Basic Concepts and Terminology

Security Goals (CIA Triad)

Goal	Description	Threat
Confidentiality	Only authorized parties can access data	Eavesdropping, data theft
Integrity	Data is not altered unauthorizedly	Tampering, modification
Availability	Systems and data are accessible when needed	DoS, DDoS attacks

Additional Security Goals

Authentication: Verifying identity of communicating parties
Non-repudiation: Sender cannot deny sending a message
Access Control: Restricting access based on roles/permissions

Cryptography Terminology

Term	Definition
Plaintext	Original readable message
Ciphertext	Encrypted (unreadable) message
Encryption	Converting plaintext to ciphertext
Decryption	Converting ciphertext back to plaintext
Key	Secret value used for encryption/decryption
Cryptanalysis	Breaking encryption without knowing the key
Cipher	Algorithm for encryption/decryption

Types of Cryptanalytic Attacks

Attack Type	Description
Ciphertext Only	Attacker has only ciphertext
Known Plaintext	Attacker knows some plaintext-ciphertext pairs
Chosen Plaintext	Attacker can encrypt chosen plaintexts
Chosen Ciphertext	Attacker can decrypt chosen ciphertexts
Brute Force	Trying all possible keys (2^n for n-bit key)

Classical Ciphers (For Conceptual Understanding)

Caesar Cipher: Shift each letter by fixed amount (ROT3)
Substitution Cipher: Replace each letter with another
Vigenère Cipher: Polyalphabetic substitution using a keyword
Transposition Cipher: Rearrange letters (e.g., rail fence cipher)

Symmetric Encryption

Same key used for both encryption and decryption. Also called secret key cryptography.

Requirements

Strong encryption algorithm
Secure key distribution mechanism
Key secrecy (security depends entirely on key secrecy)

Data Encryption Standard (DES)

Block Cipher: 64-bit block size, 56-bit key (64 bits with 8 parity bits)
Rounds: 16 rounds of substitution and permutation (Feistel network)
Structure: Initial permutation → 16 rounds → Final permutation
Key Issues:
56-bit key too short (broken in 1998 in < 3 days)
Vulnerable to brute force
3DES (Triple DES): Applies DES 3 times with 2 or 3 different keys
Effective key length: 112 or 168 bits
Slower but more secure
Three modes: EEE3, EDE3, EDE2 (E=Encrypt, D=Decrypt)

Advanced Encryption Standard (AES)

Replacement for DES — adopted by NIST in 2001 (Rijndael algorithm)
Block Size: 128 bits (fixed)
Key Sizes: 128, 192, or 256 bits
Rounds: 10 (128-bit), 12 (192-bit), 14 (256-bit)
Operations per Round:
SubBytes — Byte substitution using S-box (non-linear)
ShiftRows — Cyclic shift of rows
MixColumns — Column mixing (Galois field multiplication)
AddRoundKey — XOR with round key
Last round skips MixColumns
Round Keys: Derived from original key using key expansion algorithm
Advantages: Fast, secure, resistant to known attacks, hardware/software efficient
Modes of Operation:
ECB (Electronic Codebook): Each block encrypted independently (insecure — patterns leak)
CBC (Cipher Block Chaining): Each block XORed with previous ciphertext (needs IV)
CFB (Cipher Feedback): Turns block cipher into stream cipher
OFB (Output Feedback): Similar to CFB; error doesn't propagate
CTR (Counter): Uses counter value; allows parallel encryption
GCM (Galois/Counter Mode): Provides both encryption and authentication

Other Symmetric Ciphers

Blowfish

Block Cipher: 64-bit block, variable key (32-448 bits)
Rounds: 16 rounds (Feistel cipher)
Designer: Bruce Schneier (1993)
Key Feature: Fast, free, unpatented
Successor: Twofish (AES finalist)

RC4 (Rivest Cipher 4)

Stream Cipher: Variable key size (40-2048 bits)
Used in: WEP, WPA (now considered insecure), SSL/TLS (deprecated)
Key Issue: Vulnerable to biases in initial output bytes; broken in practice

Comparison of Symmetric Ciphers

Cipher	Type	Block Size	Key Size	Rounds	Status
DES	Block	64	56	16	Broken
3DES	Block	64	112/168	48	Legacy
AES	Block	128	128/192/256	10/12/14	Current standard
Blowfish	Block	64	32-448	16	Legacy
RC4	Stream	—	40-2048	—	Broken

Asymmetric Encryption

Uses a key pair: public key (shared openly) and private key (kept secret). Also called public key cryptography.

Principles

Encrypt with public key, decrypt with private key (for confidentiality)
Encrypt with private key, decrypt with public key (for authentication/signatures)
Computationally infeasible to derive private key from public key

RSA (Rivest-Shamir-Adleman)

Most widely used public key algorithm
Based on: Difficulty of factoring large composite numbers
Key Generation:
Choose two large primes p and q
Compute n = p × q
Compute φ(n) = (p-1)(q-1) [Euler's totient]
Choose e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1
Compute d = e^(-1) mod φ(n) [modular inverse]
Public Key: (n, e)
Private Key: (n, d)
Encryption: C = M^e mod n
Decryption: M = C^d mod n
Key Size: 1024-4096 bits (2048+ recommended)
Security: Depends on factoring problem — no efficient classical algorithm known

Diffie-Hellman Key Exchange

Purpose: Securely exchange keys over insecure channel
Based on: Discrete logarithm problem
Process:
Agree on public values: large prime p and generator g
Alice chooses private a, sends A = g^a mod p
Bob chooses private b, sends B = g^b mod p
Alice computes: s = B^a mod p = g^(ab) mod p
Bob computes: s = A^b mod p = g^(ab) mod p
Both share secret s without transmitting it!
Vulnerability: Man-in-the-middle attack (no authentication)
Solution: Combine with digital signatures or use authenticated DH

ElGamal Encryption

Based on: Discrete logarithm problem (like Diffie-Hellman)
Probabilistic encryption: Same plaintext produces different ciphertext each time
Used in: GPG, PGP
Process:
Key generation: Choose prime p, generator g, private key x, public key y = g^x mod p
Encryption: Choose random k; ciphertext = (g^k mod p, m × y^k mod p)
Decryption: m = c2 × (c1^x)^(-1) mod p

Elliptic Curve Cryptography (ECC)

Based on: Elliptic curve discrete logarithm problem
Key Advantage: Shorter keys for equivalent security
256-bit ECC ≈ 3072-bit RSA
Key Generation:
Choose elliptic curve E over finite field and base point G
Private key: random number d
Public key: Q = d × G (elliptic curve point multiplication)
Advantages: Faster computation, smaller keys, less bandwidth
Used in: Bitcoin, TLS, mobile devices, IoT
Curves: P-256 (NIST), Curve25519, secp256k1

Asymmetric Cipher Comparison

Algorithm	Based On	Key Size	Speed	Use Case
RSA	Factoring	1024-4096	Slow	Encryption, signatures
Diffie-Hellman	Discrete log	1024-4096	Slow	Key exchange
ElGamal	Discrete log	1024-4096	Slow	Encryption
ECC	EC discrete log	160-521	Fast	Mobile, TLS, blockchain

Hash Functions

Properties of Good Hash Functions

Fixed output size regardless of input size
Deterministic: Same input → same output
Efficient computation
Pre-image resistance: Given hash h, hard to find m such that H(m) = h
Second pre-image resistance: Given m₁, hard to find m₂ ≠ m₁ with H(m₁) = H(m₂)
Collision resistance: Hard to find any two messages with same hash

MD5 (Message Digest 5)

Output: 128-bit hash
Rounds: 64 operations (4 rounds of 16)
Status: Broken — collisions found in seconds
Use: Only for checksums (not security)

SHA Family (Secure Hash Algorithm)

Algorithm	Output Size	Block Size	Rounds	Status
SHA-1	160 bits	512	80	Broken (2017 — SHAttered attack)
SHA-224	224 bits	512	64	Secure (SHA-2 family)
SHA-256	256 bits	512	64	Secure
SHA-384	384 bits	1024	80	Secure
SHA-512	512 bits	1024	80	Secure

SHA-3 (Keccak)

Winner of NIST competition (2012)
Different structure: Uses sponge construction (not Merkle-Damgård)
Resistant to length extension attacks
Flexible output length

HMAC (Hash-based Message Authentication Code)

Purpose: Message authentication using hash functions
Formula: HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))
K' = key padded/derived to block size
opad = outer padding (0x5c repeated)
ipad = inner padding (0x36 repeated)
Properties: Integrity + authentication (doesn't provide non-repudiation)
TLS, IPsec, and many protocols use HMAC

Digital Signatures and Certificates

Digital Signature Properties

Authentication: Verifies sender identity
Integrity: Detects message modification
Non-repudiation: Sender cannot deny sending

How Digital Signatures Work

Signing: Sender hashes message → encrypts hash with private key
Verification: Receiver has message + signature → decrypts signature with sender's public key → compares with hash of message
Match = Message authentic and unmodified

Digital Signature Standard (DSS)

Algorithm: DSA (Digital Signature Algorithm)
Based on: Discrete logarithm problem
Parameters: Prime p, prime q (divides p-1), generator g
Components: Key generation, signing, verification

RSA Digital Signature

Sign: Signature = Hash(m)^d mod n (private key)
Verify: Hash(m) = Signature^e mod n (public key)
Compare computed hash with received hash

Digital Certificates (X.509)

Purpose: Binds public key to an identity
Issued by: Certificate Authority (CA)
Contents:
Subject name and public key
Issuer (CA) name
Validity period (not before / not after)
Serial number
CA's digital signature
Version, extensions (key usage, subject alternative name)
Format: X.509v3 (most common)
Verification Chain: Root CA → Intermediate CA → End-entity certificate

PKI (Public Key Infrastructure)

Components

Component	Role
CA (Certificate Authority)	Issues and signs certificates
RA (Registration Authority)	Verifies identity before CA issues certificate
Certificate Repository	Stores and distributes certificates (LDAP)
CRL / OCSP	Certificate revocation checking
Certificate	Binds public key to identity

Certificate Lifecycle

Registration: User generates key pair → submits CSR (Certificate Signing Request) to RA
Verification: RA verifies identity
Issuance: CA signs and issues certificate
Distribution: Certificate stored in repository
Usage: Used for encryption, authentication, signing
Renewal: Before expiry
Revocation: If compromised → added to CRL or marked via OCSP

Certificate Revocation

CRL (Certificate Revocation List): List of revoked certificates (periodic)
OCSP (Online Certificate Status Protocol): Real-time revocation check
OCSP Stapling: Server provides OCSP response during TLS handshake

Network Security Protocols

SSL/TLS (Secure Sockets Layer / Transport Layer Security)

Purpose: Secure communication over network (application layer)
SSL versions: 2.0 (broken), 3.0 (broken — POODLE attack)
TLS versions: 1.0, 1.1 (deprecated), 1.2 (widely used), 1.3 (current)
TLS Handshake:
ClientHello (supported cipher suites, random)
ServerHello (chosen cipher suite, random, certificate)
Key Exchange (Diffie-Hellman or RSA)
Session keys derived
Encrypted communication begins
TLS 1.3 Improvements: Fewer round trips (1-RTT), removes insecure algorithms, perfect forward secrecy mandatory
Port: HTTPS = TCP 443

IPsec (Internet Protocol Security)

Purpose: Secures IP communications at network layer
Two Modes:
Transport Mode: Encrypts only payload (host-to-host)
Tunnel Mode: Encrypts entire packet (gateway-to-gateway, VPN)
Two Protocols:
AH (Authentication Header): Provides authentication and integrity only (no encryption)
ESP (Encapsulating Security Payload): Provides encryption + authentication + integrity
IKE (Internet Key Exchange): Negotiates security associations and exchanges keys
Phase 1: Establish secure channel (IKE SA)
Phase 2: Negotiate IPsec SA

SSH (Secure Shell)

Purpose: Secure remote login and command execution
Port: TCP 22
Replaces: Telnet (unencrypted), rlogin, rsh
Authentication: Password-based or public key-based
Features: Port forwarding (tunneling), SFTP, SCP
Key Exchange: Diffie-Hellman
Encryption: AES, ChaCha2o

PGP (Pretty Good Privacy) / GPG

Purpose: Email/file encryption and signing
Uses: Hybrid encryption (symmetric + asymmetric)
Web of Trust: Decentralized trust model (vs PKI's hierarchical)
Process:
Generate random session key
Encrypt message with session key (AES)
Encrypt session key with recipient's public key (RSA)
Send both encrypted message and encrypted session key

Firewalls

A firewall is a network security device that monitors and filters incoming/outgoing traffic based on security rules.

Types of Firewalls

Packet Filtering Firewall (Stateless)

Operates at: Network layer (Layer 3)
Filters based on: Source/destination IP, port number, protocol
Advantages: Fast, low cost, transparent
Disadvantages: No state tracking, vulnerable to IP spoofing
Example rule: ALLOW TCP ANY → 192.168.1.0/24 PORT 80

Stateful Inspection Firewall

Tracks: Connection state (TCP handshake, session state)
Maintains: State table of all active connections
More secure than packet filtering
Can detect: Invalid packet sequences, session hijacking

Application-Level Gateway (Proxy Firewall)

Operates at: Application layer (Layer 7)
Acts as: Proxy between client and server
Deep packet inspection: Inspects actual content
Advantages: Can filter based on application data
Disadvantages: Slower, protocol-specific

Next-Generation Firewall (NGFW)

Features: Deep packet inspection, IDS/IPS, application awareness
Can identify: Applications regardless of port used
Includes: SSL/TLS inspection, sandboxing, threat intelligence

Circuit-Level Gateway

Operates at: Session layer (Layer 5)
Validates: TCP handshake and session rules
Does not examine: Data content

Firewall Architectures

Screened Host Firewall

Single firewall with DMZ (demilitarized zone) for public servers

Screened Subnet Firewall (DMZ)

Two firewalls: External (internet → DMZ) and Internal (DMZ → private network)
Most secure architecture
Servers in DMZ accessible from internet but protected from internal network

Firewall Rules Example

# Rule format: ACTION PROTOCOL SOURCE DESTINATION PORT
ALLOW TCP ANY 10.0.0.0/24 80,443    # Allow HTTP/HTTPS to internal network
DENY TCP ANY ANY 23                  # Block Telnet
ALLOW TCP 10.0.0.0/24 ANY ANY        # Allow all outbound
DENY IP ANY ANY ANY                  # Default deny (implicit)

IDS/IPS

Intrusion Detection System (IDS)

Monitors network/system for malicious activity and alerts.

Types by Deployment

Type	Scope	Example
NIDS (Network-Based)	Monitors entire network segment	Snort, Suricata
HIDS (Host-Based)	Monitors single host	OSSEC, Tripwire

Types by Detection Method

Method	Description	Pros	Cons
Signature-Based	Matches known attack patterns	Low false positives	Cannot detect zero-day
Anomaly-Based	Detects deviations from normal behavior	Can detect new attacks	Higher false positives
Hybrid	Combines both	Best of both worlds	More complex

Intrusion Prevention System (IPS)

Same as IDS but can actively block detected threats.

Inline deployment (directly in traffic path)
NIPS: Network-based inline
HIPS: Host-based (blocks system calls)
WIPS: Wireless IPS (detects rogue access points)

IDS/IPS Comparison

Feature	IDS	IPS
Action	Alert only	Alert + Block
Deployment	Passive (port mirror)	Inline
Impact on traffic	None	Adds latency
Risk of false positive	Low impact	Can block legitimate traffic

VPN

Virtual Private Network creates an encrypted tunnel over public networks.

Types

Type	Description	Use Case
Site-to-Site VPN	Connects entire networks	Branch offices
Remote Access VPN	Individual user to corporate network	Work from home
Client-to-Site VPN	Software-based remote access	Mobile workers

VPN Protocols

Protocol	Encryption	Port	Notes
IPsec	AES	50/4500	Most secure; used in site-to-site
SSL/TLS VPN	TLS	443	No client needed (browser-based)
PPTP	MPPE	1723	Weak; deprecated
L2TP/IPsec	IPsec	1701	No encryption alone; uses IPsec
OpenVPN	OpenSSL	1194/443	Open source; very popular
WireGuard	ChaCha20	UDP	Modern; fast; simple

VPN Tunneling

Full Tunnel: All traffic goes through VPN
Split Tunnel: Only corporate traffic goes through VPN; internet direct

Authentication Methods

Authentication Factors

Something you know: Password, PIN
Something you have: Smart card, token, phone
Something you are: Biometrics (fingerprint, iris, face)
Somewhere you are: Location-based
Something you do: Behavioral biometrics (typing pattern)

Kerberos

Purpose: Network authentication protocol
Based on: Symmetric key cryptography + trusted third party (KDC)
Components:
KDC (Key Distribution Center): AS + TGS
AS (Authentication Server): Issues TGT
TGS (Ticket Granting Server): Issues service tickets
Process:
User → AS: Request authentication
AS → User: TGT (encrypted with user's key) + session key
User → TGS: Request service ticket (using TGT)
TGS → User: Service ticket
User → Server: Service ticket + authenticator
Advantage: No password sent over network; tickets time-limited
Used in: Windows Active Directory

OAuth 2.0

Purpose: Authorization (not authentication) — delegated access
Flow: Client → Authorization Server → Access Token → Resource Server
Grant Types: Authorization Code, Implicit, Client Credentials, PKCE
Tokens: Access Token (short-lived), Refresh Token (long-lived)
Used in: "Login with Google/Facebook" features

Biometrics

Type	Feature	Accuracy	Cost
Fingerprint	Ridge patterns	High	Low
Iris Recognition	Iris patterns	Very high	High
Face Recognition	Facial features	Moderate	Moderate
Voice Recognition	Voice patterns	Low-Moderate	Low
Retina Scan	Blood vessel pattern	Very high	High

Multi-Factor Authentication (MFA)

Combines 2+ authentication factors
Example: Password (knowledge) + OTP on phone (possession) + fingerprint (biometric)
OTP Types: TOTP (time-based), HOTP (counter-based), SMS OTP (less secure)

Steganography

Concept

Hiding data within other data (carrier) without detection.

Types

Type	Method
Image Steganography	Modify LSB (Least Significant Bits) of pixel values
Audio Steganography	Modify LSB of audio samples
Text Steganography	Hidden text in whitespace/spacing
Video Steganography	Hide data in video frames
Network Steganography	Hide data in protocol headers

Steganography vs Cryptography

Aspect	Steganography	Cryptography
Goal	Hide existence of message	Scramble message content
Visibility	Hidden	Visible but unreadable
Detection	Steganalysis	Cryptanalysis
Combined	Can encrypt before hiding	Can hide encrypted data

Cyber Attacks

Denial of Service (DoS) / Distributed DoS (DDoS)

DoS: Single source floods target with requests
DDoS: Multiple compromised machines (botnet) flood target
Types:
Volumetric: Flood bandwidth (UDP flood, ICMP flood)
Protocol: Exploit protocol weaknesses (SYN flood, Ping of Death)
Application Layer: HTTP flood, Slowloris
Mitigation: Rate limiting, CDN, DDoS protection services (Cloudflare, AWS Shield)

Phishing

Concept: Fake emails/websites impersonating trusted entities
Types: Spear phishing (targeted), Whale phishing (executives), Vishing (voice), Smishing (SMS)
Mitigation: Email filtering, user awareness, MFA

SQL Injection

Concept: Inject malicious SQL through input fields
Example: admin' OR '1'='1' — (bypasses authentication)
Types: Classic, Blind (boolean-based, time-based), Out-of-band
Mitigation: Parameterized queries, input validation, WAF, least privilege

Cross-Site Scripting (XSS)

Concept: Inject malicious scripts into web pages viewed by others
Types:
Stored XSS: Script permanently stored on server (e.g., in comments)
Reflected XSS: Script reflected from server in response
DOM-based XSS: Manipulation of DOM environment
Mitigation: Input sanitization, output encoding, Content Security Policy (CSP)

Man-in-the-Middle (MitM) Attack

Concept: Attacker intercepts and possibly alters communication between two parties
Types: ARP spoofing, DNS spoofing, SSL stripping
Mitigation: Encryption (TLS/SSL), certificate pinning, mutual authentication

Other Important Attacks

Attack	Description
Ransomware	Encrypts data, demands ransom (WannaCry, REvil)
Trojan Horse	Malware disguised as legitimate software
Worm	Self-replicating malware (no host needed)
Virus	Attaches to host program, spreads when executed
Keylogger	Records keystrokes to steal credentials
Spoofing	Faking identity (IP, email, MAC address)
Session Hijacking	Taking over active session
Brute Force	Trying all password combinations
Dictionary Attack	Using common passwords/words
Buffer Overflow	Writing beyond buffer boundaries; can execute arbitrary code
Zero-Day	Exploiting vulnerability before patch exists

Security Policies and Standards

ISO 27001

Full Name: ISO/IEC 27001 — Information Security Management System (ISMS)
Scope: Systematic approach to managing sensitive information
Key Components:
Risk assessment and treatment
Security policies and procedures
Asset management
Human resource security
Physical security
Access control
Incident management
Business continuity
Compliance
Plan-Do-Check-Act (PDCA) Cycle:
Plan: Establish ISMS, identify risks
Do: Implement security controls
Check: Monitor and review
Act: Maintain and improve

ISO 27002

Guidance document for implementing ISO 27001 controls
14 Domains: Risk assessment, HR security, asset management, access control, cryptography, physical security, operations security, communications security, system acquisition, supplier relationships, incident management, business continuity, compliance

Other Standards

Standard	Description
PCI DSS	Payment Card Industry Data Security Standard — for credit card data
HIPAA	Health Insurance Portability — health information protection (US)
SOX	Sarbanes-Oxley — financial reporting integrity
GDPR	General Data Protection Regulation — EU data privacy
IT Act 2000	Indian IT Act — cyber laws in India
NIST SP 800-53	US federal security controls framework

Indian Cyber Laws

IT Act 2000 (Amended 2008): Legal framework for electronic governance and cybercrime
Key Sections:
Section 43: Unauthorized access, data theft
Section 65: Tampering with computer source code
Section 66: Computer-related offences (hacking)
Section 66A: Struck down by Supreme Court (2015)
Section 66B: Receiving stolen computer resource
Section 66C: Identity theft
Section 66D: Cheating by personation using computer
Section 67: Publishing obscene content
Section 72: Breach of confidentiality

CERT-In (Indian Computer Emergency Response Team)

Role: National agency for cybersecurity incident response
Responsibilities: Incident handling, advisories, vulnerability management
Compliance Mandate: Organizations must report cyber incidents within 6 hours

Key Formulas and Concepts Summary

Concept	Key Point
DES	56-bit key, 64-bit block, 16 rounds (Feistel)
AES	128-bit block, 10/12/14 rounds, SubBytes-ShiftRows-MixColumns-AddRoundKey
RSA	C = M^e mod n; M = C^d mod n; Security based on factoring
Diffie-Hellman	Shared secret: g^(ab) mod p; based on discrete log
HMAC	H((K⊕opad)
Firewall Default	Deny all, allow by exception
Hash	SHA-256 current standard; MD5 and SHA-1 broken
TLS 1.3	1-RTT, mandatory PFS, removed weak ciphers

Exam Tips

Symmetric vs Asymmetric: Know key differences and use cases
AES Structure: Understand the 4 operations per round
RSA Algorithm: Be able to perform key generation with small numbers
Diffie-Hellman: Know the process and MitM vulnerability
Hash Functions: MD5 broken, SHA-1 broken, SHA-256 secure
Digital Certificates: Know X.509 structure and CA/RA roles
TLS vs IPsec: Application layer vs network layer security
Firewall Types: Packet filtering vs stateful vs proxy vs NGFW
IDS vs IPS: Detection vs Prevention; signature vs anomaly
Cyber Attacks: SQL injection, XSS, DDoS, phishing — know mechanisms and mitigation
Kerberos: Understand the AS, TGS, and ticket flow
ISO 27001: PDCA cycle and ISMS concept
Indian IT Act: Key sections (43, 65, 66 series) are commonly asked
VPN Protocols: PPTP weak, IPsec/OpenVPN/WireGuard strong

Practice Questions

12 MCQs for Cryptography Information and Network Security with detailed explanations.

Q1. Regarding the following concept: 'Verifying identity of communicating parties

-...', which statement is correct?

- A. Verifying identity of communicating parties

B. This is defined exclusively at the physical layer of system design
C. This concept applies only to analog systems and not digital ones
D. This approach has been deprecated in all modern implementations

✅ Correct Answer: Option A

Explanation:
The correct answer is Option A — Verifying identity of communicating parties
-.

This concept is covered under Cryptography Information and Network Security in the CBDT Assistant Director Systems syllabus. The answer is established through standard definitions and widely accepted principles in the field.

Why other options are incorrect:
- Option B — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option C — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option D — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.

Q2. Which of the following best describes | Systems and data?

A. accessible when needed | DoS, DDoS attacks |
B. not altered unauthorizedly | Tampering, modification |
C. commonly asked
D. a network security device that monitors and filters incoming/outgoing traffic based on security rules.

✅ Correct Answer: Option A

Explanation:
The correct answer is Option A — accessible when needed | DoS, DDoS attacks |.

Q3. Regarding the following concept: '- ESP (Encapsulating Security Payload): Provides encryption + authentication + i...', which statement is correct?

A. This concept applies only to analog systems and not digital ones
B. This approach has been deprecated in all modern implementations
C. - ESP (Encapsulating Security Payload): Provides encryption + authentication + integrity
D. This is defined exclusively at the physical layer of system design

✅ Correct Answer: Option C

Explanation:
The correct answer is Option C — - ESP (Encapsulating Security Payload): Provides encryption + authentication + integrity.

Why other options are incorrect:
- Option A — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option B — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option D — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.

Q4. Regarding the following concept: '- OCSP Stapling: Server provides OCSP response during TLS handshake...', which statement is correct?

A. This approach has been deprecated in all modern implementations
B. - OCSP Stapling: Server provides OCSP response during TLS handshake
C. This concept applies only to analog systems and not digital ones
D. This is defined exclusively at the physical layer of system design

✅ Correct Answer: Option B

Explanation:
The correct answer is Option B — - OCSP Stapling: Server provides OCSP response during TLS handshake.

Why other options are incorrect:
- Option A — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option C — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option D — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.

Q5. Which of the following best describes | Data?

A. not altered unauthorizedly | Tampering, modification |
B. a network security device that monitors and filters incoming/outgoing traffic based on security rules.
C. commonly asked
D. accessible when needed | DoS, DDoS attacks |

✅ Correct Answer: Option A

Explanation:
The correct answer is Option A — not altered unauthorizedly | Tampering, modification |.

Q6. Regarding the following concept: 'Sender cannot deny sending a message

-...', which statement is correct?

A. This approach has been deprecated in all modern implementations
B. This concept applies only to analog systems and not digital ones
C. Sender cannot deny sending a message
D. This is defined exclusively at the physical layer of system design

✅ Correct Answer: Option C

Explanation:
The correct answer is Option C — Sender cannot deny sending a message
-.

Q7. Which of the following best describes firewall?

A. a network security device that monitors and filters incoming/outgoing traffic based on security rules.
B. accessible when needed | DoS, DDoS attacks |
C. not altered unauthorizedly | Tampering, modification |
D. commonly asked

✅ Correct Answer: Option A

Explanation:
The correct answer is Option A — a network security device that monitors and filters incoming/outgoing traffic based on security rules..

Q8. Regarding the following concept: '| Original readable message |

|...', which statement is correct?

A. This concept applies only to analog systems and not digital ones
B. This is defined exclusively at the physical layer of system design
C. | Original readable message |
|
D. This approach has been deprecated in all modern implementations

✅ Correct Answer: Option C

Explanation:
The correct answer is Option C — | Original readable message |
|.

Q9. Regarding the following concept: '- AH (Authentication Header): Provides authentication and integrity only (no enc...', which statement is correct?

A. This is defined exclusively at the physical layer of system design
B. This concept applies only to analog systems and not digital ones
C. - AH (Authentication Header): Provides authentication and integrity only (no encryption)
D. This approach has been deprecated in all modern implementations

✅ Correct Answer: Option C

Explanation:
The correct answer is Option C — - AH (Authentication Header): Provides authentication and integrity only (no encryption).

Q10. Regarding the following concept: '- GCM (Galois/Counter Mode): Provides both encryption and authentication...', which statement is correct?

A. This concept applies only to analog systems and not digital ones
B. This approach has been deprecated in all modern implementations
C. This is defined exclusively at the physical layer of system design
D. - GCM (Galois/Counter Mode): Provides both encryption and authentication

✅ Correct Answer: Option D

Explanation:
The correct answer is Option D — - GCM (Galois/Counter Mode): Provides both encryption and authentication.

Why other options are incorrect:
- Option A — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option B — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option C — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.

Q11. Regarding the following concept: '| Converting plaintext to ciphertext |

|...', which statement is correct?

A. | Converting plaintext to ciphertext |
|
B. This is defined exclusively at the physical layer of system design
C. This concept applies only to analog systems and not digital ones
D. This approach has been deprecated in all modern implementations

✅ Correct Answer: Option A

Explanation:
The correct answer is Option A — | Converting plaintext to ciphertext |
|.

Q12. Regarding the following concept: 'Confidentiality...', which statement is correct?

A. This concept applies only to analog systems and not digital ones
B. Confidentiality
C. This is defined exclusively at the physical layer of system design
D. This approach has been deprecated in all modern implementations

✅ Correct Answer: Option B

Explanation:
The correct answer is Option B — Confidentiality.

Why other options are incorrect:
- Option A — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option C — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.
- Option D — This option is factually incorrect or describes a concept from a different domain, making it an invalid choice for this question.

Cryptography, Information and Network Security

Table of Contents

Basic Concepts and Terminology

Security Goals (CIA Triad)

Additional Security Goals

Cryptography Terminology

Types of Cryptanalytic Attacks

Classical Ciphers (For Conceptual Understanding)

Symmetric Encryption

Requirements

Data Encryption Standard (DES)

Advanced Encryption Standard (AES)

Other Symmetric Ciphers

Blowfish

RC4 (Rivest Cipher 4)

Comparison of Symmetric Ciphers

Asymmetric Encryption

Principles

RSA (Rivest-Shamir-Adleman)

Diffie-Hellman Key Exchange

ElGamal Encryption

Elliptic Curve Cryptography (ECC)

Asymmetric Cipher Comparison

Hash Functions

Properties of Good Hash Functions

MD5 (Message Digest 5)

SHA Family (Secure Hash Algorithm)

SHA-3 (Keccak)

HMAC (Hash-based Message Authentication Code)

Digital Signatures and Certificates

Digital Signature Properties

How Digital Signatures Work

Digital Signature Standard (DSS)

RSA Digital Signature

Digital Certificates (X.509)

PKI (Public Key Infrastructure)

Components

Certificate Lifecycle

Certificate Revocation

Network Security Protocols

SSL/TLS (Secure Sockets Layer / Transport Layer Security)

IPsec (Internet Protocol Security)

SSH (Secure Shell)

PGP (Pretty Good Privacy) / GPG

Firewalls

Types of Firewalls

Packet Filtering Firewall (Stateless)

Stateful Inspection Firewall

Application-Level Gateway (Proxy Firewall)

Next-Generation Firewall (NGFW)

Circuit-Level Gateway

Firewall Architectures

Screened Host Firewall

Screened Subnet Firewall (DMZ)

Firewall Rules Example

IDS/IPS

Intrusion Detection System (IDS)

Types by Deployment

Types by Detection Method

Intrusion Prevention System (IPS)

IDS/IPS Comparison

VPN

Types

VPN Protocols

VPN Tunneling

Authentication Methods

Authentication Factors

Kerberos

OAuth 2.0

Biometrics

Multi-Factor Authentication (MFA)

Steganography

Concept

Types

Steganography vs Cryptography

Cyber Attacks

Denial of Service (DoS) / Distributed DoS (DDoS)

Phishing

SQL Injection

Cross-Site Scripting (XSS)