Lecture 2. Cryptography PDF


ITSE202

CYBERSECURITY II
LECTURE II – Cryptography
1. WHY WE NEED CRYPTOGRAPHY?
 While networks can be made relatively secure, there
is always the possibility that the information can be
intercepted at some point or unauthorized access
gained. When this happens, there is a final defense –
encryption.
2. WHAT IS CRYPTOGRAPHY?
 The word comes from the Greek “krypto’s”, meaning “Hidden Secrets”.
 The goal is to conceal the information even if it is intercepted by others.
 Thus, it plays an exceedingly important role in providing Confidentiality, Integrity, Availability (CIA Triad) in our technology such as network communications, the internet, e-mails, cell phones, etc.
3. BASIC TERMS IN CRYPTOGRAPHY
 Plain text; the message.
 Cipher Text; unintelligible version of the message.
 Encryption; the operation to transform the plain text into the
cipher text.
 Decryption; the operation to transform the cipher text into the plain text.
 Cipher (or cypher); the algorithm to carry out encryption and decryption.
 Key; crucial information used by cipher and only known for
4. HISTORY OF CRYPTOGRAPHY
 Since ancient times the division between one side and
its adversary has made it important to search for a way
of hiding messages while information is in transit.
 Classical algorithms are usually defined as those
invented pre-computer, up to around the 1950s. These
techniques tended to work on the actual letters
themselves, rather than other representations such as
bits and bytes.
 During World War II, ciphers were developed, which rely
on complex gearing mechanisms to encipher the text.
These include the Enigma Cipher and the Lorenz
Cipher.
4.1. Hieroglyph
The first known cryptographic method was used by the Egyptians 4000 years ago. They communicated through messages written in hieroglyphs.
4.2. Caesar Cipher
 Perhaps the most famous of these ancient encryption
systems is the Caesar cipher, so called by the ancient
historian of Rome, Suetonius.
 This cipher is a shift cipher; that is, it relies on a shift of the alphabet according to some key.
 It is said that Caesar used a simple version with a shift of
3, but, of course, any number of shifts could be applied
from 1 to 25. Another shift, that is shift 26, will bring the
alphabet back to its original state, as there are 26
characters in the alphabet.
[Figure: the alphabet (A B C D E F ...) written above a shifted copy of itself]
Encryption: internet -> lqwhuqhw
Decryption: internet <- lqwhuqhw
SEE https://cryptii.com/pipes/caesar-cipher
DECODE https://www.dcode.fr/caesar-cipher
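The shift described above, as an added example that is not part of the original slides: it reproduces the slide's "internet" / "lqwhuqhw" pair, shows that shift 26 is the identity, and shows why a keyspace of 25 shifts gives no protection. The function names and the letter-frequency scoring are assumptions made for this illustration.

```python
import string

COMMON = set("etaoin")  # most frequent English letters, used only for scoring


def caesar(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places; leave other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def candidates(ciphertext: str) -> dict[int, str]:
    """Undo every possible key (shifts 1..25): the cipher's entire keyspace."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def likely_key(ciphertext: str) -> tuple[int, str]:
    """Pick the candidate that contains the most common English letters."""
    scored = candidates(ciphertext)
    key = max(scored, key=lambda k: sum(c in COMMON for c in scored[k].lower()))
    return key, scored[key]


if __name__ == "__main__":
    ct = caesar("internet", 3)       # the slide's example, key = 3
    print(ct)                        # ciphertext
    print(caesar(ct, -3))            # decryption is the opposite shift
    print(caesar("internet", 26))    # a shift of 26 changes nothing
    print(likely_key(ct))            # key recovered without knowing it
```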
5. TYPES OF CRYPTOGRAPHY
Symmetric Key Cryptography

Asymmetric Key Cryptography

Hash Functions
5.1. Symmetric Key Cryptography
The sender and the receiver use the same key to encrypt and decrypt the message. Also known as private key encryption.
[Figure: Sender -> Plain Text -> encryption (same pre-shared key) -> Cipher Text -> decryption (same pre-shared key) -> Plain Text -> Receiver]
5.1.1. Symmetric Encryption Algorithms
 3DES (triple DES)
 IDEA
 AES
 3DES (triple DES)
 Digital Encryption Standard (DES) is a symmetric block
cipher with 64-bit block size that uses a 56-bit key. It
takes a 64-bit block of plaintext as input and outputs
a 64-bit block of ciphertext. It always operates on
blocks of equal size and it uses both permutations and
substitutions in the algorithm. A permutation is a way
of arranging all elements of a set.
 Triple DES encrypts data three times and uses a
different key for at least one of the three passes,
giving it a cumulative key size of 112 to 168 bits. 3DES
is more resistant to attack, but it is much slower than
DES.
The 3DES encryption cycle is as follows:

1. Data encrypted by first DES. (56 bit)

2. Data decrypted by second DES. (112 bit)

3. Data re-encrypted by third DES. (168 bit)

The reverse process decrypts the ciphertext.

 IDEA
 The International Data Encryption Algorithm (IDEA) uses 64-bit blocks and 128-bit keys. IDEA performs eight rounds of transformations on each of the 16 blocks that result from dividing each 64-bit block (64 / 4).

 IDEA was the replacement for DES, and now PGP (Pretty
Good Privacy) uses it. PGP is an encryption program
that provides privacy and authentication in data
communication. GNU Privacy Guard (GnuPG) is a
licensed, free version of PGP.
 AES
 The Advanced Encryption Standard (AES) has a fixed
block size of 128 bits with a key size of 128, 192, or
256 bits. The National Institute of Standards and
Technology (NIST) approved the AES algorithm in
December 2001. The U.S. government uses AES to
protect classified information.

 AES is a strong algorithm that uses longer key lengths.
 AES is faster than DES and 3DES, so it provides both a solution for software applications as well as hardware use in firewalls and routers.
5.2. Asymmetric Key Cryptography
It is also known as public key encryption. It requires two different keys. The public key is used to encrypt the message and the private key is used to decrypt the message. There is no key exchange. If Alice wants to send a message to Bob, Alice first has to request Bob’s public key to encrypt the message. Then, Bob opens that message with his private key. So, the keys are asymmetric.
[Figure: Alice requests Bob’s public key; Bob sends his public key.]
5.2.1 Asymmetric Key Algorithms
 RSA (Rivest Shamir Adleman)
 Diffie-Hellman
 ElGamal
 Elliptic Curve Cryptography (ECC)
RSA (Rivest Shamir Adleman)
Uses the product of two very large prime numbers with an equal length of between 100 and 200 digits (1024-bits and 2048-bits). Browsers use RSA to establish a secure connection.
Diffie-Hellman

Provides an electronic exchange method to share the secret key. For instance, Alice’s private key is combined with Bob’s public key to encrypt the message, and then they exchange the keys to decrypt the message. Secure protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), and Internet Protocol Security (IPsec), use Diffie-Hellman.
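The exchange with both sides' values written out, as an added example that is not from the original slides: each party combines its own private value with the other's public value and both arrive at the same secret, while only the public values cross the network. The parameters P and G are constructed toy values (far too small for real use) and the function names are assumptions.

```python
import hashlib
import secrets

# Toy public parameters, constructed for illustration only: P is the Mersenne
# prime 2**127 - 1 and G is the base. Real deployments use standardized groups
# of 2048 bits or more, or elliptic curves.
P = 2**127 - 1
G = 3


def keypair() -> tuple[int, int]:
    """Return (private, public); the private value never leaves its owner."""
    private = secrets.randbelow(P - 3) + 2        # CSPRNG value in [2, P-2]
    public = pow(G, private, P)                   # G^private mod P
    return private, public


def shared_key(my_private: int, their_public: int) -> bytes:
    """Combine my private value with the peer's public value."""
    if not 1 < their_public < P - 1:              # reject degenerate values
        raise ValueError("public value out of range")
    secret = pow(their_public, my_private, P)     # (G^b)^a == (G^a)^b mod P
    # Hash the shared number into a 256-bit symmetric key.
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange() -> tuple[bytes, bytes, tuple[int, int]]:
    """Run both sides; return Alice's key, Bob's key and what was sent."""
    a_priv, a_pub = keypair()                     # Alice
    b_priv, b_pub = keypair()                     # Bob
    on_the_wire = (a_pub, b_pub)                  # all an eavesdropper sees
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub), on_the_wire


if __name__ == "__main__":
    alice_key, bob_key, sent = exchange()
    print(alice_key == bob_key)                   # both sides hold the same key
```

The exchange on its own does not prove who the other party is, which is why TLS and SSH pair it with certificates or host keys.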
ElGamal
ElGamal uses the U.S. government standard for digital
signatures. This algorithm is free for use because no one
holds the patent.
Elliptic Curve Cryptography (ECC)
Uses elliptic curves (mathematical equations based on points on the elliptic shape) as part of the algorithm. It generates security between key pairs (public and private keys) for public key encryption by using the mathematics of elliptic curves. In the U.S., the National Security Agency uses ECC for digital signature generation and key exchange.
5.2.2. Key Management
 Key management includes the generation, exchange,
storage, use and replacement of keys used in an
encryption algorithm.
 It is the most difficult part of designing a
cryptosystem.
 Many cryptosystems have failed because of mistakes
in their key management procedures.
 In practice, most attacks on cryptographic systems
target the key management level, rather than the
cryptographic algorithm itself.
 There are several essential characteristics of key
management to consider. Two terms used to describe
keys are:
 Key length — Also called the key size, this is the length
of the key in bits.
 Keyspace — This is the number of possibilities that a
specific key length can generate.

As key length increases, the keyspace increases exponentially. The keyspace of an algorithm is the set of all possible key values. Longer keys are more secure; however, they are also more resource intensive. Almost every algorithm has some weak keys in its keyspace that can enable a criminal to
5.2.3. Comparing Encryption Types
5.3. Hash Functions

 Accept a variable size message M as input and produce a fixed size output, referred to as a hash value or message digest.
 A change in any bit of M results in a huge change in its hash value.
5.3.1. Properties of Hash Functions

A cryptographic hash function has the following properties:
o The input can be any length.
o The output has a fixed length.
o The hash function is one-way and is not reversible.
o Two different input values will almost never result in the same hash.
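Two of these properties measured rather than asserted, as an added example that is not from the original slides: the digest length stays fixed for inputs of any size, and flipping a single input bit changes roughly half of the 256 output bits of SHA-256. The sample message and function names are constructed for this illustration.

```python
import hashlib


def digest_sizes(algorithm: str = "sha256") -> set[int]:
    """Digest length in bytes for inputs of very different lengths."""
    return {len(hashlib.new(algorithm, b"x" * n).digest())
            for n in (0, 1, 1000, 100_000)}


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def bits_changed(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Number of digest bits that differ between hash(a) and hash(b)."""
    da = hashlib.new(algorithm, a).digest()
    db = hashlib.new(algorithm, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def avalanche(message: bytes, algorithm: str = "sha256") -> tuple[int, float, int]:
    """Flip each input bit in turn; return (min, mean, max) digest bits changed."""
    counts = [bits_changed(message, flip_bit(message, i), algorithm)
              for i in range(len(message) * 8)]
    return min(counts), sum(counts) / len(counts), max(counts)


if __name__ == "__main__":
    msg = b"Transfer 100 to Alice"        # constructed sample message
    print(digest_sizes("sha256"))         # one size, whatever the input length
    print(avalanche(msg))                 # mean is close to 128 of 256 bits
```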
5.3.2. Hash Algorithms

Hash functions help to ensure that a user or communication error does not change data accidentally. For instance, a sender may want to make sure that no one alters a message on its way to the recipient.

The sending device inputs the message into a hashing algorithm and computes its fixed-length digest or fingerprint.
5.3.2.1. Latest Hash Algorithms
 Message Digest 5 (MD5) Algorithm
 Secure Hash Algorithm (SHA)
Message Digest 5 (MD5) Algorithm
 Ron Rivest developed the MD5 hashing algorithm in 1992, and several Internet applications use it today. MD5 is a one-way function that makes it easy to compute a hash from the given input data but makes it very difficult to compute input data from a hash value. MD5 produces a 128-bit hash value. However, the Flame malware compromised the security of MD5 in 2012. The authors of the Flame malware used an MD5
Secure Hash Algorithm (SHA)
The U.S. National Institute of Standards and Technology (NIST) developed SHA, the algorithm specified in the Secure Hash Standard (SHS). NIST published SHA-1 in 1994. SHA-2 replaced SHA-1 with four additional hash functions to make up the SHA family:
o SHA-224 (224 bit)
o SHA-256 (256 bit)
o SHA-384 (384 bit)
o SHA-512 (512 bit)
SHA-2 is a stronger algorithm, and it is replacing MD5. SHA-256, SHA-384 and SHA-512 are the next-generation algorithms.
5.3.3 Hashing Files and Digital Media
Integrity ensures that data and information is complete
and unaltered at the time of its acquisition. It is
important for users to have confidence in this when
downloading a file from the Internet, or if a forensic
examiner is looking for evidence on digital media, and
so on.
5.3.4. Hashing Passwords
 Hashing algorithms can turn any amount of data into a fixed-length fingerprint or digital hash. Nobody can reverse a digital hash to discover the original input. If the input changes at all, it results in a different hash.
This works to protect passwords. A system needs to store a password in a form that protects it and keeps it away from prying eyes, while also being able to still verify that a user’s password is correct.
5.3.5 Cracking Hashes
To crack a hash, an attacker must guess the password. The top two attacks used to guess passwords are dictionary and brute-force attacks.
5.3.6 Salting

Salting makes password hashing more secure.

If two users have the same password, they will also have the same password hashes. A salt, which is a random string of characters, is an additional input added to the password before hashing.

This creates a different hash result even when the two passwords are identical, as shown here. Then, the database stores both the hash and the salt. The same password generates a different hash for different users, because the salt
Salting prevents an attacker from using a dictionary attack to try to guess passwords. Salting also makes it impossible to use lookup tables and rainbow tables to crack a hash.
–Lookup table; stores the pre-computed hashes of passwords in a password dictionary, along with the corresponding password. A lookup table is a data structure that processes hundreds of hash lookups per second.
–Reverse Lookup Table; this attack allows the cybercriminal to launch a dictionary or brute-force attack on many hashes without the pre-computed lookup table. The cybercriminal creates a lookup table that plots each password hash from the breached account database to a list of users. The cybercriminal hashes each password guess and uses the lookup table to get a list of users whose password matched the
5.3.6.1 Implementing Salting
The following recommendations will help ensure successful implementation of salting:

o The salt needs to be unique for every user password.
o Never reuse a salt.
o Always hash on the server, in a web application.

A database application uses the following steps to store and validate a salted password.

To store a password:
o Use a CSPRNG (Cryptographically Secure Pseudorandom Number Generator) to generate a long, random salt.
o Add the salt to the beginning of the password.
o Hash it with SHA-256, a standard cryptographic hash function.
o Save the salt and the hash in the user’s database record.
To validate a password:
o Retrieve a user’s salt and hash from the database.
o Add the salt to the password and hash it with the same hash function.
o Compare the hash of the password just submitted by the user trying to log in to the one stored in the database.
o If the hashes do not match, the password the user has just tried to log in with is incorrect.
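The store and validate steps above in code, as an added example that is not from the original slides. The in-memory USERS dictionary stands in for the user table, and the 16-byte salt length, the function names and the sample passwords are assumptions.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16   # assumed length; the steps only ask for a long, random salt
USERS = {}        # stand-in for the user table: name -> {"salt", "hash"}


def unsalted_hash(password: str) -> bytes:
    """What salting replaces: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_hash(salt: bytes, password: str) -> bytes:
    """Salt goes at the beginning of the password, then SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)          # CSPRNG, fresh for every password
    USERS[username] = {"salt": salt, "hash": salted_hash(salt, password)}


def validate_password(username: str, password: str) -> bool:
    record = USERS.get(username)                    # retrieve salt and hash
    if record is None:
        return False
    candidate = salted_hash(record["salt"], password)
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    store_password("alice", "correct horse")        # constructed sample accounts
    store_password("bob", "correct horse")          # same password, new salt
    print(validate_password("alice", "correct horse"))    # accepted
    print(validate_password("alice", "wrong guess"))      # rejected
    print(USERS["alice"]["hash"] == USERS["bob"]["hash"])  # hashes differ
```

A single SHA-256 is fast to compute; Python's hashlib.pbkdf2_hmac and hashlib.scrypt follow the same salt-and-store pattern with a deliberately slow function.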
5.3.7. What Is an HMAC Operation?

The next step in preventing a cybercriminal from launching a dictionary or brute-force attack on a hash is to add a secret key to the hash.

Only the person who knows the hash can validate a password. One way to do this is to include the secret key in the hash using a hash algorithm called keyed-hash message authentication code (HMAC or KHMAC).
5.3.7.1. HMAC Hashing Algorithm
HMACs use an additional secret key as input to the hash function. The use of HMAC goes a step further than just integrity assurance, adding authentication. An HMAC uses a specific algorithm that combines a cryptographic hash function with a secret key.
Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key. Only parties who have access to that
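
The difference between a plain hash and an HMAC, and the keyed password hash from section 5.3.7, as an added example that is not from the original slides. The messages, keys and function names are constructed for this illustration; HMAC-SHA-256 is chosen here as the hash.

```python
import hashlib
import hmac
import secrets


def sha256_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256: the output depends on the message and the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def accepts_plain(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(sha256_digest(message), digest)


def accepts_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def keyed_password_hash(server_key: bytes, salt: bytes, password: str) -> bytes:
    """Salted password hash that also needs a server-side secret to recompute."""
    return hmac_tag(server_key, salt + password.encode("utf-8"))


def tamper_demo() -> dict[str, bool]:
    """What a receiver accepts when a message is altered in transit."""
    key = secrets.token_bytes(32)                 # known to sender and receiver only
    original = b"pay 100 to account 12345"        # constructed sample messages
    altered = b"pay 900 to account 99999"
    tag = hmac_tag(key, original)
    other_key = secrets.token_bytes(32)           # someone who lacks the real key
    return {
        "genuine_hmac": accepts_hmac(key, original, tag),
        # A plain digest can be recomputed by anyone, so it still matches.
        "altered_plain_hash": accepts_plain(altered, sha256_digest(altered)),
        # Without the key, the old tag or a tag under another key both fail.
        "altered_old_tag": accepts_hmac(key, altered, tag),
        "altered_other_key": accepts_hmac(key, altered, hmac_tag(other_key, altered)),
    }


if __name__ == "__main__":
    print(tamper_demo())
```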