
SECTION - C

LECTURE 1

CRYPTOGRAPHY --> Cryptography is the technique of securing information and communications through
the use of codes so that only those persons for whom the information is intended can understand and
process it, thus preventing unauthorized access to information. The prefix “crypt” means “hidden” and
the suffix “graphy” means “writing”.

Modern cryptography is heavily based on mathematical theory and computer science practice;
cryptographic algorithms are designed around computational hardness assumptions, making such
algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system,
but it is infeasible to do so by any known practical means.

Features Of Cryptography are as follows:

· Confidentiality: Information can only be accessed by the person for whom it is intended and no
other person except him can access it.

· Integrity: Information cannot be modified in storage or in transit between the sender and the
intended receiver without the modification being detected.

· Non-repudiation: The creator/sender of information cannot deny his or her intention to send
the information at a later stage.

· Authentication: The identities of sender and receiver are confirmed, as well as the
destination/origin of the information.

The flowchart depicts that cryptology is only one of the factors involved in securing networks.
Cryptology refers to study of codes, which involves both writing (cryptography) and solving
(cryptanalysis) them. Below is a classification of the crypto-terminologies and their various types.
1. Cryptography –

Cryptography is classified into symmetric cryptography, asymmetric cryptography and hashing. Below
is a description of these types.

Symmetric key cryptography –

It involves usage of one secret key along with encryption and decryption algorithms which help in
securing the contents of the message. The strength of symmetric key cryptography depends upon the
number of key bits. It is relatively faster than asymmetric key cryptography. There arises a key
distribution problem as the key has to be transferred from the sender to receiver through a secure channel.

Asymmetric key cryptography –

It is also known as public key cryptography because it involves usage of a public key along with a secret
key. It solves the problem of key distribution as the two parties use different keys for encryption and
decryption. It is not feasible to use for decrypting bulk messages as it is very slow compared to symmetric
key cryptography.

Hashing –

It involves taking the plain-text and converting it to a hash value of fixed size by a hash function. This
process ensures integrity of the message, as the hash values on the sender’s and the receiver’s side should
match if the message is unaltered.

2. Cryptanalysis – Basic cryptanalysis techniques are as follows:

Classical attacks –

They can be divided into a) mathematical analysis and b) brute-force attacks. Brute-force attacks run the
encryption algorithm for all possible values of the key until a match is found; the encryption algorithm is
treated as a black box. Analytical attacks are those which focus on breaking the cryptosystem by
analysing the internal structure of the encryption algorithm.
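The link between brute-force search and the number of key bits, as an added example that is not part of the original notes. The cipher `toy_cipher` is a constructed stand-in (an XOR keystream derived with SHA-256), and the plaintext and keys are constructed sample values.

```python
import hashlib


def toy_cipher(key: int, key_bits: int, data: bytes) -> bytes:
    """Constructed toy symmetric cipher: XOR the data with a keystream
    derived from the key. The same call both encrypts and decrypts."""
    if not 0 <= key < 2 ** key_bits:
        raise ValueError("key does not fit in key_bits")
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def brute_force(key_bits: int, known_plaintext: bytes, ciphertext: bytes):
    """Black-box exhaustive search: encrypt the known plaintext under every
    possible key until the output matches. Returns (key, trials)."""
    for trials, candidate in enumerate(range(2 ** key_bits), start=1):
        if toy_cipher(candidate, key_bits, known_plaintext) == ciphertext:
            return candidate, trials
    return None, 2 ** key_bits


def worst_case_trials(key_bits: int) -> int:
    """Trials needed when the secret key is the last one in the key space."""
    plaintext = b"constructed sample"
    last_key = 2 ** key_bits - 1
    ciphertext = toy_cipher(last_key, key_bits, plaintext)
    key, trials = brute_force(key_bits, plaintext, ciphertext)
    if key != last_key:
        raise RuntimeError("search returned the wrong key")
    return trials


if __name__ == "__main__":
    # Every extra key bit doubles the work of the search.
    for bits in (8, 12, 16):
        print(f"{bits}-bit key: up to {worst_case_trials(bits)} trials")
    # At real key sizes the same loop cannot finish.
    print(f"128-bit key: up to {2 ** 128} trials")
```

The search cost depends only on the size of the key space, which is why the notes tie the strength of a symmetric cipher to its key length.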

Social Engineering attack –

This attack depends on the human factor. Tricking someone into revealing their passwords to
the attacker or into allowing access to a restricted area comes under this attack. People should be cautious
when revealing their passwords to any third party which is not trusted.

Implementation attacks –

Implementation attacks such as side-channel analysis can be used to obtain a secret key. They are relevant
in cases where the attacker can obtain physical access to the cryptosystem.

CRYPTOGRAPHIC SYSTEM / CRYPTOSYSTEM -->

A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure
to provide information security services. A cryptosystem is also referred to as a cipher system.

Let us discuss a simple model of a cryptosystem that provides confidentiality to the information being
transmitted. This basic model is depicted in the illustration below −

Cryptosystem

The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a way that
any party intercepting or eavesdropping on the communication channel cannot extract the data.
The objective of this simple cryptosystem is that at the end of the process, only the sender and the
receiver will know the plaintext.

Components of a Cryptosystem

The various components of a basic cryptosystem are as follows −

· Plaintext - It is the data to be protected during transmission.

· Encryption Algorithm - It is a mathematical process that produces a ciphertext for any given
plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption
key as input and produces a ciphertext.

· Ciphertext - It is the scrambled version of the plaintext produced by the encryption algorithm
using a specific encryption key. The ciphertext is not guarded. It flows on a public channel. It
can be intercepted or compromised by anyone who has access to the communication channel.

· Decryption Algorithm - It is a mathematical process that produces a unique plaintext for any
given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a
decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the
encryption algorithm and is thus closely related to it.

· Encryption Key - It is a value that is known to the sender. The sender inputs the encryption key
into the encryption algorithm along with the plaintext in order to compute the ciphertext.

· Decryption Key - It is a value that is known to the receiver. The decryption key is related to the
encryption key, but is not always identical to it. The receiver inputs the decryption key into the
decryption algorithm along with the ciphertext in order to compute the plaintext.

· For a given cryptosystem, a collection of all possible decryption keys is called a key space.

INTERCEPTOR -- An interceptor (an attacker) is an unauthorized entity who attempts to determine the
plaintext. He can see the ciphertext and may know the decryption algorithm. He, however, must never
know the decryption key.

Types of Cryptosystems

Fundamentally, there are two types of cryptosystems based on the manner in which encryption-decryption
is carried out in the system −

Symmetric Key Encryption & Asymmetric Key Encryption

The main difference between these cryptosystems is the relationship between the encryption and the
decryption key.

Logically, in any cryptosystem, both the keys are closely associated. It is practically impossible to
decrypt the ciphertext with the key that is unrelated to the encryption key.

Symmetric Key Encryption

The encryption process where the same keys are used for encrypting and decrypting the information is
known as Symmetric Key Encryption.

The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric
cryptosystems are also sometimes referred to as secret key cryptosystems.

A few well-known examples of symmetric key encryption methods are − Digital Encryption Standard
(DES), Triple-DES (3DES), IDEA, and BLOWFISH.

Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance is very
high and it is being used extensively in many cryptosystems. It is very unlikely that this encryption will
fade away, as it has certain advantages over asymmetric key encryption.

The salient features of a cryptosystem based on symmetric key encryption are −

· Persons using symmetric key encryption must share a common key prior to exchange of
information.

· Keys are recommended to be changed regularly to prevent any attack on the system.

· A robust mechanism needs to exist to exchange the key between the communicating parties.
As keys are required to be changed regularly, this mechanism becomes expensive and
cumbersome.

· In a group of n people, to enable two-party communication between any two persons, the
number of keys required for group is n × (n – 1)/2.

· Length of Key (number of bits) in this encryption is smaller and hence, process of encryption-
decryption is faster than asymmetric key encryption.

· Processing power of computer system required to run symmetric algorithm is less.

Challenge of Symmetric Key Cryptosystem

There are two restrictive challenges of employing symmetric key cryptography.

· Key establishment − Before any communication, both the sender and the receiver need to agree on a
secret symmetric key. It requires a secure key establishment mechanism in place.

· Trust Issue − Since the sender and the receiver use the same symmetric key, there is an implicit
requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that the
receiver has lost the key to an attacker and the sender is not informed.

These two challenges are highly restraining for modern day communication. Today, people need to
exchange information with non-familiar and non-trusted parties, for example in communication between
an online seller and a customer. These limitations of symmetric key encryption gave rise to asymmetric
key encryption schemes.

Asymmetric Key Encryption

The encryption process where different keys are used for encrypting and decrypting the information
is known as Asymmetric Key Encryption.

Though the keys are different, they are mathematically related and hence, retrieving the plaintext by
decrypting ciphertext is feasible. The process is depicted in the following illustration −

Asymmetric Key Encryption

Asymmetric Key Encryption was invented in the 20th century to overcome the necessity of a pre-shared
secret key between communicating persons. The salient features of this encryption scheme are as follows −
· Every user in this system needs to have a pair of dissimilar keys, private key and public key.

· These keys are mathematically related − when one key is used for encryption, the other can
decrypt the ciphertext back to the original plaintext.

· It requires the public key to be put in a public repository and the private key to be kept as a
well-guarded secret. Hence, this scheme of encryption is also called Public Key Encryption.

· Though public and private keys of the user are related, it is computationally not feasible to
find one from another. This is a strength of this scheme.

· When Host1 needs to send data to Host2, he obtains the public key of Host2 from the
repository, encrypts the data, and transmits it.

· Host2 uses his private key to extract the plaintext.

· Length of Keys (number of bits) in this encryption is large and hence, the process of
encryption-decryption is slower than symmetric key encryption.

· Processing power of computer system required to run asymmetric algorithm is higher.

· Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are quite
difficult to comprehend.

You may wonder how the encryption key and the decryption key can be ‘related’ and yet it is impossible
to determine the decryption key from the encryption key. The answer lies in the mathematical concepts.
It is possible to design a cryptosystem whose keys have this property. The concept of public-key
cryptography is relatively new. There are fewer public-key algorithms known than symmetric algorithms.
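The Host1 to Host2 exchange and the "related but hard to derive" key property, as an added example that is not part of the original notes. It uses textbook RSA with constructed toy primes (61 and 53) and no padding, so it shows the mathematics only; the function names are assumptions of this example.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int):
    """Build a textbook RSA key pair from two primes (toy sizes only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)      # (public key, private key)


def apply_key(key, value: int) -> int:
    """Encrypt or decrypt: the same modular exponentiation, different key."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def recover_private_key(public_key):
    """Derive the private key from the public key by factoring n.
    This works only because n is tiny; for a modulus of realistic size
    no known method factors n in practical time."""
    e, n = public_key
    p = next(f for f in range(2, n) if n % f == 0)
    return make_keypair(p, n // p, e)[1]


# Constructed sample key pair for Host2; the public half goes to the repository.
HOST2_PUBLIC, HOST2_PRIVATE = make_keypair(61, 53, 17)


def host1_send(plaintext: int) -> int:
    """Host1 encrypts with Host2's public key taken from the repository."""
    return apply_key(HOST2_PUBLIC, plaintext)


def host2_receive(ciphertext: int) -> int:
    """Host2 extracts the plaintext with his private key."""
    return apply_key(HOST2_PRIVATE, ciphertext)


if __name__ == "__main__":
    ciphertext = host1_send(65)
    print("public key:", HOST2_PUBLIC, "ciphertext:", ciphertext)
    print("decrypted:", host2_receive(ciphertext))
    # The keys also work in the opposite order.
    print("reverse order:", apply_key(HOST2_PUBLIC, apply_key(HOST2_PRIVATE, 65)))
    print("recovered from toy public key:", recover_private_key(HOST2_PUBLIC))
```

The relation between the keys is the pair of primes behind the modulus: whoever knows them can compute either exponent from the other, and everyone else has to factor the modulus first.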

Challenge of Public Key Cryptosystem


Public-key cryptosystems have one significant challenge − the user needs to trust that the public key that
he is using in communications with a person really is the public key of that person and has not been
spoofed by a malicious third party.

This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a trusted third party.
The third party securely manages and attests to the authenticity of public keys. When the third party is
requested to provide the public key for any communicating person X, they are trusted to provide the
correct public key.

The third party satisfies itself about user identity by the process of attestation, notarization, or some other
process − that X is the one and only, or globally unique, X. The most common method of making the
verified public keys available is to embed them in a certificate which is digitally signed by the trusted
third party.

Relation between Encryption Schemes

A summary of basic key properties of two types of cryptosystems is given below −

Due to the advantages and disadvantages of both systems, symmetric key and public-key
cryptosystems are often used together in practical information security systems.

System of Keys

Key: An important aspect of performing encryption and decryption is the key. It is the key used for
encryption and decryption that makes the process of cryptography secure.

In cryptography, a key is a piece of information (a parameter) that determines the functional output of a
cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into
ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other
cryptographic algorithms, such as digital signature schemes and message authentication codes.

At its simplest level, a cryptographic key is just a random string consisting of hundreds or thousands of
ones and zeroes (i.e. binary digits, or “bits”). However, keys are always created for a specific function,
and the associated key meta-data defines the properties of the key.

Private Key:

With a private key (secret key), the same key is used for encryption and decryption. The key is
symmetric because the single key is copied or shared with the other party to decrypt the cipher text. It is
faster than public key cryptography.

Public Key:

With a public key, two keys are used: one key for encryption and another key for
decryption. One key (the public key) is used to encrypt the plain text and convert it into cipher text, and
the other key (the private key) is used by the receiver to decrypt the cipher text and read the message.

Types of Cryptography

Cryptography is further classified into three different categories:

· Symmetric Key Cryptography (Private/Secret Key Cryptography)


· Asymmetric Key Cryptography (Public Key Cryptography)

· Hash Function

Symmetric Key Cryptography

Symmetric key cryptography is a type of cryptography in which a single common key is used by
both sender and receiver for the purpose of encryption and decryption of a message. This system is
also called private or secret key cryptography, and AES (Advanced Encryption Standard) is the most
widely used symmetric key cipher.

The symmetric key system has one major drawback that the two parties must somehow exchange the
key in a secure way as there is only one single key for encryption as well as decryption process.

Types: AES (Advanced Encryption Standard), DES, Triple DES, RC2, RC4, RC5, IDEA, Blowfish,
Stream cipher, Block cipher, etc. are the types of symmetric key cryptography.

Asymmetric Key Cryptography

Asymmetric Key Cryptography is a completely different and more secure approach than symmetric
key cryptography. In this system, every user uses two keys or a pair of keys (private key and public
key) for the encryption and decryption process. The private key is kept secret by every user and the
public key is distributed over the network, so that anyone who wants to send a message to a user can use
that user's public key.

Either of the keys can be used to encrypt the message and the other one is used for decryption.
Asymmetric key cryptography is also known as public key cryptography and is more secure than
symmetric key. RSA is the most popular and widely used asymmetric algorithm.

Types: RSA, DSA, PKCs, Elliptic Curve techniques, etc. are the common types of asymmetric key
cryptography.

Hash Function

A hash function is a cryptographic algorithm that takes an input of arbitrary length and gives an
output of fixed length.

The hash function is also considered as a mathematical equation that takes a seed (numeric
input) and produces an output that is called the hash or message digest.

This system operates in one-way manner and does not require any key. Also, it is considered as the
building blocks of modern cryptography.

The hash function works in such a way that it operates on two blocks of fixed-length binary data and then
generates a hash code. There are different rounds of hashing and each round takes as input a
combination of the most recent block and the output of the last round.

Types: Some popular hash functions are Message Digest 5 (MD5), SHA (Secure Hash Algorithm),
RIPEMD, and Whirlpool. MD5 is the most commonly used hash function to encrypt and protect your
passwords and private data.
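The round structure described above and the sender/receiver digest comparison from the hashing overview, as an added example that is not part of the original notes. `toy_hash` is a constructed illustration of the chaining only (its block size, state size and compression function are assumptions); the integrity check uses SHA-256 from the SHA family listed above.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # bytes per message block (assumed for this illustration)
STATE_SIZE = 16   # bytes of chaining value, which is also the output size


def compress(state: bytes, block: bytes) -> bytes:
    """Stand-in compression function: two fixed-length inputs, one
    fixed-length output. Real hash functions define their own."""
    return hashlib.sha256(state + block).digest()[:STATE_SIZE]


def pad(message: bytes) -> bytes:
    """Pad to a whole number of blocks and append the message length."""
    padded = message + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK_SIZE)
    return padded + len(message).to_bytes(8, "big")


def toy_hash(message: bytes) -> bytes:
    """Each round combines the most recent block with the previous output."""
    state = b"\x00" * STATE_SIZE          # fixed starting value
    padded = pad(message)
    for offset in range(0, len(padded), BLOCK_SIZE):
        state = compress(state, padded[offset:offset + BLOCK_SIZE])
    return state


def sender_digest(message: bytes) -> str:
    """Sender side: the hash value that accompanies the message."""
    return hashlib.sha256(message).hexdigest()


def receiver_accepts(message: bytes, received_digest: str) -> bool:
    """Receiver side: recompute the hash and compare it with the one received."""
    return hmac.compare_digest(sender_digest(message), received_digest)


if __name__ == "__main__":
    # Constructed sample messages.
    for sample in (b"", b"short", b"x" * 1000):
        print(len(sample), "bytes ->", toy_hash(sample).hex())
    original = b"pay 100 to Bob"
    digest = sender_digest(original)
    print("unaltered accepted:", receiver_accepts(original, digest))
    print("altered accepted:", receiver_accepts(b"pay 900 to Bob", digest))
```

The comparison is only as trustworthy as the digest the receiver holds: an interceptor who can replace the message and the digest together passes the check, which is the gap that keyed message authentication codes close.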

Difference between Symmetric, Asymmetric and Hash Function Cryptography

Symmetric Key uses single key to encrypt and decrypt the message while asymmetric key uses a pair
of keys in which one key is used for encryption and other for decryption whereas hash function does
not require any key for encryption as well as decryption.

Symmetric key is relatively faster than asymmetric and hash function but less reliable in terms of
security.

Asymmetric key was introduced to overcome the problem of key exchange in symmetric key and
hash functions were introduced to provide more security than ever.

If the key is compromised over the network, then there will be a loss for both sender and receiver in
symmetric key, a loss only for the key owner in asymmetric key, and in hash function there is no key to
compromise.

Asymmetric key has higher complexity than hash function, and symmetric key has very little
complexity.

Conclusion

Encryption of data is much needed in our modern time and the latest schemes may necessarily be the
best fit. The latest algorithms and techniques are being developed as hackers and eavesdroppers
have made it tough to secure data in the best possible way. Cryptography is going to add more
methods in the coming years to make personal data more secure and its standards more reliable.

Public Key Cryptography / Asymmetric Key Cryptography -->

Public Key Cryptography

Unlike symmetric key cryptography, we do not find historical use of public-key cryptography. It is a
relatively new concept.

Symmetric cryptography was well suited for organizations such as governments, the military, and big
financial corporations that were involved in classified communication.

With the spread of more unsecure computer networks in the last few decades, a genuine need was felt to
use cryptography at a larger scale. The symmetric key was found to be non-practical due to the challenges
it faced for key management. This gave rise to the public key cryptosystems.

The process of encryption and decryption is depicted in the following illustration −


Public Key Cryptography

The most important properties of public key encryption scheme are −

· Different keys are used for encryption and decryption. This is a property which sets this
scheme apart from the symmetric encryption scheme.

· Each receiver possesses a unique decryption key, generally referred to as his private key.

· Receiver needs to publish an encryption key, referred to as his public key.

· Some assurance of the authenticity of a public key is needed in this scheme to avoid spoofing
by an adversary posing as the receiver. Generally, this type of cryptosystem involves a trusted third
party which certifies that a particular public key belongs to a specific person or entity only.

· The encryption algorithm is complex enough to prohibit an attacker from deducing the plaintext
from the ciphertext and the encryption (public) key.

· Though private and public keys are related mathematically, it is not feasible to calculate
the private key from the public key. In fact, the intelligent part of any public-key cryptosystem is
in designing a relationship between the two keys.

Issues in Documents Security

Documents face threats of many kinds. Customer lists, sales-strategy reports, and detailed revenue
statistics might fall into the hands of competitors. Confidential personal data given by customers and
employees could be compromised leading to lawsuits. Identification details like bank-account login
information or credit-card details might be stolen by thieves. Because of these possibilities in today’s
world, the issue of document security should be a top concern.

1. Unsecured documents are easy to steal.

Important documents need to be locked in a file cabinet. While a determined thief might be able to break
a lock, a casual or opportunistic thief will likely move on. Make it a policy for anyone with important
files to put them away in a locked cabinet or desk drawer whenever they aren’t using them.

2. Too many people have access to sensitive information.

You do need some sensitive information, such as payroll records and emergency contact information for
employees, but that doesn’t mean everyone needs access to it. Limit access just to those who need the
information to complete their job responsibilities.

3. Computers are at risk.

Digital information is just as vulnerable as hard copies if you leave your computer unlocked. If your
employees use company computers or personal devices with company information, require them to lock
their computers. For that matter, antivirus software and system updates are an important and easy part of
securing devices. There’s no good reason to skip out on those.

4. Physical data is easily destroyed.

It only takes one fire or one flood to wipe out years of important business documents. In 2017, for
instance, tech company Hewlett-Packard lost “more than 100 boxes” of “correspondence, speeches, and
other items” from the company’s founders in the Santa Rosa, California, wildfires. Use a fire and
waterproof file cabinet to secure your documents.

5. Too many documents are on file.

When you no longer need a document, it’s time to shred it. Don’t leave documents with confidential
information in recycling bins, in the trash, or on a desk to take care of later. This goes for hard drives, too.
Unless you physically destroy it, a good hacker could still pull information from it.

6. Networks are unsecured.

Almost every business is at risk of an online data breach or cyber attack. CNN Tech reports that a 2017
cyber attack resulted in some British hospitals temporarily closing, and schools in Montana closed for
three days when a hacker group stole the personal information of students and teachers.

While there are a lot of ways to secure your network, one of the easiest is to simply ensure you have a
firewall in place and require a password for access.

7. Records aren’t backed up.

There are plenty of ways to lose critical data. Whether it’s user error, technical malfunction, or hacking, if
you don't regularly back up your data, it's at risk. In many cases, you can automate backups, so you don’t
even have to think about it. In a worst-case scenario, even if a hacker does steal and hold your
information for ransom, you have a copy, so you at least know what is at risk.

8. There is no disaster plan in place.

Every business needs a disaster plan. You probably have a fire escape plan, a panic button in case of
police emergencies, and maybe even an evacuation plan if you live in areas prone to natural disasters. But
do you have a plan in place for document theft? Business, employee, and customer information is at risk
no matter how diligent you are at locking file cabinets or securing your network. It’s unfortunate but true.

Work on your response now so you’re prepared if you are a victim of data theft. How will you inform
customers? What law enforcement agencies and credit agencies will you contact? What steps will you
take to ensure the impact is as limited as possible?

9. The security camera is poorly placed.

Properly positioned security cameras are a theft deterrent by themselves, but even if you are the victim of
an on-location data theft (or any other crime), good security cameras may help police identify and locate
the criminal. Business security systems don’t need to be expensive to be effective.

10. Hire a security expert.

If you truly want to limit your business’ exposure to theft, hire a security expert to audit your business.
This goes for both physical security, such as illegal entries, and cyber security, such as hacking. When you
know where the holes are in your defenses, you can take steps to make your business documents even
more secure.

Depending on your preparation and response, document security issues can make or break your business.
Take the steps necessary to reduce risk and secure critical information. It will only help your business in
the long run.
