
Basic Concepts of Security 1

Chapter 1
Basic Concepts of Security

Introduction

Computer security

The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users. The term computer system security means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively. The strategies and methodologies of computer security often differ from most other computer technologies because of its somewhat elusive objective of preventing unwanted computer behavior instead of enabling wanted computer behavior.

• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Why Security?

Computer security is required because most organizations can be damaged by virus software or intruders. There may be several forms of damage, which are obviously interrelated. These include:

o Damage or destruction of computer systems and internal data.
o Loss of sensitive information to hostile parties.
o Use of sensitive information to steal items of monetary value.
o Use of sensitive information against the organization's customers, which may result in legal action by customers against the organization and loss of customers.
o Damage to the reputation of an organization.
o Monetary damage due to loss of sensitive information, destruction of data, hostile use of sensitive data, or damage to the organization's reputation.

Basic Concepts

Threats: A threat is a potential violation of security. The violation need not actually occur for there to be a threat.
The fact that the violation might occur means that those actions that could cause it to occur must be guarded against (or prepared for). Those actions are called attacks. Those who execute such actions, or cause them to be executed, are called attackers. A threat is an object, person, or other entity that represents a constant danger to an asset.

Dr.J.R.Arunkumar Arbaminch University

A non-physical threat is a potential cause of an incident that may result in:

• Loss or corruption of system data
• Disruption of business operations that rely on computer systems
• Loss of sensitive information
• Illegal monitoring of activities on computer systems
• Cyber security breaches
• Others

The non-physical threats are also known as logical threats. The following are the common types of non-physical threats:

• Virus
• Trojans
• Worms
• Spyware
• Key loggers
• Adware
• Denial of Service Attacks
• Distributed Denial of Service Attacks
• Unauthorized access to computer systems resources such as data
• Phishing
• Other Computer Security Risks

Vulnerabilities, Threats, Attacks, and Controls

A computer-based system has three separate but valuable components: hardware, software, and data. Each of these assets offers value to different members of the community affected by the system. To analyze security, we can brainstorm about the ways in which the system or its information can experience some kind of loss or harm. For example, we can identify data whose format or contents should be protected in some way. We want our security system to make sure that no data are disclosed to unauthorized parties. Neither do we want the data to be modified in illegitimate ways. At the same time, we must ensure that legitimate users have access to the data. In this way, we can identify weaknesses in the system.

Threat - A threat is something that may or may not happen, but if it happens it has the potential to cause serious damage.
A threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm. A threat can be either "intentional" (i.e. hacking: an individual cracker or a criminal organization) or "accidental" (e.g. the possibility of a computer malfunctioning, or the possibility of a natural disaster such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.

Vulnerability - A vulnerability is a security risk in a software program that puts the program or computer at danger of malicious programs. It is a weakness in the security system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm.

Example: A system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access.

Attack (or exploit) – An action taken that uses one or more vulnerabilities to realize a threat. This could be someone following through on a threat or exploiting a vulnerability.

Example: When you test any computer system, one of your jobs is to imagine how the system could malfunction. Then, you improve the system's design so that the system can withstand any of the problems you have identified. In the same way, we analyze a system from a security perspective, thinking about ways in which the system's security can malfunction and diminish the value of its assets.

Countermeasure – Addresses a vulnerability to reduce the probability of an attack or the impact of a threat. Countermeasures do not directly address threats; instead, they address the factors that define the threats. Countermeasures range from improving application design, or improving your code, to improving an operational practice.
Risk – A measure of attacks. Computer security risks can be created by malware that can infect your computer and cause great damage to the system and the organization.

Denial of service attack

Man in the middle attack

Goals of Security:

1. Confidentiality:

o Confidentiality is a set of rules that limits access to information.
o Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.
o Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.
o Training can help familiarize authorized people with risk factors and how to guard against them. Further aspects of training can include strong passwords and password-related best practices and information about social engineering methods.
o Access control mechanisms support confidentiality. One access control mechanism for preserving confidentiality.
o Resource hiding is another important aspect of confidentiality. Sites often wish to conceal their configuration as well as what systems they are using; organizations may not wish others to know about specific equipment.
o All the mechanisms that enforce confidentiality require supporting services from the system.

The terms privacy and secrecy are sometimes used to distinguish between the protection of personal data (privacy) and the protection of data belonging to an organization (secrecy).

For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network.
The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. “Prevention of unauthorized disclosure of information”.

2. Integrity:

• Integrity is the assurance that the information is trustworthy and accurate.
• Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle.
• Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
• This goal defines how we keep our data from being altered. MiTM (man in the middle) attacks are the example threat for this goal.

Integrity is about making sure that everything is as it is supposed to be, and in the context of computer security, the prevention of unauthorized modification of information. In computer security, integrity means that data cannot be modified undetectably.

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Prevention of unauthorized modification of information.

Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms.
Prevention mechanisms seek to maintain the integrity of the data by blocking any unauthorized attempts to change the data or any attempts to change the data in unauthorized ways. The distinction between these two types of attempts is important. Then an unauthorized user has tried to violate the integrity of the accounting database. Adequate authentication and access controls will generally stop the break-in from the outside, but preventing the second type of attempt requires very different controls.

Detection mechanisms do not try to prevent violations of integrity; they simply report that the data’s integrity is no longer trustworthy. Detection mechanisms may analyze system events (user or system actions) to detect problems or (more commonly) may analyze the data itself to see if required or expected constraints still hold. The mechanisms may report the actual cause of the integrity violation (a specific part of a file was altered), or they may simply report that the file is now corrupt.

3. Availability:

It means that assets are accessible to authorized parties at appropriate times.

• Availability is very much a concern beyond the traditional boundaries of computer security. We want to ensure that a malicious attacker cannot prevent legitimate users from having reasonable access to their systems.
• Availability refers to the ability to use the information or resource desired. Availability is an important aspect of reliability as well as of system design because an unavailable system is at least as bad as no system at all.
• The aspect of availability that is relevant to security is that someone may deliberately arrange to deny access to data or to a service by making it unavailable. System designs usually assume a statistical model to analyze expected patterns of use, and mechanisms ensure availability when that statistical model holds.
• Someone may be able to manipulate use (or parameters that control use, such as network traffic) so that the assumptions of the statistical model are no longer valid. This means that the mechanisms for keeping the resource or data available are working in an environment for which they were not designed. As a result, they will often fail.

Figure: Relationship Between Confidentiality, Integrity, and Availability.

Security Policy and Mechanism

Critical to our study of security is the distinction between policy and mechanism. A security policy is a statement of what is, and what is not, allowed. Policies may be presented mathematically, as a list of allowed (secure) and disallowed (nonsecure) states. For our purposes, we will assume that any given policy provides an axiomatic description of secure states and nonsecure states.

A security mechanism is a method, tool, or procedure for enforcing a security policy. Mechanisms can be nontechnical, such as requiring proof of identity before changing a password; in fact, policies often require some procedural mechanisms that technology cannot enforce.

Strategies of Security

Given a security policy’s specification of “secure” and “nonsecure” actions, these security mechanisms can prevent the attack, detect the attack, or recover from the attack. The strategies may be used together or separately.

Prevention means that an attack will fail. For example, if one attempts to break into a host over the Internet and that host is not connected to the Internet, the attack has been prevented. Typically, prevention involves implementation of mechanisms that users cannot override and that are trusted to be implemented in a correct, unalterable way, so that the attacker cannot defeat the mechanism by changing it.
But some simple preventative mechanisms, such as passwords (which aim to prevent unauthorized users from accessing the system), have become widely accepted. Prevention mechanisms can prevent compromise of parts of the system;

Detection is most useful when an attack cannot be prevented, but it can also indicate the effectiveness of preventative measures. Detection mechanisms accept that an attack will occur; the goal is to determine that an attack is under way, or has occurred, and report it. The attack may be monitored, however, to provide data about its nature, severity, and results. Detection mechanisms do not prevent compromise of parts of the system, which is a serious drawback. The resource protected by the detection mechanism is continuously or periodically monitored for security problems.

Recovery has two forms. The first is to stop an attack and to assess and repair any damage caused by that attack. As an example, if the attacker deletes a file, one recovery mechanism would be to restore the file from backup tapes. In practice, recovery is far more complex, because the nature of each attack is unique. Thus, the type and extent of any damage can be difficult to characterize completely. This type of recovery is quite difficult to implement because of the complexity of computer systems.

Assurance: Trust cannot be quantified precisely. System specification, design, and implementation can provide a basis for determining “how much” to trust a system. This aspect of trust is called assurance. It is an attempt to provide a basis for bolstering (or substantiating or specifying) how much one can trust a system. Assurance in the computer world requires specific steps to ensure that the computer will function properly.

Basic Cryptography Terms

• Encryption is the process of turning a clear-text message (plaintext) into a data stream which looks like a meaningless and random sequence of bits (ciphertext).
• The process of turning ciphertext back into plaintext is called decryption.
• Cryptography deals with making communications secure.
• Cryptanalysis deals with breaking ciphertext, that is, recovering plaintext without knowing the key.
• Cryptology is a branch of mathematics which deals with both cryptography and cryptanalysis.
• Symmetric algorithms use the same key for encryption and decryption. These algorithms require that both the sender and receiver agree on a key before they can exchange messages securely.
• Some symmetric algorithms operate on 1 bit (or sometimes 1 byte) of plaintext at a time. They are called stream ciphers. Other algorithms operate on blocks of bits at a time. They are called block ciphers.
• Public-key algorithms (also known as asymmetric algorithms) use two different keys (a key pair) for encryption and decryption.

Symmetric key cryptography

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys.

Stream cipher

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as a state cipher. In practice, a digit is typically a bit and the combining operation an exclusive-or (XOR).

Block cipher

A block cipher is an encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text, rather than encrypting one bit at a time as in stream ciphers. For example, a common block cipher, AES, encrypts 128-bit blocks with a key of predetermined length: 128, 192, or 256 bits.

Difference between stream cipher and block cipher

• Stream cipher keys and algorithms are applied to each binary digit, one bit at a time, whereas block cipher keys and algorithms are applied to a block of data.
• Stream ciphers are less time consuming compared to block ciphers.
• Stream ciphers are faster than block ciphers; this is due to the fact that they encrypt a bit at a time.
• Stream ciphers do not use chaining modes of operation whereas block ciphers heavily use chaining modes of operation, commonly known as block cipher modes of operation.
• Hardware implementation is easier using a stream cipher than a block cipher.
• A software implementation is easier using a block cipher than a stream cipher.
• The best example of a stream cipher is the one-time pad whereas the Data Encryption Standard (DES) is the best example of a block cipher.
• Block ciphers are more code intensive compared to stream ciphers.
• Stream ciphers are mainly used in SSL technology while block ciphers are mainly used in database and file encryption applications.

Block cipher examples

Here is a list of 5 most popular block ciphers:

• Data Encryption Standard (DES) – is a 64-bit cipher that works with a 64-bit key. Actually, 8 of the 64 bits in the key are parity bits, so the key size is 56 bits long.
• 3DES – is DES run three times. Each DES operation can use a different key, with each key being 56 bits long. 3DES has a block size of 64 bits.
• Advanced Encryption Standard (AES) – it has a block size of 128 bits and supports three possible key sizes: 128, 192, and 256 bits.
  The longer the key size, the stronger the encryption.

One-time pad (Stream Cipher):

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break.

Example

Suppose Alice wishes to send the message "HELLO" to Bob. Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both. Alice chooses the appropriate unused page from the pad. The way to do this is normally arranged for in advance, as for instance 'use the 12th sheet on 1 May', or 'use the next available sheet for the next message'.

The material on the selected sheet is the key for this message. Each letter from the pad will be combined in a predetermined way with one letter of the message. (It is common, but not required, to assign each letter a numerical value, e.g., "A" is 0, "B" is 1, and so on.)

In this example, the technique is to combine the key and the message using modular addition. The numerical values of corresponding message and key letters are added together, modulo 26.
So, if key material begins with "XMCKL" and the message is "HELLO", then the coding would be done as follows:

          H        E        L        L        O     message
       7 (H)    4 (E)   11 (L)   11 (L)   14 (O)    message
    + 23 (X)   12 (M)    2 (C)   10 (K)   11 (L)    key
    = 30       16       13       21       25        message + key
    =  4 (E)   16 (Q)   13 (N)   21 (V)   25 (Z)    (message + key) mod 26
          E        Q        N        V        Z     → ciphertext

If a number is larger than 26, then the remainder after subtraction of 26 is taken in modular arithmetic fashion. This simply means that if the computations "go past" Z, the sequence starts again at A.

The ciphertext to be sent to Bob is thus "EQNVZ". Bob uses the matching key page and the same process, but in reverse, to obtain the plaintext. Here the key is subtracted from the ciphertext, again using modular arithmetic:

          E        Q        N        V        Z     ciphertext
       4 (E)   16 (Q)   13 (N)   21 (V)   25 (Z)    ciphertext
    - 23 (X)   12 (M)    2 (C)   10 (K)   11 (L)    key
    = -19       4       11       11       14        ciphertext – key
    =  7 (H)    4 (E)   11 (L)   11 (L)   14 (O)    ciphertext – key (mod 26)
          H        E        L        L        O     → message

Similar to the above, if a number is negative then 26 is added to make the number zero or higher.

Thus Bob recovers Alice's plaintext, the message "HELLO". Both Alice and Bob destroy the key sheet immediately after use, thus preventing reuse and an attack against the cipher. The KGB often issued its agents one-time pads printed on tiny sheets of "flash paper"—paper chemically converted to nitrocellulose, which burns almost instantly and leaves no ash.

DES - Data Encryption Standard

The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of electronic data. The Data Encryption Standard is a block cipher, meaning a cryptographic key and algorithm are applied to a block of data simultaneously rather than one bit at a time. To encrypt a plaintext message, DES groups it into 64-bit blocks.

General Structure of DES

DES is an implementation of a Feistel cipher. It uses a 16-round Feistel structure.
The block size is 64 bits. Though the key length is 64 bits, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (they function as check bits only). The number of subkeys is 16, and the subkey size is 48 bits. The general structure of DES is depicted in the following illustration.

Since DES is based on the Feistel cipher, all that is required to specify DES is −

• Round function
• Key schedule
• Any additional processing − initial and final permutation

Round Function

The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

Double DES

To address the discomfort, some researchers suggest using a double encryption for greater secrecy. The double encryption works in the following way. Take two keys, k1 and k2, and perform two encryptions, one on top of the other: E(k2, E(k1,m)). In theory, this approach should multiply the difficulty of breaking the encryption, just as two locks are harder to pick than one.

Triple DES

However, a simple trick does indeed enhance the security of DES. Using three keys adds significant strength. The so-called triple DES procedure is C = E(k3, E(k2, E(k1,m))). That is, you encrypt with one key, decrypt with the second, and encrypt with a third. This process gives a strength equivalent to a 112-bit key (because the double DES attack defeats the strength of one of the three keys).

Advantages of DES:

o able to provide a high level of security
o specified and easy to understand
o publishable so that security does not depend on the secrecy of the algorithm
o available to all users
o adaptable for use in diverse applications
o economical to implement in electronic devices
o efficient to use
o able to be validated
o exportable

Advanced Encryption Standard

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES (acronym of Advanced Encryption Standard) is a symmetric encryption algorithm. The algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. AES was designed to be efficient in both hardware and software, and supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.

AES Structure

Each cycle consists of four steps.

o Byte substitution: This step uses a substitution box structure similar to the DES, substituting each byte of a 128-bit block according to a substitution table. This is a straight diffusion operation.
o Shift row: A transposition step. For 128- and 192-bit block sizes, row n is shifted left circular (n - 1) bytes; for 256-bit blocks, row 2 is shifted 1 byte and rows 3 and 4 are shifted 3 and 4 bytes, respectively. This is a straight confusion operation.
o Mix column: This step involves shifting left and exclusive-ORing bits with themselves. These operations provide both confusion and diffusion.
o Add subkey: Here, a portion of the key unique to this cycle is exclusive-ORed with the cycle result.
  This operation provides confusion and incorporates the key.

Overview - Public Key Cryptography

• Modern PKC was first described publicly by Stanford University professor Martin Hellman and graduate student Whitfield Diffie in 1976. Generic PKC employs two keys that are mathematically related, although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext.
• In PKC, one of the keys is designated the public key and may be advertised as widely as the owner wants. The other key is designated the private key and is never revealed to another party.
• Suppose Alice wants to send Bob a message. Alice encrypts some information using Bob's public key; Bob decrypts the ciphertext using his private key. This method could also be used to prove who sent a message; Alice, for example, could encrypt some plaintext with her private key; when

The following steps illustrate the P-K process:

1. Each system generates a pair of keys.
2. Each system publishes its encryption key (public key), keeping its companion key private.
3. If A wishes to send a message to B, it encrypts the message using B’s public key. When B receives the message, it decrypts the message using its private key. No one else can decrypt the message because only B knows its private key.

RSA Algorithm

• The RSA algorithm was developed by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1978. Since this time it has reigned supreme as the most widely accepted and implemented general-purpose approach to public-key encryption.
• The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n − 1 for some n. The scheme makes use of an expression with exponentials.
• Plaintext is encrypted in blocks having a binary value less than some number n.
• For some plaintext block M and ciphertext block C we have:

RSA Algorithm

Overview of Key Generation

1. Generate two large prime numbers, p and q.
2. Let n = pq.
3. Let Ф(n) = (p-1)(q-1).
4. Choose a small number e, i.e. relatively prime to the totient, with 1 < e < Ф(n) and gcd(e, Ф(n)) = 1, where e will be part of private key.
5. Find d; we will calculate it by 2 methods:
   a) Euclidean algorithm: d = e^-1 mod Ф(n)
   b) Congruence equation method: d = (1 + k Ф(n)) / e

• Encryption
6. C = M^e mod n

• Decryption
7. M = C^d mod n

1. Generate two large prime numbers, p and q

To make the example easy to follow, I am going to use small numbers, but this is not secure. Let's have:

    p = 7
    q = 19

2. Let n = pq

    n = p x q = 7 x 19 = 133

3. Let Ф(n) = (p-1)(q-1)

    Ф(n) = 6 x 18 = 108

4. Choose a small number, e coprime to m.

• e coprime to m means that the largest number that can exactly divide both e and m (their greatest common divisor, or GCD) is 1.

    e = 2 → GCD (2,108) = 2 (No !)
    e = 3 → GCD (3,108) = 3 (Yes !)
    e = 4 → GCD (4,108) = 4 (Yes !)
    e = 5 → GCD (5,108) = 1 (Yes !)

• Let's have e = 5.

5. Find d, congruence equation method: d = (1 + k Ф(n)) / e

• This is equivalent to finding d which satisfies de = 1 + k Ф(n), where k is any integer.
• We can rewrite this as d = (1 + nm) / e.
• Now we work through values of n until an integer solution for e is found:

    k = 0 → d = (1 + 0 * 108) / 5 = 1/5 (no)
    k = 1 → d = (1 + 1 * 108) / 5 = 109/5 (no)
    k = 2 → d = (1 + 2 * 108) / 5 = 217/5 (no)
    k = 3 → d = (1 + 3 * 108) / 5 = 325/5 = 65 (yes !)

    Public Key    Secret Key
    n = 133       n = 133
    e = 5         d = 65

Communication

Encryption

• This message must be a number less than the smaller of p and q.
• However, at this point we don’t know p or q, so in practice a lower bound on p and q must be published.
• This can be published below their true value and so isn't a major security concern.

For example, let's use the message "6".

    C = P^e % n
      = 6^5 % 133
      = 7776 % 133
      = 62

Decryption

This works very much like encryption, but involves a larger exponentiation, which is broken down into several steps.

    M = C^d % n
      = 62^65 % 133
      = 62 x 62^64 % 133
      = 62 x (62^2)^32 % 133
      = 62 x (3844)^32 % 133
      = 62 x (3844 % 133)^32 % 133
      = 62 x (120)^32 % 133

We now repeat the sequence of operations that reduced 62^65 to 120^32 to reduce the exponent down to 1.

      = 62 x (120^2)^16 % 133
      = 62 x (14400)^16 % 133
      = 62 x (14400 % 133)^16 % 133
      = 62 x (36)^16 % 133
      = 62 x (36^2)^8 % 133
      = 62 x (1296)^8 % 133
      = 62 x (1296 % 133)^8 % 133
      = 62 x (99)^8 % 133
      = 62 x (99^2)^4 % 133
      = 62 x (9801 % 133)^4 % 133
      = 62 x (92)^4 % 133
      = 62 x (92^2)^2 % 133
      = 62 x (8464 % 133)^2 % 133
      = 62 x (85)^2 % 133
      = 62 x (7225) % 133
      = 62 x (7225 % 133) % 133
      = 62 x (43)^1 % 133
      = 2666 % 133
      = 6

And that matches the plaintext we put in at the beginning, so the algorithm worked.

Cryptography Hash functions

Hash functions are extremely useful and appear in almost all information security applications. A hash function is a mathematical function that converts a numerical input value into another compressed numerical value. The input to the hash function is of arbitrary length but the output is always of fixed length. Values returned by a hash function are called message digests or simply hash values. The following picture illustrates a hash function −

Features of Hash Functions

The typical features of hash functions are −

• Fixed Length Output (Hash Value)
  o A hash function converts data of arbitrary length to a fixed length. This process is often referred to as hashing the data.
  o In general, the hash is much smaller than the input data, hence hash functions are sometimes called compression functions.
  o Since a hash is a smaller representation of a larger data, it is also referred to as a digest.
  o A hash function with n-bit output is referred to as an n-bit hash function. Popular hash functions generate values between 160 and 512 bits.
• Efficiency of Operation
  o Generally, for any hash function h with input x, computation of h(x) is a fast operation.
  o Computationally, hash functions are much faster than symmetric encryption.
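
Returning to the RSA walk-through earlier in this chapter (p = 7, q = 19, e = 5, message 6), here is an added Python example that is not part of the original notes. It derives d with both methods the notes name (the search over k and the extended Euclidean algorithm) and decrypts by repeated squaring, reproducing the hand-computed intermediate values 120, 36, 99, 92, 85, 43. The function names are assumptions chosen for this illustration, and the numbers are toy sizes with no padding.

```python
# Added example: the notes' RSA toy walk-through (p=7, q=19, e=5, message 6).
# Function names are assumptions for this illustration; toy sizes, not secure.
from math import gcd


def valid_exponents(phi, limit):
    """Candidates e in [2, limit) that are coprime to phi, i.e. gcd(e, phi) == 1."""
    return [e for e in range(2, limit) if gcd(e, phi) == 1]


def find_d_by_search(e, phi):
    """Congruence method from the notes: try k = 0, 1, 2, ... until
    (1 + k*phi) is divisible by e. Returns (d, k)."""
    # When gcd(e, phi) == 1 a solution always exists with k < e.
    for k in range(e):
        if (1 + k * phi) % e == 0:
            return (1 + k * phi) // e, k
    raise ValueError("e is not coprime to phi, so no d exists")


def find_d_by_euclid(e, phi):
    """Extended Euclidean algorithm: returns d = e^-1 mod phi."""
    old_r, r = e, phi
    old_s, s = 1, 0          # invariant: old_r == old_s * e (mod phi)
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("e has no inverse modulo phi")
    return old_s % phi       # normalise a negative coefficient into [0, phi)


def mod_pow(base, exponent, n):
    """Square-and-multiply, reducing modulo n after every step as the manual
    decryption does. Returns (result, list of successive squared values)."""
    result = 1
    base %= n
    squares = []
    while exponent > 0:
        if exponent & 1:                 # this bit of the exponent is set
            result = (result * base) % n
        exponent >>= 1
        if exponent:                     # more bits left: square the base
            base = (base * base) % n
            squares.append(base)
    return result, squares


def generate_keys(p, q, e):
    """Build (public, private) key pairs from primes p, q and exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) == 1")
    return (n, e), (n, find_d_by_euclid(e, phi))


def encrypt(message, public_key):
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message block must be an integer in [0, n)")
    return mod_pow(message, e, n)[0]


def decrypt(ciphertext, private_key):
    n, d = private_key
    return mod_pow(ciphertext, d, n)[0]


if __name__ == "__main__":
    public, private = generate_keys(7, 19, 5)
    print("public key (n, e):", public, " private key (n, d):", private)
    print("coprime candidates below 6:", valid_exponents(108, 6))
    print("d by search over k:", find_d_by_search(5, 108))
    c = encrypt(6, public)
    print("ciphertext:", c)
    print("decryption trace:", mod_pow(c, private[1], private[0]))
```

Both methods return the same d because each solves d·e = 1 + k·Ф(n); the search is only practical for toy values, while the extended Euclidean algorithm scales to real key sizes.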