4. Introduction of Security
• When you create systems that store and retrieve data, it is important
to protect the data from unauthorized use, disclosure, modification or
destruction.
• Ensuring that users have the proper authority to see the data, load
new data, or update existing data is an important aspect of
application development.
• Do all users need the same level of access to the data and to the
functions provided by your applications?
• Are there subsets of users that need access to privileged functions?
• Are some documents restricted to certain classes of users?
• The answers to questions like these help provide the basis for the
security requirements for your application.
5. Introduction of Security
• Data Security is the science and study of methods of protecting data
from unauthorized disclosure and modification.
• Data and information security is about enabling collaboration while
managing risk with an approach that balances availability versus the
confidentiality of data.
• Computer Security: Generic name for the collection of tools designed
to protect data and to hackers.
• Network Security: Measures to protect data during their
transmission.
• Internet Security: Measures to protect data during their transmission
over a collection of interconnected networks.
6. Need for Security
• Increasing threat of attacks.
• Fast growth of computer networking for information sharing.
• Availability of number of tools and resources on internet.
• Lack of specialized resources that may be allotted for securing system.
1. User A transmits a sensitive information file to user B. The unauthorized
user C is able to monitor the transmission and capture a copy of the file
during its transmission.
2. A message is sent from a customer to a stockbroker with instructions for
various transactions. Subsequently the investments lose value and the
customer denied sending the message.
3. While transmitting the message between two users, the unauthorized
user intercept the message, alters its contents to add or delete entries
and then forwards the message to destination user.
7. Terminology for Security
• Cryptography: The art or science encompassing the principles and
methods of transforming and plaintext message into one that is
unintelligible and then retransforming that message back to its
original form.
• Plaintext: The original message.
• Ciphertext: The transformed message produced as output, It depends
on the plaintext and key.
• Cipher: An algorithm for transforming plaintext message into one that
is unintelligible by transposition and/or substitution method.
• Key: Some critical information used by the cipher know only to the
sender and receiver.
8. Terminology for Security
• Encipher (encode): The process of converting plaintext to ciphertext
using a cipher and key.
• Decipher (decoder): The process of converting ciphertext back into
plaintext using a cipher and key.
• Cryptanalysis: The study of principals and methods or transforming
and unintelligible message back into an intelligible message without
knowledge of the key.
• Cryptology: Both cryptography and cryptanalysis.
• Code: An algorithm for transforming an plaintext message into an
unintelligible one using a code-book.
9. Security Services
• Security service is a service, provided by a layer of communicating
open systems, which ensures adequate security of the systems or of
data transfers as defined by ITU-T X.800 Recommendation.
10. Security Services
• Authentication: assures recipient that the message is from the source
that it claims to be from.
• Access Control: controls who can have access to resource under what
condition.
• Availability: available to authorized entities for 24/7.
• Confidentiality: information is not made available to unauthorized
individual.
• Integrity: assurance that the message is unaltered.
• Non-Repudiation: protection against denial of sending or receiving in
the communication.
11. Authentication
• Cryptography can provide two types of authentication services:
1. Integrity authentication can be used to verify that non-modification
has occurred to the data.
2. Source authentication can be used to verify the identity of who
created the information, such as the user or system.
12. Access Control
• Access control is a security technique that regulates who or what can
view or use resources in a computing environment. It is a
fundamental concept in security that minimizes risk to the business or
organization.
• Access control systems perform identification authentication and
authorization of users and entities by evaluating required login
credentials that can include passwords, personal identification
numbers (PINs), biometric scans, security tokens or other
authentication factors.
13. Availability
• Data availability means that information is accessible to authorized
users. It provides an assurance that your system and data can be
accessed by authenticated users whenever they’re needed.
• Availability is the assertion that a computer system is available or
accessible by an authorized user whenever it is needed.
14. Confidentiality
• Confidentiality means that only authorized individuals/systems can
view sensitive or classified information.
• The data being sent over the network should not be accessed by
unauthorized individuals. The attacker may try to capture the data
using different tools available on the Internet and gain access to your
information.
15. Integrity
• Data integrity provides assurance that data has not been modified in
an unauthorized manner after it was created, transmitted or stored.
• This means that there has been no insertion, deletion or substitution
done with the data.
16. Non-Repudiation
• Non-repudiation is the assurance that someone cannot deny the
validity of something. Non-repudiation is a legal concept that is
widely used in information security and refers to a service, which
provides proof of the origin of data and the integrity of the data.
• In other words, non-repudiation makes it very difficult to successfully
deny who/where a message came from as well as the authenticity
and integrity of that message.
17. Security Mechanism
• Security mechanisms are technical tools and techniques that are used
to implement security services. A mechanism might operate by itself,
or with others, to provide a particular service.
18. Security Mechanism
• Encipherment
• This security mechanism deals with hiding and covering of data which
helps data to become confidential. It is achieved by applying
mathematical calculations or algorithms which reconstruct
information into not readable form. It is achieved by two famous
techniques named Cryptography and Encipherment. Level of data
encryption is dependent on the algorithm used for encipherment.
• Access Control
• This mechanism is used to stop unattended access to data which you
are sending. It can be achieved by various techniques such as
applying passwords, using firewall, or just by adding PIN to data.
19. Security Mechanism
• Notarization
• This security mechanism involves use of trusted third party in
communication. It acts as mediator between sender and receiver so
that if any chance of conflict is reduced. This mediator keeps record of
requests made by sender to receiver for later denied.
• Data Integrity
• This security mechanism is used by appending value to data to which
is created by data itself. It is similar to sending packet of information
known to both sending and receiving parties and checked before and
after data is received. When this packet or data which is appended is
checked and is the same while sending and receiving data integrity is
maintained.
20. Security Mechanism
• Authentication exchange
• This security mechanism deals with identity to be known in
communication. This is achieved at the TCP/IP layer where two-way
handshaking mechanism is used to ensure data is sent or not.
• Bit stuffing(Traffic Padding)
• This security mechanism is used to add some extra bits into data which is
being transmitted. It helps data to be checked at the receiving end and is
achieved by Even parity or Odd Parity.
• Digital Signature
• This security mechanism is achieved by adding digital data that is not
visible to eyes. It is form of electronic signature which is added by sender
which is checked by receiver electronically. This mechanism is used to
preserve data which is not more confidential but sender’s identity is to be
notified.
21. Finite Fields
• A group G is a nonempty set together with a binary operation (*) such
that the following three properties are satisfied.
1. Associativity: (a*b)*c = a*(b*c). For all a, b, c Ɛ G
2. Identity: There is an element e Ɛ G such that a*e = e*a. For all a Ɛ G
3. Inverses: For each element a Ɛ G, there is an element b Ɛ G such
that a*b = b*a = e.
• In a finite group, the order of each element of the group divides the
order of the group.
22. The Euclidean Algorithm
• The Euclidean algorithm is an efficient method to compute the
greatest common divisor (gcd) of two integers.
• We write gcd(a, b) = d to mean that d is the largest number that will
divide both a and b. If gcd(a, b) = 1 then we say that a and b are
coprime or relatively prime.
• The gcd is sometimes called the highest common factor (hcf).
23. The Euclidean Algorithm
• INPUT: Two non-negative integers a and b with a ≥ b.
• OUTPUT: gcd(a, b).
While b > 0, do
Set r = a mod b,
a = b,
b = r
Return a.
• The proof uses the division algorithm which states that for any two integers
a and b with b > 0 there is a unique pair of integers q and r such that a = qb
+ r and 0 <= r < b.
• If you have negative values for a or b, just use the absolute values |a| and
|b| in the above algorithm. By convention, if b = 0 then the gcd is a.
24. Euclidean Algorithm - Example
• Question 1(a): Find gcd(421, 111).
• Answer:
• We use the Euclidean algorithm as follows:
421 = 111 x 3 + 88 (larger number on left)
111 = 88 x 1 + 23 (shift left)
88 = 23 x 3 + 19 (note how 19 moves down the "diagonal")
23 = 19 x 1 + 4
19 = 4 x 4 + 3
4 = 3 x 1 + 1 (last non-zero remainder is 1)
3 = 1 x 3 + 0
• The last non-zero remainder is 1 and therefore gcd(421, 111) = 1.
25. Symmetric Cipher Model
• A symmetric encryption scheme has five ingredients Plaintext,
Encryption algorithm, Secret key, Ciphertext, Decryption algorithm.
• Plaintext: This is the original intelligible message or data that is fed
into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various
substitutions and transformations on the plaintext.
• Secret key: The secret key is also input to the encryption algorithm.
The key is a value independent of the plaintext and of the algorithm.
The algorithm will produce a different output depending on the
specific key being used at the time. The exact substitutions and
transformations performed by the algorithm depend on the key.
26. Symmetric Cipher Model
• Ciphertext: This is the scrambled message produced as output. It
depends on the plaintext and the secret key. For a given message, two
different keys will produce two different ciphertexts. The ciphertext is
an apparently random stream of data and, as it stands, is
unintelligible.
• Decryption algorithm: This is essentially the encryption algorithm run
in reverse. It takes the ciphertext and the secret key and produces the
original plaintext.
28. Cryptography
• Cryptography is the study of secure communications techniques that
allow only the sender and intended recipient of a message to view its
contents. The term is derived from the Greek word kryptos, which
means hidden.
• Cryptography is the science of secret writing that brings numerous
techniques to safeguard information that is present in an unreadable
format.
• By using cryptographic systems, the sender can first encrypt a
message and then pass on it through the network. The receiver on
the other hand can decrypt the message and restore its original
content.
29. Cryptography
• Features Of Cryptography are as follows:
• Confidentiality: Information can only be accessed by the person for
whom it is intended and no other person except him can access it.
• Integrity: Information cannot be modified in storage or transition
between sender and intended receiver without any addition to
information being detected.
• Non-repudiation: The creator/sender of information cannot deny his
or her intention to send information at later stage.
• Authentication: The identities of sender and receiver are confirmed.
As well as destination/origin of information is confirmed.
30. Cryptanalysis
• The process of trying to break any cipher text message to obtain the
original plain text message itself is called as cryptanalysis.
• Cryptanalysis is the art of deciphering encrypted communications
without knowing the proper keys.
• Cryptanalysis is the breaking of codes. The person attempting a
cryptanalysis is called as a cryptanalyst.
31. Cryptanalytic Attack
• To determine the weak points of a cryptographic system, it is
important to attack the system. This attacks are called Cryptanalytic
attacks.
• Types of Cryptanalytic attacks
• Known-Plaintext Analysis (KPA)
• Chosen-Plaintext Analysis (CPA)
• Ciphertext-Only Analysis (COA)
• Man-In-The-Middle (MITM) attack
• Adaptive Chosen-Plaintext Analysis (ACPA)
32. Cryptanalytic Attack
• Known-Plaintext Analysis (KPA)
• In this type of attack, some plaintext-ciphertext pairs are already
known. Attacker maps them in order to find the encryption key. This
attack is easier to use as a lot of information is already available.
• Chosen-Plaintext Analysis (CPA)
• In this type of attack, the attacker chooses random plaintexts and
obtains the corresponding ciphertexts and tries to find the encryption
key. Its very simple to implement like KPA but the success rate is quite
low.
33. Cryptanalytic Attack
• Ciphertext-Only Analysis (COA)
• In this type of attack, only some cipher-text is known and the attacker
tries to find the corresponding encryption key and plaintext. Its the
hardest to implement but is the most probable attack as only
ciphertext is required.
• Man-In-The-Middle (MITM) attack
• In this type of attack, attacker intercepts the message/key between
two communicating parties through a secured channel.
• Adaptive Chosen-Plaintext Analysis (ACPA)
• This attack is similar CPA. Here, the attacker requests the cipher texts
of additional plaintexts after they have ciphertexts for some texts.
34. Security Attack
• A useful means of classifying security attacks, used both in X.800 and
RFC 2828,is in terms of passive attacks and active attacks.
• A passive attack attempts to learn or make use of information
from the system but does not affect system resources.
• An active attack attempts to alter system resources or affect their
operation.
• Types of Security attacks
• Passive Attacks
• Active Attacks
35. Passive Attacks
• The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the Release of
Message Contents and Traffic Analysis.
• Passive attacks are very difficult to detect because they do not involve
any alternation of data. It is feasible to prevent the success of attack,
usually by means of encryption.
36. Release of Message Content
• The release of message contents is easily understood from figure.
A telephone conversation, an electronic mail message, and a
transferred file may contain sensitive or confidential information.
We would like to prevent an opponent from learning the contents of
these transmissions.
37. Traffic Analysis
• Mask the contents of message so that opponents could not extract
the information from the message. Encryption is used for masking.
38. Active Attacks
• Active attacks involved some modification of the data stream or the
creation of a false stream. These attacks can not be prevented easily.
Four types of active attacks are Masquerade, Replay, Modification
of message and Denial of Service.
39. Masquerade
• It takes place when one entity pretends to be a different entity.
• Interruption attacks are called as masquerade attacks.
40. Replay
• It involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
41. Modification of Message
• It involves some change to the original message. It produce an
unauthorized effect.
42. Denial of Service
• A Denial-of-Service attack (DoS attack) is an attack where an attacker
attempts to disrupt the services provided by a host, by not allowing
its intended users to access the host from the Internet. If the attack
succeeds, the targeted computer will become unresponsive and
nobody will be able to connect with it.
43. Difference between Passive and Active Attack
Passive Attack Active Attack
In Passive Attack, information remain
unchanged.
In Active Attack, information is modified.
Passive Attack is dangerous for
Confidentiality.
Active Attack is dangerous for Integrity as
well as Availability.
Attention is to be paid on prevention. Attention is to be paid on detection.
In Passive Attack, system has no impact. In Active Attack, system is damaged.
Victim does not get informed in passive
attack.
Victim gets informed in active attack.
System Resources are not changed in
passive attack.
System Resources can be changed in
active attack.
44. Substitution Technique
• Substitution technique is a classical encryption technique where the
characters present in the original message are replaced by the other
characters or numbers or by symbols.
• If the plain text (original message) is considered as the string of bits,
then the substitution technique would replace bit pattern of plain
text with the bit pattern of cipher text.
• Substitution Technique:
• Caesar Cipher
• Monoalphabetic Cipher
• Playfair Cipher
• Hill Cipher
• Polyalphabetic Cipher
• One-Time Pad
45. Caesar Cipher
• This the simplest substitution cipher by Julius Caesar. In this
substitution technique, to encrypt the plain text, each alphabet
of the plain text is replaced by the alphabet three places further
it.
• And to decrypt the cipher text each alphabet of cipher text is
replaced by the alphabet three places before it.
• Let us take a simple example:
• Plain Text: meet me tomorrow
• Cipher Text: phhw ph wrpruurz
46. Caesar Cipher
• Look at the example above, we have replaced, ‘m’ with ‘p’ which
occur three places after, ‘m’. Similarly, ‘e’ is replaced with ‘h’
which occurs in three places after ‘e’.
• Note: If we have to replace the letter ‘z’ then the next three
alphabets counted after ‘z’ will be ‘a’ ‘b’ ‘c’. So, while counting
further three alphabets if ‘z’ occurs it circularly follows ‘a’.
• There are also some drawbacks of this simple substitution
technique. If the hacker knows that the Caesar cipher is used
then to perform brute force cryptanalysis, he has only to try 25
possible keys to decrypt the plain text.
• The hacker is also aware of the encryption and decryption
algorithm.
47. Monoalphabetic Cipher
• Monoalphabetic cipher is a substitution cipher, where the cipher
alphabet for each plain text alphabet is fixed, for the entire
encryption.
• In simple words, if the alphabet ‘p’ in the plain text is replaced by
the cipher alphabet ‘d’.
• Then in the entire plain text wherever alphabet ‘p’ is used, it will
be replaced by the alphabet ‘d’ to form the ciphertext.
48. Playfair Cipher
• Playfair cipher is a substitution cipher which involves a 5X5
matrix. Let us discuss the technique of this Playfair cipher with
the help of an example:
• Plain Text: meet me tomorrow
• Key: KEYWORD
• Now, we have to convert this plain text to ciphertext using the
given key. We will discuss the further process in steps.
49. Playfair Cipher - Step 1
• Create a 5X5 matrix and place the key in that matrix row-wise
from left to right. Then put the remaining alphabets in the blank
space.
50. Playfair Cipher - Step 1
• Note: If a key has duplicate alphabets, then fill those alphabets
only once in the matrix, and I & J should be kept together in the
matrix even though they occur in the given key.
51. Playfair Cipher - Step 2
• Now, you have to break the plain text into a pair of alphabets.
• Plain Text: meet me tomorrow
• Pair: me et me to mo rx ro wz
• Note: Pair of alphabets must not contain the same letter. In case, pair
has the same letter then break it and add ‘x’ to the previous letter.
Like in our example letter ‘rr’ occurs in pair so, we have broken that
pair and added ‘x’ to the first ‘r’.
• In case while making pair, the last pair has only one alphabet left then
we add ‘z’ to that alphabet to form a pair as in our above example, we
have added ‘z’ to ‘w’ because ‘w’ was left alone at last.
• If a pair has ‘xx’ then we break it and add ‘z’ to the first ‘x’, i.e. ‘xz’ and
‘x_’.
52. Playfair Cipher - Step 3
• In this step, we will convert plain text into ciphertext. For that, take
the first pair of plain text and check for cipher alphabets for the
corresponding in the matrix. To find cipher alphabets follow the rules
below.
• Note: If both the alphabets of the pair occur in the same row replace
them with the alphabet to their immediate right. If an alphabet of the
pair occurs at extreme right then replace it with the first element of
that row, i.e. the last element of the row in the matrix circularly
follows the first element of the same row.
• If the alphabets in the pair occur in the same column, then replace
them with the alphabet immediate below them. Here also, the last
element of the column circularly follows the first element of the same
column.
53. Playfair Cipher - Step 3
• If the alphabets in the pair are neither in the same column and nor in
the same row, then the alphabet is replaced by the element in its own
row and the corresponding column of the other alphabet of the pair.
• Pair: me et me to mo rx ro wz
• Cipher Text: nk ku nk zk sk bt ck ox
• So, this is how we can convert a plain text to ciphertext using Playfair
cipher. When compared with monoalphabetic cipher Playfair cipher is
much more advanced. But still, it is easy to break.
54. Hill Cipher
• Hill cipher is a polyalphabetic cipher introduced by Lester Hill in 1929.
Let us discuss the technique of hill cipher.
• Plain text: Binary
• Key: HILL
• Choose the key in such a way that it always forms a square matrix.
With HILL as the key, we can form a 2×2 matrix.
• Now, of plain text, you have to form a column vector of length similar
to the key matrix. In our case, the key matrix is 2×2 then the column
vectors of plain text would be 2×1.
55. Hill Cipher
• The general equation to find cipher text using hill cipher is as follow:
• C = KP mod 26
• For our example, our key matrix would be:
• And our plain text matrices of 2×1 will be as follow:
56. Hill Cipher
• Now, we have to convert the key matrix and plain text matrices into
numeric matrices. For that number the alphabets such as A=0, B=1,
C=2, …………, Z=25. So, considering the alphabet numbering.
• Key matrix will be:
• Plain text matrices would be:
57. Hill Cipher
• In the first calculation, we would get two cipher alphabets for plain
text alphabet ‘B’ & ‘I’.
58. Polyalphabetic Cipher
• Polyalphabetic cipher is far more secure than a monoalphabetic
cipher. As monoalphabetic cipher maps a plain text symbol or
alphabet to a ciphertext symbol and uses the same ciphertext symbol
wherever that plain text occurs in the message.
• But polyalphabetic cipher, each time replaces the plain text with the
different ciphertext.
59. Polyalphabetic Cipher
• Polyalphabetic cipher is far more secure than a monoalphabetic
cipher. As monoalphabetic cipher maps a plain text symbol or
alphabet to a ciphertext symbol and uses the same ciphertext symbol
wherever that plain text occurs in the message.
• But polyalphabetic cipher, each time replaces the plain text with the
different ciphertext.
• Plain text: THE BOY HAS THE BAG
• Key: VIG VIG VIG VIG VIG
• Cipher text: OPKWWECIYOPKWIM
61. One-Time Pad
• The one-time pad cipher suggests that the key length should be as
long as the plain text to prevent the repetition of key. Along with that,
the key should be used only once to encrypt and decrypt the single
message after that the key should be discarded.
• Onetime pad suggests a new key for each new message and of the
same length as a new message. Now, let us see the one-time pad
technique to convert plain text into ciphertext. Assume our plain text
and key be:
• Plain text: COMETODAY
• Key: NCBTZQARX
• Cipher text: PQNXSEDRV
62. One-Time Pad
Plaintext
C O M E T O D A Y
2 14 12 4 19 14 3 0 24
Key
N C B T Z Q A R X
13 2 1 19 25 16 0 17 23
Total 15 16 13 23 44 30 3 17 47
Subtract 26
If > 25 15 16 13 23 18 04 3 17 21
Ciphertext P Q N X S E D R V
63. Transposition Technique
• Transposition technique is an encryption method which is
achieved by performing permutation over the plain text.
• Mapping plain text into cipher text using transposition technique
is called transposition cipher.
• Transposition Technique:
• Rail Fence Transposition
• Columnar Transposition
64. Rail Fence Transposition Technique
• The rail fence cipher is the simplest transposition cipher. The
steps to obtain cipher text using this technique are as follow:
• Step 1: The plain text is written as a sequence of diagonals.
• Step 2: Then, to obtain the cipher text the text is read as a
sequence of rows.
• To understand this in a better way, let us take an example:
• Plain Text: meet me tomorrow
• Now, we will write this plain text sequence wise in a diagonal
form as you can see below:
65. Rail Fence Transposition Technique
• Once you have written the message as a sequence of diagonals,
to obtain the cipher text out of it you have to read it as a
sequence of rows. So, reading the first row the first half of cipher
text will be:
m e m t m r o
• reading the second row of the rail fence, we will get the second
half of the cipher text:
e t e o o r w
• Now, to obtain the complete cipher text combine both the halves
of cipher text and the complete cipher text will be:
• Cipher Text: M E M T M R O E T E O O R W
66. Columnar Transposition Technique
• The columnar transposition cipher is more complex as compared
to the rail fence. The steps to obtain cipher text using this
technique are as follow:
• Step 1: The plain text is written in the rectangular matrix of the
initially defined size in a row by row pattern.
• Step 2: To obtain the cipher text read the text written in a
rectangular matrix column by column. But you have to permute
the order of column before reading it column by column. The
obtained message is the cipher text message.
• To understand the columnar transposition let us take an
example:
67. Columnar Transposition Technique
• Plain text: meet Tomorrow
• Now, put the plain text in the rectangle of a predefined size. For
our example, the predefined size of the rectangle would be 3×4.
As you can see in the image below the plain text is placed in the
rectangle of 3×4. And we have also permuted the order of the
column.
68. Columnar Transposition Technique
• Now, to obtain the cipher text we have to read the plain text
column by column as the sequence of permuted column order.
So, the cipher text obtained by the columnar transposition
technique in this example is:
• Cipher Text: EORTOWMTREMO.