Network Security Notes

Uploaded by kkshah2005

Network Security

Major Standardization Bodies

1. IETF: The Internet Engineering Task Force (IETF) is a large, open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Its standards are published in the form of RFCs (Request for Comments).
2. ITU-T: ITU is the United Nations specialized agency for information and communication technologies. ITU-T is one of the three sectors of the International Telecommunication Union (ITU); it coordinates standards for telecommunications.
3. NIST: The National Institute of Standards and Technology (NIST) is the US federal technology agency that works with industry to develop and apply technology, measurements, and standards.
4. ISO: The International Organization for Standardization (ISO) is a non-governmental international standard-setting body composed of representatives from various national standards organizations. It works in several areas, including networking and security.

Information Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications).

The OSI Security Architecture

1. Network security needs a systematic way of defining the security requirements and the approaches to meet them.
2. ITU-T Recommendation X.800 defines a systematic approach for this purpose, focusing on the following three aspects:
   a. Security Attack: Any action that compromises the security of information owned by an organization.
   b. Security Mechanism: A process that is designed to detect, prevent, or recover from a specific security attack.
   c. Security Service: A service that makes use of one or more security mechanisms and provides a specific kind of protection to the system.

Security Attacks

Snooping: Data is intercepted by an unauthorized person. E.g. tapping a line.
Traffic Analysis: The data may be masked, so no information can be extracted from the content itself, but patterns such as sender, receiver, message length and time of the message can still be extracted to make intelligent guesses.
Modification: Some portion of a legitimate message is altered, or the message is delayed.
Masquerading: One entity pretends to be a different entity. E.g. hoax bank sites.
Replaying: Subsequent retransmission of a captured message to produce an unauthorized effect. E.g. fake bill-payment reminders with fake links.
Repudiation: The sender denies that it sent the message, or the receiver denies that it received the message.
Denial of Service: Slowing down or totally interrupting the service of the system. E.g. flooding an exam result server with requests to bring it down.

Passive Attacks: The attacker's goal is just to obtain information (snooping, traffic analysis). The attack does not alter the system or the data.
Active Attacks: The attacker changes the data or harms the system (modification, masquerading, replaying, repudiation, denial of service).

Security Mechanisms

Encipherment: The use of mathematical algorithms to transform data into a form that is not readily intelligible.
Digital Signature: Data appended to a data unit that allows a recipient of the data unit to prove its source.
Access Control: Access rights to the resources are restrained.
Data Integrity: A mechanism to append a check value to the data. The receiver calculates the check value on the received data and compares it with the received check value.
Authentication Exchange: Two entities exchange messages to prove their identities to each other.
Traffic Padding: Insertion of bogus data to thwart traffic analysis.
Routing Control: Discretionary selection of routes between sender and receiver based on the security risks.
Notarization: A trusted third party assures the information exchange.

Security Services

Authentication: The assurance that the communicating entity is the one that it claims to be.
   1. Peer Entity: Sender/receiver authentication in connection-oriented communication.
   2. Data Origin: Data source authentication in connectionless communication.
Access Control: The prevention of unauthorized use of a resource. Access is defined broadly here and can involve read, write, modify, execute etc.
Data Confidentiality: The protection of data from unauthorized disclosure. X.800 is very broad here and encompasses confidentiality of the whole message or of part of the message, and also protection against traffic analysis.
Data Integrity: The assurance that data received is exactly as sent by an authorized entity (i.e. it contains no modification, insertion, deletion, or replay).
Non-Repudiation: Protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.

Availability and the Availability Service

Availability: X.800 defines availability as an inherent property of a system: a system resource must be accessible and usable upon demand by an authorized entity. A variety of attacks can result in the loss or reduction of availability.

The availability service addresses the security concerns raised by denial-of-service attacks. It can be treated as the sixth type of security service.

Security Mechanisms and Services

A security service is a processing or communication service that is provided by a system to give a specific kind of protection to the system resources. Security services are implemented by security mechanisms [RFC 4949]. A mechanism, or a combination of mechanisms, is used to provide a service, and one mechanism can be used in one or more services.

   Security Service        Security Mechanism
   Data Confidentiality    Encipherment, Routing Control
   Data Integrity          Digital Signature
   Non-Repudiation         Digital Signature, Notarization

A Model for Network Security

1. A logical information channel is established by defining a route through the Internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the sender and receiver.
2. An opponent may present a threat to the confidentiality of the message that is being transmitted.
3. Using secret information, the sender secures the original message (encrypts or enciphers it), and using the same secret information the receiver recovers the original message (decrypts or deciphers it).
4. A trusted third party distributes the secret information to both the sender and the receiver.

The Network Security Model

The model for network security on the previous slide shows that there are four basic tasks in designing a particular security service:

1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose (ENCRYPTION/DECRYPTION).
2. Generate the secret information to be used with the algorithm (KEY MANAGEMENT).
3. Develop methods for the distribution and sharing of the secret information (KEY DISTRIBUTION).
4. Specify a protocol to be used by the two users that makes use of the security algorithm and the secret information to achieve a particular security service (IMPLEMENTATION).

Techniques to Implement Security Mechanisms

Cryptography: in Greek it means "secret writing". In network security it means the science of transforming messages to make them secure and immune to attacks. It covers:
a. Symmetric-Key Encipherment
b. Asymmetric-Key Encipherment
c. Data Integrity
d. Mutual Trust

Steganography: in Greek it means "covered writing". In contrast with cryptography, it means concealing the existence of the message itself by covering it with something else. Example: a letter written on paper using onion juice or ammonium salts, which is not visible unless exposed to heat; a message hidden in a painting etc.

Symmetric-Key Encipherment

The sender encrypts the message using an encryption algorithm and the receiver decrypts the message using a decryption algorithm. Symmetric-key encipherment uses a single secret key for both encryption and decryption. It is analogous to the sender putting the message in a box and locking the box with a shared key; the receiver opens the box with the same shared key and takes out the message.

Asymmetric-Key Encipherment

To send a secure message, the sender first encrypts the message using the receiver's public key. To decrypt the message, the receiver uses its own private key.
Data Integrity and Mutual Trust

Data Integrity: Different cryptographic techniques to ensure data integrity, e.g. hashing and message digests.
Mutual Trust: Different methods for key generation and distribution; entity authentication and notarization methods.

Computer Networks: A Layered Architecture

1. Similar to the way an airline's functions are organized, a modern computer network can be designed in a layered architecture.
2. A layer can be implemented in software, in hardware, or in a combination of the two. An application (e.g. HTTP) is usually implemented in software, whereas the physical layer and the data link layer are implemented in hardware (e.g. network interface cards).
3. The rules by which two peer entities (hosts) communicate at a given layer are called a protocol. Taken together, the protocols of the various layers are called the protocol stack.

Networking Packetization

How to Analyze Packets?

An engineer captured some traffic using a packet capture tool. The hex dump of a TCP segment, starting from the TCP header, is:

   00 19 05 BE 05 59 54 39 0D 57 59 A9 50 18 FF FF 7B 2E 00 00 33 35 34 20 67 6F 20 61 68 65 61 64 0D 0A 2E 0D 0A

The TCP header carries no options. What is being conveyed through this TCP segment?

1. What is the source port address?
   The 16 bits for the source port are 00 19 in hexadecimal, that is 25 in decimal.
2. So, who is sending this message?
   An SMTP server.
3. How do we know that?
   TCP port 25 is the well-known port of an SMTP server.
4. What is being conveyed by the TCP segment?
   The data after the 20-byte TCP header: 33 35 34 20 67 6F 20 61 68 65 61 64 0D 0A 2E 0D 0A
5. But what is it?
   SMTP is an ASCII-based protocol. The equivalent ASCII text is "354 go ahead" CRLF "." CRLF.

Question: A few bytes are captured during some transmission using a packet capture tool like Wireshark. The hex dump of an IPv4 datagram, starting from the IPv4 header, is:

   45 00 00 49 24 4d 40 00 80 06 30 67 c0 a8 01 04 d9 0c 0b 42 05 be 00 19 0d 57 59 60 05 59 54 29 50 18 ff 3c 1c f1 00 00 4d 41 49 4c 20 46 52 4f 4d 3a 20 3c 78 78 78 78 78 78 40 78 78 78 78 78 2e 63 6f 2e 75 6b 3e 0d 0a

The IP and TCP headers carry no options. Answer the following questions:

1. What are the source and destination IP addresses? Answer in dotted decimal notation.
2. From which byte do we know that it is TCP, and how?
3. What are the source and destination port numbers?
4. What application protocol data is present in the datagram?
5. What is the direction of the data? Server to client or client to server?
6. What application message is being conveyed?
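The decoding walked through above, as an added example that is not part of the notes: a small IPv4/TCP header decoder written for this page. It takes the two hex dumps quoted above (copied from the notes), reads the header fields with struct, and classifies the application protocol and direction from the well-known port. The function names, the WELL_KNOWN_PORTS table and the option/length checks are assumptions made here, not something the notes specify.

```python
"""Decode IPv4 and TCP headers from a hex dump (added helper, not the notes' own code)."""
import struct

TCP_FLAG_NAMES = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                  ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
# The notes only rely on SMTP (25); the other entries are assumed for illustration.
WELL_KNOWN_PORTS = {25: "SMTP", 80: "HTTP", 443: "HTTPS"}

# Both dumps are copied from the notes: a bare TCP segment and a full IPv4 datagram.
SEGMENT_DUMP = ("00 19 05 BE 05 59 54 39 0D 57 59 A9 50 18 FF FF 7B 2E 00 00 "
                "33 35 34 20 67 6F 20 61 68 65 61 64 0D 0A 2E 0D 0A")
DATAGRAM_DUMP = ("45 00 00 49 24 4d 40 00 80 06 30 67 c0 a8 01 04 d9 0c 0b 42 "
                 "05 be 00 19 0d 57 59 60 05 59 54 29 50 18 ff 3c 1c f1 00 00 "
                 "4d 41 49 4c 20 46 52 4f 4d 3a 20 3c 78 78 78 78 78 78 40 78 "
                 "78 78 78 78 2e 63 6f 2e 75 6b 3e 0d 0a")


def hex_to_bytes(dump):
    """Turn a whitespace-separated hex dump, as copied from a capture tool, into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_tcp(segment):
    """Parse a TCP header (RFC 793 layout); returns the fields plus options and payload."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes (5 words = 20)
    flags = off_flags & 0x01FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": data_offset,
        "flags": [name for name, bit in TCP_FLAG_NAMES if flags & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def parse_ipv4(datagram):
    """Parse an IPv4 header (RFC 791) and, when the protocol byte is 6, the TCP segment inside."""
    if len(datagram) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", datagram[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(datagram):
        raise ValueError("not a complete IPv4 datagram")
    packet = {
        "version": version, "header_len": ihl, "total_len": total_len, "id": ident,
        "dont_fragment": bool(frag & 0x4000), "ttl": ttl,
        "protocol": proto,                       # byte 9 of the header: 6 = TCP, 17 = UDP
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    body = datagram[ihl:total_len]               # anything after total_len is capture padding
    packet["tcp"] = parse_tcp(body) if proto == 6 else None
    return packet


def describe(tcp):
    """Name the application protocol and the direction from whichever port is well known."""
    if tcp["src_port"] in WELL_KNOWN_PORTS:
        return WELL_KNOWN_PORTS[tcp["src_port"]], "server to client"
    if tcp["dst_port"] in WELL_KNOWN_PORTS:
        return WELL_KNOWN_PORTS[tcp["dst_port"]], "client to server"
    return "unknown", "unknown"


if __name__ == "__main__":
    seg = parse_tcp(hex_to_bytes(SEGMENT_DUMP))
    print(seg["src_port"], seg["dst_port"], seg["flags"], seg["payload"], describe(seg))
    pkt = parse_ipv4(hex_to_bytes(DATAGRAM_DUMP))
    print(pkt["src"], pkt["dst"], pkt["protocol"], pkt["tcp"]["payload"], describe(pkt["tcp"]))
```

Running it on the second dump answers the six questions above; note that the decoder checks the data offset and total length before slicing, which a real capture parser must do because a malformed header is the usual way such tools are crashed.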

Cryptography Terminology

1. Plaintext: An original message in its as-it-is form.
2. Ciphertext: A coded message. It cannot be understood just by reading it.
3. Encryption (Enciphering): The process of converting plaintext to ciphertext.
4. Decryption (Deciphering): The process of restoring plaintext from ciphertext.
5. Cryptographic System (Cipher): A scheme/algorithm used for encryption.
6. Cryptography: The area of study of the schemes/algorithms used for encryption/decryption.
7. Cryptanalysis: The area in which techniques are used for deciphering a message without any knowledge of the enciphering details. Colloquially called "breaking the code". Ethical or unethical?
8. Cryptology: The areas of cryptography and cryptanalysis taken together.

Hash Function

1. In cryptography, a hash function (H) accepts a variable-length message (M) and produces a fixed-size hash value (h). Mathematically, h = H(M). Here h is called the hash code, digest, hash sum etc.
2. A good hash function is expected to produce random-looking and evenly distributed hash codes, always of the same size.
3. It is an important concept for network security because:
   a. Irrespective of the length of the input message, the hash code length is always the same, so the storage and transmission overhead can be estimated.
   b. Even for a small change in the contents of the message, the hash code turns out to be different, so it can detect whether the message was subjected to a modification attack.
4. The hashing function takes an input m and produces a fixed-size code H(m) as output. The output is called the hash code or the digest.
5. Example: the Cyclic Redundancy Check (CRC) used in layer-2 networking protocols can be considered a (non-cryptographic) hashing function.
6. In network security it is a requirement that it should be computationally infeasible to find another message n for which H(n) = H(m).
7. The above property essentially means that an intruder should not be able to substitute or modify the original message in such a way that the hash code remains intact.
8. The hashing function, and thus the hash code, is used for data integrity checking.
9. Checksum: an example of a poor hashing function; the message is altered but the checksum (hash code) does not change:

Digital Signature

1. We have reviewed that in asymmetric (public) key cryptography there is a concept of a public key (PU) and a private key (PR). PR is known only to its owner (the receiver in the encryption scenario). PU is shared with senders who are expected to send encrypted messages to the owner.
2. Public (Asymmetric) Key Encipherment Scenario: Let us say there is a sender X and a receiver Y. X encrypts the data with the PU of Y, and Y decrypts the data with its own PR after receiving it.
3. Added Digital Signature Scenario: While sending the data, X also calculates the hash code of the data and encrypts it using its own PR. This encrypted hash code is called the digital signature. The data and the signature are sent together to Y.
4. When Y receives the data, it decrypts the data using its own PR and decrypts the signature using X's PU.
5. After decryption, Y recalculates the hash code on the data and compares it with the decrypted signature. If both match, it establishes that there was no modification attack on the data and that the signature was produced with X's private key. Otherwise, Y may discard the data.

How Digital Signature Works
Message Authentication Code (MAC)

1. Let us say there is a sender X and a receiver Y.
2. Both users have a shared secret code β. It is also called the MAC key.
3. X creates a message m, concatenates it with β, and then calculates the hash code on the combined data. The hash code is appended to m and then transmitted to Y. The calculated hash code is called the Message Authentication Code (MAC), with H as the hashing function.
4. So Y receives [m + H(m, β)], also written [m || H(m, β)].
5. Y, having the same β, calculates H(m, β) and compares it with the received H(m, β) to verify the authenticity of the sender and the integrity of m.
6. Does the MAC prove that the message came from the intended sender? (Only that it came from someone holding β, which could be X or Y itself.)
7. What if an attacker records this transmission and replays it? (The MAC still verifies, so the replayed message is accepted unless something in it is fresh.)
8. To avoid the replay attack, the sender and receiver can exchange a random number (nonce) per session that is included in the MAC input along with β. The value of β can be changed as frequently as desired.
9. But how is β shared in the first place? That exchange can itself be subject to attack!

High Level Flow of Events

Public Key Certificate

1. Public key certificates are issued by an established Certificate Authority (CA) after a rigorous verification procedure.
2. ITU-T X.509 specifies the standard and syntax for public key certificates.
3. Once the CA verifies the entity (subject) who needs the certificate, a certificate is issued to it which binds a specific public key to that entity. The private key of the pair is retained by the entity and the public key can be shared.
4. A certificate contains useful information such as the subject's (owner's) name, the subject's public key, the issuer name, the validity period etc.
5. An entity can distribute its certificate to other users (how?). A certificate carries a certificate signature value, which the receiver can verify using the CA's public key.
6. A CA has provided the certificate to the Google email server.
7. When users access Gmail, the browser address bar shows the lock.
8. After clicking the lock, the certificate details can be seen.
9. A few important fields are:
   a. Subject: to whom the certificate is issued (here it is Google).
   b. Subject Public Key Algorithm: which asymmetric algorithm the key is to be used with.
   c. Subject's Public Key: the value of the public key. Now it is available to the users.
   d. Certificate Signature Algorithm: which algorithm the CA used to calculate the signature of the certificate.
   e. Certificate Signature Value: the value of the signature.
   f. Fingerprint (or Thumbprint): a hash value of the complete certificate, used to check whether two copies are the same certificate.

How is the Certificate Signature verified?

1. Certificates are issued by the CA to the subjects along with the CA signature value and the algorithm which was used to calculate the signature.
2. Subjects share the certificate with users.
3. Users (browsers) verify the certificate by verifying the CA signature value.
4. The question is: how?
5. Users (browsers) recalculate the hash code of the signed portion of the certificate and compare it with the hash code recovered from the signature value carried in the certificate.
6. The CA's signature is an encrypted hash code, so the CA's public key is required for the decryption.
7. Browsers store or have access to the public keys of different CAs (run certmgr.msc from the Windows command prompt to see the stores), and use them to decrypt the signature and get the hash code.
8. The decrypted signature value and the calculated hash code are compared to establish authenticity.
9. Once a certificate is verified, it can be used to obtain the public key of the subject.

Pretty Good Privacy (PGP)

1. PGP was created by Philip R. Zimmermann. He is a member of and leading advisor to many universities, Internet and security research groups.
2. It provides protection from confidentiality and integrity attacks on e-mail and file storage applications.
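The hash function points (a fixed-size digest, a checksum as a poor hash, modification detection) and the MAC flow above, including the replay question, as one added example that is not part of the notes. It uses Python's hashlib and hmac from the standard library; the two messages, the additive checksum and the Receiver class are constructed here for illustration, and the replay guard uses a per-message nonce remembered by the receiver rather than the notes' per-session nonce.

```python
"""Checksum vs cryptographic hash vs keyed MAC with replay protection (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample messages: TAMPERED is a permutation of the bytes of ORIGINAL.
ORIGINAL = b"PAY 10 TO ALICE, 90 TO BOB"
TAMPERED = b"PAY 90 TO ALICE, 10 TO BOB"


def sum_checksum(data):
    """A poor 'hash': the 16-bit sum of all bytes. Reordering bytes leaves it unchanged."""
    return sum(data) & 0xFFFF


def digest(data):
    """Cryptographic hash h = H(M): fixed 256-bit size, and any change to M changes h."""
    return hashlib.sha256(data).hexdigest()


def mac(message, key, nonce=b""):
    """MAC over nonce || m with the shared secret (beta in the notes) as the key.
    HMAC (RFC 2104) is used rather than hashing the raw concatenation H(m || beta)."""
    return hmac.new(key, nonce + message, hashlib.sha256).hexdigest()


def verify_mac(message, key, tag, nonce=b""):
    """Constant-time comparison so the check itself does not leak the expected tag."""
    return hmac.compare_digest(mac(message, key, nonce), tag)


class Receiver:
    """Receiver Y: accepts (nonce, m, MAC) only if the MAC verifies and the nonce is fresh."""

    def __init__(self, key):
        self.key = key
        self.seen = set()

    def accept(self, nonce, message, tag):
        if nonce in self.seen:                       # a recorded transmission played back
            return False
        if not verify_mac(message, self.key, tag, nonce):
            return False                             # m or the MAC altered, or wrong key
        self.seen.add(nonce)
        return True


def checksum_collision_demo():
    """Returns (checksum_unchanged, sha256_unchanged) for the tampered message."""
    return (sum_checksum(ORIGINAL) == sum_checksum(TAMPERED),
            digest(ORIGINAL) == digest(TAMPERED))


def replay_demo():
    """X sends once; an attacker replays the capture, then edits m but keeps the MAC.
    Returns (first_accepted, replay_accepted, forgery_accepted)."""
    beta = secrets.token_bytes(32)                   # assumed shared out of band
    y = Receiver(beta)
    nonce = secrets.token_bytes(16)
    tag = mac(ORIGINAL, beta, nonce)
    return (y.accept(nonce, ORIGINAL, tag),
            y.accept(nonce, ORIGINAL, tag),
            y.accept(secrets.token_bytes(16), TAMPERED, tag))


if __name__ == "__main__":
    print("same checksum, same digest:", checksum_collision_demo())
    print("accepted, replayed, forged:", replay_demo())
```

The checksum demo shows why item 9 above matters: swapping the two amounts leaves the byte sum untouched while SHA-256 changes completely. The replay demo answers questions 6 and 7: a valid MAC only proves possession of β, and without a fresh nonce the receiver cannot tell a replay from the first transmission.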
3. PGP was first published on the Internet in 1991.
4. Many products and web browser plug-ins use PGP for providing e-mail security.
5. It is based on cryptographic algorithms that are time-tested, reviewed and considered extremely safe.
6. Originally it was not created with any standardization in mind, but it is now on the standards track with IETF RFC 4880 and RFC 3156.

E-Mail Integrity using PGP

How to ensure that integrity is maintained for the e-mail that is received? That is, it was not subjected to unauthenticated modification or destruction, and it is indeed coming from the source it claims to come from.

Approach using Digital Signature:

1. A hash code (digest) of the message is generated, encrypted with the sender's private key, and sent prepended to the message.
2. The receiver decrypts the hash code with the sender's public key and recalculates the hash code on the message.
3. E-mail integrity is maintained if the decrypted hash code and the recalculated hash code match.
4. Compression can be applied over the whole packet to conserve bandwidth.

Sender Side Procedure

Receiver Side Procedure

E-Mail Confidentiality using PGP

How to ensure that confidentiality is maintained for the e-mail that is received? That is, it was not accessed or viewed by anyone other than the intended recipient.

Approach using Encryption:

1. The sender encrypts the message (along with its encrypted hash code) using symmetric-key encryption with a key called the one-time session key.
2. The session key itself is encrypted using the public key of the receiver (asymmetric-key encryption) and prepended to the encrypted message.
3. The receiver uses its private key to decrypt the session key.
4. The receiver then uses the session key to decrypt the message.

Sender Side Procedure

Receiver Side Procedure

Exercise

1. Host-A sends a few TCP segments to host-B. Segment-M contains 30 bytes and starts with sequence number 46, segment-N contains 99 bytes and starts with sequence number 76, and segment-O contains 375 bytes and starts with sequence number 375. Assume that host-B acknowledges each received segment, no segment is lost during transmission, and host-B receives the first three segments in the order M, N and then O:
   a. After receiving segment-O, what acknowledgment number will be sent by host-B?
   b. If a segment-P with sequence number 325 containing 50 bytes is received after segment-O, with what number will it be acknowledged by host-B?
2. For a user X, KX# represents its public key, KX$ its private key, and K a symmetric key that it can use with any other user who also has K. If X wants to encrypt a message m with its private key, it is represented as KX$(m); the message hash digest as H(m); and the append operation as a + sign. User A sends a message m to user B where the digital signature of the message is appended to the message. The whole data is then encrypted using the symmetric key. Assuming A and B both have the same symmetric key, obtain the mathematical expression for what is received by user B. Use the notation explained above.
3. In PGP, why did the sender use a symmetric key to encrypt the message? It had the public key of the receiver, so it could very well have used asymmetric encryption instead.

Classical Encryption Techniques

Kerckhoffs' Principle

Auguste Kerckhoffs, a 19th-century professor of languages and a cryptographer in Paris, formulated that one should always assume that an adversary knows the encryption and decryption algorithm. The resistance of the cipher to attack must be based only on the secrecy of the key.

Shannon's Maxim: Kerckhoffs's principle was reformulated by Claude Shannon as "the enemy knows the system", i.e., "one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them".

Security Criteria

1. An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available and no matter how much time an attacker or analyst has.
2. Apart from the one-time pad, there is no practical encryption algorithm that is unconditionally secure. Therefore, the aim is to meet one of the following criteria:
   a. The cost of breaking the cipher exceeds the value of the encrypted information.
   b. The time required to break the cipher exceeds the useful lifetime of the information.
3. An encryption scheme is said to be computationally secure if either of the above two criteria is met.

mod Function

1. mod is a type of remainder function that is widely used in cryptography.
2. r = a mod n, where:
   r is called the remainder or residue,
   a is called the dividend,
   n is called the divisor or modulus.
3. If 0 <= a < n, then r = a.
4. If a is negative, then the final r = (obtained r) + n.

Examples:
1. 23 mod 11 = 1
2. 19 mod 19 = 0
3. 19 mod 22 = 19
4. -13 mod 12 = -1, and the final r = -1 + 12 = 11
5. -7 mod 10 = -7, and the final r = -7 + 10 = 3
6. In cryptography we will not come across situations where the divisor (modulus) is negative.
7. Note: when n is the divisor, the remainder can only be from 0 to (n - 1).

English Letter Encoding

1. Subsequent slides use the following encoding.
2. The 26 letters of the English alphabet are mapped in sequence to 0 to 25.
3. A few texts and references write plaintext in lower case and ciphertext in upper case, but that is not really necessary unless specified.

Substitution Techniques

Caesar Cipher

1. The Caesar cipher is the earliest known and the simplest example of a substitution cipher. It is said to have been used by Julius Caesar.
2. The Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 (or, in general, k) places further down the alphabet.
3. For example, usage of the Caesar cipher in English with the following key (e.g. a is substituted by D):
   a. Plaintext (p):   a b c d e f g h i j k l m n o p q r s t u v w x y z
   b. Ciphertext (C):  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
4. Mathematically, plaintext a = 0, so its ci
phertext = (0 + 3) mod 26 = 3 = D.
5. Similarly, ciphertext E = 4, so its plaintext = (4 - 3) mod 26 = 1 = b.
6. If the sentence "meet me after party" is to be encrypted, its Caesar cipher will be: PHHW PH DIWHU SDUWB
7. How are x, y and z (the last three letters of the plaintext alphabet) substituted by A, B and C?
8. x is equal to 23, so its ciphertext will be (23 + 3) mod 26 = 0, that is A. Similarly for y and z.
9. The mod function provides the mechanism to wrap around within the same range.
10. Let us say p is a plaintext letter; C would be its corresponding ciphertext when the encryption function E with key k = 3 is applied, so the relationship can be expressed as:
    a. C = E(p, 3) = (p + 3) mod 26
11. Similarly, the decryption function (D) can be written as:
    a. p = D(C, 3) = (C - 3) mod 26
12. Instead of 3, it can be generalized to any number k:
    a. C = E(p, k) = (p + k) mod 26 for encryption
    b. p = D(C, k) = (C - k) mod 26 for decryption

Examples

1. Using k = 15 and the Caesar cipher, encrypt the message "hello".
2. Using k = 15 and the Caesar cipher, decrypt the message "WTAAD".

Playfair Cipher

Introduction

1. The Playfair cipher was developed by the British scientist Sir Charles Wheatstone in 1854, but he named it after his friend Baron Playfair. Its steps follow below.
2. It uses a 5x5 matrix of letters built from a keyword. For example, a matrix is constructed below using the keyword NETWORK. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetical order. The letters I and J count as one letter. If I or J is in the keyword, two other consecutive letters can be selected and counted as one.

   N E T W O
   R K A B C
   D F G H I/J
   L M P Q S
   U V X Y Z

3. The Playfair cipher works on pairs of two letters at a time, which are called digrams. E.g. the word RARE is encrypted taking the pairs RA and RE.
4. It was used during World War I and World War II by the British and US armies.

Procedure

1. If the two letters of the digram fall in the same row, the letters to their immediate right (in wraparound fashion) are taken as their replacements. E.g. ac = BR, rk = KA. While decrypting, the letter to the left is taken.
2. If the two letters of the digram fall in the same column, the letters beneath them (in wraparound fashion) are taken as their replacements. E.g. nu = RN, gp = PX. While decrypting, the letter above is taken.
3. Otherwise, each plaintext letter in the pair is replaced by the letter that lies in its own row and in the column occupied by the other plaintext letter. E.g. fq = HM, gs = IP (or JP). The same rule applies while decrypting.
4. Repeated plaintext letters that would fall in the same digram are separated with a filler letter, such as x. E.g. balloon would be treated as ba lx lo on, and its corresponding ciphertext will be CB PU SN NE. The filler is removed after decrypting.
5. A filler can also be used to complete an incomplete digram (the last one). The filler is removed after decrypting. E.g. the digrams for pet will be pe tx and the ciphertext will be MT AT.
6. The filler letter can be mutually decided by sender and receiver. Decryption of a filler produces a redundant plaintext letter, but the message can still be understood.

Exercise

1. Using the keyword LGDBAQ, decrypt DCSKBO using the Playfair cipher.
2. Why are two English letters counted as one in the Playfair cipher (e.g. I/J in the given example)?
3. Are there any advantages of the Playfair cipher over the Caesar cipher? What are those? (Clue: different keywords and different keys.)
4. Considering space as the 27th character, decrypt EQOGBQP using the Caesar cipher with k = 2. (Answer: COME ON.)

Matrix: Multiplication

Two matrices can be multiplied if the number of columns in the first one is the same as the number of rows in the second one. So a matrix A of size m x n can be multiplied with B of size n x q, and the result will be C of size m x q.

Matrix: Determinant

The determinant is defined only for a square matrix. For a square matrix A of size m x m, it is denoted det(A). It is a scalar quantity and is calculated recursively as shown below:
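The Caesar cipher (items 10-12 and the k = 15 examples) and the Playfair procedure above, as one added example that is not part of the notes. The alphabet, the keyword NETWORK and the test words are taken from the notes; the function names and the rule of never pairing a letter with itself (the filler is replaced by q when the letter is itself x) are assumptions made here. The Caesar function goes slightly beyond the notes by taking an arbitrary alphabet, which is what exercise 4 (space as the 27th character) needs.

```python
"""Caesar and Playfair substitution ciphers (added example, not the notes' own code)."""

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def caesar(text, k, alphabet=LETTERS, decrypt=False):
    """C = (p + k) mod N over an alphabet of N symbols (N = 26 for a-z); D subtracts k.
    Symbols outside the alphabet pass through unchanged, so spaces survive."""
    n = len(alphabet)
    shift = -k if decrypt else k
    out = []
    for ch in text.lower():
        i = alphabet.find(ch)
        out.append(ch if i < 0 else alphabet[(i + shift) % n])   # mod wraps x,y,z to A,B,C
    # the notes write plaintext in lower case and ciphertext in upper case
    return "".join(out) if decrypt else "".join(out).upper()


def playfair_table(keyword):
    """5x5 table as a 25-letter row-major list: keyword letters without repeats,
    then the rest of the alphabet, with J folded into I."""
    table = []
    for ch in (keyword + LETTERS).lower().replace("j", "i"):
        if ch in LETTERS and ch not in table:
            table.append(ch)
    return table


def playfair_digrams(plaintext, filler="x"):
    """Pair the letters; a repeated letter inside a pair is split with the filler and an
    odd trailing letter is completed with it (balloon -> ba lx lo on, pet -> pe tx)."""
    letters = [c for c in plaintext.lower().replace("j", "i") if c in LETTERS]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        fill = filler if a != filler else "q"        # never pair a letter with itself
        b = letters[i + 1] if i + 1 < len(letters) else fill
        if a == b:
            pairs.append(a + fill)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def playfair_pair(table, a, b, step):
    """The three Playfair rules for one pair; step=+1 encrypts, step=-1 decrypts."""
    ra, ca = divmod(table.index(a), 5)
    rb, cb = divmod(table.index(b), 5)
    if ra == rb:                                        # same row: right (left to decrypt)
        return table[ra * 5 + (ca + step) % 5] + table[rb * 5 + (cb + step) % 5]
    if ca == cb:                                        # same column: below (above to decrypt)
        return table[(ra + step) % 5 * 5 + ca] + table[(rb + step) % 5 * 5 + cb]
    return table[ra * 5 + cb] + table[rb * 5 + ca]      # rectangle: own row, other's column


def playfair_encrypt(plaintext, keyword):
    table = playfair_table(keyword)
    return "".join(playfair_pair(table, a, b, +1) for a, b in playfair_digrams(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword):
    """Undo the substitution; fillers are left in place for the reader to drop (balxloon)."""
    table = playfair_table(keyword)
    text = [c for c in ciphertext.lower().replace("j", "i") if c in LETTERS]
    if len(text) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    return "".join(playfair_pair(table, text[i], text[i + 1], -1) for i in range(0, len(text), 2))


if __name__ == "__main__":
    print(caesar("meet me after party", 3), caesar("hello", 15), caesar("WTAAD", 15, decrypt=True))
    print(playfair_encrypt("balloon", "NETWORK"), playfair_decrypt("CBPUSNNE", "NETWORK"))
```

The same two functions solve the exercise above: build the table for LGDBAQ with playfair_table and call playfair_decrypt on DCSKBO, and call caesar with alphabet LETTERS + " " and decrypt=True for EQOGBQP. Note that neither cipher has a key space large enough to resist exhaustive search: 26 Caesar keys, and for Playfair the keyword is recoverable from digram frequencies.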
where A_ij is the matrix obtained from A by deleting the i-th row and the j-th column.

For a 2x2 matrix A = [[a, b], [c, d]], the determinant can be calculated quickly as det(A) = a·d - b·c.

Matrix: Identity and Inverse

1. In an identity matrix I, all the elements are 0 except the main diagonal elements from upper left to lower right, which are all 1.
2. We represent a matrix with an uppercase letter (e.g. M, A, K etc.).
3. The inverse M^-1 of a square matrix M is defined in such a way that M x M^-1 = M^-1 x M = I, where I is the identity matrix.
4. If the determinant of a matrix is 0, it is called a singular matrix, and such a matrix does not have an inverse.

Illustration

Is the following matrix an identity matrix in mod-26 arithmetic?

   [105  78]
   [130  79]

Answer: Yes; because 105 mod 26 = 1, 78 mod 26 = 0, 130 mod 26 = 0 and 79 mod 26 = 1. So the given matrix reduces to

   [1  0]
   [0  1]

which is an identity matrix.

Greatest Common Divisor (GCD)

Euclidean Method

Repeatedly divide: replace the pair (n1, n2) by (n2, n1 mod n2). For 108 and 60:

   n1   n2   q   r
   108  60   1   48
    60  48   1   12
    48  12   4    0
    12   0

1. The process terminates when one of the elements becomes 0. Then the other element is the GCD of the two numbers which were originally taken.
2. So, 12 is the GCD of 108 and 60.
3. The GCD is also called the Highest Common Factor (HCF).

Residue Matrix and Multiplicative Inverse

1. When a number is divided by n, the remainder is always from 0 to (n - 1).
2. Residue Set: Z_n represents this set of elements 0 to (n - 1). E.g. Z_5 = {0, 1, 2, 3, 4} and Z_26 = {0, 1, ..., 25}.
3. Multiplicative Inverse: Two Z_n elements are multiplied and the product is divided by n. If the remainder is 1, these two elements are called multiplicative inverses of each other in Z_n. Examples: 3 and 2 in Z_5 are such elements because (3 x 2) mod 5 = 1. 19 and 11 in Z_26 are such elements because (19 x 11) mod 26 = 1.
4. Test for a Multiplicative Inverse: An element x of Z_n has a multiplicative inverse in Z_n if GCD(x, n) = 1. Here x and n are called relatively prime.
5. Residue Matrix: Cryptography uses residue matrices extensively. A residue matrix is a matrix where all the elements are drawn from Z_n. If n = 26, all elements of a Z_26 matrix are drawn from {0, 1, 2, ..., 25}.
6. A residue matrix M over Z_n will have a multiplicative inverse matrix M^-1, such that M x M^-1 = I:
   a. if the determinant (let us say d) of the matrix M has a multiplicative inverse in the set Z_n;
   b. in other words, if GCD(d, n) = 1, there will be a multiplicative inverse matrix of M.

Multiplicative Inverse in Z_n: Extended Euclidean Method

1. Let us say we need to find whether 11 has a multiplicative inverse in Z_26 and, if yes, what it is.
2. It can be found using the Extended Euclidean Method.
3. Let n1 = 26 and n2 = 11. Here q = quotient and r = remainder. Starting from t1 = 0 and t2 = 1, each step computes t = t1 - q·t2 and then shifts (t1, t2) to (t2, t):

   n1  n2  q  r   t1  t2   t
   26  11  2  4    0   1  -2
   11   4  2  3    1  -2   5
    4   3  1  1   -2   5  -7
    3   1  3  0    5  -7  26
    1   0          -7  26

4. After all the steps, since n1 and n2 reduce to 1 and 0, their GCD is 1 and hence there is a multiplicative inverse of 11 in Z_26.
5. Multiplicative inverse = (last t1) mod 26 = -7 mod 26 = 19.
6. Verification: (19 x 11) mod 26 = 209 mod 26 = 1.
7. Hence 11 and 19 are multiplicative inverses of each other in Z_26.

Matrix: Multiplicative Inverse

1. We know that a square matrix K whose elements are drawn from Z_n will have a multiplicative inverse matrix if GCD(det(K), n) = 1.
2. The multiplicative inverse matrix can be found using the following procedure:
   (K^-1)_ij = (det(K))^-1 · (-1)^(i+j) · D_ji  (mod 26)

where:

1. (det(K))^-1 = the multiplicative inverse of det(K) in Z_26. It can be found using the Extended Euclidean Method.
2. D_ji = the determinant of the matrix obtained from K by deleting the j-th row and the i-th column.

Illustration: Multiplicative Inverse of a Matrix in Z_26

1. There is a Z_26 residue matrix K as shown:

   K = [3  3]
       [2  5]

2. Determinant of K: det(K) = 15 - 6 = 9.
3. Let us find out whether this matrix has a multiplicative inverse in Z_26 using the Extended Euclidean method on 26 and 9.
4. Since the GCD of 9 and 26 is 1, there is a multiplicative inverse of K in Z_26, and the inverse of its determinant, (det(K))^-1, is the final t1 = 3.
5. It can be quickly verified: (9 x 3) mod 26 = 1.
6. Now we find the multiplicative inverse matrix K^-1 using the formula above.
7. K^-1 = 3 · [ 5 -3] mod 26 = [15  -9] mod 26 = [15 17]
             [-2  3]           [-6   9]           [20  9]
8. Verification: K x K^-1 = [105 78] mod 26 = [1 0]
                            [130 79]           [0 1]

Hill Cipher

1. The Hill cipher was developed by the US mathematician Lester Hill in 1929.
2. For the encryption of English-language plaintext, the encryption key (K) in the Hill cipher algorithm is an m x m matrix. The key matrix is a Z_26 residue matrix.
3. The key is selected in such a way that its multiplicative inverse K^-1 as a Z_26 residue matrix also exists. This multiplicative inverse is used for decryption.
4. The numerals corresponding to the English plaintext letters (a to z as 0 to 25) are arranged in a p x m matrix (P).
5. The encryption function to get the ciphertext matrix of size p x m is defined as C = P.K, where all the values in matrix C
   ... multiplicative inverse, but still there is a large count of key possibilities. It makes cryptanalysis more difficult.

Illustration: Hill Cipher Encryption

1. In this illustration, K and K^-1 are used as obtained in the previous illustration.
2. Let us say there is a plaintext NETWORK, arranged in a 4x2 matrix as shown. It is arranged in this order so that it has 2 columns and can be multiplied with K, which has 2 rows. A dummy character X is added at the end because the plaintext needs 8 letters for the matrix arrangement. Each letter is replaced with its number from 0 to 25, and the letters are filled in column by column:

   P = [N O]   [13 14]
       [E R] = [ 4 17]
       [T K]   [19 10]
       [W X]   [22 23]

3. Now, as per the Hill cipher algorithm, the encrypted matrix is C = P.K mod 26:

   C = [15  5]   [P F]
       [20 19] = [U T]
       [25  3]   [Z D]
       [ 8 25]   [I Z]

   Read column by column, the ciphertext is PUZIFTDZ.

Hill Cipher: Decryption

1. Now, given C and K^-1 as above,
2. the encrypted text is decrypted to get the plaintext matrix P = C.K^-1 mod 26, as shown:

   P = [13 14]   [N O]
       [ 4 17] = [E R]
       [19 10]   [T K]
       [22 23]   [W X]

3. The original plaintext NETWORK is retrieved from the ciphertext.

Exercise

Follow the detailed solved example of Hill Cipher Encryption in the worksheet provided through BITS Pilani eLearn to practice the following:
are also in mod 26 form. (1) Matrix Mathematics.
6. The decryption function to get the plaintext from ciphertext is (2) Hill Cipher Encryption and Decryption.
defined as: P= C. 𝑲−𝟏 , where all the values in matrix P are in
mod 26 form.

Hill Cipher algorithm provides a large count of key possibilities.


Although, a key is to be selected in such a way which has

10
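The procedures above (the Extended Euclidean inverse, the inverse of a 2x2 matrix in Z26, Hill encryption C = P.K and decryption P = C.K^-1) as an added, runnable Python example; this is not code from the original notes. The key K = [[3, 2], [3, 5]] is an assumption chosen so that det(K) = 15 - 6 = 9, as in the illustration, and K multiplied by its inverse produces the same four entries (105, 78, 130, 79) seen in the identity-matrix illustration; the ciphertext it yields for NETWORKX follows from the row-vector convention used here and is not the notes' PUZIFTDZ, which comes from their figures.

```python
# Added example (not from the original notes): Extended Euclidean algorithm,
# modular inverse, inverse of a 2x2 matrix in Z26 and a 2x2 Hill cipher.
# KEY is an assumed matrix with det = 15 - 6 = 9, matching the notes' det(K).

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g."""
    s_prev, s = 1, 0  # running coefficients of a
    t_prev, t = 0, 1  # running coefficients of b (the notes' t1/t2 column)
    while b != 0:
        q, r = divmod(a, b)
        a, b = b, r
        s_prev, s = s, s_prev - q * s
        t_prev, t = t, t_prev - q * t
    return a, s_prev, t_prev

def mod_inverse(x, n):
    """Multiplicative inverse of x in Z_n, or None if gcd(x, n) != 1."""
    g, _, t = extended_gcd(n, x)   # s*n + t*x = g, so t*x = g (mod n)
    if g != 1:
        return None
    return t % n                   # e.g. last t1 = -7 -> 19 for x = 11

def matrix_inverse_mod26(k):
    """Inverse of a 2x2 matrix [[a, b], [c, d]] over Z26, or None."""
    (a, b), (c, d) = k
    det = (a * d - b * c) % 26
    det_inv = mod_inverse(det, 26)
    if det_inv is None:
        return None
    # adjugate = transposed cofactor matrix (the notes' D_ji with signs)
    adj = [[d, -b], [-c, a]]
    return [[(det_inv * adj[i][j]) % 26 for j in range(2)] for i in range(2)]

def _row_times_matrix(row, m):
    return [sum(row[i] * m[i][j] for i in range(2)) % 26 for j in range(2)]

def hill_encrypt(plaintext, k):
    """C = P.K with P as rows of 2 letters; pads with X like NETWORK -> NETWORKX."""
    text = plaintext.upper()
    if len(text) % 2:
        text += "X"
    nums = [ord(ch) - 65 for ch in text]
    out = []
    for i in range(0, len(nums), 2):
        out += _row_times_matrix(nums[i:i + 2], k)
    return "".join(chr(v + 65) for v in out)

def hill_decrypt(ciphertext, k):
    """P = C.K^-1: the same multiplication with the inverse key."""
    k_inv = matrix_inverse_mod26(k)
    if k_inv is None:
        raise ValueError("key matrix has no inverse in Z26")
    return hill_encrypt(ciphertext, k_inv)

KEY = [[3, 2], [3, 5]]   # assumed key: det = 9, gcd(9, 26) = 1

if __name__ == "__main__":
    print(mod_inverse(11, 26), mod_inverse(9, 26))   # 19 3, as in the notes
    print(matrix_inverse_mod26(KEY))                 # [[15, 20], [17, 9]]
    c = hill_encrypt("NETWORK", KEY)
    print(c, hill_decrypt(c, KEY))                   # ZUTSPJVF NETWORKX
```

`mod_inverse` returns None for 13 in Z26, which is exactly the case the notes describe: a determinant that shares a factor with 26 gives a key with no inverse, so the check has to happen before a Hill key is accepted.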
Polyalphabetic Cipher

1. The Caesar Cipher is a monoalphabetic substitution cipher. A character in the plaintext will be substituted by a fixed replacement character every time, as long as the key k is fixed.
2. One of the ways to improve the simple monoalphabetic technique is to use different monoalphabetic substitutions as one processes the plaintext message, character by character.
3. The general name for this approach is polyalphabetic substitution cipher.
4. These techniques have the following features in common:
   a. A set of related monoalphabetic substitution rules is used.
   b. A key determines which particular rule is chosen for a given transformation.

Vigenère Cipher

1. One of the simplest polyalphabetic ciphers. Named after Blaise de Vigenère, a 19th century cryptographer in France.
2. There is a sequence of n plaintext letters: P = p0, p1, p2, p3, ... pn-1
3. There is a key consisting of m letters (assuming m < n): K = k0, k1, k2, k3, ... km-1
4. The sequence of n ciphertext letters is calculated as: Ci = (pi + k(i mod m)) mod 26; where i = 0 to (n-1)
5. Similarly, the plaintext is restored from the ciphertext as: pi = (Ci - k(i mod m)) mod 26; where i = 0 to (n-1)
6. Since we assumed that m < n, (i mod m) will wrap around (reuse) the values of the key letters.

Example

Keyword = deceptive
Plaintext message = we are discovered save yourself
Ciphertext will be calculated as follows:

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Vernam Cipher

1. If the key is as long as the plaintext, it could provide an ultimate defence against attack.
2. AT&T Engineer Gilbert Vernam devised such a system in 1918.
3. To explain the procedure of the Vernam Cipher, let us say it has to be applied to the English language of 26 alphabets, which are numbered from 0 to 25 respectively.
4. For encryption: the plaintext alphabets are added to the key alphabets one at a time. If the resulting number is >= 26, then 26 is subtracted from it. The resulting numbers are the ciphertext alphabets.
5. For decryption: the key alphabets are subtracted from the ciphertext alphabets. If the resulting number is < 0, then 26 is added. The resulting numbers are the plaintext.

Vernam Cipher with XOR Operation

1. In binary systems, the Vernam Cipher operation is equivalent to using the XOR (⊕) operation.
2. Example XOR operation for binary numbers:
   110011 ⊕ 001100 = 111111
   111111 ⊕ 001100 = 110011
3. It can be observed that the XOR operation between any two of these numbers results in the third number. This property can be used in the Vernam Cipher.
4. Vernam proposed a key stream generator to generate the key, which would eventually repeat the sequence.

One Time Pad

1. A US army officer, Joseph Mauborgne, proposed an improvement over the Vernam Cipher in 1914.
2. Mauborgne suggested using a random key that is as long as the message, so that the key need not be repeated. In addition, the key is to be used to encrypt and decrypt a single message, and then it is discarded.
3. The One Time Pad is considered the ultimate security in cryptography. But these two issues make it practically unusable:
   a. The large number of random keys and their generation mechanism.
   b. The key distribution mechanism.
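The Vigenère formulas and the Vernam XOR operation above, as an added Python example that is not code from the original notes. It reproduces the deceptive / wearediscoveredsaveyourself example and implements the binary Vernam cipher as byte-wise XOR with a key of the same length, using the one-byte values from the XOR example; the function names are my own.

```python
# Added example (not from the original notes): Vigenère encryption and
# decryption per C_i = (p_i + k_(i mod m)) mod 26, and the Vernam cipher as
# XOR over bytes, where the same key applied twice restores the plaintext.

def _shift(ch, k, sign):
    """Shift a lowercase letter by +k or -k positions mod 26."""
    return chr((ord(ch) - 97 + sign * k) % 26 + 97)

def vigenere_encrypt(plaintext, keyword):
    p = [c for c in plaintext.lower() if c.isalpha()]   # drop spaces
    k = [ord(c) - 97 for c in keyword.lower()]
    m = len(k)
    # k_(i mod m): the key wraps around when it is shorter than the text
    return "".join(_shift(c, k[i % m], +1) for i, c in enumerate(p)).upper()

def vigenere_decrypt(ciphertext, keyword):
    c = ciphertext.lower()
    k = [ord(ch) - 97 for ch in keyword.lower()]
    m = len(k)
    # p_i = (C_i - k_(i mod m)) mod 26
    return "".join(_shift(ch, k[i % m], -1) for i, ch in enumerate(c))

def vernam_xor(data: bytes, key: bytes) -> bytes:
    """Binary Vernam cipher: XOR each data byte with the key byte at the same
    position. Decryption is the same call, because (p ^ k) ^ k == p."""
    if len(key) != len(data):
        raise ValueError("Vernam needs a key exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))

if __name__ == "__main__":
    c = vigenere_encrypt("we are discovered save yourself", "deceptive")
    print(c)                                  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(vigenere_decrypt(c, "deceptive"))   # wearediscoveredsaveyourself
    key = bytes([0b001100])
    ct = vernam_xor(bytes([0b110011]), key)   # 0b111111
    print(bin(ct[0]), bin(vernam_xor(ct, key)[0]))
```

The length check in `vernam_xor` is the one-time-pad condition from the next section in code form: the moment a shorter key is reused across the data, the XOR keystream repeats and the construction is no longer the Vernam/one-time-pad cipher described here.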
What Next?

We have reviewed:

1. Substitution Cipher: something is replaced with something else.
2. Mono-alphabetic like the Caesar and Playfair Ciphers.
3. Poly-alphabetic like Vigenère, Vernam and the One Time Pad.

Let us review now the Transposition Techniques, where:

1. Substitution does not take place.
2. But the original plaintext is scrambled to create the ciphertext.

Transposition Techniques

1. All the techniques examined so far involve the substitution of a plaintext symbol that produces a ciphertext symbol.
2. It is also possible to perform some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.
3. E.g. the plaintext is written row-wise and encrypted by reading it column-wise based on the key. Multiple iterations can be done to make the forged reconstruction difficult.

Rotor Machine (Conceptual Overview)

1. A rotor machine had multiple cylinders where the alphabets on one side of a cylinder map to a different sequence of alphabets on the other side of the same cylinder.
2. Sender and receiver know the initial setting, which is the key.
3. Let us say there is only 1 cylinder that has 6 input pins and 6 output pins, with internal wiring that connects each input pin to a unique output pin. (In an actual machine there will be 26 pins for the English language, with multiple cylinders.)
4. A simple operating procedure could be: the first plaintext character is encrypted at the initial position, the second character with the result of the first rotation, the third character after the second rotation, and so on.
5. For example, if the plaintext is bed, this will encrypt into BCB.
6. The rotor machine and its derivative applications (e.g. Enigma machines) were used in the World Wars.

English Letters (Relative Frequency)

The table in the original notes shows the relative frequency of the English letters in decreasing order. E is used the most and Q/X/Z are used the least.

Relative Performance

1. Normalized relative frequency = frequency of a letter in the plaintext (or a specific ciphertext) / frequency of the letter E in the plaintext.
2. The line labelled as plain text is also the frequency distribution of any monoalphabetic substitution cipher, because the frequency values for individual letters are the same, just with different letters substituted for the original letters.
3. While other ciphers have a tendency similar to plaintext, random polyalphabetic algorithms yield the best results, with no correlation between the most frequently used letters in the plaintext and their corresponding ciphertexts.

Prime Numbers

1. An integer p which is > 1 is a prime number if and only if its only divisors are 1 and p.
2. 2 is the smallest prime and it is the only prime number that is even.
3. So other than 2, all other prime numbers are odd. So, if p ≠ 2, (p-1) is an even number.
4. Prime numbers are practically infinite.
5. Quick and dirty way to check if an integer (n) is prime:
   a. Take the square root of n and take the floor of the square root value. Let us say that is x.
   b. Find out all the prime numbers <= x.
   c. If n is not divisible by any of these prime numbers, then n is a prime number.
6. Example-1:
   a. Floor of √97 = 9 // √97 is 9.8488... But when we take the floor we take the greatest integer <= 9.8488.
   b. Prime numbers <= 9 are 2, 3, 5, and 7.
   c. 97 is not divisible by any one of these. So 97 is prime.
7. Example-2:
   a. Floor of √301 = 17 // √301 is 17.3493... But when we take the floor we take the greatest integer <= 17.3493.
   b. Prime numbers <= 17 are 2, 3, 5, 7, 11, 13 and 17.
   c. 301 is divisible by 7. So 301 is not prime.

Primality Testing

Miller-Rabin Algorithm - A Probabilistic Algorithm!

How the algorithm works

1. The Miller-Rabin Algorithm has a probabilistic nature and there could be several random values of a. So how to check the primality of a given number n? Especially if n is large, it is difficult to ascertain.
2. Select t different random values of a such that 1 < a < (n-1). Ensure that t is a large set of random values.
3. Repeatedly invoke the test using the randomly chosen values of a.
4. If at any point it returns not-prime, then n is determined to be not-prime.
5. If the test continues to return prime for t tests, assume that n is prime.
6. It is shown by D. E. Knuth of Stanford University that if n is not-prime, then the probability that the testing gives inconclusive results for all t random values is less than (1/4)^t. A very small probability of error.

Prime Factorization

1. Any integer a (other than a prime) can be factorised in a unique way using prime numbers:
   a = p1^a1 x p2^a2 x p3^a3 x ... x pn^an
   where p1 < p2 < p3 < ... < pn are prime numbers and a1, a2, ..., an are positive integers.
2. Examples:
   91 = 7^1 x 13^1
   3600 = 2^4 x 3^2 x 5^2
   11011 = 7^1 x 11^2 x 13^1

Fermat's Theorem

1. Named after the 17th century French mathematician Pierre de Fermat.
2. Also called Fermat's Little Theorem.
3. It states that if p is a prime number and a is a positive integer, then:
   1st version: a^(p-1) ≡ 1 (mod p), when a is not divisible by p
   2nd version: a^p ≡ a (mod p)

Note:
a. The congruence symbol (≡) will be used interchangeably with the equal to (=) symbol in Cryptography.
b. The second version is obtained by multiplying both sides of the first version by a.
c. The result will always be 0 when a is divisible by p. So effectively there is no point in applying Fermat's Theorem in that case (when a is divisible by p) in Cryptography.

Fermat's theorem eliminates the need for the Extended Euclidean Algorithm, if the modulus is prime, by calculating the multiplicative inverse in the following way:

a^-1 mod p = a^(p-2) mod p

How it eliminates the need of the Extended Euclidean Algorithm:

• Multiplying both sides with a:
• a x a^-1 mod p = a x a^(p-2) mod p
  o = a^(p-1) mod p
  o = 1 mod p (from Fermat's Theorem, 1st version)
• Or, a x a^-1 = 1 in modulus p; the same as with the Extended Euclidean Algorithm.

Number Theory

Zn and Zn*

1. We have reviewed the set of residues Zn for n. For example:
   • Z6 = {0, 1, 2, 3, 4, 5}
   • Z7 = {0, 1, 2, 3, 4, 5, 6}
2. All elements drawn from Zn which have GCD 1 with n, or in other words which have a multiplicative inverse present, form what is called the set of multiplicative inverses for n. This subset of Zn is represented by Zn*. For example:
   • Z6* = {1, 5} // E.g. (1*1) mod 6 = 1 and (5*5) mod 6 = 1
   • Z7* = {1, 2, 3, 4, 5, 6} // E.g. (3*5) mod 7 = 1, (6*6) mod 7 = 1 etc.
3. If n is a prime number, then all elements from 1 to (n-1) will be present in Zn*.
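The transposition idea above (plaintext written row-wise, read column-wise in key order) together with the normalized relative frequency from the Relative Performance section, as an added Python example that is not the notes' own code. The sample sentence and the key (2, 0, 3, 1) are constructed; the frequency function shows in code why a transposition leaves the plaintext's letter-frequency profile untouched, which is the weakness frequency analysis exploits.

```python
# Added example (not from the original notes): keyed columnar transposition
# cipher plus the normalized relative letter frequency (count / count of E).
# SAMPLE and KEY are constructed values for the demonstration.
from collections import Counter

SAMPLE = "meet me at the library at noon after the seminars"  # constructed, 40 letters
KEY = (2, 0, 3, 1)   # constructed: read column 2 first, then 0, then 3, then 1

def columnar_encrypt(plaintext, key):
    """Write the letters row-wise in len(key) columns, read them column-wise
    in the order given by key. Pads the last row with X if needed."""
    text = "".join(c for c in plaintext.upper() if c.isalpha())
    cols = len(key)
    text += "X" * (-len(text) % cols)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in key for row in rows)

def columnar_decrypt(ciphertext, key):
    """Cut the ciphertext into columns of equal height, put each column back
    at the position the key took it from, then read row-wise."""
    cols = len(key)
    height = len(ciphertext) // cols
    columns = {}
    for idx, c in enumerate(key):          # column c was written idx-th
        columns[c] = ciphertext[idx * height:(idx + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(cols))

def normalized_frequency(text):
    """Frequency of each letter divided by the frequency of E, as defined in
    the Relative Performance section, so profiles can be compared."""
    counts = Counter(c for c in text.upper() if c.isalpha())
    e = counts.get("E", 0) or 1
    return {ch: round(counts[ch] / e, 3) for ch in sorted(counts)}

if __name__ == "__main__":
    ct = columnar_encrypt(SAMPLE, KEY)
    print(ct)
    print(columnar_decrypt(ct, KEY))
    # identical profiles: transposition moves letters, it does not replace them
    print(normalized_frequency(SAMPLE) == normalized_frequency(ct))
```

Running it on the sample shows the two profiles are equal; a monoalphabetic substitution would give the same profile with the letters relabelled, while the random polyalphabetic case the notes describe is the only one of the three that flattens it.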
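The primality and factorization procedures above as an added Python example (not code from the original notes): trial division by the primes up to floor(√n), the Miller-Rabin test repeated t times, unique prime factorization, the Fermat inverse a^(p-2) mod p, and Zn* as the elements of Zn that have an inverse. The Miller-Rabin round itself (write n-1 = 2^k.q, check the sequence of squarings of a^q) is the standard one, which the notes do not spell out; the fixed random seed is an assumption so that the run is repeatable.

```python
# Added example (not from the original notes): trial division, Miller-Rabin,
# factorization, Fermat-based inverse and Z_n*. Seeded RNG is an assumption.
import math
import random

def primes_up_to(x):
    """All primes <= x by a sieve (the 'prime numbers <= x' step of the notes)."""
    sieve = [True] * (x + 1)
    for i in range(2, math.isqrt(x) + 1):
        if sieve[i]:
            sieve[i * i::i] = [False] * len(range(i * i, x + 1, i))
    return [i for i in range(2, x + 1) if sieve[i]]

def is_prime_trial(n):
    """The notes' quick check: n is prime iff no prime <= floor(sqrt(n)) divides it."""
    if n < 2:
        return False
    return all(n % p for p in primes_up_to(math.isqrt(n)))

def miller_rabin_round(n, a):
    """One round with witness a. False means n is composite for certain;
    True means 'inconclusive' (n passed for this a)."""
    q, k = n - 1, 0
    while q % 2 == 0:             # n - 1 = 2^k * q with q odd
        q //= 2
        k += 1
    x = pow(a, q, n)
    if x in (1, n - 1):
        return True
    for _ in range(k - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False

def is_probable_prime(n, t=20, rng=random.Random(1)):
    """Repeat the test for t random a with 1 < a < n-1. A composite survives
    all t rounds with probability below (1/4)^t."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        if not miller_rabin_round(n, a):
            return False
    return True

def factorize(n):
    """Unique prime factorization as {prime: exponent}, e.g. 3600 -> {2:4, 3:2, 5:2}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def fermat_inverse(a, p):
    """a^-1 mod p for prime p: a * a^(p-2) = a^(p-1) = 1 (mod p)."""
    if a % p == 0:
        raise ValueError("a divisible by p has no inverse (Fermat gives 0)")
    return pow(a, p - 2, p)

def z_star(n):
    """Z_n*: the elements of Z_n with gcd(x, n) = 1, i.e. those with an inverse."""
    return [x for x in range(1, n) if math.gcd(x, n) == 1]

if __name__ == "__main__":
    print(is_prime_trial(97), is_prime_trial(301))        # True False
    print(is_probable_prime(97), is_probable_prime(561))  # True False
    print(factorize(3600), factorize(11011))
    print(fermat_inverse(11, 19), z_star(6), z_star(7))
```

561 is worth trying: it is composite (3 x 11 x 17) yet a^560 ≡ 1 (mod 561) for every a coprime to it, so a test based on Fermat's theorem alone would accept it, while the Miller-Rabin rounds reject it.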
Abelian Group

1. An Abelian Group (G) is a set of elements with an operator # that satisfies the following five properties:
   a. Closure: If a and b are elements of G, then c = a # b is also an element of G.
   b. Associativity: If a, b and c are elements of G, then (a # b) # c = a # (b # c).
   c. Identity: For all elements a in G, an identity element e exists such that e # a = a # e = a.
   d. Inverse: For all elements a in G, an inverse element a' exists such that a # a' = a' # a = e.
   e. Commutativity: For all a and b in G, a # b = b # a.
2. Example:
   a. The group G = <Zn*, *> is an abelian group with multiplication (*) as the operator, 1 as the identity and the multiplicative inverse as the inverse function.
   b. Let us say G = <Z5*, *> where Z5* = {1, 2, 3, 4}; for all of its elements it can be shown:
   c. Closure: for example, if 3 and 4 are present in the group, then 3*4 = 2 (mod 5) is also present.
   d. Associativity: (2*3) * 4 = 2 * (3*4)
   e. Identity: 4 * 1 = 1 * 4
   f. Inverse: 3 and 2 are multiplicative inverses as (3*2) mod 5 = 1. It can be shown for all elements also.
   g. Commutativity: 2*3 = 3*2

Euler's Totient Function

1. Named after the 18th century Swiss mathematician Leonhard Euler, who worked extensively in mathematics, including prime numbers. The constant e (= 2.71828...) was named in his honour.
2. Euler's Totient Function, ɸ(n), which is sometimes called Euler's Phi-Function, plays a very important role in cryptography.
3. We have reviewed Zn as the residue set. Also, Zn* is a set of integers having fewer than n elements, each having a multiplicative inverse in mod n mathematics.
4. Since each of the elements (say x) of Zn* has a multiplicative inverse, it means GCD(n, x) = 1.
5. Euler's Totient Function, ɸ(n), calculates the count of elements in this set Zn*, with the properties shown in the original notes (used in the examples below as, e.g., ɸ(35) = ɸ(5) x ɸ(7) = 4 x 6 = 24).

Euler's Theorem

For every a and n, the following relationship exists (the two versions as used in the examples below):

1st version: a^ɸ(n) ≡ 1 (mod n), when a and n are relatively prime
2nd version: a^(ɸ(n)+1) ≡ a (mod n)

1. Example 1: Find out the value of 6^24 mod 35.
   Because ɸ(35) = ɸ(5) x ɸ(7) = 4 x 6 = 24,
   6^24 mod 35 = 6^ɸ(35) mod 35 = 1.
2. Example 2: Find out the value of 6^61 mod 77.
   Because ɸ(77) = ɸ(7) x ɸ(11) = 6 x 10 = 60,
   6^61 mod 77 = 6^(ɸ(77)+1) mod 77 = 6.
3. Example 3 (a and n are not relatively prime): Find out the value of 13^12 mod 26.
   Because ɸ(26) = ɸ(2) x ɸ(13) = 1 x 12 = 12,
   13^12 mod 26 = 13^ɸ(26) mod 26 = 13. The 1st version does not hold.
4. Example 4 (a and n are not relatively prime): Find out the value of 13^13 mod 26.
   Because ɸ(26) = ɸ(2) x ɸ(13) = 1 x 12 = 12,
   13^13 mod 26 = 13^(ɸ(26)+1) mod 26 = 13. The 2nd version holds.

Euler's theorem eliminates the need for the Extended Euclidean Algorithm by calculating the multiplicative inverse in the way shown in the original notes.

Order of an Element & Primitive Root

1. The order of an element a in a group G = <Zn*, *> is the smallest integer m such that: a^m = 1.
2. From Euler's Theorem, if a and n are relatively prime: a^ɸ(n) = 1.
3. Combining the above two: m = ɸ(n).
4. It may be possible that even when m < ɸ(n), a^m = 1.
5. Example: n = 19, so ɸ(n) = 18, and for a = 7 (the powers of 7 in mod 19 are tabulated in the original notes): in this example the smallest value of m = 3, so the order of 7 is 3.
6. In the group G = <Zn*, *>, when the order of an element a is the same as ɸ(n), the element is called a Primitive Root of the group G.

Primitive Roots: Insight

1. The table in the original notes shows the powers of a in mod-19 form. Notice the following:
2. All sequences end in 1, and after that the sequences repeat themselves.
3. The length of a sequence divides ɸ(19) = 18.
4. Some sequences have lengths that are equal to ɸ(19): for a = 2, 3, 10, 13, 14, and 15 (marked in blue rows in the original notes).
5. Each of these having full length up to ɸ(19) is called a primitive root of 19.

Note:

1. Not all integers will have primitive roots.
2. Integers 2, 4, p^x and 2p^x have primitive roots, where p is any odd prime and x is a positive integer (in this example: 19^1).
3. If n is prime, then all the elements from 1 to (n-1) will appear in the sequence of the primitive root.

Count of Primitive Roots

1. ɸ(n) is the count of elements in Zn*.
2. ɸ(ɸ(n)) will give the count of primitive roots for n.

Examples:

1. n = 19, so ɸ(19) = 18 and ɸ(18) = 6, so there will be 6 primitive roots of 19.
2. n = 6, so ɸ(6) = 2 and ɸ(2) = 1, so there will be 1 primitive root of 6.
3. n = 10, so ɸ(10) = 4 and ɸ(4) = 2, so there will be 2 primitive roots of 10.

Example-1

Find out the primitive roots of 7:

1. 7 is a prime number, so it will have primitive roots.
2. These primitive roots will be drawn from Z7* = {1, 2, 3, 4, 5, 6}.
3. The required order of the elements from Z7* (for becoming primitive roots) is ɸ(7) = 6.
4. Count of such primitive roots: ɸ(ɸ(7)) = ɸ(6) = 2.

Example-2

Find out the primitive roots of 6:

1. 6 can be represented in the form 2p^x with p = 3 and x = 1. So it will have primitive roots.
2. These primitive roots will be drawn from Z6* = {1, 5}.
3. The required order of the elements from Z6* (for becoming primitive roots) is ɸ(6) = 2.
4. Count of such primitive roots: ɸ(ɸ(6)) = ɸ(2) = 1.

Basic Logarithms

1. logx(1) = 0
2. logx(x) = 1
3. logx(y.z) = logx(y) + logx(z)
4. logx(m^n) = n.logx(m)

Discrete Logarithms

Let us say a^i (mod p) ≡ b (mod p).

The exponent i is referred to as the discrete logarithm (dlog) of the number b for the base a (mod p), iff a is a primitive root of p, and is represented as: i = dloga,p(b).
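The totient, Euler's theorem, order, primitive roots and discrete logarithm material above as an added Python example, not code from the original notes. ɸ(n) is computed directly as the size of Zn*, the discrete log by brute force (fine for p = 19; for the sizes used in practice it is infeasible, which is exactly what makes the dlog useful in cryptography), and the Euler-based inverse a^(ɸ(n)-1) mod n is included as the companion of the Fermat inverse; the function names are my own.

```python
# Added example (not from the original notes): Euler's totient as |Z_n*|,
# Euler's theorem, the Euler-based inverse, order of an element, primitive
# roots and a brute-force discrete logarithm. Function names are my own.
import math

def phi(n):
    """Euler's totient: number of x in 1..n with gcd(x, n) = 1, i.e. |Z_n*|."""
    return sum(1 for x in range(1, n + 1) if math.gcd(x, n) == 1)

def euler_power(a, e, n):
    """a^e mod n; when gcd(a, n) = 1, Euler's theorem (a^phi(n) = 1 mod n)
    lets the exponent be reduced mod phi(n) first, as in the examples."""
    if math.gcd(a, n) == 1:
        e %= phi(n)
    return pow(a, e, n)

def euler_inverse(a, n):
    """a^-1 mod n from a * a^(phi(n)-1) = a^phi(n) = 1 (mod n); needs gcd(a, n) = 1."""
    if math.gcd(a, n) != 1:
        return None
    return pow(a, phi(n) - 1, n)

def order(a, n):
    """Smallest m >= 1 with a^m = 1 (mod n); None if a has no inverse mod n."""
    if math.gcd(a, n) != 1:
        return None
    m, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        m += 1
    return m

def primitive_roots(n):
    """Elements of Z_n* whose order equals phi(n); their count is phi(phi(n))
    whenever n has primitive roots at all."""
    target = phi(n)
    return [a for a in range(1, n) if math.gcd(a, n) == 1 and order(a, n) == target]

def dlog(b, a, p):
    """dlog_{a,p}(b): the exponent i with a^i = b (mod p). Only defined when a
    is a primitive root of p (Example-3 above); brute force, so small p only."""
    if a not in primitive_roots(p):
        return None
    x = 1
    for i in range(phi(p)):
        if x == b % p:
            return i
        x = (x * a) % p
    return None

if __name__ == "__main__":
    print(phi(35), euler_power(6, 24, 35), euler_power(6, 61, 77))   # 24 1 6
    print(order(7, 19), primitive_roots(19))     # 3 [2, 3, 10, 13, 14, 15]
    print(primitive_roots(7), primitive_roots(6))  # [3, 5] [5]
    print(dlog(7, 2, 19), dlog(11, 7, 19))       # 6 None
```

Property-3 of the discrete logarithm can be checked with it directly: `dlog(3, 14, 19) + dlog(6, 14, 19)` reduced mod ɸ(19) equals `dlog(18, 14, 19)`, i.e. 7 + 2 = 9.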
Example-1

1. Rewrite in dlog form: 2^6 (mod 19) ≡ 7
2. 6 = dlog2,19(7)

Example-2

1. What is the value of dlog13,19(2)?
2. Since 13^11 (mod 19) ≡ 2, dlog13,19(2) = 11.

Example-3

1. What is the value of dlog7,19(11)?
2. None, because 7 is not a primitive root of 19.

Example-4

1. What is the value of dlog3,19(16)?
2. Since 16 ≡ 3^10 (mod 19), dlog3,19(16) = 10.

Example-5

1. Find out the discrete log of 16 for the primitive root 10 of 19.
2. dlog10,19(16) is to be found out.
3. Since 16 ≡ 10^14 (mod 19), dlog10,19(16) = 14.

Property-1:

1. dloga,p(1) ≡ 0 mod [ɸ(p)]
2. dlog2,19(1) ≡ 18 mod [ɸ(19)] = 0
3. True for all primitive roots of 19.

Property-2:

1. dloga,p(a) ≡ 1 mod [ɸ(p)]
2. dlog13,19(13) ≡ 1
3. True for all primitive roots of 19.

Property-3:

1. dloga,p(x.y) ≡ [dloga,p(x) + dloga,p(y)] mod [ɸ(p)]
2. dlog14,19(18) ≡ [dlog14,19(3) + dlog14,19(6)] mod [ɸ(19)]
3. Because 9 = 7 + 2.

Property-4:

1. dloga,p(m^n) ≡ [n . dloga,p(m)] mod [ɸ(p)]
2. dlog15,19(2^3) ≡ [3 . dlog15,19(2)] mod [ɸ(19)]
3. Because 15 = 3 x 5.

Chinese Remainder Theorem

The Chinese Remainder Theorem (CRT) is used to solve congruence equations with one variable but multiple moduli which are relatively prime (no common factors). E.g. x is a variable, a1 ... ak are dividends and m1 ... mk are moduli which are relatively prime, and the equations are:

x = a1 in mod m1
x = a2 in mod m2
...
x = ak in mod mk

So, x can be found out using the formula below:

x = [(a1 x M1 x M1^-1) + (a2 x M2 x M2^-1) + ... + (ak x Mk x Mk^-1)] mod M

Where,
M = m1 x m2 x m3 x ... x mk and
Mk = M/mk
Mk^-1 is the multiplicative inverse of Mk in the corresponding modulus (mk).

Example: Solve the following equations for x:

1. x = 2 in mod 3
2. x = 3 in mod 5
3. x = 2 in mod 7

Moduli 3, 5 and 7 are relatively prime and there is only one variable x, so CRT is applicable.

M = 3 x 5 x 7 = 105
M1 = 105/3 = 35, M2 = 105/5 = 21, M3 = 105/7 = 15
M1^-1 = 2, M2^-1 = 1, M3^-1 = 1
x = [(a1 x M1 x M1^-1) + (a2 x M2 x M2^-1) + (a3 x M3 x M3^-1)] mod M
  = [(2 x 35 x 2) + (3 x 21 x 1) + (2 x 15 x 1)] mod 105
  = [140 + 63 + 30] mod 105
  = 233 mod 105
  = 23
Asymmetric (Public) Key Cryptography

1. Asymmetric key cryptography uses two separate keys: one private and one public.
2. The public key is made available to all the senders to encrypt and send data to a receiver.
3. The private key is available only with the receiver to decrypt and consume the message.
4. There is a key generation procedure and a public key distribution mechanism.
5. In the diagram in the original notes, Bob (as a receiver) needs only one private key to receive messages from anyone, and he can share his public key with the community (though nothing stops Bob from having multiple public and private keys also, i.e. one for each sender).
6. On the other hand, Alice needs n public keys to send messages to n different receivers: a ring of public keys.
7. In practice, the key generation and distribution procedure can be governed by Certificate Authorities (CA).

The RSA Algorithm

1. Plaintext and ciphertext are treated as a sequence of integers:
   a. E.g. if the plaintext is ABC it is treated as 000102.
   b. That is, each character is a two-digit integer ranging from 00 to 25 for the English language.
   c. ASCII equivalents or some other mapping known to the sender and receiver can also be taken.
2. Let us say there is some plaintext character P and its corresponding ciphertext character is C.
3. Two exponents e and d and a large n are chosen. Note that n should be large enough so that all P characters individually are < n.
4. There should be relations (constraints) like:
   C = P^e mod n -------- (i)
   P = C^d mod n -------- (ii)
5. Replacing the value of C in (ii) from (i):
   P = (P^e mod n)^d mod n
     = P^(ed) mod n // e.g. (2^3 mod 5)^2 mod 5 = 2^6 mod 5 = 4
6. Where both sender and receiver know the value of n (the modulus), the sender knows the value of e, and only the receiver knows the value of d.
7. This is an asymmetric (public) key encryption algorithm where the public key PU = {e, n} and the private key PR = {d, n}.
8. But how will the constraints for the above relations stand?

Mathematics

1. C = P^e mod n for encryption.
2. P = C^d mod n for decryption.
3. C = P^e mod n, and the decryption private key (d, n) is safely kept with the receiver.
4. Assume C is being transmitted. An attacker can get C, but how will he get P from it?
5. So for an attacker to decipher the message it is required to calculate the following: P = C^(1/e) mod n, that is, the eth root of C in modular arithmetic.
6. It is not feasible to calculate it in the available time and cost if n is very large. It has to be Computationally Secure.
7. P = P^(ed) mod n: for this equation to be true, e and d are selected from Zɸ(n)* in such a way that e and d are multiplicative inverses of each other modulo ɸ(n):
   e.d = 1 mod ɸ(n)
   d = e^-1 mod ɸ(n)
8. In other terms, d and e are relatively prime to ɸ(n).
9. That is, gcd(ɸ(n), d) = 1 and gcd(ɸ(n), e) = 1.

Procedure

1. Select a large number n.
2. Factorize n into prime numbers.
3. For the sake of example, let us say n = p.q
4. Calculate ɸ(n) = (p-1)(q-1)
5. Select an integer e such that gcd(ɸ(n), e) = 1
6. Calculate d such that d = e^-1 mod ɸ(n)
7. Public Key (PU) = {e, n}
8. Private Key (PR) = {d, n}
9. For encryption, ciphertext C = P^e mod n
10. For decryption, plaintext P = C^d mod n

Example

1. Let us say n = 77.
2. So, n = p x q where p = 7, q = 11.
3. ɸ(n) = (7 − 1)(11 − 1) = 60
4. Two values (e, d) are to be chosen from the elements of Z60* which are multiplicative inverses of each other in mod ɸ(n) mathematics, where ɸ(n) = 60:
   e = 13
   d = 37
5. Note that e and d could be chosen the same also (but usually not). E.g. 5 and 5 in mod 6.
6. Let us say the sender wants to send the alphabet 'F', which can be represented as 05 as an integer.
7. The sender will encrypt it as P^e mod n = 5^13 mod 77 = 26.
8. The receiver will decrypt it as C^d mod n = 26^37 mod 77 = 5.

Mathematical Insight

1. The receiver of the message restores some plaintext (P1) as: P1 = C^d mod n ----- (i)
2. Where C was calculated over the original plaintext (P) as: C = P^e mod n ----- (ii)
3. How are we so sure that P1 = P? That what was sent is equal to what is restored?
4. We know that: P1 = C^d mod n
      = (P^e mod n)^d mod n // replacing the value of C from (ii)
      = P^(ed) mod n
5. We selected e and d in a way such that e.d = 1 mod ɸ(n)
      = {k.ɸ(n) + 1} mod ɸ(n) // for some integer k
6. So:
   P1 = P^(ed) mod n
      = P^(k.ɸ(n)+1) mod n
      = P mod n // Generalized form of Euler's Theorem, second version
7. Hence, P1 = P.

Strength

1. RSA is based on the idea that the modulus (n) is to be so large that it cannot be factorized into primes in feasible time. This is an NP (Non-deterministic Polynomial) class of problem.
2. If an attacker finds the factors of n, he needs to calculate the value of ɸ(n).
3. Then finally the decryption key is to be found out as d = e^-1 mod ɸ(n), assuming e is known as the public key exponent.
4. The RSA algorithm can be considered secure as long as a time-efficient algorithm for finding out the prime factors of a large number is not found.

Diffie-Hellman Key Exchange

1. We have reviewed that a shared secret is used in MAC.
2. Not just in MAC; in Network Security a symmetric key is also required many times, whenever symmetric encryption is utilized.
3. We will also review that a shared secret is used to generate other keys in transport layer security.
4. Let us take a break from asymmetric key cryptography and review a mathematical approach to exchange a shared secret (or a shared key) without divulging any secret.
5. Why are we reviewing it in this module?
6. Because it utilizes the concepts of prime numbers and primitive roots, which in general are used in asymmetric key cryptography.
7. Developed by W. Diffie and M. E. Hellman, professors of Stanford University, in 1976.
8. Extensively used even today!

Formulation

1. There are two publicly known numbers: a prime number p and e, a primitive root of it. Users A and B want to create a shared secret key.
2. User A selects a random number XA < p and calculates YA = e^XA mod p.
3. Similarly, user B selects a random number XB < p and calculates YB = e^XB mod p.
4. User A keeps XA with himself and shares YA with B.
5. Similarly, user B keeps XB with him and shares YB with A.
6. Now A computes a key KA as: KA = YB^XA mod p.
7. B also computes a key KB as: KB = YA^XB mod p.
8. Both the keys KA and KB are the same, as proved below:
   KA = YB^XA mod p
      = (e^XB mod p)^XA mod p
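The RSA procedure and example above as an added Python example, not code from the original notes: key generation for p = 7, q = 11, e = 13, and per-character encryption with the 00-25 letter mapping the notes use. This is textbook RSA exactly as the notes present it, with no padding and a toy modulus; a deployed system wraps the message in a padding scheme and uses a modulus of 2048 bits or more, so treat this as the arithmetic, not as a usable implementation.

```python
# Added example (not from the original notes): textbook RSA key generation and
# per-character encryption/decryption with the notes' parameters.
import math

def rsa_keygen(p, q, e):
    """Return (PU, PR) = ((e, n), (d, n)) following the notes' procedure."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if math.gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)        # d = e^-1 mod phi(n)
    return (e, n), (d, n)

def rsa_encrypt_block(m, public):
    """C = P^e mod n; the block must be smaller than n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("block must satisfy 0 <= P < n")
    return pow(m, e, n)

def rsa_decrypt_block(c, private):
    """P = C^d mod n."""
    d, n = private
    return pow(c, d, n)

def encrypt_text(text, public):
    """Map A..Z to 0..25 (the notes' 00..25 scheme) and encrypt each letter."""
    return [rsa_encrypt_block(ord(ch) - 65, public) for ch in text.upper()]

def decrypt_text(blocks, private):
    return "".join(chr(rsa_decrypt_block(c, private) + 65) for c in blocks)

if __name__ == "__main__":
    pu, pr = rsa_keygen(7, 11, 13)
    print(pu, pr)                               # (13, 77) (37, 77)
    print(rsa_encrypt_block(5, pu))             # 26, the 'F' of the example
    print(rsa_decrypt_block(26, pr))            # 5
    print(decrypt_text(encrypt_text("NETWORK", pu), pr))
```

Encrypting letter by letter with no randomness also makes the scheme a substitution cipher in disguise: every 'E' in the text becomes the same block, so the frequency analysis from earlier in the notes applies to it unchanged. That is the other reason real RSA encrypts padded, randomised blocks rather than characters.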
      = e^(XB.XA) mod p
      = (e^XA mod p)^XB mod p
      = (YA)^XB mod p
      = KB
9. The key K (= KA = KB) is the shared secret key, which is generated without sharing the individual random numbers XA and XB, and its value is K = e^(XB.XA) mod p.

Flow of Events

(Diagram in the original notes.)

Example

1. Let us say p = 23 and one of its primitive roots e = 7.
2. User A selects XA = 3.
3. User A calculates YA = e^XA mod p = 7^3 mod 23 = 21.
4. User B selects XB = 6.
5. User B calculates YB = e^XB mod p = 7^6 mod 23 = 4.
6. User A sends the number 21 to B.
7. User B sends the number 4 to A.
8. A calculates the shared secret as K = YB^XA mod p = 4^3 mod 23 = 18.
9. B calculates the shared secret as K = YA^XB mod p = 21^6 mod 23 = 18.
   Both A and B individually calculate the same shared key (K) as 18.
10. If an attacker finds out p, XA and XB, he would also calculate K as:
   K = e^(XA.XB) mod p = 7^(3x6) mod 23 = 7^18 mod 23 = 18

Man-In-The-Middle Attack

1. There is an attacker C who poses a risk as the man-in-the-middle.
2. The attacker intercepts YA from user A, calculates YC and shares it with both A and B.
3. User B shares YB with C.
4. A, B and C calculate shared keys and the system ends up having two sets of shared keys: one between A and C and another between C and B.
5. Attacker C is controlling the communication and the legitimate users A and B are not aware of this attack.
6. It is also known as a Bucket Brigade Attack (volunteers passing the buckets of water hop by hop!).
7. To avoid this attack, legitimate users can use authentication techniques.

ElGamal Cryptographic System

1. The ElGamal Cryptosystem was developed in 1985 by Dr. Taher ElGamal, during his HP tenure.
2. He is considered the father of SSL (Secure Socket Layer). SSL is replaced now with TLS (Transport Layer Security).
3. He is at present the CTO-Security of salesforce.com.
4. It is a public-key scheme based on primitive roots.
5. The ElGamal Cryptosystem is used in many network security implementations like the Digital Signature Standard (DSS) and S/MIME e-mail.

Formulation

1. Receiver of the message (Key Generation):
   a. Selects a large prime number p and a primitive root of it, e1.
   b. Generates a random number d such that 1 < d < (p-1).
   c. Calculates e2 = e1^d mod p.
   d. The private key of the receiver PR = {p, e1, e2, d}.
   e. The public key for the sender is PU = {p, e1, e2}.
2. Sender of the message (Encryption):
   a. Represents the message as an integer P in the range 0 <= P <= (p - 1).
   b. Longer messages are sent as a sequence of blocks, with each block being an integer less than p.
   c. Generates a random number r such that 1 <= r <= p-1.
   d. Calculates two ciphertexts C1 and C2 as:
      i. C1 = (e1)^r mod p
      ii. C2 = (P x (e2)^r) mod p
   e. Sends C1 and C2 to the receiver.
3. Receiver of the message (Decryption):
   a. Restores the plaintext as P = [C2 x (C1^d)^-1] mod p
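The Diffie-Hellman exchange above as an added Python example (not from the original notes) with the example's values p = 23, e = 7, XA = 3, XB = 6, plus a brute-force check that the public base is a primitive root of p; the function names are my own.

```python
# Added example (not from the original notes): Diffie-Hellman with the notes'
# parameters. Only YA and YB travel over the channel; XA and XB stay local.

def is_primitive_root(g, p):
    """Brute-force check for prime p: g is a primitive root iff no power
    g^i with 1 <= i < p-1 equals 1 (then its order is p-1 = phi(p))."""
    x = 1
    for _ in range(1, p - 1):
        x = (x * g) % p
        if x == 1:
            return False
    return (x * g) % p == 1          # g^(p-1) = 1 by Fermat's theorem

def dh_public(p, g, x_private):
    """Y = e^X mod p, the value each user publishes."""
    return pow(g, x_private, p)

def dh_shared(p, y_other, x_private):
    """K = Y_other^X_own mod p, computed independently on each side."""
    return pow(y_other, x_private, p)

def dh_exchange(p, g, xa, xb):
    """Run both sides; returns (YA, YB, KA, KB). KA == KB is the whole point."""
    if not is_primitive_root(g, p):
        raise ValueError("base must be a primitive root of p")
    ya, yb = dh_public(p, g, xa), dh_public(p, g, xb)
    return ya, yb, dh_shared(p, yb, xa), dh_shared(p, ya, xb)

if __name__ == "__main__":
    ya, yb, ka, kb = dh_exchange(23, 7, 3, 6)
    print(ya, yb, ka, kb)            # 21 4 18 18
    print(pow(7, 3 * 6, 23))         # 18: e^(XA.XB) mod p, as in step 10
```

Everything an observer sees is p, e, YA and YB; recovering XA from YA = e^XA mod p is the discrete logarithm problem from the earlier sections. What the exchange does not do is tell A that the YB it received really came from B, which is why the notes pair it with authentication against the man-in-the-middle case.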
Mathematics & Logic

Sender sends two ciphertexts:
i. C1 = (e1)^r mod p -----------(i)
ii. C2 = (P x (e2)^r) mod p -----------(ii)

Receiver decrypts it as:
P = [C2 x (C1^d)^-1] mod p -----------(iii)

Sender does not know d and the receiver does not know r, so how does the logic work? (Derivation shown in the original notes.)

Example

1. Receiver selects a prime number p = 19.
2. Primitive roots of 19 = {2, 3, 10, 13, 14, 15}.
3. Receiver selects e1 = 10 (one of the primitive roots) and a random number d = 5.
4. Then, e2 = e1^d mod p = 10^5 mod 19 = 3.
5. The private key for the receiver PR = {19, 10, 3, 5} // {p, e1, e2, d}
6. The public key for the sender PU = {19, 10, 3} // {p, e1, e2}
7. The sender wants to send P = 17 and selects the random number r = 6.
8. The sender then calculates C1 and C2 as below:
   C1 = e1^r mod p = 10^6 mod 19 = 11
   C2 = (P x e2^r) mod p = (17 x 3^6) mod 19 = 5
9. The receiver decrypts C1 and C2 as:
   P = [C2 x (C1^d)^-1] mod p
     = [5 x (11^5)^-1] mod 19
     = [5 x 11] mod 19
     = 17 (the original plaintext)

Usage of Random Numbers

1. Cryptographic Key Generation: Many systems use random numbers to generate a key for encryption and decryption. These include both symmetric and public key algorithms.
2. To Avoid Replay Attacks: Random numbers are used in handshaking to prevent replay attacks in many network security protocols. Such a number is called a nonce. The use of random numbers for the nonces frustrates an opponent's efforts to determine or guess the nonce in order to repeat an obsolete transaction. Example: TLS/SSL protocol.
3. Bit Stream Generation: a bit stream for symmetric stream encryption. Example: RC4 stream cipher.

Randomness & Types

1. The following two criteria are used to validate that a sequence of numbers is random:
   a. Uniform Distribution: The distribution of bits in the sequence should be uniform; that is, the frequency of occurrence of ones and zeros should be approximately equal.
   b. Independence: No subsequence in the sequence can be inferred from the others.
2. Pseudo Random Numbers (PRN): Cryptographic applications typically make use of algorithmic techniques for random number generation. These algorithms are deterministic and therefore produce sequences of numbers that are not statistically random. However, if the algorithm is good, the resulting sequences will be "near random numbers", which are called pseudo random numbers.
3. True Random Numbers (TRN): A true random number is generated taking inputs from sources that are effectively random. These sources are called Entropy Sources. The entropy source could be drawn from the physical environment of the computer and could include things such as keystroke timing patterns, hard disk activity, mouse movements, temperature of the PCB etc. These are used to generate true random numbers.

Blum Blum Shub (BBS)

1. Named after the US Computer Scientists and Mathematicians who developed it: Lenore Blum, Manuel Blum and Michael Shub.
2. Strongest cryptographic strength as proved publicly (experience so far).
3. First, choose two large prime numbers, p and q, such that both have a remainder of 3 when divided by 4. That is, p = q = 3 (mod 4). E.g. 7 = 11 = 3 (mod 4).
4. Let n = p x q.
5. Choose a random number (initial seed) s, such that s is relatively prime to n; this is equivalent to saying that neither p nor q is a factor of s.
6. Then the BBS generator produces a sequence of random numbers (Xi) and random bits (Bi) according to the algorithm shown in the original notes.

Example: (shown in the original notes)
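ElGamal key generation, encryption and decryption above as an added Python example (not from the original notes) with the example's values p = 19, e1 = 10, d = 5, P = 17, r = 6. The comment in the decrypt function carries the derivation the notes show only as a figure: C1^d = e1^(rd) = e2^r (mod p), so multiplying C2 by the inverse of C1^d cancels the e2^r factor without either side knowing the other's secret.

```python
# Added example (not from the original notes): ElGamal with the notes' values.
# Key dictionaries use the notes' names {p, e1, e2, d}.

def elgamal_keygen(p, e1, d):
    """Receiver: e2 = e1^d mod p. Returns (public PU, private PR)."""
    if not 1 < d < p - 1:
        raise ValueError("d must satisfy 1 < d < p-1")
    e2 = pow(e1, d, p)
    public = {"p": p, "e1": e1, "e2": e2}
    private = {**public, "d": d}
    return public, private

def elgamal_encrypt(P, public, r):
    """Sender: C1 = e1^r mod p, C2 = P * e2^r mod p, with 0 <= P <= p-1."""
    p, e1, e2 = public["p"], public["e1"], public["e2"]
    if not 0 <= P <= p - 1:
        raise ValueError("block must satisfy 0 <= P <= p-1")
    if not 1 <= r <= p - 1:
        raise ValueError("r must satisfy 1 <= r <= p-1")
    c1 = pow(e1, r, p)
    c2 = (P * pow(e2, r, p)) % p
    return c1, c2

def elgamal_decrypt(c1, c2, private):
    """Receiver: P = C2 * (C1^d)^-1 mod p.
    Why it works: C1^d = (e1^r)^d = (e1^d)^r = e2^r (mod p), so
    C2 * (C1^d)^-1 = P * e2^r * (e2^r)^-1 = P (mod p)."""
    p, d = private["p"], private["d"]
    s = pow(c1, d, p)                 # C1^d = e2^r, the shared mask
    return (c2 * pow(s, -1, p)) % p   # remove it with its inverse

if __name__ == "__main__":
    pu, pr = elgamal_keygen(19, 10, 5)
    print(pu, pr)                              # e2 = 3 as in the example
    c1, c2 = elgamal_encrypt(17, pu, 6)
    print(c1, c2)                              # 11 5
    print(elgamal_decrypt(c1, c2, pr))         # 17
```

The random r is per message, not per key: if the sender reuses r for two plaintexts P and P', the two C2 values share the same mask e2^r, so anyone who learns one plaintext can recover the other from the ratio of the ciphertexts. Fresh r per block is therefore part of the scheme's security, not an implementation detail.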
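The BBS generator above as an added Python example (not from the original notes). The recurrence X0 = s^2 mod n, Xi = X(i-1)^2 mod n, Bi = Xi mod 2 is the standard BBS definition, which the notes show only as a figure; the parameter checks are the notes' conditions p = q = 3 (mod 4) and gcd(s, n) = 1. The small values p = 7, q = 11, s = 3 are constructed so that the short period of a tiny modulus is visible, and the larger set p = 383, q = 503, s = 101355 is likewise just a parameter set used here for illustration.

```python
# Added example (not from the original notes): Blum Blum Shub bit generator
# with the parameter checks from the notes and the standard recurrence.
import math

def bbs_params_ok(p, q, s):
    """p = q = 3 (mod 4) and gcd(s, p*q) = 1, i.e. neither p nor q divides s."""
    return p % 4 == 3 and q % 4 == 3 and math.gcd(s, p * q) == 1

def bbs_bits(p, q, s, count):
    """Return the first `count` bits B_i = X_i mod 2, starting from X_1."""
    if not bbs_params_ok(p, q, s):
        raise ValueError("need p = q = 3 (mod 4) and gcd(s, n) = 1")
    n = p * q
    x = (s * s) % n                   # X_0 = s^2 mod n
    bits = []
    for _ in range(count):
        x = (x * x) % n               # X_i = X_{i-1}^2 mod n
        bits.append(x % 2)            # B_i = X_i mod 2
    return bits

def bbs_period(p, q, s):
    """Length of the cycle the state X_i falls into (tiny for tiny n)."""
    n = p * q
    x = (s * s) % n
    seen = {}
    i = 0
    while x not in seen:
        seen[x] = i
        x = (x * x) % n
        i += 1
    return i - seen[x]

def ones_fraction(bits):
    """Fraction of ones, the uniform-distribution criterion from the notes."""
    return sum(bits) / len(bits)

if __name__ == "__main__":
    print(bbs_bits(7, 11, 3, 8), bbs_period(7, 11, 3))       # period 4
    big = bbs_bits(383, 503, 101355, 20)
    print(big, ones_fraction(big))
```

With n = 77 the state cycles after only four values, so the output repeats every four bits; this is the "large period" design consideration from the next section made concrete, and it is why BBS is specified with large primes.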
Next Bit Test
1. The BBS is referred to as a Cryptographically Secure Pseudo Random Bit Generator (CSPRBG). A CSPRBG is defined as one that passes the next-bit test.
2. Next-Bit Test:
   a. The first m bits generated by a random number generator (RNG) are captured.
   b. Suppose there is some polynomial time algorithm that can predict the next bit given the few previously generated bits.
   c. If, using the m random bits and such algorithms, the (m+1)th bit cannot be predicted with probability more than 50%,
   d. then the RNG that generated the m random bits is considered to have passed the Next-Bit Test.

True Random Number Generator (TRNG)
1. A True Random Number Generator (TRNG) uses a nondeterministic source to produce randomness. Most operate by measuring unpredictable natural processes, such as gas discharge tubes, leaky capacitors, computer peripheral sound and movements.
2. Intel has developed a commercially available chip that samples thermal noise by amplifying the voltage measured across hardware circuitry.
3. RFC-4086 specifies some possible sources of randomness:
   a. The input from a sound digitizer with no source plugged in or from a camera with the lens cap on.
   b. Random fluctuations in disk drive rotational speed due to chaotic air turbulence surrounding the disk.
4. Example: an online service (random.org) can deliver random sequences securely over the Internet for a variety of purposes: lotteries, games, key generation etc.

Stream Cipher
1. A stream cipher may be designed to operate on one bit at a time or on units larger than a bit at a time (bytes, words etc.), but usually not on units as large as 64-bit blocks.
2. In the figure below, a key (K) is input to a pseudorandom byte generator that produces a stream of bytes (k) that are expected to be random. Notice the distinction between K and k.
3. The output of the generator, called a key stream (k), is combined one byte at a time with the plaintext stream (P) using the bitwise exclusive-OR (XOR) operation.
4. Decryption requires the use of the same pseudorandom byte sequence to restore the plaintext.

Design Considerations
1. The key stream generator sequence should have a large period.
   a. A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually might repeat itself.
   b. The longer the period of repeat, the more difficult it would be to do the cryptanalysis.
2. The key stream should approximate the properties of a true random number stream as closely as possible.
3. The output of the pseudorandom number generator is conditioned on the value of the input key (K). To guard against brute-force attacks, this key needs to be sufficiently long and random.

RC4 Stream Cipher
1. Rivest Cipher-4 (RC4) was designed in 1987 by Ron Rivest for RSA Security.
2. It is a variable key size stream cipher with byte-oriented operations.
3. RC4 was kept as a trade secret by RSA Security. In September 1994, the RC4 algorithm was anonymously posted on the Internet.
4. RC4 is used in the following security protocols (not limited to):
   a. Transport Layer Security (TLS) until 2015.
   b. Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standards.
5. The RC4 algorithm is simple and easy to explain and implement.

RC4 Operations
1. S is a state vector storing 256 bytes, with elements S[0], S[1], ..., S[255].
2. The entries of S are set equal to the values from 0 through 255 in ascending order; that is, S[0] = 0, S[1] = 1, ..., S[255] = 255.
3. A key (K) of variable length <= 256 bytes is chosen.
4. A temporary vector T of 256 bytes is filled with the values of K. If K is 256 bytes long, then all of K is filled into T, else K is repeated as required to fill T.
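The key scheduling above (S, T and the initial permutation), together with the stream generation and XOR steps described in the following sections, as an added Python example; it is not code from the notes and the function names are the example's own. The generator yields the (i, j, t, k) values of each step so the trace in the next section can be followed; the check in the usage note uses the widely published test vector for key "Key" and plaintext "Plaintext".

```python
# Added example (not from the lecture notes): RC4 as the notes describe it.
# Key scheduling (S, T, initial permutation), stream generation (i, j, swap,
# t, k) and the XOR step. Shown for study only: RC4 is prohibited in TLS
# (RFC 7465) and the notes themselves point at its weak-key problems.

def rc4_key_schedule(key: bytes) -> list:
    """S = 0..255, T = key repeated to 256 bytes, then the initial permutation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):                    # for each S[i], swap with S[j] chosen via T[i]
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S: list):
    """Stream generation: yields (i, j, t, k) per step, the values the notes trace."""
    S = S[:]                                 # private copy; the key is no longer used
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        yield i, j, t, S[t]                  # k = S[t]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each data byte with the next keystream byte k."""
    stream = rc4_keystream(rc4_key_schedule(key))
    return bytes(b ^ next(stream)[3] for b in data)

def first_keystream_bytes(key: bytes, n: int) -> bytes:
    """The first n bytes of k for a key, useful for comparing against test vectors."""
    stream = rc4_keystream(rc4_key_schedule(key))
    return bytes(next(stream)[3] for _ in range(n))

if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex(), rc4_crypt(b"Key", ct))   # bbf316e8d940af0ad3 b'Plaintext'
```

rc4_crypt(b"Key", b"Plaintext") gives bbf316e8d940af0ad3 and applying the same call to the ciphertext restores the plaintext, because encryption and decryption are the same XOR. Since k depends only on K, two messages encrypted under one key are XORed with the same keystream; when reviewing an RC4 deployment, key reuse across messages deserves the same attention as the weak keys the notes mention.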
Initial Permutation
1. T is used to produce the initial permutation of S.
2. This involves starting with S[0] and going through to S[255], and for each S[i], swapping S[i] with another byte in S according to a scheme dictated by T[i].

Stream Generation
1. Once the S vector is initially permuted, the input key (K) is no longer used.
2. Stream generation involves cycling through all the elements S[i], and for each S[i], swapping S[i] with another byte in S according to a scheme dictated by the current configuration of S.
3. As output, a random stream of byte values (k) is generated.

One step of stream generation, with the example values shown in the figure:
   i = (i + 1) mod 256        // = 1
   j = (j + S[i]) mod 256     // = 9
   swap (S[i], S[j]);
   t = (S[i] + S[j]) mod 256; // = 30
   k = S[t];                  // = 37

Encryption & Decryption
1. A continuous stream of k is received as part of the stream generation.
2. To encrypt, the value of k is XORed with the next byte of plaintext (P), and to decrypt, the value of k is XORed with the same byte of ciphertext (C).
3. The strength of the RC4 algorithm depends on the key. Many research studies have demonstrated that a weak key makes the RC4 system vulnerable.

Web Security Threats
Bob is surfing the Web and arrives at the Alice Inc. website, which is selling electronic goods. The Alice Inc. site displays a form in which Bob is supposed to enter the type of item and quantity desired, address, and his payment card number. Bob enters this information, clicks on submit, and expects to receive the goods at some time in the future.
   a. If no confidentiality (encryption) is used, an intruder could intercept Bob's order and obtain his payment card information. The intruder could then make purchases at Bob's expense. Attack on Confidentiality.
   b. If no data integrity is used, an intruder could modify Bob's order, having him purchase ten times more items than desired. Attack on Integrity.
   c. A competitor can flood bogus requests to bring Alice Inc's web server down. Attack on Availability.
   d. If no server authentication is used, a fake server could display Alice Inc's famous logo when in reality the site is maintained by crooks, who are masquerading as Alice Inc. Attack on Authenticity.
1. These are common day-to-day scenarios. How can these attacks be foiled?
2. The above example is related to a Web application that uses HTTP, but a similar situation can occur in any type of application that uses an Internet transport service.
3. Binding security to a specific application (browser) is not a good idea. How can we achieve security with application independence, at least up to some extent?

Transport Layer Security (TLS)
1. One of the most widely used security services is Transport Layer Security (TLS).
2. The latest version of TLS is 1.3 (RFC-8446) but TLS-1.2 (RFC-5246) is prevalent.
3. TLS evolved from a protocol called Secure Socket Layer (SSL).
4. SSL was developed by Dr. Taher ElGamal, present security CTO of salesforce.com, advisor and co-founder of many networking companies.
5. IETF deprecated the usage of SSL for security reasons. It is unlikely to see the usage of SSL in commercial systems now.
6. The purpose of TLS is to enhance the capability of TCP with confidentiality, data integrity, server authentication and client authentication features to protect from the security threats discussed in the previous slides.
7. TLS is often used to provide security to the transactions that take place over HTTP. However, because TLS secures TCP, it can be employed by any application that runs over TCP. Security with application independence is the prime motivation behind TLS.
8. TLS provides a simple Application Programmer Interface (API) with sockets, which is similar and analogous to TCP's socket API. When an application wants to employ TLS, the application needs to include the TLS classes/libraries (historically the name could still be SSL libraries).

Seeding Ideas of TLS
1. Bob wants to have secure and reliable communication with Alice. For reliability he chooses TCP transport (recollect the 3-way handshake) and sends a hello message to Alice to initiate the dialogue.
2. Alice in response sends her certificate, which contains her public key. Since this certificate is issued by a trusted Certification Authority (CA), Bob can be sure that the public key in the certificate belongs to Alice.
3. Bob generates a Pre-Master Secret (PM), encrypts it with Alice's public key and sends it to Alice. Alice decrypts it with her private key. Both Bob and Alice now know the PM.
4. Using this PM a master secret (M) is generated at both ends and then, using some additional mechanism (?), Bob and Alice each generate the following keys:
   a. Symmetric encryption key
   b. MAC key (secret ingredient)
5. Now, both Bob and Alice can send secured data to each other.
6. Data for TCP is a byte stream of variable length, so where will the MAC be put?
   a. The data stream is broken into records of equal size.
   b. A MAC is calculated for each record using the MAC key and a hash function, and appended to the record.
   c. Then the (record + MAC) is encrypted using the encryption key and sent over the TCP transport.
7. Where does this processing take place?
8. The receiver decrypts the received data using the symmetric key: confidentiality.
9. The receiver verifies the MAC using the corresponding MAC key: integrity.
10. This approach seems to provide a combination of symmetric/asymmetric key cryptography along with a few other mechanisms to achieve the security objectives with application independence.

The TLS seeds provide a high level overview but do not answer the following:
1. Are the TLS protocol versions used by Bob and Alice compatible?
2. How do Bob and Alice decide which cryptographic algorithms they use?
3. What if one of them wants to use compression and the other does not support it?
4. If they agree upon the above things, can both of them keep using it indefinitely, as long as they want?
5. Can Alice also demand Bob's certificate?
6. If there is an error condition during message exchanges, how will it be reported? And if the error is fatal?
7. How is this procedure protected from:
   a. Replay attacks?
   b. Truncation attacks? (A hacker is sending TCP FIN to close the connection between Alice and Bob.)

TLS Architecture
1. TLS is not a single protocol but rather two sublayers of protocols.
2. These two sublayers can be seen sandwiched between the application and the transport layers.
3. The Handshake Protocol allows server and client to exchange different security parameters.
4. This protocol performs its job before application data starts transmitting.
5. The Change Cipher Spec Protocol is used to update the cipher specifications to be used for the connection based on the recent handshake.
6. The Alert Protocol is used to convey TLS related alarms between the client and the server.
7. The Heartbeat Protocol is used to check whether the other host is alive during idle periods, to avoid premature closure of the connection. This protocol was added later to TLS through RFC-6520.
8. The Record Protocol, based on the cipher parameters exchanged by the Handshake Protocol, provides confidentiality and integrity services to the upper layers.

TLS Handshake Protocol
1. The TLS Handshake Protocol is triggered first, before any data transmission takes place on TLS.
2. It allows client and server to do the following:
   a. Negotiate encryption algorithms
   b. Negotiate MAC algorithms
   c. Authenticate each other
   d. Assist in generating cryptographic keys
3. It consists of a series of messages exchanged by client and server. These messages can be grouped into four phases:
   a. Phase-1: Establishing Security Capabilities
   b. Phase-2: Server Authentication and Key Exchange
   c. Phase-3: Client Authentication and Key Exchange
   d. Phase-4: Finalizing Handshake Protocol
4. Each message within these four phases has a few fields: Handshake Type (1 byte), Length (3 bytes) and Content (>= 0 bytes).

Phase-1: Establishing Security Capabilities
This phase is used to exchange security capabilities and is started by the client_hello message sent by the client to the server. It contains the following parameters:
1. Version: The highest TLS version understood by the client, in 2 bytes.
2. Client Random or nonce (CR): This field contains a 4 byte Unix time stamp (epoch) + 28 bytes of random number generated by the client. Used to prevent replay attacks.
3. Session Id: Variable length session identifier. If empty (null/0), it indicates a new connection on a new session; otherwise it indicates that the client wants to update the existing connection parameters or wants to have a new connection on this existing session. Note that the client can also send a client_hello message during a connection to re-negotiate the security parameters from its end during the existing connection.
4. Cipher Suites: Combinations of cryptographic algorithms in decreasing order of preference, two bytes each. Each combination conveys the key exchange, encryption and hash algorithms.
5. Compression Methods: List of compression methods that the client supports.

The server responds with a server_hello message with the following parameters:
1. Version: The lower of the two: the version proposed by the client and the highest that the server can support. If for some reason the client does not support this version, it may raise a protocol version alert message and close the connection.
2. Server Random or nonce (SR): Similar fields to what the client sent, but independent of the client's.
3. Session Id: If the client's id was empty, the server puts a new id indicating a new session; otherwise the same as the client's (if the server is fine to continue on the older one).
4. Cipher Suite: the cipher suite selected from the client's list: key exchange, cipher and MAC algorithms.
5. Compression Method: the method selected from the client's list.

Note: Sometimes the server may send a hello_request message, which is a simple notification that the client should begin the negotiation process afresh. It does not contain any parameter. This message will be ignored by the client if it is already negotiating a session, or if the client does not wish to renegotiate a session. The client may also respond with a no_renegotiation alert message.
Key Exchange Algorithms
1. The client and the server negotiated a Cipher Suite in Handshake phase-1, which has a key exchange algorithm as one of its elements. What is it used for?
2. The key exchange algorithm negotiated in phase-1 is not used to exchange the key for encryption but to exchange the Pre-Master Secret (PM).
3. The following types of key exchange algorithms are used:
   a. RSA: The client generates a random number which works as the PM, encrypts it with the server's public key and then sends it to the server. So the server must send its certificate to the client for the public key.
   b. Fixed Diffie-Hellman (DH): The server provides the DH public parameters used to calculate the PM in a CA signed certificate to the client. The client also provides its DH public parameters subsequently.
   c. Ephemeral Diffie-Hellman (DH): Both sides exchange signed DH parameters. This means both sides must exchange their certificates for the signatures. Considered the strongest.
   d. Anonymous Diffie-Hellman (DH): Each side exchanges unsigned DH parameters. Considered the weakest: susceptible to man-in-the-middle attacks.
   e. There are other methods (e.g. Fortezza) also. Note: The first 3 algorithms involve certificates.

Phase-2: Server Authentication and Key Exchange
Phase-2 is used by the server to send the following messages to the client:
1. certificate: An optional message. This message conveys the server's certificate to the client. The server must send this message whenever the agreed-upon key exchange method uses certificates (all except anonymous DH). This message will be sent immediately after the server_hello message.
2. server_key_exchange: An optional message. The server does not send it if the key exchange algorithm negotiated is RSA or Fixed DH. Otherwise the message is sent. It contains signed DH parameters in the case of ephemeral DH and unsigned DH parameters in the case of anonymous DH.
3. certificate_request: A server that is not using anonymous DH key exchange can request a certificate from the client. There are two parameters in this message:
   a. Certificate Types: A list of the types of certificate that the client should offer (for signature, for fixed DH public parameters).
   b. Certificate Authorities: A list of the distinguished names of acceptable Certificate Authorities (CA).
4. server_hello_done: This is a mandatory message. It is sent by the server to indicate the end of the associated handshake messages from its end. After sending this message, the server will wait for the client's response.
   This message means that the server is done sending messages to support the key exchange, and the client can proceed with its phase of the key exchange. There are no parameters in this message.

The server can also send a server_key_exchange message even when the key exchange algorithm negotiated is RSA. Refer to the text book and find out in which case it happens and how this procedure works.

Phase-3: Client Authentication and Key Exchange
After receiving server_hello_done, this phase is used by the client to send the following messages to the server:
1. certificate: This message is sent if the server requested a certificate. If no suitable certificate is available, the client must send a certificate message containing NULL. If some aspect of the certificate is unacceptable (e.g. an un-trusted CA), the server may at its discretion continue the handshake. In these cases, it is the server's discretion to continue or to alert a handshake failure.
2. client_key_exchange: Depending on the key exchange algorithm in the cipher suite selected in phase-1, the following is sent:
   a. RSA: 48 byte PM encrypted with the server's public key.
   b. Fixed Diffie-Hellman: NULL, because the parameters are included in the client's certificate.
   c. Ephemeral Diffie-Hellman: The client's DH parameters, signed.
   d. Anonymous Diffie-Hellman: The client's DH parameters, unsigned.
3. certificate_verify: It is an optional message, sent if the client has sent a certificate that has signing capabilities. It contains the following:
   a. A hash code is calculated using the Master Secret and all the handshake messages exchanged (sent and received) until now.
   b. This hash code is encrypted using the client's private key.
   c. Since the server has received the public key of the client in the certificate, it can verify the client signature.
   d. This mechanism helps so that the client need not have a CA signed certificate.

After phase-3 both client and server have the following:
1. Master Secret (M), computed from the Pre-Master Secret (PM).
2. Using M the different keys are also calculated:
   a. Client and server-side encryption keys and MAC keys.
   b. Initialization Vectors (IV) that are used for chaining in block cipher algorithms.

Master Secret (M) Generation
1. 48 bytes of Master Secret (M) are generated from the Pre-Master Secret (PM) using a Pseudo Random Function (PRF):
   a. M = PRF(PM, "master secret", Client Random + Server Random)
2. PRF is defined as:
   a. PRF(secret, string, seed) = P_Hash(secret, string + seed)
3. P_Hash is defined as:
   a. P_Hash(secret, seed) = HMAC_Hash(secret, A(1) + seed) +
   b. HMAC_Hash(secret, A(2) + seed) +
   c. HMAC_Hash(secret, A(3) + seed) + ...
4. A(i) is defined as:
5. In the above definitions, + is the concatenation operator, and TLS-1.2 (RFC-5246) uses a hash based MAC (HMAC) with SHA-256 as the hash.

Key Material Generation
1. Variable length Key Material (KM) is generated from the Master Secret (M) using the Pseudo Random Function (PRF):
   KM = PRF(M, "key expansion", Client Random + Server Random)
2. From the KM, the following keys are generated through partitioning (first x bits, then y bits and so on):
   a. Client and Server MAC Keys
   b. Client and Server Symmetric Encryption Keys
   c. Client and Server Initialization Vectors (used in block cipher chaining)

Phase-4: Finalizing Handshake Protocol
The fourth phase is used by the client and the server to finalize the handshake protocol by exchanging the following mandatory messages:
1. change_cipher_spec: This message is sent first by the client to notify the server that the subsequent messages will be protected under the newly negotiated cryptographic parameters and the generated keys. This message is considered part of the Change Cipher Spec Protocol.
2. finished: This message is always sent immediately after a change_cipher_spec message to verify that the key exchange and the authentication processes were successful.
   a. The finished message is the first one protected with the just negotiated algorithms and generated keys. The content of the finished message is calculated as: PRF(M, "client finished", HMAC_Hash(All handshake messages)).
   b. In response to the above two messages, the server also sends its change_cipher_spec and finished messages. The content of its finished message is prepared using the string "server finished".
   c. Once a side has sent its finished message, it may begin to send and receive application data over the connection.
   d. Recipients of a finished message must verify its content from the other end. Otherwise an alert would be raised.
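The master secret, key material and finished computations from the sections above, as an added Python example (not code from the notes). It follows RFC 5246 for the two details the notes leave open: A(0) = seed and A(i) = HMAC_Hash(secret, A(i-1)), and the key expansion seed being Server Random + Client Random (the reverse of the master secret seed). The finished value is computed over the plain SHA-256 hash of the handshake transcript, as in the RFC. All randoms, the pre-master secret, the transcript and the key sizes (AES-128 with a SHA-256 MAC) are constructed sample values.

```python
# Added example (not from the lecture notes): the TLS-1.2 PRF of RFC 5246
# built from Python's hmac/hashlib, and the three places the handshake uses it.
# Secrets, randoms and the transcript below are constructed sample values.
import hashlib
import hmac

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, seed) = HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) + ...
    with A(0) = seed, A(i) = HMAC(secret, A(i-1)); output truncated to `length`."""
    out = b""
    a = seed                                          # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()         # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; seed order is Client Random + Server Random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Key expansion and partitioning in the RFC's fixed order. Note the seed is
    server_random + client_random here (RFC 5246 section 6.3)."""
    total = 2 * (mac_len + key_len + iv_len)
    km = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = km[offset:offset + size]
        offset += size
    return keys

def finished_verify_data(master: bytes, handshake_messages: bytes, client: bool) -> bytes:
    """verify_data = PRF(master, label, SHA-256(handshake_messages))[:12].
    A receiver that cannot reproduce this value raises a decrypt_error alert."""
    label = b"client finished" if client else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(master, label, transcript_hash, 12)

def demo():
    """Constructed handshake values: 32-byte randoms, 48-byte RSA pre-master."""
    cr = bytes(range(32))                   # constructed Client Random
    sr = bytes(range(32, 64))               # constructed Server Random
    pm = b"\x03\x03" + b"\x11" * 46         # version bytes + 46 'random' bytes
    m = master_secret(pm, cr, sr)
    keys = key_block(m, cr, sr, mac_len=32, key_len=16, iv_len=16)
    vd = finished_verify_data(m, b"<constructed handshake transcript>", client=True)
    return m, keys, vd

if __name__ == "__main__":
    m, keys, vd = demo()
    print(len(m), {k: len(v) for k, v in keys.items()}, vd.hex())
```

Swapping the order of the two randoms changes every derived key, which is why both ends must agree on the seed order exactly; the key block partition also shows where the "first x bits, then y bits" rule of the notes is applied.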
TLS Session and Connection
Session:
1. An association between a client and a server.
2. A session is created by the TLS Handshake Protocol.
3. A session is defined by cryptographic parameters.
4. Session parameters can be used across multiple connections to avoid the time consuming establishment of new security parameters.

Connection:
1. In TLS, a connection is a transport, that is, a peer-to-peer relationship. E.g. a client can exchange application data with a server, so there is a connection.
2. A connection is transient and associated with a session.

TLS Change Cipher Spec (CCS) Protocol
1. This is one of the TLS protocols which use the services of the TLS Record Protocol.
2. The phase-4 message of the TLS Handshake Protocol, change_cipher_spec, actually belongs to this protocol.
3. It consists of a single message with one byte, which is set to 1.
4. Once this message is sent, the pending state is copied to the current state, which updates the cipher suite to be used for this connection.

Change Cipher Spec: Protocol or Message?
1. The Change Cipher Spec protocol exists to signal transitions in ciphering strategies.
2. It is kept and termed as a logically separate protocol because it indicates that a new Cipher Specification is in force henceforth, though it contains a single message only.
3. If the handshake is successfully done but change_cipher_spec is not exchanged, the new Cipher Spec will not come into force.

Resuming Sessions
1. The client can use an older session id in the client_hello message to indicate that it wants to re-use an older session:
   a. The client wants to refresh the keys of the ongoing session.
   b. Or, the client wants to have a new connection on an older session.
2. In this case, if the server is not willing to reuse the session or if the session has expired, a new session id value will be put in the server_hello message.
3. When a connection is established by resuming a session, the new Client Random (CR) and Server Random (SR) values (exchanged through the Hello messages) are hashed with the old session's master secret (M). The generated hash is used to create the encryption and MAC keys.
4. An upper limit of 24 hours is suggested in RFC-5246 for the session id lifetime for having a new connection over an old session, after which the session id should expire.
5. On the other hand, if the client is using an empty session id, and the server can continue with the handshake, the server will put a new session id indicating a new session. In this case, all phases of the handshake will take place afresh.
6. If the server responds with an empty session id value, it indicates that the server is not going to cache the session details.

TLS Alert Protocol
1. This protocol is used to convey TLS related alerts to the peer entities.
2. Alert messages raised during the handshake phase will be in plaintext.
3. Alert messages would be protected after a connection is in progress.
4. Each message is of two bytes.
   a. The first byte tells warning (0x01) or fatal (0x02) to convey the severity of the message.
   b. The second byte indicates the specific alert description code.
   c. In case of fatal severity, TLS immediately terminates the connection. Other ongoing connections on this session may continue, but no new connection may be established for this session.

TLS Heartbeat Protocol
1. In computer networks, a heartbeat is a periodic signal generated to indicate normal operation or to synchronize the other parts of the system.
2. The Heartbeat Protocol in TLS was added later through RFC-6520, and its protocol type is defined in TLS-1.3.
3. It serves two purposes in TLS:
   a. It assures the sender that the receiver is still alive, even if there is no TCP traffic between the hosts for a while.
   b. It can also avoid pre-mature closure through firewalls during longer idle periods.
4. The use of heartbeat is negotiated through the handshake protocol via an extension parameter of TLS-1.3.
5. The protocol consists of two messages: heartbeat_request and heartbeat_response.
6. The heartbeat_request message includes payload length, payload and padding fields.
7. The heartbeat_response message must include an exact copy of the received payload.

TLS Record Protocol – Operation
1. The TLS Record Protocol provides two services to the application layer data:
   a. Integrity, through a Message Authentication Code (MAC).
   b. Confidentiality, through encryption.
2. First, each upper layer message is fragmented into 2^14 bytes or less (if the data is less).
3. Lossless compression is applied. It is optional. It should not increase the length by more than 1024 bytes.
4. A MAC is calculated and appended using the MAC keys obtained from the key material.
5. The resulting packet is encrypted using symmetric key encryption. The symmetric encryption keys are obtained from the key material.
6. The TLS Record Protocol Header is calculated and added to the resulting packet.
7. The resulting packet is pushed to the TCP layer.

TLS Record Protocol – Header
The TLS Record Protocol Header contains the following fields:
1. Content Type/Protocol (8 bits): The higher layer protocol which is using this record layer. The types are:
   a. change_cipher_spec (20)
   b. alert (21)
   c. handshake (22)
   d. application_data (23)
   e. heartbeat (24): added in TLS-1.3
   f. invalid (0): added in TLS-1.3
   Note: no distinction is made among the various applications (e.g. HTTP, FTP etc.). The content of application data is not visible to TLS: application independence.
2. Major Version (8 bits): Major Version of the TLS protocol. For TLS-1.2, it is 0x03.
3. Minor Version (8 bits): Minor Version of the TLS protocol. For TLS-1.2, it is also 0x03.
4. Length (16 bits): The length in bytes of the compressed (if compression is used) or uncompressed plaintext fragment. Should not exceed 2^14 bytes (when uncompressed) or (2^14 + 1024) bytes (when compressed).

Note:
1. Compression may sometimes increase the length of small packets for formatting/lookup table reasons. The increase must not exceed 1024 bytes, otherwise an error must be reported through the Alert protocol.
2. Symmetric encryption may also increase the length by up to 1024 bytes because of padding. If it exceeds this, an error must be reported through the Alert protocol.
3. Therefore, the total packet length before adding the TLS Record Protocol Header must not exceed 2^14 + 2048 bytes, otherwise an error must be reported through the Alert protocol.
4. On the receiver side, a fatal alert error is thrown if the decompressed fragment is larger than 2^14 bytes.

TLS Protocol Header Structures (figure)

TLS Protocol Message Formats (figures): Handshake Protocol; TLS Handshake Protocol Types; A Typical Client Hello Message; Application Data

Calculation of MAC
Calculation of the MAC is defined as follows:
   HMAC_Hash(MAC Key, Sequence Number + Content Type + Version + Length + Fragment)
1. MAC Key: obtained from the Key Material.
2. Sequence Number: put by the sender's record protocol sequentially from 0 to 2^64 - 1, one per record. It helps the receiver to detect missing or re-ordered TLS records.
3. Content Type: one of change_cipher_spec (20), alert (21), handshake (22), application_data (23), heartbeat (24) or invalid (0).
4. Version: Major and Minor Versions.
5. Length: length of the record fragment.
6. Fragment: the fragment itself.
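The record header and the MAC input just listed, as an added Python example (not code from the notes): it encodes and parses the 5-byte header, enforces the 2^14 + 2048 byte limit under the record_overflow alert name, decodes a two-byte alert body and builds the HMAC-SHA256 input in the order Sequence Number + Content Type + Version + Length + Fragment. The sample records and the MAC key are constructed values, and HMAC-SHA256 is assumed as the negotiated MAC.

```python
# Added example (not from the lecture notes): TLS record header layout,
# length checks, alert decoding and the MAC input of RFC 5246 section 6.2.
# Sample records and the MAC key are constructed values.
import hashlib
import hmac
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat", 0: "invalid"}
MAX_PLAINTEXT = 2 ** 14            # fragment limit before compression
MAX_CIPHERTEXT = 2 ** 14 + 2048    # limit after compression (+1024) and encryption (+1024)

def build_record(content_type: int, fragment: bytes, version=(3, 3)) -> bytes:
    """Header: type (1) + major (1) + minor (1) + length (2, big-endian), then the fragment."""
    if content_type not in CONTENT_TYPES:
        raise ValueError("unknown content type")
    if len(fragment) > MAX_CIPHERTEXT:
        raise ValueError("record_overflow")
    return struct.pack("!BBBH", content_type, version[0], version[1], len(fragment)) + fragment

def parse_record(data: bytes) -> dict:
    """Split one record off the front of `data`, rejecting oversized records first,
    as a receiver must do before it touches the fragment."""
    if len(data) < 5:
        raise ValueError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unexpected_message")
    if length > MAX_CIPHERTEXT:
        raise ValueError("record_overflow")          # fatal alert on the receiver
    if len(data) < 5 + length:
        raise ValueError("truncated fragment")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length,
            "fragment": data[5:5 + length], "rest": data[5 + length:]}

def parse_alert(fragment: bytes) -> dict:
    """Alert body: level (1 = warning, 2 = fatal) followed by the description code."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly two bytes")
    level = {1: "warning", 2: "fatal"}.get(fragment[0], "unknown")
    return {"level": level, "description": fragment[1], "close_notify": fragment[1] == 0}

def record_mac(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes,
               version=(3, 3)) -> bytes:
    """HMAC-SHA256 over seq (8) + type (1) + version (2) + length (2) + fragment.
    The 64-bit sequence number is implicit on the wire, so a replayed or
    reordered record fails this check even though its bytes are unchanged."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def demo():
    alert_record = build_record(21, bytes([1, 0]))        # warning, close_notify
    rec = parse_record(alert_record)
    alert = parse_alert(rec["fragment"])
    mac = record_mac(b"constructed-mac-key", 0, 23, b"GET / HTTP/1.1\r\n")
    return rec, alert, mac

if __name__ == "__main__":
    rec, alert, mac = demo()
    print(rec["type"], rec["version"], alert, mac.hex())
```

The constructed alert record is the seven bytes 15 03 03 00 02 01 00; the parser reports it as a TLS-1.2 alert of length 2 carrying a warning-level close_notify. Changing only the sequence number passed to record_mac changes the MAC, which is the property that lets the receiver detect the reordering the notes describe.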
TLS Protocol Message Examples - Change Cipher Spec and Alert Protocols (figure)

TLS Connection Closure
1. If either the client or the server wants to close the connection, it can send a TCP FIN segment to indicate that.
2. This solution is not elegant, because an intruder may also come in as the man-in-the-middle and send a TCP FIN. This is called a Truncation Attack.
3. TLS is not truncation attack safe.
4. The TLS Alert Protocol provides an elegant way by using Alert Code 0 (close_notify).
5. Reception of a TCP FIN before close_notify is an indication of abnormal termination.
6. If a peer receives a TCP FIN before the TLS alert close_notify, it can take preventive measures for graceful closure, e.g.
   generating the close_notify from its end and clearing the resources allocated.

Transport Layer Security for UDP
1. Unlike TCP, UDP suffers from issues like packet reordering and loss.
2. Any protocol expected to provide security services for UDP first needs to deal with the above issues.
3. IETF RFC-6347 is an attempt to standardize Datagram Transport Layer Security (DTLS).
4. Example: WebRTC uses DTLS (WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs).

TLS Handshake Protocol: Summary (figure)

Exercise
1. During the TLS Handshake Protocol, Phase-1 of establishing security capabilities, random numbers are exchanged. They are used in calculating the master secret. How does this prevent replay attacks?
2. What could be the possible reasons that a client needs to explicitly provide the verification of its certificate and the server does not?
3. Do you agree that an intruder may remove the difficult-to-crack cryptographic algorithms during the TLS Handshake Protocol in phase-1 of establishing security capabilities? Justify your answer.
4. Do you agree that an intruder may alter the sequence of TLS records? Justify your answer.
5. A few bogus clients try to bring down an e-commerce server in these two ways. How does TLS provide protection?
   a. TCP SYN flooding
   b. Sending multiple client_hello messages
6. A hex dump is captured starting from the TCP header (no optional fields) as: 01 bb e5 9c 2d 52 f7 09 64 81 29 15 50 18 34 cd 86 75 00 00 16 03 03 0a f5 0b. Identify who is sending this message and all the message bytes (with meaning) carried in this TCP segment.

Remote Login and Security
1. Remote Login is a client-server program and protocol that provides an interactive command line interface to a remote computer, using a protocol over a computer network, simulating a locally attached terminal.
2. There are remote login facilities like telnet and rlogin, which are insecure.
3. Secure Shell (SSH) aims to provide a secure login to a remote server.
4. SSH allows a user to run commands at a machine's command prompt without being physically present near the machine. It also allows a user to establish a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server.

SSH Protocol Stack - IETF RFC-4251
1. SSH is organized as three protocols:
2. Transport Layer Protocol: It provides the following:
   a. Server Authentication
   b. Data Confidentiality
   c. Data Integrity
   d. Compression (optional)
3. User Authentication Protocol: It authenticates the user to the server.
4. Connection Protocol: Multiplexes multiple logical channels over a single underlying SSH connection.
5. These SSH sublayers typically run on top of TCP/IP.

SSH Transport Layer Protocol - IETF RFC-4253
Once the TCP connection is established, the following messages are exchanged between client and server:
1. ID String Exchange: Client and server exchange SSH protocol and software version identification strings. E.g. SSH-2.0-newBranch_3.3.1 <Space> comments <CR><LF>
2. Algorithm Negotiation: Lists of key exchange methods, encryption, MAC and compression algorithms are exchanged.
3. Key Exchange: Using the client and server side messages exchanged in steps 1 and 2 and Diffie-Hellman key exchange parameters, both client and server arrive at a common master key (K). The client can also optionally authenticate the server. K is used to generate the other keys.
4. End of Key Exchange: Each side sends SSH_MSG_NEWKEYS to indicate that it will now start using the negotiated encryption, MAC and compression algorithms with the keys derived from K.
5. Service Request: The client requests a service with SSH_MSG_SERVICE_REQUEST (ssh-userauth for the User Authentication Protocol, ssh-connection for the Connection Protocol). All data exchanged from this point on (i.e. after SSH_MSG_NEWKEYS) is encrypted and MAC protected.

Packet Formation

1. Packet Length (4 Bytes): Length of the packet in bytes, not including the MAC or the packet length field itself.
2. Padding Length (1 Byte): Length of the padding in bytes.
3. Payload (n Bytes): The message itself (compressed, if compression was negotiated).
4. Padding (n Bytes): Random padding of at least 4 and at most 255 bytes, chosen so that the total length of (packet length || padding length || payload || padding) is a multiple of the cipher block size or 8, whichever is larger.
5. Message Authentication Code (MAC, m Bytes, where m is fixed by the negotiated MAC algorithm, e.g. 32 for hmac-sha2-256): If a MAC is negotiated, it is calculated over the sequence number (Seq #) followed by the entire unencrypted packet. The sequence number is not transmitted. Each side maintains it separately: it starts at 0 for the first packet, is incremented after every packet and wraps after 2^32 packets; it is never reset, even when keys are renegotiated. A MAC is optional in SSH, but in that case "none" must be listed in the MAC algorithm list.

SSH User Authentication Protocol – IETF RFC-4252

1. The SSH server may send an SSH_MSG_USERAUTH_BANNER message at any time after this authentication protocol starts and before authentication is successful.
2. The client sends SSH_MSG_USERAUTH_REQUEST with a username, the service name (ssh-connection) and the requested authentication method "none".
3. The server checks the username. If the username is not valid, the server returns SSH_MSG_USERAUTH_FAILURE with the partial success value FALSE. (RFC-4252 advises the server not to reveal whether the username exists, e.g. by returning the same list of methods in both cases; otherwise the failure message becomes a username-enumeration oracle.)
4. If the username is valid, the server returns SSH_MSG_USERAUTH_FAILURE with a list of one or more authentication methods that can continue.
5. The client selects an acceptable authentication method and sends SSH_MSG_USERAUTH_REQUEST with the necessary authentication fields.
6. If the authentication succeeds but the server requires further authentication, it again proceeds from step 4 with the partial success value TRUE. If the authentication failed, it proceeds from step 4 with the partial success value FALSE.
7. When all required authentications have succeeded, the server sends SSH_MSG_USERAUTH_SUCCESS.

Sample Banner Supplied by the Server before Authentication

Authentication Methods

1. Password: The client sends a message containing the plaintext password, which is protected only by the encryption of the Transport Layer Protocol.
2. Public Key: The client sends a message containing its public key and a signature, made with the matching private key, over the session identifier and the request fields (so the signature cannot be replayed in another session). When the server receives this message, it checks whether the supplied key is acceptable for authentication of that user and, if so, whether the signature is correct.
3. Host Based: Authentication is performed for the client's host rather than for the user. Thus a host that supports multiple users provides authentication for all of them. The client sends a signature created with the private key of the client host; rather than directly verifying the user's identity, the SSH server verifies the identity of the client host (and trusts that host to have verified the user).

SSH Connection Protocol

IETF RFC-4254

1. An authenticated transport layer connection created by SSH is called a tunnel. A tunnel can be used to multiplex a number of logical channels.
2. For each channel, client and server each associate a unique local channel number (the two numbers need not be the same).
3. Channels are flow controlled using a window mechanism.
4. The life of a channel progresses through three stages:
   a. Opening
   b. Data Transfer
   c. Closing
5. SSH_MSG_CHANNEL_OPEN: This message is sent when either side wishes to open a channel.
6. SSH_MSG_CHANNEL_OPEN_CONFIRMATION: This message is returned when the remote side is able to open the channel; otherwise SSH_MSG_CHANNEL_OPEN_FAILURE is returned.
7. SSH_MSG_CHANNEL_DATA: Once the channel is opened, data is exchanged using this message.
8. SSH_MSG_CHANNEL_CLOSE: Either side can close the channel using this message.

Sample Message Format (fields of SSH_MSG_CHANNEL_OPEN)

1. Channel Type: the application for this channel.
2. Sender Channel: the local channel number of the side sending the message.
3. Initial Window Size: how many bytes of channel data can be sent to the sender of this message without adjusting the window.
4. Maximum Packet Size: the maximum size of an individual data packet that can be sent to the sender. For example, one might want to use smaller packets for interactive connections to get better interactive response on slow links. (The window is enlarged with SSH_MSG_CHANNEL_WINDOW_ADJUST; for details refer to RFC-4254.)

Channel Types

1. session: The remote execution of a program. The program may be a shell, an application such as file transfer or email, a system command, or some built-in subsystem. Once a session channel is opened, subsequent requests are used to start the remote program.
2. x11: This refers to the X Window System, a computer software system and network protocol that provides a graphical user interface (GUI) for networked computers. X allows applications to run on a network server but to be displayed on a desktop machine.
3. forwarded-tcpip: This is remote port forwarding. Details follow.
4. direct-tcpip: This is local port forwarding. Details follow.

Port Forwarding – Local Forwarding

SSH port forwarding (SSH tunnelling) forwards a TCP connection arriving at one port to another host and port, carrying it inside the SSH connection. The forwarding can be set up on either the SSH client side (local forwarding) or the SSH server side (remote forwarding).

Local Forwarding (direct-tcpip):

1. Suppose information exchange between the client and a destination server takes place over an insecure channel.
2. An SSH tunnel is established between the client and an SSH server.
3. The SSH client is configured to accept any traffic arriving at port A on the client side that is meant for the destination (e.g. ssh -L A:destination:port user@sshserver).
4. For each such connection the SSH client asks the SSH server (SSH_MSG_CHANNEL_OPEN of type direct-tcpip) to open a connection to the destination server; that last hop may be insecure.
5. The traffic is sent over the SSH tunnel to the SSH server.
6. The SSH server forwards it to the destination server.
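As an added example (not from the original notes, and not OpenSSH code), the Packet Formation rules above and the SSH_MSG_CHANNEL_OPEN message for a direct-tcpip channel, which is what an SSH client sends for each locally forwarded connection. It assumes hmac-sha2-256 and a 16-byte cipher block were negotiated, uses a constructed MAC key, and leaves encryption out so that the framing stays visible; the host names, ports and channel numbers are made up for the demo.

```python
"""SSH-2 framing (RFC 4253, section 6) and an SSH_MSG_CHANNEL_OPEN of type
direct-tcpip (RFC 4254, section 7.2). Added example for these notes, not
OpenSSH code. Assumes hmac-sha2-256 and a 16-byte cipher block; MAC_KEY is a
constructed test value; encryption is omitted so the framing stays visible
(on the wire everything but the MAC would be encrypted)."""
import hashlib
import hmac
import os
import struct

SSH_MSG_CHANNEL_OPEN = 90
BLOCK_SIZE = 16                  # cipher block size from algorithm negotiation
MAC_LEN = 32                     # hmac-sha2-256 output length
MAC_KEY = bytes(range(32))       # constructed; a real key is derived from K and H


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def channel_open_direct_tcpip(sender_channel, window, max_packet,
                              host, port, orig_host, orig_port) -> bytes:
    """Payload asking the server to connect to host:port on the client's
    behalf (local forwarding); orig_* identify the connection being forwarded."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + ssh_string(host.encode()) + struct.pack(">I", port)
            + ssh_string(orig_host.encode()) + struct.pack(">I", orig_port))


def build_packet(payload: bytes, seq: int) -> bytes:
    """packet_length | padding_length | payload | padding | MAC.
    Padding: at least 4 random bytes, making everything before the MAC a
    multiple of max(block size, 8). MAC = HMAC(key, seq || unencrypted packet);
    seq is never sent, each side counts packets itself."""
    align = max(BLOCK_SIZE, 8)
    pad_len = align - (4 + 1 + len(payload)) % align
    if pad_len < 4:
        pad_len += align
    body = (struct.pack(">IB", 1 + len(payload) + pad_len, pad_len)
            + payload + os.urandom(pad_len))
    mac = hmac.new(MAC_KEY, struct.pack(">I", seq) + body, hashlib.sha256).digest()
    return body + mac


def parse_packet(data: bytes, seq: int) -> bytes:
    """Verify the MAC under the receiver's own sequence number, then unframe.
    A replayed or reordered packet fails here because seq no longer matches."""
    body, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, struct.pack(">I", seq) + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad MAC: forged, replayed or reordered packet")
    packet_len, pad_len = struct.unpack(">IB", body[:5])
    if packet_len != len(body) - 4 or pad_len < 4:
        raise ValueError("bad length fields")
    return body[5:5 + packet_len - 1 - pad_len]


def parse_direct_tcpip(payload: bytes) -> dict:
    """Decode the fields of a direct-tcpip CHANNEL_OPEN payload."""
    if payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not a CHANNEL_OPEN")
    pos = 1

    def take_string() -> bytes:
        nonlocal pos
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4 + n
        return payload[pos - n:pos]

    def take_uint32() -> int:
        nonlocal pos
        pos += 4
        return struct.unpack(">I", payload[pos - 4:pos])[0]

    ctype = take_string().decode()
    sender, window, max_packet = take_uint32(), take_uint32(), take_uint32()
    host, port = take_string().decode(), take_uint32()
    orig_host, orig_port = take_string().decode(), take_uint32()
    return {"type": ctype, "sender": sender, "window": window, "max_packet": max_packet,
            "host": host, "port": port, "orig_host": orig_host, "orig_port": orig_port}


def demo():
    """Client frames a forward request as its packet number 7; the server
    unframes it; the same bytes replayed later (expected seq 8) are rejected."""
    payload = channel_open_direct_tcpip(0, 2 ** 21, 32768,
                                        "intranet.example", 80, "127.0.0.1", 51234)
    pkt = build_packet(payload, seq=7)
    fields = parse_direct_tcpip(parse_packet(pkt, seq=7))
    try:
        parse_packet(pkt, seq=8)
        replay_detected = False
    except ValueError:
        replay_detected = True
    return fields, len(pkt), replay_detected


if __name__ == "__main__":
    print(demo())
```

The replay check in demo() is the point of the sequence number in the MAC: the bytes on the wire are unchanged, but the receiver's counter has moved on, so the MAC no longer verifies.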
Port Forwarding – Remote Forwarding

1. Suppose the destination server is behind a firewall and cannot be reached by a client at some other location.
2. From the destination side, an SSH tunnel can be established to the outside SSH server, because outbound connections are normally allowed (note that the firewall may not allow an SSH connection from the other side).
3. The SSH server (on the outside) is configured to listen on port A and to send connections arriving there back through the tunnel (forwarded-tcpip channels); the SSH client on the inside delivers them to the destination server (e.g. ssh -R A:destination:port user@sshserver, run from the inside).

Exercise

1. Other than message authentication, what is the other advantage of using the MAC field in the SSH Transport Protocol? (Clue: the MAC calculation includes the sequence number.)
2. Unlike the TLS Record Protocol, why does the SSH Transport Protocol not do segmentation? (Clue: Initial Window Size and Maximum Packet Size in the SSH Connection Protocol.)
3. Research and identify a few applications of SSH port forwarding.
4. Do you think remote port forwarding through SSH is itself a security threat because it may bypass a firewall? Then why is it provided? Justify your answer.
5. Unlike the TLS Record Protocol, why is it not required for the client application (if any) to have a direct interface with the SSH Transport Layer Protocol?

Message Integrity and Message Authentication

Integrity Attacks

In this session, we primarily discuss protection against the first two types of integrity attack: Modification and Masquerading.

Hashing Technique Basic Operation

Hash Function

1. The hashing function takes an input m and produces a fixed-size code H(m) as output. The output is called the hash code or the digest.
2. The Cyclic Redundancy Check (CRC) used in layer-2 networking protocols is a kind of hashing function (but not a cryptographic one: CRC is linear, so an attacker can adjust a message so that its CRC stays unchanged).
3. For security it is a must that it be computationally infeasible to find another message n for which H(n) = H(m).
4. The above property essentially means that an intruder should not be able to substitute or alter the original message while keeping the hash code intact.
5. The hashing function, and thus the hash code, is used for data integrity checking.
6. Checksum: an example of a poor hashing function; the message is altered but the checksum (hash code) does not change:
7. In cryptography, a hash function (H) accepts a variable-length message (M) and produces a fixed-size hash value (h). Mathematically, h = H(M). Here h is called the hash code, digest, hash sum etc.
8. A good hash function is expected to produce random-looking, evenly distributed hash codes, all of the same size.
9. It is an important concept for network security because:
   a. Irrespective of the length of the input message, the hash code length is always the same. Storage and transmission overhead can be estimated.
   b. Even for a small change in the contents of the message, the hash code will turn out to be different, so it can detect whether the message was subject to a modification attack (provided the hash value itself is protected: an unkeyed hash sent alongside the message can simply be recomputed by the attacker, which is why a MAC is needed for authentication).
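Added example (not from the notes) making item 6 above concrete: a ones'-complement 16-bit checksum of the kind used by IP and TCP depends only on which words occur, not on their order, so swapping the two account numbers in a constructed payment record leaves the checksum unchanged while SHA-256 changes. The record format and the checksum16 helper are this example's own.

```python
"""Why an additive checksum is a poor hash: two different messages share the
checksum, so the altered one passes an integrity check, whereas a
cryptographic hash (SHA-256) changes. Added example for these notes, not from
the page; the 'payment record' below is constructed."""
import hashlib


def checksum16(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, the style of the IP/TCP checksum.
    Addition is commutative, so reordering the words cannot be detected."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Attacker's edit: exchange 16-bit words i and j (the sum is unchanged)."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)


def integrity_check(original: bytes, received: bytes, hash_fn) -> bool:
    """Receiver recomputes hash_fn on what it got and compares with the sender's value."""
    return hash_fn(original) == hash_fn(received)


def demo():
    """Constructed record '1234=>5678' (account 1234 pays account 5678).
    Swapping words 0,1 with 3,4 reverses the direction of the payment."""
    original = b"1234=>5678"
    forged = swap_words(swap_words(original, 0, 3), 1, 4)       # b"5678=>1234"
    weak_passes = integrity_check(original, forged, checksum16)  # True: undetected
    strong_passes = integrity_check(original, forged, sha256_digest)  # False
    return forged, weak_passes, strong_passes


if __name__ == "__main__":
    print(demo())
```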
Hash Function Properties

1. A hash function (H) can be applied to a block of message (data) of any size.
2. H produces a fixed-length output irrespective of the length of the message.
3. H(x) is relatively easy to compute for any given message x, making both hardware and software implementations practical.
4. For any given hash code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or pre-image resistant.
5. For any given block of message x, it is computationally infeasible to find another message y where y ≠ x and H(y) = H(x). A hash function with this property is referred to as second pre-image resistant.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as (strong) collision resistant. (Because of the birthday paradox a collision can be found in about 2^(n/2) trials for an n-bit hash, against 2^n for a pre-image, so collision resistance is the first property to fail when the hash size is too small.)
7. A hash function that satisfies all six properties above is called a strong hash function.

Secure Hash Algorithm (SHA)

1. The most widely used family of hash functions.
2. Developed by NIST in 1993 as part of FIPS-180, later known as SHA-0.
3. Iterative improvements:
   a. SHA-1 in 1995 (RFC-3174)
   b. SHA-2 in 2002 (FIPS-180-2, -3 and -4, and RFC-6234)
      i. SHA-2 has variants producing hash codes of 256, 384 and 512 bits, known as SHA-256, SHA-384 and SHA-512 respectively.
      ii. A 224-bit version was published in 2008.
      iii. Truncated variants SHA-512/224 and SHA-512/256 were added in FIPS-180-4.
   c. SHA-3 (Keccak), selected in 2012 and published as FIPS-202 in 2015.
4. SHA-256 and SHA-512 are the variants in common commercial use. SHA-1 should be treated as broken for collision resistance (practical collisions were demonstrated in 2017) and is no longer acceptable for signatures or certificates.
5. SHA-0, SHA-1 and SHA-2 follow the Merkle-Damgård construction of the Message Digest (MD) algorithms developed by Ron Rivest of MIT; SHA-3 uses a different (sponge) construction.

SHA-512

Step-1: Append Padding Bits & Step-2: Append Length

1. It takes a message of fewer than 2^128 bits and produces a 512-bit message digest. Do not worry; that limit is far beyond any realistic message (it would be yottabytes of data).
2. The input is processed in blocks of 1024 bits.
3. The message is first padded so that its length ≡ 896 (mod 1024) bits.
4. Padding is always added, even if the message is already of the desired length. The number of padding bits is in the range 1 to 1024.
5. The padding consists of a single 1 bit followed by the necessary number of 0 bits.
6. To this padded message, the length of the original message (before padding) is appended as an unsigned 128-bit integer, most significant byte first.
7. The message is now a multiple of 1024 bits (896 + 128 = 1024), which is treated as blocks of 1024 bits each (M1, M2, ..., MN).
8. Each block of 1024 bits is viewed as 16 words (W), where each word is 64 bits or 8 bytes.

Top Level View

Observations:

1. There is an initial value of 512 bits which is the input to the first block's compression function.
2. Each of the original message blocks of size 1024 bits is fed into its corresponding compression function.
3. Each block of 1024 bits produces 512 bits after the compression function.
4. The output of one compression function is fed to the compression function of the next block (chaining).
5. The compression function of the Nth block produces the final 512-bit hash code.

Step-3: Initial Value

1. A 512-bit buffer is used to hold the intermediate and the final results of the hash function.
2. The buffer can be represented as eight 64-bit registers (A, B, C, D, E, F, G, H).
3. These registers are initialized to the following 64-bit integers in hexadecimal (the initial value):
A = 6A 09 E6 67 F3 BC C9 08
B = BB 67 AE 85 84 CA A7 3B
C = 3C 6E F3 72 FE 94 F8 2B
D = A5 4F F5 3A 5F 1D 36 F1
E = 51 0E 52 7F AD E6 82 D1
F = 9B 05 68 8C 2B 3E 6C 1F
G = 1F 83 D9 AB FB 41 BD 6B
H = 5B E0 CD 19 13 7E 21 79
4. These values are obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, 19):
   • First prime number = 2; its square root is 1.414...
   • Multiply the fractional part (0.414...) by 2^64
   • Take the integer part of the result and write it in hexadecimal: 16 hex digits = 64 bits (for 2 this gives 6A09E667F3BCC908, the value of A above).

Step-4: Compression Function

Inside Each Round of Compression Function

1. Each compression function consists of 80 rounds, 0 to 79.
2. Its input is the 512 bits of the Initial Value (for the first block) or the output of the previous block.
3. The input to each round is the output of the previous round.
4. Each round also takes a constant Kt as input (K0 to K79, listed in Appendix-A; they are the first 64 bits of the fractional parts of the cube roots of the first 80 primes).
5. Each round also takes a word Wt as input (W0 to W79): W0 to W15 are the 16 words of the message block and W16 to W79 are derived from them (see Derivation of Wi below).
6. The output of round 79 is added to the input of round 0, each of the 8 words independently, in modulo 2^64 arithmetic.
7. The final output is the input to the next block (or the final hash code after N blocks).
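Added example implementing Steps 1 to 4 as described above (not the notes' own code, not NIST's reference code, and not a replacement for hashlib, which is used only to check the result): the padding, the initial value derived from the square roots of the first eight primes, the round constants derived from the cube roots of the first 80 primes, the message schedule (Derivation of Wi) and the 80-round compression function. Because maj and ch work bit by bit, calling them on single hexadecimal digits also answers the exercise questions that follow.

```python
"""SHA-512 from the description in the notes (FIPS 180-4): padding, the
initial value and round constants derived from square/cube roots of primes,
the message schedule and the 80-round compression function.
Added example for these notes; not NIST's reference code and not a
replacement for hashlib, which is used here only to check the result."""
import hashlib

MASK64 = (1 << 64) - 1


def primes(n):
    """First n primes by trial division (n is at most 80 here)."""
    found, p = [], 2
    while len(found) < n:
        if all(p % q for q in found if q * q <= p):
            found.append(p)
        p += 1
    return found


def iroot(x, k):
    """Largest integer r with r**k <= x, by binary search (exact, no floats)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def frac_bits(p, k):
    """First 64 bits after the binary point of the k-th root of p:
    floor(root * 2**64) mod 2**64 (the integer part is masked away)."""
    return iroot(p << (64 * k), k) & MASK64


H0 = [frac_bits(p, 2) for p in primes(8)]    # Step-3 initial value, registers A..H
K = [frac_bits(p, 3) for p in primes(80)]    # round constants K0..K79 (Appendix-A)


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def ch(e, f, g):
    """Conditional: take bits of f where e is 1, of g where e is 0."""
    return (e & f) ^ (~e & g)


def maj(a, b, c):
    """Majority: each result bit is the majority vote of the three inputs."""
    return (a & b) ^ (a & c) ^ (b & c)


def pad(msg: bytes) -> bytes:
    """Steps 1-2: a 1 bit, 0 bits up to 896 mod 1024, then the 128-bit length."""
    bit_len = 8 * len(msg)
    msg += b"\x80"
    msg += b"\x00" * ((112 - len(msg)) % 128)
    return msg + bit_len.to_bytes(16, "big")


def schedule(block: bytes):
    """W0..W15 are the block's 16 words; W16..W79 are derived from them."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    return w


def compress(state, block: bytes):
    """Step-4: 80 rounds, then add the round-79 output to the round-0 input
    word by word modulo 2**64."""
    a, b, c, d, e, f, g, h = state
    w = schedule(block)
    for t in range(80):
        big_s1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
        t1 = (h + big_s1 + ch(e, f, g) + K[t] + w[t]) & MASK64
        big_s0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
        t2 = (big_s0 + maj(a, b, c)) & MASK64
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK64, a, b, c, (d + t1) & MASK64, e, f, g
    return [(x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha512(msg: bytes) -> bytes:
    state = H0
    data = pad(msg)
    for i in range(0, len(data), 128):      # blocks M1 .. MN
        state = compress(state, data[i:i + 128])
    return b"".join(x.to_bytes(8, "big") for x in state)


def matches_hashlib(msg: bytes) -> bool:
    return sha512(msg) == hashlib.sha512(msg).digest()


if __name__ == "__main__":
    print(sha512(b"abc").hex())
```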

Derivation of Wi

Exercise:

1. When the Majority function is applied to buffers A, B and C, and the leftmost hexadecimal digits of these buffers are 0x7, 0xA,
and 0xE respectively, what is the leftmost digit of the result? (Answer: 0xE)
2. When the Conditional function is applied to buffers E, F and G, and the leftmost hexadecimal digits of these buffers are 0x9, 0xA and 0xF respectively, what is the leftmost digit of the result? (Answer: 0xE)
3. Expand the formula to calculate W60 in SHA-512.

Message Digests (MD)

1. The Message Digest algorithms (MD2, MD4, MD5 and MD6) are different hash functions designed by Ron Rivest, professor at MIT, from 1989 onwards. They were standardized by the IETF in the form of RFCs, and their design was adapted by NIST for SHA:
   a. MD4: RFC-1320
   b. MD5: RFC-1321
   c. MD6: proposed to NIST for the SHA-3 competition.
2. The operational structure of MD is similar to SHA. (MD4 and MD5 are broken: MD5 collisions can be generated in seconds on a PC, so neither should be used where collision resistance matters.)

Message Authentication

1. A hash code does not authenticate the sender of the message.
2. To provide message authentication, the sender needs to provide proof that it is "the sender" sending the message and not an impostor.
3. The hash code created by a cryptographic hash function (e.g. SHA) is normally called a Modification Detection Code (MDC).
4. What we need for message authentication is a Message Authentication Code (MAC), a hash-like value that also depends on a secret key shared by sender and receiver.

Message Authentication Code (MAC)

• MACS is the MAC calculated by the sender.
• MACR is the MAC calculated by the receiver.
• MACS and MACR must be the same to declare that the message is authenticated (content is unaltered and the sender is who it is expected to be). The receiver should compare them in constant time; a byte-by-byte comparison that stops at the first mismatch leaks, through timing, how many leading bytes of a forged MAC were right.

Types of MAC

Hashed MAC (HMAC) Structure

1. The objective is to generate an HMAC of n bits.
2. The message (M) is divided into blocks of b bits (M0 to MN).
3. A shared secret key K is selected. If it is shorter than b bits, 0s are appended to make it b bits long (a key longer than b bits is first hashed down to n bits).
4. iPAD is the fixed value 0x36 repeated b/8 times, so it is b bits long.
5. K is XORed with iPAD and the output Si is prepended to the message blocks.
6. The hash function is applied to the combined data and generates a hash code of n bits.
7. This n-bit inner hash code is appended to So (see below); the hash function's own padding then extends it to a full block (RFC-2104 adds no explicit zero padding here).
8. oPAD is the fixed value 0x5C repeated b/8 times, so it is b bits long.
9. K is again XORed with oPAD and the output So is prepended to the inner hash code calculated earlier.
10. The hash is calculated again on this prepared block, and the final hash value is the desired HMAC of the message M using key K: HMAC(K, M) = H((K ⊕ oPAD) || H((K ⊕ iPAD) || M)).

Polynomial Representation For Binary Words

A b-bit word a(b-1) ... a1 a0 is read as the polynomial a(b-1)·x^(b-1) + ... + a1·x + a0 with coefficients in {0, 1}; e.g. 1011 = x^3 + x + 1.

Polynomial Addition ⊕

Coefficients are added modulo 2, i.e. the words are XORed: (x^3 + x + 1) ⊕ (x^2 + x) = x^3 + x^2 + 1, or 1011 ⊕ 0110 = 1101.

Polynomial Multiplication ⊗

Ordinary polynomial multiplication with coefficients modulo 2 (no carries between bit positions), followed by reduction modulo the irreducible polynomial of the field so that the degree stays below m: e.g. in GF(2^4) with x^4 + x + 1, (x^3 + 1) ⊗ x = x^4 + x = (x + 1) + x = 1.
Polynomial Division

Long division of polynomials over GF(2), with XOR in place of subtraction; the remainder on division by the field's irreducible polynomial is the reduced result used in the multiplication above.

GF: Galois or Finite Field, a field with a finite count of elements and operators that follow certain rules. The concept is an extension of Groups and Rings, which are discussed in Cryptography.

Cipher based MAC (CMAC) Structure

1. The objective is to generate an n-bit CMAC.
2. The message M is divided into N blocks each having b bits. If the last block is not b bits long, it is padded with a single 1 bit followed by the required number of 0s.
3. The first block is encrypted using the symmetric key K and the output is XORed with the second block of the message. The result of the XOR is again encrypted with K.
4. The procedure continues until there is no block left to process (this is CBC-MAC chaining).
5. In the processing of the last block, one more key k is also XORed in before encryption: K1 if the last block was complete, K2 if padding was applied.
6. The output of the last block encryption, truncated to its leftmost n bits, is the CMAC. (The subkeys are what make CMAC secure for messages of variable length; plain CBC-MAC without them can be forged by concatenating messages.)

CMAC: Additional Key Generation

1. A block of b zero bits is encrypted with the symmetric key K; call the output L.
2. L is multiplied by x to obtain K1, the subkey used if no padding was applied to the original message.
3. L is multiplied by x^2 (i.e. K1 multiplied by x once more) to obtain K2, the subkey used if padding was applied.
4. The multiplication is in GF(2^b).
5. Normally b = 64 or 128. The irreducible polynomials x^64 + x^4 + x^3 + x + 1 and x^128 + x^7 + x^2 + x + 1 respectively are used to reduce the product to the required degree. In practice, multiplying by x is a left shift by one bit; if the bit shifted out is 1, the constant 0x1B (b = 64) or 0x87 (b = 128) is XORed into the result.
6. The output k (K1 or K2) is used in the last block processing of CMAC.

Exercise

A student tries to develop a new hashing algorithm. In it the size of the hash code is one byte and its initial value is 0. The hash function works for the English language only and is case independent. It takes a character, adds it to the value modulo 26 and then moves to the next character, and so on.
• Calculate the hash code for the word "CRYPT".
• Explain whether you see any flaw in this hash function.

Security at the Network Layer

IP Security: Key Idea

1. The layer-3 network layer (the IP layer in the TCP/IP protocol stack) adds the IP header to construct a layer-3 PDU.
2. As discussed in the previous slide, the important requirement is complete blanket security coverage. So let us encrypt the whole layer-3 PDU for confidentiality.
3. If the IP header is also encrypted, how will the IP datagram be routed in the network?
   a. No network element will know the source and destination IP addresses (part of the IP header).
   b. There may be many intermediate network devices between source and destination. To which of them would the decryption key have to be given?
4. What happens to authentication and integrity?
   a. We achieve confidentiality in the above point, but the destination cannot check authentication and integrity.
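Added example (not from the notes) before moving on to the network layer: HMAC as in the ten steps above, checked against Python's hmac module; polynomial multiplication in GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1; and CMAC with its subkey generation. The standard library has no AES, so cmac() takes any 16-byte block encryption function as a parameter. The subkey step is checked with the L, K1, K2 test vector of RFC-4493; the chaining demo uses a stand-in function built from SHA-256 that is labelled as such and is not a block cipher.

```python
"""HMAC (RFC 2104) step by step, polynomial arithmetic in GF(2^128) and CMAC
(NIST SP 800-38B / RFC 4493) with its subkey generation. Added example for
these notes, not from the page. The standard library has no AES, so cmac()
takes any 16-byte block encryption function; demo_cipher() is a stand-in
built from SHA-256 for running the chaining and is NOT a block cipher."""
import hashlib
import hmac

B = 16                    # block size in bytes (b = 128 bits)
R128 = 0x87               # x^128 + x^7 + x^2 + x + 1 with the x^128 term dropped
MASK128 = (1 << B * 8) - 1


def hmac_sha256(key: bytes, msg: bytes, block_size: int = 64) -> bytes:
    """HMAC = H((K xor opad) || H((K xor ipad) || M)), b = 512 bits for SHA-256."""
    if len(key) > block_size:                      # longer than b bits: hash it first
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")           # zeros appended on the right
    s_i = bytes(k ^ 0x36 for k in key)             # K xor ipad
    s_o = bytes(k ^ 0x5C for k in key)             # K xor opad
    inner = hashlib.sha256(s_i + msg).digest()     # n-bit inner hash
    return hashlib.sha256(s_o + inner).digest()    # inner hash appended as-is


def hmac_matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


def gf_mul_x(a: int) -> int:
    """Multiply a polynomial (as a 128-bit int) by x: shift left, and if an
    x^128 term appears replace it by x^7 + x^2 + x + 1 (the division remainder)."""
    a <<= 1
    if a >> 128:
        a = (a & MASK128) ^ R128
    return a


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication with reduction: add a*x^i for each set bit i of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = gf_mul_x(a)
        b >>= 1
    return result


def cmac_subkeys(L: int):
    """K1 = L*x (last block complete), K2 = L*x^2 (last block padded)."""
    k1 = gf_mul_x(L)
    return k1, gf_mul_x(k1)


def xor_blocks(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def cmac(encrypt_block, msg: bytes, tag_len: int = B) -> bytes:
    """CBC-MAC chain over all but the last block; the last block is XORed with
    the chain value and K1 (complete) or K2 (padded with 1 then 0s), encrypted,
    and the leftmost tag_len bytes are the CMAC."""
    L = int.from_bytes(encrypt_block(bytes(B)), "big")     # E_K(0^b)
    k1, k2 = cmac_subkeys(L)
    n_full, rem = divmod(len(msg), B)
    if msg and rem == 0:
        body, last, subkey = msg[:-B], msg[-B:], k1
    else:
        body = msg[:n_full * B]
        last = (msg[n_full * B:] + b"\x80").ljust(B, b"\x00")
        subkey = k2
    chain = bytes(B)
    for i in range(0, len(body), B):
        chain = encrypt_block(xor_blocks(chain, body[i:i + B]))
    final = xor_blocks(xor_blocks(chain, last), subkey.to_bytes(B, "big"))
    return encrypt_block(final)[:tag_len]


def demo_cipher(key: bytes):
    """Stand-in for AES-128 so the chaining runs offline: E(x) = SHA-256(key||x)[:16].
    Keyed and deterministic but not a permutation; never use it as a cipher."""
    return lambda block: hashlib.sha256(key + block).digest()[:B]


if __name__ == "__main__":
    E = demo_cipher(b"constructed-key")
    print(cmac(E, b"The quick brown fox").hex())
```

With a real AES-128 block function in place of demo_cipher, cmac() reproduces the RFC-4493 tags; the subkey test below uses that RFC's published value of L so the GF(2^128) arithmetic is checked against a known answer even without AES.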
IP Security: Working

1. Without IP Security, when an IP datagram travels from headquarters to the branch office, the source IP address is 212.16.1.24 and the destination IP address is 183.46.2.48.
2. One objective is to provide end-to-end security in such a way that the end points do not have to bother about it. Then who has to bother?
3. Router R1 does all of it: adding the security header and trailer, encryption, preparation of the message authentication code and adding the new IP header, and it sends the result down to the lower layers.
4. The new source IP address is R1's address (193.34.2.4) and the new destination IP address is router R2's address (200.168.12.5). R1 also sets the Protocol/Next Header field of the new IP header to indicate that the payload is IP secured data (50 for ESP).
5. Through the Internet it passes through many other network devices. These devices cannot find out the actual source, destination and content. Finally the new IP datagram reaches router R2 because it was addressed to it.
6. Router R2 verifies the message authentication code (authentication and integrity), decrypts, and strips off the security header and trailer. The original IP header is restored after decryption and verification. (The check comes first: an ESP receiver validates the integrity value before decrypting, so forged or corrupted packets are dropped without any decryption being attempted.)
7. After the original IP header is restored, R2 routes the packet to the actual destination inside the branch office.
8. The same procedure is followed for the salesperson in the hotel, but in this case there is no second router: the salesperson's laptop (or any other device) itself performs decryption, authentication and integrity checking.

IP Security: Open Questions

1. What are the different fields of the security header and trailer? Why are they required?
2. What are the supported encryption algorithms? How are they negotiated?
3. What are the supported message authentication algorithms? How are they negotiated?
4. If the sender does not want security for a few types of traffic, is that supported?
5. Is it necessary to have confidentiality, authentication and integrity all together? Are there no options?
6. Who encrypts and who decrypts?
7. A new IP header is added, and that too unencrypted. Does this not defeat the purpose? Source and destination IP addresses and many other IP header fields are exposed again.
8. What is the new IP header all about?

IP Security: Deeper Dive

1. The arrangement discussed in the previous slide is called a Tunnel Mode Security Association (SA).
2. The end devices could be routers, firewalls or individual machines (the salesperson's laptop) which establish this security association.
3. In a nutshell, tunnel mode IP security protects the entire IP packet. It takes an IP packet, including the header, applies the IP security methods (header, trailer, encryption, message authentication) and then adds a new IP header before passing it to the lower layer.
4. Organizations can use this method to establish a secure Virtual Private Network (VPN). The name is justified because a public network (the Internet) is used to create a private network. Recollect: intermediate network devices in the public network forward the packets but have no visibility inside them.

Questions:

1. How do routers R1 and R2 know that they need to establish a security tunnel?
2. Even if they know, when is it done?
3. Once it is established, will it be there forever?
4. Headquarters and branch office may also receive communication from outside each other.
   a. Can R1 and R2 support that?
   b. What happens to this legitimate outside traffic? How is it routed?
   c. If an officer wants to access an external website from his office, how will it be supported? There is no need for blanket security there.

IP Security: Other Possibilities

1. A tunnel mode security association is more suitable for organizations that want to establish a VPN with complete blanket security.
2. If a little relaxation is allowed and encryption and authentication are done only for the IP payload and not for the IP header, it is called a Transport Mode Security Association.
IP Security: More Possibilities – Encryption and/or Authentication?

1. In whatever has been discussed so far, encryption is mandatory and authentication is optional. This IP Security protocol is called Encapsulating Security Payload (ESP), standardized in IETF RFC-4303. (In practice ESP is always used with integrity protection: RFC-4303 discourages encryption-only ESP because it is vulnerable to active attacks that modify ciphertext. ESP also allows a NULL encryption algorithm, RFC-2410, which gives integrity-only ESP.)
2. If encryption is never required, the standards allow that too through the Authentication Header (AH) IP Security protocol, IETF RFC-4302. AH additionally authenticates the immutable fields of the IP header, which ESP does not cover.

IP Security: Architecture (IPSec v3)

The figure above shows the IPSec architecture (source and destination). Its key elements are:

1. Security Association Database (SAD)
2. Security Policy Database (SPD)
3. Internet Key Exchange (IKE)

Security Association (SA) and its Database (SAD)

1. Before sending IPSec datagrams from the source to the destination, the source and destination create a network-layer logical connection. This logical connection is called a Security Association (SA). An SA is one-way; two-way traffic needs a pair of SAs.
2. These Security Associations are stored in a database called the Security Association Database (SAD).
3. Important parameters stored in this database are:
   a. Encryption algorithms
   b. Authentication algorithms
   c. Keys
   d. IP Security protocol – ESP or AH
   e. IP Security mode – Tunnel or Transport
   f. Etc.

SAD and its Parameters

1. Security Parameter Index (SPI): 32-bit index value carried in the AH/ESP header; together with the destination address and the protocol it identifies the SA to the receiver.
2. Destination Address (DA): Destination endpoint of the SA.
3. Protocol (P): AH or ESP.
4. Sequence Number (SN): 32-bit counter used to generate the sequence numbers in the security headers.
5. Overflow (OF): Flag indicating whether an SN overflow should cause the SA to be terminated (an auditable event).
6. Anti-Replay Window (ARW): Used to detect replayed packets.
7. AH/ESP: Protocol information (algorithms, keys etc.).
8. Lifetime (LT): Lifetime of the SA, by time or by bytes, after which it must be replaced or terminated.
9. Mode: Tunnel or Transport.
10. Path MTU: Maximum size of the secured datagram that can be sent without fragmentation.

The usage of these parameters will become clear in the Security Header / Trailer discussion.

Security Policy (SP) and its Database (SPD)

1. In addition to the secure communication, a host in headquarters may want to access a web server (such as Amazon or Google) in the public Internet. It is not necessary to provide IP Security for traffic of this type. So the router transmits into the Internet both plain IP datagrams and secured IPSec datagrams, based on some Security Policies.
2. These Security Policies are stored in a database called the Security Policy Database (SPD).
3. An entry in the SPD is identified by selectors (IP addresses, protocols, ports) and decides what needs to be done with the matching traffic.

SPD and its Parameters

1. Remote IP Address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one destination system sharing the same SA.
2. Local IP Address: This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one source system sharing the same SA.
3. Next Layer Protocol: The IP protocol header includes a field that designates the protocol operating over IP. If AH or ESP is used, then this IP protocol header immediately precedes the AH or ESP header in the packet.
4. Name: A symbolic identifier for a security policy entry. Not shown in the table below.
5. Local and Remote Ports: These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port.
6. Link to SAD entry (not shown in the table): for outbound IPSec processing a policy entry also refers to a SAD entry. If there is no entry, IKE is used to establish a new SA. (More details: RFC-2401 section 4.4.3.)

IP Security Policy

Model for Outbound Packets

1. IPSec searches the SPD for a match to the outgoing packet. If no match is found, the packet is discarded and an error message is generated.
2. If a match is found, further processing is determined by the first matching entry in the SPD (the SPD is an ordered list, so the order of entries matters). If the policy for this packet is DISCARD, the packet is discarded. If the policy is BYPASS, the packet is forwarded to the network for transmission without any IPSec processing.
3. If the policy is PROTECT, a search is made of the SAD for a matching entry. If no entry is found, IKE is invoked to create an SA with the appropriate keys, and an entry is made in the SAD.
4. The matching entry in the SAD determines the processing for this packet. Either encryption, authentication, or both can be performed, and either transport or tunnel mode can be used. The packet is then forwarded to the network for transmission.

Model for Inbound Packets

1. IPSec determines whether this is an unsecured IP packet or one that has ESP or AH headers/trailers by examining the IP Protocol field (50 for ESP, 51 for AH).
2. If the packet is unsecured, IPSec searches the SPD for a match to this packet. If the first matching entry has a policy of BYPASS, the IP header is processed and stripped off and the packet body is delivered to the next higher layer, such as TCP. If the first matching entry has a policy other than BYPASS, or if there is no matching entry, the packet is discarded. (This is what stops an attacker from injecting plaintext packets into a flow that the policy says must be protected.)
3. For a secured packet, IPSec searches the SAD (by SPI, destination address and protocol). If no match is found, the packet is discarded. Otherwise IPSec applies the appropriate ESP or AH processing and checks that the decapsulated packet matches the selectors of the SA it arrived on. Then the IP header is processed and stripped off and the packet body is delivered to the next higher layer, such as TCP.

ESP: Security Header and Trailer

RFC-4303

As reviewed, there are two modes of ESP IPSec: tunnel mode and transport mode. In both modes a security header and a security trailer are added, called the ESP header and ESP trailer respectively. They consist of the following fields:

1. SPI (Security Parameter Index, 32 bits): One of the key identifiers for an SA.
2. SN (Sequence Number, 32 bits): Monotonically increasing number. Assists in anti-replay.
3. Padding (0-255 bytes): Some encryption algorithms need the plaintext to be a multiple of some number of bytes, so these dummy bytes may be added. Padding is also required so that the Pad Length and Next Header fields end on a 4-byte boundary, and it may be used to hide the true payload length (traffic flow confidentiality).
4. Pad Length (8 bits): The count of padding bytes added.
5. Next Header (8 bits): Identifies the type of payload in the secured IP datagram (the name is misleading: it describes what follows the ESP header, i.e. the protected payload).
6. Integrity Check Value (ICV, variable length): The MAC over the SPI, SN, payload and trailer, appended after the trailer when an integrity algorithm is in use. SPI, SN and ICV are sent in the clear; the payload and the trailer are encrypted.
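Added example (not from the notes or any IPsec stack) simulating the outbound and inbound models above with an ordered SPD, a SAD keyed by (SPI, destination address, protocol), and the headquarters/branch/router addresses used earlier. The IKE step is a stand-in that only allocates an SA pair (no key exchange); SPIs, policies and the external web server address are constructed for the demo.

```python
"""Outbound and inbound policy model from the notes as a small simulation:
an ordered SPD (first match wins) with DISCARD / BYPASS / PROTECT actions,
a SAD keyed by (SPI, destination address, protocol) and the two decision
procedures. Added example for these notes, not from any IPsec stack. The
'IKE' stand-in only allocates an SA pair; SPIs and the external web server
address are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ESP, AH, TCP, UDP = 50, 51, 6, 17
ANY = None                                   # wildcard selector


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    spi: Optional[int] = None                # present on ESP/AH packets only


@dataclass
class SpdEntry:
    """One policy entry; address selectors are networks, ANY is a wildcard."""
    local: str
    remote: str
    proto: Optional[int]
    lport: Optional[int]
    rport: Optional[int]
    action: str                              # "DISCARD" | "BYPASS" | "PROTECT"
    mode: str = "tunnel"                     # for PROTECT
    peer: Optional[str] = None               # tunnel endpoint, e.g. router R2

    def matches(self, local, remote, proto, lport, rport) -> bool:
        return (ipaddress.ip_address(local) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.remote)
                and self.proto in (ANY, proto)
                and self.lport in (ANY, lport)
                and self.rport in (ANY, rport))


@dataclass
class Sa:
    spi: int
    dst: str
    proto: int
    mode: str
    seq: int = 0                             # sender-side sequence number counter


@dataclass
class IpsecNode:
    address: str                             # this node's own tunnel address
    spd: list                                # ordered SpdEntry list
    sad: dict = field(default_factory=dict)  # (spi, dst, proto) -> Sa
    next_spi: int = 0x1000

    def _policy(self, pkt, inbound):
        """Inbound packets are matched with local/remote and the ports swapped."""
        local, remote = (pkt.dst, pkt.src) if inbound else (pkt.src, pkt.dst)
        lport, rport = (pkt.dport, pkt.sport) if inbound else (pkt.sport, pkt.dport)
        for entry in self.spd:
            if entry.matches(local, remote, pkt.proto, lport, rport):
                return entry
        return None

    def _ike_create_sa(self, entry):
        """Stand-in for IKE: an outbound SA towards the peer plus the matching
        inbound SA towards this node (SAs are one-way, so a pair is needed)."""
        out_sa = Sa(self.next_spi, entry.peer, ESP, entry.mode)
        in_sa = Sa(self.next_spi + 1, self.address, ESP, entry.mode)
        self.next_spi += 2
        for sa in (out_sa, in_sa):
            self.sad[(sa.spi, sa.dst, sa.proto)] = sa
        return out_sa

    def outbound(self, pkt: Packet) -> str:
        entry = self._policy(pkt, inbound=False)
        if entry is None or entry.action == "DISCARD":
            return "discard"
        if entry.action == "BYPASS":
            return "send-plain"
        sa = next((s for s in self.sad.values()
                   if s.dst == entry.peer and s.mode == entry.mode), None)
        if sa is None:                       # no SA yet: IKE would run here
            sa = self._ike_create_sa(entry)
        sa.seq += 1
        return f"send-esp spi={sa.spi:#x} seq={sa.seq} dst={sa.dst} mode={sa.mode}"

    def inbound(self, pkt: Packet) -> str:
        if pkt.proto in (ESP, AH):           # secured: SAD lookup, unknown SA -> drop
            sa = self.sad.get((pkt.spi, pkt.dst, pkt.proto))
            return "discard" if sa is None else f"decapsulate spi={sa.spi:#x}"
        entry = self._policy(pkt, inbound=True)
        if entry is None or entry.action != "BYPASS":
            return "discard"                 # plaintext for a protected flow is dropped
        return "deliver-plain"


def demo_node() -> IpsecNode:
    """Router R1 of the notes: protect HQ<->branch, bypass HTTPS, drop the rest."""
    spd = [
        SpdEntry("212.16.1.0/24", "183.46.2.0/24", ANY, ANY, ANY, "PROTECT", peer="200.168.12.5"),
        SpdEntry("212.16.1.0/24", "0.0.0.0/0", TCP, ANY, 443, "BYPASS"),
        SpdEntry("212.16.1.0/24", "0.0.0.0/0", ANY, ANY, ANY, "DISCARD"),
    ]
    return IpsecNode("193.34.2.4", spd)
```

Swapping the first two SPD entries changes nothing here, but putting the DISCARD entry first would silently drop everything: the first-match rule makes ordering part of the policy.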
ESP Tunnel Mode

ESP Transport Mode

Exercise

What is the need for the Next Header field in the ESP Security Trailer? Justify and answer in these two contexts:

1. If tunnel mode is used, the outermost IP header will have the protocol field set to ESP (50), but the original IP header inside will have the correct protocol type for the payload being carried. So what purpose does Next Header serve?
2. If transport mode is used, the outermost IP header will be the original IP header. What will be the protocol field in it? How does the Next Header field in the ESP trailer help in this context?

Replay Attacks: Issues

Issue# 1:

1. An attacker can obtain a copy of a packet and later transmit it to the intended destination.
2. The receipt of duplicate IP packets may disrupt service in some way or have some other undesired consequence.
3. The Sequence Number (SN) field is designed to thwart such attacks. But how?

Issue# 2:

1. IP is a connectionless and unreliable service on its own.
2. It does not guarantee that IP datagrams will be delivered in order, or delivered at all.
3. How long should the receiver wait?

Anti-Replay Service

Solution to Issue#1: Usage of the SN and OF Fields

1. Whenever an SA is established, the sender resets the Sequence Number (SN) counter to 0, and each new IPSec packet is sent after incrementing the SN by 1 in the ESP security header (so the first packet on an SA carries SN 1).
2. SN is a 32-bit number, so before it would cycle past 2^32 − 1 the Overflow (OF) flag in the SAD requires the SA to be terminated and re-negotiated. (RFC-4303 also defines 64-bit Extended Sequence Numbers for high-speed links, of which only the low-order 32 bits are transmitted.)
3. According to RFC-4303: the sender MUST NOT send a packet on an SA if doing so would cause the sequence number to cycle. An attempt to transmit a packet that would result in sequence number overflow is an auditable event.

Solution to Issue#2: Usage of the Anti-Replay Window (ARW)

1. The IPSec receiver maintains a window of size W (by default W = 64).
2. The rightmost slot of the window represents the highest sequence number (N + W − 1) so far received for a valid packet, and the leftmost slot is N.
3. For any packet with a sequence number in the range N to N + W − 1 that has been correctly authenticated, the corresponding slot in the window is marked, using the following process:
   a. If the received packet falls within the window and is new, the MAC is checked. If the packet is authenticated, the corresponding slot in the window is marked.
   b. If the received packet is to the right of the window and is new, the MAC is checked. If the packet is authenticated, the window is advanced so that this sequence number becomes the right edge of the window, and the corresponding slot is marked.
   c. If the received packet is to the left of the window, or is a duplicate of an already marked slot, or if authentication fails, the packet is discarded.
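Added example (not from the notes or any IPsec stack) for the ESP fields and the anti-replay window: the packets use the ESP-NULL encryption algorithm (RFC-2410) with an HMAC-SHA-256-128 ICV, so they stay readable and run with the standard library, and the receiver applies the window check, the ICV check and the window update in that order. The key, SPI and packets are constructed; a window constructed as 120..530 reproduces the exercise that follows.

```python
"""ESP framing and the anti-replay window described above. Packets use
ESP-NULL (RFC 2410), i.e. integrity only with a HMAC-SHA-256-128 ICV, so the
fields stay visible; a real SA would also encrypt payload and trailer.
Added example for these notes, not from any IPsec stack; key, SPI and
packets are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12                           # HMAC-SHA-256-128: tag truncated to 96 bits
TCP = 6


def esp_encapsulate(spi: int, seq: int, next_header: int, payload: bytes, key: bytes) -> bytes:
    """SPI | SN | payload | padding | pad_len | next_header | ICV.
    Padding makes (payload + pad + 2) a multiple of 4 (ESP-NULL has block size 1)."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default pattern 1,2,3...
    body = struct.pack(">II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(packet: bytes, key: bytes):
    """Verify the ICV first (before touching the payload), then strip the trailer.
    Returns (spi, seq, next_header, payload); raises ValueError on a bad ICV."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    spi, seq = struct.unpack(">II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def icv_ok(packet: bytes, key: bytes) -> bool:
    try:
        esp_decapsulate(packet, key)
        return True
    except ValueError:
        return False


class AntiReplayWindow:
    """Sliding window of W sequence numbers as a bitmap: bit i means top - i seen."""

    def __init__(self, size: int = 64, top: int = 0):
        self.size = size
        self.top = top                     # highest authenticated SN so far
        self.bits = 0

    def span(self):
        """(leftmost, rightmost) slot, N .. N+W-1 in the notation of the notes."""
        return self.top - self.size + 1, self.top

    def check(self, seq: int) -> str:
        """Decision before ICV verification; does not change the window."""
        if seq == 0:
            return "reject-zero"           # SN 0 is never valid, the counter starts at 1
        if seq > self.top:
            return "accept-right"
        if seq <= self.top - self.size:
            return "reject-left"
        if (self.bits >> (self.top - seq)) & 1:
            return "reject-duplicate"
        return "accept-inside"

    def update(self, seq: int) -> None:
        """Mark the slot; call only after the packet has authenticated."""
        if seq > self.top:
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bits |= 1 << (self.top - seq)


def receive(packet: bytes, key: bytes, window: AntiReplayWindow) -> str:
    """Receiver order of operations: window check, ICV check, then mark the window."""
    seq = struct.unpack(">I", packet[4:8])[0]
    verdict = window.check(seq)
    if verdict.startswith("reject"):
        return verdict
    if not icv_ok(packet, key):
        return "reject-icv"                # window untouched: a forgery cannot move it
    window.update(seq)
    return verdict
```

Doing the window check before the ICV check is the cheap-reject path (a replay costs the receiver no MAC computation); updating the window only after the ICV check is what keeps an attacker from sliding the window forward with forged high sequence numbers.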
Exercise
Suppose that the current replay window spans from 120 to 530 for an IPSec receiver:
i. If the next incoming packet has sequence number 105, what will the receiver do with the packet, and what will be the dimensions of the window after that?
ii. If instead the next incoming packet has sequence number 440, what will the receiver do with the packet, and what will be the dimensions of the window after that?
iii. If instead the next incoming packet has sequence number 540, what will the receiver do with the packet, and what will be the dimensions of the window after that?

IP Header Provided for Reference
IPv4 (header diagram)
IPv6 (header diagram)
Few Protocol/Next Header Values:
TCP = 6, UDP = 17, ESP = 50, AH = 51, ICMP = 1, IGMP = 2 etc.

Internet Key Exchange (IKE)
1. The key management portion of IPSec involves the determination and distribution of secret keys.
2. The IPSec Architecture document (RFC-4301) mandates support for two types of key management:
a. Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is practical for small, relatively static environments.
b. Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.
3. The latest specification in use is IKEv2 (RFC-7296), which is transformed from the automated key management protocol for IPSec - ISAKMP (Internet Security Association and Key Management Protocol) and Oakley (a DHKE based protocol).
4. It can run over TCP/UDP port 500. Most common implementations use UDP. Many systems still use the older version (IKEv1) and tools like Wireshark identify these protocols by the ISAKMP name.

IKEv2 Procedure Flow
IKE_SA_INIT
1. Entities in IKEv2 are called Initiator (i) and Responder (r).
2. All IKEv2 messages are in the following format:
a. A field in the header identifies the next payload type.
b. Payloads also have a fixed sized header and variable sized data within. A field in this header identifies the next payload type. This field in the last payload says: NONE/No Next Payload.
3. First Step of Initial Exchange: IKE_SA_INIT:
a. Initiator and responder exchange a message that establishes a special SA called IKE_SA.
b. All subsequent IKE messages are encrypted and authenticated using the parameters of IKE_SA.
c. Three items are negotiated through this:
i. Security Association (SA) – Encryption Algorithms, Integrity Algorithms, Pseudorandom Number Function (PRF), Key Exchange Algorithm with the prime number and the generator (primitive root). This is not used for IPSec messages.
ii. Key Exchange (KE): Public key of the key exchange (e.g. the Y parameter in DHKE).
iii. Nonce (N): A random number.

Establishment of IKE_SA
Initial Exchange: IKE_SA_INIT (RFC-7296)
1. The first part of the initial exchange is called IKE_SA_INIT. During this exchange of messages:
2. The Initiator (i) sends the following:
a. IKE Header (HDR)
b. Supported Cryptographic Suites (SA).
c. Its Diffie-Hellman Public Key (KE).
d. Its nonce – the random Number (N).
3. The Responder (r) responds with:
a. IKE Header
b. The selected Cryptographic suite from the Initiator’s list.
c. Its Diffie-Hellman Public Key (KE).
d. Its nonce – the random Number (N).
e. Certificate request having the list of its trusted CAs - optional
4. A Shared Key Seed (SKEYSEED) is calculated by applying the Pseudorandom number function (PRF) over the Diffie-Hellman shared secret and the nonces. SKEYSEED is used to generate encryption and authentication keys for each direction. Completion of this exchange sets up IKE_SA, which is a security association to exchange further IKE messages securely.

IKEv2 Procedure Flow
IKE_AUTH
1. Second Step of Initial Exchange: IKE_AUTH: Initiator and Responder authenticate each other (IKE_AUTH) and a first IPSec SA is created that is stored in the SAD. This SA is used for protecting non-IKE communication going forward.
2. The following additional items are shared, encrypted and authenticated, through this message exchange:
a. Identification (ID): IP address/FQDN/Email etc. Using this ID, initiator and responder know each other and can use it for policy lookup.
b. Traffic Selector (TS): range of ports, IP addresses and protocols that are to be protected with IPSec. They are exchanged over the message as a dynamic check for new updates.
c. Authentication (AUTH): Authentication data for initiator and responder, calculated over the IKE_SA_INIT messages.

Establishment of SA
Initial Exchange: IKE_AUTH (RFC-7296)
The second part of the initial exchange is called IKE_AUTH. During this exchange of messages:
The Initiator (i) sends the following parameters and the responder (r) responds with the corresponding answers:
i. IKE Header (HDR)
ii. Its identity (IDi) – IP address or domain name etc.
iii. Its certificates - if they were requested
iv. Certificate request having the list of its trusted CAs - optional
v. Responder’s Identity (IDr) it wants to talk to
vi. Authentication data (AUTH)
vii. Cryptographic Suites (SAi2) for the next IPSec message exchanges
viii. Traffic Selectors (TSi, TSr) – Range of IP addresses and ports etc.
At the end of this exchange, Initiator and Responder are authenticated to each other and they have set up the first IPSec SA to be placed in the SADB to protect regular data communication between the peers.

Child SA Creation (RFC-7296)
1. Any one of the peers can initiate creation of the child SA (CREATE_CHILD_SA). This is used for the following reasons:
a. Creating new child Security Associations (SA).
b. Providing new key values to the IKE SA (rekeying).
c. Providing new key values to a Child SA (rekeying).
2. Rekeying: IPSec Security Associations (SA) use secret keys that should be used only for a limited amount of time and to protect a limited amount of data. Reestablishment of Security Associations to take the place of ones that expire is referred to as "rekeying".
3. During the message exchange, new SA, nonces (Nx), Diffie-Hellman Public Key (KEx) and Traffic Selectors (TSx) are exchanged. An optional field to notify (N) that the exchange is for rekey may also be included.

Informational Exchange
1. At various points during the operation of an IKE SA, peers may desire to convey control messages to each other regarding errors or notifications of certain events. To accomplish this, IKE defines an INFORMATIONAL exchange.
2. INFORMATIONAL exchanges MUST ONLY occur after the initial exchanges and are cryptographically protected with the negotiated keys.
3. A few example informational messages may include Notify (N), Delete (D) and Configure (CP).

IKE Header (HDR) Format
1. Initiator SPI (64 bits): A value chosen by the initiator to identify a unique IKE security association (SA).
2. Responder SPI (64 bits): A value chosen by the responder to identify a unique IKE SA. These SPIs are different from the security header SPI.
3. Next Payload (8 bits): Indicates the type of the first payload in the message.
4. Major and Minor Versions (4 bits each): Indicate the major and minor versions of IKE in use.
5. Exchange Type (8 bits): Indicates the type of exchange. E.g. IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA or INFORMATIONAL.
6. Flags (8 bits): Indicates specific options set for this IKE exchange. Three bits are defined so far:
a. The initiator bit (I) - whether this packet is sent by the SA initiator.
b. The version bit (V) - indicates the transmitter is capable of using a higher major version number than the one currently indicated.
c. The response bit (R) - indicates whether this is a response to a message containing the same message ID.
7. Message ID (32 bits): Used to control retransmission of lost packets and matching of requests and responses.
8. Length (32 bits): Length of the total message (header plus all payloads) in octets.

IKE Payload Header Format
1. All IKE payloads begin with the same generic payload header following the IKE header.
2. The Next Payload field has a value of 0 if this is the last payload in the message; otherwise its value is the type of the next payload.
3. The Payload Length field indicates the length in octets of this payload, including the generic payload header.
4. The critical bit (C):
a. It is set to 0 if the sender wants the recipient to skip this payload if it does not understand the payload type code in the Next Payload field of the previous payload.
b. It is set to 1 if the sender wants the recipient to reject this entire message if it does not understand the payload type.

Block Ciphering Techniques: Feistel Cipher Structure and DES
Block Cipher
1. In a block cipher, the message that is to be encrypted is processed in blocks of k bits each.
2. E.g. if k = 64, the message is broken down into blocks of 64 bits each and then each block is encrypted individually.
3. As an obvious choice, a cipher can use a one-to-one mapping between plaintext and ciphertext. That means a plaintext block of 64 bits maps to another ciphertext block of 64 bits.
4. Let us say k = 2, so one possible plaintext and corresponding ciphertext mapping would be as follows (table in the original slide).
5. Obviously, a reversible mapping is of interest here because it produces a unique ciphertext block for each plaintext block.
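Worked example for the IKE header and generic payload header formats described above (added here; it is not code from the notes or from any IKE implementation): it packs and walks the fixed header and the Next Payload chain with Python's struct module and applies the critical-bit rule. The exchange-type numbers, payload-type numbers and flag bit positions are those defined in RFC 7296; the SPIs, message IDs and payload bodies in sample_ike_sa_init() are constructed placeholders, not real negotiation data.

```python
"""Build and parse IKEv2 messages: the 28-byte IKE header and the chain of
generic payload headers, honouring the critical (C) bit rule."""
import struct

IKE_HDR = struct.Struct("!QQBBBBII")  # SPIi, SPIr, NextPayload, MjVer|MnVer, ExchType, Flags, MessageID, Length
PL_HDR = struct.Struct("!BBH")        # NextPayload, C bit + reserved, PayloadLength
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
                 39: "AUTH", 40: "Nonce", 41: "N", 42: "D", 44: "TSi", 45: "TSr", 47: "CP"}
FLAG_I, FLAG_V, FLAG_R = 0x08, 0x10, 0x20   # initiator, version, response bits
NO_NEXT_PAYLOAD = 0


def build_message(spi_i, spi_r, exch, flags, msg_id, payloads):
    """payloads: list of (type, critical, data). Each generic header's Next
    Payload names the type of the *following* payload, 0 for the last one."""
    body = b""
    for idx, (ptype, critical, data) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += PL_HDR.pack(nxt, 0x80 if critical else 0, PL_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    version = (2 << 4) | 0                    # major 2, minor 0
    return IKE_HDR.pack(spi_i, spi_r, first, version, exch, flags, msg_id,
                        IKE_HDR.size + len(body)) + body


def parse_header(msg):
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(msg, 0)
    if length != len(msg):
        raise ValueError("IKE header Length does not match message size")
    return {"initiator_spi": spi_i, "responder_spi": spi_r, "first_payload": nxt,
            "major": ver >> 4, "minor": ver & 0x0F,
            "exchange": EXCHANGE_TYPES.get(exch, exch),
            "initiator": bool(flags & FLAG_I), "version_bit": bool(flags & FLAG_V),
            "response": bool(flags & FLAG_R), "message_id": msg_id, "length": length}


def parse_payloads(msg):
    """Walk the payload chain. An unknown type is skipped when C=0 and makes
    the whole message invalid when C=1, as the notes describe."""
    hdr = parse_header(msg)
    ptype, offset, found = hdr["first_payload"], IKE_HDR.size, []
    while ptype != NO_NEXT_PAYLOAD:
        if offset + PL_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        nxt, cbyte, plen = PL_HDR.unpack_from(msg, offset)
        if plen < PL_HDR.size or offset + plen > len(msg):
            raise ValueError("bad Payload Length")
        data = msg[offset + PL_HDR.size: offset + plen]
        if ptype in PAYLOAD_TYPES:
            found.append((PAYLOAD_TYPES[ptype], data))
        elif cbyte & 0x80:
            raise ValueError("unsupported critical payload type %d" % ptype)
        ptype, offset = nxt, offset + plen
    return hdr, found


def is_acceptable(msg):
    """True if the message parses and carries no unsupported critical payload."""
    try:
        parse_payloads(msg)
        return True
    except ValueError:
        return False


def sample_ike_sa_init():
    """Constructed IKE_SA_INIT request/response pair with placeholder bodies.
    The request carries an unknown private-use payload type (200) with C=0."""
    req = build_message(0x1122334455667788, 0, 34, FLAG_I, 0,
                        [(33, False, b"SA-proposals"), (34, False, b"KE-Y_i"),
                         (40, False, b"Ni"), (200, False, b"skippable")])
    resp = build_message(0x1122334455667788, 0x8877665544332211, 34, FLAG_R, 0,
                         [(33, False, b"SA-chosen"), (34, False, b"KE-Y_r"),
                          (40, False, b"Nr"), (38, False, b"CERTREQ")])
    return req, resp
```

Note how the responder SPI is zero in the request and filled in by the responder, and how the response carries the same Message ID with the R bit set; that pairing is what item 7 of the header description relies on. A parser that did not check Length and Payload Length against the actual buffer would over-read on a truncated datagram, so both checks come before any field is used.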
Challenges in this Approach
1. The sender and receiver need to share the key table.
2. Notice that for a given k, there would be 2^k entries in the key table. E.g. there are 2^2 = 4 entries in the table shown in the previous slide. For k = 3, there would be 2^3 = 8 entries, and so on.
3. Since each entry is k bits, it would need a minimum of 2·k·2^k bits to store the plaintext and ciphertext combinations.
4. The value k is required to be large, otherwise cryptanalysts can do brute force attacks.
5. For k = 64, the key table size is 2×64×2^64 bits; 256 exabytes - an enormously large value!
6. The first value in the shown table can be 1-of-4, the second can be 1-of-3 and so on. So the values in the table can be permuted in 4! ways (or (2^k)! in general).
7. So the sender and receiver will be sharing one of these (2^k)! combinations and storing it.
8. How one such key combination out of (2^64)! will be agreed upon and shared – an even bigger challenge!

Diffusion and Confusion
1. The terms diffusion and confusion in cryptography were introduced by Claude Shannon.
2. An attacker can explore some characteristics of the plaintext in the ciphertext by doing some cryptanalysis. E.g. human readable language words and the frequency distribution of different letters.
3. An attacker may be able to deduce the encryption key, or part of the key, or a set of keys through this cryptanalysis.
4. Shannon suggested diffusion; which means, when represented in binary, each ciphertext digit is affected by many plaintext digits.
5. Shannon also suggested confusion; which means the statistical relationship between the key and the ciphertext should be as complex as possible.

Substitution and Permutation
1. Horst Feistel, a German-born cryptographer, developed the Feistel Cipher Structure based on the Diffusion and Confusion theory of Shannon.
2. In the 1970s, he was instrumental in developing the Data Encryption Standard (DES) – the first application based on the Feistel Cipher Structure.
3. In the Feistel Cipher structure two operations are performed alternately a number of times:
a. Substitution: A plaintext element is replaced by the corresponding ciphertext element.
b. Permutation: The sequence in which the plaintext elements appear is changed several times.

Feistel Cipher Structure
Encryption and Decryption
1. The plaintext is divided into two equal halves LEi and REi. (E stands for Encryption)
2. A subkey Ki+1 is derived from the key K.
3. A function F is defined which takes the subkey Ki+1 and the right half REi of the data as inputs.
4. The output of the function F is XORed with the left half of the data (LEi) and made the new right half (REi+1).
5. The right half (REi) of the previous round makes the left half for the next round (LEi+1).
6. The iteration is repeated 16 times and then the left and right halves are swapped.
7. The final output is the ciphertext.
8. The same steps are used for decryption. (D stands for Decryption)
9. In all steps, substitution is performed on the left half by XORing it with the output of function F, and then permutation is performed by swapping the right and left halves.
10. In other words, Confusion and Diffusion are induced through multiple iterations.

Choice of Parameters and Design Features
1. Block Size: A larger block means greater security but reduced encryption and decryption speed. 64 bits has been considered reasonable and used for most block ciphers.
2. Key Size: A larger key size means greater security but reduced encryption and decryption speed. A 64 bit key size is considered inadequate now and 128 bits is the common key size.
3. Number of Rounds: Multiple rounds can offer increased security. 16 is considered adequate.
4. Subkey Generation: Greater complexity leads to more difficult cryptanalysis.
5. Function: Greater complexity leads to more difficult cryptanalysis.
Two other considerations:
a. Fast Encryption and Decryption: Choice of implementing the algorithm either in hardware or in software as utility functions.
b. Ease of Analysis: The analysis of a cryptographic algorithm should be easy, to find out vulnerabilities for improvements.

Exercise
1. In the Feistel Cipher Structure, prove mathematically that the output of the first decryption process is the swap of the input to the 16th round of encryption. That is LD16 = RE15 and RD16 = LE15.
2. Prove the following equations mathematically for the Feistel Cipher Structure:
a. REi-1 = LEi
b. LEi-1 = REi ⊕ F(LEi, Ki)

Data Encryption Standard (DES)
1. DES was first specified by NIST in 1977. It is based on the Feistel Cipher Structure and until the introduction of the Advanced Encryption Standard (AES) in 2001, DES was the most widely used encryption standard.
2. Many new systems still use 3-DES, which is basically three times DES.
3. The DES block size is 64 bits and it expects a 64 bit long key, of which only 56 bits are used.
4. There are 3 phases of DES:
a. The Initial Permutation (IP) rearranges the bits to produce the permuted input.
b. This is followed by a phase consisting of sixteen rounds of the same function, which involves both permutation and substitution.
c. The output of the 16th round is swapped (32 bit halves) and passed through a final Inverse Permutation (IP-1) function to produce the ciphertext.
5. Other than the Initial and Final permutations (IP and IP-1), DES has a structure comparable to the Feistel Cipher.

The Initial Permutation (IP)
1. Many DES implementations skip this initial permutation and directly move to the next step.
2. The Initial Permutation (IP) transposes the input plaintext block as per the table shown below.
3. The table is to be read left to right and top to bottom. E.g. the 58th bit will become the 1st bit and the 7th bit will become the 64th bit after the permutation.

The Key Transformation
1. The 64-bit DES key is reduced to 56 bits by ignoring every 8th bit.
2. Then the 56-bit key is divided into two 28-bit half sets.
3. These half sets are circularly rotated left individually, either by 1 bit or 2 bits depending on the round (iteration).
4. After the circular shift, 48 bits out of 56 are selected using the table below.
5. This key transformation is called Compression Permutation because it compresses from 64 to 56 and then to 48 bits while doing a permutation of the bits.

The Expansion Permutation
1. The 64-bit block of data is divided into two sets, right (R) and left (L), of 32 bits each. Now the 32 bits of the right block are expanded into 48 bits using the procedure mentioned below.
2. The 32 bit long right block is seen as 8 sub-blocks of 4 bits each.
3. The 1st and 4th bit from each sub-block produce 2 bits each while the 2nd and 3rd bits produce 1 bit each. So 4 bits are creating 6 bits, or in total 32 bits are creating 48 bits. Because of this expansion and bit selection, this procedure is called The Expansion Permutation.
4. For example:
a. The 5th bit is making the 6th and 8th bits in the output.
b. The 8th bit is making the 11th and 13th bits in the output.
c. The 6th and 7th bits are making the 9th and 10th bits respectively in the output.
5. By allowing one bit to affect two substitutions, the dependency of the output on the input spreads faster.
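Worked example for the Feistel structure (Encryption and Decryption above) and for two DES round-function pieces, the expansion permutation just described and the S-box row/column selection rule used in the round that follows. This is an added illustration, not code from the notes or from any DES library: the E table and S-box S1 are the standard DES tables, but the Feistel round function toy_f is a keyed hash chosen only so that the block is self-contained, and the subkeys and plaintext in the usage are constructed values.

```python
"""Generic Feistel network plus two DES round-function pieces: the E
expansion permutation (32 -> 48 bits) and S-box row/column selection."""
import hashlib

# DES expansion table E: output bit i (1-based) copies input bit E[i-1].
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# DES S-box S1, 4 rows x 16 columns of 4-bit values.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def to_bits(value, width):
    """Bit 1 is the most significant bit, matching the DES table numbering."""
    return [(value >> (width - i)) & 1 for i in range(1, width + 1)]


def from_bits(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def expand(right32):
    """E expansion of the 32-bit right half into 48 bits."""
    bits = to_bits(right32, 32)
    return from_bits([bits[src - 1] for src in E])


def expansion_targets(input_bit):
    """Output positions (1-based) that a given input bit feeds."""
    return [pos + 1 for pos, src in enumerate(E) if src == input_bit]


def sbox_lookup(sbox, six_bits):
    """Row from b1 b6, column from b2 b3 b4 b5; returns (row, col, value)."""
    b = to_bits(six_bits, 6)
    row = (b[0] << 1) | b[5]
    col = from_bits(b[1:5])
    return row, col, sbox[row][col]


def toy_f(right, subkey):
    """Toy round function: a keyed hash truncated to 32 bits. The Feistel
    inverse property holds for any F, invertible or not."""
    h = hashlib.sha256(right.to_bytes(4, "big") + subkey.to_bytes(6, "big")).digest()
    return int.from_bytes(h[:4], "big")


def feistel_rounds(block64, subkeys, f=toy_f):
    """Apply one round per subkey, then swap the halves. Returns the output
    block and the (L, R) pair after every round (index 0 is the input)."""
    left, right = block64 >> 32, block64 & 0xFFFFFFFF
    trace = [(left, right)]
    for k in subkeys:
        left, right = right, left ^ f(right, k)   # LEi+1 = REi ; REi+1 = LEi xor F(REi, Ki+1)
        trace.append((left, right))
    return (right << 32) | left, trace


def encrypt(block64, subkeys):
    return feistel_rounds(block64, subkeys)[0]


def decrypt(block64, subkeys):
    """Same rounds with the subkeys in reverse order, as in DES decryption."""
    return feistel_rounds(block64, list(reversed(subkeys)))[0]
```

Running feistel_rounds on a ciphertext with the reversed subkeys shows the property asked for in the Feistel exercise numerically: the (L, R) pair after the first decryption round is the swap of the pair that entered the 16th encryption round. expansion_targets(5) returns [6, 8], matching example 4a above, and sbox_lookup(S1, 0b010111) selects row 1, column 11.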
XOR Operation
Between Compressed Key and Expanded Right Half of the Data
1. The compressed key is XORed with the expanded right half of the data.
2. The output of the XOR operation is fed to the S-Box Substitution to create 32 bits.

S-Box Substitution
1. The 48 bit input is divided into 8 groups of 6 bits each.
2. Each group acts as an input to an individual S-Box (S1 to S8).
3. Each S-Box produces 4 bits of output. So in total 48 bits produce 32 bits.
4. Each S-Box is a 4x16 matrix. Each matrix element is a 4 bit number.
5. Let us assume b1 b2 b3 b4 b5 b6 are the six input bits. The values of b1b6 decide the row number (0 to 3) in an S-Box and b2 b3 b4 b5 decide the column number (0 to 15) in that S-Box. E.g. if the 6 input bits are 010111, the row number is 01 (decimal 1) and the column number is 1011 (decimal 11).
6. So essentially, 6 input bits select a 4 bit matrix element in an S-Box and that element becomes the output of that S-Box.
7. The matrix elements of the eight S-boxes are provided in Appendix-A.

P-Box Permutation
The 32 bits from the S-Box substitution are permuted using the table below:
1. The output of the P-Box permutation is XORed with the original 32-bit left half of the data and forms the right half for the next round.
2. The original 32-bit right half of the data forms the left half for the next round.

Sum Up - One DES Round (diagram)

The Final Permutation
The two halves of the output of the 16th round are swapped and passed through the Inverse Permutation (IP-1) using the table below to get the final ciphertext.

DES Decryption
DES Decryption steps are the same as Encryption except the following:
• The sub-keys are used in the reversed order (K16....K1).
• IP and IP-1 are used in the reverse order.

DES: Design Criticism
1. Key Length: With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. A single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher. But as processing speed is increasing year-by-year, this key length is not considered adequate.
2. Number of Rounds: DES with any number of rounds less than 16 has a higher probability of being broken easily. (Differential cryptanalysis of DES-like cryptosystems by Biham and Shamir, 1991).
3. S-Boxes: Though they appear simple, no one has so far succeeded in discovering any of the supposedly fatal weaknesses in the S-boxes.

Exercise
1. The 32 bits of the right half of a block are 0xABCD1234. Find out the 48 bits after the expansion permutation.
2. Study from the Text Book-1 (T1): what is the Avalanche Effect in DES?
3. The function F in DES produces 32-bit all 1’s irrespective of the value of the key input and the right half of the data. After four rounds what shape will the data take?
4. A student develops a cipher system which is a tailored-down version of the Feistel or DES Cipher. The block size is 4 bits and the key size is 3 bits. The function takes the first and the third bits of the key, interprets them as a decimal number and converts this decimal number to 4 binary bits. The output of the function is then XORed with the plaintext to get the ciphertext. There is only one round.
a. Taking a few examples, show the working of this cipher system.
b. Is it achieving reversible mapping?
c. Draw a block diagram of the cipher system.

Key Management & Distribution
Distribution of Symmetric Key
Using Symmetric Encryption
1. For symmetric key encryption, sender and receiver must share the same key.
2. Frequent changes (renewals) of this shared key would be desirable, to avoid attacks.
3. So delivering the shared key to the two parties “securely” is crucial for symmetric encryption to sustain successfully. This is called Key Management and Distribution for Symmetric Encryption.
4. In a large network of N parties, it would need N(N-1)/2 keys for symmetric encryption. The count of keys grows rapidly as N becomes large.
5. If the two parties are A and B, there are different possibilities to share the key:
a. A can select a key and physically deliver it to B.
b. A third party can select the key and physically deliver it to A and B.
c. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
d. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
6. The possibilities (a) and (b) are not feasible in the modern communication world.
7. Option (c) is a possibility, but if an attacker gains access to one key, all other subsequent keys will be compromised. Initial distribution of the first key will still be a challenge.
8. Option (d) is the most suitable and is adopted in communication networks using a Key Distribution Centre (KDC).

Key Distribution Scenario
With KDC in the loop
1. Users A and B have master keys KA and KB respectively, shared only with the KDC.
2. User A wants to establish a connection with B and contacts the KDC with its own ID, B’s ID and its nonce NA.
3. The KDC responds with a message having two data items:
a. The one-time session key KS and A’s original message, encrypted with A’s master key (KA), known only to A and the KDC.
b. The same session key KS and A’s ID, encrypted with B’s master key (KB), known only to B and the KDC.
4. A stores the session key KS and forwards the second data item to B. The session key KS is now delivered to both parties.
5. Using the new session key, B sends its encrypted nonce NB to A.
6. After receiving NB, A performs some function on NB and sends it to B encrypted with KS.

Exercise
Analyse and answer the following questions for the Key Distribution Scenario in the previous slide:
1. Do you see any vulnerability because the initiator did not encrypt the very first message?
2. Why did initiator A include its own id and B’s id in its original first message to the KDC?
3. Why did initiator A include a nonce NA in its original first message to the KDC?
4. Why did the KDC reply with the session key KS in the first data element, encrypted with A’s master key?
5. Why did the KDC include A’s original message in its response to A in the first data item?
6. Why did the KDC prepare the second data item encrypted with B’s master key?
7. Why did the KDC include A’s identity in the data item that was encrypted with B’s master key?
8. Why did B also send its nonce NB only to A and not to the KDC?
9. Why did A perform some function on NB and send it back to B?
10. Why did A and B use the session key KS for the last two messages?
11. Could A and B use their respective master keys (KA and KB) for the last two messages for encryption?
12. A and B are authenticated with the KDC as they share master keys (KA and KB) with the KDC. Are A and B authenticating each other? If this is an issue, was it being taken care of? How?

Modus Operandi:
• Generate a shared master key between two users.
• Use this master key to protect the session key for securing messages. Probably one session key per message.
• Alter keys frequently to protect the system.
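Worked example of the KDC scenario and the checks behind the exercise questions (added here; it is not code from the notes): the six steps run end to end in Python, with A comparing the echoed request and nonce NA against what it sent, B learning the peer identity only from inside the ticket, and B verifying f(NB) under KS. The E(K, ...) of the notes is stood in for by a toy encrypt-then-MAC built from the standard library's hashlib and hmac so the block runs offline; it is not a vetted cipher, and the master keys, nonces and the function f are constructed for the illustration.

```python
"""The KDC session-key scenario from the notes, run end to end with a toy
encrypt-then-MAC (SHA-256 keystream + HMAC) standing in for E(K, ...)."""
import hashlib
import hmac
import json
import os


def keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, fields):
    """E(key, fields): encrypt a JSON-serialisable dict and append an HMAC tag."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; raises ValueError if the tag does not verify."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, keystream(key, nonce, len(cipher)))))


def is_authentic(key, blob):
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def f(nonce):
    """The transformation A applies to NB; any agreed function works."""
    return nonce + 1


def kdc_reply(master_keys, request):
    """Step 3: E(KA, [KS, request, E(KB, [KS, IDA])]). KS is fresh per request."""
    ks = os.urandom(32).hex()
    ticket = seal(master_keys[request["idb"]], {"ks": ks, "ida": request["ida"]})
    return seal(master_keys[request["ida"]],
                {"ks": ks, "request": request, "ticket": ticket.hex()})


def run_scenario():
    ka, kb = os.urandom(32), os.urandom(32)            # master keys shared only with the KDC
    master_keys = {"A": ka, "B": kb}
    # Step 2: A -> KDC in the clear: IDA, IDB, NA
    na = int.from_bytes(os.urandom(8), "big")
    request = {"ida": "A", "idb": "B", "na": na}
    # Step 3: KDC -> A; A checks that its own IDs and nonce came back unchanged
    reply = unseal(ka, kdc_reply(master_keys, request))
    if reply["request"] != request:
        raise ValueError("KDC reply does not match A's request")
    ks_a = bytes.fromhex(reply["ks"])
    # Step 4: A -> B: forwards the ticket; only B (and the KDC) can open it
    ticket = unseal(kb, bytes.fromhex(reply["ticket"]))
    ks_b, peer_seen_by_b = bytes.fromhex(ticket["ks"]), ticket["ida"]
    # Step 5: B -> A: E(KS, NB)
    nb = int.from_bytes(os.urandom(8), "big")
    msg5 = seal(ks_b, {"nb": nb})
    # Step 6: A -> B: E(KS, f(NB)); a correct reply shows A holds the same KS
    msg6 = seal(ks_a, {"fnb": f(unseal(ks_a, msg5)["nb"])})
    b_accepts = unseal(ks_b, msg6)["fnb"] == f(nb)
    return {"same_session_key": ks_a == ks_b, "peer_seen_by_b": peer_seen_by_b,
            "b_accepts_a": b_accepts}
```

The ticket for B is opaque to A (A forwards it without being able to read or alter it), and the echoed request inside A's reply is what ties KS to this particular request and nonce; both points are the substance of exercise questions 5 to 7 above.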
Hierarchical Key Control
1. There can be local KDCs, each responsible for a small domain of the overall internetwork. E.g. a single LAN or a single building.
2. If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC and one of them actually selects the key. E.g. entities in different states.
3. The same concept can be extended depending on the complexity of the geographic scope and population.

Decentralized Key Control
1. In decentralized operation there is no KDC.
2. Using a shared master key, each node establishes a session key for encryption.
3. Initiator A first sends its IDA and nonce NA.
4. B responds with a message that is encrypted using the shared master key Km. The response also includes the session key KS selected by B, B’s identifier, the value of function(NA), and another nonce, NB.
5. Using the new session key KS, A returns function(NB) to B.
6. Disadvantage – The N user system needs to maintain N(N-1)/2 master keys.
7. Session keys are used for only a limited time to protect the short messages.

Distribution of Symmetric Key
Using Asymmetric Encryption (Public) Keys – Simple Mode
1. User A generates its public/private key pair (PUA/PRA) and sends the public key PUA and its id IDA to B.
2. B generates a secret session key, KS, and transmits it to A, encrypted with A’s public key.
3. Only A can decrypt it, using its private key PRA, and make use of the session key KS.
4. A and B can discard PUA, PRA and KS after the session.

Exercise
Show that a man-in-the-middle attack is possible with symmetric key distribution using public/private keys and an attacker can gain access to the shared session key.
Hint: Review Diffie-Hellman Key Exchange (DHKE) to get the basic idea of the man-in-the-middle attack and apply the same concept. The attacker will also use his public/private key pair.

Using Asymmetric Encryption Keys - Maintaining Confidentiality and Authentication
1. It is assumed that A and B have exchanged their public keys (more details later in this slide deck on sharing the public keys).
2. A uses B’s public key to encrypt a message containing its id (IDA) and a nonce (NA) and sends it to B.
3. B sends a message to A encrypted with PUA and containing A’s nonce (NA) as well as its nonce (NB).
4. A returns NB, encrypted using B’s public key.
5. A selects a secret shared key KS, encrypts it with its private key, then encrypts the whole message with B’s public key and sends it to B. B decrypts the message first with its own private key and the result with A’s public key to get KS.

Exercise
Analyse and answer the following questions for the Key Distribution Scenario in the previous slide:
• How is A assured of the authenticity of B from the messages?
• How is B assured of the authenticity of A from the messages?
• When A sends the shared secret key KS to B, how does A ensure that only B can read it and how does B ensure that only A could have sent it?

Distribution of Public Keys
Public Announcement
Any participant can send his or her Public Key (PU) to any other participant or broadcast the key to the community at large.
Drawback: Anyone can forge such a public announcement. E.g. some user could pretend to be user A and send a public key to another participant or broadcast such a public key. Until such time as user A discovers the forgery and alerts other participants, the forger is able to read all encrypted messages intended for A.

Publicly Available Directory
1. A trusted organization or authority maintains a directory with a {Name, Public Key} entry for each participant.
2. Each participant registers a public key with the directory authority. Registration would have to be in person or by some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at any time, either because of the desire to replace a public key that has already been used for a large amount of data, or because the corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.
5. Safer than public announcement, but the confidentiality and integrity of the directory are crucial.

Public Key Authority
1. Initiator A requests from the Public-Key Authority (PKA) the public key of B. The message is time stamped TA.
2. The PKA sends a response encrypted with its private key. The message contains the public key of B (PUB) and the original request and time stamp sent by A.
3. A saves B’s public key and sends a message encrypted with B’s public key (PUB) to B. The message contains A’s identity (IDA) and a nonce generated by A (NA).
4. B also gets the public key of A (PUA) in the same manner from the PKA.
5. At this point in time, both A and B have each other’s public keys.
6. B sends a message encrypted with the public key of A. The message contains the nonce generated by A and a new nonce generated by B.
7. A responds with the nonce generated by B, encrypted with the public key of B.
Exercise
Analyse and answer the following questions for the Public Key Distribution Scenario in the previous slide:
1. Why did A time stamp its first message and why did the PKA include this time stamp in its response to A?
2. When the PKA provided B’s public key to A, the message was encrypted with the private key of the PKA itself. How will A decrypt it?
3. Why did A contact B with its id and its nonce in a message encrypted with B’s public key?
4. Why did B respond to A with A’s nonce and its own nonce?
5. Why did A reply to B with B’s nonce and why was the message encrypted with the public key of B?
6. Can we conclude that for the PKA mechanism to work, the PKA’s public key must be known to the other users first?
7. What are the disadvantages of this scheme?
Answer:
a. Overhead of approaching the PKA for every public key.
b. Confidentiality and integrity of the public key database with the PKA.

Public-Key Certificates
1. Certificates can be used by participants to exchange keys without contacting a public-key authority, in a way that is as reliable as if the keys were obtained directly from a public-key authority.
2. A certificate consists of a public key, an identifier of the key owner, and the whole block signed by a trusted third party.
3. A user can present his or her public key to the authority in a secure manner and obtain a certificate.
4. The user can then publish the certificate. Anyone needing this user’s public key can obtain the certificate and verify that it is valid by way of the attached trusted signature.
5. Requirements of a Public-Key Certificate:
a. Any participant can read a certificate to determine the name and public key of the certificate’s owner.
b. Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
c. Only the certificate authority can create and update certificates.
d. Any participant can verify the currency (freshness) of the certificate.

Exchange of Public-Key Certificates
Basic Idea
1. A applies to the Certificate Authority (CA), supplying its public key (PUA) and requesting a certificate.
2. The Certificate Authority (CA) prepares a certificate CA for A, which is an encrypted message of the following using its private key (PRCA):
a. Time stamp (TA)
b. ID of A (IDA) as known to the CA.
c. Public Key of A (PUA) supplied by A.
3. B also receives its certificate from the CA in the same manner.
4. A and B can now exchange their certificates directly without the CA in between.
5. B can decrypt the certificate of A using the public key of the CA and retrieve TA, IDA and PUA. In the same manner, A can also decrypt the certificate of B.
6. If the time stamp (T) is old, the certificate must be considered expired.

Public Key Certificates
1. As reviewed in the previous slides, certificates are the most prominent way to distribute public keys.
2. In place of encrypting the whole message, only the calculated hash code is encrypted by the Certification Authority (CA) using its private key, and it is verified by the user using the CA’s public key to establish authenticity.
3. X.509 is part of the ITU-T X.500 series. It defines a directory service. A directory is a server or distributed set of servers that maintains a database of information about users. X.509 defines the certificate structure and other details.

Basic Concept – Establishing CA’s Authenticity (diagram)
X.509 Certificate Structure

ITU-T X.509 Structure of Certificate

Obtaining and Verifying Certificates

With many users, it may be more practical for there to be a number of CAs, each of which securely provides its public key to some of the users. If two CAs have securely signed each other's public keys, the users under them can also exchange keys securely. E.g.
1. Representation: M <<N>> means the certificate of N is issued by M.
2. A has obtained a certificate from certification authority X1 and B has obtained a certificate from CA X2. So, X1 <<A>> and X2 <<B>>. X1 and X2 are CAs, while A and B are users.
3. The certificate of X2 is signed by X1. So X1 <<X2>>, but the reverse is not true.
4. A obtains the certificate of X2 from the X.500 directory. Since A securely knows X1's public key, A can obtain X2's public key from its certificate and verify it by means of X1's signature on the certificate.
5. A then goes back to the directory and obtains the certificate of B signed by X2. Because A now has a trusted copy of X2's public key, A can verify the signature and securely obtain B's public key.
6. Note that B cannot verify the certificate of A in the same manner, because X1's certificate is not signed by X2 in the given example (though such a situation is also possible).

Revocation of X.509 Certificates

Certificate Revocation List (CRL)
1. Each CA must maintain a list of all revoked but not yet expired certificates issued by that CA, including both those issued to users and those issued to other CAs. These lists should also be posted on the directory. There can be many reasons for revocation, such as:
 a. The user's private key is compromised.
 b. The user is temporarily suspended.
 c. The certificate was not issued in conformance with the policies.
2. Each certificate revocation list (CRL) posted to the directory is signed by the issuer CA and includes:
 a. The issuer's name.
 b. The date the list was created.
 c. The date the next CRL is scheduled to be issued.
 d. An entry for each revoked certificate, consisting of the serial number of the certificate and the revocation date.
3. When a user receives a certificate in a message, the user must determine whether the certificate has been revoked. The user could check the directory each time a certificate is received. The user could also maintain a local cache of certificates and lists of revoked certificates to avoid delays.

More Information on CRL
1. Nowadays OCSP (Online Certificate Status Protocol) is used if a certificate does not have a CRL endpoint.
2. Using OCSP, a host can query the revocation status of a certificate from a CA.

Base-64 Encoding
X.509 certificates can be stored in the PEM (Privacy Enhanced Mail) format, which uses Base-64 encoding. Other formats are binary, such as Distinguished Encoding Rules (DER), and the Public Key Cryptography Standards (PKCS) variants, which exist in both binary and Base-64 forms.
Examples and Observations
1. In Base-64 conversion, a stream of 8-bit bytes (characters) is converted into 6-bit characters.
2. If the bit stream does not have a bit count that is a multiple of 6, dummy 0s are appended.
3. The final Base-64 encoding must have 4 characters or a multiple of 4. If not, padding characters (=) are added to reach the required count.
4. When Base-64 characters are decoded, the padding (=) is dropped and the 8-bit characters are recovered by the reverse procedure. The dummy 0s are also dropped.
5. Important observations:
 a. If there are 2 padding characters out of 4, there will be only one 8-bit decoded character.
 b. If there is only 1 padding character in 4, there will be two 8-bit decoded characters.

Public Key Infrastructure (PKI)
1. IETF and ITU-T working groups jointly defined a Public Key Infrastructure with the following entities:
2. End Entity: A generic term used to denote end users.
3. Certification Authority (CA): The issuer of certificates and CRLs.
4. Registration Authority (RA): An optional component that can take over a number of administrative functions from the CA.
5. CRL Issuer: An optional component to which a CA can delegate the publication of CRLs.
6. Repository: A generic term used to denote any method for storing certificates and CRLs.

The management functions defined in PKI (protocols implemented in RFC 2510):
• Registration
• Initialization
• Certification
• Key Pair Recovery
• Key Pair Update
• Revocation Request
• Cross Certification

X.509 Version-3 Extensions
1. There are certain limitations in X.509 version 2 when meeting the requirements of new network implementations:
 a. The Subject field needs to carry e-mail or URL types of identities.
 b. Security policy information needs to be carried.
 c. Different keys held by the same owner need to be differentiated.
2. Version 3 of X.509 provides a flexible extension format in place of fixed fields.
3. The certificate extensions fall into three main categories:
 a. Key and policy information.
 b. Subject and issuer attributes.
 c. Certification path constraints.

Key and Policy Information
1. Authority and Subject Key Identifier: The same user (subject) can have multiple public keys certified by the same CA for different purposes. These fields make it possible to differentiate among them.
2. Key Usage: Defines or imposes restrictions on what a particular public key can be used for – signature, non-repudiation, data encryption etc.
3. Private Key Usage Period: Indicates the period during which the private key associated with the certificate's public key can be used. E.g. the usage period of a private key for digital signatures could be shorter than that for anything else, so differentiation may be required.
4. Certificate Policies: Data to be used in situations where multiple policies apply.
5. Policy Mappings: Indicates, when multiple CAs exist, which CA can certify which CA etc.
6. The policies combine a set of rules into one object, identified by an Object Identifier (OID).

Subject and Issuer Attributes
1. Subject's and Issuer's Alternative Name: Certain applications use multiple name formats and aliases. This additional field can carry alternative names to support that, e.g. for IPSec, e-mail etc.
2. Subject Directory Attributes: To convey additional parameters from the X.500 directory for the subject.

Certification Path Constraints
1. Basic Constraints: Indicates whether a subject can act as a CA. A certification path length limit can also be given; e.g. the certification path could not be more than 4 steps long.
2. Name Constraints: A sequence of names that must be present in the certification path.
3. Policy Constraints: Specifies constraints that may require explicit certificate policy identification or inhibit policy mapping for the remainder of the certification path.
