BCA603T

CRYPTOGRAPHY AND NETWORK SECURITY

UNIT – I CONTENTS Text Book:

Introduction:
Security Goals,
Cryptographic Attacks,
Services and Mechanism, Techniques.
Mathematics of Cryptography:
Integer Arithmetic,
Modular Arithmetic,
Matrices,
Linear Congruence.
1.Behrouz A. Forouzan, Debdeep Mukhopadhyay:
Cryptography and Network Security, 2nd Edition, Special
Indian Edition, Tata McGraw-Hill, 2011.
Reference Books:
1.Michael E. Whitman and Herbert J. Mattord: Principles of
Information Security, 2nd Edition, Thomson, Cengage Delmar
Learning India Pvt., 2012.
2.William Stallings: Network Security Essentials: Applications
and Standards, 4th Edition, Pearson Education, 2012.
Introduction:
Security is a state of well being of information and
infrastructure in which the possibility of successful
yet undetected theft, tampering and disruption of
information and services is kept
low or tolerable.
OR
Security is freedom from risk or danger i.e. safety
and also security mean freedom from doubt,
anxiety or fear i.e. confidentiality.
It is impossible to talk about computer networks
without security and it is impossible to talk about
computer security without networks. The two are
interconnected with each other.
Most Businesses use “data systems” to
store sensitive company information.
To secure an information system today,
you should able to balance authorized
access needs with system and data
protection.
Because too much of security prevents
access, while too little security leaves the
system vulnerable to data theft or attack,
controlling access to information systems
will help you ensure a proper balance of
security and access.
A threat is: a person,
thing, event or idea
which poses some
danger to an asset
(in terms of
confidentiality, integrity,
availability or legitimate
use).

An attack is a realisation
of a threat.
Many network security threats today are spread
over the Internet. The most common include:

 Viruses, worms, and Trojan horses

 Spyware and adware
 Zero-day attacks, also called zero-hour attacks
 Hacker attacks
 Denial of service attacks
 Data interception and theft
 Identity theft
 SECURITY MODELS
An organization can take several approaches to implement its security
model.

No Security: In this simplest case, the approach

could be a decision to implement no security at
all.
Security through obscurity: In this model, a
system is secure simply because nobody knows
about its existence and contents. This approach
cannot work for too long, as there are many ways
an attacker can come to know about it.
SECURITY MODELS Contd…

Hot Security: In this scheme, the security for each host is

enforced individually. This is a very safe approach, but the
trouble is that it cannot scale well. The complexity and diversity
of modern sites/organizations makes the task even harder.

Network Security: Host security is tough to achieve as

organizations grow and become more diverse. In this technique,
the focus is to control network access to various hosts and their
services, rather than individual host security. This is a very
efficient and scalable model.
 SECURITY GOALS

There are three primary goals in any security service.

These are :
1. Confidentially,
2. Integrity and
3. Availability.
 Confidentiality
The principle of confidentiality is that only the sender and the intended
recipient should be able to access the contents of a message.

Confidentiality gets compromised if an unauthorized person

is able to access the message.
Example of this could be a confidential email message sent by
user A to user B, which is accessed by user C without the
permission or knowledge of A and B.
This type of attack is called interception.
 Integrity
When the contents of a message are changed after the sender sends it,
but before it reaches the intended recipient, we say that the integrity of
the message is lost.

For example, consider that user A sends message to user B. User C

tampers with a message originally sent by user A, which is actually
destined for user B. User C somehow manages to access it, change
its contents and send the changed message to user B. User B has no
way of knowing that the contents of the message changed after user
A had sent it. User A also does not know about this change.

This type of attack is called modification.

 Availability
The principle of availability is that resources
should be available to authorized parties at all
times.

For example, due to the intentional actions of

an unauthorized user C, an authorized user
A may not be able to contact a server B. This
would defeat the principle of availability.

Such an attack is called interruption.

 OSI SECURITY ARCHITECTURE

The OSI security architecture focuses on security attacks,

mechanisms, and services.
These can be defined briefly as follows:

Security attack
Security mechanism
Security service
Security attack
Security attack is any action
that compromises the security
of information owned by an
organization.
Security mechanism
A process (or a device
incorporating such a process)
that is designed to detect,
prevent, or recover from a
security attack.
Security service
A processing or communication
service that enhances the security
of the data processing systems
and the information transfers of
an organization.
The services are intended to
counter security attacks, and they
make use of one or more security
mechanisms to provide the
service.
 TYPES OF ATTACKS
Attacks are classified as passive and active.

A passive attack is an an active attack is an

attempt to learn or
make use of information
from the system without
affecting system
resources
attempt to alter system
resources or affect their
operation.
 Passive attacks are in the nature of
Passive Attacks eavesdropping on, or monitoring of,
transmissions.
The goal of the opponent is to obtain
information that is being
transmitted.

Two types of Release of message contents and

passive attacks Traffic analysis
Release of message contents A telephone conversation, an
electronic mail message, and a
transferred file may contain
sensitive or confidential
information.
We would like to prevent an
opponent from learning the
contents of these transmissions.
 Traffic Analysis
Suppose that we had a way of masking the contents
of messages or other information traffic so that
opponents, even if they captured the message, could
not extract the information from the message. The
common technique for masking contents is
encryption. If we had encryption protection in
place, an opponent might still be able to observe the
pattern of these messages. The opponent could
determine the location and identity of
communicating hosts and could observe the
frequency and length of messages being exchanged.
This information might be useful in guessing the
nature of the communication that was taking place.
Passive attacks Contd…

Passive attacks are very difficult to detect because they

do not involve any alteration of the data. Typically, the
messages are sent and received in seemingly normal
fashion. Neither the sender nor receiver is aware that a
third party has read the messages or observed the
traffic pattern. However, it is feasible to prevent the
success of these attacks. Message encryption is a
simple solution to thwart passive attacks. Thus, the
emphasis in dealing with passive attacks is on
prevention rather than detection.
Active Attacks Active attacks involve some
.
modification of the data stream or the
creation of a false stream and can be
subdivided into four categories:
masquerade,
replay,
modification of messages, and
denial of service
 Replay involves the passive capture
of a data unit and its
subsequent retransmission to
produce an unauthorized
effect

Masquerade
A takes place when one entity pretends to be a
different entity.
A masquerade attack usually includes one of the
other forms of active attack.
For example,
authentication sequences can be captured and
replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity
with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.
 Modification of messages
simply means that some portion of a legitimate message
is altered, or that messages are delayed or reordered, to
produce an unauthorized effect .
For example, a message meaning "Allow John Smith to
read confidential file accounts" is modified to mean
"Allow Fred Brown to read confidential file accounts."

Denial of service
The prevents or inhibits the normal use or management of
communications facilities .This attack may have a specific
target;
for example, an entity may suppress all messages directed to a
particular destination (e.g., the security audit service).
Another form of service denial is the disruption of an entire
network, either by disabling the network or by overloading it
with messages so as to degrade performance.
SECURITY SERVICES. The basic security services are
following:
Security Services is the  Authentication
services to implement security
policies and implemented by  Access control
security mechanism.
Enhances the security of data  Confidentiality
processing and transferring.
 Integrity

 Nonrepudiation

 Availability
 Authentication
Authentication relates to ensuring
that users and computers are who
they claim to be by establishing proof
of identity. Authentication can be
accomplished for example through
biometric identifiers, use of smart
cards, tokens, or password or a
combination of the above.
Confidentiality Confidentiality is the act of limiting disclosure of
private information maintaining the trust that an
individual has placed in one which has been
entrusted with private matters.

There are two types of confidentiality components,

one relating to Data and the other to Traffic flow.

Data confidentiality safeguards the contents of data

from unauthorised disclosure, by using for example
encryption.

Traffic flow confidentiality prevents the exploitation

of information relating to traffic flow, by again using
encryption or traffic padding.
 Integrity is the property that information is changed only in
Integrity specified and authorized manner.
There are several components to integrity, these are:

data integrity,
program integrity,
System integrity, and
network integrity.

Data integrity refers to the accuracy, consistency and

completeness of data.
Program integrity refers to the quality of the software
design and protection against changes.
System integrity is the capability of an automated system
to perform its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized
manipulation. Network integrity extends system integrity
to networks.
Non-repudiation
Non-repudiation assures that
information and/or actions that purport to
be from (or purport not to be from) a
user or system are as claimed.

In other words, it provides evidence to

prevent a person from unilaterally
modifying or terminating obligations
arising out of a transaction effected by
computer-based means.
Availability Availability, require that computer
system assets be available to
authorized parties when needed.

A variety of attacks can result in the

loss of or reduction in availability.

These attacks are challenged by way

of countermeasures, such as
authentication and encryption to
safeguard the information.
Access Control
Access Control is the means by which
the ability to use a computer resource is
explicitly enabled or restricted.

This protects against the unauthorized

use and manipulation of resources.

This should protect confidentiality,

integrity and legitimate use of a system.
Security Mechanisms
These may be incorporated into the
appropriate protocol layer in order
to provide some of the OSI security
services. Some techniques for
realizing security are listed here.
1. Encipherment (Confidentiality)
This is the process of using mathematical
algorithms to transform data into a form that
is not readily intelligible. The transformation
and subsequent recovery of the data depend
on an algorithm and zero or more encryption
keys.
2. Digital Signature
Data or cryptographic transformation of a
data unit is appended to the data, so that the
recipient of the data unit is convinced of the
source and integrity of the data unit and this
can also serve to protect the data against
forgery (e.g., by the recipient).
 Security Mechanisms Contd…
3. Access Control
A variety of mechanisms are available that
enforce access rights to resources.
4. Data Integrity
A variety of mechanisms may be used to
assure the integrity of a data unit or stream of
data units.
5. Authentication Exchange
This is a mechanism intended to ensure the
identity of an entity by means of information
exchange.
6. Traffic Padding
The insertion of bits into gaps in a data stream
is called traffic padding. This helps to thwart
traffic analysis attempts.
7. Routing Control
Routing control enables selection of
particular physically secure routes for
certain data transmission and allows
routing changes, especially when a breach
of security is suspected.
8. Notarization
This is the use of a trusted third party to
assure certain properties of a data
exchange.
INTEGER ARITHMETIC Binary Operations
In cryptography, we are interested in three binary
operations applied to the set of integers.
Set of Integers A binary operation takes two inputs and creates one
The set of integers, denoted by Z, contains all output. Three common binary operations defined for
integral numbers (with no fraction) from negative integers are:
infinity to positive infinity. addition,
Z = { . . . , −2, −1, 0, 1, 2, . . . } Subtraction and
multiplication
Each of these operations takes two inputs (a and b ) and
creates one output ( c ).

Integer Division
In integer arithmetic, if we divide a by n ,
we can get q and r. The relationship between these four
integers can be shown as: a = q × n + r
Example :
Assume that a = 255 and n =11. We can find q = 23 and r = 2
using the division algorithm we have learned in arithmetic:
Two Restrictions
When we use the above division relationship in
cryptography,
we impose two restrictions.
First, we require that the divisor be a positive integer
(n>0).
Second, we require that the remainder be a
nonnegative integer (r ≥ 0) shows this relationship
with the two above-mentioned restrictions:
Greatest Common Divisor
One integer often needed in cryptography is the
greatest common divisor of two positive integers.
Two positive integers may have many common
divisors, but only one greatest common divisor.
For example, the common divisors of 12 and 140 are
1, 2, and 4. However, the greatest common divisor is 4.
Example:
Euclidean Algorithm
Finding the greatest common divisor (gcd) of two
positive integers by listing all common divisors is
not practical when the two integers are large.
Fortunately, more than 2000 years ago a
mathematician named Euclid developed an
algorithm that can find the greatest common divisor
of two positive integers.
The Euclidean algorithm is based on the following
two facts.
Euclidean algorithm We use two variables, r1 and r2, to hold the
changing values during the process of
reduction.

They are initialized to a and b. In each step, we

calculate the remainder of r1 divided by r2 and
store the result in the variable r.

We then replace r1 by r2 and r2 by r.

The steps are continued until r2 becomes 0. At

this moment, we stop. The gcd (a, b) is r1.

Find the greatest common divisor

of 2740 and 1760.
 The Extended Euclidean Algorithm
Given two integers a and b, we often need to find other
two integers, s and t, such that s × a + t × b = gcd (a, b).

Given a = 161 and b = 28, find gcd (a, b) and the values of
s and t.

The variables s1 and s2 are initialized to 1 and 0,

respectively. We get gcd (161, 28) = 7, s = -1 and t = 6.
The variables t1 and t2 are initialized to 0 and 1,
respectively
MODULAR ARITHMETIC
Modulo Operator
In modular arithmetic, we are interested in The above-mentioned binary operator is called
only one the modulo operator and is shown as
of the outputs, the remainder r. We don’t mod. The second input (n) is called the
modulus. The output r is called the residue.
care about the quotient q.
In other words, we want to know what is the
value of r when we divide a by n.
This implies that we can change the above
relation into a binary operator with two
inputs a and n and one output r.
Division relation and modulo operator

As Figure shows, the modulo operator (mod) takes

an integer (a) from the set Z and a positive
modulus (n).
The operator creates a nonnegative residue (r).
We can say a mod n = r
 Set of Residues: Zn
The result of the modulo operation with modulus n is
always an integer between 0 and n -1.

In other words, the result of a mod n is always a

nonnegative integer less than n.

We can say that the modulo operation creates a set,

which in modular arithmetic is referred to as the set
of least residues modulo n, or Zn.

However, we need to remember that although we

have only one set of integers (Z), we have infinite
instances of the set of residues (Zn), one for each
value of n.

Figure shows the set Zn and three instances, Z2,

Z6, and Z11.
 Congruence
In cryptography, we often used the concept of congruence instead of equality.
Mapping from Z to Zn is not one-to-one.
Infinite members of Z can map to one member of Zn.
For example, the result of 2 mod 10 = 2, 12 mod 10 = 2, 22 mod 2 = 2, and so on.
In modular arithmetic, integers like 2, 12, and 22 are called congruent mod 10.
To show that two integers are congruent, we use the congruence operator (≡).
We add the phrase (mod n) to the right side of the congruence to define the value of
modulus that makes the relationship valid. For example, we write:

The congruence operator looks like the equality operator, but there are
differences.
First, an equality operator maps a member of Z to itself; the congruence operator
maps a member from Z to a member of Zn.
Second, the equality operator is one-to-one; the congruence operator is many-to-
one.
MATRICES Multiplication of a row matrix by a column matrix

In cryptography we need to handle

matrices. Although this topic belongs to a
special branch of algebra called linear
algebra, the following brief review of
matrices is necessary preparation for the
study of cryptography. Calculating the determinant of a 3 X 3 matrix