CB3491 CRYPTOGRAPHY AND CYBER SECURITY
SYLLABUS
UNIT I INTRODUCTION TO SECURITY
Computer Security Concepts – The OSI Security Architecture – Security Attacks – Security
Services and Mechanisms – A Model for Network Security – Classical encryption techniques:
Substitution techniques, Transposition techniques, Steganography – Foundations of modern
cryptography: Perfect security – Information Theory – Product Cryptosystem – Cryptanalysis.
UNIT II SYMMETRIC CIPHERS
Number theory – Algebraic Structures – Modular Arithmetic – Euclid‘s algorithm – Congruence
and matrices – Group, Rings, Fields, Finite Fields SYMMETRIC KEY CIPHERS: SDES – Block
Ciphers – DES, Strength of DES – Differential and linear cryptanalysis – Block cipher design
principles – Block cipher mode of operation – Evaluation
criteria for AES – Pseudorandom Number Generators – RC4 – Key distribution.
UNIT III ASYMMETRIC CRYPTOGRAPHY
MATHEMATICS OF ASYMMETRIC KEY CRYPTOGRAPHY: Primes – Primality Testing –
Factorization – Euler’s totient function, Fermat’s and Euler’s Theorem – Chinese Remainder
Theorem – Exponentiation and logarithm ASYMMETRIC KEY CIPHERS: RSA cryptosystem –
Key distribution – Key management – Diffie Hellman key exchange -– Elliptic curve arithmetic –
Elliptic curve cryptography.
UNIT IV INTEGRITY AND AUTHENTICATION ALGORITHMS
Authentication requirement – Authentication function – MAC – Hash function – Security of hash
function: HMAC, CMAC – SHA – Digital signature and authentication protocols – DSS – Schnorr
Digital Signature Scheme – ElGamal cryptosystem – Entity Authentication: Biometrics,
Passwords, Challenge Response protocols – Authentication applications – Kerberos
MUTUAL TRUST: Key management and distribution – Symmetric key distribution using
symmetric and asymmetric encryption – Distribution of public keys – X.509 Certificates.
UNIT V CYBER CRIMES AND CYBER SECURITY
Cyber Crime and Information Security – classifications of Cyber Crimes – Tools and Methods –
Password Cracking, Keyloggers, Spywares, SQL Injection – Network Access Control – Cloud
Security – Web Security – Wireless Security
1
INTRODUCTION
UNIT I INTRODUCTION TO SECURITY
Computer Security Concepts – The OSI Security Architecture – Security Attacks – Security
Services and Mechanisms – A Model for Network Security – Classical encryption techniques:
Substitution techniques, Transposition techniques, Steganography – Foundations of modern
cryptography: Perfect security – Information Theory – Product Cryptosystem – Cryptanalysis.
1.1 Introduction
➢ Human being from ages had two inherent needs − (a) to communicate and share
information and (b) to communicate selectively. These two needs gave rise to the art
of coding the messages in such a way that only the intended people could have access
to the information. Unauthorized people could not extract any information, even if the
scrambled messages fell in their hand.
➢ The art and science of concealing the messages to introduce secrecy in information
security is recognized as cryptography.
➢ The word ‘cryptography’ was coined by combining two Greek words, ‘Krypto’
meaning hidden and ‘graphene’ meaning writing.
1.1.1 History of Cryptography
➢ The art of cryptography is considered to be born along with the art of writing. As
civilizations evolved, human beings got organized in tribes, groups, and kingdoms.
This led to the emergence of ideas such as power, battles, supremacy, and politics.
These ideas further fueled the natural need of people to communicate secretly with
selective recipient which in turn ensured the continuous evolution of cryptography as
well.
➢ The roots of cryptography are found in Roman and Egyptian civilizations.
➢ Hieroglyph − The Oldest Cryptographic Technique
➢ The first known evidence of cryptography can be traced to the use of ‘hieroglyph’.
Some 4000 years ago, the Egyptians used to communicate by messages written in
hieroglyph. This code was the secret known only to the scribes who used to transmit
messages on behalf of the kings. One such hieroglyph is shown below.
➢ Later, the scholars moved on to using simple mono-alphabetic substitution ciphers
during 500 to 600 BC. This involved replacing alphabets of message with other
alphabets with some secret rule. This rule became a key to retrieve the message
back from the garbled message.
1.2 Security Trends
➢ Computer data often travels from one computer to another, leaving the safety of its
protected physical surroundings. Once the data is out of hand, people with bad intention
could modify or forge your data, either for amusement or for their own benefit.
➢ Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by
modern mathematics that protects our data in powerful ways.
• Computer Security - Generic name for the collection of tools designed to
protect data and to thwart hackers.
• Network Security - Measures to protect data during their transmission.
• Internet Security - Measures to protect data during their transmission over a
collection of interconnected networks
1.2.1 Basic Concepts of Cryptography
➢ The Cryptography is the art or science encompassing the principles and methods of
transforming an intelligible message into one that is unintelligible, and then
retransforming that message back to its original form.
• Plaintext: The original intelligible message.
• Ciphertext: The transformed message or coded message.
• Cipher: An algorithm for transforming an intelligible message into one that is
unintelligible by transposition and/or substitution methods.
• Key: Some critical information used by the cipher, known only to the sender&
receiver.
• Encryption (encode): The process of converting plaintext to cipher text using a
cipher and a key.
• Decryption (Decode): The process of converting cipher text back into plaintext
using a cipher and a key.
• Cryptanalysis: The study of principles and methods of transforming an
unintelligible message back into an intelligible message without knowledge of the
key. Also called code breaking.
• Cryptology: The area of cryptography and cryptanalysis together are called
cryptology.
• Code: An algorithm for transforming an intelligible message into an unintelligible
one using a code-book.
• Cryptography: Cryptographic systems are generally classified along 3
independent dimensions:
➢ Type of operations used for transforming plain text to cipher text:
• All the encryption algorithms are based on two general principles:
substitution, in which each element in the plaintext is mapped into another
element, and transposition, in which elements in the plaintext are rearranged.
➢ The number of keys used
• If the sender and receiver use same key then it is said to be symmetric key
(or) single key (or) conventional encryption.
• If the sender and receiver use different keys then it is said to be public key
encryption.
➢ The way in which the plain text is processed
• A block cipher processes the input and block of elements at a time, producing
output block for each input block.
• A stream cipher processes the input elements continuously, producing output
element one at a time, as it goes along.
➢ Cryptanalysis: The process of attempting to discover X or K or both is known as
cryptanalysis. The strategy used by the cryptanalysis depends on the nature of the
encryption scheme and the information available to the cryptanalyst.
➢ There are various types of cryptanalytic attacks based on the amount of information
known to the cryptanalyst. They are:
• Cipher text only – A copy of cipher text alone is known to the cryptanalyst.
• Known plaintext – The cryptanalyst has a copy of the cipher text and the
corresponding plaintext.
• Chosen plaintext – The cryptanalysts gain temporary access to the encryption
machine. They cannot open it to find the key, however; they can encrypt a
large number of suitably chosen plaintexts and try to use the resulting cipher
texts to deduce the key.
• Chosen cipher text – The cryptanalyst obtains temporary access to the
decryption machine, uses it to decrypt several strings of symbols, and tries to
use the results to deduce the key.
1.3 Model of network security
➢ When we send our data from source to destination, we have to use some transfer
method like the internet or any other communication channel.
➢ The two parties, who are the principals in this transaction, must cooperate for each
other to the exchange the message. When the transfer of data happened from one
source to another source some logical information channel is established between
them by defining a route through the internet from source to destination and by the
cooperative use of communication protocols (e.g., TCP/IP) by the two principals.
➢ It is necessary to protect the information from various types of attackers, who may
launch a threat to confidentiality, authenticity, DoS and so on. All the technique
providing some security components:
• A security-related transformation on the information to be sent. That means,
the encryption of the message, which scrambles the message so that it is
unreadable by the attacker.
• Some of the secret information shared by the two parties. So, it is hoped,
unknown to the attacker.
• A trusted third party may be needed to achieve secure transmission. For
example, a third party may be responsible for distributing the secret
information to the two principals while keeping it from any attacker.
Figure 1.1 Network Security Model
This model (Figure 1.1) shows that there are four basic tasks in designing a particular security
service:
1. Design an algorithm for performing the security-related transformation.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
4. Specify a protocol to be used by the two principals that make use of the
security algorithm and the secret information to achieve a particular security
service.
➢ A network access security model is illustrated by Figure 1.2, which reflects a
concern for protecting an information system from unwanted access. The hackers,
who attempt to penetrate systems that can be accessed over a network. The hacker
can be someone who, with no malign intent, simply gets satisfaction from breaking
and entering a computer system. The intruder can be a disgruntled employee who
wishes to do damage or a criminal who seeks to exploit computer assets for
financial gain (e.g., obtaining credit card numbers or performing illegal money
transfers).
Figure 1.2 Network Access Security Model
➢ Another type ofunwanted access can affect the application programs. The Viruses
and Worms are two types of software attacks. There are two kinds of threat:
• Information access threats: Intercept or modify data on behalf of users who
should not have access to that data.
• Service threats: Exploit service flaws in computers to inhibit use by
legitimate users.
1.4 OSI Security Architecture
➢ The OSI Security Architecture is a framework that provides a systematic way of
defining the requirements for security and characterizing the approaches to satisfying
those requirements. X. 800 recommends this architecture for OSI.
➢ The OSI security architecture mainly focuses on:
• Security attacks- Any action that compromises the security of information
• Security services- The services are intended to counter security attacks, and
they make use of one or more security mechanisms to provide the service
• Security mechanisms- A process that is designed to detect, prevent, or recover
from a security attack.
1.6.1 Security Attacks
An assault on system security that derives from an intelligent threat; that is, an intelligent act
that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system. The security attacks are broadly
classified into two types:
1. Passive Attack
2. Active Attack
Passive Attack
➢ A passive attack is a network attack in which a system is monitored and sometimes
scanned for open ports and vulnerabilities. It attempts to learn or make use of
information from the system but does not affect system resources. The attacker aims
to obtain information that is in transit. The attacker does not perform any modification
of data. There are two types of passive attacks.
1. Release of Message Contents
2. Traffic Analysis
Release of Message Contents
➢ For a release of message content (Figure 1.3), a telephonic conversation, an E-
mail message or a transferred file may contain confidential data.
➢ A passive attack monitors the contents of the transmitted data. When the messages are
exchanged neither the sender nor the receiver is aware that a third party may capture
the messages. We have to prevent an opponent from learning the contents of these
transmissions.
Figure 1.3 Release of Message Contents
Traffic Analysis
➢ Traffic analysis is the process of intercepting and examining network traffic in order
to deduce information from patterns in communication. It can be performed even
when the traffic is encrypted and cannot be decrypted by the party performing
the analysis. Figure 1.4 shows the traffic analysis attack.
Figure 1.4 Traffic Analysis
➢ Passive attacks are very difficult to detect, because they do not involve any alteration
of the data. But, using strong encryption algorithm we can prevent this attack.
Active Attack
➢ Active attacks involve some modification of the data stream or the creation of a false
data and inject into the network.
➢ It can be subdivided into four categories:
• Masquerade
• Replay
• Modification of messages
• Denial of Service (DoS)
Masquerade
➢ A masquerade is a type of attack where the attacker pretends to be an authorized user
of a system in order to gain access to it or to gain greater privileges than they are
authorized for. Figure 1.5 shows this attack.
Figure 1.5 Masquerade
Replay
➢ A replay attack is a form of network attack in which a valid data transmission is
maliciously or fraudulently repeated or delayed.
➢ This is carried out either by the originator or by an adversary who intercepts the data
and re-transmits it, possibly as part of a masquerade attack by IP packet substitution.
Figure 1.6 shows replay attack.
Figure 1.6 Replay
Modification of messages
➢ It simply means that some portion of an authorized message is altered, or
that messages are delayed or reordered, to produce an unauthorized effect.
➢ For example, a message meaning "Allow Roy to read confidential file accounts" is
changed to "Allow Darwin to read confidential file accounts". Figure 1.7 shows this
attack.
Figure 1.7 Moddification of Message
Denial of Service
➢ A Denial-of-Service attack (DoS attack) is an attack where an attacker attempts to
disrupt the services provided by a host, by not allowing its intended users to access
the host from the Internet.
➢ If the attack succeeds, the targeted computer will become unresponsive and nobody
will be able to connect with it.
Figure 1.8 Denial of Service (DoS)
1.6.2 Security Services
➢ Security service is a service, provided by a layer of communicating open systems,
which ensures adequate security of the systems or of data transfers as defined by ITU-
T X. 800 Recommendation.
➢ X.800 divides security services into five different categories:
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation
• Availability Service
Authentication
➢ Authentication is the process of recognizing a user's identity. It is the mechanism
of associating an incoming request with a set of identifying credentials. The
Identification phase provides a user identity to the security system. This identity
is provided in the form of a user ID.
➢ Two specific authentication services are defined in X.800:
• Peer entity authentication: Provides for the corroboration of the identity
of a peer entity in an association. Two entities are considered peers if they
implement to same protocol in different systems; e.g., two TCP modules in
two communicating systems. It attempts to provide confidence that an
entity is not performing either a masquerade or an unauthorized replay of a
previous connection.
• Data origin authentication: Provides for the corroboration of the source
of a data unit. It does not provide protection against the duplication or
modification of data units. This type of service supports applications like
electronic mail, where there are no prior interactions between the
communicating entities.
Access control
➢ The goal of access control is to minimize the risk of unauthorized access to physical
and logical systems.
➢ Access control is a fundamental component of security compliance programs that
ensures security technology and access control policies are in place to protect
confidential information, such as customer data.
Data confidentiality
➢ Confidentiality refers to protecting information from being accessed by unauthorized
parties. In other words, only the people who are authorized to do so can gain access to
sensitive data. Such a failure of confidentiality, commonly known as a breach,
typically cannot be remedied.
➢ Confidentiality is classified into
• Connection Confidentiality
▪ The protection of all user data on a connection.
• Connectionless Confidentiality
▪ The protection of all user data in a single data block
• Selective-Field Confidentiality
▪ The confidentiality of selected fields within the user data on a
connection or in a single data block.
• Traffic Flow Confidentiality
▪ The protection of the information that might be derived from
observation of traffic flows.
Data integrity
➢ Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting,
creating and delaying or replaying of transmitted messages.
➢ Data Integrity can be classified into
• Connection Integrity with Recovery
▪ Provides for the integrity of all user data on a connection and detects
any modification, insertion, deletion, or replay of any data within an
entire data sequence, with recovery attempted.
• Connection Integrity without Recovery
▪ It provides only detection without recovery.
• Selective-Field Connection Integrity
▪ Provides for the integrity of selected fields within the user data of a
data block transferred over a connection and takes the form of
determination of whether the selected fields have been modified,
inserted, deleted, or replayed.
• Connectionless Integrity
▪ Provides for the integrity of a single connectionless data block and
may take the form of detection of data modification. Additionally, a
limited form of replay detection may be provided.
• Selective-Field Connectionless Integrity
▪ Provides for the integrity of selected fields within a single
connectionless data block; takes the form of determination of whether
the selected fields have been modified.
Nonrepudiation
➢ Nonrepudiation Provides protection against denial by one of the entities involved in a
communication of having participated in all or part of the communication.
➢ Nonrepudiation can be related to
• Nonrepudiation, Origin
▪ Proof that the message was sent by the specified party.
• Nonrepudiation, Destination
▪ Proof that the message was received by the specified party.
Example: Imagine a user of online banking who has made a transaction, but later denied that.
How the bank can protect itself in a such situation?
Availability Service
➢ An availability service is one that protects a system to ensure its availability.
This service addresses the security concerns raised by denial-of-service attacks. It
depends on proper management and control of system resources and thus depends on
access control service and other security services.
1.6.3 Security Mechanisms
➢ Security mechanisms are technical tools and techniques that are used to
implement security services.
➢ A mechanism might operate by itself, or with others, to provide a particular service.
Examples of common security mechanisms are as follows: Cryptography, Message
digests and digital signatures.
Difference between Active attack and Passive attack
Difference between Threat and Attack
Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a threat is a
possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent
act that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
1.5 Classical Encryption Techniques
➢ Classical cryptography is based on the mathematics and it relies on the computational
difficulty of factorizing large number. The security of classical cryptography is based
on the high complexity of the mathematical problem for the instance factorization of
large number.
1.7.1 Symmetric Cipher Model
➢ Single key is used for both encryption and decryption. A symmetric encryption
scheme has five ingredients
➢ Plaintext: This is the original intelligible message or data that is fed into the
algorithm as input. (Figure 1.9)
➢ Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
➢ Secret key: The secret key is also input to the encryption algorithm. The key is a
value independent of the plaintext and of the algorithm. The algorithm will produce a
different output depending on the specific key.
➢ Ciphertext: This is the scrambled message produced as output. It depends on the
plaintext and the secret key.
➢ Decryption algorithm: This is essentially the encryption algorithm run in reverse. It
takes the ciphertext and the secret key and produces the original plaintext
Figure 1.9 Symmetruc Cipher Model
Transmission Over Secure Channel
➢ Two requirements for secure use of symmetric encryption:
o A strong encryption algorithm
o A secret key known only to sender / receiver
➢ The message X and the encryption key K as input, the encryption algorithm forms the
ciphertext Y = [Y1, Y2, YN].
Y = E (K, X)
➢ Here, Y that is produced by using encryption algorithm E as a function of the
plaintext X, with the specific function determined by the value of the key K.
➢ The receiver, in possession of the key, is able to reverse the transformation:
X = D (K, Y)
Figure 1.10 Transmission Over Secure Channel
➢ An opponent, observing Y but not having access to K or X, may attempt to recover X
or Y or both X and Y. It is assumed that the opponent knows the encryption (E) and
decryption (D) algorithms.
1.7.2 Cryptanalysis and Brute-Force Attack
Cryptanalysis
➢ Cryptanalysis is the investigation of systems, ciphertext, and ciphers in order to
reveal the hidden meaning or details of the system itself. The goal of this type of
study is to discover the hidden aspects even if the key or main algorithm is unable to
be deciphered.
Brute-Force Attack
➢ The attacker tries every possible key on a piece of ciphertext until an intelligible
translation into plaintext is obtained. On average, half of all possible keys must be
tried to achieve success.
➢ There are two basic building blocks of all encryption techniques:
• Substitution
• Transposition
1.7.3 Substitution Techniques
➢ A substitution technique is one in which the letters of plaintext are replaced by other
letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then
substitution involves replacing plaintext bit patterns with cipher text bit patterns.
Caesar cipher (or) shift cipher
➢ The earliest known use of a substitution cipher and the simplest was by Julius Caesar.
The Caesar cipher involves replacing each letter of the alphabet with the letter
standing 3 places further down the alphabet. The plaintext will be written in
lowercase, ciphertext will be written in uppercase. Let as assign a numerical
equivalent to each letter.
Where a= 0, z = 25
Example
Plaintext: Pay more money
Ciphertext: SDB PRUH PRQHB
The general Caesar algorithm is,
Example
Let k = 3
C = E (3, P)
C = (P+3) mod 26
Encryption
Plaintext = cat
Let K = 3, C= 2
C = 2+ 3
C=5
C=F
Next letter, a= 0
C = 0 +3
C=D
Next, t = 19
So, C = w
Ciphertext = FDW
Now, Decryption is just reverse process of Encryption
Drawbacks
• Bruteforce cryptanalysis can be easily performed by trying all the 25 possible keys.
• The language of the plaintext was english.
Monoalphabetic Ciphers
➢ Rather than just shifting the alphabet
➢ Could shuffle (jumble) the letters arbitrarily
➢ Each plaintext letter maps to a different random ciphertext letter
➢ Hence, key is 26 letters long
➢ Now have a total of 26! = 4 x 1026 keys
➢ with so many keys, might think is secure
Drawback
➢ It is easy to break because they reflect the frequency data of the original alphabet.
Playfair Cipher
➢ The best-known multiple letter encryption cipher is the Playfair, which treats
diagrams in the plaintext as single units and translates these units into cipher text
diagrams. The Playfair algorithm is based on the use of 5x5 matrix of letters
constructed using a keyword. The technique encrypts pairs of letters instead of single
letters.
Example
Key: Monarchy
Plaintext: instruments
The Playfair Cipher Encryption Algorithm
The Algorithm consists of 2 steps:
1. Generate the key Square(5×5):
➢ The key square is a 5×5 grid of alphabets that acts as the key for encrypting the
plaintext. Each of the 25 alphabets must be unique and one letter of the alphabet
(usually J) is omitted from the table (as the table can hold only 25 alphabets). If the
plaintext contains J, then it is replaced by I.
➢ The initial alphabets in the key square are the unique alphabets of the key in the order
in which they appear followed by the remaining letters of the alphabet in order.
The key is "monarchy"
Thus the initial entires are
'm', 'o', 'n', 'a', 'r', 'c', 'h', 'y'
followed by remaining characters of a-z(except 'j') in that order.
2. Algorithm to encrypt the plain text: The plaintext is split into pairs of two letters
(digraphs). If there is an odd number of letters, a Z is added to the last letter.
PlainText: "instruments"
After Split: 'in' 'st' 'ru' 'me' 'nt' 'sz'
Rules for Encryption:
• If both the letters are in the same column: Take the letter below each one (going
back to the top if at the bottom).
For example:
Diagraph: "me"
Encrypted Text: cl
Encryption:
m -> c
e -> l
If both the letters are in the same row: Take the letter to the right of each one (going back
to the leftmost if at the rightmost position).
For example:
Diagraph: "st"
Encrypted Text: tl
Encryption:
s -> t
t -> l
If neither of the above rules is true: Form a rectangle with the two letters and take the
letters on the horizontal opposite corner of the rectangle.
For example:
Diagraph: "nt"
Encrypted Text: rq
Encryption:
n -> r
t -> q
For example:
Plain Text: "instrumentsz"
Encrypted Text: gatlmzclrqtx
Encryption:
i -> g
n -> a
s -> t
t -> l
r -> m
u -> z
m -> c
e -> l
n -> r
t -> q
s -> t
z -> x
Decryption
Plain Text: "gatlmzclrqtx"
Decrypted Text: instrumentsz
Decryption:
(red)-> (green)
ga -> in
tl -> st
mz -> ru
cl -> me
rq -> nt
tx -> sz
Advantages
➢ Play fair cipher is a great advance over simple mono alphabetic ciphers.
➢ Since there are 26 letters, 26 X 26 = 676 diagrams are possible, so identificaion of
individual diagram is more difficult.
➢ Frequency analysis is much more difficult.
Hill Cipher
➢ It is developed by the mathematician Lester Hill in 1929. Hill cipher is a polygraphic
substitution cipher based on linear algebra.Each letter is represented by a number
modulo 26. Often the simple scheme A = 0, B = 1, …, Z = 25 is used, but this is not
an essential feature of the cipher.
➢ To encrypt a message, each block of n letters (considered as an n-component vector)
is multiplied by an invertible n × n matrix, against modulus 26. To decrypt the
message, each block is multiplied by the inverse of the matrix used for encryption.
➢ The matrix used for encryption is the cipher key, and it should be chosen randomly
from the set of invertible n × n matrices (modulo 26).
➢ The hill cipher can be expressed as
C = KP mod 26
Example
Input : Plaintext: ACT
Key: GYBNQKURP
Output : Ciphertext: POH
Encryption
We have to encrypt the message ‘ACT’ (n=3).The key is ‘GYBNQKURP’ which can be
written as the nxn matrix:
The message ‘ACT’ is written as vector:
The enchipered vector is given as:
The Ciphertext is POH
Decryption
➢ To decrypt the message, we turn the ciphertext back into a vector, then simply
multiply by the inverse matrix of the key matrix (IFKVIVVMI in letters).The inverse
of the matrix used in the previous example is:
For the previous Ciphertext ‘POH’:
The plaintext is ACT
One Time Pad Cipher
➢ It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and
1s. this can be accomplished by writing all numbers in binary, for example, or by
using ASCII. The key is a random sequence of 0‟s and 1‟s of same length as the
message.
➢ Once a key is used, it is discarded and never used again. The system can be expressed
as follows:
➢ Thus the cipher text is generated by performing the bitwise XOR of the plaintext and
the key. Decryption uses the same key. Because of the properties of XOR, decryption
simply involves the same bitwise operation:
Advantages
➢ Encryption method is completely unbreakable.
Disadvantages
➢ It requires a very long key which is expensive to produce and expensive to transmit.
➢ Once a key is used it is dangerous to reuse it for second message.
Vigenere Cipher
➢ Vigenere Cipher is a method of encrypting alphabetic text. It uses a simple form
of polyalphabetic substitution. A polyalphabetic cipher is any cipher based on
substitution, using multiple substitution alphabets .The encryption of the original text
is done using the Vigenère square or Vigenère table.
➢ The table consists of the alphabets written out 26 times in different rows, each
alphabet shifted cyclically to the left compared to the previous alphabet,
corresponding to the 26 possible Caesar Ciphers.
➢ At different points in the encryption process, the cipher uses a different alphabet from
one of the rows.
➢ The alphabet used at each point depends on a repeating keyword.
Example:
Input : Plaintext : GEEKSFORGEEKS
Keyword : AYUSH
Output : Ciphertext : GCYCZFMLYLEIM
For generating key, the given keyword is repeated in a circular manner until it matches the
length of the plain text.
The keyword "AYUSH" generates the key "AYUSHAYUSHAYU"
The plain text is then encrypted using the process explained below.
Encryption
➢ The first letter of the plaintext, G is paired with A, the first letter of the key. So use
row G and column A of the Vigenère square, namely G. Similarly, for the second
letter of the plaintext, the second letter of the key is used, the letter at row E and
column Y is C. The rest of the plaintext is enciphered in a similar fashion.
Table to encrypt Geeks
Decryption
➢ Decryption is performed by going to the row in the table corresponding to the key,
finding the position of the ciphertext letter in this row, and then using the column’s
label as the plaintext.
➢ For example, in row A (from AYUSH), the ciphertext G appears in column G, which
is the first plaintext letter. Next we go to row Y (from AYUSH), locate the ciphertext
C which is found in column E, thus E is the second plaintext letter.
➢ A more easy implementation could be to visualize Vigenère algebraically by
converting [A-Z] into numbers [0–25].
Encryption
The plaintext(P) and key(K) are added modulo 26.
Ei = (Pi + Ki) mod 26
Decryption
Di = (Ei - Ki + 26) mod 26
1.7.4 Transposition Techniques
➢ A very different kind of mapping is achieved by performing some sort of permutation
on the plaintext letters. This technique is referred to as a transposition cipher.
transposition technique rearranges the characters to form a ciphertext
Rail fence
➢ It is simplest of such cipher, in which the plaintext is written down as sequence of
diagonals and then read off as a sequence of rows.
➢ The rail fence cipher offers essentially no communication security, and it will be
shown that it can be easily broken even by hand.
Example
The key for the railfence cipher is just the number of rails. To encrypt a piece of text, e.g.
defend the east wall of the castle
We write it out in a special way on a number of rails (the key here is 3)
The ciphertext is read off along the rows:
dnetlhseedheswloteateftaafcl
With a key of 4
The ciphertext is again read off along the rows:
dttfsedhswotatfneaalhcleelee
Row Transposition Ciphers
➢ In a transposition cipher, the order of the alphabets is re-arranged to obtain
the cipher-text. The message is written out in rows of a fixed length, and then read
out again column by column, and the columns are chosen in some scrambled order.
Example
Encryption
Input : Geeks for Geeks
Key = HACK
Output : e kefGsGsrekoe_
Decryption
Input : e kefGsGsrekoe_
Key = HACK
Output : Geeks for Geeks
Encryption
In a transposition cipher, the order of the alphabets is re-arranged to obtain the cipher-text.
1. The message is written out in rows of a fixed length, and then read out again column
by column, and the columns are chosen in some scrambled order.
2. Width of the rows and the permutation of the columns are usually defined by a
keyword.
3. For example, the word HACK is of length 4 (so the rows are of length 4), and the
permutation is defined by the alphabetical order of the letters in the keyword. In this
case, the order would be “3 1 2 4”.
4. Any spare spaces are filled with nulls or left blank or placed by a character
5. Finally, the message is read off in columns, in the order specified by the keyword.
1.7.5 Steganography
➢ Steganography is data hidden within data. Steganography is an encryption technique
that can be used along with cryptography as an extra-secure method in which to
protect data. At any rate, steganography protects from pirating copyrighted materials
as well as aiding in unauthorized viewing.
How is it different from cryptography?
➢ Cryptography and steganography are both methods used to hide or protect secret data.
However, they differ in the respect that cryptography makes the data unreadable, or
hides the meaning of the data, while steganography hides the existence of the data.
➢ In layman’s terms, cryptography is similar to writing a letter in a secret language:
people can read it, but won’t understand what it means. However, the existence of a
(probably secret) message would be obvious to anyone who sees the letter, and if
someone either knows or figures out your secret language, then your message can
easily be read.
➢ If you were to use steganography in the same situation, you would hide the letter
inside a pair of socks that you would be gifting the intended recipient of the letter. To
those who don’t know about the message, it would look like there was nothing more
to your gift than the socks. But the intended recipient knows what to look for, and
finds the message hidden in them.
➢ Similarly, if two users exchanged media files over the internet, it would be more
difficult to determine whether these files contain hidden messages, than if they were
communicating using cryptography.
Image Steganography
➢ As the name suggests, Image Steganography refers to the process of hiding data
within an image file. The image selected for this purpose is called the cover-
image and the image obtained after steganography is called the stego-image.(Figure
1.11)
Working Principle
➢ An image is represented as an N*M (in case of greyscale images) or N*M*3 (in case
of colour images) matrix in memory, with each entry representing the intensity value
of a pixel.
➢ In image steganography, a message is embedded into an image by altering the values
of some pixels, which are chosen by an encryption algorithm. The recipient of the
image must be aware of the same algorithm in order to known which pixels he or she
must select to extract the message.
Figure 1.11 Steganography
➢ Detection of the message within the cover-image is done by the process
of steganalysis.
➢ This can be done through comparison with the cover image, histogram plotting, or by
noise detection. While efforts are being invested in developing new algorithms with a
greater degree of immunity against such attacks, efforts are also being devoted
towards improving existing algorithms for steganalysis, to detect exchange of secret
information between terrorists or criminal elements.
1.6 Foundations of modern cryptography
➢ Modern encryption is the key to advanced computer and communication security.
This stream of cryptography is completely based on the ideas of mathematics such as
number theory and computational complexity theory as well as concepts of
probability.
Characteristics of Modern Cryptography
There are four major characteristics that separate modern cryptography from the classical
approach.
Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches −
• Cryptography
• Cryptanalysis
Cryptography
➢ Cryptography is the art and science of making a cryptosystem that is capable of
providing information security.
➢ Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information
security services.
Cryptanalysis
➢ The art and science of breaking the cipher text is known as cryptanalysis.
➢ Cryptanalysis is the sister branch of cryptography and they both co-exist. The
cryptographic process results in the cipher text for transmission or storage. It
involves the study of cryptographic mechanism with the intention to break them.
Cryptanalysis is also used during the design of the new cryptographic techniques to
test their security strengths.
Note − Cryptography concerns with the design of cryptosystems, while cryptanalysis
studies the breaking of cryptosystems.
Types of Modern Cryptography
➢ Different algorithms have come up with powerful encryption mechanisms
incorporated in them. It gave rise to two new ways of encryption mechanism for data
security. These are:
• Symmetric key encryption
• Asymmetric key encryption
Key
➢ It can be a number, word, phrase, or any code that will be used for encrypting as well
as decrypting any ciphertext information to plain text and vice versa.
➢ Symmetric and asymmetric key cryptography is based on the number of keys and the
way these keys work. Let us know about both of them in details:
Symmetric key encryption
➢ Symmetric key encryption technique uses a straight forward method of encryption.
Hence, this is the simpler among these two practices. In the case of symmetric key
encryption, the encryption is done through only one secret key, which is known as
"Symmetric Key", and this key remains to both the parties.
➢ The same key is implemented for both encodings as well as decoding the information.
So, the key is used first by the sender prior to sending the message, and on the
receiver side, that key is used to decipher the encoded message.
➢ One of the good old examples of this encryption technique is Caesar's Cipher. Modern
examples and algorithms that use the concept of symmetric key encryption are RC4,
QUAD, AES, DES, Blowfish, 3DES, etc.
Asymmetric Key Encryption
➢ Asymmetric Encryption is another encryption method that uses two keys, which is a
new and sophisticated encryption technique. This is because it integrates two
cryptographic keys for implementing data security. These keys are termed as Public
Key and Private Key.
➢ The "public key", as the name implies, is accessible to all who want to send an
encrypted message. The other is the "private key" that is kept secure by the owner of
that public key or the one who is encrypting.
➢ Encryption of information is done through public key first, with the help of a
particular algorithm. Then the private key, which the receiver possesses, will use to
decrypt that encrypted information. The same algorithm will be used in both
encodings as well as decoding.
➢ Examples of asymmetric key encryption algorithms are Diffie-Hellman and RSA
algorithm.
Security Services of Cryptography
• Confidentiality of information.
• Data Integrity.
• Authentication.
▪ Message authentication.
▪ Entity authentication.
• Non-repudiation.
Cryptography Primitives
➢ Cryptography primitives are nothing but the tools and techniques in Cryptography
that can be selectively used to provide a set of desired security services −
• Encryption
• Hash functions
• Message Authentication codes (MAC)
• Digital Signatures
The following table shows the primitives that can achieve a particular security service on
their own.
1.8.1 Perfect Security
➢ Perfect Secrecy (or information-theoretic secure) means that the ciphertext conveys
no information about the content of the plaintext. ... However, part of being
provably secure is that you need as much key material as you have plaintext to
encrypt.
1.8.2 Information Theory
➢ Information theory studies the quantification, storage,
and communication of information.
➢ It was originally proposed by Claude Shannon in 1948 to find fundamental limits
on signal processing and communication operations such as data compression.
➢ Its impact has been crucial to the success of the Voyager missions to deep space, the
invention of the compact disc, the feasibility of mobile phones, the development of
the Internet, the study of linguistics and of human perception, the understanding
of black holes, and numerous other fields.
➢ The field is at the intersection of mathematics, statistics, computer science, physics,
neurobiology, information engineering, and electrical engineering.
➢ The theory has also found applications in other areas, including statistical
inference, natural language processing, cryptography, neurobiology, human vision,
the evolution and function of molecular codes (bioinformatics), model selection in
statistics, thermal physics, quantum computing, linguistics, plagiarism detection,
pattern recognition, and anomaly detection.
➢ Important sub-fields of information theory include source coding, algorithmic
complexity theory, algorithmic information theory, information-theoretic
security, Grey system theory and measures of information.
➢ Applications of fundamental topics of information theory include lossless data
compression (e.g. ZIP files), lossy data compression (e.g. MP3s and JPEGs),
and channel coding (e.g. for DSL).
➢ Information theory is used in information retrieval, intelligence gathering, gambling,
and even in musical composition.
➢ A key measure in information theory is entropy. Entropy quantifies the amount of
uncertainty involved in the value of a random variable or the outcome of a random
process. For example, identifying the outcome of a fair coin flip (with two equally
likely outcomes) provides less information (lower entropy) than specifying the
outcome from a roll of a die (with six equally likely outcomes). Some other important
measures in information theory are mutual information, channel capacity, error
exponents, and relative entropy.
1.8.3 Product Cryptosystems
➢ A product cipher combines two or more transformations in a manner intending that
the resulting cipher is more secure than the individual components to make it resistant
to cryptanalysis.
➢ The product cipher combines a sequence of simple transformations such
as substitution (S-box), permutation (P-box), and modular arithmetic.
➢ For transformation involving reasonable number of n message symbols, both of the
foregoing cipher systems (the S-box and P-box) are by themselves wanting.
➢ The combination could yield a cipher system more powerful than either one alone.
This approach of alternatively applying substitution and permutation transformation
has been used by IBM in the Lucifer cipher system, and has become the standard for
national data encryption standards such as the Data Encryption Standard and
the Advanced Encryption Standard.
➢ A product cipher that uses only substitutions and permutations is called a SP-
network. Feistel ciphers are an important class of product ciphers.
1.7 Cryptanalysis
➢ Cryptanalysis is the art of trying to decrypt the encrypted messages without the use of
the key that was used to encrypt the messages. Cryptanalysis uses mathematical
analysis & algorithms to decipher the ciphers.
➢ The success of cryptanalysis attacks depends
• Amount of time available
• Computing power available
• Storage capacity available
The following is a list of the commonly used Cryptanalysis attacks;
• Brute force attack– this type of attack uses algorithms that try to guess all the
possible logical combinations of the plaintext which are then ciphered and compared
against the original cipher.
• Dictionary attack– this type of attack uses a wordlist in order to find a match of
either the plaintext or key. It is mostly used when trying to crack encrypted
passwords.
• Rainbow table attack– this type of attack compares the cipher text against pre-
computed hashes to find matches.
Other Attacks using Cryptanalysis
• Known-Plaintext Analysis (KPA): Attacker decrypt ciphertexts with known partial
plaintext.
• Chosen-Plaintext Analysis (CPA): Attacker uses ciphertext that matches arbitrarily
selected plaintext via the same algorithm technique.
• Ciphertext-Only Analysis (COA): Attacker uses known ciphertext collections.
• Man-in-the-Middle (MITM) Attack: Attack occurs when two parties use message or
key sharing for communication via a channel that appears secure but is actually
compromised. Attacker employs this attack for the interception of messages that pass
through the communications channel. Hash functions prevent MITM attacks.
• Adaptive Chosen-Plaintext Attack (ACPA): Similar to a CPA, this attack uses chosen
plaintext and ciphertext based on data learned from past encryptions.
Important Questions
PART B
1) Explain about Security trends in detail.
2) Discuss in detail about Legal, Ethical and Professional Aspects of Security.
3) Summarize the for Security at Multiplelevels.
4) Explain the various Security Policies in detail.
5) Describe in detail about the Model of network security.
6) Discuss in detail about various security attacks and explain the services and mechanisms
7) Explain the OSI security architecture.
8) Explain classical encryption techniques with symmetric cipher model.
9) Discuss any four Substitution Technique and list their merits and demerits
10) Explain the various transposition techniques with example.
11) Explain steganography in detail.
12) Describe in detail about the Foundations of modern cryptography.
13) Explain the following.
i) Perfect security
ii) Information theory
iii) Product cryptosystem
14) Explain in detail about cryptanalysis.
UNIT II SYMMETRIC CIPHERS
2
Number theory – Algebraic Structures – Modular Arithmetic – Euclid‘s algorithm – Congruence
and matrices – Group, Rings, Fields, Finite Fields SYMMETRIC KEY CIPHERS: SDES – Block
Ciphers – DES, Strength of DES – Differential and linear cryptanalysis – Block cipher design
principles – Block cipher mode of operation – Evaluation
criteria for AES – Pseudorandom Number Generators – RC4 – Key distribution.
2.1 Mathematics of Symmetric Key Cryptography
➢ Cryptology is the mathematics, such as number theory, and the application of
formulas and algorithms, that underpin cryptography and cryptanalysis.
➢ Since the cryptanalysis concepts are highly specialized and complex, we concentrate
here only on some of the key mathematical concepts behind cryptography.
➢ In order for data to be secured for storage or transmission, it must be transformed in
such a manner that it would be difficult for an unauthorized individual to be able to
discover its true meaning.
➢ To do this, certain mathematical equations are used, which are very difficult to solve
unless certain strict criteria are met. The level of difficulty of solving a given
equation is known as its intractability. These types of equations form the basis of
cryptography.
➢ Symmetric ciphers use symmetric algorithms to encrypt and decrypt data.
These ciphers are used in symmetric key cryptography.
➢ A symmetric algorithm uses the same key to encrypt data as it does to decrypt data.
The study of symmetric cryptosystems is referred to as symmetric cryptography.
➢ Symmetric cryptosystems are also sometimes referred to as secret key cryptosystems.
➢ A few well-known examples of symmetric key encryption methods are − Digital
Encryption Standard (DES), Triple-DES (3DES), IDEA, and BLOWFISH.
2.2 Algebraic structures
➢ Cryptography requires sets of integers and specific operations that are defined for
those sets. The combination of the set and the operations that are applied to the
elements of the set is called an algebraic structure. Figure 2.1 shows the common
algebraic structures.
Figure 2.1 Common Algebraic Structures
2.2.1 Groups
➢ A group is an algebraic structure conssting of a set of elements together with an
operation that combines any two elements to form a third element.
➢ A group G, sometimes denoted by {G, .} is a set of elements with a binary
operation, denoted by ·,that associates to each ordered pair (a, b) of elements in G
an element (a · b) in G, such that the following axioms are obeyed:
• Closure: If a and b belong to G, then a · b is also in G.
• Associative: a · (b · c) = (a · b) · c for all a, b, c in G.
• Identity element: There is an element e in G such that a · e = e · a = a for
all a in G.
• Inverse element: For each a in G there is an element a' in G such that
a · a' = a' · a = e.
➢ If a group has a finite number of elements, it is referred to as a finite group, and the
order of the group is equal to the number of elements in the group. Otherwise, the
group is an infinite group.
➢ A group is said to be abelian if it satisfies the following additional condition:
• Commutative: a · b = b · a for all a, b in G.
Cyclic Subgroups
➢ If a subgroup of a group can be generated using the power of an element, the
subgroup is called the cyclic subgroup.
Example 1:
Four cyclic subgroups can be made from the group G = <Z6, +>. There are H1 = < {0}, + >,
H2 = <{0, 2, 4}, +>, H3 = <{ 0, 3}, +> and H4 = G.
Example 2:
Three cyclic subgroups can be made from the group G = <Z10 *, x>. G has only four
elements: 1, 3, 7 and 9. The Cyclic sub groups are H1 = <{1}, x >, H2 = <{1, 9}, x>, H3 = G.
2.2.2 Rings
➢ A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the
following axioms are obeyed:
• Closure under multiplication: If a and b belong to R, then ab is also in R.
• Associativity of multiplication: a (bc) = (ab) c for all a, b, c in R.
• Distributive laws:
▪ a (b + c) = ab + ac for all a, b, c in R.
▪ (a + b) c = ac + bc for all a, b, c in R.
➢ A ring is said to be commutative if it satisfies the following additional condition:
• Commutativity of multiplication: ab = ba for all a, b in R.
➢ An integral domain, which is a commutative ring that obeys the following axioms:
• Multiplicative identity: There is an element 1 in R such that a1 = 1a = a for
all a in R.
• No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0.
2.2.3 Fields
➢ A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in F the
following axioms are obeyed:
➢ F is an integral domain; that is, F satisfies axioms of Groups and Rings.
• Multiplicative inverse: For each a in F, except 0, there is an element a-1 in F
such that aa-1 = (a-1) a = 1.
➢ A field is a set in which we can do addition, subtraction, multiplication, and division
without leaving the set. Division is defined with the following rule:
• a/b = a(b-1)
2.3 Finite Fields
➢ Finite Fields, also known as Galois Fields, are cornerstones for understanding
any cryptography.
➢ A field can be defined as a set of numbers that we can add, subtract, multiply and
divide together and only ever end up with a result that exists in our set of numbers.
➢ Galois showed that for a field to be finite, the number of elements should be pn, where
p is a prime and n is a positive integer.
➢ A Galois field, GF(pn), is a finite field with pn elements.
2.3.1 Finite Fields of Order p
➢ For a given prime, p, the finite field of order p, GF(p) is defined as the set Zp of
integers {0, 1,..., p- 1}, together with the arithmetic operations modulo p.
➢ A very common field in this category is GF(2) with the set {0, 1} and two operations,
addition and multiplication, as shown in Figure 2.2
Figure 2.2 GF(2) field
➢ We can define GF(5) on the set Z5 (5 is a prime) with addition and multiplication
operators as shown in Figure 2.3.
Figure 2.3 GF(5) field
2.4 Modular Arithmetic
➢ Modular arithmetic is a system of arithmetic for integers, where values reset to zero
and begin to increase again, after reaching a certain predefined value, called the
modulus (modulo). Modular arithmetic is widely used in computer science
and cryptography.
2.4.1 The Modulus
➢ If a is an integer and n is a positive integer, we define a mod n to be the remainder
when a is divided by n. The integer n is called the modulus.
Example
• 11 mod 7 = 4
• -5 mod 3 = 1
By using counter clockwise method
Let n = 3 and p = -5 so the values are taken 0, 1, 2. If these values are put in clockwise
the numbers are 2 1 0 1 2 because p is 5. The starting from the counter clockwise
direction the values are moved to n = 3, so it stop at 1. So, the answer is 1.
2.4.2 Congruence
➢ Congruences are an important and useful tool for the study of divisibility.
➢ If a and b are integers and n > 0, we write
a ≡ b mod n
to mean n| (b − a). We read this as “a is congruent to b modulo (or mod) n.
Properties of congruences
• a ≡ a (mod n)
• if a ≡ b (mod n) then b ≡ a (mod n)
• if a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)
Example 1: 29 ≡ 8 mod 7, and 60 ≡ 0 mod 15.
➢ The notation is used because the properties of congruence “≡” are very similar to the
properties of equality “=”.
Example 2: 38 ≡ 14 (mod 12)
➢ Because 38 − 14 = 24, which is a multiple of 12, or, equivalently, because both 38 and
14 have the same remainder 2 when divided by 12.
➢ The same rule holds for negative values:
▪ -8 ≡ 7 (mod 5)
▪ 2 ≡ -3 (mod 5)
▪ -3 ≡ -8 (mod 5)
Example 3: Find 17341 mod 5.
We have 17 ≡ 2 mod 5
Squaring, we have
172 ≡ 4 ≡ −1 mod 5
Squaring again, we find
174 ≡ 1 mod 5
Now, 1 to any power is 1, so we raise this last congruence to the 85th power. Why
85? Just wait a moment to find out. We then find
17340 ≡ 1 mod 5
Finally, multiply by the first congruence to obtain
17341 ≡ 2 mod 5
So, the required remainder is 2.
The strategy is to find some power of 17 to be 1 mod 5. Here, the power 4 worked.
The we divided 4 into 341 to get a quotient 85, and this is the power we used on the
congruence 174 ≡ 1 mod 5. Note also the little trick of replacing 4 by −1 mod 5. This
gives an easier number to square.
2.5 Modular Arithmetic Operations
Properties of Modular Arithmetic
1. [(a mod n) + (b mod n)] mod n = (a + b) mod n
2. [(a mod n) (b mod n)] mod n = (a b) mod n
3. [(a mod n) x (b mod n)] mod n = (a x b) mod n
2.5.1 Modular Addition
• Add two numbers
• Divide the sum and find modular
Example
Given a = 35, b = 10 and n = 12
(a + b) mod n
= (35 + 10) mod 12
= 45 mod 12
=9
2.5.2 Modular Subtraction
• Subtract two numbers
• Find the mod value
Example 1:
a = 25, b = 8, and n = 12
(a - b) mod n
= (25 - 10) mod 12
= 17 mod 12
=5
Example 2:
a = 11, b = 50, and n = 15
(a - b) mod n
= (11 - 50) mod 15
= -39 mod 15
=6
2.5.3 Modular Multiplication
• Multiple two numbers
• Find the mod value
Example
a = 5, b = 8, and n = 12
= 40 mod 12
=4
2.5.4 Modular Division
Example
Compute 5/7 mod 12
x = 5/7 mod 12
7x = 5 mod 12
Here, x takes the values from 0 to 11
If we put x = 11, we get
(7 x 11) mod 12 = 5 mod 12
= 77 mod 12
=5
2.6 Euclid's algorithm
➢ The Euclid's algorithm (or Euclidean Algorithm) is a method for
efficiently finding the greatest common divisor (GCD) of two numbers.
The GCD of two integers X and Y is the largest number that divides both of X and
Y (without leaving a remainder).
➢ For every non-negative integer, a and any positive integer b
gcd (a, b) = gcd (b, a mod b)
Example 1:
gcd (55, 22) = gcd (22, 55 mod 22)
= gcd (22, 11)
= gcd (11, 22 mod 11)
= gcd (11, 0)
gcd (55, 22) is 11
Example 2:
gcd (30, 50) = gcd (50, 30 mod 50)
= gcd (50, 30)
= gcd (30, 50 mod 30)
= gcd (30, 20)
= gcd (20, 30 mod 20)
= gcd (20, 10)
= gcd (10, 20 mod 10)
= gcd (10, 0)
gcd (30, 50) is 10
Another Method
Examples:
Find the GCD
• GCD (12, 8)
• GCD (200, 1000)
• GCD (7, 122)
2.7 Symmetric Key Ciphers
➢ Symmetric ciphers use the same cryptographic keys for both encryption of
plaintext and decryption of ciphertext. They are faster than
asymmetric ciphers and allow encrypting large sets of data. However, they require
sophisticated mechanisms to securely distribute the secret keys to both parties
Types of keys are used in symmetric key cryptography
➢ Symmetric encryption (figure 2.4) uses a single key that needs to be shared
among the people who need to receive the message while
asymmetrical encryption uses a pair of public key and a private key to encrypt and
decrypt messages when communicating.
Figure 2.4 Simplified Model of Symmetric Encryption
2.8 Simplified Data Encryption Standard (S-DES)
➢ The overall structure of the simplified DES shown in Figure 2.5. The S-DES
encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-
bit key as input and produces an 8-bit block of ciphertext as output.
➢ The S-DES decryption algorithm takes an 8-bit block of ciphertext and the same 10-
bit key used to produce that ciphertext as input and produces the original 8-bit block
of plaintext.
Figure 2.5 Overview of S-DES Algorithm
The encryption algorithm involves five functions:
• An initial permutation (IP)
• A complex function labeled fk, which involves both permutation and
substitution operations and depends on a key input.
• A simple permutation function that switches (SW) the two halves of the
data.
• The function fk again.
• A permutation function that is the inverse of the initial permutation
➢ The function fk takes as input not only the data passing through the encryption
algorithm, but also an 8-bit key. Here a 10-bit key is used from which two 8-bit
subkeys are generated.
➢ The key is first subjected to a permutation (P10). Then a shift operation is performed.
The output of the shift operation then passes through a permutation function that
produces an 8-bit output (P8) for the first subkey (K1).
➢ The output of the shift operation also feeds into another shift and another instance of
P8 to produce the second subkey (K2).
➢ The encryption algorithm can be expressed as a composition composition1 of
functions:
IP-1 ο fK2 ο SW ο fk1 ο IP, which can also be written as
Ciphertext = IP-1 (fK2 (SW (fk1 (IP (plaintext)))))
Where
o K1 = P8 (Shift (P10 (Key)))
o K2 = P8 (Shift (shift (P10 (Key))))
➢ Decryption can be shown as Plaintext = IP-1 (fK1 (SW (fk2 (IP(ciphertext)))))
2.8.1 S-DES Key Generation
➢ S-DES depends on the use of a 10-bit key shared between sender and receiver. From
this key, two 8-bit subkeys are produced for use in particular stages of the encryption
and decryption algorithm.(Figure 2.6)
Figure 2.6 S-DES Key Generation
➢ First, permute the key in the following fashion. Let the 10-bit key be designated as
(k1, K2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:
P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, K2, k7, k4, k10 10, k1, k9, k8,
k6).
➢ P10 can be concisely defined by the display:
➢ This table is read from left to right; each position in the table gives the identity of the
input bit that produces the output bit in that position. So, the first output bit is bit 3 of
the input; the second output bit is bit 5 of the input, and so on.
Example
➢ The 10 bit key is (1010000010), now find the permutation from P10 for this key so it
becomes (10000 01100).
➢ Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits
and the second five bits. In our example, the result is (00001 11000).
➢ Next, apply P8, which picks out and permutes 8 of the 10 bits according to the
following rule:
➢ So, The result is subkey 1 (K1). In our example, this yield (10100100).
➢ Then go back to the pair of 5-bit strings produced by the two LS-1 functions and
performs a circular left shift of 2 bit positions on each string. In our example, the
value (00001 11000) becomes (00100 00011).
➢ Finally, P8 is applied again to produce K2. In our example, the result is (01000011).
2.8.2 S-DES Encryption
➢ Encryption involves the sequential application of five functions (Figure 2.7).
1. Initial Permutations
➢ The input to the algorithm is an 8-bit block of plaintext, which we first permute using
the IP function
The plaintext is 10111101
Permutated output is 01111110
Figure 2.7 S-DES Encryption
2. The Function fk
➢ The most complex component of S-DES is the function fk, which consists of a
combination of permutation and substitution functions. The functions can be
expressed as follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-
bit input to f K, and let F be a mapping (not necessarily one to one) from 4-bit strings
to 4-bit strings. Then we let
Fk (L, R) = (L⊕ F (R, SK), R)
Where SK is a sub key and ⊕ is the bit-by- bit exclusive OR function
➢ Now, describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first
operation is an expansion/permutation operation:
➢ Now, find the E/P from IP
IP = 01111110, it becomes
E/P = 01111101
➢ Now, XOR with K1
=> 01111101 ⊕ 10100100 = 11011001
➢ The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce
a 2- bit output, and the remaining 4 bits (second row) are fed into S1 to produce
another 2-bit output.
➢ These two boxes are defined as follows:
➢ The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit
number that specify a row of the S-box, and the second and third input bits specify a
column of the S-box. Each s box gets 4-bit input and produce 2 bits as output. It
follows 00- 0, 01-1, 10-2, 11-3 scheme.
Here, take first 4 bits, Second 4 bits
S0 => 1101 S1 => 1001
11 - > 3 11 -> 3
10 -> 2 => 3 =>11 00 -> 0 = > 2 => 10
So, we get 1110
➢ Now, find P4
After P4, the value is 1011
Now, XOR operation 1011⊕ 0111 => 1100
3. The Switch function
➢ The switch function (sw) interchanges the left and right 4 bits.
1100 1110
1110 1100
4. Second function fk
➢ First, do E/P function and XOR with K2, the value is 01101001⊕01000011, the
answer is 00101010
➢ Now, find S0 and S1
S0 => 00 - > 0 S1 = > 10 -> 2
01 -> 1 => 0 = 00 01 -> 1 = > 0 => 00
Value is 0000
➢ Now, find P4 and XOR operation
After P4 => 0000 ⊕ 1110 = 1110, then concatenate last 4 bits after
interchange in sw.
➢ Now value is 11101100
5. Find IP-1
So, value is 01110101
The Ciphertext is 01110101
2.8.3 S-DES Decryption
➢ Decryption involves the sequential application of five functions.
1. Find IP
• After IP, value is 11101100
2. Function fk
• After step 2, the answer is 11101100
3. Swift
• The answer is 11001110
4. Second fk
• The answer is 01111110
5. Find IP-1
• 101111101 -> Plaintext
2.9 Block Cipher Principles
➢ All symmetric block encryption algorithms in current use are based on a structure
referred to as Fiestel block cipher.
Stream Ciphers and Block Ciphers
➢ A stream cipher is one that encrypts a digital data stream one bit or one byte at a
time. E.g, vigenere cipher. Figure (2.8a)
➢ A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a cipher text block of equal length. Typically, a block size of 64 or 128 bits
is used. Figure (2.8b)
Figure 2.8 Stream Cipher and Block Cipher
➢ Many block ciphers have a Feistel structure. Such a structure consists of a number of
identical rounds of processing.
➢ In each round, a substitution is performed on one half of the data being processed,
followed by a permutation that interchanges the two halves.
➢ The original key is expanded so that a different key is used for each round.
➢ The Data Encryption Standard (DES) has been the most widely used encryption
algorithm. It exhibits the classic Feistel structure.
➢ The DES uses a 64-bit block and a 56-bit key. Two important methods of
cryptanalysis are differential cryptanalysis and linear cryptanalysis. DES has been
shown to be highly resistant to these two types of attack.
➢ A block cipher operates on a plaintext block of n bits to produce a ciphertext block of
n bits. There are possible different plaintext blocks and, for the encryption to be
reversible (i.e., for decryption to be possible), each must produce a unique ciphertext
block. Such a transformation is called reversible, or nonsingular
➢ In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations, where these terms are defined as follows:
• Substitution: Each plaintext element or group of elements is uniquely replaced
by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation
of that sequence. That is, no elements are added or deleted or replaced in the
sequence, rather the order in which the elements appear in the sequence is
changed.
➢ Two methods for frustrating statistical cryptanalysis are:
• Diffusion – Each plaintext digit affects many ciphertext digits, or each
ciphertext digit is affected by many plaintext digits.
• Confusion – Make the statistical relationship between a plaintext and the
corresponding ciphertext as complex as possible in order to thread attempts to
deduce the key.
2.9.1 Feistel cipher structure
➢ The left-hand side of figure 2.9 depicts the structure proposed by Feistel.
➢ The input to the encryption algorithm is a plaintext block of length 2w bits and a key
K. the plaintext block is divided into two halves L0 and R0.
➢ The two halves of the data pass through n rounds of processing and then combine to
produce the ciphertext block. Each round i has inputs Li-1 and Ri-1, derived from the
previous round, as well as the subkey Ki, derived from the overall key K.
➢ In general, the subkeys Ki are different from K and from each other. All rounds have
the same structure.
➢ A substitution is performed on the left half of the data (as similar to S-DES). This is
done by applying a round function F to the right half of the data and then taking the
XOR of the output of that function and the left half of the data.
➢ The round function has the same general structure for each round but is parameterized
by the round subkey ki. Following this substitution, a permutation is performed that
consists of the interchange of the two halves of the data.
➢ This structure is a particular form of the substitution-permutation network.
Figure 2.9 Feistel Encryption and Decryption (16 rounds)
The features of Feistel network are:
• Block size - Increasing size improves security, but slows cipher
• Key size - Increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• Number of rounds - Increasing number improves security, but slows cipher
• Subkey generation - Greater complexity can make analysis harder, but slows
cipher
• Round function - Greater complexity can make analysis harder, but slows
cipher
➢ The process of decryption is essentially the same as the encryption process.
➢ The rule is as follows: use the cipher text as input to the algorithm, but use the subkey
ki in reverse order. i.e., kn in the first round, kn-1 in second round and so on.
➢ For clarity, we use the notation LEi and REi for data traveling through the decryption
algorithm and LDi and RDi.
➢ The above diagram indicates that, at each round, the intermediate value of the
decryption process is same (equal) to the corresponding value of the encryption
process with two halves of the value swapped.
i.e., REi || LEi (or) equivalently RD16-i || LD16-i
➢ After the last iteration of the encryption process, the two halves of the output are
swapped, so that the cipher text is RE16 || LE16.
➢ The output of that round is the cipher text. Now take the cipher text and use it as input
to the same algorithm.
➢ The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the
output of the sixteenth round of the encryption process.
➢ Now we will see how the output of the first round of the decryption process is equal
to a 32-bit swap of the input to the sixteenth round of the encryption process.
➢ First consider the encryption process,
➢ Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit
swap recovers the original plaintext.
2.10 Data Encryption Standard (DES)
➢ The Data Encryption Standard (DES) is a symmetric-key block cipher published by
the National Institute of Standards and Technology (NIST).
➢ DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The
block size is 64-bit. Though, key length is 64-bit, DES has an effective key length of
56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm.
These 8 bits can be used as parity bits or simply set arbitrarily
➢ The general Structure of DES is depicted in the following illustration −Figure 2.10
Figure 2.10 General Structure of DES Encryption Algorithm
2.10.1 DES Encryption
➢ The processing of the plaintext proceeds in three phases. First, the 64-bit plaintext
passes through an initial permutation (IP) that rearranges the bits to produce the
permuted input.
➢ Second phase consisting of sixteen rounds of the same function, which involves both
permutation and substitution functions. The output of the last (sixteenth) round
consists of 64 bits that are a function of the input plaintext and the key. The left and
right halves of the output are swapped to produce the preoutput.
➢ Finally, the preoutput is passed through a permutation [IP-1] that is the inverse of the
initial permutation function, to produce the 64-bit ciphertext.
➢ Figure 2.10 shows the way in which the 56-bit key is used. Initially, the key is passed
through a permutation function. Then, for each of the sixteen rounds, a subkey (Ki) is
produced by the combination of a left circular shift and a permutation. The
permutation function is the same for each round, but a different subkey is produced
because of the repeated shifts of the key bits.
Initial Permutation
➢ The initial permutation and its inverse are defined by tables, as shown in Tables 2.1(a)
and 2.1(b), respectively.
➢ The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the
permutation table contain a permutation of the numbers from 1 to 64. Each entry in
the permutation table indicates the position of a numbered input bit in the output,
which also consists of 64 bits.
➢ Consider the following 64-bit input M:
Where Mi is a binary digit. Then the permutation X = (IP(M) is as follows:
If we then take the inverse permutation, Y = IP-1(X) = IP-1(IP(M)) it can be seen that the
original ordering of the bits is restored.
Table 2.1 Permutation Tables for DES
2.10.2 Details of Single Round
➢ Figure 2.11 shows the internal structure of a single round. The left and right halves of
each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left)
and R (right).
➢ The overall processing at each round can be summarized in the following formulas:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
➢ The round key Ki is 48 bits. The input R is 32 bits. This input R is first expanded to
48 bits by using a table that defines a permutation plus an expansion that involves
duplication of 16 of the R bits (Table 2.1c).The resulting 48 bits are XORed with K i
This 48-bit result passes through a substitution function that produces a 32-bit output,
which is permuted as defined by Table 2.1d.
Figure 2. 11 Single Round of DES Algorithm
2.10.3 Key Generation
➢ A 64-bit key is used as input to the algorithm. The bits of the key are numbered from
1 through 64; every eighth bit is ignored, as indicated by the lack of shading in Table
2.2a.
➢ The key is first subjected to a permutation governed by a table labeled Permuted
Choice One (Table 2.2b).
➢ The resulting 56-bit key is then treated as two 28-bit quantities, labelled C0 and D0.
➢ At each round, and are separately subjected to a circular left shift or (rotation) of 1 or
2 bits, as governed by Table 2.2d.
➢ These shifted values serve as input to the next round.
➢ They also serve as input to the part labeled Permuted Choice Two (Table 2.2c), which
produces a 48-bit output that serves as input to the function F(Ri-1, Ki)
Table 2.2 DES Key Calculation
2.10.4 S Boxes
➢ The substitution consists of a set of eight S-boxes (Figure 2.12), each of which
accepts 6 bits as input and produces 4 bits as output.
➢ The 32-bit output from the eight S-boxes is then permuted, so that on the next round,
the output from each S-box immediately affects as many others as possible.
Figure 2.12 Calculation of F (R. K)
2.10.5 Avalanche Effect
➢ A desirable property of any encryption algorithm is that a small change in either the
plaintext or the key should produce a significant change in the ciphertext.
➢ In particular, a change in one bit of the plaintext or one bit of the key should produce
a change in many bits of the ciphertext. Figure 2.13 shows the avalanche effect.
Figure 2.13 Avalanche Effect in DES
2.11 The Strength of DES
➢ The Use of 56-Bit Keys With a key length of 56 bits, there are 256 possible keys,
which is approximately 7.2 X 1016 keys.
➢ Thus, on the face of it, a brute-force attack appears impractical. Assuming that, on
average, half the key space has to be searched, a single machine performing one DES
encryption per microsecond would take more than a thousand years to break the
cipher.
➢ DES finally and definitively proved insecure in July 1998, when the Electronic
Frontier Foundation (EFF) announced that it had broken a DES encryption using a
special-purpose “DES cracker” machine that was built for less than $250,000. The
attack took less than three days.
➢ The EFF has published a detailed description of the machine, enabling others to build
their own cracker and hardware prices will continue to drop as speeds increase,
making DES virtually worthless.
➢ There are a number of alternatives to DES, the most important of which are AES and
triple DES.
2.12 Differential and Linear Cryptanalysis
➢ The DES algorithm is vulnerability against brute-force attack because of its relatively
short (56 bits) key length.
➢ The increasing popularity of block ciphers with longer key lengths, including triple
DES, brute-force attacks have become increasingly impractical. Thus, there has been
increased emphasis on cryptanalytic attacks on DES and other symmetric block
ciphers.
2.12.1 Differential Cryptanalysis
➢ Differential cryptanalysis is a general form of cryptanalysis applicable primarily to
block ciphers, but also to stream ciphers and cryptographic hash functions. In the
broadest sense, it is the study of how differences in information input can affect the
resultant difference at the output.
➢ Differential cryptanalysis is the first published attack that is capable of breaking DES
in less than 255encryptions. The scheme can successfully cryptanalyze DES with an
effort on the order of 247encryptions, requiring chosen plaintexts. Although 247 is
certainly significantly less than 255, the need for the adversary to find 247 chosen
plaintexts makes this attack of only theoretical interest.
2.12.2 Linear Cryptanalysis
➢ This attack is based on finding linear approximations to describe the transformations
performed in DES.
➢ This method can find a DES key given 243 known plaintexts, as compared 247 to
chosen plaintexts for differential cryptanalysis. Although this is a minor improvement,
because it may be easier to acquire known plaintext rather than chosen plaintext, it
still leaves linear cryptanalysis infeasible as an attack on DES.
2.13 Block Cipher Design Principles
➢ There are three critical aspects of block cipher design:
• The number of rounds
• Design of the function F
• Key scheduling
DES Design Criteria
➢ The criteria used in the design of DES, focused on the design of the S-boxes and on
the P function that takes the output of the S-boxes. The criteria for the S-boxes are as
follows.
• No output bit of any S-box should be too close a linear function of the input
bits. Specifically, if we select any output bit and any subset of the six input
bits, the fraction of inputs for which this output bit equals the XOR of these
input bits should not be close to 0 or 1, but rather should be near 1/2.
• Each row of an S-box (determined by a fixed value of the leftmost and
rightmost input bits) should include all 16 possible output bit combinations.
• If two inputs to an S-box differ in exactly one bit, the outputs must differ in at
least two bits.
• If two inputs to an S-box differ in the two middle bits exactly, the outputs
must differ in at least two bits.
• If two inputs to an S-box differ in their first two bits and are identical in their
last two bits, the two outputs must not be the same.
• For any nonzero 6-bit difference between inputs, no more than eight of the 32
pairs of inputs exhibiting that difference may result in the same output
difference.
• This is a criterion similar to the previous one, but for the case of three S-
boxes.
➢ The S-boxes are the only nonlinear part of DES. If the S-boxes were linear (i.e., each
output bit is a linear combination of the input bits), the entire algorithm would be
linear and easily broken.
2.13.1 Number of Rounds
➢ The greater the number of rounds, the more difficult it is to perform cryptanalysis,
even for a relatively weak F.
➢ In general, the criterion should be that the number of rounds is chosen so that known
cryptanalytic efforts require greater effort than a simple brute-force key search attack.
➢ This criterion was certainly used in the design of DES. It observes that for 16-round
DES, a differential cryptanalysis attack is slightly less efficient than brute force.
➢ The differential cryptanalysis attack requires 255.1 operations, whereas brute force
requires 255. If DES had 15 or fewer rounds, differential cryptanalysis would require
less effort than a brute-force key search.
2.13.2 Design of Function F
➢ The heart of a Feistel block cipher is the function F. The function DES relies on the
use of S-boxes.
Design Criteria for F
➢ The function F provides the element of confusion in a Feistel cipher. Thus, it must be
difficult to “unscramble” the substitution performed by F. One obvious criterion is
that F be nonlinear. If so, it will be very difficult any type of cryptanalysis. Several
other criteria should be considered in designing F.
➢ The algorithm to have good avalanche properties. That means, a change in one bit of
the input should produce a change in many bits of the output. A more stringent
version of this is the Strict Avalanche Criterion (SAC) which states that any output
bit of an S-box should change with probability 1/2 when any single input bit i is
inverted for all i, j.
➢ Another criterion is the Bit Independence Criterion (BIC), which states that output
bits j and k should change independently when any single input bit i is inverted for all
i, j and k.
S -Box Design
➢ One of the most intense areas of research in the field of symmetric block ciphers is
that of S-box design.
➢ One obvious characteristic of the S-box is its size. An n x m S-box has n input bits
and m output bits. DES has 6 x 4 S-boxes.
➢ The encryption algorithm Blowfish, has 8 x 32 S-boxes. Larger S-boxes, by and large,
are more resistant to differential and linear cryptanalysis. The S-box design suggests
the following approaches:
• Random: Use some pseudorandom number generation or some table of
random digits to generate the entries in the S-boxes. This may lead to boxes
with undesirable characteristics for small sizes (e.g.,6 x 4) but should be
acceptable for large S-boxes (e.g.,8 x 32).
• Random with testing: Choose S-box entries randomly, then test the results
against various criteria.
• Human-made: This is a more or less manual approach with only simple
mathematics to support it. It is apparently the technique used in the DES
design. This approach is difficult to carry through for large S-boxes.
• Math-made: Generate S-boxes according to mathematical principles. By
using mathematical construction, S-boxes can be constructed that offer proven
security against linear and differential cryptanalysis, together with good
diffusion.
2.13.3 Key Scheduling
➢ A final area of block cipher design is the key schedule algorithm. With any Feistel
block cipher, the key is used to generate one subkey for each round. In general, select
subkeys to maximize the difficulty of deducing individual subkeys and the difficulty
of working back to the main key.
2.14 Block Cipher Mode of Operation
➢ Encryption algorithms are divided into two categories based on input type, as block
cipher and stream cipher.
➢ Block cipher is an encryption algorithm which takes fixed size of input say b bits and
produces a ciphertext of b bits again.
➢ If input is larger than b bits it can be divided further. For different applications and
uses, there are several modes of operations for a block cipher.
➢ The five standard Modes of Operation:
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)
Electronic Code Book (ECB)
➢ Electronic code book is the easiest block cipher mode of functioning. It is easier
because of direct encryption of each block of input plaintext and output is in form of
blocks of encrypted ciphertext (Figure 2.14).
➢ Generally, if a message is larger than b bits in size, it can be broken down into bunch
of blocks and the procedure is repeated. In this approach, the plaintext is handled one
block at a time and each block of plaintext is encrypted using the same key.
➢ The term codebook is used because, for a given key, there is a unique ciphertext for
every b-bit block of plaintext.
Advantages
➢ Parallel encryption of blocks of bits is possible, thus it is a faster way of
encryption.
➢ Simple way of block cipher.
Disadvantages
➢ Prone to cryptanalysis since there is a direct relationship between plaintext and
ciphertext.
Cj = E (K, Pj) j = 1…, N
Pj = D (K, Cj) j = 1…, N
Figure 2.14 Electronic Code Book
Cipher Block Chaining (CBC)
➢ This approach overcome the security deficiencies of ECB. In this scheme (Figure
2.15), the input to the encryption algorithm is the XOR of the current plaintext block
and the preceding ciphertext block; the same key is used for each block.
➢ In effect, we have chained together the processing of the sequence of plaintext blocks.
➢ The CBC mode requires that the last block be padded to a full bits if it is a partial
block.
➢ To produce the first block of ciphertext, an Initialization Vector (IV) is XORed with
the first block of plaintext.
➢ On decryption, the IV is XORed with the output of the decryption algorithm to
recover the first block of plaintext.
➢ The IV is a data block that is that same size as the cipher block. The IV must be
known to both the sender and receiver but be unpredictable by a third party. In
particular, for any given plaintext, it must not be possible to predict the IV that will be
associated to the plaintext in advance of the generation of the IV. For maximum
security, the IV should be protected against unauthorized changes.
Figure 2.15 Cipher Block Chaining
Advantages
➢ CBC works well for input greater than b bits.
➢ CBC is a good authentication mechanism.
➢ Better resistive nature towards cryptanalysis than ECB.
Disadvantages
➢ Parallel encryption is not possible since every encryption requires previous
cipher.
Cipher Feedback (CFB)
➢ In this approach (figure 2.16), the input to the encryption function is a b-bit shift
register that is initially set to some initialization vector (IV).
➢ The leftmost (most significant) s bits of the output of the encryption function are
XORed with the first segment of plaintext P1 to produce the first unit of
ciphertext C1, which is then transmitted.
➢ In addition, the contents of the shift register are shifted left by s bits, and C1 is
placed in the rightmost (least significant) s bits of the shift register. This process
continues until all plaintext units have been encrypted.
➢ For decryption, the same scheme is used, except that the received ciphertext unit
is XORed with the output of the encryption function to produce the plaintext
unit. Let MSBs (X) be defined as the most significant s bits of X. Then,
C1 = P1 ⊕ MSBs [E (K, IV)]
P1 = C1 ⊕MSBs [E (K, IV)]
Figure 2.16 Cipher Feedback
Advantages
➢ Since, there is some data loss due to use of shift register, thus it is difficult for
applying cryptanalysis.
Output Feedback (OFB)
➢ The output feedback (OFB) mode is similar in structure to that of CFB (Figure 2.17),
it is the output of the encryption function that is fed back to the shift register in OFB,
whereas in CFB, the ciphertext unit is fed back to the shift register.
➢ The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, not on an s bit subset. Encryption and Decryption can be expressed as
Cj = Pj ⊕ E (K, [Cj-i_ Pj-1])
Pj = Cj ⊕E (K, [Cj-1 _ Pj-1])
Figure 2.17 Output Feedback
Advantages
➢ Bit errors in transmission do not propagate
Disadvantages
➢ It is more vulnerable to a message stream modification attack than is CFB.
Counter (CTR)
➢ A counter equal to the plaintext block size is used. The only requirement stated is that
the counter value must be different for each plaintext block that is encrypted (Figure
2.18).
➢ Typically, the counter is initialized to some value and then incremented by 1 for each
subsequent block (modulo, where is the block size).
➢ For encryption, the counter is encrypted and then XORed with the plaintext block to
produce the ciphertext block; there is no chaining.
➢ For decryption, the same sequence of counter values is used, with each encrypted
counter XORed with a ciphertext block to recover the corresponding plaintext block.
Thus, the initial counter value must be made available for decryption.
➢ Given a sequence of counters T1, T2, …, TN, we can define CTR mode as follows.
➢ For the last plaintext block, which may be a partial block of bits, the most significant
bits of the last output block are used for the XOR operation; the remaining bits are
discarded.
Figure 2.18 Counter
Advantages
➢ Hardware efficiency
➢ Software efficiency
➢ Preprocessing
➢ Random access
➢ Provable security
➢ Simplicity
2.15 Evaluation criteria for AES
➢ AES has been subjected to more scrutiny than any other encryption algorithm over a
longer period of time, and no effective cryptanalytic attack based on the algorithm
rather than brute force has been found.
➢ The principal 3DES is that the algorithm is relatively sluggish in software. The
original DES was designed in 1970, the hardware implementation does not produce
efficient software code. 3DES which has three times as many rounds as DES, is
correspondingly slower. The secondary drawback is that both DES and 3DES use a 64
bits block size.
➢ Because of these drawbacks 3DES is not a reasonable for long time use. As a
replacement, proposed a new symmetric encryption algorithm which is called
Advanced Encryption Standard, which should have security strength equal to or better
than 3DES and significantly improved efficiency. The three categories of criteria
were:
• Security: This refers to the effort required to cryptanalyze an algorithm. The
emphasis in the evaluation was on the practicality of the attack. Because the
minimum key size for AES is 128 bits, brute-force attacks with current and
projected technology were considered impractical. Therefore, the emphasis,
with respect to this point, is cryptanalysis other than a brute-force attack.
• Cost: NIST intends AES to be practical in a wide range of applications.
Accordingly, AES must have high computational efficiency, so as to be usable
in high-speed applications, such as broadband links.
• Algorithm and implementation characteristics: This category include a variety
of considerations, including flexibility; suitability for a variety of hardware
and software implementations; and simplicity, which will make an analysis of
security more straightforward.
2.16 Advanced Encryption Standard (AES)
➢ The more popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). It is found at
least six time faster than triple DES.
➢ The AES algorithm developed by two Belgian cryptographers, Vincent
Rijmen and Joan Daemen.
➢ The cipher takes a plaintext block size of 128 bits, or 16 bytes. The key length can be
16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128,
AES-192, or AES-256, depending on the key length.
Overall Structure of AES
➢ The AES is an iterative rather than Feistel cipher. It is based on ‘substitution–
permutation network’. It comprises of a series of linked operations, some of which
involve replacing inputs by specific outputs (substitutions) and others involve
shuffling bits around (permutations).
➢ Interestingly, AES performs all its computations on bytes rather than bits. Hence,
AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged
in four columns and four rows for processing as a matrix.
➢ Unlike DES, the number of rounds in AES is variable and depends on the length of
the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14
rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key,
which is calculated from the original AES key.
➢ The overall structure of AES (figure 2.19) focus particularly on the four steps used in
each round of AES:
• Byte Substitution
• Shift Rows
• Mix Columns
• Add Round Key
Figure 2.19 Overal Structure of AES
2.16.1 Encryption Process
Byte Substitution (SubBytes)
➢ Uses an S-box to perform a byte-by-byte substitution of the block. The forward
substitute byte transformation, called SubBytes, is a simple lookup the S-box table
and replace the value (Figure 2.20). AES defines a 16 X 16 matrix of byte values,
called an S-box that contains a permutation of all possible 256 8-bit values.
➢ Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as
a column value. These row and column values serve as indexes into the S-box to
select a unique 8-bit output value.
Figure 2.20 Substitute Byte Transformation
➢ For example (Table 2.3), the hexadecimal value {86} references row 8, column 6 of
the S-box, which contains the value {44}. Accordingly, the value {44} is mapped into
the value {86} from Inverse S-box at decryption stage.
Table 2.3
Example of SubBytes transformation
Shift Rows Transformation
➢ In Shift Rows transformation (figure 2.21), the first row of State is not altered. For the
second row, a 1-byte circular left shift is performed. For the third row, a 2-byte
circular left shift is performed. For the fourth row, a 3-byte circular left shift is
performed.
Figure 2.21 Shift Row Transformation
Example of Shift Rows Tranformation
MixColumns Transformation
➢ It operates on each column individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in that column. The transformation can be
defined by the following matrix multiplication on State (Figure 2.22)
Figure 2.22 MixColumns Transformation
Example of MixColumns Transsormation
AddRoundKey Transormation
➢ It is a simple bitwise XOR of the current block with a portion of the expanded key.
The 128 bits of State are bitwise XORed with the 128 bits of the round key. As
shown in Figure 2.23, the operation is viewed as a columnwise operation between the
4 bytes of a State column and one word of the round key; it can also be viewed as a
byte-level operation.
Figure 2.23 AddRoundKey Transformation
Example of AddRoundKey
2.16.2 AES Key Expansion Algorithm
➢ This algorithm takes as input a four-word (16-byte) key and produces a linear array of
44 words (176 bytes).
➢ This is sufficient to provide a four-word round key for the initial AddRoundKey stage
and each of the 10 rounds of the cipher.
➢ The key is copied into the first four words of the expanded key. The remainder of the
expanded key is filled in four words at a time. Each added word w[i] depends on the
immediately preceding word w[i-1], and the word four positions back, w[i-4].
➢ In three out of four cases, a simple XOR is used. For a word whose position in the w
array is a multiple of 4, a more complex function is used. Figure 2.24 illustrates the
generation of the expanded key, using the symbol g to represent that complex
function.
Figure 2.24 AES Key Expansion
2.17 RC4
➢ RC4 is an encryption algorithm created in 1987 by Ronald Rivest of RSA Security. It
is a stream cipher (figure 2.25), which means that each digit or character is encrypted
one at a time. A cipher is a message that has been encoded.
➢ A key input is pseudorandom bit generator that produces a stream 8-bit number that is
unpredictable without knowledge of input key.
➢ The output of the generator is called key-stream, is combined one byte at a time with
the plaintext stream cipher using X-OR operation.
Figure 2.25 Stream Cipher Diagram
Example
2.17.1 Key Generation Algorithm
➢ A variable-length key from 1 to 256 byte is used to initialize a 256-byte state vector S,
with elements S[0] to S[255]. For encryption and decryption, a byte k is generated
from S by selecting one of the 255 entries in a systematic fashion, then the entries in S
are permuted again(Figure 2.26).
Initialization of S
➢ The entries of S are set equal to the values from 0 to 255 in ascending order, a
temporary vector T, is created. If the length of the key k is 256 bytes, then k is
assigned to T. Otherwise, for a key with length(k-len) bytes, the first k-len elements
of T as copied from K and then K is repeated as many times as necessary to fill T.
// Initialization
for
i = 0 to 255 do S[i] = i;
T[i] = K[i mod k - len];
➢ Next, use T to produce the initial permutation of S. Starting with S[0] to S[255], and
for each S[i] algorithm swap it with another byte in S according to a scheme dictated
by T[i], but S will still contain values from 0 to 255:
// Initial Permutation of S
j = 0;
for
i = 0 to 255 do
{
j = (j + S[i] + T[i]) mod 256;
Swap(S[i], S[j]);
}
Pseudo random generation algorithm (Stream Generation)
➢ Once the vector S is initialized, the input key will not be used. In this step, for each
S[i] algorithm swap it with another byte in S according to a scheme dictated by the
current configuration of S. After reaching S[255] the process continues, starting from
S[0] again
//Stream Generation
i, j = 0;
while (true)
i = (i + 1)mod 256;
j = (j + S[i])mod 256;
Swap(S[i], S[j]);
t = (S[i] + S[j])mod 256;
k = S[t];
Figure 2.26 RC4 Algorithm
Encrypt using XOR
➢ To encrypt, XOR the value k with the next byte of plaintext.
Decrypt using XOR
➢ To decrypt, XOR the value k with the next byte of ciphertext.
Advantage
➢ It is faster and more suitable for streaming application
2.18 Key Distribution
Symmetric Key Distribution Using Symmetric Encryption
➢ In Symmetric key encryption, the two parties to an exchange must share the
same key, and that key must be protected from access by others. Therefore, the
term that refers to the means of delivering a key to two parties who wish to
exchange data, without allowing others to see the key.
➢ For two parties A and B, key distribution can be achieved in a number of ways,
as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit
the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third-party C, C can deliver
a key on the encrypted links to A and B.
➢ Physical delivery (1 & 2) is simplest - but only applicable when there is personal
contact between recipient and key issuer. This is fine for link encryption where
devices & keys occur in pairs, but does not scale as number of parties who wish to
communicate grows. 3 is mostly based on 1 or 2 occurring first.
➢ A third party, whom all parties trust, can be used as a trusted intermediary to mediate
the establishment of secure communications between them (4). Must trust
intermediary not to abuse the knowledge of all session keys. As number of parties
grow, some variant of 4 is only practical solution to the huge growth in number of
keys potentially needed.
Key Distribution Centre
➢ The use of a key distribution center is based on the use of a hierarchy of keys. At a
minimum, two levels of keys are used.
➢ Communication between end systems is encrypted using a temporary key, often
referred to as a Session key.
➢ Typically, the session key is used for the duration of a logical connection and then
discarded
➢ Master key is shared by the key distribution center and an end system or user and
used to encrypt the session key.
Key Distribution Scenario
➢ Let us assume that user A wishes to establish a logical connection with B and
requires a one-time session key to protect the data transmitted over the connection.
A has a master key, Ka, known only to itself and the KDC; similarly, B shares the
master key Kb with the KDC(Figure 2.27). The following steps occur:
Figure 2.27 Key Distribution Scenario
1. An issue a request to the KDC for a session key to protect a logical connection to B.
The message includes the identity of A and B and a unique identifier, N1, for this
transaction, which we refer to as a nonce. The nonce may be a timestamp, a
counter, or a random number; the minimum requirement is that it differs with each
request. Also, to prevent masquerade, it should be difficult for an opponent to guess
the nonce. Thus, a random number is a good choice for a nonce.
2. The KDC responds with a message encrypted using Ka Thus, A is the only one who
can successfully read the message, and A knows that it originated at the KDC. The
message includes two items intended for A:
• The one-time session key, Ks, to be used for the session
• The original request message, including the nonce, to enable A to match this
response with the appropriate request
Thus, A can verify that its original request was not altered before reception by the
KDC and, because of the nonce, that this is not a replay of some previous request.
In addition, the message includes two items intended for B:
• The one-time session key, Ks to be used for the session
• An identifier of A (e.g., its network address), IDA
These last two items are encrypted with Kb (the master key that the KDC shares
with B). They are to be sent to B to establish the connection and prove A's identity.
3. A store the session key for use in the upcoming session and forwards to B the
information that originated at the KDC for B, namely, E (Kb, [Ks || IDA]). Because this
information is encrypted with Kb, it is protected from eavesdropping. B now knows the
session key (Ks), knows that the other party is A (from IDA), and knows that the
information originated at the KDC (because it is encrypted using Kb).
At this point, a session key has been securely delivered to A and B, and they may
begin their protected exchange. However, two additional steps are desirable:
4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.
5. Also using Ks, A responds with f(N2), where f is a function that performs some
transformation on N2 (e.g., adding one).
Session Key Lifetime
➢ The distribution of session keys delays the start of any exchange and places a
burden on network capacity. A security manager must try to balance these
competing considerations in determining the lifetime of a particular session key.
➢ For connection-oriented protocols, one obvious choice is to use the same session
key for the length of time that the connection is open, using a new session key
for each new session.
➢ If a logical connection has a very long lifetime, then it would be prudent to
change the session key periodically, perhaps every time the PDU (protocol data
unit) sequence number cycles.
➢ For a connectionless protocol, such as a transaction-oriented protocol, there is no
explicit connection initiation or termination.
➢ Thus, it is not obvious how often one needs to change the session key. The most
secure approach is to use a new session key for each exchange.
➢ A better strategy is to use a given session key for a certain fixed period only or for a
certain number of transactions.
PART B
1) Explain in detail about symmetric key cryptography.
2) Explain the following in detail.
i) Algebraic structures in cryptography.
ii) Modular arithmetic in cryptography.
3) Write notes on Euclid’s algorithm.
4) Discuss in detail about Congruence and matrices.
5) Explain the following in detail
i) Groups
ii) Rings
iv) Fields
v) Finite fields
6) Explain Data Encryption Standard (DES) in detail.
7) Explain about Block cipher Principles of DES.
8) Discuss in detail about Differential and linear cryptanalysis.
9) Describe in detail about Block cipher design principles.
10) Explain the Block cipher mode of operation.
11) How AES is used for encryption/decryption? Discuss with example.
12) List the evaluation criteria defined by NIST for AES.
13) Explain in detail the key generation in AES algorithm and its expansion format.
14) Explain the Key Generation, Encryption and Decryption of DES algorithm in detail
15) Explain about RC4 in detail.
16) Explain the Key Generation, Encryption and Decryption of DES algorithm in detail.
17) Explain in detail about RSA algorithm with suitable example.
3
UNIT III ASYMMETRIC CRYPTOGRAPHY
MATHEMATICS OF ASYMMETRIC KEY CRYPTOGRAPHY: Primes – Primality
Testing – Factorization – Euler’s totient function, Fermat’s and Euler’s Theorem – Chinese
Remainder Theorem – Exponentiation and logarithm
ASYMMETRIC KEY CIPHERS: RSA cryptosystem – Key distribution – Key management
– Diffie Hellman key exchange -– Elliptic curve arithmetic – Elliptic curve cryptography.
3.1 Mathematics of Asymmetric Key Cryptography
3.1.1 Number Theory
➢ Number Theory plays an important role in encryption algorithm. It is a vast and
fascinating field of mathematics, sometimes called "higher arithmetic," consisting of
the study of the properties of whole numbers.
➢ Primes and Prime Factorization are especially important in number theory, as are a
number of functions including the Totient function.
➢ Cryptography is the practice of hiding information, converting some secret
information to not readable texts.
➢ Cryptography is the study of methods to send and receive the secret messages. In
general, we have a sender who is trying to send a message to receiver. There is also an
adversary, who wants to steal the message. We are successful if sender is able to
communicate a message to the receiver without adversary learning what the message
was.
➢ Applications of number theory in cryptography are very important in constructions of
public key cryptosystems.
➢ The most popular public key cryptosystems are based on the problem of factorization
of large integers and discrete logarithm problem in finite groups, in particular in the
multiplicative group of finite fields and the group of points on elliptic curve over
finite field.
3.2 Important concepts in Number Theory
3.2.1 Prime Numbers
➢ A positive integer p is said to be a prime if it has only two factors namely 1 and p
itself.
For Example: 2, 3, 5, 7, 11, 13, 17 are prime numbers. 4,6,8,9,10 are not.
➢ Prime numbers are central to number theory
➢ List of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103
107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
3.2.2 Relatively Prime Numbers
➢ Two integers are relatively prime (or coprime) if there is no integer greater than
one that divides them both (that is, their greatest common divisor is one).
For example, 12 and 13 are relatively prime, but 12 and 14 are not.
3.2.3 Divisors
➢ A positive integer a is said to divide an integer b if there exist an integer c such
that b = a.c and written as a | b.
For Example, 2 |10 as 10 = 2.5 but 3 do not divide 10 as there does not exist any
integer c such that 10 = 3. C
3.2.4 Greatest Common Divisor
➢ Let a and b be two positive integers then an integer d is called greatest common
divisor of a and b if d | a and d | b i.e. d is common divisor of a and b. And if any
integer c is such that c | a and c | b then c | d, i.e. any other common divisor of a
and b will divide d it is denoted by d = (a, b)
➢ Conversely can determine the greatest common divisor by comparing their prime
factorizations and using least powers
For Example, 300=21x31x52 18=21x32 hence GCD (18, 300) = 21x31x50=6
Using Euclid's algorithm
➢ A much more efficient method is the Euclidean algorithm, which uses the division
algorithm in combination with the observation that the gcd of two numbers also
divides their difference.
gcd(a,0) =a
gcd (a, b) =gcd (b, a mod b)
➢ For example,
Program 1: Write C++ program to find GCD of two numbers using Euclidean algorithm
#include <iostream>
using namespace std;
// Recursive function to return gcd of a and b
int gcd(int a, int b)
{
if (b == 0)
return a;
return gcd(b, a % b);
// Driver program to test above function
int main ()
{
int a = 98, b = 56;
cout<<"GCD of "<<a<<" and "<<b<<" is "<<gcd(a, b);
return 0;
}
Output:
GCD of 98 and 56 is 14
3.3 Primality Testing
➢ A primality test is an algorithm for determining whether an input number is prime.
Among other fields of mathematics, it is used for cryptography. Unlike integer
factorization, primality tests do not generally give prime factors, only stating whether
the input number is prime or not.
The Fermat Test
➢ By Fermat’s Theorem, if n is prime, then for any a we have
an−1 = 1(mod n). This suggests the Fermat test for a prime: pick a random a
∈{1,...,n−1} a ∈ {1,...,n−1} and see if an−1=1 (mod n). If not, then n must be
composite.
However, we may still get equality even when n is not prime.
For example, take n = 561 = 3 × 11 × 17. By the Chinese Remainder Theorem
Z561=Z3×Z11×Z17
thus, each a ∈ Z* 561 corresponds to some
(x, y, z) ∈ Z∗3 ×Z∗1×
1 Z∗ 17
By Fermat’s Theorem, x2 = 1, y10 = 1 and z16 =1. Since 2, 10, and 16 all divide 560, this
means (x, y, z)560= (1, 1, 1) in other words, a560 = 1 for any a ∈ Z∗561
.
Thus, no matter what “a” we pick, 561 always passes the Fermat test despite being composite
so long as aa is coprime to n. Such numbers are called Carmichael numbers, and it turns out
there are infinitely many of them.
If a is not coprime to n then the Fermat test fails, but in this case, we may as well forgo tests
and recover a factor of n simply by computing gcd (a, n).
3.4 Factorization
➢ Prime Factorization (or integer factorization) is a commonly used mathematical
problem often used to secure public-key encryption systems. A common practice is to
use very large semi-primes (that is, the result of the multiplication of
two prime numbers) as the number securing the encryption.
3.4.1 Fundamental Theorem of Arithmetic
➢ Any positive integer greater than one can be written uniquely in the following prime
factorization form where P1, P2…., Pk are primes and e1, e2…ek are positive integers.
Applications of factorization
➢ Greatest Common Divisor
• The GCD of two numbers, gcd (a, b). This value can also be found if we know
the factorization of a and b.
➢ Least Common Multiplier
• The least common multiplication, lcm (a, b), is the smallest integer that is
multiple of both a and b. using factorization, can also find lcm (a, b).
• It can be proved that gcd (a, b) and lcm (a, b) are related to each other as
shown below.
3.4.2 Factorization Methods
➢ Although there are several algorithms that can factor a number, none are capable of
factoring a very large number in a reasonable amount of time.
Trial Division Method
➢ It is the simplest and least efficient algorithm.
➢ The essential idea behind trial division tests to see if an integer n, the integer to be
factored, can be divided by each number in turn that is less than n. For example, for
the integer n = 12, the only numbers that divide it are 1, 2, 3, 4, 6, 12. Selecting only
the largest powers of primes in this list gives that 12 = 3 × 4 = 3 × 22.
➢ The algorithm 3.4.2 shows the pseudocode for this method. The algorithm has two
loops, outer and inner. The outer loop finds unique factors and the inner loop finds
duplicates of a factor.
➢ For example, 24=23*3. The outer loop finds the factors 2 and 3. The inner loop finds
that 2 is a multiple factor.
Algorithm 3.4.2 Pseudocode for trial-division factorization
➢ Example 1: Use the trial division algorithm to find the factors of 1233.
Solution
We run a program based on the algorithm and get the following result.
1233=32 * 137
3.4.3 Fermat Method
➢ The Fermat’s Factorization method is based on the representation of an odd integer as
the difference of two squares. For an integer n, we want a and b such as:
n = a2 - b2 = (a + b) (a - b)
where (a + b) and (a - b) are the factors of the number n
➢ Example:
Input: n = 6557
Output: [79,83]
Explanation:
For the above value, the first try for a is ceil value of square root of 6557,
which is 81.
Then,
b2 = 812 - 6557 = 4, as it is a perfect square.
So, b = 2
So, the factors of 6557 are:
(a - b) = 81 - 2 = 79 &
(a + b) = 81 + 2 = 83.
3.4.4 Pollard p – 1 Method
➢ This method finds a prime factor p of a number based on the condition that p-1 hasno
factor larger than a predefined value B, which is called bound.
➢ Algorithm 3.4.4 shows the pseudocode for pollard p - 1 factorization method.
Algorithm 3.4.4 Pseudocode for Pollard p – 1 factorization
Example
Use the Pollard p − 1 method to find a factor of 57247159 with the bound B = 8.
Solution
We run a program based on the algorithm and find that p = 421. As a matter of fact
57247159 = 421 × 135979. Note that 421 is a prime and p − 1 has no factor greater
than 8
421 − 1 = 22 × 3 × 5 × 7
3.4.5 Pollard's rho algorithm
➢ Pollard's rho algorithm is an algorithm for integer factorization. It was invented by
John Pollard in 1975. It uses only a small amount of space, and its expected running
time is proportional to the square root of the size of the smallest prime factor of the
composite number being factorized.
➢ Given a positive integer n, and that it is composite, find a divisor of it.
➢ Example:
Input: n = 12;
Output: 2 [OR 3 OR 4]
Input: n = 187;
Output: 11 [OR 17]
Concepts used in Pollard’s Rho Algorithm
1. Two numbers x and y are said to be congruent modulo n (x = y modulo n) if
• their absolute difference is an integer multiple of n, OR,
• each of them leaves the same remainder when divided by n.
2. The Greatest Common Divisor is the largest number which divides evenly into each
of the original numbers.
3. Birthday Paradox: The probability of two persons having same birthday is
unexpectedly high even for small set of people.
4. Floyd’s cycle-finding algorithm: If tortoise and hare start at same point and move in a
cycle such that speed of hare is twice the speed of tortoise, then they must meet at
some point.
3.5 Fermat’s and Euler’s Theorem
➢ Two theorems that play important roles in public-key cryptography are Fermat's
theorem and Euler's theorem.
Fermat’s Theorem (Fermat’s Little Theorem)
➢ If p is prime and a is a positive integer not divisible by p, then
ap-1 ≡ 1 (mod p)
where p is prime and gcd (a, p) = 1
Example 1:
If a = 2 and p = 7, then 26 = 64, and 64 − 1 = 63 = 7 × 9 is thus a multiple of 7.
Example 2:
If a =7 and p = 19 solve using Fermat’s theorem
a18 ≡ 1 mod P
a2 = 72 = 49 ≡ 11 mod 19
74 = 121 mod 19 = 7
78 = 74 * 74
= 7 * 7 = 49 mod 19 = 11
716 = 78 * 78
= 11 * 11 = 121 mod 19 = 7
718 = 716 * 72
= 7 * 11
= 77 mod 19
=1
Euler ‘s Totient Function
➢ Euler's totient function is a multiplicative function, meaning that if two numbers m
and n are relatively prime, then φ(mn) = φ(m)φ(n).
➢ This function gives the order of the multiplicative group of integers modulo n (the
group of units of the ring ℤ/nℤ).
➢ It is also used for defining the RSA encryption system.
➢ The Euler's totient function, or phi (φ) function is a very important number theoretic
function having a deep relationship to prime numbers and the so-called order of
integers.
➢ The totient φ(n) of a positive integer n greater than 1 is defined to be the number of
positive integers less than n that are coprime to n. φ(1) is defined to be 1.
➢ The following table shows the function values for the first several natural numbers:
Table 3.5 Some values of Euler’s Totient Function φ(n)
➢ Table 3.5 lists the first 15 values of φ(n). the value φ(1) is without meaning but is
defined to have the value 1.
➢ For the prime number p,
φ(p) = p-1
➢ Now, two prime numbers p and q with p ≠ q. Then we can show that, for n=pq.
φ(n) = φ(pq)= φ(p)* φ(q) = (p-1) * (q-1)
➢ For example, φ(10) = φ(5) * φ(2) = (5-1) * (2-1) = 4 * 1 = 4
φ(15) = φ(5) * φ(3) = (5-1) * (3-1) = 4 * 2 = 8
Euler’s Theorem
➢ Euler's theorem states that, “if p and q are relatively prime, then”, where φ
is Euler's totient function for integers. That is, is the number of non-negative numbers
that are less than q and relatively prime to q.
a(n) ≡ 1 (mod n)
▪ for any a, n where gcd (a, n) = 1
Example 1:
a=3, n= 10 prove Euler’s theorem
Solution
φ(n) = φ(10) => φ(p * q)
= φ(2) * φ(5 ) // 2 and 5 are relative prime numbers for 10
= (2-1) * (5-1) =4
= 34 mod 10
= 81 mod 10 = 1
Example 2:
a=2; n=11 prove Euler’s theorem
Solution
ø(11) = 10;
hence 210 = 1024 = 1 mod 11
3.6 Chinese Remainder Theorem (CRT)
➢ The Chinese Remainder Theorem is an ancient, which is developed in 3rd centuries
by Chinese mathematician Sun-tzu.
➢ The CRT is a result about congruences in number theory and its generalization in abstract
algebra.
➢ It enables one to solve simultaneous equation with respect to different moduli in considerable
generality.
Theorem
➢ Chinese Remainder Theorem: If m1, m2, .., mk are pairwise relatively prime
positive integers, and if a1, a2, .., ak are any integers, then the simultaneous
congruences
x ≡ a1 (mod m1),
x ≡ a2 (mod m2),
.
.
.
x ≡ ak (mod mk)
have a solution, and the solution is unique modulo m, where m = m1, m2⋅⋅⋅mk. That is
a unique solution x with 0 ≤ x ≤ m.
Algorithm
• Let m = m1, m2, ..., mk
• Let Mk = m / mk for all K = 1, 2, 3, … k
• For all K = 1, 2, 3, … k find integers 1 / K such Mk, Yk ≡ (1 mod mk)
Since gcd (Mk, mk) = 1
• Euclid’s extended algorithm can be used to find yk
• The integer x ≡ (a1 M1 y1 + a2 M2 y2 + ... + akMkYk) (mod M) is a uniquesolution.
Example 1:
x ≡ 1 (mod 4)
x ≡ 2 (mod 5)
x ≡ 4 (mod 7)
solve the value for x using Chinese Remainder Theoren.
Solution
m1 = 4 a1 = 1
m2 = 5 a2 = 2
m3 = 7 a3 = 4
Step 1:
m = m1 * m2 * m3
=4*5*7
m = 140
Step 2:
M1 = m/ m1 => 140/4 = 35
M2 = m/m2 => 140/5 = 28
M3 = m/m3 => 140/7 = 20
Step 3:
MkYk ≡ 1 (mod mk)
Put k=1
M1y1 ≡ 1(mod m1)
35y1 ≡ 1 (mod 4)
Put k = 2
M2y2 ≡ 1(mod m2)
28y2 ≡ 1 (mod 5)
Put k = 3
M3y3 ≡ 1(mod m3)
20y3 ≡ 1 (mod 7)
35y1 ≡ 1 (mod 4)
28y2 ≡ 1 (mod 5)
20y3 ≡ 1 (mod 7)
To find y1
35y1 ≡ 1 (mod 4)
gcd (Mk, mk)
gcd (35, 4)
gcd (4, 35 mod 4)
gcd (4, 3)
gcd (3, 4 mod 3)
gcd (3, 1) when n = 1
y1 = 3 gcd (m, n) = n
Similarly,
Find y2 and y3
Here, y2 = 2
y3 = 6
Step 4:
x = (a1 M1 y1 + a2 M2 y2 + a3M3Y3) (mod m)
= ((1 * 35 * 3) + (2 * 28 * 2) + (4 * 20 * 6)) mod 140
= (105 + 112 + 480) mod 140
= 697 mod 140
x = 137
Example 2:
x ≡ 3 (mod 4)
x ≡ 2 (mod 3)
x ≡ 4 (mod 5)
solve the value for x using Chinese Remainder Theoren.
Solution
m1 = 4 a1 = 3
m2 = 3 a2 = 2
m3 = 5 a3 = 4
Step 1:
m = m1 * m2 * m3
=4*3*5
m = 60
Step 2:
M1 = m/ m1 => 60/4 = 15
M2 = m/m2 => 60/3 = 20
M3 = m/m3 => 60/5 = 12
Step 3:
MkYk ≡ 1 (mod mk)
Put k=1
M1y1 ≡ 1(mod m1)
15y1 ≡ 1 (mod 4)
Put k = 2
M2y2 ≡ 1(mod m2)
20y2 ≡ 1 (mod 3)
Put k = 3
M3y3 ≡ 1(mod m3)
12y3 ≡ 1 (mod 5)
15y1 ≡ 1 (mod 4)
20y2 ≡ 1 (mod 3)
12y3 ≡ 1 (mod 5)
Find y1 =3
y2 =2
y3 = 3
Step 4:
x = (a1 M1 y1 + a2 M2 y2 + a3M3Y3) (mod m)
= ((3 * 15 * 3) + (2 * 20 * 2) + (4 * 12 * 3)) mod 60
= (135 + 80 + 144) mod 60
= 359 mod 60
x = 59
3.7 Exponentiation and Logarithm
3.7.1 Modular Exponentiation
➢ Modular exponentiation is a type of exponentiation performed over a modulus.
➢ It is useful in computer science, especially in the field of cryptography. The
operation of modular exponentiation calculates the remainder when an
integer b (the base) raised to the eth power (the exponent), be, is divided by
a positive integer m (the modulus).
➢ In symbols, given base b, exponent e, and modulus m, the modular
exponentiation c is: c = be mod m.
➢ From the definition of c, it follows that 0 ≤ c < m. For example, given b = 5, e =
3 and m = 13, the solution c = 8 is the remainder of dividing 53 = 125 by 13.
➢ Modular exponentiation can be performed with a negative exponent e by finding
the modular multiplicative inverse d of b modulo m using the extended Euclidean
algorithm.
➢ That is: c = be mod m = d−e mod m, where e < 0 and b ⋅ d ≡ 1 (mod m).
➢ Modular exponentiation similar to the one described above is considered easy to
compute, even when the integers involved are enormous.
➢ On the other hand, computing the modular discrete logarithm – that is, the task of
finding the exponent e when given b, c, and m – is believed to be difficult.
➢ This one-way function behaviour makes modular exponentiation a candidate for
use in cryptographic algorithms.
3.7.2 Discrete Logarithms
➢ In the mathematics of the real numbers, the logarithm logb a is a number x such
that bx = a, for given numbers a and b. Analogously, in any group G, powers bk can be
defined for all integers k, and the discrete logarithm logb a is an integer k such
that bk = a.
➢ In number theory, the more commonly used term is index: we can write x =
indr a (mod m) (read the index of a to the base r modulo m) for rx ≡ a (mod m) if r is
a primitive root of m and gcd(a, m) = 1.
➢ Discrete logarithms are quickly computable in a few special cases. However, no
efficient method is known for computing them in general.
➢ Several important algorithms in public-key cryptography base their security on the
assumption that the discrete logarithm problem over carefully chosen groups has no
efficient solution.
➢ Let G be any group. Denote its group operation by multiplication and its identity
element by 1. Let b be any element of G. For any positive integer k, the
expression bk denotes the product of b with itself k times:
➢ Similarly, let b-k denote the product of b−1 with itself k times. For k = 0, the kth power
is the identity: b0 = 1.
➢ Let a also be an element of G. An integer k that solves the equation bk = a is termed
a discrete logarithm (or simply logarithm, in this context) of a to the base b. One
writes k = logb a.
3.8 Asymmetric Key Ciphers
➢ Asymmetric cryptography, also known as public key cryptography, uses public and
private keys to encrypt and decrypt data.
➢ The keys are simply large numbers that have been paired together but are not identical
(asymmetric). One key in the pair can be shared with everyone; it is called the public
key.
3.8.1 Public Key Cryptography
➢ Symmetric cryptography was well suited for organizations such as governments,
military, and big financial corporations were involved in the classified
communication.
➢ With the spread of more unsecure computer networks in last few decades, a genuine
need was felt to use cryptography at larger scale.
➢ The symmetric key was found to be non-practical due to challenges it faced for key
management. This gave rise to the public key cryptosystems.
➢ The process of encryption and decryption is depicted in the following illustration −
Figure 3.1 Public Key Cryptosystem
The most important properties of public key encryption scheme are:
• Different keys are used for encryption and decryption. This is a property which
set this scheme different than symmetric encryption scheme.
• Each receiver possesses a unique decryption key, generally referred to as his
private key.
• Receiver needs to publish an encryption key, referred to as his public key.
• Some assurance of the authenticity of a public key is needed in this scheme to
avoid spoofing by adversary as the receiver. Generally, this type of cryptosystem
involves trusted third party which certifies that a particular public key belongs to
a specific person or entity only.
• Encryption algorithm is complex enough to prohibit attacker from deducing the
plaintext from the ciphertext and the encryption (public) key.
• Though private and public keys are related mathematically, it is not be feasible to
calculate the private key from the public key. In fact, intelligent part of any
public-key cryptosystem is in designing a relationship between two keys.
3.9 RSA Cryptosystem
➢ This cryptosystem is one the initial system. It remains most employed cryptosystem
even today. The system was invented by three scholars Ron Rivest, Adi
Shamir, and Len Adleman and hence, it is termed as RSA cryptosystem.
➢ We will see two aspects of the RSA cryptosystem, firstly generation of key pair and
secondly encryption-decryption algorithms.
Generation of RSA Key Pair
➢ Each person or a party who desires to participate in communication using encryption
needs to generate a pair of keys, namely public key and private key. The process
followed in the generation of keys is described below −
• Generate the RSA modulus (n)
▪ Select two large primes, p and q.
▪ Calculate n=p*q. For strong unbreakable encryption, let n be a large
number, typically a minimum of 512 bits.
▪ note ø(n) = (p-1) (q-1)
• Find Derived Number (e)
▪ Number e must be greater than 1 and less than (p − 1) (q − 1).
▪ There must be no common factor for e and (p − 1) (q − 1) except for 1.
In other words, two numbers e and (p – 1) (q – 1) are co-prime.
• Form the public key
▪ The pair of numbers (n, e) form the RSA public key and is made
public.
▪ Interestingly, though n is part of the public key, difficulty in factorizing
a large prime number ensures that attacker cannot find in finite time the
two primes (p & q) used to obtain n. This is strength of RSA.
• Generate the private key
▪ Private Key d is calculated from p, q, and e. For given n and e, there is
unique number d.
▪ Number d is the inverse of e modulo (p - 1) (q – 1). This means that d is
the number less than (p - 1) (q - 1) such that when multiplied by e, it is
equal to 1 modulo (p - 1) (q - 1).
▪ Calculate d, d ≡ e-1(mod ø(n))
▪ This relationship is written mathematically as follows –
▪ ed = 1 mod (p − 1) (q − 1)
• Public key PU = {e, n}
• Private key PR = {d, n}
Figure 3.2 The RSA Algorithm
Encryption and Decryption
➢ To encrypt a message M the sender:
• Computes: C=Me mod N, where 0≤M<N
➢ To decrypt the ciphertext C the receiver
• Computes: M=Cd mod N
Example
• Select primes: p=17 & q=11
• Compute n = p × q =17 × 11 = 187
• Compute ø(n) = (p–1) (q-1) = 16 × 10 = 160
• Select e: gcd (e,160) = 1; choose e=7
• Determine d: de = 1 mod 160 and d < 160 Value is d = 23 since
23×7=161= 10×16+1
• Publish public key PU = {7, 187}
• Keep secret private key PR = {23, 187}
Encryption
Given message (Plaintext) M = 88
887 mod 187 = [(884 mod 187) x 882 mod 187) x 881 mod 187)] mod 187
881 mod 187 = 88
882 mod 187 = 7744 mod 187 = 77
884 mod 187 = 59,969,536 mod 187 = 132
887 mod 187 = (88 x 77 x 132) mod 187
= 8,94432 mod 187
= 11
So, Ciphertext C = 11
Decryption
M = 1123 mod 187
1123 mod 187 = [(111 mod 187) x (112 mod 187) x (114 mod 187) x
(118 mod 187) x (118 mod 187)] mod 187
111 mod 187 = 11
112 mod 187 = 121
114 mod 187 = 14641 mod 187 = 55
118 mod 187 = 2,14, 358, 881 mod 187 = 33
118 mod 187 = 2,14, 358, 881 mod 187 = 33
1123 mod 187 = (11 x 121 x 55 x 33 x 33) mod 187
= 79, 720, 245 mod 187
= 88
So, Plaintext M =88
RSA Analysis
➢ The security of RSA depends on the strengths of two separate functions. The RSA
cryptosystem is most popular public-key cryptosystem strength of which is based on
the practical difficulty of factoring the very large numbers.
Encryption Function − It is considered as a one-way function of converting
plaintext into ciphertext and it can be reversed only with the knowledge of
private key d.
Key Generation − The difficulty of determining a private key from an RSA
public key is equivalent to factoring the modulus n. An attacker thus cannot
use knowledge of an RSA public key to determine an RSA private key unless
he can factor n. It is also a one-way function, going from p & q values to
modulus n is easy but reverse is not possible.
➢ If either of these two functions are proved non one-way, then RSA will be broken. In
fact, if a technique for factoring efficiently is developed then RSA will no longer be
safe.
➢ The strength of RSA encryption drastically goes down against attacks if the number p
and q are not large primes and/ or chosen public key e is a small number.
3.10 Key Management
➢ Key management refers to management of cryptographic keys in a cryptosystem.
Figure 3.4 illustrates the lifecycle of key management.
Fig. 3.4 Lifecycle of Key Management
➢ This includes dealing with the generation, exchange, storage, use, crypto-shredding
(destruction) and replacement of keys. Successful key management is critical to the
security of a cryptosystem.
➢ In cryptography it is a very tedious task to distribute the public and private key
between sender and receiver.
➢ If key is known to the third party (forger/eavesdropper) then the whole security
mechanism becomes worthless. So, there comes the need to secure the exchange of
keys.
➢ There are 2 aspects for Key Management:
Distribution of public keys.
Use of public-key encryption to distribute secret.
3.10.1 Distribution of Public Keys
➢ Several techniques have been proposed for the distribution of public keys which can
mostly be grouped into the categories shown.
Public announcement
Publicly available directory
Public-key authority
Public-key certificates
Public Announcement
➢ The point of public-key encryption is that the public key is public, hence any
participant can send his or her public key to any other participant, or broadcast the
key to the community at large. eg. append PGP keys to email messages or post to
news groups or email list.
➢ Figure 3.5 illustrates the public key distribution
Figure 3.5 Uncontrolled Public Key Distribution
➢ Its major weakness is forgery, anyone could pretend to be user A and send a public
key to another participant or broadcast such a public key. Until the forgery is
discovered they can masquerade as the claimed user.
Publicly Available Directory
➢ The user obtains greater security by registering keys with a public directory.
➢ The directory must be trusted with properties:
The authority maintains a directory with a {name, public key} entry for each
participant.
Each participant registers a public key with the directory authority.
A participant may replace the existing key with a new one at any time because
the corresponding private key has been compromised in some way.
Participants could also access the directory electronically. For this purpose,
secure, authenticated communication from the authority to the participant is
mandatory.
Figure 3.6 illustrates the public key publication
Figure 3.6 Public Key Publication
➢ This scheme is clearly more secure than individual public announcements but still has
vulnerabilities.
➢ If an adversary succeeds in obtaining or computing the private key of the directory
authority, the adversary could authoritatively pass out counterfeit public keys and
subsequently impersonate any participant and eavesdrop on messages sent to any
participant.
➢ Another way to achieve the same end is for the adversary to tamper with the records
kept by the authority.
Public-Key Authority
➢ Stronger security for public-key distribution can be achieved by providing tighter
control over the distribution of public keys from the directory.
➢ It requires users to know the public key for the directory, and that they interact with
directory in real-time to obtain any desired public key securely.
➢ Totally seven messages are required.
➢ Figure 3.7 illustrates the public key distribution Scenario
1. A sends a timestamped message to the public-key authority containing a request for the
current public key of B.
2. The authority responds with a message that is encrypted using the authority's private
key, PRauth Thus, A is able to decrypt the message using the authority's public key.
Therefore, A is assured that the message originated with the authority. The message
includes the following:
• B's public key, PUb which A can use to encrypt messages destined for B.
• The original request, to enable A to match this response with the corresponding
earlier request and to verify that the original request was not altered before
reception by the authority.
• The original timestamp, so A can determine that this is not an old message from
the authority containing a key other than B's current public key.
Figure 3.7 Public key distribution Scenario
3. A stores B's public key and also uses it to encrypt a message to B containing an
identifier of A (IDA) and a nonce (N1), which is used to identify this transaction
uniquely.
4. B retrieves A's public key from the authority in the same manner as A retrieved B's
public key.
5. At this point, public keys have been securely delivered to A and B, and they may begin
their protected exchange. However, two additional steps are desirable:
6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a
new nonce generated by B (N2) Because only B could have decrypted message (3), the
presence of N1 in message (6) assures A that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Public-Key Certificates
➢ A user must appeal to the authority for a public keyfor every other user that it wishes
to contact and it is vulnerable to tampering too.
➢ Public key certificates can be used to exchange keys without contacting a public-key
authority.
➢ Figure 3.8 illustrates the public key Certificate exchanges
➢ A certificate binds an identity to public key, with all contents signed by a trusted
Public- Key or Certificate Authority (CA).
➢ This can be verified by anyone who knows the public-key authorities public-key.
➢ A participant can also convey its key information to another by transmitting its
certificate.
➢ Other participants can verify that the certificate was created by the authority. We can
place the following requirements on this scheme:
1. Any participant can read a certificate to determine the name and public key of the
certificate's owner.
2. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.
4. Any participant can verify the currency of the certificate.
➢ One scheme has become universally accepted for formatting public-key certificates.
➢ The X.509 standard. X.509 certificates are used in most network security applications,
including IP security, secure sockets layer (SSL), secure electronic transactions
(SET), and S/MIME.
Figure 3.8 Public Key Certificates
3.10.2 Symmetric Key Distribution using Public Key Cryptography
➢ Once public keys have been distributed or have become accessible, secure
communication that thwarts eavesdropping, tampering, or both, is possible.
➢ The Public-key encryption provides for the distribution of secret keys to be used for
conventional encryption.
Simple Secret Key Distribution
➢ A generates a public/private key pair {PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A, IDA.
➢ B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
➢ A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can
decrypt the message, only A and B will know the identity of Ks.
➢ A discards PUa and PRa and B discards PUa.
Figure 3.9 Simple Secret Key Distribution
➢ Figure 3.9 illustrates the simple secret key distribution
➢ Here third party can intercept messages and then either relay the intercepted message
or substitute another message Such an attack is known as a man-in-the-middle
attack. Figure 3.10 shows the mam-in-the-middle attack.
Figure 3.10 Man-in-the-Middle Attack
Secret Key Distribution with Confidentiality and Authentication
➢ A uses B's public key to encrypt a message to B containing an identifier of A (IDA)
and a nonce (N1), which is used to identify this transaction uniquely.
➢ B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2) Because only B could have decrypted message (1),
the presence of N1 in message (2) assures A that the correspondent is B.
➢ Figure 3.11 illustrates the secret key distribution
Figure 3.11 Secret Key Distribution
➢ A returns N2 encrypted using B's public key, to assure B that its correspondent is A.
➢ A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's
private key ensures that only A could have sent it.
➢ B computes D(PUa, D(PRb, M)) to recover the secret key.
A Hybrid Scheme
➢ Another way to use public-key encryption to distribute secret keys is a hybrid
approach.
➢ This scheme retains the use of a Key Distribution Center (KDC) that shares a secret
master key with each user and distributes secret session keys encrypted with the
master key.
➢ A public key scheme is used to distribute the master keys.
➢ The addition of a public-key layer provides a secure, efficient means of distributing
master keys.
3.11 Diffie-Hellman Key Exchange Algorithm
• The Diffie–Hellman key exchange or Key Agreement is a method of securely
exchanging cryptographic keys over a public channel.
• It was developed by Whitfield Diffie and Martin Hellman in 1976.
• This protocol allows two users to exchange a secret key over an untrusted
network without any prior secrets. Security of transmission is critical for many
network and Internet applications.
• A number of commercial products employ this exchange technique.
• The purpose of the algorithm is to enable two users to securely exchange a key
that can be used for subsequent encryption of messages. So, two persons can
talk in untrusted network.
• The D-H, Based on the difficulty of computing discrete logarithms of large
numbers.
• Suppose A and B wish to exchange a secret key, the following steps are
needed.
o There are two publicly known numbers: one is prime number q and an integer
α that is primitive root of q.
o Suppose the user A and B wish to exchange a key.
o User A selects a random integer XA < q and
▪ computes YA = αxA mod q.
o Similarly, user B selects a random integer XB < q and
▪ computes YB = αxB mod q.
• Then user A computes the key as K= (YB)xA mod q
• User B computes K= (YA)xB mod q
• Then two calculations produce identical results.
Figure 3.12 The D-H Algorithm
Example 1:
• Choose global public elements
q=23, α = 9
• User A select value XA is 4
• Calculate public YA
YA= αxA mod q
= 94 mod 23
= 6561 mod 23
YA = 6
• User B select value XB is 3
• Calculate public YB
YB = αxB mod q
= 93 mod 23
= 729 mod 23
YB = 16
▪ Now, exchange their public keys
▪ Figure 3.13 shows the exchange of keys
Figure 3.13 Diffie- Hellmam Key Exchange
After exchange their public keys, each can compute the common key.
• A compute K = (YB)xA mod q
= 164 mod 23
= 65536 mod 23
K=9
• B compute K = (YA)xB mod q
= 63 mod 23
= 216 mod 23
K=9
Now A and B can talk securely
Example 2:
➢ users Alice & Bob who wish to swap keys:
➢ agree on prime q=353 and a=3
➢ select random secret keys:
• A chooses XA=97, B chooses XB=233
➢ compute respective public keys:
• YA=397 mod 353 = 40 (Alice)
• YB=3233 mod 353 = 248 (Bob)
➢ compute shared session key as:
• KAB= YBxA mod 353 = 24897 = 160 (Alice)
• KAB= YAxB mod 353 = 40233 = 160 (Bob)
Advantages
➢ The sender and receiver don’t need any prior knowledge of each other.
➢ Once the keys are exchanged, the communication of data can be done through an
insecure channel.
➢ The sharing of the secret key is safe.
Disadvantages
➢ The algorithm cannot be sued for any asymmetric key exchange.
➢ Similarly, it cannot be used for signing digital signatures.
➢ Since it doesn’t authenticate any party in the transmission, the Diffie Hellman key
exchange is susceptible to a man-in-the-middle attack.
Man-in-the-Middle Attack
Figure 3.14 Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a
shared key with Alice
4. Bob receives the public key and calculates the shared key (with Darth instead of
Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a
shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth instead of Bob)
Now, Darth can then intercept, decrypt, re-encrypt, forward all messages between
Alice & Bob
Applications
➢ Diffie-Hellman is currently used in many protocols, namely:
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Secure Shell (SSH)
• Internet Protocol Security (IPSec)
• Public Key Infrastructure (PKI)
3.12 ElGamal cryptosystem
➢ In cryptography, ElGamal encryption is an public-key cryptosystem. It uses
asymmetric key encryption for communicating between two parties and encrypting the
message, which is based on the Diffie–Hellman key exchange algorithm.
➢ It is developed by Elgamal in 1984.
➢ The Elgamal algorithm consists of three components.
• Key Generation
• Encryption Algorithm
• Decryption Algorithm
Key Generation
➢ Like D-H algorithm, generate of global elements are a prime number q and α
➢ User A generate private/public key pair as follows:
• Generate a random integer XA, 1 < XA < q-1
• Compute their public key YA = α XA mod q
• A’s private key is XA; and public key {q, α, YA}
Encryption
➢ User B that has access to A’s public key can encrypt a message as follows
• Represent message M in range 0 ≤ M ≤ q-1
• Longer messages are sent as a sequence of blocks, with each block being an
integer less than q.
• Choose random integer k with 1 ≤ k ≤ q-1
• Compute one-time key K = (YA)k mod q
• Encrypt M as a pair of integers (C1, C2) where
▪ C1 = α k mod q; C2 = KM mod q
Decryption
➢ User A recovers the plaintext.
• Recover the key by computing K as K = (C1)XA mod q
• computing M as M = (C2 K-1) mod q
Example
➢ Alice generates a public/private key pair; Bob encrypts using Alice’s public key and
Alice decrypts using her private key
➢ Global elements q = 19, α = 10
Alice Generates a key pair as follows:
➢ Alice chooses XA=5
➢ Computes YA = α XA mod q => YA =105 mod 19
= 10000 mod 19
YA = 3
➢ Alice private key is 5; public key {q, α, YA}= {19, 10, 3}
Suppose Bob wants to send the message with the value M = 17, then
Encryption
➢ Bob choose K = 6
o k = (YA)k mod q => 36 mod 19
= 729 mod 19
k=7
➢ Calculate C1
o C1 = α k mod q = > 106 mod 19
= 1000000 mod 19
C1 = 11
➢ Calculate C2
o C2 = KM mod q => 7 * 17 mod 19
= 119 mod 19
C2 = 5
➢ Bob sends the ciphertext (11, 5)
Decryption
➢ Alice Calculates recover K = (C1)xA mod q = 115 mod 19 = 7
➢ Compute inverse K-1 = 7-1 = 11
➢ Finally, M = (C2 K-1) mod q = 5 *11 mod 19
= 55 mod 19
M= 17
3.13 Elliptic Curve Arithmetic
➢ Most of the products and standards that use public-key cryptography for
encryption and digital signatures use RSA.
➢ The key length for secure RSA use has increased over recent years, and this has
put a heavier processing load on applications using RSA. This burden has
ramifications, especially for electronic commerce sites that conduct large numbers
of secure transactions.
➢ The principal attraction of ECC, compared to RSA, is that it appears to offer equal
security for a far smaller key size, thereby reducing processing overhead.
3.13.1 Why the name Elliptic Curve?
➢ The mathematical properties of certain cubic equations that are today known as
elliptic curves were seen to be generalizations of those of conics.
➢ However, the advent of calculus helped highlight marked differences between
conics and elliptic curves. While conic sections can be parameterized by rational
functions, elliptic curves cannot be parameterized by rational functions.
➢ The simplest functions that can parameterize elliptic curves are elliptic functions
encountered in calculus as the inverses of so-called elliptic integrals.
➢ The Elliptic integrals are called so, as a typical example is the integral for the arc
length of an ellipse. Thus, the name elliptic curve.
3.13.2 Abelian Groups
➢ An abelian group G, sometimes denoted by {G, •}, is a set of elements with a binary
operation, denoted by •, that associates to each ordered pair (a, b) of elements in G an
element (a • b) in G, such that the following axioms are obeyed:
• Closure: If a and b belong to G, then a • b is also in G.
• Associative: a • (b • c) = (a • b) • c for all a, b, c in G.
• Identity element: There is an element e in G such that a • e = e • a = a for all a
in G.
• Inverse element: For each a in G there is an element a' in G such that a • a' =
a' • a = e.
• Commutative: a • b = b • a for all a, b in G.
➢ A number of public-key ciphers are based on the use of an abelian group. For
example, Diffie-Hellman key exchange involves multiplying pairs of nonzero integers
modulo a prime number q.
➢ The Keys are generated by exponentiation over the group, with exponentiation
defined as repeated multiplication. For example, ak mod q
mod q.
➢ To attack Diffie-Hellman, the attacker must determine k given a and ak;
➢ For elliptic curve cryptography, an operation over elliptic curves, called addition, is
used. Multiplication is defined by repeated addition. For example,
where the addition is performed over an elliptic curve. The Cryptanalysis involves
determining k given a and (a x k).
3.13.3 Elliptic Curves over Real Numbers
➢ Elliptic curves are not ellipses. They are so named because they are described by
cubic equations, similar to those used for calculating the circumference of anellipse.
➢ In general, cubic equations for elliptic curves take the form
y2 + axy + by = x3 + cx2 + dx + e
where a, b, c, d, and e are real numbers and x and y take on values in the real
numbers. For our purpose, it is sufficient to limit ourselves to equations of the form
y2 = x3 + ax+ b
➢ Such equations are said to be cubic, or of degree 3, because the highest exponent they
contain is a 3. Also included in the definition of an elliptic curve is a single element
denoted O and called the point at infinity or the zero point, which we discuss
subsequently. To plot such a curve, we need to compute
➢ For given values of a and b, the plot consists of positive and negative values of y for
each value of x. Thus, each curve is symmetric about y = 0. Figures 3.15 shows two
examples of elliptic curves.
Figure 3.15 Examples of Elliptic Curve
3.14 Elliptic curve cryptography (ECC)
➢ Diffie-Hellman and RSA cryptographic methods are based on the creation of keys by
using very large prime numbers. Hence, key creation requires a lot computational
power.
➢ Elliptic curve cryptography (ECC) is a public key encryption technique based on
an elliptic curve theory that can be used to create faster, smaller, and more
efficient cryptographic keys.
➢ ECC generates keys through the properties of the elliptic curve equation instead
of the traditional method of generation as the product of very large prime
numbers.
➢ The technology can be used in conjunction with most public key encryption methods,
such as RSA and Diffie-Hellman.
➢ The ECC can achieve the same level of security with a 164-bit key that other systems
require a 1,024-bit key. Because ECC helps to establish equivalent security with lower
computing power and battery resource usage, it is becoming widely used for mobile
applications. The use of elliptic curves in cryptography was suggested independently
by Neal Koblitz and Victor S. Miller in 1985 and elliptic curve cryptography
algorithms entered wide use around 2004.
3.14.1 How Does ECC work?
➢ An elliptic curve is the set of points that satisfy a specific mathematical equation. The
equation for an elliptic curve looks like this y2=x3+ax+b and is being represented
graphically like the image below.
Figure 3.16 Elliptic Curve
➢ Multiplying a point on the curve by a number will produce another point on the curve,
but it is very difficult to find what number was used, even if you know the original
point and the result.
➢ The Equations based on elliptic curves have a characteristic that is very valuable for
cryptography purposes: they are relatively easy to perform, and extremely difficult to
reverse.
➢ The addition operation in ECC is the counterpart of modular multiplication in RSA,
and multiple addition is the counterpart of modular exponentiation. To form a
cryptographic system using elliptic curves, we need to find a "hard problem"
corresponding to factoring the product of two primes or taking the discretelogarithm.
➢ Consider the equation Q = kP where Q, P Ep (a, b) and k < p. It is relatively easy to
calculate Q given k and P, but it is relatively hard to determine k given Q and P. This
is called the discrete logarithm problem for elliptic curves.
➢ Consider the group E23 (9, 17). This is the group defined by the equation y2 mod 23 =
(x3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P =
(16.5)? The brute-force method is to compute multiples of P until Q is found. Thus,
P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P
= (8, 7); 8P (12, 17); 9P = (4, 5).
Because 9P = (4, 5) = Q, the discrete logarithm Q = (4, 5) to the base P = (16, 5) is k
= 9. In a real application, k would be so large as to make the brute-force approach
infeasible.
PART B
1) Explain in detail about asymmetric key cryptography.
2) Explain the following.
i) Primes.
ii) Primality Testing and Factorization.
3) Write short notes on
(i)Fermat and Eluer’s theorem
(ii)Chinese Remainder theorem
4) Discuss about Euler‘s totient function in detail.
5) Explain Exponentiation and logarithm in detail.
6) Explain RSA algorithm in detail with an example?
7) Identify the possible threats for RSA algorithm and list their counter measures.
8) Perform decryption and encryption using RSA algorithm with p=3, q=11, e=7 and N=5.
9) Explain the key management of public key encryption in detail.
10) Explain ECC - Diffie Hellman key Exchange with both keys in detail with an example.
11) Write about elliptic curve architecture in detail and how they are useful for cryptography.
12) Write about key distribution in detail.
13) Explain about ElGamal cryptosystem in detail.
UNIT IV INTEGRITY AND AUTHENTICATION
4
ALGORITHMS
Authentication requirement – Authentication function – MAC – Hash function – Security of
hash function: HMAC, CMAC – SHA – Digital signature and authentication protocols – DSS
– Schnorr Digital Signature Scheme – ElGamal cryptosystem – Entity Authentication:
Biometrics, Passwords, Challenge Response protocols – Authentication applications –
Kerberos
MUTUAL TRUST: Key management and distribution – Symmetric key distribution using
symmetric and asymmetric encryption – Distribution of public keys – X.509 Certificates.
4.1 Authentication and Authorization
Authentication
➢ Authentication techniques are used to verify identity. It prevents unauthorized users
from gaining access to the systems.
➢ Validating the identity of user, service or application
➢ Data authentication- providing data integrity
Authorization
➢ It is a procedure of controlling the access of authenticated users to the system
resources. An authorization system provides each user with exactly those rights
granted to them by the administrator
➢ Controls user privileges such as access to files, directories, etc...
4.2 Authentication Requirements
➢ Another type of threat that exist for data is the lack of message authentication.
➢ In this threat, the user is not sure about the originator of the message.
➢ Message authentication can be provided using the cryptographic techniques that use
secret keys as done in case of encryption.
➢ In the context of communications across a network, the following attacks can be
identified.
• Disclosure: Release of message contents to any person or process not possessing
the appropriate cryptographic key.
• Traffic analysis: Detection of the pattern of traffic between parties. In a
connection-oriented application, the frequency and duration of connections
could be determined, in which, the number and length of messages between
parties could be determined.
• Masquerade: Insertion of messages intothe network froma fraudulent source.
This includes the creation of messages by an opponent that are purported to
come from an authorized entity. Also included are fraudulent
acknowledgements of message receipt or nonreceipt by someone other than
the message recipient.
• Contentmodification: Changes to the contents of a message, including
insertion, deletion, transposition, and modification
• Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering
• Timing modification: Delay or replay of messages. In a connection-oriented
application, an entire session or sequence of messages could be a replay of
some previous valid session, or individual messages in the sequence could be
delayed or replayed. In a connectionless application, an individual message
(e.g., datagram) could be delayed or replayed
• Source repudiation: Denial of transmission of message by source.
• Destinationrepudiation: Denialofreceipt ofmessagebydestination.
4.3 Authentication Function
4.3.1 Message Authentication
➢ A mechanism or service used to verify the integrity of a message.
➢ Assures that data received are exactly as sent (i.e., contain no modification, insertion,
deletion, or replay).
➢ When a hash function is used to provide message authentication, the hash function
value is often referred to as a message digest.
4.3.2 Authentication function is of two levels of functionality
Lower Level
➢ Produces an authenticator: a value to be used to authenticate a message.
Higher-Level
➢ enables a receiver to verify the authenticity of a message
4.3.3 Grouped into Three Classes
Message Encryption
➢ The ciphertext of the entire message serves as its authenticator
Message authentication code (MAC)
➢ A function of the message and a secret key that produces a fixed-length value that
serves as the authenticator
Hash function
➢ A function that maps a message of any length into a fixed-length hash value, which
serves as the authenticator
Message Encryption
Symmetric Encryption
Symmetric encryption: confidentiality and authentication: A -> B:E(K, M)
Figure 4.1 Symmetric encryption: confidentiality and authentication
Public-key encryption: confidentiality: A ->B:E(PUb, M)
Figure 4.2 Public Key Encrypton: Confidentiality
Public-key encryption: authentication and signature: A ->B:E(PRa, M)
Figure 4.3 Public-key encryption: authentication and signature
Public-key encryption: confidentiality, authentication, and signature:
A ->B : E(PUb, E(PRa, M))
Figure 4.4 Public-key encryption: confidentiality, authentication, and signature
4.3 Message Authentication Code (MAC)
➢ MAC stands for Message Authentication Code.
➢ Here in MAC, sender and receiver share same key where sender generates a fixed size
output called Cryptographic checksum or Message Authentication code and appends
it to the original message.
➢ On receiver’s side, receiver also generates the code and compares it with what he/she
received thus ensuring the originality of the message.
➢ This technique assumes that two communicating parties, say A and B, share a
common secret key K.
Theory of operation
➢ When A has a message to send to B, it calculates the MAC as a function of the
message and the key:
MAC = C (K, M), where
M = input message
C = MAC function
K = shared secret key
MAC = Message Authentication Code
➢ The message plus MAC are transmitted to the intended recipient.
➢ The recipient performs the same calculation on the received message, using the
same secret key, to generate a new MAC.
➢ The received MAC is compared to the calculated MAC
➢ if the received MAC matches the calculated MAC, then
➢ The receiver is assured that the message has not been altered
➢ The receiver is assured that the message is from the alleged sender
Basic Uses of Message Authentication Code (MAC)
(a) Message authentication: A->B: M||C(K, M)
Figure 4.5 Message Authentication
➢ Provides authentication: Only A and B share K
(b) Message authentication and confidentiality; authentication tied to
plaintext
Figure 4.6 Message Authentication and Confidentiality
➢ A ->B:E(K2, [M||C(K, M)])
➢ Provides authentication
Only A and B share K1
➢ Provides confidentiality
Only A and B share K2
(c) Message authentication and confidentiality; authentication tied to ciphertext
Figure 4.7 Message Authentication and Confidentiality; authentication tied to ciphertext
➢ A -> B: E (K2, M) ||C (K1, E (K2, M))
➢ Provides authentication Using K1
➢ Provides confidentiality Using K2
4.3.1 MAC properties
➢ A MAC is a cryptographic checksum
MAC = CK(M)
– condenses a variable-length message M
– using a secret key K
– produce a fixed-sized authenticator
➢ MAC is a many-to-one function
potentially many messages have same MAC
100-bit M, and 20-bit MAC
but finding key K to be very difficult
4.3.2 Requirements for MACs
➢ Message replacement attacks, in which an attacker can construct a new message to
match a given MAC code, even though the attacker does not learn the key.
➢ Deals with need to prevent a brute-force attack based on chosen plaintext.
➢ Authentication algorithm should not be weaker.
Need the MAC to satisfy the following:
• knowing a message and MAC, is infeasible to find another message with same
MAC
• MACs should be uniformly distributed
• MAC should depend equally on all bits of the message
Limitations of MAC
There are two major limitations of MAC, both due to its symmetric nature of operation −
• Establishment of Shared Secret.
o It can provide message authentication among pre-decided legitimate users
who have shared key.
o This requires establishment of shared secret prior to use of MAC.
• Inability to Provide Non-Repudiation
o Non-repudiation is the assurance that a message originator cannot deny any
previously sent messages and commitments or actions.
o MAC technique does not provide a non-repudiation service. If the sender and
receiver get involved in a dispute over message origination, MACs cannot
provide a proof that a message was indeed sent by the sender.
o Though no third party can compute the MAC, still sender could deny having
sent the message and claim that the receiver forged it, as it is impossible to
determine which of the two parties computed the MAC.
Both these limitations can be overcome by using the public key based digital signatures
4.4 Hash function
➢ Hash functions are extremely useful and appear in almost all information security
applications.
➢ A hash function is a mathematical function that converts a numerical input value into
another compressed numerical value. A hash function accepts a variable-size message
M as input and produces a fixed size output, referred to as a hash code H(M).
➢ A hash code does not use a key but is a function only of the input message
➢ The hash code is also referred to as a message digest or hash value.
➢ Figure 4.8 shows the generation of hash value.
Figure 4.8 Generation Hash Value
4.4.1 Features of Hash Functions
The typical features of hash functions are
➢ Fixed Length Output (Hash Value)
• Hash function coverts data of arbitrary length to a fixed length. This process
is often referred to as hashing the data.
• In general, the hash is much smaller than the input data, hence hash functions
are sometimes called compression functions.
• Since a hash is a smaller representation of a larger data, it is also referred to as
a digest.
• Hash function with n bit output is referred to as an n-bit hash function.
Popular hash functions generate values between 160 and 512 bits.
➢ Efficiency of Operation
• Generally, for any hash function h with input x, computation of h(x) is a fast
operation.
• Computationally hash functions are much faster than a symmetric encryption.
Basic Uses of Hash Function
a) Encrypt message plus hash code
Figure 4.9 Encrypt message plus hash code
➢ A -> B:E(K, [M||H(M)])
➢ Provides confidentiality
• Only A and B share K
➢ Provides authentication
➢ H(M) is cryptographically protected
(b) Encrypt hash code shared secret key
Figure 4.10 Encrypt hash code shared secret key
➢ A -> B: M||E(K, H(M))
➢ Provides authentication
➢ H(M) is cryptographically protected
(c) Encrypt hash code sender's private key
Figure 4.11 Encrypt hash code sender's private key
➢ A ->B: M||E(PRa, H(M))
➢ Provides authentication and digital signature
➢ H(M) is cryptographically protected
➢ Only A could create E(PRa, H(M))
(d) Encrypt result of (c) shared secret key
Figure 4.12 Encrypt Result of (c) shard secret key
➢ A ->B: E(K, [M||E(PRa, H(M))])
➢ Provides authentication and digital signature
➢ Provides confidentiality
o only A and B shared k
(e) Compute hash code of message plus secret value
Figure 4.13 Compute hash code of message plus secret value
➢ A ->B: M||H(M||S)
➢ Provides authentication
• Only A and B share S
Applications of Hash Functions
There are two direct applications of hash function based on its cryptographic properties.
Password Storage
Hash functions provide protection to password storage.
• Instead of storing password in clear, mostly all logon processes store the hash values
of passwords in the file.
• The Password file consists of a table of pairs which are in the form (user id, h(P)).
• An intruder can only see the hashes of passwords, even if he accessed the password.
He can neither logon using hash nor can he derive the password from hash value
since hash function possesses the property of pre-image resistance.
Data Integrity Check
• Data integrity check is a most common application of the hash functions. It is used to
generate the checksums on data files. This application provides assurance to the user
about correctness of the data.
4.5 Security of hash function and MAC
There are two types attacks on hash functions and MAC.
1. Brute-force attacks
2. Cryptanalysis
Brute-force attacks
• A brute-force attack on a MAC has cost related to min (2k, 2n), similar to symmetric
encryption algorithms. As with encryption algorithms, cryptanalytic attacks on hash
functions and MAC algorithms seek to exploit some property of the algorithm to
perform some attack other than an exhaustive search.
• The strength of a hash function against brute-force attacks depends solely on the
length of the hash code produced by the algorithm.
• A brute-force attack on a MAC is a more difficult because it requires known message-
MAC pairs
• Suppose there are N possible hash values from a set of strings X, and suppose that the
output of a hash function is randomly distributed in this space. Take a subset of n
strings.
• How big does n have to be in order to have a probability >0.5 of some string in that
subset having a given hash value?
• The answer is: choosing n = N+1 n = N+1, I have the certainty to find almost one of
such I have the certainty to find almost one of such strings. A more refined answer
gives: n= (ln 2) *N (for a large N).
• For a 128-bit hash function, you need to test 2128 inputs (approximately 1038) to get a
0.5 chance of pre-imaging the hash, that is to say, of getting a given hash value.
• How big does n have to be in order to have a probability >0.5 of two strings in that set
having the same hash value?
• The probability of no duplicate is: (N-1)/N * (N-2)/N * . . . * (N-n+1)/N = = (1-(1/N))
* (1-(2/N)) * . . . * (1-((n-1)/N) < e-1/N * e-2/N * . . . * e-(n-1)/N = = e-n(n-1)/2N The middle
inequality comes from 1-x<e-x.
• Setting this to be 0.5, approximating n(n-1) as n 2 and solving for n gives n=sqrt
(2*(ln 2) *N)
• To try to put these numbers into perspective: 1019 microseconds is 317000 years,
while 1038 microseconds is 1024 years
Cryptanalysis
• Cryptanalysis attacks on hash functions and MAC algorithms seek to exploit some
property ofthe algorithm to perform some attacks other than an exhaustive search.
• Cryptanalytic attacks exploit structure
–like block ciphers want brute-force attacks to be the best alternative
• Have a number of analytic attacks on iterated hash functions
–CVi = f [CVi-1, Mi]; H(M)=CVN
• Typically focus on collisions in function f
• Like block ciphers it is often composed of rounds
• Attacks exploit properties of round functions
4.6 Secure Hash Algorithm (SHA)
➢ Security Hash Algorithm (SHA) was developed in 1993 by the National Institute of
Standards and Technology (NIST) and National Security Agency (NSA).
➢ It was designed as the algorithm to be used for secure hashing in the US Digital
Signature Standard.
➢ Hashing function is one of the most commonly used encryption methods. A hash is a
special mathematical function that performs one-way encryption.
➢ It has following versions
• SHA-1
• SHA-224
• SHA-256
• SHA-384
• SHA-512
SHA-1 (Secure Hash Algorithm -1)
➢ SHA-l is a revised version of SHA designed by NIST and was published as a Federal
Information Processing Standard (FIPS).
➢ It works for any input message that is less than 2 64 bits.
➢ Like MD5, SHA-l processes input data in 512-bit blocks.
➢ SHA-l generates a 160-bit message digest. Whereas MD5 generated message digest of
128 bits.
➢ This is designed to be computationally infeasible to:
• Obtain the original message, given its message digest.
• Find two messages producing the same message digest.
Figure 4.14 SHA Structure
➢ The processing consists of the following 5 steps: Figure 4.14 shows the structure of
SHA
Step 1: Appending padding bits.
➢ A b-bit message M is padded in the following manner:
• Add a single “1” to the end of M
• Then pad message with “0’s” until the length of message is congruent to 448,
modulo 512 (which means pad with 0’s until message is 64-bits less than some
multiple of 512).
Step 2: Append Length
➢ A 64-bit representation of the length in bits of the original message (before the
padding) is appended to the result of step 1 (least significant byte first). If the original
length is greater than 264, then only the low-order 64 bits of the length are used. Thus,
field contains the length of the original message, modulo 264.
➢ The outcome of the first two steps yields a message that is an integer multiple of 512
bits in length. From the figure, expended message is represented as the sequence of
512-bit blocks Y0, Y1,Y2,YL−1,
➢ so that the total length of the expanded message is L × 512 bits. Equivalently, the
result is a multiple of 16 (32-bit) words.
➢ N = L ×16.
Step 3: Divide the input into 512-bit Blocks
➢ Divide the original input message into number of 512-bit blocks, M0, M1, …Mj.
Step 4: Initialize the Chaining variable (Buffer Initiation)
• A 512-bit buffer is used to intermediate and final results of the hash function.
• Initialize Message Digest (MD) to these five 32-bit words (buffer) A, B, C, D,
E to
o A = 01 23 45 67
o B = 89 AB CD EF
o C = FE DC BA 98
o D = 76 54 32 10
o E = C3 D2 E1 F0
Step 5: Process Blocks
➢ Process each Mj sequentially, one after the other
Step 5.1: Copy the chaining variables A-E to into variables a-e.
Step 5.2: Divide the current 512- bit block into 16 sub-blocks of 32 bits.
Step 5.3: SHA- 1 has four rounds, each consisting of steps.
• Each round takes 3 inputs.
o 512- bit blocks
o The register abcde
o A constant K[t] (where t= 0 to 79)
Round Value of t between
1 1 to 19
2 20 to 39
3 40 to 59
4 60 to 79
Figure 4.15 SHA-1 Processing of a Single 160-Bit Block
Step 5.4: SHA has a total of 80 iterations (4 rounds * 20 iterations). Each iteration
consists of following operations:
abcde = (e + process P+S5 (a) + W[t] + K [t], a, S30 (b), c, d
where,
abcde = The register made up of 5 variables a, b, c, d, e
Process P = The logic operation
St = Circular-left shift of 32- bit sub-block t bits.
W[t] = A 32-bit derived from the current 32-bit sub-block.
K[t] = One of the five additive constants.
Figure 4.16 SHA-1 Processing of a Single Round
➢ The Process P in each SHA round
➢ The values of W[t] are calculated as follows:
• For the first 16 words of W (i.e. t= 0 to 15), the contents of the input
message of sub-block M[t] become the contents of W[t].
• For the remaining 64 values of W are derived using the equations
W[t]= s1(W[t-16] XOR W[t-14] XOR W[t-8] XOR [ t-3])
SHA-512
➢ The algorithm takes as input a message with a maximum length of less than 2128 bits
and produces as output a 512-bit message digest. The input is processed in 1024-bit
blocks. Figure 4.17 depicts the overall processing of a message to produce adigest.
Figure 4.17 SHA-512 Structure
Step 1: Append padding bits
➢ The message is padded so that its length is congruent to 896 modulo 1024. Padding is
always added, even if the message is already of the desired length. So, the number of
padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit
followed by the necessary number of 0 bits.
Step 2: Append Length
➢ A block of 128 bits is appended to the message. This block is treated as an unsigned
128-bit integer that contains the length of the original message.
➢ The outcome of the first two steps produces a message that is an integer multiple of
1024 bits in length. In figure 4.12, the expanded message is represented as the
sequence of 1024 bit-blocks M1, M2,…. MN, hence that the total length of the
expanded message is N * 1024 bits.
Step 3: Initialize hash buffer
➢ A 512-bit buffer is used to hold intermediate and final results of the hash function.
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These
registers are initialized to the following 64-bit integers (hexadecimal values).
➢ These values are stored in big-endian format, which is the most significant byte of a
word in the low-address byte position.
Step 4: Process message in 1024-bit(128-word ) blocks
➢ It consits of 80 rounds. Each round takes as input the 512-bit buffer value abcdefgh
and updates the contents of the buffer.
Figure 4.18 SHA-1 Processing of a Single 1024-Bit Block
➢ Each round t makes use of a 64-bit value Wt. The output of the last round is added to
the input to the first round (Hi-1) to produce Hi. Fig 4.18 shows the processing of a
single 1024-bit block.
Step 5: Output
➢ After all N 1024-bit blocks have been processed, the output fro the N th stage is the
512-bit message digest.
➢ The behavior of SHA-512 as follows
H0 = IV
Hi = SUM64 (Hi-1, abcdefghi)
MD = HN
Where,
IV = Initial value of the abcdefgh buffer.
abcdefghi = The output of the round of processing of the ith message
block.
N = The number of blocks in the message.
MD = Final message digest value
SUM64 = Addition modulo 264 performed separaately on each word of
the pair or inputs.
SHA-512 round function
➢ Fig. 4.19 shows single round operation.
Figure 4.19 SHA 512 Single Round Function
➢ Each round is defined by the following set of equations
T1 =h + ch (e, f, g) + ) +Wt + Kt
T2 =( ) + Maj (a, b, c)
a = T1 + T2
b =a
c =b
d =c
e = d + T1
f =e
g =f
h =g
Characteristics of Secure Hash Algorithms
Difference between MD5 and SHA-1
4.7 Digital signature
➢ A digital signature is an authentication mechanism that enables the creator of a
message to attach a code, which acts as a signature.
➢ Digital signature is a cryptographic value that is calculated from the data and a secret
key known only by the signer.
➢ Signature is formed by taking the hash of the message and encrypting the message
with creator’s private key
➢ Signatures guarantees, the original content of the message or document that has been
sent is unchanged.
Properties Digital Signature
• Verify author, date & time of signature
• Authenticate message contents at the time of signature
• Be verified by third parties to resolve disputes
Requirements of DS
➢ The signature must be a bit pattern that depends on the message being signed.
➢ The signature must use some information unique to the sender
- to prevent both forgery and denial
➢ It must be relatively easy to produce the DS.
➢ It must be relatively easy to recognize and verify the DS
➢ Be computationally infeasible to forge
• with new message for existing digital signature
• with fraudulent digital signature for given message
Figure 4.20 Model of Digital Signature
➢ Fig. 4.20 is a generic model of the process of making and using digital signatures.
➢ Bob can sign a message using a digital signature algorithm. The inputs to the
algorithm are the message and Bob’s private key. Any other user, say Alice, can
verify the signature using a verification algorithm, whose inputs are the message, the
signature and Bob’s public key.
Approaches of Digital Signature
Two categories
1. Direct Digital Signatures
2. Arbitrated Digital Signature
4.7.1 Direct Digital Signatures
Digital Signature Model
➢ The Direct Digital Signature is only including two parties one to send message and
other one to receive it. According to direct digital signature both parties trust each
other and knows their public key. Figure 4.21 shows that DDS Approach.
Figure 4.21 Direct Digital Signature
➢ The sender generates hash code, which is act as signature and encrypt by
sender’s private key and send to receiver.
➢ The receiver generates hash code from the message and compare with sender’s
hash code.
➢ Here, the message is decrypted by sender’s public key.
Arbitrated Digital Signatures
➢ The Arbitrated Digital Signature includes three parties in which one is sender,
second is receiver and the third is arbiter who will become the medium for sending
and receiving message between them. The messages are less prone to get corrupted
because of timestamp being included by default.
Figure 4.22 Arbitrated Digital Signature
➢ It involves use of an arbiter who
• validates any signed message
• then dated and sent to recipient
➢ Requires suitable level of trust in arbiter
➢ It can be implemented with either private or public-key algorithms
➢ The arbiter may or may not see message
There are three different Arbitrated DS
1) Conventional Encryption, Arbiter Sees Message
In this technique, symmetric encryption is used.
Drawback
A can read the message from X to Y like an eavesdropper
2) Conventional Encryption, Arbiter does not see message
3) Public key Encryption, Arbiter does not see message
4.8 Authentication Protocols
➢ An authentication protocol is a type of computer
communications protocol or cryptographic protocol specifically designed for transfer
of authentication data between two entities. It is the most important layer of protection
needed for secure communication within computer networks.
➢ Also, it is used to convince parties of each other’s identity and to exchange session
keys. They may be one-way or mutual.
➢ The important two issues are
• confidentiality – to protect session keys
• timeliness – to prevent replay attacks
Types of Replay attacks
1. Simply replay: An attacker simply copies a message and relays it later.
2. Repetition that can be logged: Replay time stamped message within valid time.
3. Repetition that cannot be changed: The original message suppressed and it did not
arrive at its destination, that means, only replay messages arrives.
4. Backward replay without modification: This type of attack is possible if symmetric
encryption is used and the sender not able to easily recognize the difference between
messages sent and messages received on the basis of content.
Countermeasures include
• Use of sequence numbers (generally impractical)
• Timestamps (needs synchronized clocks)
• Challenge/response (using unique nonce)
One-Way Authentication
➢ In one-way authentication, one party wishes to be convinced of the identity of
another party.
➢ It required when sender & receiver are not in communications at same time (eg. E-
mail)
Password based authentication
➢ Password is a front-line protection against the unauthorized access(intruder) to the
system.
➢ It authenticates the identifier and provides security to the system.
1. Password Vulnerability
➢ Passwords can often be guessed.
➢ Use of mechanisms to keep passwords secret
Some techniques to protect password
➢ Longer password
➢ System assistance in password selection
2. Encrypted Passwords
➢ Instead of storing the names and passwords in plain text form, they are encrypted and
stored in cipher text form in the table.
3. One-time passwords
➢ When session begins, the system randomly selects the passwords
Password selection strategies
➢ Too short password is too easy to guess.
➢ If the password is 8 random character, it is impossible to crack. In order to eliminate
guessable passwords four techniques are suggested.
1. User education
2. Computer generated password
3. Reactive password checking
4. Proactive password checking
Certificate based authentication
➢ A certificate-based authentication scheme is a scheme that uses a public key
cryptography and digital certificate to authenticate a user.
➢ A digital certificate is an electronic form that contains identification data, public key,
and the digital signature of a certification authority derived from that certification
authority’s private key.
➢ When a user signs on to the server, he provides his digital certificate that has the
public key and signature of the certification authority.
➢ The server then confirms the validity of the digital signature and if the certificate has
been issued by a trusted certificate authority or not. The server then authenticates the
user with public key cryptography to confirm the user is in possession of the private
key associated with the certificate. Fig. 4.23 shows the certificate-based
authentication.
Fig. 4.23 Certificate based authentication
• Step 1: A sends his certificate
• Step 2: B verifies like name, validity period, CA etc.
• Step 3: B then sends his nonce R.
• Step 4: A responds by encrypting the nonce with his private key.
• Step 5: When B receives EA,pr (R), decrypts it with A’s public key and compares it
with the nonce transmitted in message 2.
• Step 6: If they match, he concludes that A has used the private key corresponding to
the public key in his certificate.
Mutual Authentication
➢ Mutual authentication, also called two-way authentication, is a process or technology
in which both entities in a communications link authenticate each other. In a network
environment, the client authenticates the server and vice-versa.
Two techniques
1. Based on a shared secret key
2. Using public key cryptography
Based on a shared secret key
➢ In this authentication approach, secret key is shared with both party such as source
and destination.
➢ The scheme is also known as “Challenge-Response protocol”
➢ Let KA,B be the shared secret key between Alice and Bob
Figure 4.24 The Challenge-Response Protocol
➢ ‘A’ sends her identity to ‘B’
➢ ‘B’ sends a challenge RB back to ‘A’
➢ ‘A’ responds to the challenge by encrypting RB with KA,B (denoted by KA,B (RB)), and
sending it back to ‘B’
➢ ‘A’ challenges ‘B’ by sending RA
➢ ‘B’ responds to the challenge by sending the encrypted message KA,B(RA)
➢ Now A and B are mutually authenticated.
Using public key cryptography
➢ In this approach, Alice sends a random number RA and identity by encrypting. Alice
uses Bob’s public key EB for sending message.
➢ When Bob receives this message, Bob sends Alice back a message containing Alice’s
random number RA and his own random number RB and proposed session key, Ks.
➢ When Alice gets message 2, Alice decrypts it using private key.
➢ After examining message 2, Alice finds out the random number RA. A knows that
message 2 is from Bob only. Then Alice agrees to the session by sending back
message to Bob.
➢ When Bob reads RB encrypted with the session key which is generated by Bob, Bob
knows that A got message 2 and verified RA.
4.9 Digital Signature Standard (DSS)
➢ Digital Signature Standard (DSS) is the digital signature algorithm (DSA) developed
by the U.S. National Security Agency (NSA) to generate a digital signature for
the authentication of electronic documents. The DSS makes use of the Secure Hash
Algorithm (SHA) and present a new digital signature technique.
Two approaches to Digital Signature
• DSS Approach
• RSA Approach
4.9.1 DSS Approach
➢ The DSS approach for generating digital signatures to that used with RSA.
➢ It makes use of hash function. Figure 4.24 shows DSS approach.
➢ The Hash code is provided as input to a signature function along with a random
number K generated for this particular signature.
➢ The signature function also depends on the sender's private key (PRa)and a set of
parameters known to a group of communicating principals and use of a global public
key (PUG).
➢ The Resulting signature contains two components as s and r.
➢ The output of the verification function is s value that is equal to the signature
component r if the signature is valid
Fig: 4.25 DSS Approach
4.9.2 RSA Approach
➢ In the RSA approach, the message to be signed is input to a hash function that
produces a secure hash code of fixed length.
➢ This hash code is then encrypted using the sender's private key to form the signature.
Both the message and the signature are then transmitted.
➢ The recipient takes the message and produces a hash code. The recipient also decrypts
the signature using the sender's public key.
➢ If the calculated hash code matches the decrypted signature, the signature is accepted
as valid.
Fig:4.26 RSA Approach
➢ Because only the sender knows the private key, only the sender could have produced
a valid signature. Figure 4.26 shows RSA approach.
Digital Signature Algorithm
➢ There are three parameters that are public and can be common to a group of users.
➢ A 160-bit prime number q is chosen.
➢ Then, a prime number p is selected with a length between 512 and 1024 bits such that
q divides (P-1).
➢ Choose g = h(p-1)/q where 1<h<p-1 and h(p-1)/q mod p > 1
private key
• choose random private key x where x < q
Public key
• compute public key: y = gx mod p
➢ To create a signature, a user calculates two quantities r and s, that are functions of
public key components (p, q, g) the user's private key (x), the hash code of the
message, H(M), and an additional integer k that should be generated randomly or
pseudorandomly and be unique for each signing.
Computes signature pair
r = (gk mod p) mod q
s = [k-1(H(M)+ xr)] mod q
➢ Now, sends signature (r, s) with message M
Signature Verification
➢ After receiving M and signature (r, s), need to verify a signature. Now recipient
computes:
w = s-1 mod q
u1= [H(M)w] mod q
u2= (rw)mod q
v = [(gu1 yu2) mod p] mod q
➢ if v = r then signature is verified. Figure 4.27 shows DSS Signing and Verifying.
(a) Signing (b) Verifying
Fig: 4.27 DSS Signing and Verifying
4.10 Entity Authentication
➢ Entity authentication is a technique designed to let one party prove the identity of
another party. An entity can be a person, a process, a client, or a server. The entity
whose identity needs to be proved is called the claimant; the party that tries to prove
the identity of the claimant is called the verifier.
Data-Origin Versus Entity Authentication
➢ There are two differences between message authentication (data-origin
authentication), and entity authentication.
1) Message authentication might not happen in real time; entity authentication does.
2) Message authentication simply authenticates one message; the process needs to be
repeated for each new message. Entity authentication authenticates the claimant for
the entire duration of a session.
Verification Categories
➢ In entity authentication, the claimant must identify herself to the verifier. This can be
done with one of three kinds of witnesses.
• Something known
o This is a secret known only by the claimant that can be checked by the
verifier. Examples are a password, a PIN, a secret key, and a private
key.
• Something possessed
o This is something that can be prove the claimant’s identity. Examples
are a passport, a driver’s license, a credit card etc.
• Something inherent
o This is an inherent characteristic of the claimant. Examples are
conventional signatures, fingerprints, voice and handwriting.
4.11 Passwords
➢ The simplest and oldest method of entity authentication is the password-based
authentication, where the password is something that the claimant knows. A password
is used when a user needs to access a system to use the system’s resources (login).
Each user has a user identification that is public, and a password that is private. The
authentication schemes divide into groups.
• Fixed Password
• One-Time Password
4.11.1 Fixed Password
➢ A fixed password is a password that is used over and over again for every access.
First Approach
➢ The system keeps a table (a file) that is sorted by user identification. To access the
system resources, the user sends their identification and password, in plaintext, to the
system. The system uses the identification to find the password in the table. If the
password sent by the user matches the password in the table, access is granted;
otherwise, it is denied. Fig. 4.28 shows this approach.
Figure 4.28 First Approach in Fixed password
Attacks on the First Approach
• Eavesdropping
• Stealing a password
• Accessing a password file
• Guessing
Second Approach
➢ A more secure approach is to store the hash of the password (instead of the plaintext
password) in the password file. Any user can read the contents of the file but the hash
function is a one-way function, it is almost impossible to guess the value of the
password. Figure 4.29 shows this approach, the system hashes it and stores the hash in
the password file when the password is created.
Figure 4.29 Second Approach in Fixed password
➢ When the user sends the ID and the password, the system creates a hash of the
password and then compares the hash value with the one stored in the table. If there is
a match, the user is granted access otherwise access is denied.
Attacks on the second approach
➢ Dictionary Attack
Third Approach
➢ The third approach is called salting the password. When the password string is created
a random string, called the salt, is concatenated to the password. The salt password is
then hashed. The ID, the salt and the hash are then stored in the file. When a user asks
for access, the system extracts the salt concatenates it with the received password,
makes a hash out of the result and compares it with the hash stored in the file. If there
is a match, access is granted otherwise it is denied.
➢ Figure 4.30 shows this approach.
Figure 4.30 Third Approach in Fixed password
➢ Salting makes the dictionary attack more difficult. If the original password is 6 digits
and the salts is 4 digits, then hashing is done over a 10 digit value. To attack this,
needs to make 10 million items to create a hash for each of them.
Fourth Approach
4.11.2 One-Time Password
➢ A one-time password is a password that is used only once.
First Approach
➢ In this approach, the user and the system agree upon a list of passwords. Each
password on the list can be used only once.
Drawbacks
➢ The system and the user must keep a long list of passwords.
➢ If the user does not use the passwords in sequence, the system needs to perform a long
search to find the match.
Second Approach
➢ In the second approach, the user and the system agree to sequentially update the
password.
Third Approach
➢ In the third approach, the user and the system create a sequentially updated password
using a hash function.
➢ In this approach, elegantly devised by Leslie Lamport, the user and the system agree
upon on original password, P0 and a counter n. the system calculates hn(P0), where hn
means applying a hash function n time. Figure 4.31 shows how user access the system
the first time.
Figure 4.31 Third Approach in One-time password
➢ When the system receives the response of the user in the third message, it applies the
hash function to the value received to see if it matches the value stored in the entry.
➢ If there is a match, access is granted otherwise it is denied. The system then
degrements the value of n in the entry and replaces the old value of the password
hn(P0) with the new value hn-1(P0).
➢ When the user tries to access the system for second time, the value of the counter it
receives is n-1. The third message from the user is now hn-2(P0).
➢ When the system receives this message, it applies the hash functions to get h n-1(P0),
which can be compared with the updated entry.
➢ The value of n in the entry is decremented each time there is an access. When the
value becomes 0, the user can no longer access the system; everything must be setup
again. For this reason, the value of n is normally chosen as a large number such as
1000.
4.12 Challenge Response protocols
➢ In challenge-response authentication, the claimant proves that she knows a secret
without sending it to the verifier.
➢ The challenge is a time-varying value sent by the verifier; the response is the result of
a function applied on the challenge.
Using a Symmetric-Key Cipher
➢ Several approaches to challenge-response authentication use symmetric key
encryption. The secret here is the shared secret key, known by both the claimant and
the verifier. The function is the encrypting algorithm applied on the challenge.
First Approach
➢ In this approach, the verifier sends a nonce, a random number used only once, to
challenge the claimant.
➢ A nonce must be time-varying; every time it is created, it is different. The claimant
responses to the challenge using the secret key shared between the claimant and the
verifier. Figure 4.32 shows this first approach.
Figure 4.32 First Approach using Symmetric Key Cipher
➢ The first message is not part of challenge response, only informs the verifier that the
claimant wants to be challenged.
➢ The second message is the challenge, RB is the nonce randomly chosen by the verifier
(Bob) to challenge the claimant.
➢ The claimant encrypts the nonce using the shared the secret key know only to the
claimant and the verifier and sends the result to the verifier.
➢ The verifier decrypts the message. If the nonce obtained from decryption is the same
as the one sent by the verifier, Alice is granted access.
Second Approach
➢ In this approach, the time-varying value is a timestamp, which obivously changes
with time. The challenge message is the current time sent from the verifier to the
claimant.
➢ The claimant knows the current time. The first and second messages can be
combined.
➢ The result is that authentication can be done using one message. The figure 4.33
shows this approach.
Figure 4.33 Second Approach using Symmetric Key Cipher
Third Approach
➢ The first and second approaches are for unidirectionals authentication. Alice is
authenticated to Bob, but not other side.
➢ If Alice also needs to be sure about Bob’s identity, needs bidirectional
authentication. The figure 4.34 shows the third approach.
➢ The second message RB is the challenge from Bob to Alice. In the third message,
Alice responds to Bob’s challenge and at the same time, sends her challenge RA to
Bob. The third message is Bob’s response.
➢ The fourth message the order of RA and RB are switched to prevent a replay attack.
Figure 4.34 Third Approach using Symmetric Key Cipher
Using Keyed-Hash Functions
➢ Instead of using encryption/decryption for entity authentication, we can also use a
keyed-hash function (MAC).
➢ It prevents the integrity of challenge and response messages and at the same time uses
a secret key. Figure 4.35 shows a keyed-hash function, how to create a challenge
response with a timestamp.
Figure 4.35 Keyed Hash Function
➢ Here, the timestamp is sent both as plaintext and as text scrambled by the keyed-hash
function.
➢ When Bob receives the message, he takes the plaintext T, applies the keyed-hash
function and then compares his calculation with what he received to determine the
authenticity of Alice.
Using an Asymmetric-Key Cipher
➢ In this cipher, Verifier encrypts the challenge with the Public key of the claimant.
Then the Claimant decrypts the challenge with her private key.
First Approach
➢ It is the unidirectional approach. Bob encrypts the challenge using Alice’s public key.
➢ Alice decrypts the message with her private key and sends the nonce to Bob. Figure
4.36 shows this approach.
Figure 4.36 First Approach using Asymmetric Key Cipher
Second Approach
➢ It is the bidirectional approach. In this approach, two public keys are used, one in each
direction.
➢ Alice sends her identity and nonce encrypted with Bob’s public key. Bob response
with his nonce encrypted with Alice’s public key.
➢ Finally, Alice, responds with Bob’s decrypted nonce. Figure 4.37 shows this
approach.
Figure 4.37 Second Approach using Asymmetric Key Cipher
Using Digital Signature
➢ Entity authentication can also be achieved using a digital signature. When a digital is
used for entity authentication, the claimant uses her private key for signing.
First approach
➢ In this first approach, Bob uses a plaintext challenge and Alice signs the response.
Figure 4.38 shows this approach.
Figure 4.38 First Approach using Digital Signature
Second Approach
➢ In this approach, Alice and Bob authenticate each other. Figure 4.39 shows this
approach.
Figure 4.39 Second Approach using Digital Signature
4.13 Biometrics
➢ Biometrics is the measurement of physiological or behavioral features that identify a
person (authentication something inherent).
➢ It measures features that cannot be guessed, stolen or shared.
➢ Figure 4.40 shows the classification of biometrics.
Components
➢ Several components are needed for biometrics, including capturing devices,
processors and storage devices.
➢ Capturing devices such as readers or sensors measure biometrics features. Processors
change the measured features to the type of data appropriate for saving.
➢ Storage devices save the result of processing for authentication.
Enrollment
➢ The corresponding feature of each person in the community supposed to be in the
database before using any biometric techniques for authentication. This is referred to
as enrollment.
Authentication
➢ Authentication is done by verification and identification.
Verification
➢ A person’s feature is matched against a single record in the database (one-to-one
matching) to find if she/he is who is claiming to be.
Identification
➢ A person’s feature is matched against all records in the database to find if she/he has a
record in the database.
Techniques
➢ Biometrics techniques can be divided into two broad categories.
o Physiological
o Behaviroal
4.13.1 Physiological Techniques
➢ This technique measures the physical traits of the human body for verification and
identification. The trait should be unique among all and feature should be changeable
due to aging, surgery, illness, disease and so on. There are several physiological
techniques are there.
Finger Print
➢ Fingerprints have been used for a long time. They show a high level of accuracy and
support verification and identification. It can be altered by aging, injury or disease.
Figure 4.40 Classification of Biometrics
Iris
➢ It measures the pattern within the iris that is unique for each person. They are very
accurate and stable over a person’s life. Its support verification and identification.
Retina
➢ The devices for this purpose examine the blood vessels in the back of the eyes. But
these devices are expensive and not common yet.
Face
➢ This technique analyses the geometry of the face based on the distance between facial
features such as the nose, mouth and eyes. It is support for verification and
identification.
Hands
➢ This technique measures the dimension of hands, including the shape and length of
the fingers. It is suitable for verification and identification.
Voice
➢ It is measures pitch, cadence and tone in the voice. It can be used locally or remotely.
This method used for verification.
DNA
➢ It is the chemical found in the nucleus of all cells of humans and most other
organisms. The pattern is persistent throughout life and even after death. It is
extremely accurate. It can be used for verification and identification. The only
problem is that identical twins may share the same DNA.
4.13.2 Behaviroal Techniques
➢ It measures some human behaviour traits. It needs to be monitored to ensure the
claimant behaves normally and does not attempt to impersonate someone else.
Signature
➢ Biometric approaches use signature tablets and special pens to identify the person.
Signature are mostly used for verification.
Keystroke
➢ It is measuring the behaviour of a person related to working with a keyboard. It can
measure the duration of key depression, the time between keystrokes, number and
frequency of errors, the pressure on the keys and so on.
4.14 Authentication Applications
➢ Authentication is the process of recognizing a user's identity. It is the mechanism of
associating an incoming request with a set of identifying credentials.
➢ Most widely used services:
• Kerberos
• X.509
➢ Kerberos – a private-key authentication service
➢ X.509 – a public-key directory authentication service
4.15 Kerberos
➢ It is a network authentication protocol designed to allow users, clients and servers,
authenticate themselves to each other through a trusted third party.
➢ Kerberos was designed and developed as part of Project Athena at MIT.
➢ It is done with Symmetric encryption- using no public keys
➢ It provides centralised private-key third-party authentication in a distributed network
➢ Currently, Kerberos is upto 5. Version 4 being the first version to be released outside
of MIT.
➢ This mutual authentication is done using secret key cryptography with parties proving
to each other their identity across an insecure network
➢ Communication between the client and server can be secure after the client and server
have used Kerberos to prove their identity.
Kerberos Requirements
➢ Security-strong enough to stop potential eavesdroppers from finding it to be a weak
link
➢ Reliability- is highly reliable employing a distributed server where one server is able
to back up another.
➢ Transparency-user is not aware that authentication is taking place beyond providing
passwords.
➢ Scalability – accept and support new clients and servers.
• To meet these requirements, Kerberos designers proposed a third-party trusted
authentication service to arbitrate between the client and server in their mutual
authentication.
Kerberos Version 4
Kerberos Overview
➢ Kerberos Version 4 makes use of DES, to provide the authentication service. Figure
4.41 shows overview of Kerberos.
A Simple Authentication Dialogue
➢ For secure transaction, server should confirm the client and its request. In unprotected
network it creates burden on server, therefore an authentication server (AS) is used.
➢ An authentication server (AS) maintains password of all users in centralized database.
Also, the authentication server shares a unique secret key with each other.
➢ (1) C -> AS : IDC || PC || IDV
❖ C = client
❖ AS = authentication server
❖ IDC = identifier of user on C
❖ PC = password of user on C
❖ IDV = identifier of server V
❖ C asks user for the password
❖ AS checks that user supplied the right password
➢ (2) AS -> C: Ticket
➢ Ticket = E K(V) [IDC || ADC || IDV]
• K(V) = secret encryption key shared by AS and V
• ADC = network address of C
• Ticket cannot be altered by C or an adversary
➢ (3) C -> V: IDC || Ticket
Figure 4.41 Overiew of Kerberos
Secure Authentication Dialogue
➢ The new service, TGS, issues tickets to users who have been authenticated to AS.
Thus, the user first requests a ticket-granting ticket (Tickettgs) from the AS. The client
module in the user workstation saves this ticket. Each time the user requires access to
a new service, the client applies to the TGS, using the ticket to authenticate itself.
➢ The TGS then grants a ticket for the particular service. The client saves each service-
granting ticket and uses it to authenticate its user to a server each time a particular
service is requested. The client requests a ticket-granting ticket on behalf of the user
by sending its user's ID and password to the AS, together with the TGS ID, indicating
a request to use the TGS service.
➢ The AS responds with a ticket that is encrypted with a key that is derived from the
user's password. When this response arrives at the client, the client prompts the user
for his or her password, generates the key, and attempts to decrypt the incoming
message. If the correct password is supplied, the ticket is successfully recovered.
➢ The ticket itself consists of the ID and network address of the user, and the ID of the
TGS.
Once per user logon session:
(1) C -> AS: IDC||IDtgs
(2) AS -> C: E(Kc, Tickettgs)
Once per type of service:
(3) C ->TGS: IDC||IDV||Tickettgs
(4) TGS -> C: Ticketv
Once per service session:
(5) C -> V: IDC||Ticketv
Tickettgs = E(Ktgs, [IDC||ADC||IDtgs||TS1||Lifetime1])
Ticketv = E(Kv, [IDC||ADC||IDv||TS2||Lifetime2])
Kerberos Realms
➢ A Kerberos realm is a set of managed nodes that share the same Kerberos database.
The Kerberos database resides on the Kerberos master computer system, which
should be kept in a physically secure room.
➢ A read-only copy of the Kerberos database might also reside on other Kerberos
computer systems. However, all changes to the database must be made on the master
computer system.
➢ Changing or accessing the contents of a Kerberos database requires the Kerberos
master password.
➢ A Kerberos principal is a service or user that is known to the Kerberos system. Each
Kerberos principal is identified by its principal name. Principal names consist of three
parts: a service or user name, an instance name, and a realm name.
Fig. 4.42 Request for service in another realm
The details of the exchanges illustrated in Figure 4.42 are as follows:
(1) C -> AS: IDc||IDtgs||TS1
(2) AS -> C: E(Kc, [Kc,tgs||IDtgs||TS2||Lifetime2||Tickettgs])
(3) C -> TGS: IDtgsrem||Tickettgs||Authenticatorc
(4) TGS -> C: E(Kc,tgs, [Kc,tgsrem||IDtgsrem||TS4||Tickettgsrem])
(5) C ->TGSrem: IDvrem||Tickettgsrem||Authenticatorc
(6) TGSrem -> C: E(Kc,tgsrem, [Kc,vrem||IDvrem||TS6||Ticketvrem])
(7) C -> Vrem: Ticketvrem||Authenticatorc
Kerberos Version 5
Kerberos Version 5 is specified in RFC 1510 and provides a number of improvements over
version 4.
Version 5 is intended to address the limitations of version 4 in two areas: environmental
shortcomings and technical deficiencies
Environmental Shortcomings
1. Encryption system dependence: Version 4 requires the use of DES. Export restriction on
DES as well as doubts about the strength of DES were thus of concern. In version 5,
ciphertext is tagged with an encryption type identifier so that any encryption technique may
be used. Encryption keys are tagged with a type and a length, allowing the same key to be
used in different algorithms and allowing the specification of different variations on a given
algorithm.
2. Internet protocol dependence: Version 4 requires the use of Internet Protocol (IP)
addresses. Other address types, such as the ISO network address, are not accommodated.
Version 5 network addresses are tagged with type and length, allowing any network address
type to be used.
3. Message byte ordering: In version 4, the sender of a message employs a byte ordering of
its own choosing and tags the message to indicate least significant byte in lowest address or
most significant byte in lowest address. This technique works but does not follow established
conventions. In version 5, all message structures are defined using Abstract Syntax Notation
One (ASN.1) and Basic Encoding Rules (BER), which provide an unambiguous byte
ordering.
4.Ticket lifetime: Lifetime values in version 4 are encoded in an 8-bit quantity in units of
five minutes. Thus, the maximum lifetime that can be expressed is 28 x 5 = 1280 minutes, or
a little over 21 hours. This may be inadequate for some applications (e.g., a long-running
simulation that requires valid Kerberos credentials throughout execution). In version 5,
tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.
5. Authentication forwarding: Version 4 does not allow credentials issued to one client to
be forwarded to some other host and used by some other client. This capability would enable
a client to access a server and have that server access another server on behalf of theclient.
6. Interrealm authentication: In version 4, interoperability among N realms requires on the
order of N2 Kerberos-to-Kerberos relationships, as described earlier. Version 5 supports a
method that requires fewer relationships, as described shortly.
Technical Deficiencies
1. Double encryption: The tickets provided to clients are encrypted twice, once with the
secret key of the target server and then again with a secret key known to the client. The
second encryption is not necessary and is computationally wasteful.
2. PCBC encryption: Encryption in version 4 makes use of a nonstandard mode of DES
known as propagating cipher block chaining (PCBC). It has been demonstrated that this mode
is vulnerable to an attack involving the interchange of ciphertext blocks. Version 5 provides
explicit integrity mechanisms, allowing the standard CBC mode to be used for encryption.
3. Session keys: Each ticket includes a session key that is used by the client to encrypt the
authenticator sent to the service associated with that ticket. In addition, the session key may
subsequently be used by the client and the server to protect messages passed during that
session. However, because the same ticket may be used repeatedly to gain service from a
particular server, there is the risk that an opponent will replay messages from an old session
to the client or the server. In version 5, it is possible for a client and server to negotiate a sub-
session key, which is to be used only for that one connection.
4. Password attacks: Both versions are vulnerable to a password attack.
4.16 X.509 Certificate
➢ An X.509 certificate is a digital certificate that uses the widely accepted international
X.509 public key infrastructure (PKI) standard to verify that a public key belongs to
the user, computer or service identity contained within the certificate.
➢ An X.509 certificate contains a public key and an identity (a hostname, or an
organization, or an individual), and is either signed by a certificate authority or self-
signed. When a certificate is signed by a trusted certificate authority, or validated by
other means, someone holding that certificate can rely on the public key it contains to
establish secure communications with another party, or validate documents digitally
signed by the corresponding private key.
Issued by a Certification Authority (CA)
It consists of
• version V (1, 2, or 3)
• serial number SN (unique within CA) identifying certificate
• signature algorithm identifier AI
• issuer X.500 name CA
• period of validity TA (from - to dates)
• subject X.500 name A (name of owner)
• subject public-key info Ap (algorithm, parameters, key)
• issuer unique identifier (v2+)
• subject unique identifier (v2+)
• extension fields (v3)
• signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
Fig. 4.43 Public-key Certificate
Certificates
➢ The heart of the X.509 scheme is the public-key certificate associated with each user.
These user certificates are assumed to be created by some trusted certification
authority (CA) and placed in the directory by the CA or by the user.
➢ The directory server itself is not responsible for the creation of public keys or for the
certification function. Figure 4.43 illustrates the genration of public key certificates.
Fig. 4.44 X.509 Formats
➢ Version: Differentiates among successive versions (1, 2, and 3) of the certificate
format.
➢ Serial number: An integer value unique within the issuing CA.
➢ Signature algorithm identifier: The algorithm used to sign the certificate together
with any associated parameters.
➢ Issuer name: the name of the CA that created and signed this certificate.
➢ Period of validity: Consists of two dates: the first and last on which the certificate is
valid.
➢ Subject name: The name of the user to whom this certificate refers.
➢ Subject’s public-key information: The public key of the subject, plus an identifier
of the algorithm for which this key is to be used, together with any associated
parameters.
➢ Issuer unique identifier: (optional) used to identify uniquely the issuing CA.
➢ Subject unique identifier :( optional) used to identify uniquely the subject.
➢ Extensions: A set of one or more extension fields.
➢ Signature: it contains the hash code of the other fields encrypted with the CA’s
private key. This field includes the signature algorithm identifier.
The standard uses the following notation to define a certificate: CA<<A>> = CA {V, SN, AI,
CA, TA, A, Ap}
Where Y <<X>> = the certificate of user X issued by certification authority Y
Y {I} = the signing of I by Y. It consists of I with an encrypted hash code append
V- Version of the certificate
SN- serial number of the certificate
AI- identifier of the algorithm used to sign the certificate
CA- name of CA
A- Name of user A
Ap- public key of user A
TA- period of validity of the C
Obtaining a Certificate
➢ Any user with access to CA can get any certificate from it
➢ Only the CA can modify a certificate
➢ Because cannot be forged, certificates can be placed in a public directory
CA Hierarchy
➢ If both users share a common CA then they are assumed to know its public key
➢ Otherwise CA's must form a hierarchy
➢ Use certificates linking members of hierarchy to validate other CA's
⚫ each CA has certificates for clients (forward) and parent (backward)
➢ Each client trusts parents certificates
➢ Enable verification of any certificate from one CA by users of all other CAs in
hierarchy
Certificate Revocation
➢ Certificates have a period of validity
➢ May need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
➢ CA’s maintain list of revoked certificates
1. The Certificate Revocation List (CRL)
➢ Users should check certificates with CA’s CRL.
PART B
Important Questions
1) Explain about Authentication function in detail.
2) Describe in detail about MAC.
3) Explain Security of hash function and MAC in detail.
4) Describe about SHA in detail.
5) Discuss Digital signature and authentication protocols in detail.
6) Explain DSS in detail.
7) Explain the following.
i) Biometrics
ii) Passwords
iii) Challenge Response protocols
8) Explain the various authentication applications in detail.
9) What is Kerberos? Explain how it provides authenticated service.
10) Explain the format of the X.509 certificate