Materials of IT: 2013

Random Algorithm Letter & Number

The Algorithm Method is : First - Last Method

For Letter :

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

Example :
MEDAN
become
NVWZM

For Number :
26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

Example :

1 2 3 4 5 6 7 8 9 10 11 12 13

26 25 24 23 22 21 20 19 18 17 16 15 14

So, number 1 will be partner with number 26, number 2 will be partner with number 25, and then number 3 will be partner with number 24, etc...

Permutation Based Cryptography

This permutation can be used to encrypt a sequence of five characters by moving each character from its original position to the position defined by the permutation. For example, the sequence "APPLE" would be translated into the string "PLEAP":

Note that we number positions starting at zero just as in C++ arrays — that’s a hint of things to come. What about decrypting the text above? Well, each permutation has an inverse, another permutation that does the exact opposite of the original permutation. For the permutation given above, the inverse permutation is:

Introduction of Encryption with DES

On 15 May 1973, the NBS (National Bureau of Standards, now called NIST – National Institute of Standards and Technology) published a request in the Federal Register for an encryption algorithm that would meet the following criteria:

Have a high security level related to a small key used for encryption and decryption
Be easily understood
Not depend on the algorithm’s confidentiality
Be adaptable and economical
Be efficient and exportable

In late 1974, IBM proposed “Lucifer”, which, thanks to the NSA (National Security Agency), was modified on 23 November 1976 to become the DES (Data Encryption Standard). The DES was approved by the NBS in 1978. The DES was standardized by the ANSI (American National Standard Institute) under the name of ANSI X3.92, better known as DEA (Data Encryption Algorithm).

The DES Algorithm

The main parts of the algorithm are as follows:

Fractioning of the text into 64-bit (8 octet) blocks;
Initial permutation of blocks;
Breakdown of the blocks into two parts: left and right, named L and R;
Permutation and substitution steps repeated 16 times (called rounds);
Re-joining of the left and right parts then inverse initial permutation.

Generation of Keys

Given that the DES algorithm presented above is public, security is based on the complexity of encryption keys. The algorithm below shows how to obtain, from a 64-bit key (made of any 64 alphanumeric characters), 8 different 48-bit keys each used in the DES algorithm :

Convention Cryptosystem

Illustrates the convention a encryption process. The original “plaintext” is converted into apparently random nonsense, called “ciphertext”. The encryption process consists of an algorithm and a key. The key is a value independent of the plaintext. The algorithm will produce a different output depending on the specific key being used at the time.Changing the key changes the output of the algorithm, i.e., the ciphertext. Once the ciphertext is produced, it may be transmitted. Upon reception, the ciphertext can be transformed back to the original plaintext by using a decryption algorithm and the same key that was used for encryption. In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used both for encryption and decryption.

Caesar's Cipher

A substitution cipher is an extremely simple example of conventional cryptography. A substitution cipher substitutes one piece of information for another. This is most frequently done by offsetting letters of the alphabet. In Julius Caesar's cipher, the algorithm is to offset the alphabet and the key is the number of characters to offset it.

For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet.

Plaintext ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext DEFGHIJKLMNOPQRSTUVWXYZABC

where A=D (A encrypts as D) , B=E, C=F, and so on.

Using this scheme, the plaintext, "SECRET" encrypts as "VHFUHW." To allow someone else to read the ciphertext, you tell them that the key is 3.

Obviously, it had two weaknesses. The first was that the algorithm was not particularly strong. If trial and error couldn't crack the algorithm, then some simple analysis would. If English text was being encrypted, then it would be relatively simple to compare the frequency of letters in the cipher text against the frequency of letters in standard English. Statistics would soon reveal patterns that pointed out the probable plain text letter associated with each cipher text letter. Once a single association was found the entire algorithm could be cracked. No message would be secure.

Permutations as integers by The Lehmer Code

A permutation of an array is an array that contains the same elements, but possibly in a different order.
For example, given the array :

[ a , b , c ]

All of its permutations are :

[ a , b , c ]
[ a , c , b ]
[ b , a , c ]
[ b , c , a ]
[ c , a , b ]
[ c , b , a ]

Model of Conventional Cryptosystems

The following figure, which is on the next page, illustrates the conventional encryption process. The original “plaintext” is converted into apparently random nonsense, called “ciphertext”. The encryption process consists of an algorithm and a key. The key is a value independent of the plaintext. The algorithm will produce a different output depending on the specific key being used at the time. Changing the key changes the output of the algorithm, i.e., the ciphertext.

Once the ciphertext is produced, it may be transmitted. Upon reception, the ciphertext can be transformed back to the original plaintext by using a decryption algorithm and the same key that was used for encryption.

Model of Conventional Cryptosystem

The security of conventional encryption depends on several factors:

The Encryption Algorithm- It must be powerful enough that it is impractical to decrypt a message on the basis of the ciphertext alone.
Secrecy of the key- It was shown that the security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm.

Referring to image above, with the message X and the encryption key K as input, the encryption algorithm forms the ciphertext.

Y=E_k(X)

The intended receiver, in possession of the key is able to invert the transformation

X=D_k(Y)

An opponent, observing Y but not having access to K or X, may attempt to recover X or K or both X and K. It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms. If the opponent is interested in only this particular message, then the focus of the effort is to recover X by generating a plaintext estimate X^. Often, however, the opponent is interested in being able to read future messages as well, in which case an attempt is made to recover K by generating an estimate K^.

Cryptography & Cryptanalysis

Cryptography

Cryptographic systems are characterized along three independent dimensions :

The type of operations used for transforming plaintext to ciphertext.

All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (that is, that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.

The number of keys used.

If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver use different keys, the system is referred to as asymmetric, two-key, or public-key encryption.

The way in which the plaintext is processed.

A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

Cryptanalysis

The process of attempting to discover X or Y or both is known as cryptanalysis. The strategy used by the cryptanalysis depends on the nature of the encryption scheme and the information available to the cryptanalyst.

The following table summarizes the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst.

Types of Attacks on Encrypted Message

Attack Type	Knowledge Known to Cryptanalyst
Ciphertext only	Encryption algorithm Ciphertext to be decoded
Known Plaintext	Encryption algorithm Ciphertext to be decoded One or more plaintext-ciphertext pairs formed with the same secret key
Chosen Plaintext	Encryption algorithm Ciphertext to be decoded Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the same secret key
Chosen Ciphertext	Encryption algorithm Ciphertext to be decoded Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
Chosen text	Encryption algorithm Ciphertext to be decoded Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key

“X.800 & RFC 2828”, Who know??

ITU-T Recommendation X.800 (Security Architecture for OSI) and IETF RFC 2828 (Internet Security Glossary) are used as references to systematically evaluate and define security requirements. Though coming from different standardization bodies, the two standards have many points in common. X.800 is used to define general security-related architectural elements needed when protection of communication between open systems is required. X.800 establishes guidelines and constraints to improve existing recommendations and/or to develop new recommendations in the context of OSI. Similarly, RFC 2828 provides abbreviations, explanations and recommendations for information system security terminology.

Both X.800 and RFC 2828 are designed to assist security managers in defining security requirements and possible approaches to meeting those requirements. They also help hardware and software manufacturers to develop security features for their products and services that follow certain standards. X.800 and RFC 2828 both mention several aspects of security systems, namely security threat and attack, security services and mechanisms and security management. This section gives a brief introduction to these standards. We urge readers to read the original standard documents for more information.

Security Threats & Attacks

X.800

According to X.800, ‘A threat to a system security includes any of the following: destruction of information and/or other resources; corruption or modification of information; theft, removal or loss of information and/or other resources; disclosure of information and interruption of services’. Another, clearer definition comes from RFC 2828, which defines a threat as ‘A potential violation of security exists when there is a circumstance, capability, action, or event that could breach security and cause harm’. In other words, a threat is a possible danger that might exploit vulnerability.

RFC 2828

Security attacks (Request for Comments RFC 2828, Internet Security Glossary)

Threat – a potential for violation of security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, threat is a possible danger that might exploit vulnerabilityAttack – an assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Security Attacks

X.800 and RFC 2828 distinguish passive and active attacks :
Passive attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions :
a) Release of message contents – encryption is usually used to counter attack

b) Traffic analysis – if contents is closed but the opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged, he may guess the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of data. However, it is feasible to prevent the success of these attacks, usually by means of encryption.

Active attacks

They involve some modification of the data stream or the creation of a false data stream and can be subdivided into 4 categories :

a) A Masquerade takes place when one entity pretends to be a different entity

b) Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

c) Modification of messages simply means that some portion of a legitimate message is altered

d) The Denial of service prevents or inhibits the normal use or management of communication facilities

What is the OSI ??

OSI [Security Services General Description]
The following are considered to be the security services which can be provided optionally within the framework of the OSI Reference Model. The authentication services require authentication information comprising locally stored information and data that is transferred (credentials) to facilitate the authentication:

Authentication

These services provide for the authentication of a communicating peer entity and the source of data as described below.

Peer entity authentication

This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity.

Data origin authentication

This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity.

Access control

This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.

Data confidentiality

These services provide for the protection of data from unauthorized disclosure as described below

Connection confidentiality

This service provides for the confidentiality of all (N)-user-data on an (N)-connection

Connectionless confidentiality

This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU

Selective field confidentiality

This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.

Traffic flow confidentiality

This service provides for the protection of the information which might be derived from observation of traffic flows.

Data integrity

These services counter active threats and may take one of the forms described below.

Connection integrity with recovery

This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted).

Connection integrity without recovery

As for the previous one but with no recovery attempted.

Selective field connection integrity

This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.

Connectionless integrity

This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided.

Selective field connectionless integrity

This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified.

Non-repudiation

This service may take one or both of two forms.

Non-repudiation with proof of origin

The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.

Non-repudiation with proof of delivery

The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.

Introduce with "ITU-T"

The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU); it coordinates standards for telecommunications.

The standardization work of ITU dates back to 1865, with the birth of the International Telegraph Union. It became a United Nationsspecialized agency in 1947, and the International Telegraph and Telephone Consultative Committee (CCITT, from French: Comite Consultatif International Telephonique et Telegraphique) was created in 1956. It was renamed ITU-T in 1993.

ITU has been an intergovernmental public-private partnership organization since its inception and now has a membership of 191 countries (Member States) and over 700 public and private sector companies as well as international and regional telecommunication entities, known as Sector Members and Associates, which undertake most of the work of the Sector.

ITU-T has a permanent secretariat, the Telecommunication Standardization Bureau (TSB), based at the ITU HQ in Geneva, Switzerland. The elected Director of the Bureau is Malcolm Johnson of the UK. Johnson was elected by the ITU Membership to the directorship for a 4-year term in November 2006 and was reelected for a second term starting January 2011.