Dr. M.V. Ranjith Kumar is a Senior Audit Program Manager at Infosys with 15 years of experience in cybersecurity and information security audits across various industries. He specializes in areas such as telematics implementation, blockchain architecture, and vendor risk assessments, and has published research in cybersecurity fields. The document outlines his qualifications, course content on cryptography and cyber security, and essential concepts related to computer security, cryptographic techniques, and the legal aspects of cybersecurity.

1. CB3491
CRYPTOGRAPHY
&
CYBER SECURITY
Dr. MV. Ranjith Kumar
Senior Audit Program Manager
Infosys

2. Dr. MV. Ranjith Kumar
Senior Audit Program Manager, Cyber Risk Services
Ranjith Kumar is an Audit Program Manager in Corporate Certification, Assessment and Audit CCAT team
of Infosys Pvt Ltd with 15 years of experience in Enterprise Security Audit background.
An Information Systems Security professional with proven track record in implementing Cyber Physical
System, Information Security review and IT Security Audits and Network Security Architecture Review and
Design, Threat intelligence. His key area of expertise includes Telematics implementation and control
assessments, Blockchain Architecture, IT/OT controls assurance, internal audits, Security risk and gap
assessments.
Ranijth Kumar’s’ s professional experience spans across multiple industries like Technology, Automobile,
Power and Utilities, Banking..
Professional Experience:
• Performed multiple ISO 27001 gap assessment and supported on ISMS implementation for various
Technology, Automobile, Power and Utilities, Financial and Retail clients.
• Experienced working on with data encryption, HSM, PKI and key management
• Performed multiple vendor risk assessments based on standards like NIST,ISO 27001.
• Assessment of associated risks for the IT processes and Assessment of the existing internal control
system for IT processes
• Systems scoping, Process review, Control requirements analysis, existing controls and gaps
identification, control implementation plans and monitoring, managing internal and external audits.
• Process mapping in terms of process flow-chart, narratives and segregation of duties.
• Preparing / Reviewing Process and Procedure documents.
• Involved in Data center audits for Manufacturing companies.
• Performed In-Vehicle testing, OTA programming control, Cloud backend testing, Big data security.
• Performing patching and sever hardening using Ansible technology
• Strong Technical knowledge with proficiency in implementing Block chain technology for real time use
cases
• Published several research papers in international and National reputed A++ journals in field of Cyber
security, Cyber Physical Systems, Wireless networking, Ad-hoc Networks, Blockchain, Machine
Learning, Power and grid computing, Smart Sensor Networks, Digital Image processing, etc.,
Name : Dr. MV. Ranjith Kumar
Infosys Pvt Ltd
Professional Certification:
¡ Data Privacy – CIPP, CIPM
¡ ISMS - ISO 27001 Lead Auditor
¡ CyberArk Certified – Trustee
¡ CISCO Certified Network
Associate (CCNA)
Phone: +91 97907 40111
Email: drmvranjithkumar@gmail.com
DECE, B.E., M.E., M.B.A., PG Dip., M.S. (UK), Ph.D.
Education :

3. Syllabus
UNIT I : Introduction
UNIT II : Symmetric Cryptography
UNIT III: Asymmetric Cryptography
UNIT IV: Message Authentication And
Integrity
UNIT V : Cyber Crimes and Cyber
Security

4. Week 1: Overview of computer security concepts, OSI security architecture, Types of security attacks
Week 2: Security services: CIA, Security mechanisms: encryption, access control, authentication
Week 3: Model for network security, Classical encryption techniques: substitution and transposition
Week 4: Classical Cryptography and modern cryptography its applications
Week 5: Cryptanalysis - Introduction to product cryptosystems, Basic cryptanalysis techniques
Week 6: Symmetric Ciphers - Number Theory- Basics of number theory relevant to cryptography
Week 7: Modular Arithmetic, Modular arithmetic concepts, Euclid’s algorithm and congruences
Week 8: Symmetric Key Ciphers, - Introduction to symmetric key ciphers: SDES and DES
Week 9: Cryptanalysis of Symmetric Ciphers
Week 10: Key Distribution and Pseudorandom Number Generators, AES, RC4
Week 11: Asymmetric Cryptography – Mathematics (Primes, primality testing, and factorization
Week 12: Asymmetric Key Ciphers, RSA, Diffie-Hellman, elliptic curve
Week 13: Integrity and Authentication Algorithms
Week 14: Mutual Trust and Key Management
Week 15: Cyber Crimes and Cyber Security, Overview, Tools and methods, Security measures
Course Plan Weekly : 3 Hours
Friday* : 2,3,4 (Slot)
WhatsApp : Group Creation
TEXT BOOKS
1. William Stallings, "Cryptography and Network Security - Principles and Practice", Seventh Edition, Pearson Education, 2017.
2. Nina, Sunit, “Cyber Security: Understanding Cyber crimes, Computer Forensics and Legal Perspectives”, First Edition, Wiley India, 2011.
REFERENCES
1. Behrouz A. Ferouzan, "Cryptography and Network Security", 3rd Edition, Tata Mc Graw Hill, 2015.
2. Charles Pfleeger, Shari Pfleeger, Jonathan Margulies, "Security in Computing", Fifth Edition, Prentice Hall, New Delhi, 2015.

5. Course Outcomes
After completion of the course, it is expected that:
The students will be able to
– Describe the fundamentals of networks security,
security architecture, threats and vulnerabilities.
– Apply the different cryptographic operations of
symmetric cryptographic algorithms.
– Explain the different cryptographic operations of
public key cryptography.
– Apply the various Authentication schemes to
simulate different applications.
– Discuss the various Security practices and System
security standards.

6. Cryptography
ØCryptography is the study of secure
communications techniques that allow
only the sender and intended recipient of
a message to view its contents.
ØThe term is derived from the Greek word
kryptos, which means hidden.
ØCryptography is about constructing and
analyzing protocols that prevent third
parties or the public from reading
private messages

7. Cryptographic algorithms and protocols can be
grouped into four main areas:
■ Symmetric encryption: Used to conceal the
contents of blocks or streams of data of any size,
including messages, files, encryption keys, and
passwords.
■ Asymmetric encryption: Used to conceal small
blocks of data, such as encryption keys and hash
function values, which are used in digital
signatures.
■ Data integrity algorithms: Used to protect
blocks of data, such as messages, from alteration.
■ Authentication protocols: These are schemes
based on the use of cryptographic algorithms
designed to authenticate the identity of entities.

8. Essential Network and
Computer Security
Requirements

9. q Confidentiality: Preserving authorized restrictions
on information access and disclosure, including
means for protecting personal privacy and
proprietary information.
q Integrity: Guarding against improper information
modification or destruction, including ensuring
information nonrepudiation and authenticity.
q Availability: Ensuring timely and reliable access to
and use of information.
ü Authenticity: The property of being genuine and
being able to be verified and trusted confidence in
the validity of a transmission, a message, or message
originator.
ü Accountability: The security goal that generates the
requirement for actions of an entity to be traced
uniquely to that entity.

10. Cyber Security
Cryptography
It is a process of keeping networks, devices,
programs, data secret and safe from damage
or unauthorized access.
It is a process of keeping information secret
and safe simply by converting it into
unintelligible information and vice-versa.
It is all about managing cyber risks in all
aspects such as people, process, technology,
etc.
It is all about math functions and can be
applied in technical solutions for increasing
cybersecurity.
Its main objective is to prevent or mitigate
harm or destruction of computer networks,
applications, devices, and data.
Its main objective is to keep plain text secret
from eaves or droppers who are trying to have
access to some information about the plain
text.
It is generally used for the protection of
internet-connected systems like software,
hardware, and data, risk management,
disaster planning, access control, policies.
It is generally used for integrity, entity
authentication, data origin authentication,
non-repudiation, etc.
Difference between Cybersecurity
and Cryptography

11. Legal, Ethical and
Professional Aspects of
Security
Cybercrime And Computer Crime:
§ Computer crime, or cybercrime, is a
term used broadly to describe criminal
activity in which computers or computer
networks are a tool, a target, or a place
of criminal activity.
§ The term cybercrime has a connotation
of the use of networks specifically,
whereas computer crime may or may
not involve networks.

12. The U.S. Department of Justice [DoJ]
categorizes computer crime based on
the role that the computer plays in the
criminal activity, as follows:
ØComputers as targets
ØComputers as storage devices
ØComputers as communications tools

13. Privacy Law and Regulation
A number of international organizations
and national governments have introduced
laws and regulations intended to protect
individual privacy.
vNotice
vConsent
vConsistency
vAccess
vSecurity
vOnward transfer
vEnforcement

14. Law and Ethics in
Information Security
Laws:
§ Rules that mandate or prohibit certain behavior
§ Drawn from ethics
Ethics:
§ Define socially acceptable behaviors
Key difference:
§ Laws carry the authority of a governing body
§ Ethics do not carry the authority of a governing
body
§ Based on cultural mores
§ Fixed moral attitudes or customs
§ Some ethics standards are universal

15. Policy Versus law
Policies:
§ Guidelines that describe acceptable and
unacceptable employee behaviors
§ Functions as organizational laws
§ Has penalties, judicial practices, and sanctions
Difference between policy and law:
§ Ignorance of policy is acceptable
§ Ignorance of law is unacceptable
Keys for a policy to be enforceable:
§ Dissemination
§ Review
§ Comprehension
§ Compliance
§ Uniform enforcement

16. United States Privacy Initiatives:
ØBanking and financial records
ØCredit reports
ØMedical and health insurance records
ØChildren’s privacy
ØElectronic communications

17. OSI Architecture

18. OSI Security Architecture
§ It is a systematic way of defining the
requirements for the security by ITU
§ It characterize the approaches to
satisfy the various security products
and polices
§ X.800 security architecture of OSI
defines such a systematic approach
§ OSI security architecture is useful for
organizing the task of providing
security

19. OSI Security Architecture
§ Since this architecture was developed
as an international standard,
Computer and Communications
vendors have developed security
features for their products and
services that relate to this
structured definition of services
and mechanisms

20. OSI Security Architecture
ØThe OSI security architecture focuses
on
qSecurity Attacks
qSecurity Mechanism
qSecurity Services

21. Security Attacks
vSecurity Attacks:
§ Any action that compromises the
security of information owned by an
organization
vClassifications:
ØPassive attacks
ØActive attacks

22. Passive Attacks
ØPassive attacks are in the nature of
eavesdropping on, or monitoring of,
transmissions.

23. Passive Attacks
ØThe goal of the opponent is to obtain
information that is being
transmitted.
ØTwo types of passive attacks are
§Release of message contents
§Traffic analysis.

24. Passive Attacks
• Release of message contents
– capture and read the content.
– A telephone conversation, an electronic mail
message, and a transferred file may contain
sensitive or confidential information.
• Traffic analysis
– Can’t read the information, But observe the
pattern
– Determine the location and identity of
communicating parties
– Observe frequency and length of
communication

25. Active Attacks
§ Active attacks involve some
modification of the data stream or the
creation of a false stream

26. Active Attacks
ØIt can be subdivided into four
categories:
Ø Masquerade
Ø Replay
Ø Modification of messages
Ø Denial of service

27. Active Attacks
Ø Masquerade
§ A masquerade takes place when one
entity pretends to be a different entity
§ Masquerade is a type of attack where the
attacker pretends to be an authorized
user of a system in order to gain access
to it or to gain greater privileges than
they are authorized for.

28. Active Attacks
Ø Replay
§ A replay attack also known as
playback attack.
§ Replay involves the passive capture of a
data unit and its subsequent
retransmission to produce an
unauthorized effect.

29. Active Attacks
Ø Modification of messages
§ It simply means that some portion of a
legitimate message is altered, or that
messages are delayed or reordered, to
produce an unauthorized effect
Ø Denial of service
§ A denial-of-service (DoS) is any type of
attack where the attackers (hackers)
attempt to prevent legitimate users from
accessing the service

30. Security Mechanisms
§ Security mechanism:
ØA process that is designed to detect, prevent,
or recover from a security attack
§ The following are some security
mechanisms defined in X.800
• Encipherment
• Access Control
• Digital Signature
• Data Integrity
• Authentication Exchange
• Traffic Padding
• Routing Control
• Notarization

31. Security Mechanisms
Ø Encipherment
– The use of mathematical algorithms to
transform data into a form that is not readily
intelligible.
– The transformation and subsequent recovery
of the data depend on an algorithm and zero
or more encryption keys.

32. Security Mechanisms
ØAccess Control
– A variety of mechanisms that enforce
access rights to resources.

33. Security Mechanisms
ØDigital Signature
– Here the sender can electronically sign
the data and the receiver can
electronically verify the signature.

34. Security Mechanisms
Ø Data Integrity
– The assurance that the data has not been
altered in an unauthorised manner since the
time that the data was last created,
transmitted, or stored by an authorised user.
– A variety of mechanisms used to assure the
integrity of a data unit or stream of data units.

35. Security Mechanisms
ØAuthentication Exchange
– A mechanism intended to ensure the
identity of an entity by means of
information exchange.

36. Security Mechanisms
Ø Traffic Padding
– The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts
– Traffic padding may be used to hide the traffic
pattern, which means to insert dummy traffic
into the network and present to the intruder a
different traffic pattern.

37. Security Mechanisms
ØRouting Control
– Enables selection of particular physically
secure routes for certain data and allows
routing changes, especially when a
breach of security is suspected.
ØNotarization
– The use of a trusted third party to assure
certain properties of a data exchange.

38. Security Mechanisms
ØNotarization
– The use of a trusted third party to assure
certain properties of a data exchange.

39. Security Services
§ It is a processing or communication
service that is provided by a system to
give a specific kind of protection to
system resources.
§ Security services implement security
policies and are implemented by
security mechanisms.
§ X.800 divides these services into five
categories and fourteen specific
services

40. Security Services
ØThe five categories are
• Authentication
• Access Control
• Data Confidentiality
• Data Integrity
• Nonrepudiation

41. Authentication
§ The authentication service is
concerned with assuring that a
communication is authentic
§ Two specific authentication services
are defined in X.800:
ØPeer entity authentication
ØData origin authentication

42. Authentication
§ Peer entity authentication
– Used in association with a logical
connection to provide confidence in the
identity of the entities connected.
§ Data origin authentication
– In a connectionless transfer, provides
assurance that the source of received
data is as claimed

43. Access Control
§ The prevention of unauthorized use
of a resource.
(i.e., this service controls who can have
access to a resource, under what
conditions access can occur, and what
those accessing the resource are
allowed to do)

44. Data Confidentiality
§ Confidentiality is the protection of
transmitted data from passive attacks
vConnection Confidentiality
vConnectionless Confidentiality
vSelective-Field Confidentiality
vTraffic-Flow Confidentiality

45. Data Confidentiality
• Connection Confidentiality
– The protection of all user data on a
connection
• Connectionless Confidentiality
– The protection of all user data in a single
data block
• Selective-Field Confidentiality
– The confidentiality of selected fields within
the user data on a connection or in a
single data block.
• Traffic-Flow Confidentiality
– The protection of the information that might
be derived from observation of traffic
flows

46. Data Integrity
§ The assurance that data received are
exactly as sent by an authorized
entity (i.e., contain no modification,
insertion, deletion, or replay).
Ø Connection Integrity with Recovery
Ø Connection Integrity without Recovery
Ø Selective-Field Connection Integrity
Ø Connectionless Integrity
Ø Selective-Field Connectionless Integrity

47. Data Integrity
• Connection Integrity with Recovery
– Provides for the integrity of all user data
on a connection and detects any
modification, insertion, deletion, or replay of
any data within an entire data sequence,
with recovery attempted.
• Connection Integrity without Recovery
– As above, but provides only detection
without recovery
• Selective-Field Connection Integrity
– Provides for the integrity of selected fields
within the user data of a data block
transferred over a connection and takes
the form of determination of whether the
selected fields have been modified, inserted,
deleted, or replayed.

48. Data Integrity
• Connectionless Integrity
– Provides for the integrity of a single
connectionless data block and may
take the form of detection of data
modification.
– Additionally, a limited form of replay
detection may be provided.
• Selective-Field Connectionless Integrity
– Provides for the integrity of selected
fields within a single connectionless
data block; takes the form of
determination of whether the selected
fields have been modified

49. Nonrepudiation
§ Provides protection against denial by one
of the entities involved in a communication
of having participated in all or part of the
communication
§ Nonrepudiation Origin
ØProof that the message was sent by the
specified party.
§ Nonrepudiation, Destination
ØProof that the message was received by
the specified party.

50. Relationship Between Security
Services and Mechanisms

51. Review
1. What is the OSI security architecture?
2. Three primary objectives of computer security.
3. Outline and briefly explain the different categories of passive and active security attacks.
4. Enumerate and briefly describe the categories of security services.
5. Enumerate and briefly describe the categories of security mechanisms.
6. List and briefly explain the core security design principles.
7. Distinguish between an attack surface and an attack tree.
Key Terms

52. Classical Encryption
Techniques
• Plaintext
• Encryption algorithm
• Secret key
• Ciphertext
• Decryption algorithm

53. Compressed Text

54. Substitution Techniques
Caesar Cipher
Replacing each letter of the alphabet with the
letter standing three places further down the
alphabet

55. Brute-Force Cryptanalysis of
Caesar Cipher
PHHW PH DIWHU WKH WRJD SDUWB
KEY
1. OGGV OG CHVGT VJG VQIC RCTVA
2. NFFU NF BGUFS UIF UPHB QBSUZ
3. MEET ME AFTER THE TOGA PARTY
4. LDDS LD ZESDQ SGD SNFZ OZQSX
5. KCCR KC YDRCP RFC RMEY NYPRW
6. JBBQ JB XCQBO QEB QLDX MXOQV
7. IAAP IA WBPAN PDA PKCW LWNPU
8. HZZO HZ VAOZM OCZ OJBV KVMOT
9. GYYN GY UZNYL NBY NIAU JULNS
10. FXXM FX TYMXK MAX MHZT ITKMR

56. Transposition Techniques
Rail Fence Cipher with 3 rails to encrypt
the message
WE ARE DISCOVERED RUN AT ONCE
Step 1: Prepare the Text
First, remove the spaces to get the plaintext ready for encryption:
Plaintext: WEAREDISCOVEREDRUNATONCE
Step 2: Arrange the Text on Rails
Write the message in a zigzag pattern across 3 rails:

57. Transposition Techniques
Step 3: Read the Text Row by Row
Now, read the text row by row to generate the ciphertext:
1. First row: W E C R N N E
2. Second row: E R D S O E E R U A O C
3. Third row: A I V D T E
Ciphertext: WECRNNEERDSOEEUAOCAVDTE
Decryption Process
To decrypt the message, you would follow these steps:
1.Write the ciphertext in a zigzag pattern across 3 rails by filling in the letters row by
row.
2.Read the text diagonally (zigzag) to recover the original plaintext:
Plaintext: WEAREDISCOVEREDRUNATONCE

58. Steganography
The practice of concealing a message, file, or
data within another message
Key Concepts of Steganography
Carrier: The file in which the hidden message will be embedded. This could be
an image, audio file, video file, or even a text document.
Payload: The actual message, file, or data that needs to be hidden.
Stego Object: The result after embedding the payload into the carrier. The
stego object should look as normal as possible to avoid suspicion.
Encoding: The process of hiding the payload within the carrier.
Decoding: The process of extracting the hidden message from the stego
object.

59. Steganography