strictly speaking, is not encryption, namely,
steganography. A plaintext message may be hidden in one of two ways. The methods of
steganography conceal the existence of the message, whereas the methods of cryptography
render the message unintelligible to outsiders by various transformations of the text.
A simple form of steganography, but one that is time-consuming to construct, is one in which an
arrangement of words or letters within an apparently innocuous text spells out the real message.
For example, the sequence of first letters of each word of the overall message spells out the
hidden message. Figure 2.9 shows an example in which a subset of the words of the overall
message is used to convey the hidden message. See if you can decipher this; it's not too hard.
Various other techniques have been used historically; some examples are the following:
• Character marking: Selected letters of printed or typewritten text are overwritten in pencil. The
marks are ordinarily not visible unless the paper is held at an angle to bright light.
• Invisible ink: A number of substances can be used for writing but leave no visible trace until
heat or some chemical is applied to the paper.
• Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper
is held up in front of a light.
• Typewriter correction ribbon: Used between lines typed with a black ribbon, the results of typing
with the correction tape are visible only under a strong light.
Although these techniques may seem archaic, they have contemporary equivalents. One
proposal is to hide a message in the least significant bits of the frames on a CD. For example,
the Kodak Photo CD format's maximum resolution is 2048 × 3072 pixels, with each pixel
containing 24 bits of RGB color information. The least significant bit of each of the three 8-bit
color components of a pixel can be changed without greatly affecting the quality of the image.
At three bits per pixel that is 2048 × 3072 × 3 / 8 = 2,359,296 bytes, so you can hide a roughly
2.3-megabyte message in a single digital snapshot. There are now a number of software
packages available that take this type of approach to steganography.
Steganography has a number of drawbacks when compared to encryption. It requires a lot of
overhead to hide a relatively few bits of information, although using a scheme like that proposed
in the preceding paragraph may make it more effective. Also, once the system is discovered, it
becomes virtually worthless. This problem, too, can be overcome if the insertion method
depends on some sort of key. Alternatively, a message can be first encrypted and then hidden
using steganography. The advantage of steganography is that it can be employed by parties who
have something to lose should the fact of their secret communication (not necessarily the
content) be discovered. Encryption flags traffic as important or secret or may identify the sender
or receiver as someone with something to hide.
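An added Python example (not from the course notes) of the LSB technique described above. It works on a constructed RGB byte buffer rather than a real Kodak Photo CD image, frames the payload with a 4-byte length header (this example's own framing, not a standard), and can permute the insertion order with a key, which is one way to realise the keyed insertion method the text suggests; deriving the permutation seed from SHA-256 of the key is an assumption of this example.

```python
import hashlib
import random

# Added example (not from the course notes): one payload bit in the least
# significant bit of each colour component, with an optional key-dependent
# insertion order so that knowing the method alone is not enough to extract.


def lsb_capacity_bytes(width, height, channels=3):
    """Payload capacity at one bit per colour component."""
    return width * height * channels // 8


def _positions(n_bytes, key):
    """Order in which cover bytes receive payload bits: sequential without a
    key, or a permutation seeded from the key (assumption: SHA-256 of the key)."""
    positions = list(range(n_bytes))
    if key is not None:
        seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
        random.Random(seed).shuffle(positions)
    return positions


def _bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _bytes(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def lsb_embed(cover, payload, key=None):
    """Overwrite LSBs with a 4-byte big-endian length header followed by the payload."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = _bits(framed)
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover: %d bits > %d LSBs" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for pos, bit in zip(_positions(len(cover), key), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego, key=None):
    """Read the LSBs in the same order, decode the header, return the payload."""
    positions = _positions(len(stego), key)
    bits = [stego[p] & 1 for p in positions]
    length = int.from_bytes(_bytes(bits[:32]), "big")
    return _bytes(bits[32:32 + 8 * length])


def max_component_change(cover, stego):
    """LSB embedding changes any colour component by at most 1 out of 255."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def synthetic_cover(width, height, seed=1):
    """Constructed RGB buffer standing in for a real image: row-major, 3 bytes per pixel."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(width * height * 3))
```

Without the key, the receiver reads the LSBs sequentially; with the wrong key the positions are scrambled and the header decodes to garbage. Encrypting the payload before calling lsb_embed gives the encrypt-then-hide combination mentioned above, so that even a recovered payload reveals nothing.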
PRODUCT CRYPTOSYSTEMS
Another innovation introduced by Shannon in his 1949 paper was the idea of combining
cryptosystems by forming their “product.” This idea has been of fundamental importance in the
design of present-day cryptosystems such as the Data Encryption Standard.
For simplicity, we will confine our attention in this section to cryptosystems in which the
ciphertext space is the same as the plaintext space; cryptosystems of this type are called
endomorphic. Suppose S1 and S2 are two endomorphic cryptosystems which have the same
plaintext (and ciphertext) spaces. Then the product of S1 and S2, denoted by S1 × S2, is defined
to be the cryptosystem with that same plaintext and ciphertext space whose keys are pairs of keys.
A key of the product cryptosystem has the form K = (K1, K2), where K1 is a key of S1 and K2
is a key of S2.
The encryption and decryption rules of the product cryptosystem are defined as follows. For
each K = (K1, K2), the encryption rule eK first encrypts x with the rule of S1 under K1, and
then "re-encrypts" the resulting ciphertext with the rule of S2 under K2. Decrypting is similar,
but it must be done in the reverse order: first undo S2 with K2, then undo S1 with K1.
Recall also that cryptosystems have probability distributions associated with their keyspaces.
Thus we need to define the probability distribution for the keyspace of the product
cryptosystem. We do this in a very natural way: the probability of the pair (K1, K2) is the
product of the probability of K1 in S1 and the probability of K2 in S2. In other words, choose
K1 using the distribution of the keyspace of S1, and then independently choose K2 using the
distribution of the keyspace of S2.
Figure 2.2 Multiplicative Cipher
Suppose M is the Multiplicative Cipher (with keys chosen equiprobably) and S is the Shift
Cipher (with keys chosen equiprobably). Then it is very easy to see that M × S is nothing more
than the Affine Cipher (again, with keys chosen equiprobably). It is slightly more difficult to
show that S × M is also the Affine Cipher with equiprobable keys.
Let's prove these assertions. A key in the Shift Cipher is an integer K modulo 26, and the
corresponding encryption rule is eK(x) = x + K mod 26. A key in the Multiplicative Cipher is an
integer a modulo 26 such that gcd(a, 26) = 1; the corresponding encryption rule is ea(x) = ax mod
26. Hence, a key in the product cipher M × S has the form (a, K), where the encryption rule is
x ↦ ax + K mod 26 (multiply first, then shift).
But this is precisely the definition of a key in the Affine Cipher. Further, the probability of a
key in the Affine Cipher is 1/312 = 1/12 × 1/26, which is the product of the probabilities of the
keys a and K, respectively. Thus M × S is the Affine Cipher.
Now let's consider S × M. A key in this cipher has the form (K, a), where the encryption rule is
x ↦ a(x + K) = ax + aK mod 26 (shift first, then multiply).
Thus the key (K, a) of the product cipher S × M is identical to the key (a, aK) of the Affine
Cipher. It remains to show that each key of the Affine Cipher arises with the same probability
1/312 in the product cipher S × M. Observe that aK = K1 if and only if K = a^-1 K1 (recall that
gcd(a, 26) = 1, so a has a multiplicative inverse modulo 26). In other words, the key (a, K1) of
the Affine Cipher is equivalent to the key (a^-1 K1, a) of the product cipher S × M. We thus have
a bijection between the two key spaces. Since each key is equiprobable, we conclude that S × M
is indeed the Affine Cipher.
We have shown that M × S = S × M. Thus we would say that the two cryptosystems commute.
But not all pairs of cryptosystems commute; it is easy to find counterexamples. On the other
hand, the product operation is always associative: (S1 × S2) × S3 = S1 × (S2 × S3).
REMARK It is not hard to show that if S1 and S2 are both idempotent (that is, S1 × S1 = S1
and S2 × S2 = S2) and they commute, then S1 × S2 will also be idempotent. This follows from
the following algebraic manipulations, using associativity, commutativity and idempotence in turn:
(S1 × S2) × (S1 × S2) = S1 × (S2 × S1) × S2 = S1 × (S1 × S2) × S2 = (S1 × S1) × (S2 × S2) = S1 × S2.
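Because the key spaces are tiny, the assertions above can be checked exhaustively. The following Python is an added example, not part of the course notes or of Stinson's text; it encodes the Shift, Multiplicative and Affine ciphers over Z26 as functions, builds S1 × S2 generically, and verifies that M × S and S × M both give the Affine Cipher, that the key map (K, a) to (a, aK) is a bijection, and that the Shift Cipher is idempotent. All function names are this example's own.

```python
from math import gcd

# Added example (not from the course notes): the product construction on the
# Shift (S), Multiplicative (M) and Affine ciphers over Z26, checked exhaustively.
MOD = 26
UNITS = [a for a in range(MOD) if gcd(a, MOD) == 1]   # the 12 valid multiplicative keys
SHIFT_KEYS = list(range(MOD))                          # the 26 shift keys


def shift_enc(x, k):
    return (x + k) % MOD


def shift_dec(y, k):
    return (y - k) % MOD


def mult_enc(x, a):
    return (a * x) % MOD


def mult_dec(y, a):
    return (pow(a, -1, MOD) * y) % MOD     # a^-1 exists because gcd(a, 26) = 1


def affine_enc(x, ab):
    return (ab[0] * x + ab[1]) % MOD


def product_enc(enc1, enc2):
    """S1 x S2: encrypt with S1 under K1, then re-encrypt with S2 under K2."""
    return lambda x, key: enc2(enc1(x, key[0]), key[1])


def product_dec(dec1, dec2):
    """Decryption undoes the stages in reverse order."""
    return lambda y, key: dec1(dec2(y, key[1]), key[0])


def table(enc, key):
    """The encryption rule as a function table on Z26; two rules are the same
    cipher exactly when their tables agree."""
    return tuple(enc(x, key) for x in range(MOD))


M_times_S = product_enc(mult_enc, shift_enc)   # keys (a, K)
S_times_M = product_enc(shift_enc, mult_enc)   # keys (K, a)


def m_times_s_is_affine():
    """(a, K) in M x S acts as x -> ax + K, i.e. the Affine key (a, K)."""
    return all(table(M_times_S, (a, k)) == table(affine_enc, (a, k))
               for a in UNITS for k in SHIFT_KEYS)


def s_times_m_key_to_affine(k, a):
    """(K, a) in S x M acts as x -> a(x + K) = ax + aK: the Affine key (a, aK)."""
    return (a, (a * k) % MOD)


def s_times_m_is_affine():
    return all(table(S_times_M, (k, a)) == table(affine_enc, s_times_m_key_to_affine(k, a))
               for a in UNITS for k in SHIFT_KEYS)


def key_map_is_bijection():
    """Every one of the 312 Affine keys arises from exactly one S x M key,
    so equiprobable product keys give equiprobable Affine keys."""
    images = {s_times_m_key_to_affine(k, a) for a in UNITS for k in SHIFT_KEYS}
    affine_keys = {(a, b) for a in UNITS for b in SHIFT_KEYS}
    return images == affine_keys and len(images) == 12 * 26


def shift_is_idempotent():
    """S x S collapses back to S: (K1, K2) behaves like the single key K1 + K2."""
    S_times_S = product_enc(shift_enc, shift_enc)
    return all(table(S_times_S, (k1, k2)) == table(shift_enc, (k1 + k2) % MOD)
               for k1 in SHIFT_KEYS for k2 in SHIFT_KEYS)
```

shift_is_idempotent is the practical lesson behind the REMARK: composing an idempotent cipher with itself adds key material but no security, which is why the Shift Cipher iterated a thousand times is still a 26-key cipher and why the DES designers needed non-idempotent components.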
CRYPTANALYSIS
There are three major characteristics that separate modern cryptography from the classical
approach.
Figure: Context of Cryptography (Cryptography and Cryptanalysis)
What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of providing
information security.
Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information security
services. You can think of cryptography as the establishment of a large toolkit containing
different techniques for security applications.
What is Cryptanalysis?
The art and science of breaking the ciphertext is known as cryptanalysis.
Cryptanalysis is the sister branch of cryptography and they both co-exist. The cryptographic
process results in the ciphertext for transmission or storage. Cryptanalysis involves the study of
cryptographic mechanisms with the intention to break them. Cryptanalysis is also used during
the design of new cryptographic techniques to test their security strength.
Note: Cryptography is concerned with the design of cryptosystems, while cryptanalysis studies
the breaking of cryptosystems.
Cryptanalysts throughout history have used a number of different methods to break encryption
algorithms, including the following:
• Known-plaintext analysis: If the analyst has samples of plaintext together with the
corresponding ciphertext produced under a particular key, he or she can sometimes deduce the
key by studying the pairs.
• Differential cryptanalysis: A chosen-plaintext technique in which the analyst encrypts pairs of
plaintexts with a chosen difference and studies how that difference propagates to the
ciphertexts; statistical bias in the output differences is used to recover key bits.
• Ciphertext-only analysis: Used when only the ciphertext is available and the analyst has no
sample of plaintext. The analyst relies on statistical regularities of the plaintext language, such
as letter frequencies.
• Timing and differential power analysis: Side-channel techniques that measure how long a
device takes, or how much power it consumes, while encrypting; the measurements are
correlated with hypothesised intermediate values to recover key material.
• Key interception (man in the middle): The analyst interposes in the key exchange between two
parties, so that each party unknowingly establishes a key with the analyst rather than with the
other party; the analyst can then decrypt, read and re-encrypt the traffic in both directions.
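Two of the attack models above, applied to the classical ciphers of this unit, as an added Python example (not from the course notes): a ciphertext-only attack on the Shift Cipher using a chi-square comparison against standard English letter frequencies, and a known-plaintext attack on the Affine Cipher that solves for the key from two letter pairs. The frequency table is the commonly published one; the function names are this example's own.

```python
from math import gcd

# Added example (not from the course notes): ciphertext-only and known-plaintext
# attacks on the Shift and Affine ciphers over the 26-letter alphabet.
ENGLISH = {  # letter frequencies of English text, in percent
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23, "g": 2.02,
    "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03, "m": 2.41, "n": 6.75,
    "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99, "s": 6.33, "t": 9.06, "u": 2.76,
    "v": 0.98, "w": 2.36, "x": 0.15, "y": 1.97, "z": 0.07,
}
MOD = 26


def letters(text):
    return [ch for ch in text.lower() if "a" <= ch <= "z"]


def shift_encrypt(plaintext, k):
    return "".join(chr((ord(ch) - 97 + k) % MOD + 97) for ch in letters(plaintext))


def affine_encrypt(plaintext, a, b):
    return "".join(chr((a * (ord(ch) - 97) + b) % MOD + 97) for ch in letters(plaintext))


def chi_square(text):
    """How far the letter counts of text are from English; lower is more English-like."""
    sample = letters(text)
    n = len(sample)
    score = 0.0
    for ch, pct in ENGLISH.items():
        expected = n * pct / 100
        observed = sample.count(ch)
        score += (observed - expected) ** 2 / expected
    return score


def break_shift_ciphertext_only(ciphertext):
    """Ciphertext-only attack: try all 26 keys, keep the most English-looking result.
    Needs a few dozen letters; very short ciphertexts can fool the statistic."""
    candidates = [(chi_square(shift_encrypt(ciphertext, -k)), k) for k in range(MOD)]
    return min(candidates)[1]


def break_affine_known_plaintext(pairs):
    """Known-plaintext attack: two (plain, cipher) letter pairs whose plaintext
    difference is invertible mod 26 fix the key via
    a = (y1 - y2) * (x1 - x2)^-1 and b = y1 - a*x1 (all mod 26).
    Returns (a, b), or None if no pair of pairs determines the key."""
    nums = [(ord(p) - 97, ord(c) - 97) for p, c in pairs]
    for i in range(len(nums)):
        for j in range(i + 1, len(nums)):
            (x1, y1), (x2, y2) = nums[i], nums[j]
            dx = (x1 - x2) % MOD
            if gcd(dx, MOD) != 1:
                continue    # e.g. plaintext letters 13 apart: difference has no inverse
            a = ((y1 - y2) * pow(dx, -1, MOD)) % MOD
            b = (y1 - a * x1) % MOD
            if all((a * x + b) % MOD == y for x, y in nums):
                return a, b
    return None
```

The known-plaintext solver also illustrates a failure mode worth knowing: pairs whose plaintext letters differ by 2 or 13 (the divisors of 26) do not pin the key down, so a cryptanalyst wants pairs with an invertible difference.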
CO2 An ability to apply various message authentication functions and secure algorithms.
CO3 An ability to analyze and compare different security mechanisms and services
CO5 An ability to explain the basics of number theory and to compare various encryption
techniques.
REFERENCES
Books Referred
Websites Referred
1. https://medium.com/cantors-paradise/shannon-ciphers-and-perfect-security-d70c10379ac2
2. Hermann Gruber, Information-theoretic Cryptography, papro.soft GbR, June 6, 2005.
3. https://link.springer.com/referenceworkentry/10.1007%2F0-387-23483-7_320
4. https://link.springer.com/chapter/10.1007/10718964_39
5. https://uomustansiriyah.edu.iq/media/lectures/6/6_2017_03_17!10_56_57_PM.pdf
6. http://www.engppt.com/2012/10/cryptography-and-network-security.html
7. https://flylib.com/books/en/3.230.1.29/1/
8. https://www.tutorialspoint.com/cryptography/modern_cryptography.htm
9. https://www.studocu.com/in/document/anna-university/cryptography-and-network-security/other/1-cs6701-cryptography-and-network-security-question-bank-2019/6410872/view
10. http://csunplugged.mines.edu/Activities/Cryptography/Cryptography.pdf
Video Lectures
1. http://nptel.ac.in/courses/106105031/ lecture by Dr. Debdeep Mukhopadhyay, IIT Kharagpur
2. https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-033-computer-system-engineering-spring-2009/video-lectures/ lecture by Prof. Robert Morris and Prof. Samuel Madden, MIT.