CHAPTER 1

INTRODUCTION

CSCB223 Cryptography 1
 Course Outcomes (CO)
• Acquire knowledge on the fundamentals of security
CO1 goals, cryptographic services and mechanisms.

• Explain the concepts and practical workings of

CO2 cryptographic mechanisms from history to present.

• Apply relevant theories and principles to real life

CO3 problems and situations.

CO4 • Assess, design and implement secure systems using

cryptography.

CO5 • Discuss the latest issues in cryptography.

CSCB223 Cryptography 2
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 3
 WHY INFORMATION SECURITY
AND CRYPTOGRAPHY?

CSCB223 Cryptography 4
 Refers to the protection
of information and
information systems

Development of computer
networks, particularly Internet, has
increased the generation, access,
exchange and store of large amount
of data and Information.
• conducted electronically
• transmitted and stored in
insecure environment.

The rise of significance of information

security has brought to the
importance and widespread use of
cryptography.

CSCB223 Cryptography 5
 Cryptography is not a new science.
Has been used for centuries to
protect sensitive information,
especially during periods of conflict

Cryptography is:
• A tremendous tool
• The basis for many security mechanisms

Cryptography lies at the heart

of most technical information
security mechanisms

Cryptography is NOT:
• The solution to all security problems
• Reliable unless implemented and used properly
• Something you should try to invent yourself
• many examples of broken ad-hoc designs
CSCB223 Cryptography 6
 Security Issues
• How can we tell whether an email from a potential
client is a genuine inquiry from the person that it
claims to have come from?

• How can we be sure that the contents of an

electronic file have not been altered?

• How can we be sure that nobody else can read an

email that we have just sent to a colleague?

• How can we accept an electronic contract received

by email from a client on the other side of the world?

CSCB223 Cryptography 7
 https://www.stuff.co.nz/dominion-post/news/116318497/up-to-1-million-
new-zealand-patients-data-breached-in-criminal-cyber-hack

https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-
did-it-happen-and-what-was-the-impact.html

CSCB223 Cryptography 8
 The Role of Cryptography
in Information Security
• Cryptography can be used to achieve several
goals of information security, including
confidentiality, integrity, and authentication.

Confidentiality Integrity Authentication

• Protects the • To ensure the • For authentication

confidentiality (or integrity (or (and non-
secrecy) of accuracy) of repudiation)
information. information through services through
the use of hashing digital signatures,
algorithms and digital certificates,
message digests. or a Public Key
Infrastructure (PKI).

CSCB223 Cryptography 9
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 10
 SECURITY RISKS

CSCB223 Cryptography 11
 Vulnerability – Threat - Risk
Vulnerability Threat Risk
Definition Weaknesses or gaps in a Anything that can The potential for
security program that exploit a vulnerability, loss, damage or
can be exploited by intentionally or destruction of an
threats to gain accidentally, and asset as a result of
unauthorized access to obtain, damage, or a threat exploiting
an asset destroy an asset a vulnerability
Example 1 Terminated employee Access the company’s Unauthorized
ID’s are not removed network and retrieve disclosure of
from the system proprietary info sensitive business
information
Example 2 Improper maintenance of Fire Loss of life, data
fire fighting equipment and infrastructure
Example 3 No security guard Intruder Theft
Example 4 Poor access control Disgruntled employee Data modified
Example 5 Inadequate preparation Flood Loss of life, data
and infrastructure
CSCB223 Cryptography 12
 Threats and Attacks (RFC 4949)
Threat
• A potential for violation of security, which exists
when there is a circumstance, capability, action, or
event that could breach security and cause harm.
That is, a threat is a possible danger that might
exploit a vulnerability.
Attack
• An assault on system security that derives from an
intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a
method or technique) to evade security services and
violate the security policy of a system.

CSCB223 Cryptography 13
 Security Attacks
• A means of classifying security
attacks, used both in X.800
and RFC 4949, is in terms of
passive attacks and active
attacks
• A passive attack attempts to
learn or make use of
information from the system
but does not affect system
resources
• An active attack attempts to
alter system resources or
affect their operation

CSCB223 Cryptography 14
 Passive Attacks
• Are in the nature of eavesdropping on, or
monitoring of, transmissions
• Goal of the opponent is to obtain
information that is being transmitted
• Two types of passive
attacks are:
– The release of
message contents
– Traffic analysis

CSCB223 Cryptography
 Active Attacks
• Takes place when one entity
pretends to be a different entity
• Involve some Masquerade • Usually includes one of the other
modification of the data forms of active attack
stream or the creation of
a false stream
• Involves the passive capture of a
• Difficult to prevent data unit and its subsequent
because of the wide Replay retransmission to produce an
unauthorized effect
variety of potential
physical, software, and
network vulnerabilities • Some portion of a legitimate
• Goal is to detect attacks Modification message is altered, or messages
and to recover from any of messages are delayed or reordered to
produce an unauthorized effect
disruption or delays
caused by them
Denial of • Prevents or inhibits the normal
use or management of
service communications facilities

CSCB223 Cryptography
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 17
 SECURITY SERVICES

CSCB223 Cryptography 18
 Security Service
Defined by X.800 as:
• A service provided by a protocol layer of
communicating open systems and that
ensures adequate security of the systems
or of data transfers
Defined by RFC 4949 as:
• A processing or communication service
provided by a system to give a specific
kind of protection to system resources

CSCB223 Cryptography 19
 X.800 divides
these services
into 5 categories
& 14 specific
services

CSCB223 Cryptography 20
 Outline
Why Information Security and
Cryptography?

Security Risks

Security Services

Fundamentals of Cryptosystems

CSCB223 Cryptography 21
 FUNDAMENTALS OF
CRYPTOSYSTEMS

CSCB223 Cryptography 22
 Model for Network Security

CSCB223 Cryptography 23
 Model for Network Security (cont.)
• A message is to be transferred from one party to another across
some sort of Internet service.
• Security aspects come into play when it is necessary or desirable to
protect the information transmission from an opponent who may
present a threat to confidentiality, authenticity, and so on. All the
techniques for providing security have two components:
Some secret information shared by
A security-related transformation
the two principals and, it is hoped,
on the information to be sent
Unknown to the opponent
• E.g.: The encryption of the • E.g.: An encryption key used in
message, which scrambles the conjunction with the
message so that it is unreadable transformation to scramble the
by the opponent, and the addition message before transmission and
of a code based on the contents unscramble it on reception.
of the message, which can be
used to verify the identity of the
sender.

CSCB223 Cryptography 24
 Simplified Model of Symmetric Encryption

Plaintext Enciphering/encryption
• An original message • The process of converting from
Ciphertext plaintext to ciphertext
• The coded message Deciphering/decryption
Secret Key • Restoring the plaintext from the
• Independent of the plaintext & algorithm ciphertext
CSCB223 Cryptography 25
 Fundamentals of Cryptosystems
CRYPTOGRAPHY: the design and analysis of mechanisms
based on mathematical techniques that provide
fundamental security services.
• More accurate term is cryptology (cryptography +
cryptanalysis)

Cryptography is on how to keep the messages secret.

Cryptanalysis is on breaking an encryption, i.e. retrieving the plaintext
without knowing the proper key.

Cryptology
Cryptographers Cryptanalysts
Areas of cryptography
People who do Practitioners of
and cryptanalysis
cryptography cryptanalysis
together

CSCB223 Cryptography 26
 Fundamentals of Cryptosystems
(cont.)
• CRYPTANALYSIS is like working with ‘cross
word puzzle’
• Cryptanalyst often use educated guesses
with careful mathematical analysis in
order to break an encryption.
• Who often employ cryptanalyst??
– FBI? CIA? Other secret government agents,
etc.

CSCB223 Cryptography 27
 Fundamentals of Cryptosystems
(cont.)
CRYPTOGRAPHIC PRIMITIVE (OR MECHANISM):
A cryptographic process that provides a
number of specific security services.
• Block ciphers, stream ciphers, message
authentication codes, hash functions and
digital signature schemes.
• Confidentiality: block ciphers, stream
ciphers
• Integrity: Hash function, digital signatures

CSCB223 Cryptography 28
 Fundamentals of Cryptosystems
(cont.)
Encryption: The process of transforming data
(i.e. plaintext) into a form which meanings are
Cryptosystem: A system not obvious (cipher text)
that support encryption
& decryption
Decryption: The reverse process of encryption

CRYPTOSYSTEM (OR CRYPTOGRAPHIC SCHEME): is often

used rather generically to refer to the implementation of
some cryptographic primitives and their accompanying
infrastructure.
* Might Include the users, the keys, the key management
etc.

CSCB223 Cryptography 29
 Fundamentals of Cryptosystems
(cont.)
CRYPTOGRAPHIC ALGORITHM: the particular specification of
a cryptographic primitive.
• Eg: AES, DES, MD5, SHA-2

CRYPTOGRAPHIC PROTOCOL: A sequence of message

exchanges and operations between one or more parties, at
the end of which a series of security goals should have been
achieved.
• Eg: SSL/TLS
It employs a number of different cryptographic primitives at
various stages.

CSCB223 Cryptography 30
 Basic Principle of Cryptography
• In order to encrypt a plaintext (P) into a
cipher text (C), one requires:- C = E(Ke,P)
- the use of encryption algorithm (E)
- often the use of a secret encryption key (Ke)
• Vice versa, in order to decrypt a cipher text
(C) back into the original plaintext (P), one
requires:-
- the use of decryption algorithm (D) P = D(Kd,C)
- often the use of a secret decryption key (Kd)

**Note the word ‘often’. This is because there are cryptosystems that do not
require the use of Ke and Kd, known as keyless cipher.**
CSCB223 Cryptography 31
 Two Types of Cryptosystem
SYMMETRIC PUBLIC KEY
CRYPTOSYSTEM CRYPTOSYSTEM

• The encryption key and • The encryption key and

decryption key are decryption key are
essentially the same. fundamentally different
but related.
• Known as symmetric
cryptography/secret key • Known as asymmetric
cryptography. cryptography/public key
cryptography.

CSCB223 Cryptography 32
 Summary
• Why Information
Security and
Cryptography?
– Security issues
• Security risks
– Security attacks
• Passive attacks
• Active attacks
CSCB223 Cryptography
• Security services
– Authentication
– Access Control
– Data confidentiality
– Data integrity
– Nonrepudiation
• Fundamental of
cryptosystems
33
 Department of Computing
College of Computing and Informatics
Universiti Tenaga Nasional

CSCB223 Cryptography 34