Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

THE USE AND IMPACT OF CRYPTOGRAPHY ON BANKING INDUSTRY, Navneet Kaur

advertisement 
THE USE AND IMPACT OF CRYPTOGRAPHY ON BANKING INDUSTRY,
ESPECIALLY IN ATM AND ONLINE BANKING
Navneet Kaur
B.A., University of California, Santa Cruz, 2008
PROJECT
Submitted in partial satisfaction of
the requirements for the degree of
MASTER OF BUSINESS ADMINISTRATION
at
CALIFORNIA STATE UNIVERSITY, SACRAMENTO
FALL
2010
THE USE AND IMPACT OF CRYPTOGRAPHY ON BANKING INDUSTRY,
ESPECIALLY IN ATM AND ONLINE BANKING
A Project
by
Navneet Kaur
Approved by:
__________________________________, Committee Chair
Ralph Pope, Ph.D.
____________________________
Date
ii
Student: Navneet Kaur
I certify that this student has met the requirements for format contained in the University
format manual, and that this project is suitable for shelving in the Library and credit is to
be awarded for the Project.
_____________________________________________
Monica Lam, Ph.D.
Associate Dean for Graduate and External Programs
College of Business Administration
iii
_____________________
Date
Abstract
of
THE USE AND IMPACT OF CRYPTOGRAPHY ON BANKING INDUSTRY,
ESPECIALLY IN ATM AND ONLINE BANKING
by
Navneet Kaur
This project is done to assess the field of cryptography, how it works, and
different types of ciphers that are used in cryptography for encryption and decryption
with the use of secondary data. After describing various ciphers with examples, there is a
personal recommendation to make a stronger cipher. Then, this project explores the use
and impact of cryptography on banking industry by explaining how cryptography is used
especially in ATMs and online banking and how it affected the banking industry. The
project describes the encryption method that has been a national standard in US and then
it explores the method used specifically by Triton ATM and provides an option that
Triton could implement.
_______________________, Committee Chair
Ralph Pope, Ph.D.
_______________________
Date
iv
TABLE OF CONTENTS
Page
List of Tables ..................................................................................................................... vi
List of Figures ................................................................................................................... vii
Chapter
1. CRYPTOGRAPHY ....................................................................................................... 1
2. ATM MACHINES ....................................................................................................... 31
3. ONLINE BANKING ................................................................................................... 36
4. CONCLUSION ............................................................................................................ 39
Works Cited ...................................................................................................................... 44
v
LIST OF TABLES
Page
1. Table 1: Substitution table ............................................................................................ 5
2. Table 2: Frequency count for a coded message ............................................................ 8
3. Table 3: Plaintext with associated numbers ................................................................ 14
4. Table 4: Plaintext writen in table ................................................................................ 18
5. Table 5: Plaintext with key written on the top ............................................................ 20
6. Table 6: Coded message written in 5 columns and 4 rows ......................................... 21
7. Table 7: Columns 2 and 4 are switched ...................................................................... 22
8. Table 8: Columns 3 and 5 are switched ...................................................................... 22
9. Table 9: Columns are rearranged to make sense ........................................................ 22
10. Table 10: Coded message written in 5 columns and 4 rows ..................................... 24
11. Table 11: Coded message with columns rearranged ................................................ 25
12. Table 12: Coded message with shift by 1 ................................................................. 25
13. Table 13: Coded message with shift by 1 ................................................................. 25
14. Table 14: Substitution table ...................................................................................... 27
15. Table 15: Coded message written in table form ....................................................... 29
16. Table 16: Coded message written in table form ....................................................... 29
vi
LIST OF FIGURES
Page
1. Figure 1: SSL Overview ............................................................................................. 36
vii
1
Chapter 1
CRYPTOGRAPHY
“Cryptography is the study of methods of sending messages in disguised form so
that only the intended recipients can remove the disguise and read the message. The
message we want to send is called the plaintext and the disguised message is called the
ciphertext” (Koblitz 53). The plain text and cipher texts are written in some alphabet
consisting of a certain number of letters. The term “letter” can contain the familiar
alphabets A-Z as well as numerals, blanks, punctuation marks, or any other symbol that
we use while writing the message. The process of converting a plaintext to a cipher text
(converting ordinary information into gibberish) is called enciphering or encryption and
the reverse process i.e. the process of converting coded information back to plain text is
called deciphering.
The plaintext and ciphertext are broken up into message units. A message unit
might be a single letter, a pair of letters (digraph), a triple of letters (trigraph), or a block
of fifty letters. Let’s denote the set of message units of plaintext by P and the set of
message units of cipher text by C. An enciphering transformation is a function that takes
any plaintext message unit and gives us a ciphertext message unit. We assume that
enciphering transformation is a function f: P → C. The corresponding inverse f-1: C → P
is called the deciphering transformation. We shall always assume that f is a 1-1
correspondence (for a given ciphertext message unit, there is one and only one plaintext
message unit for which it is encrypted). The set-up like this is called a cryptosystem.
2
We’ll associate letters with numbers in the following way for ciphers:
A ↔ 0, B ↔ 1, C ↔ 2, . . ., Z ↔ 25, _ (blank) ↔ 26.
There are so many types of ciphers invented to encrypt the information. One of
the simplest examples of ciphers is the Caesar cipher. In this cipher, we choose an
integer k and replace a letter R by the letter associated with R+k-26j. Thus, the Caesar
cipher is a shift cipher because the cipher text is derived from the plain text by shifting
each letter a certain number of spaces. For example if we choose k = 20, then B = 1
could be enciphered as 1 + 20 = 21, which is V. This is called the Caesar code because it
is said to have been used by Julius Caesar to communicate with his army.
Problem:
Show that the message
SEND_TWO_DIVISIONS_TO_POINT_FIVE_SEVENTEEN becomes
MYHXUNQIUXCPCMCIHMUNIUJICHNUZCPYUMYPYHNYYH.
Solution:
In the ciphered message M comes from S, which means the shift is by 20
(distance between S and M) letters i.e. k = 20. Therefore, S = 18 + 20 = 38 - 26 = 12 =
M. Or we can do shift by K = -6 i.e. S = 18 – 6 = 12 = M. The first shift where k = 20 is
called a right shift and the second shift where k = -6 (negative sign) is called a left shift.
Left shift is easy to apply in this particular problem as it’s a smaller number. Hence,
using the left shift:
E = 4 - 6 = -2 + 26 = 24 = Y
3
N = 13 - 6 = 7 = H
D = 3 - 6 =-3 + 26 = 23 = X
_ = 26 - 6 = 20 = U
T = 19 - 6 = 13 = N
W = 22 - 6 = 16 = Q
O = 14 - 6 = 8 = I
_ = 26 - 6 = 20 = U
D = 3 - 6 = -3 = 23 = X
I=8-6=2=C
V = 21 - 6 = 15 = P
I=8-6=2=C
S = 18 - 6 = 12 = M
I=8-6=2=C
O = 14 - 6 = 8 = I
N = 13 - 6 = 7 = H
S = 18 - 6= 12=M
_ = 26 - 6 = 20 = U
T = 19 - 6 = 13 = N
O = 14 - 6 = 8 = I
_ = 26 - 6 = 20 = U
P = 15 - 6 = 9 = J
4
O = 14 - 6 = 8 = I
I=8-6=2=C
N = 13 - 6 = 7 = H
T = 19 - 6 = 13 = N
_ = 26 - 6 = 20 = U
F = 5 - 6 = -1 = Z
I=8-6=2=C
V = 21 - 6 = 15 = P
E = 4 - 6 = -2 + 26 = 24 = Y
_ = 26 - 6 = 20 = U
S = 18 - 6 = 12 = M
E = 4 - 6 = -2 + 26 = 24 = Y
V = 21 - 6 = 15 = P
E = 4 - 6 = -2 + 26 = 24 = Y
N = 13 - 6 = 7 = H
T = 19 - 6 = 13 = N
E = 4 - 6 = -2 + 26 = 24 = Y
E = 4 - 6 = -2 + 26 = 24 = Y
N = 13 - 6 = 7 = H
As a result, the ciphered text is:
MYHXUNQIUXCPCMCIHMUNIUJICHNUZCPYUMYPYHNYYH.
5
The Caesar code is easy to break because there are only 26 such codes and we can
go through all 26 possibilities and choose the one that makes sense. The next code is
simple substitution in which each of the 26 letters is replaced by another in such a way
that no two letters are replaced by the same one. Such a substitution of letters is shown in
the following table.
Table 1: Substitution table
Original Letter
Substitution Letter
A
G
B
P
C
H
D
M
E
N
F
F
G
A
H
I
I
Q
J
S
K
U
L
B
M
O
6
N
C
O
L
P
R
Q
Z
R
X
S
Y
T
D
U
E
V
J
W
T
X
K
Y
W
Z
V
_
_
Problem:
Show that the message in problem # 1 about two divisions becomes
YNCMKDTLKMQJQYQLCYKDLKRLQCDKFQJNKYNJNCDNNC.
Solution:
7
In the preceding table S goes to Y, E goes to N, N goes to C etc. Therefore, by
using the table for substitution we get the cipher text
YNCMKDTLKMQJQYQLCYKDLKRLQCDKFQJNKYNJNCDNNC.
Since we can choose 26 letters to replace A, 25 letters to replace B, and 24 letters
to replace C and so on, there are 26! different possible simple substitution ciphers. With
the addition of blank ( _ ), there would be 27! substitution ciphers. It is difficult to solve
this cipher by working through all the possibilities. However, any message using this
kind of code can be deciphered using statistical properties of the English language,
known as frequency analysis. The most common letter in ordinary English text is _
(space/blank), followed by E, T, A, I, and O. We replace the most frequently occurred
letters in the ciphered text with the most frequently occurred letters in English and then
try to make sense out of the code and replace other letters accordingly.
Problem:
Decipher the following code which is enciphered with simple substitution cipher.
VARHTAOWAOTAJBCOQCAORTHIQOIAWOMZMQAU
MOWLEEOJKJLIOVAOLIQTHNFBANOVFQOLOQCL
IDOQCJQOJIZCHWOQCATAOLMOIHOQLUAORHTO
NABLXCATLIKOBLXCATMOELDAOQCLMOLIOQCA
ORLAENOVARHTAOJIZOHROFMOCJNOQLUAOQHO
NABLXCATOJOQAEAKTJUOELDAOQCAOAOJUXEA
OKLPAIOFMOQCAOBHUXJIZOVJQQJELHIOJINO
8
VTLKJNAOWHFENOEHIKOJKHOCJPAOBAJMANOQ
HOAOLMQOLQOCJMOIHOXTJBQLBJEOMLKILRLB
JIBA
Solution:
Table 2: Frequency count for a coded message
Letter
Number of occurrence of the letter
A
37
B
11
C
16
D
3
E
11
F
5
G
6
H
16
I
18
J
22
K
8
L
26
M
12
N
10
9
O
61
P
2
Q
23
R
7
S
10
T
13
U
6
V
6
W
5
X
6
Y
0
Z
4
Since the most frequently occurred letter in the coded message is O and the
second most frequent is an A, we can guess that O corresponds to _ and A to E. After
substituting these letters, the text becomes:
VeRHTe_We_TeJBC_QCe_RTHIQ_IeW_MZMQeU
M_WLEE_JKJLI_Ve_LIQTHNFBeN_VFQ_L_QCL
ID_QCJQ_JIZCHW_QCeTe_LM_IH_QLUe_RHT_
NeBLXCeTLIK_BLXCeTM_ELDe_QCLM_LI_QCe
10
_RLeEN_VeRHTe_JIZ_HR_FM_CJN_QLUe_QH_
NeBLXCeT_J_QeEeKTJU_ELDe_QCe_e_JUXEe
_KLPeI_FM_QCe_BHUXJIZ_VJQQJELHI_JIN_
VTLKJNe_WHFEN_EHIK_JKH_CJPe_BeJMeN_Q
H_e_LMQ_LQ_CJM_IH_XTJBQLBJE_MLKILRLB
JIBe
Three letter word QCe occurs four times in this short message so it is reasonable
to assume that QCe represents the. Therefore, we replace Q with t, C with h and the text
now becomes:
VeRHTe_We_TeJBh_the_RTHIt_IeW_MZMteU
M_WLEE_JKJLI_Ve_LItTHNFBeN_VFt_L_thL
ID_thJt_JIZhHW_theTe_LM_IH_tLUe_RHT_
NeBLXheTLIK_BLXheTM_ELDe_thLM_LI_the
_RLeEN_VeRHTe_JIZ_HR_FM_hJN_tLUe_tH_
NeBLXheT_J_teEeKTJU_ELDe_the_e_JUXEe
_KLPeI_FM_the_BHUXJIZ_VJttJELHI_JIN_
VTLKJNe_WHFEN_EHIK_JKH_hJPe_BeJMeN_t
H_e_LMt_Lt_hJM_IH_XTJBtLBJE_MLKILRLB
JIBe
11
The new text contains the word thJt suggesting that J corresponds to a, the word
tH signals that H goes to o, and L by itself and Lt suggest that L corresponds to i. With
these substitutions, we get:
VeRoTe_We_TeaBh_the_RToIt_IeW_MZMteU
M_WiEE_aKaiI_Ve_iItToNFBeN_VFt_i_thi
ID_that_aIZhoW_theTe_iM_Io_tiUe_RoT_
NeBiXheTiIK_BiXheTM_EiDe_thiM_iI_the
_RieEN_VeRoTe_aIZ_oR_FM_haN_tiUe_to_
NeBiXheT_a_teEeKTaU_EiDe_the_e_aUXEe
_KiPeI_FM_the_BoUXaIZ_VattaEioI_aIN_
VTiKaNe_WoFEN_EoIK_aKo_haPe_BeaMeN_t
o_e_iMt_it_haM_Io_XTaBtiBaE_MiKIiRiB
AIBe
Looking at the words iM, VattaEioI, aKo, and haPe, we can guess that M
corresponds to s, I to n, K to g, and P to v. The message now reads:
VeRoTe_We_TeaBh_the_RTont_neW_sZsteU
s_WiEE_again_Ve_intToNFBeN_VFt_i_thi
nD_that_anZhoW_theTe_is_no_tiUe_RoT_
NeBiXheTing_BiXheTs_EiDe_this_in_the
_RieEN_VeRoTe_anZ_oR_Fs_haN_tiUe_to_
NeBiXheT_a_teEegTaU_EiDe_the_e_aUXEe
12
_given_Fs_the_BoUXanZ_VattaEion_anN_
VTigaNe_WoFEN_Eong_ago_have_BeaseN_t
o_e_ist_it_has_no_XTaBtiBaE_signiRiB
AnBe
TeaBh suggests substituting c for B,
RTont, suggests substituting f for R and r for T,
SZsteUs suggests substituting y for Z and m for U,
WiEE suggests substituting l for E,
Ve suggests substituting b for V,
IntToNFBeN suggests substituting r for T and d for N, u for F, c for B.
VFt suggests substituting u for F,
ThinD suggests substituting k for D,
anZhoW suggests substituting y for Z and w for W,
theTe suggests substituting r for T.
And the message becomes following after applying all substitutions:
before_we_reach_the_front_new_system
s_will_again_be_introduced_but_i_thi
nk_that_anyhow_there_is_no_time_for_
deciXhering_ciXhers_like_this_in_the
_field_before_any_of_us_had_time_to_
deciXher_a_telegram_like_the_e_amXle
13
_given_us_the_comXany_battalion_and_
brigade_would_long_ago_have_ceased_t
o_e_ist_it_has_no_Xractical_signific
ance
DeciXhering, comXany, ciXhers suggest that X corresponds to p, and e_ample
and e_ist suggest _ corresponds to x in these 2 cases only. After decoding, the message
becomes following after all substitutions:
before_we_reach_the_front_new_system
s_will_again_be_introduced_but_i_thi
nk_that_anyhow_there_is_no_time_for_
deciphering_ciphers_like_this_in_the
_field_before_any_of_us_had_time_to_
decipher_a_telegram_like_the_example
_given_us_the_company_battalion_and_
brigade_would_long_ago_have_ceased_t
o_exist_it_has_no_practical_signific
ance
In the preceding ciphers, message units were broken into single letter. Following
is an example of a digraph, in which a message unit is broken into a pair of letters. For
instance, AA = 0, AB = 1, AC= 2, …, _A = 729, i.e (xy) = (27 * x) + y. AA = 27 * 0 + 0
14
= 0 and _A = 27*27 + 0 = 729. The key to crack a code is k = (a, b) where a belongs to
Z/729Z and b belongs to Z/729Z and plaintext P goes to (a*P) + b = C, ciphertext.
Problem:
Assume the letters A - Z are labeled by 0,…, 25 and the blank _ is labeled by 26.
Encipher the message “everything is ok” using the affine cryptosystem for R = Z/27Z
with the key (a, b) = (8,13).
Solution:
Table 3: Plaintext with associated numbers
E
V
E
R
Y
T
H
I
N
G
_
I
S
_
O
k
4
21
4
17
24
19
7
8
13
6
26
8
18
26
14
10
The message is enciphered as follows:
4 ( 8 ) + 13 = 18 mod 27 = S
21 ( 8 ) + 13 = 19 mod 27 =T
4 ( 8 ) + 13 = 18 mod 27 = S
17 ( 8 ) + 13 = 14 mod 27 = O
24 ( 8 ) + 13 = 16 mod 27 = Q
19 ( 8 ) + 13 = 3 mod 27 = D
7( 8 ) + 13 = 15 mod 27 = P
8 ( 8 ) + 13 = 23 mod 27 = X
13 ( 8 ) + 13 = 9 mod 27 = J
15
6 ( 8 ) + 13 = 7 mod 27 = H
26 ( 8 ) + 13 = 5 mod 27 =F
8 ( 8 ) + 13 = 23 mod 27 = X
18 ( 8 ) + 13 = 22 mod 27 = W
26 ( 8 ) + 13 = 5 mod 27 = F
14 ( 8 ) + 13 = 17 mod 27 = R
10 ( 8 ) + 13 = 12 mod 27 = M
Therefore, the enciphered text is: STSOQDPXJHFXWFRM.
Problem:
Assume that the following message is enciphered with the labeling of letters and
the blank as the above problem using an affine cryptosystem for R = Z/27Z. Try to find
the key (a, b) using frequency analysis. The message is:
15 8 1 17 13 9 17 10 11 1 9 10 22 2 7 17 21 1 24 22 7 12 17 10 1 21 25 24 11 1 2 17 1 17
8 3 22 26 17 3 1 26 19 11 5 1 11 26 22 1 19 8 16 22 21 9 15 11 19 2 7 17 1 23 25 15 7 19
11 19 17 24 1 1 15 1 10 17 24 11 7 17 24 24 1 19 21 15 18 19 8 15 11 19 22 8 1 15 8 3 1
15 1 9 15 11 19 17 8 11 1 9 17 10 11 19 8 15 16 19 11 0 1 1 5 22 26 15 10 3 1 26 1 17 12
17 24.
Solution:
In this ciphered message, 1 occurs the most frequently followed by 17. Therefore,
we’ll assume that blank _ = 26 in the plaintext goes to 1 in the ciphered text, and 4 = e
16
from the plaintext goes to 17 in the ciphertext as_ is the most frequently occurring letter
followed by an e in English language. Then we will get two equations.
(a*P) + b = C
a(26 + 27 Z) + b = 1 + 27 Z
a(4 + 27 Z) + b = 17 + 27 Z
Upon solving them, we get:
a = (-16 + 27 Z) (-11 + 27 Z)
= (176 + 27 Z)
= (14 + 27 Z)
b = (1 + 27 Z) - a(26 + 27 Z)
= (1 + 27 Z) - (14 + 27 Z) (26 + 27 Z)
= (1 + 27 Z) - (13 + 27 Z)
= (-12 + 27 Z)
= (15 + 27 Z)
Therefore, enciphering key (a, b) = (14, 15)
Similarly, we can find a deciphering key using two equations as follows:
26 + 27 Z = p(1 + 27 Z) + q
4 + 27 Z = p(17 + 27 Z) + q
Upon solving them, we get:
p = (22+ 27 Z) (5 + 27 Z)
= (2 + 27 Z)
17
q = (26 + 27 Z) - (2+ 27 Z)
= (24 + 27 Z)
= (-3 + 27 Z)
Therefore, deciphering key is (a, b) = (2, -3). Now, we can decipher the message in the
following way:
2(15) - 3 = (27 + 27 Z) = 0 = a
2(8) - 3 = (13 + 27 Z) = 13 = n
2(1) - 3 = (-1 + 27 Z) = 26 = _
.
.
.
And we get the message:
An_expert_problem_solver_must_be_endowed_with_two_incompatible_qualities_
_a_restless_imagination_and_a_patient_pertinacity_ _ howard_w_eves
In the above mentioned ciphers, English letters were changed into numbers and
the problem was solved to find the ciphered/deciphered text. However, in the following
cipher, we don’t assume that a ↔ 1, b ↔ 2 etc. In this cipher, letters are remained the
same, only their orders are switched. There are different types of transposition ciphers in
which letters within the plaintext are re organized in different ways to form a ciphered
text. One of them is a columnar transposition cipher.
In a columnar transposition, the message is written out in rows of a fixed length
and then read out column by column, which are chosen in some scrambled order to make
a ciphertext. Both the length of the rows and the permutation of the columns are usually
18
defined by a keyword. When the number of letters in the cryptogram is an exact multiple
of the number of columns i.e. when every column has same number of letters, the method
is called complete columnar transposition. When the length of a message is not an exact
multiple, the method is called incomplete columnar transposition. In a regular columnar
transposition cipher, any spare spaces are filled with nulls, and spaces are left blank in an
irregular columnar transposition cipher. For example, we use the message THIS IS A
SAMPLE MESSAGE. In a columnar transposition, we write this into the table as:
Table 4: Plaintext writen in table
T
H
I
S
I
S
A
S
A
M
P
L
E
M
E
S
S
A
G
E
This is complete columnar transposition cipher. If it were a message THIS IS A
SAMPLE MESS, then instead of A G E in the above table we could have written
something else i.e. X X X or just left it blank.
To code this message, the message is taken out of the table reading down the
columns. In the simplest case, we would simply go straight down the columns from left
to right and the result would be TSPS HALS ISEA SAMG IMEE. This is extremely easy
to solve as a decoder just needs to write this message back in the table form and read
19
across rows. Therefore, we’ll just regroup the letters into fives, so the final cipher would
be TSPSH ALSIS EASAM GIMEE.
However, this would also be not too difficult to break. The only thing the decoder
would need to do is guess the number of columns, or just start with 2 columns and work
up. To make a more challenging cryptogram, the order of reading out the columns is
changed. Instead of a fixed order, a key is used to determine the order. A key is the
rearrangement of column numbers. For example, with 5 columns, one possible key is 1,
4, 2, 5, 3. Different keys are used for different messages. A key is written at the top of
the table such that each column is marked with one number from the key. When the text
is read out, the columns are taken in the order prescribed by their marks. However, keys
such as 1, 4, 2, 5, 3 are not easy to memorize for a coder; therefore, a key made up of
words can be used instead. For example, the word ZEBRAS is of length 6. With key,
ZEBRAS, there would be six rows and the permutation of columns is defined by the
alphabetical order of the letters in the keyword, which would be "6 3 2 4 1 5". A comes
before any other letter of zebras followed by B, E,R, S, and Z; therefore, we’ll assume A
= 1, B= 2, E = 3, R = 4, S= 5, Z = 6. Hence, ZEBRAS is equivalent to 6 3 2 4 1 5.
Problem:
Code the sample message: THIS IS A SAMPLE MESSAGE.
Solution:
Using the sample message above and the key 1, 4, 2, 5, 3 we would have the
table:
20
Table 5: Plaintext with key written on the top
1
4
2
5
3
T
H
I
S
I
S
A
S
A
M
P
L
E
M
E
S
S
A
G
E
We’ll first read out column marked 1 then 2,3,4,5 and the coded message would become
TSPS ISEA IMEE HALS SAMG. After regrouping the letters into fives, final coded
message would become TSPSI SEAIM EEHAL SSAMG.
To solve a columnar transposition cipher, decoder would first need to guess the
number of columns. Then, the number of rows is determined by dividing the length of
the message by the guess at the number of columns. For example, if the decoder suspects
there are 8 columns, then the message length, let’s say 50, is divided by 8 to get 6, with a
remainder of 2. So, there would be 6 full rows and an extra row with only 2 letters. One
popular method is to write each of these columns onto a vertical strip of cardboard, and
then play with the order of the strips. At first, decoder would look for likely letter pairs
according to English language. For example, an H is often preceded by T, S or C, and an
E is most commonly followed by A, N, R or S. After a likely pairing has been found, it
can be extended by placing a third strip to the left or right of them. Then, short words
and common fragments of words, like THE, AND and INT should begin to appear. From
21
this point on decoder can start to build words until the complete order of strips is
determined.
Problem:
Decode the coded message from the previous problem: TSPSI SEAIM EEHAL
SSAMG.
Solution:
First, we need to guess the number of columns. Let’s say if we guess 5 numbers
of columns for our ease, then we’ll divide the number of total letters which is twenty by
five, which gives us four and that would be our number of rows. So, we’ll write down
our new table as follows:
Table 6: Coded message written in 5 columns and 4 rows
1
2
3
4
5
T
I
I
H
S
S
S
M
A
A
P
E
E
L
M
S
A
E
S
G
We just marked these columns 1 2 3 4 5 and now try to read the message across
rows TIIHSSSMAA… , which does not make sense. Now, we know that we have to
switch the columns so that the message across rows makes sense. We can try re
arranging the columns according to English language statistics. For example, in English
22
letter h follows t; therefore, we can move column 4 to column 2 and try to make sense.
For such a short message, all possible orders which would be 5! could be done as
follows:
Table 7: Columns 2 and 4 are switched
1
4
3
2
5
T
H
I
I
S
S
A
M
S
A
P
L
E
E
M
S
S
E
A
G
Table 8: Columns 3 and 5 are switched
1
2
5
4
3
T
H
S
I
I
S
A
A
S
M
P
L
M
E
E
S
S
G
A
E
2
5
3
.
.
.
Table 9: Columns are rearranged to make sense
1
4
23
T
H
I
S
I
S
A
S
A
M
P
L
E
M
E
S
S
A
G
E
From those 5! possibilities, we can find a message that makes sense after reading
across the rows. We had to go through only 5! possibilities to find the decoded message
which is not that difficult. To make the coded message difficult to break, a
recommendation would be to combine two ciphers to make one strong cipher. For
example, if we’ll combine columnar transposition cipher with Caesar code of shifting
each letter to a specific number, we’ll have a much stronger code and we will need to go
through 5! * 25 possibilities to decode the message.
For instance, if we decide to code the message using columnar transposition
cipher first and then shifting of 2 according to Caesar cipher, then we’ll get the following
message in the following way.
Problem:
Code the message THIS IS A SAMPLE MESSAGE using a combination of
columnar transposition cipher and Caesar cipher.
Solution:
First, we’ll get the coded message from the previous problem with a key 1 4 2 5 3:
TSPSI SEAIM EEHAL SSAMG. Then, we’ll shift each letter of the coded message by
24
2; for example, T would become V, I would become K, S would become U etc. And our
coded message would become VURUK UGCKO GGJCN UUCOI.
Problem:
Decode the above message VURUK UGCKO GGJCN UUCOI.
Solution:
Now, the decoder would make the table as we did in above problem of decoding
transposition cipher and go through all 5! possibilities. However, after going through all
5! possibilities, decoder would not be able to guess the decoded message. Therefore,
he/she would try shifting a letter by a certain number to make sense. There are 25
possibilities by which we can shift a letter. 5! tables from the coded message VURUK
UGCKO GGJCN UUCOI would look like as follows:
Table 10: Coded message written in 5 columns and 4 rows
1
2
3
4
5
V
K
K
J
U
U
U
O
C
C
R
G
G
N
O
U
C
G
U
I
25
Table 11: Coded message with columns rearranged
1
2
3
5
4
V
K
K
U
J
U
U
O
C
C
R
G
G
O
N
U
C
G
I
U
.
.
.
After making these 5 ! tables, decoder would go through 25 different shifting for each
table. For shifting by one, V would become W and K would become L etc.
Table 12: Coded message with shift by 1
1
2
3
4
5
W
L
L
K
V
V
V
P
D
D
S
H
H
O
P
V
D
H
V
J
3
5
4
Table 13: Coded message with shift by 1
1
2
26
W
L
L
V
K
V
V
P
D
D
S
H
H
P
O
V
D
H
J
V
.
.
.
After doing 25 different shifting of each table, decoder would finally get the message that
would make sense.
Hence, we’ve made a stronger code which is very difficult to break because we
have to go through 5! * 25 possibilities to break the code. A recommendation to make
even more difficult cipher is to combine transposition and substitution code in which
each of the 26 letters is replaced by another in such a way that no two letters are replaced
by the same one.
Problem:
Code the sample message THIS IS A SAMPLE MESSAGE using a combination
of columnar transposition cipher and substitution cipher.
Solution:
Using the transposition cipher first we get the message TSPSI SEAIM EEHAL
SSAMG as we did above. And now we apply the substitution cipher where T would be
replaced by D and S would be replaced by Y etc. using the following table.
27
Table 14: Substitution table
Original Letter
Substitution Letter
A
G
B
P
C
H
D
M
E
N
F
F
G
A
H
I
I
Q
J
S
K
U
L
B
M
O
N
C
O
L
P
R
Q
Z
R
X
28
S
Y
T
D
U
E
V
J
W
T
X
K
Y
W
Z
V
And our final coded message becomes DYRYQ YNGQO NNIGB YYGOA instead of
TSPSI SEAIM EEHAL SSAMG.
Now to break this code, the decoder would go through the same routine of making
a table and go through all 5! possibilities but the message would not make sense as he/she
would try to read across the rows. Then, he would try shifting of Caesar code but that
would also not work. And then he would try substitution code and go through 26!
possibilities for each table which is extremely hard. If the decoder does not know how
the cipher text is coded, then he/she would go through 5! possibilities of transposition
cipher, then 25 possibilities of Caesar cipher, and then 26! possibilities of substitution
cipher which would add up to 5! * 25 * 26! possibilities.
We’ll assume the decoder knows how the message is coded i.e. using columnar
transposition code and substitution code. Let’s see how decoder would break this
29
combination of columnar transposition and substitution cipher. First of all, he would
make 5! tables from the coded message DYRYQ YNGQO NNIGB YYGOA:
Table 15: Coded message written in table form
1
2
3
4
5
D
Q
Q
I
Y
Y
Y
O
G
G
R
N
N
B
O
Y
G
N
Y
A
Table 16: Coded message written in table form
1
2
3
5
4
D
Q
Q
Y
I
Y
Y
O
G
G
R
N
N
O
B
Y
G
N
A
Y
.
.
.
Then, for each table he would have to go through 26! possibilities of substitution
cipher (assume d goes to g, a goes to c etc.). Decoder can use frequency analysis here to
find out the substitution letter. However, it’s hard to use frequency analysis in such a
30
short message because English statistics do not apply on smaller messages. For example,
if decoder would assume that y is decoded as E as y is the most frequently occurred letter
in this coded message, he would be wrong because in our message y is decoded as S.
Therefore, a combination of columnar transposition and substitution cipher is much
difficult to break as there are 5! * 26! possibilities to code/decode the message.
Combination of ciphers shows that cryptography is not limited to only few ciphers as we
can combine different ciphers to make a new cipher, which is usually a stronger cipher as
compared to a single cipher.
31
Chapter 2
ATM MACHINES
“An ATM (Automated Teller Machine) is a computerized telecommunications
device that provides the clients of a financial institution with access to financial
transactions in a public space without the need for a cashier” (“Automated” 1). Main
parts of ATM are: CPU that controls the user interface and transaction devices, magnetic
card reader that reads the information from customer’s ATM card to identify the
customer, function-key buttons or touch screen to select the various aspects of the
transaction, secure crypto-processor that carries cryptographic operations in the machine,
cash cartridges to hold cash, record printer to provide receipt to a customer. ATMs are
connected to banks via secure communication network and encryption methods are built
into the communication network to prevent unauthorized transaction.
To initiate a transaction, customers need to have two things: ATM card and PIN.
ATM card is a plastic card that has information such as customer’s name and bank
account number stored on a magnetic strip. When this card is inserted in the machine, the
machine reads the customer’s information off the magnetic strip and uses it to process
transaction. PIN (Personal Identification Number) acts as a password to the ATM card
and provides double authentication. PIN verifies the identity of the customer as well as
provides security against the misuse of stolen ATM card. Only the cardholder and the
card issuer’s computer system know the PIN. Encryption is used to protect the PIN by
scrambling it and making it unreadable to protect it from a third party interception as it
32
travels through the network. The encryption method that has been a national standard
since 1977 is DES (Data Encryption Standard) as described in ANSI X9.8. DES uses a
single secret key to encrypt the PIN at the ATM and the same key to decrypt the PIN
after it is received by the processor to verify the cardholder’s identity.
DES is the most widely used symmetric cipher designed by IBM in the 1970s in
response to a request for proposals by the National Bureau of Standards (NBS), now the
National Institute of Standards and Technology (NIST). DES is a 64-bit block cipher
with a 56-bit key, where data is encrypted in blocks of 8 bytes. In basic structure of DES,
the plaintext block is split into left and right sections and the following is iterated:
Ln+1 = Rn
Rn+1 = Ln f(Rn, Kn)
Where Kn is a subkey of the main key and f is a mixing function. This mixing function
uses S-Boxes, which are maps from a 6-bit input to a 4-bit output based on a lookup
table.
FIPS 46, DES, specifies the data encryption algorithm for the cryptographic
protection of computer data (provided that it be reviewed within 5 years to assess its
adequacy), became effective in 1977. In 1983, the standard was reaffirmed; in 1987, it
was re-issued as FIPS 46-1 with minor editorial updating; in 1993, it was re-affirmed as
FIPS 46-2, which provided for software implementation in addition to hardware
implementation; and in 1999, it was reaffirmed as FIPS 46-3, which recognized Triple
33
DES, as specified in ANSI X9.52, as FIPS1 approved symmetric encryption algorithm of
choice. Single DES was permitted for legacy systems only. Government organizations
with legacy DES systems were encouraged to transition to Triple DES.
While DES is solid and secure in structure, a group called the Electronic Freedom
Foundation managed to break DES in less than 3 days with specially developed computer
called the DES Cracker in 1998. Due to increase in technology and computing power,
the security required for ATM transactions also needs to be increased. Solution to this
problem is the use of Triple DES, which performs multiple iterations of DES on the
message using different keys. 3DES can provide 168 (56*3) bits of security as compared
to 56 bits of security with single DES. Moreover, it is based on the same algorithm as
single DES; therefore, it can be easily implemented into the existing EFT (Electronic
Funds Transfer) network. After April 1st 2002 and before2003, ATMs were required to
be capable for 3DES encryption i.e. they could use DES for operating but must support
3DES encryption when needed. After April 1st 2003 and before December 31st 2005, all
installed ATMs needed to be 3DES compliant (must support 3DES as well as have 3DES
encryption key installed while operating). After December 31st 2005, all ATMs were
required to support and use 3DES encryption. The key space for DES is too short and is
1
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the
National Institute of Standards and Technology after approval by the Secretary of
Commerce pursuant toSection 5131 of the Information Technology Management Reform
Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law
100-235).
34
susceptible to brute-force attacks; hence, it has been withdrawn now. With the
withdrawal of the FIPS 46-3 standard in 2005, 3DES with keying option 1 and 2 as
described below is recognized as the only FIPS approved DES algorithm. Government
agencies with legacy single DES and 3DES with keying option 3 (described below) are
required to transition to FIPS approved versions of 3DES or AES.
In triple DES or 3DES, multiple iterations of DES are performed on the message
using different keys. All three operations don’t have to be encryption (EEE). The most
popular version of 3DES uses encryption, decryption, encryption (EDE) mode. With
triple DES in Triton ATM, the PIN is encrypted with the first key, decrypted with the
second key, and encrypted again with the first key. When the processor receives a
transaction generated by an ATM, the procedure for decrypting the PIN is the same,
except it is done in reverse as follows:
Encryption: Ek1(Dk2(Ek1(m)))
Decryption: Dk1(Ek2(Dk1(m)))
Other option for Triton ATM could be to use 3DES with 3 different keys in which
the PIN is encrypted with the first key, decrypted with the second key, and encrypted
again with the third key.
Encryption: Ek3(Dk2(Ek1(m)))
Decryption: Dk3(Ek2(Dk1(m)))
Similarly, a message unit can be encrypted, decrypted, and encrypted again using the
same key three times. However, it’s the same as single DES; that’s why, this 3rd option is
35
not FIPS approved DES algorithm. But it also shows that 3DES hardware can be made
to interoperate with DES hardware.
The above recommended option is more secure than the one Triton is using
currently; however, the decision to increase the security and to incur additional cost
should be based on the cost-benefit analysis. If the benefit received by minimizing the
risk of cracking and intervention by 3rd party exceeds the cost in the long run, then 3DES
with 3 different keys should be implemented; otherwise, the option with 2 different keys
works fine, which provides 112 (56*2) bits of security.
36
Chapter 3
ONLINE BANKING
Online Banking allows customers to conduct financial transactions such as
transfer money within accounts, pay bills and other applications such as applying for a
new account or a loan over a secure website. Online transactions are secured with SSL.
When a customer visits online banking sign-in page, customer’s browser establishes a
secure session with the bank server. This secure session is established using a protocol
called SSL.
Browser/
Browser requests secure socket
Customer
Server responds with SSL certificate
Server
Session key seed encrypted with SSL public key
Server indicates all future transactions are encrypted
Server and browser exchange encrypted messages
Figure 1: SSL Overview
“Secure Sockets Layer is a protocol that provides a secure channel between two
machines. It has facilities for protecting data in transit and identifying the machine with
which you are communicating” (Rescorla 44). The secure channel is transparent i.e. it
passes the data through unchanged. The data is encrypted between client and server, but
the data that one end writes is exactly what other end reads. SSL has gone through a
number of revisions, beginning with version 1 and culminating into the Transport Layer
Security (TLS) standard.
37
In general, when an SSL client connects to a server and wishes to use SSL or
TLS, the client sends the server a list of encryption ciphers that it supports. The server
then goes through the list in order and chooses the first match that it also supports.
Usually, the client’s list is in descending order with the most secure methods first so that
the most secure method supported by both the client and server is selected. Sometimes,
the order of the client’s list could be based on other criteria to make a compromise
between security and performance, which could result in the selection of a sub-optimal
cipher. For example, 3 DES would provide maximum security but RC4 would be the
fastest in terms of performance.
SSL supports a variety of cipher suits, specifying the set of algorithms to be used
for the connection. These algorithms vary in strength from very weak such as RC4 in 40bit mode to very strong ciphers such as 3DES. The security of an SSL connection is
dependent on the security of the ciphers it uses. It’s therefore necessary to choose a
cipher suite that is adequate for the value of data. Since both client and server have to
agree on a common cipher suite in order to communicate, the client can limit the set of
cipher suits that it is willing to support to obtain the appropriate level of security.
However, a possible side-effect of this could be that the server and client may not have a
common algorithm set, hence may not be able to communicate. Therefore, the best
policy is typically to allow all cipher suites that provide security above an acceptable
minimum level rather than merely choosing to support the strong algorithms exclusively.
38
To provide confidentiality in SSL/TLS, various symmetric encryption algorithms
such as IDEA, RC4, 3DES, AES are used. IDEA is a block cipher that operates on 64 bit
plaintext blocks and uses a 128-bit key length. It is not FIPS-approved. RC4 is a stream
cipher that uses variable key length which would be anywhere between 8 and 2048 bits
long. SSL and TLS use RC4 with a 128-bit key length. It is most commonly used cipher
in SSL/TLS, but it’s not a FIPS approved cipher. The AES (Advanced Encryption
Standard) is a FIPS-approved symmetric block cipher encryption algorithm that may be
used by U.S. Government organizations and others to protect sensitive but unclassified
information. AES uses 128, 192, or 256 bit keys; however, cipher suites have only been
defined for 128 and 256 bits to reduce over proliferation of cipher suites. The AES (FIPS
197) algorithm is designed to be a successor of DES/3DES.
39
Chapter 4
CONCLUSION
Customers prefer convenience these days. Both ATM and online banking save
time and are very convenient to customers. Through online banking, customers can
transfer money among accounts any time and from anywhere according to their
convenience without having to wait in long queues. Through ATM, customers can
withdraw cash any time. ATM is extremely helpful for emergency situations when banks
are not open after their regular office hours. Furthermore, customers do not need to carry
around extra cash with them on a trip which provides them safety. ATM and online
banking not only save time of customers but also banks. Banks can reduce their office
hours as more customers can get many services without the need of bank’s personnel.
Furthermore, both of them are cost-effective for banks. Banks can save personnel
cost by moving transactional services such as cash withdrawal or fund transferring among
different accounts to ATM and online. This way, ATM and online provide an alternate
delivery channel to customers. After transferring these low skilled jobs to machines,
banks can focus more on high skilled activities and increase efficiency in those activities.
They can focus more on providing customized services (portfolio management,
retirement plans) to their clients which would differentiate them from their competitors.
Customized services and good customer experience would help banks in creating
customer loyalty and enhance repeat business. Also, by making customer as a producer
40
of few services through ATM and online, banks not only save money but also increase
productivity of overall service bundle.
Banks need to have competitive advantage these days as they are in the maturity
stage of their product life cycle. ATM itself does not provide them competitive
advantage but its location may provide them competitive advantage. However, secure
online banking is one of the competitive advantages they can offer besides friendly
customer experience at their physical location. Moreover, online banking allows banks to
reach more customers geographically. They can get a customer from a city without
having a physical branch in that city. Besides geographical reach, online banking
increases demographic reach as well. For example, generation y prefers convenience and
prefers to work from home. Similarly, they would prefer online banking. So, through
online banking, banks can attract generation y customers as well as handle other
generation customers, who prefer physical experience or have problem with technology,
at their physical branch.
It’s almost required now for banks to offer online banking to compete effectively,
which would be almost impossible without cryptography as customer’s banking
information is extremely confidential and number of identity thefts and hacking etc. has
been increasing over time. Without 3DES in ATMs and SSL in online banking,
customer’s sensitive information could be misused for many reasons. For most of the
history, cryptography has been used almost entirely for military and diplomatic purposes.
But the application of cryptography can be seen now in financial institutions, business
41
models, government institutions etc. In fact, there is a separate field knows as financial
cryptography that uses cryptography in applications where financial loss could result
from subversion of the message system. “Financial cryptography includes the
mechanisms and algorithms necessary for the protection of financial transfers, in addition
to the creation of new forms of money” (“Financial” 1).
Financial cryptography followed the guide of cryptography and adopted only the
simplest ideas as part of a business model. Account money system such as PayPal
protected with SSL has been extremely successful under this field. Another widely used
cryptographic mechanism is DES which is used primary for the protection of Electronic
Funds Transfer. Ian Grigg views financial cryptography in seven layers with a
combination of seven distinct disciples: cryptography, software engineering, finance,
value, governance, accounting, rights, where cryptography provides confidentiality,
authentication, and integrity. Business failures can often be traced to the absence of one
or more of these disciplines, or to poor application of them. “The International Financial
Cryptography Association (IFCA) was formed to advance the theory and practice of
financial cryptography and related fields. IFCA's primary activity is the organization of
its annual Financial Cryptography conference, which brings together experts from around
the world to foster cooperation and the exchange of ideas” (“International” 1).
The impact of technology has been great on banking industry as described above
with the invention of ATMs and online banking. They both provide convenience to
customers and cost-effectiveness to banks. However, technology poses security threat as
42
well. For example, in 1996 Andrew Stone, a computer security consultant from
Hampshire in the UK, was convicted of stealing more than $1.6 million by pointing high
definition video cameras at ATMs from a considerable distance and getting the footage of
pin numbers being entered and by recording the card numbers, expiry dates, etc. from the
embossed detail on the ATM cards. After getting all the information from the videotapes,
he produced clone cards to withdraw cash from ATM. In response to that incident,
counter measures against card cloning have been developed by the banking industry.
They started using smart cards which cannot be copied easily. They also tried to make
the outside of their ATMs tamper evident. To avoid shoulder surfing, some banks have
drawn privacy area on the floor and customers waiting in the queue stay behind that area.
For customer security, critics of the banking industry have called for the adoption
of an emergency PIN system for ATMs, where the user would be able to send a silent
alarm in response to a threat. Legislative efforts for that system have appeared in Illinois,
Kansans, and Georgia but none have succeeded as of yet. In response to an ATM crime
wave, three towns outside of Cleveland Ohio adopted ATM Consumer Security
Legislation in 1998 which required the installation of a 9-1-1 switch at all outside ATMs
within their jurisdiction.
Other precautions to prevent the misuse of ATM cards include different methods
such as finger and palm vein patterns, iris, and facial recognition technologies to verify
cardholder’s identity besides just the password. An equipment also has been developed
to install in machines that detects the presence of foreign objects in front of ATMs.
43
Similarly, DES used to be a FIPS approved encryption algorithm; however, after
Electronic Freedom Foundation group managed to break that cipher in 1998, government
changed its requirements as well. They required everyone to implement 3DES, a
successor of DES. AES was also developed to be a successor of DES. As threats
increase with the increase in technology and computer resources, the precautions and
security system to avoid those threats also increase. Hence, it would not be a surprise if a
successor of AES would come in next decade.
44
WORKS CITED
“ATM Machines.” AtmDepot.com. Web. 2 July 2010. <http://www.atmdepot.com/tripledes.aspx>.
“Automated Teller Machine.” Wikipedia, the free encyclopedia. Web. 3 October 2010.
<http://en.wikipedia.org/wiki/Automated_teller_machine>.
“Columnar Transposition Cipher.” Contestcen.com. Web. 4 May 2010.
<http://www.contestcen.com/columnar.htm>.
“Computer Security Division - Computer Security Resource Center.” NIST.gov 14
January 2010. Web. 10 October 2010.
<http://csrc.nist.gov/groups/ST/toolkit/block_ciphers.html>.
“Cryptography.” trincoll.edu. 25 April 2010. Web. 8 June 2010.
<http://starbase.trincoll.edu/~crypto/historical/>.
“Financial Cryptography.” Wikipedia, the free encyclopedia. Web. 4 November 2010.
<http://en.wikipedia.org/wiki/Financial_cryptography>.
“FIPS Changes and Announcements.” NIST. 12 March 2010. Web. 4 October 2010.
<http://www.nist.gov/itl/upload/FIPS-Announcements.pdf>.
“International Financial Cryptography Association.” Ifca.ai. Web. 8 November 2010.
<http://ifca.ai/>.
“Transposition Cipher.” Wikipedia, the free encyclopedia. Web. 9 June 2010.
<http://en.wikipedia.org/wiki/Transposition_cipher>.
45
Barker, William C. “Recommendation of the Triple Data Encryption Algorithm (TDEA)
Block Cipher.” NIST. 19 May 2008. Web. 3 June 2010.
<http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf >.
Daley, William M., and Raymond G. Kammer. “Data Encryption Standard.” NIST. 25
October 1999. Web. June 2010. <http://csrc.nist.gov/publications/fips/fips463/fips46-3.pdf >.
Fletcher, Peter, and C. Wayne Patty. Foundation of Higher Mathematics. 3rd ed. Brooks
Cole, 1995. Print.
Galbreath, Nick. Cryptography for Internet and Database Applications. Indiana: Wiley
Publishing Inc., 2002. Print.
Koblitz, Neal. A course in Number Theory and Cryptography. 1st ed. New York:
Springer-Verlag, 1987. Print.
Rescorla, Eric. SSL and TLS: Designing and Building Secure Systems. Canada:
Addison-Wesley, 2001. Print.
Related documents
MCA (R+LE) 4th semester (Sessional (Minor I) Examination, April
MCA (R+LE) 4th semester (Sessional (Minor I) Examination, April
homework-02
homework-02
Mathematical Perspectives: Secret Codes: Dr. Morton Ch 3
Mathematical Perspectives: Secret Codes: Dr. Morton Ch 3
Binary Addition and Ceaser Shifts
Binary Addition and Ceaser Shifts
SampleHWSubmission
SampleHWSubmission
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034
Term Project CMPE 553 Cryptography and Network Security, Spring
Term Project CMPE 553 Cryptography and Network Security, Spring
Homework due 12/22
Homework due 12/22
Transposition Ciphers
Transposition Ciphers
Download
advertisement