Cybersecurity Basics for IT Students

The document outlines the fundamentals of Cryptography and Cyber Security, focusing on security threats, attacks, and mechanisms. It discusses various security services such as authentication, access control, data confidentiality, and integrity, as well as different types of attacks including passive and active attacks. Additionally, it emphasizes the importance of protecting information through automated tools and security mechanisms in networked environments.

Uploaded by Kanchan Patil
Sanjivani Rural Education Society’s
Sanjivani College of Engineering, Kopargaon-423603
(An Autonomous Institute Affiliated to Savitribai Phule Pune University, Pune)
NAAC ‘A’ Grade Accredited, ISO 9001:2015 Certified
Department of Information Technology
(NBA Accredited)

Cryptography and Cyber Security [IT311]

Mrs. Kanchan D. Patil
Assistant Professor
Unit 1: Security Fundamentals

• Introduction, Threats and Attacks, Security Services, Security Mechanisms, Cipher Techniques: Substitution and Transposition, One Time Pad, Block Ciphers, Stream Ciphers.

Cryptography & Cyber Security Mrs. Kanchan Patil Department of Information Technology
Introduction

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

—The Art of War, Sun Tzu
Introduction
• Information security requirements have changed in recent times
• Information security means protecting information by mitigating information risks
• Its primary focus is the balanced protection of the confidentiality, integrity and availability of data
• Traditionally provided by physical and administrative mechanisms
• Physical (e.g. rugged filing cabinets with locks)
• Administrative (e.g. personnel screening procedures during the hiring process)
Introduction
• Some more mechanisms
• Provide a user id and password to every user
• Encode the information stored in the database in some fashion
• Nowadays, computer use requires automated tools to protect files and other stored information
• Shared systems which can be accessed over a network
• The use of networks and communication links requires measures to protect data during transmission
• Distributed systems
Categories of Computer Security
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Aspects of Security
• Consider 3 aspects of information security
• security attack
• security mechanism
• security service
Security Attack
• Any action that compromises the security of information owned by an organization
• Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• Often threat & attack are used to mean the same thing
• We can focus on generic types of attacks
• Passive : A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• Active : An active attack attempts to alter system resources or affect their operation.
Security Attack
• Threat:
A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security and
cause harm. That is, a threat is a possible danger that might exploit a
vulnerability.
• Attack:
An assault on system security that derives from an intelligent threat;
that is, an intelligent act that is a deliberate attempt (especially in the
sense of a method or technique) to evade security services and violate
the security policy of a system.

Passive Attack : Release of Message Contents
An opponent learns the contents of a message (e.g. an e-mail, a transferred file or a telephone conversation) that we would like to keep from them

Passive Attack : Traffic Analysis
Even when the contents are masked (e.g. by encryption), an opponent can still observe the pattern of the messages: the identity and location of the communicating hosts and the frequency and length of the messages exchanged

Active Attack : Masquerade
It takes place when one entity pretends to be a different entity

Active Attack : Replay
It involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Active Attack : Modification of Messages
Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect

Active Attack : Denial of Service
Prevents or inhibits the normal use or management of communications facilities
Security Services
• X.800 Definition:
Defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
• RFC 2828:
A processing or communication service that is provided by a system to give a specific kind of protection to system resources
• Security services implement security policies and are implemented by security mechanisms
Security Services
• X.800 divides security services into five categories and fourteen
specific services
• Authentication
• Access Control
• Data Confidentiality
• Data Integrity
• Non-repudiation

Security Services : Authentication
• The assurance that the communicating entity is the one that it claims to be
• Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected
• Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed
Security Services : Access Control
• The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
Security Services : Data Confidentiality
• The protection of data from unauthorized disclosure
• Confidentiality is the protection of transmitted data from passive
attacks
• Connection Confidentiality: The protection of all user data on a
connection
• Connectionless Confidentiality: The protection of all user data in a
single data block
• Selective-Field Confidentiality: The confidentiality of selected fields
within the user data on a connection or in a single data block
• Traffic Flow Confidentiality: The protection of the information that
might be derived from observation of traffic flow
Security Services : Data Integrity
• The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay)
• Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted
• Connection Integrity without Recovery: As above, but provides only detection without recovery
Security Services : Data Integrity
• Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed
• Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided
• Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block and takes the form of determination of whether the selected fields have been modified
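The difference between connection integrity and connectionless integrity, and the active attacks from the earlier slides (masquerade, replay, modification, reordering) that each one does or does not catch, can be seen in a few lines of code. The following is an added example and is not part of the original slides: it uses only the Python standard library, and the shared key, the three messages, the receiver classes and the attack scenarios are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for this example; in practice it is distributed
# out of band (see the network security model later in this unit).
KEY = secrets.token_bytes(32)


def tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over sequence number || payload. Binding the position in
    the sequence to the contents makes modification, replay and reordering
    all visible to a holder of the key."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


def send(key: bytes, seq: int, payload: bytes) -> tuple:
    """Sender side: emit one data unit (seq, payload, tag)."""
    return (seq, payload, tag(key, seq, payload))


class ConnectionReceiver:
    """Connection integrity without recovery: checks the MAC and enforces a
    strictly increasing sequence number, so modification, insertion, deletion,
    replay and reordering are detected; the unit is rejected, not repaired."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0
        self.accepted = []

    def receive(self, unit: tuple) -> str:
        seq, payload, t = unit
        # Constant-time comparison so tag checking does not leak via timing.
        if not hmac.compare_digest(t, tag(self.key, seq, payload)):
            return "reject: modified or forged"
        if seq < self.expected:
            return "reject: replay"
        if seq > self.expected:
            return "reject: out of sequence (deletion or reordering)"
        self.expected += 1
        self.accepted.append(payload)
        return "accept"


def connectionless_receive(key: bytes, unit: tuple) -> str:
    """Connectionless integrity: each block is checked on its own, so a
    replayed block with a valid tag is accepted. The 'limited form of replay
    detection' X.800 mentions needs extra state, e.g. a timestamp window or a
    cache of sequence numbers already seen from this sender."""
    seq, payload, t = unit
    if hmac.compare_digest(t, tag(key, seq, payload)):
        return "accept"
    return "reject: modified or forged"


def demo() -> dict:
    """Run the attack scenarios against both kinds of receiver."""
    units = [send(KEY, i, m) for i, m in enumerate([b"transfer 10", b"transfer 20", b"logout"])]
    rx = ConnectionReceiver(KEY)
    results = {"in_order": [rx.receive(u) for u in units]}
    results["replay"] = rx.receive(units[0])                      # captured unit re-sent
    seq, payload, t = units[1]
    results["modified"] = rx.receive((seq, b"transfer 99", t))    # contents altered, old tag kept
    results["forged"] = rx.receive((3, b"transfer 99", secrets.token_bytes(32)))  # masquerade, no key
    rx2 = ConnectionReceiver(KEY)
    rx2.receive(units[0])
    results["reordered"] = rx2.receive(units[2])                  # unit 1 deleted or delayed
    results["connectionless_replay"] = connectionless_receive(KEY, units[0])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last result is the one to notice: the connectionless receiver accepts the replayed `transfer 10` because nothing in a stand-alone block says whether it has been seen before. Whether that matters depends on the service: an idempotent status report may tolerate it, a funds transfer does not.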
Security Mechanisms
• Mechanisms are divided into two groups
• Those that are implemented in a specific protocol layer
• Those that are not specific to any particular protocol layer or security service
• X.800 distinguishes between reversible encipherment mechanisms and irreversible encipherment mechanisms
• A reversible encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted.
• Irreversible encipherment mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.
Specific Security Mechanisms
• May be incorporated into the appropriate protocol layer in order to
provide some of the OSI security services
• Encipherment: The use of mathematical algorithms to transform
data into a form that is not readily intelligible. The transformation
and subsequent recovery of the data depend on an algorithm and
zero or more encryption keys
• Digital Signature: Data appended to, or a cryptographic
transformation of, a data unit that allows a recipient of the data unit
to prove the source and integrity of the data unit and protect against
forgery (e.g., by the recipient)
• Access Control: A variety of mechanisms that enforce access rights
to resources.
Specific Security Mechanisms
• Data Integrity: A variety of mechanisms used to assure the integrity
of a data unit or stream of data units
• Authentication Exchange: A mechanism intended to ensure the
identity of an entity by means of information exchange
• Traffic Padding: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts
• Routing Control: Enables selection of particular physically secure
routes for certain data and allows routing changes, especially when a
breach of security is suspected
• Notarization: The use of a trusted third party to assure certain
properties of a data exchange

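Traffic padding is the one mechanism in the list above that most students have never seen written down, so here it is as an added Python example (not from the original slides, and not a real protocol's framing). The bucket sizes, the length-prefix layout and the sample messages are assumptions of this example; the padded frame is what would then be encrypted, so the opponent doing traffic analysis sees only the bucket size and the frame rate.

```python
import secrets

# Constructed fixed frame sizes; a real protocol fixes these per link or per application.
BUCKETS = (64, 256, 1024)


def pad_to_bucket(payload: bytes) -> bytes:
    """Length-prefix the payload and fill the rest of the smallest bucket that
    fits with random bytes. After encryption, every frame in the same bucket
    looks identical in size to an observer."""
    size = next((b for b in BUCKETS if len(payload) + 2 <= b), None)
    if size is None:
        raise ValueError("payload exceeds the largest bucket")
    filler = secrets.token_bytes(size - 2 - len(payload))
    return len(payload).to_bytes(2, "big") + payload + filler


def unpad(frame: bytes) -> bytes:
    """Receiver side: the length prefix says where the payload ends."""
    n = int.from_bytes(frame[:2], "big")
    return frame[2:2 + n]


def distinguishable(messages, framing) -> bool:
    """Opponent's view: can the messages be told apart by length alone?
    `framing` is the function that turns a message into what goes on the wire."""
    return len({len(framing(m)) for m in messages}) > 1


def constant_rate(real_frames, slots: int) -> list:
    """Insertion of dummy frames into idle slots, so the opponent also learns
    nothing from *when* traffic is sent. Returns (is_dummy, frame) per slot;
    dummies are padded empty payloads, which the receiver discards after unpad()."""
    out = []
    for i in range(slots):
        if i < len(real_frames):
            out.append((False, real_frames[i]))
        else:
            out.append((True, pad_to_bucket(b"")))
    return out


if __name__ == "__main__":
    replies = [b"YES", b"NO"]
    print("raw lengths leak the answer:", distinguishable(replies, lambda m: m))
    print("padded lengths leak it:", distinguishable(replies, pad_to_bucket))
    print("slots:", [(dummy, len(f)) for dummy, f in constant_rate([pad_to_bucket(b"YES")], 4)])
```

Padding to buckets removes the length signal but not the count or timing of frames, which is why `constant_rate` is there as well; the price is bandwidth, and the random filler must never be used as a place to stash data, since it is discarded on receipt.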
Pervasive Security Mechanisms
• Mechanisms that are not specific to any particular OSI security service or protocol layer
• Trusted Functionality: That which is perceived to be correct with respect to some criteria (e.g., as established by a security policy)
• Security Label: The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource
• Event Detection: Detection of security-relevant events
• Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities
• Security Recovery: Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions
Model for Network Security (figure not reproduced)
Model for Network Security
• A message is to be transferred from one party to another across some
sort of internet.
• The two parties, who are the principals in this transaction, must
cooperate for the exchange to take place.
• A logical information channel is established by defining a route through
the internet from source to destination and by the cooperative use of
communication protocols (e.g., TCP/IP) by the two principals.
• Security aspects come into play when it is necessary or desirable to
protect the information transmission from an opponent who may
present a threat to confidentiality, authenticity, and so on

Model for Network Security
• All the techniques for providing security have two components
• A security-related transformation on the information to be sent.
• Examples: encryption of the message, which scrambles the message so
that it is unreadable by the opponent, and the addition of a code based
on the contents of the message, which can be used to verify the identity
of the sender
• Some secret information shared by the two principals and, it is hoped,
unknown to the opponent.
• Example: an encryption key used in conjunction with the
transformation to scramble the message before transmission and
unscramble it on reception.

Model for Network Security
• This general model shows that there are four basic tasks in designing a
particular security service
1. Design an algorithm for performing the security-related transformation.
The algorithm should be such that an opponent cannot defeat its
purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret
information.
4. Specify a protocol to be used by the two principals that makes use of
the security algorithm and the secret information to achieve a
particular security service.

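The four tasks above, carried out end to end, as an added Python example that is not from the original slides. Task 1 is a keystream transformation built from HMAC-SHA256 in counter mode (a teaching stand-in so the example needs no third-party library; a real design uses a vetted AEAD such as AES-GCM), task 2 is key generation from the OS random source, task 3 is shown as deriving separate encryption and authentication keys from one shared secret, and task 4 is the frame layout nonce || ciphertext || tag. The key-derivation labels, 16-byte nonce and frame layout are assumptions of this example. The last function shows the failure mode task 1 warns about: the transformation is defeated, without the opponent ever learning the key, as soon as the same secret is used with the same nonce twice.

```python
import hashlib
import hmac
import secrets


def generate_key() -> bytes:
    """Task 2: secret generation from the OS CSPRNG (never from random.random())."""
    return secrets.token_bytes(32)


def derive_keys(shared_secret: bytes, context: bytes) -> tuple:
    """Task 3 (the sharing side of distribution): split one shared secret into
    separate encryption and MAC keys, bound to a context label such as a session id."""
    enc = hmac.new(shared_secret, b"enc|" + context, hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac|" + context, hashlib.sha256).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Task 1: the transformation. Keystream blocks are HMAC-SHA256(key, nonce || counter);
    this is a stand-in for a real stream cipher, chosen so the example runs with stdlib only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Task 4: the protocol. Encrypt, then MAC nonce || ciphertext, send nonce || ct || tag."""
    ct = xor(msg, keystream(enc_key, nonce, len(msg)))
    t = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + t


def unprotect(enc_key: bytes, mac_key: bytes, frame: bytes) -> bytes:
    """Receiver: verify the tag before touching the ciphertext, then decrypt."""
    nonce, ct, t = frame[:16], frame[16:-32], frame[-32:]
    if not hmac.compare_digest(t, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def nonce_reuse_leak(enc_key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Failure mode: two equal-length messages under the same (key, nonce) share
    the keystream, so c1 XOR c2 == m1 XOR m2. Knowing either plaintext gives the other."""
    nonce = b"\x00" * 16
    c1 = xor(m1, keystream(enc_key, nonce, len(m1)))
    c2 = xor(m2, keystream(enc_key, nonce, len(m2)))
    return xor(c1, c2)


def demo() -> dict:
    shared = generate_key()                       # assumed already distributed to both principals
    ek, mk = derive_keys(shared, b"session-1")
    frame = protect(ek, mk, secrets.token_bytes(16), b"attack at dawn")
    results = {"roundtrip": unprotect(ek, mk, frame) == b"attack at dawn"}
    tampered = frame[:16] + bytes([frame[16] ^ 0x01]) + frame[17:]   # flip one ciphertext bit
    try:
        unprotect(ek, mk, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    m1, m2 = b"attack at dawn", b"attack at noon"
    leak = nonce_reuse_leak(ek, m1, m2)
    results["nonce_reuse_recovers_m2"] = xor(leak, m1) == m2        # opponent knows m1, gets m2
    return results


if __name__ == "__main__":
    print(demo())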
Network Access Security Model
• There are other security-related situations of interest that do not neatly
fit this model
• This model reflects a concern for protecting an information system from
unwanted access
• Type 1:
• concerns caused by the existence of hackers, who attempt to penetrate
systems that can be accessed over a network.
• The hacker can be someone who, with no malign intent, simply gets
satisfaction from breaking and entering a computer system. Or, the
intruder can be a disgruntled employee who wishes to do damage, or a
criminal who seeks to exploit computer assets for financial gain (e.g.,
obtaining credit card numbers or performing illegal money transfers)
Network Access Security Model
• Type 2:
• Another type of unwanted access is the placement in a computer
system of logic that exploits vulnerabilities in the system and that can
affect application programs as well as utility programs, such as editors
and compilers.
• Programs can present two kinds of threats:
• Information access threats intercept or modify data on behalf of
users who should not have access to that data.
• Service threats exploit service flaws in computers to inhibit use by
legitimate users

Network Access Security Model
• The security mechanisms needed to cope with unwanted access fall into two broad categories
1. Gatekeeper functions that identify users: password-based login procedures designed to deny access to all but authorized users, and screening logic designed to detect and reject worms, viruses, and similar attacks.
2. Internal security controls that ensure only authorised users access the designated information or resources: a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.

• Trusted computer systems may be useful to help implement this model
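The two lines of defence above, together with the event detection and security audit trail mechanisms from the pervasive mechanisms slide, as an added Python example that is not from the original document. The gatekeeper is a password login that stores only salted PBKDF2 digests and records every decision in an audit trail; the internal control is a detector that reads that trail. The user database, the PBKDF2 work factor, the lockout threshold, the login attempts and the addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the example


def make_record(password: str) -> tuple:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database with a single account.
USERS = {"alice": make_record("correct horse battery staple")}


class Gatekeeper:
    """Password-based login that denies access to all but authorised users,
    writes every decision to an audit trail, and locks out a source address
    after repeated failures. Lockout is per source, not per user, so an
    attacker cannot lock the legitimate user out of her own account."""

    LOCKOUT_THRESHOLD = 3

    def __init__(self):
        self.audit = []                    # security audit trail: (event, user, source)
        self.failures = defaultdict(int)   # failed attempts per source address

    def login(self, user: str, password: str, src_ip: str) -> bool:
        if self.failures[src_ip] >= self.LOCKOUT_THRESHOLD:
            self.audit.append(("LOCKED", user, src_ip))
            return False
        record = USERS.get(user)
        if record is None:
            # Do the same work for unknown users so timing does not reveal valid names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            ok = False
        else:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
            ok = hmac.compare_digest(digest, candidate)
        if ok:
            self.audit.append(("LOGIN_OK", user, src_ip))
        else:
            self.failures[src_ip] += 1
            self.audit.append(("LOGIN_FAIL", user, src_ip))
        return ok


def detect_bruteforce(audit, threshold: int = 3) -> list:
    """Event detection over the audit trail: sources with >= threshold failed logins."""
    counts = defaultdict(int)
    for event, _user, src_ip in audit:
        if event == "LOGIN_FAIL":
            counts[src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def demo() -> dict:
    gk = Gatekeeper()
    attempts = [  # constructed: three guesses, a fourth try from the same source, then the owner elsewhere
        ("alice", "password1", "203.0.113.9"),
        ("alice", "letmein", "203.0.113.9"),
        ("alice", "alice123", "203.0.113.9"),
        ("alice", "correct horse battery staple", "203.0.113.9"),
        ("alice", "correct horse battery staple", "198.51.100.4"),
    ]
    outcomes = [gk.login(u, p, ip) for u, p, ip in attempts]
    return {
        "outcomes": outcomes,
        "events": [e for e, _, _ in gk.audit],
        "suspects": detect_bruteforce(gk.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Note the fourth attempt: the guess is correct, but the source is already locked, so the gatekeeper refuses without checking it. Per-source lockout is bypassed by an attacker who rotates addresses, which is exactly why the second line of defence (the detector over the audit trail) has to exist alongside the first.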
References:

• William Stallings, "Cryptography and Network Security: Principles and Practice"