
MCA644 CU-MCA-SEM-II-Network Security & Cryptography

Published by kuljeet.singh, 2021-01-04 06:41:51


This completes the description of MD2.

3.3 MESSAGE DIGEST ALGORITHM - MD4, MD5 (PADDING, STAGES, DIGEST COMPUTATION)

Message digest algorithms

A message digest is a fixed-length representation of a variable-length string of data. This fixed-length value is known as a message digest because it contains a potentially much smaller, yet unique, representation of the original message or data. By comparing the message digest generated in one place with the message digest generated in another place from what is supposed to be the same data, you can tell whether the data has actually been changed while moving from one place to the other. If the two message digests are identical, the data has not changed. Thus, because of their fixed and relatively small size, message digests are very convenient for verifying the integrity of the original data from which they are generated.

Message digest algorithms rely on cryptographic hash functions to generate a unique value that is computed from the data and a unique symmetric key. A cryptographic hash function takes data of arbitrary length as input and produces a unique value of a fixed length. Because message digest algorithms generate a value that is always used in encrypted form (never decrypted), they are sometimes known as encryption-only algorithms. Adding a unique symmetric key that is shared between sender and receiver in order to compute the message digest value provides confidentiality and ensures that the message digest cannot be easily changed if the data is altered in an unauthorized or otherwise unexpected manner. Both the sender and the receiver of the data (including the sender's message digest) must share the same key for the receiver to generate an identical message digest.
If some other agent changes the data between the sender and receiver and computes their own message digest without the correct key, the new message digest, while representing the data, will not be the same as the message digest computed by the receiver using the correct symmetric key. The resulting value generated from the symmetric key (or MAC key) and the message digest is known as a Message Authentication Code (MAC) because it can be used to test for unauthorized alteration of both the data and the message digest. Common examples of hash algorithms used to generate MAC values include Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).

Values returned by a hash function are called message digests or simply hash values. The following figure illustrates a hash function.

Figure 3.1 Message digest algorithms

Java provides a class named MessageDigest which belongs to the package java.security. This class supports algorithms such as SHA-1, SHA-256 and MD5 to convert an arbitrary-length message into a message digest. To convert a given message to a message digest, follow the steps given below.

Step 1: Create a MessageDigest object

The MessageDigest class provides a method named getInstance(). This method accepts a String specifying the name of the algorithm to be used and returns a MessageDigest object implementing the specified algorithm. Create the MessageDigest object using the getInstance() method as shown below.

    MessageDigest md = MessageDigest.getInstance("SHA-256");

CU IDOL SELF LEARNING MATERIAL (SLM)

Step 2: Pass data to the created MessageDigest object

After creating the message digest object, you need to pass the message/data to it. You can do so using the update() method of the MessageDigest class; this method accepts a byte array representing the message and passes it to the MessageDigest object created above.

    md.update(msg.getBytes());

Step 3: Generate the message digest

You can generate the message digest using the digest() method of the MessageDigest class; this method computes the hash function over the data passed to the current object and returns the message digest in the form of a byte array. Generate the message digest using the digest() method.

    byte[] digest = md.digest();

MD4

Message Digest #4 was also developed by Ronald Rivest. This message digest algorithm was developed as a fast alternative to MD2. Subsequently, MD4 was shown to have a possible weakness: it may be possible to find a second file that produces the same MD4 digest as a given file without requiring a brute-force search (which would be infeasible for the same reason that it is infeasible to search a 128-bit keyspace). MD4 produces a 128-bit digest.

MD4 was designed to be fast, which meant taking a few risks regarding security. By 1992 weaknesses had been found, which led Rivest to produce a strengthened, but slower, version known as MD5. In 1998, Dobbertin found the first MD4 collisions, and he gave an algorithm for generating such collisions with a work factor approximately equal to the computation of 2^20 MD4 hashes. The MD4 hash should not be used for any cryptographic purposes.

3.3.1 The Algorithm

The MD4 algorithm is described by Rivest in RFC 1320, along with an efficient implementation (in C). MD4 operates on 32-bit words. Let M be the message to be hashed. The message M is padded so that its length (in bits) is congruent to 448 modulo 512, that is, the padded message is 64 bits less than a multiple of 512. The padding consists of a single 1 bit, followed by enough zeros to pad the message to the required length. Padding is always used, even if the length of M happens to equal 448 mod 512. As a result, there is at least one bit of padding, and at most 512 bits of padding. Then the length (in bits) of the message (before padding) is appended as a 64-bit block. The padded message is a multiple of 512 bits and, therefore, it is also a multiple of 32 bits.

Let M be the message and N the number of 32-bit words in the (padded) message. Due to the padding, N is a multiple of 16. A four-word buffer (A, B, C, D) is used to compute the message digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the following values in hexadecimal:

    word A: 01 23 45 67
    word B: 89 ab cd ef
    word C: fe dc ba 98
    word D: 76 54 32 10

We first define three auxiliary functions that each take as input three 32-bit words and produce as output one 32-bit word; they are built from logical AND, logical OR and logical XOR.

MD5

The MD5 message digest algorithm is the fifth version of the Message Digest Algorithm developed by Ron Rivest to produce a 128-bit message digest. MD5 is faster than other versions of message digest. It takes the plain text in 512-bit blocks, each of which is further divided into 16 sub-blocks of 32 bits, and produces the 128-bit message digest as a set of four blocks, each of 32 bits. MD5 produces the message digest through five steps, i.e. padding, append length, divide input into 512-bit blocks, initialize chaining variables, and process blocks in 4 rounds, using a different constant in each iteration.

3.3.2 Use of MD5 Algorithm

It was developed with the main motive of security, as it takes an input of any size and produces an output of a 128-bit hash value. To be considered cryptographically secure, MD5 should meet two requirements:

1. It is infeasible to find two different inputs that produce the same hash value.
2. Given a hash value, it is infeasible to find a message that produces it.

Initially, MD5 was developed to store a one-way hash of a password, and some file servers also provide a pre-computed MD5 checksum of a file so that the user can compare the checksum of the downloaded file against it. Most Unix-based operating systems include MD5 checksum utilities in their distribution packages.

How does the MD5 algorithm work?

As we all know, MD5 produces an output of a 128-bit hash value. This conversion of input of any size into a hash value undergoes 5 steps, and each step has its own predefined task.

Figure 3.2 Use of MD5 Algorithm

Step 1: Append Padding Bits

- Padding means adding extra bits to the original message. In MD5 the original message is padded such that its length in bits is congruent to 448 modulo 512, i.e. the total length is 64 bits less than a multiple of 512 bits.
- Padding is done even if the length of the original message is already congruent to 448 modulo 512. Among the padding bits, only the first bit is 1 and the rest of the bits are 0.

Step 2: Append Length

After padding, 64 bits are appended at the end to record the length of the original input, modulo 2^64. At this point, the resulting message has a length that is a multiple of 512 bits.

Step 3: Initialize MD buffer

A four-word buffer (A, B, C, D) is used to compute the values for the message digest. Here A, B, C, D are 32-bit registers and are initialized in the following way:

    Word A: 01 23 45 67
    Word B: 89 ab cd ef
    Word C: fe dc ba 98
    Word D: 76 54 32 10

Step 4: Process message in 16-word blocks

MD5 uses auxiliary functions which take three 32-bit words as input and produce a 32-bit output. These functions use the logical operators AND, OR, XOR and NOT:

    F(X, Y, Z) = XY v not(X)Z
    G(X, Y, Z) = XZ v Y not(Z)
    H(X, Y, Z) = X xor Y xor Z
    I(X, Y, Z) = Y xor (X v not(Z))

The content of the four buffers is mixed with the input using these auxiliary functions, and 16 rounds are performed using 16 basic operations.

Output: After all rounds have been performed, the buffers A, B, C, D contain the MD5 output, starting with the low-order word A and ending with the high-order word D.

Example:
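As an added example, not taken from the book, the following Python code carries Steps 1 to 4 through in full: it pads the message, appends the 64-bit length, initialises the A, B, C, D buffer, runs the compression function built from F, G, H and I, and checks its result against Python's hashlib. It also shows the integrity check described at the start of the section (recompute the digest and compare). The book's own input/output example follows.

```python
import hashlib
import hmac
import math
import struct

MASK32 = 0xFFFFFFFF

# Initial buffer (Step 3). Read little-endian, the bytes 01 23 45 67 give A = 0x67452301, etc.
INITIAL_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

# Per-operation rotation amounts, four per round (RFC 1321).
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# The 64 additive constants: floor(abs(sin(i + 1)) * 2^32), a different one per operation.
K = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK32 for i in range(64)]


def md5_pad(message: bytes) -> bytes:
    """Steps 1 and 2: a single 1 bit, zeros up to 448 mod 512, then the 64-bit length."""
    bit_length = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF   # original length modulo 2^64
    padded = message + b"\x80"                              # 1 bit followed by seven 0 bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)      # always at least one padding byte
    return padded + struct.pack("<Q", bit_length)          # length appended little-endian


def rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_compress(state, block: bytes):
    """Step 4: mix one 16-word block into the (A, B, C, D) buffer using F, G, H and I."""
    a0, b0, c0, d0 = state
    words = struct.unpack("<16I", block)
    a, b, c, d = a0, b0, c0, d0
    for i in range(64):
        if i < 16:                               # round 1: F(X,Y,Z) = XY v not(X)Z
            f, g = (b & c) | (~b & MASK32 & d), i
        elif i < 32:                             # round 2: G(X,Y,Z) = XZ v Y not(Z)
            f, g = (d & b) | (~d & MASK32 & c), (5 * i + 1) % 16
        elif i < 48:                             # round 3: H(X,Y,Z) = X xor Y xor Z
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                                    # round 4: I(X,Y,Z) = Y xor (X v not(Z))
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + K[i] + words[g]) & MASK32
        a, d, c, b = d, c, b, (b + rotl(f, SHIFTS[i])) & MASK32
    # Chaining: add this block's result into the running buffer.
    return ((a0 + a) & MASK32, (b0 + b) & MASK32, (c0 + c) & MASK32, (d0 + d) & MASK32)


def md5_hex(message: bytes) -> str:
    """Full digest: pad, process each 512-bit block, emit A..D low-order word first."""
    state = INITIAL_STATE
    padded = md5_pad(message)
    for offset in range(0, len(padded), 64):
        state = md5_compress(state, padded[offset:offset + 64])
    return struct.pack("<4I", *state).hex()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest of received data and compare it with the digest that was sent
    alongside it; compare_digest avoids leaking where the comparison stopped matching."""
    return hmac.compare_digest(md5_hex(data), expected_hex.lower())


if __name__ == "__main__":
    # Cross-check against the standard library on messages around the padding boundaries.
    for sample in (b"", b"abc", b"x" * 55, b"x" * 56, b"x" * 64):
        assert md5_hex(sample) == hashlib.md5(sample).hexdigest()
    print('md5("abc") =', md5_hex(b"abc"))
    print("padded length of a 56-byte message:", len(md5_pad(b"x" * 56)), "bytes")
```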

Input: This is an article about the cryptography algorithm
Output: e4d909c290dfb1ca068ffaddd22cbb0

3.3.3 Advantages and Disadvantages of MD5 Algorithm

Below are the advantages and disadvantages explained:

- MD5 algorithms are useful because it is easier to compare and store these smaller hashes than to store a large text of variable length. It is a widely used algorithm for one-way hashes that are used to verify data without necessarily revealing the original value. The MD5 algorithm is used by Unix systems to store the passwords of users in a 128-bit encrypted format. MD5 algorithms are widely used to check the integrity of files.
- Moreover, it is very easy to generate a message digest of the original message using this algorithm. It can compute the message digest of a message having any number of bits; it is not limited to messages whose length is a multiple of 8, unlike md5sum, which is limited to octets.
- But for many years MD5 has been prone to a hash collision weakness, i.e. it is possible to produce the same hash value for two different inputs. MD5 provides no security against these collision attacks. Instead of MD5, SHA (Secure Hash Algorithm, which produces a 160-bit message digest and was designed by NSA to be part of the Digital Signature Algorithm) is now accepted in the cryptographic field for generating hash values, as it is not easy to produce a SHA-1 collision and till now no collision has been produced.
- Moreover, it is quite slow compared to the optimized SHA algorithm. SHA is much more secure than the MD5 algorithm and, moreover, it can be implemented in existing technology at higher rates, unlike MD5. Nowadays new hashing algorithms are coming up in the market keeping in mind higher security of data, like SHA-256 (which generates a 256-bit signature of a text).

Secure Hash Algorithms, also known as SHA, are a family of cryptographic functions designed to keep data secured. They work by transforming the data using a hash function: an algorithm that consists of bitwise operations, modular additions, and compression functions. The hash function then produces a fixed-size string that looks nothing like the original. These algorithms are designed to be one-way functions, meaning that once data is transformed into its hash value, it is virtually impossible to transform it back into the original data. A few algorithms of interest are SHA-1, SHA-2, and SHA-3, each of which was successively designed with increasingly stronger security in response to attacks. SHA-0, for instance, is now obsolete due to widely exposed vulnerabilities.

A common application of SHA is hashing passwords, as the server side only needs to keep track of a specific user's hash value rather than the actual password. This is helpful in case an attacker breaks into the database, as they will only find the hash values and not the actual passwords; if they were to input a hash value as the password, the hash function would convert it into another string and access would be denied. Additionally, SHAs exhibit the avalanche effect, where modifying very few characters of the input causes a big change in the output; conversely, drastically different strings can produce similar-looking hash values. This effect means hash values give no information about the input string, such as its original length. In addition, SHAs are also used to detect tampering with data by attackers: if a text file is slightly changed, barely noticeably, the modified file's hash value will differ from the original file's hash value, and the tampering becomes rather noticeable.
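To make the avalanche effect measurable rather than just asserted, here is an added Python example (not from the book) that flips one input bit and counts how many SHA-256 digest bits change, and, over many random messages, how often each individual output bit flips. The sample message is constructed; the algorithm name is any one hashlib accepts.

```python
import hashlib
import secrets


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit toggled (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def avalanche_fraction(message: bytes, bit_index: int, algorithm: str = "sha256") -> float:
    """Fraction of digest bits that change when a single input bit is flipped.
    For a good hash this sits near 0.5 whatever the message or the bit chosen."""
    h1 = hashlib.new(algorithm, message).digest()
    h2 = hashlib.new(algorithm, flip_bit(message, bit_index)).digest()
    return hamming_distance(h1, h2) / (len(h1) * 8)


def per_bit_flip_rates(trials: int, algorithm: str = "sha256", length: int = 32) -> list:
    """For random messages and one random single-bit change each, measure how often every
    output bit flips. Each entry should be close to 0.5: no output bit is 'stuck' to the input."""
    digest_bits = hashlib.new(algorithm).digest_size * 8
    counts = [0] * digest_bits
    for _ in range(trials):
        msg = secrets.token_bytes(length)
        h1 = int.from_bytes(hashlib.new(algorithm, msg).digest(), "big")
        changed = flip_bit(msg, secrets.randbelow(length * 8))
        h2 = int.from_bytes(hashlib.new(algorithm, changed).digest(), "big")
        diff = h1 ^ h2
        for bit in range(digest_bits):
            if diff >> bit & 1:
                counts[bit] += 1
    return [c / trials for c in counts]


if __name__ == "__main__":
    # Constructed sample: a tampered file differs from the original in a single character.
    original = b"Pay 100 to account 42"
    tampered = b"Pay 900 to account 42"
    print("one-character change flips",
          hamming_distance(hashlib.sha256(original).digest(), hashlib.sha256(tampered).digest()),
          "of 256 digest bits")
    print("single-bit flip changes %.2f of the digest" % avalanche_fraction(original, 5))
    rates = per_bit_flip_rates(200)
    print("per-bit flip rate range: %.2f .. %.2f" % (min(rates), max(rates)))
```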

Figure 3.3 Secure Hash Algorithms

3.4 SUMMARY

Cryptography is one of the most useful fields in the wireless communication area and personal communication systems, where information security has become a more and more important area of interest. Cryptographic algorithms take care of specific information security requirements such as data integrity, confidentiality and data origin authentication (Iyer & Mandal, 2013). A hash function takes a variable-sized input message and produces a fixed-sized output. The output is usually referred to as the hash code, the hash value or the message digest (Kak, 2014); hash functions play a significant role in today's cryptographic applications. SHA (Secure Hash Algorithm) is a famous message compression standard used in computer cryptography; it can compress a long message into a short message abstract (Iyer & Mandal, 2013). In this paper, SHA-1 is implemented using LabVIEW.

Message digest functions distill the information contained in a file, small or large, into a single large number, typically between 128 and 256 bits in length. The best message digest functions combine these mathematical properties:

- Every bit of the digest function's output is potentially influenced by every bit of the function's input.
- If any given bit of the function's input is changed, every output bit has a 50 percent chance of changing.
- Given an input file and its corresponding message digest, it should be computationally infeasible to find another file with the same message digest value.

Message digests are also called one-way hash functions because they produce values that are difficult to invert, resistant to attack, effectively unique, and widely distributed. Here is a sampling of the more popular functions:

MD2, MD4, MD5: These were all developed by Ronald Rivest. All produce message digests and have been shown to have flaws. MD5 is used in SSL and in Microsoft's Authenticode technology. It produces a 128-bit digest.

SHA, SHA-1, SHA-256, SHA-384, SHA-512: The Secure Hash Algorithm is related to MD4 and designed for use with NIST's DSS. SHA-1 is a revised SHA and incorporates minor changes. It is not publicly known if these changes make SHA-1 more secure than SHA, although many people believe that they do. SHA-1 produces a 160-bit digest. SHA-256, SHA-384 and SHA-512 are hash functions designed to be used with 128-, 192- and 256-bit encryption algorithms, respectively. These digests were proposed by NIST for use with AES.

3.5 KEY WORDS/ABBREVIATIONS

- Message Digest: A message digest is a cryptographic hash function output containing a string of digits created by a one-way hashing formula.
- Identity confirmation method: For risk-based authentication, an authentication method that can be used to confirm a user's identity.
- Identity source: A data store containing user and user group data. The data store can be the internal database or an external directory server, such as Microsoft Active Directory.
- Instance: An installation of RSA Authentication Manager that can be set up as a primary instance or a replica instance. An instance also includes a RADIUS server.

- Distribution file password: A password used to protect the distribution file when the distribution file is sent by email to the user.
- Distributor: A Token Distributor or an administrator with distributor permissions.

3.6 LEARNING ACTIVITY

1. Draw a comparative chart to study various types of Secure Hash Algorithm.
2. Implement MD2 and MD5 to differentiate and study their process and results.

3.7 UNIT END QUESTIONS (MCQ AND DESCRIPTIVE)

A. Descriptive Questions

1. Discuss how the MD5 algorithm works.
2. What is a Message Digest?
3. Define various properties of hashing.
4. Define how a Message Digest helps in cryptography.
5. Discuss various types of Message Digest algorithm.

B. Multiple Choice Questions

1. MAC stands for _______________
a. Message authentication code
b. Message arbitrary connection
c. Message authentication control
d. Message authentication cipher

2. Encryption and decryption provide secrecy, or confidentiality, but not _________
a. Authentication
b. Integrity
c. Privacy
d. All of the above

3. SHA-1 has a message digest of ________________
a. 160 bits
b. 512 bits
c. 628 bits
d. 820 bits

4. Which of the following are used to create a message digest by the network security protocols?
a. RSA
b. DSA
c. DES
d. MD5

5. What is the output of the N 1024-bit blocks from the Nth stage in this?
a. 512 bits
b. 1024 bits
c. N x 1024 bits
d. N x 512 bits

Answers: 1. a   2. b   3. a   4. d   5. a

3.8 REFERENCES

UNIT 4: AUTHENTICATION

Structure
4.0 Learning Objectives
4.1 Introduction
4.2 Security Handshake Pitfalls
4.3 Online vs. Offline Password Guessing
4.4 Key Distribution Centers and Certificate Authorities
4.4.1 The Key Distribution Centre
4.4.2 Kerberos
4.4.3 Public Key Certification
4.4.4 One-Time Session Keys
4.5 Summary
4.6 Key Words/Abbreviations
4.7 Learning Activity
4.8 Unit End Questions (MCQ and Descriptive)
4.9 References

4.0 LEARNING OBJECTIVES

At the end of the unit the learner will be able to understand and have knowledge of the following aspects of Authentication:

- Explain various aspects of Authentication
- Knowledge of Security Handshake pitfalls
- Introduction to online versus offline password guessing techniques
- Discuss Key Distribution Centres and Certificate Authorities

4.1 INTRODUCTION

Authentication is the process of verifying the identity of a user or of information. User authentication is the process of verifying the identity of a user when that user logs into a computer system. The main objective of authentication is to allow authorized users to access the computer and to deny access to unauthorized users. Operating systems generally identify/authenticate users in the following three ways: passwords, physical identification, and biometrics. These are explained below.

1. Passwords: Password verification is the most popular and commonly used authentication technique. A password is a secret text that is supposed to be known only to one user. In a password-based system, each user is assigned a valid username and password by the system administrator. The system stores all usernames and passwords. When a user logs in, the username and password are verified by comparing them with the stored login name and password. If the contents are the same, the user is allowed to access the system; otherwise the login is rejected.

2. Physical Identification: This technique includes machine-readable badges (symbols), cards or smart cards. In some companies, badges are required for employees to gain access through the organization's gate. In many systems, identification is combined with the use of a password, i.e. the user must insert the card and then supply his/her password. This kind of authentication is commonly used with ATMs. A smart card can enhance this scheme by keeping the user's password within the card itself. This allows authentication without storage of the password in the computer system. The loss of such a card can be dangerous.

3. Biometrics: This method of authentication is based on the unique biological characteristics of each user, such as fingerprints, voice or face recognition, signatures and eyes. Biometric devices often consist of:

- A scanner or other device to gather the necessary data about the user.
- Software to convert the data into a form that can be compared and stored.
- A database that stores information for all authorized users.

A number of different types of physical characteristics are:

- Facial characteristics: Humans are differentiated on the basis of facial characteristics such as eyes, nose, lips, eyebrows and chin shape.
- Fingerprints: Fingerprints are believed to be unique across the entire human population.
- Hand geometry: Hand geometry systems identify features of the hand that include the shape, length and width of the fingers.
- Retinal pattern: It is concerned with the detailed structure of the eye.
- Signature: Every individual has a unique style of handwriting, and this feature is reflected in the signatures of a person.
- Voice: This method records the frequency pattern of the voice of an individual speaker.

One-time passwords: One-time passwords provide additional security along with normal authentication. In a One-Time Password system, a unique password is required every time the user tries to log into the system. Once a one-time password is used, it cannot be used again. One-time passwords are implemented in various ways. Some commercial applications send one-time passwords to the user's registered mobile/email, which must be entered prior to login.

4.2 SECURITY HANDSHAKE PITFALLS

1. A bad idea

- Alice sends name and password in clear (across network) to Bob
- Bob verifies name and password and communication proceeds

2. Better idea using shared secret

Figure 4.1 Better idea using shared secret

Implications
- Authentication is not mutual
- How to encrypt subsequent conversation?
- If key derived from a password, offline password guessing is possible
- Bob knows KAlice-Bob, so if Bob's database is compromised, attacker can impersonate Alice

Figure 4.2

Implications
- Requires reversible cryptography (hash will not work)
- If R is known and key derived from password, dictionary attack is possible by simply claiming to be Alice
- If R has a limited lifetime, Alice can authenticate Bob (mutual authentication)

Figure 4.3

Implications
- Easy to modify "bad idea" to this form, since no additional messages
- More efficient
- Bob does not need to maintain state
- Eavesdropper can impersonate Alice (within acceptable clock skew); might also be possible to impersonate Alice to another server

- If Bob sets his clock back, intercepted authentication messages can be replayed
- Setting time (and agreeing on time) is a security issue

Figure 4.4

Implications
- Same as above, but using a hash
- Why transmit timestamp in the clear?

3. Better idea using public key crypto

(Notation: [R]Alice means sign with Alice's private key and {R}Alice means encrypt with Alice's public key.)

Figure 4.5

Implications

- Compromise of Bob's database will not allow attacker to impersonate Alice
- Attacker may be able to trick Alice into signing anything

Figure 4.6

Implications
- Compromise of Bob's database will not allow attacker to impersonate Alice
- Attacker may be able to trick Alice into decrypting anything

Mutual authentication

1. Reflection attack

Figure 4.7

Implications
- Authenticated exchange in each direction
- Inefficient?

Figure 4.8

Implications
- More efficient
- Easy to get chosen plaintext
- Subject to a reflection attack

Figure 4.9

Figure 4.10

Attack
- Trudy opens 1st session to Bob
- Trudy opens 2nd session to Bob in order to get information needed to complete 1st session

Solution?
- Alice and Bob should not do exactly the same thing
- Have Bob encrypt with KAlice-Bob and Alice encrypt with KAlice-Bob+1, or
- Initiator sends odd R, responder sends even R, etc.
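The reflection attack and the odd/even fix above, as an added Python simulation that is not part of the original material. Because the figures are not reproduced here, the three-message flow is assumed (Alice sends R2; Bob answers with R1 and f(K, R2); Alice answers with f(K, R1)), f is an HMAC (the "using a hash" variant from this section), and the shared key is a constructed test value.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, challenge: int) -> bytes:
    """f(K, R): keyed hash of the 64-bit challenge."""
    return hmac.new(key, challenge.to_bytes(8, "big"), hashlib.sha256).digest()


class Bob:
    """Responder in the assumed 3-message handshake:
        1. Alice -> Bob: "I'm Alice", R2
        2. Bob   -> Alice: R1, f(K, R2)
        3. Alice -> Bob: f(K, R1)
    With odd_even_rule=True Bob enforces the fix from the text: initiator challenges
    must be odd and Bob's own challenges are always even, so the two sides never
    compute f over the same kind of value."""

    def __init__(self, key: bytes, odd_even_rule: bool = False):
        self.key = key
        self.odd_even_rule = odd_even_rule
        self.pending = {}          # session id -> R1 still awaiting the initiator's answer
        self.next_session = 1

    def message2(self, r2: int):
        """Handle message 1 and produce message 2; returns (session id, R1, f(K, R2))."""
        if self.odd_even_rule and r2 % 2 == 0:
            raise ValueError("initiator challenge must be odd")
        r1 = secrets.randbits(64)
        if self.odd_even_rule:
            r1 &= ~1               # responder challenges are even, so Bob never answers one
        sid = self.next_session
        self.next_session += 1
        self.pending[sid] = r1
        return sid, r1, prf(self.key, r2)

    def message3(self, sid: int, response: bytes) -> bool:
        """Check message 3; True means Bob accepts the initiator as Alice."""
        r1 = self.pending.pop(sid)
        return hmac.compare_digest(response, prf(self.key, r1))


def honest_alice(bob: Bob, key: bytes) -> bool:
    """Alice knows K. She picks an odd R2 (valid under both rules), verifies Bob's proof
    for R2, then answers Bob's challenge R1. Returns whether Bob accepted her."""
    r2 = secrets.randbits(64) | 1
    sid, r1, proof_from_bob = bob.message2(r2)
    if not hmac.compare_digest(proof_from_bob, prf(key, r2)):
        return False                          # Bob failed to prove knowledge of K
    return bob.message3(sid, prf(key, r1))


def reflection_attempt(bob: Bob) -> bool:
    """Trudy has no key. In a second session she sends Bob his own challenge R1 from the
    first session, so that Bob computes f(K, R1) for her. Returns whether Bob wrongly
    accepts her in the first session; a hardened Bob rejects the even challenge."""
    sid1, r1, _ = bob.message2(secrets.randbits(64) | 1)
    try:
        _, _, reflected = bob.message2(r1)    # second session, challenge = Bob's own R1
    except ValueError:
        return False
    return bob.message3(sid1, reflected)


if __name__ == "__main__":
    k = secrets.token_bytes(32)               # constructed shared secret KAlice-Bob
    print("honest Alice vs plain Bob    :", honest_alice(Bob(k), k))
    print("reflection vs plain Bob      :", reflection_attempt(Bob(k)))
    print("honest Alice vs hardened Bob :", honest_alice(Bob(k, odd_even_rule=True), k))
    print("reflection vs hardened Bob   :", reflection_attempt(Bob(k, odd_even_rule=True)))
```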

2. Password guessing (chosen plaintext)

Figure 4.11

Implications
- One "extra" message and Alice cannot obtain chosen plaintext

3. Public keys

Figure 4.12

Implications
- How to obtain public keys?
- How can workstation obtain private key from password? (Easy with symmetric key crypto, not so easy with public key crypto.)

- Identity-based encryption is an active research area

4. Timestamps

Figure 4.13

Implications
- Only 2 messages
- Alice and Bob must encrypt different things
- Everyone must agree on the time
- Time is now security-critical

How to establish a session key?

1. Shared secret

Figure 4.14

Implications
- Why not use KAlice-Bob as session key?
- Why not use KAlice-Bob+1 as session key?
- Why not use KAlice-Bob+1 to encrypt R to obtain session key?
- Why not use KAlice-Bob to encrypt R+1 to obtain session key?

Figure 4.15

2. Two-way public key authentication

a. Alice sends {K}Bob to Bob
   Issues: Trudy can hijack the conversation
b. Alice sends [{K}Bob]Alice to Bob
   Issues: If Trudy records the conversation and later overruns Bob, she can recover K
c. Alice sends {K1}Bob to Bob and Bob sends {K2}Alice to Alice. The session key is K1 ⊕ K2
   Issues: Trudy can cause confusion, but cannot recover K

d. Alice and Bob do a Diffie-Hellman key exchange and sign the quantities: Alice sends [g^a mod p]Alice to Bob and Bob sends [g^b mod p]Bob to Alice
   Issues: Even if Trudy overruns both Alice and Bob, she cannot recover K

One-way public key authentication: similar to two-way public key authentication

Privacy and integrity: key rollover

Mediated authentication with key distribution center (KDC)

In principle

Figure 4.16

Implications
- KDC does not authenticate Alice, but only Alice can decrypt KAB sent to "Alice"
- Message from Alice to Bob could arrive before Bob gets his key

In practice

Figure 4.17

Implications
- Alice and Bob must still mutually authenticate

4.3 ONLINE VS. OFFLINE PASSWORD GUESSING

Passwords need to be strong enough to resist a guessing attack, often named a "brute-force" attack. The brute-force attack comes in two flavours: online and offline. In the online mode of the attack, the attacker must use the same login interface as the user application. In contrast, the offline mode of the attack requires the attacker to steal the password file first, but enables unconstrained guessing of passwords, free of any application- or network-related rate limitations.

Microsoft researchers found that "an enormous gap exists between the effort needed to withstand online and offline attacks, with probable safety occurring when a password can survive 10^6 (1M) and 10^14 (100T) guesses respectively." As a result, having a not-so-complicated password such as "tincan24" that is "1M strong" (i.e. expected to survive a 1M-guess attack) is as good as having a "1T strong" password "7Qr&2M". Both are strong enough to survive an online attack, but are expected to surrender under an offline attack. However, the latter password is much harder to remember.

Furthermore, by breaking down the use cases that necessitate offline guessing protection, the researchers were able to determine that "Offline guessing is a threat when the password file leaks, that fact goes undetected, and the passwords have been properly salted and hashed. In other cases, offline guessing is either unnecessary, not possible, or addressable by resetting system passwords."

Figure 4.18 Online vs. offline password guessing

Online Attacks

An attacker can create a script file (i.e., an automated program) that will be executed to try each password in a list, and when one matches, the attacker can gain access to the system. The most popular online attack is the man-in-the-middle (MITM) attack, also termed a "bucket-brigade attack" or sometimes a "Janus attack". It is a form of active eavesdropping in which the attacker establishes a connection between a victim and the server to which the victim is connected. When a victim client connects to the fraudulent server, the MITM server intercepts the call, hashes the password and passes the connection on to the victim server. This type of attack is used to obtain the passwords for e-mail accounts on public websites such as Yahoo, Hotmail and Gmail, and can also be used to get the passwords for financial websites by attackers who would like to gain access to banking websites.

Offline Attacks

Mostly, offline attacks are performed from a location other than the target (i.e., either a computer system or on the network) where these passwords reside or are used. Offline attacks usually require physical access to the computer and copying the password file from the system onto removable media. The truth is, there are hundreds of ways an attacker can get your hashed password offline, but let's look at a few.

1. Sniffing on the network. When you connect to the shared drive to try to access a file you need, you have to prove you have permission to view the file you are trying to access. This is what prevents the marketing department from reading the HR folder. The way that works over the network is that the shared drive will send you a challenge, and you will compute a new value using your hashed password and the challenge, and send that back to the server for authorization. If an attacker is able to sniff the network and get both the challenge and the response, they can take them offline and perform a password attack. There are also things an attacker can do to increase the likelihood that they can get this hash, known as NetBIOS Name Server Spoofing or Link-Local Multicast Name Resolution Spoofing. In these attacks, the attacker impersonates the file share and gets you to authenticate to them! We will cover that more in a future blog.

2. Dumping memory contents. Once an attacker gains administrative access to a single server or application, they can dump the contents of memory, including the SAM file. Remember above how I said that your computer saves a hash of your password that it checks every time you log in? Well, this is saved in the SAM file (for Windows computers), and an attacker with admin-level access can dump this file, revealing the hashes of all local accounts on the system. Similarly, if an attacker gains access to a database, they can dump the user table, which may contain password hashes.

3. NTDS file. If an attacker obtains domain administrator credentials and gains access to a domain controller, the attacker can copy the NTDS.dit file, the Active Directory database that holds the password hash of every user in the domain. This is the worst case for an organization and a pot of gold for an attacker who wants to launch offline password attacks.

4.4 KEY DISTRIBUTION CENTERS AND CERTIFICATE AUTHORITIES

We saw that a drawback of symmetric key cryptography is the need for the two communicating parties to agree on their secret key ahead of time. With public key cryptography this a priori agreement on a secret value is not needed. However, as we saw in the discussion of authentication protocols, public key encryption has its own difficulty: obtaining someone's true public key. Both problems, establishing a shared key for symmetric key cryptography and securely obtaining a public key for public key cryptography, can be solved with a trusted intermediary.

For symmetric key cryptography the trusted intermediary is a Key Distribution Centre (KDC), a single trusted network entity with which each user has established a shared secret key. We will see that a user can obtain from the KDC the session keys needed to communicate securely with every other registered network entity.

For public key cryptography the trusted intermediary is a Certification Authority (CA). A CA certifies that a public key belongs to a particular entity (a person or a network entity). If one can safely trust the CA that certified a key, then one can be sure to whom the public key belongs. Once a public key is certified, it can be distributed from just about anywhere, including a public key server, a personal Web page or a diskette.
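Before going on to key distribution, here is the online versus offline distinction from the password-guessing discussion above (Figure 4.18 and items 1 to 3) written out as a runnable Python example. This is an added example, not code from the course material or from any real authentication product: the server models a generic challenge/response login (response = HMAC-SHA256 keyed with the stored password hash), not the actual NTLM message formats, and the wordlist, account name and password are constructed for the demonstration. An online attacker has to send every guess to the server, which counts failures and locks the account; an offline attacker who sniffed one (challenge, response) pair tests guesses locally, where no lockout exists.

```python
"""Online versus offline password guessing (added example, not from the course text).

The server below models the challenge/response login described above in a
generic way: the client answers HMAC-SHA256(H(password), challenge). It is NOT
the NTLM/NTLMv2 wire format. An online attacker must send each guess to the
server and is stopped by lockout; an offline attacker who sniffed one
(challenge, response) pair tests guesses locally and never touches the server.
"""
import hashlib
import hmac
import os

# Constructed sample wordlist; the victim's password is deliberately the sixth entry.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2021", "hunter2", "Winter!2021"]


def password_hash(password: str) -> bytes:
    """Stored credential: an unsalted fast hash, as in the SAM/NTDS cases above.
    (Unsalted and fast is exactly what makes offline guessing cheap.)"""
    return hashlib.sha256(password.encode("utf-8")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side of the exchange: response = HMAC(stored hash, server challenge)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    """Minimal authentication server with a per-account failure counter."""

    def __init__(self, users: dict, max_failures: int = 5):
        self.hashes = {u: password_hash(p) for u, p in users.items()}
        self.failures = {u: 0 for u in users}
        self.max_failures = max_failures

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        if self.failures[user] >= self.max_failures:
            return False  # locked out: every further online guess fails, right or wrong
        expected = compute_response(self.hashes[user], challenge)
        ok = hmac.compare_digest(expected, response)
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok


def online_guess(server: Server, user: str, wordlist):
    """Online attack: each guess is a live login attempt that the server can count and block.
    Returns (password or None, number of attempts made)."""
    attempts = 0
    for guess in wordlist:
        c = server.challenge()
        attempts += 1
        if server.verify(user, c, compute_response(password_hash(guess), c)):
            return guess, attempts
    return None, attempts


def offline_guess(challenge: bytes, response: bytes, wordlist):
    """Offline attack on a sniffed (challenge, response) pair: no server involved, no lockout."""
    for guess in wordlist:
        if hmac.compare_digest(compute_response(password_hash(guess), challenge), response):
            return guess
    return None


def demo():
    server = Server({"alice": "hunter2"})
    # Online: the account locks after five failures, so the sixth (correct) guess is refused.
    online_result, attempts = online_guess(server, "alice", WORDLIST)
    # Offline: the attacker sniffed one legitimate login of Alice's.
    c = server.challenge()
    r = compute_response(password_hash("hunter2"), c)
    offline_result = offline_guess(c, r, WORDLIST)
    return online_result, attempts, offline_result


if __name__ == "__main__":
    print(demo())  # (None, 7, 'hunter2')
```

The same wordlist finds the password offline but not online: the lockout refuses the correct sixth guess, while nothing rate-limits the local loop. The defences against the offline case are therefore on the storage side (salted, slow password hashing) and on the capture side (preventing NBNS/LLMNR spoofing and requiring signed or encrypted authentication traffic), not on the login counter.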

4.4.1 The Key Distribution Centre

Suppose once again that Bob and Alice want to communicate using symmetric key cryptography. They have never met (perhaps they just met in an on-line chat room) and so have not established a shared secret key in advance. How can they agree on a secret key when they can only communicate with each other over the network?

A solution often adopted in practice is a trusted Key Distribution Centre (KDC). The KDC is a server that shares a different secret symmetric key with each registered user. This key might be installed manually at the server when the user first registers. The KDC knows the secret key of each user, and each user can communicate securely with the KDC using that key. Let us see how knowledge of this one key allows a user to obtain, securely, a key for communicating with any other registered user.

Suppose that Alice and Bob are users of the KDC; each knows only its own key, KA-KDC and KB-KDC respectively, for communicating securely with the KDC. Alice takes the first step, and they proceed as illustrated in Figure 4.19.

Figure 4.19 The Key Distribution Centre

- Using KA-KDC to encrypt her communication with the KDC, Alice sends the KDC a message saying that she (A) wants to communicate with Bob (B). We denote this message KA-KDC(A, B). In practice the request also carries a fresh nonce that the KDC must echo back, so that Alice can tell a genuine reply from a replayed one. As part of this exchange Alice should also authenticate the KDC, e.g. using an authentication protocol such as ap4.0 and the shared key KA-KDC.

- The KDC, knowing KA-KDC, decrypts KA-KDC(A, B) and authenticates Alice. The KDC then generates a random number R1. This is the shared key value that Alice and Bob will use for symmetric encryption when they communicate with each other. It is called a one-time session key (see 4.4.4 below) because Alice and Bob will use it only for the session they are now setting up. The KDC must now inform both Alice and Bob of R1. It sends Alice an encrypted message containing:

  - R1, the one-time session key that Alice and Bob will use to communicate;
  - a pair of values, A and R1, encrypted by the KDC under Bob's key KB-KDC. We denote this KB-KDC(A, R1).

  It is important to note that the KDC sends Alice not only R1 for her own use but also R1 together with Alice's name encrypted under Bob's key. Alice cannot decrypt this pair (she does not know Bob's key), but she does not need to: she will simply forward it to Bob, who can. All of this is placed in one message encrypted under Alice's shared key, so the message from the KDC to Alice is KA-KDC(R1, KB-KDC(A, R1)).

- Alice receives the message from the KDC, verifies the nonce, extracts R1 and saves it. Alice now knows the one-time session key R1. She also extracts KB-KDC(A, R1) and forwards it to Bob.

- Bob decrypts the received message KB-KDC(A, R1) using KB-KDC and extracts A and R1. Bob now knows the one-time session key R1 and the identity of the party with whom he shares it, A. Of course, he still takes care to authenticate Alice: anyone who captured the forwarded message could deliver it, but only a party who also knows R1 can be Alice.

4.4.2 Kerberos

Kerberos [RFC 1510, Neuman 1994] is an authentication service developed at MIT that uses symmetric key encryption and a Key Distribution Centre. (RFC 1510 has since been superseded by RFC 4120, which specifies Kerberos V5.) Although it is conceptually the same as the generic KDC, its vocabulary is slightly different, and Kerberos adds several useful variations and extensions of the basic KDC mechanism.

Kerberos was designed to authenticate users accessing network servers and was initially targeted at a single administrative domain such as a campus or company. It is therefore framed in the language of users who want to access network services (servers) through application-level programs such as Telnet (remote login) and NFS (remote file access), rather than of two people who want to authenticate themselves to each other, as in our examples above. Nonetheless, the key (pun intended) underlying techniques remain the same.

The Kerberos Authentication Server (AS) plays the role of the KDC. The AS is the repository not only of the secret keys of all users (so that each user can communicate securely with the AS) but also of information about which users have access privileges to which services on which network servers. When Alice wants to access a service on Bob (whom we now think of as a server), the protocol closely follows the exchange in Figure 4.19:

- Alice contacts the Kerberos AS, indicating that she wants to use Bob. All communication between Alice and the AS is encrypted using a secret key shared between Alice and the AS. In Kerberos, Alice first provides her name and password to her local host; her local host and the AS then derive the one-time secret session key used to encrypt communication between Alice and the AS.

- The AS authenticates Alice, checks that she has access privileges to Bob, and generates a one-time symmetric session key R1 for communication between Alice and Bob. The Authentication Server (in Kerberos parlance now acting as the Ticket Granting Server) sends Alice the value of R1 together with a ticket for Bob's service. The ticket contains Alice's name, the one-time session key R1 and an expiration time, all encrypted under Bob's secret key (known only to Bob and the AS), as in Figure 4.19. Alice's ticket is valid only until its expiration time and will be rejected by Bob if presented after that time. For Kerberos V4 the maximum lifetime of a ticket is about 21 hours. In Kerberos V5 the lifetime must expire before the end of year 9999 - a definite Y10K problem!

- Alice then sends her ticket to Bob. She also sends along an R1-encrypted timestamp that serves as a nonce. Bob decrypts the ticket using his secret key, obtains the session key, and decrypts the timestamp using the just-learned session key. To prove to Alice that he really is Bob (only Bob could have recovered R1 from the ticket), Bob sends back, encrypted under R1, the timestamp value plus one (in Kerberos V4) or simply the timestamp itself (in Kerberos V5).

The most recent version of Kerberos (V5) provides support for multiple Authentication Servers, delegation of access rights and renewable tickets. [Kaufman 95] and [RFC 1510] provide ample details.

4.4.3 Public Key Certification
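The generic KDC exchange of 4.4.1 and the ticketed Kerberos variant of 4.4.2 share one flow, so here is a single Python example that runs both: the KDC issues R1 inside a ticket that carries the client name and an expiration time, Alice forwards the ticket with an R1-encrypted timestamp, and Bob answers under R1 as Kerberos V5 does. This is an added example, not code from the course material or from the MIT Kerberos implementation, and it does not use the real Kerberos message formats; the names A and B, the key sizes, the 8-hour lifetime and the 5-minute clock skew are assumptions for the demonstration. Encryption is a toy encrypt-then-MAC construction built from hashlib and hmac so that the example runs with the standard library alone; a real system would use an AEAD such as AES-GCM.

```python
"""KDC and Kerberos-style ticket issuance (added example, not the course's code).

Follows the message flow of 4.4.1 and 4.4.2 in miniature. Encryption is a toy
encrypt-then-MAC construction from hashlib/hmac (standard library only); it is
not Kerberos' message format and a real system should use an AEAD.
"""
import base64
import hashlib
import hmac
import json
import os
import time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt(key: bytes, obj) -> str:
    """Encrypt a JSON-serialisable object under key; returns base64(nonce|ciphertext|tag)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt(key: bytes, token: str):
    """Check the tag (only a holder of key could have produced it) and return the object."""
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def opens_with(key: bytes, token: str) -> bool:
    """True if token decrypts under key (used to show an outsider cannot read a ticket)."""
    try:
        return decrypt(key, token) is not None
    except ValueError:
        return False

class KDC:
    """Holds K_X-KDC for every registered principal and hands out one-time session keys."""
    def __init__(self, user_keys: dict, ticket_lifetime: float = 8 * 3600):
        self.keys = user_keys          # assumption: keys installed at registration
        self.lifetime = ticket_lifetime

    def request(self, client: str, msg: str) -> str:
        req = decrypt(self.keys[client], msg)           # valid tag => sent by the real client
        r1 = base64.b64encode(os.urandom(32)).decode()  # R1, the one-time session key
        ticket = encrypt(self.keys[req["to"]], {        # K_B-KDC(A, R1, expiry): opaque to Alice
            "client": client, "key": r1, "expires": time.time() + self.lifetime})
        return encrypt(self.keys[client], {"nonce": req["nonce"], "key": r1, "ticket": ticket})

def alice_gets_session(kdc: KDC, k_a: bytes, peer: str = "B"):
    """Alice -> KDC: K_A-KDC(A, B, nonce); KDC -> Alice: K_A-KDC(nonce, R1, ticket)."""
    nonce = base64.b64encode(os.urandom(8)).decode()
    reply = decrypt(k_a, kdc.request("A", encrypt(k_a, {"to": peer, "nonce": nonce})))
    if reply["nonce"] != nonce:
        raise ValueError("KDC reply is not fresh (nonce mismatch)")
    r1 = base64.b64decode(reply["key"])
    authenticator = encrypt(r1, {"ts": time.time()})  # Kerberos-style R1-encrypted timestamp
    return r1, reply["ticket"], authenticator

def bob_accepts(k_b: bytes, ticket: str, authenticator: str, now: float = None, skew: float = 300):
    """Bob checks the ticket's expiry and the authenticator's freshness, then answers under R1."""
    now = time.time() if now is None else now
    t = decrypt(k_b, ticket)                  # only the KDC could have built this under K_B-KDC
    if now > t["expires"]:
        raise ValueError("ticket expired")
    r1 = base64.b64decode(t["key"])
    auth = decrypt(r1, authenticator)         # proves the sender holds R1, i.e. is the ticket's client
    if abs(now - auth["ts"]) > skew:
        raise ValueError("stale authenticator (replay?)")
    return t["client"], r1, encrypt(r1, {"ts": auth["ts"]})  # V5-style reply: the timestamp itself

def demo():
    """Returns (mutual authentication succeeded, expired ticket rejected, outsider can read ticket)."""
    k_a, k_b = os.urandom(32), os.urandom(32)
    kdc = KDC({"A": k_a, "B": k_b})
    r1, ticket, auth = alice_gets_session(kdc, k_a)
    client, r1_bob, reply = bob_accepts(k_b, ticket, auth)
    mutual = client == "A" and r1_bob == r1 and decrypt(r1, reply)["ts"] == decrypt(r1, auth)["ts"]
    try:
        bob_accepts(k_b, ticket, auth, now=time.time() + 9 * 3600)
        expired_rejected = False
    except ValueError as e:
        expired_rejected = str(e) == "ticket expired"
    return mutual, expired_rejected, opens_with(os.urandom(32), ticket)
```

Running demo() returns (True, True, False): Bob learns A and R1 from the ticket, Alice's nonce and Bob's timestamp reply give each side evidence that the other is live, a ticket presented nine hours later is refused, and a third party holding neither KA-KDC nor KB-KDC cannot open the ticket at all. Note what the expiry and the timestamp buy you: without them, a captured ticket and authenticator could be replayed to Bob indefinitely.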

One of the principal features of public key encryption is that two entities can exchange secret messages without having to exchange secret keys. For example, when Alice wants to send a secret message to Bob, she simply encrypts the message with Bob's public key and sends it to Bob; she does not need to know Bob's secret (private) key, nor does Bob need to know hers. Thus public key cryptography removes the need for a KDC infrastructure such as Kerberos.

Of course, with public key encryption the communicating entities still have to exchange public keys. A user can make its public key publicly available in many ways, e.g. by posting it on a personal Web page, placing it in a public key server, or sending it to a correspondent by e-mail. A Web commerce site can place its public key on its server so that browsers automatically download it when connecting to the site. Routers can place their public keys on public key servers, allowing other routers and network entities to retrieve them.

There is, however, a subtle yet critical problem with public key cryptography. To see it, consider an Internet commerce example. Suppose that Alice is in the pizza delivery business and accepts orders over the Internet. Bob, a pizza lover, sends Alice a plaintext message that includes his home address and the type of pizza he wants. In this message Bob also includes a digital signature (for example, a message digest of the plaintext encrypted with his private key). Alice obtains Bob's public key (from his personal Web page, a public key server or an e-mail message) and verifies the signature. In this way Alice makes sure that Bob (rather than some adolescent prankster) really placed the order.

This all sounds fine until clever Trudy comes along. As shown in Figure 4.20, Trudy decides to play a prank.
Trudy sends a message to Alice in which she claims to be Bob, gives Bob's home address and orders a pizza. She also attaches a digital signature, but she produces it by signing the message digest with her own (Trudy's) private key. Trudy then masquerades as Bob by sending Alice Trudy's public key while claiming that it belongs to Bob. Alice applies Trudy's public key (thinking it is Bob's) to the digital signature and concludes that the plaintext message was indeed created by Bob. Bob will be very surprised when the delivery person brings a pizza with everything on it to his home! Here, as in the flawed authentication scenario discussed earlier, a man-in-the-middle attack is the root cause of the difficulty.

Figure 4.20 Public Key Certification

We see from this example that for public key cryptography to be useful, entities (users, browsers, routers, etc.) need to know for sure that they have the public key of the entity with which they are communicating. For example, when Alice is communicating with Bob using public key cryptography, she needs to know for sure that the public key that is supposed to be Bob's is indeed Bob's.

Binding a public key to a particular entity is typically done by a certification authority (CA), which validates identities and issues certificates. A CA has the following roles:

- First, to verify that an entity (a person, a router, etc.) is who it says it is. There are no mandated procedures for how this verification is done; one must trust the CA to have performed a suitably rigorous identity check. For example, if Trudy could walk into the Fly-by-Night Certificate Authority, simply announce "I am Alice" and receive a certificate for the identity "Alice", then one should not put much faith in public keys certified by the Fly-by-Night Certificate Authority. On the other hand, one might (or might not!) be more willing to trust a CA that is part of a federal- or state-sponsored program. One can trust the identity associated with a public key only to the extent that one can trust the CA and its identity verification techniques. What a tangled web of trust we spin!

- Once the CA has verified the identity of the entity, it creates a certificate that binds the entity's public key to that identity. The certificate contains the public key and identifying information about the key's owner (for example a human name or an IP address), and is digitally signed by the CA. These steps are shown in Figure 4.21.

Figure 4.21

Let us now see how certificates can be used to combat pizza-ordering pranksters like Trudy, and other undesirables. When Alice receives Bob's order, she obtains Bob's certificate, which may be on his Web page, in an e-mail message or in a certificate server. Alice uses the CA's public key to verify the CA's signature on the certificate, and so to confirm that the public key in the certificate is indeed Bob's. If we assume that the CA's own public key is known to all (for example, it could be published in a trusted, public and well-known place, such as The New York Times, so that it cannot be spoofed), then Alice can be sure that she is indeed dealing with Bob. Note that the certificate only proves that the CA vouched for the binding between the key and the name; it does nothing to protect a private key that Bob has lost or had stolen.

Both the International Telecommunication Union and the IETF have developed standards for Certification Authorities. ITU X.509 [ITU 1993] specifies an authentication service as well as a specific syntax for certificates. RFC 1422 [RFC 1422] describes CA-based key management for use with secure Internet e-mail. It is compatible with X.509 but goes beyond it by establishing procedures and conventions for a key management architecture. Figure 4.22 describes some of the important fields in a certificate.

Selected fields in an X.509 and RFC 1422 public key certificate

Field name           Description
Version              Version number of the X.509 specification
Serial number        CA-issued unique identifier for the certificate
Signature            Algorithm used by the CA to "sign" this certificate
Issuer name          Identity of the CA issuing this certificate, in so-called Distinguished Name (DN) format [RFC 1779]
Validity period      Start and end of the period of validity of the certificate
Subject name         Identity of the entity whose public key is associated with this certificate, in DN format
Subject public key   The subject's public key, together with an indication of the public key algorithm (and algorithm parameters) to be used with this key

Figure 4.22

With the recent boom in electronic commerce and the consequent widespread need for secure transactions, there has been increased interest in Certification Authorities. Among the companies providing CA services are Cybertrust [Cybertrust 1990], Verisign [Verisign 1999] and Netscape [Netscape 1999]. A certificate issued by the US Postal Service, as viewed through a Netscape browser, is shown in Figure 4.23.

Figure 4.23

4.4.4 One-Time Session Keys

We have seen above that a one-time session key is generated by a KDC for use in symmetric key encryption of a single session between two parties. By using one-time session keys from the KDC, a user is freed from having to establish in advance its own shared key with each and every network entity with which it wishes to communicate. Instead, a user needs only one shared secret key, for communicating with the KDC, and receives one-time session keys from the KDC for all of its communication with other network entities.

One-time session keys are also used with public key cryptography. A public key encryption technique such as RSA is orders of magnitude more computationally expensive than a symmetric key system such as DES. Thus public key systems are often used for

authentication purposes only. Once two parties have authenticated each other, they use public-key-encrypted communication to agree on a shared one-time symmetric session key, and that session key is then used to encrypt the remainder of the communication with a more efficient symmetric technique such as DES (or, today, AES).

4.5 SUMMARY

Networks can be the weak links in the modern computing world: they are among the most vulnerable and most easily hijacked parts of the entire setup. This is why network topologies and network security protocols put so much emphasis on recognising any user who tries to make a connection. The recognition process does not necessarily identify who the user is; it verifies the validity of the credentials presented by the user to determine whether that user is cleared to use the resources. This, in essence, is authentication in network security.

Authentication happens at two levels: a user-visible (human) level and a machine level. Human-level authentication is a simple login in which you provide a net ID and a password to gain access. Machine-level authentication is more complex and involves a predetermined identity and secret that only a machine authorised to access the network can know. It can occur every time the computer or node in question tries to access the network after the user has completed the initial human authentication. The router or server must remember that the machine is authorised to access the network, and the machine trying to connect must present its identity (for example an IP address or MAC address) together with an accompanying secret key to prove its authority to access the network.

4.6 KEY WORDS/ABBREVIATIONS

- Authentication: the process of reliably determining the identity of a user or process.

- Authentication agent: a software application installed on a device, such as a domain server, web server or desktop computer, that enables authentication communication with the Authentication Manager on the network server. See agent host.

- Authentication method: the type of procedure required for obtaining authentication, such as a one-step procedure, a multiple-option procedure (user name and password) or a chained procedure.

- Authentication protocol: the convention used to transfer the credentials of a user during authentication, for example HTTP-BASIC/DIGEST, NTLM, Kerberos and SPNEGO.

- Authentication server: a component made up of services that handle authentication requests, database operations and connections to the Security Console.

- Authenticator: a device used to verify a user's identity to the Authentication Manager. This can be a hardware token (for example a key fob) or a software token.

- Authorization: the process of determining whether a user is allowed to perform an operation on a resource.

4.7 LEARNING ACTIVITY

1. Take an organization's security setup and study the pitfalls in its security handshakes.
___________________________________________________________________________
___________________________________________________________________________

2. With proper authorisation, carry out online and offline password guessing exercises on a network in an organization and report the results.
___________________________________________________________________________
___________________________________________________________________________

4.8 UNIT END QUESTIONS (MCQ AND DESCRIPTIVE)

A. Descriptive Questions

- Describe the online and offline password guessing processes.
- What are the functions of key distribution centers?
- How do certificate authorities carry out the certification process?
- Define the Kerberos Authentication Server.
- What is public key certification?

B. Multiple Choice Questions

1. Which system uses a trusted third-party interface?
a. Public-Key Certificates
b. Public announcements
c. Publicly available directories
d. Public-Key authority

2. A publicly available directory is more secure than which other system?
a. Public-Key Certificates
b. Public announcements
c. Public-Key authority
d. None of the mentioned

3. Public key encryption/decryption is not preferred because
a. it is slow
b. it is hardware/software intensive

c. it has a high computational load
d. all of the mentioned

4. Which one of the following is not a public key distribution means?
a. Public-Key Certificates
b. Hashing Certificates
c. Publicly available directories
d. Public-Key authority

5. What does PGP stand for?
a. Permuted Gap Permission
b. Permuted Great Privacy
c. Pretty Good Permission
d. None of the mentioned

Answers: 1. a, 2. b, 3. d, 4. b, 5. d


UNIT 5: CRYPTOGRAPHY

Structure
5.0 Learning Objectives
5.1 Introduction
5.2 Secret Key Cryptography
5.2.1 Algorithms and Techniques
5.2.2 Substitutions and Transpositions
5.3 Block Encryption
5.3.1 Block Cipher Principles
5.3.2 Block Cipher Modes of Operation
5.4 DES Rounds
5.4.1 Initial and Final Permutation
5.4.2 Round Function
5.4.3 Key Generation
5.4.5 DES Analysis
5.5 S-Boxes
5.6 Summary
5.7 Key Words/Abbreviations
5.8 Learning Activity
5.9 Unit End Questions (MCQ and Descriptive)
5.10 References

5.0 LEARNING OBJECTIVES

At the end of this unit the learner will be able to understand and have knowledge of the following aspects of cryptography:

- Basic concepts of cryptography
- Introduction to secret key cryptography
- Function of block encryption
- Concepts of DES rounds
- Fundamentals of S-boxes

5.1 INTRODUCTION

The primary purpose of cryptography is to make it difficult for an unauthorized third party to access and understand private communication between two parties. It is not always possible to prevent all unauthorized access to data, but private data can be made unintelligible to unauthorized parties through encryption. Encryption uses algorithms to convert the original message, or cleartext (plaintext), into an encoded message called ciphertext. The algorithms used to encrypt and decrypt data transferred over a network typically fall into two categories: secret key cryptography and public key cryptography. Both are explained in the following subsections.

Both secret key cryptography and public key cryptography depend on the use of an agreed-upon cryptographic key or pair of keys. A key is a string of bits used by the cryptographic algorithm during encryption and decryption. A cryptographic key is like the key for a lock: only with the correct key can you open the lock. Safely transmitting a key between two communicating parties is not a trivial matter. A public key certificate allows a party to transmit its public key while assuring the receiver of the public key's authenticity.

Cryptosystems use a set of procedures known as cryptographic algorithms, or ciphers, to encrypt and decrypt messages and so secure communications among computer systems, devices such as smartphones, and applications. A cipher suite uses one algorithm for encryption,

another for message authentication, and another for key exchange. This process, embedded in protocols and written in software that runs on operating systems and networked computer systems, involves public and private key generation for data encryption/decryption, digital signing and verification for message authentication, and key exchange.

5.2 SECRET KEY CRYPTOGRAPHY

With secret key cryptography, both communicating parties, Alice and Bob, use the same key to encrypt and decrypt messages. Before any encrypted data can be sent over the network, both Alice and Bob must have the key and must agree on the cryptographic algorithm they will use for encryption and decryption.

One of the major problems with secret key cryptography is the logistical issue of how to get the key from one party to the other without exposing it to an attacker. If Alice and Bob secure their data with secret key cryptography and Charlie gains access to their key, Charlie can read any secret messages he intercepts between Alice and Bob. Not only can Charlie decrypt Alice's and Bob's messages; he can also pretend to be Alice and send encrypted data to Bob, and Bob will not know that the message came from Charlie rather than Alice.

When the problem of secret key distribution is solved, secret key cryptography is a valuable tool. The algorithms provide excellent security and encrypt data relatively quickly. The majority of the sensitive data sent in an SSL session is sent using secret key cryptography.

Secret key cryptography is also called symmetric cryptography because the same key is used both to encrypt and to decrypt the data. Well-known secret key algorithms include the Data Encryption Standard (DES), triple-strength DES (3DES), Rivest Cipher 2 (RC2) and Rivest Cipher 4 (RC4). Of these, single DES (56-bit key), RC2 and RC4 are now considered too weak for new designs and are studied here for their principles rather than for use.

5.2.1 Algorithms and Techniques

In this section we examine the most common cryptographic algorithms based on the use of a secret key.

5.2.2 Substitutions and Transpositions

Some very early cryptographic algorithms manipulated the original plaintext character by character using the techniques of substitution and transposition.

- A substitution replaces each character of the input stream by a character from the alphabet of the target ciphertext. (A substitution that maps an alphabet onto a rearrangement of itself is a permutation of the alphabet.)

- A transposition moves each character of the original plaintext to another position in that same plaintext. This shuffles the characters while preserving exactly the characters of the original plaintext.

An example of a substitution is the famous Caesar cipher, which is said to have been used by Julius Caesar to communicate with his army. The Caesar cipher replaces each character of the input text by the character three positions to its right in the alphabet, wrapping round at the end. The value 3 is added to the position of the input character and the result is taken modulo 26 to yield the replacement character. If we assign the numerical equivalents 0-25 to the 26-letter alphabet A-Z, the transformation sends each plaintext character at position P to the character at position f(P) = P + 3 (mod 26); decryption applies the inverse, C - 3 (mod 26). Since the shift is the only key and there are just 25 non-trivial shifts, a Caesar cipher is broken simply by trying every shift.
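The two techniques described above, as an added Python example that is not part of the course material: caesar() is the f(P) = P + k (mod 26) substitution with Caesar's key k = 3, caesar_brute_force() tries all 26 shifts to show how small that key space is, and columnar_transpose() is a classical keyed transposition that keeps every plaintext letter but changes its position. The key word ZEBRA and the sample messages are constructed for the demonstration.

```python
"""Substitution and transposition ciphers (added example, not the course's code).

caesar() is the f(P) = P + k (mod 26) substitution from the text; the brute
force shows why 26 keys give no security; columnar_transpose() is a classical
transposition that keeps every letter but moves it. Sample strings are constructed.
"""
import string

ALPHABET = string.ascii_uppercase  # positions 0-25 for A-Z

def caesar(text: str, shift: int) -> str:
    """Shift each letter by `shift` positions modulo 26; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Inverse substitution: C - shift (mod 26)."""
    return caesar(ciphertext, -shift)

def caesar_brute_force(ciphertext: str, crib: str):
    """The key space is 26 shifts: try them all and stop at the first plaintext containing `crib`.
    Returns (shift, plaintext) or None."""
    for k in range(26):
        candidate = caesar_decrypt(ciphertext, k)
        if crib.upper() in candidate:
            return k, candidate
    return None

def _column_order(key: str):
    """Columns are read in alphabetical order of the key letters (ties broken by position)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))

def columnar_transpose(plaintext: str, key: str) -> str:
    """Write the letters in rows of len(key), then read the columns in key order."""
    text = "".join(ch for ch in plaintext.upper() if ch in ALPHABET)
    cols = len(key)
    text += "X" * ((-len(text)) % cols)          # pad the last row so the grid is rectangular
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in _column_order(key) for row in rows)

def columnar_untranspose(ciphertext: str, key: str) -> str:
    """Refill the columns in key order, then read the grid row by row."""
    cols = len(key)
    nrows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for c in _column_order(key):
        for r in range(nrows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)
```

Encrypting ATTACK AT DAWN with shift 3 gives DWWDFN DW GDZQ, and caesar_brute_force() recovers shift 3 on its fourth try. The transposition output for WE ARE DISCOVERED under ZEBRA is a different string made of exactly the same letters, which is the property that distinguishes it from a substitution: letter frequencies survive a transposition unchanged, which is one reason classical ciphers combined the two techniques, as the block ciphers later in this unit still do.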

