Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.

CHAUDHARY

 Introduction to Cryptography
Cryptography is the art and science of making a cryptosystem that is capable
of providing information security.
Cryptography deals with the actual securing of digital data. It refers to the
design of mechanisms based on mathematical algorithms that provide fundamental
information security services. You can think of cryptography as the establishment of
a large toolkit containing different techniques in security applications.
Cryptography is the study and practice of techniques for secure
communication in the presence of third parties called adversaries. It deals with
developing and analyzing protocols which prevents malicious third parties from
retrieving information being shared between two entities thereby following the
various aspects of information security.
Secure Communication refers to the scenario where the message or data
shared between two parties can’t be accessed by an adversary. In Cryptography, an
Adversary is a malicious entity, which aims to retrieve precious information or
data thereby undermining the principles of information security.
Security Services of Cryptography
The primary objective of using cryptography is to provide the following four
fundamental information security services. Let us now see the possible goals intended
to be fulfilled by cryptography.

1 Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It
is a security service that keeps the information from an unauthorized person. It is
sometimes referred to as privacy or secrecy.
refers to certain rules and guidelines usually executed under confidentiality
agreements which ensure that the information is restricted to certain people or
places.
2 Data integrity
refers to maintaining and making sure that the data stays accurate and
consistent over its entire life cycle.
It is security service that deals with identifying any alteration to the data. The
data may get modified by an unauthorized entity intentionally or accidently. Integrity
service confirms that whether data is intact or not since it was last created,
transmitted, or stored by an authorized user.
Data integrity cannot prevent the alteration of data, but provides a means for
detecting whether data has been manipulated in an unauthorized manner.

3. Authentication
Authentication provides the identification of the originator. It confirms to the
receiver that the data received has been sent only by an identified and verified sender.

Page 1 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

Authentication service has two variants −

 Message authentication identifies the originator of the message without any
regard router or system that has sent the message.
 Entity authentication is assurance that data has been received from a specific
entity, say a particular website.
4. Non-repudiation
refers to ability to make sure that a person or a party associated with a contract
or a communication cannot deny the authenticity of their signature over their
document or the sending of a message
It is a security service that ensures that an entity cannot refuse the ownership of
a previous commitment or an action. It is an assurance that the original creator of the
data cannot deny the creation or transmission of the said data to a recipient or third
party.
 Types Of Cryptography:
In general there are three types Of cryptography:
1.Symmetric Key Cryptography:
It is an encryption system where the sender and receiver of message use a
single common key to encrypt and decrypt messages. Symmetric Key Systems
are faster and simpler but the problem is that sender and receiver have to
somehow exchange key in a secure manner. The most popular symmetric key
cryptography system is Data Encryption System(DES).

2. Asymmetric Key Cryptography:

Under this system a pair of keys is used to encrypt and decrypt
information. A public key is used for encryption and a private key is used for
decryption. Public key and Private Key are different. Even if the public key is
known by everyone the intended receiver can only decode it because he alone
knows the private key.

Page 2 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

3. Hash Functions:
There is no usage of any key in this algorithm. A hash value with fixed
length is calculated as per the plain text which makes it impossible for contents
of plain text to be recovered. Many operating systems use hash functions to
encrypt passwords.

 Encryption
Encryption is a security method in which information is encoded in such a way
that only authorized user can read it. It uses encryption algorithm to generate
ciphertext that can only be read if decrypted.

Page 3 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

1. Public Key encryption

Public key encryption algorithm uses pair of keys, one of which is a secret key
and one of which is public. These two keys are mathematically linked with each
other.

2. Hashing
In terms of security, hashing is a technique used to encrypt data and
generate unpredictable hash values. It is the hash function that generates the
hash code, which helps to protect the security of transmission from unauthorized
users.
Encryption has mainly 5 ingredients :
1. Plain text
It is the original data that is given to the algorithm as an input.
2. Encryption algorithm
This encryption algorithm performs various transformations on plain text to
convert it into ciphertext.
3. Secret key
The secret key is also an input to the algorithm. The encryption algorithm will
produce different outputs based on the keys used at that time.
4.Ciphertext
It contains encrypted information because it contains a form of original plaintext
that is unreadable by a human or computer without proper cipher to decrypt it. It
is output from the algorithm.
5. Decryption algorithm
This is used to run encryption algorithms in reverse. Ciphertext and Secret key is
input here and it produces plain text as output.
 Decryption
Decryption is a Cyber Security technique that makes it more difficult for
hackers to intercept and read the information they’re not allowed to do. It is
transforming encrypted or encoded data or text back to its original plain format
that people can easily read and understand from computer applications. This is
the reverse of encryption, which requires coding data to make it unreadable for
all, but only those with matching Decryption keys can read it.
Although encryption protects the data, recipients must have the right
Decryption or decoding tools to access the original details. What Decryption does
is unencrypt the data, which can be done manually, automatically, using the best
Decryption software, unique keys, passwords, or codes. This translates
unreadable or indecipherable data into original text files, e-mail messages,
Page 4 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

images, user data, and directories that users and computer systems can read and
interpret.
Types of Decryption
1. Triple DES
Triple DES was developed to replace the original Data Encryption Standard
(DES) algorithm that hackers gradually learned to beat with great ease. Triple
DES uses three single 56-bit keys each. Despite being phased out slowly, Triple
DES still establishes secure hardware encryption and Decryption solutions for
financial services and other industries.
2. RSA
It is a public-key encryption-Decryption algorithm and a standard for
encrypting data sent over the networks. It also is one of the approaches used in
our PGP and GPG programs. Compared to Triple DES, RSA is considered an
asymmetric algorithm due to the use of a pair of keys. You have your public key,
which we use to encrypt our message, and a private key to decrypt it.
3. AES
It is highly efficient in 128-bit form, and AES also utilizes 192 and 256-bit
keys for heavy-duty data encryption. AES is generally believed to be resistant to
all attacks, excluding brute force, which tries to decode messages using all
possible combinations of 128, 192, or 256-bit cryptosystems. Still, Cyber Security
specialists claim that AES will finally be hailed as a de facto standard for data
encryption in the private sector.
4. Blowfish
Blowfish is another algorithm developed to replace DES. This symmetric
cipher breaks messages into 64-bit blocks and encrypts them individually.
Blowfish is known both for its incredible speed and overall performance, as many
say it has never been defeated. In the meantime, vendors have made good use of
its free availability in the public domain.
5. Twofish
The keys used for this algorithm can be up to 256 bits in length, and only
one key is required as a symmetrical technique. Twofish is considered one of the
fastest of its kind and is suitable for both hardware and software environments.
Like Blowfish, Twofish is freely accessible to anyone who wants to make use of it.
WHY IS DECRYPTION USED?
 It helps you secure sensitive info, such as passwords and login IDs.
 Provides confidentiality of private information
 It helps you ensure that the record or file is still unchange
 Beneficial for network communication such as the internet and where the hacker
can quickly obtain unencrypted data.
 It’s an essential method because it lets you protect data safely that you don’t want
someone else to access.

Page 5 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

 PlainText and CipherText

Plaintext is the term used to refer to the information in plain language that
the sender desires to send to one or more receiving computers or individuals.
Also referred to as cleartext, plaintext is commonly referred to as the input to a
cipher or encryption algorithm
In cryptographic circles, plaintext is commonly used as the input to a cipher
or encryption algorithm. The output of these cipher’s is normally referred to as
ciphertext. The outputted text can be a result of one or many rounds of
encryption employed on the plaintext depending on the specific algorithm in use

Ciphertext is encrypted text transformed from plaintext using

an encryption algorithm. Ciphertext can't be read until it has been converted into
plaintext (decrypted) with a key. The decryption cipher is an algorithm that
transforms the ciphertext back into plaintext.
 Digital Signature standards.
A digital signature is a mathematical technique which validates the
authenticity and integrity of a message, software or digital documents. It allows
us to verify the author name, date and time of signatures, and authenticate the
message contents. The digital signature offers far more inherent security and
intended to solve the problem of tampering and impersonation (Intentionally
copy another person's characteristics) in digital communications.
Digital Signature is a mathematical technique which is used to authenticate
a digital document. This is equivalent to handwritten signature or a stamped seal
and offers far more security and integrity to the message or digital document. It
solves the problem of impersonation in digital communications by providing
evidence of origin, identity and status of the digital transactions.
Digital signatures allow us to verify the author, date and time of signatures,
authenticate the message contents. It also includes authentication function for
additional capabilities.
A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
How does a Digital Signature Work?
Digital signatures are based on asymmetric cryptography, which means that
the information can be shared using a public key cryptography, and uses both
Page 6 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

public and private keys to encrypt and decrypt data. These two keys are not
identical. There will be one public key which can be shared with everyone and
the Private key is known only to the user. To understand it better, we can say
public key is the email id which can be shared openly and you can compare the
private key to the password of that email id which has to be kept a secret. One
has to be very careful to store the private key in a secure place, as there is no way
to regain the private key, once it is lost.

The asymmetric cryptography, uses two mutually authenticating

cryptographic keys. Public and Private keys are simply extremely large and random
numbers. The sender on the network generates a private key and public key. They
sign the message with the Digital signature comprising of both the keys and send
their transaction message using public key. In the peer to peer network, each
transaction is validated by every node. Every node or receiver of the message then
checks the transaction using the public key and verifies that the sender is genuine
using elliptic curves and complex modular mathematics.
The Public key and private key pair is uniquely related cryptographic keys and
they are basically random long numbers comprising alphabets and numbers and
goes like this –
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31
C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673
CA2B 4003 C266 E2CD CB02 0301 0001
As the key pair is mathematically related, whatever is encrypted with a
Public Key can only be decrypted by its corresponding Private Key and vice versa.
The sender will encrypt the message using his private key and sends across
public key in the matter of Bitcoin Network.
The node or receiver of the message checks it using the verification
algorithm that the message has been signed by the sender, and that the Node is a
valid user and the holder of the private key to the public key sent. This is how the
digital signatures are authenticated and used to secure transactions.
Page 7 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

Application of Digital Signature Standards.

1. Authentication
Authentication is a process which verifies the identity of a user who wants to
access the system. In the digital signature, authentication helps to authenticate the
sources of messages.
2. Non-repudiation
Non-repudiation means assurance of something that cannot be denied. It
ensures that someone to a contract or communication cannot later deny the
authenticity of their signature on a document or in a file or the sending of a message
that they originated.
3. Integrity
Integrity ensures that the message is real, accurate and safeguards from
unauthorized user modification during the transmission.
Types of Digital Signature
 Certified Signatures
 Approval Signatures
 Visible digital signature
 Invisible digital signature

 Electronic mail security

Email security can be defined as the use of various techniques to secure
sensitive information in email communication and accounts against
unauthorized access, loss, or compromise. In simpler terms, email security
allows an individual or organization to protect the overall access to one or more
email addresses or accounts.
Email security can be defined as the use of various techniques to keep
sensitive information in email communication and accounts secure. These
precautions are taken chiefly against unauthorized access, loss, or compromise.
Why Is Email Security Important?
Email is a popular attack vector. Therefore, enterprises and individuals
must secure their email accounts against common attacks and attempt to gain
unauthorized access to the communications’ accounts or content.
1. Email is a common target for cyber-criminals
when employees work remotely, as observed in the COVID-19 pandemic
situation, they tend to use their official emails for almost all communication.
Such communications are vulnerable, and the employees are at the risk of
being attacked by cyber-criminals. Cyber-criminals often use phishing,

Page 8 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

baits, social engineering, and many other types of attacks to exploit cracks in
the security system.
2. A small loophole can affect the entire organization
A small loophole in an email’s security can allow deadly malware or
spyware to sneak into the entire communication network, wreaking havoc in
the entire organization. The situation worsens when the organization’s
network is hit by deadly ransomware.
3. Crucial for organizations to protect sensitive information
The company’s confidential information may include highly sensitive
information that can be used against the organization or for criminal purposes.
Cyber-criminals can also target day-to-day communication and change messages,
which can create miscommunication and compel the communicators (the
employees) to release or hide relevant information.
Although email service providers employ standard security measures,
cyber-criminals can easily circumvent many of these measures. Generally,
standard email defenses can only stop threats that are already known to them. In
some situations, the email system also prompts its users to decide whether the
received messages are secure or not and act accordingly. Advanced threat
detection systems currently use artificial intelligence databases, real-time
analysis, and machine learning for better protection.
The technological advancement in online security systems can also
empower cyber-criminals and hackers as they tend to use more and more
advanced methods to breach various security firewalls.
These methods include AI fuzzing (AIF) and machine learning poisoning
(MLP), enabling hackers to automate cyber-attacks. Besides, cyber-criminals can
exploit many cloud vulnerabilities, damaging an organization’s workflow,
business, image, and credibility in the industry.
Benefits of email security
 Control device access
 Identify suspicious user behavior
 Improve spam and phishing protection
 Maintain communication confidentiality
 Protection against zero-day threats
 Real-time threat protection
 Stop ransomware attacks and other threats
 MIME
MIME stands for Multipurpose Internet Mail Extensions. It is used to
extend the capabilities of Internet e-mail protocols such as SMTP. The
MIME protocol allows the users to exchange various types of digital content
such as pictures, audio, video, and various types of documents and files in
the e-mail.

Page 9 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

MIME is an e-mail extension protocol, i.e., it does not operate

independently, but it helps to extend the capabilities of e-mail in collaboration
with other protocols such as SMTP.
Since MIME was able to transfer only text written file in a limited size
English language with the help of the internet. At present, it is used by almost all
e-mail related service companies such as Gmail, Yahoo-mail, Hotmail.
MIME represents Multi-Purpose Internet Mail Extensions. It is a
development to the Internet email protocol that enables its users to exchange
several kinds of data files over the Internet, including images, audio, and video.
MIME was designed mainly for SMTP, but the content types defined by
MIME standards are important also in communication protocols outside of email,
such as Hypertext Transfer Protocol (HTTP).

Need of MIME Protocol

1. The MIME protocol supports multiple languages in e-mail, such as Hindi, French,
Japanese, Chinese, etc.
2. Simple protocols can reject mail that exceeds a certain size, but there is no word
limit in MIME.
3. Images, audio, and video cannot be sent using simple e-mail protocols such as
SMTP. These require MIME protocol.
4. Many times, emails are designed using code such as HTML and CSS, they are
mainly used by companies for marketing their product. This type of code uses
MIME to send email created from HTML and CSS.

MIME Header
MIME adds five additional fields to the header portion of the actual e-mail
to extend the properties of the simple email protocol. These fields are as follows:

Page 10 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

1. MIME Version
It defines the version of the MIME protocol. This header usually has a
parameter value 1.0, indicating that the message is formatted using MIME.
2. Content Type
It describes the type and subtype of information to be sent in the message. These
messages can be of many types such as Text, Image, Audio, Video, and they also
have many subtypes such that the subtype of the image can be png or jpeg.
Similarly, the subtype of Video can be WEBM, MP4 etc.
3. Content Type Encoding
In this field, it is told which method has been used to convert mail information
into ASCII or Binary number, such as 7-bit encoding, 8-bit encoding, etc.
4. Content Id
In this field, a unique "Content Id" number is appended to all email messages so
that they can be uniquely identified.
5. Content description
This field contains a brief description of the content within the email. This means
that information about whatever is being sent in the mail is clearly in the
"Content Description". This field also provides the information of name, creation
date, and modification date of the file.
 Web Security
Secure Socket Layer
Secure Electronic Transaction

1. Secure Socket Layer

Secure Socket Layer (SSL) provides security to the data that is
transferred between web browser and server. SSL encrypts the link between
a web server and a browser which ensures that all data passed between them
remain private and free from attack.

Page 11 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

Secure Socket Layer Protocols:

 SSL record protocol
 Handshake protocol
 Change-cipher spec protocol
 Alert protocol
1. SSL Record Protocol:
SSL Record provides two services to SSL connection.
 Confidentiality
 Message Integrity
In the SSL Record Protocol application data is divided into fragments. The
fragment is compressed and then encrypted MAC (Message Authentication
Code) generated by algorithms like SHA (Secure Hash Protocol) and MD5
(Message Digest) is appended. After that encryption of the data is done and in
last SSL header is appended to the data.
2. Handshake Protocol:
Handshake Protocol is used to establish sessions. This protocol allows the
client and server to authenticate each other by sending a series of messages to each
other. Handshake protocol uses four phases to complete its cycle.
Phase-1: In Phase-1 both Client and Server send hello-packets to each other. In
this IP session, cipher suite and protocol version are exchanged for security
purposes.
Phase-2: Server sends his certificate and Server-key-exchange. The server end
phase-2 by sending the Server-hello-end packet.
Phase-3: In this phase Client reply to the server by sending his certificate and
Client-exchange-key.
Phase-4: In Phase-4 Change-cipher suite occurred and after this Handshake
Protocol ends.
3. Change-cipher Protocol:
This protocol uses the SSL record protocol. Unless Handshake Protocol is
completed, the SSL record Output will be in a pending state. After handshake
protocol, the Pending state is converted into the current state.
Change-cipher protocol consists of a single message which is 1 byte in length
and can have only one value. This protocol’s purpose is to cause the pending
state to be copied into the current state.
4. Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each
message in this protocol contain 2 bytes.
 Secure electronic transaction
Secure Electronic Transaction or SET is a system that ensures the security
and integrity of electronic transactions done using credit cards in a scenario. SET is
not some system that enables payment but it is a security protocol applied to those
payments. It uses different encryption and hashing techniques to secure payments
Page 12 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

over the internet done through credit cards. The SET protocol was supported in
development by major organizations like Visa, Mastercard, Microsoft which
provided its Secure Transaction Technology (STT), and Netscape which provided
the technology of Secure Socket Layer (SSL).
SET protocol restricts the revealing of credit card details to merchants thus
keeping hackers and thieves at bay. The SET protocol includes Certification
Authorities for making use of standard Digital Certificates like X.509 Certificate.
Before discussing SET further, let’s see a general scenario of electronic
transactions, which includes client, payment gateway, client financial institution,
merchant, and merchant financial institution.

Requirements in SET :
 It has to provide mutual authentication i.e., customer (or cardholder)
authentication by confirming if the customer is an intended user or not, and
merchant authentication.
 It has to keep the PI (Payment Information) and OI (Order Information)
confidential by appropriate encryptions.
 It has to be resistive against message modifications i.e., no changes should be
allowed in the content being transmitted.
 SET also needs to provide interoperability and make use of the best security
mechanisms.
Participants in SET :
1. Cardholder – customer
2. Issuer – customer financial institution
3. Merchant
4. Acquirer – Merchant financial
5. Certificate authority – Authority that follows certain standards and
issues certificates(like X.509V3) to all other participants.
SET functionalities :
1. Provide Authentication
 Merchant Authentication – To prevent theft, SET allows customers
to check previous relationships between merchants and financial

Page 13 of 14
Computer Security (504) Shree Adarsh BCA College, Radhanpur M.T.CHAUDHARY

institutions. Standard X.509V3 certificates are used for this

verification.
 Customer / Cardholder Authentication – SET checks if the use of
a credit card is done by an authorized user or not using X.509V3
certificates.
2. Provide Message Confidentiality:
Confidentiality refers to preventing unintended people from reading the
message being transferred. SET implements confidentiality by using encryption
techniques. Traditionally DES is used for encryption purposes.
3. Provide Message Integrity:
SET doesn’t allow message modification with the help of signatures.
Messages are protected against unauthorized modification using RSA digital
signatures with SHA-1 and some using HMAC with SHA-1,
4. Dual Signature
The dual signature is a concept introduced with SET, which aims at
connecting two information pieces meant for two different receivers :
Order Information (OI) for merchant
Payment Information (PI) for bank
You might think sending them separately is an easy and more secure way,
but sending them in a connected form resolves any future dispute possible.

What is Cryptanalysis?
The art and science of breaking the cipher text is known as cryptanalysis.

Page 14 of 14