CRYPTO Unit 1
What is Cryptography? How is it different from Cryptanalysis
and Cryptology?
What is Cryptography?
• Definition:
Cryptography is the science of securing information by converting it into an
unreadable format, so that only authorized users can read it.
• Purpose:
To protect data from unauthorized access, maintain privacy, ensure integrity, and
provide secure communication.
• Main Processes:
o Encryption (Plaintext → Ciphertext)
o Decryption (Ciphertext → Plaintext)
• Key Features:
o Confidentiality: Keeps the message secret from outsiders.
o Integrity: Ensures the message was not altered.
o Authentication: Verifies sender identity.
o Non-repudiation: Prevents denial of sending the message.
• Example:
If you send "HELLO" and encrypt it using a Caesar Cipher with a shift of 3, it
becomes "KHOOR". Only someone who knows the key can decrypt it.
What is Cryptanalysis?
• Definition:
Cryptanalysis is the study of breaking cryptographic systems to retrieve the
original message without knowing the key.
• Purpose:
To find weaknesses in cryptographic algorithms and attempt unauthorized
access.
• Also called: Code-breaking.
• Example:
Trying different keys or analyzing patterns in ciphertext to find the original
message.
What is Cryptology?
• Definition:
Cryptology is the combination of Cryptography and Cryptanalysis.
It is the broad field that studies secure communication.
• Includes:
o Cryptography → Making secure systems.
o Cryptanalysis → Breaking or testing those systems.
Explain:
1. Data Confidentiality
2. Data Integrity
3. Data Availability
1. Data Confidentiality
• Definition: Data confidentiality means protecting information so that only
authorized people can access or read it.
• Purpose: It prevents unauthorized access, keeping sensitive data private.
• How it works:
o Data is transformed using encryption algorithms, turning readable data
(plaintext) into an unreadable form (ciphertext).
o Only users with the correct decryption key can convert it back to
readable form.
• Examples:
o Sending private emails securely.
o Online banking transactions.
• Importance: Without confidentiality, sensitive information like passwords,
financial data, and personal details could be stolen or misused.
2. Data Integrity
• Definition: Data integrity ensures that data is accurate, complete, and has not
been altered or tampered with during storage or transmission.
• Purpose: It guarantees that the data received or retrieved is exactly what was
sent or stored originally.
• How it works:
o Uses hash functions and message authentication codes (MACs) to
create unique fingerprints of data.
o Any small change in data causes a different hash value, indicating
tampering or errors.
o Helps detect accidental corruption or intentional modification.
• Examples:
o Verifying software downloads to check they are not corrupted.
o Ensuring financial records are consistent.
• Importance: Without integrity, wrong or manipulated data could lead to wrong
decisions or security breaches.
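The following Python sketch is an added example, not part of the original notes. It shows the difference between the two tools named above: a plain hash catches accidental corruption, while a MAC (here HMAC-SHA256) also catches intentional modification because it needs a secret key. The key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for this illustration (not from the notes).
KEY = b"shared-secret-known-only-to-sender-and-receiver"
MESSAGE = b"Transfer 100 to account 12345"
TAMPERED = b"Transfer 900 to account 12345"


def fingerprint(data: bytes) -> str:
    """Unkeyed SHA-256 hash: anyone can compute it for any data."""
    return hashlib.sha256(data).hexdigest()


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: computing it requires the shared secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_check(data: bytes, received_hash: str) -> bool:
    """Receiver-side check when a plain hash travels with the message."""
    return hmac.compare_digest(fingerprint(data), received_hash)


def tag_check(key: bytes, data: bytes, received_tag: str) -> bool:
    """Receiver-side check when an HMAC tag travels with the message."""
    return hmac.compare_digest(make_tag(key, data), received_tag)


def demo() -> dict:
    good_hash, good_tag = fingerprint(MESSAGE), make_tag(KEY, MESSAGE)
    return {
        # Accidental corruption: data changed, original hash kept -> detected.
        "corruption_detected_by_hash": not hash_check(TAMPERED, good_hash),
        # Intentional change: whoever alters the data can also replace the hash.
        "replaced_hash_accepted": hash_check(TAMPERED, fingerprint(TAMPERED)),
        # Same change against a MAC: the old tag no longer matches ...
        "old_tag_rejected": not tag_check(KEY, TAMPERED, good_tag),
        # ... and a tag made without the real key does not verify either.
        "forged_tag_rejected": not tag_check(
            KEY, TAMPERED, make_tag(b"wrong-key", TAMPERED)),
        "untouched_message_accepted": tag_check(KEY, MESSAGE, good_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every entry printed is True, including "replaced_hash_accepted", which is why a hash sent alongside the data is not enough when tampering is a concern.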
3. Data Availability
• Definition: Data availability means ensuring that data and services are
accessible to authorized users whenever needed.
• Purpose: To keep systems running without interruption so users can access
data or services anytime.
• How it works:
o Uses methods like backups, redundant systems, and fault-tolerant
hardware.
o Protects against attacks like Denial of Service (DoS) that try to make
data unavailable.
o Regular maintenance and security monitoring improve availability.
• Examples:
o Online banking systems available 24/7.
o Cloud storage services ensuring files are always accessible.
• Importance: Without availability, even secure and accurate data is useless if
users cannot access it when needed.
List and define five principles of security with examples.
1. Confidentiality
o Definition: Ensures that information is only accessible to authorized users
and kept secret from unauthorized users.
o Example: Using encryption to protect messages so only the intended
recipient can read them.
2. Integrity
o Definition: Ensures that data is accurate, complete, and has not been
altered or tampered with without authorization.
o Example: Using hash functions to verify that a downloaded file has not
been changed by an attacker.
3. Availability
o Definition: Ensures that data and resources are available and accessible
to authorized users whenever needed.
o Example: Using backup servers and protection against Denial of Service
(DoS) attacks to keep a website online.
4. Authentication
o Definition: Verifies the identity of a user, device, or system before allowing
access to resources.
o Example: Requiring a username and password, or biometric verification,
before allowing access to an online account.
5. Non-repudiation
o Definition: Ensures that a sender of data cannot deny sending the
message, and the receiver cannot deny receiving it.
o Example: Using digital signatures so a person cannot deny signing an
important document.
How are ethical issues in security systems classified? Explain
with brief points. Also enlist and briefly explain legal issues in
security systems.
Ethical Issues in Security Systems
Ethical issues relate to what is morally right or wrong when designing, using, or
managing security systems. They are classified into the following categories:
1. Privacy
o Respecting the privacy of users and protecting their personal
information.
o Avoid unauthorized access or use of private data.
2. Responsibility
o Users and administrators must act responsibly when handling data.
o Avoid actions like misuse or careless handling that can harm others.
3. Integrity
o Ensuring honesty in managing data and security systems.
o Avoid tampering with data or systems for personal gain.
4. Accountability
o Users and organizations should be accountable for their actions.
o Activities should be logged to track any misuse.
5. Access Control
o Ethical use of access privileges.
o Avoid unauthorized access even if possible.
Legal Issues in Security Systems
Legal issues involve laws and regulations that govern how security systems must be
used and managed to protect rights and prevent crime. Key legal issues include:
1. Data Protection Laws
o Laws that protect personal data from misuse (e.g., GDPR).
o Organizations must follow rules for collecting, storing, and sharing
data.
2. Intellectual Property Rights
o Protecting software, data, and content from unauthorized copying or
use.
o Respect licenses and copyrights.
3. Computer Crime Laws
o Laws against hacking, data theft, and cyber-attacks.
o Illegal activities can lead to penalties and prosecution.
4. Digital Signature and Encryption Laws
o Regulations on using digital signatures and encryption.
o Ensures legal validity and controlled use of cryptographic tools.
5. Compliance Requirements
o Organizations must follow industry-specific security standards and
audits.
o Failure to comply may lead to legal actions or fines.
Explain the following types of Security Threats:
Interruption
Interception
Modification
Fabrication
Security threats refer to potential dangers that can compromise the confidentiality,
integrity, or availability of data during storage or transmission. The four major types
are:
1. Interruption
• Meaning:
Interruption occurs when a system resource becomes unavailable or is
damaged, making it unusable by authorized users.
• Objective of Attacker:
To deny access to data, services, or systems.
• Example:
o A server crashes due to a Denial of Service (DoS) attack.
o Deleting important files from a server.
• Effect on Security:
Breaks availability.
2. Interception
• Meaning:
Interception refers to unauthorized access to data or communication by a
third party.
• Objective of Attacker:
To eavesdrop or spy on private communication or data.
• Example:
o Packet sniffing on a network.
o Wiretapping a phone line.
o Reading someone’s email without permission.
• Effect on Security:
Breaks confidentiality.
3. Modification
• Meaning:
Modification happens when an unauthorized party alters the content of a
message or file.
• Objective of Attacker:
To change the original data and possibly cause damage or confusion.
• Example:
o Changing bank account numbers in a fund transfer request.
o Editing the content of an intercepted email.
• Effect on Security:
Breaks integrity.
4. Fabrication
• Meaning:
Fabrication refers to the creation of false data or messages that are presented
as coming from a legitimate source.
• Objective of Attacker:
To mislead the recipient or system into believing the data is authentic.
• Example:
o Sending fake emails pretending to be from a bank (phishing).
o Forging login requests to gain unauthorized access.
• Effect on Security:
Breaks authenticity.
Explain the following cyber threats in brief:
1. Fraud
2. Scams
3. Destruction
4. Identity Theft
5. Intellectual Property Theft
6. Brand Theft
Cyber Threats Explained
1. Fraud
o Definition: Fraud is a cybercrime where someone tricks others to gain
money or benefits illegally.
o Example: Using fake websites or emails to steal credit card details.
o Effect: Causes financial loss and damages trust.
2. Scams
o Definition: Scams are deceptive schemes to cheat people, often by
promising false rewards or benefits.
o Example: Phishing emails asking for personal information pretending
to be from a bank.
o Effect: Leads to theft of sensitive data and money loss.
3. Destruction
o Definition: Destruction refers to intentional damage or deletion of data
and computer systems.
o Example: Malware that deletes important files or crashes systems.
o Effect: Results in data loss, disruption of services, and costly recovery.
4. Identity Theft
o Definition: Identity theft is stealing someone’s personal information to
impersonate them.
o Example: Using stolen ID details to open bank accounts or get loans.
o Effect: Leads to financial loss, legal issues, and damaged reputation
for victims.
5. Intellectual Property Theft
o Definition: It is the unauthorized copying or use of protected creations
like software, music, or patents.
o Example: Pirated software downloads or leaking confidential product
designs.
o Effect: Causes financial loss to creators and companies and affects
innovation.
6. Brand Theft
o Definition: Brand theft happens when someone illegally uses a
company’s brand name or logo.
o Example: Fake websites selling counterfeit products under a
well-known brand.
o Effect: Damages the company’s reputation and causes loss of
customer trust.
Explain Rail Fence Transposition Technique with example.
Use: Plaintext = “India is the best country”, Depth = 2
• It is a Transposition Cipher (not substitution).
• Characters of the plaintext are rearranged in a zig-zag pattern across multiple
"rails" (rows).
• The ciphertext is obtained by reading the letters row by row.
Example:
Given:
• Plaintext: India is the best country
• Depth (Number of Rails): 2
Step-by-Step Process:
1. Remove spaces (optional – for simplicity)
Plaintext = INDIAISTHEBESTCOUNTRY
2. Write in zig-zag fashion across 2 rails (as depth = 2):
Rail 1 (Top row): letters at odd positions
Rail 2 (Bottom row): letters at even positions
Rail 1: I D A S H B S C U T Y
Rail 2: N I I T E E T O N R
3. Read row-wise to get ciphertext:
• Rail 1: IDASHBSCUTY
• Rail 2: NIITEETONR
Final Ciphertext = IDASHBSCUTYNIITEETONR
Decryption (Reverse Process):
1. Calculate number of characters per rail.
2. Place characters back into rail positions.
3. Reconstruct original zig-zag pattern.
4. Read down the columns to get original plaintext.
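The encryption and the four decryption steps above, written out in Python as an added example (not part of the original notes). It goes beyond the depth = 2 case and works for any number of rails; the function names are chosen for this illustration.

```python
def rail_pattern(length: int, depth: int) -> list:
    """Rail index (0 = top rail) visited by each position of the zig-zag."""
    if depth < 1:
        raise ValueError("depth must be at least 1")
    if depth == 1:
        return [0] * length
    cycle = 2 * (depth - 1)          # one full down-and-up sweep
    pattern = []
    for i in range(length):
        pos = i % cycle
        pattern.append(pos if pos < depth else cycle - pos)
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    # As in the notes, spaces are removed and letters are upper-cased.
    letters = [c.upper() for c in plaintext if c.isalpha()]
    rails = [[] for _ in range(depth)]
    for ch, rail in zip(letters, rail_pattern(len(letters), depth)):
        rails[rail].append(ch)
    # Read row by row.
    return "".join("".join(rail) for rail in rails)


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    pattern = rail_pattern(len(ciphertext), depth)
    # Step 1: number of characters per rail.
    counts = [pattern.count(rail) for rail in range(depth)]
    # Step 2: cut the ciphertext into rails of those lengths.
    rails, start = [], 0
    for n in counts:
        rails.append(ciphertext[start:start + n])
        start += n
    # Steps 3 and 4: walk the zig-zag, taking the next unread
    # character from whichever rail the pattern visits.
    cursors = [0] * depth
    out = []
    for rail in pattern:
        out.append(rails[rail][cursors[rail]])
        cursors[rail] += 1
    return "".join(out)


if __name__ == "__main__":
    ct = rail_fence_encrypt("India is the best country", 2)
    print(ct)                          # IDASHBSCUTYNIITEETONR
    print(rail_fence_decrypt(ct, 2))   # INDIAISTHEBESTCOUNTRY
```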
Explain Caesar Cipher with an example. Also list different
substitution techniques.
• A classical substitution cipher where each letter in the plaintext is shifted a fixed
number of positions down the alphabet.
• It’s a monoalphabetic cipher, meaning each letter maps to only one fixed letter.
Example
Let’s take:
• Plaintext: HELLO
• Key (Shift): 3
Each character is shifted 3 positions forward in the alphabet.
Plaintext:  H E L L O
Shift +3:   K H O O R
Ciphertext = KHOOR
Features
Feature | Detail
Type | Monoalphabetic substitution
Key | Numeric (shift value, e.g., 1 to 25)
Encryption | Shift letters forward by key positions
Decryption | Shift letters backward by key positions
Security | Weak (can be broken by brute force)
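An added Python example (not part of the original notes) covering the rows of the table above: encryption, decryption, and why the cipher is rated weak. With only 25 usable shifts, every candidate plaintext can be listed and the readable one picked out. The small word list used to recognise English is an assumption of this example.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift A-Z by `shift` positions (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


def all_candidates(ciphertext: str) -> dict:
    """Every possible decryption: the whole key space is shifts 1 to 25."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


# Constructed word list for this example; a real check would use a dictionary
# or letter-frequency statistics.
COMMON_WORDS = {"HELLO", "MEET", "ME", "AT", "PM", "THE", "AND"}


def recover_key(ciphertext: str) -> int:
    """Return the shift whose decryption contains the most known words."""
    candidates = all_candidates(ciphertext)

    def score(key: int) -> int:
        return sum(word in COMMON_WORDS for word in candidates[key].split())

    return max(candidates, key=score)


if __name__ == "__main__":
    print(encrypt("HELLO", 3))               # KHOOR
    print(decrypt("KHOOR", 3))               # HELLO
    print(recover_key("PHHW PH DW 5 SP"))    # 3
```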
Types of Substitution Techniques
1. Monoalphabetic Substitution
o Each letter is replaced by a fixed corresponding letter.
o Example: Caesar Cipher, Atbash Cipher.
2. Polyalphabetic Substitution
o Multiple cipher alphabets are used for substitution.
o More secure than monoalphabetic.
o Example: Vigenère Cipher.
3. Playfair Cipher
o Uses a 5x5 matrix of letters for encryption of digraphs (pairs of letters).
o Not based on shifting, but substitution based on position in the matrix.
4. Hill Cipher
o Based on linear algebra and matrix multiplication.
o Converts letters to numbers and applies matrix operations.
5. One-Time Pad (OTP)
o Uses a random key as long as the plaintext.
o Unbreakable if key is truly random and used only once.
Following questions are older than Winter 2023 exams:
Explain Row-Column Transposition Technique with example.
• A transposition cipher that rearranges the positions of characters instead of
substituting them.
• The plaintext is written in a grid of rows and columns, and the ciphertext is
formed by reading it column-wise (in a specific order).
Basic Working Steps
1. Choose a key that defines the number of columns.
2. Write the plaintext row-wise in a table with the number of columns = key
length.
3. If the last row is incomplete, pad it (e.g., with 'X').
4. Rearrange columns based on the numerical order of the key's characters.
5. Read the characters column-wise (using the rearranged order) to get the
ciphertext.
Example
Let’s use:
• Plaintext = SECURE COMMUNICATION
• Key = 4312567 (i.e., key length = 7)
Step 1: Create table with 7 columns
Write the plaintext row-wise into a table. Remove the spaces and pad the last row
with extra letters (X) if needed.
4 3 1 2 5 6 7
S E C U R E C
O M M U N I C
A T I O N X X
(Two X's were added to fill the table completely.)
Step 2: Read Column-wise
Now read the table column by column, taking the columns in the numerical order of
their key digits:
• Column labelled 1 (C, M, I)
• Column labelled 2 (U, U, O)
• Column labelled 3 (E, M, T)
• Column labelled 4 (S, O, A)
• Column labelled 5 (R, N, N)
• Column labelled 6 (E, I, X)
• Column labelled 7 (C, C, X)
Final Ciphertext
Joining the columns in the above order:
Ciphertext = CMI UUO EMT SOA RNN EIX CCX → CMIUUOEMTSOARNNEIXCCX
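The five working steps above as an added Python example (not part of the original notes), together with the reverse process, which the notes do not spell out. Function names are chosen for this illustration; the key is given as a string of distinct single digits, as in the example.

```python
def read_order(key: str) -> list:
    """Column indices in reading order: the column labelled '1' first,
    then '2', and so on."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext: str, key: str, pad: str = "X") -> str:
    # Remove spaces, upper-case, and pad the last row to a full row.
    letters = [c.upper() for c in plaintext if c.isalpha()]
    cols = len(key)
    while len(letters) % cols:
        letters.append(pad)
    # Write row-wise into a grid with one column per key digit.
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    # Read column-wise, columns taken in key order.
    return "".join(row[c] for c in read_order(key) for row in rows)


def columnar_decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    if len(ciphertext) % cols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    n_rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(n_rows)]
    # The k-th block of n_rows characters belongs to the k-th column read.
    for k, c in enumerate(read_order(key)):
        block = ciphertext[k * n_rows:(k + 1) * n_rows]
        for r, ch in enumerate(block):
            grid[r][c] = ch
    # Reading the rebuilt grid row-wise gives the padded plaintext.
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    ct = columnar_encrypt("SECURE COMMUNICATION", "4312567")
    print(ct)                                 # CMIUUOEMTSOARNNEIXCCX
    print(columnar_decrypt(ct, "4312567"))    # SECURECOMMUNICATIONXX
```

The decrypted text still carries the two padding X's; the receiver has to know the padding convention to strip them.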
Differentiate between: Passive attacks and Active attacks.
Also give examples of both
Aspect | Passive Attacks | Active Attacks
Definition | An attack where the attacker only monitors the data but does not alter it. | An attack where the attacker modifies or disrupts the communication.
Objective | To gain unauthorized information silently. | To alter, interrupt, or fabricate the data.
Effect on Data | No change in the actual data or system. | Data is changed, delayed, or created fraudulently.
Detection | Usually difficult to detect as nothing is changed. | Easier to detect due to abnormal behavior.
Harm | Information leakage without affecting operations. | Data corruption, loss, or system malfunction.
Security Violation | Violates Confidentiality | Violates Integrity, Availability, and sometimes Authentication
Nature of Attack | Silent and hidden | Aggressive and visible
Examples
Passive Attack Examples:
1. Eavesdropping
o Attacker listens to the communication between two parties.
2. Traffic Analysis
o Attacker studies the pattern, volume, or timing of messages (even if
encrypted).
Active Attack Examples:
1. Masquerade
o Attacker pretends to be someone else (e.g., faking identity).
2. Modification of Messages
o Attacker changes content of a legitimate message.
Define and explain:
1. Plaintext
2. Ciphertext
3. Encryption
4. Decryption
1. Plaintext
• Definition:
The original, readable message or data that needs to be protected from
unauthorized access.
• Details:
It is the input to an encryption algorithm and can be understood by humans or
machines without decryption.
• Example:
If a user sends the message:
"Meet me at 5 PM" – this is the plaintext.
2. Ciphertext
• Definition:
The encrypted (scrambled) version of the plaintext, which cannot be
understood without decryption.
• Details:
It is the output of the encryption process and appears as random or
meaningless text to an unauthorized person.
• Example:
If the encrypted form of "Meet me at 5 PM" is "PHHW PH DW 5 SP" – this is
the ciphertext.
3. Encryption
• Definition:
The process of converting plaintext into ciphertext using an encryption
algorithm and a key.
• Purpose:
To protect data from unauthorized access or tampering during transmission
or storage.
• Formula (Basic):
Ciphertext = E(Plaintext, Key)
• Example:
Using Caesar Cipher (Shift = 3),
"HELLO" → "KHOOR"
4. Decryption
• Definition:
The process of converting ciphertext back into plaintext using a decryption
algorithm and a key.
• Purpose:
To recover the original message for authorized users.
• Formula (Basic):
Plaintext = D(Ciphertext, Key)
• Example:
"KHOOR" → "HELLO" using Caesar Cipher (Shift = 3)
Distinguish between:
1. Cryptography and Steganography
2. Symmetric and Asymmetric key cryptography
1. Cryptography vs Steganography
Aspect | Cryptography | Steganography
Meaning | The process of converting readable data into unreadable form to protect its contents. | The process of hiding the existence of a message within another medium (like image, audio, etc).
Goal | To protect the content of the message from unauthorized access. | To conceal the existence of the message itself.
How it works | Uses algorithms and keys to encrypt/decrypt data. | Embeds data secretly into a cover medium.
Visibility of Message | Encrypted data is visible but unreadable. | Hidden message is invisible and unknown to others.
Example | “HELLO” → Encrypted to “KHOOR” using Caesar cipher. | Hiding a secret message inside the pixels of an image.
2. Symmetric vs Asymmetric Key Cryptography
Aspect | Symmetric Key Cryptography | Asymmetric Key Cryptography
Meaning | A single key is used for both encryption and decryption. | Uses a pair of keys: Public Key and Private Key.
Key Type | Same key is shared between sender and receiver. | One key is public (shared), and the other is private (secret).
Speed | Faster due to simpler algorithms. | Slower due to complex mathematical operations.
Security | Less secure if key is intercepted. | More secure due to use of key pairs.
Example Algorithms | AES, DES, RC4 | RSA, ECC, DSA
Key Management | Key distribution is difficult and must be secure. | Easier, since only public key is shared openly.
What are security services and security mechanisms?
Differentiate between them. Also explain security threats and
security attacks.
1. What are Security Services?
• Definition: Security services are functions or protections provided by a system to
ensure the security of data and communication.
• Purpose: To protect information from threats like unauthorized access,
alteration, or loss.
• Examples of Security Services:
o Confidentiality: Ensures data is only seen by authorized users.
o Integrity: Ensures data is not altered or tampered with.
o Authentication: Verifies the identity of users or devices.
o Non-repudiation: Prevents denial of sending or receiving data.
o Access Control: Restricts access to resources.
o Availability: Ensures authorized users can access data and resources
when needed.
2. What are Security Mechanisms?
• Definition: Security mechanisms are the tools, techniques, or methods used
to implement security services.
• Purpose: To enforce and provide the security services effectively.
• Examples of Security Mechanisms:
o Encryption: Converts plaintext into ciphertext to provide confidentiality.
o Digital Signatures: Provide authentication and non-repudiation.
o Hash Functions: Ensure data integrity by detecting changes.
o Access Control Lists (ACLs): Control who can access resources.
o Firewalls: Prevent unauthorized access to networks.
o Intrusion Detection Systems (IDS): Detect suspicious activities.
3. Security Threats
• Definition: Potential circumstances or events that can cause harm to a
system or data.
• Meaning: Threats are the possible dangers that may exploit vulnerabilities.
• Examples:
o Unauthorized access
o Data theft or loss
o System failure
o Viruses or malware
• Note: A threat alone may not cause damage unless it exploits a weakness.
4. Security Attacks
• Definition: Actual attempts or actions to exploit vulnerabilities and cause
harm or unauthorized effects.
• Types of Attacks:
o Passive Attacks: Eavesdropping or monitoring data without changing it
(e.g., interception).
o Active Attacks: Attempts to modify, delete, or fabricate data (e.g.,
modification, fabrication).
• Examples:
o Man-in-the-middle attack
o Denial of Service (DoS)
o Replay attack
o Phishing