C&NS Unit-1 R16

Cryptography and Network Security UNIT-1
INTRODUCTION
Syllabus: UNIT- I: Basic Principles
Security Goals, Cryptographic Attacks, Services and Mechanisms, Mathematics of
Cryptography
Information Security plays a vital role in today’s world of communication, military

operations, and in financial organizations, .. etc. Information in the wrong hands can lead to
a major loss of country, business or any organization. Before the wide spread use of
electronic communication, the security of information is valuable to an organization and it is
provided by means of physical and administrative. Physical security of information is by
providing lockers to store the sensitive documents. Information can also be secured by
screening the employee while hiring. A disgruntled employee can leak company’s sensitive
information to the outside world.
The requirements of information security in an organization have undergone two major
changes in the last several decades.
1. The first change occurred with the introduction of computers. Due to this, there is a
need to develop automated tools and s/w for protecting information stored in the
computer. This is required more for shared systems, and for systems which can be
accessed over a public telephone network. The collection of tools designed to
protect data and to thwart (prevent) hackers is computer security.
2. The second change occurred with the introduction of distributed computers and the
use of networks and communications facilities (routers, gateways) to transport data
from one user to another. Therefore Network Security measures are needed to
protect data during the transmission.
There are no clear boundaries between these two forms of security. The most popular
attack on information systems is the computer virus. A virus may be introduced into a
system physically using a diskette (any storage device), or it may also arrive over an
internet. In either case, once the virus is identified, internal computer security tools are
required to detect and recover from the virus.
Dr. Kalavathi A, Professor & HoD IT

1
Security Violations:
1. User A transmits a confidential file to user B. this file contains some sensitive
information that are to be protected from disclosure. An unauthorized user C may
capture a file during it’s transmission.
2. A network manager, D, transmits a message to a computer, E who is working under
him. The message instructs E to update the authorization file and their access
privileges,
3. Instead of intercepting a message, a user F constructs his own message and
transmits to E, as if the message come from the network manager D.
4. In case of employee firing without any warning or notice, the personal manager
sends a message to a server system to invalidate the employee’s account. After the
invalidation, server posts a notice to the employee for confirmation of the action.
Employee intentionally delays to give confirmation so that he can get final acces to
the server to retrieve sensitive information.
5. A message is sent from a customer to a stock broker to sell all his shares.
Consequently, suppose if shares price goes down, customer denies sending the
message.
These are the possible types of security violations, these illustrates the range of
concerns of network security. Internetwork security is both interesting and complex.
The Three Aspects of Security:

To assess the security needs of an organization effectively, and to evaluate and choose
various security products and policies, the following three aspects of information security
are considered
1. Security Attack: An action which compromises the security of information owned by
an organization. This is an assault against a computer or network infrastructure
2. Security Mechanism: a mechanism that is designed to detect, prevent and recover
from security attacks.
3. Security service: A service that enhances the security of information systems and
data transmission of any organization

2
OSI Security Architecture: ITU-T (International Telecommunication Union

Telecommunication Standardization Sec Recommendation X.800, Security Architecture for
OSI defines systematic way to
• Defining the requirements for security
• Characterizing the approaches to satisfying those requirements.
The OSI security architecture is useful to managers as a way of organizing the task of
providing security. Furthermore, because this architecture was developed as an
international standard, computer and communications vendors have developed security
features for their products and services that relate to this structured definition of services
and mechanisms. These can be defined briefly as follows:
Threats and Attacks (RFC 2828)
Threat : A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a threat is a
possible danger that might exploit a vulnerability.
Attack: An assault on system security that derives from an intelligent threat; that is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or technique)
to evade security services and violate the security policy of a system.

3
Security Services: Computer and network security research and development have focused
on general security services that encompass the various functions required for information
security. ITU-T has defined 6 types of security services
1. Confidentiality: The general meaning of confidentiality is the state of keeping or
being kept secret or private. Ensures that the information in a computer system and
transmitted information are accessible only for authorized users.
Ex: Access types includes: read, print, display and other forms of disclosure.
Disclosure: Revealing the contents of a message
2. Authentication: This is a process or action of verifying the identity of a user or
person. Ensures that the origin (source) of a message or electronic document is
correctly identified with an assurance that the identity is not false.
3. Integrity: The general meaning of it is the quality of being honest and having strong
moral principles. Ensures that only authorized parties are able to modify computer
system assets and transmitted data. And also ensure that the data has not been
modified by anyone (third person, intruder) and anywhere else in the network.
Ex: Modification includes: writing, inserting, changing, deleting, creating, appending
and delaying or replaying of transmitted messages.
The various types of Integrity is:
4. Nonrepudiation: It is the assurance that some one cannot deny something. It refers
to the ability that a party to a contract or a communication cannot deny the
authenticity of their signature on a document or the sending of a message that they
originated. In other words, neither the sender nor the receiver of a transmitted
message be able to deny the transmission or reception

The various forms of Nonrepudiation are :
Nonrepudiation, Origin: Proof that the message was sent by the specified party.
Nonrepudiation, Destination: Proof that the message was received by intended
receiver.
5. Access Control: It is the selective restriction of access to an information resource or
information. Permission to access a resource is known as authorization. The
prevention of unauthorized use of a resource (i.e., this service controls who can have
access to a resource, under what conditions access can occur, and what those

4
accessing the resource are allowed to do). Access privileges to the information
system are:
Ex: Write, Read, Execute, Save
6. Availability: It requires that computer system assets be available to authorized users
whenever needed.
Security Mechanisms: There is no single mechanism that will provide all the security
services. One of the most specific security mechanisms in use is cryptographic techniques.
Encryption or encryption-like transformations of information are the most common means
of providing security. Some of the mechanisms are:
1. Enciphering and Deciphering
2. Digital Signature
3. Access Control
Security Attacks: According to G.J. Simmons information security deals with how to prevent
cheating, or failing that, to detect cheating in information based systems where information
has no meaningful physical existence. Attacks on the security of a computer system or
network are best characterized by viewing the function of the computer system as providing
information.
In general there is a flow of information from a source to destination. This normal
flow is depicted in the following figure.
Security attacks are categorized into four types:

1. Interruption: Information assets may be destroyed or becomes unavailable or
unusable. This attack happens on the lack of availability service.
Ex: destruction of a piece of hardware like hard disk, cutting the communication line,
or disabling file management system.

5
2. Interception: An unauthorized party gains access to the resources. This is an attack

on confidentiality. The unauthorized party may be a person, a program or a
computer.
Ex: Wiretapping, air tapping, illicit copying of files or programs.
3. Modification: An unauthorized party gains access and tampers information assets.

This attack is on Integrity service.
Ex: changing values in a database, altering a program, modifying the contents of a
message.
4. Fabrication: An unauthorized party inserts forged objects into the system. This
attack is on authenticity.
Ex: inserting fake messages in a network or addition of records in a file.
These four types of attacks are further categorized into passive and active attacks.

6
Passive Attacks: These attacks comes under the category of eavesdropping and monitoring
of transmissions. In this case the goal of opponent is to obtain transmitted information.
There are two types of passive attacks:
i) Release of Message Contents: Any telephone conversation, a transmitted file, an
e-mail message may contain confidential information. The opponent will try to
capture the message and reveal the contents of transmitted message
ii) Traffic Analysis: In case of a protected message, opponents, even if they capture,
they could not extract the contents of a message. But still the opponent can
observe the traffic these messages. Opponent can also determine the location
and identity of communicating hosts (means source and destination) and could
observe the frequency and length of messages being exchanged.
These passive attacks are very difficult to detect because they do not alter the contents of
message. But measures are available to prevent these attacks.
Active attacks: These attacks involve modification data stream or the creation of a
fraudulent data. These are further classified into masquerade, replaying, modification of
messages, denial of service.
Masquerade: This attack takes place when one user pretends like another user. In terms of
communications security issues, a masquerade is a type of attack where the attacker
pretends to be an authorized user of a system in order to gain access to it or to gain greater
privileges than they are authorized for.

7
Replay: A replay attack (also known as playback attack) is a form of network attack in which
a valid data transmission is maliciously or fraudulently repeated or delayed. Replay attacks
are the network attacks in which an attacker spies the conversation between the sender and
receiver and takes the authenticated information e.g. sharing key and then contact to the
receiver with that key. In Replay attack the attacker gives the proof of his identity and
authenticity.
Ex: Suppose in the communication of two parties Bob and Alice; Bob is sharing his secret key
to Alice to prove his identity but in the meanwhile Attacker Darth eavesdrop the
conversation between them and keeps the information which are needed to prove his
identity to Alice. Later Darth contacts to Alice and prove its authenticity.
Modification of messages: In a message modification attack, an intruder alters packet

header addresses to direct a message to a different destination or modify the data on a
target machine.
Ex: Allow Ram to read confidential file is modified to
Allow Shyam to read confidential file.

8
Denial of Service: In a denial of service (DoS) attack, users are underprivileged of access to a
network or web resource. It prevents the normal use or management of communications
facilities. Another form of denial of service is disruption of an entire network, either by
disabling the network or be overloading it with huge number of messages so as to degrade
performance.
Network Security Model: A message is transmitted from one party to another across the
Internet. The two parties, who are principal communication parties in this scenarios, must
cooperate each other to transmit data. A logical channel is established between the two
parties using TCP/IP.
Security aspects are applied when it is necessary to protect information transmission
from an opponent (third party) who may attack on confidentiality, authenticity, and any
service.

9
A trusted third party is required to achieve secure transmission. A third party is responsible
for distributing the secret information to the two principals. This general model performs
four basic tasks:
1. Design an algorithm for performing secure transmission
2. Generate the secret information to be used with the designed algorithm
3. Develop methods for distribution and sharing of secret information
4. Specify protocols which are used by two principals for secure transmission
To protect information systems from unwanted access, the following network access
security model is used:
An opponent may be a human or software. Hackers attempt to penetrate a systems that can
be accessed over a network. Hacker is a person who uses computers to gain unauthorized
access. In computing, a hacker is any skilled computer expert (programmer) that uses their
technical knowledge, uses bugs or exploits to break computer systems.
A software program, can present two types of threats:
1. Information access threats: Interception and modification of messages on behalf of
unauthorized users who do not have access to that data.
Dr. Kalavathi A, Professor & HoD IT 1

0
2. Service threats: These threats exploit service fa in computer to prevent use by

legitimate user
Virus and worms are two examples of service threats.
Virus attacks can be introduced into a system by copying or downloading a file from a
diskette or from any web server. Whereas worms can be inserted into a computer across a
network. Computer worms are similar to viruses in that they replicate functional copies of
themselves and can cause the same type of damage. In contrast to viruses, which require
the spreading of an infected host file, worms are standalone software and do not require a
host program or human help to propagate. A worm is a special kind of computer virus that
propagates by self-replication over a computer network. This propagation can be either via
e-mail or other means such as files being copied over a network.
Computer Virus Computer Worm
How does it infect a It inserts itself into a file or It exploits a weakness in an

computer system? executable program. application or operating
system by replicating itself.
How can it spread? It has to rely on users It can use a network to

transferring infected replicate itself to other
files/programs to other computer systems without
computer systems. user intervention.
Does it infect files? Yes, it deletes or modifies files. Usually not. Worms usually
Sometimes a virus also changes only monopolize the CPU
the location of files. and memory.
whose speed is virus is slower than worm. worm is faster than virus.
more? E.g. The code red worm
affected 3 lack PCs in just 14
Hrs.
Definition The virus is the program code The worm is code that
that attaches itself to replicate itself in order to

1
Computer Virus Computer Worm
application program and when consume resources to bring

application program run it runs it down.
along with it.
The security mechanism required to prevent above two threats is to use gatekeeper
function and internal security controls. The first, gatekeeper function use password based
login procedures to allow only authorized users. The second one internal security controls
monitors the activity and analyse the stored information to detect the presence of
unwanted intruders.
MATHEMATICS OF CRYPTOGRAPHY
2
Integer Arithmetic :
Set of Integers: The set of integers, denoted by Z, contains all integral numbers (with no
fractions) from negative infinity to positive infinity.
Z={, , , -2,-1,0,1,2,.,.,.,}
Binary Operations: In Cryptography three binary operations are applied on set of integers. A
binary operation, takes two inputs and produces one output. Three common binary
operations are : addition, subtraction and multiplication. The two inputs come from set of
integers; the output goes into the set of integers.
Z={,.,.,-2,-1,0,1,2,…}
a b
+ - X
Z = {..,-2,-1,-,1,2,…}
Ex:
Add : 5+9=14 (-5)+9=4 5+(-9)=-4 (-5)+(-9)=-14
Sub : 5-9=-4 (-5)-9=-14 5-(-9)=14 (-5)-(-9)=4
Mul : 5x9=45 (-5)x9=-45 5x(-9)=-45 (-5)x(-9)=45
Integer Division: IF we divide a by n we get q and r. The relationship between them is:
A=qxn+r
Ex: a=255 n=11, q is 23 and r=2
Two restrictions: when we use division in cryptography, we impose two restrictions:
1. Divisor must be a positive integer (n>0)
2. Remainder must be a nonnegative integer(r>=0)
Ex: a=255 n=11
To apply the restriction that r needs to be positive, we decrement the value of q by 1 and
we add the value of n to r to make it positive
Therefore, -255=(-24x11)+(-2+9)=(-24x11)+9

3
Divisibility : If a is not zero and we let r=0 in the division relation , we get a=qxn. This is
known as n divides a and can also be treated as a is divisible by n. This can be shown as a|n.
If the remainder is not zero, then n does not provide a and this is represented as a |n.
Properties of Divisibility:
1.If a|1 , then a=+_1
2. If a|b and b|a, then a=+_b
3. if a|b and b|c, then a|c
4. If a|b and a|c, then a|(mxb+nxc), where m and n are arbitrary integers
Ex: 3|15 and 15|45 then according to 3rd property 3|45
3|15 and 3|9, according to 4th property,3|(15x2+9x4)=3|66
All Divisors: A positive integer can have more than one divisor. There are two facts about
divisors of positive integers.
1. The integer 1 has exactly one divisor itself.
2. Any positive integer has at least two divisors, 1 and itself(but it can have more)
Greatest Common Divisor(GCD): GCD is very much useful in cryptography. Two positive
integers may have many common divisors, but there is only one greatest common divisor.
Ex: The common divisors of 12 and 40 are 1,2 and 4. GCD is 4.
Euclidean Algorithm : Finding the GCD of two positive integers by listing all common divisors
is not practical when the two integers are large. A famous mathematician Eucild developed
an algorithm 2000 years before itself. This algorithm is based on the following two facts:
1. Gcd(a,0)=a
2. 2. Gcd(a,b)=gcd(b,r), where r is the remainder of dividing a by b
r1=a;
r2=b;
while(r2>0)
{
q=r1/r2;
r=r1 - qxr2;
r1=r2;
r2=r;
}
gcd(a,b)=r1
Ex: find the gcd of 2740 and 1760
q r1 r2 r
1 2740 1760 980
1 1760 980 780
1 980 780 200
3 780 200 180
1 200 180 20
9 180 20 0
20 0

4
Extended Euclidean Algorithm: Given two integers and b, we often need to find other two
integers, s and t, such that sxa + txb = gcd(a,b) . The extended Euclidean
algorithm can calculate gcd(a,b) and at the same time calculate the value of s and t.
1212
r1=a;
r2=b;
s1=1;
s2=0;
t1=0;
t2=1;
while(r2>0)
{
q=r1/r2;
r=r1 - qxr2;
r1=r2;
r2=r;
s=s1 - qxs2;
s1=s2;
s2=s;
t=t1 – qxt2;
t1=t2;
t2=t;
}
gcd(a,b)=r1;
s=s1;
t=t1;
Ex: Given a=161 and b=28 find gcd(a,b) and the values of s and t
q r1 r2 r s1 s2 s t1 t2 t
5 161 28 21 1 0 1 0 1 -5
1 28 21 7 0 1 -1 1 -5 6
3 21 7 0 1 -1 4 -5 6 -23
7 0 -1 4 6 -23
Linear Diophantine Equations: This is the immediate application to find the solution to the
linear Diophantine equations of two variables is extended Euclidean algorithm.
Ex:ax+by=c we need to find integer values x and y that satisfy the equation. This type of
equation has either no solution or an infinite number of solutions.
Let d=gcd(a,b) if d does not divide c then the equation has no solution. If d divides c then
we have infinite number of solutions. One of them is called the particular, the rest are
general solutions.

5
Finding a particular solution:

If d divides c
1. Reduce the equation to a1x+b1y=c1 by dividing both sides of the equation by d.
2. Solve for s and t in the relation a1s+b1t=1 using the extended Euclidean algorithm.
3. The particular solution is x0=(c/d)s and y0=(c/d)t
General Solutions:
x=x0+k(b/d) and y=y0-k(a/d)
Ex: Find the particular and general solutions of 21x+14y=5

Sol: d=gcd(a,b)=gcd(21,14)=7
Since 7 divides 35
Particular solution
1. 3x+2y=5
2. 3s+2t=1 using extended Euclidean, s=1 and t=-1
3. X0=5x1=5 y0=5x(-1)=-5
General solutions:
X=5+kx2 and y=-5 –kx3 where k=1,2,3,….
(5,-5),(7,-8),(9,-11)
Modular Arithmetic:
CONVENTIONAL ENCRYPTION: CLASSICAL TECHNIQUES

Conventional encryption is also known as symmetric encryption, single key encryption, same
key encryption and secret key encryption.
Simplified model of Symmetric Encryption: In conventional encryption,
 The original intelligible message, is considered as plain text.
 This plain text is converted into random nonsense (unintelligible), and is considered
as cipher text.
 The ingredients of any encryption algorithm consists of plain text and key.
 The key value is an independent of the plain text.
 Once the cipher text is generated, it is transmitted in the network.
 Upon reception, the receiver transforms the cipher text back to the original plain
text by using a decryption algorithm and the same key that was used in encryption.

6
The security of conventional encryption depends on the following factors:

 Encryption algorithm must be powerful and it must be impractical to decrypt a
message based on the cipher text
 Secrecy of the key
Means, it is impossible to decrypt a message on the basis of cipher text plus the
knowledge of encryption/decryption algorithm. The essential elements of a conventional
encryption scheme are :
 A source inputs a plain text message X=[X1,X2,X3,..,XM].
 The M elements of X are letters in some finite alphabet set
 For encryption, a key scheme K=[K1,K2,K3,..,KM] is generated
 If the key is generated by a source then it must be shared or distributed to the
destination by using secure channel, (or)
 A third party generates a key and deliver it securely to both source and
destination.
 With the message X, and encryption key K, the encryption algorithm produces a
cipher text Y where Y= [Y1,Y2,Y3,..,YM].
Y=EK(X)
 The intended receiver, by using the same key decrypts the cipher text using
X=DK(Y)
The three independent dimensions of Cryptography (or) Classifications of Cryptography:

1. The type of operations to be performed for transforming plain text to cipher text

7
a) Substitution: Each element of the plain text is substituted or replaced with

another elements.
Ex: Caesar Cipher, Mono alphabetic cipher, Playfair cipher, Hill Cipher, Vigenre,
Vernam and One-time pad cipher
b) Transposition: The plain text letters are rearranged to form a cipher text.
Ex: Railfence, Columnar Transposition, Row Transposition Rotor Machines
2. The number of keys used:
a) Single Key : If both the sender and receiver uses the same key then it is known as
Single-key, same-key, symmetric key, conventional key or secret key
cryptography
Ex: DES, IDEA, CAST128, AES, BlowFish,
b) Multiple Key: If both the sender and receiver uses different keys for encryption
and decryption then it is known as two-key, multiple-key, public-key, private-key,
asymmetric key cryptography.
Ex: RSA, Diffie-Hellman, ECC
3. The way in which the plain text is processed :
a) Stream Cipher: stream ciphers processes input elements continuously and
outputs one element at a time.
Ex: Caesar cipher, mono alphabetic cipher, vigenere, vernam, one-time pad
b) Block Cipher: Block ciphers processes the input one block of elements at a time
and produces on output block for each input block
Ex: play fair cipher, hill cipher, DES,CAST 128, IDEA,Blowfish, AES
Classical Encryption Techniques:
Substitution Techniques: The letters of the plain text are replaced by other letters, numbers,
or symbols.
1. Caesar Cipher: The earliest and simplest by Julies Caesar. Caesar cipher replaces each
letter with the other alphabet. This cipher allocates a numerical code to each
alphabet. All cipher algorithms use reversible functions as cryptographic operations.
i.e,
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
a b c d e f g h I j k l m n o p q r s t u v w x y z

8
Ex: Plain Text: meet me after the toga party

Key: a numeric value
The formula for Encryption is:
C=EK(P)
C=(P+K) mod 26
The formula for Decryption is:
P= DK(P)
P=(C-K) mod 26
If K=3, the above plain text can be transformed as
Plain : Meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Brute Force Crypt Analysis: If the crypt analyst knows that this cipher text uses Caesar
cipher, then he can apply a brute force attack (Trying with all possible keys) on the cipher
text. There are 25 possible keys. Crypt analyst continue this operation till he gets a
meaningful content. With only 25 possible keys Caesar cipher is not secure

9
Frequency Analysis: This algorithm is structured based on the regularities of the language. If
you have got a message encrypted using the substitution cipher that you want to crack, you
can use frequency analysis. In other words, if the sender has tried to disguise a letter by
replacing with a different letter, you can still recognise the original letter because the
frequency characteristics of the original letter will be passed on to the new letters.
To apply frequency analysis, we need to know the frequency of every letter in the English
alphabet, or the frequency of letters in whichever language the sender is using.
Below is a list of average frequencies for letters in the English language. So, for example, the
letter E accounts for 12.7% of all letters in English, whereas Z accounts for 0.1 %. All the
frequencies are tabulated and plotted below.

0
Please note, these frequencies are averages, and E will not always constitute 12.7 % of all
the letters in a text, and may not even be the most common letter. The longer the message,
the more likely it is that will obey the average distribution shown above. However, there are
exceptions to this rule. In 1969, the French author Georges Perec managed to write a 200-
page book called 'La Disparition' without using any words containing the letter E. Amazingly,
the book was later translated into English by Gilbert Adair, again avoiding the use of the
letter E. along with letter frequencies, this cipher also uses the analysis of most frequently
occurring digrams, trigrams, and four letter …etc. Consider the following cipher text:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
At first, the relative frequency of the letters can be determined and compared to a standard
frequency distribution for English. If the message were long enough, this technique alone
might be sufficient, but because this is a relatively short message, we cannot expect an
exact match. In any case, the relative frequency of the letters in the cipher text (in
percentages) are as follows:
Comparing these frequencies, it seems that cipher letters P and Z are the equivalents of
plain letters e and t. There are a number of ways to proceed at this point. We could make
some tentative assignments and start to fill in the plaintext to see if it looks like a reasonable
"skeleton" of a message. A more systematic approach is to look for other regularities. For
example, certain words may be known to be in the text. Or we could look for repeating
sequences of cipher letters and try to deduce their plaintext equivalents. A powerful tool is

1
to look at the frequency of two-letter combinations, known as digrams. The most common
such digram is th. In our ciphertext, the most common digram is ZW, which appears three
times. So we make the correspondence of Z with t and W with h. Then, by our earlier
hypothesis, we can equate P with e. Now notice that the sequence ZWP appears in the
ciphertext, and we can now translate that sequence as "the." This is the most frequent
trigram (three-letter combination) in English, which seems to indicate that we are on the
right track. Next, notice the sequence ZWSZ in the first line. We do not know that these four
letters form a complete word, but if they do, it is of the form th_t. Therefore, S equates with
a. So far, then, we have:
Only four letters have been identified, but already we have quite a bit of the message. Continued
analysis of frequencies plus trial and error should easily yield a solution from this point. The
complete plaintext, with spaces added between words, follows:
It was disclosed yesterday that several informal but direct contacts have been made with political
representatives of the viet cong in moscow
Play fair Cipher: This cipher was actually invented by British scientist Sir Charles Wheatstone
in 1854, but it bears the name of his friend Baron Play fair of St. Andrews. This is the best-
known multiple-letter encryption cipher, which treats digrams in the plaintext as single units
and translates these units into cipher text digrams.
C O M P U
T E R A B
D F G H I/J
K L N Q S
V W X Y Z
In this case, the keyword is Computer. The matrix is constructed by filling with the letters of

2
the keyword from left to right and from top to bottom, and then fill the remaining matrix
with the remaining letters in alphabetic order. Since the size of matrix is 5X5 we combine
the letters I and J in a single block. Plaintext is encrypted two letters at a time, according to
the following rules:
1. Repeating plaintext letters that would fall in the same pair are separated with a filler
letter, such as x,
Ex: balloon would be enciphered as ba lx lo on.
2. Plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row circularly following the last.
Ex: mu is encrypted as PC.
3. Plaintext letters that fall in the same column are each replaced by the letter beneath, with
the top element of the row circularly following the last.
Ex: cv is encrypted as TC.
4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the
column occupied by the other plaintext letter.
Ex: hl becomes FQ and pd becomes CH
Security Analysis: The Play fair cipher is a great advance over simple mono alphabetic
ciphers. For one thing, Whereas there are only 26 letters, there are 26 ¥ 26 = 676 digrams,
so that identification of individual digrams is more difficult. Furthermore, the relative
frequencies of individual letters exhibit a much greater range than that of digrams, making
frequency analysis much more difficult. For these reasons, the Play fair cipher was for a long
time considered unbreakable
Hill Cipher: Another interesting multiletter cipher is the Hill cipher, developed by the
mathematician Lester Hill in 1929. The encryption algorithm takes m successive plaintext
letters and substitutes for them m ciphertext letters. The substitution is determined by m
linear equations in which each character is assigned a numerical value (a = 0, b = 1, … z =
25). For m = 3, the system can be described as follows:
C1 = (k11p1 + k12p2 + k13p3) mod 26
C2 = (k21p1 + k22p2 + k23p3) mod 26
C3= (k31p1 + k32p2 + k33p3) mod 26

3
This can be expressed in terms of column vectors and matrices:
Or C=KP mod 26
Here C and P are column vectors of length 3, representing the plaintext and cipher text, and K is a
3¥3 encryption matrix. All operations are performed on mod 26.
Ex: consider the plaintext "paymoremoney",
And the encryption key
Hill cipher encrypts one block at a time. Here the block size is 3. So the first three letters of the plain
text are represented in a column matrix (15 0 24).
Then K(15 0 24) = (375 819 486) mod 26
= (11 13 18)
= LNS.
Continuing this process till the length of plain text which yields the following cipher text
LNSHDLEWMTRW.
Decryption requires using the inverse of the matrix K. The inverse K –1 of a matrix K is defined by the
equation KK–1 = K–1K = I, where I is the matrix that is all zeros except for ones along the main diagonal
from upper left to lower right. In this case, the inverse is:
C = EK(P)
= KP mod 26
P = DK(C)
= K–1C mod 26

4
= K–1KP
=P
Polyalphabetic Ciphers
Another way to improve mono alphabetic technique is to use different mono alphabetic
substitutions. The general name for this approach is polyalphabetic substitution cipher. The best-
known, and one of the simplest, such algorithms is referred to as the Vigenère cipher. In this
scheme, the set of related mono alphabetic substitution rules consists of the 26 Caesar ciphers, with
shifts of 0 through 25. Each cipher is denoted by a key letter, which is the cipher text letter that
substitutes for the plaintext letter a. To aid in understanding the scheme and to aid in its use, a
matrix known as the Vigenère tableau is constructed.

5
The process of encryption is simple: Always plain text characters signify column labels and key
characters signify row labels. Now, the cipher text character corresponds to the element which is in
plain text character column and key character row. To encrypt a message, a key is needed that is as
long as the message. User can select any key word of any length. It may be a repeating keyword.
Ex: Plain Text: we are discovered save your self
Key : deceptive
deceptIvedeceptIvedeceptive
wearedIscoveredsaveyourself
ciphertext: Z I CVTWQNGRZGVTWAVZHCQYGLMGJ
Decryption is equally simple. The key letter again identifies the row. The position of the cipher text
letter in that row determines the column, and the plaintext letter is at the top of that column. The
strength of this cipher is that there are multiple cipher text letters for each plaintext letter, one for
each unique letter of the keyword. A Vigenère cipher is suspected, then progress depends on
determining the length of the keyword, as will be seen in a moment. For now, let us concentrate on
how the keyword length can be determined. If two identical sequences of plaintext letters occur at a
distance that is an integer multiple of the keyword length, they will generate identical cipher text
sequences. In this foregoing example, two instances of the sequence "red" are separated by 9
character positions. Consequently, in both cases, r is encrypted using key letter e, e is encrypted
using key letter p, and d is encrypted using key letter t. Thus, in both cases the cipher text sequence
is VTW.
An analyst looking at only the cipher text would detect the repeated sequences VTW at a
displacement of 9 and make the assumption that the keyword is either 3 or 9 letters in length. The
periodic nature of the keyword can be eliminated by using a nonrepeating keyword that is as long as
the message itself. Vigenère proposed what is referred to as an autokey system, in which a keyword
is concatenated with the plaintext itself to provide a running key.
Ex:
key: deceptivewearediscoveredsav
plain text: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
Even this scheme is vulnerable to cryptanalysis. Because the key and the plaintext share the same
frequency distribution of letters, a statistical technique can be applied. The ultimate defense against
such a cryptanalysis is to choose a keyword that is as long as the plaintext and has no statistical
relationship to it. Such a system was introduced by an AT&T engineer named Gilbert Vernam in

6
1918. His system works on binary data rather than letters. The system can be expressed succinctly as
follows:
Ci = pi + ki where
pi = ith binary digit of plaintext
ki = ith binary digit of key
Ci = ith binary digit of ciphertext
+ = exclusive-or (XOR) operation
Thus, the ciphertext is generated by performing the bitwise XOR of the plaintext and the key.
Because of the properties of the XOR, decryption simply involves the same bitwise operation:
Pi = Ci + ki
One-Time Pad
An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement to the Vernam cipher
that yields the ultimate in security. Mauborgne suggested using a random key that was truly as long
as the message, with no repetitions. Such a scheme, known as a one-time pad, is unbreakable. It
produces random output that bears no statistical relationship to the plaintext. Because the cipher
text contains no information whatsoever about the plaintext, there is simply no way to break the
code.
Ex: Consider the following cipher text:

7
Transposition Techniques: Substitution techniques substitute or replace each plain text

character with another plain text character whereas transposition cipher rearrange the
letters of the plain text to get cipher text.
a) Rail fence Cipher: In this cipher plain text is written down as a sequence of
diagonals(columns) and then read off as a sequence of rows.
Ex: meet me after the toga party
m e m a t r h t g p r y
e t e f e t e o a a t
MEMATRHTGPRYETEFETEOAAT
Columnar Transposition Cipher: This is a somewhat more complex scheme than the above
where the message (plain text) is written row by row in a matrix and read off cipher text
column by column. The secret key which is used in this cipher is a non repeatable letter key
word. Where each letter is given an index based on its alphabetical order and the same is
treated as a column index.
Ex: Plain Text : attack postponed until two am
And Key : computer
1 4 3 5 8 7 2 6
C O M P U T E R
a t t a c k p o
s t p o n e d u
n t I l t w o a
m u v w x y z a
Cipher Text: ASNMPDOZTPIVTTTUAOLWOUAAKEWYCNTX
The transposition cipher can be made significantly more secure by performing more than
one stage of transposition. The result is a more complex permutation that is not easily
reconstructed.
Rotor Machines: The example just given suggests that multiple stages of encryption can produce
an algorithm that is significantly more difficult to cryptanalyze. Before the introduction of DES, the
most important application of the principle of multiple stages of encryption was a class of systems
known as rotor machines. The basic principle of the rotor machine is illustrated in the following
figure. The machine consists of a set of independently rotating cylinders through which electrical

8
pulses can flow. Each cylinder has 26 input pins and 26 output pins, with internal wiring that
connects each input pin to a unique output pin. For simplicity, only three of the internal connections
in each cylinder are shown.
If we associate each input and output pin with a letter of the alphabet, then a single cylinder defines
a monoalphabetic substitution. For example, if an operator depresses the key for the letter A, an
electric signal is applied to the first pin of the first cylinder and flows through the internal connection
to the twenty-fifth output pin. Consider a machine with a single cylinder.
After each input key is depressed, the cylinder rotates one position, so that the internal connections
are shifted accordingly. Thus, a different mono alphabetic substitution cipher is defined. After 26
letters of plaintext, the cylinder would be back to the initial position. Thus, we have a polyalphabetic
substitution algorithm with a period of 26.
A single-cylinder system is trivial and does not present a formidable cryptanalytic task. The power of
the rotor machine is in the use of multiple cylinders, in which the output pins of one cylinder are
connected to the input pins of the next. Figure 2.7 shows a three-cylinder system. The left half of the
figure shows a position in which the input from the operator to the first pin (plaintext letter a) is

9
routed through the three cylinders to appear at the output of the second pin (cipher text letter B.
With multiple cylinders, the one farthest from the operator input rotates one pin position with each
keystroke. The right half of Figure 2.7 shows the system's configuration after a single keystroke. For
every complete rotation of the outer cylinder, the middle cylinder rotates one pin position. Finally,
for every complete rotation of the middle cylinder, the inner cylinder rotates one pin position. This is
the same type of operation seen with an odometer. The result is that there are 26 ¥ 26 ¥ 26 = 17,576
different substitution alphabets used before the system repeats. The addition of fourth and fifth
rotors results in periods of 456,976 and 11,881,376 letters, respectively.
Steganography: A plaintext message may be hidden in one of two ways. The methods of
steganography conceal the existence of the message, whereas the methods of cryptography render
the message unintelligible to outsiders by various transformations of the text. A simple form of
steganography, is one in which an arrangement of words or letters within an apparently innocuous
text spells out the real message. For example, the sequence of first letters of each word of the
overall message spells out the hidden message. Various other techniques have been used
historically; some examples are the following:
 Character marking: Selected letters of printed or typewritten text are overwritten in pencil.
The marks are ordinarily not visible unless the paper is held at an angle to bright light.
• Invisible ink: A number of substances can be used for writing but leave no visible trace until heat or
some chemical is applied to the paper.
• Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is
held up in front of a light.
• Typewriter correction ribbon: Used between lines typed with a black ribbon, the results of typing
with the correction tape are visible only under a strong light.
Some other modern techniques available are:
1. Text Steganography
2. Image Steganography
3. Video Steganography
4. Audio Steganography
5. Linguistic Steganography
Phishing: This is an attempt to obtain sensitive information such as usernames, passwords, and
credit card details (and, indirectly, money), often for malicious reasons, by disguising as a
trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing

0
or instant messaging, and it often directs users to enter personal information at a fake website, the
look and feel of which are almost identical to the legitimate one.
Phishing Types:
Spear phishing: Phishing attempts directed at specific individuals or companies have been termed
spear phishing. Attackers may gather personal information about their target to increase their
probability of success. This technique is by far the most successful on the internet today, accounting
for 91% of attacks.[9]
Clone phishing: Clone phishing is a type of phishing attack whereby a legitimate, and previously
delivered, email containing an attachment or link has had its content and recipient address(es) taken
and used to create an almost identical or cloned email. This technique could be used to pivot
(indirectly) from a previously infected machine and gain a foothold on another machine, by
exploiting the social trust associated with the inferred connection due to both parties receiving the
original email.
Whaling: Several phishing attacks have been directed specifically at senior executives and other high-
profile targets within businesses, and the term whaling has been coined for these kinds of attacks. In
the case of whaling, the masquerading web page/email will take a more serious executive-level
form. The content will be crafted to target an upper manager and the person's role in the company.
Link manipulation: Most methods of phishing use some form of technical deception designed to
make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed
organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the
following example URL, http://www.yourbank.example.com/, it appears as though the URL will take
you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e.
phishing) section of the example website.
Filter evasion: Phishers have even started using images instead of text to make it harder for anti-
phishing filters to detect text commonly used in phishing emails.[20] However, this has led to the
evolution of more sophisticated anti-phishing filters that are able to recover hidden text in images.
These filters use OCR (optical character recognition) to optically scan the image and filter it.
Some anti-phishing filters have even used IWR (intelligent word recognition), which is not meant to
completely replace OCR, but these filters can even detect cursive, hand-written, rotated (including
upside-down text), or distorted (such as made wavy, stretched vertically or laterally, or in different
directions) text, as well as text on colored backgrounds.
Website forgery: Once a victim visits the phishing website, the deception is not over. Some phishing
scams use JavaScript commands in order to alter the address bar. This is done either by placing a

1
picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new
one with the legitimate URL.
Phone phishing: Not all phishing attacks require a fake website. Messages that claimed to be from a
bank told users to dial a phone number regarding problems with their bank accounts. Once the
phone number (owned by the phisher, and provided by a voice over IP service) was dialed, prompts
told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake
caller-ID data to give the appearance that calls come from a trusted organisation. SMS phishing uses
cell phone text messages to induce people to divulge their personal information.
SQL Injection attacks: A SQL injection attack consists of insertion or "injection" of a SQL query via the
input data from the client to the application. A successful SQL injection exploit can read sensitive
data from the database, modify database data (Insert/Update/Delete), execute administration
operations on the database (such as shutdown the DBMS), recover the content of a given file
present on the DBMS file system and in some cases issue commands to the operating system. SQL
injection attacks are a type of injection attack, in which SQL commands are injected into data-plane
input in order to effect the execution of predefined SQL commands.
• SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause
repudiation issues such as voiding transactions or changing balances, allow the complete disclosure
of all data on the system, destroy the data or make it otherwise unavailable, and become
administrators of the database server.
• SQL Injection is very common with PHP and ASP applications due to the prevalence of older
functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET
applications are less likely to have easily exploited SQL injections.
• The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to
a lesser extent, defense in depth countermeasures, such as low privilege connections to the
database server and so on. In general, consider SQL Injection a high impact severity. SQL injection
errors occur when:
1. Data enters a program from an untrusted source.
2. The data used to dynamically construct a SQL query
Ex:1. Incorrectly filtered escape characters
In SQL:
select id, firstname, lastname from authors
If one provided:

2
Firstname: evil'ex
Lastname: Newman
the query string becomes:
select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'
which the database attempts to run as:
Incorrect syntax near il' as the database tried to execute evil.
This form of SQL injection occurs when user input is not filtered for escape characters and is then
passed into a SQL statement. This results in the potential manipulation of the statements performed
on the database by the end-user of the application.
This SQL code is designed to pull up the records of the specified username from its table of users.
However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL
statement may do more than the code author intended. For example, setting the "userName"
variable as:
' or '1'='1 renders one of the following SQL statements by the parent language:
SELECT * FROM users WHERE name = '' OR '1'='1';
If this code were to be used in an authentication procedure then this example could be used to force
the selection of a valid username because the evaluation of '1'='1' is always true.
2. Incorrect type handling
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked
for type constraints. This could take place when a numeric field is to be used in a SQL statement, but
the programmer makes no checks to validate that the user supplied input is numeric. For example:
statement := "SELECT * FROM userinfo WHERE id =" + a_variable + ";"
It is clear from this statement that the author intended a_variable to be a number correlating to the
"id" field. However, if it is in fact a string then the end-user may manipulate the statement as they
choose, thereby bypassing the need for escape characters. For example, setting a_variable to 1;
DROP TABLE users will drop (delete) the "users" table from the database, since the SQL becomes:
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
Buffer Overflow Attack: In computer security and programming, a buffer overflow, or buffer
overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's
boundary and overwrites adjacent memory. This is a special case of violation of memory safety.
Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the
program operates. This may result in erratic program behavior, including memory access errors,

3
incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software
vulnerabilities and can be maliciously exploited. Programming languages commonly associated with
buffer overflows include C and C++, which provide no built-in protection against accessing or
overwriting data in any part of memory and do not automatically check that data written to an array
(the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer
overflows.
Technical description:
A buffer overflow occurs when data written to a buffer also corrupts data values in memory
addresses adjacent to the destination buffer due to insufficient bounds checking. This can occur
when copying data from one buffer to another without first checking that the data fits within the
destination buffer.
Ex: In the following example, a program has two data items which are adjacent in memory: an 8-
byte-long string buffer, A, and a two-byte big-endian integer, B.
char A[8] = {};
unsigned short B = 1979;
Initially, A contains nothing but zero bytes, and B contains the number 1979.
variable name A B
value [null string]
1979
hex value 00 00 00 00 00 00 00 00 07 BB
Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in
the A buffer.
strcpy(A, "excessive");
"excessive" is 9 characters long and encodes to 10 bytes including the terminator, but A can take
only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:
variable name A B
value 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 25856
hex 65 78 63 65 73 73 69 76 65 00
B's value has now been inadvertently replaced by a number formed from part of the character
string. In this example "e" followed by a zero byte would become 25856.
Writing data past the end of allocated memory can sometimes be detected by the operating system
to generate a segmentation fault error that terminates the process.

4
Exploitation:
The techniques to exploit a buffer overflow vulnerability vary by architecture, by operating system
and by memory region. For example, exploitation on the heap (used for dynamically allocated
memory), differs markedly from exploitation on the call stack.
String formatting vulnerabilities: printf statement is quite common in C programs. printf ("The magic
number is: %d\n", 1911);
The text to be printed is “The magic number is:”, followed by a format parameter ‘%d’, which is
replaced with the parameter (1911) in the output. Therefore the output looks like: The magic
number
is: 1911. In addition to %d, there are several other format parameters, each having different
meaning.
The following table summarizes these format parameters:
Parameter Meaning Passed as
-------------------------------------------------------------------
%d decimal (int) value
%u unsigned decimal (unsigned int) value
%x hexadecimal (unsigned int) value
%s string ((const) (unsigned) char *) reference
%n number of bytes written so far, (*int) reference
The stack and its role at format strings The behavior of the format function is controlled by the
format string. The function retrieves the parameters requested by the format string from the stack.
printf ("a has value %d, b has value %d, c is at address: %08x\n",a, b, &c);
Value of a
Value of b
Adress of c
printf()’s internal pointer Moving in this direction. What if there is a miss-match between the format
string and the actual arguments? printf ("a has value %d, b has value %d, c is at address: %08x\n",
a, b);
In the above example, the format string asks for 3 arguments, but the program actually provides
only two (i.e. a and b).
Can this program pass the compiler?

5
Yes, because the function printf() is defined as function with variable length of arguments. There-
fore, by looking at the number of arguments, everything looks fine. To find the miss-match,
compilers needs to understand how printf() works and what the meaning of the format string is.
However, compilers usually do not do this kind of analysis. Sometimes, the format string is not a
constant string, it is generated during the execution of the program. Therefore, there is no way for
the compiler to find the miss-match in this case.
Can printf() detect the miss-match?
The function printf() fetches the arguments from the stack. If the format string needs 3 arguments, it
will fetch 3 data items from the stack. Unless the stack is marked with a boundary, printf() does not
know that it runs out of the arguments that are provided to it. Since there is no such a marking.
printf() will continue fetching data from the stack. In a miss-match case, it will fetch some data that
do not belong to this function call.
2 Attacks on Format String Vulnerability
 Crashing the program
printf ("%s%s%s%s%s%s%s%s%s%s%s%s");
For each %s, printf() will fetch a number from the stack, treat this number as an address, and print
out the memory contents pointed by this address as a string, until a NULL character (i.e., number 0,
not character 0) is encountered. Since the number fetched by printf() might not be an address, the
memory pointed by this number might not exist (i.e. no physical memory has been assigned to such
an address), and the program will crash. It is also possible that the number happens to be a good
address, but the address space is protected (e.g. it is reserved for kernel memory). In this case, the
program will also crash.
DOS and DDOS attacks

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to
make a machine or network resource unavailable to its intended users. DDoS (Distributed Denial of
Service) attacks are sent by two or more persons, or bots (see botnet). DoS (Denial of Service)
attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had
reached an average rate of 28 per hour. Perpetrators of DoS attacks typically target sites or services
hosted on high-profile web servers such as banks, credit card payment gateways, and even root
nameservers. DoS threats are also common in business, and are sometimes responsible for website
attacks. This technique has now seen extensive use in certain games, used by server owners, or
disgruntled competitors on games, such as server owners' popular Minecraft servers. Increasingly,

6
DoS attacks have also been used as a form of resistance. Richard Stallman has stated that DoS is a
form of 'Internet Street Protests’. The term is generally used relating to computer networks, but is
not limited to this field; for example, it is also used in reference to CPU resource management.
One common method of attack involves saturating the target machine with external
communications requests, so much so that it cannot respond to legitimate traffic, or responds so
slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In
general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or
consuming its resources so that it can no longer provide its intended service or obstructing the
communication media between the intended users and the victim so that they can no longer
communicate adequately.
Denial-of-service attacks are considered violations of the Internet Architecture Board's Internet
proper use policy, and also violate the acceptable use policies of virtually all Internet service
providers. They also commonly constitute violations of the laws of individual nations.
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate
users of a service from using that service. There are two general forms of DoS attacks: those that
crash services and those that flood services.
A DoS attack can be perpetrated in a number of ways. Attacks can fundamentally be classified into
five families
1. Consumption of computational resources, such as bandwidth, memory, disk space, or
processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim so that
they can no longer communicate adequately.
A DoS attack may include execution of malware intended to
• Max out the processor's usage, preventing any work from occurring.
• Trigger errors in the microcode of the machine.
• Trigger errors in the sequencing of instructions, so as to force the computer into an unstable
state or lock-up.
• Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to
use up all available facilities so no real work can be accomplished or it can crash the system itself
• Crash the operating system itself.

7
In most cases DoS attacks involve forging of IP sender addresses (IP address spoofing) so that the
location of the attacking machines cannot easily be identified and to prevent filtering of the packets
based on the source address.
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program
successfully masquerades as another by falsifying data and thereby gaining an illegitimate
advantage.
Spoofing and TCP/IP, IP address spoofing and ARP spoofing
Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source
or destination of a message. They are thus vulnerable to spoofing attacks when extra precautions are
not taken by applications to verify the identity of the sending or receiving host. IP spoofing and ARP
spoofing in particular may be used to leverage man-in-the-middle attacks against hosts on a
computer network. Spoofing attacks which take advantage of TCP/IP suite protocols may be
mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify
the identity of the sender or recipient of a message.
Caller ID spoofing Public telephone networks often provide Caller ID information, which includes the
caller's name and number, with each call. However, some technologies (especially in Voice over IP
(VoIP) networks) allow callers to forge Caller ID information and present false names and numbers.
Gateways between networks that allow such spoofing and other public networks then forward that
false information. Since spoofed calls can originate from other countries, the laws in the receiver's
country may not apply to the caller. This limit's laws' effectiveness against the use of spoofed Caller
ID information to further a scam.
E-mail address spoofing: The sender information shown in e-mails (the "From" field) can be spoofed
easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to
problems such as misdirected bounces (i.e. e-mail spam backscatter). E-mail address spoofing is
done in quite the same way as writing a forged return address using snail mail. As long as the letter
fits the protocol, (i.e. stamp, postal code) the SMTP protocol will send the message. It can be done
using a mail server with telnet.
GPS Spoofing: A GPS spoofing attack attempts to deceive a GPS receiver by broadcasting counterfeit
GPS signals, structured to resemble a set of normal GPS signals, or by rebroadcasting genuine signals
captured elsewhere or at a different time. These spoofed signals may be modified in such a way as to
cause the receiver to estimate its position to be somewhere other than where it actually is, or to be

8
located where it is but at a different time, as determined by the attacker. One common form of a
GPS spoofing attack, commonly termed a carry-off attack begins by broadcasting signals
synchronized with the genuine signals observed by the target receiver.
TCP Session Hijacking:

The concept session hijacking involves a hacker to take over an existing session between a user and
host machine. By taking over the valid session the attacker then violates or exploits the session. The
attacker steals the valid session id which is used to get into the system and then snoop data. One the
attacker get the valid session, he can take over access of any authenticated device or resource like
an ftp server, webserver or a telnet session. Once the hijacker /attacker make a successful hijack,
then he could play the role of a genuine user or can even silently just monitor or watch what
communication is happening. As a session is created for some specific time and during this time the
client is authenticated by the server thus during this time the Server and client trust each other for
the session. The data transfer that takes place during the session are not authenticated every time
till the session is active and it is this benefit that the attacker takes and keeps on stealing
information. The danger when a successful session hijack is done is activities like data theft, identity
theft and data corruption can take place. The traffic can be sniffed and the transaction can be
recorded.
TCP Session hijacking means taking over a TCP session between two devices. Blink Hijacking is
another method where the response on the system can be assumed. Steps involved in session
hijacking:
 Track the connection
 Desynchronize the connection
 Inject the attacker’s packet
The following can lead to a session being hijacked
 No timeout set for invalid session ids
 Insecure handling
 Indefinite session expiry time
 Transmission of data in clear text
 Session id being small in length
Sequence Numbers are exchanged during TCP Three way handshaking.
• Host A sends a SYN bit set packet to Host B to create a new connection.
• Host B will reply with SYN/ACK bits set packet to Host A with a initial sequence number.

9
• Host A will reply with ACK bit set packet to Host B with Initial Sequence Number + 1
So, If attackers manage to predict the initial sequence number then they can actually send the last
ACK data packet to the server, spoofing as original Host. then they can hijack the TCP Connection
Techniques of Session Hijacking
Brute force a session ID: This is similar to Brute Force passwords, where the attacker will try to guess
the session id. The attacker would have some idea of the session ids available. The attacker could be
benefited or helped with the uses of some malware, sniffing, cross site scripting or HTTP refreshers.
Steal the session ID: Sniffing can be used to steal a session id and then compromise the
communication or the target.
Calculate a session ID: Some really good attackers could also calculate the session id based on the
session id he seeing and can then guess or calculate the next session id thus understanding the
sequence.
Methods of TCP Session Hijacking:

Now before predicting a initial sequence number of a TCP three way handshaking, attackers need to
be in between the client and server to successfully hijack the TCP connection, for which attacker can
actually use these three techniques.
• Source routing: attacker can actually use source routing in such a way that the data is being
transferred between client and server through attacker. In that case attacker can see the data being
exchanged and can see the Initial Sequence Number.
• Man in the middle attack: By Logically placing himself between the server and client, an
attacker can similarly see the data connection going through him.

0
• Attacker can also use ICMP redirect to spoof himself as gateways so that data can be passed
through him.
• Attacker can also hijack the TCP session by not predicting or looking for initial sequence
number instead he can let the user establish a successful connection and then spoofing himself as a
client by changing his MAC address with that of the original Host, attacker can send RST bit set to the
server to reset the connection and starting a whole new connection from TCP three way
handshaking and exchanging the new sequence numbers.
UDP Session Hijacking: Since UDP does not use packet sequencing and synchronizing; it is easier
than TCP to hijack UDP session. The hijacker has simply to forge a server reply to a client UDP
request before the server can respond. If sniffing is used than it will be easier to control the traffic
generating from the side of the server and thus restricting server’s reply to the client in the first
place.
Hijacking Application Levels : At this level a hijacker can not only hijack already existing sessions but
can also create new sessions from the stolen data.
HTTP Session Hijack: Hijacking HTTP sessions involves obtaining Session ID’s for the sessions, which is
the only unique identifier of the HTTP session. Session ID’s can be found at three places
1. In the URL received by the browser for the HTTP GET request.
2. With cookies which will be stored in clients computer.
3. Within the form fields.
Obtaining Session ID’s: One way to obtain the Session ID is by sniffing, which is same as the Man in
middle attack. Cookies and URL’s can be sniffed from the packets and if unencrypted can
provide critical user logon information.
Another way is by Brute Forcing the Session ID’s which involves trying a set of session id’s based on
some pattern. Brute forcing is a time consuming task but worked on some algorithm can produce
results rather quickly.
Man-in-the-Middle-attack (MITM)
In this the attackers get in middle of an existing connection between two or more computers and
intercept the messages. The entire communication goes though the attacker.
The victim’s messages go to the attacker and the attacker then sends it to the server. And in reply
the server sends some message which again goes through the attacker sitting in middle. Both the

1
client and server are unaware that they are not communicating directly and someone is sitting in
middle and intercepting the messages and relaying them.
The complete MITM takes place in a two phase, like:
- Client to attacker
- Attacker to Server
ARP Attacks: ARP is a stateless protocol. It was designed to map internet protocol IP addresses with
the associated MAC address. In windows,
Specifically IPV4, ARP maps IP between network layer and data link layer of OSI. ARP protocol’s main
flaw is in its cache. It is possible for ARP to update existing entries and add new entries to the cache.
It leads to trust that forged replies can be made easily which result ARP cache poisoning attacks. It
fools all nodes on the network. This is done due to lack of authentication features in ARP.
MAC Address Flooding: An ARP cache poisoning attack is mainly used in switched networks. By
flooding a switch with fake MAC addresses, a switch is overloaded. Due to this it broadcasts all
network traffic to every connected node. The following are various types of attacks:

2
1. Connection Hijacking and Interception: Packet or connection hijacking and interception sis
the action in which any connected client can be victimized into getting their connection
manipulated to take complete control over.
2. Connection Resetting: While resetting a client’s connection, we are cutting the established
connection with the system. This can be done easily by using a specially crafted code to the
destination.
3. Man in the Middle (MITM): MITM is a packet manipulation attack which also redirects
packets to the attacker.
4. Packet Sniffing: It is very easy if the network is segmented via a hub, rather than a switch. It
is possible to sniff on a switched network by performing a MAC flood attack.
Route Table Modification Attacks: Router is a device that operates in layer 3 of OSI model which
main function is path selection and packet forwarding. Routers can be core network equipment in
any organization so the security of router is major concern. However there are different types of
router attacks that network professionals must be aware of. Types of Router Attacks are
1. Denial of Service attacks: – The DoS attack is done by the attacker who has the motive of
flooding request to the router or other devices affecting the availability. Sending more
number of ICMP packets from multiple sources makes the router unable to process traffic. If
the router is unable to process traffic it is unable to provide services in the network and the
whole network goes down affecting daily activity of organization.
2. Packet Mistreating Attacks: – In this type of attack after the router is injected with malicious
codes the router simply mistreats the packets. Router cannot handle its own routing process
and starts mishandling the packet. The malicious router is unable to process the packets
properly and creates loops, denial-of-service, and congestion and so on in the network. This
type of attack is very difficult to find and debug.
3. Routing table poisoning: – Routers use routing table to send packets in the network. The
router moves the packets by looking into the routing table. The routing table is formed by
exchanging routing information between routers. Routing table poisoning means the
unwanted or malicious change in routing table of the router. This is done by editing the
routing information update packets which are advertised by routers. This attack can cause
severe damage in the network by entering wrong routing table entries in the routing table.
4. Hit-and-Run Attacks: – This attack is also called test attack where the attacker injects
malicious packets into the router and sees if the network is online and functioning or not. If

3
yes, the attacker sends further more malicious packets to harm the router. This attack can
cause router to do unusual activities that depends upon the code injected by the attacker.
This type of attack is hard to identify and can cause severe damage to the router’s work.

4

C&NS Unit-1 R16

Uploaded by

Copyright:

Available Formats

C&NS Unit-1 R16

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

C&NS Unit-1 R16

Uploaded by

Copyright:

Available Formats

Cryptography and Network Security UNIT-1

Information Security plays a vital role in today’s world of communication, military

Dr. Kalavathi A, Professor & HoD IT

The Three Aspects of Security:

Dr. Kalavathi A, Professor & HoD IT

OSI Security Architecture: ITU-T (International Telecommunication Union

Dr. Kalavathi A, Professor & HoD IT

message be able to deny the transmission or reception

Dr. Kalavathi A, Professor & HoD IT

Security attacks are categorized into four types:

Dr. Kalavathi A, Professor & HoD IT

2. Interception: An unauthorized party gains access to the resources. This is an attack

3. Modification: An unauthorized party gains access and tampers information assets.

Dr. Kalavathi A, Professor & HoD IT

Dr. Kalavathi A, Professor & HoD IT

Modification of messages: In a message modification attack, an intruder alters packet

Dr. Kalavathi A, Professor & HoD IT

Dr. Kalavathi A, Professor & HoD IT

Dr. Kalavathi A, Professor & HoD IT 1

2. Service threats: These threats exploit service fa in computer to prevent use by

Computer Virus Computer Worm

How does it infect a It inserts itself into a file or It exploits a weakness in an

How can it spread? It has to rely on users It can use a network to

Dr. Kalavathi A, Professor & HoD IT 1

Computer Virus Computer Worm

application program and when consume resources to bring

Dr. Kalavathi A, Professor & HoD IT 1

Dr. Kalavathi A, Professor & HoD IT 1

Dr. Kalavathi A, Professor & HoD IT 1

Finding a particular solution:

Ex: Find the particular and general solutions of 21x+14y=5

CONVENTIONAL ENCRYPTION: CLASSICAL TECHNIQUES

Dr. Kalavathi A, Professor & HoD IT 1

The security of conventional encryption depends on the following factors:

The three independent dimensions of Cryptography (or) Classifications of Cryptography:

Dr. Kalavathi A, Professor & HoD IT 1

a) Substitution: Each element of the plain text is substituted or replaced with

Dr. Kalavathi A, Professor & HoD IT 1

Ex: Plain Text: meet me after the toga party

Dr. Kalavathi A, Professor & HoD IT 1

Dr. Kalavathi A, Professor & HoD IT 2

Dr. Kalavathi A, Professor & HoD IT 2

Dr. Kalavathi A, Professor & HoD IT 2

Dr. Kalavathi A, Professor & HoD IT 2

This can be expressed in terms of column vectors and matrices:

Dr. Kalavathi A, Professor & HoD IT 2

Dr. Kalavathi A, Professor & HoD IT 2

plain text: wearediscoveredsaveyourself

Dr. Kalavathi A, Professor & HoD IT 2

pi = ith binary digit of plaintext

ki = ith binary digit of key

Ci = ith binary digit of ciphertext

+ = exclusive-or (XOR) operation

Dr. Kalavathi A, Professor & HoD IT 2

Transposition Techniques: Substitution techniques substitute or replace each plain text

Dr. Kalavathi A, Professor & HoD IT 2

Dr. Kalavathi A, Professor & HoD IT 2

Dr. Kalavathi A, Professor & HoD IT 3

Dr. Kalavathi A, Professor & HoD IT 3