NETWORK SECURITY
ENCRYPTION
Encryption / Decryption
• A: sender; B: receiver
• Transmission medium
• An interceptor (or intruder) may block, intercept, modify, or fabricate
the transmission.
[Diagram: A (sender) → plaintext → encryption → ciphertext (encrypted transmission) → decryption → plaintext → B (receiver)]
Encryption attempts to make information unreadable by anyone who is not
explicitly authorized to view that data.
People or devices can be authorized to access encrypted data in many ways,
but typically this access is granted via passwords or decryption keys.
Encryption / Decryption
Encryption: A process of encoding a message, so that its
meaning is not obvious. (= encoding, enciphering)
Decryption: A process of decoding an encrypted message
back into its original form. (= decoding, deciphering)
A cryptosystem is a system for encryption and
decryption.
Terminology
• Cryptography: The practice of using
encryption to conceal text.
(cryptographer)
• Cryptanalysis: The study of encryption
and encrypted messages, with the
goal of finding the hidden meanings of
the messages. (cryptanalyst)
• Cryptology = cryptography +
cryptanalysis
Cryptanalysis
• A cryptanalyst may work with various
data (intercepted messages, data
items known or suspected to be in a
cipher text message), known
encryption algorithms, mathematical
or statistical tools and techniques,
properties of languages, computers,
and plenty of ingenuity and luck.
1. Attempt to break a single message
2. Attempt to recognize patterns in
encrypted messages
3. Attempt to find general weakness
in an encryption algorithm
Two forms of encryption
• Substitutions
One letter is exchanged for another
Examples: monoalphabetic
substitution ciphers,
polyalphabetic substitution
ciphers
• Transpositions (= permutations)
The order of the letters is
rearranged
Examples: columnar transpositions
History
• About 1900 BC: Egyptian scribe
used non-standard hieroglyphs
in an inscription.
– First documented example of
written cryptography
• 1500 BC: ancient Assyrian
merchants used intaglio, a piece
of flat stone carved into a collage
of images and some writing to
identify themselves in trading
transactions.
• 100-44 BC: Julius Caesar used a
simple substitution with the
normal alphabet (just shifting
the letters a fixed amount) in
government communications.
Substitutions
• Caesar cipher: Each letter is translated to the letter a fixed number
of letters after it in the alphabet.
Ci = E(Pi) = Pi + 3
• “Attack at dawn” becomes
• Dwwdfn dw gdzq
• Advantage: simple
• Weakness:
✓ Can be cracked with close observation
✓ Letter frequency is a big clue
– e,t,a,o most common English letters.
– Using a single key preserves frequency.
✓ Solution: use multiple keys
– E.g. shift by (3,5,7)
• “Attack at dawn” becomes dya dhr dyk dbu
• Better, but frequency information still present.
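The two ciphers above and the frequency weakness they share, as an added example (not part of the original slides). It reproduces both "Attack at dawn" ciphertexts and shows that letter statistics alone recover the shift values; the function names, the English frequency table and the sample text are constructed for this illustration.

```python
from collections import Counter
from string import ascii_lowercase as ALPHA

# Approximate relative frequencies of a..z in English text (standard reference table).
ENGLISH = dict(zip(ALPHA, [
    .0817, .0149, .0278, .0425, .1270, .0223, .0202, .0609, .0697, .0015,
    .0077, .0403, .0241, .0675, .0751, .0193, .0010, .0599, .0633, .0906,
    .0276, .0098, .0236, .0015, .0197, .0007]))

# Constructed sample plaintext, long enough for letter statistics to show.
SAMPLE = (
    "The morning train leaves the station at seven and reaches the coast before noon. "
    "Most of the passengers read the paper or rest their eyes while the fields and "
    "rivers slide past the window. At the last stop the children run ahead to the sand, "
    "and their parents carry the baskets and the heavy bags down to the shore. "
    "In the evening they all return tired and happy, and the train takes them home."
)

def shift_encrypt(text, shifts):
    """Shift each letter by the next value in `shifts`, cycling; (3,) is the Caesar cipher."""
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shifts[i % len(shifts)]) % 26 + base))
            i += 1
        else:
            out.append(ch)          # spaces and punctuation pass through unchanged
    return "".join(out)

def letters(text):
    """Lower-cased letters of `text`, everything else dropped."""
    return [c for c in text.lower() if c in ALPHA]

def profile(seq):
    """Sorted letter counts: the shape of the histogram, ignoring which letter is which."""
    return sorted(Counter(seq).values(), reverse=True)

def best_shift(column):
    """Pick the shift whose decryption scores highest against English frequencies."""
    def score(s):
        return sum(ENGLISH[ALPHA[(ALPHA.index(c) - s) % 26]] for c in column)
    return max(range(26), key=score)

def recover_shifts(ciphertext, period):
    """Treat every period-th letter as its own Caesar cipher and solve each one."""
    ls = letters(ciphertext)
    return tuple(best_shift(ls[k::period]) for k in range(period))

if __name__ == "__main__":
    caesar = shift_encrypt(SAMPLE, (3,))
    multi = shift_encrypt(SAMPLE, (3, 5, 7))
    print(shift_encrypt("Attack at dawn", (3,)), "|", shift_encrypt("Attack at dawn", (3, 5, 7)))
    print("single key keeps histogram shape:", profile(letters(caesar)) == profile(letters(SAMPLE)))
    print("recovered:", recover_shifts(caesar, 1), recover_shifts(multi, 3))
```

With three shifts the overall histogram is flatter, but each group of every third letter is still a plain Caesar cipher, which is why the frequency information remains.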
Why is it important?
Encryption used to be a word that people linked with
government and secret operations. However, with the use of
computers becoming more and more common, it is necessary
for data to be disguised to help protect the user.
• It keeps outsiders from viewing important company
documents
• It keeps information from being shared between users on
the same server or network
• It can be used to make “keys” so that only certain
people can view or access a document
Authentication and Encryption
• Authentication and encryption are two intertwined technologies
that help to ensure that your data remains secure.
• Authentication is the process of ensuring that both ends of the
connection are in fact who they say they are. This applies not only
to the entity trying to access a service (such as an end user) but to
the entity providing the service, as well (such as a file server or
Web site).
• Encryption helps to ensure that the information within a session is
not compromised. This includes not only reading the information
within a data stream, but altering it, as well.
• While authentication and encryption each has its own
responsibilities in securing a communication session, maximum
protection can only be achieved when the two are combined. For
this reason, many security protocols contain both authentication
and encryption specifications.
Authentication: Three Types
• Single factor authentication
– Password
– Easy to remember
– Easy to crack
– People are predictable… passwords are usually a pet's name, a birth date, etc.
• Two factor
– Password + token (security device for users to keep in possession)
– Safer and more complex than single factor
• Three factor
– Password + token + biometric authentication (fingerprint, retinal scan)
– Safer and more complex than single or double factor types; used for high
security purposes (e.g., government documents)
• A token is a security device for authorized users to keep in possession. Some
examples include:
• SecurID Card, Challenge/response method, and USB token
• The messages you send on WhatsApp are end-to-end
encrypted. This means that only your device, and that of the
recipient, can decode them. The feature prevents your messages
from being intercepted during transmission, even by Facebook
themselves.
Private key and Public key Encryption
• Private Key Encryption: Each party has the same key, and only this key
can decrypt the message. They must keep this key private so that
others are unable to decrypt the message.
• Public Key Encryption: Each party has a different key, the first
party encrypts the message, and the second party’s key is the only
one that can decrypt the message. If the second party encrypts a
message only the first party’s key can decrypt the message.
Therefore, the keys may be put into the public because the ones
that are owned by either party are the only copies.
Encryption And Decryption
• Symmetric / Private Key Encryption
– Uses a single number key to encode and decode the data. Both the sender and
receiver must know the key
– DES (Data Encryption Standard) is the most widely used standard for symmetric
encryption
– Because each sender and receiver would require a different key, this type of
encryption is basically used by government entities
– It is rarely used for e-commerce transactions over the Internet
– Requires a secure way to get the key to both parties
What is Symmetric Encryption?
Symmetric encryption is a cryptographic method in which the
same key is used for both encrypting and decrypting the data.
Basic password protection can be seen as a form of symmetric
encryption, where the same password is used to both encrypt
and decrypt data. When a user creates a password for their
account, it serves as the shared secret key for encrypting their
sensitive information.
• What does the Private Key Look Like?
• A private key is a long string of random letters and numbers. This encoded
piece usually starts with -----BEGIN RSA PRIVATE KEY----- and ends with
-----END RSA PRIVATE KEY-----
Encryption And Decryption
• Asymmetric / Public Key Encryption
– Uses two numeric keys
• The public key is available to anyone wishing to communicate securely with the key’s
owner
• The private key is available only to the owner
– Both keys are able to encrypt and decrypt each other’s messages
– It is computationally infeasible to deduce the private key from the public key. Anyone who has a
public key can encrypt information but cannot decrypt it. Only the person who has the
corresponding private key can decrypt the information.
Encryption And Decryption
• Asymmetric / Public Key Encryption:
– The primary benefit of asymmetric cryptography is that it allows people who
have no preexisting security arrangement to exchange messages securely.
– The need for sender and receiver to share secret keys via some secure
channel is eliminated
• All communications involve only public keys, and no private key is ever
transmitted or shared.
• Some examples of public-key cryptosystems are
– RSA (named for its inventors, Ron Rivest, Adi Shamir, and Leonard
Adleman)
– Diffie-Hellman (named, you guessed it, for its inventors)
– DSA, the Digital Signature Algorithm (invented by David Kravitz).
– PGP (Pretty Good Privacy) is fairly popular and inexpensive
– Because conventional cryptography was once the only available means for
relaying secret information, the expense of secure channels and key
distribution relegated its use only to those who could afford it, such as
governments and large banks (SSL)
– Public key encryption is the technological revolution that provides strong
cryptography to the public
RSA Algorithm:
The RSA algorithm is a widely used public key encryption algorithm. It is based on the
principle that it is easy to multiply two large prime numbers, but hard to factorize the
product of two large prime numbers into its factors. The RSA algorithm uses this principle
to generate a public-private key pair, which can be used for encryption and decryption.
The Public and Private key pair comprises two uniquely related cryptographic keys
(basically long random numbers).
Below is an example of a Public Key:
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31
C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673
CA2B 4003 C266 E2CD CB02 0301 0001
The Public Key is what its name suggests - Public. It is made available to everyone via
a publicly accessible repository or directory. On the other hand, the Private Key must
remain confidential to its respective owner.
Because the key pair is mathematically related, whatever is encrypted with a Public
Key may only be decrypted by its corresponding Private Key and vice versa.
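The sample public key shown above is DER-encoded: a SEQUENCE holding two INTEGERs, the modulus and the public exponent. The following added example (not part of the original slides) decodes it with a minimal parser and reports the modulus size; the function names and the 2048-bit floor passed to `assess` are choices made for this example.

```python
# The public key bytes exactly as printed on the slide.
PAGE_KEY_HEX = """
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31
C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673
CA2B 4003 C266 E2CD CB02 0301 0001
"""
PAGE_KEY = bytes.fromhex("".join(PAGE_KEY_HEX.split()))

def read_tlv(buf, pos):
    """Read one DER tag-length-value item at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: low 7 bits count length bytes
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """Return (modulus, exponent) from SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(body, 0)
    tag_e, e_bytes, pos = read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def assess(der, minimum_bits=2048):
    """Summarise the key; minimum_bits is this example's assumed policy floor."""
    n, e = parse_rsa_public_key(der)
    bits = n.bit_length()
    return {"modulus_bits": bits, "exponent": e, "meets_minimum": bits >= minimum_bits}

if __name__ == "__main__":
    print(assess(PAGE_KEY))
```

The slide's key has a 512-bit modulus and the common exponent 65537, so it illustrates the format but is far below the size used for keys that protect real data.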
Asymmetric / Public Key Encryption: example
For example, if Rohit wants to send sensitive data to Virat, and
wants to be sure that only Virat may be able to read it, he will
encrypt the data with Virat's Public Key.
Only Virat has access to his corresponding Private Key and as a
result, is the only person with the capability of decrypting the
encrypted data back into its original form.
Because only Virat has access to his Private Key, only
Virat can decrypt the encrypted data.
Even if someone else gains access to the encrypted data, it will
remain confidential as they should not have access to Virat's Private
Key.
What are the differences between private key and public key encryption?
✓ For symmetric encryption, the same key is used to encrypt the message and decrypt it. This key
must be random, or cryptographically generated in a way that makes it look random.
✓ For public-key encryption, instead the recipient generates two keys together, a public encryption
key and a private decryption key. The message is encrypted with the public key and can only be
decrypted with the private key.
In practice, public-key encryption is almost always used to exchange a secret key between the
parties. That way they only have to go through the complexity and computation of the
public-key system once, at least until they forget the secret key (e.g., until you close your browser).
✓ Public-key encryption is slower and more complicated than symmetric encryption, but it's also
much more flexible.
✓ Consider connecting to your bank: you could theoretically use symmetric cryptography if you
shared a key with your bank, for example by showing up to a branch in person and exchanging
secret random numbers. Indeed, that's basically what a SecurID token is: a shared secret
between you and your bank. But it's much easier to exchange those secret random numbers over
the internet, encrypted with the bank's public key.
Public key encryption, in which a message is encrypted with a recipient's
public key. The message cannot be decrypted by anyone who does not
possess the matching private key, who is thus presumed to be the owner of
that key and the person associated with the public key. This is used to
ensure confidentiality.
✓ An analogy to public key encryption is that of a locked mailbox with a mail
slot. The mail slot is exposed and accessible to the public – its location (the
street address) is, in essence, the public key. Anyone knowing the street
address can go to the door and drop a written message through the slot.
However, only the person who possesses the key can open the mailbox and
read the message.
✓ An analogy for digital signatures is the sealing of an envelope with a
personal wax seal. The message can be opened by anyone, but the presence
of the unique seal authenticates the sender.
✓ Digital signatures, also called public key signatures, are a cryptographic
method of showing who created a digital asset and ensuring the item hasn’t
been changed by another party.
✓ Examples of such assets include emails, PDFs, Word files, software
application codes, etc. Applications frequently use visual marks of some kind
(e.g., a ribbon mark in Microsoft Outlook) to represent digital signatures.
✓ These signatures are trusted because you need to have a special file called a
digital signature certificate to sign them digitally.
✓ But before you can get this digital certificate, a publicly trusted third party
(called a certificate authority or CA) must carefully vet your identity. Once
you receive and start using your digital signature certificate, it proves that
whatever you sign is authentic because it was created and signed by you,
and your identity has been validated.
✓ Digital signatures are a type of electronic signature. But unlike regular
electronic signatures, which generally look similar to handwritten
signatures, digital signatures might not look anything like traditional
signatures
Key features of Digital Signature:
A digital signature is characterized by a unique feature in
digital form, like a fingerprint, that is embedded in a document.
The signer is required to have a digital certificate so that he or
she can be linked to the document.
Digital signature is often authorized by certification authorities
that are responsible for providing digital certificates that can be
compared to licenses or passports.
A digital certificate is used to validate the document to ascertain
its authenticity if it has not been forged. This plays a pivotal role
in verifying the identity of the original person with the signature.
The other key feature of a digital signature is that it is used to
secure digital documents.
Some people tend to tamper with digital documents obtained
online, but with a digital signature this can be impossible.
The document is secured and can only be
accessed by the authorized person for any alterations or
amendments.
When a digital signature is applied to a certain document, the
digital certificate is bound to the data being signed into one
unique fingerprint.
These two components of the digital signature are unique, and
this makes it more viable than wet signatures since its origins can
be authenticated.
• Prove the authenticity of the document and its source
• Make sure that the document has not been tampered with
• Personal identity has been verified.
How Digital Signatures Are Created:
To create a digital signature, you first need to have a digital certificate in
hand. A digital certificate is a small data file that contains verified,
identifying information about you or your organization. (This is the main info
that displays to users.) But that’s not all that’s required. Without getting too
technical, digital signatures are created by applying two cryptographic tools
to the data you wish to protect:
A special cryptographic function (called a hash function or hash algorithm)
— This creates a hash value (a mishmash of letters and characters) of a fixed
length, which masks the true size of the input and ensures the integrity of
the data.
A private key, which encrypts the hash value — When the recipient receives
or downloads the file, they can decrypt it using the signer’s public key. This
key ensures only the intended user can read the data.
Digital Certificates
• Digital Certificates
– Use asymmetric encryption to create digital signatures
– Used on the Internet to authenticate both users and vendors
– A digital certificate is a unique identifier assigned to a user/vendor by a
certification authority to verify the identity of the user/vendor
• A certification authority (such as VeriSign) is a private company that
certifies the user or vendor is who s/he claims to be
• Work together with credit card verification companies or other financial
institutions in order to verify the identity of the certificate’s requesters
– Digital signature is an encrypted attachment added to the electronic message
to verify the sender’s identity
• The digital certificate received by the user includes a copy of its public
key
• This digital certificate’s owner makes its public key available to anyone
wanting to send encrypted documents to the certificate’s owner
Digital Signatures
Instead of encrypting information using someone else's public key, you
encrypt it with your private key. If the information can be decrypted with your
public key, then it must have originated with you.
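The hash-then-private-key procedure from "How Digital Signatures Are Created" and the "Digital Signatures" slide above, as an added example (not part of the original slides). It uses textbook RSA with toy keys constructed from small known primes; real signature schemes use much larger keys and a padding scheme, and every name below is illustrative.

```python
import hashlib

def keypair(p, q, e=65537):
    """Build a toy RSA key from two primes (constructed values, far too small for real use)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent: inverse of e mod phi(n)
    return {"n": n, "e": e, "d": d}

def digest_as_int(message, n):
    """SHA-256 of the message as an integer, reduced mod n so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, key):
    """Signer: hash the message, then apply the PRIVATE exponent to the hash."""
    return pow(digest_as_int(message, key["n"]), key["d"], key["n"])

def verify(message, signature, e, n):
    """Anyone: apply the PUBLIC exponent and compare with a freshly computed hash."""
    return pow(signature, e, n) == digest_as_int(message, n)

# Toy keys from known Mersenne primes, chosen only so the example runs instantly.
SIGNER = keypair(2**61 - 1, 2**89 - 1)
OTHER = keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    msg = b"Pay 100 to Virat"                       # constructed sample message
    sig = sign(msg, SIGNER)
    print("genuine message :", verify(msg, sig, SIGNER["e"], SIGNER["n"]))
    print("altered message :", verify(b"Pay 900 to Virat", sig, SIGNER["e"], SIGNER["n"]))
    print("wrong public key:", verify(msg, sig, OTHER["e"], OTHER["n"]))
```

Verification needs only the public half of the key, so a valid signature shows who signed and that the content is unchanged; the message itself travels in the clear.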
VeriSign – certification authority
M-COMMERCE
• M-commerce (mobile commerce) is the buying and selling of goods and services through
wireless handheld devices such as cellular telephones and personal digital assistants (PDAs).
• Known as next-generation e-commerce, m-commerce enables users to access the Internet
without needing to find a place to plug in.
✓ The emerging technology behind m-commerce is based on the Wireless Application
Protocol (WAP), with mobile devices equipped with Web-ready micro-browsers to assist
buying and selling through handheld devices.
M-commerce is not simply buying and selling
with mobile devices.
It also includes:
✓purchases on mobile web and apps;
✓mobile payments;
✓mobile money transfers and m-banking;
✓mobile financial services.
Secured Online Payment Steps
Key Players
The key players involved in authorization and settlement are:
✓ Cardholder
✓ Merchant
✓ Acquiring Bank (Merchant Bank)
✓ Issuing Bank (Cardholder Bank)
✓ Card Associations (Visa and MasterCard)
Cardholder
If you have a credit or debit card (as most of us do), you're already pretty familiar
with the role of the cardholder.
Merchant
A merchant is any business that maintains a merchant account that enables them
to accept credit or debit cards as payment from customers (cardholders) for
goods or services provided.
Key Players:
Acquiring Bank (Merchant Bank)
An acquiring bank is a registered member of the card associations (Visa and
MasterCard). An acquiring bank is often referred to as a merchant bank because
they contract with merchants to create and maintain accounts that allow the
business to accept credit and debit cards, (i.e. merchant accounts).
Acquiring banks provide merchants with equipment and software to accept cards,
promotional materials, customer service and other necessary aspects involved in
card acceptance.
The acquiring bank also deposits funds from credit card sales into a merchant's
account.
Issuing Bank (Cardholder Bank)
An issuing bank issues cards to consumers. The issuing bank is also a member of the
card associations (Visa and MasterCard). Issuing banks pay acquiring banks for
purchases that their cardholders make. It is then the cardholder's responsibility to
repay their issuing bank under the terms of their credit card agreement.
Key Players..
Card Associations (Visa and MasterCard)
Visa and MasterCard aren't banks and they don't issue credit cards or merchant
accounts.
✓ Instead, they act as a custodian and clearing house for their respective card
brand.
✓ They also function as the governing body of a community of financial
institutions, ISOs and MSPs that work together in association to support credit
card processing and electronic payments. Hence the name, “card
associations.”
• The primary responsibilities of the Card Association are to govern the
members of their associations, including interchange fees and qualification
guidelines, act as the arbiter between issuing and acquiring banks, maintain
and improve the card network and their brand, and, of course, make a profit.
That last one has become even more important now that Visa and MasterCard
are public companies.
• Visa uses their VisaNet network to transmit data between association
members, and MasterCard uses their Banknet network.