Professional Documents
Culture Documents
Information Security
Information Security
DCS-03
Information Security
Block
Unit – 1
Information Security Concepts
Unit – 2
Introduction to Cryptography
Unit – 3
Cryptographic Algorithms
EXPERT COMMITTEE
Dr P.K.Behera (Chairman)
Reader in Computer Science
Utkal University
Bhubaneswar, Odisha
Dr. J.R.Mohanty (Member)
Professor and HOD
KIIT University
Bhubaneswar, Odisha
Sh Pabitrananda Pattnaik(Member)
Scientist –E,NIC
Bhubaneswar, Odisha
Sh Malaya Kumar Das (Member)
Scientist –E,NIC
Bhubaneswar, Odisha
Dr. Bhagirathi Nayak (Member)
Professor and Head(IT & System)
Sri Sri University
Bhubaneswar, Odisha
Dr.Manoranjan Pradhan (Member)
Professor and Head(IT & System)
G.I.T.A
Bhubaneswar, Odisha
Sri V.S.Sandilya (Convenor)
Academic Consultant (I.T)
Odisha State Open University,
Sambalpur, Odisha
Course Writer
Chandrakant Mallick
Consultant (Academic)
School of Computer and Information Science
Odisha State Open University, Odisha
1.0 Introduction
1.1 Learning Objectives
1.2 Information Security issues
1.3 Basic Terminologies and Definitions
1.4 Information Security Goals
1.5 Challenges of Information Security
1.6 The OSI Security Architecture
1.7 Types of Security Attacks
1.7.1 Attacks on Confidentiality
1.7.2 Attacks on Integrity
1.7.3 Attacks on Availability
1.8 Classifications of Security attacks
1.8.1 Passive Attacks
1.8.2 Active Attacks
1.8.2.1 Types of active Attacks
1.8.3 Passive versus Active Attacks
1.9 Self-Assessment Questions-1
1.10 Security Services and mechanisms
1.10.1 Security Services
1.10.2 Security Mechanisms
1.10.3 Specific Security Mechanisms
1.10.4 Pervasive Security Mechanisms
1.11 Relation between security services and mechanisms
1.12 Self-Assessment Questions-2
1.13 Key terms & Concepts
1.14 Answer to Self-Assessment Questions-1
1.15 Answer to Self-Assessment Questions-2
1.16 References and Suggested Readings
Computers are used by millions of people for many purposes like Banking,
Shopping, Tax returns, Education, Military, Communication, Business, Research,
Entertainment and many more. It necessitates protecting the assets of computer in
all such applications. The assets of the computer mean the hardware and software
including the information available in many forms. In the present day context
information is the most valuable asset than any other in an organization. Information
Security deals with all aspects of protecting information. In this unit we will discuss
some fundamentals concepts of information security.
The information security within an organization has undergone two major changes
in the last several decades.
The world before computers was much simpler in some ways-
· Signing, legalizing a paper would authenticate it.
· Photocopying was easily detected
· Erasing, inserting, modifying words on a paper document easily detectable
The meaning of terminologies change over time and this is especially true in the
rapidly changing technology industry. For example, we have information security,
computer security, cyber security and IT security.
Not only have these names changed meaning over time, there isn't necessarily a
clear consensus on the meanings and the degree to which they overlap or are
interchangeable. In our context we will frequently refer information security in this
course.
As per the definition above there are three measure goals of Information security
that include Confidentiality, Integrity and availability.
3. Availability
Availability requires that computer system assets are available to authorized
parties.
Availability is arequirement intended to assure that systems work promptly and
service is not denied to anauthorized user. The principle of availability states the
resources should be available to authorized users all the times.These three
concepts form what is often referred to as the Confidentiality Integrity and
Availability (CIA) Triad.
The three concepts embody the fundamental security objectives for both data and
for information as well as computing services. For example, the NIST standard
FIPS 199 (Standards for Security Categorization of Federal Information and
Information Systems) lists confidentiality, integrity, and availability as the three
security objectives for information and for information systems.
FIPS 199 provides a useful characterization of these three objectives in terms of
requirements and the definition of a loss of security in each category:
Confidentiality: Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information.
A loss of confidentiality is the unauthorized disclosure of information.
Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity.
A loss of integrity is the unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information.
Information security is both complex and challenging. Some of the reasons are as
follows:
1. Security is not as simple as it might be understood by the novice users. The
requirements seem to be straight forward; the major requirements for security
services can be confidentiality, authentication, nonrepudiation, or integrity. But the
mechanisms used to meet those requirements can be quite complex.
2. In developing a particular security mechanism or algorithm, one must
There are several types of security attacks but we can classify them based on the
security goals they compromise. The following figure shows the categories of
different types of security attacks.
According to both X.800 and RFC 4949, security attacks are classified as passive
attacks and active attacks.
Passive Attacks
Active Attacks
ITU-T provides some security services and some mechanisms to implement those
services. Security services and mechanisms are closely related because a
mechanism or combination of mechanisms is used to provide a service.
1.10.1 Security Services
Security ServicesX.800 divides these services into five categories and fourteen
specific services
The relationship between security services and mechanisms are summarized in the
table below:
2. What are Passive Attacks? Why are they difficult to detect? Name some
passive attacks.
…………………………………………………………………………………………
…………………………………………………………………………………………
…………………........………………………………………………………………….
3. List and briefly define categories of security services.
……………………………………………………………………………………………
……………………………………………………………………………………………
……………………………………………………………………………………………
Unit Structure
2.0 Introduction
2.1 Learning Objectives
2.2 Basic Terminologies
2.3 Cryptographic Systems
2.4 Cryptanalysis
2.5 Steganography
2.6 Network Security Model
2.7 Types of Cryptography
2.8 Symmetric key Cryptography
2.8.1 Unconditionally secure vs. computationally secured Encryption
2.8.2 Block Cipher Vs. Stream Cipher
2.9 Classical Encryption Techniques
2.9.1 Substitution Techniques
2.9.1.1 Monoalphabetic Cipher
2.9.1.2 Polyalphabetic Cipher
2.9.2 Transposition Techniques
2.10 Self-Assessment Questions
2.11 Key terms & Concepts
2.12 Answer to Self-Assessment Questions
2.13 References and Suggested Readings
Cryptography, which comes from the Greek words kryptos, meaning "hidden," and
graphein, meaning "to write," is the process of making and using codes to secure the
transmission of information. Cryptanalysis is the process of obtaining the original
message (called the plaintext) from an encrypted message (called the ciphertext)
without knowing the algorithms and keys used to perform the encryption.
Decryption is the process of converting the cipher text into a message that conveys
readily understood meaning.
In order to understand cryptography and its uses, you must be familiar with a number
of key terms that are used in cryptography.
In this unit, we will discuss the basic cryptography concepts and its related
terminologies used in the area of Cryptography.
Cryptography
The art or science encompassing the principles and methods of transforming an
The process of attempting to discover the plaintext or the key or both is known as
cryptanalysis. The strategy used by the cryptanalyst depends on the nature of the
encryption scheme and the information available to the cryptanalyst.
A cryptanalyst can do any or all of six different things:
1. Attempt to break a single message
2. Attempt to recognize patterns in encrypted messages, to be able to break
subsequent ones by applying a straightforward decryption algorithm
3. Attempt to infer some meaning without even breaking the encryption, such as
noticing an unusual frequency of communication or determining something by
whether the communication was short or long
4. Attempt to deduce the key, in order to break subsequent messages easily
5. Attempt to find weaknesses in the implementation or environment of use of
encryption
6. Attempt to find general weaknesses in an encryption algorithm, without
necessarily having intercepted any messages
2.4.1 Types of Cryptanalytic Attacks
There are various types of cryptanalytic attacks based on the amount of
information known to the cryptanalyst.
· Cipher text only – A copy of cipher text alone is known to the cryptanalyst.
· Known plaintext – The cryptanalyst has a copy of the cipher text and the
corresponding plaintext.
· Chosen plaintext – The cryptanalysts gains temporary access to the encryption
machine. They cannot open it to find the key, however; they can encrypt a large
number of suitably chosen plaintexts and try to use the resulting cipher texts to
deduce the key.
· Chosen cipher text – The cryptanalyst obtains temporary access to the
decryption machine, uses it to decrypt several string of symbols, and tries to use the
results to deduce the key.
A plaintext message may be hidden in any one of the two ways. The methods of
steganography conceal the existence of the message, whereas the
methods of cryptography render the message unintelligible to outsiders by
various transformations of the text. A simple form of steganography, but one that is
time consuming to construct is one in which an arrangement of words or letters
within an apparently innocuous text spells out the real message. Let us consider the
following examples.
(I) The sequence of first letters of each word of the overall message spells out the
real (Hidden) message.
(ii) Subset of the words of the overall message is used to convey the hidden
message. Various other techniques have been used historically, some of them are:
Character marking – selected letters of printed or typewritten text are overwritten
in pencil. The marks are ordinarily not visible unless the paper is held to an angle to
bright light.
Invisible ink – a number of substances can be used for writing but leave no visible
trace until heat or some chemical is applied to the paper.
Pin punctures – small pin punctures on selected letters are ordinarily not visible
unless the paper is held in front of the light.
Type written correction ribbon – used between the lines typed with a black
ribbon, the results of typing with the correction tape are visible only under a strong
light.
Drawbacks of Steganography
It requires a lot of overhead to hide a relatively few bits of information. Once the
system is discovered, it becomes virtually worthless.
The two basic building blocks of Classical encryption techniques are substitution
and transposition.
2.9.1 Substitution Techniques
A substitution technique is one in which the letters of plaintext are replaced by other
letters or by numbers or symbols to obtain the cipher text.
If the plaintext is viewed as a sequence of bits, then substitution involves replacing
plaintext bit patterns with ciphertext bit patterns.
Caesar Cipher
The earliest known, and the simplest, use of a substitution cipher was by Julius
Caesar. The Caesar cipher involves replacing each letter of the alphabet with the
letter standing three places further down the alphabet. Let us consider the following
example.
Plaintext: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Note: The alphabet is wrapped around, so the letter following Z is A.
We can define the transformation by listing all possibilities, as follows:
Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Let us assign a numerical equivalent to each letter:
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Example: Let us consider the example solved by Lord Peter Wimsey in Dorothy
Sayers's Have His Carcase:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
In this case, the keyword is monarchy. The matrix is constructed by filling in the
letters of the keyword (minus duplicates) from left to right and from top to bottom,
and then filling in the remainder of the matrix with the remaining letters in alphabetic
order. The letters I and J count as one letter. Plaintext is encrypted two letters at a
time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler
letter, such as x, so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced
by the letter to the right, with the first element of the row circularly following
the last. For example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the
letter beneath, with the top element of the column circularly following the
last. For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its
own row and the column occupied by the other plaintext letter. Thus, hs
become BP and ea becomes IM (or JM, as the encipherer wishes).
The Playfair cipher is a great advance over simple monoalphabetic ciphers.
For one thing, whereas there are only 26 letters, there are 26 × 26 = 676 digrams, so
that identification of individual digrams is more difficult. Furthermore, the relative
frequencies of individual letters exhibit a much greater range than that of digrams,
Decryption is equally simple. The key letter again identifies the row. The position of
the cipher text letter in that row determines the column, and the plaintext letter is at
the top of that column.
Advantages of Vigenere Cipher
· There are multiple cipher text letters for each plaintext letter, so it is almost
secured.
Disadvantages of Vigenere Cipher
· The key is periodically repeated
· Data can be detected from the key length
One Time Pad Cipher
It is an unbreakable cryptosystem. It represents the message as a sequence of 0s
and 1s.This can be accomplished by writing all numbers in binary, for example, or
Exclusive OR operation
Thus the cipher text is generated by performing the bitwise XOR of the plaintext
and the key.
Decryption uses the same key. Because of the properties of XOR, decryption
simply involves the same bitwise operation:
Pi = Ci Ki
e.g., plaintext = 0 0 1 0 1 0 0 1
Key = 1 0 1 0 1 1 0 0
Ciphertext = 1 0 0 0 0 1 0 1
Advantage:
· Encryption method is completely unbreakable for a ciphertext only attack.
Disadvantages:
· It requires a very long key which is expensive to produce and expensive to
transmit.
· Once a key is used, it is dangerous to reuse it for a second message; any
knowledge on the first message would give knowledge of the second.
2.9.2 Transposition Techniques
All the techniques examined so far involve the substitution of a cipher text symbol
for a plaintext symbol. A very different kind of mapping is achieved by performing
some sort of permutation on the plaintext letters. This technique is referred to as a
transposition cipher.
Rail fence techniques:
Rail fence is simplest of such cipher, in which the plaintext is written down as a
sequence of diagonals and then read off as a sequence of rows.
Plaintext = meet at the school house
To encipher this message with a rail fence of depth 2, we write the message as
follows:
meatecolos
etthshohue
6. Following are the advantages and disadvantages of Block and Stream Cipher.
Advantages of Block Cipher:
• It is faster than stream cipher.
• If any block contains any transmission error then it will not have effect on other
blocks.
• It is not sufficient in hardware but may be used to connect keyboard to CPU
(central process unit)
• Block ciphers can be easier to implement in software, because there is no bit
manipulation like in stream cipher which is time consuming process and treats data
in computer-sized blocks
• Block Cipher is more suitable in trading applications.
• Short blocks at the end of a message can also be added with blank or zero status.
Disadvantages of Block Cipher:
• If two same unit or blocks of plaintext is there, then the cipher produces same
cipher text for units or blocks.
• It is easy to insert or delete units/blocks.
• Block encryption may be more susceptible to cryptanalysis attack as compared
to stream cipher as block cipher provides strong hints to attacker because two same
units produce same cipher text.
• Block encryption is more susceptible to replay as compare to stream
encryption.
Advantages of Stream Cipher
• Stream cipher is suitable for hardware implementation as only encryption and
decryption data one bit at a time.
• Stream cipher is less susceptible to cryptanalysis than block cipher as block
cipher provides strong hints to attacker because two same units produce same
cipher text.
• Stream cipher is less vulnerable to insertion or deletion of units.
3.0 Introduction
3.1 Learning Objectives
3.2 Cryptographic Algorithms
3.2.1 Hash Algorithm
3.2.2 Message Digest (MD)
3.2.3 Message Digest 4
3.2.4 Message Digest 5 (MD5)
3.2.5 Secure Hash algorithm (SHA)
3.2.6 Whirlpool
3.2.7 RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
3.3 Password Hashes
3.4 Symmetric Cryptographic Algorithms
3.4.1 Understanding Symmetric Algorithms
3.4.2 Block Cipher
3.4.3 Data Encryption System (DES)
3.4.4 Triple Data Encryption Standard (3DES)
3.4.5 Advance Encryption Standard (AES)
3.4.6 Other Algorithms
3.5 Asymmetric Cryptographic Algorithms
3.6 RSA Algorithm
3.6.1 Elliptic curve Cryptography (ECC)
3.7 Using Cryptography
3.7.1 Encryption through Software
3.7.2 File and File System Cryptography
3.7.3 Pretty Good Privacy (PGP/GPG)
3.8 Self-Assessment Questions
3.9 Key Terms and Concepts
3.10 Answer to Self-Assessment Questions.
3.11 References and Further Readings
There are three categories of cryptographic algorithms. These are known as hash
algorithms, symmetric encryption algorithms, and asymmetric encryption
algorithms.
3.2.1 Hash Algorithm
The most basic type of cryptographic algorithm is a hash algorithm. Hashing is a
process for creating a unique digital fingerprint for a set of data. This fingerprint,
called a hash (sometimes called a one-way hash or digest) represents the contents.
Although hashing is considered a cryptographic algorithm, its purpose is not to
create a ciphertext that can later be decrypted.
Hashing is primarily used for comparison purposes. A hash that is created from a set
of data cannot be reversed. For example, if 12,345 is multiplied by 143, the result is
1,765,335. If the number 1,765,335 was given to a user, and the user was asked to
Another use for hashes is in strong password. When a password for an account is
created, the password is hashed and stored. When a user enters her password to log
in, that password is likewise hashed and compared with the stored hashed version;
if the two hashes match, then the user is authorized. Microsoft Windows operating
systems hash password in two ways. The first is known as the LM (LAN Manager)
hash. The LM hash is in not actually a hash, because a hash is a mathematical
function used to fingerprint the data. The LM hash instead uses a cryptography
one-way function (OWF): instead of encrypting the password with another key, the
password itself is the key. The LM has is considered a very weak function for
storing password. First, the LM hash is not case sensitive, meaning that there is no
difference between uppercase (A) and lowercase
(a). This significantly reduces the character set that an attacker must use. Second,
the LM has splits all password into two7- character parts. If the original password is
fewer the 14 characters, it simply pads the parts; if it is longer, the extra characters
are dropped. This means that an attacker attempting to break an LM hash must only
break two 7-character passwords from a limited character set. To address the
security issues in the LM hash, Microsoft introduced the NTLM (New Technology
LAN Manager) hash. Unlike the LM hash, the NTLM has does not limit stored
password to two 7-character parts. In addition, it is case sensitive and has larger
character set of 65,535 characters. The original version of NTLM uses a weak
cryptographic function and does not support more recent cryptographic methods;
Microsoft recommends that it should not be used. The current version is NTLMv2
and uses HMAC with MD5. It is considered a much stronger hashing algorithm.
The salt, along with the number of “rounds” (iterations) used with the salt, is stored
along with the “salted” password hash.
The first category is known as a stream cipher. A stream cipher takes one
character and replaces it with one character, as shown in figure
Note: The Wireless Wired Equivalent Privacy (WEP) protocol is a stream cipher.
The simplest type of stream cipher is a substitution cipher. Substitution ciphers
simply substitute one letter or character for another as shown in below given figure.
Sometimes known as mono alphabetic substitution cipher, stream cipher can be
easy to break. A homo alphabetic substitution cipher maps a single plaintext
character to multiple cipher text characters
Fig: 3DES
The asymmetric algorithm RSA was published in 1977 and patented by MIT in
1983. The RSA Algorithm is the most common asymmetric cryptography
algorithm and is the basis for several products. RSA stands for last names of its
three developers, Ron Rivest, Adi Shamir and Leonard Adleman.
The RSA algorithm multiples two large prime numbers (a prime number is a
number divisible only by itself and 1), p and q, to compute their product (n=pq)).
Next a number e is chosen that is less than n and a prime factor to (p-1)(q-1).
Another number d is determined, so that (ed-1) is divisible by (p-1) (q-1). The
values of e and d are the public and private exponents. The public key is the pair
(n.e), while the private key is (n,d). The numbers p and q can be discarded. An
illustration of the RSA algorithm using very small number is as follows:
Cryptography should be used to secure any and all data that needs to be protected.
This includes individual files or databases that are stored on standard desktop
computer servers, removable media or mobile devices. Cryptography can be