INS- UNIT 1.pdf

Full Transcript

Information and Network
Security

Asst. Prof. Jesica D
 Security Trends
Remote Social
working engineering
cybersecurity
attacks
risks
Multi-factor
Internet of authentication
Things (IoT) improving

Rise of AI
Ransomware

Cloud computing Mobile security
 1. Remote working cybersecurity risks
Working from home poses new cybersecurity risks and is one of the most talked-about new
trends in cyber security. Home offices are often less protected than centralized offices,
which tend to have more secure firewalls, routers, and access management run by IT
security teams. In the rush to keep things operational, traditional security vetting may not
have been as rigorous as usual – with cybercriminals adapting their tactics to take
advantage. Therefore, a critical cyber security trend is for organizations to focus on the
security challenges of distributed workforces.

2. Internet of Things (IoT)
The expanding Internet of Things (IoT) creates more opportunities for cybercrime. Examples
of IoT devices include wearable fitness trackers, smart refrigerators, smartwatches, and
voice assistants like Amazon Echo and Google Home. So many additional devices change
the dynamics and size of what is sometimes called the cyber-attack surface – that is, the
number of potential entry points for malicious actors. Compared to laptops and
smartphones, most IoT devices have fewer processing and storage capabilities. This can
make it harder to employ firewalls, antivirus, and other security applications to safeguard
them.
3. Ransomware
Extortion attacks involve criminals stealing a company’s data and then encrypting it so they
can’t access it. Afterward, cybercriminals blackmail the organization, threatening to release
its private data unless a ransom is paid. The burden of this cyberthreat is significant given
the sensitive data at stake as well as the economic impact of paying the ransom.
4. Cloud services and cloud security threats
Cloud vulnerability continues to be one of the biggest cyber security industry trends. Cloud
services offer a range of benefits – scalability, efficiency, and cost savings. But they are also
a prime target for attackers. Misconfigured cloud settings are a significant cause of data
breaches and unauthorized access, insecure interfaces, and account hijacking.
5. Mobile Security
Mobile threats such as spyware, vulnerabilities with android operating system, DDOS
attacks, spam SMS, stealing of data causing harm to individual as well as organization
which is continuously evolving. Specialized spyware designed to spy on encrypted
messaging applications. Criminals exploiting critical security vulnerabilities within Android
devices.
6. Social engineering attacks
Social engineering attacks like phishing are not new threats but have become more
troubling amid the widespread remote workforce. SMS phishing – sometimes known as
‘smishing’.Attackers use these platforms(messenger apps) to try to trick users into
downloading malware onto their phones. Another variation is voice phishing – also called
‘vishing’.Hackers posing as IT staff called customer service representatives and tricked
them into providing access to an important internal tool.There is also SIM jacking, where
fraudsters contact the representatives of the mobile operator of a particular client and
convince them that their SIM card is hacked. This makes it necessary to transfer the phone
number to another card. If the deception is successful, the cybercriminal gains access to
the digital contents of the target’s phone.
7. Rise of Artificial Intelligence
The use of Machine Learning and Artificial Intelligence is growing rapidly in the industries as it
plays very important role in network security. AI has been paramount in building automated
security systems, natural language processing, face detection, and automatic threat detection. AI
also makes it possible to analyze massive quantities of risk data at a much faster pace. Though
practical implementation of AI and ML is a paramount in developing automated security systems
and threat detection, there is a risk as ML and AI may get exploited by attackers as attacker are
getting smarter.
 THE OSI SECURITY ARCHITECTURE
OSI Security Architecture was developed as an international standard for
computer and communications vendors to develop security features for their
products and services that relate to this structured definition of services and
mechanisms.
OSI security architecture is a systematic way of defining and providing
requirements of the security and it emphasises on following concepts:-
 SECURITY ATTACKS
Security attack is an unauthorized access to sensitive data to expose, steal or
damage it.
 PASSIVE ATTACKS
Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions.
The goal of the opponent is to obtain information that is being transmitted.
Use encryption for data masking so that information is Introduction unreadable
by an intruder.
Two types of passive attacks
1. Release of message contents: A telephone conversation, an electronic mail
message, and a transferred file may contain sensitive or confidential information.
2. Traffic analysis: Data is encrypted so the opponent may not know the exact
contents. An opponent might still be able to observe the pattern of these
messages. The opponent could determine the location and identity of
communicating hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
 ACTIVE ATTACKS
Active attacks involve some modification of the data stream or the creation of a
false stream.
Classified into four types :-
1. Masquerading
2. Replay attack
3. Modification of messages
4. Denial of Service (DOS)

Masquerading
➔ A system or a user posing as a false
identity to gain access or to modify
information
➔ Also known as spoofing
 ACTIVE ATTACKS
Replay attack
Passive capturing of data packet and its transmission to produce authorized effect

Modification of messages
Some portion of a legitimate message is altered, or that messages are delayed or
reordered, to produce an authorized effect
For example, a message meaning “Allow John Smith to read confidential file
accounts” is modified to mean “Allow Fred Brown to read confidential file
accounts.”
 ACTIVE ATTACKS
Denial of Service (DOS)
Prevents or inhibits the normal use or management of communications facilities
May have a specific target; for example, an entity may suppress all messages
directed to a particular destination
Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade
performance.
 SECURITY SERVICES
A processing or communication service that is provided by a system to give a
specific kind of protection to system resources
Security services implement security policies and are implemented by security
mechanisms.
Provided by a protocol layer of communicating open systems and that ensures
adequate security of the systems or of data transfers.
These services are defined by x.800.
X.800 divides these services into five categories
1. AUTHENTICATION
2. ACCESS CONTROL
3. DATA CONFIDENTIALITY
4. DATA INTEGRITY
5. NONREPUDIATION
AUTHENTICATION
The assurance that the communicating entity is the one that it claims to be.
Peer Entity Authentication
1. Used in association with a logical connection to provide confidence in the identity of
the entities connected.
2. Two entities are considered peers if they implement to same protocol in different
systems; e.g., two TCP modules in two communicating systems.
3. Peer entity authentication is provided for use at the establishment of, or at times
during the data transfer phase of, a connection.
4. It attempts to provide confidence that an entity is not performing either a masquerade
or an unauthorized replay of a previous connection.
Data-Origin Authentication
1. In a connectionless transfer, provides assurance that the source of received data is as
claimed.
2. It does not provide protection against the duplication or modification of data units.
This type of service supports applications like electronic mail, where there are no prior
interactions between the communicating entities.
ACCESS CONTROL
1. The prevention of unauthorized use of a resource (i.e., this service controls who can
have access to a resource, under what conditions access can occur, and what those
accessing the resource are allowed to do).
2. To achieve this, each entity trying to gain access must first be identified, or
authenticated, so that access rights can be tailored to the individual(eg ACL).

DATA CONFIDENTIALITY
1. The protection of data from unauthorized disclosure.
2. Confidentiality is the protection of transmitted data from passive attacks.
3. Connection Confidentiality: The protection of all user data on a connection
4. Connectionless Confidentiality: The protection of all user data in a single data block
5. Selective-Field Confidentiality: The confidentiality of selected fields within the user
data on a connection or in a single data block.
6. Traffic-Flow Confidentiality: The protection of the information that might be derived
from observation of traffic flows.
DATA INTEGRITY
1. The assurance that data received are exactly as sent by an authorized entity (i.e.,
contain no modification, insertion, deletion, or replay)
2. Connection Integrity with Recovery
Provides for the integrity of all user data on a connection and detects any
modification, insertion, deletion, or replay of any data within an entire data sequence,
with recovery attempted.
3. Connection Integrity without Recovery
As above, but provides only detection without recovery
4. Selective-Field Connection Integrity
Provides for the integrity of selected fields within the user data of a data block
transferred over a connection and takes the form of determination of whether the
selected fields have been modified, inserted, deleted, or replayed.
5. Selective-Field Connectionless Integrity
Provides for the integrity of selected fields within a single connectionless data block;
takes the form of determination of whether the selected fields have been modified.
NONREPUDIATION
1. Nonrepudiation prevents either sender or receiver from denying a transmitted
message.
2. Nonrepudiation, Origin:
Proof that the message was sent by the specified party
3. Nonrepudiation, Destination:
Proof that the message was received by the specified party
 SECURITY MECHANISMS
Security mechanisms are set of processes designed to detect, prevent and
recover from various types of threats and attacks.
Security mechanisms are the techniques or tools to implement security principles
or security services in an organization
They are divided into 2 categories based upon dependency on protocol
layer/services or independent of them:
1. Specific security mechanism: May be incorporated into the appropriate
protocol layer in order to provide some of the OSI security services.
2. Pervasive security mechanism: Mechanisms that are not specific to any
particular OSI security service or protocol layer.
Categories of Specific Security Mechanism
★ Encipherment
1. Converting data to unreadable format through encryption to maintain
confidentiality.
2. For data transformation various mathematical algorithms are used.
3. Data transformation and recovery depends on encryption keys.
4. Difficulty level of encryption is dependent on mathematical algorithm and no of
keys used.
5. Techniques which are used in encipherment are steganography and cryptography

★ Access Control
1. Enforcing access permission for resources
2. Controls unauthorized access of data
3. Example is passwords, Pin numbers, usage of firewall
4. Defining role of the users and their permissions
Categories of Specific Security Mechanism
★ Digital Signature
1. Security achievement by appending original data with invisible digital data.
2. Form of an electronic signature
3. Digital signature is added to document by sender and verified by receiver
4. Sender uses his own private key and corresponding public key will be share with
receiver. Receiver on the other side uses this public key to assure authenticity of
the sender who has claimed data has been sent by him
5. Authenticity and integrity of the data is been proved.

★ Traffic padding
1. Adding additional data in your network traffic to make it more difficult to identify
the sender, receiver, and/or the data being transmitted.
2. It's designed to make the traffic look more random, or at least less identifiable.
Categories of Specific Security Mechanism
★ Data Integrity
1. Assurance of keeping data intact during transmission
2. Original data is appended with a code which needs to be same during
transmission and verified by sender and receiver to prove data integrity.
3. Original data contents and appended check value is shared with receiver.
4. Receiver at the other end also computes new check value based on some
predefined algorithm.
5. This newly created check value and the value which shared by sender is then
compared.
6. If these both are same then data integrity is maintained.
7. If these both values do not match then there is considered to be data
modification while transmission of data.
8. Detects unauthorized modification of data.
Categories of Specific Security Mechanism
★ Authentication Exchange
1. Entities involved in communication proves their identity to each other
2. Example is two-way handshaking mechanism used to establish connection.

★ Routing control
1. Selection of specific secure routes for data transmission.
2. Enables routing changes when security breach is suspected
3. Choosing and continuously changing various available routes between communicating
entities.
4. Preventing traffic analysis attack on a specific route

★ Notarization
1. The use of a trusted third party to assure certain properties of a data exchange.
2. Record maintenance of request from sender and receiver in case later denied.
3. Prevents repudiation
Categories of Pervasive Security Mechanism
★ Trusted Functionality
1. Supposed to be correct with respect to some criteria like as per security policies

★ Security Label
1. The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.

★ Event Detection
1. Security related events detection
2. Detecting events associated with security violation

★ Security Recovery
Deals with requests from mechanisms, such as event handling and management functions,
and takes recovery actions.
Categories of Pervasive Security Mechanism
★ Security Audit Trail
1. Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities
2. Ensuring compliance with existing policies and operational procedures.
3. Discovering security breaches
4. Suggests changes in policies, controls and procedures if needed
Relationship Between Security Services and
Mechanisms
Classical Encryption Techniques
 Symmetric Cipher Model
Symmetric encryption or one key encryption or conventional encryption is a type of
cryptosystem where encryption and decryption process is done using same key.
Symmetric Cipher Model contains five components.
1. Plain text – Original data that is to be feed as input to the algorithm.
2. Encryption algorithm – Various algorithms used to convert plain text into cipher text.
These algorithms are classified as substitution and transposition algorithms
3. Secret key – The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext and of the algorithm. The exact substitutions and
transformations performed by the algorithm depend on the key.
4. Cipher text – Converted data that is received as output. Output is based on plain text
and secret key used for algorithm.
5. Decryption algorithm – Reverse of an encryption algorithm. It used cipher text and
secret key and generates plain text.
 Characteristics of cryptography
Techniques used in encryption
1. Substitution – Each character of plain text is replaced by other character or symbol
2. Transposition – Rearrangement of characters of plain text
3. Multiple rounds of substitution and transposition is possible

Number of Keys used
1. If same key is used for encryption and decryption process by sender and receiver then process is
called as - Symmetric key cryptography/Single key cryptography/ Secret key
cryptography/Conventional cryptography
2. If different keys are used for encryption and decryption process by sender and receiver then
process is called as - Asymmetric key cryptography/ Two key cryptography/ Public key
cryptography

Processing of plain text
1. Block cipher - Processing one block of input at a time and producing corresponding output block
for each input block
2. Stream cipher - Processing input in continuous format and producing corresponding output one
element at a time as long as it goes.
 Attack Approaches for Symmetric Key Cryptography
The objective of attacking an encryption system is to recover the key in use rather than
simply to recover the plaintext of a single ciphertext
1. Cryptanalysis
Rely on the nature of the algorithm + Knowledge of basic features of plain text or
some sample plaintext–ciphertext pairs
Exploits the characteristics of the algorithm to attempt to deduce a specific plaintext
or to deduce the key being used.

2. Brute Force
Attacker tries every possible key on a piece of ciphertext until an intelligible
translation into plaintext is obtained.
On average, half of all possible keys must be tried to achieve success.
Cryptography Techniques
 SUBSTITUTION TECHNIQUES
The techniques in which letters of plain text are replaced by other characters, symbols or
numbers are called as substitution techniques.

1. Caesar cipher
Involves replacing each letter of the alphabet with the letter standing three places
further down the alphabet.
Note that the alphabet is wrapped around, so that the letter following Z is A. We can
define the transformation by listing all possibilities, as follows:
2. Monoalphabetic cipher
A substitution cipher where each letter of the plain text is replaced with another letter
of the alphabet.
It uses a fixed key which consist of the 26 letters of a “shuffled alphabet”.
Example

With the above key, all “A” letters in the plain text will be encoded to an “M”.
This type of cipher is a form of symmetric encryption as the same key can be used to both
encrypt and decrypt a message.
Frequency in ciper text Decryption of cipher by attacker

Frequency in plain text
 Decryption of cipher by attacker
Cipher

plain
2. Playfair cipher
Best-known multiple-letter encryption cipher
which treats digrams in the plaintext as single
units and translates these units into ciphertext
digrams
Based on the use of a 5 × 5 matrix of letters
constructed using a keyword
Matrix Rules
★ Characters in keyword are arranged in 5x5
matrix row wise from left to right and from top
to bottom
★ Repeated characters from keyword have to be
written only once in matrix
★ Fill the rest spaces in matrix with remaining characters from A – Z which are not a
part of keyword.
★ I and J can not be written separately. They need to write in same cell of matrix
Encryption process
Encryption process
Encryption
process
Encryption
process
example:
Hill Cipher
Multi-letter cipher, developed by the mathematician Lester Hill in 1929.
The algorithm uses matrix calculations used in Linear Algebra. It is easier to
understand if we have the basic knowledge of matrix multiplication, modulo
calculation, and the inverse calculation of matrices.
In hill cipher algorithm every letter (A-Z) is represented by a number moduli 26.
Usually, the simple substitution scheme is used where A = 0, B = 1, C = 2…Z = 25 in order
to use 2x2 key matrix.
The complexity of the Hill cipher increases with the size of the key matrix.
To encrypt the text using hill cipher, we need to perform the following operation.
E(K, P) = (K * P) mod 26
Where K is the key matrix and P is plain text in vector form. Matrix multiplication of K
and P generates the encrypted ciphertext.
Hill Cipher - Steps For Encryption
Step 1:
Let's say our key text (2x2) is DCDF. Convert this key using a substitution scheme into a 2x2
key matrix as shown below:
Hill Cipher - Steps For Encryption
Step 2:
Now, we will convert our plain text into vector form. Since the key matrix is 2x2, the vector
must be 2x1 for matrix multiplication. (Suppose the key matrix is 3x3, a vector will be a 3x1
matrix.)
In our case, plain text is TEXT that is four letters long word; thus we can put in a 2x1 vector
and then substitute as:
Hill Cipher - Steps For Encryption
Step 3:
Multiply the key matrix with each 2x1 plain text vector, and take the modulo of result (2x1
vectors) by 26. Then concatenate the results, and we get the encrypted or ciphertext as
RGWL.
Vigenere Cipher / Polyalphabetic cipher
A polyalphabetic cipher is any cipher based on substitution, using multiple
substitution alphabets.
The best known, and one of the simplest, polyalphabetic ciphers is the Vigenère
cipher.
The encryption of the original text is done using the Vigenère square or Vigenère table.
1. The table consists of the alphabets written out 26 times in different rows, each
alphabet shifted cyclically to the left compared to the previous alphabet,
corresponding to the 26 possible Caesar Ciphers.
2. At different points in the encryption process, the cipher uses a different alphabet from
one of the rows.
3. The alphabet used at each point depends on a repeating keyword.
Vigenere Cipher / Polyalphabetic cipher
A more easy implementation could be to visualize Vigenère algebraically by converting
[A-Z] into numbers [0–25].

Note: Di denotes the offset of the i-th character of the plaintext. Like offset of A is 0 and of
B is 1 and so on.
Vigenère square or
Vigenère table
Vigenere Cipher - Example
1. Plain text : STAY HOME Keyword : TYCS
2. For generating key, the given keyword is repeated in a circular manner until it matches
the length of the plain text.
3. The keyword "TYCS" generates the key "TYCSTYCS"
4. The plain text is then encrypted using the process explained below.
➔ The first letter of the plaintext, S is paired with T, the first letter of the key. So use row
S and column T of the Vigenère square, namely L.
➔ Similarly, for the second letter of the plaintext, the second letter of the key is used, the
letter at row T, and column Y is R.
➔ The rest of the plaintext is enciphered in a similar fashion.
Vernam Cipher /One Time Pad Cipher
An improvement to the Vernam cipher that yields the ultimate in security proposed by
Army Signal Corp officer, Joseph Mauborgne
Uses a random key that is as long as the message, so that the key need not be
repeated.
The key is to be used to encrypt and decrypt a single message, and then is discarded.
Each new message requires a new key of the same length as the new message.
It produces random output that bears no statistical relationship to the plaintext.
Because the ciphertext contains no information whatsoever about the plaintext, there
is simply no way to break the code.
The security of the one-time pad is entirely due to the randomness of the key
The one-time pad is the only cryptosystem that exhibits what is referred to as perfect
secrecy.
One Time Pad Cipher- Challenges
In theory, we need look no further for a cipher. The one-time pad offers complete security
but, in practice, has two fundamental difficulties:
There is the practical problem of making large quantities of random keys. Any heavily
used system might require millions of random characters on a regular basis. Supplying
truly random characters in this volume is a significant task.
Even more daunting is the problem of key distribution and protection. For every
message to be sent, a key of equal length is needed by both sender and receiver. Thus,
a mammoth key distribution problem exists.
Because of these difficulties, the one-time pad is of limited utility and is useful primarily
for low-bandwidth channels requiring very high security.
One Time Pad Cipher- Encryption algorithm
Assign a number to each character of the plain text and the key according to
alphabetical order.
Bitwise XOR both the number (Corresponding plain-text character number and
Key character number).
Subtract the number from 26 if the resulting number is greater than or equal to
26, if it isn’t then leave it.

Note: For the Decryption apply the just reverse process of encryption.
One Time Pad Cipher- Example
Plain text : O A K Keyword : S O N

1.
Since the resulting number is greater than 26, subtract 26 from it. Then convert the
Cipher-Text character number to the Cipher-Text character.

2.
One Time Pad Cipher- Example
Plain text : O A K Keyword : S O N
Similarly, do the same for the other corresponding characters,
 TRANSPOSITION TECHNIQUES
The techniques in which letters of plain text are rearranged or jumbled are called as
transposition techniques.

1. Rail fence cipher
Plain text is represented as sequence of diagonals
And then read as rows
Plain text :- GOOD MORNING

Cipher text :- GOMRIG ODONN
Columnar cipher
Keyed Transposition Cipher
Columnar Transposition builds in a keyword to order the way we read the columns, as
well as to ascertain how many columns to use.
Write the plaintext out in a grid where the number of columns is the number of letters
in the keyword.
Title each column with the respective letter from the keyword.
Take the letters in the keyword in alphabetical order, and read
down the columns in this order.
If a letter is repeated, we do the one that appears first,
then the next and so on
Example:
Keyword: TOMATO
Plaintext: The tomato is a plant in the nightshade family
Ciphertext: TINESAXEOAHTFXHTLTHEYMAIIAIXTAPNGDLOSTNHMX
Multicolumnar cipher
Plain text is written in columns
Order of the columns to read characters need to be finalized
Read columns accordingly
Write cipher text again in columns
And repeat above process multiple times by keeping order of columns same.
 Steganography is the technique of hiding data within an ordinary, nonsecret file or
message to avoid detection; the hidden data is then extracted at its destination.
Steganography use can be combined with encryption as an extra step for hiding or
protecting data.
Steganography can be used to conceal almost any type of digital content, including
text, image, video or audio content.
Example:
One of the most prevalent techniques is called ‘least significant bit’ (LSB) steganography.
This involves embedding the secret information in the least significant bits of a media file.
For example, In an image file, each pixel is made up of three bytes of data corresponding to
the colors red, green, and blue. Some image formats allocate an additional fourth byte to
transparency, or ‘alpha’.LSB steganography alters the last bit of each of those bytes to hide
one bit of data. So, to hide one megabyte of data using this method, you would need an
eight-megabyte image file.Modifying the last bit of the pixel value doesn’t result in a
visually perceptible change to the picture, which means that anyone viewing the original
and the steganographically-modified images won’t be able to tell the difference.
 Other steganography methods include hiding an entire partition on a hard drive or
embedding data in the header section of files and network packets.
The practice of adding a watermark -- a trademark or other identifying data hidden in
multimedia or other content files -- is a common use of steganography.
Online publishers often use watermarking to identify the source of media files that are
being shared without permission. Example NFT(non fungible tokens)
From a cybersecurity perspective, threat actors can use steganography to embed
malicious data within seemingly unharming files
 Block Cipher Principles
A block cipher is an encryption/decryption scheme in which a block of
plaintext is treated as a whole and used to produce a ciphertext block of
equal length

Many symmetric block encryption algorithms in current use are based on
a structure referred to as a Feistel block cipher
Stream Ciphers And Block Ciphers
Stream Cipher Block Cipher
In a stream cipher, encryption and decryption are In a block cipher, a group of plaintext symbols of
done one symbol (such as a character or a bit) at size m (m > 1) are encrypted together creating a
a time group of ciphertext of the same size.

Consists of a plaintext stream, a ciphertext stream, Consists of a plaintext block, a ciphertext block,, a
and a key stream single key is used to encrypt the whole block even
if the key is made of multiple values.

Uses only confusion Uses confusion and diffusion

Reverse process is easy Reverse process is difficult

Works on substitution techniques Works on transposition techniques

Fast process Slow process

Eg. monoalphabetic substitution ciphers, Vigenere Eg. Fiestel Cipher, Playfair ciphers, Hill Cipher
ciphers, Vernam cipher
Confusion And Diffusion Ciphers
Confusion Diffusion
Make the statistical relationship between the Make the relationship between the statistics
plaintext and ciphertext as complex as of
possible in order to thwart attempts to the ciphertext and the value of the
deduce the key encryption key as complex as possible,
again to thwart attempts to discover the key

It is used in block and stream cipher method. It is used in block cipher method.

If a single bit in the key is; changed, all the In case a symbol in the plaintext is changed,
bits in the ciphertext will also have to be several or all symbols in the cipher text will
changed. also have to be changed.

Example Substitution Eg. Transposition
DES (DATA ENCRYPTION STANDARD)
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the
National Institute of Standards and Technology (NIST).
DES is block cipher
At the encryption site, DES takes a 64-bit plaintext and creates a 64-bit ciphertext; at
the decryption site, DES takes a 64-bit ciphertext and creates a 64-bit block of
plaintext.
The same 56-bit cipher key is used for both encryption and decryption.
Working of DES
The encryption process is made of two
permutations (P-boxes), which we
call initial and final permutations,
and sixteen Feistel rounds.

Each round uses a different 48-bit
round key generated from the cipher
key according to a predefined algorithm.
Initial and Final Permutations
Each of these permutations takes a 64-bit input and permutes them according to a
predefined rule.
Keyless straight permutations that are the inverse of each other.
The permutation rules for these P-boxes are shown in Table 6.1. Each side of the table
can be thought of as a 64-element array.
Rounds
DES uses 16 rounds. Each round of DES is
a Feistel cipher.
Each round performs the steps of
substitution and transposition.
After IP is completed, the resultant 64-bit
permuted text block is separated into two
half blocks.
Each block consists of 32 bits.Left block is
called LI-1 and right block is called RI-1.
16 rounds are performed on these two
blocks each.
Key Generation
A 64-bit key is used as input
to the algorithm.
The bits of the key are
numbered from 1 through 64;
every eighth bit is ignored, as
indicated by the lack of
shading in Table a.
The key is first subjected to a
permutation governed by a
table labeled Permuted
Choice One (Table b).
The resulting 56-bit key is
then treated as two 28-bit
quantities, labeled Co and Do.
Key Generation
These parts are shifted towards left by one or two positions.
For round number 1,2,9 or 16, shifting is done by one position and for rest of
rounds shifting is done by two positions.
After shifting random 48 bits are selected.
This process is also known as compression permutation.
DES Function
The heart of DES is the DES function.
The DES function applies a 48-bit key to the rightmost 32 bits (RI−1) to
produce a 32-bit output.
This function is made up of four sections:
1. an expansion P-box
2. a whitener (that adds key)
3. a group of S-boxes
4. a straight P-box
1. Expansion P-box
Since RI−1 is a 32-bit input and KI is a 48-bit key, we first need to expand RI−1 to 48 bits.
RI−1 is divided into 8 4-bit sections. Each 4-bit section is then expanded to 6 bits
This input is first expanded to 48 bits by using a table that defines a permutation plus
an expansion that involves duplication of 16 of the bits (Table 6.2)
2. Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right
section and the round key.
Note that both the right section and the key are 48-bits in length. Also note that the
round key is used only in this operation.
3. S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input
and a 4-bit output.
The 48-bit data from the second operation is divided into eight 6-bit chunks, and each
chunk is fed into a box.
The result of each box is a 4-bit chunk; when these are combined the result is a 32-bit
text.
4. Straight P-box (Straight Permutation)
The last operation in the DES function is a straight permutation with a 32-bit input and a 32-bit
output.
For example, the seventh bit of the input becomes the second bit of the output.

XOR and Swap:
– LPT, which is of 32 bits, which we have not processed at all.
– LPT is XORed with output of RPT.
– Result of this XOR operation becomes the new RPT.
– The old value of RPT becomes new LPT in process of swapping.

Final Permutation:
– Finally, at the end of all 16 rounds, Final Permutation is performed only once.
– A simple transposition is based on Final Permutation Table.
– Output of the Final permutation is 64-bit encrypted block.
MULTIPLE ENCRYPTION AND TRIPLE DES
MULTIPLE ENCRYPTION AND TRIPLE DES

Variations of DES:
1. Double DES
2. Triple DES
Triple DES with 2 keys
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by
the National Institute of Standards and Technology (NIST) in December 2001.
AES is a block cipher intended to replace DES for commercial applications.
It uses a 128-bit block size and a key size of 128, 192, or 256 bits.
AES has defined three versions (AES-128, AES-192, and AES-256) , with 10, 12, and 14
rounds.
Each version uses a different cipher key size (128, 192, or 256), but the round keys are
always 128 bits.
AES does not use a Feistel structure.
This algorithm can be implemented on software and hardware both, so it seems to be
the strongest security protocol.
Rounds
AES is a non-Feistel cipher that encrypts
and decrypts a data block of 128 bits.
Each full round consists of four separate
functions:
1. Substitute bytes: Uses an S-box to
perform a byte-by-byte substitution of
the block
2. ShiftRows: A simple permutation
3. MixColumns: A substitution that makes
use of arithmetic over
4. AddRoundKey: A simple bitwise XOR of
the current block with a portion of the
expanded key.
AES Encryption process
AES processes the entire data block as a single matrix during each round using substitutions
and permutation.
The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i].
Four distinct words (128 bits) serve as a round key for each round
For both encryption and decryption, the cipher begins with an AddRoundKey stage, followed
by nine rounds that each includes all four stages, followed by a tenth round of three stages
Only the AddRoundKey stage makes use of the key.
For this reason, the cipher begins and ends with an AddRoundKey stage. Any other stage,
applied at the beginning or end, is reversible without knowledge of the key and so would
add no security
The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable.
The other three stages together provide confusion, diffusion, and nonlinearity, but by
themselves would provide no security because they do not use the key
AES Encryption process
The cipher as alternating operations
of XOR encryption (AddRoundKey) of
a block, followed by scrambling of
the block (the other three stages),
followed by XOR encryption, and so
on.
Block Cipher Modes of Operation
In real life applications, the text to be enciphered is of variable size and normally
much larger than 64 or 128 bits.
Modes of operation have been devised to encipher text of any size employing either
DES or AES.
Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook (ECB) mode.
The plaintext is divided into N blocks. The block size is n bits(mostly 64 bits).
If the plaintext size is not a multiple of the block size, the text is padded to make the
last block the same size as the other blocks.
The same key is used to encrypt and decrypt each block.
The term codebook is used because, for a given key, there is a unique ciphertext for
every n-bit block of plaintext.

Advantages
The ECB method is ideal for a short amount of data, such as an encryption key. Thus, if
you want to transmit a DES or AES key securely, ECB is the appropriate mode to use.
Faster and easy implementation.
Electronic Codebook (ECB) Mode
Disadvantages:
The most significant characteristic of ECB is that if the same n-bit block of plaintext appears
more than once in the message, it always produces the same ciphertext.
For lengthy messages, the ECB mode may not be secure. If the message is highly structured,
it may be possible for a cryptanalyst to exploit these regularities
Electronic Codebook (ECB) Mode
Cipher Block Chaining (CBC) Mode
To overcome the security deficiencies of ECB, we would like a technique in which the
same plaintext block, if repeated, produces different ciphertext blocks
In this scheme, the input to the encryption algorithm is the XOR of the current
plaintext block and the preceding ciphertext block; the same key is used for each
block.
In effect, we have chained together the processing of the sequence of plaintext blocks.
The input to the encryption function for each plaintext block bears no fixed
relationship to the plaintext block. Therefore, repeating patterns of bits are not
exposed.
As with the ECB mode, the CBC mode requires that the last block be padded to a full
bits if it is a partial block.
For decryption, each cipher block is passed through the decryption algorithm. The
result is XORed with the preceding ciphertext block to produce the plaintext block.
Cipher Block Chain (CBC) Mode
The first step of encryption receives 2 inputs :-
➔ First block of plaintext
➔ Random block of text called Initialization vector (IV)
Initialization vectors is a randomly produced set of characters used to make each message
unique.
The IV must be known to both the sender and receiver but be unpredictable by a third party
The second step makes use of second plaintext block XORed with the cipher text block
generated in step 1 and uses the key for encryption to produce ciphertext block 2 an so on.
Advantages:
Suitable for large amount of data
Maintains confidentiality
Supports authentication
Security enhancement as compared with ECB due to use of XOR and IV
Cipher Feedback (CFB) Mode
For AES, DES, or any block cipher, encryption is performed on a block of bits. In the case of
DES b=64, and in the case of AES b=128.
However, it is possible to convert a block cipher into a stream cipher, using one of the three
modes: cipher feedback (CFB) mode, output feedback (OFB) mode, and counter (CTR) mode.
A stream cipher eliminates the need to pad a message to be an integral number of blocks. It
also can operate in real time.
Thus, if a character stream is being transmitted, each character can be encrypted and
transmitted immediately using a character-oriented stream cipher.
In CFB mode, encipherment and decipherment use the encryption function of the
underlying block cipher.
In this mode, like CBC, 64-bit Initialization vector(IV) is used and a shift register as well.
Cipher Feedback (CFB) Mode
The following four steps are used for this cipher mode
Assume that there are i-bits of plaintext taken at a time
Step 1:
Initially, shift register is filled with 64-bit initialization vector (IV), and encryption algorithm is
executed once to create 64 bits IV ciphertext.
Step 2:
The left-most i-bits of encrypted IV is then XOR'ed with i-bits of plaintext which generates first
portion of ciphertext (say C) and then C is transmitted to receiver.
Step 3:
Contents of shift register including IV are shifted left by i positions and empty rightmost i places
of shift register are then filled with C.
Step 4:
Steps 1 to 3 are repeated until all the plaintext units are encrypted.
Output Feedback (OFB) Mode
The output feedback (OFB) mode is similar in structure to that of CFB.
It is the output of the encryption function that is fed back to the shift register in OFB,
whereas in CFB, the ciphertext unit is fed back to the shift register
The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, not on an s-bit subset.
As with CBC and CFB, the OFB mode requires an initialization vector.
In the case of OFB, the IV must be a nonce; that is, the IV must be unique to each execution
of the encryption operation.
Changing of IV in same plaintext block produces different ciphertext.
One advantage of the OFB method is that bit errors in transmission do not propagate
The disadvantage of OFB is that it is more vulnerable to a message stream modification
attack than is CFB.
Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback.
A counter equal to the plaintext block size is used. The counter value must be different for
each plaintext block that is encrypted.
The counter is initialized to some value(IV) and then incremented by 1 for each subsequent
block (modulo 2b , where b is the block size)
For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining.
For the last plaintext block, which may be a partial block of bits, the most significant bits of
the last output block are used for the XOR operation; the remaining bits are discarded.
Unlike the ECB, CBC, and CFB modes, we do not need to use padding because of the
structure of the CTR mode.
As with the OFB mode, the initial counter value must be a nonce; that is, must be different
for all of the messages encrypted using the same key
Any other plaintext blocks that are encrypted using the same counter value can be easily
recovered from their associated ciphertext blocks.
Counter (CTR) Mode
Advantages:
Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR
mode can be done in parallel on multiple blocks of plaintext or ciphertext. In CTR mode, the
throughput is only limited by the amount of parallelism that is achieved. Unlike chaining
modes maximum throughput of the algorithm to the reciprocal of the time for one
execution of block encryption or decryption
Software efficiency: Similarly, because of the opportunities for parallel execution in CTR
mode, processors that support parallel features can be effectively utilized.
Random access: The th block of plaintext or ciphertext can be processed in random-access
fashion. With the chaining modes, block cannot be computed until the – 1 prior block are
computed.
Public-Key Cryptography
and RSA
 Asymmetric encryption is a form of cryptosystem in which encryption and
decryption are performed using the different keys—one a public key and one
a private key.
It is also known as public-key encryption.
Asymmetric encryption transforms plaintext into ciphertext using a one of
two keys and an encryption algorithm. Using the paired key and a decryption
algorithm, the plaintext is recovered from the ciphertext.
Asymmetric encryption can be used for confidentiality, authentication, or
both.
The most widely used public-key cryptosystem is RSA.
The difficulty of attacking RSA is based on the difficulty of finding the prime
factors of a composite number.
Components of Public Key Cryptosystem
1. Plain Text
A normal readable message which is considered as input for the process of encryption
2. Encryption Algorithm
Sequence of steps which are used to convert plain text into cipher text
3. Public key and private key
Key pair which is selected for asymmetric key cryptography. One key is used in
encryption process and other will be used for decryption process.
4. Cipher Text
The resultant text which is produced after implementing encryption algorithm.
5. Decryption Algorithm
Sequence of steps which are used to convert cipher text back into plain text with the
help of matching key
Steps involved in Asymmetric key cryptography
Steps involved in Asymmetric key cryptography
Symmetric and Asymmetric cryptography / Conventional and Public-Key Encryption

Symmetric / Conventional Asymmetric / Public-key

The same algorithm with the same key is One algorithm is used for encryption and
used for encryption and decryption. decryption with a pair of keys, one for
encryption and one for decryption.

The sender and receiver must share the The sender and receiver must each have
algorithm and the key one of the matched pair of keys (not the
same one).

The key must be kept secret. One of the two keys must be kept secret.

Knowledge of the algorithm plus samples of Knowledge of the algorithm plus one of the
ciphertext must be insufficient to determine keys plus samples of ciphertext must be
the key. insufficient to determine the other key.
Applications for Public-Key Cryptosystems
Depending on the application, the sender uses either the sender’s private key or the
receiver’s public key, or both, to perform some type of cryptographic function.
In broad terms, we can classify the use of public-key cryptosystems into three
categories
Applications for Public-Key Cryptosystems
Depending on the application, the sender uses either the sender’s private key or the
receiver’s public key, or both, to perform some type of cryptographic function.
In broad terms, we can classify the use of public-key cryptosystems into three
categories
RSA ALGORITHM
Developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT
Use of two keys :- Public and private key
One key which is known to be as public key is sent to other who are involved in
communication and other key is kept secret.
Based on block cipher. Plain text is encrypted in blocks.
Public and private key are based on random prime numbers.
Encryption and decryption are of the following form, for some plaintext block M and
ciphertext block C.
RSA ALGORITHM
Both sender and receiver must know the value of n.
The sender knows the value of e, and only the receiver knows the value of d.
Thus, this is a public-key encryption algorithm with a public key of PU = {e, n} and a
private key of PR = {d, n}.
To implement RSA the following things are required
RSA ALGORITHM
RSA ALGORITHM - Example

1. p=15 & q=17
2. n=p*q =15*17=255
3. phi(n) = 14*16 = 224
4. e= 3
RSA ALGORITHM - Example

d= ((224*1)+1)/3 =75

Stop the process when you get a absolute value of d for some value of i
RSA ALGORITHM - Example

6. Public key ={3,255} , Private key= {75,255}

7. let’s say M=13
C = 13 ^ 3 mod 255 => 157

8. M = 157 ^ 75 mod 255 =>13
RSA ALGORITHM - Exercise