UNIT-2

Public Key Infrastructure & Message Authentication


PUBLIC KEY CRYPTOGRAPHY PRINCIPLES & APPLICATIONS

Unlike symmetric-key cryptography, public-key cryptography has no long history of use; it is a
relatively new concept, first proposed publicly in the 1970s.

Symmetric cryptography suited organizations such as governments, the military and large financial
corporations that were involved in classified communication and could distribute secret keys in advance.

With the spread of insecure computer networks in the last few decades, cryptography was needed at a
much larger scale, and symmetric-key schemes proved impractical because of the key management problem:
every pair of communicating parties needs a secret key agreed in advance over a secure channel.
This gave rise to public-key cryptosystems.
The process of encryption and decryption is depicted in the following illustration:

The most important properties of a public-key encryption scheme are:

Different keys are used for encryption and decryption. This is the property that sets this
scheme apart from symmetric encryption.

Each receiver possesses a unique decryption key, generally referred to as the private key.

The receiver publishes an encryption key, referred to as the public key.

Some assurance of the authenticity of a public key is needed, otherwise an adversary can publish
a key of his own and pose as the receiver. Generally, this type of cryptosystem involves a
trusted third party that certifies that a particular public key belongs to a specific person
or entity only.

The encryption algorithm is designed so that an attacker cannot deduce the plaintext from the
ciphertext and the encryption (public) key.

Although the private and public keys are related mathematically, it must be infeasible to
calculate the private key from the public key. In fact, the ingenuity of any public-key
cryptosystem lies in designing this relationship between the two keys.
Public-key cryptography is a radical departure from all that went before. Up to modern times all
cryptographic systems were based on the elementary tools of substitution and permutation.
Public-key algorithms, by contrast, are based on mathematical functions and are asymmetric,
involving two keys rather than the single key of conventional encryption. Several misconceptions
are held about public-key (p-k) cryptography:

1. That p-k encryption is more secure against cryptanalysis than conventional encryption.
In fact the security of any system depends on the key length and the computational work
involved in breaking the cipher; a 128-bit symmetric key and a 3072-bit RSA key are
commonly regarded as offering comparable security.

2. That p-k encryption has superseded single-key encryption. This is unlikely because of the
much greater processing power p-k operations require; in practice p-k is used to exchange or
wrap a symmetric key, and the bulk data is encrypted symmetrically.

3. That key management is trivial with public-key cryptography. This is not correct: the problem
of distributing secret keys is replaced by the problem of assuring the authenticity of public
keys, which is what a public-key infrastructure exists to solve.

Principles of Public-Key Cryptosystems

The concept of P-K evolved from an attempt to solve two problems: key distribution
and the development of digital signatures. In 1976 Whitfield Diffie and Martin Hellman
achieved great success in developing the conceptual framework. In conventional
encryption the same key is used for encryption and decryption. This is not a necessary
condition. Instead it is possible to develop a cryptographic system that relies on one key
for encryption and a different but related key for decryption. Furthermore these algorithms
have the following important characteristic:
o It is computationally infeasible to determine the decryption key given only knowledge
of the algorithm and the encryption key.
o In addition, some algorithms, such as RSA, also exhibit the following characteristic:
either of the two related keys can be used for encryption, with the other used for
decryption (this is what makes the same key pair usable for digital signatures).

The steps are:

1. Each system generates a pair of keys.

2. Each system publishes its encryption key (public key), keeping its companion key private.
3. If A wishes to send a message to B, it encrypts the message using B's public key.
4. When B receives the message, it decrypts the message using its private key. No one else
can decrypt the message because only B knows its private key.
Three public-key encryption schemes are commonly studied; the one covered here is RSA.

RSA Cryptosystem

This cryptosystem is one of the earliest public-key systems and remains the most widely
deployed even today. It was invented in 1977 by three scholars, Ron Rivest, Adi Shamir and
Len Adleman, and hence is termed the RSA cryptosystem.

We will see two aspects of the RSA cryptosystem, firstly generation of key pair and secondly
encryption-decryption algorithms.

Generation of RSA Key Pair


Each person or a party who desires to participate in communication using encryption needs to
generate a pair of keys, namely public key and private key. The process followed in the
generation of keys is described below:

Generate the RSA modulus (n)

o Select two large primes, p and q, of about the same bit length, chosen independently and at random.

o Calculate n = p*q. For the encryption to resist factoring, n must be a large number. The
traditional figure of a minimum of 512 bits is no longer adequate: 512-bit moduli were
publicly factored in 1999 and 768-bit moduli in 2009, and current guidance (NIST SP 800-57)
is a minimum of 2048 bits.

Find the public exponent (e)

The number e must be greater than 1 and less than (p - 1)(q - 1).

e and (p - 1)(q - 1) must have no common factor other than 1.

In other words, the two numbers e and (p - 1)(q - 1) are coprime. In practice e is usually fixed
to 65537 (2^16 + 1), which is prime and makes encryption fast.

Form the public key

o The pair of numbers (n, e) forms the RSA public key and is made public.

o Although n is part of the public key, the difficulty of factoring a large composite number
ensures that an attacker cannot recover the two primes (p and q) from n in any practical
amount of time. This is the strength of RSA.

Generate the private key

o The private key d is calculated from p, q and e. For a given n and e there is a unique
such number d.

o d is the inverse of e modulo (p - 1)(q - 1). This means that d is the number less than
(p - 1)(q - 1) such that, when multiplied by e, the result is equal to 1 modulo (p - 1)(q - 1).

o This relationship is written mathematically as: e*d = 1 mod (p - 1)(q - 1)

The Extended Euclidean Algorithm, run on e and (p - 1)(q - 1), gives d as output. The values p,
q and (p - 1)(q - 1) must then be kept secret or destroyed: anyone who knows any of them together
with the public key can compute d immediately.
Example
An example of generating an RSA key pair is given below. (For ease of understanding, the
primes p and q taken here are small values. In practice these values are very large.)
Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.

Select e = 5, which is a valid choice since there is no number that is common factor of
5 and (p − 1)(q − 1) = 6 × 12 = 72, except for 1.

The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to
anyone whom we wish to be able to send us encrypted messages.

Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will
be d = 29.

Check that the d calculated is correct by computing:

de = 29 × 5 = 145 = 1 mod 72

Hence the public key is (91, 5) and the private key is (91, 29).

Encryption and Decryption


Once the key pair has been generated, the process of encryption and decryption are relatively
straightforward and computationally easy.

Interestingly, RSA does not directly operate on strings of bits as in case of symmetric key
encryption. It operates on numbers modulo n. Hence, it is necessary to represent the plaintext
as a series of numbers less than n.

RSA Encryption
Suppose the sender wishes to send a text message to someone whose public key is (n, e).

The sender first represents the plaintext as a series of numbers less than n.

To encrypt a plaintext block P, which is a number modulo n, the encryption step is:

C = P^e mod n

In other words, the ciphertext C is the plaintext P multiplied by itself e times and then
reduced modulo n (computed by modular exponentiation, not by e separate multiplications).
This means that C is also a number less than n.

Returning to our key-generation example with plaintext P = 10, we get ciphertext C:

C = 10^5 mod 91 = 82

RSA Decryption
The decryption process for RSA is equally straightforward. Suppose that the owner of the
public key (n, e) has received a ciphertext C.

The receiver raises C to the power of his private key d. The result modulo n is the
plaintext P:

P = C^d mod n

Returning again to our numerical example, the ciphertext C = 82 is decrypted to the number
10 using the private key d = 29:

P = 82^29 mod 91 = 10
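The key generation, encryption and decryption steps above, as an added worked example in Python (not part of the original notes). It implements the Extended Euclidean Algorithm to obtain d, reproduces the (91, 5) / (91, 29) key pair and the encryption of P = 10, and adds a check that unpadded "textbook" RSA is multiplicative, a property real protocols remove with padding. The function names are this example's own.

```python
from math import gcd


def egcd(a: int, b: int):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def modinv(e: int, m: int) -> int:
    """The d with e*d == 1 (mod m); fails if gcd(e, m) != 1, i.e. if e is not a valid exponent."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse modulo {m} (gcd is {g})")
    return x % m


def rsa_keygen(p: int, q: int, e: int):
    """The steps of the text: n = p*q, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < (p-1)(q-1) and gcd(e, (p-1)(q-1)) == 1")
    d = modinv(e, phi)
    assert (e * d) % phi == 1          # the check the text performs: e*d == 1 mod (p-1)(q-1)
    return (n, e), (n, d)              # public key, private key


def rsa_encrypt(public_key, plaintext_block: int) -> int:
    """C = P^e mod n; the block must already be a number in [0, n)."""
    n, e = public_key
    if not 0 <= plaintext_block < n:
        raise ValueError("plaintext block must be a number less than n")
    return pow(plaintext_block, e, n)


def rsa_decrypt(private_key, ciphertext_block: int) -> int:
    """P = C^d mod n."""
    n, d = private_key
    return pow(ciphertext_block, d, n)


def textbook_rsa_is_malleable(public_key, p1: int, p2: int) -> bool:
    """Caveat: without padding, enc(p1) * enc(p2) == enc(p1 * p2) mod n, so ciphertexts can be
    combined (and equal plaintexts recognised) by anyone holding only the public key."""
    n, _ = public_key
    combined = (rsa_encrypt(public_key, p1) * rsa_encrypt(public_key, p2)) % n
    return combined == rsa_encrypt(public_key, (p1 * p2) % n)


if __name__ == "__main__":
    public, private = rsa_keygen(7, 13, 5)      # the text's example: n = 91, (p-1)(q-1) = 72
    print("public key", public, "private key", private)   # (91, 5) (91, 29)
    c = rsa_encrypt(public, 10)
    print("P = 10 encrypts to", c, "and decrypts back to", rsa_decrypt(private, c))  # 82, 10
    print("textbook RSA is multiplicative:", textbook_rsa_is_malleable(public, 2, 5))
```

The `egcd` recursion is the same computation the text describes as "input p, q and e to the Extended Euclidean Algorithm"; only e and (p - 1)(q - 1) are actually needed. With n = 91 every block must be a number below 91, so even single ASCII bytes above 90 could not be encrypted directly, which is one practical reason real moduli are thousands of bits long.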

RSA Analysis
The security of RSA depends on two separate functions being one-way. RSA is the most popular
public-key cryptosystem, and its strength rests on the practical difficulty of factoring very
large numbers.

Encryption function: converting plaintext into ciphertext is considered a one-way function
that can be reversed only with knowledge of the private key d.

Key generation: determining the private key from an RSA public key is believed to be as hard
as factoring the modulus n (knowing d is in fact enough to factor n, and the best known way
to obtain d is to factor n). An attacker therefore cannot use knowledge of an RSA public key
to determine the private key unless he can factor n. Going from the values p and q to the
modulus n is easy, but the reverse is not feasible for large, properly chosen primes.

If either of these two functions turns out not to be one-way, RSA is broken. In particular, if
an efficient factoring technique is developed, RSA will no longer be safe.

The strength of RSA drops drastically if p and q are not large, randomly chosen primes (for
example if they are close together, or if one of them is shared with another key), or if a
small public exponent e is used on unpadded messages. The textbook operation described above
(C = P^e mod n with no padding) is deterministic and malleable, so real protocols always add
randomized padding, such as OAEP for encryption and PSS for signatures (PKCS #1).

TYPES OF CRYPTOGRAPHIC FUNCTIONS

Hash functions

Hash functions are extremely useful and appear in almost all information security
applications.

A hash function is a mathematical function that converts a numerical input value into another
compressed numerical value. The input to the hash function is of arbitrary length but output

is always of fixed length.


Values returned by a hash function are called message digests or simply hash values. The
following picture illustrates a hash function:
Features of Hash Functions
The typical features of hash functions are:
Fixed Length Output (Hash Value)
A hash function converts data of arbitrary length to a fixed length. This process is often
referred to as hashing the data.

In general, the hash is much smaller than the input data, hence hash functions are sometimes
called compression functions.

Since a hash is a smaller representation of a larger data, it is also referred to as a digest.

o Hash function with n bit output is referred to as an n-bit hash function. Popular
hash functions generate values between 160 and 512 bits.

Efficiency of Operation
o Generally for any hash function h with input x, computation of h(x) is a fast
operation.

o Computationally hash functions are much faster than a symmetric encryption.

Properties of Hash Functions


In order to be an effective cryptographic tool, a hash function should possess the
following properties:
Pre-Image Resistance
o It should be computationally hard to reverse the hash function.

o In other words, if a hash function h produced a hash value z, it should be a difficult
process to find any input value x that hashes to z.

o This property protects against an attacker who has only a hash value (a stored password
hash, for example) and is trying to find an input that produces it. For an n-bit hash the
generic attack costs about 2^n trials.
Second Pre-Image Resistance
o Given an input and its hash, it should be hard to find a different input with the same hash.

o In other words, if a hash function h for an input x produces the hash value h(x), it
should be difficult to find any other input value y such that h(y) = h(x).

o This property protects against an attacker who has an input value and its hash and wants
to substitute a different value for the original input while the hash still matches, for
instance replacing a file whose digest has already been published.
Collision Resistance
o It should be hard to find two different inputs of any length that result in the same
hash. A function with this property is also referred to as collision free.

o In other words, for a hash function h it is hard to find any two different inputs x and
y such that h(x) = h(y).

o Since a hash function compresses arbitrary input to a fixed length, it is impossible for
it not to have collisions; the property only requires that these collisions be hard to
find. Here the attacker chooses both inputs, so the generic (birthday) attack costs only
about 2^(n/2) trials for an n-bit hash. This is why a hash used for signatures needs twice
the output length that pre-image resistance alone would require (SHA-256 offers 128-bit
collision security).

o This property makes it very difficult for an attacker to prepare two documents with the
same hash, have one of them signed, and later present the other as the signed one.

o Also, if a hash function is collision-resistant then it is second pre-image resistant.
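The three properties, as an added example (not from the original notes) that makes the cost difference concrete. It deliberately truncates SHA-256 to 16 bits so that brute-force pre-image, second pre-image and birthday-collision searches finish quickly; the "probe-" inputs are constructed, and the function names are this example's own. It also measures, on full SHA-256, the avalanche effect described later in this section.

```python
import hashlib


def toy_hash(data: bytes, bits: int = 16) -> int:
    """SHA-256 truncated to `bits` bits: a deliberately weak hash so the searches below finish
    in well under a second. Against the full 256-bit output the same searches would need
    about 2^256 (pre-image) and 2^128 (collision) trials."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_preimage(target: int, bits: int = 16, limit: int = 1 << 22):
    """Pre-image search: try constructed inputs until one hashes to `target`.
    Expected cost about 2^bits trials."""
    for i in range(limit):
        candidate = b"probe-" + i.to_bytes(4, "big")
        if toy_hash(candidate, bits) == target:
            return candidate, i + 1
    return None, limit


def find_second_preimage(original: bytes, bits: int = 16, limit: int = 1 << 22):
    """Second pre-image search: the same search, but the answer must differ from `original`."""
    candidate, trials = find_preimage(toy_hash(original, bits), bits, limit)
    if candidate == original:
        return None, trials
    return candidate, trials


def find_collision(bits: int = 16):
    """Birthday attack: any two inputs with the same hash. Expected cost about 2^(bits/2)
    trials, which is why collision resistance, not pre-image resistance, sets the required
    digest size."""
    seen = {}
    i = 0
    while True:
        candidate = b"probe-" + i.to_bytes(4, "big")
        h = toy_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate
        i += 1


def avalanche_bits(a: bytes, b: bytes) -> int:
    """Number of differing output bits of full SHA-256 for two inputs; about 128 of 256 even
    when the inputs differ in a single bit."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    msg = b"constructed sample message"               # constructed input
    _, n_pre = find_preimage(toy_hash(msg))
    _, n_sec = find_second_preimage(msg)
    _, _, n_col = find_collision()
    print(f"16-bit hash: pre-image after {n_pre} trials, second pre-image after {n_sec}, "
          f"collision after {n_col}")
    # 'e' -> 'f' in the last byte flips exactly one input bit
    print("SHA-256 avalanche:", avalanche_bits(msg, b"constructed sample messagf"), "of 256 bits differ")
```

Run it a few times with different `bits` values: the pre-image count grows roughly as 2^bits while the collision count grows only as 2^(bits/2), which is the whole argument for 256-bit digests when an attacker may choose both inputs.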

Design of Hashing Algorithms

At the heart of hashing is a compression function: a mathematical function that takes two
fixed-size blocks of data (the current chaining value and one message block) and produces a
fixed-size output. This function forms part of the hashing algorithm.

The size of each data block varies with the algorithm. Typically block sizes range from 128
bits to 512 bits. The following illustration shows the compression function:

The hashing algorithm applies the compression function round after round, much as a block
cipher applies its round function. Each round takes an input of a fixed size, typically the
most recent message block together with the output of the previous round.

This is repeated for as many rounds as are required to hash the entire message (after the
message has been padded to a whole number of blocks, with its length appended). A schematic
of the hashing algorithm is depicted in the following illustration:

Since the output for the first message block becomes an input to the second compression,
whose output alters the result of the third, and so on, a change anywhere in the message
propagates to the final hash value. Together with the strong diffusion inside the compression
function this gives the avalanche effect.

The avalanche effect results in substantially different hash values for two messages that
differ by even a single bit of data: on average about half of the output bits change.
Note the difference between the hash (compression) function and the hashing algorithm. The
compression function generates a hash code by operating on two blocks of fixed-length binary data.

The hashing algorithm is the process for using that function: it specifies how the message
is broken up and padded, and how the results from previous message blocks are chained
together. MD5, SHA-1 and the SHA-2 family all follow this chained design, known as the
Merkle-Damgard construction.

Popular Hash Functions


Let us briefly see some popular hash functions:

Message Digest (MD)


MD5 was the most popular and widely used hash function for many years.

The MD family comprises the hash functions MD2, MD4, MD5 and MD6. MD5 is specified in
RFC 1321 (1992) and produces a 128-bit hash value.

MD5 digests have been widely used in the software world to provide assurance about the
integrity of transferred files. For example, file servers often publish a pre-computed
MD5 checksum so that a user can compare it with the checksum of the downloaded file. This
only detects accidental corruption: an attacker who can replace the file can usually replace
the published checksum too, and can in any case construct colliding files.

In 2004 collisions were found in MD5; the analytical attack reportedly succeeded in about
an hour on a computer cluster. Collision finding has since become practical on an ordinary
computer, and chosen-prefix collisions have been used to forge certificates and software
signatures. MD5 is therefore no longer recommended for any use that depends on collision
resistance, such as digital signatures, certificates or file integrity against an active
attacker.

MD5

The MD5 function is a cryptographic hash algorithm that takes an input of arbitrary length
and produces a message digest that is 128 bits long. The digest is sometimes also called the
"hash" or "fingerprint" of the input. MD5 was used in many situations where a potentially
long message needed to be processed or compared quickly; historically its most common
application was the creation and verification of digital signatures.

MD5 was designed by the well-known cryptographer Ronald Rivest in 1991. In 2004 serious
flaws were found in MD5, and practical collision attacks followed; it remains acceptable
only as a non-cryptographic checksum.
How MD5 works
Preparing the input

The MD5 algorithm processes the input in blocks of 512 bits. Before processing, the input is
padded: a single 1 bit is appended, followed by as many 0 bits as are needed to bring the
length to 64 bits less than a multiple of 512. Then 64 bits recording the length of the
original input (in bits) are appended, so that the padded message is an exact multiple of
512 bits. Padding is always applied, even when the input is already a multiple of 512 bits.
Next, each block is divided into 16 words of 32 bits each. These are denoted M0 ... M15.

MD5 helper functions

The buffer

MD5 uses a buffer that is made up of four words that are each 32 bits long. These
words are called A, B, C and D. They are initialised (given here as byte sequences,
low-order byte first, as in RFC 1321) as

word A: 01 23 45 67   (the 32-bit value 0x67452301)
word B: 89 ab cd ef   (0xEFCDAB89)
word C: fe dc ba 98   (0x98BADCFE)
word D: 76 54 32 10   (0x10325476)
The table
MD5 further uses a table K that has 64 elements. Element number i is written Ki. The
table is computed beforehand to speed up the computation. The elements are derived from
the sine function:

Ki = floor(abs(sin(i + 1)) * 2^32), for i = 0 ... 63

Four auxiliary functions


In addition MD5 uses four auxiliary functions that each take as input three 32-bit
words and produce as output one 32-bit word. They apply the logical operators and,
or, not and xor to the input bits.

F(X,Y,Z) = (X and Y) or (not(X) and Z)

G(X,Y,Z) = (X and Z) or (Y and not(Z))

H(X,Y,Z) = X xor Y xor Z

I(X,Y,Z) = Y xor (X or not(Z))

Processing the blocks


The contents of the four buffer words (A, B, C and D) are now mixed with the words of
the input block, using the four auxiliary functions (F, G, H and I). There are four rounds,
one per function, each involving 16 basic operations, 64 in all. One operation is
illustrated in the figure below.

The figure shows how the auxiliary function F is applied to the four buffer words (A, B, C
and D) together with a message word Mi and a constant Ki. The item "<<<s" denotes a
circular left rotation (not a plain shift) by s bits; the rotation amount depends on the
round and the operation. After each block, the four words obtained are added modulo 2^32 to
the buffer values from before the block.
The output
After all blocks have been processed, the buffer words A, B, C and D, output in that order
with each word low-order byte first, form the 128-bit MD5 digest of the original input.
Secure Hash Function (SHA)
The SHA family comprises four algorithms: SHA-0, SHA-1, SHA-2 and SHA-3. Although they share a
name, they are structurally different (SHA-0, SHA-1 and SHA-2 share the chained design
described above; SHA-3 is built on an entirely different "sponge" construction).

The original version, SHA-0, a 160-bit hash function, was published by the National
Institute of Standards and Technology (NIST) in 1993. It had weaknesses and did not
become very popular. In 1995 SHA-1 was published to correct alleged weaknesses of SHA-0.

SHA-1 was for many years the most widely used of the SHA hash functions, employed in
widely used applications and protocols including Secure Socket Layer (SSL) and TLS. A
practical collision (two different files with the same SHA-1 digest) was demonstrated in
2017, and SHA-1 is now deprecated for digital signatures and certificates; the SHA-2
family (most commonly SHA-256) is the usual replacement.

Background Theory

• SHA was designed by NIST and NSA in 1993, revised in 1995 as SHA-1
• US standard for use with the DSA signature scheme
– the standard is FIPS 180-1 (1995), also Internet RFC 3174
– note: the algorithm is SHA, the standard is the Secure Hash Standard (SHS)
• produces 160-bit hash values
• was for a long time the generally preferred hash algorithm; SHA-2 is now preferred
• based on the design of MD4, with key differences

SHA – OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
– expand the 16 words into 80 words by mixing and shifting
– use 4 rounds of 20 steps each on the message block and buffer
– add the output to the input to form the new buffer value
5. output hash value is the final buffer value

SHA-1 (160-bit digest) - Algorithm Framework

 Step 1: Append Padding Bits....


The message is "padded" with a 1 bit and as many 0 bits as necessary to bring the message
length to 64 bits fewer than a multiple of 512.

 Step 2: Append Length....


64 bits are appended to the end of the padded message. These bits hold the binary
format of 64 bits indicating the length of the original message.

 Step 3: Prepare Processing Functions….


SHA1 requires 80 processing functions defined as:
f(t;B,C,D) = (B AND C) OR ((NOT B) AND D) ( 0 <= t <= 19)
f(t;B,C,D) = B XOR C XOR D (20 <= t <= 39)
f(t;B,C,D) = (B AND C) OR (B AND D) OR (C AND D) (40 <= t <=59)
f(t;B,C,D) = B XOR C XOR D (60 <= t <= 79)
 Step 4: Prepare Processing Constants....
SHA1 requires 80 processing constant words defined as:
K(t) = 0x5A827999 ( 0 <= t <= 19)
K(t) = 0x6ED9EBA1 (20 <= t <= 39)
K(t) = 0x8F1BBCDC (40 <= t <= 59)
K(t) = 0xCA62C1D6 (60 <= t <= 79)

 Step 5: Initialize Buffers….


SHA1 requires 160 bits or 5 buffers of words (32 bits):
H0 = 0x67452301
H1 = 0xEFCDAB89
H2 = 0x98BADCFE
H3 = 0x10325476
H4 = 0xC3D2E1F0

 Step 6: Processing Message in 512-bit blocks (L blocks in total message)….

This is the main task of SHA1 algorithm which loops through the padded and appended
message in 512-bit blocks. Input and predefined functions:

M[1, 2, ..., L]: blocks of the padded and appended message

f(0;B,C,D), f(1;B,C,D), ..., f(79;B,C,D): 80 processing functions

K(0), K(1), ..., K(79): 80 processing constant words

H0, H1, H2, H3, H4: 5 word buffers with initial values

SHA-1 Compression Function

• each round has 20 steps, and each step replaces the 5 buffer words thus:

(A,B,C,D,E) <- ((A <<< 5) + f(t;B,C,D) + E + Wt + Kt, A, B <<< 30, C, D)

where x <<< s is a circular left rotation of the 32-bit word x by s bits and all
additions are modulo 2^32

• A,B,C,D,E are the 5 working words of the buffer, loaded from H0..H4 at the start of
each block
• t is the step number (0 to 79)
• f(t;B,C,D) is the nonlinear function for the round (Step 3)
• Wt is derived from the message block: W0..W15 are the 16 words of the block, and
Wt = (W(t-3) xor W(t-8) xor W(t-14) xor W(t-16)) <<< 1 for t = 16 to 79
• Kt is the round constant for the step (Step 4); unlike MD5's sine-derived table, the
four SHA-1 constants are derived from the square roots of 2, 3, 5 and 10
• after the 80 steps the five working words are added to H0..H4, and the final H0..H4
is the 160-bit digest
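Steps 1 to 6 and the compression function above, as an added Python implementation of SHA-1 written for these notes (it is not the notes' own code, and it is for study only; use hashlib.sha1 for anything real). It also shows the padding-and-chaining design described under "Design of Hashing Algorithms": `sha1_pad` is Steps 1 and 2, `sha1_compress` is one application of the compression function, and `sha1` chains it over the blocks. The function names are this example's own; the output is checked against the standard test vectors.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, s: int) -> int:
    """Circular left rotation of a 32-bit word (the '<<<' of the notes)."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def f(t: int, b: int, c: int, d: int) -> int:
    """Step 3: the round function for step t."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def k(t: int) -> int:
    """Step 4: the round constant for step t."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]


def sha1_pad(message: bytes) -> bytes:
    """Steps 1 and 2: a 1 bit, then 0 bits up to 448 mod 512, then the 64-bit big-endian bit length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_length)


def sha1_compress(h: list, block: bytes) -> list:
    """Step 6 for one 512-bit block: expand 16 words to 80, run the 80 steps,
    then add the result to the incoming chaining value."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        temp = (rotl(a, 5) + f(t, b, c, d) + e + w[t] + k(t)) & MASK32
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]


def sha1(message: bytes) -> str:
    """The hashing algorithm: Step 5 initial buffer, then chain sha1_compress over every
    block of the padded message; the final buffer is the digest."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = sha1_pad(message)
    for offset in range(0, len(padded), 64):
        h = sha1_compress(h, padded[offset:offset + 64])
    return "".join(f"{word:08x}" for word in h)


if __name__ == "__main__":
    for sample in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        assert sha1(sample) == hashlib.sha1(sample).hexdigest()
        print(sha1(sample), sample)
```

Because the digest is simply the final chaining value, anyone who knows sha1(m) and the length of m can continue hashing from that state; this is why a bare hash of key||message is not a secure message authentication code and constructions such as HMAC are used instead.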


PUBLIC KEY INFRASTRUCTURE
DIGITAL SIGNATURES

Digital signatures are the public-key primitive of message authentication. In the physical world
it is common to use handwritten signatures on handwritten or typed messages; they bind the
signatory to the message.

Similarly, a digital signature is a technique that binds a person or entity to digital data. This
binding can be independently verified by the receiver as well as by any third party.

A digital signature is a cryptographic value calculated from the data and a secret key known
only to the signer.

In the real world, the receiver of a message needs assurance that the message came from the
sender, and the sender should not be able to repudiate having originated it. This requirement
is crucial in business applications, where the likelihood of a dispute over exchanged data is high.

Model of Digital Signature

As mentioned earlier, the digital signature scheme is based on public key cryptography. The
model of digital signature scheme is depicted in the following illustration:

The following points explain the entire process in detail:


Each person adopting this scheme has a public-private key pair.

Generally, the key pairs used for encryption/decryption and signing/verifying are
different. The private key used for signing is referred to as the signature key and the
public key as the verification key.
The signer feeds the data to the hash function and generates the hash of the data.

The hash value and the signature key are then fed to the signature algorithm, which produces
the digital signature on the given hash. The signature is appended to the data and both are
sent to the verifier.

The verifier feeds the digital signature and the verification key into the verification
algorithm, which produces some value as output.

The verifier also runs the same hash function on the received data to generate its hash value.

For verification, this hash value and the output of the verification algorithm are compared.
Based on the comparison result, the verifier decides whether the digital signature is valid.

Since the digital signature is created with the signer's private key, which no one else has,
the signer cannot later repudiate having signed the data.

Note that instead of signing the data directly with the signing algorithm, usually a hash of the
data is signed. Because the hash function is collision resistant, the hash acts as a unique
representation of the data, so it is sufficient to sign the hash in place of the data. The main
reason for signing a hash rather than the data itself is efficiency; a second reason is security,
since a signature on raw data with RSA inherits the multiplicative structure of the encryption
function (the signature on a product of two messages is the product of their signatures), which
a hash-then-sign scheme with proper padding does not.

Let us assume RSA is used as the signing algorithm. As discussed in the public-key encryption
chapter, the RSA encryption/signing process involves modular exponentiation.

Signing large data through modular exponentiation is computationally expensive and time
consuming, and a single RSA operation can in any case only process a number smaller than the
modulus. The hash of the data is a relatively small digest of the data, hence signing the hash
is far more efficient than signing the entire data.

Importance of Digital Signature

Of all cryptographic primitives, the digital signature using public-key cryptography is
considered a very important and useful tool for achieving information security.

Apart from the ability to provide non-repudiation of a message, the digital signature also
provides message authentication and data integrity. Let us briefly see how this is achieved by
the digital signature:

Message authentication: when the verifier validates the digital signature using the public
key of the sender, he is assured that the signature was created only by the sender who
possesses the corresponding private key, and by no one else.

Data integrity: if an attacker gains access to the data and modifies it, the digital
signature verification at the receiving end fails, because the hash of the modified data and
the output of the verification algorithm do not match. The receiver can therefore safely reject
the message on the assumption that data integrity has been breached.

Non-repudiation: since it is assumed that only the signer knows the signature key, only he
can create a valid signature on given data. The receiver can therefore present the data and
the digital signature to a third party as evidence if any dispute arises in the future. This
holds only as long as the private key has remained secret and the verification key can be
attributed to the signer, which is what certificates provide.

By adding public-key encryption to digital signature scheme, we can create a cryptosystem that
can provide the four essential elements of security namely: Privacy, Authentication, Integrity, and
Non-repudiation.

Encryption with Digital Signature

In many digital communications it is desirable to exchange encrypted messages rather than plaintext
to achieve confidentiality. In a public-key encryption scheme the receiver's public (encryption)
key is in the open domain, so anyone can encrypt a message to the receiver while claiming to be
some other sender: encryption alone proves nothing about who sent the message.

This makes it essential for users employing PKC for encryption to add digital signatures to the
encrypted data if they want message authentication and non-repudiation as well.

This is achieved by combining digital signatures with the encryption scheme. Let us briefly discuss
how. There are two possible orders: sign-then-encrypt and encrypt-then-sign.

Each naive order has a known weakness. With sign-then-encrypt, the receiver can decrypt the signed
message and re-encrypt it to a third party, who then sees a valid signature from the original
sender and may believe the sender addressed the message to him. With encrypt-then-sign, anyone who
intercepts the ciphertext can strip the sender's signature and replace it with his own, claiming
authorship of data he cannot even read. Whichever order is used, the practical remedy is to bind
the identities of the sender and the intended recipient into the data that is signed and
encrypted. The encrypt-then-sign order is depicted in the following illustration:

The receiver, after receiving the encrypted data and the signature on it, first verifies the
signature using the sender's public key. Having confirmed that the signature is valid, he then
recovers the data by decrypting with his own private key.

PUBLIC KEY INFRASTRUCTURE

The most distinctive feature of public-key cryptography (PKC) is that it uses a pair of keys to
achieve the underlying security service. The key pair comprises a private key and a public key.

Since the public keys are in open domain, they are likely to be abused. It is, thus, necessary to
establish and maintain some kind of trusted infrastructure to manage these keys.
Key Management

It goes without saying that the security of any cryptosystem depends on how securely its keys
are managed. Without secure procedures for handling cryptographic keys, the benefits of strong
cryptographic schemes are potentially lost.

Cryptographic schemes are rarely compromised through weaknesses in their design; they are
often compromised through poor key management.
Some important aspects of key management are as follows:

Cryptographic keys are nothing but special pieces of data. Key management refers to the
secure administration of cryptographic keys.

Key management deals with the entire key lifecycle (generation, distribution, storage, use,
rotation and destruction), as depicted in the following illustration:

There are two specific requirements of key management for public-key cryptography:

o Secrecy of private keys. Throughout the key lifecycle, private keys must remain secret
from all parties except the owner and those authorized to use them.

o Assurance of public keys. In public-key cryptography the public keys are in the open
domain and are seen as public pieces of data. By default there is no assurance of whether
a public key is correct, whom it is associated with, or what it may be used for. Key
management of public keys therefore needs to focus much more explicitly on assurance of
the ownership and purpose of public keys.

The most crucial requirement, 'assurance of public key', is achieved through the public-key
infrastructure (PKI), a key management system for supporting public-key cryptography.
Public Key Infrastructure (PKI)

PKI provides assurance of public keys: it binds public keys to identities and governs their
distribution. The anatomy of a PKI comprises the following components:
Public Key Certificate, commonly referred to as a 'digital certificate'.
Private Key tokens.
Certification Authority (CA).
Registration Authority (RA).
Certificate Management System.

Digital Certificate

By analogy, a certificate can be thought of as an ID card issued to a person. People use ID
cards such as a driver's license or passport to prove their identity. A digital certificate
does the same basic thing in the electronic world, but with one difference.

Digital certificates are not only issued to people; they can be issued to computers, software
packages or anything else that needs to prove its identity in the electronic world.

Digital certificates are based on the ITU-T standard X.509, which defines a standard
certificate format for public-key certificates and for certificate validation. Hence digital
certificates are sometimes also referred to as X.509 certificates.
The public key pertaining to the user (the subject) is placed in the digital certificate by
the Certification Authority (CA) along with other relevant information such as the subject's
identifying information, validity period (not-before and not-after dates), permitted key
usage, issuer name and serial number.

The CA digitally signs this entire set of information and includes the signature in the
certificate.

Anyone who needs assurance about the public key and associated information of the subject
carries out signature validation using the CA's public key. Successful validation assures that
the public key given in the certificate belongs to the entity whose details are given in the
certificate, provided the CA's own key is trusted (it is either a root key held in the
verifier's trust store or is itself certified by such a root). A complete validation also
checks that the current time lies within the validity period, that the certificate has not
been revoked, and that the name in the certificate is the one the verifier expected.
The process of obtaining a digital certificate by a person or entity is depicted in the
following illustration.
As shown in the illustration, the CA accepts an application (a certificate signing request
containing the applicant's public key) from a client to certify his public key. The CA, after
duly verifying the identity of the client (a task often delegated to a Registration
Authority), issues a digital certificate to that client.
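The digital signature model (hash the data, sign with the signature key, verify with the verification key, described under "Model of Digital Signature") and the certificate issuance and validation just described, as one added example that is not taken from the notes. The RSA key pairs are toy-sized, built from fixed Mersenne primes so that the script runs offline without key-generation code; the JSON encoding stands in for X.509 DER; the "Toy CA" and "alice@example.test" names and the message are constructed; and the function names are this example's own. The raw-RSA check at the end shows why the hash, rather than the data, is what gets signed.

```python
import hashlib
import json
import time

# Toy key pairs. The primes are Mersenne primes (2^31-1, 2^61-1, 2^89-1, 2^127-1): public,
# fixed, and far too small for real use; chosen only so the script runs offline without
# prime generation. pow(e, -1, m) requires Python 3.8+.
def toy_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # d = e^-1 mod (p-1)(q-1), as in RSA key generation
    return (n, e), (n, d)                      # (verification key, signature key)

CA_PUB, CA_PRIV = toy_keypair((1 << 89) - 1, (1 << 127) - 1)
ALICE_PUB, ALICE_PRIV = toy_keypair((1 << 31) - 1, (1 << 61) - 1)


def digest_as_int(data: bytes, n: int) -> int:
    """Hash the data and map the digest below the modulus (toy step; real schemes use PSS/PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, signature_key) -> int:
    n, d = signature_key
    return pow(digest_as_int(data, n), d, n)                   # signature = H(data)^d mod n


def verify(data: bytes, sig: int, verification_key) -> bool:
    n, e = verification_key
    return pow(sig, e, n) == digest_as_int(data, n)            # sig^e mod n must equal H(received data)


def raw_rsa_is_multiplicative(signature_key, m1: int, m2: int) -> bool:
    """Why a hash is signed rather than the raw data: without hashing, sig(m1)*sig(m2) is a
    valid signature on m1*m2, so an attacker can mint signatures on messages never signed."""
    n, d = signature_key
    return (pow(m1, d, n) * pow(m2, d, n)) % n == pow((m1 * m2) % n, d, n)


# --- Certificate: the CA binds a subject name to a public key by signing the whole record ---
def encode(tbs: dict) -> bytes:
    return json.dumps(tbs, sort_keys=True).encode()            # canonical bytes (stand-in for X.509 DER)


def issue_certificate(ca_signature_key, subject: str, subject_pub, not_before: float,
                      days_valid: int = 365) -> dict:
    tbs = {"subject": subject, "issuer": "Toy CA", "public_key": list(subject_pub),
           "not_before": not_before, "not_after": not_before + days_valid * 86400,
           "usage": "digitalSignature"}
    return {"tbs": tbs, "signature": sign(encode(tbs), ca_signature_key)}


def validate_certificate(cert: dict, ca_verification_key, now: float) -> bool:
    """What a relying party does: check the validity period, then the CA's signature over the
    to-be-signed fields. (Revocation and name matching are omitted in this toy.)"""
    tbs = cert["tbs"]
    if not (tbs["not_before"] <= now <= tbs["not_after"]):
        return False
    return verify(encode(tbs), cert["signature"], ca_verification_key)


def verify_signed_message(message: bytes, sig: int, cert: dict, ca_verification_key, now: float) -> bool:
    """Trust path: trusted CA key -> certificate -> subject's public key -> message signature."""
    if not validate_certificate(cert, ca_verification_key, now):
        return False
    return verify(message, sig, tuple(cert["tbs"]["public_key"]))


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: the CA certifies Alice, Alice signs a message, a verifier checks both."""
    alice_cert = issue_certificate(CA_PRIV, "alice@example.test", ALICE_PUB, not_before=now - 3600)
    message = b"transfer 100 to bob"
    sig = sign(message, ALICE_PRIV)

    tampered = dict(alice_cert, tbs=dict(alice_cert["tbs"], subject="mallory@example.test"))
    rogue = issue_certificate(ALICE_PRIV, "alice@example.test", ALICE_PUB, not_before=now - 3600)  # not CA-signed
    expired = issue_certificate(CA_PRIV, "alice@example.test", ALICE_PUB, not_before=now - 400 * 86400)

    return {
        "valid_chain": verify_signed_message(message, sig, alice_cert, CA_PUB, now),
        "modified_message": verify_signed_message(message + b"0", sig, alice_cert, CA_PUB, now),
        "tampered_cert": validate_certificate(tampered, CA_PUB, now),
        "rogue_issuer": validate_certificate(rogue, CA_PUB, now),
        "expired_cert": validate_certificate(expired, CA_PUB, now),
        "raw_rsa_forgeable": raw_rsa_is_multiplicative(ALICE_PRIV, 12345, 67890),
    }


if __name__ == "__main__":
    for check, outcome in demo(time.time()).items():
        print(f"{check}: {outcome}")
```

Only the first check succeeds; every other line is a failure mode the certificate machinery is designed to catch (altered message, altered certificate fields, an issuer the verifier does not trust, an expired certificate), and the last line shows the forgery that hashing before signing prevents.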
