CS65-COMPUTER NETWORKS Dept.

of EEE

• Network security is needed to protect data during their

transmission and to guarantee that data transmissions
are authentic.
• The three requirements of network security are :
– Secrecy : Information available in the computer should only be
NETWORK SECURITY accessed by the authorized users.
– Integrity : Information can only be modified by authorized
parties.
– Availability : Information made available only to authorized
parties.

4/4/2011 1 4/4/2011 2

• Security attack include : • Counter measures :

– Interruption : System or information destroyed or unusable to – Implementing encrypted data transfer
user.
– Use of passwords/keys
– Interception : Unauthorized person or party gains access to the
data. – Usage of firewalls and network security protocols
– Modification : Unauthorized person gains access to the data and
modify the data.
– Fabrication : Unauthorized person gains control over network
and transmit fabricated data
• Security attacks could be of
– Passive attacks : monitors the transmissions and do not involve
any modification of data.
– Active attacks : it modifies the data

4/4/2011 3 4/4/2011 4

Prepared by S.Muralidharan 1
CS65-COMPUTER NETWORKS Dept. of EEE

Cryptography
• Cryptography is the art of converting the original
intelligible message, referred to as “plaintext” into
random nonsense, referred to as “ciphertext”. • Plaintext vs. Ciphertext
• The process of converting the plaintext into ciphertext is – P(plaintext): the original form of a message
called “encryption”. The reverse process is called – C(ciphertext): the encrypted form
“decryption”. The user can do the “decryption” only by • Basic operations
using a secret key. – plaintext to ciphertext: encryption: C = E(P)
– ciphertext to plaintext: decryption: P = D(C)
• can be characterized by: – requirement: P = D(E(P))
– type of encryption operations used
• substitution / transposition / product
– number of keys used
• single-key or private / two-key or public
– way in which plaintext is processed
• block / stream
4/4/2011 5 4/4/2011 6

• Cryptography • Breakable encryption

– cryptography means hidden writing, the practice of using
encryption to conceal text
• Cryptanalysis
– cryptanalyst studies encryption and encrypted message, with
the goal of finding the hidden meaning of the messages
• cryptanalyst can do any or all of three different things:
– attempt to break a single message
– attempt to recognize patterns in encrypted messages, in order
to be able to break subsequent ones by applying a
straightforward decryption algorithm
– attempt to find general weakness in an encryption algorithm,
without necessarily having intercepted any messages
• Cryptology
– includes both cryptography and cryptanalysis
– An encryption algorithm may be breakable, meaning that given
enough time and data, an analyst could determine the algorithm
– practicality is an issue
• for a given cipher scheme, there may be 1030 possible
decipherments, so the task is to select the right one out of
the 1030
• cryptanalyst cannot be expected to try just the hard, long
way
– another efficient algorithm may exist
• estimates of breakability are based on current technology
– budget dependent

4/4/2011 7 4/4/2011 8

Prepared by S.Muralidharan 2
CS65-COMPUTER NETWORKS Dept. of EEE

Simple substitution
• Keyless Cipher
– a cipher that does not require the use of a key
• Simple substitution
• key cannot be changed – use a correspondence table
• substitute each character by another character or symbol
• Two forms of encryption
– monoalphabetic cipher
– substitution: one letter is exchanged for another • one-by-one
– transposition: the order of the letters is rearranged
The Caesar Cipher
• Named for Julious Caesar
– Caesar used a shift of 3
– translation chart
Plaintext A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext d e f g h I j k l m n o p q r s t u v w x y z a b c

– E(TREATY IMPOSSIBLE) = wuhdwb lpsrvvleoh

• E(T) = w, E(R)=u, etc.

4/4/2011 9 4/4/2011 10

• Permutation based
– generalization of the Caesar cipher
– permutation
• 1-1
• example:
• Advantages and Disadvantages of the Caesar Cipher – use more complex rule
– advantage • use a key, a word that controls the enciphering
• easy to use Plaintext A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
– disadvantage Ciphertext k e y a b c d f g h i j l m n o p q r s t u v w x z
• simple structure
• easy to break start key: e key: k key: y

4/4/2011 11 4/4/2011 12

Prepared by S.Muralidharan 3
CS65-COMPUTER NETWORKS Dept. of EEE

Other Substitution Schemes • The Vigenere cipher is a

• In order to make substitution ciphers more secure, more polyalphabetic cipher based on
using successively shifted
than one alphabet can be used
alphabets, a different shifted
• Such ciphers are called polyalphabetic, which means alphabet for each of the 26 English
that the same letter of a message can be represented letters
ABCDEFGHIJKLMNOPQRSTUVWXYZ
BCDEFGHIJKLMNOPQRSTUVWXYZA
CDEFGHIJKLMNOPQRSTUVWXYZAB
DEFGHIJKLMNOPQRSTUVWXYZABC
EFGHIJKLMNOPQRSTUVWXYZABCD
FGHIJKLMNOPQRSTUVWXYZABCDE
GHIJKLMNOPQRSTUVWXYZABCDEF
HIJKLMNOPQRSTUVWXYZABCDEFG

by different letters when encoded • The procedure is based on the

IJKLMNOPQRSTUVWXYZABCDEFGH
JKLMNOPQRSTUVWXYZABCDEFGHI
KLMNOPQRSTUVWXYZABCDEFGHIJ
– Such a one-to-many correspondence makes the use of table shown in the Fig. and the use LMNOPQRSTUVWXYZABCDEFGHIJK
frequency analysis much more difficult in order to crack the of a keyword. MNOPQRSTUVWXYZABCDEFGHIJKL
NOPQRSTUVWXYZABCDEFGHIJKLM
code OPQRSTUVWXYZABCDEFGHIJKLMN
• T is sometimes enciphered as ‘a’ and sometimes as ‘b’
• In order to encrypt a plaintext, one PQRSTUVWXYZABCDEFGHIJKLMNO
• frequency of ‘a’ is high and that of ‘b’ is low locates the row with the first letter QRSTUVWXYZABCDEFGHIJKLMNOP
RSTUVWXYZABCDEFGHIJKLMNOPQ
to be encrypted, and the column
• One such cipher named for Blaise de Vigenere a 16th with the first letter of the key. The
STUVWXYZABCDEFGHIJKLMNOPQR
TUVWXYZABCDEFGHIJKLMNOPQRS
century Frenchman letter where the line and column
UVWXYZABCDEFGHIJKLMNOPQRST
VWXYZABCDEFGHIJKLMNOPQRSTU
– The Vigenere cipher cross is the ciphertext letter.
WXYZABCDEFGHIJKLMNOPQRSTUV
XYZABCDEFGHIJKLMNOPQRSTUVW
YZABCDEFGHIJKLMNOPQRSTUVWX
• The letters of the keyword ZABCDEFGHIJKLMNOPQRSTUVWXY
determine the shifted alphabets
used in the encoding process
4/4/2011 13 4/4/2011 14

Polyalphabetic Substitution-based
Polyalphabetic Substitution-based Cipher Ciphers (contd..)
•To encode the message, take the first letter of the plaintext, t, and
the corresponding key character immediately above it, C
•Similar to monoalphabetic ciphers except multiple alphabetic •Go to row C column t in the 26x26 matrix and retrieve the
strings are used to encode the plaintext cipher text character V
•For example, a matrix of strings, 26 rows by 26 characters or •Continue with the other characters in the plaintext
columns can be used
•A key such as COMPUTERSCIENCE is placed repeatedly
over the plaintext
COMPUTERSCIENCECOMPUTERSCIENCECOMPUTER
thisclassondatacommunicationsisthebest

4/4/2011 15 4/4/2011 16

Prepared by S.Muralidharan 4
CS65-COMPUTER NETWORKS Dept. of EEE

Transposition Transposition-based Ciphers

• A transposition cipher is an encoding process that
does not change any of the letters of the original
message, but changes the position of the letters
•In a transposition-based cipher, the order of the
• One simple transposition cipher reverses the order of
the letters. For example, the message plaintext is not preserved
– THE GAME IS AFOOT becomes the EHT •As a simple example, select a key such as
EMAG SI TOOFA. COMPUTER
• Such "backward writing" is easy to recognize and
•Number the letters of the word COMPUTER in the
decode.
order they appear in the alphabet
• By analogy, transposition ciphers are like jigsaw puzzles
1 4 3 5 8 7 2 6
– All the pieces are present, its just a matter of
putting them in the correct order C O M P U T E R

4/4/2011 17 4/4/2011 18

Transposition-based Ciphers (continued) Transposition-based Ciphers (continued)

•Now take the plaintext message and write it under the

key
•Then read the ciphertext down the columns, starting
1 4 3 5 8 7 2 6
with the column numbered 1, followed by column
C O M P U T E R number 2
t h i s i s t h TESVTLEEIEIRHBSESSHTHAENSCVKITAA
e b e s t c l a
s s i h a v e e
v e r t a k e n

4/4/2011 19 4/4/2011 20

Prepared by S.Muralidharan 5
CS65-COMPUTER NETWORKS Dept. of EEE

KEY KEY

Symmetric and Asymmetric

plain text
Keys message
encryption
box
encrypted message decryption
box
plain text
message

bad guy
listening in

4/4/2011 21 4/4/2011 22

Features : Key generation is the process of generating keys for

• As a password is used to
access a computer system, a
cryptographic key is a
Key Generation
password or passphrase that is
used to unlock an encrypted
message.
• Mathematical functions that
work in tandem with a key
• Same plaintext data encrypts
into different cipher text with
different keys
• Security of data relies on:
– Strength of the algorithm
– Secrecy of the key
4/4/2011
cryptography. A key is used to encrypt and decrypt whatever
data is being encrypted/decrypted.
Modern cryptographic systems include symmetric-key
algorithms (such as DES and AES) and public-key
algorithms (such as RSA).
Symmetric-key algorithms use a single shared key; keeping data
secret requires keeping this key secret.
Public-key algorithms use a public key and a private key. The
public key is made available to anyone (often by means of a digital
certificate). A sender will encrypt data with the public key; only the
holder of the private key can decrypt this data.
In encryption systems that use a cipher algorithm, messages
can be much longer than the key. The key must, however, be
long enough so that an attacker cannot try all possible
combinations.
A key length of 80 bits is generally considered the minimum
for strong security with symmetric encryption algorithms. 128-
bit keys are commonly used and considered very strong.
23 4/4/2011 24

Prepared by S.Muralidharan 6
CS65-COMPUTER NETWORKS Dept. of EEE

KE = KD
Key

• Encryption with key

– encryption key: KE
Plaintext Original
– decryption key: KD Ciphertext
Plaintext
Encryption Decryption
– C = E(KE, P)
– P = D(KD, E(KE, P))
• Symmetric
KE KD
– When encryption and decryption keys are the same
• D and E are mirror images of each other Encyption Key Decyption Key
KE KD
– P = D (K, E(K,P))
• Asymmetric
– When the encryption and decryption keys are different
– P = D(KD E (KE ,P)) Plaintext Ciphertext
Original
Plaintext
Encryption Decryption

4/4/2011 25 4/4/2011 26

Symmetric Vs Asymmetric Symmetric Encryption

Algorithms
Type of
Advantages Disadvantages
Algorithm
Symmetric Single key •Requires sender and receiver
to agree on a key before
transmission of data
•Security lies only with the key
•High cost
Asymmetric •Encryption and Security of keys can be
decryption keys are compromised when malicious
different users post phony keys
•Decryption key cannot
be calculated from
encryption key

4/4/2011 27 4/4/2011 28

Prepared by S.Muralidharan 7
CS65-COMPUTER NETWORKS Dept. of EEE

Encryption Using a Symmetric Algorithms

• Usually use same key for encryption and decryption
Symmetric Algorithm • Encryption key can be calculated from decryption key
and vice versa
• Require sender and receiver to agree on a key before
they communicate securely
• Security lies with the key
• Also called secret key algorithms, single-key algorithms,
or one-key algorithms

4/4/2011 29 4/4/2011 30

Categories of Algorithms
• Stream algorithms Stream Ciphers
– Operate on the plaintext one bit at a time • Advantage
• Block algorithms – Speed of Transposition
– Encrypt and decrypt data in groups of bits, typically 64 bits in – Low error propagation
size • Disadvantage
• Stream Cipher • Block Cipher – Low diffusion
– convert one symbol of – convert a group of • subject to the tools such as frequency distribution, digram analysis,
plaintext immediately into plaintext symbols as one the index of coincidence, and the Kasiski method
a symbol of ciphertext block – Susceptibility to malicious insertions and modifications
• integrity

4/4/2011 31 4/4/2011 32

Prepared by S.Muralidharan 8
CS65-COMPUTER NETWORKS Dept. of EEE

Block Cipher
Asymmetric Algorithms
• Use different keys for encryption and decryption
• Disadvantages
– the strengths of stream cipher
• Decryption key cannot be calculated from the encryption
• speed
key
• error propagation • Anyone can use the key to encrypt data and send it to
• Advantages the host; only the host can decrypt the data
– Diffusion • Also known as public key algorithms
• information from the plaintext if diffused into several ciphertext symbols
• one ciphertext block may depend on several plaintext letters
– Immunity to insertions: integrity
• it is impossible to insert a single symbol into one block
• the length of the block would then be incorrect, and the decipherment
would quickly reveal the insertion
• active interceptor cannot simply cut one ciphertext letter out of a
message and paste a new one in to change an account, a time, a date,
or a name of a message

4/4/2011 33 4/4/2011 34

Asymmetric Key Algorithm

4/4/2011 35 4/4/2011 36

Prepared by S.Muralidharan 9
CS65-COMPUTER NETWORKS Dept. of EEE

Common Encryption Algorithms

• Lucifer (1974) • Triple DES (1998)
• Diffie-Hellman • IDEA (1992)
(1976) • Blowfish (1993)
• RSA (1977) • RC5 (1995) DIGITAL SIGNATURE
• DES (1977)

4/4/2011 37 4/4/2011 38

• A digital signature or digital signature scheme is a
mathematical scheme for demonstrating the authenticity
of a digital message or document. A valid digital
signature gives a recipient reason to believe that the
message was created by a known sender, and that it
was not altered in transit. Digital signatures are
commonly used for software distribution, financial
transactions, and in other cases where it is important to
detect forgery or tampering.
• Digital signatures employ a type of asymmetric
cryptography.
• A digital signature scheme typically consists of three
algorithms:
– A key generation algorithm that selects a private key uniformly
at random from a set of possible private keys. The algorithm
outputs the private key and a corresponding public key.
– A signing algorithm that, given a message and a private key,
produces a signature.
– A signature verifying algorithm that, given a message, public
key and a signature, either accepts or rejects the message's
claim to authenticity.
• Two main properties are required.
– First, a signature generated from a fixed message and fixed
private key should verify the authenticity of that message by
using the corresponding public key.
– Secondly, it should be computationally infeasible to generate a
valid signature for a party who does not possess the private key.

4/4/2011 39 4/4/2011 40

Prepared by S.Muralidharan 10
CS65-COMPUTER NETWORKS Dept. of EEE

SIGNING THE ENTIRE DOCUMENT

• Digital signature can provide authentication, integrity, and • The sender uses the private key to encrypt (sign).
nonrepudiation for a message.
• The receiver uses the public key of the sender to decrypt
– Authentication : receiver needs to be sure of the sender’s
identity and an imposter has not sent the message. the message.
– Integrity : the data must arrive at the receiver exactly as they • Digital signature does not provide privacy. If there is a
were sent. need for privacy, another layer of encryption/decryption
– Nonrepudiation : the receiver must be able to prove that a must be applied.
received message came from a specific sender.
• The idea of digital signature is similar to the signing of a
document.
– Signing the entire document
– Signing the condensed version of the document

4/4/2011 41 4/4/2011 42

SIGNING THE DIGEST

• To create digest of the message, a “hash function” is
used.
– Most common “hash function” is MD5(Message Digest 5) and
SHA-1(Secure Hash Algorithm 1)
– MD5 creates 120-bit digest and SHA-1 creates 160-bit digest
• Hash function guarantee success. Because
– Digest can only be created from the message, not vice versa
– Hashing is one-to-one function; there is little probability that two
messages will create the same digest.
• After the creation of digest, it is encrypted using
sender’s private key.
• Encrypted digest is attached to the original message
and sent to the receiver.
• Receiver receives original message and encrypted
digest and apply hash function to create digest.
• Receiver then decrypts the received digest using public
key of the sender.
• If the two digests are the same the signature is valid.

4/4/2011 43 4/4/2011 44

Prepared by S.Muralidharan 11
CS65-COMPUTER NETWORKS Dept. of EEE

4/4/2011 45 4/4/2011 46

Contents of a typical digital certificate

• Serial Number: Used to uniquely identify the certificate.
• Subject: The person, or entity identified.
• Signature Algorithm: The algorithm used to create the signature.
• Issuer: The entity that verified the information and issued the certificate.
• Valid-From: The date the certificate is first valid from.
• Valid-To: The expiration date.
• Key-Usage: Purpose of the public key (e.g. encipherment, signature,
certificate signing...).
• Public Key: the purpose of SSL when used with HTTP is not just to
encrypt the traffic, but also to authenticate who the owner of the website is,
and that someone's been willing to invest time and money into proving the
authenticity and ownership of their domain.
• Thumbprint Algorithm: The algorithm used to hash the certificate.
• Thumbprint: The hash itself to ensure that the certificate has not been
tampered with.

4/4/2011 47

Prepared by S.Muralidharan 12