Lecture7-PKC

The document discusses Public Key Cryptography (PKC), highlighting its importance in secure communication through the use of a public and private key pair. It covers key concepts such as the RSA Cryptosystem, Diffie-Hellman Key Exchange, and Digital Certificates, along with the basic requirements and framework for PKC. Additionally, it explains modular arithmetic and the Extended Euclidean Algorithm, which are essential for understanding cryptographic processes.

Uploaded by

Jaideep Singh
Copyright © All Rights Reserved

Foundation of Information

Security
Lecture-7 (PKC)
Today’s Topics
• Public Key Cryptography
• RSA Cryptosystem
• Diffie-Hellman Key Exchange
• Digital Certificate
Public Key Cryptography
• Also known as “asymmetric cryptography”
• Concept proposed by Diffie and Hellman in 1976
• Requires usage of two different keys between the sender and the
receiver
• Public Key and Private Key
• Remember symmetric crypto requires only a single key
• Can be used to achieve
• Confidentiality
• Authentication
• Non-Repudiation
Why Public Key Cryptography (PKC)?
• How to share the secret key between sender and recipient before using symmetric crypto?
1. Meet physically beforehand and decide – not a practical solution
2. Use a key distribution center (KDC)
• Role of the KDC is to distribute the session key (secret key) between the sender and the receiver
• But that means the KDC knows our secret key, which is undesirable!!!
• PKC helps us achieve total secrecy over our communication
Basic Framework of PKC
• Each user generates a pair of keys
• Public key (denoted as PU) – known to all
• Private key (denoted as PR) – known only to the owner
• Encryption
• Sender encrypts the plaintext using the recipient’s public key
• Decryption
• Recipient decrypts the ciphertext using her private key
• Since only the recipient knows the corresponding private key, only she can decrypt the ciphertext back and nobody else
Basic Framework of PKC
• Digital Signature: authentication with public key
• Encryption of the message with the sender’s Private Key
• Decryption is with the sender’s Public Key
• Only the person with the Private Key can generate the encrypted message, called the Digital Signature of the message
Basic Framework: Digital Signature in Practice
Basic Requirements of PKC
1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb)
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, to generate the corresponding ciphertext:
C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message:
M = D(PRb, C) = D(PRb, E(PUb, M))
Basic Requirements of PKC
4. It is computationally infeasible for an adversary, knowing the public key PUb, to determine the corresponding private key PRb
5. It is computationally infeasible for an adversary, knowing the public key PUb and a ciphertext C, to recover the original message M
6. The two keys can be applied in either order:
M = D(PRb, E(PUb, M)) = D(PUb, E(PRb, M))
Examples of public key cryptosystems
• RSA √
• Elliptic Curve Cryptosystem
• Diffie Hellman √
• Digital Signature Standard (DSS)
• El Gamal
Modular Arithmetic
• 32 mod 5 = 2
• ‘mod’ is the remainder operator
• (a mod b) ∈ {0, 1, 2, …, (b−1)}
• (a mod n + b mod n) mod n = (a + b) mod n
• (a mod n × b mod n) mod n = (a × b) mod n
Example. Since 71 mod 4 = 3 and 126 mod 4 = 2
• 71 × 126 = 8946
• (71 × 126) mod 4 = 8946 mod 4 = (3 × 2) mod 4 = 2
Inverse Modulo n
• Additive inverse modulo n
• In Zn, two numbers a and b are additive inverses of each other if a + b ≡ 0 (mod n)
• E.g., the additive inverse of 4 in Z10 is 6
• In modular arithmetic, the additive inverse of a can be calculated as b = n − a
• In modular arithmetic, each integer has an additive inverse
• The inverse is always unique, i.e., each number has one and only one additive inverse
• The inverse of the number may be the number itself
Inverse Modulo n
• Multiplicative inverse modulo n
• In Zn, two numbers a and b are multiplicative inverses of each other if a × b ≡ 1 (mod n)
• E.g., the multiplicative inverse of 3 in Z10 is 7
• What is the multiplicative inverse of 9 modulo 10?
• In modular arithmetic, an integer may or may not have a multiplicative inverse
• a has a multiplicative inverse in Zn if and only if gcd(n, a) = 1, i.e., a and n are relatively prime
• E.g., there is no multiplicative inverse of 8 in Z10 because gcd(8, 10) = 2
Extended Euclidean Algorithm
• For large numbers, it becomes difficult to find its inverse
• Extended Euclidean Algorithm helps in finding the inverse
• Let us see how …
Euclidean Algorithm: Algorithm
Euclidean Algorithm: Example
Extended Euclidean (EE) Algorithm
• To determine: x, y, d
• Solving the congruence ax ≡ 1 (mod m) is equivalent to solving ax − my = 1.
Extended Euclidean (EE) Algorithm
Algorithm
• r1 ← n; r2 ← b;
• t1 ← 0; t2 ← 1;
While (r2 > 0)
{
  q ← r1 / r2;
  r ← r1 − q × r2;
  r1 ← r2; r2 ← r;
  t ← t1 − q × t2;
  t1 ← t2; t2 ← t;
}
If r1 = 1 then b^(−1) ← t1
Example
Find the multiplicative inverse of 23 (b) modulo 100 (n)
  q   r1   r2    r   t1   t2     t
  4  100   23    8    0    1    -4
  2   23    8    7    1   -4     9
  1    8    7    1   -4    9   -13
  7    7    1    0    9  -13   100
       1    0       -13  100
• Note that gcd(100, 23) is 1, which means the inverse of 23 exists.
• From above, t1 = −13, or (−13) mod 100 = 87
• Thus, 87 is the multiplicative inverse of 23 modulo 100
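The algorithm above, as an added example that is not part of the lecture: it keeps the slide's variable names (r1, r2, t1, t2, q, r, t) and returns the same trace table, so the 23 modulo 100 case can be re-run and checked; the function names are my own.

```python
# Added example (not from the lecture slides): the Extended Euclidean
# Algorithm exactly as the slide writes it, producing the (q, r1, r2, r, t1,
# t2, t) trace table and the multiplicative inverse of b modulo n.

def extended_euclid_trace(n, b):
    """Return (gcd, inverse_or_None, rows) for b modulo n.

    rows holds one tuple (q, r1, r2, r, t1, t2, t) per loop iteration,
    matching the columns of the table on the slide.
    """
    r1, r2 = n, b
    t1, t2 = 0, 1
    rows = []
    while r2 > 0:
        q = r1 // r2          # integer quotient
        r = r1 - q * r2       # remainder
        t = t1 - q * t2       # Bezout coefficient update
        rows.append((q, r1, r2, r, t1, t2, t))
        r1, r2 = r2, r
        t1, t2 = t2, t
    # The loop ends with r1 = gcd(n, b); the inverse exists only when gcd is 1.
    # t1 may be negative (slide: -13), so reduce it into Z_n (-> 87).
    inverse = t1 % n if r1 == 1 else None
    return r1, inverse, rows


def mod_inverse(b, n):
    """Multiplicative inverse of b modulo n, or None when gcd(b, n) != 1."""
    return extended_euclid_trace(n, b)[1]


if __name__ == "__main__":
    gcd, inv, rows = extended_euclid_trace(100, 23)
    print("    q   r1   r2    r   t1   t2    t")
    for row in rows:
        print("".join(f"{v:5d}" for v in row))
    print(f"gcd = {gcd}, inverse of 23 mod 100 = {inv}")   # 87
    print("check:", (23 * inv) % 100)                        # 1
    print("inverse of 8 mod 10 =", mod_inverse(8, 10))       # None, gcd is 2
```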
Euler’s Totient
• Defined as the number of positive integers less than n and relatively prime to n
• Denoted as ϕ(n). By convention, ϕ(1) = 1
Euler’s Totient
• Always remember that for a prime number p, ϕ(p) = p − 1
• Let n = pq, where p and q are prime numbers and p ≠ q, then ϕ(n) = ϕ(pq) = ϕ(p) × ϕ(q) = (p − 1)(q − 1)
• For example, ϕ(15) = ϕ(5) × ϕ(3) = 4 × 2 = 8
RSA Cryptosystem
• Developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT
• Based on modular exponentiation and factorization of large numbers
• In the RSA block cipher, plaintext (and ciphertext) are integers between 0 and n−1 for some n
• Typically |n| = 1024 bits
• Means n ≤ 2^1024, or 309 decimal digits
• Encryption: C = M^e mod n    Decryption: M = C^d mod n
• Public Key: (e, n)    Private Key: (d)
RSA Requirements
How to generate RSA parameters?
Q. What should be the values of e, d and n?
Ans. Let’s focus on the values of e and d first
• Assume n is a composite number
• Means n = pq, where p and q are prime numbers
• ⇒ ϕ(n) = ϕ(pq) = (p − 1)(q − 1)
• We will show later why n should be composite
• We want M = C^d mod n, or M = M^(ed) mod n
• We say the above relationship holds if ed mod ϕ(n) = 1
• This is equivalent to saying ed ≡ 1 (mod ϕ(n)), or d ≡ e^(−1) (mod ϕ(n))
• That is, e and d are multiplicative inverses with respect to mod ϕ(n)
• Remember, the inverse of e only exists if e is relatively prime to ϕ(n)
How to generate RSA parameters?
• Let’s focus on the value of n now
• Case 1. If n is prime
• We want ed ≡ 1 (mod ϕ(n)), or d ≡ e^(−1) (mod ϕ(n))
• Remember, n is part of the public key, i.e., known to all
• As n is prime, anyone can compute ϕ(n) = n − 1 (however big n is)
• Therefore, it is easy to find d (which was supposed to be secret) using the Extended Euclidean Algorithm!!

to make the 3rd and 2nd formula work, we have to break the composite n,
into its primes, currently we dont have any such algo that can do it efficiently
How to generate RSA parameters?
• Let’s focus on the value of n now
• Case 2. If n is composite
• Again we want d ≡ e^(−1) (mod ϕ(n))
• The extended Euclidean algorithm is an efficient algorithm to find d, but we need to know ϕ(n), otherwise it won’t work!!
• Finding ϕ(n) for a large composite n is computationally hard
• However, if we use n = pq and know the factorization, we can calculate ϕ(n) = ϕ(pq) = (p − 1)(q − 1) and thus d
• So RSA uses a large composite n = pq that cannot be factored efficiently
• Factorization of large numbers is NP Hard !!
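The parameter derivation above (e and d as inverses mod ϕ(n), n = pq) and the two cases for n, as an added example that is not part of the lecture: it generates a toy key pair from p, q, e, checks encryption, decryption and requirement 6 (either key order), and shows the Case 1 failure, where a prime modulus lets anyone derive d from the public key alone. The function names are my own, and the modular inverse uses Python's built-in pow(e, -1, m) (3.8+) in place of the slide's Extended Euclidean Algorithm.

```python
# Added example (not from the lecture slides): generating RSA parameters as
# the slides derive them, and checking the slide's two cases for n.
from math import gcd


def is_prime(n):
    """Trial division; fine for the toy sizes used here (not for 1024-bit n)."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def rsa_keygen(p, q, e):
    """Return ((e, n), d) from distinct primes p, q and a public exponent e.

    Requires gcd(e, phi(n)) == 1; otherwise e has no inverse (slide: 'inverse
    of e only exists if e is relatively prime to phi(n)').
    """
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(pq) = (p-1)(q-1), needs the factors
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n)
    return (e, n), d


def encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)              # C = M^e mod n


def decrypt(c, d, n):
    return pow(c, d, n)              # M = C^d mod n


def recover_d_from_prime_modulus(e, n):
    """Slide 'Case 1': if n were prime, phi(n) = n - 1 is public knowledge,
    so the 'secret' d follows from the public key (e, n) alone."""
    if not is_prime(n):
        raise ValueError("only applies to a prime modulus")
    return pow(e, -1, n - 1)


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)       # n = 3233, phi = 3120, d = 2753
    c = encrypt(65, pub)                  # 2790
    print(pub, d, c, decrypt(c, d, pub[1]))
    # Requirement 6: the keys work in either order (apply d, then e)
    print(pow(pow(65, d, pub[1]), pub[0], pub[1]))   # 65
    # Case 1: with a prime modulus n = 1009 and e = 5, d is not secret at all
    n, e = 1009, 5
    print(recover_d_from_prime_modulus(e, n) == pow(e, -1, n - 1))   # True
```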
RSA Algorithm
RSA Numerical
Problem of non-repudiation
• There is no way to verify who is speaking the truth!!!
• Digital Signatures help us achieve non-repudiation
Digital Signature Numerical
Public Key Encryption
• Only provides confidentiality
• Does not provide authentication
• Anybody can encrypt a message using Bob’s public key and claim to be Bob
Public Key Authentication
• Authentication is achieved
• Only Alice could have encrypted the message using her private key
• In broader terms, this is what a digital signature is – encrypting with the private key of the sender
• But now there is no confidentiality
• Anybody can decrypt using Alice’s public key
Sign-then-Encrypt
• Message from Alice to Bob would be:
A → B: E_PUB(E_PRA(M))
• Alice cannot now deny signing the message
• However, another attack is possible: Surreptitious Forwarding
• Consider the scenario,
• Originally: A → B: E_PUB(E_PRA("The deal is off"))
• Because Bob wants to take revenge, he will send the same signed message to Charlie by encrypting it with Charlie’s public key
• Now: B → C: E_PUC(E_PRA("The deal is off"))
• Even though Alice didn’t want to disclose the deal, to Charlie it will look as if Alice wants to do so
Sign-then-Encrypt
• However, Alice can prevent this type of attack
• Now: A → B: E_PUB(E_PRA("The deal is off" | ID_B | T))
• Alice appends a unique identifier of Bob to the original message, as well as the timestamp when the message was sent
Diffie Hellman Key Exchange
Image source: wikipedia
Diffie Hellman Key Exchange
• Proposed by Diffie and Hellman in 1976
• Allows two users (A and B) to securely exchange a secret key (Ks)
• A and B can subsequently use the secret key for encryption of messages
Diffie Hellman Key Exchange
• Steps of Diffie Hellman Key Exchange. It uses the multiplicative group of integers modulo a prime q, and g is a primitive root modulo q.
1. A and B, using insecure communication, agree on a large prime number q and one of its primitive roots g
• Property: every group of prime order has multiple primitive roots
• q and g are public parameters … known to all
Scenario (annotation):
1. You, the attacker, know A, B, g, p. To get the secret key there is one way:
a) get a or b, which is computationally infeasible; the other way, explained in the picture below, isn’t possible.
Diffie Hellman: both parties get the same key because both parties have an equal part in deciding the other’s key. Since you, the attacker, can’t send to either party (if you could, the system would fail), you neither get to know nor decide the secret key. That is the necessary condition for Diffie Hellman to work: an attacker can at most observe the channel; if he is able to alter data along the channel, as we see later in the example, the algorithm falls apart.
• Maximizes the number of possible keys: a primitive root generates all nonzero values modulo p before repeating. This ensures that every possible key can be derived, making the system more secure.
• Prevents weak keys: if a non-primitive root is used, it may only generate a small subset of the possible keys, making it easier for an attacker to guess the key.
Diffie Hellman Key Exchange
2. User A selects a random integer X < q and computes:
• Z_A = g^X mod q
• X is private to user A (a secret value)
• A makes Z_A publicly available to B
3. Independently, user B selects a random integer Y < q and computes:
• Z_B = g^Y mod q
• Y is private to user B (a secret value)
• B makes Z_B publicly available to A
4. User A computes Ks = Z_B^X mod q
5. User B computes Ks = Z_A^Y mod q
Diffie Hellman Key Exchange
• Why do both A and B have an identical key?
• For user A, Ks = Z_B^X mod q = (g^Y mod q)^X = g^(YX) mod q
• For user B, Ks = Z_A^Y mod q = (g^X mod q)^Y = g^(XY) mod q
• For Eve the attacker:
• She only knows q, g, Z_A, Z_B
• To know the secret key Ks, she needs to know X or Y (private keys of A or B respectively)
• For that, she needs to calculate:
X = dlog_(g,q)(Z_A)
Y = dlog_(g,q)(Z_B)
• For large primes, finding the discrete log is a hard problem.
Numerical Example
• Let q = 353, g = 3
• Both are global public elements
• Let the private key of A be X = 97 and the private key of B be Y = 233
• A computes its public key Z_A = 3^97 mod 353 = 40
• B computes its public key Z_B = 3^233 mod 353 = 248
• After exchanging Z_A and Z_B with each other, A and B can compute the secret key Ks as:
• Ks (for A) = 248^97 mod 353 = 160
• Ks (for B) = 40^233 mod 353 = 160
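Steps 1 to 5 of the exchange run on the numerical example above (q = 353, g = 3, X = 97, Y = 233), as an added example that is not part of the lecture. It also implements the primitive-root check the annotation earlier asks for: g = 3 reaches all 352 nonzero values mod 353, while a non-primitive root such as 4 reaches only a subgroup, which is why the choice of g matters. Function names are my own.

```python
# Added example (not from the lecture slides): the Diffie-Hellman steps from
# the slides on the slide's numbers, plus a primitive-root check for g.

def subgroup_size(g, q):
    """Number of distinct nonzero values g^k mod q reaches (q assumed prime)."""
    seen = set()
    value = 1
    for _ in range(q - 1):
        value = (value * g) % q
        seen.add(value)
    return len(seen)


def is_primitive_root(g, q):
    """True if g generates every nonzero value mod q, i.e. all q-1 of them."""
    return subgroup_size(g, q) == q - 1


def dh_public(g, q, secret):
    """Z = g^secret mod q, the value a party publishes (steps 2 and 3)."""
    return pow(g, secret, q)


def dh_shared(peer_public, secret, q):
    """Ks = Z_peer^secret mod q (steps 4 and 5)."""
    return pow(peer_public, secret, q)


def dh_exchange(q, g, x, y):
    """Run the exchange and return (Z_A, Z_B, Ks for A, Ks for B).

    Only Z_A and Z_B cross the insecure channel; x and y never leave A and B.
    """
    z_a = dh_public(g, q, x)
    z_b = dh_public(g, q, y)
    return z_a, z_b, dh_shared(z_b, x, q), dh_shared(z_a, y, q)


if __name__ == "__main__":
    q, g = 353, 3
    print("3 is a primitive root mod 353:", is_primitive_root(g, q))   # True
    z_a, z_b, k_a, k_b = dh_exchange(q, g, 97, 233)
    print(z_a, z_b, k_a, k_b)                      # 40 248 160 160
    # 4 = 2^2 is a quadratic residue mod 353, so it cannot be a primitive root:
    # it reaches only a fraction of the 352 possible values.
    print(subgroup_size(4, q), "of", q - 1)        # fewer than 352
```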
Man-in-the-Middle Attack
• Even though a brute force attack is not possible, the DH key exchange scheme suffers from another type of attack known as the Man-in-the-Middle Attack
• Type of eavesdropping attack that occurs when a malicious attacker inserts himself as a proxy into a communication session between 2 people or systems
• Allows attackers to intercept, send and receive data never meant for them without either legitimate party knowing until it is too late
Man-in-the-Middle Attack
• Once Eve is able to launch a Man-in-the-Middle Attack
• Alice and Bob think that they share a secret key
• However, in reality, Alice and Eve share one secret key (K1) and Bob and Eve share another secret key (K2)
• All subsequent communications are now compromised as follows:
• Alice sends the encrypted message CA = E(M, K1)
• Eve intercepts the encrypted message and decrypts it to recover M
• Eve sends Bob either
• E(M, K2) – Eve just wants to eavesdrop on the communication between Alice and Bob, or
• E(M’, K2) – Eve wants to modify the message that Alice has sent to Bob
• Bob receives the message and decrypts it using K2, thinking Alice has sent him the message
Man-in-the-Middle Attack
• This attack happened because the DH key exchange scheme does not authenticate the participants
• Bob has no way to know that the message/public key he is receiving is not from Alice but from Eve
• The same holds true for Alice
• This vulnerability can be countered if Alice and Bob can authenticate each other
• Accomplished through digital signatures
Digital Certificates help us prove our identity in the cyber world
How??
Note (annotation): you use the bank’s public key to send encrypted info to them, and it is secure because the bank has been verified by the CA, so it really is the public key of the bank.
Essentially, certificates allow you to verify whether the information you are getting is unaltered or not, to prevent cases like MITM.
Detailed Explanation of the PDF Content

The document primarily discusses Public Key Certificates, their structure, importance, and
revocation process. Here's a detailed breakdown of each section:

Public Key Certificates

Public key certificates are used to exchange cryptographic keys securely without requiring direct
contact with a public key authority. These certificates bind a public-private key pair to a specific
individual or organization.

Key Points About Public Key Certificates:

1. A certificate consists of:

o A public key.

o An identifier of the key owner.

o A digital signature from a trusted Certification Authority (CA).

2. The CA acts as a trusted third party that verifies and signs the certificate.

3. A user can securely present their public key to a CA and obtain a certificate.

4. Once issued, the certificate can be published for others to verify the key owner’s identity.

5. Anyone needing the public key can obtain the certificate and check its validity using the
CA’s signature.

Requirements of a Certificate Scheme

For a certificate system to work effectively, it must ensure:

• Uniqueness of public-private key bindings.

• Security against key misuse.

• Verification via a trusted authority.

General Certificate Scheme

A widely accepted standard for public key certificate formatting is X.509.

X.509 Standard

• Definition: X.509 is a standard that defines the format of digital certificates.


• Use Cases:

o S/MIME (Secure/Multipurpose Internet Mail Extensions)

o SSL/TLS (Secure Sockets Layer / Transport Layer Security) – used in web security.

Certificate Format

The document does not elaborate on the exact structure but implies that it follows the X.509
format.

Certificate Revocation

A certificate must be revoked in certain situations, such as:

1. Expiration of the user’s certificate.

2. A new certificate is issued before the old one expires.

3. Private key is compromised (hacked or leaked).

4. The user is no longer certified by the CA.

5. The CA’s certificate is compromised (e.g., if an attacker gains control of the CA).

Revocation Process

• When a certificate is revoked, it is added to a Certificate Revocation List (CRL) maintained by the CA.

• A CRL contains:

o Serial numbers of revoked certificates.

o The revocation date for each certificate.

• Users should always check a certificate against the CRL before trusting it.
Public Key Cryptography
• Two users A and B need to know each other’s public key
• How can they know that??
• How can they trust the credibility of the public key?
• If the binding is erroneous, someone other than the intended recipient could read the message.
• Several techniques have been proposed for it!
Public key certificates
• Certificates can be used to exchange keys without contacting a public key
authority
• They bind a public-private key pair to a specific person or organization
• Essentially it consists of a public key plus an identifier of the key owner,
with the whole block signed by a trusted third party known as certifying
authority (CA)
• A certification authority (CA) is an entity that issues certificates.
• A user can present his public key to the authority in a secure manner and
obtain a certificate. He can then publish his certificate
• Anyone needing this user’s public key can obtain the certificate and verify
that it is valid by way of attached signature
Requirements of Certificate Scheme
General Certificate Scheme
One scheme that
has become
universally
accepted for
formatting public
key certificates: the
X.509 standard
X.509
• A standard that defines the format of digital certificates
• Used in many Internet protocols such as S/MIME and SSL/TLS
Certificate Format
Certificate Revocation
• What happens in the following cases?
• User’s certificate has expired
• A new certificate is issued before the expiry
• User’s private key is compromised
• The user is no longer certified by the CA
• The CA’s certificate has been compromised
• The digital certificate is revoked!!
• Each CA maintains a list of revoked certificates
• Certificate revocation list (CRL)
• Contains an entry for each revoked certificate
• Each entry consists of the serial number of a certificate and revocation date for that certificate
• Users should check certificates with CA’s CRL
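The certificate and revocation slides above describe the whole life cycle: a CA signs a block consisting of the owner's public key plus an identifier, a relying party verifies that signature with the CA's public key, and then consults the CA's CRL (serial number plus revocation date) before trusting the key. The following Python program is an added example, not part of the lecture, that walks through exactly that sequence with the textbook RSA from earlier in the lecture. The "certificate" mirrors the X.509 fields named on the slides (serial number, subject, issuer, validity, subject public key, signature) but is a flat text record rather than real ASN.1; the primes, names and dates are constructed for illustration, and the key sizes are far too small for real use.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

# Constructed toy primes (10,000th, 100,000th primes and two near 1e6).
# Real RSA keys are thousands of bits; these only make the arithmetic visible.
P_CA, Q_CA = 104729, 1299709
P_ALICE, Q_ALICE = 999983, 1000003


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("inverse does not exist")
    return x % m


def rsa_keypair(p, q, e=65537):
    """Textbook RSA: public (n, e), private (n, d) with e*d == 1 mod phi(n)."""
    n = p * q
    d = modinv(e, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest_mod_n(data, n):
    """Hash the data and reduce into Z_n so the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(private_key, data):
    n, d = private_key
    return pow(digest_mod_n(data, n), d, n)


def rsa_verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)


@dataclass(frozen=True)
class Certificate:
    """Minimal certificate with the X.509-style fields named on the slides."""
    serial: int
    subject: str               # identifier of the key owner
    issuer: str                # name of the CA that signed the block
    not_after: date            # end of the validity period
    subject_public_key: tuple  # (n, e) of the owner
    signature: int = 0         # CA's RSA signature over tbs()

    def tbs(self):
        """The 'to-be-signed' block: every field except the signature."""
        return (f"{self.serial}|{self.subject}|{self.issuer}|"
                f"{self.not_after.isoformat()}|{self.subject_public_key}").encode()


def issue_certificate(ca_name, ca_private_key, serial, subject, subject_pub, not_after):
    """CA side: bind subject_pub to subject by signing the whole block."""
    unsigned = Certificate(serial, subject, ca_name, not_after, subject_pub)
    return replace(unsigned, signature=rsa_sign(ca_private_key, unsigned.tbs()))


def validate_certificate(cert, ca_name, ca_public_key, crl, today):
    """Relying-party side: check signature, validity period, then the CA's CRL.

    crl maps revoked serial numbers to their revocation date, as on the slide.
    """
    if cert.issuer != ca_name or not rsa_verify(ca_public_key, cert.tbs(), cert.signature):
        return "bad-signature"
    if today > cert.not_after:
        return "expired"
    if cert.serial in crl:
        return "revoked"
    return "ok"


def demo():
    """Run the life cycle: issue, verify, detect tampering, revoke, expire."""
    ca_pub, ca_priv = rsa_keypair(P_CA, Q_CA)
    alice_pub, _ = rsa_keypair(P_ALICE, Q_ALICE)
    cert = issue_certificate("Example CA", ca_priv, 1001, "alice@example.com",
                             alice_pub, date(2030, 1, 1))
    crl, today = {}, date(2026, 6, 1)
    results = {"valid": validate_certificate(cert, "Example CA", ca_pub, crl, today)}
    # Anyone altering the owner identifier invalidates the CA's signature.
    tampered = replace(cert, subject="mallory@example.com")
    results["tampered"] = validate_certificate(tampered, "Example CA", ca_pub, crl, today)
    # Private-key compromise: the CA adds the serial and a revocation date to its CRL.
    crl[cert.serial] = date(2026, 5, 15)
    results["revoked"] = validate_certificate(cert, "Example CA", ca_pub, crl, today)
    # Past not_after the certificate is rejected even with an empty CRL.
    results["expired"] = validate_certificate(cert, "Example CA", ca_pub, {}, date(2031, 1, 1))
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:9s} -> {status}")
```

The ordering inside `validate_certificate` is deliberate: the signature is checked before anything else, because until it is verified the serial number and validity dates are just attacker-controllable text, and only then is the serial looked up in the CRL. Real X.509 validation adds chain building to a trust anchor and name constraints, which this toy omits.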
Key Points
• Symmetric encryption is used to protect the confidentiality of data at rest and in transit.
• Pseudo-random number generator (PRNG) algorithms are used to generate random numbers.
• Hash functions provide data integrity.
• MAC functions provide data integrity and source authentication.
• Public key encryption is used for key exchange and for source authentication (digital signatures).
Symmetric-Key Cryptography
• AES (Advanced Encryption Standard) – Secure block cipher used for encryption. ✅ Confidentiality
• DES (Data Encryption Standard) – Older block cipher, now insecure. ✅ Confidentiality
• 3DES (Triple DES) – Extended DES with better security but inefficient. ✅ Confidentiality
• ChaCha20 – Stream cipher alternative to AES with high performance. ✅ Confidentiality
• Blowfish – Flexible key-length block cipher, replaced by AES. ✅ Confidentiality
Asymmetric-Key Cryptography
• RSA – Public-key encryption and digital signatures. ✅ Confidentiality, ✅ Authenticity, ✅ Non-repudiation
• Diffie-Hellman (DH) – Key exchange protocol for secure communication. ✅ Confidentiality
• Elliptic Curve Cryptography (ECC) – Efficient alternative to RSA with shorter keys. ✅ Confidentiality, ✅ Authenticity, ✅ Non-repudiation
Hash Functions
• SHA-2 (SHA-256, SHA-512) – Secure cryptographic hash functions. ✅ Integrity
• SHA-3 – Newer secure hash function alternative to SHA-2. ✅ Integrity
• MD5 – Broken hash function, insecure for integrity. ❌ Integrity
• SHA-1 – Weak and deprecated hash function. ❌ Integrity
Message Authentication Codes (MACs)
• HMAC (Hash-based MAC) – Combines hashing and a secret key for integrity. ✅ Integrity, ✅ Authenticity
• CMAC (Cipher-based MAC) – Uses a block cipher for message authentication. ✅ Integrity, ✅ Authenticity
Digital Signatures
• RSA Signatures – Digital signatures using RSA. ✅ Authenticity, ✅ Integrity, ✅ Non-repudiation
• ECDSA (Elliptic Curve Digital Signature Algorithm) – Efficient ECC-based digital signature. ✅ Authenticity, ✅ Integrity, ✅ Non-repudiation
• EdDSA (Ed25519, Ed448) – More secure and efficient alternative to ECDSA. ✅ Authenticity, ✅ Integrity, ✅ Non-repudiation
Key Exchange Protocols
• TLS Handshake (RSA/DH/ECDH) – Establishes secure sessions over the Internet. ✅ Confidentiality, ✅ Authenticity
• IKE (Internet Key Exchange, used in IPsec) – Secure key exchange for VPNs. ✅ Confidentiality, ✅ Authenticity
Zero-Knowledge Proofs
• ZK-SNARKs – Used in privacy-focused cryptocurrencies (e.g., Zcash). ✅ Confidentiality