
Chapter 1 Introduction to Cryptography

CONTENTS
1. Introduction to Security
2. Security Attacks
3. Security Services
4. Security Mechanisms
5. Conventional Encryption Model
6. Substitution Ciphers
7. Transposition Ciphers
8. Cryptanalysis
9. Steganography
10. Review Questions
11. UPTU Questions


Introduction to Security

The need for security in communication networks is not new. In the late nineteenth century an American undertaker named Almon Strowger discovered that he was losing business to his rivals because telephone operators, responsible for the manual connection of call requests, were unfairly diverting calls from the newly bereaved to his competitors. Strowger developed switching systems that led to the introduction of the first automated telephone exchanges in 1897. This enabled users to make their own connections using rotary dialing to signal the required destination.

In more recent years, security needs have intensified. Data communications and e-commerce are reshaping business practices and introducing new threats to corporate activity. National defense is also vulnerable, as national infrastructure systems, for example transport and energy distribution, could be the target of terrorists or, in times of war, enemy nation states.

On a less dramatic note, reasons why organizations need to devise effective network security strategies include the following:
- Security breaches can be very expensive in terms of business disruption and the financial losses that may result.
- Increasing volumes of sensitive information are transferred across the internet or intranets connected to it.
- Networks that make use of internet links are becoming more popular because they are cheaper than dedicated leased lines. This, however, involves different users sharing internet links to transport their data.
- Directors of business organizations are increasingly required to provide effective information security.

For an organization to achieve the level of security that is appropriate, and at a cost that is acceptable, it must carry out a detailed risk assessment to determine the nature and extent of existing and potential threats. Countermeasures to the perceived threats must balance the degree of security to be achieved with their acceptability to system users and the value of the data and systems to be protected.

Standards and legislation

ISO/IEC 17799 (2000), Information Technology: Code of Practice for Information Security Management, sets out the management responsibility for developing an appropriate security policy and for the regular auditing of systems.
BS 7799-2 (2002), Information Security Management Systems: Specification with Guidance for Use, gives a standard specification for building, operating, maintaining and improving an information security management system, and offers certification of organizations that conform. Directors of UK businesses should report their security strategy in annual reports to shareholders and the stock market; lack of a strategy, or one that is ineffective, is likely to reduce the business's share value. Organizations in the UK must conform to the Data Protection Act of 1998. This requires that information about people, whether it is stored in computer memory or in paper systems, is accurate, protected from misuse and also open to legitimate inspection.

Vulnerabilities in the OSI Model

How does the security framework work? The security architecture is mapped to the customer's enterprise architecture using the Open Systems Interconnection (OSI) networking model. The security framework has security solutions for all pieces of the enterprise infrastructure that supports the goals of the organization. The security framework operates and protects that infrastructure at each of the operational levels of the OSI model. As transactions take place from end to end of the enterprise architecture, they use technologies that operate at all levels of the OSI model as well. Since security extends into procedures and policies and supports business-driven goals, the security framework adds two additional layers to the model, the financial and political layers. These layers began as a tongue-in-cheek joke at the National Security Agency in the mid-nineties. However, the security of information systems really does have to match the budget and business objectives of an organization, and these layers have achieved legitimacy in their own right.

Security features at various layers of the OSI model

1. Physical Layer: At this layer, the security framework protects the cable plant, the wiring and the telecommunications infrastructure. The physical layer is protected by redundant power and WAN connections. It also means protecting the physical hardware in network closets, server farms and systems in raised-floor spaces. Protecting the physical layer entails locks, alarms on entrances, climate controls and controlled access to data centers.
2. Data Link and Network Layers: At the data link and network layers, the security framework protects systems with a number of technologies. VPNs protect information by encrypting it and sending it through encrypted tunnels across networks or the internet. Network intrusion detection systems watch the traffic flowing over the wires, looking for bit-stream patterns that could indicate attacks or malicious intent. Host intrusion detection systems monitor the bit streams entering the host machine at the network interface card (NIC) level, also looking for suspicious patterns. Virus scanning at this level looks for patterns that match the signatures of known malicious code.
3. Network and Transport Layers: Here, the security framework uses firewalls to do stateful inspection of packets entering and leaving the network. Routers, using access control lists, filter IP packets, preventing traffic from reaching systems that have no need for it.
4. Session, Presentation and Application Layers: In these layers, the security framework uses a number of techniques and tools to protect the system. Some of these are policies for system management, such as hardening the OS, keeping patch levels and OS revisions up to date, running only the services needed to support the business process and turning off all other processes, running processes with limited system privileges, and so on.
5. Presentation and Application Layers: The security framework uses user account management to control access to the network, systems and applications. Virus scanning applications scan the hard drive and system memory for malicious code; their scan engines and virus signatures must be kept up to date. Host intrusion detection systems are also among the options available.
The vulnerabilities of the various networking layers can be classified into various security attacks, and to counter those attacks and improve the security of the network many security services and mechanisms have been designed.

Security Attacks

Any action that compromises the security of information owned by an organization is known as an attack. A security attack is an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system. Security attacks are of two types:
1. Passive attacks
2. Active attacks

Passive Attacks

A passive attack on a communications system is one in which the attacker only eavesdrops: he may read messages he is not supposed to see and monitor the network traffic, but he does not alter messages. The term passive indicates that the attacker does not attempt to modify the data. A passive attack attempts to learn or make use of information from the system but does not affect system resources. The attacker aims to obtain information that is in transit. The two most common types of passive attack are:

1. Release of message contents: The attacker gains knowledge of the confidential message being transferred from sender to receiver. For example, e-mails, messages or a telephone conversation are tapped by the attacker, so that the secret contents going from sender to receiver are leaked to the attacker in between. Fig 1.1 represents how the release of message contents works.

Figure 1.1

2. Traffic analysis: Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication, as represented in Fig 1.2. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in security. Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring the frequency and timing of network packets. A timing attack on the SSH protocol can use timing information to deduce information about passwords since, during an interactive session, SSH transmits each keystroke as a separate message. The time between keystroke messages can be studied using hidden Markov models.

Figure 1.2

Two further attacks are grouped with the passive attacks, since they work only on captured ciphertext:

Brute force attack: Try all possible keys. A brute force or exhaustive search attack is an attempt to break a cipher by trying all possible keys. This is always possible in theory, but it becomes practical only if the key size is inadequate. Brute force is therefore used as a sort of benchmark in evaluating any other attack. An attack that is more expensive than brute force is of little interest to the theorist, or to the cryptanalyst trying to crack a cipher, since he already knows a cheaper attack. Any attack significantly better than brute force, however, indicates a weakness in the cipher that is certainly of interest to the theorist and may be to the cryptanalyst. For an ideal cipher, there is no attack better than brute force. If the key size is enough to make brute force impractical, then all attacks on such a cipher will be impractical. In practice, the requirement is often reduced to "no known attack significantly better than brute force". In the simplest brute force attack, the attacker has some known plaintext, so that he can tell which candidate key is the correct one.

Algebraic attack: Write the cipher as a system of equations and solve for the key. An algebraic attack on a cipher involves expressing the cipher operations as a system of equations (in whatever algebraic system works best for the attacker), substituting known data for some of the variables, and solving for the key. What makes this attack impractical is a combination of the sheer size of the system of equations and the nonlinearity of the relations involved. In any algebra, solving a system of linear equations is more or less straightforward provided there are more equations than variables. However, solving nonlinear systems of equations is far harder. Cipher designers therefore strive to make their ciphers highly nonlinear.

Countermeasure for traffic analysis: It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant. It is very hard to hide information about the size or timing of messages. The known solutions require the sender to send a continuous stream of messages at the maximum bandwidth the sender will ever use. This might be acceptable for military applications, but it is not for most civilian applications. The military-versus-civilian problem applies in situations where the user is charged for the volume of information sent. Even for internet access, where there is no per-packet charge, ISPs make the statistical assumption that connections from user sites will not be busy 100% of the time. The user cannot simply increase the bandwidth of the link, since masking would fill that as well. If masking, which often can be built into end-to-end encryption, becomes common practice, ISPs will have to change their traffic assumptions.

Active Attacks

An active attack is one in which an unauthorized change to the network messages is attempted. This could include, for example, the modification of transmitted or stored data, or the creation of new data streams. There are four basic active attacks, which are as follows:

1. Masquerade attack: As the name suggests, it relates to an entity (usually a computer or a person) taking on a false identity in order to acquire or modify information, and in effect achieve an unwarranted privilege status. A masquerade takes place when one entity pretends to be a different entity, as shown in Fig 1.3. A masquerade attack usually includes one of the other forms of active attack. For example, an authentication sequence can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Figure 1.3

2. Message replay: This involves the re-use of captured data at a later time than originally intended, in order to repeat some action of benefit to the attacker: for example, the capture and replay of an instruction to transfer funds from a bank account into one under the control of the attacker. This can be foiled by confirming the freshness of a message. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
3. Message modification: This involves modifying a packet header address for the purpose of directing it to an unintended destination, or modifying the user data. Modification of messages simply means that some portion of a message is modified, or that messages are delayed or reordered, to produce an unauthorized effect.
4. Denial-of-service attacks: This attack prevents the normal use or management of communication services, and may take the form of either a targeted attack on a particular service or a broad, incapacitating attack. For example, a network may be flooded with messages that cause a degradation of service, or possibly a complete collapse if a server shuts down under abnormal loading. Another example is rapid and repeated requests to a web server, which bar legitimate access to others. Denial-of-service attacks are frequently reported for internet-connected services. The attack denies services to the user: it prevents the user from using the services he or she requires, for example by blocking his or her network or flooding the network with unnecessary traffic. Denial of service is, in real terms, a waste of network resources.

Distributed denial-of-service (DDoS)

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a web site or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.

How do you avoid being part of the problem? Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack, but there are steps you can take to reduce the likelihood that an attacker will use your computer to attack other computers:
- Install and maintain anti-virus software.
- Install a firewall, and configure it to restrict traffic coming into and leaving your computer.
- Follow good security practices for distributing your email address. Applying email filters may help you manage unwanted traffic.

How do you know if an attack is happening? Not all disruptions to service are the result of a denial-of-service attack. There may be technical problems with a particular network, or system administrators may be performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:
- unusually slow network performance (opening files or accessing web sites)
- unavailability of a particular web site
- inability to access any web site
- a dramatic increase in the amount of spam you receive in your account

Security Services

Security services are the methods used to enhance the security of the network. They help in implementing security policies and make use of various security mechanisms. A security mechanism is a method used to protect your message from an unauthorized entity. There are five types of security service:

1. Authentication: Authentication ensures that the entity sending or receiving the messages is the one it claims to be. Two types of authentication are mainly used in networks:
- Peer entity authentication is used in association with a logical connection to provide confidence in the identity of the entities connected.
- Data origin authentication, in a connectionless transfer, provides assurance that the source of received data is as claimed.

2. Access Control: Access control prevents the unauthorized use of resources (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do). In other words, access control can be defined as the ability to permit or deny the use of something by someone.

3. Data Confidentiality: Data confidentiality ensures that the data can be read only by the receiver for whom it was actually meant. The various types of confidentiality are as follows:
- Connection confidentiality: The protection of all user data on a connection.
- Connectionless confidentiality: The protection of all user data in a single data block.
- Selective-field confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
- Traffic-flow confidentiality: The protection of the information that might be derived from observation of traffic flows.

4. Data Integrity: Data integrity ensures that the data received is exactly as sent by an authorized entity (i.e., contains no modification, insertion, deletion or replay).
- Connection integrity with recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion or replay of any data within an entire data sequence, with recovery attempted.
- Connection integrity without recovery: As above, but provides only detection, without recovery.
- Selective-field connection integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection, and takes the form of determining whether the selected fields have been modified, inserted, deleted or replayed.
- Connectionless integrity: Provides for the integrity of a single connectionless data block, and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
- Selective-field connectionless integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determining whether the selected fields have been modified.

5. Non-repudiation: It prevents either the sender or the receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. Similarly, when a message is received, the sender can prove that the message was in fact received by the alleged receiver.

Security Mechanisms

Security mechanisms deal with the identification of a security breach (a break in security), and after identification they also help in recovering from it. They differ from security services in that security services help to enhance the security of the information and data transferred, while security mechanisms are used to identify and recover from the various security attacks. The various security mechanisms are as follows:
- Encipherment: Encipherment is also known as encryption. It is the process of using mathematical formulas, algorithms and keys to transform a plain message into one that cannot easily be understood by just anyone.
- Digital signatures: These are similar to signatures on paper in real life, but are applied to computer documents in cryptographic form to ensure the source and integrity of data.
- Access control: Access control includes a variety of techniques used to prevent unauthorized access, or to grant only limited access, to data and network resources.
- Data integrity: It ensures that the data received on the receiver's side is the same as that sent by the original sender.
- Routing control: Routing control selects the routes that traffic takes through the network, for example to avoid congested or untrusted links, and allows routes to be changed when a breach is suspected. It thus helps against denial-of-service attacks.
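The replay and message modification attacks described under active attacks, and the data origin authentication and connection integrity with replay detection services listed above, can be seen working together in a single check. The following Python is an added example and not code from the chapter: it assumes a symmetric key already shared between sender and receiver (a constructed key is embedded inline), HMAC-SHA256 as the integrity mechanism, a 30-second acceptance window for the timestamp, and a receiver that remembers the nonces it has already accepted. The freshness fields are covered by the MAC, so an attacker can neither change them nor forge them.

```python
"""Freshness plus integrity check: an HMAC over the body and two freshness
fields (timestamp, random nonce) lets the receiver reject replayed, modified
and stale messages."""
from __future__ import annotations

import hashlib
import hmac
import json
import os

# Constructed shared key for the example; a real deployment provisions it
# out of band and never hard-codes it.
KEY = b"example-shared-key-not-for-production"
WINDOW_SECONDS = 30  # assumption: sender and receiver clocks agree to within this


def canonical(envelope: dict) -> bytes:
    """Serialize the fields covered by the MAC in a fixed, unambiguous order."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def make_message(body: dict, now: float, key: bytes = KEY) -> dict:
    """Sender side: attach a timestamp and a fresh random nonce, then MAC the
    whole envelope so neither the body nor the freshness fields can be changed."""
    envelope = {"ts": now, "nonce": os.urandom(8).hex(), "body": body}
    tag = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "mac": tag}


class Receiver:
    """Receiver side: verifies the MAC first, then the freshness fields."""

    def __init__(self, key: bytes = KEY, window: float = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen_nonces = set()  # nonces accepted so far; prune by age in practice

    def accept(self, msg: dict, now: float) -> tuple[bool, str]:
        envelope = {"ts": msg["ts"], "nonce": msg["nonce"], "body": msg["body"]}
        expected = hmac.new(self.key, canonical(envelope), hashlib.sha256).hexdigest()
        # Constant-time comparison: a forger must not learn which byte differs.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad MAC: message modified or not from the key holder"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale: timestamp outside the acceptance window"
        if msg["nonce"] in self.seen_nonces:
            return False, "replay: nonce already accepted"
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"


def demo() -> dict[str, str]:
    """Run the cases from the text (constructed messages) and return the verdicts."""
    rx = Receiver()
    t0 = 1_700_000_000.0  # constructed 'current time' in seconds
    transfer = make_message({"from": "alice", "to": "bob", "amount": 100}, t0)
    first = rx.accept(transfer, t0 + 1)
    replayed = rx.accept(transfer, t0 + 5)  # the captured envelope, sent again
    tampered = {**transfer, "body": {**transfer["body"], "to": "mallory"}}
    modified = rx.accept(tampered, t0 + 2)
    old = make_message({"from": "alice", "to": "bob", "amount": 5}, t0 - 3600)
    stale = rx.accept(old, t0)
    return {"first": first[1], "replay": replayed[1],
            "modified": modified[1], "stale": stale[1]}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The order of the checks matters: the MAC is verified before anything else is trusted, so the timestamp and nonce being compared are known to have come from the key holder. A MAC gives integrity and data origin authentication but not non-repudiation, since both parties hold the same key; that service needs a digital signature.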

Cryptography

Cryptography is the science used in the encryption and decryption of data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the internet) so that it cannot be read by anyone except the intended recipient. The term cryptography comes from the Greek kryptós, "hidden", and gráphein, "to write". In the simplest case, the sender encrypts a message using a secret key and the receiver decrypts it before reading. Someone who intercepts the message sees only apparently random symbols; without the key he cannot read it.

Cryptography is the practice and study of hiding information. In modern times, cryptography is considered to be a branch of both mathematics and computer science, and is affiliated closely with information theory, computer security and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords and electronic commerce, which all depend on cryptography.

Conventional Encryption Model

In the conventional encryption model the message is sent over the network using the following steps:
1. The sender decides on a message to be sent over the network. This message, in any language selected by the user, is known as plaintext.
2. Now the sender performs the encryption. Encryption is the process of converting the plaintext message into ciphertext using cryptographic keys. Ciphertext is the encrypted message, not understood by any unauthorized user. Encryption uses an algorithm for the message conversion and a key.
3. Finally the ciphertext message is sent over the network or channel used for communication.
4. When the message is received by the receiver, first the decryption is performed. Decryption is just the reverse of encryption: the ciphertext message is converted back to the original plaintext message.

The conventional encryption model is shown in Fig 1.4.

Figure 1.4

There are two types of cryptographic model:
1. Symmetric cryptographic model: Here, the encryption and decryption are done using the same key, named the shared key. The shared key is the unique key for a session and is disclosed only to the sender and the receiver.
2. Asymmetric cryptographic model: In this cryptography each user has a pair of keys. Encryption is done using the public key of the receiver (for confidentiality) or the private key of the sender (for authentication), and decryption is done using the private key of the receiver or the public key of the sender respectively. The public key is disclosed to all users in a network. The private key is the secret key known only to a particular user.

Substitution Ciphers

As the name suggests, substitution ciphers are those in which we change or substitute the plaintext letters with some other letters, forming the ciphertext letters. Here, only the letters of the plaintext are substituted; their positions are not changed. Some of the common substitution ciphers are as follows:

Caesar Cipher: In cryptography, the Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code or the Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B would become E, and so on. The method is named after Julius Caesar, who used it to communicate with his generals. As with all single-alphabet substitution ciphers, the Caesar cipher is easily broken and in practice offers essentially no communication security.

Example: The plaintext alphabet is given as:
Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
and the key is 3, so the cipher alphabet comes out as:
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

When encrypting, a person looks up each letter of the message in the "plain" line and writes down the corresponding letter in the "cipher" line. Deciphering is done in reverse.
Plaintext:  the quick brown fox jumps over the lazy dog
Ciphertext: WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ

The encryption can also be represented using modular arithmetic by first transforming the letters to numbers, according to the scheme A = 0, B = 1, ..., Z = 25. Encryption of a letter x by a shift n can be described mathematically as

    E_n(x) = (x + n) mod 26

Decryption is performed similarly,

    D_n(x) = (x - n) mod 26

(There are different definitions for the modulo operation. In the above, the result is in the range 0...25. I.e., if x + n or x - n are not in the range 0...25, we have to subtract or add 26.)

Breaking the cipher

Decryption shift   Candidate plaintext
0                  exxegoexsrgi
1                  dwwdfndwrqfh
2                  cvvcemcvqpeg
3                  buubdlbupodf
4                  attackatonce
5                  zsszbjzsnmbd
6                  yrryaiyrmlac
...
23                 haahjrhavujl
24                 gzzgiqgzutki
25                 fyyfhpfytshj

The Caesar cipher can be easily broken even in a ciphertext-only scenario. Two situations can be considered:
1. an attacker knows (or guesses) that some sort of simple substitution cipher has been used, but not specifically that it is a Caesar scheme;
2. an attacker knows that a Caesar cipher is in use, but does not know the shift value.

In the first case, the cipher can be broken using the same techniques as for a general simple substitution cipher, such as frequency analysis or pattern words. While solving, it is likely that an attacker will quickly notice the regularity in the solution and deduce that a Caesar cipher is the specific algorithm employed. The distribution of letters in a typical sample of English-language text has a distinctive and predictable shape. A Caesar shift "rotates" this distribution, and it is possible to determine the shift by examining the resultant frequency graph.

In the second instance, breaking the scheme is even more straightforward. Since there are only a limited number of possible shifts (26 in English), they can each be tested in turn in a brute force attack. One way to do this is to write out a snippet of the ciphertext in a table of all possible shifts, a technique sometimes known as "completing the plain component". The table above is for the ciphertext "EXXEGOEXSRGI"; the plaintext is instantly recognisable by eye at a shift of four. Another way of viewing this method is that, under each letter of the ciphertext, the entire alphabet is written out in reverse starting at that letter. This attack can be accelerated using a set of strips prepared with the alphabet written down them in reverse order. The strips are then aligned to form the ciphertext along one row, and the plaintext should appear in one of the other rows.

Another brute force approach is to match up the frequency distribution of the letters. By graphing the frequencies of letters in the ciphertext, and by knowing the expected distribution of those letters in the original language of the plaintext, a human can easily spot the value of the shift by looking at the displacement of particular features of the graph. This is known as frequency analysis. For example, in the English language the plaintext frequencies of the letters E, T (usually most frequent) and Q, Z (typically least frequent) are particularly distinctive. Computers can also do this by measuring how well the actual frequency distribution matches up with the expected distribution; for example, the chi-square statistic can be used.

For natural-language plaintext there will, in all likelihood, be only one plausible decryption, although for extremely short plaintexts multiple candidates are possible. For example, the ciphertext "IURJ" could plausibly decrypt to either "frog" (shift 3) or "cold" (shift 6), assuming the plaintext is English; similarly, "ALIIP" to "dolls" or "wheel"; and "AFCCP" to "jolly" or "cheer".

Multiple encryptions and decryptions provide no additional security. This is because two encryptions of, say, shift A and shift B will be equivalent to an encryption with shift A + B. In mathematical terms, the encryption under the various keys forms a group.

Disadvantages:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.

Monoalphabetic ciphers: A monoalphabetic cipher substitutes one letter of the alphabet with another letter of the alphabet. However, rather than substituting according to a regular pattern, any letter can be substituted for any other letter, as long as each letter has a unique substitute and vice versa. The Caesar cipher is the simplest example of a monoalphabetic cipher.

Table: plaintext letters a to z and the ciphertext letter substituted for each (a fixed permutation of the alphabet).

Using that table:
Plaintext message:  hello how are you
Ciphertext message: acggk akr moc wky

Disadvantages:
1. Monoalphabetic ciphers are easy to break, as they reflect the frequency data of the original alphabet.
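The brute force attack described under passive attacks (try every key, and let a known plaintext tell you which one is right) and the Caesar cryptanalysis above ("completing the plain component", and the chi-square frequency test) are small enough to run end to end. The following Python is an added example, not the chapter's own code. It assumes the approximate English letter-frequency table embedded in the block (rounded textbook percentages) and uses the chapter's ciphertext EXXEGOEXSRGI; it goes slightly beyond the text in that the chi-square scoring works for any ciphertext long enough to carry English letter statistics, not only for this one.

```python
"""Caesar cipher: encryption, the 'completing the plain component' brute force
and a chi-square frequency test to pick the shift automatically."""
from __future__ import annotations

import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (percent) of letters in English text.
# Assumption: these rounded textbook values are good enough for scoring.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07,
}


def shift_text(text: str, n: int) -> str:
    """E_n(x) = (x + n) mod 26 applied to every letter (A = 0 ... Z = 25).
    Decryption D_n is shift_text(ciphertext, -n); Python's % keeps the
    result in 0..25 even for negative shifts. Case and non-letters are kept."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def complete_plain_component(ciphertext: str) -> list[tuple[int, str]]:
    """Brute force: all 26 candidate plaintexts, one per decryption shift."""
    return [(k, shift_text(ciphertext, -k).lower()) for k in range(26)]


def shift_from_known_plaintext(ciphertext: str, crib: str) -> int | None:
    """Brute force with known plaintext: the shift whose candidate contains
    the crib is the key; None if no shift works (wrong crib or not Caesar)."""
    for k, candidate in complete_plain_component(ciphertext):
        if crib.lower() in candidate:
            return k
    return None


def chi_square(text: str) -> float:
    """Chi-square statistic of the letter counts of text against the expected
    English counts; small values mean the text looks like English."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    total = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100
        observed = letters.count(letter)
        total += (observed - expected) ** 2 / expected
    return total


def shift_by_frequency(ciphertext: str) -> int:
    """Ciphertext-only attack: choose the decryption shift whose candidate
    plaintext best matches English letter frequencies."""
    return min(range(26), key=lambda k: chi_square(shift_text(ciphertext, -k)))


if __name__ == "__main__":
    ct = "EXXEGOEXSRGI"  # the chapter's example ciphertext
    for k, candidate in complete_plain_component(ct):
        print(f"{k:2d}  {candidate}")
    print("known-plaintext shift:", shift_from_known_plaintext(ct, "attack"))
    print("frequency-chosen shift:", shift_by_frequency(ct))
```

Running the block prints the same 26-row table as above and then reports shift 4 from both attacks. On a 12-letter ciphertext the chi-square choice is already unambiguous because the wrong shifts put several letters on the rarest English letters (j, q, x, z), which the statistic penalizes heavily; on very short ciphertexts like the four- and five-letter ones mentioned above it can pick the wrong one of two plausible candidates.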

[Residue of the monoalphabetic substitution example from the previous section; its letter-mapping table did not survive extraction.]
Plaintext message: hello how are you
Ciphertext message: acggk akr moc wky
Disadvantages:
1. Monoalphabetic ciphers are easy to break as they reflect the frequency data of the original alphabet.

Playfair ciphers:
The Playfair cipher is also called the Playfair square. It is a manual symmetric cryptographic technique. The scheme was invented in 1854 by Charles Wheatstone, but bears the name of Lord Playfair, who promoted the use of the cipher. The technique encrypts pairs of letters (digraphs), instead of single letters as in the simple substitution cipher, and is rather more complex. The Playfair is thus significantly harder to break, since the frequency analysis used for simple substitution ciphers does not work with it. Frequency analysis can still be undertaken, but on the 600 possible digraphs rather than the 26 possible monographs. The frequency analysis of digraphs is possible, but considerably more difficult, and it generally requires a much larger ciphertext in order to be useful. Despite its invention by Wheatstone, it became known as the Playfair cipher after Lord Playfair, who heavily promoted its use. The first recorded description of the Playfair cipher was in a document signed by Wheatstone on 26 March 1854. It was rejected by the British Foreign Office when it was developed because of its perceived complexity. When Wheatstone offered to demonstrate that three out of four boys in a nearby school could learn to use it in 15 minutes, the Under Secretary of the Foreign Office responded, "That is very possible, but you could never teach it to attachés."

The Playfair cipher uses a 5 by 5 table containing a key word or phrase. Memorization of the keyword and 4 simple rules was all that was required to create the 5 by 5 table and use the cipher. To generate the key table, one would first fill the spaces in the table with the letters of the keyword (dropping any duplicate letters), then fill the remaining spaces with the rest of the letters of the alphabet in order (usually omitting "Q" to reduce the alphabet to fit; other versions put both "I" and "J" in the same space). The key can be written in the top rows of the table, from left to right, or in some other pattern, such as a spiral beginning in the upper-left-hand corner and ending in the center. The keyword together with the conventions for filling in the 5 by 5 table constitute the cipher key.

To encrypt a message, one would break the message into digraphs (groups of 2 letters) such that, for example, "HelloWorld" becomes "HE LL OW OR LD", and map them out on the key table. The two letters of the digraph are considered as the opposite corners of a rectangle in the key table. Note the relative position of the corners of this rectangle. Then apply the following 4 rules, in order, to each pair of letters in the plaintext:
1. If both letters are the same (or only one letter is left), add an "X" after the first letter. Encrypt the new pair and continue. Some variants of Playfair use "Q" instead of "X". These are called filler elements.
2. If the letters appear on the same row of your table, replace them with the letters to their immediate right respectively (wrapping around to the left side of the row if a letter in the original pair was on the right side of the row).
3. If the letters appear on the same column of your table, replace them with the letters immediately below respectively (wrapping around to the top side of the column if a letter in the original pair was on the bottom side of the column).
4. If the letters are not on the same row or column, replace them with the letters on the same row respectively but at the other pair of corners of the rectangle defined by the original pair. The order is important: the first letter of the encrypted pair is the one that lies on the same row as the first letter of the plaintext pair.
To decrypt, use the inverse of these 4 rules (dropping any extra "X"s (or "Q"s) that don't make sense in the final message when you finish).

Example: Using "playfair example" as the key, the table becomes:
P L A Y F
I R E X M
B C D G H
K N O Q S
T U V W Z

Encrypting the message "Hide the gold in the tree stump":
HI DE TH EG OL DI NT HE TR EX ES TU MP
1. The pair HI forms a rectangle; replace it with BM.
2. The pair DE is in a column; replace it with OD.
3. The pair TH forms a rectangle; replace it with ZB.
4. The pair EG forms a rectangle; replace it with XD.
5. The pair OL forms a rectangle; replace it with NA.
6. The pair DI forms a rectangle; replace it with BE.
7. The pair NT forms a rectangle; replace it with KU.
8. The pair HE forms a rectangle; replace it with DM.
9. The pair TR forms a rectangle; replace it with UI.
10. The pair EX (X inserted to split EE) is in a row; replace it with XM.
11. The pair ES forms a rectangle; replace it with MO.
12. The pair TU is in a row; replace it with UV.
13. The pair MP forms a rectangle; replace it with IF.
BM OD ZB XD NA BE KU DM UI XM MO UV IF
Thus the message "Hide the gold in the tree stump" becomes "BMODZBXDNABEKUDMUIXMMOUVIF".

Playfair cryptanalysis
Like most pre-modern era ciphers, the Playfair cipher can be easily cracked if there is enough text. Obtaining the key is relatively straightforward if both plaintext and ciphertext are known. When only the ciphertext is known, brute force cryptanalysis of the cipher involves searching through the key space for matches between the frequency of occurrence of digrams (pairs of letters) and the known frequency of occurrence of digrams in the assumed language of the original message. Cryptanalysis of Playfair is similar to that of four-square and two-square ciphers, though the relative simplicity of the Playfair system makes identifying candidate plaintext strings easier. Most notably, a Playfair digraph and its reverse (e.g. AB and BA) will decrypt to the same letter pattern in the plaintext (e.g. RE and ER). In English, there are many words which contain these reversed digraphs, such as REceivER and DEpartED. Identifying nearby reversed digraphs in the ciphertext and matching the pattern to a list of known plaintext words containing the pattern is an easy way to generate possible plaintext strings with which to begin constructing the key.
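The key table and the four rules above, as an added Python example that is not part of the chapter. It assumes the I/J-merged 25-letter table (the variant the chapter's own example uses) and "X" as the filler, falling back to "Q" when the doubled letter is itself X; it reproduces the "Hide the gold in the tree stump" encryption and also shows the reversed-digraph property mentioned in the cryptanalysis paragraph (RE and ER encrypt to EX and XE under the same key).

```python
# Added example (not from the chapter): Playfair key table, encryption and
# decryption implementing the four rules above. Assumes the I/J-merged
# 25-letter table and "X" as the filler, with "Q" as the fallback filler
# when the doubled letter is X.
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, J folded into I


def build_table(keyword):
    """5x5 key table: keyword letters first (duplicates dropped), then the rest."""
    seen = []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return ["".join(seen[i:i + 5]) for i in range(0, 25, 5)]


def _position(table, ch):
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError("letter not in table: " + ch)


def digraphs(text, filler="X"):
    """Rule 1: split into pairs, separating doubled letters with the filler
    and padding a trailing single letter."""
    letters = [c for c in text.upper().replace("J", "I") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        fill = filler if a != filler else "Q"      # never pair X with X
        b = letters[i + 1] if i + 1 < len(letters) else fill
        if a == b:
            pairs.append(a + fill)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(table, pair, shift):
    """Rules 2-4 for one pair; shift=+1 encrypts, shift=-1 decrypts."""
    (r1, c1), (r2, c2) = _position(table, pair[0]), _position(table, pair[1])
    if r1 == r2:                                   # same row: step right/left, wrapping
        return table[r1][(c1 + shift) % 5] + table[r2][(c2 + shift) % 5]
    if c1 == c2:                                   # same column: step down/up, wrapping
        return table[(r1 + shift) % 5][c1] + table[(r2 + shift) % 5][c2]
    return table[r1][c2] + table[r2][c1]           # rectangle: same rows, other corners


def encrypt(plaintext, keyword):
    table = build_table(keyword)
    return "".join(_transform(table, p, 1) for p in digraphs(plaintext))


def decrypt(ciphertext, keyword):
    """Inverse rules; filler letters are left in place for the reader to drop."""
    table = build_table(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(table, p, -1) for p in pairs)


if __name__ == "__main__":
    print(encrypt("Hide the gold in the tree stump", "playfair example"))
```

Decryption returns the text with the inserted filler still present (HIDETHEGOLDINTHETREXESTUMP); removing fillers that "don't make sense" is the human step the chapter describes, not something the rules themselves define.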
A different approach to tackling a Playfair cipher is the shotgun hill climbing method. This starts with a random square of letters. Then minor changes are introduced (i.e. switching letters, rows, or reflecting the entire square) to see if the candidate plaintext is more like standard plaintext than before the change (perhaps by comparing the digraphs to a known frequency chart). If the new square is deemed to be an improvement, then it is adopted and then further mutated to find an even better candidate. Eventually, the plaintext or something very close is found to achieve a maximal score by whatever grading method is chosen. This is obviously beyond the range of typical human patience, but computers can adopt this algorithm to crack Playfair ciphers with a relatively small amount of text.

Another aspect of Playfair that separates it from four-square and two-square ciphers is the fact that it will never contain a double-letter digraph, e.g. EE. If there are no double letter digraphs in the ciphertext and the length of the message is long enough to make this statistically significant, it is very likely that the method of encryption is Playfair.

Hill ciphers:
In classical cryptography, the Hill cipher is a polygraphic substitution cipher based on linear algebra. Invented by Lester S. Hill in 1929, it was the first polygraphic cipher in which it was practical (though barely) to operate on more than three symbols at once.

Operation
Each letter is first encoded as a number. Often the simplest scheme is used: A = 0, B = 1, ..., Z = 25, but this is not an essential feature of the cipher. A block of n letters is then considered as a vector of n dimensions, and multiplied by an n x n matrix, which is known as the key, modulo 26. (If one uses a larger number than 26 for the modular base, then a different number scheme can be used to encode the letters, and spaces or punctuation can also be used.) The whole matrix is considered the cipher key, and should be random provided that the matrix is invertible (to ensure decryption is possible).

Encryption: Ciphertext = [KEY] * [Plaintext] mod 26

Consider the message 'ACT'. Since 'A' is 0, 'C' is 2 and 'T' is 19, the message is the vector:
[  0 ]
[  2 ]
[ 19 ]

For our example the key is:
Key =
[  6  24   1 ]
[ 13  16  10 ]
[ 20  17  15 ]

Thus the enciphered vector is given by:
[  6  24   1 ] [  0 ]   [  67 ]             [ 15 ]
[ 13  16  10 ] [  2 ] = [ 222 ] (mod 26) =  [ 14 ]
[ 20  17  15 ] [ 19 ]   [ 319 ]             [  7 ]

which corresponds to a ciphertext of 'POH'. Now, suppose that our message is instead 'CAT', or:
[  2 ]
[  0 ]
[ 19 ]
This time, the enciphered vector is given by:
[  6  24   1 ] [  2 ]   [  31 ]             [  5 ]
[ 13  16  10 ] [  0 ] = [ 216 ] (mod 26) =  [  8 ]
[ 20  17  15 ] [ 19 ]   [ 325 ]             [ 13 ]
which corresponds to a ciphertext of 'FIN'. Every letter has changed. The Hill cipher has achieved Shannon's diffusion, and an n-dimensional Hill cipher can diffuse fully across n symbols at once.

Decryption
In order to decrypt, we turn the ciphertext back into a vector, then simply multiply by the inverse matrix of the key matrix (IFKVIVVMI in letters). (There are standard methods to calculate the inverse matrix; see matrix inversion for details.)

Plaintext = [K^-1] * [Ciphertext] mod 26

We find that the inverse matrix of the one in the previous example is:
[  8   5  10 ]
[ 21   8  21 ]
[ 21  12   8 ]
Taking the previous example ciphertext of 'POH', we get:
[  8   5  10 ] [ 15 ]   [ 260 ]             [  0 ]
[ 21   8  21 ] [ 14 ] = [ 574 ] (mod 26) =  [  2 ]
[ 21  12   8 ] [  7 ]   [ 539 ]             [ 19 ]
which gets us back to 'ACT', just as we hoped.

We have not yet discussed one complication that exists in picking the encrypting matrix. Not all matrices have an inverse. The matrix will have an inverse if and only if its determinant is not zero, and does not have any common factors with the modular base. Thus, if we work modulo 26 as above, the determinant must be nonzero, and must not be divisible by 2 or 13. If the determinant is 0, or has common factors with the modular base, then the matrix cannot be used in the Hill cipher, and another matrix must be chosen (otherwise it will not be possible to decrypt). Fortunately, matrices which satisfy the conditions to be used in the Hill cipher are fairly common.

For our example key matrix:
det [ 6 24 1 ; 13 16 10 ; 20 17 15 ] = 6(16*15 - 10*17) - 24(13*15 - 10*20) + 1(13*17 - 16*20) = 441 (mod 26) = 25 (mod 26)

So, modulo 26, the determinant is 25. Since this has no common factors with 26, this matrix can be used for the Hill cipher. The risk of the determinant having common factors with the modulus can be eliminated by making the modulus prime. Consequently a useful variant of the Hill cipher adds 3 extra symbols (such as a space, a period and a question mark) to increase the modulus to 29.

Security
Unfortunately, the basic Hill cipher is vulnerable to a known-plaintext attack because it is completely linear. An opponent who intercepts n^2 plaintext/ciphertext character pairs can set up a linear system which can (usually) be easily solved; if it happens that this system is indeterminate, it is only necessary to add a few more plaintext/ciphertext pairs. Calculating this solution by standard linear algebra algorithms then takes very little time. While matrix multiplication alone does not result in a secure cipher, it is still a useful step when combined with other non-linear operations, because matrix multiplication can provide diffusion. For example, an appropriately chosen matrix can guarantee that small differences before the matrix multiplication will result in large differences after the matrix multiplication. Some modern ciphers indeed use a matrix multiplication step to provide diffusion. For example, the MixColumns step in AES is a matrix multiplication. The function g in Twofish is a combination of non-linear S-boxes with a carefully chosen matrix multiplication (MDS).

Advantages:
1. It completely hides single letter frequency.
2. The Hill cipher is strong against a ciphertext-only attack.
3. By using a larger matrix, more frequency information can be hidden.
Disadvantages:
1. Easily broken with a known plaintext.

Polyalphabetic Ciphers:
The idea of using substitution ciphers that change during the course of a message was a very important step forwards in cryptography. David Kahn's book, The Codebreakers, gives a full account of the origins of this idea during the Italian Renaissance. The earliest form of polyalphabetic cipher was developed by Leon Battista Alberti by 1467. His system involved writing the ciphertext in small letters, and using capital letters as symbols, called indicators, to indicate when the substitution changes, now and then through a message. The plaintext alphabet on his cipher disk was in order, and included the digits 1 through 4 for forming code words from a small vocabulary. Subsequently, more modern forms were devised, which change the substitution for each letter:
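The Hill cipher operation, decryption and invertibility check described above, as an added Python example that is not from the chapter. It assumes the chapter's key matrix written in letters as GYBNQKURP (the chapter only gives the inverse, IFKVIVVMI); the determinant test rejects any key whose determinant shares a factor with 26, and the inverse is computed from the adjugate, so the same code works for other block sizes.

```python
# Added example (not from the chapter): Hill cipher over Z_26 with the 3x3
# key matrix from the text, which in letters is GYBNQKURP (an assumption;
# the chapter gives only the inverse, IFKVIVVMI). Includes the determinant
# check for usability and the adjugate-based modular inverse for decryption.
from math import gcd

MOD = 26


def text_to_nums(s):
    return [ord(c) - 65 for c in s.upper() if c.isalpha()]


def nums_to_text(v):
    return "".join(chr(n % MOD + 65) for n in v)


def key_matrix(key, n):
    """Key letters fill an n x n matrix row by row."""
    nums = text_to_nums(key)
    if len(nums) != n * n:
        raise ValueError("key must have n*n letters")
    return [nums[i * n:(i + 1) * n] for i in range(n)]


def det(m):
    """Integer determinant by Laplace expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det([row[:j] + row[j + 1:] for row in m[1:]])
               for j in range(len(m)))


def is_usable(m):
    """Usable iff det is non-zero and shares no factor with 26 (not divisible by 2 or 13)."""
    return gcd(det(m) % MOD, MOD) == 1


def inverse_mod26(m):
    """K^-1 = det(K)^-1 * adj(K)  (mod 26); raises if K is not invertible."""
    n = len(m)
    d = det(m) % MOD
    if gcd(d, MOD) != 1:
        raise ValueError("matrix is not invertible modulo 26; choose another key")
    d_inv = pow(d, -1, MOD)                         # modular inverse (Python 3.8+)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]
            adj[j][i] = (-1) ** (i + j) * det(minor)  # cofactor, transposed
    return [[(d_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]


def mat_vec(m, v):
    """m * v (mod 26), with v as a column vector."""
    return [sum(m[i][j] * v[j] for j in range(len(v))) % MOD for i in range(len(m))]


def encrypt(plaintext, key):
    n = int(round(len(text_to_nums(key)) ** 0.5))
    k = key_matrix(key, n)
    if not is_usable(k):
        raise ValueError("key matrix is not invertible modulo 26")
    nums = text_to_nums(plaintext)
    nums += [23] * (-len(nums) % n)                 # pad the last block with 'X'
    out = []
    for i in range(0, len(nums), n):
        out += mat_vec(k, nums[i:i + n])
    return nums_to_text(out)


def decrypt(ciphertext, key):
    n = int(round(len(text_to_nums(key)) ** 0.5))
    k_inv = inverse_mod26(key_matrix(key, n))
    nums = text_to_nums(ciphertext)
    out = []
    for i in range(0, len(nums), n):
        out += mat_vec(k_inv, nums[i:i + n])
    return nums_to_text(out)


if __name__ == "__main__":
    print(encrypt("ACT", "GYBNQKURP"), decrypt("POH", "GYBNQKURP"))
```

The determinant is computed over the integers and only then reduced modulo 26, which is what the chapter's hand calculation (441, then 25) does; reducing intermediate products first would give the same residue.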

1. A progressive-key system, where keys are used one after the other in normal order. This was first published posthumously, in a book by Johannes Trithemius that appeared in 1518. The key ABCD...Z was used with regular alphabets in the form depicted there.
2. A keyword indicating the alphabets to use in turn. Although this system is what is called the Vigenère, it originated with Giovanni Battista Belaso in 1553. In 1563, Giovanni Battista Porta added the use of mixed alphabets to this system.
3. The autokey system, where a key starts the choice of alphabet, but the message itself determines the alphabets to use for later parts of the message. Although an unusable form of this was first proposed by Gerolamo Cardano, it was Blaise de Vigenère who proposed the modern form of the autokey cipher in 1585.

Encryption: Make a table of 24*24, writing the letters from A to Z in every row in a circular fashion. Then, take a letter from the plaintext as the row and the corresponding letter from the key as the column of the table and see the intersection of the letters. The letter at the intersection forms the ciphertext letter at that corresponding position.

Example: The message "Wish you were here" can be encrypted by the three possible methods, using SIAMESE as the key:

Straight keyword:
Message: WISHYOUWEREHERE
Key:     SIAMESESIAMESES
Cipher:  OQSTCGYOMRQLWVW

KEY
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
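The tableau lookup above is addition modulo 26 of the plaintext and key letters; the following added Python example (not from the chapter) implements the three keying methods the section names, straight keyword, progressive key and autokey, on the chapter's message WISHYOUWEREHERE with key SIAMESE. Decryption of the autokey form has to rebuild the key from the plaintext it has already recovered, which is the point that distinguishes it from the other two.

```python
# Added example (not from the chapter): the three polyalphabetic keying
# methods described above. Letters A..Z are 0..25; each ciphertext letter is
# (plaintext + key) mod 26, i.e. the tableau entry at that row and column.
def _clean(s):
    return "".join(c for c in s.upper() if c.isalpha())


def keystream(message, key, method):
    """Expand the key to the message length according to the method."""
    message, key = _clean(message), _clean(key)
    n, k = len(message), len(key)
    if method == "straight":        # keyword repeated until the text is over
        return (key * (n // k + 1))[:n]
    if method == "progressive":     # every repetition of the key shifted one more place
        return "".join(chr((ord(key[i % k]) - 65 + i // k) % 26 + 65) for i in range(n))
    if method == "autokey":         # key followed by the plaintext itself
        return (key + message)[:n]
    raise ValueError("unknown method: " + method)


def encrypt(message, key, method="straight"):
    message = _clean(message)
    ks = keystream(message, key, method)
    return "".join(chr((ord(p) + ord(c) - 130) % 26 + 65) for p, c in zip(message, ks))


def decrypt(ciphertext, key, method="straight"):
    ciphertext, key = _clean(ciphertext), _clean(key)
    if method != "autokey":
        # Straight and progressive key streams depend only on the length,
        # so they can be regenerated from the ciphertext alone.
        ks = keystream(ciphertext, key, method)
        return "".join(chr((ord(c) - ord(k)) % 26 + 65) for c, k in zip(ciphertext, ks))
    # Autokey: each recovered plaintext letter becomes the key for a later position.
    out = []
    for i, c in enumerate(ciphertext):
        k = key[i] if i < len(key) else out[i - len(key)]
        out.append(chr((ord(c) - ord(k)) % 26 + 65))
    return "".join(out)


if __name__ == "__main__":
    for m in ("straight", "progressive", "autokey"):
        print(m, keystream("WISHYOUWEREHERE", "SIAMESE", m),
              encrypt("Wish you were here", "SIAMESE", m))
```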

Progressive key:
Message: WISHYOUWEREHERE
Key:     SIAMESETJBNFTFU
Cipher:  OQSTCGYPNSRMXWY

Autokey:
Message: WISHYOUWEREHERE
Key:     SIAMESEWISHYOUW
Cipher:  OQSTCGYSMJLFSLA

In case of the Straight Keyword method, the key is written repeatedly until the plaintext is over. In case of the Progressive Key method, after the key is finished, each letter of the key is shifted by 1 and added in sequence, until the plaintext is finished. In case of the AutoKey method, the key is followed by the plaintext letters themselves until the plaintext message is finished.

One time Pad Ciphers:
In cryptography, the one-time pad (OTP) is an encryption algorithm in which the plaintext is combined with a secret random key or pad, which is used only once. A modular addition is typically used to combine plaintext elements with pad elements. (For binary data, the operation XOR amounts to the same thing.) It was invented in 1917 and patented a couple of years later. If the key is truly random, as large as the plaintext, never reused in whole or part, and kept secret, the one-time pad provides perfect secrecy. It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys. The key normally consists of a random stream of numbers, each of which indicates the number of places in the alphabet (or number stream, if the plaintext message is in numerical form) by which the corresponding letter or number in the plaintext message should be shifted. For messages in the Latin alphabet, for example, the key will consist of a random string of numbers between 0 and 25; for binary messages the key will consist of a random string of 0s and 1s; and so on.

The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so the top sheet could be easily torn off and destroyed after use. For easy concealment, the pad was sometimes reduced to such a small size that a powerful magnifying glass was required to use it. Photos accessible on the Internet show captured KGB pads that fit in the palm of one's hand, or in a walnut shell. To increase security, one-time pads were sometimes printed onto sheets of highly flammable nitrocellulose.

The one-time pad is derived from the Vernam cipher, named after Gilbert Vernam, one of its inventors. Vernam's system was a cipher that combined a message with a key read from a paper tape loop. In its original form, Vernam's system was not unbreakable because the key could be reused. One-time use came a little later, when Joseph Mauborgne recognized that if the key tape was totally random, cryptanalytic difficulty would be increased. There is some ambiguity to the term due to the fact that some authors use the term "Vernam cipher" synonymously for the "one-time pad", while others refer to any additive stream cipher as a "Vernam cipher", including those based on a cryptographically secure pseudorandom number generator (CSPRNG).

Example
Suppose the sender wishes to send the message 'HELLO' to the receiver. Then find the numeric position of each letter of the message in the English alphabet. Do the same for each letter of the key. Then, add each message letter to the key letter. If the resultant numeric position is between A and Z then it is okay; else take mod 26 and then find the corresponding letter. The message or plaintext is HELLO. The key is XMCKL.

   7 (H)   4 (E)  11 (L)  11 (L)  14 (O)   message
+ 23 (X)  12 (M)   2 (C)  10 (K)  11 (L)   key
= 30      16      13      21      25       message + key
=  4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)   message + key (mod 26)
Ciphertext = EQNVZ

The ciphertext to be sent is thus "EQNVZ", and the same process is repeated, but in reverse, to obtain the plaintext. Here the key is subtracted from the ciphertext, again using modular arithmetic:

   4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)   ciphertext
- 23 (X)  12 (M)   2 (C)  10 (K)  11 (L)   key
= -19      4      11      11      14       ciphertext - key
=  7 (H)   4 (E)  11 (L)  11 (L)  14 (O)   ciphertext - key (mod 26)
Message = HELLO

Similar to the above, if a number is negative then 26 is added to make the number positive.

Security
One-time pads are "information-theoretically secure" in that the encrypted message (i.e., the ciphertext) provides no information about the original message to a cryptanalyst (except the length of the message). This is a very strong notion of security first developed during WWII by Claude Shannon and proved, mathematically, to be true of the one-time pad by Shannon at about the same time. His result was published in the Bell Labs Technical Journal in 1949. Properly used one-time pads are secure in this sense even against adversaries with infinite computational power. To continue the example from above, suppose Eve intercepts Alice's ciphertext: "EQNVZ". If Eve had infinite computing power, she would quickly find that the key "XMCKL" would produce the plaintext "HELLO", but she would also find that the key "TQURI" would produce the plaintext "LATER", an equally plausible message:

   4 (E)  16 (Q)  13 (N)  21 (V)  25 (Z)   ciphertext
- 19 (T)  16 (Q)  20 (U)  17 (R)   8 (I)   possible key
= -15      0      -7       4      17       ciphertext - key
= 11 (L)   0 (A)  19 (T)   4 (E)  17 (R)   ciphertext - key (mod 26)

In fact, it is possible to "decrypt" out of the ciphertext any message whatsoever with the same number of characters, simply by using a different key, and there is no information in the ciphertext which will allow Eve to choose among the various possible readings of the ciphertext. Conventional symmetric encryption algorithms use complex patterns of substitution and transpositions. For the best of these currently in use, it is not known whether there can be a cryptanalytic procedure which can reverse (or, usefully, partially reverse) these transformations without knowing the key used during encryption. Asymmetric encryption algorithms depend on mathematical problems that are thought to be difficult to solve, such as integer factorization and discrete logarithms. However, there is no proof that these problems are hard, and a mathematical breakthrough could make existing systems vulnerable to attack.

Applicability of one-time pads
Any digital data storage device can be used to transport one-time pad data. The theoretical perfect security of the one-time pad applies only in a theoretically perfect setting; no real-world implementation of any cryptosystem can provide perfect security because practical considerations introduce potential vulnerabilities. These practical considerations of security and convenience have meant that the one-time pad is, in practice, little used. One-time pads solve few current practical problems in cryptography. High quality ciphers that have undergone rigorous public review are widely available and their security is not considered a major worry at present. Such ciphers are almost always easier to employ than one-time pads; the amount of key material which must be properly generated and securely distributed is far smaller, and public key cryptography overcomes this problem. High quality random numbers can be hard to generate. The random number generation functions in most programming language libraries are not suitable for cryptographic use. Even those generators that are suitable for normal cryptographic use, including /dev/random and many hardware random number generators, make some use of cryptographic functions whose security is unproven. Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time pad from place to place in a (somewhat) non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). A 4.7 GB DVD-R full of one-time pad data, if shredded into particles 1 mm in size, leaves over 100 kilobits of (admittedly hard to recover, but not impossibly so) data on each particle. In addition, the risk of compromise during transit (for example, a pickpocket swiping, copying and replacing the 'pad') is likely much greater in practice than the likelihood of compromise for a cipher such as AES. Finally, the effort needed to manage one-time pad key material scales very badly for large networks of communicants. The number of pads required goes up as the square of the number of users exchanging messages freely amongst each other. For communication between only two persons, or a star network topology, this is somewhat less of a problem.
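The HELLO/XMCKL example and Eve's TQURI observation, as an added Python example that is not from the chapter. It works over the 26-letter alphabet with modular addition, refuses a pad shorter than the message, and includes a function that computes the pad under which a given ciphertext "decrypts" to any chosen same-length plaintext, which is exactly why the ciphertext gives Eve nothing to choose between readings. Pad generation uses Python's `secrets` module, an assumption on my part; the text's warning about library random-number functions applies to generators such as `random`, not to the OS entropy source `secrets` draws on.

```python
# Added example (not from the chapter): one-time pad over A..Z using the
# chapter's message HELLO and pad XMCKL, plus the perfect-secrecy check that
# another pad (TQURI) turns the same ciphertext into LATER.
import secrets


def _nums(s):
    return [ord(c) - 65 for c in s.upper() if c.isalpha()]


def _text(values):
    return "".join(chr(n % 26 + 65) for n in values)


def generate_pad(length):
    """One uniformly random letter per plaintext letter; drawn from the OS
    entropy source via `secrets` (assumed adequate here) and never reused."""
    return "".join(chr(secrets.randbelow(26) + 65) for _ in range(length))


def encrypt(message, pad):
    m, k = _nums(message), _nums(pad)
    if len(k) < len(m):
        raise ValueError("pad must be at least as long as the message")
    return _text((a + b) % 26 for a, b in zip(m, k))      # modular addition


def decrypt(ciphertext, pad):
    c, k = _nums(ciphertext), _nums(pad)
    if len(k) < len(c):
        raise ValueError("pad must be at least as long as the ciphertext")
    # Python's % already maps a negative difference back into 0..25,
    # i.e. it "adds 26" as the chapter says.
    return _text((a - b) % 26 for a, b in zip(c, k))


def pad_for(ciphertext, desired_plaintext):
    """The pad that makes `ciphertext` decrypt to `desired_plaintext`.
    Every plaintext of the same length is reachable by some pad, so the
    ciphertext alone carries no information about which one was sent."""
    c, p = _nums(ciphertext), _nums(desired_plaintext)
    if len(c) != len(p):
        raise ValueError("candidate plaintext must have the ciphertext's length")
    return _text((a - b) % 26 for a, b in zip(c, p))


if __name__ == "__main__":
    ct = encrypt("HELLO", "XMCKL")
    print(ct, decrypt(ct, "XMCKL"), decrypt(ct, "TQURI"), pad_for(ct, "LATER"))
```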

The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects. As traditionally used, one-time pads provide no message authentication, the lack of which can pose a security threat in real-world systems. The straightforward XORing with the keystream creates a potential vulnerability in message integrity that is especially simple to exploit: for example, an attacker who knows that the message contains "Meet Jane and me tomorrow at 3:30 pm" at a particular point can replace that content by any other content of the exact same length, such as "3:30 meeting is cancelled, stay home", without having access to the one-time pad. Universal hashing provides a way to authenticate messages up to an arbitrary security bound (i.e., for any p > 0, a large enough hash ensures that even a computationally unbounded attacker's likelihood of successful forgery is less than p), but this uses additional random data from the pad, and removes the possibility of implementing the system without a computer.

Transposition Ciphers:
In cryptography, a transposition cipher is a method of encryption by which the positions held by units of plaintext (which are commonly characters or groups of characters) are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is changed. Mathematically a bijective function is used on the characters' positions to encrypt and an inverse function to decrypt.

Rail Fence cipher
The Rail Fence cipher is a form of transposition cipher that gets its name from the way in which it is encoded. In the rail fence cipher, the plaintext is written downwards on successive "rails" of an imaginary fence, then moving up when we get to the bottom. The message is then read off in rows. For example, using three "rails" and a message of 'WE ARE DISCOVERED. FLEE AT ONCE', the cipherer writes out:

W . . . E . . . C . . . R . . . L . . . T . . . E
. E . R . D . S . O . E . E . F . E . A . O . C .
. . A . . . I . . . V . . . D . . . E . . . N . .

Then reads off: WECRL TEERD SOEEF EAOCA IVDEN
(The cipherer has broken this ciphertext up into blocks of five to help avoid errors.)

Route cipher
In a route cipher, the plaintext is first written out in a grid of given dimensions, then read off in a pattern given in the key. For example, using the same plaintext that we used for rail fence:

W R I O R F E O E
E E S V E L A N J
A D C E D E T C X
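The rail fence as a permutation of positions, an added Python example that is not from the chapter. It reproduces the three-rail example above and shows the "bijective function on positions" idea from the transposition definition directly: encryption reads positions in rail order, and decryption places ciphertext letters back by the same position list, so no zig-zag has to be re-drawn.

```python
# Added example (not from the chapter): rail-fence transposition written as
# a permutation of positions; decryption is the inverse permutation.
def _rail_pattern(length, rails):
    """Rail index of each plaintext position, e.g. 0,1,2,1,0,1,2,1,... for 3 rails."""
    cycle = 2 * rails - 2
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def _read_order(length, rails):
    """Plaintext positions in the order the rails are read off, top rail first."""
    pattern = _rail_pattern(length, rails)
    return [i for r in range(rails) for i in range(length) if pattern[i] == r]


def encrypt(message, rails):
    text = "".join(c for c in message.upper() if c.isalpha())
    if rails < 2:                        # a single rail is the identity permutation
        return text
    return "".join(text[i] for i in _read_order(len(text), rails))


def decrypt(ciphertext, rails):
    if rails < 2:
        return ciphertext
    plain = [""] * len(ciphertext)
    for letter, pos in zip(ciphertext, _read_order(len(ciphertext), rails)):
        plain[pos] = letter              # put each letter back where it was read from
    return "".join(plain)


def grouped(text, n=5):
    """Break ciphertext into blocks of five, as the chapter's cipherer does."""
    return " ".join(text[i:i + n] for i in range(0, len(text), n))


if __name__ == "__main__":
    ct = encrypt("WE ARE DISCOVERED. FLEE AT ONCE", 3)
    print(grouped(ct), decrypt(ct, 3))
```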
The key might specify "spiral inwards, clockwise, starting from the top right". That would give a ciphertext of: EJXCTEDECDAEWRIORFEONALEVSE

Route ciphers have many more keys than a rail fence. In fact, for messages of reasonable length, the number of possible keys is potentially too great to be enumerated even by modern machinery. However, not all keys are equally good. Badly chosen routes will leave excessive chunks of plaintext, or text simply reversed, and this will give cryptanalysts a clue as to the routes. An interesting variation of the route cipher was the Union Route Cipher, used by Union forces during the American Civil War. This worked much like an ordinary route cipher, but transposed whole words instead of individual letters. Because this would leave certain highly sensitive words exposed, such words would first be concealed by code. The cipher clerk may also add entire null words, which were often chosen to make the ciphertext humorous.

Columnar transposition
In a columnar transposition, the message is written out in rows of a fixed length, and then read out again column by column, and the columns are chosen in some scrambled order. Both the width of the rows and the permutation of the columns are usually defined by a keyword. For example, the word ZEBRAS is of length 6 (so the rows are of length 6), and the permutation is defined by the alphabetical order of the letters in the keyword. In this case, the order would be "6 3 2 4 1 5". In a regular columnar transposition cipher, any spare spaces are filled with nulls; in an irregular columnar transposition cipher, the spaces are left blank. Finally, the message is read off in columns, in the order specified by the keyword. For example, suppose we use the keyword ZEBRAS and the message WE ARE DISCOVERED. FLEE AT ONCE. In a regular columnar transposition, we write this into the grid as:

6 3 2 4 1 5
W E A R E D
I S C O V E
R E D F L E
E A T O N C
E Q K J E U

providing five nulls (QKJEU) at the end. The ciphertext is then read off as: EVLNE ACDTK ESEAQ ROFOJ DEECU WIREE

In the irregular case, the columns are not completed by nulls:

6 3 2 4 1 5
W E A R E D
I S C O V E
R E D F L E
E A T O N C
E

This results in the following ciphertext: EVLNA CDTES EAROF ODEEC WIREE

To decipher it, the recipient has to work out the column lengths by dividing the message length by the key length. Then he can write the message out in columns again, then re-order the columns by reforming the key word. Columnar transposition continued to be used for serious purposes as a component of more complex ciphers at least into the 1950's.

Double transposition
A single columnar transposition could be attacked by guessing possible column lengths, writing the message out in its columns (but in the wrong order, as the key is not yet known), and then looking for possible anagrams. Thus to make it stronger, a double transposition was often used. This is simply a columnar transposition applied twice. The same key can be used for both transpositions, or two different keys can be used. As an example, we can take the result of the irregular columnar transposition in the previous section, and perform a second encryption with a different keyword, STRIPE, which gives the permutation "564231":

5 6 4 2 3 1
E V L N A C
D T E S E A
R O F O D E
E C W I R E
E

As before, this is read off columnwise to give the ciphertext: CAEEN SOIAE DRLEF WEDRE EVTOC

During World War I, the German military used a double columnar transposition cipher. The system was regularly solved by the French, naming it Übchi, who were typically able to find the key in a matter of days after a new one had been introduced. However, the French success became widely known and, after a publication in Le Matin, the Germans changed to a new system on 18 November 1914. During World War II, the double transposition cipher was used by Dutch Resistance groups, the French Maquis and the British Special Operations Executive (SOE), which was in charge of managing underground activities in Europe. It was also used by agents of the American Office of Strategic Services and as an emergency cipher for the German Army and Navy. Until the invention of the VIC cipher, double transposition was generally regarded as the most complicated cipher that an agent could operate reliably under difficult field conditions.

Myszkowski transposition
A variant form of columnar transposition, proposed by Émile Victor Théodore Myszkowski in 1902, requires a keyword with recurrent letters. In usual practice, subsequent occurrences of a keyword letter are treated as if the next letter in alphabetical order, e.g., the keyword TOMATO yields a numeric keystring of "532164". In Myszkowski transposition, recurrent keyword letters are numbered identically, TOMATO yielding a keystring of "432143".

4 3 2 1 4 3
W E A R E D
I S C O V E
R E D F L E
E A T O N C
E

Plaintext columns with unique numbers are transcribed downward; those with recurring numbers are transcribed left to right: ROFOA CDTED SEEEA CWEIV RLENE
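Keyed columnar transposition in its regular and irregular forms, the double transposition built from it, and the Myszkowski variant, as one added Python example that is not from the chapter. It checks itself against the ZEBRAS, STRIPE and TOMATO grids above; the decryption routine does the column-length arithmetic the text describes (message length divided by key length, with the leftover letters going to the leftmost columns), which is the step people most often get wrong by hand.

```python
# Added example (not from the chapter): keyed columnar transposition
# (regular with nulls, irregular without), double transposition, and the
# Myszkowski variant, checked against the chapter's worked examples.
def key_order(keyword, myszkowski=False):
    """Column numbers from the keyword's alphabetical order.
    ZEBRAS -> [6,3,2,4,1,5]; TOMATO -> [5,3,2,1,6,4], or [4,3,2,1,4,3] in Myszkowski form."""
    keyword = keyword.upper()
    if myszkowski:                                  # repeated letters share a number
        ranks = {ch: i + 1 for i, ch in enumerate(sorted(set(keyword)))}
        return [ranks[ch] for ch in keyword]
    order = sorted(range(len(keyword)), key=lambda i: (keyword[i], i))
    ranks = [0] * len(keyword)
    for rank, i in enumerate(order):                # later duplicates get the next number
        ranks[i] = rank + 1
    return ranks


def _grid(text, width, nulls=None):
    text = "".join(c for c in text.upper() if c.isalpha())
    if nulls is not None:                           # regular form: complete the last row
        text += nulls[: -len(text) % width]
    return [text[i:i + width] for i in range(0, len(text), width)]


def columnar_encrypt(text, keyword, nulls=None):
    """Rows of len(keyword), read column by column in key order. nulls=None -> irregular."""
    order = key_order(keyword)
    rows = _grid(text, len(keyword), nulls)
    out = ""
    for rank in range(1, len(keyword) + 1):
        col = order.index(rank)
        out += "".join(row[col] for row in rows if col < len(row))
    return out


def columnar_decrypt(ciphertext, keyword):
    width, order, n = len(keyword), key_order(keyword), len(ciphertext)
    full_rows, extra = divmod(n, width)             # the first `extra` columns are one longer
    lengths = [full_rows + (1 if c < extra else 0) for c in range(width)]
    cols, pos = [""] * width, 0
    for rank in range(1, width + 1):                # cut the ciphertext into columns in key order
        col = order.index(rank)
        cols[col] = ciphertext[pos:pos + lengths[col]]
        pos += lengths[col]
    return "".join(cols[c][r] for r in range(full_rows + 1)
                   for c in range(width) if r < lengths[c])


def double_encrypt(text, key1, key2):
    return columnar_encrypt(columnar_encrypt(text, key1), key2)


def double_decrypt(ciphertext, key1, key2):
    return columnar_decrypt(columnar_decrypt(ciphertext, key2), key1)


def myszkowski_encrypt(text, keyword):
    """Unique-numbered columns are read down; columns sharing a number are read
    left to right, row by row."""
    order = key_order(keyword, myszkowski=True)
    rows = _grid(text, len(keyword))
    out = ""
    for rank in sorted(set(order)):
        cols = [c for c, r in enumerate(order) if r == rank]
        out += "".join(row[c] for row in rows for c in cols if c < len(row))
    return out


if __name__ == "__main__":
    msg = "WE ARE DISCOVERED. FLEE AT ONCE"
    print(columnar_encrypt(msg, "ZEBRAS", nulls="QKJEU"))
    print(double_encrypt(msg, "ZEBRAS", "STRIPE"), myszkowski_encrypt(msg, "TOMATO"))
```

Decrypting the regular (null-padded) ciphertext returns the nulls along with the message, since the cipher cannot know which trailing letters were padding; that is the recipient's job, as with Playfair fillers.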

A columnar transposition cipher, also known as a row-column transpose cipher, is a very easy cipher to perform by hand. The message is written out in rows of a fixed length creating columns; these columns are then rearranged and the message is read out again column by column. Both the length of the rows and the subsequent arrangement of the columns are defined by either a keyword or a numerical key. In a regular columnar transposition cipher, any spare spaces are filled with nulls; in an irregular columnar transposition cipher, the spaces are left blank. Finally, the message is read out in columns, in the order specified by the key.

Example 1: Regular with Numerical Key
I have used the tongue twister "A cup of proper coffee in a copper coffee cup" with a five column key of 4 2 5 3 1. Write out the message without spaces, making sure to fit it into columns, number each one and fill the empty spaces with random letters; I used TKQ. To encrypt the message, read the columns down in the order that you numbered them. Write down the last column first, then the second, then the fourth, the first, and finally the last; this will give "OPFNPFU CPRECRET POOIPOCQ AFEFAEFP URCEOCEK".

Unencoded
Column #:  4 2 5 3 1
           A C U P O
           F P R O P
           E R C O F
           F E E I N
           A C O P P
           E R C O F
           F E E C U
           P T K Q

Rearranged
Column #:  1 2 3 4 5
           O C P A U
           P P O F R
           F R O E C
           N E I F E
           P C P A O
           F R O E C
           U E C F E
             T Q P K

Example 2: Irregular with Keyword
In this example I have taken the phrase "We are discovered flee at once" with a six letter keyword, HELP US. To encrypt, the keyword's letters are placed in alphabetical order, EHLPSU; then the method is exactly the same as the numerical example shown above, giving the encoded message "ESEA WIREE ACDT ROFO DEEC EVLN". The only difference is that in the encoder keywords do not have to be spaced like numeric keys.

Unencoded
Column #:  H E L P U S
           W E A R E D
           I S C O V E
           R E D F L E
           E A T O N C
           E

Rearranged
Column #:  E H L P S U
           E W A R D E
           S I C O E V
           E R D F E L
           A E T O C N
           E

To decipher a columnar transposition cipher, the recipient must work out the column lengths by dividing the message length by the key length. The message can then be written out in columns again and the columns reordered by reforming the key word. This columnar transposition cipher implementation will also move spaces around, so you can take "a b c" with a key of "2 1" and get "  abc" (note the two spaces in front). It suggests you remove all spaces before you encode the text, but they should be preserved even if you don't. New lines are ignored and not taken into consideration. Columnar transposition continued to be used for serious purposes, as a component of more complex ciphers, at least into the 1950's. This cipher is actually used in the Kryptos sculpture, at the CIA headquarters in Virginia, in what is generally known as K3 (the third section of the sculpture), but this encoder will not give you the answer directly. You still need to do work to see the decoded message.

Cryptanalysis

Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves knowing how the system works and finding a secret key. In non-technical language, this is the practice of codebreaking or cracking the code, although these phrases also have a specialized technical meaning (see code). "Cryptanalysis" is also used to refer to any attempt to circumvent the security of other types of cryptographic algorithms and protocols in general, and not just encryption. However, cryptanalysis usually excludes methods of attack that do not primarily target weaknesses in the actual cryptography, such as bribery, physical coercion, burglary, keystroke logging, and social engineering, although these types of attack are an important concern and are often more effective than traditional cryptanalysis.

General types of cryptanalytic attacks
There are a wide variety of cryptanalytic attacks, and they can be classified in any of several ways. One distinction turns on what an attacker knows and can do.

Ciphertext only
The ciphertext-only attack is the case where the cryptanalyst has access only to the ciphertext. Modern cryptosystems are generally effectively immune to ciphertext-only attacks. Pure ciphertext-only attacks are rare in practice because the analyst is often able to guess some plaintext. This converts a ciphertext-only situation into a known plaintext attack; see the next section.

Known plaintext
In a known plaintext attack, the cryptanalyst has access to a ciphertext and its corresponding plaintext (or to many such pairs). Sometimes it is enough for the attacker to have partial knowledge of the plaintext, perhaps that it is ASCII text with the top bit of every byte zero, or that it is radar data in a known format. This gives him something to go on, a way to check if a decryption or partial decryption is correct; that may be all he needs. Often the attacker can guess some plaintext. In British World War II ULTRA codebreaking, such guesses were known as "cribs".
Many messages contain fixed text like dates or formal phrases like "your humble and obedient servant", and various systems such as compression algorithms or email handlers insert fixed format headers; all these are free gifts to the cryptanalyst. In war, names of enemy officers, bases, ships or units (or their codenames) are good guesses, also perhaps words like "order" and "ammunition". An intelligence organization that knows the enemy well may have additional cribs available, looking for "congratulations" for a promoted officer, "Happy birthday" for a general and so on. Language structure may also provide cribs. Consider ordinary English text, where about one in seven characters are spaces, and "the" and "of" are the most common words. Suppose the cipher uses 64-bit (8 character) blocks. The chance that one of them encodes the 8 characters in " of the " is significant. If the cipher user (foolishly) sends large volumes of data with the same key and the attacker has the determination and the (huge) resources to test them all, this crib is almost certain to break the cipher eventually. More plausibly, an attacker may be able to use text statistics as an entry point: space is the most common character, "e" the most common letter, "q" is often followed by "u", and so on.

Generally, if a true known plaintext attack (where the attacker actually knows some plaintext) is feasible, then variants based on guessed plaintext or on partial knowledge of plaintext will be more difficult, but not prohibitively so. Suppose there is a known plaintext attack that breaks the cipher at reasonable cost, but the attacker has only some guessed plaintext that has a 10% chance of being right. That gives him a one in ten chance of solving the cipher on the first try. If he has many such guessed cribs available, he is almost certain to solve it eventually at some cost not horrifically more than the cost of a true known plaintext attack. Or suppose he only knows the plaintext is ASCII; the top bit of every byte is zero. Suppose we are dealing with a block cipher that has 64-bit blocks. If there is a feasible known plaintext attack, then an enemy who knows only 64 bits of plaintext in a single block can break the cipher. However, if the data is known ASCII and the enemy has intercepted N blocks, then he knows that 8N bits of the plaintext are zero. Whether this lets him break the cipher or not is an extremely complex question depending on all the details of the cipher and on any additional knowledge the attacker may have. However, if you are trying to keep the data secret, you should guess "yes" and choose a cipher that is secure against known plaintext attacks. In general, if there is an effective known plaintext attack on the cipher, then the cipher must be considered insecure.

A number of attacks require known (including guessed) plaintext to work:
- A brute force search tries all possible keys; you need to know one block of plaintext so you can tell when you have found the right key.
- A meet-in-the-middle attack finds a middle value in two ways, by half-encrypting a block of known plaintext and half-decrypting the matching ciphertext, and searches for matching "middle" results; this is much more efficient than brute force but is not applicable to most ciphers.
- An algebraic attack writes the cipher operations as equations in some algebraic system, usually Boolean, then plugs in known values for plaintext and ciphertext and solves for the key. Depending on various details, this may need anywhere from one to a few dozen plaintexts.
- A code book attack requires huge numbers of known plaintexts, at least 2^(blocksize/2), before it becomes useful.
- Linear cryptanalysis and differential cryptanalysis are often very efficient in terms of the attacker's effort, significantly better than brute force. However, they require large numbers of known or chosen plaintexts.
All these should be completely impractical against any well-designed cipher, properly used. An important safety precaution is to re-key often enough to prevent code book, linear and differential attacks; this is standard practice.

Chosen plaintext
In a chosen plaintext attack, the cryptanalyst may choose a plaintext and learn its corresponding ciphertext (perhaps many times); an example is the gardening used by the British during WWII.
A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme's secret key. This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible. Chosen-plaintext attacks become extremely important in the context of public key cryptography, where the encryption key is public and attackers can encrypt any plaintext they choose. Any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.

Two forms of chosen-plaintext attack can be distinguished:
- Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them are encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
- Adaptive chosen-plaintext attack, where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions.

Non-randomized (deterministic) public key encryption algorithms are vulnerable to simple "dictionary"-type attacks, where the attacker builds a table of likely messages and their corresponding ciphertexts. To find the decryption of some observed ciphertext, the attacker simply looks the ciphertext up in the table. As a result, public-key definitions of security under chosen-plaintext attack require probabilistic encryption (i.e., randomized encryption). Conventional symmetric ciphers, in which the same key is used to encrypt and decrypt a text, may also be vulnerable to other forms of chosen-plaintext attack, for example, differential cryptanalysis of block ciphers. A technique termed Gardening was used by Allied codebreakers in World War II who were solving messages encrypted on the Enigma machine. Gardening can be viewed as a chosen-plaintext attack.

Chosen ciphertext

In a chosen ciphertext attack, the cryptanalyst may choose ciphertexts and learn their corresponding plaintext. Also important, often overwhelmingly so, are mistakes (generally in the design or use of one of the protocols involved; see ULTRA for some historical examples of this).

In cryptography, a ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success. For example, if an adversary is sending ciphertext continuously to maintain traffic-flow security, it would be very useful to be able to distinguish real messages from nulls. Even making an informed guess of the existence of real messages would facilitate traffic analysis. In the history of cryptography, early ciphers, implemented using pen and paper, were routinely broken using ciphertexts alone. Cryptographers developed statistical techniques for attacking ciphertext, such as frequency analysis. Mechanical encryption devices such as Enigma made these attacks much more difficult (although, historically, Polish cryptographers were able to mount a successful ciphertext-only cryptanalysis of the Enigma by exploiting an insecure protocol for indicating the message settings). Every modern cipher attempts to provide protection against ciphertext-only attacks. The vetting process for a new cipher design standard usually takes many years and includes exhaustive testing for large quantities of ciphertext for any statistical departure from random noise. See: Advanced Encryption Standard process.
Also, the field of steganography evolved, in part, to develop methods like mimic functions that allow one piece of data to adopt the statistical profile of another. Nonetheless, poor cipher usage or reliance on home-grown proprietary algorithms that have not been subject to thorough scrutiny has resulted in many computer-age encryption systems that are still subject to ciphertext-only attack. Examples include:
- Early versions of Microsoft's PPTP virtual private network software used the same RC4 key for the sender and the receiver (later versions had other problems). In any case where a stream cipher like RC4 is used twice with the same key it is open to ciphertext-only attack. See: stream cipher attack.
- Wired Equivalent Privacy (WEP), the first security protocol for Wi-Fi, proved vulnerable to several attacks, most of them ciphertext-only.
- Some modern cipher designs have later been shown to be vulnerable to ciphertext-only attacks. For example, Akelarre.

Related key attack

Using two or more related keys for different messages, different links, or different sessions may give a cryptanalyst an entry point. The best known failure of this type is for the WEP protocols used in wireless networking. WEP generates keys for different connections by concatenating a connection-specific initialization value with another secret value, and this creates a weakness. See for example, "Breaking 104 bit WEP in less than 60 seconds"[5].

Strategies against symmetric cryptosystems

Cryptanalysis of symmetric-key techniques typically involves looking for efficient attacks against block ciphers or stream ciphers. Against an ideal cipher, there is no attack better than brute force. For example, a simple brute force attack against DES requires one known plaintext and 2^55 decryptions, trying approximately half of the possible keys, before chances are better than even that the key will have been found. But this may not be enough assurance; a linear cryptanalysis attack against DES requires 2^43 known plaintexts and approximately 2^43 DES operations. This is a considerable improvement on brute force attacks.

Strategies against asymmetric cryptosystems

Public key algorithms are based on the computational difficulty of various problems. The most famous of these is integer factorization (the RSA cryptosystem is based on a problem related to factoring), but the discrete logarithm problem is also important. Much public-key cryptanalysis concerns numerical algorithms for solving these computational problems, or some of them, efficiently. For instance, the best algorithms for solving the elliptic curve-based version of discrete logarithm are much more time-consuming than the best known algorithms for factoring, at least for problems of equivalent size. Thus, other things being equal, to achieve an equivalent strength of attack resistance, factoring-based encryption techniques must use larger keys than elliptic curve techniques. For this reason, public-key cryptosystems based on elliptic curves have become popular since their invention in the mid-1990s.

Classifying success in cryptanalysis

The results of cryptanalysis can also vary in usefulness. For example, cryptographer Lars Knudsen (1998) classified various types of attack on block ciphers according to the amount and quality of secret information that was discovered:
- Total break: the attacker deduces the secret key.
- Global deduction: the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key.
- Instance (local) deduction: the attacker discovers additional plaintexts (or ciphertexts) not previously known.
- Information deduction: the attacker gains some Shannon information about plaintexts (or ciphertexts) not previously known.
- Distinguishing algorithm: the attacker can distinguish the cipher from a random permutation.
Similar considerations apply to attacks on other types of cryptographic algorithm.

Complexity

Attacks can also be characterised by the amount of resources they require. This can be in the form of:
- Time: the number of "primitive operations" which must be performed. This is quite loose; primitive operations could be basic computer instructions, such as addition, XOR, shift, and so forth, or entire encryption methods.
- Memory: the amount of storage required to perform the attack.
- Data: the quantity of plaintexts and ciphertexts required.

In academic cryptography, a weakness or a break in a scheme is usually defined quite conservatively. Bruce Schneier sums up this approach: "Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute force. Never mind that brute-force might require 2^128 encryptions; an attack requiring 2^110 encryptions would be considered a break... simply put, a break can just be a certificational weakness: evidence that the cipher does not perform as advertised." (Schneier, 2000).
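The "dictionary" attack on deterministic public-key encryption described under Chosen plaintext above, and why CPA security requires randomized encryption, as an added Python example that is not part of the original text. It uses textbook RSA with small constructed primes, once deterministic and once with random bits appended to the message before exponentiation (an illustrative stand-in for a real padding scheme, assumed here); the attacker holds only the public key and tabulates the ciphertexts of every likely one-byte message.

```python
import os

# Toy RSA parameters, constructed for this example only (far too small for real use).
P, Q = 104729, 104723          # two primes; N is roughly 1.1e10
N = P * Q
E = 65537                      # public exponent, coprime to (P-1)(Q-1)
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (modular inverse, Python 3.8+)

MSG_BITS = 8                   # a one-byte message ...
RAND_BITS = 24                 # ... plus 24 random bits; 2^32 < N, so the padded value fits


def textbook_encrypt(m: int) -> int:
    """Deterministic (textbook) RSA: the same message always yields the same ciphertext."""
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def padded_encrypt(m: int) -> int:
    """Randomized encryption: fresh random bits are appended before exponentiation,
    so two encryptions of the same message produce different ciphertexts."""
    r = int.from_bytes(os.urandom(RAND_BITS // 8), "big")
    return pow((m << RAND_BITS) | r, E, N)


def padded_decrypt(c: int) -> int:
    return pow(c, D, N) >> RAND_BITS       # strip the random bits after decrypting


def build_dictionary(encrypt, candidates):
    """The attacker's table: ciphertext -> likely message, built with the public key only.
    It is useful only when encryption is deterministic."""
    return {encrypt(m): m for m in candidates}


def lookup(table, ciphertext):
    """Recover a plaintext from an observed ciphertext by table lookup, or None."""
    return table.get(ciphertext)


def demo():
    likely = range(1 << MSG_BITS)          # every possible one-byte message
    secret = ord("A")
    # Deterministic scheme: the observed ciphertext is in the attacker's table.
    det_hit = lookup(build_dictionary(textbook_encrypt, likely), textbook_encrypt(secret))
    # Randomized scheme: the attacker's own encryptions used different random bits.
    rnd_hit = lookup(build_dictionary(padded_encrypt, likely), padded_encrypt(secret))
    return det_hit, rnd_hit


if __name__ == "__main__":
    print(demo())                          # (65, None)
```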
Steganography

Steganography is the science of hiding information. Whereas the goal of cryptography is to make data unreadable by a third party, the goal of steganography is to hide the data from a third party. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.

There are a large number of steganographic methods that most of us are familiar with (especially if you watch a lot of spy movies!), ranging from invisible ink and microdots to secreting a hidden message in the second letter of each word of a large body of text and spread spectrum radio communication. With computers and networks, there are many other ways of hiding information, such as:
- Covert channels (e.g., Loki and some distributed denial-of-service tools use the Internet Control Message Protocol, or ICMP, as the communications channel between the "bad guy" and a compromised system)
- Hidden text within Web pages
- Hiding files in "plain sight" (e.g., what better place to "hide" a file than with an important-sounding name in the c:\winnt\system32 directory?)
- Null ciphers (e.g., using the first letter of each word to form a hidden message in an otherwise innocuous text)

Steganography today, however, is significantly more sophisticated than the examples above suggest, allowing a user to hide large amounts of information within image and audio files. These forms of steganography often are used in conjunction with cryptography so that the information is doubly protected; first it is encrypted and then hidden so that an adversary has to first find the information (an often difficult task in and of itself) and then decrypt it.

Applications: There are a number of uses for steganography besides the mere novelty. One of the most widely used applications is for so-called digital watermarking. A watermark, historically, is the replication of an image, logo, or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function; a graphic artist, for example, might post sample images on the Web site complete with an embedded signature so that she can later prove the ownership in case others attempt to portray the work as their own.

Advantages: The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages, no matter how unbreakable, will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.

Digital Steganography

Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it. Modern steganography entered the world in 1985 with the advent of the personal computer applied to classical steganography problems. Development following that was slow, but has since taken off, going by the number of 'stego' programs available: over 725 digital steganography applications have been identified by the Steganography Analysis and Research Center.

Digital steganography techniques include:
- Concealing messages within the lowest bits of noisy images or sound files.
- Concealing data within encrypted data or within random data. The data to be concealed is first encrypted before being used to overwrite part of a much larger block of encrypted data or a block of random data (an unbreakable cipher like the one-time pad generates ciphertexts that look perfectly random if you don't have the private key).

Printed steganography

Digital steganography output may be in the form of printed documents. A message, the plaintext, may be first encrypted by traditional means, producing a ciphertext. Then, an innocuous covertext is modified in some way so as to contain the ciphertext, resulting in the stegotext. For example, the letter size, spacing, typeface, or other characteristics of a covertext can be manipulated to carry the hidden message. Only a recipient who knows the technique used can recover the message and then decrypt it. Francis Bacon developed Bacon's cipher as such a technique.

Steganographic Methods

The following formula provides a very generic description of the pieces of the steganographic process:

cover_medium + hidden_data + stego_key = stego_medium

In this context, the cover_medium is the file in which we will hide the hidden_data, which may also be encrypted using the stego_key. The resultant file is the stego_medium (which will, of course, be the same type of file as the cover_medium). The cover_medium (and, thus, the stego_medium) are typically image or audio files. In this article, I will focus on image files and will, therefore, refer to the cover_image and stego_image.

The simplest approach to hiding data within an image file is called least significant bit (LSB) insertion. In this method, we can take the binary representation of the hidden_data and overwrite the LSB of each byte within the cover_image. If we are using 24-bit color, the amount of change will be minimal and indiscernible to the human eye. As an example, suppose that we have three adjacent pixels (nine bytes) with the following RGB encoding:

10010101 00001101 11001001
10010110 00001111 11001010
10011111 00010000 11001011

Now suppose we want to "hide" the following 9 bits of data (the hidden data is usually compressed prior to being hidden): 101101101. If we overlay these 9 bits over the LSB of the 9 bytes above, we get the following (the second, fourth, fifth and sixth bytes have changed):

10010101 00001100 11001001
10010111 00001110 11001011
10011111 00010000 11001011

Note that we have successfully hidden 9 bits but at a cost of only changing 4, or roughly 50%, of the LSBs.

Steganalysis

Detection of physical steganography requires careful physical examination, including the use of magnification, developer chemicals and ultraviolet light. It is a time-consuming process with obvious resource implications, even in countries where large numbers of people are employed to spy on their fellow nationals.
Targeted mail screening is however feasible in the case of certain suspected individuals or institutions, such as prisons or prisoner-of-war camps. During World War II, a technology used to ease monitoring of POW mail was specially treated paper that would reveal invisible ink. An article in the June 24, 1948 issue of Paper Trade Journal by the Technical Director of the United States Government Printing Office, Morris S. Kantrowitz, describes in general terms the development of this paper, three prototypes of which were named Sensicoat, Anilith, and Coatalith paper. These were for the manufacture of postal cards and stationery to be given to German prisoners of war in the U.S. and Canada. If POWs tried to write a hidden message the special paper would render it visible. At least two U.S. patents were granted related to this technology, one to Mr. Kantrowitz, No. 2,515,232, "Water-Detecting Paper and Water-Detecting Coating Composition Therefor", patented July 18, 1950, and an earlier one, "Moisture-Sensitive Paper and the Manufacture Thereof," No. 2,445,586, patented July 20, 1948. A similar strategy is to issue prisoners with writing paper ruled with a water-soluble ink that 'runs' when in contact with a water-based invisible ink.

In computing, detection of steganographically encoded packages is called steganalysis. The simplest method to detect modified files, however, is to compare them to known originals. For example, to detect information being moved through the graphics on a website an analyst can maintain known-clean copies of these materials and compare them against the current contents of the site. The differences, assuming the carrier is the same, will compose the payload. In general, using an extremely high compression rate makes steganography difficult, but not impossible. While compression error provides a hiding place for data, high compression reduces the amount of data available to hide the payload in, raising the encoding density and facilitating easier detection (in the extreme case, even by casual observation).

One form of this analysis is to examine the color palette of a graphical image. In most images, there will be a unique binary encoding of each individual color. If the image contains hidden data, however, many colors in the palette will have duplicate binary encodings since, for all practical purposes, we can't count the LSB. If the analysis of the color palette of a given file yields many duplicates, we might safely conclude that the file has hidden information. But what files would you analyze? Suppose I decide to post a hidden message by hiding it in an image file that I post at an auction site on the Internet. The item I am auctioning is real so a lot of people may access the site and download the file; only a few people know that the image has special information that only they can read. And we haven't even discussed hidden data inside audio files! Indeed, the quantity of potential cover files makes steganalysis a Herculean task.

Applications

Usage in modern printers: Steganography is used by some modern printers, including HP and Xerox brand color laser printers. Tiny yellow dots are added to each page. The dots are barely visible and contain encoded printer serial numbers, as well as date and time stamps.

Alleged usage by terrorists: When one considers that messages could be encrypted steganographically in e-mail messages, particularly e-mail spam, the notion of junk e-mail takes on a whole new light. Coupled with the "chaffing and winnowing" technique, a sender could get messages out and cover their tracks all at once.
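The LSB insertion walked through under Steganographic Methods and the palette-duplicate check described under Steganalysis, as one added Python example that is not from the original article. It embeds the nine sample bits into the nine sample cover bytes, extracts them again, counts how many bytes changed, and applies the duplicate-colour heuristic to a constructed palette; the palette values are made up for illustration.

```python
# Constructed sample: the nine cover bytes (three RGB pixels) and the 9 payload bits
# from the worked example in the text.
COVER = bytes([0b10010101, 0b00001101, 0b11001001,
               0b10010110, 0b00001111, 0b11001010,
               0b10011111, 0b00010000, 0b11001011])
PAYLOAD_BITS = "101101101"


def embed_lsb(cover: bytes, bits: str) -> bytes:
    """Overwrite the least significant bit of each cover byte with one payload bit.
    Cover bytes beyond the payload length are left untouched."""
    if len(bits) > len(cover):
        raise ValueError("payload of %d bits does not fit in %d cover bytes"
                         % (len(bits), len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | int(bit)
    return bytes(stego)


def extract_lsb(stego: bytes, nbits: int) -> str:
    """Read the payload back; the recipient only needs to know how many bits were hidden."""
    return "".join(str(b & 1) for b in stego[:nbits])


def changed_bytes(cover: bytes, stego: bytes) -> int:
    """Cost of embedding: how many cover bytes actually changed (about half, on average,
    because half of the cover LSBs already match the payload bits)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


def lsb_duplicate_colours(palette) -> int:
    """Steganalysis heuristic from the text: after LSB embedding, a palette tends to
    contain colours that differ only in their LSBs. Returns how many palette entries
    collide with another entry once the LSB of each channel is ignored."""
    stripped = {(r >> 1, g >> 1, b >> 1) for r, g, b in palette}
    return len(palette) - len(stripped)


def demo():
    stego = embed_lsb(COVER, PAYLOAD_BITS)
    return stego, extract_lsb(stego, len(PAYLOAD_BITS)), changed_bytes(COVER, stego)


if __name__ == "__main__":
    stego, recovered, cost = demo()
    print(" ".join(format(b, "08b") for b in stego))   # matches the second table in the text
    print(recovered, cost)                              # 101101101 4
```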

Review Questions:

1. Solve using one time pad. Given: plaintext: SECRETMESSAGE; one time pad: CIJTHUUHMLFRU. Ans: ciphertext: UMLKLNGLEDFXY

2. Solve using Polyalphabetic Cipher. Key: MEC; Plaintext: WE NEED MORE SUPPLIES FAST. Ans: Ciphertext: IIOQIFYSTQWWBTNUIUREUF

3. Solve using PlayFair Cipher. Key: CHARLES; Plaintext: Meet me at bridge tonight

4. Describe in brief the following security services: Confidentiality, Non-Repudiation, Access Control. Ans: Article Security Services

5. Differentiate between the following terms:
Authentication and Authorization. Ans: Authentication refers to proving the identity of the network user and proving that the user is the one he/she is pretending to be. Authorization is completely different; it empowers the user to use the network resource he/she requires and sets the limit to which the user is allowed to access the resources.
Known plaintext attack and chosen plaintext attack. Ans: Article Cryptanalysis
Cryptography and Steganography. Ans: Cryptography refers to the act of changing the plaintext message into a form that is not easily understood by any unauthorized user. Here, the unauthorized user knows that the message is being sent but does not know the message contents, as these are in unreadable form. Cryptography thus changes the format of the message contents. On the other hand, Steganography does not change the format of the message contents but conceals or hides the existence of the message contents. Thus, the unauthorized user does not know whether the message is sent or not.

6. Briefly describe the Hill Cipher. If a chosen plaintext attack can be mounted, it is easier to solve the Hill Cipher. Describe such an attack. Ans: Article Hill Cipher in Substitution Cipher and Cryptanalysis

7. A Hill cipher uses the following key to encipher the message:
K = 3 2
    5 7
Obtain the decryption key to be used to decipher the ciphertext. Ans: The decryption key is obtained by finding the inverse of the key K which is given to us.

UPTU Questions:

1. What is a Transposition Cipher? Illustrate with an example. What is Steganography? Ans: Article Transposition Cipher and Steganography

2. Explain the term One Time Pad. Ans: Article One Time Pad in Substitution Cipher

3. What do you understand by network Security Attacks? Describe active and passive security attacks. Ans: Article Security Attacks

4. What can be the various applications of one time pad ciphers?

5. Differentiate between Symmetric and Asymmetric cryptographic models.

6. What is the difference between Data Confidentiality and Data Integrity?

7. What are the various types of cryptanalysis attacks? Explain.

8. What are the differences between substitution Ciphers and Transposition ciphers?

9. What are the practical implementations of Steganography in the real world Cryptography and Network Security?

10. What are the various vulnerabilities found in network security?
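A worked computation for review question 7, added here as Python and not part of the original answer key: the decryption key is the inverse of K modulo 26, which exists only when det K is coprime to 26 (here det K = 11, so the inverse exists). The column-vector convention and the sample text "HELP" are assumptions made for the round-trip check, since the page gives neither the message nor its convention.

```python
from math import gcd

# Key matrix from review question 7 (rows of the 2x2 key).
K = [[3, 2],
     [5, 7]]
MOD = 26


def hill_inverse_2x2(k, m=MOD):
    """Decryption key: the inverse of k modulo m. A 2x2 matrix is invertible mod m
    only when gcd(det, m) == 1; otherwise the cipher key is unusable and we refuse it."""
    (a, b), (c, d) = k
    det = (a * d - b * c) % m
    if gcd(det, m) != 1:
        raise ValueError("key matrix is not invertible mod %d (det = %d)" % (m, det))
    det_inv = pow(det, -1, m)          # modular inverse of the determinant (Python 3.8+)
    # inverse = det^-1 * adjugate, every entry reduced mod m
    return [[(d * det_inv) % m, (-b * det_inv) % m],
            [(-c * det_inv) % m, (a * det_inv) % m]]


def matmul_mod(x, y, m=MOD):
    """2x2 matrix product reduced mod m; used to check K * K^-1 == I."""
    return [[sum(x[i][t] * y[t][j] for t in range(2)) % m for j in range(2)]
            for i in range(2)]


def hill_apply(text, k, m=MOD):
    """Apply a 2x2 Hill key to letter pairs, treating each pair as a column vector
    (assumed convention; A=0 ... Z=25)."""
    nums = [ord(ch) - 65 for ch in text.upper()]
    if len(nums) % 2:
        raise ValueError("text length must be even for a 2x2 key")
    out = []
    for i in range(0, len(nums), 2):
        p0, p1 = nums[i], nums[i + 1]
        out.append((k[0][0] * p0 + k[0][1] * p1) % m)
        out.append((k[1][0] * p0 + k[1][1] * p1) % m)
    return "".join(chr(65 + n) for n in out)


def hill_encrypt(text, k=K):
    return hill_apply(text, k)


def hill_decrypt(text, k=K):
    return hill_apply(text, hill_inverse_2x2(k))


if __name__ == "__main__":
    print(hill_inverse_2x2(K))                                        # [[3, 14], [9, 5]]
    print(hill_encrypt("HELP"), hill_decrypt(hill_encrypt("HELP")))   # DLLE HELP
```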
