Chapter 3:- Cryptography and Public Key

Infrastructure
 Introduction to Cryptography
Before going in detail to this chapter, we should know some basic
concepts of cryptography, which are explained below.

Cryptanalysis

(Sender) (Receiver)
Message Message
Encryption Decryption
Source Cipher text Destination
(plaintext) $%# (plaintext)
ABC ABC
Encryption Decryption
Key Key
Figure 3.1 Conventional encryption model

- Cryptography is  derived from Greek words: “Crypto” means “hidden”

and “Graphy” means “writing”. So we can say cryptography is hidden
writing or secret writing.
- Plaintext (clear text): plaintext is original message or normal information
that can be understood by reading it. This message is confidential.
- Cipher text: Plaintext is converted into unreadable form is cipher text.
The conversion is done using encryption algorithm using encryption key.
Cipher text is secure message that can‟ t be understood by the attacker.
- Encryption (Enciphering): it is the process by which plaintext is
converted into cipher text using encryption algorithm.
- Secret key (Key): Key is a set of numbers which is used by cipher for
encryption process. So we need encryption key for encryption of plaintext
to cipher text. And we need decryption key for decryption of cipher text
to plaintext.
2 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- Decryption (Deciphering): it is a reverse process of encryption at

receiver end. In it cipher text message is converted back to the original
message using decryption algorithm.
- Encryption and Decryption algorithms combined known as cipher or
cryptography system.
3.1 Classification of Cryptography (Symmetric and
Asymmetric cryptography)
- We can classify all cryptography algorithms in to two groups: Symmetric
key (Private key also called Secret key) algorithms and Asymmetric Key
(Public key) Cryptography Algorithm.
 Symmetric key cryptography
(Sender) (Receiver)
Message Message
Encryption Decryption
Source Destination
Cipher text
(plaintext) (plaintext)

Encryption /
Decryption Key
(Same Key)
Figure 3.2 Symmetric key cryptography

- In this cryptography, as we can see in above figure, same key is used by

both the sender and the receiver.
- Sender uses this key for encryption algorithm to encrypt data; and
receiver using the same key for decryption algorithm to decrypt data.
- In it key is shared between sender and receiver.
- It is also called private key or secret key encryption
- Example: Data Encryption Standard (DES).
 Advantages
- It takes less time compare to public key cryptography.
- The key is smaller.
 Cryptography and Public key infrastructure

 Asymmetric key cryptography

Public Key

Receiver’s
Private Key
Sender
Receiver

Figure 4.3 Asymmetric key cryptography

- In this cryptography technique, there are two keys: a private key and a
public key.
- In this method, private key is used for individual and public key is
available for public.
- Public key is disclosed to all the users in network and private key is the
secret key known only to a particular user.
- Private key is never distributed by the receiver
- Public key used for encryption and private key is used for decryption.
- Example: RSA algorithm, Digital signature
 Cryptographic systems are characterized along three independent
dimensions:
1. The type of operation (algorithm) used:
 There are two general techniques substitution and transposition.
 In substitution technique, each plaintext element (letter) is replaced or
mapped with another letter.
 In transposition technique, elements in the plaintext are rearranged.
2. Number of keys used:
 If both sender and receiver use the same key, the system is referred to
as symmetric, single-key, secret-key, or conventional encryption. If the
sender and receiver use different keys, the system is referred to as
asymmetric, two-key, or public-key encryption.
4 |C o m p u t e r a n d N e t w o r k S e c u r i t y

3. The way in which the plaintext is processed (Block cipher or Stream cipher):
 A block cipher processes the input one block of elements at a time,
producing an output block for each input block.
 A stream cipher processes the input elements continuously, producing
output one element at a time, as it goes along.
 Cryptanalysis and Brute force attack
- Generally attackers try to attack in encryption to recover the key rather
than plaintext. There are two general approaches to attacking a
conventional encryption scheme Cryptanalysis and Brute force attack:
 Cryptanalysis: The process of trying to break the cipher text to obtain the
original plain text is called cryptanalysis.
- It is study of ciphers and cipher text with a view of finding weaknesses in
them to retrieve plaintext from cipher text without necessarily knowing
the key or the algorithm.
- It is breaking the code, and the person attempting cryptanalysis is called
cryptanalyst.
 Brute-force attack: The attacker tries every possible key on a piece of
cipher text until the plain text is achieved. On average, half of all possible
keys must be tried to achieve success.
 Various types of cryptanalysis attacks are
- Cipher text only: in which the cryptanalyst tries to get the plaintext or the
decryption function from the knowledge of a piece of cipher text. It is
weakest among all methods.
- Known plain text: the cryptanalyst has access to a cipher text and its
corresponding plain text. Then attacker tries brute force attack to find
decryption function.
- Chosen plaintext: in which Plaintext message chosen by cryptanalyst and
obtain the corresponding cipher text with the secret key.
- Chosen cipher text: this is just opposite of previous attack, the
cryptanalysis can choose any cipher text he wants and obtain the
corresponding plaintext using a decryption. This is strongest among all
methods.
 Cryptography and Public key infrastructure

 Difference between symmetric key cryptography and asymmetric

key cryptography

Symmetric Cryptography Asymmetric Cryptography

It uses the same key for both It uses one key for encryption and
encryption and decryption. different key for decryption.
Figure: Figure:

It is also called secret key or It is also called public key or two

private key encryption. key encryption.
It cannot be used for digital It can be used for digital signature.
signature.
It is extremely fast and relatively It has high computational burden
low complexity. and slow compare to symmetric.
Purpose: The symmetric encryption Purpose: it is often used for securely
is used for bulk data transmission. exchanging secret keys.
Example: DES, AES Example: RSA

3.2 Encryption algorithms

 Caesar Cipher
- It is the simplest technique found by Julius Caesar.
- It is a substitution cipher technique.
- In this method, each character of a plaintext message is replaced by a
character three position down in the alphabet to get the cipher text
message. For example letter „A‟ in plaintext converted in cipher text letter
„D‟ same as B to E, W to Z and so on.
6 |C o m p u t e r a n d N e t w o r k S e c u r i t y
- We can define the transformation by listing all possibilities, as follows:
Plain text

a b c d e f g h I j k l m n o p q r s t u v w x y z
Cipher text

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

- For example:
If plaintext is  aarush and bhagya
Cipher text is DDUXVK DQG EKDJBD
- So, by adding 3 as a key, you can encrypt your plaintext into cipher text
and by subtracting 3 from cipher text you can get back the plaintext.
- Now let‟ s assign the numeric value to each letter, then:

a b c d e f g h i j
0 1 2 3 4 5 6 7 8 9
k l m n o p q r s t
10 11 12 13 14 15 16 17 18 19
u v w x y z
20 21 22 23 24 25

- We can represent the Caesar cipher mathematically as:

C = E(3 , p) = (p + 3) mod 26 (Where C is cipher text, P is plaintext)

And for decryption we can write:

P = E (3 , c) = (c – 3) mod 26
- A more general version of this cipher is:
C = E( k, p ) = (p + k) mod 26 and P = E(3 , c) = (c – k) mod 26
 Advantages of Caesar cipher
 It is easy to use.
 Its working fast.
 Cryptography and Public key infrastructure

 Disadvantages Caesar cipher

 It has simple structure. The encryption and decryption algorithms are
known.
 There are only 25 keys to try.
 Brute force attack can be done on it easily.
Note: Caesar cipher is the simplest form of “shift cipher”.
Shift cipher is a type of substitution cipher in which each letter in the
plaintext is replaced by a letter some fixed number of positions up or
down the alphabet. For example, with a leftshift of 3, D would be
replaced by A, E would become B, and so on.
In case of Caesar cipher encryption, we are replacing our plaintext
letter by shifting three letters ahead.

 Playfair cipher
- This technique has been used until the end of World War 1 by Britain. It is
a type of block cipher.
- It is the best known method of multiple-letter encryption cipher.
- Playfair algorithm is based on the use of a 5 X 5 matrix of letters
constructed using a keyword.
- Fill in letters of keyword in the matrix and fill the rest of matrix with other
letters.
- I and J are put in a single place (same position).
- For example  using the keyword BHAGYA, the matrix will be like:
B H A G Y
C D E F I/J
K L M N O
P Q R S T
U V W X Z
8 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- The matrix is constructed by filling in the letters of the keyword from left
to right and from top to bottom and then filling the remainder of the matrix
with the remainder letters in alphabetic order.
 In the process of encryption in Playfair cipher:
- Break the plaintext into pairs of two consecutive letters, like „asmita‟ is
written as  as mi ta
- If a pair is repeated letters, insert filler like „X‟ in the plaintext. E.g.
„balloon‟ is treated as ba lx lo on.
- If both letters falls in the same row of the key matrix, replace each with the
letter immediate to its right (wrapping back to start from end). E.g. “GY”
encrypts to “YB”.
- If both letters falls in the same column, replace each with the letter
immediately below it (again wrapping to top from bottom). E.g. “BU”
encrypts to “CB”.
- Otherwise each letter is replaced by the one in its row in the column of the
other letter of the pair. E.g. “DS” encrypts to “FQ” and “CY” encrypts to
“IB” or “JB” (as needed).
 Advantage of this cipher is  it is much improved over mono alphabetic
technique.
 Disadvantage  Actually still it can be broken due to limited structure of
plaintext.
Example of Playfair cipher
Generate cipher text for the plaintext “hide the gold in the tree stumps”,
and the keyword is “playfair example”.
In our example we have given the keyword „playfair example‟
First construct key matrix for the key, like:

P L A Y F

I/J R E X M

B C D G H

K N O Q S

T U V W Z
 Cryptography and Public key infrastructure

Our plaintext is: “hide the gold in the tree stumps”

To encrypt a plaintext message, first we have to group the plaintext letters
in to two (2), like: “HI DE TH EG OL DI NT HE TR EX ES TU MP”
Now as per rules, encrypt individual group one by one, we get:
BM OD ZB XD NABE KU DM UI (or UJ)XM MO UV IF (or JF) (that is our
cipher text)
 Vigenere cipher

- It is poly alphabetic substitution in which more than one alphabet is

recognized for a single character.
- It is based on basic Caesar cipher technique.
- It uses a different shift depending on the position of letters in the message.
- In the process of this cipher, first of all vigenere table is created in which
all the 26 alphabets are written in different rows, each alphabet shifted
cyclically.
- To find the cipher text, intersection of corresponding column of plaintext
and keyword would be considered.
- In vigenere table, plaintext is written vertical and keyword is written
horizontal.
- The vigenere table is shown below:
10 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- As shown in the above table, the encryption of letter „R‟ with key „M‟ is D.
- Now let‟ s take a simple example. Key is  COUNTON and Plaintext is 
VIGENERE CIPHER
- In the process of encryption, first repeat the key until the length of
plaintext.
- Take one by one letter from key and plaintext then we can get cipher text
letter from vigenere table (as shown in the above table, with the key letter
M and plaintext letter R, we get cipher text letter D).
Key C O U N T O N C O U N T O N

Plain
V I G E N E R E C I P H E R
Text
Cipher
X W A R G S E G Q C C A S E
Text

- So our cipher text is: XWARGSEGQCCASE

 Cryptography and Public key infrastructure

- Similarly for decryption, you need to find a X in row of key value (C), then
find corresponding plaintext letter in that column (V).
 One Time Pad (OTP) Perfect cryptography
- OTP is specific subset of Vernam cipher. It is also called perfect cipher.
- It is basic yet solid method to protect short messages.
- It the most secure method and almost impossible to break it
mathematically.
- It is implemented using random key that is as long as the message. The
key is random so that cipher text is too random.
- Basic Idea: Cipher text should provide no “information” about Plaintext.
So OTP provide “perfect secrecy”.
- The key is to be used to encrypt and decrypt a single message, and then is
discarded. (The key in OTP never be reused.)
- Only two copies of the key are generated; one for sender and one for
receiver.
- Each new message requires a new key of the same length as the new
message.
- There is no statistical relationship between plaintext and cipher text, so
this method is very much hard to break.
 In the process of encryption of OTP
- Add each corresponding letter of plaintext to the corresponding alphabet
of OTP.
- If the sum produced is greater than or equals to 26, subtract 26 from it.
- Translate each number of the sum back to corresponding alphabet. This
gives the output cipher text.
- Each key letter is used exactly once for only one message.
- Sender encrypts the message and then destroys the OTP. Receiver
decrypts the message using the same OTP and then destroys the OTP.
For example: plaintext is  how are you?
One time pad is  NCBTZQARX
12 |C o m p u t e r a n d N e t w o r k S e c u r i t y

H O W A R E Y O U
Plaintext
7 14 22 0 17 4 24 14 20

N C B T Z Q A R X
One Time Pad
13 2 1 19 25 16 0 17 23

20 16 23 19 42 20 24 31 43
Initial Total

Subtract 26,
20 16 23 19 16 20 24 5 17
If ≤ 26

Cipher text U Q X T Q U Y F R

 Disadvantages
- There is a practical problem of making large set of random keys.
- There is a problem of key distribution and protection as for every
message, equal length of key is needed by both sender and receiver.
 Hill cipher
- It is poly alphabetic cipher method developed by Lister Hill in 1929.
- The encryption algorithm takes m successive plaintext letters and
substitutes for them m cipher text letters.
- The substitution is determined by m linear equations in which each
character is assigned a numerical value (a = 0, b = 1 ... z = 25).
- For m = 3, the system can be described as follows:
c1 = (k11P1 + k12P2 + k13P3) mod 26
c2 = (k21P1 + k22P2 + k23P3) mod 26
c3 = (k31P1 + k32P2 + k33P3) mod 26
- And in general we can write like this:
 Cryptography and Public key infrastructure

𝑐1 𝑘11 𝑘12 𝑘13 𝑝1

𝑐2 = 𝑘21 𝑘22 𝑘23 * 𝑝2 mod 26
𝑐3 𝑘31 𝑘32 𝑘33 𝑝3
OR
C = KP mod 26
Where C representing cipher text, P representing plaintext and k is 3x3
matrix representing encryption key.
- For example: consider the plaintext “pay more money” and use the
encryption key
17 17 5
K = 21 18 21
2 2 19
- Now to get the cipher text, as per the equation C = KP mod 26.
- Here our first three letters of plaintext are „pay‟ which are alphabetically
numeric are: 15 0 and 24. These are then multiplied with key vector. And
we get the cipher text.
𝑝 15 15 17 17 5 15
𝑎 = 0 then K * 0 mod 26 = 21 18 21 * 0 mod 26
𝑦 24 24 2 2 19 24
11 𝐿
= 13 = 𝑁 = LNS
18 𝑆
- The cipher text for the entire plaintext is LNSHDLEWMTRW
Another example of hill cipher
Convert the plaintext „CAT‟ into cipher text using Hill cipher method, key
6 24 1
is 13 16 10
20 17 15
Here we have plaintext CAT, its numeric value ( 2, 0, 19)
6 24 1
If the key is 13 16 10 , then encryption is K*P mod 26
20 17 15
6 24 1 2
= 13 16 10 * 0 mod 26
20 17 15 19
14 |C o m p u t e r a n d N e t w o r k S e c u r i t y

31
= 16 mod 26
325
5
= 8 = FIN (that is cipher text)
13

3.3 Transposition techniques

- As we have discussed, in substitution techniquesin generating cipher
text, it focuses on substituting a plaintext alphabet with another alphabet.
Whereas in transposition techniquesin generating cipher text, plaintext
remains the same but the order of character is shuffled around.
- Transposition technique is simply  permuting the plaintext.
 Rail fence technique
- This is the simplest transposition technique.
- In which the plaintext is written down as a sequence of diagonals and then
read off as a sequence of rows to get cipher text.
- For example, to encipher the plaintext message "aarush is a good boy"
with a rail fence of depth 2, we write the following:
a r s i a o d o
a u h s g o b y
In the above process of rail fence, write the plaintext vertically and read it
horizontally, we get cipher text.
The cipher text is ARSIAODOAUHSGOBY
- But this type of arrangement is easy for cryptanalysis.
- A more complex scheme is column transposition technique.
- In which, plaintext message is written in a rectangular format of a
predefined size of row by row.
- Then read the message now column by column. The order of the column
can be decided by the key which is any random number of length same as
rectangle length.
- Then we can obtain a cipher text message.
 Cryptography and Public key infrastructure

- For For example  the message (plaintext) is “bhagya is also a good boy”
Key  5 2 1 4 6 3
Plaintext B h a g y a
 i s a l s o
a g o o d b
o y x x x x

(Note: fill the remaining blank positions by X)

- Now read above plaintext column by column with the given priority, we
get the cipher text: AAOXHSGYAOBXGLOXBIAOYSDX
- This technique is easy to break by trying few permutations or frequency
analysis of letters.
- To solve it, add more number of transposition rounds.
(Note: You can break up the letters into 3 or 4 rails as well. For that you HAVE
to break the message into 3 or 4 equal groups.)

 Steganography
- It is an art of hiding data.
- The word “steganography” derived from Greek words “stego” means
“cover” and “graphy” means “writing” So, Steganography means
“covered writing”. It also means “information hiding”. It conceals the
existence of the message.
- It is the art and science of communicating in such a way that the presence
of a message cannot be detected.
- Steganography and encryption are both used to ensure data
confidentiality. However the main difference between both of them is that
with encryption, anybody can see that both parties are communicating in
secret.
- While in case of steganography, nobody can see this communication. This
makes steganography more secure.
- In encryption, we scramble the message so the intruder can’t be
understood, while in steganography the secure message or plaintext (or
image) is embedded within another message (or even an image). The
embedded data will be confidential from the attacker.
16 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- There exist two types of materials  message and carrier (cover).

- Where message is the secret data that should be hidden and carrier is the
material that takes the message in it.
- Following is a simple structure of steganography
Cover*
Cover Stego file

Message FE FE-1 Message*

- As per above figure we can say that secret data is being embedded inside
a cover to produce the stego file. At the receiving end, the stego file is
decoded to get the original data.
- There are mainly three types of steganography
1. Text steganography: in which message is encoded in text / documents.
2. Audio steganography: in which message is encoded in audio clip.
3. Image steganography: in which message is encoded in images.
- Some techniques have been used historically for steganography are:
 Character marking:
- The secret message is overwritten in pencil. The marks are ordinarily not
visible unless the paper is held at an angle to bright light.
 Invisible ink:

- The special chemical is used to write on paper. To all it looks a blank

page, but some heat or chemical is applied to that it generates the visible
text.
 Pin punctures:
- Some of the characters in the message contain only tiny punctures. This
can only be seen when hold in bright light.
 Typewriter correction ribbon:
- Used between lines typed with a black ribbon, the results of typing with
the correction tape are visible only under a strong light.
 Cryptography and Public key infrastructure

- Using steganography, we can hide our secret message behind text,

image, in the disk space, audio files, in the network packets or also in the
software coding.
 Advantage of this method is that an intruder has no idea that two parties
are communicating in secret form.
 Steganography has some drawbacks compared to encryption:
- It is very time consuming, as it is lot of overhead in hiding the message.
- If the secret message has very large size then it is very difficult to embed it
within another message or image.
3.4 Hashing function
- A hash function is a cryptographic algorithm that can be used to provide
data integrity and authentication.
- Hash function converts large, variable size input into small, fixed size
output. OR A hash function maps a variable-length message into a fixed
length hash value, or message digest.
- A hash code does not use a key but is a function only of the input message.
- The hash code is a function of all the bits of the message and provides an
error-detection capability: A change to any bit or bits in the message
results in a change to the hash code.
- A hash value h is generated by a function H of the form
h = H(M)

(where M is a VAriable-length message and H(M) is the fixed-length hash

VALUe.)

Figure 4.4 Hashing

18 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- The hash value is appended to the message at the source at a time when
the message is assumed or known to be correct. The receiver
authenticates that message by re-computing the hash value.
- The purpose of a hash function is to produce a "fingerprint" of a file,
message, or other block of data.
- To be useful for message authentication, a hash function H must have the
following properties:
 H can be applied to a block of data of any size.
 H produces a fixed-length output.
 H(x) is relatively easy to compute for any given x.
 Application of hash function
- Most general use of hash functions in digital signature and for data
integrity.
- Hashing is used in collision resolution techniques.
- It is also used for password authentication.
 SHA – 1 (Secure Hash Algorithm – 1)
- (A 160-bit hash function which resembles the earlier MD5 algorithm. SHA
was designed by NIST & NSA in 1993, revised 1995 as SHA-1.
- SHA-1 produces a 160 bits hash value called message digest (output of
SHA-1).
- The message size of SHA-1 is  264-1 bits.
- The block size is  512 bits.
- The word size is  32 bits.
- Number of steps required for SHA-1 is  80 bits.
- SHA-1 uses modular arithmetic and logical binary operations.
 The ideal SHA-1 has the following properties:
 it is infeasible to find a message that has a given hash.
 it is infeasible to modify a message without changing its hash.
 it is infeasible to find two different messages with the same hash.
 Cryptography and Public key infrastructure

 Working of SHA 1

abcde = (e + ft + s5 (a) + W(t) + K(t)), a, s30 (b), c, d)

- Step 1: Padding
Padding bits are added to the end of the original message such that the
message length set to 64 bits short of multiple of 512.
- Step 2: Append length
The length of the message excluding the length of padding is calculated
and appended to the end of padding.
- Step 3: Divide the input into 512 bit blocks
Input is now divided into equal length of 512 blocks.
- Step 4: Initialize changing variable
Five changing variables A to E are initialized (5 * 32 = 160 bits).
- Step 5: Processing blocks
 Copy the variables A-E into a-e.
20 |C o m p u t e r a n d N e t w o r k S e c u r i t y

 Divide the current 512 block into 16 sub blocks, each of which
containing 32 bits.
 SHA has four rounds, each round has 20 steps. Each round takes
current 512 bit block.
 So, SHA-1 makes total of 80 iterations.
 Advantages
- This method is harder for brute force attack.
- It is also used in message authentication, OTP, software integrity,
password validity etc.
 Disadvantages
- There should be a problem of “collision” in that algorithm, to avoid it,
some strong hash algorithm needed. And at the receiver end, exact
matches will result in success.
 Application main application of SHA1 is digital signature.

3.5 Asymmetric encryption

- Already in the earlier part of this chapter, we have seen the concept of
asymmetric cryptography where two keys are used: a private key and a
public key.
- In this method, private key is used for individual and public key is
available for public.
- Public key is disclosed to all the users in network and private key is the
secret key known only to a particular user.
- Private key is never distributed by the receiver
- Public key used for encryption and private key is used for decryption.
- Example: RSA algorithm, Digital signature
 Digital signature
- It is a type of asymmetric cryptography.
- A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
- A digital signature is basically a way to ensure that an electronic
document (e-mail, spreadsheet, text file, etc.) is authentic.
 Cryptography and Public key infrastructure

- Authentic means that you know who created the document and you know
that it has not been altered in any way since that person created it.

- Digital signature schemes normally gives two algorithms: one for signing
which involves the user’s private key and one for verifying signatures
which involves the user’s public key. The output of this process is called
the “digital signature”.
- It is easily transportable, cannot be changed by someone else, and can
automatically time stamped.
- The main requirements of a digital signature are:
 It is unique to the sender.
 It should be recognizable and verifiable.
 The difference between digital signature and hand written signature:
- The hand written signature is biologically linked where as digital
signature is something that is signed and produced by machine.
- If someone steals your machine, and with it your private key, they could
pretend to be you, legitimately. The same is not true for a handwritten
signature.
- Handwritten signatures are under the direct control of the signer, whereas
digital signatures must be applied by a computer commanded by the
signer.
- Forgery can be possible in case of hand written signature, while in digital
signature it is virtually impossible.
- Handwritten signatures are extremely simple, and easy to understand
whereas Digital signatures are complex to understand.
22 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- Hand written signatures can be witnessed that the digital signatures do

not.
 How digital signature works:

- The digital signature usually involves two processes: one performed by the
signer and the other by the receiVER of the digital signature.
- The digital signature uses the hash result which is unique to both the
signer and verifier.
- At the verification side, digital signature is checked by the reference of
the original message and a given public key.
- Finally the result is generated that the digital signature is verified or not.
 Digital signatures fall into two categories
1. Direct digital signature
- Involve only communicating parties (sender and receiver).
- It assumed receiver has sender’s public-key.
- Digital signature made by sender signing entire message or hash with
private-key.
- The main drawback of this signature is that the validity of this scheme is
depends on the security of the sender’s private key. Sender can claim the
deny of the communication at any time when he wishes.
 Cryptography and Public key infrastructure

2. Arbitrated digital signature

- The problem associated with the direct digital signature can be addressed
by it.
- In this signature, there is an arbiter between sender and receiver. Every
signed message from sender to receiver goes first to an arbiter, who
checks the details and validate the signed message.
- It requires suitable level of trust in arbiter from both the sender and
receiver.
- It can be implemented using either private or public key.
 Advantages of digital signature
- It provides document security and confidentiality.
- You can track your progress of work through it.
- It provides speed and authenticity of data.
- Provides the advantage of non-repudiation.
- Increase customer satisfaction.
 Disadvantages of digital signature
- To work with digital certificates, senders and recipients have to buy
verification software.
- To work with digital signature effectively, sender and receiver have to buy
digital certificate also.
- It suffers from the problem of expiry.
 Key escrow
- Key escrow is a cryptographic key exchange process in which a key is
held in escrow (vault) or stored by a third party.
- Key escrow system provides a backup source for cryptographic keys.
- But sometimes it is risky as third party is involved.
- Normally a key would not be released to anyone without proper
authentication of sender or receiver.
- Purpose  is that is to serve as backup if the parties (either sender or
receiver) lose the data, such as through natural disaster or earth quake or
any attack.
24 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- Advantage of key escrow is that it is a backup of cryptographic key in case

the parties with access to key lose the data through a disaster or malicious
intent.
- Disadvantage is that it is more complex to understand and it suffers from
the problem of vulnerabilities and risks.
3.6 Public Key Infrastructure (PKI)
- PKI is closely related to the idea of asymmetric-key cryptography.
- Public Key Infrastructure (PKI) is a well-known technology that can be
used to establish identities, encrypt information and digital signature of
documents.
- PKI the set of hardware, software, people, policies and procedures
needed to create, manage, store, distribute & revoke digital certificates
based on asymmetric cryptography.
- PKI identifies and manages the security services like: access control,
integrity, confidentiality, authentication and non-repudiation.

Figure 4.5Public key infrastructure (PKI)

 A Public Key Infrastructure consists of (Components of PKI):

 Certification Authority (CA)
 Registration Authority (RA)
 PKI clients
 Cryptography and Public key infrastructure

 Digital certificates
 Certificate Distribution System or repository
 Certification Authority (CA)
 The CA is a trusted third party that authenticates entities taking part in an
electronic transact, it issues digital certificates.
 That issues and verifies certificates. A certificate includes the public
key or information about the public key.
 CA represents the people, processes and tools to create digital
certificate.
 Who can be CA?  The authority of acting as a CA has to be with
someone who everybody trusts. The governments in the various
countries decide who can and who cannot be a CA.
 A CA is a reputed organization, such as a post office, financial
institution, software company, etc.
 In some of the architectures, there are multiple levels of CAs in
which each higher level CA assures for its subordinate CA.
 General tasks of CA are:
o Issuing certificates
o Revoking certificates
o Formulating a certificate policy
o Implementing the Certification Practice Statement (CPS)
 Two of the world‟ s most famous CAs are VeriSign & Entrust.
 Registration Authority (RA)
 An RA is responsible for the interaction between clients and CAs.
 The RA acts as a verifier for the certificate authority before digital
certificate is issued to the requestor.
 RA accepting and verifying registration information about new user.
Generating keys on behalf of the end users.
 General tasks of RA are:
o Receive entity requests and validate them
o Send the requests to the CA
26 |C o m p u t e r a n d N e t w o r k S e c u r i t y

o Receive the processed certificate from the CA

o Send the certificate to the correct entity
 RAs are especially useful for scaling PKI applications across
different geographical locations. For example, a CA can delegate
its responsibilities to different RAs and assign an area of operation
to each RA, such as an RA for northern region, southern region, and
eastern and western regions. One or more directories where the
certificates are held.
 PKI clients
 The entities which request CAs or RAs to issue certificates are
commonly referred to as PKI Clients.
 To obtain a certificate from CA, a PKI client first sends the request to
generate a public-private key pair. After generating this key pair,
the request is sent to the CA through RA, then after validation
process CA generates the certificate for the PKI client.
 All communication between a client and the CA is kept secure. And
the client is responsible for ensuring the safety of its private key.
 Digital Certificates
 This is an important component of PKI.
 It is a digital version of a paper-based passport or driving license or
any other document.
 Digital certificate binds a user with its public key. It is providing
guarantee about the user‟ s identity.
 The digital certificate will contain digital signature of certificate
authority to allow the receiver to confirm the authenticity of digital
certificate.
 Ensuring the security of public key is highly needed in PKI
environment, for that data integrity is needed. However data
integrity alone is not sufficient to guarantee about the security of
public key, and for that digital certificates providing this feature the
security of public key.
 It also providing the authentication of work with private key, and
this eliminates the chance of impersonation.
 Cryptography and Public key infrastructure

 To obtain digital certificate, an organization or any individual must

apply to certification authority (CA) which is responsible for
validating & ensuring authenticity of requesting organization.
 Digital certificate contents

Serial Numberuniquely identify the certificate

Subjectidentifies distinguished name of the user.

Signature Algorithmidentifies the algorithm used by CA to sign
the certificate.
Issuer Nameidentifies distinguished name of CA.
Valid fromthe date the certificate is first VALID from
Valid tothe expiration date
Key usagepurpose of public key (signature/certificate
signing/encryption).
Public key valuethe VALUe of the public key.
Thumbprint Algorithm the algorithm used to create the hash of
certificate.
Thumbprintthe hash VALUe of the certificate.
SAN (Subject Alternative Name) this field is optional. This is used
to proVE multiple identities which
the certificate can authenticate.
VersionVERSion of the certificate standard. e.g. “X.509 VERSion 3”.
Extension used to proVIDe additional information.

 Certificates can be used for

 Authentication which verifies the identity of someone or
something.
 Privacy which ensures that information is only available to the
intended users.
 Encryption  which disguises information so that unauthorized
readers are unable to decipher it.
28 |C o m p u t e r a n d N e t w o r k S e c u r i t y

 Digital signatures  which provide non repudiation and

message integrity.
 Many applications use certificates, such as e-mail applications
and Web browsers.
 There are four main categories of digital certificates that are used
currently on the internet.
- Personal certificate - Software publisher certificate
- Server certificate - Certificate Authority Certificates

 Steps for obtaining digital certificate

 First of all Identify which Client Digital Certificate best suits your
requirements.
 Key generation  the client (user/organization who want to obtain
certificate) can create a private-public key pair using software
which is a part of web browser or web server. The client then sends
public key & evidences to the RA. Alternatively, the RA can
generate a key pair for the client itself.
 Registration  after generating the key pair in the first step, then if
user generates the key pair, he/she sends public key & other
registration information to the RA. Then the CSR (Certificate Signing
Request) form is filled and request to the RA for registration.
 Verification  after the completion of registration process, RA has to
verify the user‟ s documents in 2 phases: Firstly, RA needs to verify
the user‟ s credential such as evidences provided are correct &
acceptable.The second check is to ensure that the user does have
the private key for the public key. RA also verify the user‟ s CSR,
then RA create dummy certificate using user‟ s public key.
 Certificate creation  after all steps are performed successfully, RA
passes all the details of user to CA. The CA verifies & then creates a
digital certificate for the user. The CA also keeps one copy of it for
his own record.
 User then can download the certificate and install in his computer.
 Cryptography and Public key infrastructure

 Certificate distributed system (CDS)

 CDS distributes certificates to users and organizations.
 CDS distributes certificates in cooperation with the directory
service server. The distribution system is used to do the following
tasks:
o Generate and issue key pairs
o Certify the validity of public keys by signing the public key
o Revoke expired or lost keys
o Publish the public keys in the directory service server
3.7 Centralized and Decentralized infrastructure
- PKI generating the key pairs using centralized or decentralized methods.
- In Decentralized infrastructures: software on individual computers
generates and stores cryptographic keys local to the system.
- The users communicating have their own public private keys, no third
party is involved.
- While in case of centralized infrastructure: the keys are generated and
stores on a central server, and are transmitted to the individual systems as
needed.
- Advantage of centralized key generation is that  it is useful when there is
a need of large key storage.
- Disadvantages of centralized key are the server that holds the key
should be single point of failure. And attackers have the prime target over
a single system.
 Private key protection
- If an intruder obtains a user‟ s private key, authenticity and non-
repudiation can no longer claimed or proven.
- As private key is a crucial component of PKI, it can be protected at each
stage of its life.
- When the private key is generated for the first time, it should be stored
somewhere for the future use.
30 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- Minimize access to private keys: computers with private keys should have
minimum external connections.
- Use physical security to private keys: Protect private keys with
cryptographic hardware products. Cryptographic hardware does not
allow export of the private key to software where it could be attacked.
- Key should be destroyed properly at the end of its lifetime.
- Key should never be exposed in clear text.
- The key should not be shared. It should be stored securely.
- There should not be any copy of private key in case of digital signature.
- The key should be transported securely.
3.8 Trust models
- A trust model is a collection of rules that informs application on how to
decide the legality of a digital certificate.
- There are three main types of trust models used with PKI:
1. Hierarchical trust model
2. Bridge trust model
3. Hybrid trust model
 Hierarchical trust model
- It is also known as a tree model in which a root CA residing at the top and
provides all the information. Intermediate CAs, leaf CAs and end entities
are also there.
Figure of hierarchical model is as below:

It trusts the CA above it

and below it

Leaf entities
 Cryptography and Public key infrastructure

- The root CA generates certificates for the intermediate CAs, which in turn
generates certificates for the leaf CAs, and the leaf CAs generate
certificates for the end-entities (users, network devices, applications).
- This model allows tight control over certificate based activities.
- Root CA systems can have trusts between them and there can be trust
between intermediate and leaf CAs.
- The leaf CA is any CA that is at the end of the network or chain.
- This structure is helpful in creating hybrid structure.
- The root CA‟ s public keys are distributed to all entities and these are used
to verify the certificates.
 Bridge trust model(Peer to peer trust model)
- In it, peer to peer relationship exists between roots CAs.
- In this model, certification process between organizations or departments
is possible.
- The root CAs can communicate each other, allowing cross verification.
Bidirectional trust is there.
- This model is useful in geographically dispersed organizations which are
working together.
Figure of this model is as below

- In a large geographically dispersed organization, root CA is there at

remote location would have its own internal hierarchy, and users would be
able to access certificates from any place in the CA structure.
- All cross verification is handled between the two root CA systems.
32 |C o m p u t e r a n d N e t w o r k S e c u r i t y

- This model may be useful if you‟ re dealing with a large, geographically

dispersed organization or you have two organizations that are working
together.
- Main advantage of this model is  interoperability between organizations.
- And main disadvantage can be  Lack of trustworthiness of root CAs.
 Hybrid trust model
- It is the most flexible model among all.
- It can use the capabilities of any or all of the structure discussed above.
- Hybrid trust model is implemented through a bridge CA.
Figure of this model is as below
It is not the root CA, it just
provides cross certification

- All non-root CAs are certified within a root CA‟ s hierarchy.

- A bridge CA is responsible for issuing cross-certificates to all connected
CAs and trust domains.
- The bridge is not considered a root or trust CA, it is just an entity to
generate and maintain cross certification for the connected environments.
- Major disadvantage with this model is that  it is more complicated and
confusing.
 Cryptography and Public key infrastructure

 Difference between mono alphabetic ciphers and poly

alphabetic ciphers.

Mono alphabetic ciphers Poly alphabetic cipher

It uses fixed substitution over the It uses a number of substitutions at

entire message different positions in the message
In it, the same substitution rule is In it, the substitution rule
used for every substitution. changescontinuously from letter to
letter according to the elements of
the encryption key.
Example: Caesar cipher Example: Vigenere cipher

 Difference between substitution method and transposition

method.

Substitution method Transposition method

In it, the letters of plain text are In it, in generating cipher text,
replaced by other letters or number plaintext remains the same but the
or symbols. order of character is shuffled
around
Each letter retains its position Each letter retains its identity but
changes its identity changes its position
Example: Caesar cipher Example: Rail fence cipher
34 |C o m p u t e r a n d N e t w o r k S e c u r i t y

Assignment

Short Questions
1 Define: Encryption, Decryption
Define Cryptanalysis. List out various cryptanalysis attacks.
Write a simple example for conversation of plaintext into cipher text
2
using Caesar cipher.
3 Define symmetric and asymmetric encryption. List out types of them.
4 Define hash function. Write down application of hash function.
Which key is used for encryption and decryption in symmetric and
5
asymmetric cryptography?
6 Define transposition technique.
Descriptive Questions
1 Draw and explain symmetric encryption model.
2 Write a short note on steganography.
Convert given plaintext into cipher text using Vigenere cipher:
3
Plaintext is: “GUJARAT UNIVERSITY” and Key is: “TECHNOLOGICAL”
4 Explain SHA-1 algorithm in short with block diagram.
5 Write a short note on digital signature.
6 Explain the steps of obtaining digital certificate.
7 Define centralized infrastructure. Write its limitations.
8 Explain bridge trust model.
9 Explain Playfair cipher with example.
10 Explain rail fence cipher with an example.
11 Explain private key protection.
Plaintext is: “SUMMER” and key is:
17 17 5
12 21 18 21
2 2 9
Solve it using hill cipher.
13 If key is: “computer”, write Playfair cipher key matrix.
Solve using Playfair cipher. Solve using Playfair cipher.
Key: “LARKSPUR” Key: “PRIMROSE”
14
Plaintext: “rocky mountain Plaintext: “hike the foothills”
meadow”
Solve using Playfair cipher. Solve using Playfair cipher.
Key: “charles” Key: “keyword”
15
Plaintext: “the scheme really Plaintext: “why don‟ t you?”
works”