2023

CO6602 Cryptography and

Security
COURSEWORK
J87070
Contents
Task 1 ...................................................................................................................................................... 2
Task 2 ...................................................................................................................................................... 4
Block and Stream Ciphers ................................................................................................................... 4
AES ...................................................................................................................................................... 4
RC4 ...................................................................................................................................................... 5
Differences .......................................................................................................................................... 5
Suitability ............................................................................................................................................ 5
Task 3 ...................................................................................................................................................... 6
References .............................................................................................................................................. 7

1|Page
Task 1
a. First I input the cipher into a Frequency Analysis tool, I noticed that U was the second
character in many of the two letter words, so substituted that for F in the mindset of that
being ‘OF’

This came out making sense, therefore A must be O

The next common sense guess would be that ‘CEI’ as a word kept appearing in the text

So I assumed this to be one of the most common three letter words in English, ‘The’

This then screamed out ‘That they’ to me, so I replaced P to a and W to Y

clearly spells ‘the fact that’, substituting Q for C

Getting to this stage I noticed that o quite often was followed by F, this lead to me replacing
F with n and getting the result ‘on’, which seemed to make sense

Given the topic we are currently studying, and the letters revealed, this clearly came to say
Frequency Analysis, replacing those characters

correcting the spelling mistakes that seemed to be present

2|Page
 I then noticed that

Is clearly communicate

Is also clearly language

which leaves this sentence, meaning that T must be w

Specific

Which leaves this, basically decoded and just filling in the gaps:
“frequency analysis is usable do to the fact that languages follow rules so that they make
sense when used to communicate. if someone is aware of the original language that a
specific ciphertext has been written in and has enough knowledge of the language, then
frequency analysis is an option to solve simple encryptions. online tools can be used to assist
with frequency analysis however none will be used to solve this ciphertext. the most
common letter in the English language is ‘e’ which was proven by the inventor of morse
code, Samuel Morse, as it came into play while he created his new alphabet as pointed out
by lexico"
b.
c. WOOAHYURWEMELBRAVRLEOTLEITMTEWOW
32 Characters
Logically the possible keys are: 1, 2, 4, 8 and 16
We can rule out 1, 2 and most likely 16.
Key 4, nothing there
W O O A H Y U R
W E M E L B R A
V R L E O T L E
I T M T E W O W
Key 8, Nothing there
W O O A
H Y U R
W E M E
L B R A
V R L E
O T L E
I T M T
E W O W
This led me to look into the possibility of more forms of transposition cipher, one of the
most common forms I could find was rail fence ciphers, so I read into how this cipher works.
Due to this cipher working by essentially filling in a matrix grid, I thought that I could develop
a Python script to brute force this cipher. The basic function of the code used was to create a
matrix – height set by the key and length set by ciphertext.length that could be defined with

3|Page
 the user input – this could be inputted as a single number, or a range for brute forcing. Then
within this matrix the code would input characters one by one into the matrix, moving along
and down the matrix with each step, when reaching the bottom or top of the matrix the
up/down stepper would reverse meaning the code would create the railfence structure,
then the code would read back from this railfence by repeating the steps and reading each
character into a string, at the end this string being printed. After developing this code
(referenced in my appendix), I was able to pass the ciphertext through the tool developed
and enter 1,2,3,4,5,6,7,8,9,10 as my key, which eventually brute forced the correct
ciphertext at key 6:

WHERE WILL YOU BE TOMORROW AT TWELVE AM

Task 2

Block and Stream Ciphers

The primary difference between block and stream ciphers are how they are used, block ciphers are
used to encrypt/decrypt a block of information at a set size, for example Advanced Encryption
Standard (AES), used by the US Government and many private entities, is set with deterministic
block size of 128 bits, with key lengths of 128, 192 and 256 bits (Nirula, 2022). Stream ciphers
alternatively are encrypted 1 bit at a time, this makes them fit for live data encryption, this functions
in one of two ways, either Synchronous cipher, in which two key states will be identical so the
sender and receiver of the byte can generate the same pseudo-random numbers in order to
en/decrypt the ciphertext. Asynchronous ciphers have a keystream that is generated by a key which
then generates pseudo random numbers to then run the encryption/decryption algorithm (Bidgoli,
2002). RC4 was a popular cipher, until the discovery of the invariance attack after the leak of the
cipher in 2003 which essentially made the breaking of RC4 trivial (Imperva, 2015). The main
advantage of block ciphers is that they don’t just change data, they can use many layers of
protection on their encryption (Sengupta, 2022), whereas the comparatively simple nature of stream
ciphers and their reliance on their pseudorandom algorithm means that they can potentially be
XORed to be cracked, like eventually RC4 was.

Using this idea, we will look more in depth into the AES and RC4 algorithms, this feels fitting as both
algorithms are very understood.

AES
The AES encryption algorithm was developed out of the death of the DES encryption algorithm as
DES was effectively cracked due to its small key size. The AES encryption algorithm is a block cipher
and it encrypts information through a series of processes; first the data is split into blocks, then the
key is expanded through the Rijandael’s key schedule, then the initial key is added to the current
ciphertext, then byte substituted in Rijandeel’s S-Box, rows are then shifted (1st column stays, 2nd
column shifts once, 3rd twice and 4th three times), columns are then mixed, the round key from key
expansion is then added to the ciphertext and this is repeated depending on the size of the key, 256-
bit keys are repeated 14 times (Rimkienė, 2022). This has the effect of creating a very secure key,
AES 256 to the writing of this appears not to have been cracked.

4|Page
AES 256 is used for many things, but most infamously it is used by the US Government in the
encryption and sending of Top Secret classified documents, proving its reliability for long form,
secure encryption (National Security Agency, 2022).

The main downsides of AES and other block ciphers is that comparatively to something like RC4, it is
very resource intensive, the number of calculations that need to go on to encrypt a relatively small
amount of information can be a lot. This would make it unsuitable when speed is an important
factor in encryption.

RC4
RC4 is a stream cipher, this was designed by RSA Security in 1987 – making this the older of the two
ciphers – and was leaked to the public in 1994 (Yambadwar, 2021). RC4 works by inputting the
plaintext and a key, the keystream is then generated by: the Key Scheduling Algorithm (KSA) which
uses the keylength and is processed 256 times this mixes in the key bytes into the cipher and the
Pseudo-Random Generation Algorithm (PRGA) this produces a stream of bytes, this can then be
XORed with the plaintext to generate the ciphertext (Malviya, 2021). The important fact about RC4 is
that it is very resource light and is a remarkably simply code that can be very easily implemented
into many systems. It’s lightweight nature also makes it very effective at large streams of data, and
for a long time was used for the standard connection to home routers using the WEP security.

RC4 as mentioned earlier however was exploited in 2003, not long after it was leaked. This lead to
the phasing out of RC4 in many systems, a good example being WEP, as WEP was replaced with the
more secure WPA for router security (which would eventually be replaced by WPA2) (Salter, 2019).
This means RC4 is not a reliable Cipher anymore and mostly isn’t used being replaced by more
modern alternatives.

Differences
Even though these two systems are both ciphers, they are different in nearly every way. Not even
using similar methods to obscure their data and one being a stream cipher whilst the other is a block
cipher. AES is the more reliable of the two ciphers, it’s more robust obfuscation of the plaintext and
the fact it hasn’t been cracked despite being largely publicly understood and available to use, shows
it’s robustness, whereas RC4 is a very simple cipher that was cracked 5 years after with academic
articles from 1996 showing that brute force attacks were very capable of breaking the cipher (Kent &
Couture, 1996).

Suitability
AES is a very strong encryption standard for a block cipher and, has one major competitor which is
RSA. RSA is a very different type of block cipher which uses two large prime numbers to generate it’s
key and these can only be known from the creator of the public key, RSA therefore becomes much
more resource intensive and is better for smaller datasets (Franklin, 2022), so the suitability of which
one you would choose would depend on the data needing to be processed.

RC4 however is as mentioned earlier, unreliable, and insecure. It functions best with large datasets
and is a stream cipher, meaning it would be more suited to bit by bit transactions than AES, but
there are definitely alternative stream ciphers better than RC4. ChaCha seems to be one of the more
popular alternatives, a offshoot of the Salsa20 stream cipher, it is faster and equally secure as its
older version (Bernstein, 2008), making this a much stronger cipher to use for a scenario in which
you need a stream cipher.

5|Page
Task 3
For this purpose, I would suggest a linguistic algorithm. I do not know of any specifically so have
developed a null cipher of my own using punctuation to determine the ciphertext:

. or ? or ! – End of a sentence, if alone, the first word is plaintext

, – Count up the number of commas in a sentence, count that many words in and this is the
plaintext.

‘ – This denotes a false sentence, if there are two apostrophes, they counter one another and act as
none.

: – The word directly after the colon is the plaintext.

; – Two words after the semi-colon is the plaintext.

( ) – The word or words either side of the brackets are ciphertext.

Example:

Plain text: This is my encryption algorithm in action.

Cipher Text: This fish lets me grow. Yellow, is my pantaloons, green tells who. I like bees, they’re
cool. Second, my gran is a nazi. I despise encryption, it is the devils, lettuce. The strongest fact:
algorithm is cool. I like to be; second in. Action heroes’ are it’s best feature.

This algorithm would be translatable by a human, or a correctly coded program but would likely be
very hard to brute force as linguistic ciphers tend to be (Hamdan & Hamarsheh, 2017) but, also on
account of the ability to insert false sentences, and fake falses making the rule likely hard to discern
for outside observers even if they were aware there was a cipher involved. This cipher could be used
as the first example with jargon, or if implemented more intelligently could be used to hide hidden
messages in plain sight such as:

Plaintext: My cover is blown escape requested urgently.

Ciphetext. My friend John. I wish to inform you, my cover letter for the job was rejected. I don’t
know why. This is very disheartening, as I wished to work for that company. This has hurt my
confidence; my blown back has not helped matters. It escapes me, the name of our friend who could
help? I request your assistance in aiding my memory, it is not what it once was. I was speaking to our
kind friends in the Russian embassy: urgently, that is how they act.

This algorithm does however have some downsides, if it is broken, it is useless and new rules will
need to be assigned for each punctuation mark which could cause issues if this cipher is broken too
many times. Furthermore, this cipher would take an exceedingly long time to encode long pieces of
text into but for delivering short plaintext messages in plain sight that can be decoded by a human
being with the cipher relatively easily, it works perfectly.

Because of the algorithm not using all available punctuation marks, this could be expanded further
with more rules for: / @ # ~ - _ = + | \ [ ]

6|Page
References
Bernstein, D. J. (2008). ChaCha, a variant of Salsa20. Chicago: Department of Mathematics,
Statistics, and Computer Science .

Bidgoli, H. (2002). Encyclopedia of Information Systems. California: Elsevier.

Franklin, R. (2022, November 14). AES vs. RSA Encryption: What Are the Differences? Retrieved from
Precisely: https://www.precisely.com/blog/data-security/aes-vs-rsa-encryption-
differences#:~:text=RSA%20is%20more%20computationally%20intensive,only%20small%20
amounts%20of%20data.

Hamdan, A. M., & Hamarsheh, a. (2017). AH4S: an algorithm of text in text steganography using the
structure of omega network. Security and Communication Networks, 6004-6016.

Imperva. (2015). Attacking SSL when using RC4. Retrieved from imperva:
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Kent, K. B., & Couture, N. (1996). The Effectiveness of Brute Force Attacks on RC4. New Brunswick:
University of New Brunswick. Retrieved from
http://www.cs.unb.ca/~ken/papers/cnsr2004.pdf

Malviya, N. (2021, January 11). Rivest Cipher 4 (RC4). Retrieved from Infosec Institute:
https://resources.infosecinstitute.com/topic/rivest-cipher-4-rc4/

National Security Agency. (2022, October 3). Commercial Solutions for Classified (CSfC) Selections for
Internet Protocol Security (IPsec) Virtual Private Network (VPN) Gateways . Retrieved from
NSA.gov:
https://www.nsa.gov/portals/75/documents/resources/everyone/csfc/components-
list/selections/vpn-gateways.pdf

Nirula, U. (2022, March 27). Block Cipher. Retrieved from Study.com:

https://study.com/academy/lesson/block-cipher-definition-purpose-examples.html

Rimkienė, R. (2022, August 29). What is AES Encryption? Retrieved from Cybernews:
https://cybernews.com/resources/what-is-aes-encryption/

Salter, J. (2019, October 3). A brief history of Wi-Fi security protocols from “oh my, that’s bad” to
WPA3. Retrieved from Ars Technica: https://arstechnica.com/gadgets/2019/03/802-
eleventy-who-goes-there-wpa3-wi-fi-security-and-what-came-before-it/

Sengupta, S. (2022, February 3). Block Cipher vs. Stream Cipher. Retrieved from Crash-test security:
https://crashtest-security.com/block-cipher-vs-stream-cipher/

Yambadwar, S. (2021, December 6). What is RC4 Encryption? Retrieved from GeeksForGeeks:
https://www.geeksforgeeks.org/what-is-rc4-encryption/

7|Page