Traditional Ciphers and Security Concepts in Cryptography

Posted on May 23, 2024 in Computers

1. What are Traditional Ciphers?

Traditional ciphers are classical encryption techniques used historically to encode messages before modern computer-based methods. They manipulate plaintext characters or structure to create ciphertext that appears random to unauthorized individuals. Traditional ciphers are broadly categorized into two main types: substitution ciphers and transposition ciphers.


1. Substitution Ciphers (Caesar Cipher)

In substitution ciphers, each plaintext character is replaced with another based on a predetermined rule or key. Examples include the Caesar and Atbash ciphers. The Caesar cipher is one of the simplest, shifting each letter by a fixed number of positions in the alphabet.

Example:

Suppose we want to encrypt “HELLO” using a Caesar cipher with a shift of 3.


Plaintext: H E L L O

Ciphertext: K H O O R

Merits:
  • Easy to understand and implement.
  • Suitable for educational purposes or quick, informal encryption.
  • Provides some security against casual eavesdropping.
Demerits:
  • Vulnerable to frequency analysis, potentially revealing patterns and decrypting the message.
  • Limited key space (25 possible shifts in the English alphabet).


2. Transposition Ciphers (Rail Fence Cipher)

Transposition ciphers rearrange plaintext characters without changing them. A common example is the Rail Fence cipher, where characters are written in a zigzag pattern across multiple “rails” and read row by row to produce ciphertext.

Example:

Let’s encrypt “MEET ME AT NOON” using a Rail Fence cipher with 3 rails.

M . . . . E . . . . A . . .


. E . T . M . T . N . O . .

. . E . . . . E . . . . . .

Ciphertext: M E A T M T N O E E M E

Merits:
  • Resistant to frequency analysis as characters remain unchanged.
  • Increased security with more rails, making decryption more complex.
  • Larger key space than simple substitution ciphers.
Demerits:
  • Vulnerable to known plaintext attacks if the attacker knows the Rail Fence structure.
  • Cumbersome for long or irregular-length messages due to predetermined rail numbers.


QHAdXLhyM64AAAAASUVORK5CYII=

2. Numerical-Based Ciphers

These include Autokey, Playfair, Hill, and Affine ciphers.

3. Euler’s Phi Function

Euler’s phi function, denoted by φ(n), counts positive integers less than or equal to n that are coprime to n (relatively prime).

Rules:

  • Prime Numbers: If n is prime, φ(n) = n – 1.
  • Prime Powers: If n = p^k (p is prime, k is a positive integer), φ(n) = n – n/p.
  • Multiplicative Property: If a and b are coprime, φ(ab) = φ(a) * φ(b).
  • General Case: For n = p1^k1 * p2^k2 * … * pn^kn (distinct primes pi, positive integers ki), φ(n) = n * (1 – 1/p1) * (1 – 1/p2) * … * (1 – 1/pn).

Numerical Example:

Find φ(30).

Solution:

30 = 2 * 3 * 5

φ(30) = φ(2) * φ(3) * φ(5) = 1 * 2 * 4 = 8.

4. Security Goals, Services, and Mechanisms

Understanding the relationship between these concepts is crucial in cybersecurity.

Security Goals:

  • Confidentiality: Only authorized entities can access sensitive information.
  • Integrity: Data and resources remain accurate, consistent, and trustworthy.
  • Availability: Systems and resources are accessible and usable without disruption.
  • Authenticity: Verification of user or system identity.
  • Non-repudiation: Preventing denial of actions or transactions.

Security Services:

  • Authentication: Verifying user or system identity.
  • Authorization: Determining permitted resource access or actions.
  • Encryption: Protecting data by converting it into an unreadable form.
  • Integrity Checking: Verifying data hasn’t been altered.
  • Access Control: Restricting resource access based on policies.
  • Auditing and Logging: Monitoring and recording activities for security incident detection and accountability.

Security Mechanisms:

  • Cryptography: Provides encryption and integrity checking (e.g., AES, RSA, SHA).
  • Firewalls: Implement access control and filtering to protect networks.
  • Digital Certificates: Support authentication and non-repudiation by verifying entity identities.
  • Biometric Systems: Provide authentication based on unique physical or behavioral characteristics.
  • Intrusion Detection Systems (IDS): Support auditing and monitoring by detecting suspicious activities.

Security goals define desired outcomes, services outline actions to achieve them, and mechanisms are the technical implementations.

5. DES Algorithm

The Data Encryption Standard (DES) is a symmetric-key block cipher algorithm, now considered insecure and replaced by AES. It operates on 64-bit blocks with a 56-bit key (supplied as 64 bits with parity bits).

Key Generation:

  • The 64-bit key undergoes “Permuted Choice 1” (PC-1), discarding parity bits and shuffling the rest.

Key Expansion:

  • The 56-bit key is divided into two 28-bit halves, each undergoing circular left shifts to generate 16 subkeys (48 bits each) using “Permuted Choice 2” (PC-2).

Encryption:

  • Plaintext undergoes “Initial Permutation” (IP) and is divided into 32-bit halves (L0, R0).
  • 16 rounds of Feistel cipher structure: right half (Ri-1) processed with function f (using subkey), output XORed with left half (Li-1) to become next right half (Ri), previous right half becomes next left half (Li).
  • Halves swapped, “Final Permutation” (FP) applied.

Decryption:

  • Same as encryption but with subkeys in reverse order.

Security:

  • DES is vulnerable to brute-force attacks due to its small key size.
  • Triple DES (3DES) improves security by applying DES three times with different keys.

6. Kerberos and TGS

Kerberos is a network authentication protocol using secret-key cryptography for strong client-server authentication.

Components:

  • Kerberos Server (KDC): Central authentication server (Authentication Server (AS) and Ticket Granting Service (TGS)).
  • Client: User or client accessing resources.
  • Service: Network service being accessed.
  • Ticket: Cryptographic token from KDC for service access.

Authentication Process:

  • AS Exchange: Client requests authentication (AS-REQ), receives Ticket Granting Ticket (TGT) encrypted with its key.
  • TGS Exchange: Client requests service access (TGS-REQ) using TGT, receives service ticket (ST) encrypted with the service’s key.
  • Service Access: Client presents ST to the service for access.

TGS Role:

  • Issues service tickets (ST) to clients upon TGS request (TGS-REQ) and TGT verification.
  • Facilitates secure authentication and authorization for service access.

7. RSA Algorithm and Digital Signatures

RSA is an asymmetric cryptographic algorithm used for encryption and digital signatures. Digital signatures verify message authenticity and integrity.

RSA Digital Signature Steps:

  1. Sender (A) calculates message digest (MD1) using SHA-1.
  2. A encrypts MD1 with their private key (Digital Signature – DS).
  3. A sends DS and the original message (M) to the receiver (B).
  4. B calculates their message digest (MD2) for M using the same algorithm.
  5. B decrypts DS using A’s public key, retrieving MD1.
  6. If MD1 == MD2, B accepts M as authentic and unaltered from A.


Zv3oPBMMGizmVycjL+f3mlsl8bwZywAAAAAElFTkSuQmCC
x+jJinX0mcXiQAAAABJRU5ErkJggg==
RaJHo4XnwwYYqXvdO0EEIIIYQQQojeQ11VrMvuVWv1+p1EIYQQQgghhBDfXSQShRBCCCGEEEJ0IpEohBBCCCGEEKITiUQhhBBCCCGEEJ1IJAohhBBCCCGE6EQiUQghhBBCCCFEJxKJQgghhBBCCCE6kUgUQgghhBBCCNGJRKIQQgghhBBCiE4kEoUQQgghhBBCdCKRKIQQQgghhBCiE4lEIYQQQgghhBB5gP8PIhK86YERy0MAAAAASUVORK5CYII=
4EzoxvCdtLS0tLRyFM5KMjT7qb2WlpaW1s8R8P8HLCKrwQn6JlgAAAAASUVORK5CYII=
8P3i8zEeZ7dnsAAAAASUVORK5CYII=
RMzkoBdM9QAAAAABJRU5ErkJggg==

8. Man-in-the-Middle Attack on Diffie-Hellman

A MITM attack on Diffie-Hellman occurs when an attacker intercepts and alters communication during key exchange.

Attack Steps:

  1. Interception: Attacker intercepts communication between Alice and Bob.
  2. Impersonation: Attacker impersonates both parties, establishing separate key exchanges.
  3. Relaying: Attacker relays messages, manipulating public keys and deriving shared keys with each party.
  4. Decryption: Attacker decrypts and potentially alters communication.

Mitigation:

  • Authentication: Verify identities to prevent impersonation.
  • Public Key Infrastructure (PKI): Use digital certificates for authenticity verification.
  • Key Verification: Ensure derived shared keys match.
  • Forward Secrecy: Use temporary key pairs (DHE, ECDHE).

Numerical Example:

Alice and Bob agree on p = 23, g = 5. Alice’s secret key (a) = 6, Bob’s (b) = 15. They compute and exchange A = g^a mod p = 8 and B = g^b mod p = 19. Both calculate the shared key K = B^a mod p = A^b mod p = 2. This basic protocol is susceptible to MITM attacks without additional security measures.

9. Data Block Cipher Modes of Operation

These modes define how block ciphers encrypt arbitrary-length plaintext data by processing multiple blocks.

  1. Electronic Codebook (ECB): Each block encrypted independently (weak, identical plaintext yields identical ciphertext).
  2. Cipher Block Chaining (CBC): Each block XORed with the previous ciphertext block before encryption (requires IV).
  3. Cipher Feedback (CFB): Block cipher as a stream cipher, encrypting IV/previous ciphertext for keystream (allows smaller encryption units).
  4. Output Feedback (OFB): Similar to CFB but encrypts a continuously generated keystream (faster but no error propagation).
  5. Counter (CTR): Block cipher as a stream cipher, encrypting counter values for keystream.

10. Public Key Infrastructure (PKI)

PKI manages digital certificates, keys, and cryptographic operations for secure communication and authentication.

Components:

  • Certificate Authority (CA): Issues, revokes, and manages certificates, verifying applicant identities.
  • Registration Authority (RA): Verifies applicant identities on behalf of the CA.
  • Certificate Revocation List (CRL): List of revoked certificates.
  • Certificate Repository: Storage for certificates and related information.
  • Certificate Policy (CP) and Certificate Practice Statement (CPS): Rules and guidelines for certificate issuance and management.
  • Certificate Formats (e.g., X.509): Define certificate structure and content.
  • Key Management System: Manages cryptographic keys.
  • Certificate Validation Mechanisms: Verify certificate trustworthiness (e.g., certificate chain validation).

11. Hash Function Properties and Role in Security

Hash functions convert arbitrary-length input into fixed-size output (hash value).

Properties:

  • Deterministic: Same input always produces the same output.
  • Fixed Output Size: Output size is fixed regardless of input size.
  • Pre-image Resistance: Difficult to reverse the hash to find the original input.
  • Second Pre-image Resistance: Difficult to find a different input with the same hash as a given input.
  • Collision Resistance: Difficult to find two different inputs producing the same hash.
  • Avalanche Effect: Small input changes result in significant output changes.
  • Efficiency: Computationally efficient, especially for large data.

Role in Security:

  • Data Integrity: Verify data hasn’t been altered.
  • Digital Signatures: Create a fixed-size message digest for signing.
  • Password Hashing: Securely store passwords.
  • Message Authentication: Ensure message authenticity and integrity (e.g., MACs).

12. HMAC, CBC-MAC, and CMAC Comparison

FeatureHMACCBC-MACCMAC
Algorithm TypeHash-based MACBlock cipher-based MAC (CBC mode)Block cipher-based MAC (CMAC mode)
SecurityHighly secure with a secure hash function and keyVulnerable to length extension attacksMore secure than CBC-MAC, resistant to length extension attacks
EfficiencyMore efficient (hash computations only)Less efficient (multiple encryption operations)Slightly more efficient than CBC-MAC
Key ManagementSingle secret keySingle secret key + IV managementSingle secret key
StandardizationWidely standardizedStandardized but less commonStandardized and gaining popularity

13. Secure Hash Function Characteristics and SHA-1

Characteristics:

  • Collision Resistance: Infeasible to find two inputs with the same hash.
  • Pre-image Resistance: Infeasible to find input from a given hash.
  • Second Pre-image Resistance: Infeasible to find a different input with the same hash as a given input.
  • Avalanche Effect: Small input changes lead to significant output changes.
  • Deterministic: Same input always produces the same output.
  • Efficiency: Computationally efficient.

SHA-1:

  • Cryptographic hash function producing a 160-bit hash value.
  • Widely used but now considered insecure due to collision vulnerabilities.
  • Deprecated in favor of more secure alternatives like SHA-256 and SHA-3.

14. SHA-1 and MD5 Difference

SdxLHl6o18QAAAAASUVORK5CYII=

26. Replay Attacks and Mitigation

Examples:

  • Replaying authentication requests.
  • Replaying payment transactions.
  • Replaying remote control commands.

Mitigation:

  1. Timestamps or Nonces: Ensure message freshness.
  2. Sequence Numbers: Ensure sequential order of transmissions.
  3. One-Time Tokens or Challenges: Validate the uniqueness of requests.

27. TCP/IP Vulnerabilities Layerwise

Application Layer (Layer 7):

  • DoS Attacks
  • Injection Attacks
  • Session Hijacking

Transport Layer (Layer 4):

  • SYN Flood
  • UDP Flood
  • Session Hijacking

Internet Layer (Layer 3):

  • IP Spoofing
  • ICMP Attacks

Link Layer (Layer 2) and Physical Layer (Layer 1):

ARP Spoofing: In local area networks, attackers can manipulate Address Resolution Protocol (ARP) messages to associate their MAC address with the IP address of another device, facilitating man-in-the-middle attacks.

MAC Address Spoofing: Attackers may forge MAC addresses to impersonate legitimate devices on the network, bypassing MAC address filtering or gaining unauthorized access.

Physical Access: Physical access to


network infrastructure or devices can lead to various attacks, including theft of sensitive information, tampering with equipment, or installation of malicious hardware.

Mitigating these vulnerabilities requires a combination of technical controls (e.g., firewalls, intrusion detection systems, encryption) and security best practices (e.g., patch management, access controls, user training). Regular security assessments, vulnerability scans, and penetration testing can help identify and address weaknesses in TCP/IP networks.

17. Why are the digital certificates and signatures required? What is the role of digital signature in digital certificates? Explain any one digital signature algorithm.

Digital certificates and signatures play 


critical roles in ensuring the security and authenticity of digital communications. Here’s why they are required: Authentication: Digital certificates enable the authentication of entities (such as servers, websites, or individuals) in a digital communication network. By verifying the digital certificate presented by a party, other parties can trust the identity of the entity and establish secure communication channels.

Data Integrity: Digital signatures ensure the integrity of transmitted data by providing a means to detect any unauthorized modifications or tampering. By attaching a digital signature to a message or document, the sender can prove that the content hasn’t been altered since the signature was applied.


Non-Repudiation: Digital signatures provide non-repudiation, meaning that the signer cannot deny having signed the document. Once a digital signature is applied, it serves as evidence of the signer’s intention to approve or authenticate the content.

Confidentiality: While not a direct role of digital certificates, they are often used in conjunction with encryption protocols (such as SSL/TLS) to establish secure, encrypted communication channels, ensuring the confidentiality of transmitted data.

Now, let’s focus on one digital signature algorithm: RSA (Rivest-ShamirAdleman).

RSA Digital Signature Algorithm:

RSA is one of the most widely used digital signature algorithms, named after its inventors: Ron Rivest, Adi Shamir,


 and Leonard Adleman. It relies on the mathematical properties of large prime numbers and modular arithmetic.

Here’s how the RSA digital signature algorithm works:

Key Generation:

Choose two large prime numbers, 

𝑝p and 𝑞.

Compute the modulus 

𝑛=𝑝×𝑞 n=p×q.

Compute Euler’s totient function 

𝜙(𝑛)=(𝑝−1)×(𝑞−1) ϕ(n)=(p−1)×(q−1).

Choose an integer 

𝑒

e such that 

1

1

𝑒

e is coprime with 

𝜙(𝑛) ϕ(n). 

𝑒

e serves as the public exponent.

Compute the private exponent 

𝑑


d such that 

𝑑×𝑒≡1(mod𝜙(𝑛)) d×e≡1(modϕ(n)). 

𝑑

d serves as the private exponent.

Signing:

To sign a message 

𝑀

M, the sender calculates the message hash 

𝐻(𝑀)

H(M).

The sender then computes the signature 

𝑆

S using the private key 

𝑑d: 𝑆=𝐻(𝑀)mod 

𝑛

S=H(M) 

d  modn.

The resulting signature 

𝑆

S is appended to the message or transmitted alongside it.

Verification:

To verify the signature, the receiver obtains the sender’s public key 


(𝑒,𝑛)

(e,n).

The receiver calculates the hash of the received message 

𝐻(𝑀)

H(M).

The receiver then computes 

𝑆′=𝑆𝑒mod

𝑛

S ′=S  e  modn.

If 

𝑆′S ′

aaaaaa matches the hash 

𝐻(𝑀)

H(M), the signature is considered valid.

RSA digital signatures offer strong security and are widely supported in various cryptographic applications. However, their computational complexity makes them slower than some other signature algorithms, especially when dealing with large keys and messages. Nevertheless, RSA remains a cornerstone of modern cryptography and is extensively used in digital certificates, secure communication protocols, and digital signatures.