Modern Cryptography


UNIT I INTRODUCTION

Cryptography and modern cryptography – Setting of private-key encryption – Historical ciphers and their cryptanalysis – Basic principles of modern cryptography – Services, Mechanisms and Attacks – OSI security architecture.

1.1 Origin of Cryptography

Human beings have, from the earliest times, had two inherent needs: (a) to communicate and share information, and (b) to communicate selectively. These two needs gave rise to the art of coding messages in such a way that only the intended people could access the information. Unauthorized people could not extract any information, even if the scrambled messages fell into their hands.

The art and science of concealing messages so as to provide secrecy is known as cryptography.

The word 'cryptography' was coined by combining two Greek words, 'kryptos' meaning hidden and 'graphein' meaning to write.

History of Cryptography

The art of cryptography is considered to have been born along with the art of writing. As civilizations evolved, human beings organized themselves into tribes, groups, and kingdoms. This led to the emergence of ideas such as power, battles, supremacy, and politics. These ideas further fueled the natural need of people to communicate secretly with selected recipients, which in turn ensured the continuous evolution of cryptography as well.

The roots of cryptography are found in Roman and Egyptian civilizations.

Hieroglyph − The Oldest Cryptographic Technique

The first known evidence of cryptography can be traced to the use of hieroglyphs. Some 4000 years ago, the Egyptians used to communicate by messages written in hieroglyphs. This code was a secret known only to the scribes who transmitted messages on behalf of the kings. (The figure of a sample hieroglyph inscription is not reproduced here.)

Later, scholars moved on to using simple monoalphabetic substitution ciphers during 500 to 600 BC. This involved replacing the letters of a message with other letters according to some secret rule. This rule became the key for recovering the message from the garbled text.

The early Roman method of cryptography, popularly known as the Caesar shift cipher, relies on shifting the letters of a message by an agreed number (three was a common choice). The recipient of the message then shifts the letters back by the same number and obtains the original message.

Steganography

Steganography is similar to cryptography but adds another dimension. In this method, people not only want to protect the secrecy of information by concealing it, but they also want to make sure any unauthorized person gets no evidence that the information even exists. Invisible watermarking is one example.

In steganography, an unintended recipient or an intruder is unaware of the fact that the observed data contains hidden information. In cryptography, an intruder is normally aware that data is being communicated, because they can see the coded/scrambled message.

1.2 Evolution of Cryptography

During and after the European Renaissance, various Italian and Papal states led the rapid proliferation of cryptographic techniques. Various analysis and attack techniques were researched in this era to break the secret codes.

• Improved coding techniques such as the Vigenère cipher came into existence in the 16th century; it shifts the letters of the message by a varying number of places, determined by a keyword, instead of shifting them all by the same number of places.
• Only after the 19th century did cryptography evolve from ad hoc approaches to encryption into the more sophisticated art and science of information security.
• In the early 20th century, the invention of mechanical and electromechanical machines, such as the Enigma rotor machine, provided more advanced and efficient means of coding information.
• During the period of World War II, both cryptography and cryptanalysis became intensely mathematical.

With the advances taking place in this field, government organizations, military units, and some
corporate houses started adopting the applications of cryptography. They used cryptography to
guard their secrets from others. Now, the arrival of computers and the Internet has brought
effective cryptography within the reach of common people.
1.3 Cryptography Defined/Brief History
If you want to keep information secret, you have two possible strategies: hide the existence of
the information, or make the information unintelligible. Cryptography is the art and science of
keeping information secure from unintended audiences, of encrypting it. Conversely,
cryptanalysis is the art and science of breaking encoded data. The branch of mathematics
encompassing both cryptography and cryptanalysis is cryptology.

Modern cryptography uses sophisticated mathematical equations (algorithms) and secret keys
to encrypt and decrypt data.

Today, cryptography is used to provide secrecy and integrity to our data, and both
authentication and anonymity to our communications.

Modern Historical Overview

Cryptology was a public field in the United States until World War I, when the Army and Navy realized its value to national security and began working in secret. Through the early 1970s, cryptology was dominated by the government, both because computers were very expensive and because the government released very little information. It returned to mainstream academic and scientific communities in a sort of cryptology renaissance when the computer revolution made computers more readily available and when demand for encryption increased due to fundamental changes in the ways America communicated.

The increase in demand for cryptography was driven by industry interest (e.g., financial services
required secure electronic transactions and businesses needed to secure trade secrets stored
on computers), and individual interest (e.g., secure wireless communications). Digital
communications were obvious candidates for encryption.

1.4 Principles of Modern Cryptography
Modern cryptographers emphasize that security should not depend on the secrecy of the encryption method (or algorithm), only on the secrecy of the keys. An attacker who can compare plaintext with the corresponding ciphertext must not be able to recover the key, and the key must be known to no one but the communicating parties. Modern algorithms are based on mathematically difficult problems, for example prime factorization and discrete logarithms. There is no mathematical proof that these problems are in fact hard, only empirical evidence.

Modern cryptographic algorithms are too complex to be executed by humans. Today's algorithms are executed by computers or specialized hardware devices, and in most cases are implemented in computer software.

The design of secure systems using encryption techniques focuses mainly on the protection of (secret) keys. Keys can be protected either by encrypting them under other keys or by protecting them physically, while the algorithm used to encrypt the data is made public and subjected to intense scrutiny. When cryptographers hit on an effective method of encryption (a cipher), they can patent it as intellectual property and earn royalties when their method is used in commercial products. In the current open environment, many good cryptographic algorithms are available in bookstores, libraries, on the Internet, and from patent offices.

Modern cryptography is the cornerstone of computer and communications security. Its foundation is based on various concepts of mathematics such as number theory, computational complexity theory, and probability theory.

Characteristics of Modern Cryptography

There are three major characteristics that separate modern cryptography from the classical approach.

Classic cryptography:
• It manipulates traditional characters, i.e., letters and digits, directly.
• It is mainly based on 'security through obscurity'. The techniques employed for coding were kept secret, and only the parties involved in the communication knew about them.
• It requires the entire cryptosystem to be kept secret for communicating confidentially.

Modern cryptography:
• It operates on binary bit sequences.
• It relies on publicly known mathematical algorithms for coding the information. Secrecy is obtained through a secret key, which is used as the seed for the algorithms. The computational difficulty of the algorithms and the absence of the secret key make it infeasible for an attacker to obtain the original information even if he knows the algorithm used for coding.
• It requires the parties interested in secure communication to possess only the secret key.

Context of Cryptography

Cryptology, the study of cryptosystems, can be subdivided into two branches:

• Cryptography
• Cryptanalysis

What is Cryptography?

Cryptography is the art and science of making a cryptosystem that is capable of providing
information security.

Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information security
services. You can think of cryptography as the establishment of a large toolkit containing
different techniques in security applications.

What is Cryptanalysis?

The art and science of breaking cipher text is known as cryptanalysis.

Cryptanalysis is the sister branch of cryptography, and the two co-exist. The cryptographic process results in the cipher text for transmission or storage; cryptanalysis is the study of cryptographic mechanisms with the intention of breaking them. Cryptanalysis is also used during the design of new cryptographic techniques to test their security strength.

Note − Cryptography concerns with the design of cryptosystems, while cryptanalysis studies the
breaking of cryptosystems.

1.5 A MODEL FOR NETWORK SECURITY

A model for much of what we will be discussing is captured, in very general terms, in Figure 1.1. A message is to be transferred from one party to another across some sort of Internet service.

All the techniques for providing security have two components:

• A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.

• Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.

Figure 1.1 Model for Network Security

This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

Other security-related situations of interest do not neatly fit the model of Figure 1.1. A general model of these situations is illustrated by Figure 1.2, which reflects a concern for protecting an information system from unwanted access. Most readers are familiar with the concerns caused by the existence of hackers, who attempt to penetrate systems that can be accessed over a network. The hacker can be someone who, with no malign intent, simply gets satisfaction from breaking and entering a computer system. The intruder can be a disgruntled employee who wishes to do damage or a criminal who seeks to exploit computer assets for financial gain (e.g., obtaining credit card numbers or performing illegal money transfers).

Figure 1.2 Network Access Security Model

Another type of unwanted access is the placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs, such as editors and compilers. Programs can present two kinds of threats:
• Information access threats: intercept or modify data on behalf of users who should not have access to that data.
• Service threats: exploit service flaws in computers to inhibit use by legitimate users.

Viruses and worms are two examples of software attacks. Such attacks can be introduced into a system by means of a disk that contains the unwanted logic concealed in otherwise useful software.

The security mechanisms needed to cope with unwanted access fall into two broad categories (see Figure 1.2). The first category might be termed a gatekeeper function. It includes password-based login procedures that are designed to deny access to all but authorized users, and screening logic that is designed to detect and reject worms, viruses, and other similar attacks. Once either an unwanted user or unwanted software gains access, the second line of defense comes into play: a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.

1.6. CLASSICAL ENCRYPTION TECHNIQUES
Symmetric encryption is a form of cryptosystem in which encryption and decryption are
performed using the same key. It is also known as conventional encryption.
• Symmetric encryption transforms plaintext into cipher text using a secret key and
an encryption algorithm. Using the same key and a decryption algorithm, the
plaintext is recovered from the cipher text.
• The two types of attack on an encryption algorithm are cryptanalysis, based on
properties of the encryption algorithm, and brute-force, which involves trying all
possible keys.
• Traditional (pre-computer) symmetric ciphers use substitution and/or transposition techniques. Substitution techniques map plaintext elements (characters, bits) into cipher text elements. Transposition techniques systematically transpose the positions of plaintext elements.
• Rotor machines are sophisticated pre-computer hardware devices that use substitution techniques.
• Steganography is a technique for hiding a secret message within a larger one in
such a way that others cannot discern the presence or contents of the hidden
message.

An original message is known as the plaintext, while the coded message is called
the cipher text. The process of converting from plaintext to cipher text is known as
enciphering or encryption; restoring the plaintext from the cipher text is deciphering or
decryption. The many schemes used for encryption constitute the area of study known
as cryptography.
Such a scheme is known as a cryptographic system or a cipher. Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis. Cryptanalysis is what the layperson calls "breaking the code." The areas of cryptography and cryptanalysis together are called cryptology.

1.7 SYMMETRIC CIPHER MODEL
A symmetric encryption scheme has five ingredients (Figure 1.3):
•Plaintext: This is the original intelligible message or data that is fed into the algorithm as
input.
•Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
•Secret key: The secret key is also input to the encryption algorithm. The key is a
value independent of the plaintext and of the algorithm. The algorithm will produce
a different output depending on the specific key being used at the time. The exact
substitutions and transformations performed by the algorithm
depend on the key.
• Cipher text: This is the scrambled message produced as output. It depends on the
plaintext and the secret key. For a given message, two different keys will produce two
different cipher texts. The cipher text is an apparently random stream of data and, as it
stands, is unintelligible.
• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It
takes the cipher text and the secret key and produces the original plaintext.

Figure 1.3 Simplified Model of Symmetric Encryption

PANIMALAR ENGINEERING COLLEGE

There are two requirements for secure use of conventional encryption:

1. We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more cipher texts would be unable to decipher the cipher text or figure out the key. This requirement is usually stated in a stronger form: the opponent should be unable to decrypt cipher text or discover the key even if he or she is in possession of a number of cipher texts together with the plaintext that produced each cipher text.

2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.

Figure 1.4: Model of Symmetric Cryptosystem

With the message X and the encryption key K as input, the encryption algorithm forms the cipher text Y = [Y1, Y2, ..., YN]. We can write this as

Y = E(K, X)

This notation indicates that Y is produced by using encryption algorithm E as a function of the plaintext X, with the specific function determined by the value of the key K.

The intended receiver, in possession of the key, is able to invert the transformation:

X = D(K, Y)

An opponent, observing Y but not having access to K or X, may attempt to recover X or K or both. It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms. If the opponent is interested in only this particular message, then the focus of the effort is to recover X by generating a plaintext estimate X̂. Often, however, the opponent is interested in being able to read future messages as well, in which case an attempt is made to recover K by generating an estimate K̂.
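The model Y = E(K, X), X = D(K, Y) in running code, as an added example that is not part of the course notes. The keyed transformation is assumed for illustration: a keystream generated by HMAC-SHA256 in counter mode (a pseudorandom function used as a stream cipher), with a separate HMAC tag over the cipher text so that a wrong key or an altered Y is rejected rather than silently yielding garbage. The names encrypt/decrypt, the 16-byte nonce and the "enc"/"mac" subkey labels are choices made here; a production system would use a vetted authenticated cipher such as AES-GCM instead of this construction.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16   # per-message random value, so equal plaintexts give different cipher texts
TAG_LEN = 32     # HMAC-SHA256 output length


def _subkeys(key: bytes):
    # Derive one key for the keystream and one for the tag from the single shared key K.
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(k_enc, nonce || counter) for counter = 0, 1, 2, ...
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Y = E(K, X).  Output layout: nonce || body || tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, ciphertext: bytes) -> Optional[bytes]:
    """X = D(K, Y).  Returns None when the tag fails: wrong key, or Y altered in transit."""
    if len(ciphertext) < NONCE_LEN + TAG_LEN:
        return None
    k_enc, k_mac = _subkeys(key)
    nonce = ciphertext[:NONCE_LEN]
    body = ciphertext[NONCE_LEN:-TAG_LEN]
    tag = ciphertext[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(k_enc, nonce, len(body))))


def demo() -> dict:
    """Exercise the model: right key, wrong key, altered Y, and key-dependence of Y."""
    k1, k2 = os.urandom(32), os.urandom(32)
    x = b"meet me after the toga party"
    y = encrypt(k1, x)
    # An opponent flips one bit of the body but cannot recompute the tag without K.
    altered = y[:NONCE_LEN] + bytes([y[NONCE_LEN] ^ 0x01]) + y[NONCE_LEN + 1:]
    same_nonce = bytes(NONCE_LEN)   # fixed nonce isolates the effect of the key
    return {
        "roundtrip": decrypt(k1, y) == x,
        "wrong_key_rejected": decrypt(k2, y) is None,
        "altered_rejected": decrypt(k1, altered) is None,
        "different_keys_different_y":
            encrypt(k1, x, same_nonce) != encrypt(k2, x, same_nonce),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The opponent in the model knows E and D; what the tag check adds is that a ciphertext produced or modified without K is rejected outright, so the "plaintext estimate X̂" the text mentions can only come from cryptanalysis of the keystream, not from tampering.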
Cryptography
Cryptographic systems are characterized along three independent dimensions:
1. The type of operations used for transforming plaintext to cipher text. All
encryption algorithms are based on two general principles: substitution, in which each
element in the plaintext (bit, letter, group of bits or letters) is mapped into another
element, and transposition, in which elements in the plaintext are rearranged. The
fundamental requirement is that no information be lost (that is, that all operations are
reversible). Most systems, referred to as product systems, involve multiple stages of
substitutions and transpositions.
2. The number of keys used. If both sender and receiver use the same key, the system
is referred to as symmetric, single-key, secret-key, or conventional encryption. If the
sender and receiver use different keys, the system is referred to as asymmetric, two-
key, or public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

Cryptanalysis and Brute-Force Attack
Typically, the objective of attacking an encryption system is to recover the key in use
rather than simply to recover the plaintext of a single cipher text. There are two general
approaches to attacking a conventional encryption scheme:

• Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps
some knowledge of the general characteristics of the plaintext or even some sample
plaintext– cipher text pairs. This type of attack exploits the characteristics of the
algorithm to attempt to deduce a specific plaintext or to deduce the key being used.

• Brute-force attack: The attacker tries every possible key on a piece of cipher text until
an intelligible translation into plaintext is obtained. On average, half of all possible keys
must be tried to achieve success.

Table 1.1 Types of Attacks on Encrypted Messages

Table 1.1 summarizes the various types of cryptanalytic attacks based on the amount of
information known to the cryptanalyst. The most difficult problem is presented when all
that is available is the cipher text only.

A brute-force attack involves trying every possible key until an intelligible translation of
the cipher text into plaintext is obtained.

1.8 SERVICES

X.800 defines a security service as a service that is provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers. Perhaps a clearer definition is found in RFC 2828, which provides the following definition: a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.

X.800 divides these services into five categories and fourteen specific services (Table 1.2).

Table1.2 Security Services (X.800)

1.9 MECHANISMS

Table 1.3 lists the security mechanisms defined in X.800. The mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or an application-layer protocol, and those that are not specific to any particular protocol layer or security service.

Table 1.3 Security Mechanisms (X.800)

1.10 ATTACKS
Security attacks can be classified into two types: passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.
Passive Attacks
Two types of passive attacks are the release of message contents and traffic analysis. The release of message contents is easily understood (Figure 1.5a). A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler (Figure 1.5b). Suppose that
we had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information from
the message. The common technique for masking contents is encryption. If we had
encryption protection in place, an opponent might still be able to observe the pattern of
these messages.

Figure 1.5 Passive Attacks

Passive attacks are very difficult to detect, because they do not involve any alteration
of the data. Typically, the message traffic is sent and received in an apparently normal
fashion, and neither the sender nor receiver is aware that a third party has read the
messages or observed the traffic pattern.

Active Attacks
Active attacks involve some modification of the data stream or the creation of a false
stream and can be subdivided into four categories: masquerade, replay, modification of
messages, and denial of service.

Figure 1.6 Active Attacks

A masquerade takes place when one entity pretends to be a different entity (Figure 1.6
a). A masquerade attack usually includes one of the other forms of active attack. For
example, authentication sequences can be captured and replayed after a valid
authentication sequence has taken place, thus enabling an authorized entity with few
privileges to obtain extra privileges by impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect (Figure 1.6 b).

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (Figure 1.6c). For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."

Denial of service prevents or inhibits the normal use or management of communications facilities (Figure 1.6d). This attack may have a specific target.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, so the goal is to detect them and to recover from any disruption or delay they cause.
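The four active attacks above played out against a receiver that is built to detect them, as an added example that is not from the course notes. It assumes the two principals share a MAC key (a constructed constant here) and that every message carries a sequence number covered by an HMAC-SHA256 tag; the message bodies, including the "Allow John Smith ..." text from the modification paragraph, are constructed for the example. A masquerading sender without the key cannot produce a valid tag, a modified body no longer matches its tag, and a replayed or reordered message arrives with a sequence number the receiver has already passed.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8     # 64-bit big-endian sequence number
TAG_LEN = 32    # HMAC-SHA256 output length

# Constructed for the example: the key the two principals share and the opponent lacks.
SHARED_KEY = b"example-shared-mac-key"


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC-SHA256(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts a message only if its tag verifies and its sequence number is new and in order."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0   # sequence numbers start at 1

    def accept(self, msg: bytes):
        if len(msg) < SEQ_LEN + TAG_LEN:
            return False, "truncated"
        header, payload, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag: modified or forged (masquerade)"
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return False, "old sequence number: replayed or reordered"
        self.last_seq = seq
        return True, payload.decode()


def run_scenarios() -> dict:
    """One receiver, the legitimate message, then each attack from Figure 1.6 in turn."""
    rx = Receiver(SHARED_KEY)
    m1 = seal(SHARED_KEY, 1, b"Allow John Smith to read confidential file accounts")
    m2 = seal(SHARED_KEY, 2, b"Second message")
    m3 = seal(SHARED_KEY, 3, b"Third message")

    # Modification: swap the principal's name in the body but keep the original tag.
    body = m1[SEQ_LEN:-TAG_LEN].replace(b"John Smith", b"Fred Brown")
    modified = m1[:SEQ_LEN] + body + m1[-TAG_LEN:]
    # Masquerade: an opponent who does not hold the key seals a message with a guessed key.
    forged = seal(b"guessed-key", 4, b"Allow Fred Brown to read confidential file accounts")

    return {
        "legitimate": rx.accept(m1),
        "replay": rx.accept(m1),            # same data unit retransmitted
        "modified": rx.accept(modified),
        "masquerade": rx.accept(forged),
        "reordered_m3_first": rx.accept(m3),
        "reordered_m2_late": rx.accept(m2),  # delayed message arrives after m3
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:20s} accepted={ok} {detail}")
```

Denial of service is the one category these checks do not address: a receiver can verify every message and still be starved of legitimate ones, which is why the text treats detection and recovery, not prevention, as the realistic goal for active attacks.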

1.11 THE OSI SECURITY ARCHITECTURE

ITU-T Recommendation X.800, Security Architecture for OSI, defines a systematic approach to assessing and satisfying security requirements. The OSI security architecture is useful to managers as a way of organizing the task of providing security. Because this architecture was developed as an international standard, computer and communications vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms.
The OSI security architecture focuses on security attacks, mechanisms, and services.
These can be defined briefly as

• Security attack: Any action that compromises the security of information owned by an
organization.

• Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.

• Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

In the literature, the terms threat and attack are commonly used to mean more or less the same thing.

Table 1.4 provides definitions taken from RFC 2828, Internet Security Glossary.

Table 1.4 Threats and Attacks (RFC 2828)

Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Part – A
1. Compare active attacks and passive attacks.
2. Define steganography.
3. Define cryptanalysis.
4. Why are random numbers used in network security?
5. List the four categories of security threats.
6. Define cryptography.
7. Explain why modular arithmetic is used in cryptography.
8. Classify the basic functions used in encryption algorithms.
9. Describe security mechanisms.
10. Generalize why networks need security.
11. Specify the four categories of security threats.
12. Define integrity and non-repudiation.
13. Differentiate symmetric and asymmetric encryption.
14. Define cryptanalysis.
15. Define security mechanism.
16. Define steganography.
17. Why do networks need security?
18. Define confidentiality and authentication.
19. Specify the basic tasks for defining a security service.
20. Define network security.
21. Define computer security.
22. List out the types of attack on the Caesar cipher.

Part – B & C
1. Generalize the security services classifications and security mechanisms in detail.
2. List the different types of attacks and explain them in detail.
3. Describe in detail the types of cryptanalytic attack.
4. What is steganography? Briefly examine any three techniques used.
5. With a neat block diagram, explain the network security model and the important parameters associated with it.
6. Differentiate active and passive security attacks. Categorize these attacks and explain one example of each.
7. Discuss the following:
a) Message integrity
b) Denial of service
c) Availability
d) Authentication
8. Examine how ITU-T Recommendation X.800, Security Architecture for OSI, defines a systematic approach to security. (15)

UNIT II: SYMMETRIC TECHNIQUES
Definition – Substitution ciphers – Transposition ciphers - Stream and block ciphers - A5, RC4 -
Characteristics of good ciphers - Data Encryption Standard (DES) – International Data
Encryption Algorithm – Advanced Encryption Standard – Block cipher modes of operation –
Confidentiality using symmetric encryption.

2.1 SUBSTITUTION TECHNIQUES

The two basic building blocks of all encryption techniques are substitution and transposition. A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with cipher text bit patterns.

(Convention: when letters are involved, plaintext is always written in lowercase, cipher text in uppercase, and key values in italicized lowercase.)

Caesar Cipher
The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. For example,

plain:  meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB

Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the transformation by listing all possibilities, as follows:

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter (a = 0, b = 1, ..., z = 25).

Then the algorithm can be expressed as follows. For each plaintext letter p, substitute the cipher text letter C:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is
C = E(k, p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
If it is known that a given cipher text is a Caesar cipher, then a brute-force cryptanalysis is easily performed: simply try all 25 possible keys. Three important characteristics of this problem enable us to use a brute-force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.

Fig: 2.1 Brute-Force Cryptanalysis of Caesar Cipher
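The brute-force cryptanalysis of Fig. 2.1, automated, as an added example that is not from the course notes. All 25 keys are tried and each candidate plaintext is scored with a chi-squared statistic against an English letter-frequency table (the percentages are typical published values assumed here, not taken from the notes), so characteristic 3, a recognizable plaintext language, is tested by the program rather than by eye; the lowest score is the most English-like candidate.

```python
import string

ALPHABET = string.ascii_lowercase

# Assumed English letter frequencies in percent, close to the distribution of Figure 2.2.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def _shift(text: str, k: int, upper: bool) -> str:
    # Apply (p + k) mod 26 to every letter; spaces and punctuation pass through unchanged.
    out = []
    for ch in text:
        if ch.isalpha():
            c = ALPHABET[(ALPHABET.index(ch.lower()) + k) % 26]
            out.append(c.upper() if upper else c)
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = E(k, p) = (p + k) mod 26; cipher text in uppercase by the notes' convention."""
    return _shift(plaintext, k, upper=True)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = D(k, C) = (C - k) mod 26; plaintext in lowercase."""
    return _shift(ciphertext, -k, upper=False)


def chi_squared(text: str) -> float:
    """How far the letter counts of text are from English (lower = more English-like)."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    n = len(letters)
    if n == 0:
        return float("inf")
    total = 0.0
    for ch in ALPHABET:
        expected = n * ENGLISH_FREQ[ch] / 100
        observed = letters.count(ch)
        total += (observed - expected) ** 2 / expected
    return total


def brute_force(ciphertext: str):
    """Try all 25 keys; return (key, candidate plaintext) pairs, most English-like first."""
    ranked = sorted((chi_squared(caesar_decrypt(ciphertext, k)), k) for k in range(1, 26))
    return [(k, caesar_decrypt(ciphertext, k)) for _, k in ranked]


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)
    for k, pt in brute_force(ct)[:3]:
        print(f"key {k:2d}: {pt}")
```

The ranking depends on characteristic 3 holding: a 25-way search on a ciphertext of a few words is trivial, but if the plaintext were compressed or otherwise not letter-frequency-like, no candidate would stand out and the attacker would need another distinguishing test.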

Monoalphabetic Ciphers
With only 25 possible keys, the Caesar cipher is far from secure. A dramatic increase in the key space can be achieved by allowing an arbitrary substitution. A permutation of a finite set of elements S is an ordered sequence of all the elements of S, with each element appearing exactly once. For example, if S = {a, b, c}, there are six permutations of S:
abc, acb, bac, bca, cab, cba
In general, there are n! permutations of a set of n elements, because the first element can be chosen in one of n ways, the second in n - 1 ways, the third in n - 2 ways, and so on.
Recall the assignment for the Caesar cipher:
plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
If, instead, the "cipher" line can be any permutation of the 26 alphabetic characters, then there are 26!, or greater than 4 × 10^26, possible keys. This is 10 orders of magnitude greater than the key space for DES (2^56, about 7.2 × 10^16 keys) and would seem to eliminate brute-force techniques for cryptanalysis. Such an approach is referred to as a monoalphabetic substitution cipher, because a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.
The cipher text to be solved is
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

As a first step, the relative frequency of the letters can be determined and compared to
a standard frequency distribution for English, such as is shown in Figure 1.12. If the
message were long enough, this technique alone might be sufficient, but because this is
a relatively short message, we cannot expect an exact match. In any case, the relative
frequencies of the letters in the ciphertext (in percentages) are as follows:

Figure 2.2 Relative Frequencies of Letters in English Text

Comparing this breakdown with Figure 2.2, it seems likely that cipher letters P and Z
are the equivalents of plain letters e and t, but it is not certain which is which. The
letters S, U, O, M, and H are all of relatively high frequency and probably correspond
to plain letters from the set {a, h, i, n, o, r, s}. The letters with the lowest frequencies
(namely, A, B, G, Y, I, J) are likely included in the set {b, j, k, q, v, x, z}.

A powerful tool is to look at the frequency of two-letter combinations, known as
digrams. The most common such digram is th. In our ciphertext, the most common
digram is ZW, which appears three times. So we make the correspondence of Z with t
and W with h. Then, by our earlier hypothesis, we can equate P with e. Now notice that
the sequence ZWP appears in the ciphertext, and we can translate that sequence as
“the.” This is the most frequent trigram (three-letter combination). Next, notice the
sequence ZWSZ in the first line. We do not know that these four letters form a complete
word, but if they do, it is of the form th_t. If so, S equates with a.
So far, then, we have

Only four letters have been identified, but already we have quite a bit of the message.
Continued analysis of frequencies plus trial and error should easily yield a solution from
this point. The complete plaintext, with spaces added between words, follows:
it was disclosed yesterday that several informal
but direct contacts have been made with political
representatives of the Viet Cong in Moscow
Monoalphabetic ciphers are easy to break because they reflect the frequency data of
the original alphabet. A countermeasure is to provide multiple substitutes, known as
homophones, for a single letter.
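The following Python program is an added worked example, not part of the original notes. It carries out the analysis described above on the page's ciphertext: it tabulates single-letter and digram frequencies, then applies the same chain of inferences (the most frequent cipher letter is e; a top digram followed by that letter is th; a th_t run fixes a). Only the ciphertext comes from the notes; the function names and the tie-breaking logic are the example's own. Running it shows that ZW is in fact one of several digrams tied at three occurrences in this short text, which is why the trigram evidence (ZWP = "the") is what singles it out.

```python
from collections import Counter

# Ciphertext from the notes (120 letters), joined into one string.
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def clean(text):
    """Keep letters only, upper-cased."""
    return "".join(c for c in text.upper() if c.isalpha())


def letter_frequencies(text):
    """Map each cipher letter to (count, percent), most frequent first."""
    letters = clean(text)
    return {c: (n, round(100.0 * n / len(letters), 2))
            for c, n in Counter(letters).most_common()}


def top_digrams(text):
    """All overlapping two-letter combinations that tie for the highest count.
    In this ciphertext several digrams tie at three, so the 'th' guess needs more evidence."""
    letters = clean(text)
    counts = Counter(letters[i:i + 2] for i in range(len(letters) - 1))
    best = max(counts.values())
    return {d: n for d, n in counts.items() if n == best}


def hypothesize(text):
    """Reproduce the reasoning in the notes and return a cipher->plain mapping:
    1. the most frequent cipher letter is taken as e;
    2. a top digram XY is taken as 'th' only if XYe occurs (the trigram 'the');
    3. a run 't h ? t' fixes ? as a (the word 'that')."""
    letters = clean(text)
    e = next(iter(letter_frequencies(text)))
    mapping = {e: "e"}
    for xy in top_digrams(text):
        if e not in xy and xy + e in letters:
            mapping[xy[0]], mapping[xy[1]] = "t", "h"
            t, h = xy
            for i in range(len(letters) - 3):
                if (letters[i], letters[i + 1], letters[i + 3]) == (t, h, t) \
                        and letters[i + 2] not in mapping:
                    mapping[letters[i + 2]] = "a"
                    break
            break
    return mapping


def partial_decrypt(text, mapping):
    """Apply a partial mapping; still-unknown cipher letters are shown as '-'."""
    return "".join(mapping.get(c, "-") for c in clean(text))


if __name__ == "__main__":
    freq = letter_frequencies(CIPHERTEXT)
    print("top letters:", list(freq.items())[:6])
    print("top digrams:", top_digrams(CIPHERTEXT))
    guess = hypothesize(CIPHERTEXT)
    print("mapping:", guess)
    print(partial_decrypt(CIPHERTEXT, guess))
```

The partial decrypt printed at the end is the point in the analysis where the notes say "only four letters have been identified": the remaining letters are then filled in by trial and error against the expected English frequencies.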
Playfair Cipher
The best-known multiple-letter encryption cipher is the Playfair, which treats
digrams in the plaintext as single units and translates these units into ciphertext
digrams. The Playfair algorithm is based on the use of a 5 × 5 matrix of letters
constructed using a keyword. Here is an example, solved by Lord Peter Wimsey in
Dorothy Sayers's Have His Carcase:

In this case, the keyword is monarchy. The matrix is constructed by filling in the letters
of the keyword (minus duplicates) from left to right and from top to bottom, and then
filling in the remainder of the matrix with the remaining letters in alphabetic order. The
letters I and J count as one letter. Plaintext is encrypted two letters at a time, according
to the following rules:

1. Repeating plaintext letters that are in the same pair are separated with a filler letter,
such as x, so that balloon would be treated as ba lx lo on.

2. Two plaintext letters that fall in the same row of the matrix are each replaced by the
letter to the right, with the first element of the row circularly following the last. For
example, ar is encrypted as RM.

3. Two plaintext letters that fall in the same column are each replaced by the letter
beneath, with the top element of the column circularly following the last. For example,
mu is encrypted as CM.

4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own
row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea
becomes IM (or JM, as the encipherer wishes).

The Playfair cipher is a great advance over simple monoalphabetic ciphers. For one
thing, whereas there are only 26 letters, there are 26 × 26 = 676 digrams, so that
identification of individual digrams is more difficult. Furthermore, the relative
frequencies of individual letters exhibit a much greater range than that of digrams,
making frequency analysis much more difficult. For these reasons, the Playfair cipher
was for a long time considered unbreakable. It was used as the standard field system
by the British Army in World War I and still enjoyed considerable use by the U.S. Army
and other Allied forces during World War II.
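As an added example (not code from the original notes), the following Python program implements the four Playfair rules above with the keyword monarchy and checks them against the digrams worked in the text (ar, mu, hs, ea) and the balloon example. The filler letter x and the merging of J into I follow the description above; the function names are the example's own.

```python
import string

FILLER = "x"   # filler letter from rule 1


def build_matrix(keyword):
    """5x5 key square: keyword letters (duplicates dropped), then the rest of the alphabet; J merges into I."""
    seen = []
    for c in (keyword + string.ascii_lowercase).lower():
        c = "i" if c == "j" else c
        if c.isalpha() and c not in seen:
            seen.append(c)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def make_digrams(plaintext):
    """Rule 1: split repeated letters in a pair with the filler, and pad an odd tail with it."""
    letters = ["i" if c == "j" else c for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else FILLER
        if a == b:
            pairs.append(a + FILLER)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def transform_pair(pair, matrix, step):
    """Rules 2-4 for one digram; step=+1 encrypts, step=-1 decrypts (left/above instead of right/below)."""
    pos = {c: (r, col) for r, row in enumerate(matrix) for col, c in enumerate(row)}
    (ra, ca), (rb, cb) = pos[pair[0]], pos[pair[1]]
    if ra == rb:                     # rule 2: same row, shift along the row with wrap-around
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:                     # rule 3: same column, shift down the column with wrap-around
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]   # rule 4: own row, the other letter's column


def encrypt(plaintext, keyword):
    matrix = build_matrix(keyword)
    return "".join(transform_pair(p, matrix, +1) for p in make_digrams(plaintext)).upper()


def decrypt(ciphertext, keyword):
    """Returns the letter stream including any filler letters the sender inserted."""
    matrix = build_matrix(keyword)
    text = ciphertext.lower()
    return "".join(transform_pair(text[i:i + 2], matrix, -1) for i in range(0, len(text), 2))


if __name__ == "__main__":
    for row in build_matrix("monarchy"):
        print(" ".join(row))
    ct = encrypt("balloon", "monarchy")
    print(ct, decrypt(ct, "monarchy"))
```

Decryption deliberately leaves the filler letters in place (balloon comes back as balxloon): removing them is a judgement the recipient makes, not part of the cipher.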

Hill Cipher
Another interesting multiletter cipher is the Hill cipher, developed by the
mathematician Lester Hill in 1929. Define the inverse M^-1 of a square matrix M by the
equation M(M^-1) = M^-1 M = I, where I is the identity matrix. I is a square matrix that is all
zeros except for ones along the main diagonal from upper left to lower right. The inverse
of a matrix does not always exist, but when it does, it satisfies the preceding equation.
For example,

To explain how the inverse of a matrix is computed, we begin with the concept
of determinant. For any square matrix (m × m), the determinant equals the sum of all
the products that can be formed by taking exactly one element from each row and
exactly one element from each column, with certain of the product terms preceded by a
minus sign. For a 2 × 2 matrix,

the determinant is k11k22 - k12k21. For a 3 × 3 matrix, the value of the determinant is
k11k22k33 + k21k32k13 + k31k12k23 - k31k22k13 - k21k12k33 - k11k32k23. If a square matrix A has a
nonzero determinant, then the inverse of the matrix is computed as [A^-1]ij = (det A)^-1 (-1)^(i+j)
(Dij), where Dij is the subdeterminant formed by deleting the jth row and the ith column
of A, det(A) is the determinant of A, and (det A)^-1 is the multiplicative inverse of (det A)
mod 26.

Continuing our example,

We can show that 9^-1 mod 26 = 3, because 9 × 3 = 27 mod 26 = 1. Therefore, we
compute the inverse of A as

THE HILL ALGORITHM This encryption algorithm takes m successive plaintext letters
and substitutes for them m ciphertext letters. The substitution is determined by m linear
equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25).
For m = 3, the system can be described as

This can be expressed in terms of row vectors and matrices:

or
C = PK mod 26
where C and P are row vectors of length 3 representing the plaintext and ciphertext, and K is
a 3 × 3 matrix representing the encryption key. Operations are performed mod 26. For
example, consider the plaintext “pay more money” and use the encryption key

As with Playfair, the strength of the Hill cipher is that it completely hides single-
letter frequencies. Indeed, with Hill, the use of a larger matrix hides more frequency
information. Thus, a 3 × 3 Hill cipher hides not only single-letter but also two-letter
frequency information.
Consider this example. Suppose that the plaintext “hill cipher” is encrypted using
a Hill cipher to yield the ciphertext HCRZSSXNSP. Thus, we know that (7 8)K mod 26 =
(7 2); (11 11)K mod 26 = (17 25); and so on. Using the first two plaintext–ciphertext pairs,
we have

The inverse of X can be computed:

This result is verified by testing the remaining plaintext–ciphertext pairs.
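The following Python program is an added example (not from the original notes) that implements the matrix arithmetic above: the determinant, the inverse mod 26 by the cofactor formula [A^-1]ij = (det A)^-1 (-1)^(i+j) Dij, Hill encryption C = PK mod 26 and decryption with K^-1, and the known-plaintext computation K = X^-1 Y mod 26 that the "hill cipher" example describes. The 2 × 2 matrix [[5, 8], [17, 3]] used to exercise the inverse and the 3 × 3 key used for "pay more money" are assumptions, since the matrices did not survive extraction above; the 2 × 2 key for "hill cipher" is the one recovered from the plaintext–ciphertext pairs given in the text. Padding a short final block with x is also the example's own choice.

```python
import string

ALPHA = string.ascii_lowercase


def minor(m, row, col):
    """Submatrix with one row and one column deleted."""
    return [[v for j, v in enumerate(r) if j != col] for i, r in enumerate(m) if i != row]


def det(m):
    """Determinant by cofactor expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def inverse_mod26(m):
    """[A^-1]_ij = (det A)^-1 * (-1)^(i+j) * D_ij (mod 26), where D_ij is the subdeterminant
    formed by deleting row j and column i. Raises ValueError if det A has no inverse mod 26."""
    d_inv = pow(det(m) % 26, -1, 26)
    n = len(m)
    return [[(d_inv * (-1) ** (i + j) * det(minor(m, j, i))) % 26 for j in range(n)]
            for i in range(n)]


def matmul(a, b):
    """Matrix product reduced mod 26."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % 26 for j in range(len(b[0]))]
            for i in range(len(a))]


def to_blocks(text, m):
    """Letters -> numbers (a=0 ... z=25), grouped into row vectors of length m; a short tail is padded with x."""
    nums = [ALPHA.index(c) for c in text.lower() if c in ALPHA]
    while len(nums) % m:
        nums.append(ALPHA.index("x"))   # padding letter: an assumption, the notes do not specify one
    return [nums[i:i + m] for i in range(0, len(nums), m)]


def encrypt(plaintext, key):
    """C = P K mod 26, one row vector per block."""
    rows = matmul(to_blocks(plaintext, len(key)), key)
    return "".join(ALPHA[v] for row in rows for v in row).upper()


def decrypt(ciphertext, key):
    """P = C K^-1 mod 26."""
    rows = matmul(to_blocks(ciphertext, len(key)), inverse_mod26(key))
    return "".join(ALPHA[v] for row in rows for v in row)


def recover_key(plaintext, ciphertext, m):
    """The known-plaintext computation from the notes: with X the first m plaintext blocks and Y the
    matching ciphertext blocks, Y = X K, so K = X^-1 Y (mod 26) whenever X is invertible."""
    x = to_blocks(plaintext, m)[:m]
    y = to_blocks(ciphertext, m)[:m]
    return matmul(inverse_mod26(x), y)


if __name__ == "__main__":
    print(inverse_mod26([[5, 8], [17, 3]]))            # assumed matrix A from the inverse example
    key2 = recover_key("hillcipher", "HCRZSSXNSP", 2)
    print(key2, encrypt("hill cipher", key2))
    key3 = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]     # assumed 3x3 key for "pay more money"
    print(encrypt("pay more money", key3), decrypt(encrypt("pay more money", key3), key3))
```

The recovered 2 × 2 key reproduces all five ciphertext digrams, which is the "verified by testing the remaining pairs" step; a key whose determinant shares a factor with 26 (an even determinant or one divisible by 13) makes inverse_mod26 raise, which is exactly the case in which the Hill cipher cannot be decrypted.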

Polyalphabetic Ciphers
Another way to improve on the simple monoalphabetic technique is to use
different monoalphabetic substitutions as one proceeds through the plaintext message.
The general name for this approach is polyalphabetic substitution cipher. All these
techniques have the following features in common:

 1. A set of related monoalphabetic substitution rules is used.


2. A key determines which particular rule is chosen for a given transformation.

VIGENÈRE CIPHER The best known, and one of the simplest, polyalphabetic ciphers
is the Vigenère cipher. In this scheme, the set of related monoalphabetic substitution
rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is
denoted by a key letter, which is the ciphertext letter that substitutes for the plaintext
letter a. Thus, a Caesar cipher with a shift of 3 is denoted by the key value d.
Express the Vigenère cipher in the following manner. Assume a sequence of
plaintext letters p0, p1, ... and a key consisting of the sequence of letters k0, k1, ..., k(m-1),
where typically the key length m is shorter than the plaintext. The sequence of ciphertext
letters is calculated as follows:

Thus, the first letter of the key is added to the first letter of the plaintext, mod 26, the
second letters are added, and so on through the first m letters of the plaintext. For the next
m letters of the plaintext, the key letters are repeated. This process continues until all of
the plaintext sequence is encrypted. A general equation of the encryption process is

Ci = (pi + k(i mod m)) mod 26

Decryption is the inverse operation:

pi = (Ci - k(i mod m)) mod 26

To encrypt a message, a key is needed that is as long as the message. Usually,
the key is a repeating keyword. For example, if the keyword is deceptive, the message
“we are discovered save yourself” is encrypted as
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
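As an added example (not code from the original notes), the following Python program implements the two equations above, Ci = (pi + k(i mod m)) mod 26 and its inverse, with the repeating keyword deceptive. It also splits a ciphertext into its m key-period streams, each of which is a plain Caesar cipher, and, since a one-letter keyword is the Caesar cipher, includes the brute-force over all 25 shifts mentioned at the start of this unit. Function names and sample inputs other than the page's own are the example's assumptions.

```python
import string

ALPHA = string.ascii_lowercase


def vigenere(text, keyword, decrypt=False):
    """Encryption: C_i = (p_i + k_(i mod m)) mod 26; decryption: p_i = (C_i - k_(i mod m)) mod 26.
    The keyword of length m repeats along the message; non-letters are dropped."""
    letters = [c for c in text.lower() if c in ALPHA]
    key = [ALPHA.index(c) for c in keyword.lower() if c in ALPHA]
    m = len(key)
    out = []
    for i, c in enumerate(letters):
        shift = -key[i % m] if decrypt else key[i % m]
        out.append(ALPHA[(ALPHA.index(c) + shift) % 26])
    result = "".join(out)
    return result if decrypt else result.upper()


def streams(ciphertext, m):
    """Split the ciphertext into the m positions of the key period: letters at positions
    i, i+m, i+2m, ... all use the same key letter, so each stream is one Caesar cipher."""
    text = "".join(c for c in ciphertext.lower() if c in ALPHA)
    return [text[i::m].upper() for i in range(m)]


def caesar_bruteforce(ciphertext):
    """A one-letter keyword is the Caesar cipher; all 25 non-trivial shifts can simply be tried."""
    return {shift: vigenere(ciphertext, ALPHA[shift], decrypt=True) for shift in range(1, 26)}


if __name__ == "__main__":
    ct = vigenere("we are discovered save yourself", "deceptive")
    print(ct)
    print(vigenere(ct, "deceptive", decrypt=True))
    print(streams(ct, len("deceptive")))
    for shift, candidate in caesar_bruteforce("PHHW PH DIWHU WKH WRJD SDUWB").items():
        print(shift, candidate)
```

The streams function is the reason the keyword length matters: once m is known, the 26^m key space collapses into m independent 26-key Caesar problems, each solvable by the single-letter frequency method shown for monoalphabetic ciphers.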

2.2 TRANSPOSITION TECHNIQUES

All the techniques examined so far involve the substitution of a cipher text symbol
for a plaintext symbol. A very different kind of mapping is achieved by performing some
sort of permutation on the plaintext letters. This technique is referred to as a
transposition cipher. The simplest such cipher is the rail fence technique, in which the
plaintext is written down as a sequence of diagonals and then read off as a sequence of
rows. For example, to encipher the message “meet me after the toga party” with a rail
fence of depth 2, we write the following:

m e m a t r h t g p r y
 e t e f e t e o a a t

The encrypted message is MEMATRHTGPRYETEFETEOAAT
This sort of thing would be trivial to cryptanalyze. A more complex scheme is to
write the message in a rectangle, row by row, and read the message off, column by
column, but permute the order of the columns. The order of the columns then becomes
the key to the algorithm. For example,

Thus, in this example, the key is 4312567. To encrypt, start with the column that
is labeled 1, in this case column 3. Write down all the letters in that column. Proceed to
column 4, which is labeled 2, then column 2, then column 1, then columns 5, 6, and 7. A
pure transposition cipher is easily recognized because it has the same letter
frequencies as the original plaintext.

For the type of columnar transposition just shown, cryptanalysis is fairly
straightforward and involves laying out the ciphertext in a matrix and playing around
with column positions. Digram and trigram frequency tables can be useful.
The transposition cipher can be made significantly more secure by performing
more than one stage of transposition. The result is a more complex permutation that is
not easily reconstructed. Thus, if the foregoing message is reencrypted using the same
algorithm,

To visualize the result of this double transposition, designate the letters in the
original plaintext message by the numbers designating their position. Thus, with 28
letters in the message, the original sequence of letters is
01 02 03 04 05 06 07 08 09 10 11 12 13 14
15 16 17 18 19 20 21 22 23 24 25 26 27 28
After the first transposition, we have
03 10 17 24 04 11 18 25 02 09 16 23 01 08
15 22 05 12 19 26 06 13 20 27 07 14 21 28
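The following Python program is an added example (not from the original notes) of the two transposition techniques in this section: the rail fence of depth 2 on "meet me after the toga party", and the columnar transposition with key 4312567, applied once and twice. The position-tracking trick from the text is reproduced by permuting the numbers 01 to 28 instead of letters. The 28-letter message attackpostponeduntiltwoamxyz is a constructed sample, because the message in the missing figure is not on the page; function names are the example's own.

```python
def letters_only(message):
    return "".join(c for c in message.lower() if c.isalpha())


def rail_pattern(n, depth):
    """Rail index of each of n letters written in a zigzag of the given depth (0,1,0,1,... for depth 2)."""
    cycle = list(range(depth)) + list(range(depth - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(n)]


def rail_fence_encrypt(message, depth=2):
    """Write the letters down the diagonals, then read them off row by row."""
    text = letters_only(message)
    pattern = rail_pattern(len(text), depth)
    return "".join(text[i] for r in range(depth) for i in range(len(text)) if pattern[i] == r).upper()


def rail_fence_decrypt(ciphertext, depth=2):
    text = ciphertext.lower()
    pattern = rail_pattern(len(text), depth)
    order = [i for r in range(depth) for i in range(len(text)) if pattern[i] == r]
    plain = [""] * len(text)
    for pos, c in zip(order, text):
        plain[pos] = c
    return "".join(plain)


def column_order(key):
    """Key '4312567' labels each column with its read-out rank; returns column indexes in read-out order."""
    ranks = [int(c) for c in key]
    return sorted(range(len(ranks)), key=lambda col: ranks[col])


def columnar_permute(items, key):
    """Write the items into a rectangle row by row, read them out column by column in key order."""
    ncols = len(key)
    rows = [items[i:i + ncols] for i in range(0, len(items), ncols)]
    return [row[col] for col in column_order(key) for row in rows if col < len(row)]


def columnar_encrypt(message, key, stages=1):
    """One or more stages of the same columnar transposition (stages=2 is the double transposition)."""
    text = list(letters_only(message))
    for _ in range(stages):
        text = columnar_permute(text, key)
    return "".join(text).upper()


def columnar_decrypt(ciphertext, key, stages=1):
    text = list(ciphertext.lower())
    for _ in range(stages):
        perm = columnar_permute(list(range(len(text))), key)   # perm[i] = plaintext position of ciphertext letter i
        plain = [""] * len(text)
        for i, pos in enumerate(perm):
            plain[pos] = text[i]
        text = plain
    return "".join(text)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    print(columnar_permute(list(range(1, 29)), "4312567"))     # the position sequence from the notes
    msg = "attackpostponeduntiltwoamxyz"                         # constructed 28-letter sample
    once = columnar_encrypt(msg, "4312567")
    twice = columnar_encrypt(msg, "4312567", stages=2)
    print(once, twice, sorted(once.lower()) == sorted(msg))
```

The last line prints True: the ciphertext is a rearrangement of the plaintext letters, so its letter frequencies are identical to the plaintext's, which is the tell-tale sign of a pure transposition that the text mentions. Note also that columnar_decrypt undoes the double transposition by inverting the same permutation twice; the second stage adds confusion for an attacker, not work for the legitimate receiver.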

2. 3 Block Ciphers
• A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a
whole and used to produce a ciphertext block of equal length.

• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples
of classical stream ciphers are the auto keyed Vigenère cipher and the Vernam cipher.


• Many block ciphers have a Feistel structure. Such a structure consists of a number of identical
rounds of processing. In each round, a substitution is performed on one half of the data being
processed, followed by a permutation that interchanges the two halves. The original key is expanded so
that a different key is used for each round.

Block Cipher Principles

 Most symmetric block ciphers are based on a Feistel Cipher Structure


 Using the idea of a product cipher
 Performing two or more basic ciphers in sequence in such a way that the final result or
product is cryptographically strong.

Claude Shannon and Substitution-Permutation Ciphers


 Claude Shannon introduced idea of substitution-permutation (S-P) networks
 S-P networks are based on the two primitive cryptographic operations we have seen before:

 Substitution (S-box)
 A binary word is replaced by some other binary word
 Whole substitution function forms the key
 If we use n-bit words, the key space is (2^n)!

 Permutation (P-box)
 A binary word has its bits reordered (permuted)
 The re-ordering forms the key
 If we use n-bit words, the key space is n! (less secure than substitution)

Substitution-permutation Network:
 Shannon combined these two primitives
 He called these mixing transformations
 A special form of product ciphers where
o S-boxes -Provide confusion of input bits
o P-boxes -Provide diffusion across s-box inputs
Confusion and Diffusion:
 More practically Shannon suggested combining elements to obtain:
Diffusion

 The statistical structure of plaintext is dissipated into long range statistics of cipher text. This is
achieved by having each plaintext digit affect the value of many ciphertext digits;

 Generally this is equivalent to having each cipher text digit be affected by many plaintext digits

Confusion
 Seeks to make the relationship between the statistics of the cipher text and the value of the
encryption key as complex as possible, again to thwart attempts to discover the key.

 Thus, even if the attacker can get some handle on the statistics of the cipher text, the way in
which the key was used to produce that cipher text is so complex as to make it difficult to
deduce the key.

Feistel Cipher Structure


 Horst Feistel devised the Feistel cipher
Concept:
 Input to the encryption algorithm.
Plaintext block of length 2w bits and key K.
Plaintext is divided into two halves L0 and R0.
The two halves of the data pass through n rounds of processing.
Then combine to produce the cipher text block.
Each round i has as inputs Li-1 and Ri-1, derived from the previous rounds, as well as a subkey
Ki derived from the overall K.

 Substitution : is performed on the left half of the data


o By applying round function F to the right half of the data
o Then taking the XOR of the output of that function and the left half of the data.
 Permutation: is performed that consists of interchange of the two halves of the data.

Feistel Cipher Design Principles


 Block size - Increasing size improves security, but slows cipher
 Key size - Increasing size improves security, makes exhaustive key searching harder,
but may slow cipher
 Number of rounds -Increasing number improves security, but slows cipher
 Subkey generation -Greater complexity can make analysis harder
 Round function - Greater complexity can make analysis harder
 Fast software en/decryption & ease of analysis - Are more recent concerns for execution
speed, practical use and testing

Feistel Cipher Encryption & Decryption


For the ith iteration of the encryption algorithm,
LEi = REi-1
REi = LEi-1 XOR F(REi-1, Ki)
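The following Python program is an added example (not from the original notes) of the Feistel structure described above on a 32-bit block (2w = 32, so w = 16): the round equations LEi = REi-1, REi = LEi-1 XOR F(REi-1, Ki), a toy key schedule giving a different subkey per round, and decryption by running the same network with the subkeys in reverse order. The round function F and the key schedule are deliberately simple toys of the example's own making; the point is that F is not invertible and the network still decrypts exactly.

```python
MASK = 0xFFFF           # 16-bit halves; the block is 2w = 32 bits


def round_function(r, k):
    """Toy F(R, K): a non-invertible mixing function. A Feistel network never needs F inverted."""
    x = (r ^ k) & MASK
    x = (x * 0x9E37 + (x >> 5)) & MASK
    return ((x << 3) | (x >> 13)) & MASK


def subkeys(key, rounds):
    """Toy key schedule: a distinct 16-bit subkey K_i per round, derived from a 32-bit key."""
    return [(((key >> (16 * (i % 2))) & MASK) ^ ((0x1234 * (i + 1)) & MASK)) for i in range(rounds)]


def feistel_rounds(block, keys):
    """LE_i = RE_(i-1);  RE_i = LE_(i-1) XOR F(RE_(i-1), K_i), applied once per subkey in the order given."""
    l, r = (block >> 16) & MASK, block & MASK
    for k in keys:
        l, r = r, l ^ round_function(r, k)
    return (l << 16) | r


def swap_halves(block):
    return ((block & MASK) << 16) | ((block >> 16) & MASK)


def encrypt(block, key, rounds=16):
    return feistel_rounds(block, subkeys(key, rounds))


def decrypt(block, key, rounds=16):
    """The same network with the subkeys in reverse order. Feeding in (RE_n, LE_n) produces
    (RE_0, LE_0), so the halves are swapped on the way in and again on the way out."""
    return swap_halves(feistel_rounds(swap_halves(block), subkeys(key, rounds)[::-1]))


if __name__ == "__main__":
    key = 0xA1B2C3D4    # constructed sample key
    for p in (0x00000000, 0x12345678, 0xDEADBEEF):
        c = encrypt(p, key)
        print(f"{p:08x} -> {c:08x} -> {decrypt(c, key):08x}")
```

Why this works: in round i the right half passes through unchanged, so during decryption F is recomputed from the same input and the same subkey and the XOR cancels itself. This is the property that lets DES use S-boxes that are not bijective, and it is why the round count, not the invertibility of F, is the design parameter listed above.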

2.4 Stream Cipher

A stream cipher is a cipher that encrypts (and decrypts) with the flow — the data flow, that is.
Unlike block ciphers, which require the formation of blocks prior to encryption, stream ciphers
encrypt data in long, pseudorandom streams. Basically, this means you can process one bit of
data at a time instead of waiting for a data block to form.

In their book “Domain Specific High-Level Synthesis for Cryptographic Workloads,” Ayesha Khalid,
Goutam Paul and Anupam Chattopadhyay describe stream ciphers as finite state machines, or
FSMs, and stateful ciphers. The reason for the first description (FSM) is because these ciphers
take in plaintext bits of data one by one and spit out ciphertext symbols in the same way. The
reason they’re also called stateful ciphers is because they rely on their internal state for their
keystream functions.

But did you know there are actually two types of stream ciphers?

Synchronous stream ciphers (aka key auto-key, or KAK) — These types of ciphers generate
keystreams independently of any previous plaintext or ciphertexts.

Self-synchronizing stream ciphers (aka asynchronous stream ciphers, ciphertext autokey or
CTAK) — These ciphers, on the other hand, rely on previous ciphertext bits to generate
keystreams.

How Stream Ciphers Work

So, how does a stream cipher actually work in a more technical sense? As mentioned earlier, a
stream cipher encrypts data one bit at a time instead of in blocks. But a key part of this process is
generating a stream of pseudorandom bits based on an encryption key and a seed, aka a nonce
(a unique randomly generated number — “nonce” = number-only-used-once). Together, they
create a keystream (that stream of pseudorandom bits we just mentioned) that gets XORed with
your plaintext input, which encrypts it and results in your ciphertext output.

This rinse-and-repeat process happens over and over again with each bit of plaintext data.
However, it’s important to not use the same exact key-nonce combination again because it can
result in a duplicate keystream.

Feeling a bit confused? Here’s a visual of the process to provide a little clarity:

Stream cipher example: This is a basic illustration to showcase the basic operations of a stream
cipher.

To better understand this, let’s walk through an example. Let’s consider an alternative phrase to
the example we used earlier: “For the Horde!” (See? I haven’t forgotten you guys.) The binary
version of this plaintext message would look like this:

0100011001101111011100100010000001110100011010000110010100100000010010000110111101110010011001000110010100100001

So, if we use a stream cipher to encrypt the message, we’ll do so one bit at a time. So, the
plaintext data would be broken down into individual bits, which would look something like this:

Block cipher vs stream cipher graphic: This image illustrates a message being divided up into
individual bits for encryption.

Yeah, take a moment to let your eyes adjust after reading that, uh, colorful graphic.

So, the next step here would be to generate the sequence of pseudorandom bits (i.e., the
keystream). This is typically based on an internal state.

Once you have your keystream, you XOR the pseudorandom bits with the binary of your plaintext
message. Thinking back to the XOR table from earlier, this means that if the first bit of the plaintext
message was 1 and the first bit of the keystream was a 0, then the output would be a 1. If the
second bit of the plaintext message was another 1 and the second bit of the keystream was also a 1,
then the output would be a 0. Get it? Yeah, that’s basically how a stream cipher works.

Stream algorithms are faster and more efficient than block ciphers because they’re encrypting only
one bit of data at a time into individual symbols rather than entire blocks. So, they’re better suited
for devices that have fewer resources. Also, as a result of this single-bit-of-data approach, it
means that if there’s an error in one symbol, it’ll be less likely to affect the next. However, some
stream ciphers are vulnerable to bit-flipping attacks and key reuse attacks.

A very basic example of a stream cipher is the Caesar cipher, which is a cipher that
substitutes one character with another individually. But that’s a really archaic and outdated
example of a cipher. So, what sorts of stream ciphers can we find in use today?

Examples of Stream Ciphers

Salsa20 (software and hardware implementations),

ChaCha20 (the modified version of Salsa20; ChaCha20 is supported in TLS 1.3),

RC4 (for wireless networks), and

A5 (for GSM cellular networks).


2.5 A5 and RC4 Algorithms

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone
standard. It is one of several implementations of the A5 security protocol. It was initially kept secret, but
became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the
cipher have been identified.

A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain
export regions. A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe,
and A5/2 was developed in 1989. Though both were initially kept secret, the general design was leaked in
1994 and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone.
In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice
communications.

Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO
signal intelligence agencies in the mid-1980s over whether GSM encryption should be strong or not. The
Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries
didn't feel this way, and the algorithm as now fielded is a French design."

A GSM transmission is organised as sequences of bursts. In a typical channel and in one direction, one
burst is sent every 4.615 milliseconds and contains 114 bits available for information. A5/1 is used to
produce for each burst a 114-bit sequence of keystream which is XORed with the 114 bits prior to
modulation. A5/1 is initialised using a 64-bit key together with a publicly known 22-bit frame number. Older
fielded GSM implementations using Comp128v1 for key generation had 10 of the key bits fixed at zero,
resulting in an effective key length of 54 bits. This weakness was rectified with the introduction of
Comp128v3, which yields proper 64-bit keys. When operating in GPRS / EDGE mode, higher bandwidth
radio modulation allows for larger 348-bit frames, and A5/3 is then used in a stream cipher mode to
maintain confidentiality.

The A5/1 stream cipher uses three LFSRs. A register is clocked if its clocking bit (orange) agrees with the
clocking bit of one or both of the other two registers.

A5/1 is based around a combination of three linear-feedback shift registers (LFSRs) with irregular clocking.
The bits are indexed with the least significant bit (LSB) as 0.

The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated
clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is
determined. A register is clocked if its clocking bit agrees with the majority bit. Hence at each step either
two or three registers are clocked, and each register steps with probability 3/4.
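The following Python program is an added example (not from the original notes) of the A5/1 generator just described: three LFSRs with the published lengths, feedback taps and clocking bits, the majority-rule stop/go clocking, and the 64-bit key / 22-bit frame-number loading followed by 100 discarded cycles. It also measures the claim made above, that two or three registers step each cycle and each register steps with probability 3/4. The key and frame number are constructed sample values, and treating them as integers consumed least-significant bit first is the example's assumption about bit order.

```python
class A51:
    """A5/1 keystream generator: three LFSRs with majority-rule (stop/go) clocking.
    Bit 0 is the least significant bit of each register; new bits enter at position 0."""
    LENGTHS = (19, 22, 23)
    TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))   # feedback taps, published A5/1 values
    CLOCK_BITS = (8, 10, 10)                                # clocking bit of each register

    def __init__(self, key, frame):
        # key: 64-bit integer, frame: 22-bit frame number, both consumed LSB first (an assumption
        # about how the 64-bit key and 22-bit frame number are laid out as integers).
        self.regs = [[0] * n for n in self.LENGTHS]
        for i in range(64):                 # key loading: clock all three, XOR the key bit into bit 0
            self._step_all()
            self._mix_in((key >> i) & 1)
        for i in range(22):                 # frame-number loading, the same way
            self._step_all()
            self._mix_in((frame >> i) & 1)
        for _ in range(100):                # warm-up: 100 majority-clocked cycles, output discarded
            self.step()

    def _mix_in(self, bit):
        for reg in self.regs:
            reg[0] ^= bit

    def _shift(self, idx):
        reg = self.regs[idx]
        feedback = 0
        for t in self.TAPS[idx]:
            feedback ^= reg[t]
        self.regs[idx] = [feedback] + reg[:-1]

    def _step_all(self):
        for idx in range(3):
            self._shift(idx)

    def step(self):
        """One cycle: a register is clocked only if its clocking bit agrees with the majority bit.
        Returns (output bit, which registers stepped)."""
        clocks = [self.regs[i][self.CLOCK_BITS[i]] for i in range(3)]
        majority = 1 if sum(clocks) >= 2 else 0
        stepped = tuple(clocks[i] == majority for i in range(3))
        for i in range(3):
            if stepped[i]:
                self._shift(i)
        out = self.regs[0][18] ^ self.regs[1][21] ^ self.regs[2][22]   # XOR of the three MSBs
        return out, stepped

    def keystream(self, nbits=228):
        """One GSM frame: 114 bits per direction, so 228 keystream bits per frame."""
        return [self.step()[0] for _ in range(nbits)]


def clocking_statistics(key, frame, cycles=2000):
    """Fraction of cycles in which each register stepped, and the fewest registers stepped in one cycle."""
    gen = A51(key, frame)
    counts, fewest = [0, 0, 0], 3
    for _ in range(cycles):
        _, stepped = gen.step()
        fewest = min(fewest, sum(stepped))
        for i in range(3):
            counts[i] += stepped[i]
    return [c / cycles for c in counts], fewest


if __name__ == "__main__":
    key, frame = 0x1223456789ABCDEF, 0x134          # constructed sample values
    bits = A51(key, frame).keystream()
    print("".join(str(b) for b in bits[:32]), "...")
    print(clocking_statistics(key, frame))
```

Because the frame number is public and changes every burst, the same 64-bit key yields a fresh keystream per frame without any per-frame key exchange; the warm-up cycles are there so that the key and frame bits are thoroughly mixed into all three registers before any output is used.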

RC4 is a stream cipher and variable-length key algorithm. This algorithm encrypts one byte at a time (or
larger units at a time). The key is the input to a pseudorandom byte generator that produces a stream of 8-bit
numbers that is unpredictable without knowledge of the input key. The output of the generator, called the
keystream, is combined one byte at a time with the plaintext using the XOR operation.

Key-Generation Algorithm – A variable-length key from 1 to 256 bytes is used to initialize a 256-byte state
vector S, with elements S[0] to S[255]. For encryption and decryption, a byte k is generated from S by
selecting one of the 255 entries in a systematic fashion, then the entries in S are permuted again.

Key-Scheduling Algorithm: Initialization: The entries of S are set equal to the values from 0 to 255 in
ascending order, and a temporary vector T is created. If the length of the key k is 256 bytes, then k is assigned
to T. Otherwise, for a key with length k-len bytes, the first k-len elements of T are copied from K, and then K
is repeated as many times as necessary to fill T.

We use T to produce the initial permutation of S. Starting with S[0] and going through S[255], for each S[i] the
algorithm swaps it with another byte in S according to a scheme dictated by T[i]; S will still contain the values from 0 to
255.

Pseudo-random generation algorithm (Stream Generation): Once the vector S is initialized, the input key
is no longer used. In this step, for each S[i] the algorithm swaps it with another byte in S according to a scheme
dictated by the current configuration of S. After reaching S[255] the process continues, starting from S[0]
again.
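The following Python program is an added example (not from the original notes) of the two RC4 phases just described, the key-scheduling algorithm and the pseudo-random generation algorithm, with RC4's own published test vectors as the check. It also serves the earlier stream-cipher discussion of XORing a keystream with plaintext and of why a key-nonce combination must never be reused: the last function shows, with RC4 as the keystream generator, that two messages under the same key and no nonce leak the XOR of their plaintexts because the shared keystream cancels. The sample messages are constructed; the function names are the example's own.

```python
def ksa(key):
    """Key-scheduling algorithm: S starts as the identity permutation 0..255, T is the key repeated
    to 256 bytes, and each S[i] is swapped with an S[j] chosen through T[i]."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def prga(S):
    """Pseudo-random generation: the key is no longer used; each step swaps S[i] with S[j] and
    emits one keystream byte. i wraps from 255 back to 0 and the process continues."""
    S = S[:]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key, data):
    """Encryption and decryption are the same operation: XOR the data with the keystream."""
    ks = prga(ksa(key))
    return bytes(b ^ next(ks) for b in data)


def keystream_reuse_leaks(key, p1, p2):
    """With no nonce, two messages under one key share the keystream, so C1 XOR C2 == P1 XOR P2:
    the keystream cancels and the XOR of the two plaintexts is exposed. Returns True when it does."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    xor_c = bytes(a ^ b for a, b in zip(c1, c2))
    xor_p = bytes(a ^ b for a, b in zip(p1, p2))
    return xor_c == xor_p


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())           # published RC4 test vector
    print(rc4(b"Key", rc4(b"Key", b"Plaintext")))    # decryption is the same call
    print(keystream_reuse_leaks(b"Key", b"attack at dawn", b"attack at dusk"))   # constructed messages
```

This is the concrete reason behind the earlier rule about never reusing a key-nonce pair, and the reason RC4, which has no nonce input at all, pushed protocols such as WEP into ad hoc key-mixing schemes.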

Features of the RC4 encryption algorithm:

Symmetric key algorithm: RC4 is a symmetric key encryption algorithm, which means that the same key is
used for encryption and decryption.

Stream cipher algorithm: RC4 is a stream cipher algorithm, which means that it encrypts and decrypts data
one byte at a time. It generates a key stream of pseudorandom bits that are XORed with the plaintext to
produce the ciphertext.
Variable key size: RC4 supports variable key sizes, from 40 bits to 2048 bits, making it flexible for different
security requirements.

Fast and efficient: RC4 is a fast and efficient encryption algorithm that is suitable for low-power devices and
applications that require high-speed data transmission.

Widely used: RC4 has been widely used in various applications, including wireless networks, secure
sockets layer (SSL), virtual private networks (VPN), and file encryption.

Vulnerabilities: RC4 has several vulnerabilities, including a bias in the first few bytes of the keystream,
which can be exploited to recover the key. As a result, RC4 is no longer recommended for use in new
applications.

Advantages:

Fast and efficient: RC4 is a very fast and efficient encryption algorithm, which makes it suitable for use in
applications where speed and efficiency are critical.

Simple to implement: RC4 is a relatively simple algorithm to implement, which means that it can be easily
implemented in software or hardware.

Variable key size: RC4 supports variable key sizes, which makes it flexible and adaptable for different
security requirements.

Widely used: RC4 has been widely used in various applications, including wireless networks, secure
sockets layer (SSL), virtual private networks (VPN), and file encryption.

Disadvantages:

Vulnerabilities: RC4 has several known vulnerabilities that make it unsuitable for new applications. For
example, there is a bias in the first few bytes of the keystream, which can be exploited to recover the key.

Security weaknesses: RC4 has some inherent weaknesses in its design, which make it less secure than
other encryption algorithms, such as AES or ChaCha20.

Limited key length: The maximum key length for RC4 is 2048 bits, which may not be sufficient for some
applications that require stronger encryption.

Not recommended for new applications: Due to its vulnerabilities and weaknesses, RC4 is no longer
recommended for use in new applications. Other more secure stream cipher algorithms, such as AES-CTR
or ChaCha20, should be used instead.

2.6 Modes of Operation
 Block ciphers encrypt fixed size blocks
 Eg. DES encrypts 64-bit blocks, with 56-bit key
 Need way to use in practice, given usually have arbitrary amount of information to
encrypt
 Four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
 Have block and stream modes

Electronic Codebook (ECB):


 Message is broken into independent blocks which are encrypted
 Each block is a value which is substituted, like a codebook (hence name)
 Each block is encoded independently of the other blocks
 Ci = DESK1(Pi)
 Uses: secure transmission of single values

Advantages and Limitations of ECB


 Repetitions in message may show in ciphertext
 If aligned with message block
 Particularly with data such as graphics
 Or with messages that change very little, which become a code-book analysis
problem
 Weakness due to encrypted message blocks being independent
 Main use is sending a few blocks of data

Cipher Block Chaining (CBC)
 Message is broken into blocks
 But these are linked together in the encryption operation
 Each previous cipher block is chained with the current plaintext block (hence name)
 Use Initial Vector (IV) to start process
 Ci = DESK1(Pi XOR Ci-1)
 C-1 = IV
 Uses: bulk data encryption, authentication

Advantages and Limitations of CBC


 Each ciphertext block depends on all message blocks before it
 Thus a change in the message affects all ciphertext blocks
 Need Initial Value (IV)
 Which must be known to sender & receiver
 If IV is sent in the clear, an attacker can change bits of the first block,
and change IV to compensate
 Hence either IV must be a fixed value (as in EFTPOS) or it must be
sent encrypted in ECB mode before rest of message

Message Padding:
 At end of message, handle possible last short block which is not as large as block size
of cipher.
 Pad either with known non-data value (eg nulls)
 Or pad last block with count of pad size
 Eg. [ b1 b2 b3 0 0 0 0 5]
 Means have 3 data bytes, then 5 bytes pad + count

Cipher Feed Back (CFB)


 Message is treated as a stream of bits
 Added to the output of the block cipher
 Result is feedback for next stage (hence name)
 Standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
 Denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
 Is most efficient to use all 64 bits in block
 Ci = Pi XOR DESK1(Ci-1)
 C-1 = IV
 Uses: stream data encryption, authentication

Advantages and Limitations of CFB


 Appropriate when data arrives in bits/bytes
 Most common stream mode
 Limitation is need to stall while do block encryption after every n-bits
 Note that the block cipher is used in encryption mode at both ends
 Errors propagate for several blocks after the error

Output Feed Back (OFB)
 Message is treated as a stream of bits
 Output of cipher is added to message
 Output is then feedback (hence name)
 Feedback is independent of message
 Can be computed in advance
 Ci = Pi XOR Oi
 Oi = DESK1(Oi-1)
 O-1 = IV
 Uses: stream encryption on noisy channels
Advantages and Limitations of OFB
 Used when error feedback a problem or where need to encryptions before message is
available
 More vulnerable to message stream modification
 But feedback is from the output of cipher and is independent of message
 A variation of a vernam cipher
 Hence must never reuse the same sequence (key + IV)
 Sender and receiver must remain in sync, and some recovery method is needed to
ensure this occurs
 Originally specified with m-bit feedback in the standards
 Subsequent research has shown that only full block feedback (i.e., CFB-64 or CFB-
128) should ever be used

Counter (CTR)
 A “new” mode, though proposed early on
 Similar to OFB but encrypts counter value rather than any feedback value
 Must have a different key & counter value for every plaintext block (never reused)
 Ci = Pi XOR Oi
 Oi = DESK1(i)
 Uses: high-speed network encryptions

Advantages and Limitations of CTR


 Efficiency
 Can do parallel encryptions in hardware or software
 Can preprocess in advance of need
 Good for bursty high speed links
 Random access to encrypted data blocks
 Provable security (good as other modes)
 But must ensure never reuse key/counter values, otherwise could break (cf OFB)
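The following Python program is an added example (not from the original notes) that implements the five modes above exactly as their equations are written, with DESK1 replaced by a toy 64-bit block cipher of the example's own making (a 4-round Feistel network with a SHA-256 round function, chosen only because it is a permutation and runs offline; it is not secure). It also implements the count-byte padding shown for CBC. The sample key, IV and message are constructed. Running it makes the ECB limitation visible: three identical plaintext blocks give three identical ciphertext blocks, while CBC, with its chaining, does not.

```python
import hashlib

BLOCK = 8   # 64-bit blocks, the DES block size used in the notes


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(key, block):
    """Toy 64-bit block cipher standing in for DES_K1: a 4-round Feistel network whose round
    function is SHA-256 of (key, round, half). It is a permutation, so D below inverts it. Not secure."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return l + r


def D(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:4]), l
    return l + r


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data):
    """Zero bytes then a count byte, as in [b1 b2 b3 0 0 0 0 5]; at least one byte (the count) is always added."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes(n - 1) + bytes([n])


def unpad(data):
    return data[:-data[-1]]


def ecb_encrypt(key, data):
    return b"".join(E(key, p) for p in blocks(pad(data)))               # C_i = E_K(P_i)


def ecb_decrypt(key, data):
    return unpad(b"".join(D(key, c) for c in blocks(data)))


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one: the ECB codebook leak."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv                                                   # C_-1 = IV
    for p in blocks(pad(data)):
        prev = E(key, _xor(p, prev))                                     # C_i = E_K(P_i XOR C_(i-1))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(_xor(D(key, c), prev))                                # P_i = D_K(C_i) XOR C_(i-1)
        prev = c
    return unpad(b"".join(out))


def cfb(key, iv, data, decrypt=False):
    """Full-block CFB: C_i = P_i XOR E_K(C_(i-1)). Only E is used, at both ends; no padding is needed."""
    out, prev = [], iv
    for chunk in blocks(data):
        o = _xor(chunk, E(key, prev)[:len(chunk)])
        out.append(o)
        prev = chunk if decrypt else o                                   # the feedback is always the ciphertext
    return b"".join(out)


def ofb(key, iv, data):
    """O_i = E_K(O_(i-1)), O_-1 = IV, C_i = P_i XOR O_i: the keystream never depends on the message."""
    out, o = [], iv
    for chunk in blocks(data):
        o = E(key, o)
        out.append(_xor(chunk, o[:len(chunk)]))
    return b"".join(out)


def ctr(key, data, start=0):
    """O_i = E_K(i): each block uses its own counter value, so blocks can be processed in any order."""
    return b"".join(_xor(chunk, E(key, i.to_bytes(BLOCK, "big"))[:len(chunk)])
                    for i, chunk in enumerate(blocks(data), start))


if __name__ == "__main__":
    key, iv = b"\x13\x34\x57\x79\x9b\xbc\xdf\xf1", b"\x00" * BLOCK      # constructed sample values
    msg = b"ATTACK! " * 3                                                 # three identical blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print("CTR round trip:", ctr(key, ctr(key, msg)) == msg)
```

The ctr function's start parameter is the random-access property listed above: block 2 of a CTR ciphertext can be decrypted on its own by supplying counter value 2, with no need to process blocks 0 and 1 first. OFB and CTR are symmetric (the same call encrypts and decrypts), and CFB needs only the decrypt flag to choose which value is fed back, which is what the note "block cipher is used in encryption mode at both ends" means in practice.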

2.7 SIMPLIFIED DES
 Encryption takes an 8-bit block of plaintext, a 10-bit key and produces an
8-bit block of ciphertext
 Decryption takes the 8-bit block of ciphertext, the same 10-bit key and
produces the original 8-bit block of plaintext
 The encryption algorithm involves five functions
 IP – an initial permutation
 fk – a complex function, which involves both permutation and substitution
operations and depends on a key input
 SW – a simple permutation that swaps the two halves of the data
 fk – the complex function again
 IP^-1 – inverse initial permutation

Block diagram of S-DES

 Ciphertext = IP^-1(fK2(SW(fK1(IP(Plaintext)))))

 Plaintext = IP^-1(fK1(SW(fK2(IP(Ciphertext)))))

S-DES Key Generation:

Generate two 8-bit subkeys from the original 10-bit key

50
The key is first subjected to a permutation (P10).

Divide the output of P10 in to two halves and perform circular left shift one bit position (LS-1) on the two
halves and then passes through a permutation function (P8) that produces an 8-bit output for the first
subkey (K1).
The output of the shift operation is given as input into another shift
(LS-2)(left shift by 2 bits on the two halves of the data) and another instance of (P8) to produce the
second subkey (K2)
K1 = P8(Shift(P10(key)))
K2 = P8(Shift(Shift(P10(key)

The first and fourth bits are treated as a 2 bit number that specify a row of the s-box and the second and
third bits specify a column of the S-boxes.

Example

Plain text: 10111101

Key: 1010000010

Key Generation

 Applying P10 on key, we get: 1000001100

 Applying circular left shift by 1 bit on two 5 bits part, we get: 00001 11000

 Applying P8, we get K1: 10100100

 Applying circular left shift by 2 bits: 00100 00011

 Applying P8, we get K2: 01000011

Steps for S-DES encryption

Initial permutation on the plaintext: IP(plain text) = 0111 1110

Now applying fK1 on 01111110
i) Apply E/P on 1110: 0111 1101
ii) XOR with K1: 11011001
iii) Pass 1101 to the S0 box: 11
iv) Pass 1001 to the S1 box: 10
v) Combining both S-box results: 1101
vi) Applying P4 on it: 1011

Now we have an intermediate output: 1100 1110
Applying SW: 1110 1100
Applying fK2 on 11101100
i) Apply E/P on 1100: 0110 1001
ii) XOR with K2: 0010 1010
iii) Pass 0010 to the S0 box: 00
iv) Pass 1010 to the S1 box: 00
v) Combining both S-box results: 0000
vi) Applying P4 on it: 0000

Now we have at the end: 1110 1100
Applying IP^-1 on it we get: 0111 0101, which is our ciphertext.

Cipher text = 0111 0101

The inverse operation on this ciphertext will give the plaintext.
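The S-DES cipher of section 2.7 and the worked example above, with CTR mode (the Counter (CTR) bullets earlier) built on top of it, as an added Python example that is not part of the original notes. The tables are the standard S-DES tables with bit positions numbered from 1 at the left, as in the text; the function names and the CTR sample data are this example's own.

```python
# Added example (not from the notes): S-DES as laid out in 2.7, then CTR mode
# (Ci = Pi XOR E_K(counter_i)) built on it. Tables are the standard S-DES tables,
# with bit positions numbered from 1 at the left, as in the text; names are my own.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)          # expansion/permutation of the 4-bit right half
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def to_bits(value: int, width: int) -> list:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def from_bits(bits: list) -> int:
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out

def permute(bits: list, table: tuple) -> list:
    """Output position j takes input bit table[j] (1-based, leftmost = 1)."""
    return [bits[i - 1] for i in table]

def rotl(half: list, n: int) -> list:
    return half[n:] + half[:n]

def key_schedule(key10: int) -> tuple:
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key)))); returned as 8-bit ints."""
    k = permute(to_bits(key10, 10), P10)
    left, right = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)
    k2 = permute(left + right, P8)
    return from_bits(k1), from_bits(k2)

def sbox(box: tuple, bits4: list) -> list:
    """Bits 1 and 4 select the row, bits 2 and 3 the column; returns the 2-bit entry."""
    row = (bits4[0] << 1) | bits4[3]
    col = (bits4[1] << 1) | bits4[2]
    return to_bits(box[row][col], 2)

def fk(bits8: list, subkey: int) -> list:
    """Feistel step: L' = L XOR P4(S0|S1(E/P(R) XOR K)), R unchanged."""
    left, right = bits8[:4], bits8[4:]
    x = [a ^ b for a, b in zip(permute(right, EP), to_bits(subkey, 8))]
    f = permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)
    return [a ^ b for a, b in zip(left, f)] + right

def swap(bits8: list) -> list:
    return bits8[4:] + bits8[:4]

def encrypt_block(p8: int, key10: int) -> int:
    """Ciphertext = IP^-1(fK2(SW(fK1(IP(Plaintext)))))"""
    k1, k2 = key_schedule(key10)
    state = fk(swap(fk(permute(to_bits(p8, 8), IP), k1)), k2)
    return from_bits(permute(state, IP_INV))

def decrypt_block(c8: int, key10: int) -> int:
    """Plaintext = IP^-1(fK1(SW(fK2(IP(Ciphertext))))): same steps, subkeys reversed."""
    k1, k2 = key_schedule(key10)
    state = fk(swap(fk(permute(to_bits(c8, 8), IP), k2)), k1)
    return from_bits(permute(state, IP_INV))

def ctr_crypt(data: bytes, key10: int, start_counter: int) -> bytes:
    """CTR mode: Ci = Pi XOR E_K(counter_i). The same call encrypts and decrypts,
    and the keystream blocks E_K(counter_i) can be computed before the data arrives."""
    return bytes(b ^ encrypt_block((start_counter + i) & 0xFF, key10)
                 for i, b in enumerate(data))

def counter_reuse_leaks_xor(p1: bytes, p2: bytes, key10: int, counter: int) -> bool:
    """The notes' caveat: reusing a (key, counter) pair makes C1 XOR C2 == P1 XOR P2,
    so the keystream cancels and the relation between the two plaintexts is exposed."""
    c1, c2 = ctr_crypt(p1, key10, counter), ctr_crypt(p2, key10, counter)
    return bytes(x ^ y for x, y in zip(c1, c2)) == bytes(x ^ y for x, y in zip(p1, p2))

if __name__ == "__main__":
    key = 0b1010000010                      # the notes' example key
    print("K1, K2 =", [f"{k:08b}" for k in key_schedule(key)])
    print("ciphertext of 10111101 =", f"{encrypt_block(0b10111101, key):08b}")
```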

2.8 Data Encryption Standard (DES)
The most widely used encryption scheme is based on the Data Encryption Standard (DES), adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46).
The algorithm itself is referred to as the Data Encryption Algorithm (DEA).
For DES, data are encrypted in 64-bit blocks using a 56-bit key.
The same steps, with the same key, are used to reverse the encryption.

DES Encryption:
The basic process consists of:
 An initial permutation (IP)
 16 rounds of a complex key-dependent calculation f
 A final permutation, being the inverse of IP
DES key schedule: (operation on the key)
The key bits are numbered from 1 to 64; every eighth bit is ignored.
The 64-bit key is used as input to the algorithm.
It forms the subkeys used in each round.
Consists of:
 Initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves C0 and D0
 16 stages consisting of:
 At each round, the two halves are separately subjected to a circular shift or rotation of 1 or 2 bits.
 These shifted values serve as input to the next round.
 They also serve as input to permuted choice 2 (PC2), which produces a 48-bit output that serves as input to the function F(Ri-1, Ki)
 General depiction of DES encryption algorithm

Initial Permutation IP:
This is the first step of the data computation.

IP reorders the input data bits: it moves the even-numbered bits to the left half and the odd-numbered bits to the right half.

The initial permutation and its inverse are defined by tables. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.
Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use, so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant).
For example, a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”. Note that example values are specified using hexadecimal.

DES Round Structure:

 Input is divided into 2 halves Li–1 and Ri–1
 Li = Ri–1
 Ri = Li–1 xor F(Ri–1, Ki)

 F takes the 32-bit R half and the 48-bit round key and:
 Expands R to 48 bits using the expansion permutation (E)
 The resulting 48 bits are XORed with Ki
 The 48-bit result passes through 8 substitution functions (S-boxes) to get a 32-bit result
 Finally permutes this using the 32-bit permutation P and produces the 32-bit output.
We now review the internal structure of the DES round function F, which takes the R half and the subkey and processes them. The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits. The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted. This follows the classic structure for a Feistel cipher. Note that the S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

Substitution Boxes S:
The substitution consists of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.
Outer bits 1 & 6 (row bits) select one row of 4: the first and last bits of the input to box Si form a 2-bit binary number that selects one of the four substitutions defined by the four rows in the table for Si.
Inner bits 2–5 (column bits) are substituted: the middle four bits select one of the 16 columns.
The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output. For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001.
The example lists 8 six-bit values (i.e., 18 in hex is 011000 in binary, 09 hex is 001001 binary, 12 hex is 010010 binary, 3d hex is 111101 binary, etc.), each of which is replaced following the process detailed above using the appropriate S-box, i.e.
S1(011000): look up row 00, col 1100 in S1 to get 5
S2(001001): look up row 01, col 0100 in S2 to get 15 = f in hex
S3(010010): look up row 00, col 1001 in S3 to get 13 = d in hex
S4(111101): look up row 11, col 1110 in S4 to get 2, etc.

Calculation of F(R,K):

The R input is first expanded to 48 bits by using expansion table E that defines a permutation plus an
expansion that involves duplication of 16 of the R bits . The resulting 48 bits are XORed with key Ki . This
48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4
output bits, producing a 32-bit output, which is then permuted by permutation P .

Single Round of DES


1. Key transformation
2. Expansion permutation
3. S-box substitution
4. Permutation
5. XOR and swap

1. Key transformation: the 56-bit key is divided into two halves. Each 28-bit half is circularly shifted one or two positions depending on the round. After the appropriate shifts, 48 of the 56 bits are selected as the key for the round.
2. Expansion permutation: in this step the right half of the plaintext is expanded from 32 bits to 48 bits. The 48-bit round key is XORed with the 48-bit expanded right half, and the resulting output is given to the next step.
3. Substitution boxes S: S-box substitution accepts the 48-bit input from the XOR operation and produces a 32-bit output.
4. Permutation: the output of the S-boxes consists of 32 bits. These 32 bits are permuted using the P-box.
5. XOR and swap: all the above operations are performed only on the 32-bit right half of the plaintext. Now the left half is XORed with the P-box output. The result of the XOR operation becomes the new right half. The old right half becomes the new left half.

DES Round in Full

(Figure: the 32-bit Right Half i-1 is expanded by E to 48 bits and XORed with the 48-bit Round Key i; the result is split into eight 6-bit input symbols for S1 … S8, each producing a 4-bit output symbol; the 32 output bits are permuted by P and XORed with Left Half i-1 to give Right Half i.)

Expansion E (48 output positions, listing the input bit number for each):
32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

Permutation P (32 output positions, listing the input bit number for each):
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

DES Decryption:

 With the Feistel design, decryption uses the same algorithm as encryption, except that the application of subkeys is reversed (SK16 … SK1)
Avalanche Effect:

 DES exhibits a strong avalanche effect.
 A key desirable property of an encryption algorithm is that a change in either the plaintext or the key should produce a significant change in the ciphertext.
 In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.
 If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched.

Strength of DES – Key Size:

 A 56-bit key length gives 2^56 key values
 Brute-force search looks hard

Strength of DES – Analytic Attacks:

 There are now several analytic attacks on DES
 These utilize some deep structure of the cipher
 By gathering information about encryptions
 Can eventually recover some/all of the sub-key bits
 If necessary then exhaustively search for the rest
 Generally these are statistical attacks, which include
 Differential cryptanalysis – capable of breaking DES in less than 2^55 chosen plaintexts.
o This scheme can cryptanalyze DES with an effort on the order of 2^47, requiring 2^47 chosen plaintexts.
 Linear cryptanalysis – this method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.
o It may be easier to acquire known plaintext rather than chosen plaintext.
2.9 Advanced Encryption Standard (AES) Evaluation Criteria
Origins:
Clearly a replacement for DES was needed
 Have theoretical attacks that can break it
 Have demonstrated exhaustive key search attacks
Can use Triple-DES – but slow, has small blocks
AES Evaluation Criteria
 Initial criteria:
 Security – Effort required for practical cryptanalysis
 Cost – AES must have high computational efficiency
 Algorithm & implementation characteristics – Includes flexibility, suitability for a variety of h/w and s/w implementations, and simplicity.
 Final criteria
 General security
 Software & hardware implementation ease
 Implementation attacks and Flexibility (in en/decrypt, keying, other factors)
AES Cipher - Rijndael
Designed by Rijmen and Daemen in Belgium
Has 128/192/256-bit keys, 128-bit data
An iterative rather than Feistel cipher
 Processes data as a block of 4 columns of 4 bytes
 Operates on the entire data block in every round
Designed to be:
 Resistant against known attacks
 Fast and compact in code on a wide range of platforms
Rijndael:
Data block of 4 columns of 4 bytes (state)
Key is expanded to an array of forty-four 32-bit words
Four different stages are used, one of permutation and three of substitution
 Byte substitution: uses an S-box to perform a byte-by-byte substitution of the block
 Shift rows: a simple permutation
 Mix columns: a substitution that makes use of arithmetic over GF(2^8)
 Add round key: a simple bitwise XOR of the current block with a portion of the expanded key
All operations can be combined into XOR and table lookups - hence very fast & efficient

AES encryption and decryption:

Byte Substitution:
A simple substitution of each byte
AES defines a 16x16 matrix of byte values containing a permutation of all 256 8-bit values
Each individual byte of state is mapped into a new byte in the following way:
row (leftmost 4 bits) & column (rightmost 4 bits)
 E.g. byte {95} is replaced by the row 9, col 5 byte
 which has the value {2A}
Shift Rows:
A circular byte shift in each row
 1st row is unchanged
 2nd row does a 1-byte circular shift to the left
 3rd row does a 2-byte circular shift to the left
 4th row does a 3-byte circular shift to the left
Decrypt does the shifts to the right

Mix Columns:
Each column is processed separately
Each byte is mapped into a new value that is a function of all 4 bytes in the column.
Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
Can express each column as 4 equations
 To derive each new byte in the column
 In GF(2^8) addition is the bitwise XOR operation, and multiplication can be performed according to the rule.
Decryption requires use of the inverse matrix
 With larger coefficients, hence a little harder

Add Round Key:
Lastly is the Add Round Key stage, in which the 128 bits of state are bitwise XORed with the 128 bits of the round key.
The first matrix is the state and the second matrix is the round key.
The inverse for decryption is identical, since XOR is its own inverse, just with the correct round key.

AES Round

AES Key Expansion
Takes a 4-word (16-byte) key and expands it into an array of 44 words (156 bytes)

Key expansion algorithm:

KeyExpansion(byte key[16], word w[44])
{
  word temp;
  for (i = 0; i < 4; i++)
    w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
  for (i = 4; i < 44; i++)
  {
    temp = w[i-1];
    if (i mod 4 = 0)
      temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
    w[i] = w[i-4] XOR temp;
  }
}
Start by copying the key into the first 4 words.
The remainder of the expanded key is filled in four words at a time.
Each word w[i] depends on the immediately preceding word w[i-1] and the word four positions back, w[i-4].
The symbol g represents the complex function. It contains the following sub-functions:

1. RotWord performs a one-byte circular left shift on a word.
2. SubWord performs a byte substitution on each byte of its input word using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
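An added Python example, not from the original notes, that builds the AES S-box from the GF(2^8) arithmetic described under Mix Columns (so the Byte Substitution example {95} -> {2A} can be checked) and then runs the KeyExpansion routine above. SubWord, RotWord and Rcon follow FIPS-197; the function names are this example's own, and the key used in the demo is the FIPS-197 key expansion example key.

```python
# Added example: AES S-box from GF(2^8) arithmetic, then the KeyExpansion routine.
# Function names are this example's own; SubWord/RotWord/Rcon follow FIPS-197.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); the inverse of 0 is taken as 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF

def build_sbox() -> list:
    """S-box entry = affine transform of the field inverse: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        box.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return box

SBOX = build_sbox()   # SBOX[0x95] == 0x2A, the page's byte-substitution example

def rot_word(w: list) -> list:
    """One-byte circular left shift of a 4-byte word."""
    return w[1:] + w[:1]

def sub_word(w: list) -> list:
    """S-box substitution on each byte of the word."""
    return [SBOX[b] for b in w]

def rcon(j: int) -> list:
    """Round constant Rcon[j] = (x^(j-1), 0, 0, 0) with x^(j-1) computed in GF(2^8)."""
    v = 1
    for _ in range(j - 1):
        v = gf_mul(v, 2)
    return [v, 0, 0, 0]

def key_expansion(key: bytes) -> list:
    """Expand a 16-byte key into 44 four-byte words w[0..43] (the page's KeyExpansion)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]        # w[0..3] = the key itself
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                                         # the function g
            temp = [a ^ b for a, b in zip(sub_word(rot_word(temp)), rcon(i // 4))]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])      # w[i] = w[i-4] XOR temp
    return w

def round_key(w: list, rnd: int) -> bytes:
    """Round key for round rnd (0..10) = words w[4*rnd .. 4*rnd+3]."""
    return bytes(b for word in w[4 * rnd:4 * rnd + 4] for b in word)

if __name__ == "__main__":
    # Key from the FIPS-197 key expansion example (Appendix A.1)
    words = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    for r in range(11):
        print(f"round {r:2d} key: {round_key(words, r).hex()}")
```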

AES Decryption

 AES decryption is not identical to encryption since the steps are done in reverse
 but can define an equivalent inverse cipher with steps as for encryption
• but using inverses of each step
• with a different key schedule
 works since the result is unchanged when we
• swap byte substitution & shift rows
• swap mix columns & add (tweaked) round key


2.10 CONFIDENTIALITY USING SYMMETRIC ENCRYPTION

Before examining some of these more recent topics, we concentrate in this chapter on the
use of symmetric encryption to provide confidentiality.

We begin with a discussion of the location of encryption logic; the main choice here is between what are known as link encryption and end-to-end encryption. Next, we look at the use of encryption to counter traffic analysis attacks. Then we discuss the difficult problem of key distribution. Finally, we discuss the principles underlying an important tool in providing a confidentiality facility: random number generation.

Placement of Encryption Function

If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located. To begin, this section examines the potential locations of security attacks and then looks at the two major approaches to encryption placement: link and end to end.

There are a large number of locations at which an attack can occur. Furthermore, for wide area communications, many of these locations are not under the physical control of the end user. Even in the case of local area networks, in which physical security measures are possible, there is always the threat of the disgruntled employee.

Link versus End-to-End Encryption

The most powerful and most common approach to securing the points of vulnerability
highlighted in the preceding section is encryption. If encryption is to be used to counter these
attacks, then we need to decide what to encrypt and where the encryption gear should be
located. There are two fundamental alternatives: link encryption and end-to-end encryption.

Basic Approaches
Link to Link Encryption:

With link encryption, each vulnerable communications link is equipped on both ends with
an encryption device. Thus, all traffic over all communications links is secured. One of its
disadvantages is that the message must be decrypted each time it enters a switch because the
switch must read the address (logical connection number) in the packet header in order to route
the frame. Thus, the message is vulnerable at each switch. If working with a public network, the
user has no control over the security of the nodes.

Several implications of link encryption should be noted. For this strategy to be effective, all
the potential links in a path from source to destination must use link encryption. Each pair of
nodes that share a link should share a unique key, with a different key used on each link.

Thus, many keys must be provided.

End-To-End Encryption

With end-to-end encryption, the encryption process is carried out at the two end systems.
The source host or terminal encrypts the data. The data in encrypted form are then transmitted
unaltered across the network to the destination terminal or host. The destination shares a key
with the source and so is able to decrypt the data. This plan seems to secure the transmission
against attacks on the network links or switches. Thus, end-to-end encryption relieves the end
user of concerns about the degree of security of networks and links that support the
communication. There is, however, still a weak spot.

Consider the following situation. A host connects to a frame relay or ATM network, sets
up a logical connection to another host, and is prepared to transfer data to that other host by
using end-to-end encryption. Data are transmitted over such a network in the form of packets that
consist of a header and some user data. What part of each packet will the host encrypt? Suppose
that the host encrypts the entire packet, including the header. This will not work because,
remember, only the other host can perform the decryption. The frame relay or ATM switch will
receive an encrypted packet and be unable to read the header. Therefore, it will not be able to
route the packet. It follows that the host may encrypt only the user data portion of the packet and
must leave the header in the clear.
Thus, with end-to-end encryption, the user data are secure. However, the traffic pattern is
not, because packet headers are transmitted in the clear. On the other hand, end-to-end encryption
does provide a degree of authentication. If two end systems share an encryption key, then a recipient
is assured that any message that it receives comes from the alleged sender, because only that
sender shares the relevant key. Such authentication is not inherent in a link encryption scheme.

To achieve greater security, both link and end-to-end encryption are needed, as is shown in Figure. When both forms of encryption are employed, the host encrypts the user data portion of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key. As the packet traverses the network, each switch decrypts the packet, using a link encryption key to read the header, and then encrypts the entire packet again for sending it out on the next link. Now the entire packet is secure except for the time that the packet is actually in the memory of a packet switch, at which time the packet header is in the clear.

Link Encryption:
 Link encryption encrypts all the data along a specific communication path. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted.
 All data are encrypted, including headers, addresses, and routing information.
 It works at a lower layer in the OSI model.
 All of the information is encrypted, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next.

End-to-End Encryption:
 With end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed.
 Headers, addresses, and routing information are not encrypted, and therefore not protected.
 It works at the network layer.
 The packets do not need to be decrypted and then encrypted again at each hop, because the headers and trailers are not encrypted.

Characteristics of Link and End-to-End Encryption

Logical Placement of End-to-End Encryption Function

With link encryption, the encryption function is performed at a low level of the
communications hierarchy i.e. physical or link layers.

For end-to-end encryption, several choices are possible for the logical placement of the
encryption function. At the lowest practical level, the encryption function could be performed at
the network layer.

With network-layer encryption, each end system can engage in an encrypted exchange with another end system if the two share a secret key. All the user processes and applications within each end system would employ the same encryption scheme with the same key to reach a particular target end system.
Figure illustrates the issues involved. In this example, an electronic mail gateway is used to interconnect an internetwork that uses a TCP/IP-based architecture. In such a configuration, there is no end-to-end protocol below the application layer. The transport and network connections from each end system terminate at the mail gateway, which sets up new transport and network connections to link to the other end system. Even if both end systems use TCP/IP or OSI, there are plenty of instances in actual configurations in which mail gateways sit between otherwise isolated internetworks. Thus, for applications like electronic mail that have a store-and-forward capability, the only place to achieve end-to-end encryption is at the application layer.

With application-level encryption (Figure a), only the user data portion of a TCP segment is
encrypted. The TCP, IP, network-level, and link-level headers and link-level trailer are in the clear.
By contrast, if encryption is performed at the TCP level (Figure b), then, on a single end-to-end
connection, the user data and the TCP header are encrypted. The IP header remains in the clear
because it is needed by routers to route the IP datagram from source to destination. Note,
however, that if a message passes through a gateway, the TCP connection is terminated and a
new transport connection is opened for the next hop. Furthermore, the gateway is treated as
a destination by the underlying IP. Thus, the encrypted portions of the data unit are decrypted at
the gateway. If the next hop is over a TCP/IP network, then the user data and TCP header are
encrypted again before transmission. However, in the gateway itself the data unit is buffered
entirely in the clear. Finally, for link-level encryption (Figure c), the entire data unit except for the
link header and trailer is encrypted on each link, but the entire data unit is in the clear at each
router and gateway.
Traffic Confidentiality

The following types of information can be derived from a traffic analysis attack:

 Identities of partners
 How frequently the partners are communicating
 Message pattern, message length, or quantity of messages that suggest important
information is being exchanged
 The events that correlate with special conversations between particular partners

Another concern related to traffic is the use of traffic patterns to create a covert
channel. Typically, the channel is used to transfer information in a way that violates a security
policy. For example, an employee may wish to communicate information to an outsider in a way
that is not detected by management and that requires simple eavesdropping on the part of the
outsider.

Link Encryption Approach

With the use of link encryption, network-layer headers (e.g., frame or cell header) are
encrypted, reducing the opportunity for traffic analysis. However, it is still possible in those
circumstances for an attacker to assess the amount of traffic on a network and to observe the
amount of traffic entering and leaving each end system. An effective countermeasure to this
attack is traffic padding, illustrated in Figure.
Traffic padding produces ciphertext output continuously, even in the absence of plaintext. A
continuous random data stream is generated. When plaintext is available, it is encrypted and
transmitted. When input plaintext is not present, random data are encrypted and transmitted. This
makes it impossible for an attacker to distinguish between true data flow and padding and
therefore impossible to deduce the amount of traffic.

End-to-End Encryption Approach

Traffic padding is essentially a link encryption function. If only end-to-end encryption is employed, then the measures available to the defender are more limited. For example, if encryption is implemented at the application layer, then an opponent can determine which transport entities are engaged in dialogue.

One technique that might prove useful is to pad out data units to a uniform length at either
the transport or application level. In addition, null messages can be inserted randomly into the
stream. These tactics deny an opponent knowledge about the amount of data exchanged
between end users and obscure the underlying traffic pattern.

Key Distribution

For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, key distribution is the term that refers to the means of delivering a key to two parties who wish to exchange data, without allowing others to see the key. For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
Physical delivery (1 & 2) is simplest, but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption, where devices & keys occur in pairs, but does not scale as the number of parties who wish to communicate grows. Option 3 is mostly based on 1 or 2 occurring first.

A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). One must trust the intermediary not to abuse the knowledge of all session keys. As the number of parties grows, some variant of 4 is the only practical solution to the huge growth in the number of keys potentially needed.

Key distribution centre:

 The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum, two levels of keys are used.
 Communication between end systems is encrypted using a temporary key, often referred to as a session key.
 Typically, the session key is used for the duration of a logical connection and then discarded.
 A master key is shared by the key distribution center and an end system or user and is used to encrypt the session key.

Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur:

1. A issues a request to the KDC for a session key to protect a logical connection to B. The
message includes the identity of A and B and a unique identifier, N1, for this transaction,
which we refer to as a nonce. The nonce may be a timestamp, a counter, or a random
number; the minimum requirement is that it differs with each request. Also, to prevent
masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random
number is a good choice for a nonce.

2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can
successfully read the message, and A knows that it originated at the KDC. The message
includes two items intended for A:
 The one-time session key, Ks, to be used for the session
 The original request message, including the nonce, to enable A to match this response
with the appropriate request

Thus, A can verify that its original request was not altered before reception by the KDC and,
because of the nonce, that this is not a replay of some previous request.

In addition, the message includes two items intended for B:

 The one-time session key, Ks to be used for the session


 An identifier of A (e.g., its network address), IDA

These last two items are encrypted with Kb (the master key that the KDC shares with B). They
are to be sent to B to establish the connection and prove A's identity.

3. A stores the session key for use in the upcoming session and forwards to B the information
that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is
encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks),
knows that the other party is A (from IDA), and knows that the information originated at the
KDC (because it is encrypted using Kb).

At this point, a session key has been securely delivered to A and B, and they may begin their
protected exchange. However, two additional steps are desirable:

4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.

5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation
on N2 (e.g., adding one).

These steps assure B that the original message it received (step 3) was not a replay.

Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well
as 3, perform an authentication function.
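The five-step KDC exchange above, simulated in Python as an added example that is not part of the original notes. The notes' E(K, [...]) is replaced by a constructed SHA-256 keystream plus HMAC tag (a stand-in so that a wrong key or altered message is detected, not a production cipher); the KDC and Host classes, the message field names and the randomly generated master keys are this example's own assumptions.

```python
import hashlib, hmac, json, os, struct

# Stand-in for the page's E(K, [...]): keystream from SHA-256(key, iv, counter) plus an
# HMAC tag so a wrong key or an altered message is detected. Illustrative only.
def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
                    for i in range((n + 31) // 32))

def encrypt(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj, sort_keys=True).encode()
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, keystream(key, iv, len(ct)))))

class KDC:
    """Holds the master keys Ka, Kb, ... and answers a step 1 request with the step 2 message."""
    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def respond(self, request: dict) -> bytes:
        ks = os.urandom(16).hex()                       # one-time session key Ks
        # Items for B, under Kb: E(Kb, [Ks || IDA])
        ticket = encrypt(self.master_keys[request["to"]], {"ks": ks, "id": request["from"]})
        # Items for A, under Ka: Ks, the original request (with its nonce N1) and the ticket
        return encrypt(self.master_keys[request["from"]],
                       {"ks": ks, "request": request, "ticket": ticket.hex()})

class Host:
    def __init__(self, name: str, master_key: bytes):
        self.name, self.master_key = name, master_key
        self.pending = self.session_key = self.peer = self.n2 = None

    # Step 1: request, in the clear, carrying a fresh nonce N1
    def request_session(self, peer: str) -> dict:
        self.pending = {"from": self.name, "to": peer, "nonce": os.urandom(8).hex()}
        return self.pending

    # Step 2 received: the echoed request (and N1) must match; keep Ks, pass the ticket on
    def accept_kdc_reply(self, blob: bytes) -> bytes:
        msg = decrypt(self.master_key, blob)
        if msg["request"] != self.pending:
            raise ValueError("reply does not match the outstanding request: altered or replayed")
        self.session_key, self.pending = bytes.fromhex(msg["ks"]), None
        return bytes.fromhex(msg["ticket"])

    # Step 3 received by B: learn Ks and IDA; step 4: send nonce N2 under Ks
    def accept_ticket(self, ticket: bytes) -> bytes:
        t = decrypt(self.master_key, ticket)
        self.session_key, self.peer = bytes.fromhex(t["ks"]), t["id"]
        self.n2 = int.from_bytes(os.urandom(4), "big")
        return encrypt(self.session_key, {"n2": self.n2})

    # Step 5 at A: answer with f(N2) = N2 + 1 under Ks
    def answer_challenge(self, blob: bytes) -> bytes:
        n2 = decrypt(self.session_key, blob)["n2"]
        return encrypt(self.session_key, {"f_n2": n2 + 1})

    # B checks f(N2): only a party holding this session's Ks could have produced it
    def verify_answer(self, blob: bytes) -> bool:
        return decrypt(self.session_key, blob)["f_n2"] == self.n2 + 1

def run_protocol() -> bool:
    ka, kb = os.urandom(32), os.urandom(32)             # master keys Ka, Kb (constructed)
    kdc, a, b = KDC({"A": ka, "B": kb}), Host("A", ka), Host("B", kb)
    reply = kdc.respond(a.request_session("B"))         # steps 1 and 2
    ticket = a.accept_kdc_reply(reply)                  # A checks N1, extracts Ks
    challenge = b.accept_ticket(ticket)                 # step 3 delivered, step 4 sent
    answer = a.answer_challenge(challenge)              # step 5
    return a.session_key == b.session_key and b.peer == "A" and b.verify_answer(answer)

def stale_reply_is_rejected() -> bool:
    """A KDC reply captured for an earlier request fails A's nonce check when replayed."""
    ka, kb = os.urandom(32), os.urandom(32)
    kdc, a = KDC({"A": ka, "B": kb}), Host("A", ka)
    old_reply = kdc.respond(a.request_session("B"))
    a.request_session("B")                              # new request, new N1
    try:
        a.accept_kdc_reply(old_reply)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("protocol completed:", run_protocol())
    print("stale reply rejected:", stale_reply_is_rejected())
```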

Major Issues with KDC:

For very large networks, a hierarchy of KDCs can be established. For communication among entities within the same local domain, the local KDC is responsible for key distribution. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a (hierarchy of) global KDC(s).

To balance security & effort, a new session key should be used for each new connection-
oriented session. For a connectionless protocol, a new session key is used for a certain fixed
period only or for a certain number of transactions.

An automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other, provided they trust the system to act on their behalf.

The use of a key distribution center imposes the requirement that the KDC be trusted and
be protected from subversion. This requirement can be avoided if key distribution is fully
decentralized.

In addition to separating master keys from session keys, one may wish to define different types
of session keys on the basis of use.

Part - A
1. Assess the following cipher text using brute force attack:
CMTMROOEOORW (Hint: Algorithm-Rail fence).
2. Compare Substitution and Transposition techniques.
3. Give examples for substitution cipher.
4. Compare Block cipher and Stream cipher.
5. Give examples for transposition cipher.
6. Show how to convert the given text “VALLIAMMAI” into cipher text using Rail fence Technique.
7. Plan how many keys are required by two people to communicate via a cipher.
8. Compare Substitution and Transposition techniques.
9. Define Diffusion & Confusion.
10. Specify the design criteria of block cipher.
11. Define Reversible mapping.
12. List the five modes of operation of block cipher.
13. List the function of state array.
14. Differentiate symmetric and asymmetric encryption
15. Show how to convert the given text “CRYPTOGRAPHY” into cipher text using Rail fence Technique
Part – B & C

1. Tabulate the substitution Techniques in detail.
2. Describe the Transposition Techniques in detail.
3. Apply the Caesar cipher with k=5 to decrypt the given ciphertext “YMJTYMJWXNIJTKXNQJSHJ”.
4. Apply the Vigenere cipher to encrypt the word “explanation” using the key “leg”.
5. Differentiate between transposition cipher and substitution cipher. Apply a two-stage
transposition cipher on “treat diagrams as single units” using the keyword “sequence”.
6. What is a mono-alphabetic cipher? Examine how it differs from the Caesar cipher.
7. Solve using the Playfair cipher: encrypt the word “Semester Result” with the keyword “Examination”.
List the rules used.
8. Demonstrate the encryption of the message “PAY” using the Hill cipher with the following key matrix
and show the decryption.
    |17 17  5|
K = |21 18 21|
    | 2  2 19|
9. Formulate the Caesar cipher for the ciphertext PHHW PH DIWHU WKH WRJD SDUWB to identify
the plaintext with the default key K=3 and also give at least three important characteristics of
this problem that enable brute-force cryptanalysis.

UNIT III: ASYMMETRIC TECHNIQUES
Principles of Public Key Cryptosystems – The RSA Algorithm – Key Management – Diffie
Hellman Key Exchange – Elliptic Curve Cryptography – Prime fields and binary fields,
Applications, Practical considerations. Cryptography in Embedded Hardware.

3.1 Public key cryptography: Principles of public key cryptosystems:


We will now discuss the radically different public key systems, in which two keys
are used. Public-key cryptography provides a radical departure from all that has gone
before. The development of public-key cryptography is the greatest and perhaps the only
true revolution in the entire history of cryptography. It is asymmetric, involving the use of
two separate keys, in contrast to symmetric encryption, that uses only one key. Anyone
knowing the public key can encrypt messages or verify signatures, but cannot decrypt
messages or create signatures, counter-intuitive though this may seem. The use of
two keys has profound consequences in the areas of confidentiality, key distribution,
and authentication. It works by the clever use of number theory problems that are
easy one way but hard the other. Note that public key schemes are neither more nor
less secure than private key (security depends on the key size for both), nor do they
replace private key schemes (they are too slow to do so), rather they complement them.
Both also have issues with key distribution, requiring the use of some suitable protocol.
The concept of public-key cryptography evolved from an attempt to attack two of
the most difficult problems associated with symmetric encryption: key distribution and
digital signatures. The first problem is that of key distribution, which under symmetric
encryption requires either (1) that two communicants already share a key, which
somehow has been distributed to them; or (2) the use of a key distribution center. This
seemed to negate the very essence of cryptography: the ability to maintain total secrecy
over your own communication. The second was that of "digital signatures." If the use
of cryptography was to become widespread, not just in military situations but for
commercial and private purposes, then electronic messages and documents would need
the equivalent of signatures used in paper documents.
The idea of public key schemes, and the first practical scheme, which was for key
distribution only, was published in 1976 by Diffie & Hellman. The concept had been
previously described in a classified report in 1970 by James Ellis (UK CESG) - and
subsequently declassified [ELLI99]. It is interesting to note that they discovered RSA
first, then Diffie-Hellman, opposite to the order of public discovery! There is also a
claim that the NSA knew of the concept in the mid-60s [SIMM93].
Asymmetric algorithms rely on one key for encryption and a different but related key
for decryption. These algorithms have the following important characteristic:
• It is computationally infeasible to determine the decryption key given only
knowledge of the cryptographic algorithm and the encryption key.
In addition, some algorithms, such as RSA, also exhibit the following characteristic:
• Either of the two related keys can be used for encryption, with the other used for
decryption. Anyone knowing the public key can encrypt messages or verify signatures,
but cannot decrypt messages or create signatures, thanks to some clever use of
number theory.

The figure “Public-Key Cryptography” shows that a public-key encryption scheme has six ingredients:
• Plaintext: the readable message /data fed into the algorithm as input.
• Encryption algorithm: performs various transformations on the plaintext.
• Public and private keys: a pair of keys selected so that if one is used for encryption, the
other is used for decryption. The exact transformations performed by the algorithm
depend on the public or private key that is provided as input.
• Ciphertext: the scrambled message produced as output. It depends on the plaintext and
the key. For a given message, two different keys will produce two different ciphertexts.
• Decryption algorithm: accepts the ciphertext and matching key and produces the
original plaintext.
Consider the following analogy using padlocked boxes: traditional schemes involve the
sender putting a message in a box and locking it, sending that to the receiver, and
somehow securely also sending them the key to unlock the box. The radical advance in
public key schemes was to turn this around, the receiver sends an unlocked box (their
public key) to the sender, who puts the message in the box and locks it (easy - and
having locked it cannot get at the message), and sends the locked box to the receiver
who can unlock it (also easy), having the (private) key. An attacker would have to pick
the lock on the box (hard).

Symmetric vs Public-Key

The figure “Public-Key Cryptosystems: Secrecy and Authentication” illustrates the essential
elements of a public-key encryption scheme. Note that public-key schemes can be used for either
secrecy or authentication, or both (as shown here). There is some source A that produces a
message in plaintext X. The M elements of X are letters in some finite alphabet. The message is
intended for destination B. B generates a related pair of keys: a public key, PUb, and a private
key, PRb. PRb is known only to B, whereas PUb is publicly available and therefore accessible by
A. With the message X and the encryption key PUb as input, A forms the ciphertext Y = E(PUb, X).
The intended receiver, in possession of the matching private key, is able to invert the
transformation: X = D(PRb, Y). An adversary, observing Y and having access to PUb, but not having
access to PRb or X, must attempt to recover X and/or PRb. This provides confidentiality.
Public-key encryption can also be used to provide authentication: Y = E(PRa, X); X = D(PUa, Y).
To provide both the authentication function and confidentiality, the public-key scheme is used
twice (as shown here): Z = E(PUb, E(PRa, X)); X = D(PUa, D(PRb, Z)). In this case, separate key
pairs are used for each of these purposes. The receiver owns and creates secrecy keys; the sender
owns and creates authentication keys.

In practice this is typically not done, because of the computational cost of public-key
schemes. Rather, a session key is encrypted and then used with a block cipher to encrypt the
actual message, and a hash of the message is separately signed as a digital signature.

Security of Public Key Schemes
Public key schemes are no more or less secure than private key schemes - in both cases
the size of the key determines the security. As with symmetric encryption, a public-key
encryption scheme is vulnerable to a brute-force attack. The countermeasure is the same:
Use large keys. However, there is a tradeoff to be considered. Public-key systems
depend on the use of some sort of invertible mathematical function. The complexity of
calculating these functions may not scale linearly with the number of bits in the key but
grow more rapidly than that. Thus, the key size must be large enough to make brute-force
attack impractical but small enough for practical encryption and decryption. In practice,
the key sizes that have been proposed do make brute-force attack impractical but
result in encryption/decryption speeds that are too slow for general-purpose use. Instead,
as was mentioned earlier, public-key encryption is currently confined to key management
and signature applications. Another form of attack is to find some way to compute the
private key given the public key. To date, it has not been mathematically proven that
this form of attack is infeasible for a particular public-key algorithm.
Note also that you can't directly compare key sizes: a 64-bit private key scheme has very roughly
similar security to a 512-bit RSA key; both could be broken given sufficient resources. But with
public key schemes at least there is usually a firmer theoretical basis for determining the
security, since it is based on well-known and well-studied number theory problems.

3.2 RSA Algorithm:
RSA is the best known, and by far the most widely used general public key
encryption algorithm, and was first published by Rivest, Shamir & Adleman of MIT in
1978 [RIVE78]. The Rivest-Shamir-Adleman (RSA) scheme has since that time
reigned supreme as the most widely accepted and implemented general-purpose
approach to public-key encryption. It is based on exponentiation in a finite (Galois)
field over integers modulo a prime, using large integers (eg. 1024 bits). Its security is
due to the cost of factoring large numbers.
 Introduced by Rivest, Shamir & Adleman of MIT in 1977
 Most widely used public-key scheme
 It is a block cipher in which plaintext and ciphertext are integers between 0 and n-1 for some n.
 Typical size of n is 1024 bits
 RSA makes use of expressions with exponentials
 Security due to cost of factoring large numbers
 Factorization takes O(e^(log n log log n)) operations (hard)

RSA algorithm:
The ingredients of the RSA algorithm are as follows:
1. p, q, two prime numbers (private, chosen)
2. n = pq (public, calculated)
3. e, with gcd(e, ø(n)) = 1, where 1 < e < ø(n) (public, chosen)
4. d ≡ e^-1 mod ø(n) (private, calculated)


RSA Key generation:
Each user generates a public/private key pair by:
1. Select p, q: p and q are prime numbers, p ≠ q
2. Calculate n = p * q
3. Calculate ø(n) = (p-1)(q-1)
4. Select integer e with gcd(e, ø(n)) = 1, where 1 < e < ø(n)
5. Calculate d ≡ e^-1 mod ø(n)
6. Public key: KU = {e, n}
7. Private key: KR = {d, n}

RSA Encryption and decryption:
 Encryption: Plaintext: M < n; Ciphertext: C = M^e mod n
 Decryption: Ciphertext: C; Plaintext: M = C^d mod n

RSA example:
1. Select primes: p=17 & q=11
2. Compute n = pq = 17×11 = 187
3. Compute ø(n) = (p–1)(q–1) = 16×10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: d ≡ e^-1 mod ø(n), so d ≡ 7^-1 mod 160 = 23 (using EEA)
6. Publish public key KU={7,187}
7. Private key KR={23,187}
 Given message M = 88
 Encryption: C = 88^7 mod 187 = 11
 Decryption: M = 11^23 mod 187 = 88

Computational aspects of RSA:

 Consider two issues in RSA:
o Encryption and decryption
o Key generation

Encryption and decryption:
 Both encryption and decryption in RSA involve raising an integer to an integer
power mod n (exponentiation)
 Another consideration is the efficiency of exponentiation
 RSA makes use of large exponents, and a fast modular exponentiation algorithm is
used to compute a^b mod n.
 Variable c is not needed. It is included for explanatory purposes. The value of c is
the value of the exponent.

Key generation:
 Users of RSA must:
o Determine two primes at random: p, q
o Select either e or d and compute the other
 Primes p, q must not be easily derived from the modulus n = p·q
o This means they must be sufficiently large
 Exponents e, d are inverses, so use an inverse algorithm to compute the other
(Extended Euclid's algorithm)

RSA security:
 Three approaches to attacking RSA:
o Brute force key search (trying all possible private keys)
o Mathematical attacks (factoring the product of two primes)
o Timing attacks (depend on the running time of the decryption algorithm)
 Factoring problem:
o Factor n into its two prime factors p and q. Calculate ø(n) and find d
o Determine ø(n) directly and compute d
o Determine d directly, without first determining ø(n)
 Have seen slow improvements over the years
o As of Aug 1999 the best is 512 bits with GNFS
 Biggest improvement comes from improved algorithms
o “quadratic sieve” to “generalized number field sieve”
 Ensure p, q are of similar size and match other constraints
 The threat to larger key sizes is twofold: the continuous increase in
computing power and the continuing refinement of factoring algorithms.
Timing attack:
 Attacker can determine a private key by keeping track of how long a computer
takes to decipher the message.
o Attack may be from completely unexpected direction
o And it may be a ciphertext only attack
 Exploit timing variations in operations using fast modular exponentiation algorithm
o Eg. Multiplying by small vs large number
 If the observed time to execute the decryption algorithm is consistently slow when a
particular iteration would be slow for an exponent bit of 1, then that bit is assumed to be 1.
 If the observed time for the entire algorithm is fast, then this bit is assumed to be 0.
 Countermeasures:
o Constant exponentiation time: ensure that all exponentiations take the
same amount of time before returning a result.
o Random delay: better performance can be achieved by adding a random
delay to the exponentiation algorithm to confuse the timing attack.
o Blinding: multiply the ciphertext by a random number before
performing exponentiation. This process prevents the attacker from
knowing what ciphertext bits are being processed inside the computer
and therefore prevents the bit-by-bit analysis essential to the timing
attack.
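The key generation, encryption and decryption steps above, together with the blinding countermeasure from the timing-attack discussion, as an added Python example that is not part of the lecture notes; it uses the notes' parameters p=17, q=11, e=7 and M=88, and the function names are this example's own.

```python
# Added example (not from the lecture notes): RSA key generation with the
# extended Euclidean algorithm, square-and-multiply exponentiation, and
# blinded decryption as a timing-attack countermeasure.
import secrets
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


def modexp(base: int, exp: int, mod: int) -> int:
    """Left-to-right square-and-multiply. The data-dependent branch on each
    exponent bit is exactly what a timing attack tries to observe."""
    result = 1
    base %= mod
    for bit in bin(exp)[2:]:
        result = (result * result) % mod          # square on every iteration
        if bit == "1":
            result = (result * base) % mod        # multiply only for 1-bits
    return result


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-7 of the notes' key generation (p, q assumed prime).
    Returns ((e, n), (d, n), phi)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)
    return (e, n), (d, n), phi


def rsa_encrypt(pub, m: int) -> int:
    """C = M^e mod n; the plaintext block must satisfy 0 <= M < n."""
    e, n = pub
    if not (0 <= m < n):
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return modexp(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    """M = C^d mod n (unprotected: exponent bits leak through timing)."""
    d, n = priv
    return modexp(c, d, n)


def rsa_decrypt_blinded(priv, pub, c: int) -> int:
    """Blinding countermeasure from the notes: exponentiate r^e * C instead of C,
    so the operations no longer depend on the attacker-chosen ciphertext,
    then strip the blinding factor with r^-1 (valid since (r^e * C)^d = r * M)."""
    d, n = priv
    e, _ = pub
    while True:
        r = secrets.randbelow(n - 2) + 2          # random 2 <= r < n
        if gcd(r, n) == 1:
            break
    blinded = (c * modexp(r, e, n)) % n
    m_blinded = modexp(blinded, d, n)             # = r * M mod n
    return (m_blinded * modinv(r, n)) % n


if __name__ == "__main__":
    pub, priv, phi = rsa_keygen(17, 11, 7)        # the notes' worked example
    print("n =", pub[1], "phi(n) =", phi, "d =", priv[0])   # 187 160 23
    c = rsa_encrypt(pub, 88)
    print("C =", c)                                # 11
    print("M =", rsa_decrypt(priv, c))             # 88
    print("M (blinded) =", rsa_decrypt_blinded(priv, pub, c))  # 88
```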

3.3 Key management - Diffie Hellman Key exchange


The first published public-key algorithm appeared in the seminal paper by Diffie and Hellman
that defined public-key cryptography and is generally referred to as Diffie-Hellman key
exchange. The concept had been previously described in a classified report in 1970 by
Williamson and subsequently declassified in 1987. The purpose of the algorithm is to enable
two users to securely exchange a key that can then be used for subsequent encryption of
messages. The algorithm itself is limited to the exchange of secret values. A number of
commercial products employ this key exchange technique.
The secret values exchanged depend on the public/private keys of the participants. The
Diffie-Hellman algorithm uses exponentiation in a finite field and depends for its effectiveness on
the difficulty of computing discrete logarithms.

In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a
prime number q and an integer a that is a primitive root of q. The prime q and primitive root a
can be common to all using some instance of the D-H scheme. Note that the primitive root a is a
number whose powers successively generate all the elements mod q. Users Alice and Bob
choose random secrets x's, and then "protect" them using exponentiation to create their public
y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need
to solve the discrete logarithm problem, which is hard.
The actual key exchange for either party consists of raising the other's public key to the
power of their private key. The resulting number (or as much of it as is necessary) is used as the
key for a block cipher or other private key scheme. For an attacker to obtain the same value
they need at least one of the secret numbers, which means solving a discrete log, which is
computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently
communicate, they will have the same key as before, unless they choose new public keys.

The simplest, and original, implementation of the protocol uses the multiplicative group
of integers modulo p, where p is prime and g is a primitive root mod p. Here is an
example of the protocol, with non-secret values and secret values:

1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer a=6, then sends Bob A = g^a mod p
o A = 5^6 mod 23
o A = 15,625 mod 23
o A = 8
3. Bob chooses a secret integer b=15, then sends Alice B = g^b mod p
o B = 5^15 mod 23
o B = 30,517,578,125 mod 23
o B = 19
4. Alice computes s = B^a mod p
o s = 19^6 mod 23
o s = 47,045,881 mod 23
o s = 2
5. Bob computes s = A^b mod p
o s = 8^15 mod 23
o s = 35,184,372,088,832 mod 23
o s = 2
6. Alice and Bob now share a secret: s = 2. This is because 6*15 is the same as
15*6. So somebody who had known both these private integers might also have
calculated s as follows:
o s = 5^(6*15) mod 23
o s = 5^(15*6) mod 23
o s = 5^90 mod 23
o s = 807,793,566,946,316,088,741,610,050,849,573,099,185,363,389,551,639,556,884,765,625 mod 23
o s = 2

Both Alice and Bob have arrived at the same value, because (g^a)^b and (g^b)^a are equal
mod p. Note that only a, b and g^(ab) = g^(ba) mod p are kept secret. All the other values – p,
g, g^a mod p, and g^b mod p – are sent in the clear. Once Alice and Bob compute the
shared secret they can use it as an encryption key, known only to them, for sending
messages across the same open communications channel. Of course, much larger
values of a, b, and p would be needed to make this example secure, since it is easy to try
all the possible values of g^(ab) mod 23. There are only 23 possible integers as the result of
mod 23. If p were a prime of at least 300 digits, and a and b were at least 100 digits long,
then even the best algorithms known today could not find a given only g, p, g^b mod p and
g^a mod p, even using all of mankind's computing power. The problem is known as the
discrete logarithm problem. Note that g need not be large at all, and in practice is usually
either 2 or 5.

Here's a more general description of the protocol:

1. Alice and Bob agree on a finite cyclic group G and a generating element g in G.
(This is usually done long before the rest of the protocol; g is assumed to be
known by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g^a to Bob.
3. Bob picks a random natural number b and sends g^b to Alice.
4. Alice computes (g^b)^a.
5. Bob computes (g^a)^b.

Both Alice and Bob are now in possession of the group element g^(ab), which can serve
as the shared secret key. The values of (g^b)^a and (g^a)^b are the same because groups
are power associative.
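The exchange above, as an added Python example that is not from the lecture notes: it runs the protocol with the notes' toy values p=23, g=5, a=6, b=15, checks that 5 is a primitive root mod 23, and recovers a by the exhaustive discrete-log search that the notes call easy for mod 23 and infeasible for 300-digit p; the function names are this example's own.

```python
# Added example (not from the lecture notes): Diffie-Hellman over the
# multiplicative group mod p, with a primitive-root check for g and a
# brute-force discrete-log search that shows why small parameters are insecure.
import secrets


def is_primitive_root(g: int, p: int) -> bool:
    """True if g^1 .. g^(p-1) mod p generate every nonzero residue, i.e. g is a
    primitive root of p. Trial version, fine for a toy p like 23."""
    seen = set()
    x = 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1


def dh_public(g: int, p: int, secret: int) -> int:
    """A = g^a mod p (or B = g^b mod p) by fast modular exponentiation."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """s = (peer's public value)^(own secret) mod p."""
    return pow(peer_public, secret, p)


def dh_exchange(g: int, p: int, a: int, b: int):
    """Run the protocol as both parties and return (A, B, s), checking that the
    two sides agree, i.e. (g^a)^b == (g^b)^a mod p."""
    A = dh_public(g, p, a)
    B = dh_public(g, p, b)
    s_alice = dh_shared(B, a, p)
    s_bob = dh_shared(A, b, p)
    if s_alice != s_bob:
        raise RuntimeError("protocol error: shared secrets differ")
    return A, B, s_alice


def brute_force_dlog(g: int, p: int, target: int):
    """Exhaustive search for x with g^x == target mod p, or None. This is the
    attack the notes describe: trivial for p = 23, infeasible for large p."""
    x = 1
    for exp in range(1, p):
        x = (x * g) % p
        if x == target:
            return exp
    return None


def random_secret(p: int) -> int:
    """Fresh private exponent in [2, p-2]; a new secret per session gives a new key."""
    return secrets.randbelow(p - 3) + 2


if __name__ == "__main__":
    p, g = 23, 5                                  # the notes' toy parameters
    print("5 is a primitive root mod 23:", is_primitive_root(g, p))   # True
    A, B, s = dh_exchange(g, p, a=6, b=15)
    print("A =", A, "B =", B, "s =", s)           # 8 19 2
    print("attacker recovers a =", brute_force_dlog(g, p, A))   # 6
```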

3.5 Elliptic curve arithmetic-Elliptic curve cryptography:


A major issue with the use of Public-Key Cryptography, is the size of numbers used, and
hence keys being stored. Recently, an alternate approach has emerged, elliptic curve
cryptography (ECC), which performs the computations using elliptic curve arithmetic instead
of integer or polynomial arithmetic. Already, ECC is showing up in standardization efforts,
including the IEEE P1363 Standard for Public-Key Cryptography. The principal attraction of
ECC, compared to RSA, is that it appears to offer equal security for a far smaller key size,
thereby reducing processing overhead. Although the theory of ECC has been around for
some time, it is only recently that products have begun to appear and that there has been
sustained cryptanalytic interest in probing for weaknesses. Accordingly, the confidence
level in ECC is not yet as high as that in RSA.
An elliptic curve is defined by an equation in two variables, with coefficients. For
cryptography, the variables and coefficients are restricted to elements in a finite field, which
results in the definition of a finite abelian group. Before looking at this, we first look at
elliptic curves in which the variables and coefficients are real numbers. This case is
perhaps easier to visualize.
Elliptic curves are not ellipses. They are so named because they are described by cubic
equations, similar to those used for calculating the circumference of an ellipse. For our
purpose, we can consider cubic equations for elliptic curves of the form shown here. Also
included in the definition of an elliptic curve is a single element denoted O and called the

point at infinity or the zero point. Now, consider the set of points E(a, b) consisting of all of
the points (x, y) that satisfy this equation together with the element O. Using a different
value of the pair (a, b) results in a different set E(a, b). See the text for detailed rules of
addition and the relation to the zero point O. One can derive an algebraic interpretation of
addition, based on computing the gradient of the tangent and then solving for the intersection
with the curve. There is also an algebraic description of addition over elliptic curves.

The figure “Example of Elliptic Curves” illustrates the geometric interpretation of elliptic curve
addition, as follows: If three points on an elliptic curve lie on a straight line, their sum is O.
Hence addition is defined as:
1. O serves as the additive identity. Thus O = –O; for any point P on the elliptic curve, P +
O = P. In what follows, we assume P ≠ O and Q ≠ O.
2. The negative of a point P is the point with the same x coordinate but the negative of
the y coordinate; that is, if P = (x, y), then –P = (x, –y). These two points can be joined
by a vertical line, and P + (–P) = P – P = O.
3. To add two points P and Q with different x coordinates, draw a straight line between
them and find the third point of intersection R. There is a unique point R that is the point
of intersection (unless the line is tangent to the curve at either P or Q, in which case we
take R = P or R = Q, respectively). To form a group structure, we need to define addition
on these three points as follows: P + Q = –R, i.e. P + Q is the mirror image (with
respect to the x axis) of the third point of intersection, as shown on the slide.
4. The geometric interpretation of the preceding item also applies to two points, P and –P,
with the same x coordinate. The points are joined by a vertical line, which can be
viewed as also intersecting the curve at the infinity point. We therefore have P + (–P)
= O, consistent with item (2).
5. To double a point Q, draw the tangent line and find the other point of intersection S. Then
Q + Q = 2Q = –S.

With the preceding list of rules, it can be shown that the set E(a, b) is an abelian group.

Elliptic Curve Cryptography uses addition as an analog of modular multiplication, and
repeated addition as an analog of modular exponentiation. The “hard” problem is the elliptic
curve logarithm problem.
Consider the group E23(9, 17). This is the group defined by the equation y^2 mod 23 = (x^3 + 9x +
17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? The brute-force
method is to compute multiples of P until Q is found. Thus P = (16, 5); 2P = (20, 20); 3P = (14,
14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P = (8, 7); 8P = (12, 17); 9P = (4, 5). Because
9P = (4, 5) = Q, the discrete logarithm of Q = (4, 5) to the base P = (16, 5) is k = 9. In a real
application, k would be so large as to make the brute-force approach infeasible.

ECC Diffie-Hellman

 can do key exchange analogous to D-H
 users select a suitable curve Eq(a,b)
 select base point G=(x1,y1)
 with large order n s.t. nG=O
 A & B select private keys nA<n, nB<n
 compute public keys: PA=nA·G, PB=nB·G
 compute shared key: K=nA·PB, K=nB·PA
 same since K=nA·nB·G
 attacker would need to find k, hard
Here is the elliptic curve analog of Diffie-Hellman key exchange, which is a close analogy given
that elliptic curve multiplication equates to modular exponentiation. Key exchange using elliptic
curves can be done in the following manner. First pick a large integer q, which is either a prime
number p or an integer of the form 2^m, and elliptic curve parameters a and b. This defines the
elliptic group of points Eq(a, b). Next, pick a base point G = (x1, y1) in Eq(a, b) whose order is a
very large value n. The order n of a point G on an elliptic curve is the smallest positive integer n
such that nG = O. So Eq(a, b) and G are parameters of the cryptosystem known to all
participants. A key exchange between users A and B can then be accomplished as shown. To
break this scheme, an attacker would need to be able to compute k given G and kG, which is
assumed hard.

ECC Encryption/Decryption

 several alternatives, will consider simplest
 must first encode any message M as a point on the elliptic curve Pm
 select suitable curve & point G as in D-H
 each user chooses private key nA<n
 and computes public key PA=nA·G
 to encrypt Pm: Cm={kG, Pm+k·PB}, k random
 to decrypt Cm compute:
Pm+k·PB–nB(kG) = Pm+k(nB·G)–nB(kG) = Pm
Several approaches to encryption/decryption using elliptic curves have been analyzed in the
literature. This one is an analog of the ElGamal public-key encryption algorithm. The sender
must first encode any message M as a point on the elliptic curve Pm (there are relatively
straightforward techniques for this). Note that the ciphertext is a pair of points on the elliptic
curve. The sender masks the message using random k, but also sends along a “clue” allowing
the receiver who knows the private key to recover k and hence the message. For an attacker to
recover the message, the attacker would have to compute k given G and kG, which is assumed
hard.
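The group law, the E23(9, 17) logarithm example, ECC Diffie-Hellman and the ElGamal-style encryption above, as one added Python example that is not from the lecture notes; the curve and the points P=(16,5), Q=(4,5) are the notes', while G=P, nA=4, nB=7, k=5 and Pm=3P are constructed toy values and the names are this example's own.

```python
# Added example (not from the lecture notes): arithmetic on E_p(a, b):
# y^2 = x^3 + ax + b mod p, the brute-force elliptic-curve logarithm, ECC
# Diffie-Hellman and ElGamal-style encryption Cm = {kG, Pm + k*PB}.
# The point at infinity O is represented as None.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]


class Curve:
    def __init__(self, a: int, b: int, p: int):
        self.a, self.b, self.p = a, b, p
        if (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """-P = (x, -y); -O = O."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Group law from the notes' rules 1-5: identity, inverse, chord, tangent."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                          # P + (-P) = O (also doubling with y = 0)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)               # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p     # mirror image of the third intersection
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add, the analog of fast modular exponentiation."""
        R, Q = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def brute_force_log(self, P: Point, Q: Point, limit: int):
        """Smallest k <= limit with k*P == Q, or None: the attack that is
        feasible only because this toy k is tiny."""
        R = None
        for k in range(1, limit + 1):
            R = self.add(R, P)
            if R == Q:
                return k
        return None


def ecdh_shared(curve: Curve, G: Point, n_a: int, n_b: int):
    """Both sides compute K = nA*PB = nB*PA = nA*nB*G; returns (PA, PB, K)."""
    PA, PB = curve.mul(n_a, G), curve.mul(n_b, G)
    K_a, K_b = curve.mul(n_a, PB), curve.mul(n_b, PA)
    if K_a != K_b:
        raise RuntimeError("protocol error: shared keys differ")
    return PA, PB, K_a


def ec_encrypt(curve: Curve, G: Point, PB: Point, Pm: Point, k: int):
    """Cm = {kG, Pm + k*PB}; k must be fresh and random for every message."""
    return curve.mul(k, G), curve.add(Pm, curve.mul(k, PB))


def ec_decrypt(curve: Curve, n_b: int, Cm):
    """Pm = (Pm + k*PB) - nB*(kG), since k*PB = k*nB*G = nB*(kG)."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(n_b, C1)))


if __name__ == "__main__":
    E = Curve(9, 17, 23)                         # E23(9, 17) from the notes
    P, Q = (16, 5), (4, 5)
    print("2P =", E.add(P, P), " 9P =", E.mul(9, P))      # (20, 20) (4, 5)
    print("log_P(Q) =", E.brute_force_log(P, Q, 100))    # 9
    # Constructed toy parameters: G = P, nA = 4, nB = 7, k = 5, Pm = 3P.
    PA, PB, K = ecdh_shared(E, P, 4, 7)
    Pm = E.mul(3, P)                             # (14, 14) stands in for message M
    Cm = ec_encrypt(E, P, PB, Pm, 5)
    print("shared K =", K, " recovered Pm =", ec_decrypt(E, 7, Cm))   # (19, 3) (14, 14)
```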

ECC Security
The security of ECC depends on how difficult it is to determine k given kP and P. This is
referred to as the elliptic curve logarithm problem. The fastest known technique for taking the
elliptic curve logarithm is known as the Pollard rho method. Compared to factoring integers or
polynomials, one can use much smaller numbers for equivalent levels of security.
 relies on elliptic curve logarithm problem
 fastest method is “Pollard rho method”
 compared to factoring, can use much smaller key sizes than with RSA etc
 for equivalent key lengths computations are roughly equivalent
 hence for similar security ECC offers significant computational advantages

PART A
1. Give the applications of the public key crypto systems.
2. Explain any one attacking technique in RSA.
3. Discover the Difference between public key and conventional encryption.
4. Illustrate the purpose of Diffie Hellman key exchange.
5. Define the principle elements of a public key crypto system
6. List four general characteristics of schema for the distribution of the public key.
7. Show what requirements a public key cryptosystem must fulfil to be secure.
8. Evaluate the formula for encryption and decryption using RSA algorithm
9. Generalize elliptic curve cryptography.
10. Define avalanche effect.
11. Differentiate unconditionally secured and computationally secured
12. What are the design parameters of Feistel cipher network?
13. Give the five modes of operation of Block cipher.
14. State advantages of counter mode.
15. Specify the basic task for defining a security service
16. What is the difference between link and end to end encryption?
17. List the evaluation criteria defined by NIST for AES?
18. List the schemes for the distribution of public keys
19. List out the attacks to RSA.

Part B & C
1. Evaluate using Diffie-Hellman key exchange technique. Users A and B use a common prime q=11
and a primitive root alpha=7.
(i) If user A has private key XA=3.What is A’s public key YA?
(ii)If user B has private key XB=6. What is B’s public key YB?
(iii) What is the shared secret key? Also write the algorithm.
2. Describe RSA Algorithm.
3. Estimate the encryption and decryption values for the RSA algorithm parameters. P=7, Q=11, E=17,
M=8.
4. Summarize the role of discrete log in the Diffie-Hellman key exchange in exchanging the secret key
among two users.
5. What are elliptic curves? Describe how the elliptic curves are useful for Cryptography?
6. Describe the key management of public key encryption in detail.
7. Apply the mathematical foundations of RSA algorithm. Perform encryption decryption for the following
data. P=17, q=7, e=5, n=119, message=”6”. Use Extended Euclid’s algorithm to find the private key.
8. Explain briefly about Diffie-Hellman key exchange algorithm with its pros and cons.
9. Explain public key cryptography and when is it preferred.
10. (i) Users A and B use Diffie-Hellman key exchange with a common prime q=71 and a primitive root
a=7. Calculate the following. If user A has private key XA=5, what is A’s public key YA? If user B has
private key XB=12, what is B’s public key YB, and what is the shared secret key?
11. Consider the elliptic curve E11(1, 6); that is, the curve defined by y^2 = x^3 + x + 6 with a modulus of
p=11. Calculate all the points in E11(1, 6). Start by calculating the right-hand side of the
equation for all the values of x.

UNIT IV : MESSAGE AUTHENTICATION
Authentication requirements – Authentication functions – Message
Authentication Codes (MAC) – Hash functions – Security of hash functions and
MACs.

Authentication requirements

One of the most fascinating and complex areas of cryptography is that of message
authentication and the related area of digital signatures. We now consider how to protect
message integrity (i.e. protection from modification), as well as confirming the identity of the
sender. Generically this is the problem of message authentication, and in eCommerce
applications it is arguably more important than secrecy. Message authentication is concerned
with: protecting the integrity of a message, validating the identity of the originator, and
non-repudiation of origin (dispute resolution). There are three types of functions that may be
used to produce an authenticator: a hash function, message encryption, and a message
authentication code (MAC); hash functions, and how they may serve for message authentication,
are covered later. In the context of communications across a network, the attacks listed above
can be identified, with more detail given in the text. The first two requirements (Disclosure:
release of message contents; and Traffic analysis: discovery of the pattern of traffic between
parties) belong in the realm of message confidentiality, and are handled using the encryption
techniques already discussed. Measures to deal with items 3 through 6 (Masquerade: insertion
of messages into the network from a fraudulent source; Content modification: modification of
the contents of a message; Sequence modification: modification to a sequence of messages
between parties; and Timing modification: delay or replay of messages) are generally regarded
as message authentication. Mechanisms for dealing specifically with item 7 (Source repudiation:
denial of transmission of a message by the source) come under the heading of digital signatures.
Generally, a digital signature technique will also counter some or all of the attacks listed under
items 3 through 6. Dealing with item 8 (Destination repudiation: denial of receipt of a message
by the destination) may require a combination of the use of digital signatures and a protocol
designed to counter this attack.

Symmetric Message Encryption

Message encryption by itself can provide a measure of authentication. The analysis differs for
symmetric and public-key encryption schemes. If symmetric encryption is used and no other
party knows the key, then confidentiality is provided. As well, symmetric encryption provides
authentication as well as confidentiality, since only the other party can have encrypted a
properly constructed message (Stallings Figure 12.1a). Here, the ciphertext of the entire
message serves as its authenticator, on the basis that only those who know the appropriate
keys could have validly encrypted the message. This is provided you can recognize a valid
message (i.e. if the message has suitable structure such as redundancy or a checksum to detect
any changes).

Public-Key Message Encryption

With public-key techniques, one can use a digital signature, which can only have been created by the key owner, to validate the integrity of the message contents. To provide both confidentiality and authentication, A can encrypt M first using its private key, which provides the digital signature, and then using B's public key, which provides confidentiality. The disadvantage of this approach is that the public-key algorithm, which is complex, must be exercised four times rather than two in each communication.

Message Authentication and Hash Functions

* It helps to establish trust by identifying a particular user or a system.

Message authentication is a procedure to verify that received messages come from the alleged source and have not been altered. Sequencing and timeliness may also be authenticated. Authentication mechanisms:

• Password
• Smart cards
• Biometrics
• Certification

Authentication Requirements

* In the context of communication across a network the following attacks can be identified:

1. Disclosure: release of message contents to any person not possessing the appropriate cryptographic key.
2. Traffic analysis: discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections are determined. In either a connectionless or a connection-oriented environment, the number and length of messages between parties could be determined.
3. Masquerade:
• insertion of messages into the network from a fraudulent source
• fraudulent acknowledgement of message receipt
4. Content modification:
• insertion, deletion, transposition, modification
5. Sequence modification:
• modification to a sequence of messages between parties, i.e. reordering
6. Timing modification:
• delay or replay of messages
7. Repudiation

• Measures against attacks 1 and 2 involve achieving confidentiality.
• Measures against attacks 3, 4, 5 and 6 are generally regarded as message authentication.
• Mechanisms dealing specifically with attack 7 use digital signatures.
Authentication Functions

There are three types of functions used to produce the authenticator:

1. Message encryption: the ciphertext of the whole message is the authenticator.
2. Message authentication code (MAC): a public function and a secret key produce a fixed-length value that is the authenticator.
3. Hash function: a public function that maps the message into a fixed-length hash value serving as the authenticator.

• MACs and hash functions can be applied to messages of any length.
Authentication functions – MACs

Using a MAC involves the use of a secret key to generate a small fixed-size block of data, a cryptographic checksum.

Communicating parties A and B share a secret key K. The MAC is calculated as MAC = C_K(M). The algorithm C is public.

Note that a MAC does not provide a digital signature because both the sender and receiver have the same secret key.

Authentication functions — hash functions

A one-way hash function is a variation on the MAC. A secret key is not used.

A hash function accepts a variable-size message M as input and produces a fixed-size hash code H(M) as output. H(M) is often called a message digest.

A hash code is a function of all the bits of the message, thus providing an error detection capability.

* The hash function itself is not secret; some means is required to protect the hash value.

* The hash function can be used in a variety of ways to provide message authentication.

A hash value is generated by a one-way function H of the form

h = H(M), where M is the variable-length message.

Hash functions are in general very complex. Thus we examine simple functions to get a feel for the issues involved.
Requirements for a hash function

1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is easy to compute for any given x, making hardware and software implementations practical.
4. One-way property: for any given code h, it is computationally infeasible to find x such that h = H(x).
5. Weak collision resistance: for any given block x, it is computationally infeasible to find a block y ≠ x such that H(y) = H(x).
6. Strong collision resistance: it is computationally infeasible to find a pair (x, y) such that H(x) = H(y).

• The first three properties are needed for practical use of the hash function.
• The fourth property is needed if the authentication technique involves the use of a secret value S. If H were not one-way, the opponent could learn S from S||M = H^{-1}(C) after obtaining C = H(S||M).
• The weak collision property guarantees that an alternative message yielding the same code cannot be found. This prevents forgery when an encrypted hash code is used. The strong collision property refers to how resistant the hash function is to a class of attacks known as the birthday attack.

Security of MACs and Hash Functions

Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.

A brute-force attack on a MAC is a more difficult undertaking than a brute-force attack on a hash function because it requires known message-tag pairs. The strength of a hash function against brute-force attacks depends solely on the length m of the hash code produced by the algorithm, with cost O(2^(m/2)) (the birthday bound). A brute-force attack on a MAC has cost related to min(2^k, 2^n), where k is the key length and n the MAC length, similar to symmetric encryption algorithms. It would appear reasonable to require that the key length and MAC length satisfy a relationship such as min(k, n) >= N, where N is perhaps in the range of 128 bits.

As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search. The way to measure the resistance of a hash or MAC algorithm to cryptanalysis is to compare its strength to the effort required for a brute-force attack. That is, an ideal hash or MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort. There is much more variety in the structure of MACs than in hash functions, so it is difficult to generalize about the cryptanalysis of MACs. Further, far less work has been done on developing such attacks.

In recent years, there has been increased interest in developing a MAC derived from a cryptographic hash function, because such functions generally execute faster in software than symmetric block ciphers, and because code for cryptographic hash functions is widely available. A hash function such as SHA was not designed for use as a MAC and cannot be used directly for that purpose because it does not rely on a secret key. There have been a number of proposals for the incorporation of a secret key into an existing hash algorithm, originally by just prepending a key to the message. Problems were found with these earlier, simpler proposals, but they resulted in the development of HMAC.

Part - A

1. What do you mean by the one-way property of a hash function?
2. Define: replay attack.
3. What is meant by a hash function?
4. Differentiate MAC and hash function.
5. Write any three hash algorithms.
6. What is message authentication?
7. What is meant by a Message Authentication Code?
8. Specify the techniques for distribution of public keys.
9. Specify the requirements for message authentication.
10. List the requirements of hash functions.
11. State any three requirements for authentication.
12. What is the role of the compression function in a hash function?
13. Define the classes of message authentication functions.
14. List the message authentication requirements.
15. How is the security of a MAC function expressed?

Part – B & C
1. Where are hash functions used? What characteristics are needed in a secure hash function?
2. Write about the security of hash functions and MACs.
3. Discuss the classification of authentication functions in detail.
4. How is a hash function algorithm designed? Explain their features and properties.
5. Explain in detail message authentication codes and their requirements.
6. Illustrate the security of hash functions and MACs.
7. Explain the different approaches to message authentication.
8. Describe the classes of message authentication functions.
9. Briefly explain authentication applications with a suitable example.
10. Enumerate the properties of hash functions.
11. Evaluate the authentication protocol and list its limitations.

UNIT V: HASH AND DIGITAL SIGNATURES 9

MD5 Message Digest Algorithm – Secure Hash Algorithm (SHA) – RIPEMD-160 – HMAC – Digital Signatures – Authentication Protocols – Digital Signature Standard (DSS).

MD5 Message Digest Algorithm:

• The MD5 message digest algorithm was developed by Ron Rivest.

MD5 logic:

• The algorithm takes a variable-length input and produces a 128-bit message digest.
• The input is processed in 512-bit blocks.

Processing of MD5 consists of the following steps:

Step 1: Append padding bits:
1. The message is padded so that its length in bits is congruent to 448 mod 512, i.e. length mod 512 = 448.
2. Padding is always added, even if the message is already of the desired length.
3. For example, if the message is 448 bits long, it is padded by 512 bits to a length of 960 bits.
4. Thus the number of padding bits is in the range 1 to 512.
5. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length:

1. A 64-bit representation of the length of the original message (before padding) is appended to the result of step 1.
2. This field contains the length of the original message mod 2^64.

• The outcome of the first 2 steps yields a message that is an integer multiple of 512 bits.
• The expanded message is represented as the sequence of 512-bit blocks Y_0, Y_1, ..., Y_{L-1}, so that the total length of the expanded message is L * 512 bits.
• The result is a multiple of sixteen 32-bit words.

Step 3: Initialize MD buffer:

1. A 128-bit buffer is used to hold intermediate values and the final result of the hash function.
2. The buffer can be represented as four 32-bit registers (A, B, C, D):
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
3. The values are stored in little-endian format, which places the least significant byte of a word in the low-address byte position:
Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10

Step 4: Process message in 512-bit blocks:

1. The heart of the algorithm is a compression function that consists of four rounds of processing of 16 steps each.
2. The four rounds have a similar structure, but each uses a different primitive logical function, referred to as F, G, H and I.
3. Each round takes as input the current 512-bit block being processed (Y_q) and the 128-bit buffer value ABCD, and updates the contents of the buffer.
4. Each round also makes use of one fourth of a 64-element table T[1…64], constructed from the sine function.
5. T[i] has the value equal to the integer part of 2^32 * abs(sin(i)), where i is in radians.
6. The output of the fourth round is added to the input to the first round (CV_q) to produce CV_{q+1}.

Step 5: Output:

1. After all L 512-bit blocks have been processed, the output from the Lth stage is the 128-bit message digest.
2. We can summarize the behavior of MD5 as follows:
CV_0 = IV
CV_{q+1} = SUM32[CV_q, RF_I(Y_q, RF_H(Y_q, RF_G(Y_q, RF_F(Y_q, CV_q))))]
MD = CV_L

Where

IV = initial value of the ABCD buffer
Y_q = qth 512-bit block of the message
L = number of blocks in the message
CV_q = chaining variable processed with the qth block of the message
RF_x = round function using primitive logical function x
MD = final message digest value
SUM32 = addition mod 2^32 performed separately on each word of the pair of inputs

MD5 Compression Function:

• Each round has 16 steps of the form:

a = b + ((a + g(b, c, d) + X[k] + T[i]) <<< s)

Where

a, b, c, d refer to the 4 words of the buffer
g is one of the primitive functions F, G, H, I
<<< s is a circular left shift of the 32-bit argument by s bits
X[k] = M[q*16 + k] is the kth 32-bit word in the qth 512-bit block of the message
T[i] is the ith 32-bit word in table T
+ is addition modulo 2^32

1. One of the four primitive logical functions is used for each of the four rounds of the algorithm.
2. Each primitive function takes three 32-bit words as input and produces a 32-bit word output.
3. Each performs a set of bitwise logical operations.

The logical operators (AND, OR, NOT, XOR) are represented by the symbols ∧, ∨, ' and ⊕.

• Function F: if b then c else d.
• Function G: if d then b else c.
• Function H: produces the parity bit of b, c and d.

1. The array of 32-bit words X[0…15] holds the value of the current 512-bit input block being processed.
2. Within a round, each of the 16 words of X[i] is used exactly once.
3. In the first round, the words are used in their original order. The following permutations are defined for rounds 2 through 4:
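As an added example (not the course notes' own code), here is a compact Python MD5 that follows Steps 1 to 5 above and the per-step form a = b + ((a + g + X[k] + T[i]) <<< s), checked against Python's hashlib. The shift amounts and the X[k] index permutations for rounds 2 to 4 are those of RFC 1321, which the notes refer to but do not reproduce.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# Per-step circular left shift amounts s, sixteen per round (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# T[i] = integer part of 2^32 * |sin(i)|, i = 1..64 in radians (stored 0-based).
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]


def rotl(x, s):
    """<<< s: circular left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


# The four primitive logical functions, one per round.
def F(b, c, d):
    return (b & c) | (~b & d)           # "if b then c else d"


def G(b, c, d):
    return (b & d) | (c & ~d)           # "if d then b else c"


def H(b, c, d):
    return b ^ c ^ d                    # parity of the three words


def I(b, c, d):
    return c ^ (b | (~d & MASK))


def md5_pad(message):
    """Steps 1 and 2: a single 1 bit, 0 bits up to 448 mod 512, then the
    64-bit original length, little-endian for MD5."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", (len(message) * 8) & (2**64 - 1))


def md5(message):
    """Return the MD5 digest of `message` (bytes) as a hex string."""
    # Step 3: initialise the 128-bit buffer ABCD with the IV.
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(message)
    # Step 4: compress each 512-bit block Y_q into the chaining variable.
    for q in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[q:q + 64])  # 16 little-endian words
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            # Round 1 uses X[k] in order; rounds 2-4 use the RFC 1321 permutations.
            if i < 16:
                g, k = F(b, c, d), i
            elif i < 32:
                g, k = G(b, c, d), (5 * i + 1) % 16
            elif i < 48:
                g, k = H(b, c, d), (3 * i + 5) % 16
            else:
                g, k = I(b, c, d), (7 * i) % 16
            # a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then rotate the registers.
            new_b = (b + rotl((a + g + X[k] + T[i]) & MASK, S[i])) & MASK
            a, b, c, d = d, new_b, b, c
        # CV_{q+1} = SUM32(CV_q, output of round 4), word by word mod 2^32.
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    # Step 5: MD = CV_L, emitted as little-endian words.
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_hashlib(message):
    """True when this implementation agrees with the library MD5."""
    return md5(message) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 56, bytes(range(256)) * 3):
        print(len(m), md5(m), matches_hashlib(m))
```

The 56-byte input exercises the "448 bits padded by a full 512 bits" case from Step 1.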

STRENGTH OF MD5

• The MD5 hash is dependent on all message bits.
• Rivest claims security is as good as can be.
• Known attacks are:
  • Berson 92 attacked any 1 round using differential cryptanalysis (but can't extend).
  • Boer & Bosselaers 93 found a pseudo-collision (again unable to extend).
  • Dobbertin 96 created collisions on the MD5 compression function (but initial constants prevent exploit).
• Conclusion is that MD5 looks vulnerable soon.

Secure Hash Algorithm:

The Secure Hash Algorithm was developed by the National Security Agency (NSA) and given to the National Institute of Standards and Technology (NIST). The original version, often referred to as SHA or SHA-0, was published in 1993 as a Federal Information Processing Standard (FIPS 180). SHA contained a weakness that was later uncovered by the NSA, which led to a revised standards document (FIPS 180-1) that was released in 1995. This revised document describes the improved version, SHA-1, which is now the hash algorithm recommended by NIST.

SHA-1 Logic:

• This algorithm takes as input a message of maximum length less than 2^64 bits.
• It produces as output a 160-bit message digest.
• The input is processed in 512-bit blocks.

(Initial buffer words shown in big-endian byte order: Word C = 98 BA DC FE, Word D = 10 32 45 76, Word E = C3 D2 E1 F0.)
Step 1: Append padding bits:

1. The message is padded so that its length is congruent to 448 mod 512 (length mod 512 = 448).
2. Padding is always added, even if the message is already of the desired length.
3. Thus the number of padding bits is in the range 1 to 512.
4. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2: Append length:

1. A 64-bit representation of the length of the original message (before padding) is appended to the result of step 1.
2. This field contains the length of the original message mod 2^64.

Step 3: Initialize MD buffer:

1. A 160-bit buffer is used to hold intermediate values and the final result of the hash function.
2. The buffer can be represented as five 32-bit registers (A, B, C, D, E):
A = 67452301
B = EFCDAB89
C = 98BADCFE
D = 10325476
E = C3D2E1F0

Step 4: Process message in 512-bit blocks:

1. The heart of the algorithm is a compression function that consists of four rounds of processing of 20 steps each.
2. The four rounds have a similar structure, but each uses a different primitive logical function, referred to as f1, f2, f3 and f4.
3. Each round takes as input the current 512-bit block being processed (Y_q) and the 160-bit buffer value ABCDE, and updates the contents of the buffer.
4. Each round also makes use of an additive constant K_t, one for each of the 80 steps.
5. In fact only 4 distinct constants are used:

STEP NO        HEXADECIMAL
0 ≤ t ≤ 19     K_t = 5A827999
20 ≤ t ≤ 39    K_t = 6ED9EBA1
40 ≤ t ≤ 59    K_t = 8F1BBCDC
60 ≤ t ≤ 79    K_t = CA62C1D6

6. The output of the fourth round is added to the input to the first round (CV_q) to produce CV_{q+1}.

Step 5: Output:
1. After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit message digest.
2. We can summarize the behavior of SHA-1 as follows:
CV_0 = IV
CV_{q+1} = SUM32[CV_q, ABCDE_q]
MD = CV_L

Where

IV = initial value of the ABCDE buffer
ABCDE_q = output of the last round of processing of the qth message block
L = number of blocks in the message
CV_q = chaining variable processed with the qth block of the message
MD = final message digest value
SUM32 = addition mod 2^32 performed separately on each word of the pair of inputs
SHA-1 Compression Function:
• Each round has 20 steps of the form:
A, B, C, D, E ← (E + f(t, B, C, D) + S^5(A) + W_t + K_t), A, S^30(B), C, D
Where
A, B, C, D, E refer to the 5 words of the buffer
t = step number, 0 to 79
f(t, B, C, D) = primitive logical function for step t
S^k = circular left shift of the 32-bit argument by k bits
W_t = 32-bit word derived from the current 512-bit block
K_t = additive constant; 4 distinct values are used
+ = addition modulo 2^32

1. Each primitive function takes three 32-bit words as input and produces a 32-bit word output.
2. Each function performs a set of bitwise logical operations.

Step     Function Name         Function Value
0-19     f1 = f(t, B, C, D)    (b ∧ c) ∨ (b' ∧ d)
20-39    f2 = f(t, B, C, D)    b ⊕ c ⊕ d
40-59    f3 = f(t, B, C, D)    (b ∧ c) ∨ (b ∧ d) ∨ (c ∧ d)
60-79    f4 = f(t, B, C, D)    b ⊕ c ⊕ d

1. The 32-bit values W_t are derived from the 512-bit message block.
2. The first 16 values of W_t are taken directly from the 16 words of the current block.
3. The remaining values are defined as follows:
4. W_t = S^1(W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3})

• In the first 16 steps of processing, the value of W_t is equal to the corresponding word in the message block.
• For the remaining 64 steps, the value of W_t consists of the circular left shift by one bit of the XOR of four of the preceding values of W_t.
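Added example (not from the course notes): a Python SHA-1 that follows the padding, buffer initialisation, W_t schedule and 80-step compression described above, checked against hashlib. Note the big-endian word handling, in contrast to MD5's little-endian convention.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

# The four additive constants K_t, one per 20-step round.
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def rotl(x, k):
    """S^k: circular left shift of a 32-bit word by k bits."""
    return ((x << k) | (x >> (32 - k))) & MASK


def f(t, b, c, d):
    """Primitive logical function f1..f4, selected by the step number t."""
    if t < 20:
        return (b & c) | (~b & d)                 # f1: (b AND c) OR (NOT b AND d)
    if t < 40:
        return b ^ c ^ d                          # f2: parity
    if t < 60:
        return (b & c) | (b & d) | (c & d)        # f3: majority
    return b ^ c ^ d                              # f4: parity


def sha1_pad(message):
    """Steps 1 and 2: a 1 bit, zeros to 448 mod 512, then the 64-bit length,
    stored big-endian (MD5 stores the same length little-endian)."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", (len(message) * 8) & (2**64 - 1))


def schedule(block):
    """Expand one 512-bit block into the 80 words W_0..W_79."""
    W = list(struct.unpack(">16I", block))           # W_0..W_15: the block itself
    for t in range(16, 80):
        # W_t = S^1(W_{t-16} XOR W_{t-14} XOR W_{t-8} XOR W_{t-3})
        W.append(rotl(W[t - 16] ^ W[t - 14] ^ W[t - 8] ^ W[t - 3], 1))
    return W


def sha1(message):
    """Return the SHA-1 digest of `message` (bytes) as a hex string."""
    # Step 3: the 160-bit buffer ABCDE, initialised with the IV.
    cv = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = sha1_pad(message)
    for q in range(0, len(padded), 64):
        W = schedule(padded[q:q + 64])
        a, b, c, d, e = cv
        # Step 4: 80 steps of
        # A,B,C,D,E <- (E + f(t,B,C,D) + S^5(A) + W_t + K_t), A, S^30(B), C, D
        for t in range(80):
            tmp = (e + f(t, b, c, d) + rotl(a, 5) + W[t] + K[t // 20]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        # CV_{q+1} = SUM32(CV_q, ABCDE_q)
        cv = [(x + y) & MASK for x, y in zip(cv, (a, b, c, d, e))]
    # Step 5: MD = CV_L, emitted as big-endian words.
    return struct.pack(">5I", *cv).hex()


def matches_hashlib(message):
    """True when this implementation agrees with the library SHA-1."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 56, b"a" * 1000):
        print(len(m), sha1(m), matches_hashlib(m))
```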

Comparison of SHA-1 and MD5

 SHA-1 harder for brute force (160 vs 128 bit)

 SHA-1 is slower (80 vs 64 steps)

 SHA-1 uses big-endian (vs. little-endian)

 Both are simple and compact

 MD5 is more vulnerable

 SHA-1 flaws discovered, currently impractical

HMAC

RFC 2104 lists the following design objectives for HMAC:

• To use, without modifications, available hash functions. In particular, hash functions that perform well in software, and for which code is freely and widely available.
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required.
• To preserve the original performance of the hash function without incurring a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function.

The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. It involves hashing a padded version of the key concatenated with the message, and then an outer hash of the result prepended by another padded variant of the key. The hash function need only be used on 3 more blocks than when hashing just the original message (for the two keys + inner hash). HMAC can use any desired hash function, and has been shown to have the same security as the underlying hash function. The hash function can be chosen based on speed/security concerns.

The above figure illustrates the overall operation of HMAC:

HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]

where:
K+ is K padded with zeros on the left so that the result is b bits in length
ipad is the pad value 36 hex repeated to fill a block
opad is the pad value 5C hex repeated to fill a block
M is the message input to HMAC (including the padding specified in the embedded hash function)

Note that the XOR with ipad results in flipping one-half of the bits of K. Similarly, the XOR with opad results in flipping one-half of the bits of K, but a different set of bits. In effect, two keys have been pseudorandomly generated from K. HMAC should execute in approximately the same time as the embedded hash function for long messages. HMAC adds three executions of the hash compression function (for S_i, S_o, and the block produced from the inner hash). A more efficient implementation is possible by precomputing the internal hash function on (K+ XOR opad) and (K+ XOR ipad) and inserting the results into the hash processing at start and end. With this implementation, only one additional instance of the compression function is added to the processing normally produced by the hash function. This is especially worthwhile if most of the messages for which a MAC is computed are short.
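Added example (not the notes' own code): HMAC built directly from the formula above, plus the precomputed-state variant that absorbs (K+ XOR ipad) and (K+ XOR opad) once per key, both checked against Python's hmac module. The zero padding of K is placed after the key bytes, as RFC 2104 specifies and the library implements, and keys longer than the block size are hashed first, as RFC 2104 also requires.

```python
import hashlib
import hmac

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C


def keyed_pads(key, hash_name):
    """Return S_i = K+ XOR ipad and S_o = K+ XOR opad for the chosen hash."""
    b = hashlib.new(hash_name).block_size            # b bits / 8 (64 for SHA-1 and SHA-256)
    if len(key) > b:                                 # RFC 2104: hash over-long keys first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))          # K+ : K padded to b bits
    s_i = bytes(x ^ IPAD_BYTE for x in k_plus)       # flips half the bits of K
    s_o = bytes(x ^ OPAD_BYTE for x in k_plus)       # flips a different half
    return s_i, s_o


def hmac_by_formula(key, message, hash_name="sha256"):
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]."""
    s_i, s_o = keyed_pads(key, hash_name)
    inner = hashlib.new(hash_name, s_i + message).digest()
    return hashlib.new(hash_name, s_o + inner).digest()


class PrecomputedHMAC:
    """Keeps the hash state after absorbing S_i and S_o, so each tag costs
    only one extra compression beyond hashing M itself."""

    def __init__(self, key, hash_name="sha256"):
        s_i, s_o = keyed_pads(key, hash_name)
        self._inner = hashlib.new(hash_name, s_i)    # state after the first block S_i
        self._outer = hashlib.new(hash_name, s_o)    # state after the first block S_o

    def tag(self, message):
        inner = self._inner.copy()                   # resume from the cached state
        inner.update(message)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, message, tag):
        """Constant-time comparison so timing does not leak the expected tag."""
        return hmac.compare_digest(self.tag(message), tag)


def agrees_with_library(key, message, hash_name="sha256"):
    """True when both constructions match Python's hmac for the same inputs."""
    expected = hmac.new(key, message, hash_name).digest()
    return (hmac_by_formula(key, message, hash_name) == expected
            and PrecomputedHMAC(key, hash_name).tag(message) == expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"                    # sample values, not from the notes
    msg = b"The quick brown fox jumps over the lazy dog"
    mac = PrecomputedHMAC(key)
    print(mac.tag(msg).hex(), agrees_with_library(key, msg))
    print("tampered:", mac.verify(msg + b"!", mac.tag(msg)))   # False
```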

HMAC Security

The appeal of HMAC is that its designers have been able to prove an exact relationship between the strength of the embedded hash function and the strength of HMAC. The security of a MAC function is generally expressed in terms of the probability of successful forgery with a given amount of time spent by the forger and a given number of message-MAC pairs created with the same key. There are two classes of attacks: a brute-force attack on the key used, which has work of order 2^n; or a birthday attack, which requires work of order 2^(n/2) but which requires the attacker to observe 2^(n/2) blocks of messages using the same key, which is very unlikely. For a hash code length of 128 bits, this requires 2^64 observed blocks (2^72 bits) generated using the same key. On a 1-Gbps link, one would need to observe a continuous stream of messages with no change in key for about 150,000 years in order to succeed. So even MD5 is still secure for use in HMAC given these constraints.

DIGITAL SIGNATURE

"Digital Signature" is the best solution for authenticity in various fields.

A digital signature is nothing but an attachment to any piece of electronic information, which represents the content of the document and the identity of the owner of that document uniquely.

It is a digital code (generated and authenticated by public-key encryption) which is attached to an electronically transmitted document to verify its contents and the sender's identity. The digital signature of a person is therefore bound to the document, thus ensuring the authenticity of the document.

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other, either fraudulently creating, or denying creation of, a message. A digital signature is analogous to the handwritten signature, and provides a set of security capabilities that would be difficult to implement in any other way. It must have the following properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

Thus, the digital signature function includes the authentication function.

The above figure is a generic model of the process of making and using digital
signatures. Bob can sign a message using a digital signature generation algorithm. The
inputs to the algorithm are the message and Bob's private key. Any other user, say
Alice, can verify the signature using a verification algorithm, whose inputs are the
message, the signature, and Bob's public key.

Here A denotes the user whose signature is being attacked and C denotes the attacker.

• Key-only attack: C only knows A's public key.
• Known message attack: C is given access to a set of messages and their signatures.
• Generic chosen message attack: C chooses a list of messages before attempting to break A's signature scheme, independent of A's public key. C then obtains from A valid signatures for the chosen messages. The attack is generic because it does not depend on A's public key; the same attack is used against everyone.
• Directed chosen message attack: Similar to the generic attack, except that the list of messages is chosen after C knows A's public key but before signatures are seen.
• Adaptive chosen message attack: C is allowed to use A as an "oracle." This means that C may request signatures of messages that depend on previously obtained message-signature pairs.

Success in breaking a signature scheme is then defined as an outcome in which C can do any of the following with a non-negligible probability:

• Total break: C determines A's private key.
• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a particular message chosen by C.
• Existential forgery: C forges a signature for at least one message. C has no control over the message. Consequently this forgery may only be a minor nuisance to A.

A variety of approaches has been proposed for the digital signature function. A secure hash function, embedded in a scheme such as that shown in the figure, provides a basis for satisfying these requirements. However, care must be taken in the design of the details of the scheme. These approaches fall into two categories: direct and arbitrated.

The term direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source. Direct digital signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key, or by encrypting a hash code of the message with the sender's private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public- or private-key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute, some third party must view the message and its signature. But these approaches are dependent on the security of the sender's private key. There will be problems if it is lost or stolen and signatures are forged. The universally accepted technique for dealing with these threats is the use of a digital certificate and certificate authorities.
DSA is the US Govt approved signature scheme, which is designed to provide strong
signatures without allowing easy use for encryption. The National Institute of Standards
and Technology (NIST) published Federal Information Processing Standard FIPS 186,
known as the Digital Signature Standard (DSS). The DSS makes use of the Secure
Hash Algorithm (SHA) and presents a new digital signature technique, the Digital
Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in
1993 in response to public feedback concerning the security of the scheme. There was
a further minor revision in 1996. In 2000, an expanded version of the standard was
issued as FIPS 186-2. This latest version also incorporates digital signature algorithms
based on RSA and on elliptic curve cryptography. In this section, we discuss the original
DSS algorithm. The DSS uses an algorithm that is designed to provide only the digital
signature function. Unlike RSA, it cannot be used for encryption or key exchange.
Nevertheless, it is a public-key technique.

The above figure contrasts the DSS approach for generating digital signatures to that
used with RSA. In the RSA approach, the message to be signed is input to a hash
function that produces a secure hash code of fixed length. This hash code is then
encrypted using the sender's private key to form the signature. Both the message and
the signature are then transmitted. The recipient takes the message and produces a
hash code. The recipient also decrypts the signature using the sender's public key. If
the calculated hash code matches the decrypted signature, the signature is accepted as
valid. Because only the sender knows the private key, only the sender could have
produced a valid signature. The DSS approach also makes use of a hash function. The
hash code is provided as input to a signature function along with a random number k
generated for this particular signature. The signature function also depends on the
sender's private key (PR a) and a set of parameters known to a group of communicating
principals. We can consider this set to constitute a global public key (PUG). The result is
a signature consisting of two components, labeled s and r. At the receiving end, the
hash code of the incoming message is generated. This plus the signature is input to a
verification function. The verification function also depends on the global public key as
well as the sender's public key (PUa), which is paired with the sender's private key. The
output of the verification function is a value that is equal to the signature component r if
the signature is valid. The signature function is such that only the sender, with
knowledge of the private key, could have produced the valid signature.

The DSA is based on the difficulty of computing discrete logarithms and is based on schemes originally presented by ElGamal and Schnorr. The DSA signature scheme has advantages over RSA, being both smaller (320 vs 1024 bits) and faster (much of the computation is done modulo a 160-bit number). Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique.

DSA typically uses a common set of global parameters (p, q, g) for a community of clients, as shown. A 160-bit prime number q is chosen. Next, a prime number p is selected with a length between 512 and 1024 bits such that q divides (p – 1). Finally, g is chosen to be of the form h^((p–1)/q) mod p, where h is an integer between 1 and (p – 1), with the restriction that g must be greater than 1. Thus, the global public key components of DSA have the same form as in the Schnorr signature scheme.

Then each DSA user chooses a random private key x, and computes their public key as shown. The calculation of the public key y given x is relatively straightforward. However, given the public key y, it is computationally infeasible to determine x, which is the discrete logarithm of y to base g, mod p.

To create a signature, a user calculates two quantities, r and s, that are functions of the
public key components (p,q,g), the user’s private key (x), the hash code of the message
H(M), and an additional integer k that should be generated randomly or pseudo-
randomly and be unique for each signing. This is similar to ElGamal signatures, with the
use of a per message temporary signature key k, but doing calculations first mod p, then
mod q to reduce the size of the result. The signature (r,s) is then sent with the message
to the recipient. Note that computing r only involves calculation mod p and does not
depend on message, hence can be done in advance. Similarly with randomly choosing
k’s and computing their inverses.

At the receiving end, verification is performed as follows. The receiver computes
w = s^(-1) mod q, u1 = H(M) w mod q and u2 = r w mod q, and then the quantity

v = ((g^u1 y^u2) mod p) mod q,

which is a function of the global public key components, the sender's public key y, and
the hash of the incoming message. If v matches the r component of the signature, the
signature is valid. Note that the difficulty of computing discrete logarithms is why it is
infeasible for an opponent to recover k from r, or x from s. Note also that nearly all
the calculations are mod q and hence are much faster, apart from the exponentiations
mod p.

The structure of this function is such that the receiver can recover r using the incoming
message and signature, the public key of the user, and the global public key. It is
certainly not obvious that such a scheme would work. The key step is that, since
s = k^(-1) (H(M) + x r) mod q, we have k = s^(-1) (H(M) + x r) = u1 + x u2 (mod q), so
g^u1 y^u2 = g^(u1 + x u2) = g^k (mod p), and hence v = r. A full proof is provided in
Stallings, Appendix K.

The figure depicting the signing and verifying functions reveals that the structure of
the algorithm is quite interesting. Note that the test at the end is on the value r,
which does not depend on the message at all. Instead, r is a function of k and the three
global public-key components. The multiplicative inverse of k (mod q) is passed to a
function that also has as inputs the message hash code and the user's private key; the
output s of that function, together with r, is what allows the receiver to recover r
from the message, the user's public key and the global public key.
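The following Python program is an added worked example (it is not from the text or from any standard's reference implementation) that carries DSA parameter generation, signing and verification through on constructed toy parameters: the trial-division prime test, the values q = 1000003, x = 424242 and k = 777777, the use of SHA-256 truncated to the bit length of q in place of SHA-1, and the function names are all assumptions of the example. It also shows what the requirement that k "be unique for each signing" means in practice: two signatures made with the same k share r, and the private key x then follows by linear algebra mod q.

```python
"""Toy DSA: parameter generation, signing, verification, and the private-key
recovery that follows from reusing the per-message k. Example code, not from the text."""
import hashlib


def is_prime(n):
    """Trial division; adequate for the toy sizes used here, not for real keys."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def gen_params(q):
    """Global parameters (p, q, g): q prime, p the smallest prime of the form m*q + 1,
    g = h^((p-1)/q) mod p with g > 1, so that g has order q."""
    assert is_prime(q)
    m = 2
    while not is_prime(m * q + 1):
        m += 1
    p = m * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def hash_to_int(msg, q):
    """H(M) as an integer mod q: the leftmost bitlen(q) bits of SHA-256 (assumption:
    the text uses SHA-1 with a 160-bit q, here the hash is truncated to fit the toy q)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    z >>= max(0, 256 - q.bit_length())
    return z % q


def keygen(params, x):
    """Public key y = g^x mod p for a private key 0 < x < q."""
    p, q, g = params
    assert 0 < x < q
    return pow(g, x, p)


def sign(params, x, msg, k):
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q.
    k must be secret and fresh for every signature; r can be precomputed."""
    p, q, g = params
    assert 0 < k < q
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_to_int(msg, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose a fresh k")
    return r, s


def verify(params, y, msg, sig):
    """w = s^-1, u1 = H(M) w, u2 = r w (all mod q); accept iff ((g^u1 y^u2) mod p) mod q == r."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):   # range check before any inverse is taken
        return False
    w = pow(s, -1, q)
    u1 = (hash_to_int(msg, q) * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def recover_private_key(q, msg1, sig1, msg2, sig2):
    """Two signatures with the same k share r. Subtracting the two s equations gives
    k = (H1 - H2) / (s1 - s2) mod q, and then x = (s1 k - H1) / r mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "different r values: k was not reused"
    z1, z2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = ((z1 - z2) * pow((s1 - s2) % q, -1, q)) % q
    x = ((s1 * k - z1) * pow(r1, -1, q)) % q
    return k, x


if __name__ == "__main__":
    params = gen_params(1000003)            # constructed toy q; a real q is at least 160 bits
    x = 424242                              # constructed private key
    y = keygen(params, x)
    sig1 = sign(params, x, b"pay 10", 777777)
    print(verify(params, y, b"pay 10", sig1), verify(params, y, b"pay 99", sig1))
    sig2 = sign(params, x, b"pay 99", 777777)   # same k reused for a second message
    print(recover_private_key(params[1], b"pay 10", sig1, b"pay 99", sig2) == (777777, x))
```

The recovery function is the reason the text insists that k be random and unique: nothing in the signature equations hides x once two signatures expose the same k, and a biased or predictable k leaks x by the same algebra.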

ELGAMAL & SCHNORR SIGNATURE SCHEMES

ElGamal announced a public-key scheme based on discrete logarithms, closely related
to the Diffie-Hellman technique. The ElGamal encryption scheme enables encryption with a
user's public key and decryption with the user's private key. The ElGamal signature
scheme uses the private key to sign and the public key to verify. The ElGamal
cryptosystem is used in some form in a number of standards, including the digital
signature standard (DSS) and the S/MIME email standard. As with Diffie-Hellman, the
global elements of ElGamal are a prime number q and a, which is a primitive root of q.
User A chooses a private key X_A with 1 < X_A < q - 1 and computes the public key
Y_A = a^X_A mod q. The security of ElGamal is based on the difficulty of computing
discrete logarithms, to recover either the private key from the public key, or the
temporary key from its public exponentiation.

To sign a message M, user A first computes the hash m = H(M), such that m is an
integer in the range 0 <= m <= q - 1. A then chooses a random integer K with
1 <= K <= q - 1 and gcd(K, q - 1) = 1, computes S1 = a^K mod q and K^(-1) mod (q - 1),
and forms S2 = K^(-1) (m - X_A S1) mod (q - 1). The signature is the pair (S1, S2).

The basic idea with ElGamal signatures is again to choose a temporary random signing
key, protect it, and then use it to solve the specified equation on the hash of the
message to create the signature (in two pieces). Verification consists of confirming the
validation equation that relates the signature to the (hash of the) message: user B
computes V1 = a^m mod q and V2 = (Y_A)^S1 (S1)^S2 mod q and accepts the signature if
V1 = V2 (see text for proof). Note that ElGamal signing involves one modular
exponentiation plus multiplications (versus one exponentiation for RSA); verification,
however, needs three exponentiations.

Here is an example of creating and verifying an ElGamal signature, from the text, using
the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15},
and we choose a = 10. Alice chooses X_A = 16 and computes Y_A = 10^16 mod 19 = 4, so her
key pair is {19, 10, 4}. To sign a message with hash m = 14, Alice chooses K = 5
(gcd(5, 18) = 1), computes S1 = 10^5 mod 19 = 3 and K^(-1) mod 18 = 11, and then
S2 = 11 * (14 - 16 * 3) mod 18 = 4, giving the signature pair (3, 4). Any user B can
verify the signature by confirming the validation equation: V1 = 10^14 mod 19 = 16 and
V2 = 4^3 * 3^4 mod 19 = 16, so V1 = V2 and the signature is valid.
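An added Python rendering of the scheme (example code, not from the text) that reproduces the GF(19) numbers of this example and can be run on other parameters; the function names, the ValueError raised for a K that is not invertible mod q - 1, and the range check on S1 in verification are assumptions of the example, and m is passed in directly as the already-hashed value.

```python
"""ElGamal signatures as described in the text: global prime q and primitive root a,
private key X, public key Y = a^X mod q. Example code, not from the text."""
from math import gcd


def keygen(q, a, x):
    """Public key Y = a^x mod q for a private key 1 < x < q - 1."""
    assert 1 < x < q - 1
    return pow(a, x, q)


def sign(q, a, x, m, k):
    """(S1, S2) with S1 = a^K mod q and S2 = K^-1 (m - X S1) mod (q - 1).
    K must satisfy 1 <= K <= q - 1 and gcd(K, q - 1) = 1, and must stay secret and unique."""
    assert 0 <= m <= q - 1                       # m = H(M) already reduced into range
    if not (1 <= k <= q - 1 and gcd(k, q - 1) == 1):
        raise ValueError("K must be invertible mod q - 1")
    s1 = pow(a, k, q)
    k_inv = pow(k, -1, q - 1)
    s2 = (k_inv * (m - x * s1)) % (q - 1)
    return s1, s2


def verify(q, a, y, m, sig):
    """Accept iff V1 = a^m mod q equals V2 = Y^S1 * S1^S2 mod q.
    S1 is also required to lie in 1..q-1 (a standard range check on the signature)."""
    s1, s2 = sig
    if not (1 <= s1 <= q - 1 and 0 <= s2 <= q - 2):
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    q, a = 19, 10                  # the text's example: GF(19), primitive root 10
    y = keygen(q, a, 16)           # Y_A = 10^16 mod 19 = 4
    sig = sign(q, a, 16, 14, 5)    # m = 14, K = 5 gives (3, 4)
    print(y, sig, verify(q, a, y, 14, sig), verify(q, a, y, 13, sig))
```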

Schnorr signature scheme

The Schnorr signature scheme is based on discrete logarithms [SCHN89, SCHN91]. The
Schnorr scheme minimizes the message-dependent amount of computation required to
generate a signature. The main work for signature generation does not depend on the
message and can be done during the idle time of the processor. The message-dependent
part of the signature generation requires multiplying a 2n-bit integer with an n-bit
integer. The scheme is based on using a prime modulus p, with p - 1 having a prime
factor q of appropriate size; that is, p - 1 = 0 (mod q). Typically, we use p of about
2^1024 and q of about 2^160. Thus, p is a 1024-bit number and q is a 160-bit number,
which is also the length of the SHA-1 hash value.

The first part of this scheme is the generation of a private/public key pair, which consists
of the following steps:

1. Choose primes p and q, such that q is a prime factor of p - 1.

2. Choose an integer a, a != 1, such that a^q = 1 mod p. The values a, p, and q comprise a
global public key that can be common to a group of users.

3. Choose a random integer s with 0 < s < q. This is the user's private key.

4. Calculate v = a^(-s) mod p. This is the user's public key.

A user with private key s and public key v generates a signature as follows:

1. Choose a random integer r with 0 < r < q and compute x = a^r mod p. This is
independent of any message M, hence can be precomputed.

2. Concatenate the message with x and hash the result to compute e = H(M || x).

3. Compute y = (r + se) mod q. The signature consists of the pair (e, y).

Any other user can verify the signature as follows:

1. Compute x' = a^y v^e mod p.

2. Verify that e = H(M || x').

The verification works because v^e = a^(-se) mod p and a has order q, so
a^y v^e = a^((r + se) - se) = a^r = x mod p, and therefore H(M || x') = H(M || x) = e
(see text for details).
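The following Python program is an added example (not from the text) of Schnorr key generation, signing and verification with the message-independent part separated out, as the scheme intends; the toy group p = 2039, q = 1019, a = 4, the use of SHA-256 for H, the byte encoding of x inside the hash input, and the function names are assumptions of the example.

```python
"""Schnorr signatures as described in the text, with the message-independent work
split out so it can be done ahead of time. Example code, not from the text."""
import hashlib

# Constructed toy group: p = 2039 and q = 1019 are prime with p = 2q + 1, and
# a = 4 = 2^((p-1)/q) mod p has order q. Real use needs p ~ 2^1024, q ~ 2^160 or larger.
P, Q, A = 2039, 1019, 4


def keygen(s, p=P, q=Q, a=A):
    """Private key 0 < s < q; public key v = a^-s mod p."""
    assert 0 < s < q
    return pow(pow(a, s, p), -1, p)


def precompute(r, p=P, q=Q, a=A):
    """Offline part: a random 0 < r < q and x = a^r mod p, independent of the message.
    Each precomputed (r, x) pair must be used for exactly one signature."""
    assert 0 < r < q
    return r, pow(a, r, p)


def hash_e(msg, x, p=P):
    """e = H(M || x), with x encoded in as many bytes as p needs (assumption: SHA-256)."""
    xb = x.to_bytes((p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(msg + xb).digest(), "big")


def sign(s, msg, pre, p=P, q=Q):
    """Online part: e = H(M || x) and y = (r + s e) mod q, one multiply and one add mod q."""
    r, x = pre
    e = hash_e(msg, x, p)
    return e, (r + s * e) % q


def verify(v, msg, sig, p=P, q=Q, a=A):
    """Recompute x' = a^y v^e mod p and check H(M || x') == e. This works because
    v^e = a^(-se) and a has order q, so a^y v^e = a^((r + se) - se) = a^r = x."""
    e, y = sig
    if not 0 <= y < q:
        return False
    x_prime = (pow(a, y, p) * pow(v, e, p)) % p
    return e == hash_e(msg, x_prime, p)


if __name__ == "__main__":
    s = 123                       # constructed private key
    v = keygen(s)
    pre = precompute(77)          # done while idle, before the message is known
    sig = sign(s, b"transfer 5", pre)
    print(verify(v, b"transfer 5", sig), verify(v, b"transfer 6", sig))
```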

PART-A

1. Write short notes on MD5.
2. What is a hash in cryptography?
3. How do digital signatures differ from authentication protocols?
4. Differentiate internal and external error control.
5. Define the classes of message authentication function.
6. What do you mean by strong collision resistance in a hash function?
7. What do you mean by weak collision resistance in a hash function?
8. What are the two approaches to digital signatures?
9. Point out the properties of a digital signature.
10. Define the term message digest.
11. Identify the security services provided by digital
12. How do digital signatures differ from authentication protocols?
13. How do you specify the various types of authentication protocol?
14. Summarize the classes of message authentication function.
15. Demonstrate the authentication applications.
16. What is DSS? Specify its requirements.
17. State hash function.

PART-B & C
1. Explain hash functions.
2. How is a hash function algorithm designed? Explain its features and properties.
3. Explain the Digital Signature Standard.
4. Explain the steps in DSA.
5. What are digital signatures? Explain the DSA algorithm used to generate them.
6. Explain the concepts of the Digital Signature Algorithm with key generation and verification in detail.
7. Explain the steps in the MD5 message digest algorithm.
8. How does the MD5 method provide security to the system? Explain with a suitable diagram.
9. With a neat diagram, explain the MD5 processing of a single 512-bit block.
10. Explain the secure hash algorithm used to generate a message digest in detail.
11. Illustrate and explain the SHA algorithm.
12. Compare the performance of the RIPEMD-160 algorithm and the SHA-1 algorithm.
13. Write notes on the birthday attack.
14. Explain the ElGamal public-key cryptosystem with an example.
15. Write down the steps involved in
i) the ElGamal Digital Signature Scheme
ii) the Schnorr Digital Signature Scheme used for authenticating a person.
