RMIT Classification: Trusted

Security in Computing & Information Technology

(COSC2536)

Lectorial 1: Basic Cryptographic Techniques

 RMIT Classification: Trusted

Lecture Overview
•During this session, we will discuss:
Introduction to the course
Part -I: Symmetric Key Cryptography
– Concepts of Symmetric Key Cryptography
– One-Time Pad, Stream Cipher, Block Cipher
Part –II: Cryptographic Hash Functions
–Basics of Hash Functions
–How Hash works, properties of Hash
–Applications of Hashes

2
 RMIT Classification: Trusted

Staff
•Course Coordinator and lecturer:
–Shekhar Kalra (SK)
–[email protected]
–Consultation: set up a time via email

•For a detailed list of other staff members

teaching in this course, please look at
–Course Canvas – Modules- Welcome - Teaching
Team page

3
 RMIT Classification: Trusted

Course has been rejuvenated

•Various new topics have been introduced to
make the course relevant to contemporary
industry relevant
–Focus on programming of cryptography using Python
–Discussion on AI cybersecurity
–Discussion on use of Machine Learning (ML) for
detecting and preventing fraud
–Discussion on emerging technologies and careers in
cybersecurity
–Reduction of abstract Math from the course material

4
 RMIT Classification: Trusted

General tone of the course

•Mix of concepts and practice
•Not an entirely theoretical course
•You will need to program in Python
•To do well in assessments, attend both the
lectorial and practical sessions
•Making assumptions and not checking with staff
may lead to an unsatisfactory outcome
•Easy to get a CREDIT as overall grade but
–hard to get a DISCTINCTION and
–harder to get a HIGH DISCTINCTION
5
 RMIT Classification: Trusted

Important advice about assessments

6
 RMIT Classification: Trusted

Group work blues

•Maintain communication logs
•Maintain meeting details
•Create a task allocation list
•Come to me when the problem starts
•Do not complain about your group partner near
or after deadline
•I will need proof to intervene and moderate the
discussion between you the group members

7
 RMIT Classification: Trusted

Do I need my own laptop?

•Yes
•You will need to install Python and Visual Studio
Code
•And other tools, libraries as we advise you
•DO NOT MAKE ASSUMPTIONS ABOUT THE USE
OF TOOLS, LANGUAGES and FRAMNEWORKS
•Use the officially advised tools and software(s).

8
 RMIT Classification: Trusted

Is there a prescribed textbook?

•We will follow
–Security in Computing, Charles Pleeger et al.
–Prentice Hall
–both 5th or 6th edition(s) are fine

9
 RMIT Classification: Trusted

Can I use ChatGPT?

• Yes
• You need to learn how to use generative AI to work
and exist in the contemporary industry
• But use of ChatGPT is NOT THE SAME AS cheating
and using it to do your work
• You need to learn its effective, ethical and efficient
use
• It is a skill
• ChatGPT is NOT a search engine
• If you ask silly questions, it will churn out silly
answers
10
 RMIT Classification: Trusted

Segment 1: Symmetric Key

Cryptography

11
 RMIT Classification: Trusted

How to Speak Crypto

 A cipher or cryptosystem is used to encrypt the plaintext
 The result of encryption is ciphertext
 We decrypt ciphertext to recover plaintext
 A key is used to configure a cryptosystem
 A symmetric key cryptosystem uses the same key to encrypt as to
decrypt
 A public key cryptosystem uses a public key to encrypt and a
private key to decrypt (we will learn these in lectures 3 and 4)
key key

plaintext
plaintext encrypt decrypt
ciphertext

A generic view of symmetric key crypto

12
 RMIT Classification: Trusted
What is XOR and how XOR works

We denote the XOR of bit A with bit B as A B. You can

notice that only 0 1 or 1 0 produces output 1

13
 RMIT Classification: Trusted

One-Time Pad: Encryption

The one-time pad requires a key consisting of a randomly selected
string of bits that is the same length as the message. The key is then
XORed with the key to yield the plaintext

e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

Encryption: Plaintext Key = Ciphertext

P K=C Or, in some texts

h e i l h i t l e r
Plaintext: 001 000 010 100 001 010 111 100 000 101
Key: 111 101 110 101 111 100 000 101 110 000

Ciphertext: 110 101 100 001 110 110 111 001 110 101

s r l h s s t h s r
14
 RMIT Classification: Trusted

One-Time Pad: Decryption

The ciphertext is XORed with the key to yield the plaintext

e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

Decryption: Ciphertext Key = Plaintext

C K=P Or, in some texts

s r l h s s t h s r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Key: 111 101 110 101 111 100 000 101 110 000
Plaintext:
001 000 010 100 001 010 111 100 000 101

h e i l h i t l e r
15
 RMIT Classification: Trusted

One-Time Pad: The Whole Process

key key

P K=C C K=P

plaintext encrypt decrypt plaintext

ciphertext s r l h s s t h s r
h e i l h i t l e r
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Plaintext:
001 000 010 100 001 010 111 100 000 101
Key: 111 101 110 101 111 100 000 101 110 000
Key: 111 101 110 101 111 100 000 101 110 000
Plaintext:
Ciphertext: 110 101 100 001 110 110 111 001 110 101 001 000 010 100 001 010 111 100 000 101

s r l h s s t h s r h e i l h i t l e r

• One-time pad as an example symmetric key crypto

• Key is as large as plaintext
• In fact, size of plaintext= size of key= size of ciphertext

16
 RMIT Classification: Trusted

One-Time Pad: Issues

• The problem with the one-time pad is that, in order to create

such a cipher, its key should be as long or even longer than the
plaintext. In other words, if you have 500 MegaByte video file
that you would like to encrypt, you would need a key that's at
least 4 Gigabits long.

• Clearly, while Top Secret information or matters of national

security may warrant the use of a one-time pad, such a cipher
would just be too impractical for day-to-day public use.

Reference: http://www.jscape.com/blog/stream-cipher-vs-block-cipher

17
 RMIT Classification: Trusted

One-Time Pad: Issues with Plaintext attack

18
 RMIT Classification: Trusted

One-Time Pad Summary

• Provably secure
–Ciphertext gives no useful info about plaintext
–All plaintexts are equally likely
• The One-Time Pad, which is supposed to employ a
purely random key, can potentially achieve "perfect
secrecy". That is, it's supposed to be fully immune to
brute force attacks.
• BUT, only when be used correctly
–Pad must be random, used only once
–Pad is known only to sender and receiver
• Note: pad (key) is same size as message

19
 RMIT Classification: Trusted

Stream Ciphers

 A stream cipher is an encryption algorithm that encrypts 1 bit of plaintext at a

time.
 Stream ciphers are designed to approximate an idealized cipher -One-Time Pad.
• Except that key is relatively short
• Key is stretched into a long keystream
• keystream is used just like a one-time pad

Reference: http://www.jscape.com/blog/stream-cipher-vs-block-cipher

20
 RMIT Classification: Trusted

Stream Ciphers

 It uses an infinite stream of pseudorandom bits as the key.

 For a stream cipher implementation to remain secure, its pseudorandom
generator should be unpredictable and the key should never be reused.
 The key of a stream cipher is no longer as long as the original message. Hence, it
can no longer guarantee "perfect secrecy". However, it can still achieve a strong
level of security.

http://www.jscape.com/blog/stream-cipher-vs-block-cipher

21
 RMIT Classification: Trusted

Usage and Examples of Stream Ciphers

• Stream ciphers are often used for their speed and simplicity
implementation in hardware, and in applications where
plaintext comes in quantities of unknowable length like a
secure wireless connection (e.g. older technology GSM mobile
phones)

• advantage of stream ciphers in military cryptography is that

the cipher stream can be generated in a separate box that is
subject to strict security measures and fed to other devices
such as a radio set, which will perform the XOR operation as
part of their function. The latter device can then be designed
and used in less stringent environments.

• Examples: A5/1, A5/2, RC4 etc.

Reference: https://en.wikipedia.org/wiki/Stream_cipher

22
 RMIT Classification: Trusted

Segment 2: Cryptographic Hash

Functions

23
 RMIT Classification: Trusted

What is Cryptographic Hash

• A "hash" (also called a "digest", and
informally a "checksum") is a kind of
"signature" for a stream of data that
represents the contents.
• The closest real-life analog we can think
is "a tamper-evident seal on a software
package": if you open the box (change
the file), it's detected.
• MD5 was the most well known hash
function.
• But MD5 is now outdated!!
• The SHA-2 family with hash values of
224, 256, 384 or 512 bits: SHA-224,
SHA-256, SHA-384, SHA-512, SHA-
512/224, SHA-512/256

24
 RMIT Classification: Trusted

What is Cryptographic Hash

• Application of popular "MD5" method to streams of
data yields a fixed, 128-bit number that summarizes
that stream
• all input streams yield hashes of the same length.
$ cat smallfile
This is a very small file with a few characters

$ cat bigfile
This is a larger file that contains more characters.
This demonstrates that no matter how big the input
stream is, the generated hash is the same size (but
of course, not the same value). If two files have
a different hash, they surely contain different data.

$ ls ­l empty­file smallfile bigfile linux­kernel

­rw­rw­r­­ 1 steve steve 0 2004­08­20 08:58 empty­file
­rw­rw­r­­ 1 steve steve 48 2004­08­20 08:48 smallfile
­rw­rw­r­­ 1 steve steve 260 2004­08­20 08:48 bigfile
­rw­r­­r­­ 1 root root 1122363 2003­02­27 07:12 linux­kernel

$ md5sum empty­file smallfile bigfile linux­kernel

d41d8cd98f00b204e9800998ecf8427e empty­file
75cdbfeb70a06d42210938da88c42991 smallfile
6e0b7a1676ec0279139b3f39bd65e41a bigfile
c74c812e4d2839fa9acf0aa0c915e022 linux­kernel

25
 RMIT Classification: Trusted

What is Cryptographic Hash

• If we try changing just one character of a small test file, you'll
find that even very small changes to the input yields sweeping
changes in the value of the hash, and this is known as
the avalanche effect.
• The avalanche effect can be best seen by hashing two files with
nearly identical content. We've changed the first character of a
file from T to t, and when looking at the binary values for these
ASCII characters, we see that they differ by just one bit

$ cat file1
This is a very small file with a few characters

$ cat file2
this is a very small file with a few characters

$ md5sum file?
75cdbfeb70a06d42210938da88c42991 file1
6fbe37f1eea0f802bd792ea885cd03e2 file2

26
 RMIT Classification: Trusted
Encryption Vs Hash (IMPORTANT)
Encryption transforms
data from a cleartext to
ciphertext and
back (given the right
keys), and the two texts
should roughly
correspond to each other
in size: big cleartext
yields big ciphertext, and
so on. "Encryption" is
a two-way operation.

This is a common
confusion, especially
because all these words
are in the category of
"cryptography", but it's
important to understand
the difference.

27
 RMIT Classification: Trusted
Encryption Vs Hash (IMPORTANT)

• Hashes compile a
stream of data
into a small
digest, and it's
strictly a one way
operation.
• All hashes of the
same type - this
example shows
the "MD5" variety
- have the same
size no matter
how big the
inputs are.

28
 RMIT Classification: Trusted
Hash Collision
When different chunks of data produce the same hash value, this
is known as a collision.

Hypothetical example of Hash Collision

29
 RMIT Classification: Trusted
Hash Collision: Applications Fail

• Many applications depend on the correctness of hashing.

They would fail.
• If we are able to create two inputs that generate the same
hash, digital signature become suspect. In our example below,
the document signed was "a promise to pay", and being able
to substitute one signed document for another would
certainly lead to havoc

30
 RMIT Classification: Trusted

Properties of Crypto Hash Function

• Crypto hash function h(x) must provide

–Compression  output length is small
–Efficiency  h(x) easy to compute for any x
–One-way  given a value y it is infeasible to find an x such that
h(x) = y. In other words, it is infeasible to generate a message
from its hash value
–Weak collision resistance  given x and h(x), infeasible to find y
 x such that h(y) = h(x)
–Strong collision resistance  infeasible to find any x and y, with
x  y such that h(x) = h(y). In other words, it is infeasible to find
two different messages with the same hash value

• Lots of collisions exist, but hard to find any

31
 RMIT Classification: Trusted
Applications of Hash

• Authentication (HMAC)

• Message integrity (HMAC)

• Message fingerprint

• Data corruption detection

• Digital signature efficiency

• Anything you can do with symmetric crypto

• Also, many, many clever/surprising uses…

32
 RMIT Classification: Trusted
Applications of Hashes: Data integrity

33
 RMIT Classification: Trusted
Applications of Hashes: Passwords

34
 RMIT Classification: Trusted

Testing a proposed password against the stored hash

35
 RMIT Classification: Trusted
Applications of Hashes: Digitally Signing Documents

36
 RMIT Classification: Trusted

Conclusions
• One big issue with using symmetric algorithms is the key
exchange problem, which can present a classic catch-22.
• The other main issue is the problem of trust between two
parties that share a secret symmetric key. Ensuring the
integrity of received data and verifying the identity of the
source of that data can be very important.
• The key exchange problem arises from the fact that
communicating parties must somehow share a secret key
before any secure communication can be initiated, and
both parties must then ensure that the key remains secret.
Of course, direct key exchange is not always feasible due
to risk, inconvenience, and cost factors.
• Fortunately, asymmetric algorithms can be used to solve
these problems by performing the same basic operations
which we will learn in the forthcoming lectorial(s).

Reference: http://www.informit.com/articles/article.aspx?p=102212

37
 RMIT Classification: Trusted
Popular choices of hashing algorithms in
2024

• Python (hashlib module, SHA family)

• Node and other JS frameworks

–Argon2

–scrypt
–bcrypt

38