Posts Tagged ‘Cryptography’

Understanding cryptography video

May 3rd, 2009

Cryptography is not easy to understand, yet it is being adopted in many fields. This video gives you some idea of what cryptography is. Watch it to learn more.

Cryptography lessons, Video

What is cryptogram

January 29th, 2008

A cryptogram is a block of text which has been rendered unreadable through the use of what is called a “substitution cypher”. This means that each letter used in the original text has been substituted with another (G becomes A, F becomes P, etc.). Letter/word positions, spaces and punctuation remain unchanged.

Cryptograms have been used as a means of protecting sensitive information for thousands of years, though today computers and more advanced cryptographical methods have made simple substitution cyphers much less practical. Still, they live on in newspapers and puzzle books as a popular form of brain exercise.

Why another cryptogram website?

There are a lot of other websites out there which offer cryptograms, but I wanted to offer a new type of online cryptogram software which could be played exactly as you would play it on paper. Cryptograms.org requires no special keypunches, pull-down menus, or dragging-and-dropping. You can play these puzzles just as you would with pencil and paper – enter a letter anywhere in the puzzle, and the software will automatically copy it for you across all companion positions.

How do I solve a cryptogram?

Cryptograms are solved primarily by two methods. First, pattern recognition. The easiest to recognize are single-letter words, which generally can only be A or I (or, rarely, O). Then there are a limited number of two-letter words such as IN, IS, IT, TO, AN, AT, AS, WE, HE, US, etc. One trick in particular is to look for the common TH- words, i.e. THE, THAT, THEN, THEY, THERE, THEIR.

Secondly, the successful cryptogrammer will use letter frequency to help suss out a difficult puzzle. The twelve most frequently used letters in the English language are ETAOIN SHRDL, in that order. The least common letters are JXQZ. If you notice a certain letter being used again and again in any given cryptogram, at a frequency much higher than any other letter, it's a good bet that its unencrypted form will be one of the ETAOIN group.
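The two solving methods above (pattern recognition and letter frequency) can be tried out in a few lines of Python. This is an added example, not code from cryptograms.org; the key alphabet and the sample sentence are constructed for the demonstration, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample data (not from the post): a keyed alphabet mapping plain
# A..Z to cipher letters, and a made-up sentence to encrypt with it.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SAMPLE_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
SAMPLE_PLAINTEXT = ("THE THIEF HID THE LETTER IN A TREE NEAR THE THEATER "
                    "AND THEN HE LEFT")


def encrypt(plaintext, key=SAMPLE_KEY):
    """Substitute letters only; spaces and punctuation stay where they are."""
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def words(ciphertext):
    # Keep apostrophes inside a word so "IT'S" is not split into "IT" and "S",
    # which would create a false single-letter word.
    return re.findall(r"[A-Z]+(?:'[A-Z]+)*", ciphertext.upper())


def letter_ranking(ciphertext):
    """Cipher letters ordered from most to least frequent."""
    counts = Counter(ch for ch in ciphertext.upper() if ch in ALPHABET)
    return [letter for letter, _ in counts.most_common()]


def single_letter_words(ciphertext):
    """Pattern recognition: each of these most likely stands for A or I."""
    return {w for w in words(ciphertext) if len(w) == 1}


def guess_the(ciphertext):
    """Map the most common three-letter word (all letters distinct) to THE."""
    three = Counter(w for w in words(ciphertext)
                    if len(w) == 3 and len(set(w)) == 3)
    if not three:
        return {}
    candidate, _ = three.most_common(1)[0]
    return dict(zip(candidate, "THE"))


def apply_partial(ciphertext, mapping):
    """Show solved letters, '_' for unsolved ones, everything else as is."""
    return "".join(mapping.get(ch, "_") if ch in ALPHABET else ch
                   for ch in ciphertext.upper())


if __name__ == "__main__":
    puzzle = encrypt(SAMPLE_PLAINTEXT)
    print("puzzle:         ", puzzle)
    print("most frequent:  ", letter_ranking(puzzle)[:3], "(try E, T, A, O, I, N)")
    print("one-letter words:", single_letter_words(puzzle), "(A or I)")
    print("after THE guess:", apply_partial(puzzle, guess_the(puzzle)))
```

The THE guess and the frequency ranking confirm each other here: the two most frequent cipher letters turn out to be the ones already mapped to E and T.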

More at http://www.cryptograms.org/

Cryptography

Onetime pads in cryptography

January 29th, 2008

In cryptography, a one-time pad is a system in which a private key generated randomly is used only once to encrypt a message that is then decrypted by the receiver using a matching one-time pad and key. Messages encrypted with keys based on randomness have the advantage that there is theoretically no way to “break the code” by analyzing a succession of messages. Each encryption is unique and bears no relation to the next encryption, so no pattern can be detected. With a one-time pad, however, the decrypting party must have access to the same key used to encrypt the message, and this raises the problem of how to get the key to the decrypting party safely or how to keep both keys secure. One-time pads have sometimes been used when both parties started out at the same physical location and then separated, each with knowledge of the keys in the one-time pad. The key used in a one-time pad is called a secret key because if it is revealed, the messages encrypted with it can easily be deciphered. One-time pads figured prominently in secret message transmission and espionage before and during World War II and in the Cold War era. On the Internet, the difficulty of securely controlling secret keys led to the invention of public key cryptography.

One-time pads don’t make sense for mass-market encryption products. They may work in pencil-and-paper spy scenarios, they may work on the U.S.-Russia teletype hotline, but they don’t work for you. Most companies that claim they have a one-time pad actually do not. They have something they think is a one-time pad. A true one-time pad is provably secure (against certain attacks), but is also unusable.

Elementrix, now defunct, announced a one-time pad product a few years ago, and refused to recant when it was shown that it was no such thing. More recently, TriStrata (http://www.tristrata.com) jumped on the world’s cryptography stage by announcing that they had a one-time pad. Since then, they’ve been thoroughly trounced by anyone with a grain of cryptographic sense and have deleted the phrase from their Web site. At least they’ve exhibited learning behavior.

“The one time pad is a private key method of encryption, and requires the safe and secure distribution of the pad material, which serves as the key in our solution. The security of the key distribution comes down to how secure you want to be — for communicating point-to-point with one other person, we suggest a face-to-face hand-off of the pad material.” Remember that you need to hand off the same volume of bits as the message you want to send, otherwise you don’t have a one-time pad anymore.

Cryptography

What is snake oil

January 29th, 2008

Snake oil refers to a cryptography or security product that makes exaggerated claims about what it is capable of, giving the user a false sense of security. The term snake oil, whose use in reference to computer security products is credited to Matt Curtin, comes from the 19th-century American practice of selling cure-all elixirs in traveling medicine shows. Snake oil salesmen would falsely claim that the potions would cure any ailment. The term has been appropriated to mean security and encryption products that make impossible claims, such as unbreakable codes.

The problem with bad security is that it looks just like good security. You can’t tell the difference by looking at the finished product. Both make the same security claims; both have the same functionality. Both might even use the same algorithms: triple-DES, 1024-bit RSA, etc. Both might use the same protocols, implement the same standards, and have been endorsed by the same industry groups. Yet one is secure and the other is insecure.

Many cryptographers have likened this situation to the pharmaceutical industry before regulation. The parallels are many: vendors can make any claims they want, consumers don’t have the expertise to judge the accuracy of those claims, and there’s no real liability on the part of the vendors (read the license you agree to when you buy a software security product).

This is not to say that there are no good cryptography products on the market. There are. There are vendors that try to create good products and to be honest in their advertising. And there are vendors that believe they have good products when they don’t, but they’re just not skilled enough to tell the difference. And there are vendors that are just out to make a quick buck, and honestly don’t care if their product is good or not.

Most products seem to fall into the middle category: well-meaning but insecure. I’ve talked about the reason in previous CRYPTO-GRAM essays, but I’ll summarize: anyone can create a cryptography product that he himself cannot break. This means that a well-meaning person comes up with a new idea, or at least an idea that he has never heard of, cannot break it, and believes that he just discovered the magic elixir to cure all security problems. And even if there’s no magic elixir, the difficulty of creating secure products combined with the ease of making mistakes makes bad cryptography the rule.

Cryptography

Glossary for cryptography

January 29th, 2008
algorithm
A procedure or mathematical formula. Cryptographic algorithms convert plaintext to and from ciphertext.
cipher
Synonym for “cryptographic algorithm”
cryptanalysis
To solve or “break” a cryptosystem.
EAR
Export Administration Regulations. The rules that now govern the export of cryptographic software from the US.
escrow
A third party able to decrypt messages sent from one person to another. Although this term is often used in connection with the US Government’s “Clipper” proposals, it isn’t limited to government-mandated ability to access encrypted information at will. Some corporations might wish to have their employees use cryptosystems with escrow features when conducting the company’s business, so the information can be retrieved should the employee be unable to unlock it himself later (if he were to forget his passphrase, suddenly quit, get run over by a bus, etc.). Or, someone might wish his spouse or lawyer to be able to recover encrypted data, etc., in which case he could use a cryptosystem with an escrow feature.
initialization vector
One of the problems with encrypting such things as files in specific formats (e.g., that of a word processor, email, etc.) is that there is a high degree of predictability about the first bytes of the message. This could be used to break the encrypted message more easily than by brute force. In ciphers where one block of data is used to influence the ciphertext of the next (such as CBC), a random block of data is encrypted and used as the first block of the encrypted message, resulting in a less predictable ciphertext message. This random block is known as the initialization vector. The decryption process also performs the function of removing the first block, resulting in the original plaintext.
ITAR
International Traffic in Arms Regulations. These are the rules by which munitions, as defined by the US State Department, may (or may not) be exported from the US. Until recently, this also included the export of cryptography. The exportability of cryptography is now in the hands of the Bureau of Export Administration, under the US Department of Commerce.
key
A piece of data that, when fed to an algorithm along with ciphertext, will yield plaintext. (Or, when fed to an algorithm along with plaintext, will yield ciphertext.)
random session key
This is a temporary key that is generated specifically for one message. Typically, in public key cryptosystems, the message to be sent is encrypted with a symmetric key that was specifically generated for that message. The encrypted version of that message, as well as the associated session key can then be encrypted with the recipient’s public key. When the recipient decrypts the message, then, the system will actually decrypt the message it gets (which is the ciphertext message and the symmetric key to decrypt it), and then use the symmetric key to decrypt the ciphertext. The result is the plaintext message. This is often done because of the tremendous difference in the speed of symmetric vs. asymmetric ciphers.

Cryptography

Good cryptography is an excellent and necessary tool

January 29th, 2008

Good cryptography is an excellent and necessary tool for almost anyone. Many
good cryptographic products are available commercially, as shareware, or
free. However, there are also extremely bad cryptographic products which not
only fail to provide security, but also contribute to the many
misconceptions and misunderstandings surrounding cryptography and security.

Why “snake oil”? The term is used in many fields to denote something sold
without consideration of its quality or its ability to fulfill its vendor’s
claims. This term originally applied to elixirs sold in traveling medicine
shows. The salesmen would claim their elixir would cure just about any
ailment that a potential customer could have. Listening to the claims made
by some crypto vendors, “snake oil” is a surprisingly apt name.

Superficially, it is difficult to distinguish snake oil from the Real Thing:
all encryption utilities produce garbled output. The purpose of this
document is to present some simple “red flags” that can help you detect
snake oil.

Other factors that can influence the relative security of a product are
related to its environment. For example, in software-based encryption
packages, is there any plaintext that’s written to disk (perhaps in
temporary files)? What about operating systems that have the ability to swap
processes out of memory on to disk? When something to be encrypted has its
plaintext counterpart deleted, is the extent of its deletion a standard
removal of its name from the directory contents, or has it been written
over? If it’s been written over, how well has it been written over? Is that
level of security an issue for you? Are you storing cryptographic keys on a
multi-user machine? The likelihood of having your keys illicitly accessed is
much higher, if so. It’s important to consider such things when trying to
decide how secure something you implement is (or isn’t) going to be.

Cryptography

Encryption

January 29th, 2008

The process of converting data into a coded form (ciphertext) to prevent it from being read and understood by an unauthorized party. 

Encryption refers to algorithmic schemes that encode plain text into non-readable form or cyphertext, providing privacy. The receiver of the encrypted text uses a “key” to decrypt the message, returning it to its original plain text form. The key is the trigger mechanism to the algorithm.

Until the advent of the Internet, encryption was rarely used by the public, but was largely a military tool. Today, with online marketing, banking, healthcare and other services, even the average householder is aware of encryption.

Web browsers will encrypt text automatically when connected to a secure server, evidenced by an address beginning with https. The server decrypts the text upon its arrival, but as the information travels between computers, interception of the transmission will not be fruitful to anyone “listening in.” They would only see unreadable gibberish.

There are many types of encryption and not all of it is reliable. The same computer power that yields strong encryption can be used to break weak encryption schemes. Initially, 64-bit encryption was thought to be quite strong, but today 128-bit encryption is the standard, and this will undoubtedly change again in the future.

The original design of electronic mail did not make any allowances for security. As email has evolved into a mass medium, users have begun to use two solutions to existing serious problems with email security.

  • Authentication: Email services rely on the person sending an email to provide his/her own identity — i.e., they only pass along the email address that a message claims to be “from.” It is extremely easy for anyone to change this address and send messages that claim to be “from” someone they are not. Most current users of email have experienced the frustration with large amounts of spam originating from forged return addresses — or even discovered that their own addresses have been forged as a source of spam. This same vulnerability has allowed virus authors to pass viruses through email for many years, by making an infected attachment appear to come from a trusted source. Modern encryption techniques allow an email to be digitally “signed” by a sender. The recipient of such a message can check a signature to determine that an email message actually came from the person claiming to be the sender.
  • Secure Transmission: Email systems, by default, send messages in plain text. As a consequence, any person using a software package called a “packet sniffer” to “eavesdrop” on a network can easily read email messages being delivered over that network. To put it another way, when you send an email message, you should think of it as a postcard readable by anyone handling email — not as a letter inside an envelope. This clearly presents problems for anyone wishing to exchange sensitive information via email. Encrypting email messages offers a solution.

Simple Encryption with XOR: Depending on the encryption algorithm, we may also need a separate decryption key. Public-key encryption has two keys; this is asymmetrical encryption. A simple XOR, though, can use the same password for both encryption and decryption, as the XOR operator has the property that when

C = A XOR B

then

B = A XOR C

and

A = B XOR C.

Any algorithm can be used that takes the original text and processes it using the encryption key so long as there is a corresponding decryption key. For the strongest encryption, one of the well-tested algorithms such as AES (Advanced Encryption Standard) should be used.
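The XOR property above, and the one-time pad requirements from the earlier post (a pad as long as the message, used once), shown side by side in Python. This is an added example, not code from the original posts; it goes slightly beyond the text by showing what goes wrong when a short password repeats or a pad is reused. All function names and sample messages are constructed for the illustration.

```python
import secrets
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """C = A XOR B for two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def password_xor(data: bytes, password: bytes) -> bytes:
    """The 'simple XOR' scheme: the password repeats to cover the data.
    The same call encrypts and decrypts."""
    if not password:
        raise ValueError("empty password")
    return bytes(d ^ k for d, k in zip(data, cycle(password)))


def otp_encrypt(message: bytes, pad: bytes):
    """One-time pad: consume as many pad bytes as there are message bytes.
    Returns (ciphertext, unused pad); the used part must never be used again."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message: not a one-time pad")
    used, remaining = pad[:len(message)], pad[len(message):]
    return xor_bytes(message, used), remaining


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes) -> bytes:
    """Because B = A XOR C, anyone who knows plaintext A for some ciphertext C
    learns the key bytes B used at those positions."""
    n = min(len(ciphertext), len(known))
    return xor_bytes(ciphertext[:n], known[:n])


if __name__ == "__main__":
    # Constructed sample message with a predictable header.
    msg = b"From: alice@example.org\nSubject: budget"
    ct = password_xor(msg, b"hunter2")
    assert password_xor(ct, b"hunter2") == msg
    # A guessed header is enough to expose the repeating password.
    print("recovered key bytes:", keystream_from_known_plaintext(ct, b"From: a"))

    # Reusing a pad cancels it out: c1 XOR c2 equals p1 XOR p2.
    pad = secrets.token_bytes(32)
    p1, p2 = b"MEET AT NOON", b"SEND MONEY!!"
    c1, _ = otp_encrypt(p1, pad)
    c2, _ = otp_encrypt(p2, pad)   # wrong: same pad bytes used twice
    print("pad cancelled out:", xor_bytes(c1, c2) == xor_bytes(p1, p2))
```

The repeating-password scheme fails exactly where the glossary entry on initialization vectors says formats are weak: predictable first bytes. That is the practical reason to use a well-tested algorithm such as AES instead.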

Cryptography, E, Encryption, Glossary of computer security

Cipher

January 14th, 2008

A cipher is a way to make a word or message secret by changing or rearranging the letters in the message. (A code affects the word, not the individual letters.)

One type of cipher, called a TRANSPOSITION CIPHER, is created by simply rearranging the letters in the word itself. For example, CHYPRAGTOPRY can be unscrambled to reveal the word CRYPTOGRAPHY. Another cipher, the SUBSTITUTION CIPHER, is a bit harder. It involves changing the letters of your message into something else: other letters, numbers, or symbols. Using a substitution cipher, the word CRYPTOGRAPHY might look like this: DOHQMRZOFQYH. In this example C=D, R=O, Y=H, and so on.

For your friends to understand the message, they must know your system. In our substitution cipher, your friend would need to know the KEY, or how the system is set up (a=f, etc.). If only you and your friend have the key, then it is very difficult for others to read your message.

C, Glossary of computer security

Cryptanalysis and Attacks on Cryptosystems

September 30th, 2007

Cryptanalysis is the art of deciphering encrypted communications without knowing the proper keys. Some of the more important cryptanalytic techniques are:

Cipher text only attack: This is the situation where the attacker does not know anything about the contents of the message, and must work from cipher text only. In practice it is quite often possible to make guesses about the plain text contents of messages, as many types of messages have fixed-format headers. Even ordinary letters and documents begin in a very predictable way. It may also be possible to guess that some cipher text block contains a common word.

Known plain text attack: The attacker knows or can guess the plain text for some parts of the message. The task is to decrypt the rest of the cipher text blocks using this information. This may be done by determining the key used to encrypt the data, or via some shortcut.

Chosen plain text attack: The attacker is able to have any text he likes encrypted with the unknown key. The task is to determine the key used for encryption. Some encryption methods, particularly RSA, are extremely vulnerable to chosen-plain text attacks. When such algorithms are used, extreme care must be taken to design the entire system so that an attacker can never have chosen plain text encrypted.

Man-in-the-middle attack: This attack is relevant for cryptographic communication and key exchange protocols. When two parties are exchanging keys for secure communications (e.g., using Diffie-Hellman), an adversary puts himself between the parties on the communication line. The adversary then performs a separate key exchange with each party, decrypts communications, and encrypts them again for sending to the other party. The parties think that they are communicating securely, but in fact the adversary is hearing everything.

Man-in-the-middle attacks can be averted if each party computes a cryptographic hash function of the key exchange (or at least the encryption keys), signs it using a digital signature algorithm, and sends the signature to the other. The recipient then verifies that the signature came from the other party, and that the hash in the signature matches the one computed locally.

Timing Attack: This attack is based on repeatedly measuring the exact execution times of modular exponentiation operations. It is relevant to at least RSA, Diffie-Hellman, and Elliptic Curve methods.
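The man-in-the-middle countermeasure described above (hash the key exchange, sign the hash, compare against the locally computed hash) can be simulated in one process. This is an added example, not code from the original post; it assumes each party already holds the other's authentic public verification key, and it uses toy Diffie-Hellman and textbook RSA parameters built from Mersenne primes that are unsuitable for real use. All names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (Mersenne primes, textbook RSA
# without padding). They show the protocol logic only and are not safe to use.
DH_P, DH_G, RSA_E = 2**127 - 1, 3, 65537


class Signer:
    """Hypothetical helper: textbook RSA signatures over two known primes."""

    def __init__(self, p, q):
        self.n = p * q                      # public verification modulus
        self._d = pow(RSA_E, -1, (p - 1) * (q - 1))

    def sign(self, digest):
        return pow(int.from_bytes(digest, "big") % self.n, self._d, self.n)


def verify(n, digest, signature):
    """Check a signature against a public modulus the verifier already trusts."""
    return pow(signature, RSA_E, n) == int.from_bytes(digest, "big") % n


def dh_keypair():
    private = secrets.randbelow(DH_P - 3) + 2
    return private, pow(DH_G, private, DH_P)


def exchange_hash(initiator_pub, responder_pub, shared_key):
    """Hash of the key exchange as one party saw it, plus the derived key."""
    h = hashlib.sha256()
    for value in (initiator_pub, responder_pub, shared_key):
        h.update(value.to_bytes(16, "big"))
    return h.digest()


def run_exchange(mode="honest"):
    """mode: 'honest', 'relay' (an in-path party swaps the public values and
    forwards the real signatures) or 'resign' (it also signs with its own key).
    Returns (alice_accepts, bob_accepts)."""
    alice = Signer(2**89 - 1, 2**107 - 1)
    bob = Signer(2**61 - 1, 2**127 - 1)
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    bob_sees, alice_sees = pub_a, pub_b
    if mode != "honest":
        _, pub_m = dh_keypair()
        bob_sees = alice_sees = pub_m       # both sides receive a swapped value

    # Each side hashes what it sent, what it received and the key it derived.
    alice_digest = exchange_hash(pub_a, alice_sees, pow(alice_sees, a, DH_P))
    bob_digest = exchange_hash(bob_sees, pub_b, pow(bob_sees, b, DH_P))
    sig_to_bob, sig_to_alice = alice.sign(alice_digest), bob.sign(bob_digest)
    if mode == "resign":
        intruder = Signer(2**61 - 1, 2**89 - 1)
        sig_to_bob = intruder.sign(bob_digest)
        sig_to_alice = intruder.sign(alice_digest)

    # Verify with the peer's known key against the locally computed hash.
    alice_accepts = verify(bob.n, alice_digest, sig_to_alice)
    bob_accepts = verify(alice.n, bob_digest, sig_to_bob)
    return alice_accepts, bob_accepts


if __name__ == "__main__":
    for mode in ("honest", "relay", "resign"):
        print(mode, run_exchange(mode))
```

Both tampered runs are rejected for different reasons: in `relay` the signed hash does not match the local one, and in `resign` the signature does not verify under the peer's known key.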

Cryptography

Does using biometrics increase likelihood of capture, coercion or

September 30th, 2007

Users may be concerned that the use of biometric authentication will increase the
danger that they will find themselves targeted by ruthless criminals who are intent on
gaining entry to the assets protected by the biometric. With non-biometric
authentication, cards, keys, and passwords could be stolen and used by criminals
without the presence of the user. If biometrics are employed so that the physical
presence of the user is required, this may place the user at more risk.
It is hard to produce a definitive analysis of the situation, in the absence of any long
term experience with widely deployed biometric systems. One is left to a speculative
consideration on likely scenarios and outcomes. Nowadays, even low grade crimes
are frequently accompanied with physical assault (e.g. muggings) for small gains such
as cash, mobile phones or credit cards. If biometrics were used to provide
authentication for (say) credit card transactions and mobile phone calls, would this
increase or decrease the likelihood or degree of violence employed? It could
reasonably be argued that petty criminals usually go for “hit and run” attacks and don’t
want to hang around forcing victims to go to ATM machines and withdraw cash etc.
For this type of crime, it seems likely that biometric authentication would act as a
deterrent.
Biometric Security Concerns produced for the UK Biometric Working Group. Last updated September
2003
For serious, organised crime, violence is endemic and may be used directly against
victims or their families and friends. Again, it is not clear that the use of biometrics
would make a significant difference to the frequency or degree of coercion and
violence used.
Solutions
Contrary to the concern expressed, the use of biometrics may actually serve to reduce
the likelihood of coercion, because in many cases it would be likely to increase the risk
of arrest for the perpetrator.
Effective liveness checks would act as a countermeasure to the successful use of
cadavers or severed limbs etc. and hence to the motivation for such attempts.
The use of biometrics (and other electronic authentication) provides an opportunity for
the use of duress codes to allow a transaction to take place but alert the authorities
that it is involuntary.

Biometrics security

Does publicising countermeasures make the systems less secure?

September 30th, 2007

If details of countermeasures employed in biometric systems are publicised, it may
help attackers to avoid or defeat them. Similarly, if attackers know what
countermeasures are not employed, this will help them identify potential weaknesses
in the system, and direct attacks towards those weak areas.
The counter-argument is that public exposure of countermeasures and vulnerabilities
will lead to a more mature and responsible attitude from the biometrics community and
promote the development of more secure systems in the future. Generally, achieving
security through obscurity is not seen as a viable policy as it depends on the assumed
difficulty of analysis which is a hostage to fortune. For example the design of a “secure”
mechanism may fall into the hands of an attacker and, if the underlying security is not
adequate, compromise will result. Certainly in the traditional area of cryptography, the
philosophy that is normally adopted is to assume that an opponent will have knowledge
of the design of the cryptographic algorithm, but that knowledge should not
compromise the cryptographic security.
That is not to say that obscurity cannot provide any protection, rather that the protection
is invariably unpredictable and may be short-lived. If we wish to make biometric
devices and applications secure it is necessary to understand the threats and put in
place effective countermeasures, technical and procedural. A parallel may be drawn
with the field of IT vulnerabilities where the world has had time to come to terms with
the idea and not seek to suppress knowledge. Rather, the approach is to report
problems to the developers so that they can be fixed and patches issued. The balance
between (excessive) publicity and suppression has been struck, founded on pragmatic
principles based on experience. If and when biometrics are widely deployed, a similar
approach can be expected to be adopted.
Whatever the merits of the arguments, they are likely to be overtaken by events.
Suppression by governments or companies will not inhibit individual researchers and
consumer magazines from investigating the subject. Already in the biometrics area, a
number of ad-hoc security evaluations have been conducted and the results published.
The following table lists some of them.

Biometrics security

Biometrics should only be stored on smart-cards

September 29th, 2007

This is a sometimes heard expression of concern about the potential misuse of
biometric data stored on central databases. It refers to the threat to privacy that such
centralised collections of personal data could pose if compromised.
Biometric data are regarded as personal data and hence subject to the controls
appropriate to personal data. There is a perceived fear that biometric data may be
shared between applications, perhaps without the knowledge or consent of the
subjects. This concern may be amplified if biometric images are stored, rather than the
coded template data only, particularly for large-scale public applications where there
may be perceived Orwellian overtones. This area is addressed in the UK by the Data
Protection Act 1998 (DPA), which applies to biometric data just as much as to other
personal data. Codes of conduct may be needed to provide specific interpretation of
the DPA for biometric applications.
Biometric data are not usually held in isolation. They are typically associated with other
personal data that may form part of the identification and authentication process itself,
or subsequently for access control permissions. Associated data is normally not
unique to biometric authentication systems, and is commonly stored centrally on non-biometrics
applications, not apparently eliciting equivalent concern.
Solutions
A potential solution is seen in the storing of personal data on secure tokens or smart
cards that are held by the users themselves. The assumption is that this will obviate the
need for a central database of biometric data, and therefore negate any privacy
concerns. This is attractive because it promotes the idea of anonymous authentication.
However, anonymous authentication has its limits and may not be tenable in many
circumstances. For example in government applications, it will typically not be
sufficient to know that the person applying for the benefit payment/passport/driving
licence is who they claim to be. It will also be necessary to check that they are entitled
to the service or payment requested and not enrolled multiple times under different
identities. To do this a central database of claimants will almost certainly be needed,
even if a token or smart card is used as part of the authentication process. In these
cases, the privacy protection advantage ascribed to user-held tokens or smart cards
will be largely illusory.
To mitigate the risk of functional creep, the biometric data can be bound to the
application through the use of cryptographic signature techniques.

Biometrics security