Network Security and Cryptography: Fundamentals of Cryptography and Security Architecture and Algorithms

Module Introduction and Administration

  • Module Purpose: The Network Security and Cryptography module provides students with the underlying theory and practical skills required to secure networks and ensure the safe transmission of data over communications channels. This includes the security of common Internet services.
  • Module Syllabus: The course content is divided into several key areas:
    • Cryptography Fundamentals.
    • Public-Key Infrastructure (PKI).
    • Web Security.
    • Email Security.
    • Data Protection.
    • Vulnerability Assessment.
    • Authentication.
    • Access Control.
    • Firewalls.
    • Virtual Private Networks (VPN).
    • Remote Access.
    • Wireless Security.
  • Module Delivery:
    • Lectures: These are designed to introduce each topic. Students are expected to be active participants by raising questions and engaging in discussions.
    • Laboratory Sessions: These follow each lecture and involve practical tutorials and exercises to apply the concepts learned.
    • Private Study: Students are required to consolidate and extend their understanding through exercises provided in the Student Guide.
  • Assessment Structure:
    • Examination: Worth 50%50\% of the total mark.
    • Assignment: Worth 50%50\% of the total mark.

Foundational Definitions of Security

  • Computer Security (NIST Definition): As defined by the National Institute of Standards and Technology (NIST) in Special Publication 80012800-12 (October 19951995), computer security is "the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)."
  • Cryptography (NIST Definition): As defined in NIST Special Publication 80059800-59 (August 20032003), cryptography is "the discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification."

The CIA Triad and Security Objectives

  • The FIPS 199 Objectives: NIST provides three primary objectives in FIPS 199199:
    • Confidentiality: This involves preserving authorized restrictions on information access and disclosure. It includes mechanisms for protecting personal privacy and proprietary data.
      • Loss of Confidentiality: This occurs when there is an unauthorized disclosure of information.
    • Integrity: This involves guarding against improper information modification or destruction. It ensures information non-repudiation and authenticity.
      • Loss of Integrity: This occurs when there is an unauthorized modification or destruction of information.
    • Availability: This ensures timely and reliable access to and use of information.
      • Loss of Availability: This occurs when access to or use of information or information systems is disrupted.
  • Extended Security Requirements: While the CIA triad is standard, critiques suggest it is incomplete. Two common additional requirements are:
    • Authenticity: The quality of being genuine, verified, and trusted. It provides confidence in the validity of a transmission, a message, or the originator of a message. It involves verifying that users are who they claim to be and that messages originate from trusted sources.
    • Accountability: The ability to trace the actions of an entity uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection/prevention, recovery, and legal action.

OSI Security Architecture (ITU-T X.800)

  • The Recommendation: The ITU-T (International Telecommunication Union Telecommunication Standardization Sector) Recommendation X.800X.800, titled "Security Architecture for OSI (Open Systems Interconnection)," provides a systematic framework for defining security requirements and identifying approaches to satisfy them.
  • Core Concepts:
    • Security Attack: Any action that compromises the security of information owned by a person or an organization.
    • Security Mechanism: A tool or process designed to detect, prevent, or recover from a security attack.
    • Security Service: A service that enhances the security of data processing systems and information transfers. These services utilize one or more security mechanisms to function.

Classification of Security Attacks

  • Passive Attacks: These involve the extraction or use of information from a system without affecting system resources.
    • Release of Message Contents: When the information within a message is read by an unauthorized party.
    • Traffic Analysis: When message content cannot be read, but traffic patterns are analyzed to gain information.
  • Active Attacks: These involve the alteration of system resources or the disruption of their operation.
    • Masquerade: One entity pretends to be a different entity.
    • Replay: The passive capture of data and its subsequent retransmission to produce an unauthorized effect.
    • Message Modification: The alteration of a message to produce an unauthorized effect.
    • Denial of Service (DoS): Preventing or hindering the legitimate use of network resources.

Categories of Security Services and Mechanisms

  • Security Services (X.800 Categories):
    • Authentication.
    • Access Control.
    • Data Confidentiality.
    • Data Integrity.
    • Non-repudiation.
  • Security Mechanisms: These are used to implement the services and include:
    • Encipherment.
    • Digital Signatures.
    • Access Control mechanisms.
    • Data Integrity mechanisms.
    • Authentication Exchange.
    • Traffic Padding.
    • Routing Control.
    • Notarization.

Mathematical Foundations: Number Theory

  • Divisors: For integers aa and bb (where b0b \neq 0), bb is a divisor of aa if there exists an integer mm such that a=mba = mb.
  • Prime Numbers: An integer pp is a prime number if its only divisors are 11, 1-1, pp, and p-p.
  • Greatest Common Divisor (gcd):
    • gcd(a,b)\gcd(a, b) is the largest number that divides both aa and bb.
    • Example: gcd(12,15)=3\gcd(12, 15) = 3.
    • Example: gcd(49,14)=7\gcd(49, 14) = 7.
  • Relatively Prime Numbers: Parameters aa and bb are relatively prime if gcd(a,b)=1\gcd(a, b) = 1.
    • Example: gcd(9,14)=1\gcd(9, 14) = 1.
  • Modular Arithmetic:
    • If aa is an integer and nn is a positive integer, a(modn)a \pmod n is defined as the remainder when aa is divided by nn.
    • Example: 10(mod3)=110 \pmod 3 = 1.
    • Congruence: If (a(modn))=(b(modn))(a \pmod n) = (b \pmod n), then aa and bb are congruent modulo nn. This occurs if nn is a divisor of aba - b.

Symmetric Encryption Principles

  • Overview: Symmetric encryption (or symmetric key encryption) uses a single secret key shared by both the sender and the recipient for both encryption and decryption.
  • Elements of Symmetric Encryption:
    1. Plaintext: The original input data (XX).
    2. Encryption Algorithm: The process applied to the plaintext (e.g., AES).
    3. Secret Key: A piece of information (KK) or sequence of bits known only to sender/receiver.
    4. Ciphertext: The encrypted text output (Y=E(K,X)Y = E(K, X)).
    5. Decryption Algorithm: The inverse of the encryption algorithm (X=D(K,Y)X = D(K, Y)).
  • Security Priorities: Security depends entirely on the secrecy of the key, not the secrecy of the algorithm. This is because creating new secret algorithms is difficult, while producing keys is relatively simple.
  • Requirements for Success:
    • Strong Algorithm: The attacker should be unable to decrypt ciphertext even if they possess matching pairs of plaintext and ciphertext.
    • Key Secrecy: The private key must be obtained and maintained securely by both parties.
  • Cryptosystem Classification:
    • Operations Used: Substitution (mapping elements to other elements) and Transposition (re-arranging elements of the plaintext).
    • Processing Style:
      • Block Cipher: Transforms a block of elements into an output block in one go.
      • Stream Cipher: Processes input elements continuously, one at a time.

Modern Block Cipher Algorithms

  • The Feistel Cipher: A design framework used by most modern block ciphers. The input is split into Left (LL) and Right (RR) blocks. A function (ff) is applied to the RR block and key, XORed into the LL block, and then the blocks are swapped for the next cycle.
  • Data Encryption Standard (DES):
    • Approved in 19771977 by the U.S. government.
    • Uses a 56-bit56\text{-bit} key (often stored as 64-bit64\text{-bit} with parity).
    • Encrypts 64-bit64\text{-bit} blocks.
    • Now considered insecure; a cracker broke it in 3 days3\text{ days} in 19981998.
  • Advanced Encryption Standard (AES):
    • Official U.S. standard since 20022002; replaced DES.
    • Fast block cipher with independent key and block lengths of 128128, 192192, or 256 bits256\text{ bits}.
    • Open and public algorithm with no royalties.
    • Design and Steps: Based on finite field theory. Blocks are represented as a 4×44 \times 4 array of bytes. Each round includes:
      1. SubBytes: Non-linear substitution via a lookup table.
      2. ShiftRows: Transposition where rows are cyclically shifted.
      3. MixColumns: Mixing operation combining four bytes in each column.
      4. AddRoundKey: Combining state bytes with the round key using bitwise XOR.

Asymmetric (Public-Key) Cryptography

  • Concept: Uses two different keys mathematically related such that finding the private key from the public key is prohibitively expensive.
    • Public Key: Publicly distributed, used to encrypt messages.
    • Private Key: Kept secret by the recipient, used to decrypt messages.
  • The Mailbox Analogy: The public key is like a street address and a mail slot. Anyone can find the address and drop mail through the slot, but only the person with the physical key can open the box to read the mail.
  • Applications:
    1. Encryption/Decryption: Ensuring confidentiality.
    2. Digital Signatures: Ensuring authenticity.
    3. Key Exchange: Co-operating to establish a session key.
  • The RSA Algorithm:
    • Named after Rivest, Shamir, and Adleman.
    • Key Generation:
      1. Choose two large distinct primes pp and qq.
      2. Compute n=pqn = pq.
      3. Compute ϕ(n)=(p1)(q1)\phi(n) = (p - 1)(q - 1).
      4. Select integer ee such that 1<e<ϕ(n)1 < e < \phi(n) and gcd(e,ϕ(n))=1\gcd(e, \phi(n)) = 1.
      5. Solve for dd such that (d×e)(modϕ(n))=1(d \times e) \pmod{\phi(n)} = 1.
    • Encryption: c=me(modn)c = m^{e} \pmod n.
    • Decryption: m=cd(modn)m = c^{d} \pmod n.
    • Security: Relies on the complexity of factoring large numbers.

Hash Functions and Data Integrity

  • Overview: A mathematical function that converts variable-sized data into a small, fixed-length fixed datum. It acts like sealing wax on an envelope; tampering becomes apparent if the seal is broken.
  • Required Properties for Message Authentication:
    • Applicable to any size data block.
    • Produces fixed-length output.
    • H(x)H(x) is easy to compute.
    • One-Way property: Infeasible to find xx given hh (H(x)=hH(x) = h).
    • Collision Resistance: Infeasible to find two different inputs that produce the same output.
  • Secure Hash Algorithm (SHA-1):
    • Accepts input <264 bits< 2^{64}\text{ bits}.
    • Produces a 160-bit160\text{-bit} message digest.
    • Processed in 512-bit512\text{-bit} blocks.
    • High sensitivity: A small change in input (e.g., "dog" to "cog") produces a completely different hash output.

Cryptanalysis and Brute Force

  • Objective: Attackers aim to recover the key rather than just the plaintext.
  • Computational Security: A scheme is secure if the cost of breaking it exceeds the information's value OR the time to break it exceeds the information's lifetime.
  • Brute Force Statistics:
    • Key size of 32 bits32\text{ bits}: Requires 2322^{32} keys (35.8 minutes35.8\text{ minutes} at 1\text{ decryption/\mu s}; 2.15 ms2.15\text{ ms} at 1\text{ million decryptions/\mu s}).
    • Key size of 56 bits56\text{ bits} (DES): Requires 2562^{56} keys (1142 years1142\text{ years} at 1\text{ decryption/\mu s}; 10.01 hours10.01\text{ hours} at 1\text{ million decryptions/\mu s}).
    • Key size of 128 bits128\text{ bits} (AES): Requires 21282^{128} keys (3.4×1038 years3.4 \times 10^{38}\text{ years} at 1\text{ decryption/\mu s}).

Questions & Discussion

  • This section concludes the logic for Topic 1: Cryptography Fundamentals. The lecture encourages active student interaction regarding module delivery, security architecture, and algorithm selection.