Categories
1. Introduction to Cryptography 3. Modern Cryptography

Security Services of Cryptography

The primary objective of using cryptography is to provide the following four fundamental information security services. Let us now see the possible goals intended to be fulfilled by cryptography.

Confidentiality

Confidentiality is the fundamental security service provided by cryptography. It is a security service that keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy.

Confidentiality can be achieved through numerous means, ranging from physical security to the use of mathematical algorithms for data encryption.

Data Integrity

It is a security service that deals with identifying any alteration to the data. The data may get modified by an unauthorized entity intentionally or accidentally. The integrity service confirms whether data is intact or not since it was last created, transmitted, or stored by an authorized user.

Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has been manipulated in an unauthorized manner.

Authentication

Authentication provides the identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender.

Authentication service has two variants −

  • Message authentication identifies the originator of the message without any regard to the router or system that has sent the message.
  • Entity authentication is assurance that data has been received from a specific entity, say a particular website.

Apart from the originator, authentication may also provide assurance about other parameters related to data such as the date and time of creation/transmission.

Non-repudiation

It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment or an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of the said data to a recipient or third party.

Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the purchase order, if non-repudiation service was enabled in this transaction.


History of cryptography – A timeline of important events

Cryptology is a very young science. Although humans have had rudimentary forms of cryptography for thousands of years, the systematic study of cryptology as a science only began about a hundred years ago. The advent of computers made cryptography many orders of magnitude more complex than it had been previously.

  • 1900 BC – First evidence of altered symbols in text found in the tomb of Khnumhotep II in Egypt. The writings weren’t meant to be secret, but are the first evidence we have of someone altering encoding symbols.
  • 100 BC – Caesar Cipher. Julius Caesar was known to use a form of encryption to convey secret messages to his army generals posted on the war front. This substitution cipher, known as the Caesar cipher, is perhaps the most mentioned historic cipher (an algorithm used for encryption or decryption) in academic literature. It’s a simple cipher where each character of the plain text is simply substituted by another character to form the ciphertext. For example, “a” becomes “d”, “b” becomes “e”, and so on.
  • 500 AD – Vigenere’s Cipher. Vigenere designed a cipher that is said to have been the first cipher to use a secret key.
  • 1800 – Hebern Rotor Machine. In the early 1800s, when everything became electric, Hebern designed an electromechanical device that used a single rotor in which the secret key is embedded in a rotating disk. The key encoded a substitution box and each keystroke on the keyboard resulted in the output of ciphertext. Like the Caesar and Vigenere ciphers, Hebern’s machine was broken by using letter frequencies.
  • 1918 – Enigma Machine. The Enigma machine was invented by German engineer Arthur Scherbius at the end of World War I and was heavily used by German forces during World War II. The Enigma machine used 3 or more rotors that spin at different speeds as you type on the keyboard and output corresponding letters of the ciphertext. In the case of Enigma, the key was the initial setting of the rotors.
  • 1943 – Alan Turing and others on his team at Bletchley Park complete the “Heath Robinson”, a specialized machine for cipher-breaking. This team was also responsible for cracking the Enigma Machine during the Second World War.
  • 1948 – Claude Shannon writes a paper that is responsible for establishing our modern mathematical basis of information theory.
  • 1970 – Lucifer Cipher. In the early 1970s, a team from IBM designed a cipher called Lucifer. The National Bureau of Standards (now NIST) in the U.S. put out a request for proposals for a block cipher that would become a national standard. Lucifer was eventually accepted and became DES (Data Encryption Standard).
  • 1977 – RSA public key encryption invented by Ron Rivest, Adi Shamir and Leonard Adleman.
  • 1991 – Phil Zimmermann releases PGP.
  • 1994 – Secure Sockets Layer (SSL) encryption protocol released by Netscape, which now secures the majority of the modern web.
  • 1994 – Peter Shor devises an algorithm which lets quantum computers determine the factorization of large integers quickly.
  • 1997 – DES Broken by exhaustive search. In 1997 and the following years, DES was broken by an exhaustive search attack. The main problem with DES was the small size of the encryption key. As computing power increased, it became easy to brute force all the different combinations of the key to get a possible plaintext message.
  • 2000 – AES accepted as DES replacement. In 1997, NIST again put out a request for proposal for a new block cipher. It received 50 submissions. In 2000, it accepted Rijndael, and christened it as AES or the Advanced Encryption Standard.
  • 2004 – MD5 shown to be vulnerable to collisions
  • 2009 – Bitcoin network launch

How do Bitcoin, cryptocurrency and other blockchains utilize cryptography?

Bitcoin and other cryptocurrencies rely on cryptographic algorithms to function, hence the “crypto” in the name. Bitcoin uses two primary cryptographic methods. The first is asymmetric encryption. A bitcoin wallet is, at its core, a collection of private keys that can be used to sign transactions on the network. Bitcoin and other blockchain technologies utilize cryptographic signatures, which are a form of asymmetric encryption, to guarantee that when you send a Bitcoin to your friend, it was actually you that sent it.

The second is hashing. Bitcoin mining makes use of the SHA-256 algorithm to act as a proof-of-work on the network. Because the output of hash functions can’t be easily guessed, the network can trust that an actor in the network has expended a good deal of energy computing the result of a calculation.

The reason we care that it took someone a lot of work to add a new block to the blockchain is to make it more secure. Every miner has to solve a difficult “hashing lottery” to add a new block, but if it were too easy, anyone could add new blocks quickly to rewrite the blockchain to their advantage.
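
The “hashing lottery” and its effect on rewriting history can be shown with a small model. This is an added example, not code from the original page or from Bitcoin itself: the header layout, the placeholder first-block hash and the function names are assumptions, and the difficulty is counted in leading zero bits.

```python
import hashlib
from typing import Dict, List, Tuple

GENESIS_PREV = b"\x00" * 32  # assumed placeholder "previous hash" for the first block


def leading_zero_bits(digest: bytes) -> int:
    """Count how many zero bits the digest starts with."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def block_hash(header: bytes, nonce: int) -> bytes:
    """SHA-256 applied twice, as Bitcoin does; the header layout is simplified."""
    inner = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return hashlib.sha256(inner).digest()


def meets_target(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs one hash computation, however long mining took."""
    return leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits


def mine(header: bytes, difficulty_bits: int) -> Tuple[int, int]:
    """Try nonces until the hash meets the target; return (nonce, attempts)."""
    nonce = 0
    while not meets_target(header, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


def header_for(prev_hash: bytes, payload: bytes) -> bytes:
    """A block header commits to the previous block and to its own payload."""
    return prev_hash + hashlib.sha256(payload).digest()


def build_chain(payloads: List[bytes], difficulty_bits: int) -> List[Dict]:
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        header = header_for(prev, payload)
        nonce, attempts = mine(header, difficulty_bits)
        chain.append({"prev": prev, "payload": payload,
                      "nonce": nonce, "attempts": attempts})
        prev = block_hash(header, nonce)
    return chain


def first_invalid_block(chain: List[Dict], difficulty_bits: int) -> int:
    """Return the index of the first block that fails verification, or -1."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        header = header_for(prev, block["payload"])
        if block["prev"] != prev or not meets_target(header, block["nonce"], difficulty_bits):
            return index
        prev = block_hash(header, block["nonce"])
    return -1


if __name__ == "__main__":
    # Constructed sample payloads.
    ledger = build_chain([b"alice->bob 1", b"bob->carol 1"], 16)
    for block in ledger:
        print(block["payload"], "took", block["attempts"], "attempts")
    print("first invalid block:", first_invalid_block(ledger, 16))
```

Changing the payload of an earlier block changes its header, so the stored nonce no longer meets the target and the work for that block and every later block has to be repeated.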


Guidelines for cryptographers

Never try to design your own cryptosystem. The best cryptographers in the world routinely design cryptosystems with serious security flaws. As it turns out, it’s really hard to build a secure system. There are just too many attack vectors to consider.

For a cryptosystem to be considered “secure enough” it needs to go through intense scrutiny by the security community. “Security through obscurity”, or the fact that attackers may not have knowledge of your system, is something that should never be relied on. In fact, good systems do expose to attackers how they work. Only the private keys should be kept secret.

The enemy knows the system. One ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.

According to Kerckhoffs’s principle

Always take reasonable steps to protect any keys that your software systems use.

Never store encryption keys in plain text with the data they protect. That’s the virtual equivalent of locking your front door and leaving the key on the frame. It’s the first place an attacker will look.

Let’s take a look at a few rules of thumb for securely storing keys.

  1. Protect your private keys with strong access control lists, or ACLs. Follow the principle of least privilege, that is, only allow those who really need the keys to get access to them.
  2. Use a secure password or secret manager to keep track of your keys. Good secret managers will encrypt your keys using a strong key-derivation function like bcrypt or scrypt.
  3. In extreme cases, a hardware security module is a physical device that can be used to store keys offline securely. Software applications can then access HSMs connected to the same machine. The HSM actually performs decryption on the HSM itself, so the keys never leave the device.

Lastly, ensure you only use key strengths and operating modes that comply with the latest industry best practices. For example, AES-256 should typically be used over AES-128, if for no other reason than its larger key size provides more entropy when going up against a quantum algorithm.


Principles of cryptography

The core principles of modern-day cryptography include:

  • Confidentiality
  • Integrity
  • Non-repudiation
  • Authentication

Let’s go over each one by one.

Confidentiality

Data Confidentiality ensures that the data is limited to those who are authorized to view it. The data should only be visible to those who possess some critical information, like the decryption key, for example.

Integrity

Data integrity refers to the accuracy, legitimacy, and consistency of information in a system. When a message is sent, particularly using an untrusted medium like the internet, data integrity assures us that a message wasn’t tampered with or accidentally altered.

Let’s use the example of military orders. We’re at war and an army general needs to send an order of retreat to his troops across the sea. Without a guarantee of data integrity, a hacker could intercept the message, change the order, and send it on its way. The army might receive an order to advance and walk right into a trap the general knew about.

Non-repudiation

Non-Repudiation assures that no one can deny the validity of the data in question, and is actually a legal term used in cyber security. Non-Repudiation is typically accomplished by the use of a service that provides proof of the origin and integrity of the information. It makes it nearly impossible to successfully deny who or where a message came from.

Non-repudiation is similar to data integrity, but it has more to do with knowing who sent the information, and less with whether or not it was changed along the way. In the military example from above, even if we could guarantee that the retreat order was never tampered with, non-repudiation would be a way to ensure it was the general who gave the order in the first place, and not some enemy spy.

Authentication

There are two kinds of authentication typically used in cryptography.

  1. Integrity authentication like a MAC or HMAC ensures that data hasn’t been tampered with.
  2. Source authentication, like an SSL certificate, can be used to verify the identity of who created the information. Every time you connect to a website over HTTPS, your browser ensures that you’re connected to the site you think you are by checking the SSL certificate.

What problems does cryptography solve?

A secure system should provide several assurances such as confidentiality, integrity, and availability of data as well as authenticity and non-repudiation. When used correctly, crypto helps to provide these assurances. Cryptography can ensure the confidentiality and integrity of both data in transit as well as data at rest. It can also authenticate senders and recipients to one another and protect against repudiation.

Software systems often have multiple endpoints, typically multiple clients, and one or more back-end servers. These client/server communications take place over networks that cannot be trusted. Communication occurs over open, public networks such as the Internet, or private networks which may be compromised by external attackers or malicious insiders.

Cryptography can protect communications that traverse untrusted networks. There are two main types of attacks that an adversary may attempt to carry out on a network. Passive attacks involve an attacker simply listening on a network segment and attempting to read sensitive information as it travels. Passive attacks may be online (in which an attacker reads traffic in real-time) or offline (in which an attacker simply captures traffic in real-time and views it later, perhaps after spending some time decrypting it). Active attacks involve an attacker impersonating a client or server, intercepting communications in transit, and viewing and/or modifying the contents before passing them on to their intended destination (or dropping them entirely).

The confidentiality and integrity protections offered by cryptographic protocols such as SSL/TLS can protect communications from malicious eavesdropping and tampering. Authenticity protections provide assurance that users are actually communicating with the systems as intended. For example, are you sending your online banking password to your bank or someone else?

Cryptography can also be used to protect data at rest. Data on a removable disk or in a database can be encrypted to prevent disclosure of sensitive data should the physical media be lost or stolen. In addition, it can also provide integrity protection of data at rest to detect malicious tampering.


What is the difference between symmetric and asymmetric cryptography?

With symmetric cryptography, the same key is used for both encryption and decryption. A sender and a recipient must already have a shared key that is known to both. Key distribution is a tricky problem and was the impetus for developing asymmetric cryptography.

With asymmetric crypto, two different keys are used for encryption and decryption. Every user in an asymmetric cryptosystem has both a public key and a private key. The private key is kept secret at all times, but the public key may be freely distributed.

Data encrypted with a public key may only be decrypted with the corresponding private key. So, sending a message to John requires encrypting that message with John’s public key. Only John can decrypt the message, as only John has his private key. Any data encrypted with a private key can only be decrypted with the corresponding public key. Similarly, Jane could digitally sign a message with her private key, and anyone with Jane’s public key could decrypt the signed message and verify that it was in fact Jane who sent it.

Symmetric is generally very fast and ideal for encrypting large amounts of data (e.g., an entire disk partition or database). Asymmetric is much slower and can only encrypt pieces of data that are smaller than the key size (typically 2048 bits or smaller). Thus, asymmetric crypto is generally used to encrypt symmetric encryption keys which are then used to encrypt much larger blocks of data. For digital signatures, asymmetric crypto is generally used to encrypt the hashes of messages rather than entire messages.

A cryptosystem provides for managing cryptographic keys including generation, exchange, storage, use, revocation, and replacement of the keys.


The CIA triad in Cryptography

When talking about network security, the CIA triad is one of the most important models which is designed to guide policies for information security within an organization. 

CIA stands for:

  1. Confidentiality
  2. Integrity
  3. Availability

These are the objectives that should be kept in mind while securing a network. 

Confidentiality :
Confidentiality means that only authorized individuals/systems can view sensitive or classified information. The data being sent over the network should not be accessed by unauthorized individuals. The attacker may try to capture the data using different tools available on the Internet and gain access to your information. A primary way to avoid this is to use encryption techniques to safeguard your data so that even if the attacker gains access to your data, he/she will not be able to decrypt it. Encryption standards include AES (Advanced Encryption Standard) and DES (Data Encryption Standard). Another way to protect your data is through a VPN tunnel. VPN stands for Virtual Private Network and helps the data to move securely over the network.

Integrity :
The next thing to talk about is integrity. The idea here is to make sure that data has not been modified. Corruption of data is a failure to maintain data integrity. To check if our data has been modified or not, we make use of a hash function.
We have two common types: SHA (Secure Hash Algorithm) and MD5 (Message Digest 5). MD5 is a 128-bit hash and SHA is a 160-bit hash if we’re using SHA-1. There are also other SHA methods that we could use, like SHA-0, SHA-2, SHA-3.

Let’s assume Host ‘A’ wants to send data to Host ‘B’ maintaining integrity. A hash function will run over the data and produce an arbitrary hash value H1 which is then attached to the data. When Host ‘B’ receives the packet, it runs the same hash function over the data which gives a hash value H2. Now, if H1 = H2, this means that the data’s integrity has been maintained and the contents were not modified. 
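
The H1 = H2 check, written out and placed next to the keyed MAC/HMAC check mentioned under “Authentication” earlier on this page. This is an added example, not code from the original page: the function names and the sample messages are constructed, and the HMAC key is assumed to be shared by Host A and Host B in advance.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def send_with_hash(data: bytes) -> Tuple[bytes, bytes]:
    """Host A: compute H1 over the data and attach it."""
    return data, hashlib.sha256(data).digest()


def verify_hash(data: bytes, h1: bytes) -> bool:
    """Host B: recompute H2 over the received data and compare it with H1."""
    h2 = hashlib.sha256(data).digest()
    return hmac.compare_digest(h1, h2)


def send_with_hmac(key: bytes, data: bytes) -> Tuple[bytes, bytes]:
    """Host A: compute a keyed tag (HMAC-SHA-256) and attach it."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Host B: recompute the tag with the shared key, compare in constant time."""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def run_scenarios() -> Dict[str, bool]:
    key = secrets.token_bytes(32)       # assumption: shared by A and B beforehand
    order = b"RETREAT to the coast"     # constructed sample message
    changed = b"ADVANCE to the coast"   # what arrives after modification in transit
    results = {}

    # Unmodified delivery: H1 == H2.
    data, h1 = send_with_hash(order)
    results["hash_accepts_intact"] = verify_hash(data, h1)

    # The data changed but the attached H1 did not: H1 != H2, change detected.
    results["hash_rejects_changed_data"] = not verify_hash(changed, h1)

    # The hash needs no secret, so a replaced message can arrive with a
    # freshly computed hash of its own. Host B's check passes anyway.
    replaced_h1 = hashlib.sha256(changed).digest()
    results["hash_accepts_replaced_pair"] = verify_hash(changed, replaced_h1)

    # With HMAC the tag depends on the shared key, so neither the old tag
    # nor an unkeyed hash of the new data verifies.
    data, tag = send_with_hmac(key, order)
    results["hmac_accepts_intact"] = verify_hmac(key, data, tag)
    results["hmac_rejects_old_tag"] = not verify_hmac(key, changed, tag)
    results["hmac_rejects_unkeyed_hash"] = not verify_hmac(key, changed, replaced_h1)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

A bare hash sent alongside the data covers accidental corruption; when the channel itself is untrusted, the check needs a key (HMAC) or a digital signature.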

Availability :

This means that the network should be readily available to its users. This applies to systems and to data. To ensure availability, the network administrator should maintain hardware, make regular upgrades, have a plan for fail-over, and prevent bottlenecks in a network. Attacks such as DoS or DDoS may render a network unavailable as the resources of the network get exhausted. The impact may be significant to the companies and users who rely on the network as a business tool. Thus, proper measures should be taken to prevent such attacks. 


Image Steganography in Cryptography

The word Steganography is derived from two Greek words- ‘stegos’ meaning ‘to cover’ and ‘grayfia’, meaning ‘writing’, thus translating to ‘covered writing’, or ‘hidden writing’. Steganography is a method of hiding secret data, by embedding it into an audio, video, image, or text file. It is one of the methods employed to protect secret or sensitive data from malicious attacks. 

How is it different from cryptography? 
Cryptography and steganography are both methods used to hide or protect secret data. However, they differ in the respect that cryptography makes the data unreadable, or hides the meaning of the data, while steganography hides the existence of the data. 

In layman’s terms, cryptography is similar to writing a letter in a secret language: people can read it, but won’t understand what it means. However, the existence of a (probably secret) message would be obvious to anyone who sees the letter, and if someone either knows or figures out your secret language, then your message can easily be read. 

If you were to use steganography in the same situation, you would hide the letter inside a pair of socks that you would be gifting the intended recipient of the letter. To those who don’t know about the message, it would look like there was nothing more to your gift than the socks. But the intended recipient knows what to look for, and finds the message hidden in them. 

Similarly, if two users exchanged media files over the internet, it would be more difficult to determine whether these files contain hidden messages than if they were communicating using cryptography. 

Cryptography is often used to supplement the security offered by steganography. Cryptography algorithms are used to encrypt secret data before embedding it into cover files. 

Image Steganography – 
As the name suggests, Image Steganography refers to the process of hiding data within an image file. The image selected for this purpose is called the cover image and the image obtained after steganography is called the stego image.

How is it done? 
An image is represented as an N*M (in case of greyscale images) or N*M*3 (in case of color images) matrix in memory, with each entry representing the intensity value of a pixel. In image steganography, a message is embedded into an image by altering the values of some pixels, which are chosen by an encryption algorithm. The recipient of the image must be aware of the same algorithm in order to know which pixels he or she must select to extract the message. 

Figure – Process of Image Steganography 

Detection of the message within the cover image is done by the process of steganalysis. This can be done through comparison with the cover image, histogram plotting, or noise detection. While efforts are being invested in developing new algorithms with a greater degree of immunity against such attacks, efforts are also being devoted towards improving existing algorithms for steganalysis, to detect the exchange of secret information between terrorists or criminal elements. 
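
A small model of the embedding step and of the simplest detection method named above, comparison with the cover image. This is an added example, not code from the original page: it assumes least-significant-bit embedding in a greyscale matrix, a key-seeded shuffle standing in for the pixel-selection algorithm, a 2-byte length prefix, and a constructed 32×32 cover image.

```python
import random
from typing import List, Tuple

Image = List[List[int]]  # greyscale N*M matrix, one 0-255 intensity per pixel


def pixel_order(key: bytes, total: int) -> List[int]:
    """Key-dependent order in which pixels are visited. Stand-in for the
    selection algorithm; random.Random is not a cryptographic generator."""
    order = list(range(total))
    random.Random(key).shuffle(order)
    return order


def to_bits(data: bytes) -> List[int]:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    usable = len(bits) - len(bits) % 8  # ignore a trailing partial byte
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, usable, 8))


def embed(cover: Image, message: bytes, key: bytes) -> Image:
    """Write a 2-byte length and the message into the lowest bit of selected pixels."""
    rows, cols = len(cover), len(cover[0])
    bits = to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > rows * cols:
        raise ValueError("message does not fit in the cover image")
    stego = [row[:] for row in cover]
    for pos, bit in zip(pixel_order(key, rows * cols), bits):
        r, c = divmod(pos, cols)
        stego[r][c] = (stego[r][c] & 0xFE) | bit
    return stego


def extract(stego: Image, key: bytes) -> bytes:
    """Read the lowest bits back in the same key-dependent order."""
    rows, cols = len(stego), len(stego[0])
    lsbs = [stego[p // cols][p % cols] & 1 for p in pixel_order(key, rows * cols)]
    length = int.from_bytes(from_bits(lsbs[:16]), "big")
    return from_bits(lsbs[16:16 + 8 * length])


def compare_with_cover(cover: Image, suspect: Image) -> Tuple[int, int]:
    """Steganalysis by comparison: (number of changed pixels, largest change)."""
    deltas = [abs(a - b) for row_a, row_b in zip(cover, suspect)
              for a, b in zip(row_a, row_b)]
    return sum(1 for d in deltas if d), max(deltas)


def sample_cover(rows: int = 32, cols: int = 32) -> Image:
    """Constructed cover image: a deterministic intensity pattern."""
    return [[(r * 7 + c * 13) % 256 for c in range(cols)] for r in range(rows)]


if __name__ == "__main__":
    cover = sample_cover()
    stego = embed(cover, b"constructed test message", b"shared-key")
    print(extract(stego, b"shared-key"))
    print("changed pixels, largest change:", compare_with_cover(cover, stego))
```

Many pixels that each differ from the cover by exactly one intensity level are the signature of this kind of embedding, which is why an analyst who has the original cover image can detect it by direct comparison.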


Classical Cryptography and Quantum Cryptography

Cryptography is the technique used for secure communication between two parties in a public environment where unauthorized users and malicious attackers are present. Cryptography involves two processes, encryption and decryption, performed at the sender’s and the receiver’s end respectively. Encryption is the process where simple multimedia data is combined with some additional data (known as a key) and converted into an unreadable encoded format known as a cipher. Decryption is the reverse of encryption: the same or a different additional data (key) is used to decode the cipher and convert it back into the real multimedia data.

Cryptography techniques can be categorized according to the basic principles or protocols they follow. Here we concentrate on two types of cryptography technique: Classical Cryptography and Quantum Cryptography. These are explained below.

1. Classical Cryptography:
Classical cryptography is based on mathematics and relies on the computational difficulty of factorizing large numbers. The security of classical cryptography rests on the high complexity of a mathematical problem, for instance the factorization of large numbers.

In classical cryptography the original data, i.e. the plain text, is transformed into an encoded format, i.e. the cipher text, so that it can be transmitted through insecure communication channels. A data string known as the key is used to control the transformation of the data from plain text to cipher text. This arrangement helps to keep data safe, as the key is required for extracting the original information from the cipher text. Without the key no one can read the data. In this technique it is assumed that only the authorized receiver has the key.

Classical Cryptography has two types of techniques:

  1. Symmetric Cryptography:
    In symmetric cryptography a single key is used for encrypting and decrypting the data. This encryption key is a private key. The limitation of this encryption technique is that the private key must be distributed only among the authorized sender and receiver.
  2. Asymmetric Cryptography:
    In asymmetric cryptography a pair of keys, i.e. a public key and a private key, is used for encryption and decryption. A sender can use its public key to encrypt the data, and at the receiver’s end the receiver can decrypt the data by using its private key. This technique overcomes the problem of key distribution.

Advantages of Classical Cryptography:

  • While employing the one-time pad, it is unbreakable.
  • It is easy to do manually, no computer required.
  • It protects the plain text from casual snooping.

Disadvantages of Classical Cryptography:

  • While employing the one-time pad, it is cumbersome and requires a personal meetup to exchange the pads.
  • If not employing the OTP, anyone who is even remotely interested in knowing what you wrote and knows about cryptography will be able to break the encryption.

2. Quantum Cryptography:
Quantum Cryptography is based on physics and relies on the laws of quantum mechanics. It is an emerging technology that uses the phenomena of quantum physics so that two parties can have secure communication based on the invariability of the laws of quantum mechanics. Quantum mechanics is the mathematical framework or set of rules for the construction of physical theories.

There are 2 important elements of quantum mechanics on which quantum cryptography depends: the Heisenberg Uncertainty Principle and the Photon Polarization Principle. These are explained below.

  1. Heisenberg Uncertainty Principle:
    This principle says that if you measure one thing, you cannot measure another thing accurately. For example, if you apply this principle to a human, you could measure a person’s height, but you can’t measure his weight. The only odd thing about this principle is that it holds only for the instant at which you try to measure something. This principle is applied to photons. Photons have a wave-like structure and are polarized, or tilted, in a certain direction. When measuring photon polarization, all subsequent measurements are affected by the choice of measurement that we made for polarization. This principle plays a vital role in thwarting the efforts of an attacker in quantum cryptography.
  2. Photon Polarization Principle:
    This principle states that an eavesdropper cannot copy unique quantum bits, i.e. an unknown quantum state, due to the no-cloning principle. If an attempt is made to measure any property, it will disturb the other information.
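
How these two principles expose an eavesdropper can be seen in a classical simulation of a key exchange over polarized photons. This is an added example, not code from the original page: it models the BB84 protocol, which the page does not name, on an idealized noise-free channel, and the function names, seeds and the 10% alarm threshold are assumptions chosen for illustration.

```python
import random
from typing import Tuple

BASES = "+x"  # rectilinear and diagonal polarization bases


def measure(bit: int, prepared_basis: str, measuring_basis: str,
            rng: random.Random) -> int:
    """Measuring in the preparation basis returns the encoded bit; measuring
    in the other basis gives a random result and destroys the original state."""
    if prepared_basis == measuring_basis:
        return bit
    return rng.randint(0, 1)


def run_key_exchange(n_photons: int, eavesdropper: bool,
                     seed: int) -> Tuple[int, float]:
    """Return (number of sifted key bits, error rate among them)."""
    rng = random.Random(seed)  # seeded so that runs are repeatable
    kept = errors = 0
    for _ in range(n_photons):
        alice_bit = rng.randint(0, 1)
        alice_basis = rng.choice(BASES)
        bob_basis = rng.choice(BASES)

        bit, basis = alice_bit, alice_basis
        if eavesdropper:
            # The interceptor cannot copy the photon (no-cloning), so it must
            # measure in a guessed basis and send on what it observed.
            eve_basis = rng.choice(BASES)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis

        bob_bit = measure(bit, basis, bob_basis, rng)

        # Sifting: sender and receiver publicly compare bases (not bits) and
        # keep only the positions where the bases matched.
        if alice_basis == bob_basis:
            kept += 1
            errors += alice_bit != bob_bit
    return kept, (errors / kept if kept else 0.0)


def eavesdropping_suspected(error_rate: float, threshold: float = 0.10) -> bool:
    """Illustrative alarm threshold (assumed); real links must allow for noise."""
    return error_rate > threshold


if __name__ == "__main__":
    for label, eve in (("quiet channel", False), ("intercepted channel", True)):
        kept, rate = run_key_exchange(4000, eve, seed=1)
        print(f"{label}: {kept} sifted bits, error rate {rate:.3f}, "
              f"alarm={eavesdropping_suspected(rate)}")
```

Without interception the sifted bits agree exactly; with interception about a quarter of them disagree, because a wrong basis guess randomizes the photon before the receiver measures it.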

Advantages of Quantum Cryptography:

  • It establishes secure communication by providing security based on fundamental laws of physics instead of mathematical algorithms or computing technologies used today.
  • It is virtually unhackable.
  • It is simple to use.
  • Fewer resources are needed in order to maintain it.
  • It is used to detect eavesdropping in QKD (Quantum Key Distribution). This is due to the fact that it is not possible to copy the data encoded in quantum state.
  • The performance of such cryptography systems is continuously improved.

Disadvantages of Quantum Cryptography:

  • Worldwide implementation of this can take up lots of jobs and hence unemployment will increase.
  • While traveling through the channel, the polarization of a photon may change due to various causes.
  • Quantum cryptography lacks many vital features such as digital signatures, certified mail, etc.
  • The largest distance supported by QKD is about 250 km at a speed of 16 bps through a guided medium.