Hand Book: Ahmedabad Institute of Technology

The document is a handbook for the Cryptography and Network Security course at Ahmedabad Institute of Technology for the year 2020-2021, prepared by Prof. Dhaval Khatri. It covers various topics including symmetric and asymmetric encryption, data integrity algorithms, authentication protocols, and the CIA triad of computer security. Additionally, it discusses security attacks, mechanisms, and services, along with foundational concepts in number theory and finite fields.


Ahmedabad Institute of Technology
IT Department

Hand Book
Cryptography and Network Security (3161609)
Year: 2020-2021

Prepared By: Prof Dhaval Khatri, CE & IT Dept., AIT


Index
1. Introduction – Security attacks, security services, security mechanisms. Finite fields – group, ring, fields, modular arithmetic, the Euclidean algorithm.
2. Symmetric Cipher Model, Cryptography, Cryptanalysis and Attacks; Substitution and Transposition techniques.
3. Stream ciphers and block ciphers, Block Cipher structure, Data Encryption Standard (DES) with example, strength of DES, Design principles of block cipher, AES with structure, its transformation functions, key expansion, example and implementation.

Cryptography and
Network Security
Sixth Edition
by William Stallings
Prof Dhaval Khatri
Chapter 1
Overview
“The combination of space, time, and strength
that must be considered as the basic elements
of this theory of defense makes this a fairly
complicated matter. Consequently, it is not easy
to find a fixed point of departure.”
— On War,
Carl Von Clausewitz
Cryptographic algorithms and protocols can be grouped into four main areas:

Symmetric encryption
• Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords

Asymmetric encryption
• Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures

Data integrity algorithms
• Used to protect blocks of data, such as messages, from alteration

Authentication protocols
• Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities
The field of network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.
Computer Security
• The NIST Computer Security Handbook defines the term computer security as:
"the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources" (includes hardware, software, firmware, information/data, and telecommunications)
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or disclosed
to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them may
be collected and stored and by whom and to whom that information may be
disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to authorized
users
CIA Triad
Possible additional concepts:

Authenticity
• Verifying that users are who they say they are and that each input arriving at the system came from a trusted source

Accountability
• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
Breach of Security
Levels of Impact
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Computer Security Challenges
• Security is not simple
• Potential attacks on the security features need to be considered
• Procedures used to provide particular services are often counter-intuitive
• It is necessary to decide where to use the various security mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically involve more than a particular algorithm or protocol
• Security is essentially a battle of wits between a perpetrator and the designer
• Little benefit from security investment is perceived until a security failure occurs
• Strong security is often viewed as an impediment to efficient and user-friendly operation
OSI Security Architecture
• Security attack
• Any action that compromises the security of information
owned by an organization

• Security mechanism
• A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security
attack

• Security service
• A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization
• Intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service
Table 1.1
Threats and Attacks (RFC 4949)
Security Attacks
• A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation
Passive Attacks
• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
  • The release of message contents
  • Traffic analysis
Active Attacks
• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them

Masquerade
• Takes place when one entity pretends to be a different entity
• Usually includes one of the other forms of active attack

Replay
• Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Modification of messages
• Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect

Denial of service
• Prevents or inhibits the normal use or management of communications service facilities
Security Services
• Defined by X.800 as:
  • A service provided by a protocol layer of communicating open systems and that ensures adequate security of the systems or of data transfers
• Defined by RFC 4949 as:
  • A processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 Service Categories

• Authentication

• Access control

• Data confidentiality

• Data integrity

• Nonrepudiation
Authentication
• Concerned with assuring that a communication is authentic
• In the case of a single message, assures the recipient that the message is from the source that it claims to be from
• In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:
• Peer entity authentication
• Data origin authentication
Access Control
• The ability to limit and control the access to host systems and applications via communications links
• To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual
Data Confidentiality
• The protection of transmitted data from passive attacks
  • Broadest service protects all user data transmitted between two users over a period of time
  • Narrower forms of service include the protection of a single message or even specific fields within a message
• The protection of traffic flow from analysis
  • This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility
Data Integrity
• Can apply to a stream of messages, a single message, or selected fields within a message
• Connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays
• A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only
Nonrepudiation
• Prevents either sender or receiver from denying a transmitted message
• When a message is sent, the receiver can prove that the alleged sender in fact sent the message
• When a message is received, the sender can prove that the alleged receiver in fact received the message
Table 1.2 Security Services (X.800)
(This table is found on page 38 in the textbook)
Security Mechanisms (X.800)

Specific Security Mechanisms
• Encipherment
• Digital signatures
• Access controls
• Data integrity
• Authentication exchange
• Traffic padding
• Routing control
• Notarization

Pervasive Security Mechanisms
• Trusted functionality
• Security labels
• Event detection
• Security audit trails
• Security recovery
Table 1.3 Security Mechanisms (X.800)
(This table is found on pages 40-41 in the textbook)
Model for Network Security
Network Access Security
Model
Unwanted Access
• Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs such as editors and compilers
• Programs can present two kinds of threats:
  • Information access threats: intercept or modify data on behalf of users who should not have access to that data
  • Service threats: exploit service flaws in computers to inhibit use by legitimate users
Basic Concepts
in
Number Theory
and
Finite Fields
Overview

1. The Euclidean Algorithm for GCD


2. Modular Arithmetic
3. Groups, Rings, and Fields
4. Galois Fields GF(p)
5. Polynomial Arithmetic
These slides are partly based on Lawrie Brown's slides supplied with William Stallings' book "Cryptography and Network Security: Principles and Practice," 5th Ed, 2011.
Euclid's Algorithm
 Goal: To find greatest common divisor
Example: gcd(10,25)=5 using long division
10) 25 (2
20
--
5)10 (2
10
--
00
Test: What is GCD of 12 and 105?
Euclid's Algorithm: Tabular Method
1. Write the first 2 rows. Set i = 2.
2. Divide r_{i-1} by r_i, write the quotient q_{i+1} on the next row
3. Fill out the remaining entries in the new bottom row:
   a. Multiply r_i by q_{i+1} and subtract from r_{i-1}
   b. Multiply u_i by q_{i+1} and subtract from u_{i-1}
   c. Multiply v_i by q_{i+1} and subtract from v_{i-1}
Every row satisfies r_i = u_i x + v_i y, with
   u_i = u_{i-2} - q_i u_{i-1}
   v_i = v_{i-2} - q_i v_{i-1}
• Finally, if r_i = 0, gcd(x, y) = r_{i-1}
• If gcd(x, y) = 1, u_i x + v_i y = 1 ⇒ x^-1 mod y = u_i
• u_i is the inverse of x in "mod y" arithmetic.
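The tabular method above, worked as an added example (this code is not from the handbook): each new row is built exactly as steps 2 and 3 describe, the invariant r_i = u_i x + v_i y holds on every row, the last non-zero remainder is the gcd, and when the gcd is 1 the u entry of that row (reduced mod y) is the inverse of x. The function names are this example's own.

```python
# Added example (not from the handbook): the tabular extended Euclidean
# algorithm from the slide, producing rows (q_i, r_i, u_i, v_i) and the
# modular inverse of x mod y when gcd(x, y) = 1.

def extended_euclid_table(x, y):
    """Return the table rows [(q, r, u, v), ...] with r = u*x + v*y on every row.

    Row 0 is (None, x, 1, 0) and row 1 is (None, y, 0, 1). Each later row is
    computed as the slide says: q = r[i-1] // r[i], then every column is
    (previous entry) - q * (current entry). Stops when the remainder is 0.
    """
    rows = [(None, x, 1, 0), (None, y, 0, 1)]
    while rows[-1][1] != 0:
        _, r_prev, u_prev, v_prev = rows[-2]
        _, r_cur, u_cur, v_cur = rows[-1]
        q = r_prev // r_cur
        rows.append((q, r_prev - q * r_cur, u_prev - q * u_cur, v_prev - q * v_cur))
    return rows

def gcd(x, y):
    """gcd(x, y) = r_{i-1}, the last non-zero remainder in the table."""
    return extended_euclid_table(x, y)[-2][1]

def mod_inverse(x, m):
    """Inverse of x modulo m read off the table, or None if gcd(x, m) != 1."""
    rows = extended_euclid_table(x, m)
    g, u = rows[-2][1], rows[-2][2]
    if g != 1:
        return None          # no inverse exists when x and m share a factor
    return u % m             # u may be negative; bring it into 0..m-1

def print_table(x, y):
    """Print the table in the same layout as the slide (i, q, r, u, v)."""
    print(f"{'i':>2} {'q':>4} {'r':>6} {'u':>6} {'v':>6}")
    for i, (q, r, u, v) in enumerate(extended_euclid_table(x, y)):
        q_text = "" if q is None else str(q)
        print(f"{i:>2} {q_text:>4} {r:>6} {u:>6} {v:>6}")

if __name__ == "__main__":
    print_table(10, 25)                     # gcd(10, 25) = 5 as on the slide
    print("gcd(12, 105) =", gcd(12, 105))
    print("3^-1 mod 11 =", mod_inverse(3, 11))
```

Running `print_table` on the homework pair prints every row of the table, so the u entry that gives the inverse can be read off directly.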
Euclid’s Algorithm Tabular Method (Cont)
 Example 2: Fill in the blanks
Homework
 Find the multiplicative inverse of 5678 mod 8765
Modular Arithmetic
• xy mod m = ((x mod m)(y mod m)) mod m
• (x + y) mod m = ((x mod m) + (y mod m)) mod m
• (x - y) mod m = ((x mod m) - (y mod m)) mod m
• x^4 mod m = ((x^2 mod m)(x^2 mod m)) mod m
• x^(ij) mod m = (x^i mod m)^j mod m
• 125 mod 187 = 125
• (225 + 285) mod 187 = ((225 mod 187) + (285 mod 187)) mod 187 = 38 + 98 = 136
• 125^2 mod 187 = 15625 mod 187 = 104
• 125^4 mod 187 = (125^2 mod 187)^2 mod 187 = 104^2 mod 187 = 10816 mod 187 = 157
• 125^6 mod 187 = 125^(4+2) mod 187 = (157 × 104) mod 187 = 59
Modular Arithmetic Operations
• Z = Set of all integers = {…, -2, -1, 0, 1, 2, …}
• Z_n = Set of all non-negative integers less than n = {0, 1, 2, …, n-1}
• Z_2 = {0, 1}
• Z_8 = {0, 1, 2, 3, 4, 5, 6, 7}
• Addition, subtraction, multiplication, and division can all be defined in Z_n
• For example:
  • (5 + 7) mod 8 = 4
  • (4 - 5) mod 8 = 7
  • (5 × 7) mod 8 = 3
  • (3 / 7) mod 8 = 5
  • (5 × 5) mod 8 = 1
Modular Arithmetic Properties
Homework
• Determine 128^107 mod 187
Group
• Group: A set of elements that is closed with respect to some operation.
• Closed ⇒ the result of the operation is also in the set
• The operation obeys:
  • Associative law: (a.b).c = a.(b.c)
  • Has identity e: e.a = a.e = a
  • Has inverses a^-1: a.a^-1 = e
• Abelian Group: The operation is commutative, a.b = b.a
• Example: Z_8 with + (modular addition), identity = 0
Cyclic Group
• Exponentiation: Repeated application of the operator, example: a^3 = a.a.a
• Cyclic Group: Every element is a power of some fixed element, i.e., b = a^k for some a and every b in the group; a is said to be a generator of the group
• Example: {1, 2, 4, 8} with mod 12 multiplication, the generator is 2.
  2^0 = 1, 2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 4, 2^5 = 8
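The four group axioms and the generator definition above can be checked mechanically for any small finite set. The following is an added example (not from the handbook): a brute-force checker that tests closure, associativity, identity and inverses by enumerating the operation table, plus a generator search that decides whether the group is cyclic. It is only meant for sets of a few dozen elements, since associativity is checked over all triples. Function names are this example's own.

```python
# Added example (not from the handbook): brute-force verification of the group
# axioms on a finite set with a binary operation, and a search for generators.

from itertools import product

def is_group(elements, op):
    """Return (True, "") if (elements, op) is a group, else (False, failed_axiom)."""
    elems = list(elements)
    table = {(a, b): op(a, b) for a in elems for b in elems}
    # closure: every result must be back in the set
    if any(v not in elems for v in table.values()):
        return False, "closure"
    # associativity: (a.b).c == a.(b.c) for all triples
    for a, b, c in product(elems, repeat=3):
        if table[(table[(a, b)], c)] != table[(a, table[(b, c)])]:
            return False, "associativity"
    # identity: e.a == a.e == a for all a
    identity = next((e for e in elems
                     if all(table[(e, a)] == a and table[(a, e)] == a for a in elems)), None)
    if identity is None:
        return False, "identity"
    # inverses: every a has some b with a.b == e
    for a in elems:
        if not any(table[(a, b)] == identity for b in elems):
            return False, "inverses"
    return True, ""

def is_abelian(elements, op):
    elems = list(elements)
    return all(op(a, b) == op(b, a) for a in elems for b in elems)

def generators(elements, op):
    """Elements g whose powers g, g.g, g.g.g, ... reach every element of the set."""
    elems = set(elements)
    found = []
    for g in elems:
        reached, x = {g}, g
        for _ in range(len(elems)):        # after |G| steps the powers must cycle
            x = op(x, g)
            reached.add(x)
        if reached == elems:
            found.append(g)
    return sorted(found)

def is_cyclic(elements, op):
    return len(generators(elements, op)) > 0

if __name__ == "__main__":
    z8_add = lambda a, b: (a + b) % 8
    print("Z8 under +:", is_group(range(8), z8_add), "generators:", generators(range(8), z8_add))
    z7_mul = lambda a, b: (a * b) % 7
    print("Z7* under x:", is_group(range(1, 7), z7_mul), "generators:", generators(range(1, 7), z7_mul))
    print("Z8 under x:", is_group(range(8), z8_mul := (lambda a, b: (a * b) % 8)))
```

Z_8 under addition is the slide's example (identity 0); Z_7 without 0 under multiplication is a cyclic group whose generators are 3 and 5, while Z_8 under multiplication fails the inverse axiom because 0 (and every even number) has no inverse mod 8.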


Ring
• Ring:
  1. A group with two operations: addition and multiplication
  2. The group is abelian with respect to addition: a + b = b + a
  3. Multiplication and addition are both associative:
     a + (b + c) = (a + b) + c
     a.(b.c) = (a.b).c
  4. Multiplication distributes over addition: a.(b + c) = a.b + a.c
• Commutative Ring: Multiplication is commutative, i.e., a.b = b.a
• Integral Domain: Multiplication operation has an identity and no zero divisors
Homework
• Consider the set S = {a, b, c} with addition and multiplication defined by the following tables:

  +  a  b  c        ×  a
  a  a  b  c        a  a
  b  b  a  c        b  b
  c  c  c  a

Is S a ring? Justify your answer.
Field
 Field: An integral domain in 
Finite Fields or Galois Fields
• Finite Field: A field with a finite number of elements. Also known as a Galois Field.
• The number of elements is always a power of a prime number. Hence, denoted as GF(p^n)
• GF(p) is the set of integers {0, 1, …, p-1} with arithmetic operations modulo prime p
• Can do addition, subtraction, multiplication, and division without leaving the field GF(p)
• GF(2) = mod 2 arithmetic; GF(8) = mod 8 arithmetic
• There is no GF(6) since 6 is not a power of a prime.
Introduction to Cryptography

Symmetric Cipher Model
Prof. Dhaval Khatri
Department of Computer Engineering and Information Technology
Ahmedabad Institute of Technology.
Cryptography
The word cryptography in Greek means "secret writing." The term today refers to the science and art of transforming messages to make them secure and immune to attacks.

Why Use Cryptography?
The Internet landscape has been transformed into a binary battlefield.

Why Use Cryptography?...
• To communicate secret information when other people (eavesdroppers) are listening.
• When the attacker has access to the raw bits representing the information
• Mitigation: Data encryption
Cryptographic techniques
Cryptography and Cryptanalysis?...
Cryptography (Secret Writing) is the process of protecting information by transforming it into a secure (unreadable) format.
  Hello --(Cryptography)--> $!Ins

Cryptanalysis is the decryption and analysis of encrypted text. Cryptanalysis uses mathematical formulas to search for algorithm vulnerabilities and break into cryptography.
  $!Ins --(Cryptanalysis)--> Hello
Model for Network Security
[Figure: the sender applies a security-related transformation to the message, using secret information, before it crosses the information channel; the recipient applies the reverse transformation with its own secret information; an opponent (attacker) sits on the channel; a trusted third party (e.g. arbiter, distributor of secret information) may supply the secret information to both ends.]

Encryption and Decryption
[Figure: Sender --Encryption--> "Hello" becomes "f5#re" --Decryption--> "Hello" at the Receiver]
Basic Terminologies
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing the key
• cryptology - field of both cryptography and cryptanalysis
Symmetric Cipher Model
(Conventional Encryption)
[Figure: simplified model of symmetric encryption. Plaintext input X enters the encryption algorithm (e.g. AES) together with the secret key K, shared by sender and recipient, producing the transmitted ciphertext Y = E(K, X). The decryption algorithm (the reverse of the encryption algorithm) takes Y and the same key K and outputs the plaintext X.]
A symmetric encryption scheme has five ingredients
• Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
• Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.
• Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
• Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
Cryptography components
Note: In cryptography, the encryption/decryption algorithms are public; the keys are secret.
Requirements and Assumptions
Requirements for secure use of symmetric encryption:
1. Strong encryption algorithm: Given the algorithm and
cipher text, an attacker cannot obtain key or plaintext.
2. Shared secret keys: sender and receiver both have
shared a secret key; no-one else knows the key(keep it
secret).
Assumptions:
 Cipher is known
 Secure channel to distribute keys
Cryptanalysis and Brute-Force
Attack
Objective of attacker: recover key (not just message)
Approaches of attacker:
Cryptanalysis: This type of attack exploits the
characteristics of the algorithm to attempt to derive a
specific plaintext or to derive the key being used.
Brute-force attack: The attacker tries every possible key
on a piece of ciphertext until an intelligible translation into
plaintext is obtained.
On average, half of all possible keys must be tried to
achieve success.
Attacks on Encrypted Messages

Type of Attack       Known to cryptanalyst
Ciphertext Only      Encryption algorithm; Ciphertext
Known Plaintext      Encryption algorithm; Ciphertext; One or more plaintext-ciphertext pairs formed with the secret key
Chosen Plaintext     Encryption algorithm; Ciphertext; Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
Chosen Ciphertext    Encryption algorithm; Ciphertext; Ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
Chosen Text          Encryption algorithm; Ciphertext; Plaintext chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key; Ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
How does it work?
• Two functions are needed:

Example
• encoder function is the next letter in the alphabet
• decoder function is …
"attack at midnight" → "buubdl bu njeojhiu"
"buubdl bu njeojhiu" → "attack at midnight"

Encryption and Decryption
"attack at midnight" - plaintext
"buubdl bu njeojhiu" - ciphertext
• Encoding the contents of the message (the plaintext) in such a way that hides its contents from outsiders is called encryption.
• The process of retrieving the plaintext from the ciphertext is called decryption.
• Encryption and decryption usually make use of a key, and the coding method is such that decryption can be performed only by knowing the proper key.
The Encryption Process
Aim: to hide a message content by making it unreadable
[Figure: plaintext and key enter a scrambling step, producing ciphertext, an unreadable version of the data]

Encryption and Decryption
• The encryption and decryption functions take a key as an additional input.
Classification of Cryptography
Based on the factors:
• Type of operations
• Number of Keys
•

Classification of Cryptography…
Asymmetric (public-key) cryptography:
• Diffie-Hellman
• RSA
• El Gamal
• Elliptic Curve Cryptography

Symmetric cryptography, Substitution Technique:
• Caesar cipher
• Monoalphabetic Cipher
• Playfair cipher
• Polyalphabetic cipher
• Hill Cipher
• One Time Pad

Symmetric cryptography, Transposition Technique:
• Rail-Fence
• Columnar Transposition
Symmetric Cryptosystems
SECRET KEY, SINGLE KEY, PRIVATE KEY
• Use the same key (the secret key) to encrypt and decrypt a message

Note: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared.

Shared Keys
• In a symmetric cryptosystem the encryption key and the decryption key are identical.
• A longer key implies stronger encryption.
Symmetric-key cryptography
Symmetric Encryption
[Figure: Alice runs the encryption algorithm and Bob the decryption algorithm with one shared key.]
Sender and recipient must both know the key. This is a weakness!
Symmetric Encryption
Alice would like to send a confidential file to Bob
[Figure: 1. Agree on a shared key. 2. Encrypt the file "PASSWORD IS GREEN!" using the shared key, giving the unreadable "CJG5%jARGONS8*%K23##hsgdfey9 826.". 3. Email the file. 4. Bob decrypts using the shared key and recovers "PASSWORD IS GREEN!".]

Emailing an encrypted message
Alice wants to send a confidential message to Bob
[Figure: the same four steps for the message "CREDIT CARD CODE IS 5206": 1. agree on a shared key, 2. encrypt using the shared key, 3. email the file, 4. decrypt using the shared key.]
Symmetric Encryption
Private Key Encryption
In private key encryption, data is encrypted using a single key that only the sender and the receiver know.
That is why private key encryption is also called symmetric key encryption: the same key is used on both sides, for encryption and for decryption of the data.

Private Key Encryption
The private key algorithm is a simple encryption method because both parties use the same single key.
It is easy to use, but it has a disadvantage.
The biggest problem with private key encryption is that you need a way to get the key to the party with whom you are sharing data.
If someone gets their hands on the key, they can decrypt everything encrypted with that key.
Substitution Techniques
A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols.
If the plaintext is viewed as a sequence of bits, replace plaintext bit patterns with ciphertext bit patterns.
1. Caesar Cipher
2. Monoalphabetic Cipher
3. Playfair Cipher
4. Hill Cipher
5. Polyalphabetic Ciphers
6. One-Time Pad
1. Caesar Cipher
The Caesar Cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet.
The encryption algorithm is: C = E(3, P) = (P + 3) mod 26
The decryption algorithm is: P = D(3, C) = (C - 3) mod 26
Caesar Cipher (Cont…)
 Let us assign a numerical equivalent to each letter
a b c d e f g h i j k l m
0 1 2 3 4 5 6 7 8 9 10 11 12
n o p q r s t u v w x y z
13 14 15 16 17 18 19 20 21 22 23 24 25

C = E(3, P) = (P + 3) mod 26
Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c

Example:
Plaintext: THE SMART BROWN FOX
Ciphertext: WKH UOCTV EURZQ IRA
Caesar Cipher (Cont…)
Generalised Caesar Cipher
Allow a shift by k positions.
Encryption: C = E(K, P) = (P + K) mod 26
Decryption: P = D(K, C) = (C - K) mod 26
Modulo for a negative number -B is N - (B % N)
Example: -11 mod 26 = 26 - (11 % 26) = 15
Caesar Cipher Examples
1. Plaintext: networksecurity   Key: 7   Cipher: FIND
2. Cipher: exxegoexsrgi   Key: 4   Plaintext: FIND
3. Cipher: kyzj dvjjrxv zj vetipgkvu   Key: 17   Plain: FIND
4. Plain: information technology   Key: l   Cipher: FIND
Brute force attack on Caesar
Cipher
The encryption and decryption
algorithms are known.
There are only 25 keys to try, e.g.
k=1, k=2, …
The language of the plaintext is
known and easily recognizable.
Brute force attack on Caesar Cipher
Ciphertext: ZNK WAOIQ HXUCT LUD

Key  Transformed text
1    YMJ VZNHP GWTBS KTC
2    XLI UYMGO FVSAR JSB
3    WKH TXLFN EURZQ IRA
4    VJG SWKEM DTQYP HQZ
5    UIF RVJDL CSPXO GPY
6    THE QUICK BROWN FOX
7    SGD PTHBJ AQNVM ENW
8    RFC OSGAI ZPMUL DMV
9    QEB NRFZH YOLTK CLU
10   PDA MQEYG XNKSJ BKT
11   OCZ LPDXF WMJRI AJS
12   NBY KOCWE VLIQH ZIR
13   MAX JNBVD UKHPG YHQ
14   LZW IMAUC TJGOF XGP
15   KYV HLZTB SIFNE WFO
16   JXU GKYSA RHEMD VEN
17   IWT FJXRZ QGDLC UDM
18   HVS EIWQY PFCKB TCL
19   GUR DHVPX OEBJA SBK
20   FTQ CGUOW NDAIZ RAJ
21   ESP BFTNV MCZHY QZI
22   DRO AESMU LBYGX PYH
23   CQN ZDRLT KAXFW OXG
24   BPM YCQKS JZWEV NWF
25   AOL XBPJR IYVDU MVE
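The generalised Caesar cipher and the 25-key table above, as an added example (this code is not from the handbook). It encrypts and decrypts with an arbitrary shift k, produces the whole candidate table, and then does what the slide says a human does with it: recognises the plaintext because the language is known. The recognition step uses a small constructed list of common English words to score each candidate; the function names and that word list are this example's own.

```python
# Added example (not from the handbook): generalised Caesar cipher, the
# exhaustive 25-key search from the slide, and a simple scorer that picks the
# candidate that looks like English.

import string

ALPHABET = string.ascii_uppercase

def caesar_encrypt(plaintext, key):
    """C = (P + k) mod 26 for each letter; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, key):
    # Python's % already maps negatives into 0..25, so (C - k) mod 26 needs
    # no separate N - (B % N) fix-up.
    return caesar_encrypt(ciphertext, -key)

def brute_force(ciphertext):
    """Return {key: candidate plaintext} for every key 1..25 (the slide's table)."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}

# Constructed list of frequent English words used to recognise the plaintext.
COMMON_WORDS = {"THE", "AND", "OF", "TO", "IN", "IS", "IT", "THAT", "FOR", "WITH", "AT"}

def rank_keys(ciphertext):
    """Keys ordered by how many words of the candidate are common English words;
    ties keep the smaller key first."""
    def score(text):
        return sum(1 for w in text.split() if w.strip(".,!?") in COMMON_WORDS)
    candidates = brute_force(ciphertext)
    return sorted(candidates, key=lambda k: (-score(candidates[k]), k))

if __name__ == "__main__":
    ct = "ZNK WAOIQ HXUCT LUD"          # ciphertext from the slide
    for k, text in brute_force(ct).items():
        print(f"{k:>2} {text}")
    best = rank_keys(ct)[0]
    print("most English-like key:", best, "->", caesar_decrypt(ct, best))
```

With only 25 keys the search itself is trivial; the point of the scorer is that the search only works because the plaintext language is known and recognisable, which is exactly the assumption the slide lists.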
2. Monoalphabetic Cipher (Simple substitution)
It is an improvement to the Caesar Cipher.
Instead of shifting the alphabet by some number, this scheme uses some permutation of the letters in the alphabet.
Use a single alphabet for both plaintext and ciphertext.
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: y n l k x b s h m i w d p j r o q v f e a u g t z c

Example:
Cipher: prjrydohynxeml
Plaintext: monoalphabetic
Try Brute force attack:
With 26 letters in the alphabet, the possible permutations are 26! keys (> 4 × 10^26)
Attack on Monoalphabetic Cipher
The relative frequencies of the letters in the ciphertext (in %) are

Ciphertext:
uzqsovuohxmopvgpozpevsgzwszopfpesxudbmetsxaizvuephzhmdzshz
owsfpappdtsvpquzwymxuzuhsxepyepopdzszufpombzwpfupzhmdjudtm
ohmq
• In our ciphertext, the most common digram is ZW, which appears three times. So equate Z with t, W with h and P with e.
• Now notice that the sequence ZWP appears in the ciphertext, and we can translate that sequence as "the."

Attack on Monoalphabetic Cipher (Cont…)
If the cryptanalyst knows the nature of the plaintext, then the analyst can exploit the regularities of the language.
The relative frequency of the letters can be determined and compared to a standard frequency distribution for English.
If the message were long enough, this technique alone might be sufficient, but because this is a relatively short message, we cannot expect an exact match.
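The monoalphabetic cipher with the slide's key, and the frequency counts the attack above starts from, as one added example (this code is not from the handbook). It encrypts and decrypts with the 26-letter cipher alphabet given under 2. Monoalphabetic Cipher, then computes letter frequencies (in %) and digram counts over the slide's ciphertext, and applies a partial key guess so the still-unknown letters stay visible in upper case. Function names are this example's own; the ciphertext is the one printed on the slide with its line breaks removed.

```python
# Added example (not from the handbook): monoalphabetic substitution with the
# slide's key, plus the letter/digram statistics an analyst compares with
# English before guessing Z=t, W=h, P=e.

from collections import Counter
import string

PLAIN = string.ascii_lowercase
CIPHER_KEY = "ynlkxbshmiwdpjroqvfeaugtzc"   # cipher alphabet from the slide

def make_table(cipher_alphabet):
    if sorted(cipher_alphabet) != list(PLAIN):
        raise ValueError("key must be a permutation of a..z")
    return {p: c for p, c in zip(PLAIN, cipher_alphabet)}

def substitute(text, table):
    # letters not in the table (spaces, digits) pass through unchanged
    return "".join(table.get(ch, ch) for ch in text.lower())

def mono_encrypt(plaintext, cipher_alphabet=CIPHER_KEY):
    return substitute(plaintext, make_table(cipher_alphabet))

def mono_decrypt(ciphertext, cipher_alphabet=CIPHER_KEY):
    inverse = {c: p for p, c in make_table(cipher_alphabet).items()}
    return substitute(ciphertext, inverse)

def letter_frequencies(text):
    """Relative frequency (%) of each letter, most common first."""
    letters = [ch for ch in text.lower() if ch in PLAIN]
    counts = Counter(letters)
    return [(ch, round(100 * n / len(letters), 2)) for ch, n in counts.most_common()]

def digram_counts(text):
    """Counter of adjacent letter pairs, e.g. 'zw' -> 3 for the slide's text."""
    letters = [ch for ch in text.lower() if ch in PLAIN]
    return Counter(a + b for a, b in zip(letters, letters[1:]))

# Stallings' example ciphertext as printed on the slide (line breaks removed).
SLIDE_CIPHERTEXT = (
    "uzqsovuohxmopvgpozpevsgzwszopfpesxudbmetsxaizvuephzhmdzshz"
    "owsfpappdtsvpquzwymxuzuhsxepyepopdzszufpombzwpfupzhmdjudtm"
    "ohmq"
)

def partial_decrypt(ciphertext, guesses):
    """Apply a partial key {cipher_letter: plain_letter}; letters not yet
    guessed are shown in upper case so the analyst sees what is unresolved."""
    return "".join(guesses.get(ch, ch.upper()) for ch in ciphertext.lower())

if __name__ == "__main__":
    print(mono_encrypt("monoalphabetic"))                   # prjrydohynxeml
    print(letter_frequencies(SLIDE_CIPHERTEXT)[:5])
    print(digram_counts(SLIDE_CIPHERTEXT).most_common(5))
    print(partial_decrypt(SLIDE_CIPHERTEXT, {"z": "t", "w": "h", "p": "e"}))
```

Running it shows P as the most frequent ciphertext letter (13.33 %), with Z next, and ZW among the digrams that occur three times; the partial decryption then exposes the "the" at each ZWP, which is the foothold the slide describes.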
3. Playfair Cipher
The Playfair algorithm is based on a 5 × 5 matrix (key) of letters.
The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetic order. The letters I and J count as one letter.

Example:
Keyword = OCCURRENCE
Plaintext = TALL TREES

O C U   R E
N A B   D F
G H I/J K L
M P Q   S T
V W X   Y Z
Playfair Cipher - Encrypt Plaintext
Operate on a pair of letters (digram) at a time.
Special: if a digram with the same letters appears, separate them by a special letter (e.g. x)
Plaintext = TALL TREES
Plaintext = TA LX LT RE ES
If there is an odd number of letters, then add an uncommon letter to complete the digram; an X/Z may be added after the last letter.
Plaintext = BALLOON
Plaintext = BALXLOON
Plaintext = BA LX LO ON
Playfair Cipher - Encrypt Plaintext
Map each pair in the key matrix

O C U   R E
N A B   D F
G H I/J K L
M P Q   S T
V W X   Y Z

Plaintext:  TA LX LT RE ES
Ciphertext: PF IZ TZ EO RT

• If the letters appear on the same row, replace them with the letters to their immediate right respectively, wrapping around to the left side of the row if necessary.
• For example, using the table above, the letter pair RE would be encoded as EO.
• If the letters appear in the same column, replace them with the letters immediately below, wrapping around to the top if necessary.
• For example, using the table above, the letter pair LT would be encoded as TZ.
• If the letters are on different rows and columns, replace each with the letter at the other corner of the rectangle in its own row, i.e. the letter in its row that lies in the other letter's column.
• The order is important - the first letter of the pair should be replaced first.
• For example, using the table above, the letter pair TA would be encoded as PF.
Playfair Cipher - Is it
Breakable?
Better than monoalphabetic: relative frequency of
digrams much less than of individual letters.
But relatively easy (digrams, trigrams, expected
words)
Playfair Cipher Examples
1. Key = "engineering"   Plaintext = "test this process"
2. Key = "keyword"   Plaintext = "come to the window"
3. Key = "moonmission"   Plaintext = "greet"

1. Key matrix for "engineering":        Encrypted Message:
E N G I R
A B C D F
H K L M O
P Q S T U
V W X Y Z

2. Key matrix for "keyword":            Encrypted Message:
K E Y W O
R D A B C
F G H I L
M N P Q S
T U V X Z

3. Key matrix for "moonmission":        Encrypted Message:
M O N I S
A B C D E
F G H K L
P Q R T U
V W X Y Z
Playfair Cipher Examples
4. Key: EXAMPLE
Ciphertext: UA ARBED EXAPO PR QNX AXANR
E X A M P
L B C D F
G H I/J K N
O Q R S T
U V W Y Z
Pair: UA AR BE DE XA PO PR QN XA XA NR
Plaintext: we wi lx lm ex et at th ex ex it
Plaintext: we wilxl mexet at thex exit
Plaintext: we will meet at the exit
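A Playfair implementation following the rules given above, as an added example (this code is not from the handbook): it builds the 5 × 5 key square with I and J merged, splits the plaintext into digrams inserting X between doubled letters and padding an odd length with X, applies the row, column and rectangle rules, and decrypts by shifting the other way. It reproduces the OCCURRENCE/TALL TREES and the EXAMPLE/"we will meet at the exit" results from the slides. Function names are this example's own.

```python
# Added example (not from the handbook): Playfair encryption and decryption
# following the slide's rules (keyword square, I/J merged, X filler between
# doubled letters, X padding, row/column/rectangle substitution).

import string

def build_matrix(keyword):
    """5x5 key square: keyword letters without duplicates, then the rest of the alphabet."""
    seen, order = set(), []
    for ch in (keyword + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch          # I and J share one cell
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            order.append(ch)
    return [order[i:i + 5] for i in range(0, 25, 5)]

def positions(matrix):
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}

def prepare(plaintext, filler="X"):
    """Letters only, J->I, split a doubled pair with the filler, pad odd length."""
    letters = [("I" if ch == "J" else ch) for ch in plaintext.upper() if ch.isalpha()]
    digrams, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            digrams.append(a + filler)        # LL -> LX; the second L is re-read next
            i += 1
        else:
            digrams.append(a + b)
            i += 2
    return digrams

def transform_pair(pair, matrix, pos, shift):
    """shift=+1 encrypts (right/down), shift=-1 decrypts (left/up)."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # same row: move along the row
        return matrix[r1][(c1 + shift) % 5] + matrix[r2][(c2 + shift) % 5]
    if c1 == c2:                                   # same column: move along the column
        return matrix[(r1 + shift) % 5][c1] + matrix[(r2 + shift) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]         # rectangle: keep row, swap columns

def playfair_encrypt(plaintext, keyword):
    matrix = build_matrix(keyword)
    pos = positions(matrix)
    return "".join(transform_pair(p, matrix, pos, +1) for p in prepare(plaintext))

def playfair_decrypt(ciphertext, keyword):
    matrix = build_matrix(keyword)
    pos = positions(matrix)
    letters = [("I" if ch == "J" else ch) for ch in ciphertext.upper() if ch.isalpha()]
    pairs = [letters[i] + letters[i + 1] for i in range(0, len(letters) - 1, 2)]
    return "".join(transform_pair(p, matrix, pos, -1) for p in pairs)

if __name__ == "__main__":
    for row in build_matrix("OCCURRENCE"):
        print(" ".join(row))
    print(prepare("TALL TREES"), playfair_encrypt("TALL TREES", "OCCURRENCE"))
    print(playfair_decrypt("UA ARBED EXAPO PR QNX AXANR", "EXAMPLE"))
```

Decryption returns the digram stream with the fillers still in place (WEWILXLMEXETATTHEXEXIT), exactly as the slide shows; removing the X fillers is a human step because an X can also be a genuine plaintext letter.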
4. Hill Cipher
Hill cipher is based on linear algebra.
Each letter is represented by numbers from 0 to 25 and calculations are done using modulo 26.
Encryption and decryption can be given by the following formula:

Encryption: C = P K mod 26

Decryption: P = C K^-1 mod 26
Hill Cipher Encryption
To encrypt a message using the Hill cipher we must first turn our keyword and plaintext into matrices (a 2 x 2 matrix, a 3 x 3 matrix, etc.).
Example: Key = "HILL", Plaintext = "EXAM"

Letter-to-number table:
a   b   c   d   e   f   g   h   i   j   k   l   m
0   1   2   3   4   5   6   7   8   9   10  11  12
n   o   p   q   r   s   t   u   v   w   x   y   z
13  14  15  16  17  18  19  20  21  22  23  24  25

Hill Cipher Encryption (Cont…)
C = P K mod 26
Ciphertext = "ELSC"
Hill Cipher Decryption
P = C K^-1 mod 26
Step 1: Find the inverse of the key matrix (determinant and adjugate).
Step 2: Multiply the multiplicative inverse (mod 26) of the determinant by the adjugate (adjoint) matrix.
Step 3: Multiply the inverse key matrix with the ciphertext matrix to obtain the plaintext matrix.

Step 1: Inverse of key matrix
2 x 2 inverse of matrix
3 x 3 inverse of matrix

Step 1: Inverse of key matrix
 -11 mod 26 = 15
 Because the modulo of a negative number -B is N - (B % N)
   = 26 - (11 % 26) = 26 - 11 = 15
Step 2: Modular (Multiplicative) inverse
The inverse of a number A is 1/A since A * 1/A = 1, e.g. the inverse of 5 is 1/5.
In modular arithmetic we do not have a division operation.
The modular inverse of A (mod C) is the number A^-1 such that
  (A * A^-1) ≡ 1 (mod C)
Example:
The modular inverse of A mod C is the value B that makes A * B mod C = 1.
A = 3, C = 11: since (3 * 4) mod 11 = 1, 4 is the modular inverse of 3.
A = 10, C = 17: A^-1 = 12, since (10 * 12) mod 17 = 120 mod 17 = 1.
Step 2: Modular (Multiplicative) inverse
Determinants' multiplicative inverses modulo 26 (only determinants coprime to 26 have one):
Determinant        1  3  5   7   9  11  15  17  19  21  23  25
Inverse modulo 26  1  9  21  15  3  19  7   23  11  5   17  25
Step 2: Multiply with the adjugate of the matrix
Reducing a product mod 26 uses X % Y = X - (X / Y) * Y with integer division:
77 % 26 = 77 - (77 / 26) * 26
        = 77 - (2) * 26
        = 77 - 52
        = 25

Hill Cipher Decryption (Cont…)
P = C K^-1 mod 26
Plaintext = "EXAM"
Hill Cipher Examples
1. Key: Hill   Plaintext: short example
   Ciphertext:
2. Key: ACBA   Plaintext: DR GREER ROCKS   (A=1, B=2, …)
   Ciphertext:
3. Key: DACB   Ciphertext: SAKNOXAOJ   (A=1, B=2, …)
   Plaintext:
5. Polyalphabetic Cipher
A monoalphabetic cipher encodes using only one fixed cipher alphabet.
A polyalphabetic cipher is a substitution cipher in which the cipher alphabet for the plain alphabet may be different at different places during the encryption process.
1. Vigenere cipher
2. Vernam cipher

Example (Vigenere table: rows indexed by the key letter, columns by the plaintext letter):
PT  = HELLO
KEY = GMGMG
CT  = NQRXU
Vigenere Cipher
Keyword    : DECEPTIVE
Key        : DECEPTIVEDECEPTIVEDECEPTIVE   (the key must be as long as the plaintext, so the keyword is repeated)
Plaintext  : WEAREDISCOVEREDSAVEYOURSELF
Ciphertext : ZICVTWQNGRZGVTWAVZHCQYGLMGJ

An analyst looking at only the ciphertext would detect the repeated sequence VTW at a displacement of 9 and make the assumption that the keyword is either three or nine letters in length.

Keyword    : DECEPTIVE
Key        : DECEPTIVEWEAREDISCOVEREDSAV
Plaintext  : WEAREDISCOVEREDSAVEYOURSELF
This system, in which the keyword is followed by the plaintext itself to form the key, is referred to as an autokey system.
Vigenere Cipher
Multiple ciphertext letters for each plaintext letter.
Weakness is repeating, structured keyword.
Example:
Plaintext: internet technologies
Key: cryptography
Cipher using standard algorithm:
Cipher using auto key system:
Vernam Cipher
The ciphertext is generated by applying the logical XOR
operation to the individual bits of plaintext and the key
stream.
6. One time pad
Similar to Vigenere, but uses a random key as long as the plaintext.
Only known scheme that is unbreakable (unconditional security).
Ciphertext has no statistical relationship with the plaintext.
Given two potential plaintext messages, the attacker cannot identify the correct message.
Two practical limitations:
1. Difficult to provide a large number of random keys.
2. Distributing unique long random keys is difficult.
One time pad
Attacker knows the ciphertext:
ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
Attacker tries all possible keys. Two examples:
key1: pxlmvmsydofuyrvzwctnlebnecvgdupahfzzlmnyih
Plaintext1: mr mustard with the candlestick in the hall
key2: mfugpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt
Plaintext2: miss scarlet with the knife in the library
There are many other legible plaintexts obtained with other keys. There is no way for the attacker to know which is the correct plaintext.
ONE TIME PAD EXAMPLE
In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition.
The resulting ciphertext will be impossible to decrypt or break if the following four conditions are met:
1. The key must be truly random.
2. The key must be at least as long as the plaintext.
3. The key must never be reused in whole or in part.
4. The key must be kept completely secret.
ONE TIME PAD EXAMPLE
Suppose Alice wishes to send the message "HELLO" to Bob. Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both. Alice chooses the appropriate unused page from the pad. The way to do this is normally arranged for in advance, as for instance "use the 12th sheet on 1 May", or "use the next available sheet for the next message".

The material on the selected sheet is the key for this message. Each letter from the pad will be combined in a predetermined way with one letter of the message. (It is common, but not required, to assign each letter a numerical value, e.g., "A" is 0, "B" is 1, and so on.)

In this example, the technique is to combine the key and the message using modular addition. The numerical values of corresponding message and key letters are added together, modulo 26. So, if the key material begins with "XMCKL" and the message is "HELLO", then the coding would be done as follows:
ONE TIME PAD ENCRYPTION
     H       E       L       L       O       message
     7 (H)   4 (E)   11 (L)  11 (L)  14 (O)  message
  + 23 (X)  12 (M)    2 (C)  10 (K)  11 (L)  key
  = 30      16       13      21      25      message + key
  =  4 (E)  16 (Q)   13 (N)  21 (V)  25 (Z)  (message + key) mod 26
     E       Q       N       V       Z       → ciphertext
ONE TIME PAD ENCRYPTION
If a number is larger than 25, then the remainder after subtraction of 26 is taken in modular arithmetic fashion. This simply means that if the computations "go past" Z, the sequence starts again at A.
The ciphertext to be sent to Bob is thus "EQNVZ".
Bob uses the matching key page and the same process, but in reverse, to obtain the plaintext. Here the key is subtracted from the ciphertext, again using modular arithmetic:
ONE TIME PAD DECRYPTION
     E       Q       N       V       Z       ciphertext
     4 (E)  16 (Q)   13 (N)  21 (V)  25 (Z)  ciphertext
  - 23 (X)  12 (M)    2 (C)  10 (K)  11 (L)  key
  = -19      4       11      11      14      ciphertext - key
  =  7 (H)   4 (E)   11 (L)  11 (L)  14 (O)  (ciphertext - key) mod 26
     H       E       L       L       O       → message
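The repeated-keyword Vigenere, the autokey variant and the one-time pad above all add key letters to plaintext letters mod 26 and differ only in where the key comes from; the added Python example below (not code from the handbook) implements all three, the repeated-trigram observation from the VTW slide, and the pad that maps a ciphertext to any chosen candidate plaintext, which is why a ciphertext-only attacker cannot single out the real message.

```python
# Vigenere (repeated keyword), autokey Vigenere and the one-time pad all add key
# letters to plaintext letters mod 26; the one-time pad differs only in where the
# key comes from. Added example, not from the handbook.
A = ord("A")


def _letters(text):
    return "".join(c for c in text.upper() if c.isalpha())


def _shift(p, k, direction):
    """Add (+1) or subtract (-1) key letter k to/from letter p, mod 26."""
    return chr(A + (ord(p) - A + direction * (ord(k) - A)) % 26)


def _apply(text, keystream, direction):
    return "".join(_shift(t, k, direction) for t, k in zip(text, keystream))


def vigenere_encrypt(plaintext, keyword):
    p, k = _letters(plaintext), _letters(keyword)
    repeated = (k * (len(p) // len(k) + 1))[:len(p)]   # keyword repeated to plaintext length
    return _apply(p, repeated, +1)


def vigenere_decrypt(ciphertext, keyword):
    c, k = _letters(ciphertext), _letters(keyword)
    repeated = (k * (len(c) // len(k) + 1))[:len(c)]
    return _apply(c, repeated, -1)


def autokey_encrypt(plaintext, keyword):
    p, k = _letters(plaintext), _letters(keyword)
    return _apply(p, (k + p)[:len(p)], +1)             # keyword followed by the plaintext


def autokey_decrypt(ciphertext, keyword):
    c, stream, out = _letters(ciphertext), list(_letters(keyword)), []
    for i, ch in enumerate(c):
        pch = _shift(ch, stream[i], -1)
        out.append(pch)
        stream.append(pch)                             # recovered plaintext extends the key
    return "".join(out)


def repeated_trigram_distances(ciphertext):
    """The observation from the slide: distance from the first occurrence of
    each repeated 3-letter group to its later occurrences (VTW -> 9)."""
    c, first, distances = _letters(ciphertext), {}, {}
    for i in range(len(c) - 2):
        tri = c[i:i + 3]
        if tri in first:
            distances.setdefault(tri, []).append(i - first[tri])
        else:
            first[tri] = i
    return distances


def otp_encrypt(message, pad):
    m, k = _letters(message), _letters(pad)
    if len(k) < len(m):
        raise ValueError("the pad must be at least as long as the message")
    return _apply(m, k, +1)


def otp_decrypt(ciphertext, pad):
    return _apply(_letters(ciphertext), _letters(pad), -1)


def pad_for(ciphertext, candidate_plaintext):
    """The pad that would turn this ciphertext into the candidate plaintext. One
    exists for every candidate of the same length, so the ciphertext alone cannot
    tell the real message from any other message of equal length."""
    return _apply(_letters(ciphertext), _letters(candidate_plaintext), -1)


if __name__ == "__main__":
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))  # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(repeated_trigram_distances("ZICVTWQNGRZGVTWAVZHCQYGLMGJ"))      # {'VTW': [9]}
    print(autokey_encrypt("wearediscoveredsaveyourself", "deceptive"))
    print(otp_encrypt("HELLO", "XMCKL"))                                 # EQNVZ
    print(pad_for("EQNVZ", "HELLO"))                                     # XMCKL
```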
Transposition Techniques
A transposition cipher does not substitute one symbol for another; instead it changes the location of the symbols.
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
For example, to send the message "Meet me at the park" to Bob, Alice writes

M   E   M   A   T   E   A   K
  E   T   E   T   H   P   R

 She then creates the ciphertext: MEMATEAKETETHPR
Rail Fence Transposition
Easy to break: letter frequency analysis to determine the depth.
Example:
Plaintext: information and network security
Depth: 3
Cipher: IRINTSINOMTOADEWKERTFANNOUY

Rails as written on the slide:
I       R       I       N       T       S       I
  N   O   M   T   O   A   D   E   W   K   E   R   T
    F       A       N       N       O       U       Y
Rows/Columns Transposition
Plaintext letters are written in rows.
Ciphertext is obtained by reading column by column, but in a rearranged order.
The key determines the order in which the columns are read.

Key:        4 3 1 2 5 6 7
Plaintext:  A T T A C K P
            O S T P O N E
            D U N T I L T
            W O A M X Y Z
Ciphertext: TTNA APTM TSUO AODW COIX KNLY PETZ
Rows/Columns Transposition
Transposition ciphers can be made stronger by using multiple stages of transposition.
Plaintext: securityandcryptography
Key: 315624
Ciphertext: EYYARDOYSTRRICGCAPPUNTH
Transpose again using the same key:
Ciphertext: YYCURRAHEOIPDRPYSGNATCT
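Rail fence and keyed columnar transposition in both directions, as an added Python example (not code from the handbook); the columnar routine handles a short final row without padding, which is what the two-stage "securityandcryptography" example relies on.

```python
# Rail fence and keyed columnar (rows/columns) transposition, both directions.
# Added example, not from the handbook.


def _letters(text):
    return "".join(c for c in text.upper() if c.isalpha())


def _rail_of(n, depth):
    """Rail index of each plaintext position when writing a zigzag of 'depth' rails."""
    period = max(1, 2 * depth - 2)
    rails = []
    for i in range(n):
        pos = i % period
        rails.append(pos if pos < depth else period - pos)
    return rails


def rail_fence_rows(plaintext, depth):
    """The rails as written out, e.g. ['MEMATEAK', 'ETETHPR'] for depth 2."""
    p = _letters(plaintext)
    rails = _rail_of(len(p), depth)
    return ["".join(p[i] for i in range(len(p)) if rails[i] == r) for r in range(depth)]


def rail_fence_encrypt(plaintext, depth):
    return "".join(rail_fence_rows(plaintext, depth))


def rail_fence_decrypt(ciphertext, depth):
    c = _letters(ciphertext)
    rails = _rail_of(len(c), depth)
    out, k = [""] * len(c), 0
    for r in range(depth):                      # ciphertext holds rail 0, then rail 1, ...
        for i in range(len(c)):
            if rails[i] == r:
                out[i] = c[k]
                k += 1
    return "".join(out)


def _column_order(key):
    """Columns in the order they are read out: the column whose key digit is
    smallest first, e.g. key '4312567' -> [2, 3, 1, 0, 4, 5, 6]."""
    return sorted(range(len(key)), key=lambda j: key[j])


def columnar_encrypt(plaintext, key):
    """Write the text row by row under the key, read column by column in key
    order. A short final row is allowed (no padding is added)."""
    p, n = _letters(plaintext), len(key)
    columns = [p[j::n] for j in range(n)]       # column j holds letters j, j+n, j+2n, ...
    return "".join(columns[j] for j in _column_order(key))


def columnar_decrypt(ciphertext, key):
    c, n = _letters(ciphertext), len(key)
    full, extra = divmod(len(c), n)              # the first 'extra' columns hold one more letter
    columns, k = [""] * n, 0
    for j in _column_order(key):
        size = full + (1 if j < extra else 0)
        columns[j], k = c[k:k + size], k + size
    return "".join(columns[j][i] for i in range(full + 1) for j in range(n) if i < len(columns[j]))


if __name__ == "__main__":
    print(rail_fence_encrypt("Meet me at the park", 2))                  # MEMATEAKETETHPR
    print(columnar_encrypt("attackpostponeduntiltwoamxyz", "4312567"))    # TTNAAPTMTSUOAODWCOIXKNLYPETZ
    once = columnar_encrypt("securityandcryptography", "315624")
    print(once, columnar_encrypt(once, "315624"))                        # EYYARDOYSTRRICGCAPPUNTH YYCURRAHEOIPDRPYSGNATCT
```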
Cryptographic Algorithms
Cryptographic algorithms and protocols can be grouped into four main areas:
  Symmetric encryption | Asymmetric encryption | Data integrity algorithms | Authentication protocols

 Symmetric encryption is used to secure the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords.
 Asymmetric encryption is used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures.
 Data integrity algorithms are used to protect blocks of data, such as messages, from alteration.
 Authentication protocols are schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities.
Threat and Attack
Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.
Substitution Cipher Technique and Transposition Cipher Technique
Substitution Cipher Technique
The substitution cipher technique is a traditional cipher technique used to encrypt plaintext into ciphertext. In this technique, each character is substituted with another character, number or symbol. This technique changes the identity of a character but not its position.

Transposition Cipher Technique
The transposition cipher technique is also a traditional cipher technique used to encrypt plaintext into ciphertext. In this technique, each character's position is changed to a different position.
Following are some of the important differences between the Substitution Cipher Technique and the Transposition Cipher Technique.

Sr. No. | Key       | Substitution Cipher Technique                                                                 | Transposition Cipher Technique
1       | Algorithm | Each character is replaced with another character/number/symbol.                              | Each character is positioned differently from its original position.
2       | Forms     | Monoalphabetic Substitution Cipher and Polyalphabetic Substitution Cipher are its two forms.  | Key-less Transposition Cipher and Keyed Transposition Cipher are its two forms.
3       | Change    | Character identity is changed but the position remains the same.                              | Character position is changed but the identity remains the same.
4       | Detection | A letter that is used less frequently can be easily traced.                                   | A letter near to its original position gets traced easily.
5       | Example   | Caesar Cipher is an example of a Substitution Cipher.                                         | Rail Fence Cipher is an example of a Transposition Cipher.
HILL CIPHER:
• An interesting multiletter cipher is the Hill cipher.
• The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters.
• Ex (m = 3):
    C1 = ( P1 K11 + P2 K21 + P3 K31 ) mod 26
    C2 = ( P1 K12 + P2 K22 + P3 K32 ) mod 26
    C3 = ( P1 K13 + P2 K23 + P3 K33 ) mod 26
This can be expressed in terms of row vectors and matrices:

                              | K11 K12 K13 |
    (C1 C2 C3) = (P1 P2 P3) × | K21 K22 K23 |  mod 26
                              | K31 K32 K33 |

    C = PK mod 26

• C and P are row vectors of length 3 (the same equations can be written with column vectors and K transposed).
• K is a 3*3 matrix.
Example:
Plaintext = "paymoremoney"

        | 17 17  5 |
    K = | 21 18 21 |
        |  2  2 19 |

Encryption:
Plaintext: pay more money
The key is a 3 * 3 matrix, so split the plaintext into blocks of 3 letters.
Plaintext:
  p 15    m 12    e 4     n 13
  a 0     o 14    m 12    e 4
  y 24    r 17    o 14    y 24
Calculate C = PK mod 26 for each block (the plaintext block as a row vector):

                | 17 17  5 |
    (15 0 24) × | 21 18 21 | = (255+0+48  255+0+48  75+0+456) = (303 303 531), take mod 26
                |  2  2 19 |
    C = (17 17 11) → (R R L)

    (12 14 17) × K = (204+294+34  204+252+34  60+294+323) = (532 490 677), take mod 26
    C = (12 22 1) → (M W B)

    (4 12 14) × K = (68+252+28  68+216+28  20+252+266) = (348 312 538), take mod 26
    C = (10 0 18) → (K A S)

    (13 4 24) × K = (221+84+48  221+72+48  65+84+456) = (353 341 605), take mod 26
    C = (15 3 7) → (P D H)

CIPHERTEXT: (RRL MWB KAS PDH)

DECRYPTION:

1. First calculate K^-1
2. P = C K^-1 mod 26 = (PK) K^-1 = P      (since C = PK mod 26)

Calculating K^-1:

Formula: K^-1 = adj(K) / |K|, which in modular arithmetic is K^-1 = (|K|^-1 mod 26) × adj(K) mod 26

        | 17 17  5 |
    K = | 21 18 21 |
        |  2  2 19 |

|K| = k11[(k22*k33) - (k32*k23)] - k12[(k21*k33) - (k31*k23)] + k13[(k21*k32) - (k31*k22)]
|K| = 17(342 - 42) - 17(399 - 42) + 5(42 - 36)
|K| = 5100 - 6069 + 30
|K| = -939
|K| ≡ -3 mod 26                 (to eliminate the negative value take "mod 26")
|K| ≡ -3 + 26 ≡ 23 mod 26       (|K| mod 26 = 23)

Now find 23^-1 mod 26, i.e. x such that 23x ≡ 1 (mod 26):

Using the extended Euclidean algorithm (columns: remainder, coefficient of 26, coefficient of 23):
    26    1    0      R1
    23    0    1      R2
     3    1   -1      R3 = R1 - 1*R2
     2   -7    8      R4 = R2 - 7*R3
     1    8   -9      R5 = R3 - 1*R4

    26 * 8 + 23 * (-9) = 1
    23 * (-9) ≡ 1 mod 26
    So x ≡ -9 mod 26, and removing the negative sign x = -9 + 26 = 17

So |K|^-1 = 23^-1 ≡ 17 (mod 26)
Adj(K) = (cofactor matrix)^T

    K11 = | 18 21 | = (342 - 42)   =  300
          |  2 19 |
    K12 = | 21 21 | = -(399 - 42)  = -357
          |  2 19 |
    K13 = | 21 18 | = (42 - 36)    =    6
          |  2  2 |
    K21 = | 17  5 | = -(323 - 10)  = -313
          |  2 19 |
    K22 = | 17  5 | = (323 - 10)   =  313
          |  2 19 |
    K23 = | 17 17 | = -(34 - 34)   =    0
          |  2  2 |
    K31 = | 17  5 | = (357 - 90)   =  267
          | 18 21 |
    K32 = | 17  5 | = -(357 - 105) = -252
          | 21 21 |
    K33 = | 17 17 | = (306 - 357)  =  -51
          | 21 18 |

                 |  300  -357     6 |
    (cofactor) = | -313   313     0 |
                 |  267  -252   -51 |

                            |  300  -313   267 |
    Adj(K) = (cofactor)^T = | -357   313  -252 |
                            |    6     0   -51 |

    K^-1 = |K|^-1 × adj(K) = 17 × adj(K)

           |  300*17  -313*17   267*17 |     |  5100  -5321   4539 |
    K^-1 = | -357*17   313*17  -252*17 |  =  | -6069   5321  -4284 |
           |    6*17     0*17   -51*17 |     |   102      0   -867 |

           |   4  -17   15 |
    K^-1 = | -11   17  -20 |   (each entry reduced mod 26)
           |  24    0   -9 |

To remove the negative (-) values take "mod 26" for each value (add 26):

           |  4   9  15 |
    K^-1 = | 15  17   6 |
           | 24   0  17 |
This is demonstrated as follows (K × K^-1 ≡ I mod 26):

             | 17 17  5 |   |  4   9  15 |
    K K^-1 = | 21 18 21 | × | 15  17   6 |
             |  2  2 19 |   | 24   0  17 |

             | 68+255+120   153+289+0   255+102+85  |   | 443  442  442 |
           = | 84+270+504   189+306+0   315+108+357 | = | 858  495  780 |  mod 26
             |  8+30+456     18+34+0     30+12+323  |   | 494   52  365 |

             | 1 0 0 |
           = | 0 1 0 |   (unit matrix)
             | 0 0 1 |

• The strength of the Hill cipher is that it completely hides single-letter frequencies.
• The use of a larger matrix hides more frequency information.
• Thus a 3*3 Hill cipher hides not only single-letter but also two-letter frequency information.
• The Hill cipher is strong against a ciphertext-only attack.

P = K^-1 C mod 26

Note: the ciphertext triples used in this demonstration, (11 13 18), (7 3 11), (4 22 12) and (19 17 22), are the column-vector form C = KP of the same four plaintext blocks, not the row-vector results RRL MWB KAS PDH computed above; applying P = C K^-1 with row vectors to those strings gives the same plaintext.

        |  4   9  15 |   | 11 |   |  44+117+270 |   | 431 |
    P = | 15  17   6 | × | 13 | = | 165+221+108 | = | 494 |  mod 26
        | 24   0  17 |   | 18 |   | 264+0+306   |   | 570 |
    P = (15 0 24) → "pay"

        |  4   9  15 |   |  7 |   |  28+27+165 |   | 220 |
    P = | 15  17   6 | × |  3 | = | 105+51+66  | = | 222 |  mod 26
        | 24   0  17 |   | 11 |   | 168+0+187  |   | 355 |
    P = (12 14 17) → "mor"

        |  4   9  15 |   |  4 |   |  16+198+180 |   | 394 |
    P = | 15  17   6 | × | 22 | = |  60+374+72  | = | 506 |  mod 26
        | 24   0  17 |   | 12 |   |  96+0+204   |   | 300 |
    P = (4 12 14) → "emo"

        |  4   9  15 |   | 19 |   |  76+153+330 |   | 559 |
    P = | 15  17   6 | × | 17 | = | 285+289+132 | = | 706 |  mod 26
        | 24   0  17 |   | 22 |   | 456+0+374   |   | 830 |
    P = (13 4 24) → "ney"

        | 15  0 24 |
    P = | 12 14 17 |  → pay mor emo ney
        |  4 12 14 |
        | 13  4 24 |

This completes the Hill cipher round trip: decrypting with K^-1 recovers the plaintext.
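The three decryption steps of the "Hill Cipher Decryption" slides (determinant, cofactors and adjugate, inverse of the determinant mod 26) and the "paymoremoney" worked example above, as an added Python example that is not code from the handbook; it uses the handbook's C = PK mod 26 convention with each block as a row vector, and shows that the HILL/EXAM slide's ELSC corresponds to the key letters filling the matrix column by column.

```python
# Hill cipher over Z_26 with a pure-Python modular matrix inverse (determinant,
# cofactors, adjugate, inverse of the determinant mod 26), i.e. the three steps of
# the "Hill Cipher Decryption" slides. Added example, not from the handbook; it uses
# the handbook's C = PK mod 26 convention with each plaintext block as a ROW vector.

MOD = 26
K_PAY = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]   # key of the "paymoremoney" example


def mod_inverse(a, m=MOD):
    """Multiplicative inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd is {r0})")
    return s0 % m


def _minor(m, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(m) if r != i]


def det(m):
    """Determinant by cofactor expansion along the first row (plain integers)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(_minor(m, 0, j)) for j in range(len(m)))


def inverse_mod(m, mod=MOD):
    """K^-1 = (|K|^-1 mod 26) * adj(K) mod 26, adj(K) = transpose of the cofactor matrix."""
    n = len(m)
    det_inv = mod_inverse(det(m) % mod, mod)
    cofactor = [[(-1) ** (i + j) * det(_minor(m, i, j)) for j in range(n)] for i in range(n)]
    return [[(det_inv * cofactor[j][i]) % mod for j in range(n)] for i in range(n)]


def _row_times_matrix(v, m, mod=MOD):
    return [sum(v[i] * m[i][j] for i in range(len(v))) % mod for j in range(len(m[0]))]


def hill_encrypt(plaintext, key):
    """C = PK mod 26 block by block; a short final block is padded with 'x'."""
    n = len(key)
    nums = [ord(c) - ord("a") for c in plaintext.lower() if c.isalpha()]
    while len(nums) % n:
        nums.append(ord("x") - ord("a"))
    out = []
    for i in range(0, len(nums), n):
        out.extend(_row_times_matrix(nums[i:i + n], key))
    return "".join(chr(ord("A") + x) for x in out)


def hill_decrypt(ciphertext, key):
    """P = C K^-1 mod 26: the same routine run with the inverse key."""
    return hill_encrypt(ciphertext, inverse_mod(key)).lower()


if __name__ == "__main__":
    print(inverse_mod(K_PAY))                          # [[4, 9, 15], [15, 17, 6], [24, 0, 17]]
    print(hill_encrypt("pay more money", K_PAY))       # RRLMWBKASPDH
    print(hill_decrypt("RRLMWBKASPDH", K_PAY))         # paymoremoney
    # The "HILL"/"EXAM" slide obtains ELSC when the key letters fill the matrix
    # column by column (equivalently C = KP with column vectors), i.e. with K^T:
    print(hill_encrypt("EXAM", [[7, 11], [8, 11]]))    # ELSC
```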

*******
Symmetric key cryptographic algorithms
• Data Encryption Standard (DES)
• Triple-DES or 3DES
• Advanced Encryption Standard (AES)
• RC2, RC4 and RC5 (RSA Data Security, Inc.)
• IDEA (International Data Encryption Algorithm)
• Blowfish
• SAFER
Stream Cipher
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
In this scheme, the plaintext is processed one bit at a time, i.e. one bit of plaintext is taken and a series of operations is performed on it to generate one bit of ciphertext. Technically, stream ciphers are block ciphers with a block size of one bit.

Examples:
Autokeyed Vigenère cipher
A5/1
RC4
Vernam cipher

Stream Cipher
Diagram: on both sides a key K feeds a bit-stream generation algorithm that outputs the keystream bits k_i (e.g. 010101).
ENCRYPTION: plaintext p_i = 100101, keystream k_i = 010101, ciphertext c_i = p_i XOR k_i = 110000
DECRYPTION: ciphertext c_i = 110000, keystream k_i = 010101, plaintext p_i = c_i XOR k_i = 100101
Block Cipher
A block cipher is one in which a block of plaintext is
treated as a whole and used to produce a ciphertext block
of equal length.
Typically, a block size of 64 or 128 bits is used.
Examples:
Feistel cipher
DES
Triple DES
AES
Block Cipher Schemes
There is a vast number of block cipher schemes in use. Many of them are publicly known. The most popular and prominent block ciphers are listed below.
Data Encryption Standard (DES) − The popular block cipher of the 1990s. It is now considered a 'broken' block cipher, due primarily to its small key size.
Triple DES − A variant scheme based on repeated DES applications. It is still a respected block cipher but inefficient compared to the newer, faster block ciphers available.
Advanced Encryption Standard (AES) − A relatively new block cipher based on the encryption algorithm Rijndael that won the AES design competition.
IDEA − A sufficiently strong block cipher with a block size of 64 bits and a key size of 128 bits. A number of applications use IDEA encryption, including early versions of the Pretty Good Privacy (PGP) protocol. Adoption of the IDEA scheme was restricted by patent issues.
Twofish − This block cipher uses a block size of 128 bits and a key of variable length. It was one of the AES finalists. It is based on the earlier block cipher Blowfish, which has a block size of 64 bits.
Serpent − A block cipher with a block size of 128 bits and key lengths of 128, 192, or 256 bits, which was also an AES competition finalist. It is slower but has a more conservative security design than other block ciphers.
Block Cipher
Diagram: a plaintext block of b bits enters the encryption algorithm with key K and leaves as a ciphertext block of b bits; the decryption algorithm takes the b-bit ciphertext block and the same key K and returns the b-bit plaintext block.
Stream cipher and Block Cipher
Both block and stream ciphers are methods of encryption which are primarily used for converting plaintext into ciphertext directly, and both belong to the family of symmetric key ciphers.

Following are the important differences between Block Cipher and Stream Cipher.
Sr no | Key                | Block Cipher                                                                                                        | Stream Cipher
1     | Definition         | Block Cipher is the type of encryption where the conversion of plaintext is performed by taking a block at a time.  | On the other hand Stream Cipher is the type of encryption where the conversion of plaintext is performed by taking one byte of the plaintext at a time.
2     | Conversion of Bits | As Block Cipher takes a block at a time, comparatively more bits get converted than in Stream Cipher; specifically 64 bits or more can be converted at a time. | On the other hand in the case of Stream Cipher at most 8 bits can be converted at a time.
3     | Principle          | Block Cipher uses both the confusion and diffusion principles for the conversion required for encryption.          | On the other hand Stream Cipher uses only the confusion principle for the conversion.
4     | Algorithm          | For encryption of plaintext Block Cipher uses the Electronic Code Book (ECB) and Cipher Block Chaining (CBC) algorithms. | On the other hand Stream Cipher uses the CFB (Cipher Feedback) and OFB (Output Feedback) algorithms.
5     | Decryption         | As a combination of more bits gets encrypted in the case of Block Cipher, the reverse encryption or decryption is comparatively complex compared to that of Stream Cipher. | On the other hand Stream Cipher uses XOR for the encryption, which can be easily reversed to the plaintext.
6     | Implementation     | The main implementation of Block Cipher is the Feistel Cipher.                                                      | On the other hand the main implementation of Stream Cipher is the Vernam Cipher.
Diffusion and Confusion
Confusion
 Confusion hides the relationship between the ciphertext and the key.
 This is achieved by the use of a complex substitution algorithm.
Diffusion
 Diffusion hides the relationship between the ciphertext and the plaintext.
 This is achieved by making a change in one plaintext digit affect the value of many ciphertext digits.

Diffusion example:
X1 = 0010 1011  →  Y1 = 1011 1001
X2 = 0000 1011  →  Y2 = 0110 1100
Single bit flip in the input → many bit flips in the output
Feistel Cipher Structure (or Block Cipher Structure)
Diagram: the plaintext (2w bits) is split into L0 and R0 (w bits each); Round i uses subkey Ki and the round function F; after Round n the halves Ln and Rn are swapped to give Ln+1, Rn+1, which form the ciphertext (2w bits).
1. Plaintext is split into 32-bit halves Li and Ri.
2. Ri is fed into the function F.
3. The output of function F is then XORed with Li.
4. Left and right halves are swapped.
Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)
Feistel Network Factors
Block size: A common block size is 64 bits. However, newer algorithms use 128-bit or 256-bit block sizes.
Key size: Key sizes of 64 bits or less are now widely considered to be insufficient, and 128 bits has become a common size.
Number of rounds: A typical size is 16 rounds.
Round function F: This phase consists of sixteen rounds of the same function, which involves both permutation and substitution functions. Again, greater complexity generally means greater resistance to cryptanalysis.
Subkey generation algorithm: For each of the sixteen rounds, a different subkey (Ki) is derived from the main key by the combination of a left circular shift and a permutation. Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
Feistel Encryption & Decryption
 Prove that the output of the first round of decryption is equal to the 32-bit swap of the input of the 16th round of encryption.
 LD1 = RE15 & RD1 = LE15
 On the Encryption Side (round 16):
   LE16 = RE15
   RE16 = LE15 XOR F(RE15, K16)
 On the Decryption Side (round 1 uses subkey K16; its input is the 32-bit swap of the encryption output, LD0 = RE16 and RD0 = LE16):
   LD1 = RD0 = LE16 = RE15
   RD1 = LD0 XOR F(RD0, K16) = RE16 XOR F(RE15, K16) = LE15 XOR F(RE15, K16) XOR F(RE15, K16) = LE15
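The Feistel structure and the LD1 = RE15, RD1 = LE15 identity above, as an added Python example that is not code from the handbook: the round function F and the 16 subkeys are constructed stand-ins (not DES), which is the point, since the structure inverts itself for any F.

```python
# Generic Feistel network with a constructed round function, to show that
# decryption is the same network run with the subkeys in reverse order and that
# the output of decryption round 1 is the swap of the input of the last encryption
# round (LD1 = RE15, RD1 = LE15 for 16 rounds). Added example, not from the handbook;
# the round function F and the subkeys are constructed stand-ins, not DES.

MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """Any function of (R, K) works for the structure; this one is a constructed mix."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32                 # multiply by an odd constant
    return (x ^ (x >> 15)) & MASK32


def feistel_rounds(left, right, subkeys):
    """Run one round per subkey; returns [(L0, R0), (L1, R1), ..., (Ln, Rn)]."""
    states = [(left, right)]
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)   # Li = Ri-1, Ri = Li-1 ^ F(Ri-1, Ki)
        states.append((left, right))
    return states


def feistel_encrypt(block64, subkeys):
    """2w = 64-bit block: split, run the rounds, swap the halves at the end."""
    left, right = block64 >> 32, block64 & MASK32
    left, right = feistel_rounds(left, right, subkeys)[-1]
    return (right << 32) | left                   # final swap: output is Rn || Ln


def feistel_decrypt(block64, subkeys):
    """Identical network with the subkeys reversed; no inverse of F is ever needed."""
    return feistel_encrypt(block64, list(reversed(subkeys)))


def first_decrypt_round_matches_swap(block64, subkeys):
    """Checks LD1 == RE(n-1) and RD1 == LE(n-1), the identity the slide asks to prove."""
    enc = feistel_rounds(block64 >> 32, block64 & MASK32, subkeys)
    ct = feistel_encrypt(block64, subkeys)
    dec = feistel_rounds(ct >> 32, ct & MASK32, list(reversed(subkeys)))
    le_prev, re_prev = enc[len(subkeys) - 1]       # input of the last encryption round
    ld1, rd1 = dec[1]                              # output of the first decryption round
    return (ld1, rd1) == (re_prev, le_prev)


SUBKEYS = [(0x0F1E2D3C * (i + 1) + 0xA5A5) & MASK32 for i in range(16)]   # constructed
BLOCK = 0x0123456789ABCDEF                                                  # constructed

if __name__ == "__main__":
    ct = feistel_encrypt(BLOCK, SUBKEYS)
    print(hex(ct), hex(feistel_decrypt(ct, SUBKEYS)))
    print(first_decrypt_round_matches_swap(BLOCK, SUBKEYS))   # True
```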
Symmetric Cryptosystems
Data Encryption Standard (DES)
 Developed in the 1970s; made a standard by the US government, was
widely used in the financial industry until 2004.
DES is a Feistel cipher
• 64 bit block length
• 56 bit key length
• 16 rounds
• 48 bits of key used each round (subkey)
• Each round is simple (for a block cipher)
• Security depends primarily on “S-boxes”
• Each S-box maps 6 bits to 4 bits
DES Encryption Algorithm (overall structure)
Data path: 64-bit plaintext → Initial Permutation → Round 1 (K1) → Round 2 (K2) → … → Round 16 (K16) → 32-bit swap → Inverse Initial Permutation → 64-bit ciphertext; every round works on 64 bits.
Key path: 64-bit key → Permuted choice 1 (56 bits) → for each round i: left circular shift of the two halves (56 bits), then Permuted choice 2 → 48-bit subkey Ki; the shifted 56-bit halves are passed on to the next round.

Data Encryption Standard
X (64-bit input) → Initial Permutation → Round 1 (K1) … Round 16 (K16), with each 48-bit subkey Ki derived from the 56-bit DES key → Final permutation → Y (64-bit output)
DES Single Round
Data path (32-bit halves L and R):
  R (32 bits) → Expansion/permutation (E table) → 48 bits
  XOR with Ki (48 bits) → 48 bits
  Substitution/choice (S-box) → 32 bits
  Permutation (P) → 32 bits
  XOR with L (32 bits) → new R; the old R becomes the new L
Key path (28-bit halves C and D):
  Left shift (C), Left shift (D) → Permutation/compression (Permuted choice 2) → Ki (48 bits)
DES Encryption Algorithm
1. Initial permutation: First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
2. The F function: This phase consists of sixteen rounds of the same function, which involves both permutation and substitution functions.
3. Swap: L and R are swapped again at the end of the cipher, i.e., after round 16, followed by a final permutation.
4. Inverse (Final) permutation: It is the inverse of the initial permutation.
5. Subkey generation: For each of the sixteen rounds, a different subkey (Ki) is derived from the main key by the combination of a left circular shift and a permutation.
Initial and Inverse Permutation
 The initial permutation of the DES algorithm changes the order of the plaintext bits (positions 1 … 64) prior to the first round of encryption.
 The final permutation occurs after the sixteen rounds of DES are completed. It is the inverse of the initial permutation, so the bits return to their original positions (1 … 64).
Initial and Final Permutation
IP (Initial Permutation):
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP^-1 (Final Permutation):
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
The F function
 Main operation of DES.
 f-function inputs: Ri-1 (32 bits) and round key Ki (48 bits).
 4 Steps:
1. Expansion E: Ri-1 (32 bits) → Expansion/permutation (E table) → 48 bits
2. XOR with round key Ki (48 bits) → 48 bits
3. S-box substitution: eight 6-bit groups (6 6 6 6 6 6 6 6) → S1 S2 S3 S4 S5 S6 S7 S8 → eight 4-bit outputs (4 4 4 4 4 4 4 4) = 32 bits
4. Permutation (P) → 32 bits
1. The Expansion Function E
Main purpose: Increases diffusion.
Since Ri-1 is a 32-bit input and Ki is a 48-bit key, we first need to expand Ri-1 to 48 bits.
Input: 32 bits (8 blocks, each consisting of 4 bits)
Output: 48 bits (8 blocks, each consisting of 6 bits)
Expansion Table E
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
2. Add round key
XOR Round Key: After the expansion permutation, DES uses the XOR operation on the expanded right section (48 bits) and the round key Ki (48 bits).
Note that both the right section and the key are 48 bits in length now.
3. The DES S-Boxes
S-Box substitution.
Eight substitution tables.
6 bits of input, 4 bits of output.
Convert 48 bits to 32 bits.
Non-linear and resistant to differential cryptanalysis.
Crucial element for DES security!
Introduces confusion.
Data path: Ri-1 (32) → Expansion/permutation (E table) (48) → XOR Ki (48) → 6 6 6 6 6 6 6 6 → S1 S2 S3 S4 S5 S6 S7 S8 → 32 bits
Role of S-box
The outer two bits of each group select one row of an S-box.
The inner four bits select one column of an S-box.
 Example (S-box 1):
Input 0 1 1 0 0 1: outer bits 0,1 → row 1; inner bits 1100 → column 12
Output 1 0 0 1 (the entry of S-box 1 at row 1, column 12 is 9 = 1001)
4. The Permutation P
 Bitwise permutation.
 Introduces diffusion.
Permutation Table P
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
Data path: … S1 … S8 → 4 4 4 4 4 4 4 4 (32 bits) → Permutation (P) → 32 bits
Key schedule of DES
Derives 16 round keys (or subkeys) ki of 48 bits each from the original 56-bit key.
The input key size of DES is 64 bits: a 56-bit key and 8 parity bits.
Parity bits are removed in a first permuted choice PC-1 (note that bits 8, 16, 24, 32, 40, 48, 56 and 64 are not used at all): K (64 bits) → PC-1 → 56 bits.
Permuted choice (PC-1)
57 49 41 33 25 17 09 01
58 50 42 34 26 18 10 02
59 51 43 35 27 19 11 03
60 52 44 36 63 55 47 39
31 23 15 07 62 54 46 38
30 22 14 06 61 53 45 37
29 21 13 05 28 20 12 04
Key schedule of DES
Split the 56-bit key (output of PC-1) into 28-bit halves C0 and D0.
In rounds i = 1, 2, 9, 16, the two halves are each rotated left by one bit.
In all other rounds the two halves are each rotated left by two bits.
These shifted values (C1, D1, …) are input to the next round.

Round        1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Left shifts  1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
Key schedule of DES
In each round i, permuted choice PC-2 selects a permuted subset of 48 bits of Ci and Di as round key ki (K (64) → PC-1 → C0, D0 (28 + 28) → LS1 → C1, D1 → PC-2 → K1 (48 bits)).
Permuted choice (PC-2)
14 17 11 24 01 05 03 28
15 06 21 10 23 19 12 04
26 08 16 07 27 20 13 02
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
Subkey generation
K (64 bits) → PC-1 → 56 bits → C0, D0 (28 + 28)
Transform 1: LS1 on C0 and D0 → C1, D1 (28 + 28) → PC-2 → K1 (48 bits)
Transform 2: LS2 on C1 and D1 → C2, D2 → PC-2 → K2
…
Transform 16: LS16 on C15 and D15 → C16, D16 → PC-2 → K16 (48 bits)
Avalanche Effect
A desirable property of any encryption algorithm is that a change in one bit of the plaintext or of the key should produce a change in many bits of the ciphertext.
DES exhibits a strong avalanche effect.

In the example shown, although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits.
This means that changing approximately 1.5 % of the plaintext creates a change of approximately 45 % in the ciphertext.
Strength of DES
The use of 56-bit keys: With a 56-bit key used in encryption, there are 2^56 possible keys. A brute-force attack on such a number of keys is impractical.
The nature of the algorithm: A cryptanalyst can attempt cryptanalysis by exploiting the characteristics of the DES algorithm, but no one has succeeded in finding an exploitable weakness.
AES (Advanced Encryption Standard)
The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256 bits.
Key size (words/bytes/bits)        4/16/128  6/24/192  8/32/256
Block size (words/bytes/bits)      4/16/128  4/16/128  4/16/128
Round key size (words/bytes/bits)  4/16/128  4/16/128  4/16/128
Number of Rounds                   10        12        14

AES was designed to have the following characteristics:
1. Resistance against all known attacks
2. Speed and code compactness on a wide range of platforms
3. Design simplicity
AES (Advanced Encryption Standard)
Diagram: 128-bit Plaintext → AES with Key (128-256 bits) → 128-bit Ciphertext.

AES (Advanced Encryption Standard)
128-bit Plaintext → AddRoundKey with K0 → Round 1 (K1) → Round 2 (K2) → … → Round N (slightly different; K10 for a 128-bit key) → 128-bit Ciphertext. The round keys K0 … KN come from the Key expansion of the cipher key (128, 192 or 256 bits).

Round structure:
  AddRoundKey (K0)
  Round 1: SubBytes, ShiftRows, MixColumns, AddRoundKey
  …
  Round 10: SubBytes, ShiftRows, AddRoundKey (Round key 10)
Notes:
1. One AddRoundKey is applied before the first round.
2. The third transformation (MixColumns) is missing in the last round.
AES Structure
Initialization
1. Expand the 16-byte key to get the actual key blocks to be used.
2. Initialize the 16-byte plaintext block, called the state.
3. XOR the state with the key block.

For each round
1. Apply S-box
2. Rotate rows of state
3. Mix columns
4. Add Round key: XOR the state with the key block.
Data Units in AES
Block to State & State to
Block
Plain Text to State
AES Structure
The first N-1 rounds consist of four distinct transformation functions.
SubBytes    • The 16 input bytes are substituted using an S-box.
ShiftRows   • Each of the four rows of the matrix is shifted to the left.
MixColumns  • Each column of four bytes is now transformed using a special mathematical function.
AddRoundKey • The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key.
AES structure
State:          Cipher key:
32 88 31 e0     2b 28 ab 09
43 5a 31 37     7e ae f7 cf
f6 30 98 07     15 d2 15 4f
a8 8d a2 34     16 a6 88 3c

Initial transformation (AddRoundKey)
AddRoundKey: input state XOR cipher key
32 88 31 e0     2b 28 ab 09     19 a0 9a e9
43 5a 31 37  ⊕  7e ae f7 cf  =  3d f4 c6 f8
f6 30 98 07     15 d2 15 4f     e3 e2 8d 48
a8 8d a2 34     16 a6 88 3c     be 2b 2a 08
SubByte Transformation
The forward substitute byte transformation, called SubBytes, is a simple table lookup: the left nibble of the input byte selects the row of the S-box and the right nibble selects the column.
Input: 19 (row 1, column 9)   Output: d4
SubByte output
Input for SubBytes    Output of SubBytes
19 a0 9a e9           d4 e0 b8 1e
3d f4 c6 f8           27 bf b4 41
e3 e2 8d 48           11 98 5d 52
be 2b 2a 08           ae f1 e5 30
ShiftRows
The first row of State is not altered.
For the second row, a 1-byte circular left shift is performed.
For the third row, a 2-byte circular left shift is performed.
For the fourth row, a 3-byte circular left shift is performed.

Input for ShiftRows                  Output of ShiftRows
d4 e0 b8 1e   No rotation            d4 e0 b8 1e
27 bf b4 41   Rotate 1 byte          bf b4 41 27
11 98 5d 52   Rotate 2 bytes         5d 52 11 98
ae f1 e5 30   Rotate 3 bytes         30 ae f1 e5
MixColumns
Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
A constant matrix is used by MixColumns (the multiplications are in GF(2^8)).

MixColumns
| 02 03 01 01 |   | d4 e0 b8 1e |   | 04 e0 48 28 |
| 01 02 03 01 | × | bf b4 41 27 | = | 66 cb f8 06 |
| 01 01 02 03 |   | 5d 52 11 98 |   | 81 19 d3 26 |
| 03 01 01 02 |   | 30 ae f1 e5 |   | e5 9a 7a 4c |

First column:
| 02 03 01 01 |   | d4 |   | 04 |
| 01 02 03 01 | × | bf | = | 66 |
| 01 01 02 03 |   | 5d |   | 81 |
| 03 01 01 02 |   | 30 |   | e5 |
AddRoundKey
In the forward add round key transformation, the 128 bits of State are bitwise XORed with the 128 bits of the round key.
| 04 e0 48 28 |   | a0 88 23 2a |   | a4 68 6b 02 |
| 66 cb f8 06 | ⊕ | fa 54 a3 6c | = | 9c 9f 5b 6a |
| 81 19 d3 26 |   | fe 2c 39 76 |   | 7f 35 ea 50 |
| e5 9a 7a 4c |   | 17 b1 39 05 |   | f2 2b 43 49 |

First column:
| 04 |   | a0 |   | a4 |
| 66 | ⊕ | fa | = | 9c |
| 81 |   | fe |   | 7f |
| e5 |   | 17 |   | f2 |
AES Overall Structure (figure)
AES key expansion: words used in each round
Round        Words
Pre-round    W0 W1 W2 W3
Round 1      W4 W5 W6 W7
Round 2      W8 W9 W10 W11
...          ...
Round 10     W40 W41 W42 W43
AES key expansion
• The AES-128 key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes): one 128-bit round key for the pre-round AddRoundKey and one for each of the 10 rounds.
• The key bytes K0 … K15 fill the first four words column-wise: W0 = (K0, K1, K2, K3), W1 = (K4 … K7), W2 = (K8 … K11), W3 = (K12 … K15).
• Each added word W[i] depends on the immediately preceding word W[i-1] and on the word four positions back, W[i-4].
• In three out of four cases, a simple XOR is used: W[i] = W[i-4] ⊕ W[i-1].
• For every fourth word (i a multiple of 4) the function g is applied first: W[i] = W[i-4] ⊕ g(W[i-1]).
Function g of the key expansion
• RotWord: a one-byte circular left shift of the word, (V0, V1, V2, V3) → (V1, V2, V3, V0).
• SubWord: apply the AES S-box to each of the four bytes.
• XOR the result with the round constant Rcon[j] = (RC[j], 00, 00, 00).
Rcon table
j        1   2   3   4   5   6   7   8   9   10
RC[j]    01  02  04  08  10  20  40  80  1b  36
The remaining three bytes of each Rcon[j] are 00. RC[j] = {02}·RC[j-1] in GF(2^8), which is why the sequence wraps from 80 to 1b and then 36.
Key Expansion Example (figure)
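The four round transformations and the key expansion described above, as an added example that is not code from the handbook. It derives the S-box from the GF(2^8) inverse and affine map instead of hard-coding the table, and reproduces the FIPS-197 trace quoted in the slides (input 32 43 f6 a8 …, key 2b 7e 15 16 …). It is teaching code, not constant-time; use a vetted library for anything real.

```python
# Added example: AES-128 primitives and key expansion, checked against the
# FIPS-197 Appendix B values reproduced in the slides. Illustrative only.

def xtime(b):
    """Multiply a GF(2^8) element by x (0x02) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for x in range(256):
        s = t = inv[x]
        for _ in range(4):            # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

# The State is a list of 16 bytes in column-major order: state[r + 4*c] is row r,
# column c, exactly as the 4x4 matrices in the slides are filled from the input.

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r bytes."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Left-multiply every column by the fixed circulant matrix over GF(2^8)."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4])
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]

def key_expansion(key):
    """Expand a 16-byte key into 44 words; g() is applied to every fourth word."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 0x01                                   # RC[1]; RC[j] = xtime(RC[j-1])
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                   # RotWord
            t = [SBOX[b] for b in t]            # SubWord
            t[0] ^= rc                          # XOR with Rcon = (RC, 00, 00, 00)
            rc = xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def round_key(w, rnd):
    """Round key rnd is words w[4*rnd .. 4*rnd+3], flattened into the State layout."""
    return [b for word in w[4 * rnd:4 * rnd + 4] for b in word]

def aes128_encrypt_block(key, block):
    w = key_expansion(key)
    state = add_round_key(list(block), round_key(w, 0))      # pre-round AddRoundKey
    for rnd in range(1, 11):
        state = shift_rows(sub_bytes(state))
        if rnd != 10:                                        # final round has no MixColumns
            state = mix_columns(state)
        state = add_round_key(state, round_key(w, rnd))
    return bytes(state)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # cipher key from the slides
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")    # input block from the slides
    print(aes128_encrypt_block(key, pt).hex())
```

Running the file prints the FIPS-197 ciphertext 3925841d02dc09fbdc118597196a0b32; the intermediate States after each transformation of round 1 are the matrices shown in the slides.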
Introduction to Cryptography: Public Key Cryptosystem
Prof. Dhaval Khatri and Prof. Parinda Prajapati, Department of Computer Engineering and Information Technology, Ahmedabad Institute of Technology
Symmetric Key Encryption (figure)
A secret key K is shared by sender and recipient. The plaintext input X is encrypted with an encryption algorithm (e.g. AES) into the transmitted ciphertext Y = E(K, X); the recipient runs the decryption algorithm (the reverse of encryption) with the same K to recover the plaintext output X.
Symmetric Key Encryption example
• A safe with a strong lock; only Alice and Bob have a copy of the key.
• Alice encrypts: she locks the message in the safe with her key.
• Bob decrypts: he uses his copy of the key to open the safe.
Public-Key Cryptosystems
Two keys are used, one for encryption and one for decryption:
– a public key, which may be known by anybody, and can be used to encrypt messages
– a private key, known only to the recipient, used to decrypt messages
• A public-key scheme has six ingredients:
1 Plaintext
2 Encryption algorithm
3 Public key
4 Private key
5 Ciphertext
6 Decryption algorithm
Public-Key Cryptosystems
• Public-key / two-key / asymmetric cryptography involves the use of two keys:
- a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
- a private key, known only to its owner, used to decrypt messages and sign (create) signatures
• It is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures.
Asymmetric Key Encryption with Public Key (figure)
Bob takes Alice's public key PUa from his public key ring (which also holds the keys of Joy, Ted and Mike) and encrypts the plaintext X with an encryption algorithm (e.g. RSA): the transmitted ciphertext is Y = E(PUa, X). Only Alice, holding her private key PRa, can decrypt it: X = D(PRa, Y). Encrypting the entire message under the recipient's public key provides confidentiality.
Asymmetric Key Encryption with Private Key (figure)
Bob encrypts the plaintext X with his own private key PRb: Y = E(PRb, X). Alice, or anyone holding Bob's public key PUb from a public key ring, recovers X = D(PUb, Y). Since only Bob could have produced Y, the entire encrypted message serves as a digital signature; this provides authentication but not confidentiality.
Asymmetric Key Encryption example
New idea: use the good old mailbox principle.
• Everyone can drop a letter into the box (the public key).
• But only the owner has the correct key to open the box (the private key).
Why Public-Key Cryptography?
Developed to address two key issues:
• Key distribution: how to have secure communications in general without having to trust a KDC with your key. No secure key delivery channel is needed, and no one else needs to know your private key.
• Digital signatures: how to verify that a message comes intact from the claimed sender.
Public-Key Characteristics
Public-key algorithms rely on two keys with the characteristics that it is:
- computationally infeasible to find the decryption key knowing only the algorithm and the encryption key
- computationally easy to encrypt or decrypt messages when the relevant (encryption or decryption) key is known
- built on a trapdoor one-way function: easy in one direction, infeasible to reverse without the trapdoor, e.g. modular exponentiation versus discrete logarithm, multiplication of two primes versus factoring
- in some schemes, either of the two related keys can be used for encryption, with the other used for decryption
Public-Key Cryptosystems: Secrecy (figure)
Public-Key Cryptosystems: Authentication (figure)
Authentication and Confidentiality (figure)
Source A first encrypts the message X with its own private key PRa, Y = E(PRa, X), then encrypts the result with destination B's public key PUb:
Z = E(PUb, E(PRa, X))
Destination B reverses the two steps with its private key PRb and then A's public key PUa:
X = D(PUa, D(PRb, Z))
The inner operation provides authentication (only A could have produced it); the outer one provides confidentiality (only B can remove it).


Applications for Public-Key Cryptosystems
• Encryption/decryption: the sender encrypts a message with the recipient's public key.
• Digital signature: the sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.
• Key exchange: two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.
RSA Algorithm
RSA is a block cipher in which the plaintext and ciphertext are represented as integers between 0 and n-1 for some value of n.
Large messages can be broken up into a number of blocks; each block is then represented by an integer.
Step 1: Generate the public key and private key.
Step 2: Encrypt the message using the public key.
Step 3: Decrypt the message using the private key.
Step 1: Generate public key and private key
• Select two large distinct prime numbers p and q.
• Calculate the modulus: n = p × q.
• Calculate Euler's totient function: φ(n) = (p-1) × (q-1).
• Select e such that e is relatively prime to φ(n) and 1 < e < φ(n). Two numbers are relatively prime if they have no common factors other than 1, i.e. gcd(φ(n), e) = 1.
• Determine d such that d × e ≡ 1 (mod φ(n)), i.e. d = e^(-1) mod φ(n), found with the extended Euclidean algorithm.
• Public key: PU = {e, n}
• Private key: PR = {d, n}
Steps 2 and 3: Encryption and Decryption
Step 2: Encryption using the public key:
Plaintext: M (an integer with 0 ≤ M < n)
Ciphertext: C = M^e mod n
Step 3: Decryption using the private key:
Ciphertext: C
Plaintext: M = C^d mod n
Multiple Encryption and Block Cipher Modes (outline)
• Multiple encryption and triple DES
• Electronic Code Book mode
• Cipher Block Chaining mode
• Cipher Feedback mode
• Output Feedback mode
• Counter mode
Block Cipher Modes of Operation
• To apply a block cipher in a variety of applications, five "modes of operation" have been defined (NIST SP 800-38A).
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback (CFB)
4. Output Feedback (OFB)
5. Counter (CTR)
• The five modes are intended to cover a wide variety of applications of encryption for which a block cipher could be used.
• These modes are intended for use with any symmetric block cipher, including triple DES and AES.
Block Cipher Modes of Operation
• A block cipher operates on a fixed-length b-bit input to produce a b-bit ciphertext.
• What about encrypting plaintext longer than b bits?
• Break the plaintext into b-bit blocks (padding if necessary) and apply the cipher to each block; the mode defines how the blocks are combined.
1. ECB Encryption and Decryption (figure)
Encryption: each 64-bit plaintext block P1, P2, …, PN is encrypted independently under the same key K to give C1, C2, …, CN.
Decryption: each ciphertext block is decrypted independently under K to give back P1, P2, …, PN.
Electronic Code Book (ECB) (cont…)
• In ECB mode the plaintext is handled one block at a time and each block of plaintext is encrypted using the same key.
• The term codebook is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext.
C_j = E(K, P_j)    j = 1, …, N
P_j = D(K, C_j)    j = 1, …, N
Electronic Code Book (ECB) (cont…)
• ECB advantages:
– No block synchronization between sender and receiver is required; decryption still works if some blocks are lost in transit.
– Bit errors caused by noisy channels only affect the corresponding block, not succeeding blocks.
– Block cipher operations can be parallelized.
• ECB disadvantages:
– Identical plaintext blocks result in identical ciphertext blocks.
– An attacker recognizes if the same message has been sent twice simply by looking at the ciphertext.
– Plaintext blocks are encrypted independently of previous blocks, so an attacker may reorder or substitute ciphertext blocks, and the result still decrypts to valid plaintext.
Substitution Attack on ECB
• Consider an electronic bank transfer whose record consists of five fields, each occupying one cipher block:
Block 1: Sending bank A
Block 2: Sending account #
Block 3: Receiving bank B
Block 4: Receiving account #
Block 5: Amount $
• The attacker sends $1.00 transfers from his account at bank A to his account at bank B repeatedly.
• He can check for ciphertext blocks that repeat, and he stores blocks 1, 3 and 4 of these transfers.
• He now simply replaces block 4 of other transfers with the block 4 that he stored before.
• All transfers from some account of bank A to some account of bank B are redirected to go into the attacker's account at bank B.
Electronic Code Book (cont…)
• Strength: it is simple.
• Weakness: with a long message, repetition in the plaintext may cause repetition in the ciphertext.
• Typical application: secure transmission of short pieces of information (e.g. a temporary encryption key).
2. CBC Encryption and Decryption (figure)
Encryption: P1 is XORed with the IV and encrypted under K to give C1; each later block P_j is XORed with the previous ciphertext block C_{j-1} before encryption.
Decryption: each C_j is decrypted under K and the result XORed with C_{j-1} (with the IV in place of C_0).
Cipher Block Chaining (CBC) (cont…)
C_1 = E(K, P_1 ⊕ IV)
C_j = E(K, P_j ⊕ C_{j-1})    j = 2, …, N
P_1 = D(K, C_1) ⊕ IV
P_j = D(K, C_j) ⊕ C_{j-1}    j = 2, …, N
Cipher Block Chaining (CBC) (cont…)
• CBC is a technique in which the same plaintext block, if repeated, produces different ciphertext blocks.
• In this scheme, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block, and the same key is used for each block.
• To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext.
Cipher Block Chaining (CBC) (cont…)
• The initialization vector (IV) must be known by sender and receiver. It need not be secret (it is usually sent in the clear ahead of the ciphertext), but it must be unpredictable to the attacker and protected against modification: flipping a bit of the IV flips the corresponding bit of the first plaintext block.
• On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.
Substitution Attack on CBC
• Consider the last example (electronic bank transfer).
• If a fresh, unpredictable IV is chosen for every wire transfer, the attack will not work at all: the same plaintext record produces different ciphertext each time.
• If the IV is kept the same for several transfers, the attacker would again recognize the transfers from his account at bank A to bank B.
Cipher Block Chaining (CBC) (cont…)
• Strength: because of the chaining mechanism of CBC, it is an appropriate mode for encrypting messages of length greater than b bits.
• Typical applications:
– General-purpose block-oriented transmission
– Authentication (CBC-MAC)
3. Cipher Feedback Mode (CFB)
• For AES, DES, or any block cipher, encryption is performed on a block of b bits. In DES, b = 64 and in AES, b = 128.
• However, it is possible to convert a block cipher into a stream cipher, using cipher feedback (CFB) mode, output feedback (OFB) mode, or counter (CTR) mode.
• A stream cipher eliminates the need to pad a message to be an integral number of blocks.
CFB Encryption (figure)
A b-bit shift register, initially the IV, is encrypted under K; the leftmost s bits of the output are selected (the other b-s bits discarded) and XORed with the s-bit plaintext unit P_j to give the ciphertext unit C_j. The register is then shifted left by s bits and C_j is fed into its rightmost s bits.
CFB Encryption (cont…)
I_1 = IV
I_j = LSB_{b-s}(I_{j-1}) || C_{j-1}    j = 2, …, N
O_j = E(K, I_j)    j = 1, …, N
C_j = P_j ⊕ MSB_s(O_j)    j = 1, …, N
CFB Decryption (figure)
The same shift register and the encryption function (never the decryption function) are used; the received C_j is XORed with MSB_s(O_j) to recover P_j, and C_j is fed back into the register exactly as on the encryption side.
CFB Decryption (cont…)
I_1 = IV
I_j = LSB_{b-s}(I_{j-1}) || C_{j-1}    j = 2, …, N
O_j = E(K, I_j)    j = 1, …, N
P_j = C_j ⊕ MSB_s(O_j)    j = 1, …, N
Cipher Feedback Mode (CFB) (cont…)
• The input to the encryption function is a b-bit shift register
that is initially set to some initialization vector (IV).
• The leftmost (most significant) s bits of the output of the
encryption function are XORed with the first segment of
plaintext P1 to produce the first unit of ciphertext C1 ,
which is then transmitted.
• In addition, the contents of the shift register are shifted
left by s bits, and C1 is placed in the rightmost (least
significant) s bits of the shift register.
• For decryption, the same scheme is used, except that the
received ciphertext unit is XORed with the output of the
encryption function to produce the plaintext unit.
4. OFB Encryption (figure)
The nonce is encrypted under K to give the first output block O_1; each output block is XORed with a plaintext block and is also fed back as the input to the next encryption.
I_1 = Nonce
I_j = O_{j-1}    j = 2, …, N
O_j = E(K, I_j)    j = 1, …, N
C_j = P_j ⊕ O_j    j = 1, …, N-1
C_N = P_N ⊕ MSB_u(O_N)    (the last plaintext block may be only u ≤ b bits long)
OFB Decryption (figure)
The same keystream O_1, O_2, … is regenerated from the nonce and K (again using only the encryption function) and XORed with the ciphertext.
I_1 = Nonce
I_j = O_{j-1}    j = 2, …, N
O_j = E(K, I_j)    j = 1, …, N
P_j = C_j ⊕ O_j    j = 1, …, N-1
P_N = C_N ⊕ MSB_u(O_N)
Output Feedback Mode (OFB) (cont…)
• The output feedback (OFB) mode is similar in structure to that of CFB.
• For OFB, the output of the encryption function is fed back to become the input for encrypting the next block of plaintext.
• In CFB, the output of the XOR unit (the ciphertext) is fed back to become input for encrypting the next block.
• The other difference is that the OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates on an s-bit subset.
OFB Mode (cont…)
• Nonce: a time-varying value that has at most a negligible chance of repeating, for example a random value that is generated anew for each use, a timestamp, a sequence number, or some combination of these. A nonce must never be reused with the same key: two messages encrypted under the same (key, nonce) share the same keystream, and XORing their ciphertexts cancels it out.
• Each bit in the ciphertext is independent of the previous bit or bits; a transmission bit error affects only the corresponding plaintext bit.
• This avoids error propagation.
• Pre-computation of the forward cipher (the keystream) is possible before the plaintext is available.
5. CTR Encryption (figure)
A distinct counter value T_1, T_2, …, T_N is encrypted under K for each block and the result is XORed with the plaintext block.
C_j = P_j ⊕ E(K, T_j)    j = 1, …, N
CTR Decryption (figure)
The same counter values are encrypted (the block cipher's decryption function is never needed) and XORed with the ciphertext.
P_j = C_j ⊕ E(K, T_j)    j = 1, …, N
Counter Mode (CTR) (cont…)
• Interest in counter (CTR) mode has increased recently, with applications to ATM (asynchronous transfer mode) network security and IPsec (IP security).
• A counter equal to the plaintext block size is used.
• The counter value must be different for each plaintext block that is encrypted.
• Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block.
Advantages of the CTR Mode
• Strengths:
– Needs only the encryption algorithm.
– Random access to encrypted data blocks.
– Blocks can be processed (encrypted or decrypted) in parallel.
– Simple and fast encryption/decryption.
• Requirements on the counter:
– Counter values need not be secret, but each value must be used only once under a given key, across all messages and not just within one message; reusing a counter block leaks the XOR of the two plaintexts, exactly as with a reused OFB nonce.
– The counter is predictable by design; security rests on its uniqueness, so in practice a per-message nonce is combined with a block counter.
Summary of all modes
Mode   Description                                                                              Type of result
ECB    Each n-bit block is encrypted independently with the same key.                          Block cipher
CBC    Same as ECB, but each plaintext block is XORed with the previous ciphertext block.      Block cipher
CFB    Each s-bit unit is XORed with an s-bit key stream derived from the previous ciphertext.  Stream cipher
OFB    Same as CFB, but the input to the encryption is the preceding encryption output.       Stream cipher
CTR    Same as OFB, but a counter is used as the cipher input instead of the fed-back output.  Stream cipher
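The ECB, CBC and CTR modes from the slides, together with the bank-transfer block-substitution attack, as an added example that is not code from the handbook. Because the standard library has no DES or AES, the block cipher is an assumed 64-bit Feistel network whose round function is SHA-256; the mode logic is exactly the C_j/P_j recurrences above and would be unchanged with a real cipher. The transfer records are constructed sample data.

```python
# Added example (not from the handbook): ECB, CBC and CTR on a small 64-bit
# Feistel cipher so that the file runs with the standard library only. The
# Feistel network keyed through SHA-256 is an assumed stand-in for DES/AES.
import hashlib
import os

BLOCK = 8   # 64-bit block, like DES

def _f(key, r, half):
    """Toy Feistel round function: 32 bits of SHA-256(key || round || right half)."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block, rounds=8):
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, xor(left, _f(key, r, right))
    return right + left            # undo the final swap

def block_decrypt(key, block, rounds=8):
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = right, xor(left, _f(key, r, right))
    return right + left

def blocks(data):
    assert len(data) % BLOCK == 0, "caller pads to whole blocks for ECB/CBC"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, p) for p in blocks(pt))      # C_j = E(K, P_j)

def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, c) for c in blocks(ct))      # P_j = D(K, C_j)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = block_encrypt(key, xor(p, prev))        # C_j = E(K, P_j xor C_{j-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))   # P_j = D(K, C_j) xor C_{j-1}
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR is its own inverse; keystream block j = E(K, nonce || j). No padding needed."""
    out = []
    for j in range(0, len(data), BLOCK):
        ks = block_encrypt(key, nonce + (j // BLOCK).to_bytes(4, "big"))
        out.append(xor(data[j:j + BLOCK], ks))         # zip truncates a short last block
    return b"".join(out)

# Constructed bank-transfer record: five fields, one 8-byte block each, as in the slides.
def transfer(src_bank, src_acct, dst_bank, dst_acct, amount):
    return b"".join(f.ljust(BLOCK)[:BLOCK] for f in (src_bank, src_acct, dst_bank, dst_acct, amount))

def ecb_substitution_attack(key):
    """The attacker splices his own encrypted block 4 (receiving account) into a victim's transfer."""
    ct_attacker = ecb_encrypt(key, transfer(b"BANK-A", b"ACCT-666", b"BANK-B", b"ACCT-999", b"$1.00"))
    ct_victim = ecb_encrypt(key, transfer(b"BANK-A", b"ACCT-123", b"BANK-B", b"ACCT-456", b"$9999"))
    forged = ct_victim[:3 * BLOCK] + ct_attacker[3 * BLOCK:4 * BLOCK] + ct_victim[4 * BLOCK:]
    return ecb_decrypt(key, forged)     # the bank sees a valid-looking, redirected transfer

def repeated_blocks_visible(key):
    """ECB reveals that blocks 1 and 3 are equal; CBC with a random IV does not."""
    pt = b"SAMEBLCK" + b"OTHERBLK" + b"SAMEBLCK"
    ecb = blocks(ecb_encrypt(key, pt))
    cbc = blocks(cbc_encrypt(key, os.urandom(BLOCK), pt))
    return ecb[0] == ecb[2], cbc[0] == cbc[2]
```

The same splice against a CBC ciphertext turns blocks 4 and 5 into garbage because the substituted block is chained to a different predecessor, which is the slide's point that a fresh IV per transfer defeats the attack.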
Multiple Encryption
• Given the potential vulnerability of DES to a brute-force attack, there has been considerable interest in finding an alternative.
• A brute-force attack on DES requires 2^56 operations (the key is 56 bits).
• One approach is to design a completely new algorithm, of which AES is a prime example.
• Another alternative, which would preserve the existing investment in software and equipment, is to use multiple encryption with DES and multiple keys.
Double DES (figure)
Encryption: the plaintext is encrypted under K1 and the result encrypted again under K2.
X = E(K1, P)
C = E(K2, E(K1, P))
Decryption: the two stages are undone in reverse order.
X = D(K2, C) = E(K1, P)
P = D(K1, D(K2, C))
Double DES
• For double DES, 2 × 56-bit keys, meaning a 112-bit key length.
• Naively, a brute-force attack would require 2^112 operations.
• The meet-in-the-middle attack makes it much easier.
Meet in the Middle Attack
• This attack involves encryption from one end, decryption from the other and matching the results in the middle.
• Suppose the cryptanalyst knows a plaintext P_i and the corresponding ciphertext C_i.
• Now, the aim is to obtain the values of K1 and K2.
• Since X = E(K1, P) = D(K2, C), encrypting P under every possible K1 and decrypting C under every possible K2 must produce a matching middle value for the correct pair.
Known plaintext → Encryption (all 2^56 possible K1) → middle text X ← Decryption (all 2^56 possible K2) ← Known ciphertext
• Number of encryptions and decryptions: 2^56 + 2^56 = 2^57
• So a known-plaintext attack on double DES requires about 2^57 operations rather than 2^112, at the cost of a table with 2^56 entries.
Meet in the Middle Attack, Step 1
• For all possible values (2^56) of key K1, the cryptanalyst encrypts the known plaintext by performing E(K1, P).
• The cryptanalyst stores each output, indexed by the key, in a table. With a 2-bit toy key and 3-bit blocks:
Possible key K1    Encrypt P    Table of middle text
00                 →            010
01                 →            110
10                 →            101
11                 →            000
Meet in the Middle Attack, Step 2
• The cryptanalyst decrypts the known ciphertext with all possible values of K2.
• For each result, the cryptanalyst does a table lookup and compares the resulting value with all values in the table of middle text.
Possible key K2    Decrypt C    Result
00                 →            111
01                 →            011
10                 →            001
11                 →            110
Meet in the Middle Attack, matching
Table from Step 1 (K1 → E(K1, P))        Results from Step 2 (K2 → D(K2, C))
00 → 010                                 00 → 111
01 → 110                                 01 → 011
10 → 101                                 10 → 001
11 → 000                                 11 → 110
Find an equal match and store the corresponding K1 and K2: the value 110 appears for K1 = 01 and K2 = 11.
Values found: K1 = 01 and K2 = 11.
With real 64-bit blocks and 112 bits of key, many false matches are expected (about 2^48 for one known pair), so each candidate (K1, K2) is checked against a second known plaintext/ciphertext pair.
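The two-step attack above carried out against a toy double-encryption scheme, as an added example that is not code from the handbook. The cipher is an assumed 16-bit-key, 16-bit-block mixing function standing in for DES, chosen so that the full 2^16 table fits in memory and the whole attack runs in well under a second: brute force on the 32-bit double key would take 2^32 trials, the attack below about 2^17 block operations. The known-plaintext pairs are constructed for the demonstration.

```python
# Added example (not from the handbook): meet-in-the-middle on double
# encryption with an assumed 16-bit toy cipher in place of DES.
KEY_BITS = 16
MASK = 0xFFFF
MUL = 0x9E37                                                     # odd, so invertible mod 2^16
MUL_INV = next(i for i in range(1, 1 << 16, 2) if (i * MUL) & MASK == 1)

def toy_encrypt(key, p):
    """One keyed, invertible mixing step: XOR key, multiply by an odd constant, add key."""
    return ((p ^ key) * MUL + key) & MASK

def toy_decrypt(key, c):
    return (((c - key) & MASK) * MUL_INV & MASK) ^ key

def double_encrypt(k1, k2, p):
    """C = E(K2, E(K1, P)), the double-DES construction."""
    return toy_encrypt(k2, toy_encrypt(k1, p))

def known_pairs(k1, k2, plaintexts=(0x1234, 0xBEEF, 0x0042)):
    """Constructed known-plaintext material: the cryptanalyst holds P_i and C_i."""
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]

def meet_in_the_middle(pairs):
    """Recover (K1, K2) from a few known (P, C) pairs without touching the 2^32 key space."""
    p0, c0 = pairs[0]
    # Step 1: encrypt P under every K1 and index the middle values by key.
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Step 2: decrypt C under every K2 and look up the middle value.  A 16-bit
    # middle value yields roughly 2^16 false matches, so each candidate pair is
    # confirmed against the remaining known pairs before it is accepted.
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None

if __name__ == "__main__":
    print(meet_in_the_middle(known_pairs(0x5A5A, 0x0C3F)))
```

The cost is 2^16 encryptions plus 2^16 decryptions and a 2^16-entry dictionary; for double DES the same structure gives 2^57 operations and 2^56 table entries, which is why two keys buy almost nothing over one.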
Triple DES (figure)
Encryption with two keys (encrypt-decrypt-encrypt): A = E(K1, P), B = D(K2, A), C = E(K1, B)
C = E(K1, D(K2, E(K1, P)))
Decryption: B = D(K1, C), A = E(K2, B), P = D(K1, A)
P = D(K1, E(K2, D(K1, C)))
Using decryption as the middle stage means that 3DES with K1 = K2 reduces to single DES, which preserves backward compatibility; with two independent keys the effective key length is 112 bits.
Message Authentication Requirements
Attacks on a message exchange that authentication must address:
1. Disclosure: release of message contents.
2. Traffic analysis: analysing the traffic to observe the pattern of traffic between parties.
3. Masquerade: insertion of messages into the network from a fraudulent source.
4. Content modification: changes to the contents of a message.
5. Sequence modification: any modification to a sequence of messages between parties.
6. Timing modification: delay or replay of messages.
7. Source repudiation: denial of transmission of a message by the source.
8. Destination repudiation: denial of receipt of a message by the destination.
Message Authentication Requirements
Attacks 1-2 (disclosure, traffic analysis): require message confidentiality (encryption).
Attacks 3-6 (masquerade, content modification, sequence modification, timing modification): require message authentication.
Attacks 7-8 (source repudiation, destination repudiation): require a digital signature; destination repudiation additionally needs a protocol, such as signed acknowledgements.
Hash Function
• A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M).
• A "good" hash function has the property that applying a change to any bit or bits in M results, with high probability, in a change to the hash code.
Input-output behaviour of hash functions (figure; the digests shown are illustrative)
Message                                                                                                   Message digest
"Alice was beginning to get very tired of sitting by her sister on the bank, and having nothing to do."  → H → DFDB349C
"I am not a crook"                                                                                        → H → FB93E283
"I am not a cook"                                                                                         → H → A3F4439B
Applications of Cryptographic Hash Functions
1. Message authentication
2. Digital Signature
3. One-way password file
1. Message Authentication
• Message authentication is a mechanism or
service used to verify the integrity of a message.
• Message authentication assures that data
received are exactly as sent (i.e., contain no
modification, insertion, deletion, or replay).
• When a hash function is used to provide message
authentication, the hash function value is often
referred to as a message digest.
Message authentication method 1 (figure)
Source A computes H(M), appends it to M and encrypts the whole thing with the shared key K: E(K, [M || H(M)]). Destination B decrypts, recomputes H(M) and compares it with the received hash code.
• Only A and B share the secret key, so the message must have come from A and has not been altered.
• The hash code provides the structure required to achieve authentication.
• Because encryption is applied to the entire message plus hash code, confidentiality is also provided.
Message authentication method 2 (figure)
Source A sends M || E(K, H(M)); destination B decrypts the hash code, recomputes H(M) and compares.
• Only the hash code is encrypted, using symmetric encryption.
• This reduces the processing burden for those applications that do not require confidentiality.
Message authentication method 3 (figure)
Source A sends M || H(M || S); destination B appends its copy of S to the received M, recomputes H(M || S) and compares.
• It is possible to use a hash function but no encryption for message authentication.
• A and B share a common secret value S.
• A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify the message.
• An opponent, not knowing S, cannot modify an intercepted message and produce a valid hash value for it.
Message authentication method 4 (figure)
Source A sends E(K, [M || H(M || S)]); destination B decrypts with K and then verifies as in method 3.
• Confidentiality can be added to the approach of method 3 by encrypting the entire message plus the hash code.
MAC (Message Authentication Code)
• More commonly, message authentication is achieved
using a MAC also known as keyed hash function.
• MACs are used between two parties that share a
secret key to authenticate information exchanged
between those parties.
• A MAC function takes as input a secret key and a
data block and produces a hash value, referred to as
the MAC.
• The combination of hashing and encryption results in
an overall function that is a MAC (Method -2 in
previous slide).
MAC = C ( K , M )
Digital Signature
• A digital signature is a mathematical technique
used to validate the authenticity and integrity of
a message, software or digital document.
• The operation of the digital signature is similar to
that of the MAC.
• In the case of the digital signature, the hash value
of a message is encrypted with a user’s private
key.
• Anyone who knows the user’s public key can
verify the integrity of the message that is
associated with the digital signature.
Digital Signature
• How are we going to efficiently compute signatures of large messages?
Naive approach (figure): split the message into blocks X1, X2, …, XN and sign each block separately with the private key Kpr, producing signatures S1, S2, …, SN.
Three problems:
• Computational overhead: one public-key operation per block.
• Message overhead: one signature per block.
• Security limitations: an attacker could re-order or re-use signed blocks.
Digital Signature
Solution (figure):
• Instead of signing the whole message, sign only a digest (= hash) of it: S = Sig(Kpr, H(X1 || X2 || … || XN)). Also secure, but much faster.
• Needed: hash functions.
Digital Signature method 1 (figure)
Source A sends M || E(PRa, H(M)); destination B decrypts the hash code with A's public key PUa, recomputes H(M) and compares.
• The hash code is encrypted, using public-key encryption with the sender's private key.
• This provides authentication.
• It also provides a digital signature, because only the sender could have produced the encrypted hash code.
Digital Signature method 2 (figure)
Source A sends E(K, [M || E(PRa, H(M))]); destination B decrypts with the shared key K, then verifies the signature with PUa as in method 1.
• If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key.
Requirements for hash functions
1. Can be applied to a message M of any length.
2. Produces a fixed-length output h.
3. It is easy to compute h = H(M) for any given message M.
4. Given a hash value h, it is computationally infeasible to find y such that H(y) = h.
• One-way property (preimage resistance): given a fingerprint, we cannot derive a matching message.
5. For a given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
• Weak collision resistance (second-preimage resistance).
6. It is computationally infeasible to find any pair of messages m1 ≠ m2 with H(m1) = H(m2).
• Strong collision resistance; because of the birthday paradox an n-bit hash offers only about 2^(n/2) work against this attack, against 2^n for the two properties above.
Simple Hash Function
• The input (message, file, etc.) is viewed as a sequence of n-bit blocks.
• The input is processed one block at a time in an iterative fashion to produce an n-bit hash value.
• One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block:
C_i = b_{i1} ⊕ b_{i2} ⊕ … ⊕ b_{im}
where
C_i = i-th bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
b_{ij} = i-th bit in the j-th block
• This is a reasonable check against random transmission errors but has no cryptographic strength: swapping two blocks, or appending an all-zero block, leaves the hash unchanged, so requirements 4 to 6 above all fail.
SHA - Secure Hash Algorithm
Parameter (bits)     SHA-1     SHA-224   SHA-256   SHA-384   SHA-512
Message digest size  160       224       256       384       512
Message size         < 2^64    < 2^64    < 2^64    < 2^128   < 2^128
Block size           512       512       512       1024      1024
Word size            32        32        32        64        64
Number of steps      80        64        64        80        80
SHA-512
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.
• The input is processed in 1024-bit blocks.
Message Digest Generation using SHA-512 (figure)
The L-bit message is padded with a 1 bit and 0 bits, then the 128-bit length L is appended, giving blocks M1, M2, …, MN of 1024 bits each. Each block is fed, together with the previous 512-bit chaining value, into the compression function F (80 rounds) and the result is added word-wise modulo 2^64 to that chaining value: H0 = IV, H_i = H_{i-1} + F(M_i, H_{i-1}). H_N is the 512-bit digest.
Step 1: Append Padding Bits
• The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)].
• Padding is always added, even if the message is already of the desired length.
• Thus, the number of padding bits is in the range of 1 to 1024.
• The padding consists of a single 1 bit followed by the necessary number of 0 bits.
Step 2: Append Length
• A block of 128 bits is appended to the message.
• This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding).
Step 1 and Step 2 Example
Example:
• Given is the message "abc" consisting of three 8-bit ASCII characters with a total length of l = 24 bits.
a          b          c
01100001   01100010   01100011
• We append a "1" followed by k = 871 zero bits, where k is determined by
k ≡ 896 − (l + 1) = 896 − 25 = 871 (mod 1024).
• Finally, we append the 128-bit value which contains the binary representation of the length l = 24₁₀ = 11000₂.
• The padded message (24 + 1 + 871 + 128 = 1024 bits, exactly one block) is then given by
a          b          c          padding (1 + 871 zeros)   appended length (128 bits)
01100001   01100010   01100011   10000…0                   00…011000
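Steps 1 and 2 for an arbitrary byte string, as an added example that is not code from the handbook. Only the preprocessing is implemented (the 80-round compression function is not); it reproduces the "abc" layout above and also covers the edge case the slide mentions, a message already 896 bits long, which still receives a full 1024 bits of padding.

```python
# Added example (not from the handbook): SHA-512 padding and length append.

BLOCK_BITS = 1024
LENGTH_BITS = 128

def padding_bits(message: bytes) -> int:
    """Number of padding bits (the single 1 plus the zeros): always between 1 and 1024."""
    l = len(message) * 8
    return (896 - (l + 1)) % BLOCK_BITS + 1

def sha512_pad(message: bytes) -> bytes:
    """Return message || 1 || 0...0 || len(message), a multiple of 1024 bits long."""
    l = len(message) * 8
    # Step 1: a 1 bit, then k zero bits so that l + 1 + k ≡ 896 (mod 1024).
    k = (896 - (l + 1)) % BLOCK_BITS
    padding = (1 << k).to_bytes((k + 1) // 8, "big")    # 0x80 followed by zero bytes
    # Step 2: the original bit length as a 128-bit big-endian integer.
    length = l.to_bytes(LENGTH_BITS // 8, "big")
    return message + padding + length

def sha512_blocks(message: bytes):
    """Split the padded message into the 1024-bit blocks M1 ... MN fed to F."""
    padded = sha512_pad(message)
    n = BLOCK_BITS // 8
    return [padded[i:i + n] for i in range(0, len(padded), n)]

if __name__ == "__main__":
    for block in sha512_blocks(b"abc"):
        print(block.hex())
```

Because the input is a whole number of bytes, k + 1 is always a multiple of 8, so the padding is one 0x80 byte followed by zero bytes; the two trailing bytes of the "abc" block are 00 18, i.e. the length 24.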
Step 3: Initialize hash buffer
• The outcome of the first two steps produces a message that is an integer multiple of 1024 bits in length.
• The expanded message is represented as the sequence of 1024-bit blocks M1, M2, …, MN, so that the total length of the expanded message is N × 1024 bits.
• A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h), initialised with fixed constants (the IV).
Step 4: Process message in 1024-bit (16-word) blocks
• The heart of the algorithm is a module that consists of 80 rounds; this module is labelled the F function.
SHA-512 Processing of a Single 1024-Bit Block (figure)
The message schedule expands the 16 64-bit words of M_i into 80 words W0 … W79. Round t (t = 0 … 79) updates the eight registers a … h using W_t and the round constant K_t. After round 79, each register is added modulo 2^64 to the corresponding word of H_{i-1} to give H_i.
SHA-512 Processing of a Single 1024-Bit Block
• Each round takes as input the 512-bit buffer value abcdefgh and updates the contents of the buffer.
• At input to the first round, the buffer has the value of the intermediate hash value H_{i-1}.
• Each round t makes use of a 64-bit value W_t, derived from the current 1024-bit block being processed.
• The output of the eightieth round is added to the input to the first round (H_{i-1}) to produce H_i.
Step 5: Output
• After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
SHA-512 Round Function (figure)
SHA-512 Round Function (cont…)
Register update in round t:
h = g
g = f
f = e
e = d + T1
d = c
c = b
b = a
a = T1 + T2
where
T1 = h + Ch(e, f, g) + Σ1(e) + W_t + K_t
T2 = Σ0(a) + Maj(a, b, c)
SHA-512 Round Function Elements
• Maj(a, b, c) = (a AND b) XOR (b AND c) XOR (a AND c): true where the majority of the arguments are true.
• Ch(e, f, g) = (e AND f) XOR (NOT e AND g): the conditional function, f where e is 1 and g where e is 0.
• Σ0(a) = ROTR(a, 28) XOR ROTR(a, 34) XOR ROTR(a, 39)
• Σ1(e) = ROTR(e, 14) XOR ROTR(e, 18) XOR ROTR(e, 41)
• + = addition modulo 2^64
• K_t = a 64-bit additive round constant (t = 0 … 79).
• W_t = a 64-bit word derived from the current message block by the message schedule.
• ROTR(x, n) = circular right rotation of the 64-bit word x by n bits.
Message Authentication
• Message authentication is a procedure to verify
that received message came from the genuine
source and has not been altered.
• Message authentication may also verify
sequencing and timeliness.
• Message authentication is a mechanism or
service used to verify the integrity of a message.
• Message authentication assures that data
received are exactly same as sent (i.e., message
contains no modification, no insertion, no
deletion, or no replay).
Message Authentication (figure)
(a) Symmetric encryption: A sends E(K, M); B decrypts with the shared key K. Provides confidentiality and authentication.
(b) Public-key encryption: A sends E(PUb, M); B decrypts with PRb. Provides confidentiality only.
Message Authentication (figure)
(c) Public-key encryption: A sends E(PRa, M); B decrypts with PUa. Provides authentication and signature.
(d) Public-key encryption: A sends E(PUb, E(PRa, M)); B applies PRb and then PUa. Provides confidentiality, authentication, and signature.
Message Authentication Code
• An alternative authentication technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC.
• The MAC is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K.
• When A has a message to send to B, it calculates the MAC as a function of the message and the key:
MAC = C(K, M)
Message Authentication Code (figure)
(a) Message authentication: A sends M || C(K, M); B recomputes C(K, M) over the received M with the shared K and compares it with the received MAC.
• The receiver is assured that the message has not been altered.
• If an attacker alters the message but does not alter the MAC, then the receiver's calculation of the MAC will differ from the received MAC.
Message Authentication Code
• The receiver is assured that the message is from the alleged sender.
• Because no one else knows the secret key, no one else could prepare a message with a proper MAC.
• A MAC function is similar to encryption. One difference is that the MAC algorithm need not be reversible, as it must be for decryption.
Message Authentication Code (figure)
(b) Message authentication and confidentiality, authentication tied to plaintext: A sends E(K2, [M || C(K1, M)]); B decrypts with K2, then checks C(K1, M).
(c) Message authentication and confidentiality, authentication tied to ciphertext: A sends E(K2, M) || C(K1, E(K2, M)); B checks the MAC over the ciphertext first and only then decrypts with K2.
Separate keys K1 (MAC) and K2 (encryption) are used deliberately; one key should not serve both purposes. Variant (c), MAC over the ciphertext, is the generally recommended order, since a forged or corrupted ciphertext is rejected before it is ever decrypted.
MAC Based on Hash Functions - HMAC
• Cryptographic hash functions such as MD5 and
SHA generally execute faster in software than
symmetric block ciphers such as DES.
• Library code for cryptographic hash functions is
widely available.
Design objectives for HMAC
• To use available hash functions without
modifications.
• To allow for easy replaceability of the embedded
hash function in case faster or more secure hash
functions are found or required.
• To preserve the original performance of the hash
function without incurring a significant degradation..
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of
the strength of the authentication mechanism based
on reasonable assumptions about the embedded
hash function.
HMAC Structure
Figure: HMAC structure. K+ ⊕ ipad gives the b-bit block Si; Si || Y0 Y1 … YL−1 is hashed from IV to the n-bit value H(Si || M), which is padded to b bits; K+ ⊕ opad gives the b-bit block So; So || H(Si || M) is hashed from IV to the n-bit output HMAC(K, M), i.e.
$HMAC(K, M) = H[(K^+ \oplus opad) \,||\, H[(K^+ \oplus ipad) \,||\, M]]$
1. Append zeros to the left end of K to create a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
HMAC Structure
• H = Embedded hash function (e.g. MD5, SHA-1, RIPEMD-160).
• IV = Initial value that is input to hash function.
• M = Message input to HMAC.
• Yi = i-th block of M.
• L = Number of blocks in M.
• N = Length of hash code produced by embedded hash
function.
• K+ = K padded with zeros on the left so that the result is b bits in length.
• ipad = 00110110 (36 in hexadecimal) repeated b/8 times.
• opad = 01011100 (5C in hexadecimal) repeated b/8 times.
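As an added example (not part of the handbook), the seven HMAC steps above implemented in Go with H = SHA-256, cross-checked against the standard library's crypto/hmac; the receiver's "Compare" box from the MAC figures is included as verifyTag. The key and message values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// hmacSHA256 follows the seven HMAC steps with H = SHA-256, so b = 512 bits
// (64-byte block) and n = 256 bits. RFC 2104 additionally hashes a key longer
// than b bits down to n bits first; the page's step 1 assumes |K| <= b.
func hmacSHA256(key, msg []byte) []byte {
	const b = sha256.BlockSize // 64 bytes
	if len(key) > b {
		sum := sha256.Sum256(key)
		key = sum[:]
	}
	// Step 1: K+ = K padded with zero bytes to b bytes (zeros after the key
	// bytes, which is the layout crypto/hmac and RFC 2104 use).
	kPlus := make([]byte, b)
	copy(kPlus, key)
	// Steps 2 and 5: Si = K+ XOR ipad (0x36...), So = K+ XOR opad (0x5C...).
	si, so := make([]byte, b), make([]byte, b)
	for i := range kPlus {
		si[i] = kPlus[i] ^ 0x36
		so[i] = kPlus[i] ^ 0x5c
	}
	// Steps 3 and 4: inner = H(Si || M).
	inner := sha256.New()
	inner.Write(si)
	inner.Write(msg)
	innerHash := inner.Sum(nil)
	// Steps 6 and 7: HMAC(K, M) = H(So || inner).
	outer := sha256.New()
	outer.Write(so)
	outer.Write(innerHash)
	return outer.Sum(nil)
}

// libHMAC is the same computation via the standard library, used as a cross-check.
func libHMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// verifyTag is the receiver's "Compare" box from the MAC figures: recompute
// the MAC over the received message and compare it to the received tag in
// constant time, so the comparison does not leak how many bytes matched.
func verifyTag(key, msg, tag []byte) bool {
	return subtle.ConstantTimeCompare(hmacSHA256(key, msg), tag) == 1
}

func main() {
	key := []byte("constructed example key") // constructed sample values
	msg := []byte("transfer 100 to account 42")
	tag := hmacSHA256(key, msg)
	fmt.Println("HMAC-SHA256:", hex.EncodeToString(tag))
	fmt.Println("matches crypto/hmac:", hmac.Equal(tag, libHMAC(key, msg)))
	// A message altered in transit while the MAC is left unchanged is rejected.
	fmt.Println("altered message accepted:",
		verifyTag(key, []byte("transfer 900 to account 42"), tag))
}
```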
MAC based on Block Ciphers
• The Data Authentication Algorithm (DAA), based on DES, has been one of the most widely used MACs for a number of years.
• The algorithm can be defined as using the cipher block chaining (CBC) mode of operation of DES with an initialization vector of zero.
Figure: CBC mode. Each plaintext block P1, P2, …, PN is XORed with the previous ciphertext block (the IV for P1) and encrypted under K to give C1, C2, …, CN.
Data Authentication Algorithm (DAA)
Figure: DAA. At time 1, 2, …, N the 64-bit data block Di is XORed with the previous 64-bit output Oi−1 (none for D1) and DES-encrypted under the 56-bit key K to give the 64-bit output Oi.
Data Authentication Algorithm (DAA)
$O_1 = E(K, D_1)$
$O_2 = E(K, [D_2 \oplus O_1])$
$O_3 = E(K, [D_3 \oplus O_2])$
$\vdots$
$O_N = E(K, [D_N \oplus O_{N-1}])$
Data Authentication Algorithm (DAA)
• The data (e.g. message, record, file, or program)
to be authenticated are grouped into contiguous
64-bit blocks D1, D2, …, Dn.
• If necessary, the final block is padded on the right
with zeroes to form a full 64-bit block.
• Using the DES encryption algorithm E and a
secret key K, a data authentication code (DAC) is
calculated.
Cipher-Based Message Authentication Code (CMAC)
• The Cipher-based Message Authentication Code (CMAC) is a mode of operation for use with AES and triple DES.
• First, let us define the operation of CMAC when the message length is an integer multiple n of the cipher block length b.
• For AES, b = 128, and for triple DES, b = 64. The
message is divided into n blocks (M1, M2,…, Mn).
Cipher-Based Message Authentication Code (CMAC)
• The algorithm makes use of a k-bit encryption key
K and a b-bit constant K1.
• For AES, the key size k is 128, 192 or 256 bits.
• For triple DES, the key size is 112 or 168 bits.
Cipher-Based Message Authentication Code (CMAC)
Figure (a) Message length is an integer multiple of the block size: M1, M2, …, Mn are chained through the k-bit key K as in CBC, the final block Mn is additionally XORed with the b-bit constant K1 before encryption, and the tag T is the leftmost Tlen bits, MSB(Tlen), of the final output.
Figure (b) Message length is not an integer multiple of the block size: the final partial block is padded with 10..0 to b bits and XORed with the second constant K2 instead of K1; the tag T is again MSB(Tlen) of the final output.
Cipher-Based Message Authentication Code (CMAC)
$C_1 = E(K, M_1)$
$C_2 = E(K, [M_2 \oplus C_1])$
$C_3 = E(K, [M_3 \oplus C_2])$
$\vdots$
$C_n = E(K, [M_n \oplus C_{n-1} \oplus K_1])$
$T = MSB_{Tlen}(C_n)$
Cryptographic Goals
• Confidentiality: symmetric-key ciphers (block ciphers, stream ciphers); public-key ciphers.
• Data integrity: arbitrary length hash functions; message authentication codes (MACs); digital signatures.
• Authentication: entity authentication (authentication primitives); message authentication (MACs, digital signatures).
• Non-repudiation: digital signatures.
Digital Signature
• A digital signature is an authentication
mechanism that enables the creator of a message
to attach a code that acts as a signature.
• Typically the signature is formed by taking the hash of the message and encrypting the hash with the creator’s private key.
• The signature guarantees the source and integrity
of the message.
• The digital signature standard (DSS) is an NIST
standard that uses the secure hash algorithm
(SHA).
Figure: Bob signs message M by computing the cryptographic hash h of M and encrypting h with his private key to form the signature S, which is sent with M. Alice recomputes the hash h' of the received M, decrypts S with Bob's public key to recover h, and compares the two; the result returned is that Bob's signature for M is valid or not valid.
Hash Code, MAC and Digital Signature
Hash Code
• A hash of the message, if appended to the message itself,
only protects against accidental changes to the message, as
an attacker who modifies the message can simply calculate
a new hash and use it instead of the original one. So this
only gives integrity.
MAC
• A message authentication code (MAC) (sometimes also
known as keyed hash) protects against message forgery by
anyone who doesn't know the secret.
• This means that the receiver can forge any message – thus we have both integrity and authentication (as long as the receiver doesn't have a split personality), but not non-repudiation.
Hash Code, MAC and Digital Signature
Digital Signature
• A digital signature is created with a private key,
and verified with the corresponding public key of
an asymmetric key-pair.
• Only the holder of the private key can create this
signature, and normally anyone knowing the
public key can verify it. So digital signature
provides non-repudiation.
Attacks
• C = Attacker, A = victim
• Key-only attack: C only knows A’s public key.
• Known message attack: C has set of messages, signatures.
• Generic chosen message attack: C obtains A’s signatures
on messages selected without knowledge of A’s public key.
• Directed chosen message attack: C obtains A’s signatures
on messages selected after knowing A’s public key.
• Adaptive chosen message attack: C may request
signatures on messages depending upon previous
message-signature pairs.
Forgeries
• Total break: C determines A’s private key.
• Universal forgery: C finds an efficient signing
algorithm that provides an equivalent way of
constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a
particular message chosen by C.
• Existential forgery: C forges a signature for a
particular message not chosen by C.
Consequently, this forgery may only be a minor
nuisance to A.
Digital Signature Requirements
1. The signature must be a bit pattern that depends on the message
being signed.
2. The signature must use some information unique to the sender to
prevent both forgery and denial.
3. It must be relatively easy to produce the digital signature.
4. It must be relatively easy to recognize and verify the digital
signature.
5. It must be computationally infeasible to forge a digital signature,
either by constructing a new message for an existing digital signature
or by constructing a fraudulent digital signature for a given message.
6. It must be practical to retain a copy of the digital signature in
storage.
Digital Signature Standard / DSA
• The DSS uses an algorithm that is designed to
provide only the digital signature function.
• Unlike RSA, it cannot be used for encryption or
key exchange.
RSA Approach
• In the RSA approach, the message to be signed is input to a hash
function that produces a secure hash code of fixed length.
• This hash code is then encrypted using the sender’s private key to
form the signature.
• Both the message and the signature are then transmitted.
• The recipient takes the message and produces a hash code.
Figure: RSA approach. The sender hashes M, encrypts H(M) with the private key PRa to form the signature E(PRa, H(M)) and transmits M || E(PRa, H(M)); the recipient hashes the received M, decrypts the signature with PUa and compares.
RSA Approach
• The recipient also decrypts the signature using
the sender’s public key.
• If the calculated hash code matches the
decrypted signature, the signature is accepted as
valid.
• Because only the sender knows the private key,
only the sender could have produced a valid
signature.
DSA Approach
• The hash code is provided as input to a signature function along
with a random number K generated for this particular signature.
• The signature function also depends on the sender’s private key
(PRa) and a set of parameters known to a group of communicating
principals.
• We can consider this set to constitute a global public key (PUG)
• The result is a signature consisting of two components, labelled as s and r.
Figure: DSA approach. The sender hashes M and feeds H(M), the per-message random number K, the private key PRa and the global public key PUG into the signature function Sig, producing (s, r), which is transmitted with M; the recipient feeds H(M), s, r, PUG and PUa into the verification function Ver and compares its output with r.
DSA Approach
• At the receiving end, the hash code of the incoming
message is generated.
• This plus the signature is input to a verification
function.
• The verification function also depends on the global public key (PUG) as well as the sender’s public key (PUa), which is paired with the sender’s private key.
• The output of the verification function is a value that
is equal to the signature component 𝑟 if the
signature is valid.
• The signature function is such that only the sender,
with knowledge of the private key, could have
produced the valid signature.
Digital Signature Algorithm
Global Public-Key Components
$p$: prime number where $2^{L-1} < p < 2^{L}$ for $512 \le L \le 1024$ and $L$ a multiple of 64; i.e., bit length between 512 and 1024 bits in increments of 64 bits.
$q$: prime divisor of $(p - 1)$, where $2^{N-1} < q < 2^{N}$; i.e., bit length of $N$ bits.
$g = h^{(p-1)/q} \bmod p$, where $h$ is any integer with $1 < h < (p - 1)$ such that $h^{(p-1)/q} \bmod p > 1$.
Digital Signature Algorithm
User’s Private key
$x$: random or pseudorandom integer with $0 < x < q$
User’s Public key
$y = g^{x} \bmod p$
User’s Per-Message Secret Number
$k$: random or pseudorandom integer with $0 < k < q$
Digital Signature Algorithm
Signing
$r = (g^{k} \bmod p) \bmod q$
$s = [k^{-1}(H(M) + xr)] \bmod q$
$Signature = (r, s)$
DSA Signing
Figure: DSA signing. Inputs are the message M, the global components p, q, g, the private key x and the per-message secret k; H(M) is computed, then r = (g^k mod p) mod q and s = [k^{-1}(H(M) + xr)] mod q are output as the signature.
Digital Signature Algorithm
Verifying
$w = (s')^{-1} \bmod q$
$u_1 = [H(M') w] \bmod q$
$u_2 = (r') w \bmod q$
$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
$TEST: v = r'$
where $M$ = message to be signed, $H(M)$ = hash of $M$ using SHA-1, and $M', r', s'$ = received versions of $M, r, s$.
DSA Verifying
Figure: DSA verifying. From the received M', r', s' and the public values y, q, g, the verifier computes H(M'), w = (s')^{-1} mod q, u1, u2 and v, and accepts the signature if r' = v.
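An added example, not from the handbook, of the DSA signing and verifying equations above written with Go's math/big. Two assumptions of the example: the parameter search for (p, q, g) is delegated to crypto/dsa, and SHA-256 truncated to N bits stands in for the page's SHA-1.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Params holds the global public-key components (p, q, g).
type Params struct{ P, Q, G *big.Int }

// newParams draws p (1024 bits), q (160 bits, q | p-1) and g = h^((p-1)/q) mod p
// of order q, the sizes the page quotes; crypto/dsa is used only for this search.
func newParams() Params {
	var dp dsa.Parameters
	if err := dsa.GenerateParameters(&dp, rand.Reader, dsa.L1024N160); err != nil {
		panic(err)
	}
	return Params{P: dp.P, Q: dp.Q, G: dp.G}
}

// hashInt is H(M) as an integer: the leftmost N bits of SHA-256, N = bitlen(q)
// (FIPS 186 truncation; the page names SHA-1, whose 160 bits match N directly).
func hashInt(msg []byte, q *big.Int) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).SetBytes(h[:q.BitLen()/8])
}

// randBelow returns a uniformly random integer with 0 < r < n.
func randBelow(n *big.Int) *big.Int {
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return r.Add(r, big.NewInt(1))
}

// keyGen picks the private key x in (0, q) and computes y = g^x mod p.
func keyGen(pp Params) (x, y *big.Int) {
	x = randBelow(pp.Q)
	return x, new(big.Int).Exp(pp.G, x, pp.P)
}

// sign computes r = (g^k mod p) mod q and s = [k^-1 (H(M) + x r)] mod q with a
// fresh per-message secret k, retrying in the rare case r or s is zero.
func sign(pp Params, x *big.Int, msg []byte) (r, s *big.Int) {
	for {
		k := randBelow(pp.Q)
		r = new(big.Int).Exp(pp.G, k, pp.P)
		r.Mod(r, pp.Q)
		s = new(big.Int).Mul(x, r)
		s.Add(s, hashInt(msg, pp.Q))
		s.Mul(s, new(big.Int).ModInverse(k, pp.Q))
		s.Mod(s, pp.Q)
		if r.Sign() != 0 && s.Sign() != 0 {
			return r, s
		}
	}
}

// verify computes w, u1, u2 and v = [(g^u1 y^u2) mod p] mod q and accepts the
// signature only when v = r'; the range check 0 < r', s' < q comes first.
func verify(pp Params, y *big.Int, msg []byte, r, s *big.Int) bool {
	if r.Sign() <= 0 || r.Cmp(pp.Q) >= 0 || s.Sign() <= 0 || s.Cmp(pp.Q) >= 0 {
		return false
	}
	w := new(big.Int).ModInverse(s, pp.Q)
	u1 := new(big.Int).Mul(hashInt(msg, pp.Q), w)
	u1.Mod(u1, pp.Q)
	u2 := new(big.Int).Mul(r, w)
	u2.Mod(u2, pp.Q)
	v := new(big.Int).Exp(pp.G, u1, pp.P)
	v.Mul(v, new(big.Int).Exp(y, u2, pp.P))
	v.Mod(v, pp.P)
	return v.Mod(v, pp.Q).Cmp(r) == 0
}
```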
ElGamal Digital Signatures
• Uses private key for encryption (signing)
• Uses public key for decryption (verification)
• Each user generates their key
– Chooses a secret key (number): $1 < X_A < q$
– Compute their public key: $Y_A = a^{X_A} \bmod q$
ElGamal Digital Signature
• Alice signs a message M to Bob by computing
– The hash $m = H(M)$, $0 \le m \le (q - 1)$
– Choose random integer $K$ with $1 \le K \le q - 1$ and $\gcd(K, q - 1) = 1$
– Compute temporary key: $S_1 = a^{K} \bmod q$
– Compute $K^{-1}$, the inverse of $K \bmod (q - 1)$
– Compute the value: $S_2 = K^{-1}(m - X_A S_1) \bmod (q - 1)$
– Signature is: $(S_1, S_2)$
• Any user B can verify the signature by computing
– $V_1 = a^{m} \bmod q$
– $V_2 = Y_A^{S_1} S_1^{S_2} \bmod q = (a^{X_A})^{S_1} (a^{K})^{S_2} \bmod q = a^{X_A S_1 + m - X_A S_1} \bmod q = a^{m} \bmod q$
– Signature is valid if $V_1 = V_2$
ElGamal Signature Example
• Use field GF(19): $q = 19$ and $a = 10$
• Alice computes her key:
– A chooses $X_A = 16$ and computes $Y_A = 10^{16} \bmod 19 = 4$
• Alice signs message with hash $m = 14$ as (3, 4):
– Choosing random $K = 5$, which has $\gcd(18, 5) = 1$
– Computing $S_1 = 10^{5} \bmod 19 = 3$
– Finding $K^{-1} \bmod (q - 1) = 5^{-1} \bmod 18 = 11$
– Computing $S_2 = 11(14 - 16 \cdot 3) \bmod 18 = 4$
• Any user B can verify the signature by computing
– $V_1 = 10^{14} \bmod 19 = 16$
– $V_2 = 4^{3} \cdot 3^{4} = 5184 = 16 \bmod 19$
– Since $16 = 16$, the signature is valid
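The slide's numbers reproduced by an added Go example (not part of the handbook): the same GF(19), a = 10, X_A = 16, m = 14 and K = 5, with the signing and verification functions written generally so that other parameters can be tried.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Domain is the ElGamal signature setting: prime q and primitive root a of GF(q).
type Domain struct{ Q, A *big.Int }

// elgamalSign computes S1 = a^K mod q and S2 = K^-1 (m - X_A S1) mod (q-1) for
// hash value m and per-message K; K must satisfy gcd(K, q-1) = 1.
func elgamalSign(d Domain, xA, m, k *big.Int) (s1, s2 *big.Int, err error) {
	qm1 := new(big.Int).Sub(d.Q, big.NewInt(1))
	kInv := new(big.Int).ModInverse(k, qm1)
	if kInv == nil {
		return nil, nil, errors.New("K has no inverse mod q-1: gcd(K, q-1) != 1")
	}
	s1 = new(big.Int).Exp(d.A, k, d.Q)
	s2 = new(big.Int).Mul(xA, s1)
	s2.Sub(m, s2) // m - X_A S1, which may be negative
	s2.Mul(s2, kInv)
	s2.Mod(s2, qm1) // big.Int.Mod is Euclidean, so the result lies in [0, q-2]
	return s1, s2, nil
}

// elgamalVerify checks V1 = a^m mod q against V2 = Y_A^S1 S1^S2 mod q.
func elgamalVerify(d Domain, yA, m, s1, s2 *big.Int) bool {
	if s1.Sign() <= 0 || s1.Cmp(d.Q) >= 0 {
		return false // require 0 < S1 < q
	}
	v1 := new(big.Int).Exp(d.A, m, d.Q)
	v2 := new(big.Int).Exp(yA, s1, d.Q)
	v2.Mul(v2, new(big.Int).Exp(s1, s2, d.Q))
	v2.Mod(v2, d.Q)
	return v1.Cmp(v2) == 0
}

// pageExample reproduces the slide: GF(19), a = 10, X_A = 16, m = 14, K = 5.
func pageExample() (yA, s1, s2 *big.Int, valid bool) {
	d := Domain{Q: big.NewInt(19), A: big.NewInt(10)}
	xA, m, k := big.NewInt(16), big.NewInt(14), big.NewInt(5)
	yA = new(big.Int).Exp(d.A, xA, d.Q) // 10^16 mod 19 = 4
	s1, s2, err := elgamalSign(d, xA, m, k)
	if err != nil {
		panic(err)
	}
	return yA, s1, s2, elgamalVerify(d, yA, m, s1, s2)
}

func main() {
	yA, s1, s2, ok := pageExample()
	fmt.Printf("Y_A = %v, signature (S1, S2) = (%v, %v), valid = %v\n", yA, s1, s2, ok)
}
```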
Schnorr Digital Signatures
• Also uses exponentiation in a finite (Galois) field
• Security based on discrete logarithms
• Minimizes message-dependent computation
• Multiplying a $2n$-bit integer with an $n$-bit integer
• Main work can be done in idle time
• Uses a prime modulus $p$
• $p - 1$ has a prime factor $q$ of appropriate size
• Typically $p$ is a 1024-bit and $q$ a 160-bit number
Schnorr Key Setup
• Choose suitable primes $p$ and $q$
• Choose $a$ such that $a^{q} = 1 \bmod p$
• $(a, p, q)$ are global parameters for all users
• Each user generates a key
• Chooses a secret key (number): $0 < S_A < q$
• Compute their public key: $V_A = a^{-S_A} \bmod p$
Schnorr Signature
• User signs message by
• Choosing random number $r$ with $0 < r < q$ and computing: $X = a^{r} \bmod p$
• Concatenating the message with $X$ and hashing the result to compute: $e = H(M \,||\, X)$
• Computing: $Y = (r + S_A e) \bmod q$
• Signature pair: $(e, Y)$
• Any other user can verify the signature as follows:
• Computing: $X' = a^{Y} V_A^{e} \bmod p = a^{Y} a^{-S_A e} \bmod p = a^{Y - S_A e} \bmod p = a^{r} \bmod p = X$
• Verifying that: $e = H(M \,||\, X')$
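An added Go example (not the handbook's) of the Schnorr scheme above with a constructed toy group (p = 23, q = 11, a = 2) and SHA-256 as H; the message-independent step is separated out to show the "idle time" precomputation the page mentions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Group is the Schnorr setting (a, p, q) with a^q = 1 mod p.
type Group struct{ A, P, Q *big.Int }

// toyGroup is constructed for illustration: q = 11 divides p - 1 = 22 and
// a = 2 has order 11 mod 23 (2^11 = 2048 = 89*23 + 1); real parameters are
// the 1024-bit p and 160-bit q the page quotes.
var toyGroup = Group{A: big.NewInt(2), P: big.NewInt(23), Q: big.NewInt(11)}

// randBelow returns a random integer with 0 < r < n.
func randBelow(n *big.Int) *big.Int {
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return r.Add(r, big.NewInt(1))
}

// keyGen picks S_A in (0, q) and computes V_A = a^-S_A mod p.
func keyGen(g Group) (sA, vA *big.Int) {
	sA = randBelow(g.Q)
	vA = new(big.Int).ModInverse(new(big.Int).Exp(g.A, sA, g.P), g.P)
	return sA, vA
}

// hashE is e = H(M || X) as an integer; X is serialised as decimal text so
// that signer and verifier hash identical bytes.
func hashE(msg []byte, x *big.Int) *big.Int {
	h := sha256.Sum256(append(append([]byte{}, msg...), x.String()...))
	return new(big.Int).SetBytes(h[:])
}

// precompute is the message-independent work the page says can be done in
// idle time: pick r in (0, q) and compute X = a^r mod p.
func precompute(g Group) (r, x *big.Int) {
	r = randBelow(g.Q)
	return r, new(big.Int).Exp(g.A, r, g.P)
}

// sign finishes the signature with a precomputed (r, X): e = H(M || X) and
// Y = (r + S_A e) mod q. A (r, X) pair must never be used for two messages.
func sign(g Group, sA, r, x *big.Int, msg []byte) (e, y *big.Int) {
	e = hashE(msg, x)
	y = new(big.Int).Mul(sA, e)
	y.Add(y, r)
	return e, y.Mod(y, g.Q)
}

// verify recomputes X' = a^Y V_A^e mod p and checks e = H(M || X').
func verify(g Group, vA *big.Int, msg []byte, e, y *big.Int) bool {
	xp := new(big.Int).Exp(g.A, y, g.P)
	xp.Mul(xp, new(big.Int).Exp(vA, e, g.P))
	xp.Mod(xp, g.P)
	return hashE(msg, xp).Cmp(e) == 0
}

func main() {
	sA, vA := keyGen(toyGroup)
	r, x := precompute(toyGroup)
	msg := []byte("constructed message")
	e, y := sign(toyGroup, sA, r, x, msg)
	fmt.Println("valid:", verify(toyGroup, vA, msg, e, y))
	fmt.Println("tampered:", verify(toyGroup, vA, []byte("altered message"), e, y))
}
```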
Key Distribution
• Key distribution is the function that delivers a key
to two parties who wish to exchange secure
encrypted data.
• Some sort of mechanism or protocol is needed to
provide the secure distribution of keys.
• Key distribution often involves the use of
– Master keys, which are infrequently used and are long lasting.
– Session keys, which are generated and distributed for
temporary use between two parties.
Symmetric Key Distribution using Symmetric Encryption
• Objective: Two entities share the same secret key.
• Principle: Change keys frequently.
• How to exchange a secret key?
• For two parties A and B, key distribution can be achieved in a number
of ways, as follows:
1. A can select a key and physically deliver it to B.
2. Third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can
transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C
can deliver a key on the encrypted links to A and B.
Using a Key Distribution Centre
• Key Distribution Centre (KDC) is trusted third
party.
• Hierarchy of keys used:
– Data sent between end-systems is encrypted with a temporary session key.
– Session keys obtained from KDC over network are encrypted
with master key.
– Master keys can be distributed using manual delivery.
Key Hierarchy
• Communication between end systems is encrypted using a temporary key, often referred to as a session key.
• Session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user.
Key Distribution Scenario
Figure: Key distribution scenario between A, B and the Key Distribution Center (KDC):
(1) A → KDC: $ID_A \,||\, ID_B \,||\, N_1$
(2) KDC → A: $E(K_a, [K_s \,||\, ID_A \,||\, ID_B \,||\, N_1]) \,||\, E(K_b, [K_s \,||\, ID_A])$
(3) A → B: $E(K_b, [K_s \,||\, ID_A])$
(4) B → A: $E(K_s, N_2)$
(5) A → B: $E(K_s, f(N_2))$
KDC Scenario Notation
• End-systems: A and B, identified by IDA and IDB.
• Master keys: Ka, Kb
• Session key (between A and B): Ks
• Nonce values: N1, N2
– E.g., timestamp, counter, random value.
– Must be different for each request.
– Must be difficult for an attacker to guess.
Key Distribution Scenario
1. A issues a request to the KDC for a session key
to protect a logical connection to B. The message
includes the identity of A and B and a unique
nonce N1.
2. The KDC responds with a message encrypted
using Ka that includes:
I. One-time session key Ks to be used for the session.
II. The original request message to enable A to match
response with appropriate request.
III. Information for B.
Key Distribution Scenario
3. A stores the session key for use in the upcoming
session and forwards to B the information from
the KDC for B, namely, 𝐸(𝐾𝑏 , [𝐾𝑠 ||𝐼𝐷𝐴 ]).
4. B sends a nonce N2 to A using the new session
key.
5. A responds with f(N2) using Ks.
• The last two steps assure B that the original message it received (step 3) was not a replay.
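The five-step KDC scenario above simulated in Go as an added example (not part of the handbook). AES-128-GCM stands in for the page's E(K, ·), f(N) = N + 1, and the identities, key sizes and field widths are constructed assumptions; each check that the text attributes to A or B appears at the corresponding step.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Fixed field widths let the page's concatenations X || Y be split again.
const nonceLen, keyLen, gcmNonce = 8, 16, 12

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm backs seal/open, which stand in for the page's E(K, X) and D(K, X) with
// AES-128-GCM; keys are always keyLen bytes here, so the constructors cannot fail.
func gcm(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}

func seal(key, pt []byte) []byte {
	nonce := randBytes(gcmNonce) // fresh nonce per message, sent in the clear
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	if len(ct) < gcmNonce {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:gcmNonce], ct[gcmNonce:], nil)
}

// f is the agreed nonce transformation, here f(N) = N + 1 as a big-endian integer.
func f(n []byte) []byte {
	out := make([]byte, nonceLen)
	binary.BigEndian.PutUint64(out, binary.BigEndian.Uint64(n)+1)
	return out
}

// runScenario plays steps (1)-(5) between A, B and the KDC and returns the
// session key each end system holds afterwards.
func runScenario() (ksA, ksB []byte, err error) {
	idA, idB := []byte("A000"), []byte("B000")
	ka, kb := randBytes(keyLen), randBytes(keyLen) // master keys shared with the KDC
	n1 := randBytes(nonceLen)                      // (1) A -> KDC: IDA || IDB || N1
	ks := randBytes(keyLen)                        // (2) KDC -> A: E(Ka, [Ks||IDA||IDB||N1]) || E(Kb, [Ks||IDA])
	forA := seal(ka, bytes.Join([][]byte{ks, idA, idB, n1}, nil))
	forB := seal(kb, bytes.Join([][]byte{ks, idA}, nil))
	// A decrypts with Ka and matches the echoed IDA || IDB || N1 to its request.
	pa, e := open(ka, forA)
	if e != nil || !bytes.Equal(pa[keyLen:], bytes.Join([][]byte{idA, idB, n1}, nil)) {
		return nil, nil, errors.New("A: response undecryptable or not for this request")
	}
	ksA = pa[:keyLen]
	pb, e := open(kb, forB) // (3) A -> B: E(Kb, [Ks || IDA]); B recovers Ks and the peer
	if e != nil || !bytes.Equal(pb[keyLen:], idA) {
		return nil, nil, errors.New("B: ticket undecryptable or unexpected peer")
	}
	ksB = pb[:keyLen]
	n2 := randBytes(nonceLen) // (4) B -> A: E(Ks, N2); A decrypts with the key from the KDC
	gotN2, e := open(ksA, seal(ksB, n2))
	if e != nil {
		return nil, nil, errors.New("A: cannot read B's nonce")
	}
	reply, e := open(ksB, seal(ksA, f(gotN2))) // (5) A -> B: E(Ks, f(N2)); B checks f(N2)
	if e != nil || !bytes.Equal(reply, f(n2)) {
		return nil, nil, errors.New("B: step 5 check failed, A does not hold Ks")
	}
	return ksA, ksB, nil
}
```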
Decentralised Key Distribution
• Alternative option that doesn’t rely on a KDC.
• Each end-system must manually exchange n−1 master keys (Km) with the others.
Figure: Decentralised key distribution between A and B:
(1) A → B: $ID_A \,||\, N_1$
(2) B → A: $E(K_m, [K_s \,||\, ID_A \,||\, ID_B \,||\, f(N_1) \,||\, N_2])$
(3) A → B: $E(K_s, f(N_2))$
1. A issues a request to B for a session key and includes a nonce.
2. B responds with a message that is encrypted using the shared master key.
3. A returns f(N2) to B using the new session key.
Symmetric Key Distribution using Asymmetric Encryption
• Common application of asymmetric encryption is
exchanging secret keys.
• Two examples:
1. Simple Secret Key Distribution.
2. Secret Key Distribution with Confidentiality and
Authentication.
Simple Secret Key Distribution
Figure: Simple secret key distribution:
(1) A → B: $PU_a \,||\, ID_A$
(2) B → A: $E(PU_a, K_s)$
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.
Secret Key Distribution with Confidentiality & Authentication
Figure (messages 1 and 2):
(1) A → B: $E(PU_b, [N_1 \,||\, ID_A])$
(2) B → A: $E(PU_a, [N_1 \,||\, N_2])$
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). The presence of N1 in message (2) assures A that the correspondent is B.
Secret Key Distribution with Confidentiality & Authentication
Figure (all four messages):
(1) A → B: $E(PU_b, [N_1 \,||\, ID_A])$
(2) B → A: $E(PU_a, [N_1 \,||\, N_2])$
(3) A → B: $E(PU_b, N_2)$
(4) A → B: $E(PU_b, E(PR_a, K_s))$
3. A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B.
Encryption with B's public key ensures that only B can read it;
encryption with A's private key ensures that only A could have
sent it.
5. B computes D(PUa,D(PRb,M)) to recover the secret key.
Distribution of Public Keys
• Public keys are made public by design.
• Issue: how to ensure public key of A actually
belongs to A (and not someone pretending to be
A).
• Four approaches for distributing public keys
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates
1. Public Announcement
• Make the public key available in an open forum: newspaper, email signature, website and conference.
• Problem: anyone can announce a key pretending to be another user.
2. Publicly Available Directory

1. The authority maintains a directory with a {name, public key} entry for
each participant.
2. Each participant registers a public key with the directory authority.
3. A participant may replace the existing key with a new one at any time.
4. Participants could also access the directory electronically. For this
purpose, secure, authenticated communication from the authority to
the participant is mandatory.
3. Public-Key Authority
Figure: Public-key authority scenario between A, B and the Public-Key Authority:
(1) A → Authority: $Request \,||\, T_1$
(2) Authority → A: $E(PR_{auth}, [PU_b \,||\, Request \,||\, T_1])$
(3) A → B: $E(PU_b, [ID_A \,||\, N_1])$
(4) B → Authority: $Request \,||\, T_2$
(5) Authority → B: $E(PR_{auth}, [PU_a \,||\, Request \,||\, T_2])$
(6) B → A: $E(PU_a, [N_1 \,||\, N_2])$
(7) A → B: $E(PU_b, N_2)$
3. Public-Key Authority – Cont…
1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority’s private key. The message contains PUb, the original request and the original timestamp T1.
3. A stores B’s public key and also uses it to encrypt a message to B containing an identifier of A (IDa) and a nonce (N1).
4, 5. B retrieves A’s public key from the authority in the same manner as A retrieved B’s public key.
3. Public-Key Authority – Cont…
6. B sends a message to A encrypted with PUa and
containing A’s nonce(N1) as well as a new nonce
generated by B(N2). The presence of N1 in
message (6) assures A that the correspondent is
B.
7. A returns N2, which is encrypted using B’s public
key, to assure B that its correspondent is A.
4. Public-Key Certificates
• Any participant can read a certificate to
determine the name and public key of the
certificate’s owner.
• Any participant can verify that the certificate
originated from the certificate authority and is
not counterfeit.
• Only the certificate authority can create and
update certificates.
• Any participant can verify the currency of the
certificate.
4. Public-Key Certificates – Cont…
Figure: Certificate exchange. A and B each supply their public key (PUa, PUb) to the Certificate Authority, which issues
$C_A = E(PR_{auth}, [T_1 \,||\, ID_a \,||\, PU_a])$ and
$C_B = E(PR_{auth}, [T_2 \,||\, ID_b \,||\, PU_b])$;
then (1) A → B: $C_A$ and (2) B → A: $C_B$.
4. Public-Key Certificates – Cont…
• Each participant applies to the certificate authority, supplying a public key and requesting a certificate.
• For participant A, the authority provides a certificate of the form
$C_A = E(PR_{auth}, [T \,||\, ID_a \,||\, PU_a])$
• A may then pass this certificate on to any other participant, who reads and verifies the certificate as follows:
$D(PU_{auth}, C_A) = D(PU_{auth}, E(PR_{auth}, [T \,||\, ID_a \,||\, PU_a])) = (T \,||\, ID_a \,||\, PU_a)$
X.509 Certificates
• An X.509 certificate is a digital certificate that uses
the widely accepted international X.509 public key
infrastructure (PKI) standard to verify that a public
key belongs to the user, computer or service identity
contained within the certificate.
• X.509 defines the format for public-key certificates
used in a variety of applications.
• The directory may serve as a repository of public-key
certificates.
• Each certificate contains the public key of a user and
is signed with the private key of a trusted
certification authority.
X.509 Formats
Figure: X.509 certificate formats.
Version 1 fields: version; certificate serial number; signature algorithm identifier (algorithm, parameters); issuer name; period of validity (not before, not after); subject name; subject’s public key info (algorithms, parameters, key).
Version 2 adds: issuer unique identifier; subject unique identifier.
Version 3 adds: extensions.
All versions end with the signature (algorithms, parameters, encrypted hash).
X.509 Format – Cont…
• Version: Differentiates among successive versions of
the certificate format; the default is version 1.
• Serial number: The identity creating the certificate
must assign it a serial number that distinguishes it
from other certificates.
• Signature algorithm identifier: The algorithm used
by the issuer to sign the certificate.
• Issuer name: The name of the entity issuing the
certificate (usually a certificate authority).
• Period of validity: Consists of two dates: the first and
last on which the certificate is valid.
• Subject name: The name of the user to whom this
certificate refers.
X.509 Format – Cont…
• Subject’s public-key information: The public key
associated with the identity.
• Issuer unique identifier: An optional bit string field used to uniquely identify the issuing Certificate Authority (CA).
• Subject unique identifier: An optional bit string field used to uniquely identify the subject name.
• Extensions: A set of one or more extension fields.
Public-Key Certificate Use
Figure: Certificate signing and verification. The unsigned certificate contains the user ID (Bob’s ID information) and the user's public key (Bob’s public key). The CA generates a hash code H of the unsigned certificate and encrypts it with the CA's private key to form the signature; the unsigned certificate plus the signature form the signed certificate. The recipient generates the hash code of the certificate contents, decrypts the signature with the CA's public key to recover the hash code, and verifies the CA signature by comparing the two hash code values.
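An added Go example, not from the handbook, that builds a certificate authority, issues a certificate (the page's C_A = E(PR_auth, [T || ID_a || PU_a])) and verifies it as D(PU_auth, C_A) with crypto/x509; the issuer and subject names, serial number and validity period are constructed. The same certificate checked against an unrelated CA fails, which is the counterfeit case the page describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs template for pub with signer (the issuer's private key) and parses the DER result.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates the certificate authority: its key pair is (PU_auth, PR_auth)
// and its self-signed certificate is what participants trust.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issue is the authority producing C_A = E(PR_auth, [T || ID_a || PU_a]): the
// validity period T, subject name ID_a and public key PU_a, signed with PR_auth.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return mustCert(tmpl, ca, pub, caKey)
}

// verifyWith is the participant's D(PU_auth, C_A): it checks the signature on
// cert with the CA's public key and the validity period against the current time.
func verifyWith(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	ca, caKey := newCA("Example Root CA") // constructed names
	alice := newKey()
	cert := issue(ca, caKey, "alice", &alice.PublicKey, 42)
	fmt.Printf("v%d serial %v issuer %q subject %q %v\n", cert.Version, cert.SerialNumber, cert.Issuer.CommonName, cert.Subject.CommonName, cert.SignatureAlgorithm)
	other, _ := newCA("Other CA")
	fmt.Println("under issuing CA:", verifyWith(cert, ca), "| under other CA:", verifyWith(cert, other))
}
```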
Public key Infrastructure (PKI)
• A public-key infrastructure (PKI) is defined as the
set of hardware, software, people, policies, and
procedures needed to create, manage, store,
distribute, and revoke digital certificates based on
asymmetric cryptography.
• It provides the identification of public keys and
their distribution.
• The principal objective for developing a PKI is to
enable secure, convenient, and efficient
acquisition of public keys.
Public key Infrastructure (PKI)
Figure: PKIX architectural model. PKI users (end entities) retrieve certificates and CRLs from certificate/CRL repositories and perform registration, initialization, certification, key pair recovery, key pair update and revocation requests with the PKI management entities; the registration authority handles registration on behalf of the certificate authority, the certificate authority publishes certificates and CRLs to the repository and cross-certifies with other certificate authorities, and the CRL issuer publishes CRLs.
Public key Infrastructure (PKI) – Cont…
• End entity: A generic term used to denote end users,
devices (e.g., servers, routers), or any other entity that can
be identified in the subject field of a public-key certificate.
• Certification authority (CA): The issuer of certificates and
certificate revocation lists (CRLs).
• Registration authority (RA): CA may use a third-party
Registration Authority (RA) to perform the necessary
checks on the person or company requesting the certificate
to confirm their identity.
• CRL issuer: An optional component that a CA can delegate
to publish CRLs.
• Repository: A generic term used to denote any method for
storing certificates and CRLs so that they can be retrieved
by end entities.
