
Introduction

Information security: ensures that both physical and digital data are protected.

Cyber security: subset of information security; protects an organization's networks, computers and data.

Network security: subset of cyber security; protects data sent between devices on a network.

Field of network and Internet security: measures to deter, prevent, detect and correct security violations that involve the transmission of information.
Introduction

• Definition of computer security from NIST (Computer Security Handbook): the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (hardware, software, firmware, information/data and telecommunications).

– Confidentiality: data confidentiality and privacy
– Integrity: data integrity and system integrity
– Availability
Introduction
CIA Triad as per NIST standard FIPS 199:
Confidentiality, Integrity, Availability
• Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
– Loss of confidentiality: unauthorized disclosure of information
• Integrity: guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity
– Loss of integrity: unauthorized modification or destruction of information
• Availability: ensuring timely and reliable access to and use of information
– Loss of availability: disruption of access to or use of information or an information system
Two further goals are often added to the triad:
• Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator
• Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
– Supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery
Cryptographic algorithms and
protocols
• Four categories
– Symmetric encryption
– Asymmetric encryption
– Data integrity algorithms
– Authentication protocols
OSI Security Architecture
• The OSI (open systems interconnection) security architecture provides a
systematic framework for defining security attacks, mechanisms, and
services

• Security attack: any action that compromises the security of information owned by an organization.
• Security mechanism: a process (or a device incorporating such a process) designed to detect, prevent, or recover from a security attack.
• Security service: a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization; services are intended to counter security attacks and make use of one or more security mechanisms.

• The generic name for the collection of tools designed to protect data and to thwart hackers is computer security.
Introduction: Threat vs Attack

• Threat: a potential for violation of security; a possible danger that might exploit a vulnerability.
• Attack: an assault on system security that derives from an intelligent threat; a deliberate attempt to evade security services and violate the security policy of a system.

Figure 1.2 Taxonomy of attacks with relation to security goals
Security Attacks

Passive Attack
• Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted.

• Two types of passive attacks are release of message contents and traffic analysis.

• The release of message contents is easily understood (Figure a): a telephone conversation, an e-mail message or a transferred file may contain sensitive information that the opponent simply reads.

• A second type of passive attack, traffic analysis (Figure b), is subtler. Suppose the message contents are masked, typically by encryption, so that the opponent cannot extract the information from the message. Even so, the opponent can still determine the location and identity of the communicating hosts and observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that is taking place.

• Passive attacks are very difficult to detect because they do not involve any alteration of the data. The emphasis is therefore on prevention (encryption) rather than detection.
Security Attacks
Active Attacks

• Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories:

– Masquerade: one entity pretends to be a different entity (usually combined with one of the other active attacks)
– Replay: the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
– Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
– Denial of service: preventing or inhibiting the normal use or management of communications facilities
General categories of
security attacks
• Interruption: An asset of the system is destroyed or becomes unavailable
or unusable - attack on availability

• Interception: An unauthorized party gains access to an asset – attack on


confidentiality

• Modification: An unauthorized party not only gains access to but tampers


with an asset – attack on integrity

• Fabrication: An unauthorized party inserts counterfeit objects into the


system – attack on authenticity
1.3.1 Security Services
Figure 1.3 Security services

Security Services

• AUTHENTICATION -: The assurance that the communicating entity is


the one that it claims to be

– Peer Entity Authentication -: Used in association with a logical


connection to provide confidence in the identity of the entities
connected
– Data Origin Authentication -: In a connectionless transfer, provides
assurance that the source of received data is as claimed

• ACCESS CONTROL -: The prevention of unauthorized use of a resource


(i.e., this service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are
allowed to do)
Security Services
• DATA CONFIDENTIALITY -: The protection of data from unauthorized
disclosure

– Connection Confidentiality -: The protection of all user data on a


connection
– Connectionless Confidentiality -: The protection of all user data in a
single data block
– Selective-Field Confidentiality -: The confidentiality of selected fields
within the user data on a connection or in a single data block
– Traffic Flow Confidentiality -: The protection of the information that
might be derived from observation of traffic flows
Security Services

• DATA INTEGRITY -: The assurance that data received are exactly as


sent by an authorized entity (i.e., contain no modification, insertion,
deletion, or replay)

– Connection Integrity with Recovery -: Provides for the integrity of all


user data on a connection and detects any modification, insertion,
deletion, or replay of any data within an entire data sequence, with
recovery attempted
– Connection Integrity without Recovery -: As above, but provides
only detection without recovery
Security Services
• NONREPUDIATION -: Provides protection against denial by one of the
entities involved in a communication of having participated in all or part of
the communication

– Nonrepudiation, Origin -: Proof that the message was sent by the


specified party
– Nonrepudiation, Destination -: Proof that the message was received
by the specified party

• AVAILABILITY-: Requires that computer system assets be available to


authorized parties when needed
1.3.2 Security Mechanism
Figure 1.4 Security mechanisms : Specific and pervasive

SECURITY
MECHANISMS
• Encipherment -: The use of mathematical algorithms to transform data
into a form that is not readily intelligible

• Digital Signature -: Data appended to, or a cryptographic transformation


of, a data unit that allows a recipient of the data unit to prove the source
and integrity of the data unit and protect against forgery (e.g., by the
recipient)

• Access Control -: A variety of mechanisms that enforce access rights to


resources

• Data Integrity -: A variety of mechanisms used to assure the integrity of a


data unit or stream of data units
SECURITY
MECHANISMS
• Authentication Exchange -: A mechanism intended to ensure the identity
of an entity by means of information exchange

• Traffic Padding -: The insertion of bits into gaps in a data stream to


frustrate traffic analysis attempts

• Routing Control -: Enables selection of particular physically secure routes


for certain data and allows routing changes, especially when a breach of
security is suspected

• Notarization -: The use of a trusted third party to assure certain properties


of a data exchange
1.3.3 Relation between Services and Mechanisms

A Model for Network Security
If P is the plaintext, C is the ciphertext, and K is the shared secret key, the sender computes C = E_K(P) and the receiver computes P1 = D_K(C).

Because decryption is the inverse of encryption under the same key, we can prove that P1 = D_K(E_K(P)) = P (if no errors occur in transmission).

Figure 3.2 Locking and unlocking with the same key
3.1.1 Kerckhoffs's Principle

Based on Kerckhoffs's principle, one should always assume that the adversary knows the encryption/decryption algorithm. The resistance of the cipher to attack must be based only on the secrecy of the key. (The key, not the algorithm, is the secret: algorithms are published and reviewed, while keys are small enough to be changed and replaced.)
3.1.2 Cryptanalysis
As cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of breaking those codes.
Two approaches to attack: cryptanalysis and brute force.
Figure 3.3 Cryptanalysis attacks

Ciphertext-Only Attack
Figure 3.4 Ciphertext-only attack

Known-Plaintext Attack
Figure 3.5 Known-plaintext attack

Chosen-Plaintext Attack
Figure 3.6 Chosen-plaintext attack

Chosen-Ciphertext Attack
Figure 3.7 Chosen-ciphertext attack
Types of attacks on encrypted
messages
Types of cryptanalytic
attacks
• Ciphertext-only attack
– The cryptanalyst does not know any of the underlying plaintext
– A basic assumption is that ciphertext is always available to an attacker

• Known-plaintext attack
– The attacker has the ciphertext as well as some of the corresponding plaintext (one or more plaintext-ciphertext pairs formed with the secret key)
Types of cryptanalytic
attacks
• Chosen plaintext attack
– cryptanalyst can encrypt a plaintext of his choosing and study the
resulting ciphertext
– This is most common against asymmetric cryptography, where a
cryptanalyst has access to a public key

• Chosen ciphertext attack


– cryptanalyst chooses a ciphertext and attempts to find a matching
plaintext
– This can be done with a decryption oracle (a machine that decrypts
without exposing the key)
Symmetric Encryption
• A symmetric encryption scheme has five ingredients:

• Plaintext: the original intelligible message or data that is fed into the algorithm as input

• Encryption algorithm: performs various substitutions and transformations on the plaintext

• Secret key: also input to the encryption algorithm; the exact substitutions and transformations performed depend on the key

• Ciphertext: the scrambled message produced as output; depends on the plaintext and the secret key

• Decryption algorithm: essentially the encryption algorithm run in reverse; takes the ciphertext and the secret key and produces the original plaintext
• An original message is known as the plaintext, while the coded message is
called the ciphertext

• The process of converting from plaintext to ciphertext is known as


enciphering or encryption; restoring the plaintext from the ciphertext is
deciphering or decryption

• The many schemes used for encryption constitute the area of study known
as cryptography. Such a scheme is known as a cryptographic system or a
cipher

• Techniques used for deciphering a message without any knowledge of the


enciphering details fall into the area of cryptanalysis. Cryptanalysis is
what the layperson calls "breaking the code”

• The areas of cryptography and cryptanalysis together are called cryptology


Cryptographic Systems
• Cryptographic systems are characterized along three independent
dimensions:

• The type of operations used for transforming plaintext to ciphertext


– All encryption algorithms are based on two general principles:

– Substitution: in which each element in the plaintext (bit, letter, group


of bits or letters) is mapped into another element
– Transposition: in which elements in the plaintext are rearranged

• The number of keys used


– If both sender and receiver use the same key, the system is referred to
as symmetric encryption
– If the sender and receiver use different keys, the system is referred to as
asymmetric, two-key, or public-key encryption
Cryptographic Systems

• The way in which the plaintext is processed


– A block cipher processes the input one block of elements at a time,
producing an output block for each input block
– A stream cipher processes the input elements continuously, producing
output one element at a time, as it goes along
Cryptanalysis and brute
force attack
• Cryptanalysis
– Cryptanalytic attacks rely on the nature of the algorithm plus perhaps
some knowledge of the general characteristics of the plaintext or even
some sample plaintext-ciphertext pairs

• Brute-force attack
– The attacker tries every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained
Unconditionally Secure and Computationally Secure Encryption Schemes

• An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available or how much computing power the opponent has. Apart from the one-time pad, no practical scheme is unconditionally secure.

• A practical encryption algorithm should therefore meet one or both of the following criteria:
– The cost of breaking the cipher exceeds the value of the encrypted information
– The time required to break the cipher exceeds the useful lifetime of the information

• If either of the above criteria is met, the encryption scheme is said to be computationally secure.
3-2 SUBSTITUTION CIPHERS

A substitution cipher replaces one symbol with another. Substitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.

Note

A substitution cipher replaces one symbol with another.
3.2.1 Monoalphabetic Ciphers

Note

In monoalphabetic substitution, the relationship between a symbol in the plaintext and a symbol in the ciphertext is always one-to-one.
Example 3.1
The following shows a plaintext and its corresponding ciphertext. The cipher is probably monoalphabetic because both l's (els) are encrypted as O's.
Additive Cipher

The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and sometimes a Caesar cipher, but the term additive cipher better reveals its mathematical nature.

Figure 3.8 Plaintext and ciphertext in Z26

Figure 3.9 Additive cipher

Encryption: C = (P + k) mod 26. Decryption: P = (C - k) mod 26.

Note

When the cipher is additive, the plaintext, ciphertext, and key are integers in Z26.
Example 3.3
Use the additive cipher with key = 15 to encrypt the message "hello".

Solution
We apply the encryption algorithm to the plaintext, character by character: h (07) + 15 = 22 → W, e (04) + 15 = 19 → T, l (11) + 15 = 26 mod 26 = 00 → A, l → A, o (14) + 15 = 29 mod 26 = 03 → D. The ciphertext is "WTAAD".

Example 3.4

Use the additive cipher with key = 15 to decrypt the message "WTAAD".
Solution

We apply the decryption algorithm to the ciphertext, character by character: W (22) - 15 = 07 → h, T (19) - 15 = 04 → e, A (00) - 15 = -15 mod 26 = 11 → l, A → l, D (03) - 15 = -12 mod 26 = 14 → o. The plaintext is "hello".
Shift Cipher and Caesar Cipher
Historically, additive ciphers are called shift ciphers. Julius Caesar used an additive cipher to communicate with his officers. For this reason, additive ciphers are sometimes referred to as the Caesar cipher. Caesar used a key of 3 for his communications.

Note

Additive ciphers are sometimes referred to as shift ciphers or the Caesar cipher.

Example 3.5
Eve has intercepted the ciphertext "UVACLYFZLJBYL". Show how she can use a brute-force attack to break the cipher.
Solution

Eve tries keys from 1 to 7. With a key of 7, the plaintext is "not very secure", which makes sense. Since the key space has only 25 usable values, a brute-force attack on an additive cipher is trivial.
Table 3.1 Frequency of characters in English

Table 3.2 Frequency of digrams and trigrams
Monoalphabetic Substitution Cipher

A better solution is to create a mapping between each plaintext character and the corresponding ciphertext character. Alice and Bob can agree on a table showing the mapping for each character.

Figure 3.12 An example key for monoalphabetic substitution cipher

Brute-force attack is difficult: there are 26! (about 4 x 10^26) possible keys. The cipher is nevertheless broken by a statistical attack based on the frequency of characters, digrams and trigrams (Tables 3.1 and 3.2), because the one-to-one mapping preserves the frequency distribution of the plaintext.

Example 3.13
We can use the key in Figure 3.12 to encrypt the message

The ciphertext is
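The additive cipher together with the two attacks on it discussed above (the brute-force search of Example 3.5 and the statistical attack based on letter frequency), as an added Python example; this is not code from the original slides. The `english_score` heuristic (count how many letters fall among the nine most frequent English letters of Table 3.1) and the `known_plaintext_key` helper are my own assumptions for illustration.

```python
import string

ALPHABET = string.ascii_lowercase


def additive_encrypt(plaintext: str, key: int) -> str:
    """C = (P + k) mod 26, letter by letter; non-letters are dropped, output is upper case."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + key) % 26].upper()
        for ch in plaintext.lower() if ch in ALPHABET
    )


def additive_decrypt(ciphertext: str, key: int) -> str:
    """P = (C - k) mod 26; Python's % already maps negative values into Z26."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) - key) % 26]
        for ch in ciphertext.lower() if ch in ALPHABET
    )


def brute_force(ciphertext: str) -> dict:
    """Ciphertext-only attack: key 0 is the identity, so only 25 trial decryptions exist."""
    return {k: additive_decrypt(ciphertext, k) for k in range(1, 26)}


COMMON = set("etaoinshr")   # assumption: the nine most frequent English letters (Table 3.1)


def english_score(text: str) -> int:
    """Crude statistical test: how many letters of the candidate are among the common ones."""
    return sum(1 for ch in text if ch in COMMON)


def best_key(ciphertext: str) -> int:
    """Rank the 25 candidates by english_score so the attack needs no human in the loop."""
    candidates = brute_force(ciphertext)
    return max(candidates, key=lambda k: (english_score(candidates[k]), -k))


def known_plaintext_key(plain_char: str, cipher_char: str) -> int:
    """Known-plaintext attack: a single (P, C) pair gives k = (C - P) mod 26 directly."""
    return (ALPHABET.index(cipher_char.lower()) - ALPHABET.index(plain_char.lower())) % 26


if __name__ == "__main__":
    print(additive_encrypt("hello", 15))          # Example 3.3
    print(additive_decrypt("WTAAD", 15))          # Example 3.4
    for k, candidate in brute_force("UVACLYFZLJBYL").items():
        print(k, candidate)                        # Example 3.5, all 25 candidates
    print("best key:", best_key("UVACLYFZLJBYL"))
```

The scoring step is what turns the brute-force table into an automated statistical attack: on the 13-letter ciphertext of Example 3.5, key 7 scores 9 while the runner-up scores 8, which is why frequency-based attacks want as much ciphertext as possible.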
3.2.2 Polyalphabetic Ciphers

In polyalphabetic substitution, each occurrence of a character may have a different substitute. The relationship between a character in the plaintext and a character in the ciphertext is one-to-many.

Autokey Cipher

In the autokey cipher the key stream is the initial secret key k1 followed by the plaintext characters themselves: k = (k1, P1, P2, ...). Each ciphertext character is Ci = (Pi + ki) mod 26.

Example 3.14
Assume that Alice and Bob agreed to use an autokey cipher with initial key value k1 = 12. Now Alice wants to send Bob the message "Attack is today". Enciphering is done character by character.

The autokey cipher hides the single-letter frequency of the plaintext, but it is vulnerable to a brute-force attack, since the key space of the first subkey is limited (only 25 values); once k1 is guessed, the rest of the key stream is the recovered plaintext itself.
Substitution Ciphers
Playfair Cipher

The 'key' for a Playfair cipher is generally a word; for the sake of example we will choose 'monarchy'. This is then used to generate a 5 x 5 'key square': the keyword letters (without repeats) are written first, followed by the remaining letters of the alphabet in order. Note that there is no 'j'; it is combined with 'i'. For 'monarchy' the square is

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x, so that full would be treated as fu lx lz.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or JM, as the encipherer wishes).

Figure 3.13 An example of a secret key in the Playfair cipher

Example 3.15
Let us encrypt the plaintext "hello" using the key in Figure 3.13.
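The four Playfair rules above, implemented as an added Python example (not code from the original slides), using the 'monarchy' key square from the text. The filler letter x and the pad letter z follow the "fu lx lz" convention stated in rule 1; the key of Figure 3.13 is not reproduced here, so Example 3.15 is run against the 'monarchy' square instead.

```python
ALPHABET_NO_J = "abcdefghiklmnopqrstuvwxyz"


def playfair_square(keyword: str) -> list:
    """5 x 5 key square: keyword letters first (duplicates dropped), then the rest of the alphabet; J merges into I."""
    seen = []
    for ch in keyword.lower() + ALPHABET_NO_J:
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:r * 5 + 5] for r in range(5)]


def playfair_digraphs(plaintext: str, filler: str = "x", pad: str = "z") -> list:
    """Rule 1: a doubled letter inside a pair is split with the filler; an odd tail is padded."""
    letters = ["i" if ch == "j" else ch for ch in plaintext.lower() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else pad
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _substitute(pair: str, square: list, pos: dict, step: int) -> str:
    """step = +1 applies rules 2-4 for encryption; step = -1 walks them backwards for decryption."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # Rule 2: same row, take the letter to the right
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                                   # Rule 3: same column, take the letter beneath
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]        # Rule 4: rectangle, swap the columns (self-inverse)


def _positions(square: list) -> dict:
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    pos = _positions(square)
    return "".join(_substitute(p, square, pos, +1) for p in playfair_digraphs(plaintext)).upper()


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse rules; filler and pad letters are left in place for the reader to strip."""
    square = playfair_square(keyword)
    pos = _positions(square)
    pairs = [ciphertext[i:i + 2].lower() for i in range(0, len(ciphertext), 2)]
    return "".join(_substitute(p, square, pos, -1) for p in pairs)


if __name__ == "__main__":
    for row in playfair_square("monarchy"):
        print(" ".join(row))
    print(playfair_encrypt("hello", "monarchy"))   # he lx lo -> CF SU PM
    print(playfair_decrypt("CFSUPM", "monarchy"))  # helxlo
```

Because the same digraph always maps to the same pair, Playfair is a monoalphabetic cipher over 26 x 26 = 676 digraphs rather than 26 letters; it flattens single-letter frequencies but still falls to digraph frequency analysis given a few hundred letters of ciphertext.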
Substitution Ciphers
Vigenère cipher
• Uses more than one alphabet, switching between them systematically
• How this cipher works
1. Pick a keyword
2. Write your keyword across the top of the text you want to encipher, repeating it as many times as necessary
3. Add each plaintext letter to the keyword letter above it, modulo 26

Example 3.16
Let us see how we can encrypt the message "She is listening" using the 6-character keyword "PASCAL". The initial key stream is (15, 0, 18, 2, 0, 11). The key stream is the repetition of this initial key stream (as many times as needed).
Vernam Cipher (One-time pad)
• It is implemented using a random set of characters as the key
• One-time usage: the key is never reused
• Length of the key text is equal to the length of the original plaintext
Algorithm
• Translate each plaintext letter into the corresponding number (i.e. A=0, B=1, ..., Z=25)
• Do the same for each character of the key text
• Add each number corresponding to a plaintext letter to the number of the corresponding key text letter
• If the sum is 26 or greater, subtract 26 from it (i.e. reduce the sum modulo 26)
• Translate each resulting number back to the corresponding letter. This gives the output ciphertext
Substitution Ciphers
Example
• Plaintext message: HOW ARE YOU
• One-time pad (key text): NCBTZQARX

• The one-time pad is discarded after a single use

• This technique is unconditionally secure provided the key is truly random, at least as long as the message, kept secret, and never reused; it is suitable for small plaintext messages.
• It is clearly impractical for large messages, because a fresh random key of the same length must be generated and distributed securely for every message.
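The Vigenère cipher (Example 3.16), the autokey cipher (Example 3.14) and the Vernam one-time pad above are all the same operation, Ci = (Pi + ki) mod 26, with different key streams. The added Python example below (not code from the original slides) makes that explicit: one `add_stream` routine, three key-stream generators, the 25-key brute-force attack on autokey, and a demonstration of what leaks when a pad is reused. The second message used for the two-time-pad demonstration is constructed for illustration.

```python
import secrets


def letters_to_numbers(text: str) -> list:
    """Map A..Z (case-insensitive, non-letters dropped) to 0..25."""
    return [ord(ch) - ord("A") for ch in text.upper() if "A" <= ch <= "Z"]


def numbers_to_letters(nums) -> str:
    return "".join(chr(ord("A") + n % 26) for n in nums)


def add_stream(plaintext: str, keystream) -> str:
    """C_i = (P_i + k_i) mod 26. Only the key stream differs between the ciphers below."""
    p = letters_to_numbers(plaintext)
    if len(keystream) < len(p):
        raise ValueError("key stream shorter than the message")
    return numbers_to_letters(x + k for x, k in zip(p, keystream))


def sub_stream(ciphertext: str, keystream) -> str:
    """P_i = (C_i - k_i) mod 26."""
    c = letters_to_numbers(ciphertext)
    return numbers_to_letters(x - k for x, k in zip(c, keystream)).lower()


# Vigenere: the keyword, repeated as often as needed.
def vigenere_stream(keyword: str, length: int) -> list:
    key = letters_to_numbers(keyword)
    return [key[i % len(key)] for i in range(length)]


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    return add_stream(plaintext, vigenere_stream(keyword, len(letters_to_numbers(plaintext))))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    return sub_stream(ciphertext, vigenere_stream(keyword, len(ciphertext)))


# Autokey: the initial key k1, then the plaintext itself.
def autokey_encrypt(plaintext: str, k1: int) -> str:
    p = letters_to_numbers(plaintext)
    return add_stream(plaintext, [k1] + p[:-1])


def autokey_decrypt(ciphertext: str, k1: int) -> str:
    out, k = [], k1
    for c in letters_to_numbers(ciphertext):
        k = (c - k) % 26            # each recovered plaintext letter is the next subkey
        out.append(k)
    return numbers_to_letters(out).lower()


def autokey_brute_force(ciphertext: str) -> dict:
    """Only k1 is secret, so 25 trial decryptions exhaust the key space."""
    return {k: autokey_decrypt(ciphertext, k) for k in range(1, 26)}


# Vernam / one-time pad: a fresh, uniformly random key stream as long as the message.
def otp_keystream(length: int) -> list:
    return [secrets.randbelow(26) for _ in range(length)]


def otp_encrypt(plaintext: str, pad) -> str:
    return add_stream(plaintext, pad)


def otp_decrypt(ciphertext: str, pad) -> str:
    return sub_stream(ciphertext, pad)


def two_time_pad_leak(c1: str, c2: str) -> list:
    """If one pad encrypts two messages, C1 - C2 = P1 - P2 (mod 26): the pad cancels out."""
    return [(a - b) % 26 for a, b in zip(letters_to_numbers(c1), letters_to_numbers(c2))]


if __name__ == "__main__":
    print(vigenere_encrypt("She is listening", "PASCAL"))   # Example 3.16
    print(autokey_encrypt("Attack is today", 12))           # Example 3.14
    pad = letters_to_numbers("NCBTZQARX")
    print(otp_encrypt("HOW ARE YOU", pad))                   # Vernam example
    print(two_time_pad_leak(otp_encrypt("HOW ARE YOU", pad), otp_encrypt("WHO ARE YOU", pad)))
```

The last line is the practical caveat behind "one-time": with a reused pad the attacker learns the letter-wise difference of the two plaintexts (here 11, 7, 8 and then zeros, revealing that the messages agree from the fourth letter on), and no randomness in the pad can hide that.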
Transposition Ciphers
• In the transposition technique there is no substitution of characters; instead their positions change

• A character in the 1st position of the plaintext may appear in the 10th position of the ciphertext

• A transposition cipher re-orders the characters in a block of symbols. There are various transposition cipher techniques, given as follows:

– Keyless transposition techniques

– Keyed transposition techniques
Keyless Ciphers
1) Rail Fence Technique
• The rail fence technique involves writing the plaintext message as a sequence of diagonals and then reading it row-by-row to produce the ciphertext
• Encryption algorithm:
– Write down the plaintext message as a sequence of diagonals (a zigzag over two rows)
– Read the plaintext row-by-row, left to right and then top to bottom
Example
• Original plaintext message: Come Home Tomorrow
• After we arrange the plaintext message as a sequence of diagonals (spaces suppressed), the first row holds the 1st, 3rd, 5th, ... letters and the second row holds the 2nd, 4th, 6th, ... letters

• Now read the text row-by-row, and write it sequentially. Thus we have:
• CMHMTMROOEOEOORW as the ciphertext
Transposition Ciphers
2) Simple Columnar Transposition Technique
• The simple columnar transposition technique arranges the plaintext as a sequence of rows of a rectangle that are read in columns in a chosen order
– Write the plaintext message row-by-row in a rectangle of a pre-defined size
– Read the message column-by-column. However, it need not be in the order of columns 1, 2, 3, etc.; it can be in any order such as 2, 3, 1, etc.
– The message thus obtained is the ciphertext message
Example
• Original plaintext message: Come Home Tomorrow
• Let us consider a rectangle with six columns. Therefore, when we write the message in the rectangle row-by-row, suppressing spaces, the rows are COMEHO, METOMO and RROW

• Now, let us decide the order of columns as some random order, say 4, 6, 1, 2, 5 & 3. Then read the text in the order of these columns: EOW, OO, CMR, OER, HM, MTO
• The ciphertext thus obtained would be EOWOOCMROERHMMTO (16 characters, the same as the plaintext: a transposition never changes the letters or their frequencies, only their positions)
Transposition Ciphers
3) Simple Columnar Transposition Technique with Multiple Rounds
• To improve the basic simple columnar technique, we can introduce more complexity
• Use the same basic operation of the simple columnar technique, but do it more than once

Algorithm:
– Write the plaintext message row-by-row in a rectangle of a pre-defined size
– Read the message column-by-column. However, it need not be in the order of columns 1, 2, 3, etc.; it can be any order such as 2, 3, 1, etc.
– The message thus obtained is the ciphertext message of round 1
– Repeat steps 1 to 3 as many times as desired
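The three keyless transposition procedures above (rail fence, simple columnar with a column order, and columnar with multiple rounds), with their inverses, as an added Python example; this is not code from the original slides. The rail-fence routine is generalised to any number of rails, and the columnar decryption works out the column lengths from the message length and the column order, the detail the slides leave implicit.

```python
import math


def letters_only(text: str) -> str:
    """Transposition works on the letters alone; spaces are suppressed and case normalised."""
    return "".join(ch.upper() for ch in text if ch.isalpha())


def _rail_pattern(length: int, rails: int) -> list:
    """Row index of each position when the text is written as a zigzag over `rails` rows."""
    pattern, r, step = [], 0, 1
    for _ in range(length):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    text = letters_only(plaintext)
    pattern = _rail_pattern(len(text), rails)
    return "".join(ch for row in range(rails) for ch, r in zip(text, pattern) if r == row)


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    pattern = _rail_pattern(len(ciphertext), rails)
    out, k = [None] * len(ciphertext), 0
    for row in range(rails):                 # refill the rows in the order they were read
        for i, r in enumerate(pattern):
            if r == row:
                out[i] = ciphertext[k]
                k += 1
    return "".join(out)


def columnar_encrypt(plaintext: str, order: list) -> str:
    """Write rows of len(order) letters; read the columns in the given (1-based) order."""
    text, cols = letters_only(plaintext), len(order)
    return "".join(text[c - 1::cols] for c in order)


def columnar_decrypt(ciphertext: str, order: list) -> str:
    n, cols = len(ciphertext), len(order)
    rows = math.ceil(n / cols)
    full = n % cols                          # the first `full` columns hold `rows` letters, the rest one fewer
    col_len = [rows if (full == 0 or c < full) else rows - 1 for c in range(cols)]
    columns, k = {}, 0
    for c in order:                          # peel the ciphertext back into its columns
        columns[c - 1] = ciphertext[k:k + col_len[c - 1]]
        k += col_len[c - 1]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols) if r < len(columns[c]))


def columnar_rounds_encrypt(plaintext: str, order: list, rounds: int) -> str:
    text = letters_only(plaintext)
    for _ in range(rounds):
        text = columnar_encrypt(text, order)
    return text


def columnar_rounds_decrypt(ciphertext: str, order: list, rounds: int) -> str:
    for _ in range(rounds):
        ciphertext = columnar_decrypt(ciphertext, order)
    return ciphertext


if __name__ == "__main__":
    print(rail_fence_encrypt("Come Home Tomorrow"))                      # CMHMTMROOEOEOORW
    print(columnar_encrypt("Come Home Tomorrow", [4, 6, 1, 2, 5, 3]))    # EOWOOCMROERHMMTO
    print(columnar_rounds_encrypt("Come Home Tomorrow", [4, 6, 1, 2, 5, 3], 2))
```

Note that every output is an anagram of the input: sorting the ciphertext letters gives the sorted plaintext letters, which is exactly the statistical signature (unchanged letter frequencies) that tells a cryptanalyst a transposition rather than a substitution was used.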
3.3.2 Keyed Transposition Ciphers

The keyless ciphers permute the characters by writing the plaintext in one way and reading it in another way. The permutation is done on the whole plaintext to create the whole ciphertext. Another method is to divide the plaintext into groups of predetermined size, called blocks, and then use a key to permute the characters in each block separately.

Example 3.25

Alice needs to send the message "Enemy attacks tonight" to Bob.

The key used for encryption and decryption is a permutation key, which shows how the characters are permuted.

The permutation yields

3.3.3 Combining Two Approaches

Example 3.26
Figure 3.21
3-4 STREAM AND BLOCK CIPHERS

In a stream cipher, encryption/decryption is done one symbol at a time; in a block cipher, a group of symbols is encrypted together.

3.4.1 Stream Ciphers

Call the plaintext stream P, the ciphertext stream C, and the key stream K: P = P1 P2 P3 ..., C = C1 C2 C3 ..., K = (k1, k2, k3, ...), with Ci = E(ki, Pi) and Pi = D(ki, Ci).

Figure 3.26 Stream cipher

Example 3.30

Additive ciphers can be categorized as stream ciphers in which the key stream is the single key repeated: K = (k, k, k, ...).

Example 3.32
Vigenère ciphers are also stream ciphers according to the definition. In this case, the key stream is a repetition of m values, where m is the size of the keyword. In other words, K = (k1, k2, ..., km, k1, k2, ..., km, ...).

3.4.2 Block Ciphers

In a block cipher, a group of plaintext symbols of size m (m > 1) are encrypted together creating a group of ciphertext of the same size. A single key is used to encrypt the whole block even if the key is made of multiple values. Figure 3.27 shows the concept of a block cipher.
Figure 3.27 Block cipher

Example 3.34
Playfair ciphers are block ciphers. The size of the block is m = 2. Two characters are encrypted together.
Claude Shannon and Substitution-Permutation Ciphers
• In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P) networks
– modern ciphers are substitution-transposition product ciphers

• S-P networks are based on the two primitive cryptographic operations we have seen before:
– substitution (S-box): each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
– permutation (P-box): the order of the elements is changed

• They provide confusion and diffusion of the message

Confusion and Diffusion

• A cipher needs to completely obscure the statistical properties of the original message (in an ideal cipher all statistics of the ciphertext are independent of the particular key used)

• A one-time pad does this

• More practically, Shannon suggested combining elements to obtain:

• diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext, so that each plaintext digit affects many ciphertext digits
• confusion: makes the relationship between the ciphertext and the key as complex as possible, so that the key cannot be deduced from ciphertext statistics
Feistel Cipher Structure

• Horst Feistel devised the feistel cipher


– based on concept of invertible product cipher

• partitions input block into two halves


– process through multiple rounds which
– perform a substitution on left data half based on round function of right
half & subkey
– then have permutation swapping halves

• implements Shannon’s substitution-permutation network concept


Feistel Cipher Structure
Feistel Cipher Design
Principles
• block size
– increasing size improves security, but slows cipher

• key size
– increasing size improves security, makes exhaustive key searching
harder, but may slow cipher

• number of rounds
– increasing number improves security, but slows cipher

• subkey generation
– greater complexity can make analysis harder, but slows cipher

• round function
– greater complexity can make analysis harder, but slows cipher

• fast software en/decryption & ease of analysis


– are more recent concerns for practical use and testing
Feistel Cipher Systems
Conventional Encryption Algorithms
• Data Encryption Standard (DES)
– Historically the most widely used encryption scheme (now withdrawn by NIST; its 56-bit key is too short for modern use)
– The algorithm is referred to as the Data Encryption Algorithm (DEA)
– DES is a block cipher
– The plaintext is processed in 64-bit blocks
– The key is 56 bits in length (64 bits including 8 parity bits)
Data Encryption Standard (DES)
• The algorithm has 16 rounds. Each round has the following architecture:

Li and Ri are each 32-bit long strings
DES
• The overall processing at each iteration:
– Li = Ri-1
– Ri = Li-1 ⊕ F(Ri-1, Ki)

• Concerns about:
– The algorithm (the design criteria of the S-boxes were not published) and the key length (56 bits)
DES
• Before any rounds, the plaintext bits are permuted using an initial permutation (IP).
• At the end of the 16 rounds the inverse permutation (IP^-1) is applied.
• The initial permutation is public knowledge and adds no security.
DES Round Structure

• uses two 32-bit L & R halves

• as for any Feistel cipher can be described as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)

• the round function F takes the 32-bit R half and the 48-bit subkey and:
– expands R to 48 bits using the expansion permutation E
– XORs the result with the subkey
– passes the 48 bits through 8 S-boxes (6 bits in, 4 bits out each) to get a 32-bit result
– finally permutes this using the 32-bit permutation P
DES: Expansion Function

• The 32 bits of the right half are permuted and 16 of them are repeated twice to obtain a 48-bit string (each 4-bit group borrows one bit from each neighbouring group, which is what lets a single input bit reach two S-boxes).

DES Round Structure

(Figure: the S-box lookup; the outer two bits of each 6-bit group select the row and the inner four bits select the column.)
DES: S-Boxes
• Each S-box takes a 6-bit argument as input and outputs four bits.
• This is the substitution part of the cipher, and the only non-linear step.
• Each S-box has a different functionality as defined by the corresponding table.

DES

• After substitution, the function output is 32 bits and it goes through a fixed permutation P.
• Thus we perform "confusion" (S-boxes) and "diffusion" (expansion and permutation) steps in each round.
DES Key Schedule
• forms the subkeys used in each round

• consists of:
– an initial permutation of the key (PC-1) which selects 56 bits in two 28-bit halves
– 16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on the key rotation schedule
• selecting 24 bits from each half and permuting them by PC-2 for use in the round function F
DES Decryption
• decryption must unwind the steps of the data computation
• with the Feistel design, do the encryption steps again
• using the subkeys in reverse order (SK16 ... SK1)
Avalanche Effect
• A key desirable property of an encryption algorithm.

• A change of one input (plaintext) or key bit results in changing approximately half of the output bits.

Strength of DES (cont.)
• Avalanche effect in DES
– If there is a small change in either the plaintext or the key, the ciphertext should change markedly.
• DES exhibits a strong avalanche effect: after a few rounds, a single flipped input bit changes about 32 of the 64 output bits.
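The Feistel structure (Li = Ri-1, Ri = Li-1 xor F(Ri-1, Ki)), decryption by running the same rounds with the subkeys reversed, and a measurement of the avalanche effect, as an added Python example; this is not code from the original slides and it is not DES. The round function and the key schedule are toy constructions built from SHA-256 (my assumption, in place of DES's E/S-box/P function and PC-1/PC-2 schedule); the point they illustrate is that F need not be invertible for the cipher to be, and that avalanche only appears after several rounds.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: bytes) -> int:
    """Toy F (assumption, not DES's expansion/S-box/P function): hash the 32-bit half with the subkey.
    It is deliberately a one-way function: a Feistel cipher never needs to invert F."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")


def key_schedule(key: bytes, rounds: int) -> list:
    """Toy schedule (assumption, not PC-1/PC-2): subkey i = SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def feistel(block: int, subkeys) -> int:
    """L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i) for each subkey.
    The final swap is undone, so the same routine decrypts when given the subkeys in reverse order."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def feistel_encrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds))


def feistel_decrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds)[::-1])


def avalanche(block: int, key: bytes, rounds: int = 16) -> float:
    """Average number of the 64 output bits that change when a single input bit is flipped."""
    base = feistel_encrypt(block, key, rounds)
    changed = 0
    for i in range(64):
        changed += bin(base ^ feistel_encrypt(block ^ (1 << i), key, rounds)).count("1")
    return changed / 64


if __name__ == "__main__":
    key, block = b"demo key", 0x0123456789ABCDEF
    ct = feistel_encrypt(block, key)
    print(hex(ct), hex(feistel_decrypt(ct, key)))
    for r in (1, 2, 4, 16):
        print(f"{r:2d} round(s): {avalanche(block, key, r):5.1f} of 64 output bits change on average")
```

With one round, a flipped bit in the left half changes exactly one output bit (it only passes through the XOR), and a flipped bit in the right half changes at most 33, so the average cannot exceed 17; with 16 rounds the average settles near 32, which is what "strong avalanche" means quantitatively.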
Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 x 10^16 values

• a brute-force search looks hard

• but advances have shown it is feasible

– in 1998 the EFF's dedicated hardware (Deep Crack, built for under $250,000) recovered a DES key in 56 hours
• alternatives are available for DES: AES, triple DES etc.
Strength of DES
• Nature of the algorithm: differential and linear cryptanalysis attack the S-box structure, but require far more chosen or known plaintext than is practical
• Timing attacks: information about the key or plaintext is obtained by observing the time taken to decrypt ciphertexts
USE OF MODERN BLOCK CIPHERS

Symmetric-key encipherment can be done using modern block ciphers. Modes of operation have been devised to encipher text of any size employing either DES or AES.

8.1.1 Electronic Codebook (ECB) Mode

The simplest mode of operation is called the electronic codebook (ECB) mode.

Figure 8.2 Electronic codebook (ECB) mode
Electronic Codebook (ECB)
• the message is broken into independent blocks which are encrypted

• each block is a value which is substituted, like a codebook, hence the name

• each block is encoded independently of the other blocks:
Ci = E_K(Pi)

• uses: secure transmission of single values (e.g. a key)

Advantages and Limitations of ECB
• repetitions in the message show in the ciphertext: equal plaintext blocks give equal ciphertext blocks, so patterns leak
• weakness due to encrypted message blocks being independent: blocks can be reordered, duplicated or removed without detection
• main use is sending a few blocks of data; it should not be used for general-purpose encryption
8.1.2 Cipher Block Chaining (CBC) Mode

In CBC mode, each plaintext block is exclusive-ORed with the previous ciphertext block before being encrypted: Ci = E_K(Pi ⊕ Ci-1), with C0 = IV.
Figure 8.3 Cipher block chaining (CBC) mode

Example 8.4
It can be proved that each plaintext block at Alice's site is recovered exactly at Bob's site. Because encryption and decryption are inverses of each other, D_K(Ci) ⊕ Ci-1 = (Pi ⊕ Ci-1) ⊕ Ci-1 = Pi.

Initialization Vector (IV)

The initialization vector (IV) should be known by the sender and the receiver. It need not be secret, but it must be unpredictable to an attacker (a fresh random value per message); a fixed or predictable IV lets an attacker recognise repeated first blocks across messages.
Cipher FeedBack (CFB) and Output FeedBack (OFB)
• the message is treated as a stream of bits

• the output of the cipher is added (XORed) to the message

• in OFB the cipher output is then fed back (hence the name)

• the feedback is independent of the message

• so the key stream can be computed in advance

Ci = Pi XOR Oi
Oi = E_K(Oi-1)
O0 = IV

• uses: stream encryption over noisy channels (a bit error in the ciphertext affects only the corresponding plaintext bit)
• in CFB the ciphertext block Ci (not Oi) is fed back, so CFB is self-synchronizing but an error propagates into the next block

Output FeedBack (OFB)
Counter (CTR)
• Used in ATM network security and IPSec
• A counter equal to the plaintext block size is used: Oi = E_K(counter + i), Ci = Pi XOR Oi
• Blocks can be encrypted in parallel and accessed randomly
• The nonce (and hence the counter values) must never be reused under the same key: a reused key stream leaks Pi XOR Pj
Counter (CTR)
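The four modes discussed above (ECB, CBC, OFB, CTR) as an added Python example, not code from the original slides. The underlying block cipher is a toy (my assumption): a keyed random permutation of 16-bit blocks, which is the "codebook" of ECB taken literally, so that the modes can be shown without DES or AES. The sample messages are constructed. The example shows the ECB leakage the slides warn about, CBC removing it, the stream modes needing no padding, and the key-stream reuse failure of CTR.

```python
import random
import secrets

BLOCK_BITS = 16
BLOCK_BYTES = BLOCK_BITS // 8


class ToyBlockCipher:
    """Keyed random permutation of 16-bit blocks (assumption: a toy, not DES or AES)."""

    def __init__(self, key: bytes):
        rng = random.Random(key)                     # the key seeds the permutation
        self.table = list(range(1 << BLOCK_BITS))
        rng.shuffle(self.table)
        self.inverse = [0] * len(self.table)
        for plain, cipher in enumerate(self.table):
            self.inverse[cipher] = plain

    def encrypt_block(self, block: bytes) -> bytes:
        return self.table[int.from_bytes(block, "big")].to_bytes(BLOCK_BYTES, "big")

    def decrypt_block(self, block: bytes) -> bytes:
        return self.inverse[int.from_bytes(block, "big")].to_bytes(BLOCK_BYTES, "big")


def split_blocks(data: bytes) -> list:
    if len(data) % BLOCK_BYTES:
        raise ValueError("ECB/CBC need the message padded to a multiple of the block size")
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(cipher, pt: bytes) -> bytes:          # Ci = E_K(Pi)
    return b"".join(cipher.encrypt_block(p) for p in split_blocks(pt))


def ecb_decrypt(cipher, ct: bytes) -> bytes:
    return b"".join(cipher.decrypt_block(c) for c in split_blocks(ct))


def cbc_encrypt(cipher, pt: bytes, iv: bytes) -> bytes:   # Ci = E_K(Pi xor Ci-1), C0 = IV
    prev, out = iv, []
    for p in split_blocks(pt):
        prev = cipher.encrypt_block(xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, ct: bytes, iv: bytes) -> bytes:   # Pi = D_K(Ci) xor Ci-1
    prev, out = iv, []
    for c in split_blocks(ct):
        out.append(xor(cipher.decrypt_block(c), prev))
        prev = c
    return b"".join(out)


def ofb_keystream(cipher, iv: bytes, nbytes: int) -> bytes:   # Oi = E_K(Oi-1), O0 = IV
    o, out = iv, b""
    while len(out) < nbytes:
        o = cipher.encrypt_block(o)
        out += o
    return out[:nbytes]


def ctr_keystream(cipher, nonce: int, nbytes: int) -> bytes:  # Oi = E_K(nonce + i)
    out, i = b"", 0
    while len(out) < nbytes:
        counter = ((nonce + i) % (1 << BLOCK_BITS)).to_bytes(BLOCK_BYTES, "big")
        out += cipher.encrypt_block(counter)
        i += 1
    return out[:nbytes]


def ofb_crypt(cipher, data: bytes, iv: bytes) -> bytes:       # same call encrypts and decrypts
    return xor(data, ofb_keystream(cipher, iv, len(data)))


def ctr_crypt(cipher, data: bytes, nonce: int) -> bytes:
    return xor(data, ctr_keystream(cipher, nonce, len(data)))


def fresh_iv() -> bytes:
    """CBC/OFB want an unpredictable IV per message; CTR wants a never-repeating nonce."""
    return secrets.token_bytes(BLOCK_BYTES)


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one: the pattern leakage of ECB."""
    blocks = split_blocks(ct)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    cipher = ToyBlockCipher(b"demo key")
    pt = b"AAAAAAAAAAAAAAAA"                           # eight identical blocks (constructed)
    iv = fresh_iv()
    print("ECB repeats:", repeated_blocks(ecb_encrypt(cipher, pt)))        # 7
    print("CBC repeats:", repeated_blocks(cbc_encrypt(cipher, pt, iv)))    # almost surely 0
    m1, m2 = b"attack at dawn!", b"retreat at noon"    # constructed, 15 bytes each: no padding for stream modes
    print(xor(ctr_crypt(cipher, m1, 7), ctr_crypt(cipher, m2, 7)) == xor(m1, m2))   # True: nonce reuse leaks
```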

Advanced Encryption Standard (AES)
1-1 INTRODUCTION

The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in December 2001.

Topics discussed in this section:

1.1.1 History
1.1.2 Criteria
1.1.3 Rounds
1.1.4 Data Units
1.1.5 Structure of Each Round
1.1.1 History

In February 2001, NIST announced that a draft of the Federal Information Processing Standard (FIPS) was available for public review and comment. Finally, AES was published as FIPS 197 in the Federal Register in December 2001.

The cipher was designed by Joan Daemen and Vincent Rijmen and was originally named Rijndael.

1.1.2 Criteria

The criteria defined by NIST for selecting AES fall into three areas:
1. Security
2. Cost
3. Implementation.
1.1.3 Rounds

AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The number of rounds depends on the key size, which can be 128, 192, or 256 bits.

Note

AES has defined three versions, with 10, 12, and 14 rounds.
Each version uses a different cipher key size (128, 192, or 256 bits), but the round keys are always 128 bits.
1.1.3 Continue

Figure 1.1 General design of AES encryption cipher


1.1.4 Data Units.
Figure 1.2 Data units used in AES
1.1.4 Continue

Figure 1.3 Block-to-state and state-to-block transformation


1.1.4 Continue
Example 1.1 Continue

Figure 1.4 Changing plaintext to state


1.1.5 Structure of Each Round
Figure 1.5 Structure of each round at the encryption site
1-2 TRANSFORMATIONS

To provide security, AES uses four types of


transformations: substitution, permutation, mixing, and
key-adding.

Topics discussed in this section:


1.2.1 Substitution
1.2.2 Permutation
1.2.3 Mixing
1.2.4 Key Adding
1.2.1 Substitution

AES, like DES, uses substitution. AES uses two invertible transformations.

SubBytes
The first transformation, SubBytes, is used at the encryption site. To substitute a byte, we interpret the byte as two hexadecimal digits: the left digit selects the row and the right digit selects the column of the substitution table. The table itself is not arbitrary: each byte is replaced by its multiplicative inverse in GF(2^8), followed by an affine transformation.

Note

The SubBytes operation involves 16 independent byte-to-byte transformations.

Figure 1.6 SubBytes transformation

InvSubBytes
InvSubBytes, used at the decryption site, uses the inverse table (the affine transformation is undone first, then the multiplicative inverse is taken).

Example 1.2

Figure 1.7 shows how a state is transformed using the SubBytes transformation. The figure also shows that the InvSubBytes transformation recreates the original one. Note that if two bytes have the same values, their transformation is also the same.

Figure 1.7 SubBytes transformation for Example 1.2

1.2.2 Permutation

Another transformation found in a round is shifting, which permutes the bytes.

ShiftRows
In the encryption, the transformation is called ShiftRows.

Figure 1.9 ShiftRows transformation

Example 1.4

Figure 1.10 shows how a state is transformed using the ShiftRows transformation. The figure also shows that the InvShiftRows transformation creates the original state.

Figure 1.10 ShiftRows transformation in Example 1.4


1.2.3 Mixing

We need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.

Figure 1.11 Mixing bytes using matrix multiplication

Figure 1.12 Constant matrices used by MixColumns and InvMixColumns

MixColumns
The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.

Figure 1.13 MixColumns transformation

InvMixColumns
The InvMixColumns transformation is basically the same as the MixColumns transformation.

Note

The MixColumns and InvMixColumns transformations are inverses of each other.

Example 1.5

Figure 1.14 shows how a state is transformed using the MixColumns transformation. The figure also shows that the InvMixColumns transformation creates the original one.

Figure 1.14 The MixColumns transformation in Example 1.5


1.2.4 Key Adding

AddRoundKey
AddRoundKey proceeds one column at a time. AddRoundKey adds a round key word with each state column matrix; the operation in AddRoundKey is matrix addition.

Note

The AddRoundKey transformation is the inverse of itself.

Figure 1.15 AddRoundKey transformation
1-3 KEY EXPANSION

To create round keys for each round, AES uses a key-expansion process. If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.

Topics discussed in this section:

1.3.1 Key Expansion in AES-128
1.3.2 Key Expansion in AES-192 and AES-256
1.3.3 Key-Expansion Analysis

1.3.1 Key Expansion in AES-128
Figure 1.16 Key expansion in AES

1.3.2 Key Expansion in AES-192 and AES-256

Key-expansion algorithms in the AES-192 and AES-256 versions are very similar to the key-expansion algorithm in AES-128, with the following differences:

1.3.3 Key-Expansion Analysis

The key-expansion mechanism in AES has been designed to provide several features that thwart the cryptanalyst.
1-4 CIPHERS

AES uses four types of transformations for encryption and decryption. In the standard, the encryption algorithm is referred to as the cipher and the decryption algorithm as the inverse cipher.

Topics discussed in this section:

1.4.1 Original Design
1.4.2 Alternative Design
1-6 ANALYSIS OF AES

This section is a brief review of the three characteristics of AES.

Topics discussed in this section:

1.6.1 Security
1.6.2 Implementation
1.6.3 Simplicity and Cost

1.6.1 Security

AES was designed after DES. Most of the known attacks on DES were already tested on AES.

Brute-Force Attack
AES is definitely more secure than DES due to the larger-size key.

Statistical Attacks
Numerous tests have failed to do statistical analysis of the ciphertext.

1.6.2 Implementation

AES can be implemented in software, hardware, and firmware. The implementation can use a table-lookup process or routines that use a well-defined algebraic structure.

1.6.3 Simplicity and Cost

The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
Modes of Operation
• A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application.
• Five modes are defined by NIST (SP 800-38A).
Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence the name
• each block is encoded independently of the other blocks
• uses: secure transmission of single values

Advantages and Limitations of ECB
• repetitions in the message may show in the ciphertext
– if aligned with the message block
– particularly with data such as graphics
– or with messages that change very little, which become a code-book analysis problem
• weakness is due to encrypted message blocks being independent
• main use is sending a few blocks of data
Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher block is chained with the current plaintext block, hence the name
• uses an Initial Vector (IV) to start the process

C_i = DES_K1(P_i XOR C_{i-1})
C_{-1} = IV

• uses: bulk data encryption, authentication

Advantages and Limitations of CBC
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
– however, if the IV is sent in the clear, an attacker can change bits of the first block, and change the IV to compensate
– hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message
• at the end of the message, handle a possible last short block
– by padding either with a known non-data value (e.g. nulls)
– or pad the last block with a count of the pad size
• e.g. [b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
Cipher Feedback (CFB)
• a block cipher can be converted to a stream cipher using CFB, OFB or CTR
• padding is not needed
• plaintext and ciphertext are the same size

Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is the need to stall while doing a block encryption after every n bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
Output Feedback (OFB)

Advantages and Limitations of OFB
• used when error feedback is a problem or where encryptions are needed before the message is available
• superficially similar to CFB
• but feedback is from the output of the cipher and is independent of the message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should ever be used
Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts a counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)

C_i = P_i XOR O_i
O_i = DES_K1(i)

• uses: high-speed network encryptions

Advantages and Limitations of CTR
• efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high-speed links
• random access to encrypted data blocks
• provable security (as good as other modes)
• but must ensure never to reuse key/counter values, otherwise it could break (cf. OFB)
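The ECB, CBC and CTR slides above, as an added Python example that is not part of the original slides: the three modes implemented over a constructed toy block cipher, showing the ECB repetition leak, the CBC chaining equation C_i = E_K(P_i XOR C_{i-1}) and the CTR keystream equation. The toy Feistel cipher, key, IV and nonce are constructed for the demo and stand in for DES_K1; the cipher is invertible but not secure.

```python
import hashlib

BLOCK = 16  # block size in bytes of the toy cipher below


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Constructed stand-in for the block cipher (DES in the slides): a 4-round
    Feistel permutation on a 16-byte block, keyed through SHA-256. It is
    invertible, which is all the modes need; it is NOT a secure cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]
        left, right = xor(right, f), left
    return left + right


def pad(msg):
    """Pad to a block multiple with zeros and a final pad-size byte, as in the
    CBC slide ([b1 b2 b3 0 0 0 0 5]); a whole block is added if already aligned."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x00" * (n - 1) + bytes([n])


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):
    # every block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pad(msg)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_block_decrypt(key, b) for b in blocks(ct)))


def cbc_encrypt(key, iv, msg):
    # C_i = E_K(P_i XOR C_{i-1}), with C_{-1} = IV
    prev, out = iv, []
    for p in blocks(pad(msg)):
        prev = toy_block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    # O_i = E_K(nonce || i), C_i = P_i XOR O_i; no padding, and the same call
    # decrypts. A (key, nonce, counter) triple must never be reused.
    out = []
    for i, chunk in enumerate(blocks(data)):
        keystream = toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(xor(chunk, keystream))  # zip truncates for a short last block
    return b"".join(out)


def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier one."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


def demo():
    key = b"constructed-key!"        # constructed 16-byte sample key
    nonce = b"\x00" * 8             # constructed 8-byte nonce
    iv = bytes(range(BLOCK))        # constructed IV, fixed so the demo is reproducible
    msg = b"ATTACK AT DAWN!!" * 3   # three identical 16-byte plaintext blocks
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, iv, msg)
    ctr = ctr_crypt(key, nonce, msg)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 2: the repetition shows through
        "cbc_repeats": repeated_blocks(cbc),   # 0: chaining hides it
        "ecb_roundtrip": ecb_decrypt(key, ecb) == msg,
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == msg,
        "ctr_roundtrip": ctr_crypt(key, nonce, ctr) == msg,
        "ctr_no_expansion": len(ctr) == len(msg),
    }


if __name__ == "__main__":
    print(demo())
```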
Mathematics of Cryptography

Note: Greatest Common Divisor

The greatest common divisor of two positive integers is the largest integer that can divide both integers.

Note: Euclidean Algorithm

Fact 1: gcd (a, 0) = a
Fact 2: gcd (a, b) = gcd (b, r), where r is the remainder of dividing a by b
Figure 2.7 Euclidean Algorithm

Note

When gcd (a, b) = 1, we say that a and b are relatively prime.

Example 2.7
Find the greatest common divisor of 2740 and 1760.
Solution
We have gcd (2740, 1760) = 20.

Example 2.8
Find the greatest common divisor of 25 and 60.
Solution
We have gcd (25, 60) = 5.
Extended Euclidean Algorithm
Given two integers a and b, we often need to find two other integers, s and t, such that

The extended Euclidean algorithm can calculate gcd (a, b) and at the same time calculate the values of s and t.

Figure 2.8.a Extended Euclidean algorithm, part a
Figure 2.8.b Extended Euclidean algorithm, part b

Example 2.9
Given a = 161 and b = 28, find gcd (a, b) and the values of s and t.
Solution
We get gcd (161, 28) = 7, s = −1 and t = 6.

Example 2.10
Given a = 17 and b = 0, find gcd (a, b) and the values of s and t.
Solution
We get gcd (17, 0) = 17, s = 1, and t = 0.

Example 2.11
Given a = 0 and b = 45, find gcd (a, b) and the values of s and t.
Solution
We get gcd (0, 45) = 45, s = 0, and t = 1.

Example 2.14
Find the result of the following operations:
a. 27 mod 5      b. 36 mod 12
c. −18 mod 14    d. −7 mod 10
Solution
a. Dividing 27 by 5 results in r = 2.
b. Dividing 36 by 12 results in r = 0.
c. Dividing −18 by 14 results in r = −4. After adding the modulus, r = 10.
d. Dividing −7 by 10 results in r = −7. After adding the modulus to −7, r = 3.
2.2.3 Congruence

To show that two integers are congruent, we use the congruence operator (≡). For example, we write:

2.2.4 Properties

2.2.5 Multiplicative Inverse
In Zn, two numbers a and b are the multiplicative inverse of each other if

Note

In modular arithmetic, an integer may or may not have a multiplicative inverse. When it does, the product of the integer and its multiplicative inverse is congruent to 1 modulo n.
Example 2.22
Find the multiplicative inverse of 8 in Z10.
Solution
There is no multiplicative inverse because gcd (10, 8) = 2 ≠ 1. In other words, we cannot find any number between 0 and 9 such that when multiplied by 8, the result is congruent to 1.

Example 2.23
Find all multiplicative inverses in Z10.
Solution
There are only three pairs: (1, 1), (3, 7) and (9, 9). The numbers 0, 2, 4, 5, 6, and 8 do not have a multiplicative inverse.

Example 2.24
Find all multiplicative inverse pairs in Z11.
Solution
We have seven pairs: (1, 1), (2, 6), (3, 4), (5, 9), (7, 8), (9, 5), and (10, 10).

Figure 2.15 Using the extended Euclidean algorithm to find a multiplicative inverse

Example 2.25
Find the multiplicative inverse of 11 in Z26.
Solution
The gcd (26, 11) is 1; the inverse of 11 is −7 or 19.

Example 2.26
Find the multiplicative inverse of 23 in Z100.
Solution
The gcd (100, 23) is 1; the inverse of 23 is −13 or 87.
9.1.4 Euler’s Phi-Function

Euler’s phi-function, φ(n), which is sometimes called Euler’s totient function, plays a very important role in cryptography.

We can combine the above four rules to find the value of φ(n). For example, if n can be factored as

n = p1^e1 × p2^e2 × … × pk^ek

then we combine the third and the fourth rule to find

Note
The difficulty of finding φ(n) depends on the difficulty of finding the factorization of n.

Example 9.7
What is the value of φ(13)?
Solution
Because 13 is a prime, φ(13) = (13 − 1) = 12.

Example 9.8
What is the value of φ(10)?
Solution
We can use the third rule: φ(10) = φ(2) × φ(5) = 1 × 4 = 4, because 2 and 5 are primes.

Example 9.9
What is the value of φ(240)?
Solution
We can write 240 = 2^4 × 3^1 × 5^1. Then

φ(240) = (2^4 − 2^3) × (3^1 − 3^0) × (5^1 − 5^0) = 64

Example 9.10
Can we say that φ(49) = φ(7) × φ(7) = 6 × 6 = 36?
Solution
No. The third rule applies when m and n are relatively prime. Here 49 = 7^2. We need to use the fourth rule: φ(49) = 7^2 − 7^1 = 42.
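Added example, not part of the original slides: the Euclidean and extended Euclidean algorithms, multiplicative inverses by the Figure 2.15 method (run the extended algorithm on (n, a); the t coefficient is the inverse), and φ(n) from the factorization, reproducing Examples 2.7 to 2.26 and 9.7 to 9.10 above. Function names are my own.

```python
def gcd(a, b):
    """Euclidean algorithm: gcd(a, 0) = a and gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, t0, s1, t1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def mod_inverse(a, n):
    """Inverse of a in Z_n, or None when gcd(n, a) != 1.
    Runs the extended algorithm on (n, a): s*n + t*a = 1, so t is the inverse."""
    g, _, t = extended_gcd(n, a % n)
    return None if g != 1 else t % n


def inverse_pairs(n):
    """All (a, a^-1) pairs in Z_n, each pair listed once (Examples 2.23, 2.24)."""
    pairs = []
    for a in range(1, n):
        inv = mod_inverse(a, n)
        if inv is not None and a <= inv:
            pairs.append((a, inv))
    return pairs


def factorize(n):
    """Trial division -> {prime: exponent}; adequate for the small n used here.
    For cryptographic-size n this step is exactly what is assumed to be hard."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's phi from the factorization: the product of (p^e - p^(e-1))."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


if __name__ == "__main__":
    print(gcd(2740, 1760), extended_gcd(161, 28), mod_inverse(11, 26), phi(240))
```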
Public Key Cryptography / Asymmetric Key Cryptography

Public key encryption structure
• First proposed by Diffie & Hellman in 1976
• Algorithms are based on mathematical functions, not on bit patterns
• Uses 2 separate keys
• Six ingredients: plaintext, encryption algorithm (EA), public and private keys, ciphertext, decryption algorithm (DA)

Steps
Public key cryptosystem: secrecy
Public key cryptosystem: authentication
Public key cryptosystem: secrecy & authentication

Applications of public key cryptosystems
1. Encryption / Decryption
Sender encrypts a message with the recipient’s public key
2. Digital signature
Sender signs a message with the private key
3. Key exchange
Two sides cooperate to exchange a session key
10.1.4 Trapdoor One-Way Function

The main idea behind asymmetric-key cryptography is the concept of the trapdoor one-way function.

Functions

Figure 10.3 A function as a rule mapping a domain to a range

One-Way Function (OWF)
1. f is easy to compute.
2. f^−1 is difficult to compute.

Trapdoor One-Way Function (TOWF)
3. Given y and a trapdoor (secret), x can be computed easily.

Example 10.1
When n is large, n = p × q is a one-way function. Given p and q, it is always easy to calculate n; given n, it is very difficult to compute p and q. This is the factorization problem.

Example 10.2
When n is large, the function y = x^k mod n is a trapdoor one-way function. Given x, k, and n, it is easy to calculate y. Given y, k, and n, it is very difficult to calculate x. This is the discrete logarithm problem.
Requirements for public key cryptography
1. Pair of keys (public key KUb, private key KRb)
2. Easy to encrypt the message: C = E_KUb(M)
3. Easy to decrypt the ciphertext: M = D_KRb(C) = D_KRb[E_KUb(M)]
4. Knowing KUb, it is infeasible to determine KRb
5. Knowing C & KUb, it is infeasible to determine M
6. Either of the 2 keys can be used for encryption: M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]

Public Key Cryptanalysis
Brute-force attack: the invertible mathematical functions are complex; the key size is chosen large enough to make brute force impractical, yet small enough for ease of encryption/decryption.
Computing the private key from the public key: it is not mathematically proven that this is infeasible for PKC.

Probable-message attack:
RSA ALGORITHM

Block cipher: plaintext and ciphertext are integers between 0 and n−1 for some n (typical size 1024 bits, about 309 decimal digits).

RSA Algorithm
Security of RSA

DIFFIE-HELLMAN KEY EXCHANGE
- Discrete Logarithms
4-1 ALGEBRAIC STRUCTURES

Cryptography requires sets of integers and specific operations that are defined for those sets. The combination of the set and the operations that are applied to the elements of the set is called an algebraic structure.
9.6.2 Continued

Order of the Group: the number of elements in the group. In G = <Zn*, ×> it is proved that the order of the group is φ(n).

What is the order of the group G = <Z21*, ×>? |G| = φ(21) = φ(3) × φ(7) = 2 × 6 = 12. There are 12 elements in this group: 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, and 20. All are relatively prime with 21.

Order of an Element: in G = <Zn*, ×>, the order of an element a is the smallest integer i such that a^i ≡ e (mod n), where e is the identity element, i.e. 1.

Lagrange's Theorem: the order of an element divides the order of the group.
Diffie-Hellman Key Exchange
Example
q = 11, α = 3
XA = 5
YA = 3^5 mod 11 = 1
XB = 3
YB = 3^3 mod 11 = 27 mod 11 = 5
K1 = 5^5 mod 11 = 1
K2 = 1^3 mod 11 = 1
A & B can share 1 without transmitting it

q = 23, α = 5
XA = 6, XB = 15
K = ?

Man-in-the-Middle attack
Also called the middle-man attack or bucket-brigade attack. All three parties use q = 11, α = 7.

Alice: XA = 3
  YA = 7^3 mod 11 = 2 (sent towards Bob, intercepted by Carol)
  receives YB = 4 (from Carol)
  K1 = 4^3 mod 11 = 9

Carol: MXA = 8, MXB = 6
  YA' = 7^8 mod 11 = 9 (forwarded to Bob in place of Alice's YA)
  YB' = 7^6 mod 11 = 4 (forwarded to Alice in place of Bob's YB)
  receives YA = 2 and YB = 8
  K1 = 8^8 mod 11 = 5 (shared with Bob)
  K2 = 2^6 mod 11 = 9 (shared with Alice)

Bob: XB = 9
  YB = 7^9 mod 11 = 8 (sent towards Alice, intercepted by Carol)
  receives YA = 9 (from Carol)
  K2 = 9^9 mod 11 = 5
10-4 ELGAMAL CRYPTOSYSTEM

10.4.2 Procedure

Figure 10.11 Key generation, encryption, and decryption in ElGamal

Key Generation

Example 10.10

Bob chooses p = 11 and e1 = 2, and d = 3; e2 = e1^d mod p = 8. So the public key is (2, 8, 11) and the private key is 3. Alice chooses r = 4 and calculates C1 and C2 for the plaintext 7.

Bob receives the ciphertexts (5 and 6) and calculates the plaintext.
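Added example (my code, not the slides'): the Diffie-Hellman numbers above, an order-of-element check from the Lagrange passage that explains why the first slide example ends with the useless shared key K = 1 (α = 3 has order 5 in Z11*, so it is not a generator and 3^5 ≡ 1), and ElGamal Example 10.10. Parameters this small are for tracing only; function names are mine.

```python
def element_order(a, p):
    """Order of a in Z_p*: the smallest i >= 1 with a^i = 1 (mod p).
    By Lagrange's theorem it always divides |Z_p*| = p - 1."""
    x, i = a % p, 1
    while x != 1:
        x = (x * a) % p
        i += 1
    return i


def is_generator(alpha, p):
    """alpha is a primitive root of p exactly when its order is the full p - 1.
    A non-generator confines the exchange to a small subgroup of keys."""
    return element_order(alpha, p) == p - 1


def dh_exchange(q, alpha, xa, xb):
    """Diffie-Hellman over Z_q*; returns (YA, YB, K1, K2)."""
    ya, yb = pow(alpha, xa, q), pow(alpha, xb, q)
    k1, k2 = pow(yb, xa, q), pow(ya, xb, q)  # both equal alpha^(xa*xb) mod q
    return ya, yb, k1, k2


def elgamal_keygen(p, e1, d):
    """Public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    return (e1, pow(e1, d, p), p), d


def elgamal_encrypt(public, plaintext, r):
    """C1 = e1^r mod p, C2 = (P * e2^r) mod p; r must be fresh for every message."""
    e1, e2, p = public
    return pow(e1, r, p), (plaintext * pow(e2, r, p)) % p


def elgamal_decrypt(public, d, c1, c2):
    """P = C2 * (C1^d)^-1 mod p; the inverse comes from Fermat: x^(p-2) mod p."""
    p = public[2]
    return (c2 * pow(pow(c1, d, p), p - 2, p)) % p


def check_slide_examples():
    """Reproduce the worked numbers from the slides above."""
    first = dh_exchange(11, 3, 5, 3)        # slide: K1 = K2 = 1
    second = dh_exchange(23, 5, 6, 15)      # slide leaves K = ? open
    pub, d = elgamal_keygen(11, 2, 3)
    c1, c2 = elgamal_encrypt(pub, 7, 4)
    return {
        "dh_11_3": first,
        "alpha3_order_mod_11": element_order(3, 11),  # 5, not 10
        "alpha3_is_generator": is_generator(3, 11),   # False: explains K = 1
        "alpha7_is_generator": is_generator(7, 11),   # True
        "alpha5_is_generator_mod_23": is_generator(5, 23),
        "dh_23_5": second,
        "elgamal_public": pub,
        "elgamal_ciphertext": (c1, c2),
        "elgamal_plaintext": elgamal_decrypt(pub, d, c1, c2),
    }


if __name__ == "__main__":
    for name, value in check_slide_examples().items():
        print(name, value)
```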
9-4 CHINESE REMAINDER THEOREM

The Chinese remainder theorem (CRT) is used to solve a set of congruent equations with one variable but different moduli, which are relatively prime, as shown below:

Example 9.35
The following is an example of a set of equations with different moduli:

The solution to this set of equations is given in the next section; for the moment, note that the answer to this set of equations is x = 23. This value satisfies all equations: 23 ≡ 2 (mod 3), 23 ≡ 3 (mod 5), and 23 ≡ 2 (mod 7).

Solution to the Chinese Remainder Theorem

1. Find M = m1 × m2 × … × mk. This is the common modulus.
2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk.
3. Find the multiplicative inverse of M1, M2, …, Mk using the corresponding moduli (m1, m2, …, mk). Call the inverses M1^−1, M2^−1, …, Mk^−1.
4. The solution to the simultaneous equations is

Example 9.36
Find the solution to the simultaneous equations:

Solution
We follow the four steps.
1. M = 3 × 5 × 7 = 105
2. M1 = 105 / 3 = 35, M2 = 105 / 5 = 21, M3 = 105 / 7 = 15
3. The inverses are M1^−1 = 2, M2^−1 = 1, M3^−1 = 1
4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23 mod 105
Quadratic Residues and Nonresidues
In the equation x^2 ≡ a (mod p), a is called a quadratic residue (QR) if the equation has two solutions; a is called a quadratic nonresidue (QNR) if the equation has no solutions.

Example 9.41
There are 10 elements in Z11*. Exactly five of them are quadratic residues and five of them are nonresidues. In other words, Z11* is divided into two separate sets, QR and QNR, as shown in Figure 9.4.

Figure 9.4 Division of Z11* elements into QRs and QNRs

Euler’s Criterion
a. If a^((p−1)/2) ≡ 1 (mod p), a is a quadratic residue modulo p.
b. If a^((p−1)/2) ≡ −1 (mod p), a is a quadratic nonresidue modulo p.

Example 9.42
To find out if 14 or 16 is a QR in Z23*, we calculate:

14^((23−1)/2) mod 23 = 14^11 mod 23 = 22 ≡ −1 (mod 23) → nonresidue
16^((23−1)/2) mod 23 = 16^11 mod 23 = 1 (mod 23) → residue

Solving Quadratic Equations Modulo a Prime

Special Case: p = 4k + 3
10-3 RABIN CRYPTOSYSTEM

The Rabin cryptosystem can be thought of as an RSA cryptosystem in which the values of e and d are fixed. The encryption is C ≡ P^2 (mod n) and the decryption is P ≡ C^(1/2) (mod n).

Figure 10.10 Rabin cryptosystem

10.3.1 Procedure

Key Generation

Encryption

Decryption

Note
The Rabin cryptosystem is not deterministic: decryption creates four plaintexts.

Example 10.9

Here is a very trivial example to show the idea.

1. Bob selects p = 23 and q = 7. Note that both are congruent to 3 mod 4.
2. Bob calculates n = p × q = 161.
3. Bob announces n publicly; he keeps p and q private.
4. Alice wants to send the plaintext P = 24. Note that 161 and 24 are relatively prime; 24 is in Z161*. She calculates C = 24^2 mod 161 = 93, and sends the ciphertext 93 to Bob.
5. Bob receives 93 and calculates four values:
   a1 = +(93^((23+1)/4)) mod 23 = 1 mod 23
   a2 = −(93^((23+1)/4)) mod 23 = 22 mod 23
   b1 = +(93^((7+1)/4)) mod 7 = 4 mod 7
   b2 = −(93^((7+1)/4)) mod 7 = 3 mod 7
6. Bob takes the four possible answers, (a1, b1), (a1, b2), (a2, b1), and (a2, b2), and uses the Chinese remainder theorem to find four possible plaintexts: 116, 24, 137, and 45. Note that only the second answer is Alice’s plaintext.
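Added example, not from the slides: the four CRT steps, Euler's criterion, and Rabin decryption as in Example 10.9, which combines the two square roots modulo p and q with the CRT into the four candidate plaintexts. Function names are mine; `pow(x, -1, m)` for the step-3 inverses needs Python 3.8 or later.

```python
def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime m_i, following the four steps."""
    M = 1
    for m in moduli:
        M *= m                             # step 1: common modulus
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m                        # step 2: M_i = M / m_i
        Mi_inv = pow(Mi, -1, m)            # step 3: M_i^-1 modulo m_i
        x += a * Mi * Mi_inv               # step 4: sum of a_i * M_i * M_i^-1
    return x % M


def is_quadratic_residue(a, p):
    """Euler's criterion for an odd prime p: a^((p-1)/2) is 1 for a QR, -1 for a QNR."""
    return pow(a, (p - 1) // 2, p) == 1


def quadratic_residues(p):
    """All QRs in Z_p* (Example 9.41: five of the ten elements for p = 11)."""
    return sorted(a for a in range(1, p) if is_quadratic_residue(a, p))


def rabin_encrypt(plaintext, n):
    """C = P^2 mod n."""
    return pow(plaintext, 2, n)


def rabin_decrypt(c, p, q):
    """Rabin decryption for p, q = 3 (mod 4): the square roots of C modulo p and
    modulo q are +/- C^((p+1)/4) and +/- C^((q+1)/4); the CRT glues each of the
    four (a, b) pairs into a candidate plaintext. The receiver still has to pick
    the right one, which is why real use adds redundancy to the plaintext."""
    assert p % 4 == 3 and q % 4 == 3, "the special case p = 4k + 3 is assumed"
    a1 = pow(c, (p + 1) // 4, p)
    a2 = (-a1) % p
    b1 = pow(c, (q + 1) // 4, q)
    b2 = (-b1) % q
    return [crt([a, b], [p, q]) for a in (a1, a2) for b in (b1, b2)]


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))             # Example 9.36
    print(rabin_decrypt(rabin_encrypt(24, 161), 23, 7))  # Example 10.9
```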
Message Integrity and Message Authentication

11-1 MESSAGE INTEGRITY

The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity.

11.1.1 Document and Fingerprint

One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document.

11.1.2 Message and Message Digest

The electronic equivalent of the document and fingerprint pair is the message and digest pair.

Figure 11.1 Message and digest

11.1.3 Difference

The two pairs (document / fingerprint) and (message / message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked separately, and, most importantly, the message digest needs to be safe from change.

Note
The message digest needs to be safe from change.

11.1.4 Checking Integrity

Figure 11.2 Checking integrity

11.1.5 Cryptographic Hash Function Criteria

A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance.

Figure 11.3 Criteria of a cryptographic hash function

Preimage Resistance
Figure 11.4 Preimage

Second Preimage Resistance
Figure 11.5 Second preimage

Collision Resistance
Figure 11.6 Collision
11-2 RANDOM ORACLE MODEL
The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function. A function based on this model behaves as follows:
1. When a message of any length is given, the oracle creates and gives a fixed-length message digest that is a random string of 0s and 1s, recording the message and its digest.
2. When a message is given for which a digest already exists, the oracle simply gives the digest in its record.
3. The digest for a new message needs to be chosen independently from all previous messages.
11-3 MESSAGE AUTHENTICATION

A message digest does not authenticate the sender of the message.

The digest created by a cryptographic hash function is normally called a modification detection code (MDC).

Message authentication is provided by a message authentication code (MAC).

11.3.1 Modification Detection Code (MDC)

A modification detection code (MDC) is a message digest that can prove the integrity of the message:

Figure 11.9 Modification detection code (MDC)

11.3.2 Message Authentication Code (MAC)

Figure 11.10 Message authentication code

Note
The security of a MAC depends on the security of the underlying hash algorithm.

Nested MAC
Figure 11.11 Nested MAC

HMAC
Figure 11.12 Details of HMAC
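Added example (my code, not the slides' Figure 11.12): HMAC built by hand as the nested MAC sketched above, an inner hash over the keyed message and an outer hash over the inner digest, cross-checked against Python's hmac module, with a constant-time verifier. The key and message values are constructed.

```python
import hashlib
import hmac


def hmac_digest(key, message, hash_fn=hashlib.sha512):
    """HMAC as a nested MAC:  H((K+ XOR opad) || H((K+ XOR ipad) || M))."""
    block_size = hash_fn().block_size          # 128 bytes for SHA-512, 64 for SHA-256
    if len(key) > block_size:
        key = hash_fn(key).digest()             # over-long keys are hashed down first
    key_plus = key.ljust(block_size, b"\x00")   # K+: key zero-padded to the block size
    ipad = bytes(k ^ 0x36 for k in key_plus)
    opad = bytes(k ^ 0x5C for k in key_plus)
    inner = hash_fn(ipad + message).digest()    # inner MAC of the message
    return hash_fn(opad + inner).digest()       # outer MAC of the inner digest


def verify(key, message, tag, hash_fn=hashlib.sha512):
    """Recompute and compare in constant time. Unlike an MDC, the tag cannot be
    recomputed by anyone who does not hold the key."""
    return hmac.compare_digest(hmac_digest(key, message, hash_fn), tag)


def matches_stdlib(key, message):
    """Cross-check the hand-built construction against the standard library."""
    return hmac_digest(key, message) == hmac.new(key, message, hashlib.sha512).digest()


if __name__ == "__main__":
    tag = hmac_digest(b"constructed-key", b"constructed message")
    print(tag.hex(), verify(b"constructed-key", b"constructed message", tag))
```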
12: Cryptographic Hash Functions

12-1 INTRODUCTION

A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length.

Ex: SHA-512, Whirlpool etc.

Iterated hash functions
- compression functions with fixed-size input

12.1.1 Iterated Hash Function

Merkle-Damgard Scheme

Figure 12.1 Merkle-Damgard scheme

12.1.2 Two Groups of Compression Functions

1. The compression function is made from scratch.
   Message Digest (MD)
   SHA

2. A symmetric-key block cipher serves as a compression function.
   Whirlpool

HASH FUNCTIONS BASED ON BLOCK CIPHERS

Rabin Scheme

Figure 12.2 Rabin scheme

• Based on the Merkle-Damgard scheme
• Only encryption is used
• Size of the digest is the size of the data block
• Demerit: meet-in-the-middle attack (the adversary can use the decryption algorithm)

Davies-Meyer Scheme

Matyas-Meyer-Oseas Scheme

Figure 12.4 Matyas-Meyer-Oseas scheme

Used if the data block and the cipher key are the same size (AES).

Miyaguchi-Preneel Scheme (used in Whirlpool)

Figure 12.5 Miyaguchi-Preneel scheme

Extended version of the previous one. To make the algorithm stronger against attack, the plaintext, ciphertext and key are all XORed.
12-3 WHIRLPOOL

Whirlpool is an iterated cryptographic hash function. It is based on the Miyaguchi-Preneel scheme. It uses a symmetric-key block cipher in place of the compression function. The block cipher is a modified AES cipher that has been tailored for this purpose.

Whirlpool message preparation

After padding and adding the length field, the message is a multiple of 512 bits.

H0 is initialized to all 0s and serves as the key for the first block.

The ciphertext output of each block, after XORing with the previous key and the plaintext block, is the key for the next block.

Figure 12.12 Whirlpool hash function

12.3.1 Whirlpool Cipher
Figure 12.13 General idea of the Whirlpool cipher
Figure 12.14 Block and state in the Whirlpool cipher

Structure of Each Round

Each round uses four transformations.

Figure 12.15 Structure of each round in the Whirlpool cipher

SubBytes: like in AES, SubBytes provides a nonlinear transformation.
Figure 12.16 SubBytes transformation in the Whirlpool cipher

ShiftColumns
Figure 12.18 ShiftColumns transformation in the Whirlpool cipher

Figure 12.19 MixRows transformation in the Whirlpool cipher

Figure 12.20 AddRoundKey transformation in the Whirlpool cipher

Figure 12.21 Key expansion in the Whirlpool cipher

12.3.2 Summary
12-2 SHA-512

SHA-512 is the version of SHA with a 512-bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme.

12.2.1 Introduction

Figure 12.6 Message digest creation in SHA-512

Message Preparation
SHA-512 insists that the length of the original message be less than 2^128 bits.

Note
SHA-512 creates a 512-bit message digest out of a message of less than 2^128 bits.

Figure 12.7 Padding and length field in SHA-512

Example 12.3
What is the number of padding bits if the length of the original message is 2590 bits?

Solution
We can calculate the number of padding bits as follows:

The padding consists of one 1 followed by 353 0’s.

Example 12.4
Do we need padding if the length of the original message is already a multiple of 1024 bits?

Solution
Yes we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits.

Example 12.5
What is the minimum and maximum number of padding bits that can be added to a message?

Solution
a. The minimum length of padding is 0 and it happens when (−|M| − 128) mod 1024 is 0. This means that |M| = −128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits. We add a 128-bit length field to make the block complete.

b. The maximum length of padding is 1023 and it happens when (−|M| − 128) = 1023 mod 1024. This means that the length of the original message is |M| = (−128 − 1023) mod 1024, or the length is |M| = 897 mod 1024. In this case, we cannot just add the length field because the last block plus the length field would exceed 1024 bits by one bit. So we need to add 897 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete.

Words

Figure 12.8 A message block and the digest as words

Word Expansion

Figure 12.9 Word expansion in SHA-512

The 1024-bit block becomes the first 16 words; the remaining words are made from already-made words.
Example 12.6
Show how W60 is made.
Solution
Each word in the range W16 to W79 is made from four previously-made words. W60 is made as

Message Digest Initialization

12.2.2 Compression Function
Figure 12.10 Compression function in SHA-512
Figure 12.11 Structure of each round in SHA-512

Majority Function

Conditional Function

Rotate Functions

There are 80 constants, K0 to K79, each of 64 bits. Similar
These values are calculated from the first 80 prime numbers (2, 3, …, 409). For example, the 80th prime is 409, with the cube root 409^(1/3) = 7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get

The fraction part: (6C44198C4A475817)_16

Example 12.7
We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.
The result is 1110, or 0xE in hexadecimal.

Example 12.8
We apply the Conditional function on the E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.

12.2.3 Analysis

With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks.
Chapter 13
Digital Signature

13.1
13.1.1 Inclusion

A conventional signature is included in the document; it


is part of the document. But when we sign a document
digitally, we send the signature as a separate document.

13.2
13.1.2 Verification Method

13.3
13.1.3 Relationship

For a conventional signature, a one-to-many


relationship between a signature and documents. For a
digital signature, there is a one-to-one relationship
between a signature and a message.

13.4
13.1.4 Duplicity

In conventional signature, a copy of the signed document


can be distinguished from the original one on file. In
digital signature, there is no such distinction unless there
is a factor of time on the document.

13.5
PROCESS

Figure 13.1 Digital signature process

13.6
13.2.1 Need for Keys

Figure 13.2 Adding key to the digital signature process

Note
A digital signature needs a public-key system.
The signer signs with her private key; the verifier
verifies with the signer’s public key.
13.7
13.2.1 Continued

Note
A cryptosystem uses the private and public keys of
the receiver: a digital signature uses
the private and public keys of the sender.

13.8
13.2.2 Signing the Digest

Figure 13.3 Signing the digest

13.9
Can a secret key sign and verify signature?

1. Multiple secret keys to sign document


2. Creation of secret key for session needs
authentication, depends on signature.
3. A could use secret key between himself and B, sign
a document, send to C and pretend that it came
from A.

13.10
13-3 SERVICES

13.3.1 Message Authentication


13.3.2 Message Integrity
13.3.3 Nonrepudiation
13.3.4 Confidentiality

13.11
13.3.1 Message Authentication

A secure digital signature scheme, like a secure conventional signature, can provide message authentication.

Note
A digital signature provides message authentication.

13.12
13.3.2 Message Integrity

The integrity of the message is preserved even if we sign the whole message, because we cannot get the same signature if the message is changed.

Note

A digital signature provides message integrity.

13.13
13.3.3 Nonrepudiation

Figure 13.4 Using a trusted center for nonrepudiation

Note

Nonrepudiation can be provided using a trusted party.
13.14
13.3.4 Confidentiality

Figure 13.5 Adding confidentiality to a digital signature scheme

Note

A digital signature does not provide privacy.
If there is a need for privacy, another layer of encryption/decryption must be applied.
13.15
13.4.1 Attack Types

Key-Only Attack

The attacker is only given the public verification key. This is similar to a ciphertext-only attack.

Known-Message Attack
The attacker has one or more message-signature pairs for a variety of messages known by the attacker but not chosen by the attacker. This is similar to a known-plaintext attack.

Chosen-Message Attack
The attacker first learns signatures on arbitrary messages of the attacker's choice.

13.16
Forgery: Result of a successful attack

Existential Forgery

Eve may be able to create a valid message-signature pair, but not one that can be used. Here the document is forged, but its content is random, and the message is probably syntactically or semantically unintelligible.

Selective Forgery

Eve may be able to forge Alice's signature on a message with content selectively chosen by Eve. Although this is beneficial to Eve and detrimental to Alice, the probability is low but not negligible.

13.17
13-5 DIGITAL SIGNATURE SCHEMES

RSA Digital Signature Scheme
ElGamal Digital Signature Scheme
Schnorr Digital Signature Scheme
Digital Signature Standard (DSS)

13.18
13.5.1 Continued
Key Generation
Key generation in the RSA digital signature scheme is
exactly the same as key generation in the RSA

Note
In the RSA digital signature scheme, d is private;
e and n are public.

13.19
13.5.1 Continued

Signing and Verifying

Figure 13.7 RSA digital signature scheme

13.20
Attacks on RSA signature: Safe against
identified attacks

13.21
13.22
13.23
13.5.1 Continued

RSA Signature on the Message Digest


Figure 13.8 The RSA signature on the message digest

13.24
13.5.1 Continued

Note
When the digest is signed instead of the message
itself, the susceptibility of the RSA digital signature
scheme depends on the strength of the hash
algorithm.
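The Note above in working form, as an added example (not code from the slides or the textbook): textbook RSA signing of a SHA-256 digest, with key generation done exactly as for the RSA cryptosystem. The primes, exponent and message are constructed values; a real deployment uses a 2048-bit-or-larger modulus and a padded scheme such as RSASSA-PSS, which this block does not show.

```python
"""Textbook RSA signature on a message digest (added example, not from the slides).

Assumptions: p, q, e below are small constructed values (n is about 10^12,
still far too small for real use) and the digest is reduced modulo n so that it
fits the signing operation.
"""
import hashlib


def rsa_keygen(p: int, q: int, e: int):
    """Key generation is identical to the RSA cryptosystem: n = p*q, d = e^-1 mod phi(n).
    d is private; e and n are public (the Note on the slide)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (e, n), d


def digest_as_int(message: bytes, n: int) -> int:
    """Hash the message and map the digest into Z_n; this is the value that gets signed."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def rsa_sign(message: bytes, d: int, n: int) -> int:
    """Signer: S = H(M)^d mod n, using the private exponent d."""
    return pow(digest_as_int(message, n), d, n)


def rsa_verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Verifier: recompute H(M) and compare it with S^e mod n, using the public (e, n).
    Any change to the message changes H(M), so the comparison fails; the scheme is
    therefore only as strong as the hash function's collision resistance."""
    return pow(signature, e, n) == digest_as_int(message, n)


# Constructed demo key: 1000003 and 999983 are primes, 65537 is coprime to phi(n).
PUB, PRIV = rsa_keygen(p=1000003, q=999983, e=65537)


def demo() -> dict:
    """Sign one message and show that a modified message does not verify."""
    e, n = PUB
    msg = b"transfer 100 to account 42"          # constructed message
    sig = rsa_sign(msg, PRIV, n)
    return {
        "genuine_verifies": rsa_verify(msg, sig, e, n),
        "tampered_verifies": rsa_verify(b"transfer 900 to account 42", sig, e, n),
    }


if __name__ == "__main__":
    print(demo())
```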

13.25
13.26
13.27
13.5.2 ElGamal Digital Signature Scheme

Figure 13.9 General idea behind the ElGamal digital signature scheme

13.28
13.5.2 Continued

Key Generation
The key generation procedure here is exactly the same as
the one used in the cryptosystem.

13.29
13.5.2 Continued

Verifying and Signing

Figure 13.10 ElGamal digital signature scheme

13.30
13.31
13.32
13.33
13.34
13.5.3 Schnorr Digital Signature Scheme

Figure 13.11 General idea behind the Schnorr digital signature scheme

13.35
13.5.4 Digital Signature Standard (DSS)

Figure 13.13 General idea behind DSS scheme

13.36
13.5.4 Continued

DSS Versus RSA

Computation of DSS signatures is faster than computation of RSA signatures when using the same p.

DSS Versus ElGamal

DSS signatures are smaller than ElGamal signatures because q is smaller than p.
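Textbook DSS signing and verification, added here as an example (not code from the slides): the signature is the pair (S1, S2), both reduced modulo the small prime q, which is why it is shorter than an ElGamal signature over p. The parameters p = 8081 and q = 101 are constructed teaching values; real DSS uses a 2048-bit-or-larger p with a 224- or 256-bit q and takes the leftmost |q| bits of the hash instead of reducing it mod q.

```python
"""Textbook DSS (DSA) signing and verification (added example, not from the slides).

Assumptions: p = 8081 and q = 101 are constructed primes with q | (p - 1);
e0 is an element of order q; the message hash is SHA-256 reduced mod q.
With such a tiny q a random pair would verify by chance with probability
about 1/q, which is exactly why real deployments use q of 224 bits or more.
"""
import hashlib
import secrets

P = 8081                    # prime p (teaching value)
Q = 101                     # prime q, q | (p - 1) = 8080 = 80 * 101
E0 = pow(2, (P - 1) // Q, P)   # e0 = h^((p-1)/q) mod p; has order q when != 1
assert E0 != 1


def dss_keygen():
    """Private key d in [1, q-1]; public key e1 = e0^d mod p."""
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(E0, d, P)


def hash_mod_q(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def dss_sign(message: bytes, d: int) -> tuple:
    """S1 = (e0^r mod p) mod q,  S2 = r^-1 (h(M) + d*S1) mod q, with a fresh secret r."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        s1 = pow(E0, r, P) % Q
        s2 = (pow(r, -1, Q) * (hash_mod_q(message) + d * s1)) % Q
        if s1 != 0 and s2 != 0:   # the standard restarts with a new r if either is zero
            return s1, s2


def dss_verify(message: bytes, sig: tuple, e1: int) -> bool:
    """V = ((e0^(h*w) * e1^(S1*w)) mod p) mod q with w = S2^-1 mod q; accept iff V == S1."""
    s1, s2 = sig
    if not (0 < s1 < Q and 0 < s2 < Q):
        return False              # out-of-range components are rejected before any arithmetic
    w = pow(s2, -1, Q)
    u1 = (hash_mod_q(message) * w) % Q
    u2 = (s1 * w) % Q
    v = ((pow(E0, u1, P) * pow(e1, u2, P)) % P) % Q
    return v == s1


def demo() -> dict:
    d, e1 = dss_keygen()
    msg = b"quarterly report v3"    # constructed message
    sig = dss_sign(msg, d)
    return {
        "verifies": dss_verify(msg, sig, e1),
        "signature_bits": 2 * Q.bit_length(),   # two elements mod q; ElGamal would need 2 * |p|
        "elgamal_bits": 2 * P.bit_length(),
    }


if __name__ == "__main__":
    print(demo())
```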

13.37
13.5.5 Elliptic Curve Digital Signature Scheme

Figure 13.15 General idea behind the ECDSS scheme

13.38
13-6 VARIATIONS AND APPLICATIONS

This section briefly discusses variations and applications for digital signatures.

Topics discussed in this section:

13.6.1 Variations
13.6.2 Applications

13.39
13.6.1 Variations

Time-Stamped Signatures

Sometimes a signed document needs to be time-stamped to prevent it from being replayed by an adversary. This is called a time-stamped digital signature scheme.

Blind Signatures
Sometimes we have a document that we want to get signed without revealing the contents of the document to the signer.

13.40
13.41
13.42
13.43
KEY MANAGEMENT

31.1
31-7 KEY MANAGEMENT

How are secret keys in symmetric-key cryptography and public keys in asymmetric-key cryptography distributed and maintained?

Topics discussed in this section:

Symmetric-Key Distribution
Public-Key Distribution

Figure 31.19 KDC

Figure 31.21 Kerberos servers

Figure 31.22 Kerberos example

X.509 Certificates
31.24
Certificate Revocation

• Certificates have a period of validity
• A certificate may need to be revoked before expiry, e.g.:
1. the user's private key is compromised
2. the user is no longer certified by this CA
3. the CA's certificate is compromised
• CAs maintain a list of revoked but not yet expired certificates: the Certificate Revocation List (CRL)
• Users should check certificates against the CA's CRL
Notations
X.509 Version 3

X.509 v2 drawbacks:
• 1. The Subject field is inadequate to convey the identity of a key owner to a public-key user; many applications recognize entities by an e-mail address, a URL, etc.
• 2. There is a need to indicate security policy information. This enables a security application or function, such as IPSec, to relate an X.509 certificate to a given policy.
• 3. There is a need to limit the damage that can result from a faulty or malicious CA by setting constraints on the applicability of a particular certificate.
• 4. It is important to be able to identify different keys used by the same owner at different times. This feature supports key life-cycle management, in particular the ability to update key pairs for users and CAs on a regular basis or under exceptional conditions.
Extensions

• Three categories:
1. Key and policy information
2. Certificate subject and issuer attributes
3. Certification path constraints
1. Key and Policy Information

• 1. Authority key identifier: identifies the public key to be used to verify the signature on this certificate or CRL; it allows distinct keys of the same CA to be differentiated.
• 2. Subject key identifier: useful for subject key-pair updating; a subject may have multiple key pairs for different purposes.
• 3. Key usage: restrictions imposed on the use of the key.
• 4. Private key usage period: the period of use of the private key corresponding to the public key.
• 5. Certificate policies: used in environments where multiple policies apply.
2. Certificate Subject and Issuer Attributes

• Purpose: to increase the confidence of the user about the subject
1. Subject alternative name
2. Issuer alternative name
3. Subject directory attributes
3. Certification Path Constraints

• 1. Basic constraints
• 2. Name constraints
• 3. Policy constraints
PKI
Security at the
Transport Layer:
SSL and TLS

17.1
17 Continued

Figure 17.1 Location of SSL and TLS in the Internet model

17.2
17-1 SSL ARCHITECTURE

SSL is designed to provide security and compression services to data generated from the application layer.

Topics discussed in this section:

17.1.1 Services
17.1.2 Key Exchange Algorithms
17.1.3 Encryption/Decryption Algorithms
17.1.4 Hash Algorithms
17.1.5 Cipher Suite
17.1.6 Compression Algorithms
17.1.7 Cryptography Parameter Generation
17.1.8 Sessions and Connections
17.3
17.1.1 Services

Fragmentation: blocks of at most 2^14 bytes

Compression: a lossless compression method negotiated between client and server (optional)

Message Integrity: uses keyed hash functions

Confidentiality: symmetric encryption of the original data and the MAC

Framing: a header is added to the encrypted payload, which is then passed to the transport protocol

17.4
17.1.2 Continued

The client and server need 6 cryptographic secrets (4 keys and 2 IVs).
To create these, one pre-master secret is established between the parties.

17.5
17.1.2 Key Exchange Algorithms

Figure 17.2 Key-exchange methods

17.6
17.1.2 Continued
Null

There is no key exchange in this method. No pre-master secret is established between the client and the server.

Note

Both client and server need to know the value of the pre-master secret.

17.7
17.1.2 Continued
RSA

Figure 17.3 RSA key exchange; server public key

17.8
17.1.2 Continued
Anonymous Diffie-Hellman

Figure 17.4 Anonymous Diffie-Hellman key exchange

17.9
17.1.2 Continued
Ephemeral Diffie-Hellman key exchange

Figure 17.5 Ephemeral Diffie-Hellman key exchange

17.10
Solution to the MIM (man-in-the-middle) problem: a signature is used; certificates are exchanged using RSA/DSS.

17.11
17.1.2 Continued

Fixed Diffie-Hellman
Another solution is the fixed Diffie-Hellman method.
All entities in a group can prepare fixed Diffie-
Hellman parameters (g and p).

Fortezza
Fortezza is a registered trademark of the U.S. National
Security Agency (NSA). It is a family of security
protocols developed for the Defense Department.

17.12
17.1.3 Encryption/Decryption Algorithms

Figure 17.6 Encryption/decryption algorithms

17.13
17.1.3 Continued

NULL
The NULL category simply defines the lack of an
encryption/decryption algorithm.
Stream RC
Two RC algorithms are defined in stream mode.

Block RC
One RC algorithm is defined in block mode.

DES
All DES algorithms are defined in block mode.

17.14
17.1.3 Continued

IDEA
The IDEA algorithm defined in block mode is
IDEA_CBC, with a 128-bit key.

Fortezza

The one Fortezza algorithm defined in block mode is FORTEZZA_CBC.

17.15
17.1.4 Hash Algorithm

Figure 17.7 Hash algorithms for message integrity

17.16
17.1.4 Continued

NULL
The two parties may decline to use an algorithm. In this case, there is no hash function and the message is not authenticated.

MD5
The two parties may choose MD5 as the hash algorithm. In this case, a 128-bit MD5 hash algorithm is used.

SHA-1
The two parties may choose SHA as the hash algorithm. In this case, a 160-bit SHA-1 hash algorithm is used.
17.17
17.1.5 Cipher Suite

The combination of key exchange, hash, and encryption algorithms defines a cipher suite for each SSL session.

17.18
17.1.5 Continued
Table 17.1 SSL cipher suite list

17.19
17.1.6 Compression Algorithms

Compression is optional in SSLv3. No specific compression algorithm is defined for SSLv3. Therefore, the default compression method is NULL.

17.2.1 Handshake Protocol

Figure 17.13 Handshake Protocol

17.28
17.2.1 Continued

Figure 17.14 Phase I of Handshake Protocol

17.29
17.2.1 Continued

Note

After Phase I, the client and server know the following:
❏ The version of SSL
❏ The algorithms for key exchange, message authentication, and encryption
❏ The compression method
❏ The two random numbers for key generation
17.30
17.2.1 Continued

Figure 17.15 Phase II of Handshake Protocol

17.31
17.2.1 Continued

Note

After Phase II,
❏ The server is authenticated to the client.
❏ The client knows the public key of the server if required.

17.32
17.2.1 Continued

Figure 17.17 Phase III of Handshake Protocol

17.33
17.2.1 Continued

Note

After Phase III,
❏ The client is authenticated for the server.
❏ Both the client and the server know the pre-master secret.

17.34
17.2.1 Continued
Figure 17.19 Phase IV of Handshake Protocol

17.35
17.2.1 Continued

Note

After Phase IV, the client and server are ready to exchange data.

17-4 Transport Layer Security (TLS)

The Transport Layer Security (TLS) protocol is the IETF standard version of the SSL protocol. The two are very similar, with slight differences.

Topics discussed in this section:

17.4.1 Version
17.4.2 Cipher Suite
17.4.3 Generation of Cryptographic Secrets
17.4.4 Alert Protocol
17.4.5 Handshake Protocol
17.4.6 Record Protocol
17.40
17.4.1 Version

The first difference is the version number (major and minor). The current version of SSL is 3.0; the current version of TLS is 1.0. In other words, SSLv3.0 is compatible with TLSv1.0.

17.41
17.4.2 Continued

Table 17.6 Cipher Suite for TLS

17.42
17.4.3 Generation of Cryptographic Secrets
Figure 17.40 Data-expansion function

17.43
17.4.3 Continued
Figure 17.41 PRF

17.44
17.4.3 Continued
Figure 17.42 Master secret generation

17.45
17.4.3 Continued
Figure 17.43 Key material generation

17.46
17.4.4 Alert Protocol

TLS supports all of the alerts defined in SSL except for NoCertificate. TLS also adds some new ones to the list. Table 17.7 shows the full list of alerts supported by TLS.

17.47
17.4.4 Continued
Table 17.7 Alerts defined for TLS

17.48
17.4.5 Handshake Protocol

Figure 17.44 Hash for CertificateVerify message in TLS

17.49
17.4.5 Continued
Figure 17.45 Hash for Finished message in TLS

17.50
17.4.6 Record Protocol
Figure 17.46 HMAC for TLS

17.51
FIREWALLS
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
• only authorized traffic is allowed
• auditing and controlling access
• can implement alarms for abnormal behavior
• provide NAT & usage monitoring
• implement VPNs using IPSec
• must be immune to penetration
FIREWALL CHARACTERISTICS
CAPABILITIES
Firewall Limitations
• cannot protect from attacks bypassing it
• cannot protect against internal threats
• eg disgruntled or colluding employees
• cannot protect against access via WLAN
• if improperly secured against external use
• cannot protect against malware imported via laptop, PDA, storage
infected outside
Firewalls – Packet Filters

• simplest, fastest firewall component
• foundation of any firewall system
• examine each IP packet (no context) and permit or deny according to rules
• hence restrict access to services (ports)
• possible default policies:
• DEFAULT = discard: that which is not expressly permitted is prohibited
• DEFAULT = forward: that which is not expressly prohibited is permitted
Firewalls – Packet Filters
Weakness of packet filter firewalls.
Attacks on Packet Filters

• IP address spoofing
• fake source address to be trusted
• add filters on router to block
• source routing attacks
• attacker sets a route other than default
• block source routed packets
• tiny fragment attacks
• split header info over several tiny packets
• either discard or reassemble before check
Firewalls – Stateful Packet Filters
• traditional packet filters do not examine higher layer context
• ie matching return packets with outgoing flow
• stateful packet filters address this need
• they examine each IP packet in context
• keep track of client-server sessions
• check each packet validly belongs to one
• hence are better able to detect bogus packets out of context
• may even inspect limited application data
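A toy stateful packet filter, added as an example (not code from the slides): it keeps a connection table so that an inbound packet is permitted only when it belongs to a session an inside host opened, while a stateless filter would have to leave inbound high ports open to let replies through. Addresses, ports and the policy are constructed; no real packet parsing is done.

```python
"""Toy stateful packet filter (added example; not code from the slides).

Assumptions: packets are constructed 5-tuples plus TCP SYN/ACK flags; the
inside network is 10.0.0.0/8; the policy is DEFAULT = discard with a single
rule permitting outbound TCP to ports 80 and 443.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")          # constructed internal address space
ALLOWED_OUTBOUND_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # SYN without ACK marks a new connection attempt
    ack: bool = False


class StatefulFilter:
    def __init__(self):
        self.table = set()   # known sessions, keyed by the outbound (src, sport, dst, dport)

    def _outbound_new(self, pkt: Packet) -> bool:
        """Rule: an inside host may open a TCP connection to an outside web port."""
        return (ip_address(pkt.src) in INSIDE
                and ip_address(pkt.dst) not in INSIDE
                and pkt.syn and not pkt.ack
                and pkt.dport in ALLOWED_OUTBOUND_PORTS)

    def decide(self, pkt: Packet) -> str:
        """Return 'PERMIT' or 'DENY' for one packet, in context of earlier packets."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "PERMIT"          # belongs to a known session, either direction
        if self._outbound_new(pkt):
            self.table.add(key)      # remember the session so the reply matches 'reverse'
            return "PERMIT"
        return "DENY"                # default policy: discard what is not expressly permitted


def run_demo() -> list:
    """Constructed traffic: one legitimate session, one bogus reply, two unsolicited packets."""
    fw = StatefulFilter()
    packets = [
        Packet("10.1.2.3", 51000, "93.184.216.34", 443, syn=True),                # inside opens HTTPS
        Packet("93.184.216.34", 443, "10.1.2.3", 51000, syn=True, ack=True),     # genuine SYN-ACK reply
        Packet("198.51.100.9", 443, "10.1.2.3", 51000, syn=True, ack=True),      # out-of-context 'reply'
        Packet("198.51.100.9", 40000, "10.1.2.3", 22, syn=True),                 # unsolicited inbound SSH
        Packet("10.1.2.3", 51001, "93.184.216.34", 25, syn=True),                # outbound port not in rule
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```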
Firewalls - Application Level Gateway
(or Proxy)
• have application specific gateway / proxy
• has full access to protocol
• user requests service from proxy
• proxy validates request as legal
• then actions request and returns result to user
• can log / audit traffic at application level
• need separate proxies for each service
• some services naturally support proxying
• others are more problematic
Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created usually relays traffic without examining contents
• typically used when trust internal users by allowing general outbound
connections
• SOCKS is commonly used
Bastion Host

• highly secure host system
• runs circuit / application level gateways

Host-Based Firewalls

• s/w module used to secure individual host
• available in many operating systems
• or can be provided as an add-on package
• often used on servers
• advantages:
• can tailor filtering rules to host environment
• protection is provided independent of topology
• provides an additional layer of protection
Personal Firewalls
• controls traffic between PC/workstation and Internet or enterprise
network
• a software module on personal computer
• or in home/office DSL/cable/ISP router
• typically much less complex than other firewall types
• primary role to deny unauthorized remote access to the computer
• and monitor outgoing activity for malware
Firewall Configurations
DMZ Networks
Virtual Private Networks
Distributed Firewalls
Summary of Firewall Locations and Topologies

• host-resident firewall
• screening router
• single bastion inline
• single bastion T
• double bastion inline
• double bastion T
• distributed firewall configuration
Summary

• have considered:
• firewalls
• types of firewalls
• packet-filter, stateful inspection, application proxy, circuit-level
• basing
• bastion, host, personal
• location and configurations
• DMZ, VPN, distributed, topologies
Intrusion detection and
prevention systems
Intruders

• significant issue for networked systems is hostile or unwanted access
• either via network or local
• can identify classes of intruders:
• varying levels of competence
Examples of Intrusion

• remote root compromise of e-mail server
• web server defacement
• guessing / cracking passwords
• copying / viewing sensitive data / databases
• running a packet sniffer
• distributing pirated software
• using an unsecured modem to access internal network
• impersonating a user to reset password
• using an unattended workstation
Intrusion Techniques
• aim to gain access and/or increase privileges on a system-backdoor
entry
• often use system / software vulnerabilities
• key goal often is to acquire passwords
• so then exercise access rights of owner
Few approaches from [ALVA90] report
Password Guessing
• one of the most common attacks
• attacker knows a login (from email/web page etc)
• then attempts to guess password for it
• defaults, short passwords, common word searches
• user info (variations on names, birthday, phone, common words/interests)
• exhaustively searching all possible passwords
• check by login or against stolen password file
• success depends on password chosen by user
• surveys show many users choose poorly
Password Capture

• another attack involves password capture
• watching over shoulder as password is entered
• using a trojan horse program to collect
• monitoring an insecure network login
• eg. telnet, FTP, web, email
• extracting recorded info after successful login (web history/cache, last number dialed etc)
• using valid login/password can impersonate user
• users need to be educated to use suitable precautions/countermeasures
Intrusion Detection


Approaches to Intrusion Detection

Audit Records

Audit Record Analysis

• foundation of statistical approaches
• analyze records to get metrics over time
• counter, gauge, interval timer, resource use
• use various tests on these to determine if current behavior is acceptable
• mean & standard deviation, multivariate, markov process, time series, operational
• key advantage is no prior knowledge used
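The mean and standard deviation test on a counter metric, as an added example (not code from the slides): audit records are parsed into failed-logins-per-user-per-day, the history forms the baseline, and the latest day is flagged when it lies more than a chosen number of standard deviations above the mean. The audit lines are constructed, and no prior knowledge of any attack is used.

```python
"""Statistical anomaly detection on audit records (added example; not code from the slides).

Assumptions: records look like '<ISO timestamp> user=<name> event=<login_ok|login_fail>';
the metric is a counter (failed logins per user per day); the test is the
mean & standard deviation test with a z-score threshold.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\w+) event=(?P<event>\w+)$")


def build_sample_log() -> str:
    """Constructed audit log: alice fails 0-2 logins a day for four days, then 12 on the fifth."""
    spec = [("2024-05-01", 1), ("2024-05-02", 2), ("2024-05-03", 0),
            ("2024-05-04", 1), ("2024-05-05", 12)]
    lines = []
    for day, fails in spec:
        lines.append(f"{day}T09:00:00 user=alice event=login_ok")
        lines += [f"{day}T02:{i:02d}:00 user=alice event=login_fail" for i in range(fails)]
    return "\n".join(lines)


def failed_logins_per_day(log: str) -> dict:
    """Parse audit records into user -> day -> number of failed logins (the counter metric)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                           # malformed record: ignored here, worth counting in practice
        counts[m["user"]].setdefault(m["day"], 0)   # a day with activity but no failures counts as 0
        if m["event"] == "login_fail":
            counts[m["user"]][m["day"]] += 1
    return counts


def detect(log: str, z_limit: float = 3.0) -> dict:
    """For each user return (latest_day, count, z_score, is_anomalous), using all earlier days as baseline."""
    result = {}
    for user, per_day in failed_logins_per_day(log).items():
        days = sorted(per_day)
        if len(days) < 3:
            continue                           # too little history to estimate mean and deviation
        history = [per_day[d] for d in days[:-1]]
        today = per_day[days[-1]]
        mu, sigma = mean(history), pstdev(history)
        sigma = max(sigma, 0.5)                # floor so a perfectly constant history cannot divide by zero
        z = (today - mu) / sigma
        result[user] = (days[-1], today, round(z, 2), z > z_limit)
    return result


if __name__ == "__main__":
    print(detect(build_sample_log()))
```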
Rule-Based Intrusion Detection

• observe events on system & apply rules to decide if activity is suspicious or not
• rule-based anomaly detection
• analyze historical audit records to identify usage patterns & auto-generate rules for them
• then observe current behavior & match against rules to see if conforms
• like statistical anomaly detection does not require prior knowledge of security flaws
Rule-Based Intrusion Detection
• rule-based penetration identification
• uses expert systems technology
• with rules identifying known penetration, weakness patterns, or suspicious behavior
• compare audit records or states against rules
• rules usually machine & O/S specific
• rules are generated by experts who interview & codify knowledge of security admins
• quality depends on how well this is done
Chapter 14

Entity Authentication

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

14.1
14-1 INTRODUCTION

Entity authentication is a technique designed to let one party prove the identity of another party.
An entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.

14.2
14.1.1 Data-Origin Versus Entity Authentication

There are two differences between message authentication and entity authentication.

1) Message authentication might not happen in real time; entity authentication does.
2) Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.
3) Examples: e-mail (message authentication) and an ATM (entity authentication).
14.3
14.1.2 Verification Categories

Something known: PIN, password, secret key

Something possessed: passport, cards

Something inherent

14.4
14-2 PASSWORDS

The simplest and oldest method of entity authentication is password-based authentication, where the password is something that the claimant knows.

Topics discussed in this section:

14.2.1 Fixed Password
14.2.2 One-Time Password

14.5
14.2.1 Fixed Password

First Approach
Figure 14.1 User ID and password file

14.6
Attacks: Eavesdropping, Stealing, Accessing password file

14.7
14.2.1 Continued

Second Approach
Figure 14.2 Hashing the password

14.8
14.2.1 Continued

Dictionary attack: create a list of possible passwords (e.g., numbers) and apply the hash function to each.
Get the password file and search the second field for a matching hash.

14.9
14.2.1 Continued

Third Approach

Figure 14.3 Salting the password

14.10
14.2.1 Continued

Salting: a random string is concatenated to the password.
The salted password is hashed, and the ID, salt, and hash are stored.

A dictionary attack becomes difficult.

14.11
14.2.1 Continued

Fourth Approach
In the fourth approach, two identification techniques are
combined. A good example of this type of authentication
is the use of an ATM card with a PIN (personal
identification number).

14.12
14.2.2 One-Time Password

First Approach
In the first approach, the user and the system agree upon a list of passwords.
Cons: the list of passwords is long, and searching the list is difficult.
A password, once used, is useless if reused.

Second Approach
In the second approach, the user and the system agree to sequentially update the password.
Pi is used to encrypt Pi+1.

14.13
14.2.2 One-Time Password

Third Approach
In the third approach, the user and the system create a sequentially updated password using a hash function.
The user and the system agree on an original password, p0, and a counter n.
The system stores the identity of the user, the value of n, and the value of h^n(p0).

14.14
14.2.2 Continued

Figure 14.4 Lamport one-time password
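The third approach run end to end, as an added example (not code from the slides or Figure 14.4): the system stores only n and h^n(p0), the i-th login sends h^(n-i)(p0), the system hashes it once and compares, then keeps the received value for the next round. h is SHA-256 and the initial password is a constructed value.

```python
"""Lamport one-time password (added example; not code from the slides).

Assumptions: h = SHA-256; the system keeps (identity, n, h^n(p0)) and never p0.
A captured password cannot be replayed, because the next accepted value must be
its preimage under h, which the eavesdropper cannot compute.
"""
import hashlib


def h_iter(value: bytes, times: int) -> bytes:
    """Apply h 'times' times: h^times(value)."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value


class LamportServer:
    def __init__(self, user: str, n: int, p0: bytes):
        self.user = user
        self.counter = n               # logins remaining before the chain is exhausted
        self.stored = h_iter(p0, n)    # h^n(p0); p0 itself is not stored

    def login(self, user: str, otp: bytes) -> bool:
        if user != self.user or self.counter <= 0:
            return False               # unknown user, or chain exhausted: re-enrol with a new p0
        if hashlib.sha256(otp).digest() != self.stored:
            return False               # h(otp) must equal the stored value
        self.stored = otp              # the next password must hash to this one
        self.counter -= 1
        return True


class LamportClient:
    def __init__(self, n: int, p0: bytes):
        self.n, self.p0, self.used = n, p0, 0

    def next_password(self) -> bytes:
        """The i-th login sends h^(n-i)(p0)."""
        self.used += 1
        return h_iter(self.p0, self.n - self.used)


def demo() -> list:
    p0 = b"constructed-initial-password"     # constructed shared starting value
    server = LamportServer("alice", n=3, p0=p0)
    client = LamportClient(n=3, p0=p0)
    first = client.next_password()           # h^2(p0)
    return [
        server.login("alice", first),                      # True: h(h^2(p0)) == h^3(p0)
        server.login("alice", first),                      # False: replay of a captured password
        server.login("alice", client.next_password()),     # True: h^1(p0)
        server.login("alice", client.next_password()),     # True: p0 itself, last in the chain
        server.login("alice", p0),                         # False: chain exhausted
    ]


if __name__ == "__main__":
    print(demo())
```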

14.15
14-3 CHALLENGE-RESPONSE

In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.

Topics discussed in this section:

14.3.1 Using a Symmetric-Key Cipher
14.3.2 Using Keyed-Hash Functions
14.3.3 Using an Asymmetric-Key Cipher
14.3.4 Using Digital Signature
14.16
14-3 Continue

Note
In challenge-response authentication, the claimant
proves that she knows a secret without sending it to
the verifier.

Note
The challenge is a time-varying value sent by the
verifier; the response is the result
of a function applied on the challenge.

14.17
14.3.1 Using a Symmetric-Key Cipher

First Approach

Figure 14.5 Nonce challenge

14.18
14.3.1 Continued

Second Approach: in clock synchronized systems

Figure 14.6 Timestamp challenge

14.19
14.3.1 Continued

Third Approach.

Figure 14.7 Bidirectional authentication

14.20
14.3.2 Using Keyed-Hash Functions

Instead of using encryption/decryption for entity authentication, we can also use a keyed-hash function (MAC).
Figure 14.8 Keyed-hash function
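The nonce challenge of 14.3.1 combined with the keyed-hash response of 14.3.2, as an added example (not code from the slides or Figure 14.8): the verifier sends a fresh nonce, the claimant returns HMAC-SHA256 over the nonce and her identity, and the secret never crosses the wire. The shared key is a constructed value; the verifier consumes each nonce once so that a replayed response fails.

```python
"""Challenge-response with a keyed-hash function (added example; not code from the slides).

Assumptions: the shared key is constructed; the challenge is a 16-byte random
nonce (the time-varying value); the response is HMAC-SHA256(key, nonce || identity).
"""
import hashlib
import hmac
import secrets


def keyed_hash(key: bytes, nonce: bytes, identity: str) -> bytes:
    """Response = MAC over the challenge and the claimant's identity, binding the reply to her."""
    return hmac.new(key, nonce + identity.encode(), hashlib.sha256).digest()


class Verifier:
    def __init__(self, keys: dict):
        self.keys = keys          # identity -> shared secret key
        self.pending = {}         # identity -> outstanding nonce (one at a time)

    def challenge(self, identity: str) -> bytes:
        nonce = secrets.token_bytes(16)    # fresh random value; never reused
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes) -> bool:
        nonce = self.pending.pop(identity, None)   # a nonce may be answered only once
        key = self.keys.get(identity)
        if nonce is None or key is None:
            return False
        expected = keyed_hash(key, nonce, identity)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Claimant:
    def __init__(self, identity: str, key: bytes):
        self.identity, self.key = identity, key

    def respond(self, nonce: bytes) -> bytes:
        return keyed_hash(self.key, nonce, self.identity)


def demo() -> list:
    key = b"constructed-shared-key-alice"
    bob = Verifier({"alice": key})
    alice = Claimant("alice", key)
    eve = Claimant("alice", b"wrong-key")      # claims alice's identity without the secret

    nonce = bob.challenge("alice")
    good = alice.respond(nonce)
    ok = bob.verify("alice", good)             # True: correct key, fresh nonce
    replay = bob.verify("alice", good)         # False: the nonce has already been consumed
    nonce2 = bob.challenge("alice")
    forged = bob.verify("alice", eve.respond(nonce2))   # False: wrong key
    return [ok, replay, forged]


if __name__ == "__main__":
    print(demo())
```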

14.21
14.3.3 Using an Asymmetric-Key Cipher

First Approach

Figure 14.9 Unidirectional, asymmetric-key authentication

14.22
14.3.3 Continued

Second Approach
Figure 14.10 Bidirectional, asymmetric-key

14.23
14.3.4 Using Digital Signature

First Approach
Figure 14.11 Digital signature, unidirectional

14.24
14.3.4 Continued
Second Approach

Figure 14.12 Digital signature, bidirectional authentication

14.25
14-4 ZERO-KNOWLEDGE

In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret.

Topics discussed in this section:
14.4.1 Fiat-Shamir Protocol
14.4.2 Feige-Fiat-Shamir Protocol
14.4.3 Guillou-Quisquater Protocol

14.26
14.4.1 Fiat-Shamir Protocol

Figure 14.13 Fiat-Shamir protocol
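The Fiat-Shamir rounds of Figure 14.13 in working form, as an added example (not code from the slides): Alice holds a secret s with public v = s^2 mod n, commits x = r^2 mod n, answers challenge c with y = r*s^c mod n, and Bob accepts iff y^2 = x*v^c (mod n). The block also runs a claimant who does not know s to show why many rounds are needed: she can satisfy only the challenge bit she guessed in advance, so k rounds leave her a 2^-k chance. The modulus and secret are constructed values.

```python
"""Fiat-Shamir zero-knowledge identification (added example; not code from the slides).

Assumptions: n = p*q with p = 1000003 and q = 999983 (constructed; the factors
are known only to the trusted party); real deployments use RSA-size n.
"""
import secrets

N = 1000003 * 999983


class Prover:
    """Alice: knows the secret s; registers v = s^2 mod n with the verifier."""
    def __init__(self, n: int, s: int):
        self.n, self.s = n, s
        self.v = pow(s, 2, n)

    def commit(self) -> int:
        self.r = secrets.randbelow(self.n - 1) + 1
        return pow(self.r, 2, self.n)             # x = r^2 mod n

    def respond(self, c: int) -> int:
        return (self.r * pow(self.s, c, self.n)) % self.n   # y = r * s^c mod n


class Cheater:
    """Knows v but not s. Guesses the challenge bit in advance: for guess 0 she commits
    x = r^2 and answers y = r; for guess 1 she commits x = r^2 * v^-1 so that y = r
    satisfies y^2 = x*v. Either way the other challenge bit exposes her."""
    def __init__(self, n: int, v: int, guess: int):
        self.n, self.v, self.guess = n, v, guess

    def commit(self) -> int:
        self.r = secrets.randbelow(self.n - 1) + 1
        x = pow(self.r, 2, self.n)
        return x if self.guess == 0 else (x * pow(self.v, -1, self.n)) % self.n

    def respond(self, c: int) -> int:
        return self.r                             # the only value she can produce


def verify_round(n: int, v: int, x: int, c: int, y: int) -> bool:
    """Bob's check for one round: y^2 == x * v^c (mod n). y = 0 is refused because
    a claimant could then pass trivially by committing x = 0."""
    if y == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, c, n)) % n


def run_protocol(claimant, v: int, challenges: list) -> int:
    """Run one round per challenge bit and count how many rounds Bob accepts."""
    accepted = 0
    for c in challenges:
        x = claimant.commit()
        y = claimant.respond(c)
        accepted += verify_round(N, v, x, c, y)
    return accepted


def demo(rounds: int = 20) -> dict:
    alice = Prover(N, s=12345)                  # constructed secret, coprime to n
    challenges = [secrets.randbelow(2) for _ in range(rounds)]
    honest = run_protocol(alice, alice.v, challenges)
    eve = Cheater(N, alice.v, guess=1)
    cheated = run_protocol(eve, alice.v, challenges)
    return {
        "honest_rounds": honest,                 # all rounds pass
        "cheater_rounds": cheated,               # only the rounds where Bob sent her guessed bit
        "cheater_passes_only_guessed_bits": cheated == challenges.count(1),
    }


if __name__ == "__main__":
    print(demo())
```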

14.27
14.28
14.29
14.4.2 Feige-Fiat-Shamir Protocol
Figure 14.15 Feige-Fiat-Shamir protocol

14.30
14.4.3 Guillou-Quisquater Protocol
Figure 14.16 Guillou-Quisquater protocol

14.31
14.4.3 Continued
Figure 14.16 Guillou-Quisquater protocol

14.32
14-5 BIOMETRICS

Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared.

Topics discussed in this section:
14.5.1 Components
14.5.2 Enrollment
14.5.3 Authentication
14.5.4 Techniques
14.5.5 Accuracy
14.5.6 Applications
14.33
14.5.1 Components

Several components are needed for biometrics, including capturing devices, processors, and storage devices.

14.34
14.5.2 Enrollment

Before using any biometric technique for authentication, the corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.

14.35
14.5.3 Authentication

Verification

Identification

14.36
14.5.4 Techniques

Figure 14.17 Techniques

14.37
14.5.4 Continued

Physiological Techniques

Fingerprint, Hands, Iris, Voice, Retina, DNA, Face

14.38
14.5.4 Continued

Behavioral Techniques

Signature

Keystroke

14.39
14.5.5 Accuracy

False Rejection Rate (FRR)

False Acceptance Rate (FAR)

14.40
14.5.6 Applications

Several applications of biometrics are already in use. In commercial environments, these include access to facilities, access to information systems, transactions at point-of-sale, and employee timekeeping. In the law enforcement system, they include investigations (using fingerprints or DNA) and forensic analysis. Border control and immigration control also use some biometric techniques.

14.41
