CNS Unit I Notes


UNIT – 1 INTRODUCTION

Security trends - Legal, Ethical and Professional Aspects of Security, Need for Security at
Multiple levels, Security Policies - Model of network security – Security attacks, services and
mechanisms – OSI security architecture – Classical encryption techniques: substitution
techniques, transposition techniques, steganography- Foundations of modern cryptography:
perfect security – information theory – product cryptosystem – cryptanalysis.

Computer data often travels from one computer to another, and once the data is out of hand,
people with bad intentions could modify or forge it, whether for amusement, for their own
benefit or for any other reason. Cryptography can reformat and transform our data, making it safer
on its travel between computers. Cryptographic technology is based on the essentials of secret
codes, powered by modern mathematics that protects our data in powerful ways. It is essential
to know the following higher-level security terms.
Computer Security – The generic name for the collection of tools designed to protect data
and to thwart hackers
Network Security – Measures to protect data during their transmission
Internet Security – Measures to protect data during their transmission over a collection of
interconnected networks

1.1 SECURITY TRENDS

CS 8792-CNS UNIT I Dr.R.Geetha /Professor & HoD / Department of CSE, S.A. Engineering College
1.2 LEGAL, ETHICAL AND PROFESSIONAL ASPECTS OF SECURITY

• Ethics: Rules that define socially acceptable behavior, not necessarily criminal, not
enforced (via authority/courts)

• Laws: Rules that mandate or prohibit behavior, enforced by governing authority (courts)

– Laws carry sanctions of governing authority, ethics do not

• Policy: “Organizational laws”

– Expectations that define acceptable workplace behavior

– General and broad, not aimed at specific technologies or procedures

– To be enforceable, policy must be distributed, readily available, easily understood, and
acknowledged by employees

Law and Ethics in Information Security

• Laws are rules that mandate / prohibit certain behavior in society. Laws are drawn from
ethics, which define socially acceptable behavior.

• Key difference between laws and ethics is that laws carry the sanction of a governing
authority and ethics do not. In turn ethics are based on cultural values – the fixed moral
attitudes / customs of a particular group.

• Some ethics are recognized as universal.

Types of Law

• Civil Law – Represents a wide variety of laws that govern a nation / state.

• Criminal Law – Addresses violations harmful to society, actively enforced through
prosecution by the state.

• Tort Law – Enables individuals to seek recourse against others in the event of personal,
physical or financial injury.

• Private Law – Regulates the relationship between the individual and the organization and
includes family law, commercial law and labor law.

• Public Law – Regulates the structure and administration of government agencies and their
relationship with citizens, employees and other governments, providing careful checks and
balances. Includes criminal, administrative and constitutional law.

Relevant Federal Laws (General)

• Computer Fraud and Abuse Act of 1986 (CFAA)

• National Information Infrastructure Protection Act of 1996

• USA PATRIOT Act of 2001 (made permanent in 2006)

– Broadens reach of law enforcement agencies

– Broadens “protected” information regarding open records law

– Increased accountability, sanctions against money laundering

– National Security Letters: administrative subpoenas with permanent gag orders

• Telecommunications Deregulation and Competition Act of 1996

• Communications Decency Act of 1996 (CDA) (partly struck down)

• Computer Security Act of 1987: sets minimal federal government security standards

Relevant Federal Laws (Privacy)

• Federal Privacy Act of 1974: Federal government

• Electronic Communications Privacy Act of 1986: Regulates interception of electronic
communications

• Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act
of 1999 (GLBA): Require privacy policies in healthcare and financial industries, restrict
sharing and use of customer information

• Family Education Rights and Privacy Act (FERPA): Restricts distribution of “student academic
records” (including names and grades)

• Freedom of Information Act of 1966: can request information from government, some
information is protected

• FACTA Red Flag regulation of 2009 (ID theft)

Relevant Federal Laws (Copyright)

• Intellectual property (IP) protection in U.S., other countries

• Copyright law extends to electronic formats

• With citations, you can include brief portions of others’ work as reference (“fair use”)

• Digital Millennium Copyright Act of 1998 (DMCA):

criminalizes circumvention of technological copyright protection measures (some exceptions)

Export and Espionage Laws

• The need to ensure national security and to protect trade secrets and a variety of other state
and private assets has led to several laws restricting what information, information
management and resources may be exported from the USA.

• The Economic Espionage Act was passed in 1996 to prevent trade secrets from being
illegally shared. The Security and Freedom Through Encryption Act of 1999 provides
guidance on the use of encryption and provides measures of protection from government
intervention.

Policy Versus Law

• Policies are a body of expectations that describe acceptable and unacceptable employee
behaviors in the workplace.

• Policy functions as organizational law, complete with penalties, judicial practices and
sanctions to require compliance.

• Since policies function as laws, they must be crafted with the same care, to ensure that
the policies are complete, appropriate and fairly applied to everyone in the workplace.

• A policy differs from a law in that ignorance of a policy is an acceptable defense, whereas
ignorance of a law is not.

• For a policy to become enforceable, it must be:

- Distributed to all individuals who are expected to comply with it.

- Readily available for employee reference.

- Easily understood, with multi-language translations and translations for visually impaired
or literacy-impaired employees.

- Acknowledged by the employee, usually by means of a signed consent form.

• Only when all conditions are met does the organization have a reasonable expectation of
effective policy, and only then can it penalize employees who violate the policy without fear of
legal retribution.

Ethical Concepts in Information Security

The Ten Commandments of Computer Ethics from The Computer Ethics Institute:

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people's computer work.

3. Thou shalt not snoop around in other people's computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people's computer resources without authorization or proper
compensation.

8. Thou shalt not appropriate other people's intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system
you are designing.

10. Thou shalt always use a computer in ways that insure consideration and respect for your
fellow humans.

Cultural Differences in Ethical Concepts

• Differences in cultures cause problems in determining what is ethical and what is not
ethical, when considering the use of computers.

• Studies of ethical sensitivity to computer use reveal that different nationalities have different
perspectives; difficulties arise when one nationality’s ethical behavior contradicts that of
another nation.

Ethics and Education

• Differences in the ethics of computer use are found among individuals within the same
country, within the same social class, and within the same company.

• Employees must be trained and kept aware of a number of topics related to information
security, not the least of which is the expected behaviors of an ethical employee.

• This is especially important in areas of information security, as many employees may not
have the formal technical training to understand that their behavior is unethical or even
illegal.

• Proper ethical and legal training is vital to creating an informed, well prepared, and
low-risk system user.

Deterrence to Unethical and Illegal Behavior

• It is the responsibility of information security professionals to do everything in their power
to deter illegal, immoral or unethical behavior through the use of policy, education and
training, and the technology aspect of information and systems.

• The value of the technology aspect of protection is well understood, but the value of policy is
often underestimated.

• Three general categories of unethical and illegal behavior are:

1. Ignorance: Ignorance of the law is no excuse, but ignorance of policy and procedure
is acceptable. The first method of deterrence is education. This is accomplished through
designing, publishing, and disseminating organization policies and relevant laws.

2. Accident: Individuals with authorization and privileges to manage information within the
organization are the most likely to cause harm / damage by accident.

3. Intent: Criminal / unethical intent goes to the state of mind of the individual performing
the act. Intent is often the cornerstone of legal defense, when it becomes necessary to
determine whether or not the offender acted out of ignorance, by accident or with specific
intent to cause harm / damage.

Deterrence

• Deterrence is the best method for preventing an illegal or unethical activity. Laws, policies,
and technical controls are all examples of deterrents.

• Laws and policies and their associated penalties only deter if three conditions are present:

- Fear of penalty – Individual intending to commit the act must fear the penalty. Threats of
informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment
/ forfeiture of pay.

- Probability of being caught – Individual has to believe there is strong probability of being
caught performing the illegal / unethical act. Penalties can be severe, but the penalty will not deter
the behavior unless there is an expectation of being caught.

- Probability of penalty being administered – Individual must believe that the penalty will in
fact be administered.

Codes of Ethics, Certifications, and Professional Organizations

• Many organizations have codes of conduct and/or codes of ethics that members are
expected to follow.

• Codes of ethics can have a positive effect on an individual’s judgment regarding computer
use. Unfortunately, many employers do not encourage their employees to join these
professional organizations.

• Individuals who have earned some level of certification or professional accreditation can
be deterred from ethical lapses by the threat of loss of accreditation or certification due to
violation of a code of conduct.

• It is the responsibility of security professionals to act ethically and according to the policies
and procedures of their employer, their professional organization, and the laws of society.

Ethical Codes of Major Professional Organizations for IT

i. Association for Computing Machinery:

- The ACM (www.acm.org) is a respected professional society
originally established in 1947 as “the world's first educational and scientific computing
society”.

- The ACM’s code of ethics requires members to perform their duties in a
manner befitting an ethical computing professional.

ii. International Information Systems Security Certification Consortium, Inc. (ISC)²:

• The (ISC)² (www.isc2.org) is a non-profit organization that focuses on the development
and implementation of information security certifications and credentials.

• It manages a body of knowledge on information security and administers and evaluates
examinations for information security certifications.

iii. System Administration, Networking, and Security Institute:

• The System Administration, Networking, and Security Institute, or SANS (www.sans.org),
is a professional organization with a large membership dedicated to the protection of
information and systems.

1.3 NEED FOR SECURITY AT MULTIPLE LEVELS

Business Needs First, Technology Needs Last

Information security performs four important functions for an organization:

– Protects the organization’s ability to function.

– Enables the safe operation of applications implemented on the organization’s IT systems.

– Protects the data the organization collects and uses.

– Safeguards the technology assets in use at the organization.

Protecting the Functionality of Organization

• Both general management and IT management are responsible for implementing information
security that protects the organization’s ability to function.

• Decision makers must set policy and operate their organization in compliance with
complex, shifting legislation that controls the use of technology.

• Implementing information security is more a matter for management than for technology,
i.e., information security has more to do with policy and its enforcement than with the
technology of its implementation.

• Communities of interest within the organization must address information security in terms of
business impact and the cost of business interruption, rather than focusing on security as a
technical problem.

Enabling Safe Operation

• Organizations must create integrated, efficient, and capable applications, and such
applications should be guarded by using the organization’s IT systems.

• The applications that serve as important elements of the organization's infrastructure
include OS platforms, e-mail, instant messaging etc.

• Such applications can be outsourced or developed in-house by the management. Once acquired
and put in place, management must continue to oversee them, and not abdicate the responsibility
for the entire infrastructure to the IT department.

Protecting Data that the Organization Collects and Uses

• One of the most valuable assets to an organization is data. Without data, an organization
loses its record of transactions and/or its ability to deliver value to its customers.

• Any business, educational institution or government agency that functions within the modern
context of connected and responsive services relies on information systems to support these
transactions.

• Even if a transaction is not done online, it involves the creation and movement of goods and
services. Therefore protecting data in motion and data at rest are both critical.

• The value of data lures attackers. Therefore an effective information security program is
essential to the protection of the integrity and value of the organization’s data.

Safeguarding Technology Assets in Organization

• Organizations must have secure infrastructure services based on the size and scope of the
enterprise.

• For example, a small business may use the e-mail facility of an ISP and augment it with an
encryption tool. As it grows, it must develop additional security services.

• For example, a larger organization may use Public Key Infrastructure (PKI), an integrated
system of software, encryption methodologies and legal agreements that can be used to support
the entire information infrastructure of an organization.

• More robust solutions may be needed to replace security programs the organization has
outgrown. An example of a more robust technology is a firewall.

1.4 SECURITY POLICIES

• Communities of interest need to consider policies as starting point for security efforts

• Policies direct how issues should be addressed and technologies used

• Security policies are least expensive controls to execute but most difficult to implement

• Shaping policy is difficult

Policy Management

• Policy management is needed because of change

• To remain viable, security policies must have:

– People responsible for reviews

– A schedule of reviews

– Method for recommending reviews

– Specific policy issuance and revision date

Information Classification

• Information classification an important aspect of policy (e.g., public, internal, classified)

• Specific company policies may be classified, but general guidelines shared among companies

• A clean desk policy stipulates that at end of business day, classified information is properly
secured

1.5 THE NETWORK SECURITY MODEL


A message is to be transferred from one party to another across some sort of internet. The
two parties, who are the principals in this transaction, must cooperate for the exchange to take
place.
A logical information channel is established by defining a route through the internet from source
to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two
principal parties.
Using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information
for a security service

Fig 1.9 Network security model

MODEL FOR NETWORK ACCESS SECURITY


Using this model requires us to:
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorised users access designated
information or resources
Trusted computer systems may be useful to help implement this model.

Fig 1.10 Network Access Security

TERMINOLOGIES

Cryptography – The art or science encompassing the principles and methods of transforming an
intelligible message into one that is unintelligible, and then retransforming that message back to
its original form
Plaintext – The original message
Cipher text – The transformed message
Cipher – An algorithm for transforming an intelligible message into one that is unintelligible by
transposition and/or substitution methods
Key – Some critical information used by the cipher, known only to the sender and receiver
Encipher (encode) – The process of converting plaintext to cipher text using a cipher and a key
Decipher (decode) – The process of converting cipher text back into plaintext using a cipher and
a key
Cryptanalysis – The study of principles and methods of transforming an unintelligible message
back into an intelligible message without knowledge of the key. Also called code breaking
Cryptology – Both cryptography and cryptanalysis
Code – An algorithm for transforming an intelligible message into an unintelligible one using a
code-book.

1.6 SECURITY, MECHANISM AND ATTACKS – THE OSI SECURITY ARCHITECTURE
ITU-T X.800 Security Architecture for OSI defines a systematic way of defining and
providing security requirements.

Fig1.1 OSI Security Architecture (branches: Security Attacks, Security Mechanisms, Security Services)

1.6.1 SECURITY ATTACKS

Any action carried out in a system that compromises the information owned by an
individual or an organization is called a security attack. It is sometimes also referred to as a
threat, although there is a difference between a threat and an attack.
THREAT
A threat is a possible danger that might exploit a vulnerability: a potential for violation of
security, which exists when there is a circumstance, capability, action, or event that could breach
security and cause harm.
ATTACK
An assault on system security that derives from an intelligent threat; that is, an intelligent
act that is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.
Computer security is generally about protecting the computer. Information security is about how to
prevent attacks and detect attacks on information-based systems.
TWO TYPES OF ATTACKS

• Passive Attacks

• Active Attacks

SECURITY ATTACKS

PASSIVE ATTACK
1. Release of message contents
2. Traffic Analysis

ACTIVE ATTACK
1. Masquerade
2. Replay
3. Modification of message contents
4. Denial of Service (DoS)

Fig1.2 Security Attacks

PASSIVE ATTACK:

Passive attacks are the unauthorized reading of messages. In this type of attack the
message contents are not modified and hence passive attacks are very difficult to detect. The main
aim of the attacker is to obtain the information that is being transmitted between the sender and
the receiver. Eavesdropping is a well known passive attack. Monitoring the transmission is also a
familiar passive attack, as the attacker could gain confidential and sensitive information that is
transmitted. This attack can feasibly be prevented by encrypting the message, i.e., converting the
original message into an unreadable message during transmission, using keys known only to the
sender and receiver.

TWO TYPES OF PASSIVE ATTACKS

1. Release of message contents
2. Traffic analysis

RELEASE OF MESSAGE CONTENTS

Example: A telephone conversation, an electronic mail message.

The transmitted message may contain sensitive or confidential information and hence
preventing an opponent from learning the contents of these transmissions becomes very important.

Fig1.3 Release of message contents


TRAFFIC ANALYSIS:
Suppose that we had a way of masking the content of messages or other information traffic
so that opponents, even if they captured the message, could not extract the information from the
message. The common technique for masking contents is encryption. If we had encryption
protection in place, an opponent might still be able to observe the pattern of these messages. The
opponent could determine the location and identity of communicating hosts and could observe the
frequency and length of messages being exchanged. This information might be useful in guessing
the nature of the communication that was taking place.

Fig1.4 Traffic Analysis

ACTIVE ATTACKS

Active attacks involve modification of the message contents or the creation of false
message contents. Active attacks are subdivided into four categories:
1. Masquerade
2. Replay
3. Modification of messages and
4. Denial of service.

MASQUERADE
A masquerade takes place when one entity pretends to be a different entity (Figure 1.5).
A masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.

Fig1.5 Masquerading

REPLAY
It involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect (Figure 1.6).

Fig1.6 Replay

MODIFICATION OF MESSAGES
This simply means that some portion of a legitimate message is altered, or that messages
are delayed or reordered, to produce an unauthorized effect (Figure 1.7). For example, a message
meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred
Brown to read confidential file accounts."

Fig1.7 Modification of messages

THE DENIAL OF SERVICE

This prevents or inhibits the normal use or management of communications facilities
(Figure 1.8). This attack may have a specific target; for example, an entity may suppress all
messages directed to a particular destination (e.g., the security audit service). Another form of
service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance, so that legitimate users are denied
service.

Fig1.8 Denial of service


1.6.2 SECURITY MECHANISMS

The following are the mechanisms to achieve security.

1. Specific security mechanisms
2. Pervasive security mechanisms

SPECIFIC SECURITY MECHANISMS:

May be incorporated into the appropriate protocol layer in order to provide some of the OSI
security services.
• Encipherment – Transforming readable data into unreadable form.
• Digital signatures – This allows the recipient of the data to prove the source and
integrity of the data unit and protect against forgery.
• Access control – A variety of mechanisms that enforce access rights to
resources.
• Data integrity – A variety of mechanisms used to assure the integrity of a data
unit or stream of data units.
• Authentication exchange – A mechanism intended to ensure the identity of an
entity by means of information exchange.
• Traffic padding – The insertion of bits into gaps in a data stream to frustrate
traffic analysis attempts.
• Routing control – Enables selection of particular physically secure routes for
certain data and allows routing changes, especially when a breach of security is
suspected.
• Notarization – The use of a trusted third party to assure certain properties of a
data exchange.
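The traffic analysis paragraph and the traffic padding mechanism above can be seen together in a small sketch. This is an added example, not part of the original notes: the 64-byte cell size, the one-cell-per-time-slot schedule and all function names are assumptions, and encryption of each cell is left out so that only the padding logic is shown.

```python
import struct

CELL_SIZE = 64            # assumed fixed size of every cell on the wire
PAYLOAD = CELL_SIZE - 1   # first byte of a cell = number of real bytes in it


def pad_stream(sends, ticks):
    """Emit exactly one fixed-size cell per time slot.

    sends maps a time slot to the message queued in that slot. Gaps in the
    data stream are filled with dummy bytes (traffic padding).
    """
    pending = bytearray()
    cells = []
    for tick in range(ticks):
        message = sends.get(tick)
        if message is not None:
            # Length-prefix each message so the receiver can find its end.
            pending += struct.pack(">H", len(message)) + message
        chunk = bytes(pending[:PAYLOAD])
        del pending[:PAYLOAD]
        filler = bytes(PAYLOAD - len(chunk))
        cells.append(bytes([len(chunk)]) + chunk + filler)
    if pending:
        raise ValueError("not enough time slots to send all queued data")
    return cells


def unpad_stream(cells):
    """Receiver side: drop the filler and rebuild the original messages."""
    stream = bytearray()
    for cell in cells:
        if len(cell) != CELL_SIZE or cell[0] > PAYLOAD:
            raise ValueError("malformed cell")
        stream += cell[1:1 + cell[0]]
    messages, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">H", stream, pos)
        pos += 2
        if pos + length > len(stream):
            raise ValueError("truncated message")
        messages.append(bytes(stream[pos:pos + length]))
        pos += length
    return messages


def observer_view(cells):
    """What a passive observer of the padded link sees: slot and size only.

    Assumes each cell is encrypted in a real deployment, so the count byte
    and the zero filler are not readable on the wire.
    """
    return [(tick, len(cell)) for tick, cell in enumerate(cells)]


def unpadded_view(sends):
    """What the same observer sees when messages are sent as they arise."""
    return sorted((tick, len(message)) for tick, message in sends.items())


# Constructed sample traffic: a busy period and a completely idle one.
BUSY = {0: b"login alice", 3: b"x" * 150}
IDLE = {}

if __name__ == "__main__":
    print("unpadded:", unpadded_view(BUSY), "vs", unpadded_view(IDLE))
    print("padded  :", observer_view(pad_stream(BUSY, 8)))
    print("padded  :", observer_view(pad_stream(IDLE, 8)))
    print("received:", unpad_stream(pad_stream(BUSY, 8)))
```

With padding, the busy and idle periods produce the same sequence of slots and sizes, so message frequency and length no longer reveal anything; the cost is bandwidth spent on dummy cells.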

PERVASIVE SECURITY MECHANISMS:

Mechanisms that are not specific to any particular OSI security service or protocol layer.

• Trusted functionality – That which is perceived to be correct with respect to
some criteria (e.g., as established by a security policy).
• Security labels – The marking bound to a resource (which may be a data unit) that
names or designates the security attributes of that resource.
• Event detection – Detection of security-relevant events.
• Security audit trails – Data collected and potentially used to facilitate a security
audit, which is an independent review and examination of system records and
activities.
• Security recovery – Deals with requests from mechanisms, such as event
handling and management functions, and takes recovery actions.

1.6.3 SECURITY SERVICES

X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or of data transfers.

RFC 2828 defines it as a processing or communication service that is provided by a system
to give a specific kind of protection to system resources; security services implement security
policies and are implemented by security mechanisms.
X.800 divides these services into five categories.

1. Authentication
2. Access control
3. Data confidentiality
4. Data integrity
5. Non-repudiation
AUTHENTICATION

The assurance that the communicating entity is the one that it claims to be.
Two types
1. Peer Entity Authentication - Used in association with a logical connection to
provide confidence in the identity of the entities connected.
2. Data-Origin Authentication - In a connectionless transfer, provides assurance
that the source of received data is as claimed.

ACCESS CONTROL

The prevention of unauthorized use of a resource. Policies must be set stating what users or
systems can access and what they cannot access.

DATA CONFIDENTIALITY

The protection of data from unauthorized disclosure.


Four Types
1. Connection Confidentiality - The protection of all user data on a connection.
2. Connectionless Confidentiality - The protection of all user data in a single data block
3. Selective-Field Confidentiality - The confidentiality of selected fields within the user
data on a connection or in a single data block.
4. Traffic-Flow Confidentiality - The protection of the information that might be derived
from observation of traffic flows.

DATA INTEGRITY

The assurance that data received are exactly as sent by an authorized entity (i.e.,
contain no modification, insertion, deletion, or replay).

Simply, message sent = message received exactly as sent

Five types
1. Connection Integrity with Recovery - Provides for the integrity of all user data on a connection
and detects any modification, insertion, deletion, or replay of any data within an entire data
sequence, with recovery attempted.

2. Connection Integrity without Recovery - Provides only detection without recovery.

3. Selective-Field Connection Integrity - Provides for the integrity of selected fields within the
user data of a data block transferred over a connection and takes the form of determination of
whether the selected fields have been modified, inserted, deleted, or replayed.

4. Connectionless Integrity - Provides for the integrity of a single connectionless data block and
may take the form of detection of data modification. Additionally, a limited form of replay
detection may be provided.

5. Selective-Field Connectionless Integrity - Provides for the integrity of selected fields within
a single connectionless data block; takes the form of determination of whether the selected fields
have been modified.
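The replay and modification-of-messages attacks described earlier are what connection integrity without recovery has to detect. The sketch below is an added example, not part of the original notes: it assumes HMAC-SHA256 over a sequence number plus the message, with a key already shared by both parties; the notes do not prescribe a mechanism, and the names `protect` and `Receiver` are chosen here.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte integrity tag


def protect(key, seq, message):
    """Sender: packet = 8-byte sequence number + message + HMAC tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Detects modification and replay; detection only, no recovery."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, packet):
        if len(packet) < 8 + TAG_LEN:
            return ("rejected", "too short")
        header = packet[:8]
        message = packet[8:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + message,
                            hashlib.sha256).digest()
        # Constant-time comparison; any altered bit changes the tag.
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "modified")
        (seq,) = struct.unpack(">Q", header)
        # A genuine packet seen before, or one arriving out of order,
        # carries a sequence number that is not newer than the last one.
        if seq <= self.last_seq:
            return ("rejected", "replayed or reordered")
        self.last_seq = seq
        return ("accepted", message)


def demo():
    """Run the page's John Smith / Fred Brown case against the receiver."""
    key = secrets.token_bytes(32)  # assumed to be shared out of band
    receiver = Receiver(key)
    original = protect(
        key, 0, b"Allow John Smith to read confidential file accounts")
    # Constructed tampering: same length, different name, tag untouched.
    altered = original.replace(b"John Smith", b"Fred Brown")
    follow_up = protect(key, 1, b"Close file accounts")  # constructed
    return [
        receiver.accept(original),   # genuine, first delivery
        receiver.accept(altered),    # modification of message
        receiver.accept(original),   # replay of a captured packet
        receiver.accept(follow_up),  # next genuine packet
        receiver.accept(original),   # late replay
    ]


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The tag is checked before the sequence number, so a forged sequence number is reported as a modification rather than trusted.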
NONREPUDIATION

It provides protection against denial by one of the entities involved in a communication of
having participated in all or part of the communication.

Two types
1. Nonrepudiation at source - Proof that the message was sent by the specified
party (source).
2. Nonrepudiation at destination - Proof that the message was received by the specified
party (destination).

1.7 CLASSICAL ENCRYPTION TECHNIQUES

• Here both sender and recipient share a common key.
• All classical encryption algorithms are private-key.
• This was the only type of encryption scheme prior to the invention of public-key
cryptography in the 1970s, and it is by far the most widely used.
Classical encryption techniques are classified as follows:
1. Symmetric cipher model
2. Substitution cipher
3. Transposition cipher
4. Steganography
1.7.1 SYMMETRIC CIPHER MODEL
Here both the sender and receiver use the same key for encryption and decryption.
Since the key is shared between the sender and the receiver, disputes may arise between
them if the key is compromised or revealed to any other parties.

Fig 1.11 Symmetric Cipher Model


The two requirements for secure use of symmetric encryption:
• A strong encryption algorithm
• A secret key known only to sender / receiver
We can mathematically denote
C = E_K(P)
P = D_K(C)
where C is the cipher text, P is the plain text (message) and K is the key.
This scheme implies a secure channel to distribute the key.
Advantages of Symmetric Model
1. Very simple method
2. Same key is used by the sender and receiver and key management is easier.
Disadvantages of Symmetric Model
1. Because the same key is used by the sender and receiver, it leads to loss of privacy and disputes.

CRYPTOGRAPHY
The cryptographic system can be characterized by:
• Type of encryption operations used
   – Substitution / transposition / product
• Number of keys used
   – Single-key or private / two-key or public
• Way in which plaintext is processed
   – Block / Stream

Stream cipher: processes the input stream continuously, one element at a time. Example: Caesar cipher.
Block cipher: processes the input one block of elements at a time, producing an output block for each
input block. Example: DES.

CRYPTANALYSIS
• The objective is to recover the key, not just the message
• General approaches:
   – Cryptanalytic attack
   – Brute-force attack

1.8 SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other
letters or by numbers or symbols or if plaintext is viewed as a sequence of bits, then substitution
involves replacing plaintext bit patterns with cipher text bit patterns. The following are the various
substitution techniques
1. Caesar cipher
2. Monoalphabetic Cipher
3. Playfair cipher
4. Polyalphabetic cipher
5. Hill Cipher
6. One Time Pad

1.8.1 CAESAR CIPHER

It is also called the Julius Caesar cipher.

This technique replaces each letter of the alphabet with the letter standing three places further
down the alphabet as per the key.

The alphabet is wrapped around, so that the letter following Z is A. Mathematically, assign each
letter a number as mentioned below.

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Then we can have Caesar cipher as:

C = E_K(P) = (P + K) mod 26 // C – Cipher text

P = D_K(C) = (C – K) mod 26 // P – Plain text

Example:

Plain Text : university

Key :3

u: C=(20+3) mod(26) = 23 mod 26 = 23 = X

n: C=(13+3) mod(26) = 16 mod 26 = 16 = Q

i: C=(8+3) mod(26) = 11 mod 26 = 11 = L.

…………………..

y: C=(24+3) mod(26) = 27 mod 26 = 1 = B

Plain Text  : u n i v e r s i t y
Cipher Text : X Q L Y H U V L W B

Plain Text : university

Cipher Text : XQLYHUVLWB (Key=3)

ADVANTAGES OF CAESAR CIPHER:

1. Simple encryption method

DISADVANTAGES OF CAESAR CIPHER:

1. It can be easily hacked.

2. Brute force attack can be easily performed as it involves trying all possible combinations
of 25 keys only.

1.8.2 MONO ALPHABETIC SUBSTITUTION

It is also called a single alphabetic cipher.

Every letter of the alphabet will have a different substitute (key) in a random fashion.

a b c d e f g h i j k l m n o p q r s t u v w x y z
J Q L P B U Z C A K M T I F W Y R X V O S G H E N D

Precisely, rather than just shifting the alphabet (as in the Caesar cipher), shuffle (jumble)
the letters arbitrarily.

Here each plaintext letter maps to a different random cipher text letter, hence the key is 26 letters
long.
Advantages of Monoalphabetic Cipher:
1. Brute force attack becomes more difficult when compared to Caesar cipher.
Disadvantages of Monoalphabetic Cipher:
1. Key management is difficult.
2. The attacker can compare the occurrence of letters in cipher text with standard frequency
of English letters and break the code.
3. Prone to guessing attack using the English letter frequency of occurrence of letters.
1.8.3 PLAYFAIR CIPHER
Not even the large number of keys in a mono alphabetic cipher provides security.
One approach to improve security was to encrypt multiple letters.
Playfair Cipher is an example for encrypting multiple letters. The plain text is broken into
digrams.
• This technique was invented by Charles Wheatstone in 1854, but named after his friend
Baron Playfair
Playfair Key Matrix

• A 5x5 matrix of letters based on a keyword is constructed for encryption and decryption
purpose.

• Fill in the letters of the keyword (remove duplicates if any in the keyword) in the 5x5 matrix and
fill the rest of the matrix with the other letters of the alphabet.

• Example of filling the matrix using the keyword PLAYFAIR is shown below

P L A Y F

I R B C D

E G H K M

N O Q S T

U V W X Z

Rules for encryption:

1. If the plain text letters are repeated in the digram they are separated with a filler character
“x”.

Example : plain text is “balloon”

Digrams : ba lx lo on

3. Two plain letters that fall in the same column are replaced by the letter below it.

Ex: PT: de is replaced as OD

PT: ed is replaced as DO

PT: lu is replaced as RL

4. Two plain text letters that fall in the same row are replaced by the letter to the right of each.

PT: ex is replaced as XM

PT: ns is replaced as OK

5. If the plain text letters are in different rows and columns, then they are replaced by the
opposite letter in the row and column (Hint: draw a rectangle for doing this
operation)

PT: hi is replaced as BM

PT: rw is replaced as XU

ADVANTAGES OF PLAY FAIR CIPHER:

1. Identification of individual digrams is more difficult.

2. Frequency analysis is difficult.

DISADVANTAGES OF PLAY FAIR CIPHER:

1. It is easy to break because the plain text structure remains the same or remains intact.

Example: Encrypting the message "Hide the gold in the tree stump" (note the null "X" used to
separate the repeated "E"s) using the keyword “Playfair” gives the cipher text shown below.

Digrams : HI DE TH EG OL DI NT HE TR EX ES TU MP (with filler “X”)

1. The pair HI forms a rectangle, replace it with BM

2. The pair DE is in a column, replace it with OD

3. The pair TH forms a rectangle, replace it with ZB

4. The pair EG forms a rectangle, replace it with XD

5. The pair OL forms a rectangle, replace it with NA

6. The pair DI forms a rectangle, replace it with BE

7. The pair NT forms a rectangle, replace it with KU

8. The pair HE forms a rectangle, replace it with DM

9. The pair TR forms a rectangle, replace it with UI

10. The pair EX (X inserted to split EE) is in a row, replace it with XM

11. The pair ES forms a rectangle, replace it with MO

12. The pair TU is in a row, replace it with UV

13. The pair MP forms a rectangle, replace it with IF

CIPHER TEXT: BM OD ZB XD NA BE KU DM UI XM MO UV IF
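
The digram rules and the worked example above, as an added Python example (not part of the original notes). The keyword `playfair example` is an assumption of this sketch, chosen because its square yields exactly the digram substitutions listed in the rules and in the worked example; I and J sharing one cell is also an assumption. The `PLAYFAIR` square shown earlier is built by the same `key_matrix` function.

```python
import string

def key_matrix(keyword):
    """Build the 5x5 Playfair square as a 25-letter string (I and J share a cell)."""
    seen = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch in string.ascii_uppercase and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def digrams(plaintext, filler="X"):
    """Split into letter pairs; a repeated letter in a pair is split with the
    filler, and an odd-length message is padded with it."""
    letters = ["I" if c == "J" else c
               for c in plaintext.upper() if c in string.ascii_uppercase]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)   # e.g. "ll" -> "lx", second l starts next pair
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def _substitute(pairs, square, step):
    out = []
    for a, b in pairs:
        ra, ca = divmod(square.index(a), 5)
        rb, cb = divmod(square.index(b), 5)
        if ra == rb:                   # same row: letter to the right (left to decrypt)
            ca, cb = (ca + step) % 5, (cb + step) % 5
        elif ca == cb:                 # same column: letter below (above to decrypt)
            ra, rb = (ra + step) % 5, (rb + step) % 5
        else:                          # rectangle: keep the row, take the other column
            ca, cb = cb, ca
        out.append(square[ra * 5 + ca] + square[rb * 5 + cb])
    return out

def encrypt(plaintext, keyword):
    return " ".join(_substitute(digrams(plaintext), key_matrix(keyword), +1))

def decrypt(ciphertext, keyword):
    letters = [c for c in ciphertext.upper() if c in string.ascii_uppercase]
    pairs = [a + b for a, b in zip(letters[0::2], letters[1::2])]
    return " ".join(_substitute(pairs, key_matrix(keyword), -1))

if __name__ == "__main__":
    print(encrypt("Hide the gold in the tree stump", "playfair example"))
```

Decryption returns the digrams with the filler still in place (`EX ES`), so the receiver has to recognise and drop it.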

1.8.4 HILL CIPHER

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Example 1: Plain text = AT

Key Matrix given : 2*2 ( so 2 letters are encrypted at a time)

The Cipher text obtained after encryption is FK

Example 2:

Given Plain Text : PAY MORE MONEY

Key Matrix given : 3*3( so 3 letters are encrypted at a time)

ADVANTAGES OF HILL CIPHER

1. It hides single letter frequency.

2. This technique is stronger against known cipher text attack

DISADVANTAGES OF HILL CIPHER

1. It can be broken easily with a known plain text attack.

1.8.5 POLYALPHABETIC CIPHER

This technique uses polyalphabetic substitution. Ex: Vigenere cipher based on the Vigenere table.

Fig 1.12 Vigenere table

EXAMPLE 1:

EXAMPLE 2:

If the plain text is longer than the key, then repeat the key till it fits to the plain text.

ADVANTAGES OF VIGENERE CIPHER

1. Simple encryption

2. Same plain text will not produce same cipher text


DISADVANTAGES OF VIGENERE CIPHER

1. Length of the key is as long as the message

1.8.6 ONE TIME PAD

A random key is used.

It is used once and discarded

Every plain text message uses a new key.

ADVANTAGES OF ONE TIME PAD

1. Strongest encryption technique as there are no patterns or regularities to attack the cipher
text.

DISADVANTAGES OF ONE TIME PAD

1. Practical problem of making large quantities of random keys.

2. Problems of key distribution, protection and managing the keys.

1.9 TRANSPOSITION TECHNIQUES

• The classical transposition or permutation ciphers hide the message by rearranging the
letter order without altering the actual letters used

• These can be recognised since they have the same frequency distribution as the original text

1. Rail fence
2. Row transposition ciphers
1.9.1 RAIL FENCE

• This technique writes the message letters out diagonally over a number of rows and then
reads off the cipher row by row

• Example:

Generation of cipher text for the plain text “meet me after the toga party” (depth: 2)

m   e   m   a   t   r   h   t   g   p   r   y
  e   t   e   f   e   t   e   o   a   a   t

CIPHER TEXT: MEMATRHTGPRYETEFETEOAAT

Example 2

Plain Text: meet me after the toga party (depth: 3)

m . . . m . . . t . . . h . . . g . . . r . .
. e . t . e . f . e . t . e . o . a . a . t .
. . e . . . a . . . r . . . t . . . p . . . y

Cipher Text: MMTHGRETEFETEOAATEARTPY

1.9.2 ROW TRANSPOSITION CIPHERS

A MORE COMPLEX TRANSPOSITION

Write the letters of the message out in rows over a specified number of columns,
then reorder the columns according to some key before reading off the rows.
Key: 3421567
Plaintext:
3 4 2 1 5 6 7
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z

Cipher Text: APTMTTNAAODWTSUOCOIXKNLYPETZ
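
Both transposition techniques as an added Python example (not part of the original notes), checked against the cipher texts above. It assumes the rail fence plaintext is "meet me after the toga party", as spelled out in the rail grid, and that the row transposition cipher text is read column by column in key order, which is how the cipher text above is obtained; the function names are this example's own.

```python
from collections import Counter

def _letters(text):
    return [c for c in text.upper() if c.isalpha()]

def rail_pattern(n, depth):
    """Rail index visited by each of n letters on a zigzag of the given depth."""
    if depth < 2:
        return [0] * n
    cycle = list(range(depth)) + list(range(depth - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(n)]

def rail_fence_encrypt(plaintext, depth):
    text = _letters(plaintext)
    rails = rail_pattern(len(text), depth)
    # Read off rail 0 left to right, then rail 1, and so on.
    return "".join(c for r in range(depth)
                   for c, rail in zip(text, rails) if rail == r)

def rail_fence_decrypt(ciphertext, depth):
    rails = rail_pattern(len(ciphertext), depth)
    # Plaintext positions in the order the cipher text lists them (stable sort).
    order = sorted(range(len(ciphertext)), key=lambda i: rails[i])
    plain = [""] * len(ciphertext)
    for pos, ch in zip(order, ciphertext):
        plain[pos] = ch
    return "".join(plain)

def _column_order(key):
    # Index of the column labelled 1, then the column labelled 2, ...
    return sorted(range(len(key)), key=lambda j: key[j])

def row_transposition_encrypt(plaintext, key):
    text, cols = _letters(plaintext), len(key)
    if len(text) % cols:
        raise ValueError("pad the message to a multiple of the key length")
    return "".join("".join(text[j::cols]) for j in _column_order(key))

def row_transposition_decrypt(ciphertext, key):
    cols, rows = len(key), len(ciphertext) // len(key)
    grid = [""] * cols
    for n, j in enumerate(_column_order(key)):
        grid[j] = ciphertext[n * rows:(n + 1) * rows]
    return "".join(grid[j][r] for r in range(rows) for j in range(cols))

def same_frequencies(a, b):
    """Transposition only reorders letters, so the letter counts are unchanged."""
    return Counter(_letters(a)) == Counter(_letters(b))

if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party", 3))
    print(row_transposition_encrypt("attack postponed until two am xyz", "3421567"))
```

`same_frequencies` is the check behind the remark that transposition ciphers can be recognised: the cipher text has the letter frequencies of ordinary English.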

1.10 STEGANOGRAPHY
A plaintext message may be hidden so as to conceal the existence of the message. Various
ways to conceal the message

1. Arrangement of words or letters within an apparently innocuous text spells out the real
message
2. Character marking
Selected letters of printed or typewritten text are overwritten in pencil.
The marks are ordinarily not visible unless the paper is held at an angle to
bright light.

3. Invisible ink
A number of substances can be used for writing but leave no visible trace until heat
or some chemical is applied

4. Pin punctures
Small pin punctures on selected letters are ordinarily not visible unless the paper is
held up in front of a light.

5. Typewriter correction ribbon
Used between lines typed with a black ribbon, the results of typing with the
correction tape are visible only under a strong light

6. Use an audio to hide message

Advantage of steganography

1. It can be employed by parties who have something to lose should the fact of their secret
communication be discovered
2. Encryption flags traffic as important or secret or may identify the sender or receiver as
someone with something to hide

Drawbacks of steganography

1. Lot of overhead to hide a relatively few bits of information.


2. Once the system is discovered, it becomes virtually worthless.
3. The insertion method depends on some sort of key. Alternatively, a message can be first
encrypted and then hidden using steganography

1.11 FOUNDATIONS OF MODERN CRYPTOGRAPHY
In cryptography we have two types of security:

1. Concrete security: measures the security of protocols against current attacks and tries to predict
how long an adversary will take to break the system. These numbers are very hard to obtain for a
new protocol and should be judged conservatively.

2. Asymptotic security: considers a sequence of protocols and asks that the adversary gets worse
at breaking the protocols as the sequence proceeds (even with additional resources). The standard
here is that when the adversary is given time that is a polynomial function of the sequence position,
their success in breaking the protocol should shrink faster than any inverse polynomial function.
1.12 PERFECT SECURITY

“Perfect security” is a special case of information-theoretic security wherein for an
encryption algorithm, if there is ciphertext produced that uses it, no information
about the message is provided without knowledge of the key.

(We want the ciphertext to provide no additional information about the message)
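
An added Python example (not part of the original notes) that checks this definition by exhaustive enumeration. It assumes two-letter messages over the 26-letter alphabet and compares a one-time pad (a fresh random key letter for every plaintext letter) with a shift cipher that reuses one key letter for both positions; all names are this example's own.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

N = 26
MESSAGES = list(product(range(N), repeat=2))   # every two-letter plaintext
OTP_KEYS = list(product(range(N), repeat=2))   # independent key letter per position
SHIFT_KEYS = [(k, k) for k in range(N)]        # the same key letter reused

def encrypt(m, k):
    return tuple((mi + ki) % N for mi, ki in zip(m, k))

def ciphertext_distribution(m, keys):
    """P(C = c | M = m) when the key is drawn uniformly from keys."""
    counts = Counter(encrypt(m, k) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def perfectly_secret(keys):
    """True when every plaintext induces the same ciphertext distribution,
    so observing a ciphertext does not change the odds of any plaintext."""
    reference = ciphertext_distribution(MESSAGES[0], keys)
    return all(ciphertext_distribution(m, keys) == reference for m in MESSAGES)

def consistent_plaintexts(c, keys):
    """Plaintexts that some key maps to the observed ciphertext c."""
    return [m for m in MESSAGES if any(encrypt(m, k) == c for k in keys)]

if __name__ == "__main__":
    c = (0, 1)   # constructed ciphertext "AB"
    print("one-time pad perfectly secret:", perfectly_secret(OTP_KEYS))
    print("reused key perfectly secret:  ", perfectly_secret(SHIFT_KEYS))
    print("plaintexts still possible, one-time pad:", len(consistent_plaintexts(c, OTP_KEYS)))
    print("plaintexts still possible, reused key:  ", len(consistent_plaintexts(c, SHIFT_KEYS)))
```

With the reused key the ciphertext "AB" rules out all but 26 of the 676 plaintexts, because the difference between the two letters survives encryption.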

1.13 INFORMATION THEORY

• Information security is the process of protecting information from unauthorized access,
use, disclosure, destruction, modification, or disruption

• The protection of computer systems and information from harm, theft, and unauthorized
use.

• Protecting the confidentiality, integrity and availability of information

• Information security is an essential infrastructure technology to achieve a successful
information-based society

• "Ensures that only authorized users have access to accurate and complete information
when required." (ISACA, 2008)

• What kind of protection?
   – Protecting important document / computer
   – Protecting communication networks
   – Protecting Internet
   – Protection in ubiquitous world

1.14 PRODUCT CRYPTOSYSTEM

Composing different kinds of simple and insecure ciphers (substitution and transposition) to
create complex and secure cryptosystems is called a “product cipher”.

• Incorporate confusion and diffusion
• Substitution-Permutation Network
• Confusion (substitution):
   – The ciphertext statistics should depend on the plaintext statistics in a
     manner too complicated to be exploited by the enemy cryptanalyst
   – Makes relationship between ciphertext and key as complex as possible
• Diffusion (permutation/transposition):
   – Each digit of the plaintext should influence many digits of the
     ciphertext, and/or
   – Each digit of the secret key should influence many digits of the
     ciphertext.
   – Dissipates statistical structure of plaintext over bulk of ciphertext
• Substitution-Permutation network
   – Substitution (S-box): secret key is used
   – Permutation (P-box): no secret key, fixed topology
   – Provide confusion and diffusion
• S-P networks are expected to have
   – Avalanche property: a single input bit change should force the complementation
     of approximately half of the output bits
   – Completeness property: each output bit should be a complex function of every
     input bit
• Theoretical basis of modern block ciphers

In order to make the job of breaking the cryptosystem more difficult, we could use the product
of two cryptosystems to encode the messages. Here, we encrypt the given message first with
one cryptosystem and then encrypt the resultant ciphertext using the next cryptosystem. We
consider only endomorphic cryptosystems, i.e., those where C = P.
Given two cryptosystems $S_1 = (P, P, K_1, E_1, D_1)$ and $S_2 = (P, P, K_2, E_2, D_2)$,
we then define the product cryptosystem $S_1 \times S_2$ as $(P, P, K_1 \times K_2, E, D)$.
The encryption and decryption functions are defined as $e_{(k_1,k_2)}(x) = e_{k_2}(e_{k_1}(x))$ and
$d_{(k_1,k_2)}(y) = d_{k_1}(d_{k_2}(y))$. The probability distribution of keys in the product
cryptosystem is given by $p_K(k_1, k_2) = p_{K_1}(k_1)\,p_{K_2}(k_2)$.

The product operation on cryptosystems need not always be commutative, but is always
associative. A cryptosystem $S$ is said to be idempotent if $S^2 = S$. Many common ciphers
like the Shift Cipher, the Affine Cipher and the Vigenere Cipher are all idempotent. If a
cryptosystem $S$ is idempotent then there is no point in using $S^2$ to encrypt instead of $S$ since
each extra key is a waste. Otherwise, we could iterate the encryption process to use $S^2$
rather than $S$. For example, the Data Encryption Standard uses 16 iterations.
If $S_1$ and $S_2$ are both idempotent and they commute, then $S_1 \times S_2$ is also idempotent
(since $(S_1 \times S_2) \times (S_1 \times S_2) = S_1 \times (S_2 \times S_1) \times S_2 = (S_1 \times S_1) \times (S_2 \times S_2) = S_1 \times S_2$).
Therefore to get a simple non-idempotent cryptosystem, we can simply take the product of
two different cryptosystems which don't commute.
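
An added Python example (not part of the original notes) that verifies these statements by enumeration over the 26-letter alphabet. It assumes equiprobable keys, represents a cryptosystem by its set of encryption rules together with how many keys give each rule, and introduces a multiplicative cipher e(x) = a·x as a second system whose product with the Shift Cipher is the Affine Cipher; all names are this example's own.

```python
from collections import Counter
from math import gcd

N = 26
SHIFT = [(1, b) for b in range(N)]                      # e(x) = x + b
MULT = [(a, 0) for a in range(N) if gcd(a, N) == 1]     # e(x) = a*x, a invertible mod 26
AFFINE = [(a, b) for a, _ in MULT for b in range(N)]    # e(x) = a*x + b

def enc_map(key):
    """The encryption rule for one key, as the tuple of images of 0..25."""
    a, b = key
    return tuple((a * x + b) % N for x in range(N))

def rules(system):
    """Encryption rules of a system -> number of keys that give each rule."""
    return Counter(enc_map(k) for k in system)

def product_rules(s1, s2):
    """Rules of S1 x S2: apply e_k1 first, then e_k2, for every key pair."""
    out = Counter()
    for k1 in s1:
        m1 = enc_map(k1)
        for k2 in s2:
            m2 = enc_map(k2)
            out[tuple(m2[y] for y in m1)] += 1
    return out

def same_cryptosystem(r1, r2):
    """Same rules with the same probabilities (counts normalised by key totals)."""
    t1, t2 = sum(r1.values()), sum(r2.values())
    return r1.keys() == r2.keys() and all(r1[m] * t2 == r2[m] * t1 for m in r1)

def is_idempotent(system):
    return same_cryptosystem(product_rules(system, system), rules(system))

if __name__ == "__main__":
    print("Shift idempotent: ", is_idempotent(SHIFT))
    print("Affine idempotent:", is_idempotent(AFFINE))
    print("Mult x Shift = Affine:",
          same_cryptosystem(product_rules(MULT, SHIFT), rules(AFFINE)))
    print("Mult and Shift commute:",
          same_cryptosystem(product_rules(MULT, SHIFT), product_rules(SHIFT, MULT)))
```

Encrypting twice with the Shift Cipher uses 676 key pairs but still produces only 26 distinct rules, each equally likely, which is why the second key is wasted.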

1.15 CRYPTANALYSIS
Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret key.
Kerckhoffs’s principle: the adversary knows all details about a cryptosystem except the secret key.
Two general approaches:
• brute-force attack
• non-brute-force attack (cryptanalytic attack)
   May be classified by how much information is needed by the attacker:
   – Ciphertext-only attack
   – Known-plaintext attack
   – Chosen-plaintext attack
   – Chosen-ciphertext attack
   – Chosen text attack

• Ciphertext only
   – only know algorithm & ciphertext, is statistical, know or can identify plaintext
• Known plaintext
   – know/suspect plaintext & ciphertext
• Chosen plaintext
   – select plaintext and obtain ciphertext
• Chosen ciphertext
   – select ciphertext and obtain plaintext
• Chosen text
   – select plaintext or ciphertext to en/decrypt
BRUTE FORCE ATTACK
• It is always possible to simply try every key
• Brute force attack is the most basic attack, with effort proportional to key size; it assumes
the plaintext is either known or can be recognised
