
Lesson 7

Cryptography and Security Techniques

Introduction
• Cryptographic techniques allow pre-agreed users to communicate or securely transfer
data or information even in the presence of malicious users.

• Cryptography is used not only to secure data while it is communicated but also when data is
stored and processed.

• Cryptography ensures:

– Confidentiality: This is achieved by encrypting the data, that is, converting the data into a format that
cannot be understood by anyone until it is reconverted or decrypted.

– Integrity: This is achieved using a hash function or message digest. The hash function takes an arbitrary
size input and produces a fixed size output. The output is used to prove the integrity of the data, since a
small change in the data changes the output substantially.

– Non-repudiation: This ensures that the sender of the information cannot deny at a later stage that he
or she is the owner of the information.

Terminologies
• The terminologies in the cryptosystem are

– The plain text is the actual content.

– The cipher text is the transformed text, which cannot be understood by anyone until
it is retransformed.

– The encryption is the transformation of plaintext to cipher text.

– Decryption is the transformation of the cipher text to plain text.

– The secret key is a piece of information that allows the user to perform secure
encryption and decryption.

Process

Plain Text → Encryption → Cipher Text → Decryption → Plain Text

• The encryption technique takes the plain text input and converts it to the cipher text.

• The cipher text is transmitted to the receiving end, where it is decrypted using
the decryption algorithm to produce the plain text again.

• Modern cryptography has two types of cryptosystem: Symmetric Key Cryptography
and Asymmetric Key Cryptography.

Symmetric Key Cryptography
• Symmetric key cryptography uses a secret key to encrypt the
plain text, and the same key is used to decrypt the cipher text.

Plain Text → Encryption (K) → Cipher Text → Decryption (K) → Plain Text

• The following two cipher methods are used to convert the plain text into cipher text
in symmetric key cryptography.

– Stream Cipher: This converts the plain text into cipher text by taking 1 bit or byte of
plain text at a time. This uses only the confusion property, and a key which can be used
only once.

– Block Cipher: This converts the plain text into cipher text by taking one block of plain text
at a time. This uses confusion as well as diffusion properties, and keys which can be
used more than once.
Data Encryption Standard (DES)
• It is a block cipher with a 64-bit block size. The key is 64 bits long, of which 56 bits
form the key; the last bit of every byte is for key parity.

• It has a total of 16 rounds of processing, and each round is given a 48-bit key as input,
produced by preprocessing the 56-bit key.

• The key is generated randomly using random functions.

• DES follows the SPN, that is, Substitution and Permutation Network.

[Figure: DES rounds. Left 32 bits and Right 32 bits; in each round, function f with a round key (K1, K2, ..., K16) and "+"; Inverse Initial Perm; Output]
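The key parity and the round structure described on this slide, as an added Python example that is not part of the original lesson: it drops the parity bit of each key byte to get the 56 key bits and runs a 16-round left/right network like the one in the figure. The key schedule and the round function f are SHA-256 stand-ins chosen for brevity (assumptions of this example, not the real DES ones), so this is not DES and not secure; the sample key and block are constructed.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def set_odd_parity(key64: bytes) -> bytes:
    """Rewrite the last bit of each key byte so that every byte has odd parity."""
    out = bytearray()
    for b in key64:
        high7 = b & 0xFE                       # the 7 bits that carry key material
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)

def effective_key(key64: bytes) -> int:
    """Drop the parity bit of each of the 8 bytes: 8 x 7 = 56 key bits."""
    if len(key64) != 8:
        raise ValueError("the key must be 64 bits (8 bytes)")
    k = 0
    for b in key64:
        k = (k << 7) | (b >> 1)
    return k

def round_keys(key64: bytes) -> list:
    """Stand-in key schedule (not the DES one): sixteen 48-bit round keys K1..K16."""
    k56 = effective_key(key64).to_bytes(7, "big")
    return [int.from_bytes(hashlib.sha256(k56 + bytes([i])).digest()[:6], "big")
            for i in range(1, ROUNDS + 1)]

def f(half32: int, k48: int) -> int:
    """Stand-in round function (not the DES f): 32-bit half + 48-bit key -> 32 bits."""
    data = half32.to_bytes(4, "big") + k48.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def run_rounds(block64: int, keys: list) -> int:
    """Split into left/right 32-bit halves and apply one round per round key."""
    if not 0 <= block64 < 1 << 64:
        raise ValueError("the block must be 64 bits")
    left, right = block64 >> 32, block64 & MASK32
    for k in keys:
        left, right = right, left ^ f(right, k)   # "+" in the figure is XOR here
    return (right << 32) | left                   # final swap of the halves

def encrypt(block64: int, key64: bytes) -> int:
    return run_rounds(block64, round_keys(key64))

def decrypt(block64: int, key64: bytes) -> int:
    # Same network, round keys in reverse order (K16 ... K1).
    return run_rounds(block64, round_keys(key64)[::-1])

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")       # constructed sample key
    same_key = bytes(b ^ 1 for b in key)          # differs only in the parity bits
    block = 0x0011223344556677                    # constructed sample block
    c = encrypt(block, key)
    print(f"56-bit key : {effective_key(key):014x}")
    print(f"ciphertext : {c:016x}")
    print("decrypts   :", decrypt(c, key) == block)
    print("parity bits ignored:", encrypt(block, same_key) == c)
```

Two 64-bit keys that differ only in their parity bits give the same ciphertext, which is why the search space is 2^56 keys rather than 2^64.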
Problem with Symmetric Key Cryptography
• The symmetric key cryptosystem uses the same key for both encryption and
decryption, and this key must be kept secure, which means known only to the sender and receiver
of the message.

• For example, both communicating parties, Alice and Bob, should know the secret key,
and the problem is how this secret key can be shared over a public channel.

• One option is for Alice and Bob to physically meet in a place and share the secret key.
Later on, whenever they want to exchange a message, the sending party can encrypt it using
the shared secret key and send it to the receiving party. The receiving party can decrypt the
encrypted message or cipher text using the secret key already available.

• However, physically meeting and sharing a key is not feasible in all cases. Also, each
party has to share a key with multiple parties, and this greatly increases the complexity.

• Hence, the concept of the asymmetric cryptosystem was introduced.


Asymmetric Key Cryptography
• The asymmetric cryptosystem, or public key cryptosystem, uses
two keys, unlike the symmetric key cryptosystem, which uses
one key for both encryption and decryption.

Plain Text → Encryption Algorithm (KPub) → Cipher Text → Decryption Algorithm (KPri) → Plain Text

• The public key cryptosystem is mainly used for sharing the data encryption key.

Secure Messaging Process using symmetric and
asymmetric cryptosystem

RSA algorithm

1. The example of RSA encryption and decryption is as follows. First, choose two prime numbers. Select primes p = 13, q = 17.

2. n = p * q = 13 * 17 = 221
   phi = (p-1) * (q-1) = 12 * 16 = 192

3. Choose e = 5. Check gcd(e, p-1) = gcd(5, 12) = 1 (i.e. 5 and 12 have no
common factors except 1), and check gcd(e, q-1) = gcd(5, 16) = 1,
therefore gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(5, 192) = 1.

4. Compute d such that ed ≡ 1 (mod phi), i.e. compute d = (1/e) mod
phi = (1/5) mod 192,
i.e. find a value for d such that phi divides (ed-1), i.e. find d such that
192 divides 5d-1.
Simple testing (d = 1, 2, ...) gives d = 269.

Check: ed-1 = 5 * 269 - 1 = 1344, which is divisible by phi, that is, 1344
mod 192 = 0.

5. Public key = (n, e) = (221, 5); Private key = (n, d) = (221, 269).

Now say we want to encrypt the message M = 8:

C = M^e mod n = 8^5 mod 221 = 32768 mod 221 = 60

Hence the ciphertext C = 60, and decryption is as follows:

M = C^d mod n = 60^269 mod 221 = 8
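The worked example above carried through in Python, as an added example that is not part of the original lesson; the function names are assumptions of this example. It also shows that testing d = 1, 2, ... reaches 77 before 269 (269 = 77 + 192), and that either value decrypts every message correctly.

```python
from math import gcd

def make_key(p: int, q: int, e: int):
    """Return (n, phi, d) for textbook RSA, with d the smallest valid exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with phi")
    return n, phi, pow(e, -1, phi)      # modular inverse, Python 3.8+

def is_private_exponent(e: int, d: int, phi: int) -> bool:
    """The slide's check: phi divides e*d - 1."""
    return (e * d - 1) % phi == 0

def d_by_trial(e: int, phi: int, count: int = 2) -> list:
    """'Simple testing (d = 1, 2, ...)': the first `count` values that pass the check."""
    found, d = [], 1
    while len(found) < count:
        if is_private_exponent(e, d, phi):
            found.append(d)
        d += 1
    return found

def encrypt(m: int, e: int, n: int) -> int:
    if not 0 <= m < n:
        raise ValueError("the message must satisfy 0 <= M < n")
    return pow(m, e, n)                 # C = M^e mod n

def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)                 # M = C^d mod n

def round_trips(e: int, d: int, n: int) -> bool:
    """True if every message 0..n-1 survives encrypt-then-decrypt."""
    return all(decrypt(encrypt(m, e, n), d, n) == m for m in range(n))

if __name__ == "__main__":
    p, q, e = 13, 17, 5                 # values from the slide
    n, phi, d_min = make_key(p, q, e)
    print("n =", n, " phi =", phi, " smallest d =", d_min)
    print("d by trial:", d_by_trial(e, phi))
    c = encrypt(8, e, n)
    print("C =", c)
    for d in (d_min, 269):
        print(f"d = {d}: M = {decrypt(c, d, n)}, all messages round-trip: "
              f"{round_trips(e, d, n)}")
```

Textbook RSA as shown is deterministic: M = 8 always encrypts to the same C under this key, and with n = 221 there are only 221 possible messages, so the example is for following the arithmetic only.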
Key Types

• Private and public signature keys: This key pair is used to generate and verify digital signatures.

• Symmetric authentication key: This key is used for message authentication.

• Symmetric data encryption key: A single key used for encryption as well as decryption of
the data to ensure confidentiality.

• Symmetric key-wrapping key: Also called a key-encryption key, it is used to encrypt/decrypt
other keys.

• Symmetric random number generation key: This is used as a seed to generate
pseudo-random numbers.

• Symmetric master key: It is used to derive other symmetric keys; also known as a key-derivation
key.

Attacks

• Based on the actions of the attackers, the
attacks are categorized as follows.

– Passive Attacks: The main goal of a passive attack
is to obtain unauthorized access to the
information without disrupting the service.

– Active Attacks: An active attack involves changing
the information and disrupting the service.
Attack model on the Cryptosystem

• Ciphertext-only attack (COA) – The assumption here is that the cryptanalyst has
access only to the ciphertext, and has no access to the plaintext.
– Brute force attack or exhaustive key search is a type of ciphertext-only attack in which
every possible key is tried until the correct one is found. For example, if the key size is 3
bits then all 2^3 possible keys will be tried to find the exact key. This becomes complex when the
size of the key is large.

• Known-plaintext attack (KPA) – The cryptanalyst has access to a limited number
of plaintexts and the corresponding enciphered texts.

• Chosen-plaintext attack (CPA) – The cryptanalyst is able to choose a number of
plaintexts to be enciphered and has access to the resulting ciphertext.

• Chosen-ciphertext attack (CCA) – The cryptanalyst can choose arbitrary
ciphertext and has access to the plaintext decrypted from it.

Cryptoperiod

• A cryptoperiod is the lifetime for which a specific key is authorized for use by
legitimate entities; after that it is considered expired.

• Some of the reasons for having a cryptoperiod are as follows:

– Limits the amount of exposure if a single key is compromised – The disclosure
of a key will not disclose all the data. Only the
data encrypted using the compromised key can be disclosed.

– Limits the time available for attempts to penetrate the system to get the key.
After the cryptoperiod, even an attacker who gains the key gets no use from
it.

– Limits the time available for computationally intensive cryptanalytic attacks.

Hash functions
• The cryptographic hash function takes an arbitrary size input and produces a
fixed size output.

• It is a one-way function, that is, a function which is practically infeasible to
invert or reverse, meaning to recover the input from the
output.

• However, using a brute force search, an equivalent input can be
identified for a given output, but this is a very exhaustive process.

• The hash algorithm is deterministic, that is, however many times we
give the same input to the function, it will always produce the same output;
however, the output the algorithm produces for a specific input appears random.

Example
• A small change in the input gives an avalanche effect in the output, for
example:

• Input 1: Hello Anna University. I am the student of you and in second year of
the course.
– Function: SHA256
– Output1:
df6ba298ff42e40e44e8be8d6303c2bb08230a4c17b52ca8b7037ef5a57c1360

• Input 2: Hi Anna University. I am the student of you and in second year of
the course.
– Function: SHA256
– Output2:
4002e2040c3c336b38578d9db91188e632428aa3adc1f40fa197a70e36a5b7c2

Properties
• Pre-Image Resistance: A hash function should be a one-way function; it should not be
possible to recover the input from the output using any function.

• Second Pre-Image Resistance: Given an input and its hash output, it
should be hard to find a different input with the same hash. For
example, from a given input M1 and its hash H, it
should be hard to find a message M2 which produces the same hash
output H.

• Collision Resistance: Finding two different inputs of any length that
produce the same hash should be hard. The difference from the
above is that one is free to choose any two inputs.

Digital Signature

• The digital signature is a technique to ensure the authenticity and the integrity of the
message, that is, that the message is from the specific source and that the message has not been
modified.

• This is achieved with the help of encryption and hashing.

• The user who wishes to send the message computes the hash of the message,
encrypts the hash using his/her private key and sends the message along with the
encrypted hash to the receiver.

• On arrival of the message and the encrypted hash, the receiver decrypts the encrypted
hash using the sender’s public key. The receiver also computes the hash of the received message.

• If the decrypted hash and the computed hash match, then the received message is from
the specific sender and the message has not been modified.
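The sign-and-verify steps above, together with the avalanche effect from the hash example slide, as an added Python example that is not part of the original lesson. The key is a constructed toy key (textbook RSA with no padding, built from two Mersenne primes) and the function names are assumptions of this example; the exact bytes of the slide's two inputs are not recoverable from the page, so the digests here are not compared with the slide's outputs.

```python
import hashlib

# Constructed toy key. Two Mersenne primes give a modulus large enough to hold a
# SHA-256 digest, but such a modulus is trivially factorable: illustration only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537                                   # public exponent (public key is N, E)
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

MSG1 = b"Hello Anna University. I am the student of you and in second year of the course."
MSG2 = b"Hi Anna University. I am the student of you and in second year of the course."

def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the message, then transform the hash with the private key."""
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recover the hash with the public key and compare with a fresh hash."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)

def differing_bits(a: bytes, b: bytes) -> int:
    """Avalanche effect: number of the 256 digest bits that differ between a and b."""
    return bin(digest_int(a) ^ digest_int(b)).count("1")

if __name__ == "__main__":
    sig = sign(MSG1)
    print("original message verifies :", verify(MSG1, sig))
    print("modified message verifies :", verify(MSG2, sig))
    print("modified signature verifies:", verify(MSG1, sig ^ 1))
    print("digest bits changed by Hello -> Hi:", differing_bits(MSG1, MSG2), "of 256")
```

Because roughly half of the digest bits change when "Hello" becomes "Hi", the hash recovered from the signature no longer matches and verification fails.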

Public Key Infrastructure

• The public key infrastructure (PKI) is a set of roles, policies, and procedures
needed to create, manage, distribute, use, store and revoke digital certificates
and manage public-key encryption.

• In simple words, PKI answers the question of how the receiver ensures
that the public key shared by the sender is authentic and that he/she is the one
sending it.

• For example, when we are accessing the google.com server, the public key of
the Google server is shared with us (this is the internal process of the browser)
but we are not sure whether the key belongs to Google or someone else.

• To answer this, the concept of the digital certificate in PKI is used.

Digital Certificate

Cryptographic Vulnerabilities
• There are various vulnerabilities present in the different
cryptographic techniques.

• Length Extension Attack: This attack is possible in
hash functions that use the Merkle-Damgard construction.

• Key Extraction in RSA by having a common modulus:
Instead of generating a unique modulus N = p*q for each
user, a trusted server may wish to have a single N for all
users.

Malware Protection

• Malware, short for "malicious software", refers to a type of computer
program designed to infect a legitimate user's computer and inflict harm on it
in multiple ways.

• It is vital that all users know how to recognize and protect themselves from
malware in all of its forms.

Malware Growth Statistics

Types of malware
• Virus
• Worm
• Trojan
• Advanced Persistent Threat
• Ransomware
• Web drive-by
• Spyware
• Rootkit
• Bots & Botnets
• Adware
• And so on

Protection Mechanism
• Personal vigilance: The user must be very careful when
downloading any files or clicking on any anonymous links.

• Protective tools: A robust antivirus is the primary
component of technological defenses that every personal
and business computer system should have.
– Anti-Virus
– Intrusion Detection System
– Intrusion Prevention System
– Firewall

Intrusion Detection System
• The Intrusion Detection System (IDS) can be software or
hardware that regularly monitors the network or system for
malicious activity or violations of policy.

• In general, IDS is categorized into
– Host-Based IDS (HIDS)
– Network-Based IDS (NIDS)

• The detection method of IDS has two modes:
– Signature based
– Anomaly based

Firewall
• A packet-filtering firewall examines packets in isolation and does not
know the packet's context as shown in the above example.

• A stateful inspection firewall examines network traffic to determine
whether one packet is related to another packet and then takes the decision.

• A Next Generation Firewall has a multilayered approach that integrates
firewall capabilities with an IDS/IPS and application control.

• Circuit Level Gateway is a session level monitor. For example, TCP data
packet handshaking will be validated based on firewall rules and policies.

IDS vs Firewall vs Anti-Virus

• The network-based IDS and the firewall are network security devices;
however, a traditional firewall (excluding the NGFW) follows a static set
of rules to permit or deny network connections.

• Essentially, firewalls limit access to networks to prevent intrusion and do
not address the detection of attacks inside the network.

• This is achieved by the Intrusion Detection System, that is, the IDS watches for
attacks that originate from within a system.

• The Anti-Virus also checks for attacks within the system, but
traditional Anti-Virus does not have the capability of an IDS and cannot check
for violations of policy.

Threat and Incident Management

• This is the process of identifying, managing,
recording and analyzing security threats or
incidents in real-time.

Vulnerability

• This is a loophole in the application or system that is exploited by attackers to
damage or disrupt the services.

– Network vulnerabilities: These vulnerabilities are spread over a network of systems. Here, systems
refers to computers, routers, IoT devices, and others communicating with the internet.

– System vulnerabilities: These are vulnerabilities that are exclusive to a particular device or IT
asset.

– Application vulnerabilities: This is a flaw in an application that may allow attackers to
do damage. It could expose sensitive data and may also give them full access to the system.

– Configuration vulnerabilities: These are vulnerabilities which originate from flaws like
having default passwords, or not using any passwords for accessing devices such as
cameras and home devices. This vulnerability is caused by flawed configuration
by the end user or the manufacturer.

Vulnerability Management
• This is the process of identifying, evaluating,
removing and reporting security vulnerabilities
in systems and the software that runs on them.

[Figure: vulnerability management cycle with the stages Detect Vulnerability, Assess the risk, Prioritize remediation, Confirm remediation]

Security information and event management (SIEM)

• This is the part of computer security that combines security information
management (SIM) and security event management (SEM).

• It analyzes the security alerts generated by applications and network
hardware in real time.

• These systems are also used to log security data and generate reports
for compliance purposes, that is, to check whether the organization
complies with a standard or not.

• This helps organizations recognize potential security threats and
vulnerabilities before they have a chance to disrupt business operations.

SIEM - Capabilities

• Data aggregation: Log management collects and aggregates data from different sources such as
network, servers, databases, applications.

• Correlation: Identifies common attributes and links events together into meaningful bundles.
This integrates different sources in order to turn data into useful information.

• Alerting: The automated analysis of correlated events or any anomalous events in the system or
application, alerting the administrators.

• Dashboards: Fetch the event data and present it in informational charts to assist in seeing
patterns, or identifying activity that does not form a standard pattern. This helps the security
team understand the abnormality well and is useful for convincing non-security
professionals.

• Compliance: Applications can be developed and implemented to automate the collection of
compliance data, producing reports that adapt to existing security, governance and auditing
processes.

• Retention: Provides long-term storage for historical data, which facilitates correlation of
data over time and provides the retention necessary for compliance requirements.
Computer Forensic
• Forensics is the process that takes place after the incident to collect the evidence found in
devices and digital storage media.

• The objective is to identify, preserve, recover, analyze and present facts and opinions about the
digital information.

• The use of computer forensics is not always tied to a crime. It is also used in the data recovery
process to gather data from a crashed server, failed drive, formatted operating system or
other situation where a system has unexpectedly stopped working.

– Database forensics: The examination of information contained in databases, both data and related
metadata to identify the unauthorized modification or insertion of the data.

– Email forensics: The recovery and analysis of emails and other information contained in email platforms,
such as schedules, contacts, contents, etc.

– Malware forensics: Analyzing the code to identify possible malicious programs and analyzing their payload.
Such programs may include Trojan horses, Ransomware or various viruses. 

– Mobile forensics: It is used for the recovery of digital evidence or the lost data from mobile devices.
Forensic Techniques
• Cross-drive analysis: Correlates information found on multiple hard drives, identifies the
connections and detects anomalies, if any.

• Live analysis: The device is analyzed from within the Operating System while the device
is running. The analysis looks at volatile data, which is often stored in cache or RAM.
It is also used to collect encryption keys during the encryption process.

• Deleted files: A common technique used in computer forensics is the recovery of
deleted files. Most operating systems and file systems do not always erase
physical file data, allowing investigators to reconstruct it from the physical disk sectors.

• Stochastic forensics: The analyzer reconstructs digital activity without the use of digital
artifacts. Artifacts include clues related to a digital crime, such as changes to file
attributes during data theft. This type of forensics is frequently used where the attacker
is thought to be an insider, who might not leave digital artifacts or might delete them.

Computer forensics Process

• Data collection or Acquisition
• Analysis
• Presentation

Tools
• Software Tools (Few)
– Autopsy
– EnCase
– The Sleuth Kit
– Forensic Toolkit (FTK)
• Hardware tools (Few)
– Forensic Recovery of Evidence Device (FRED)
– CRU Forensic field kit

Local Environment Management

• In most organizations, the IT infrastructure is distributed and maintained across
various regions.

• It is very important to give attention to each location and provide
security according to the local environment.

• The organization cannot have the same security plan for all locations,
because the local environment of each location differs; hence a unique
security plan is required.

• According to the local environment, unique physical security, personnel
security, and information security requirements need to be arranged.

Physical Security

• Physical security is the protection of personnel, hardware, software, networks and data from physical actions
and events that could cause serious loss or damage to an organization.

• The physical infrastructure of an organization is as follows.
– Information system hardware: This includes storage equipment, transmission and networking facilities, supporting
documentation, and offline storage media.
– Physical facility: This includes buildings and other structures containing the system and network components.
– Supporting facilities: This includes electrical power, communication services, and environmental controls such as heat,
humidity, etc.
– Personnel: Humans involved in the control, maintenance, and use of the infrastructure.

• Physical Security Threats
– Environmental threats
– Technical threats
– Human-caused threats

• Security
– Access control
– Surveillance
– Testing

Business Continuity Planning
• The service of a business is always affected by two kinds of threats:
– one is natural disaster, that is, earthquake, flood, cyclone, etc.
– the second is the attacker, which may be a human or automated bots.

• Safety and security are required to continue and protect the service.
Business Continuity Planning and Disaster Recovery Management is a strategy for
maintaining service continuity even if the infrastructure is disrupted by an
unanticipated activity.

• The important goals of the BCP are as follows.
– Availability: The service should always be available regardless of local failures. These failures
might be in the business processes, in the physical facilities or in the IT hardware or software.
– Continuous operations: The intention is to keep the service running during a disruption, as well as
during planned outages such as scheduled backups or planned maintenance.
– Disaster recovery: A mechanism is needed to recover data from a different site if a disaster
destroys the primary site.

Google Business Continuity Plan

• Recovery Time Objective (RTO): This is the maximum
acceptable length of time that the client application can be
offline; it is defined in the service level agreement.

• Recovery Point Objective (RPO): This is the maximum
acceptable length of time during which data might be lost
from the client application due to a major incident. This metric
varies based on the ways that the data is used. For example,
user data that is frequently modified could have an RPO of just
a few minutes. In contrast, less critical, infrequently modified
data could have an RPO of several hours.

Identity and Access Management

• Identity and Access Management (IAM) ensures that the right people access the allotted
resources. This ensures secure service provisioning and service access.
– Provisioning process: The users with accounts and access rights are allowed to access systems and
applications at any time.
– User access process: This allows users to access a new system by performing access process acts such as
authentication and sign-on.

• There are three deployment approaches for IAM:

– Centralized: All access decisions, provisioning, management, and technology are concentrated in a single
physical or virtual location. Policies, standards, and operations are pushed out to all users/sites from this
single location only.

– Decentralized: Organizational entities at local, regional, or business unit level can be involved in making the
decisions for all access choices, provisioning, management, and technology.

– Federated: Each organization is allowed to subscribe to a common set of policies, standards, and procedures
for the provisioning and management of users.
