CHAPTER 1

INTRODUCTION

CSCB223 Cryptography 1
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 2
 WHY INFORMATION SECURITY
AND CRYPTOGRAPHY?

CSCB223 Cryptography 3
 Refers to the
protection of
information and
information systems
Development of computer
networks, particularly Internet, has
increased the generation, access,
exchange and store of large amount
of data and Information.
• conducted electronically
• transmitted and stored in
insecure environment.

The rise of significance of information

security has brought to the
importance and widespread use of
cryptography.

CSCB223 Cryptography 4
 Cryptography is not a new science.
Has been used for centuries to
protect sensitive information,
especially during periods of conflict

Cryptography is:
• A tremendous tool
• The basis for many security mechanisms

Cryptography lies at the heart

of most technical information
security mechanisms

Cryptography is NOT:
• The solution to all security problems
• Reliable unless implemented and used properly
• Something you should try to invent yourself
• many examples of broken ad-hoc designs
CSCB223 Cryptography 5
 Security Issues
• How can we tell whether an email from a potential client
is a genuine inquiry from the person that it claims to
have come from?

• How can we be sure that the contents of an electronic

file have not been altered?

• How can we be sure that nobody else can read an email

that we have just sent to a colleague?

• How can we accept an electronic contract received by

email from a client on the other side of the world?
CSCB223 Cryptography 6
 https://www.stuff.co.nz/dominion-post/news/116318497/up-to-1-million-ne
w-zealand-patients-data-breached-in-criminal-cyber-hack

https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-
did-it-happen-and-what-was-the-impact.html

CSCB223 Cryptography 7
 The Role of Cryptography
in Information Security
• Cryptography can be used to achieve several goals
of information security, including confidentiality,
integrity, and authentication.

Confidentiality Integrity Authentication

• Protects the • To ensure the • For authentication
confidentiality (or integrity (or (and non-
secrecy) of accuracy) of repudiation)
information. information through services through
the use of hashing digital signatures,
algorithms and digital certificates,
message digests. or a Public Key
Infrastructure (PKI).

CSCB223 Cryptography 8
 Confidentiality:
Confidentiality means ensuring that information is only accessible to those
who are authorized to view it, protecting private or sensitive data from
unauthorized access and disclosures.

 Encryption: Cryptography uses encryption algorithms to convert

plaintext data into ciphertext, making it unreadable to unauthorized
users. Only those with the proper decryption key can decipher the
ciphertext back into plaintext.
 Secure Communication: By encrypting data during transmission,
cryptography ensures that even if intercepted, the information
remains confidential and cannot be understood without the
decryption key.
 Data Protection: Cryptography helps protect sensitive information
stored in databases, files, or communication channels from
unauthorized access or disclosure.

CSCB223 Cryptography 9
 Integrity:
Integrity in information security refers to maintaining the accuracy and
consistency of data across its lifecycle, ensuring that information is not altered
by unauthorized individuals and remains reliable and trustworthy.

 Hash Functions: Cryptographic hash functions generate fixed-size hash

values (hash codes) from input data. By comparing the hash value of
received data with the original hash value, integrity checks can be
performed to detect any modifications or tampering.

 Digital Signatures: Cryptography enables the use of digital signatures to

verify the authenticity and integrity of messages or documents. Digital
signatures provide a way to ensure that the sender of a message is who
they claim to be and that the message has not been altered during
transmission.

CSCB223 Cryptography 10
 Authentication:
Authentication is the process of verifying the identity of a
user or device, typically before granting access to a system
or network, ensuring that individuals are who they claim to
be.

 Cryptography facilitates authentication mechanisms such as

digital certificates, public key infrastructure (PKI), and digital
signatures to verify the identity of users, devices, or entities
involved in communication.
 By using cryptographic techniques for authentication,
organizations can establish trust, prevent unauthorized access,
and ensure the integrity of communication channels.

CSCB223 Cryptography 11
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 12
 SECURITY RISKS

CSCB223 Cryptography 13
 Vulnerability – Threat - Risk
Vulnerability Threat Risk
Definition Weaknesses or gaps in a Anything that can The potential for
security program that exploit a vulnerability, loss, damage or
can be exploited by intentionally or destruction of an
threats to gain accidentally, and asset as a result of
unauthorized access to obtain, damage, or a threat exploiting
an asset destroy an asset a vulnerability
Example 1 Terminated employee Access the company’s Unauthorized
ID’s are not removed network and retrieve disclosure of
from the system proprietary info sensitive business
information
Example 2 Improper maintenance of Fire Loss of life, data
fire fighting equipment and infrastructure
Example 3 No security guard Intruder Theft
Example 4 Poor access control Disgruntled employee Data modified
Example 5 Inadequate preparation Flood Loss of life, data
and infrastructure
CSCB223 Cryptography 14
 Threats and Attacks (RFC 4949)
Threat
• A potential for violation of security,
which exists when there is a
circumstance, capability, action, or
event that could breach security and
cause harm. That is, a threat is a
possible danger that might exploit a
vulnerability.
Attack
• An assault on system security that
derives from an intelligent threat;
that is, an intelligent act that is a
deliberate attempt (especially in the
sense of a method or technique) to
evade security services and violate
the security policy of a system.

CSCB223 Cryptography 15
 Security Attacks

CSCB223 Cryptography 16
 Passive Attacks
Definition & Objective
Passive attacks are a type of security threat
that aims to learn or exploit information from
a system without affecting system resources.
Here are some key points about passive
attacks:

 Definition: Passive attacks are

characterized by attempts to gather
information from a system or network
without altering the data or disrupting the
system's operation .

 Objective: The primary goal of passive

attacks is to eavesdrop on communication,
intercept data, or gather sensitive
information without the knowledge of the
legitimate users or system administrators.
CSCB223 Cryptography 17
 Passive Attacks
Examples
Eavesdropping: Monitoring network traffic to
capture sensitive data such as passwords,
financial information, or confidential messages.

Packet Sniffing: Capturing data packets

transmitted over a network to analyze their
contents and extract valuable information.

Traffic Analysis: Studying patterns and

characteristics of network traffic to infer
relationships, behaviors, or communication
patterns without accessing the actual content.

18

CSCB223 Cryptography 18
 Passive Attacks
Prevention
Encryption: Encrypting sensitive data and
communication channels can protect information from
being intercepted and exploited during passive attacks.

Access Controls: Implementing access controls,

authentication mechanisms, and secure communication
protocols can help prevent unauthorized access to data.

Network Segmentation: Segmenting networks and

implementing firewalls can limit the exposure of
sensitive information to potential eavesdroppers.

CSCB223 Cryptography 19
 Active attacks
Active attacks involve the modification of data streams or the
creation of false data streams with the intention of disrupting
system operations, altering information, or impersonating
legitimate entities. Here are key points about active attacks:

• Definition: Active attacks are deliberate actions taken by

threat actors to alter system resources, disrupt
operations, or violate security policies by manipulating
data or communication channels .

• Characteristics:

– Modification of Data: Active attacks involve altering the content of

data packets, messages, or files to introduce unauthorized changes or
misleading information.
– Impersonation: Attackers may impersonate legitimate users, devices,
or entities to gain unauthorized access, deceive users, or perform
malicious activities.
– Disruption: Active attacks aim to disrupt normal system operations,
cause delays, or create false data streams to achieve specific
objectives.

CSCB223 Cryptography 20
 Types of Active Attacks:

Masquerade: Involves one entity pretending to be another entity to deceive

users or systems. This can lead to unauthorized access, data theft, or other
malicious activities.

Replay: Involves the capture and retransmission of data units to produce

unauthorized effects, such as replaying legitimate messages or altering
communication sequences.

Modification of Messages: Attackers may alter data packets, messages, or

commands to manipulate information, disrupt communication, or deceive
recipients.

Denial of Service (DoS): Active attacks that aim to overwhelm systems,

networks, or services with excessive traffic or requests, causing disruptions,
downtime, or service unavailability.

CSCB223 Cryptography 21
 Active Attacks
Prevention
• Intrusion Detection Systems: Implementing
intrusion detection systems can help detect
and respond to active attacks by monitoring
network traffic and system behavior for
suspicious activities.
• Access Controls: Enforcing strong access
controls, authentication mechanisms, and
authorization policies can prevent
unauthorized users from carrying out active
attacks.
• Data Validation: Validating input data, using
secure communication protocols, and
implementing encryption can help protect
against data modification and tampering.

CSCB223 Cryptography 22
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 23
 SECURITY SERVICES

CSCB223 Cryptography 24
 Security Service

Security services play a crucial role in

ensuring the protection of system
resources, data transfers, and
communication channels in information
systems. Here are key points about security
services:

CSCB223 Cryptography 25
 Security Service
Definition:
X.800: Security services are defined as
services provided by a protocol layer in
open systems to ensure the security of
systems or data transfers .
RFC 4949: Security services are described
as processing or communication services
offered by a system to provide specific
protection to system resources .

CSCB223 Cryptography 26
 of Security Services
Types
Confidentiality: Ensures that data is kept private and protected from unauthorized access
through encryption and access controls.

Integrity: Guarantees that data remains unchanged and unaltered during storage,
processing, or transmission through mechanisms like hash functions and digital signatures.

Authentication: Verifies the identity of users, devices, or entities involved in

communication to prevent unauthorized access and ensure trust.

Non-Repudiation: Prevents parties from denying their actions or transactions by providing

evidence of the origin or delivery of data.

Access Control: Manages and restricts access to resources based on user permissions, roles,
or policies to prevent unauthorized activities.

Availability: Ensures that systems, services, and data are accessible and operational when
needed, protecting against denial of service attacks and disruptions.

CSCB223 Cryptography 27
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 28
 FUNDAMENTALS OF
CRYPTOSYSTEMS

CSCB223 Cryptography 29
 Model for Network Security

CSCB223 Cryptography 30
 Model for Network Security (cont.)
• A message is to be transferred from one party to another across
some sort of Internet service.
• Security aspects come into play when it is necessary or desirable to
protect the information transmission from an opponent who may
present a threat to confidentiality, authenticity, and so on. All the
techniques for providing security have two components:
Some secret information shared by
A security-related transformation
the two principals and, it is hoped,
on the information to be sent
Unknown to the opponent
• E.g.: The encryption of the • E.g.: An encryption key used in
message, which scrambles the conjunction with the
message so that it is unreadable transformation to scramble the
by the opponent, and the addition message before transmission and
of a code based on the contents unscramble it on reception.
of the message, which can be
used to verify the identity of the
sender.
CSCB223 Cryptography 31
 Simplified Model of Symmetric Encryption

Plaintext Enciphering/encryption
• An original message • The process of converting from
Ciphertext plaintext to ciphertext
• The coded message Deciphering/decryption
Secret Key • Restoring the plaintext from the
• Independent of the plaintext & algorithm ciphertext
CSCB223 Cryptography 32
 Fundamentals of Cryptosystems
CRYPTOGRAPHY: the design and analysis of mechanisms
based on mathematical techniques that provide
fundamental security services.
• More accurate term is cryptology (cryptography +
cryptanalysis)

Cryptography is on how to keep the messages secret.

Cryptanalysis is on breaking an encryption, i.e. retrieving the plaintext
without knowing the proper key.

Cryptology
Cryptographers Cryptanalysts
Areas of cryptography
People who do Practitioners of
and cryptanalysis
cryptography cryptanalysis
together

CSCB223 Cryptography 33
 Fundamentals of Cryptosystems (cont.)

• CRYPTANALYSIS is like working with ‘cross

word puzzle’
• Cryptanalyst often use educated guesses
with careful mathematical analysis in
order to break an encryption.
• Who often employ cryptanalyst??
– FBI? CIA? Other secret government agents,
etc.

CSCB223 Cryptography 34
 Fundamentals of Cryptosystems (cont.)

CRYPTOGRAPHIC PRIMITIVE (OR MECHANISM):

A cryptographic process that provides a
number of specific security services.
• Block ciphers, stream ciphers, message
authentication codes, hash functions and
digital signature schemes.
• Confidentiality: block ciphers, stream
ciphers
• Integrity: Hash function, digital signatures
CSCB223 Cryptography 35
 Fundamentals of Cryptosystems (cont.)
Encryption: The process of transforming data
(i.e. plaintext) into a form which meanings are
Cryptosystem: A system not obvious (cipher text)
that support encryption
& decryption
Decryption: The reverse process of encryption

CRYPTOSYSTEM (OR CRYPTOGRAPHIC SCHEME): is often

used rather generically to refer to the implementation of
some cryptographic primitives and their accompanying
infrastructure.
* Might Include the users, the keys, the key management
etc.

CSCB223 Cryptography 36
 Fundamentals of Cryptosystems (cont.)

CRYPTOGRAPHIC ALGORITHM: the particular specification of

a cryptographic primitive.
• Eg: AES, DES, MD5, SHA-2

CRYPTOGRAPHIC PROTOCOL: A sequence of message

exchanges and operations between one or more parties, at
the end of which a series of security goals should have been
achieved.
• Eg: SSL/TLS
It employs a number of different cryptographic primitives at
various stages.

CSCB223 Cryptography 37
 Basic Principle of Cryptography
• In order to encrypt a plaintext (P) into a cipher
text (C), one requires:- C = E(Ke,P)
- the use of encryption algorithm (E)
- often the use of a secret encryption key (Ke)
• Vice versa, in order to decrypt a cipher text
(C) back into the original plaintext (P), one
requires:-
- the use of decryption algorithm (D) P = D(Kd,C)
- often the use of a secret decryption key (Kd)

**Note the word ‘often’. This is because there are cryptosystems that do not
require the use of Ke and Kd, known as keyless cipher.**
CSCB223 Cryptography 38
 Two Types of Cryptosystem
SYMMETRIC PUBLIC KEY
CRYPTOSYSTEM CRYPTOSYSTEM

• The encryption key and • The encryption key and

decryption key are decryption key are
essentially the same. fundamentally different
but related.
• Known as symmetric
cryptography/secret key • Known as asymmetric
cryptography. cryptography/public key
cryptography.

CSCB223 Cryptography 39
 Summary
• Why Information • Security services
Security and – Authentication
Cryptography? – Access Control
– Data confidentiality
– Security issues
– Data integrity
• Security risks – Nonrepudiation
– Security attacks • Fundamental of
• Passive attacks
cryptosystems
• Active attacks

CSCB223 Cryptography 40