Cryptography and Network Security

CS 701

SK Hafizul Islam
hafi786@gmail.com
Department of CSE
IIIT Kalyani
 Books
Text Book
• [T1] W. Stallings: Cryptography and Network Security, 5e, Pearson.
References
• [R1] B. A. Forouzan & D. Mukhopadhyay: Cryptography and
Network Security, 2e, McGraw-Hill.
• [R2] D. R. Stinson: Cryptography: Theory and Practice (Discrete
Mathematics and Its Applications), 3e, CRC Press.
• [R3] B. Schneier: Applied cryptography: protocols, algorithms, and
source code in C, 2e, John Wiley & Sons.
• [R4] Bernard Menezes: Network Security & Cryptography, 1st
Edition, Cengage Learning, Delhi, 2011.

3 July 2018 CS 701 2

 Evaluation Scheme

Component Weightage Duration

Attendance 10% NA
Assignment/Surprise Quiz/Project 5%2 = 10% NA
Mid-Sem. Examination 30% 90 mins.
End-Sem. Examination 50% 3 hours

Chamber Consultation: Tuesday 3:00 PM – 4:00 PM

3 July 2018 CS 701 3

 Class Schedule
• Monday 2:00 PM – 3:40 PM, Room No. – G01 (2 Hrs.)
• Tuesday 2:00 PM – 2:50 PM, Room No. – G02 (1 Hr.)

3 July 2018 CS 701 4

 Policies
• De-Registration Policy:
 A student will be de-registered from this course, if the
attendance in mid-semester is below 50% and in overall is
below 75%.
• Make-Up Policy:
 For Mid-Sem./End-Sem., as per institute rules.
 No Makeup for Assignment/Surprise Quiz/Project

3 July 2018 CS 701 5

 Course Outline
• PART – I (Introduction)
• PART – II (Symmetric Encryption and Hash Function)
• PART – III (Number Theory and Public Key Cryptography)
• PART – IV (Digital Signature)
• PART – V (User Authentication and Key Management)
• PART – VI (Security for Transport and Networks Layers)

3 July 2018 CS 701 6

 Part - I
• Introduction to Network Security
– Architecture
– Attacks
– Services
– Mechanism
– Network Security model and Standards

3 July 2018 CS 701 7

 Part - II
• Symmetric Key Encryption
– Classical Encryption Techniques
– DES
– Group Theory
– AES
– Cipher Operation
– Cryptographic Hash Function

3 July 2018 CS 701 8

 Part - III
• Number Theory
– Prime Numbers
– Fermat’s and Euler’s Theorems
– Testing for Primality.
• Public Key Cryptography (PKC)
– RSA Encryption
– Attacks in RSA
– RSAES-OAEP.
– ElGamal Encryption
– Diffie-Hellman Key Exchange

3 July 2018 CS 701 9

 Part - IV
• Digital Signatures
– RSA Digital Signature
– ElGamal Digital Signature Scheme
– Schnorr Digital Signature Scheme
– Digital Signature Standard (DSS)

3 July 2018 CS 701 10

 Part - V
• User Authentication Protocols
– Remote User Authentication Using Symmetric Encryption
– Remote User Authentication Using Asymmetric Encryption
• Key Management and Distribution
– Symmetric Key Distribution Using Symmetric Encryption
– Symmetric Key Distribution Using Asymmetric Encryption
– Distribution of Public Keys
– X.509 Certificates
– Public Key Infrastructure

3 July 2018 CS 701 11

 Part - VI
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)
• Electronic Mail Security
• IP Security
• VPN

3 July 2018 CS 701 12

 Objectives
• To define various security goals.
• To define security attacks that threaten security goals.
• To define security services and how they are related to the security
goals.
• To define security mechanisms to provide security services.
• To introduce cryptography to implement security mechanisms.

3 July 2018 CS 701 13

 Definitions
• Cryptography - means “secret writing”. However, we use the term
to refer to the science and art of transforming messages to make
them secure and immune to attacks.

• Network Security - measures to protect data during their

transmission

https://en.wikipedia.org/wiki/Cryptography

3 July 2018 CS 701 14

 Definitions…
• Cryptanalysis - (from the Greek kryptós, "hidden", and analýein,
"to loosen") is the art and science of analyzing information systems
in order to study the hidden aspects of the systems.
 Cryptanalysis is used to breach cryptographic security systems
and gain access to the contents of encrypted messages, even if
the cryptographic key is unknown.

• Cryptology – Cryptography + Cryptanalysis

3 July 2018 CS 701 15

 Security goals
― Confidentiality
― Integrity
― Availability
― Authenticity

3 July 2018 CS 701 16

 Confidentiality
• It is probably the most common aspect of information security.
• We need to protect our confidential information.
• An organization needs to guard against those malicious actions
that endanger the confidentiality of its information.

3 July 2018 CS 701 17

 Integrity
• Information needs to be changed constantly.
• Integrity means that changes need to be done only by authorized
entities and through authorized mechanisms.

3 July 2018 CS 701 18

 Availability
• The information created and stored by an organization needs to be
available to authorized entities.

3 July 2018 CS 701 19

 Authenticity
• The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or
message originator.
• It means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.

3 July 2018 CS 701 20

 Threats, Services and Mechanisms
• A security threat is a possible action by which a security policy
may be breached (e.g., loss of integrity or confidentiality).

• A security service is a measure which can be put in place to

address a threat (key management, authentication).

• A security mechanism is an action to provide a service (e.g.

encryption, digital signature).

3 July 2018 CS 701 21

 Security Attack
• An attack is a realization of a threat.
– Cryptanalytic attacks
– Non-cryptanalytic attacks

3 July 2018 CS 701 22

 Cryptanalytic attacks
• These attacks are combinations of statistical and algebraic
techniques amide at ascertaining the secret key of a cipher.

3 July 2018 CS 701 23

 Non-cryptanalytic attacks
• These attacks do not exploit the mathematical weakness of the
cryptographic algorithm. However, security goals can be very much
threatened by this class of attacks

3 July 2018 CS 701 24

 Passive attacks
• A passive attack attempts to learn or make use of information
from the system, but does not affect system resources
• Passive attacks are in the nature of eavesdropping on, or
monitoring of, transmissions.
• The goal of the opponent is to obtain information that is being
transmitted.
Snooping
Traffic analysis

3 July 2018 CS 701 25

 Passive attacks

3 July 2018 CS 701 26

 Passive Attacks Threatening Confidentiality
Snooping/Release of message contents
• It refers to unauthorized access to or interception of data.
• A telephone conversation, an electronic mail message, and a
transferred file may contain sensitive or confidential information.

3 July 2018 CS 701 27

 Passive Attacks Threatening Confidentiality
Traffic analysis
• It refers to obtaining some other type of information by
monitoring online traffic.
• If we had encryption protection in place, an opponent might still
be able to observe the pattern of these messages.
• The opponent could determine the location and identity of
communicating hosts and could observe the frequency and length
of messages being exchanged.
• This information might be useful in guessing the nature of the
communication that was taking place.

3 July 2018 CS 701 28

 Passive Attacks Threatening Confidentiality
Traffic analysis

3 July 2018 CS 701 29

 Prevent Passive attacks
• Passive attacks are very difficult to detect, because they do not
involve any alteration of the data.
• The emphasis in dealing with passive attacks is on prevention
rather than detection.
• We would like to prevent an opponent from learning the contents
of these transmissions.
• Masking the contents of message so that opponents, even if they
captured the message, could not extract the information from the
message.
• It is feasible to prevent the success of these attacks, usually by
means of encryption.

3 July 2018 CS 701 30

 Active attacks
• An active attack attempts to alter system resources or affect their
operation.
• Active attacks involve some modification of the data stream or the
creation of a false stream.
Masquerade
Replay
Modification
Denial of service (DoS)

3 July 2018 CS 701 31

 Active Attack
• Masquerading or spoofing happens when the attacker
impersonates somebody else.

3 July 2018 CS 701 32

 Active Attack
• Modification means that the attacker intercepts the message and
changes it.

3 July 2018 CS 701 33

 Active Attack
• Replaying means the attacker obtains a copy
of a message sent by a user and later tries to replay it.

3 July 2018 CS 701 34

 Active Attack
• Repudiation means that sender of the message might later deny
that she has sent the message; the receiver of the message might
later deny that he has received the message.

3 July 2018 CS 701 35

 Active Attacks Threatening Availability
• Denial of service (DoS) is a very common attack.
• It may slow down or totally interrupt the service of a system.

3 July 2018 CS 701 36

 Prevent Active attacks
• It is quite difficult to prevent active attacks absolutely because of
the wide variety of potential physical, software, and network
vulnerabilities.
• The goal is to detect active attacks and to recover from any
disruption or delays caused by them.

3 July 2018 CS 701 37

 Passive vs Active Attacks

3 July 2018 CS 701 38

 Security Service
• enhance security of data processing systems and information
transfers of an organization
• Intended to counter security attacks
• using one or more security mechanisms
• often replicates functions normally associated with physical
documents
 which, for example, have signatures, dates; need protection
from disclosure, tampering, or destruction; be notarized or
witnessed; be recorded or licensed

3 July 2018 CS 701 39

 Security Services
• X.800 defines a security service as “a service provided by a
protocol layer of communicating open systems, which ensures
adequate security of the systems or of data transfers”

• RFC 2828 defines a security service as “a processing or

communication service provided by a system to give a specific
kind of protection to system resources”

http://www.itu.int/rec/T-REC-X.800-199103-I/e
https://www.ietf.org/rfc/rfc2828.txt

3 July 2018 CS 701 40

 Security Services (X.800)
• Authentication – assurance that the communicating entity is the
one claimed
• Access Control – prevention of the unauthorized use of a resource
• Data Confidentiality – protection of data from unauthorized
disclosure
• Data Integrity – assurance that data received is as sent by an
authorized entity
• Non-Repudiation – protection against denial by one of the parties
in a communication

3 July 2018 CS 701 41

 Security Mechanism
• feature designed to detect, prevent, or recover from a security
attack
• no single mechanism that will support all services required
• however one particular element underlies many of the security
mechanisms in use:
– cryptographic techniques

3 July 2018 CS 701 42

 Security Mechanisms (X.800)
• May be incorporated into the appropriate protocol layer in order to
provide some of the OSI security services:
– Encipherment:- The use of mathematical algorithms to
transform data into a form that is not readily intelligible.
– Digital signature:- Data appended to, or a cryptographic
transformation of, a data unit that allows a recipient of the data
unit to prove the source and integrity of the data unit and
protect against forgery
– Access control:- A variety of mechanisms that enforce access
rights to resources.
– Data integrity:- A variety of mechanisms used to assure the
integrity of a data unit or stream of data units.

3 July 2018 CS 701 43

 Security Mechanisms (X.800)
• May be incorporated into the appropriate protocol layer in order to
provide some of the OSI security services:
– Authentication exchange:- A mechanism intended to ensure
the identity of an entity by means of information exchange.
– Traffic padding:- The insertion of bits into gaps in a data stream
to frustrate traffic analysis attempts.
– Routing control:- Enables selection of particular physically
secure routes for certain data and allows routing changes,
especially when a breach of security is suspected.
– Notarization:- The use of a trusted third party to assure certain
properties of a data exchange.

3 July 2018 CS 701 44

 Model for Network Security

3 July 2018 CS 701 45

 Model for Network Security
• Using this model requires us to:
 design a suitable algorithm for the security transformation
 generate the secret information (keys) used by the algorithm
 develop methods to distribute and share the secret
information
 specify a protocol enabling the principals to use the
transformation and secret information for a security service

3 July 2018 CS 701 46

 Model for Network Access Security

3 July 2018 CS 701 47

 Model for Network Access Security
• Using this model requires us to:
1. select appropriate gatekeeper functions to identify users
2. implement security controls to ensure only authorised users
access designated information or resources
• trusted computer systems may be useful to help implement this
model

3 July 2018 CS 701 48

 Thank You

3 July 2018 CS 701 49