UNIT-3

Cryptography and
Network Security
Key Security Concepts
 Key Security Concepts
 Confidentiality(covers both data confidentiality and privacy):

Authorized restrictions on information access and disclosure, I

Protection of personal privacy and proprietary information.

Loss of confidentiality is the unauthorized disclosure of information
 Integrity (covers both data and system integrity):

Guarding against improper information modification or destruction,

includes ensuring information non-repudiation and authenticity.

A loss of integrity is the unauthorized modification or destruction of information .
 Availability:

Ensuring timely and reliable access to and use of information.

A loss of availability is the disruption of access to or use of information or an
information system
 Authenticity:

The property of being genuine and being able to be verified and trusted

confidence in the validity of a transmission, a message, or message originator.
 Accountability:

The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity.
 cryptography
 cryptography refers to secure
information and communication
techniques derived from mathematical
concepts and a set of rule-based
calculations called algorithms, to
transform messages in ways that are
hard to decipher.
 Some Basic Terminology
 plaintext - original message
 ciphertext - coded message
 cipher - algorithm for transforming plaintext to ciphertext
 key - info used in cipher known only to sender/receiver
 encipher (encrypt) - converting plaintext to ciphertext
 decipher (decrypt) - recovering plaintext from ciphertext
 cryptography - study of encryption principles/methods
 cryptanalysis (codebreaking) - study of principles/
methods of deciphering ciphertext without knowing key
 cryptology - field of both cryptography and cryptanalysis
 Types of cryptography
 Symmetric Encryption or conventional /
private-key / single-key
 A Symmetric Encryption /public-key/
Two key
 Symmetric Encryption
 or conventional / private-key / single-key
 sender and recipient share a common key
 all classical encryption algorithms are
private-key
 was only type prior to invention of public-
key in 1970’s
 and by far most widely used (still)
 is significantly faster than public-key crypto
Symmetric Cipher Model
 Caesar Cipher
 earliest known substitution cipher
 by Julius Caesar
 first attested use in military affairs
 replaces each letter by 3rd letter on
 example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
 Caesar Cipher
 can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z = IN
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C = OUT

 mathematically give each letter a number

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

 then have Caesar (rotation) cipher as:

c = E(k, p) = (p + k) mod (26)
p = D(k, c) = (c – k) mod (26)
 Cryptanalysis of Caesar
Cipher
 only have 26 possible ciphers

A maps to A,B,..Z
 could simply try each in turn
 a brute force search
 given ciphertext, just try all shifts of letters
 do need to recognize when have plaintext
 eg. break ciphertext "GCUA VQ DTGCM"
 Cryptanalysis of Caesar
Cipher
Three important characteristics of this problem enabled us to
use a brut force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily
recognizable.
We can counter the third point of known plain text by
compressing the plain text due to which the language of
plain text is unknown .
We can use ZIP algorithm to compress
Claude Shannon and Substitution-
Permutation Ciphers
 Claude Shannon introduced idea of substitution-
permutation (S-P) networks in 1949 paper
 form basis of modern block ciphers
 S-P nets are based on the two primitive
cryptographic operations seen before:

substitution (S-box)

permutation (P-box)
 provide confusion & diffusion of message & key
 Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher

based on concept of invertible product cipher
 partitions input block into two halves

process through multiple rounds which

perform a substitution on left data half

based on round function of right half & subkey

then have permutation swapping halves
 implements Shannon’s S-P net concept
Feistel Cipher Structure
 Public-Key Cryptography
 probably most significant advance in the
3000 year history of cryptography
 uses two keys – a public & a private key
 asymmetric since parties are not equal
 uses clever application of number
theoretic concepts to function
 complements rather than replaces private
key crypto
 Public-Key Cryptography
 public-key/two-key/asymmetric cryptography
involves the use of two keys:

a public-key, which may be known by anybody, and can
be used to encrypt messages, and verify signatures

a related private-key, known only to the recipient, used
to decrypt messages, and sign (create) signatures
 infeasible to determine private key from public
 is asymmetric because

those who encrypt messages or verify signatures cannot
decrypt messages or create signatures
Public-Key Cryptography
Public-Key Cryptosystems
Symmetric vs Public-Key
 Message Authentication
 message authentication is concerned with:

protecting the integrity of a message

validating identity of originator

non-repudiation of origin (dispute resolution)
 will consider the security requirements
 then three alternative functions used:

hash function

message encryption

message authentication code (MAC)
 Hash Functions
 condenses arbitrary message to fixed size
h = H(M)
 usuallyassume hash function is public
 hash used to detect changes to message
 want a cryptographic hash function

computationally infeasible to find data mapping to
specific hash (one-way property)

computationally infeasible to find two data to same
hash (collision-free property)
Cryptographic Hash Function
 Hash Function Uses
 Message Integrity Check (MIC)

send hash of message (digest)

MIC always encrypted, message optionally
 Message Authentication Code (MAC)

send keyed hash of message

MAC, message optionally encrypted
 Digital Signature (non-repudiation)

Encrypt hash with private (signing) key

Verify with public (verification) key
 Message Authentication Code
(MAC)
 generated by an algorithm that creates a
small fixed-sized block

depending on both message and secret key

like encryption though need not be reversible
 appended to message as a “signature”
 receiver performs same computation on
message and checks it matches the MAC
 provides assurance that message is
unaltered and comes from sender
Message Authentication Code
asmall fixed-sized block of data
 generated from message + secret key
 MAC = C(K,M)
 appended to message when sent
 Message Authentication
Codes
 asshown the MAC provides authentication
 can also use encryption for secrecy

generally use separate keys for each

can compute MAC either before or after
encryption

is generally regarded as better done before, but
see Generic Composition
 Message Authentication
Codes
 why use a MAC?

sometimes only authentication is needed

sometimes need authentication to persist longer
than the encryption (e.g. archival use)
 note that a MAC is not a digital signature
• Does NOT provide non-repudiation
 MAC Properties
a MAC is a cryptographic checksum
MAC = CK(M)

condenses a variable-length message M

using a secret key K

to a fixed-sized authenticator
 is a many-to-one function

potentially many messages have same MAC

but finding these needs to be very difficult
 Requirements for MACs
 taking into account the types of attacks
 need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible
to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message
 Security of MACs
 like
block ciphers have:
 brute-force attacks exploiting
m/

strong collision resistance hash have cost 2 2

• 128-bit hash looks vulnerable, 160-bits better


MACs with known message-MAC pairs
• can either attack keyspace (cf. key search) or MAC
• at least 128-bit MAC is needed for security
 Security of MACs
 cryptanalytic attacks exploit structure

like block ciphers want brute-force attacks to
be the best alternative
 morevariety of MACs so harder to
generalize about cryptanalysis
 Digital Signature Definition
 A digital signature is an authentication
mechanism that enables the creator of a
message to attach a code that acts as a
signature.

 Typically the signature is formed by taking the

hash of the message and encrypting the
message with the creator’s private key.

 The signature guarantees the source and

integrity of the message.
 Digital Signatures
 have looked at message authentication

but does not address issues of lack of trust
 digital signatures provide the ability to:

verify author, date & time of signature

authenticate message contents

be verified by third parties to resolve disputes
 hence include authentication function with
additional capabilities
Digital Signature Model
 Digital
Signature
Model
Digital Signature Requirements
 must depend on the message signed
 must use information unique to sender

to prevent both forgery and denial
 must be relatively easy to produce
 must be relatively easy to recognize & verify
 be computationally infeasible to forge

with new message for existing digital signature

with fraudulent digital signature for given message
 be practical save digital signature in storage
Applications of Cryptography

 Secure communications

The most obvious use of cryptography, and the one that all of us use frequently,
is encrypting communications between us and another system.

This is most commonly used for communicating between a client program and a
server.

Examples are a web browser and web server, or email client and email server

The best example is web encryption, since here you can choose between a clear
or encrypted version of a website by switching between HTTP and HTTPS in the
URL
 End-to-end Encryption

When email moves from server to server, and from server to you, it is encrypted.

On the mail server and on your system, however, an administrator can read it.

There are options to implement “end-to-end” encryption for email ( use PGP) but
email systems are complex and these options are complex.

Truly secure messaging systems – where only the sender and receiver can read
the message – are those where encryption has been built in from the start.

Whatsapp is good; Signal is better.
Applications of Cryptography

 Storing Data

We all store a large amount of data, and any data is valuable to at least
the person who generated it.

A more notable use of encryption is to encrypt the entire drive, and require
correct credentials to access it.

UCL has recently implemented Microsoft’s Bitlocker on Desktop@UCL
machines, and this means that without the user logging in the data on the
drive is completely opaque.

A relatively recent development is software to create encrypted containers
on a drive.

Veracrypt can be used to create an encrypted volume which is completely
under user control.
Applications of Cryptography
 cryptographically hashed password

One of the main uses of this is to store passwords.

It is very risky to store passwords in an accessible way.

If stored in plaintext on a system, anyone who has access to the system
– legitimate or malicious – can read the password.

Encryption is only a partial answer to storing passwords.

If someone has access to the system storing the encrypted passwords,
they will probably have access to the encryption key to decrypt the
password.

Hashing, on the other hand, produces a relatively secure value for the
attacker.

A system will take the password on login, hash it, and compare to the
hashed value.

At no point will the system – or an attacker – have access to the
plaintext password.