Cryptography

If a secret piece of news is divulged prematurely by a spy, both the spy and the person they told must be put to death according to The Art of War.

Uploaded by

39-Ayush Solanke

If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.
- The Art of War

The solution to this is CRYPTOGRAPHY


Unit - 3
Introduction : Cryptography, Cryptanalysis, Cryptology
Substitution techniques : Caesar’s cipher, monoalphabetic and polyalphabetic
Transposition techniques : Rail fence technique, simple columnar
Steganography
Hashing - concept
Symmetric and asymmetric cryptography : Introduction
Symmetric encryption : DES (Data Encryption Standard) algorithm, Diffie-Hellman algorithm, Problem of key distribution
Asymmetric key cryptography : Digital Signature
7H15 M3554G3 53RV35 7O PR0V3 H0W 0UR M1ND5 C4N D0
4M4Z1NG 7H1NG5! 1MPR3551V3 7H1NG5! 1N 7H3 B3G1NN1NG
17 WA5 H4RD BU7 N0W, 0N 7H15 LIN3 Y0UR M1ND 1S
R34D1NG 17 4U70M471C4LLY W17H0U7 3V3N 7H1NK1NG
4B0U7 17, B3 PROUD! 0NLY C3R741N P30PL3 C4N R3AD 7H15!

From R.H.Rathod
To CO-6-I
CRYPTOGRAPHY
Cryptography is the art of achieving security by encoding messages to make them non-readable and non-understandable.

Readable message -> Encoded message
This is a block on Cryptographic -> R#5%`&”m.;p0-
network & system -> S89!@!%$sp*i^c/
Internet security -> e-$557

This process is systematic & well structured.
Plain Text
Clear text or plain text signifies a message that can be understood by the sender, the recipient and also by anyone else who gets access to that message.

Ex.
Hi Amit
Hope you are doing fine. How about the conference this Monday at 11.00 am ?
Regards
Anita
Cipher Text
When a plain text message is codified using any suitable scheme, the resulting message is called cipher text.

Plain Text Message:
Hi Amit
Hope you are doing fine. How about the conference this Monday at 11.00 am ?
Regards
Anita

Cipher Text Message:
Kl Dplw
Krsh brx duh griqj ilqj. Krz derxw ekh frqihuhqfh wklv Prqgdb dw 11.00 dp?
Uhjdugv
Dqlwd
CRYPTANALYSIS
Cryptanalysis refers to the study of ciphers, ciphertext, or cryptosystems with a view to finding weaknesses in them that will permit retrieval of the plaintext from the cipher text, without necessarily knowing the key or the algorithm.
It is like breaking a code.

Encoded message -> Readable message
R#5%`&”m.;p0- -> This is a block on Cryptographic
S89!@!%$sp*i^c/ -> network & system
e-$557 -> Internet security

This process is trial and error based.
CRYPTANALYST
A cryptanalyst is a person who attempts to break a cipher text message to obtain the original plain text message.
The process itself is called cryptanalysis.

CRYPTOLOGY
Cryptology is a combination of cryptography and cryptanalysis.
Encryption – It transforms (encodes) a plain text message into cipher text.
Decryption – It transforms (decodes) a cipher text message back into plain text.

Sender: Hello (Plain Text) -> Encrypt -> lfmmp (Cipher Text) -> Internet -> lfmmp (Cipher Text) -> Decrypt -> Hello (Plain Text) : Receiver

Techniques for transforming plain text to cipher text
• Substitution Techniques
• Transposition Techniques

Substitution Cipher Technique :

In this technique, the characters of a plain text are replaced by other characters, numbers or symbols.

1. Caesar Cipher
2. Modified Caesar Cipher
3. Mono-alphabetic Cipher
4. Polyalphabetic Substitution Cipher
5. Homophonic Substitution Cipher
6. PolyGram Substitution Cipher
1. Caesar Cipher
Proposed by Julius Caesar. Each alphabet in a message is replaced by an alphabet three places down the line.
It is a scheme for codifying messages by replacing each alphabet with an alphabet three places down the line.

Plain  : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher : D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
2. Modified Caesar Cipher
The cipher text alphabets need not be three places down the order; they can be any number of places down the order, and that number stays constant.

• An alphabet A need not necessarily be replaced by D

• It can be replaced by any valid alphabet i.e. by E or by F or by G and so on

• Once the replacement scheme is decided, it would be constant

• Thus an alphabet A can be replaced by any other alphabet i.e. B through Z

Breaking the cipher text KWUM PMZM

Attempt Number / Cipher text K W U M P M Z M

1 L X V N Q N A N
2 M Y W O R O B O
3 N Z X P S P C P
4 O A Y Q T Q D Q
5 P B Z R U R E R
6 Q C A S V S F S
7 R D B T W T G T
8 S E C U X U H U
9 T F D V Y V I V
10 U G E W Z W J W
11 V H F X A X K X
12 W I G Y B Y L Y
13 X J H Z C Z M Z
14 Y K I A D A N A
15 Z L J B E B O B
16 A M K C F C P C
17 B N L D G D Q D
18 C O M E H E R E
19 D P N F I F S F
20 E Q O G J G T G
21 F R P H K H U H
22 G S Q I L I V I
23 H T R J M J W J
24 I U S K N K X K
25 J V T L O L Y L
3. Mono-alphabetic Cipher

It uses random substitution.

• Each A can be replaced by any other alphabet (B through Z)
• Each B can be replaced by any other random alphabet (A or C through Z) and so on
• There is no relation between the replacement of B and replacement of A
• (26 x 25 x 24 x … x 2) or 4 x 10^26 possibilities
4. Polyalphabetic Substitution Cipher
• Uses multiple one-character keys
• Each of the keys encrypts one plain text character
• The first key encrypts the first plain text character; the second key encrypts the second plain text character and so on
• After all the keys are used, they are recycled

Vigenere Cipher is an example of a Polyalphabetic Substitution Cipher

Vigenere Cipher

Look up the plain text alphabet in the column and the key alphabet in the row to get the cipher text alphabet.

Plain Text  : C O M P U T E R S E C U R I T Y
Key         : S P I C E S P I C E S P I C E S
Cipher text : U D U R Y L T Z U I U J Z K X Q

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
5. Homophonic Substitution Cipher

• One plain text alphabet can map to more than one cipher text alphabet
• Cipher text alphabet can be any one of the chosen set
• For e.g. A can be replaced by D, H, P, R ; B can be replaced by E, I, Q, S etc.

6. PolyGram Substitution Cipher

• Replaces one block of plain text with a block of cipher text
• It works on a block-by-block basis
• For instance, HELLO could be replaced by YUQQW, but HELL could be replaced by a different text block TEUI
Transposition Cipher Technique

These techniques do not simply replace one alphabet with another; they also perform some permutation over the plain text alphabets.
They perform reordering.

1. Rail Fence Technique : It involves writing plain text as a sequence of diagonals and then reading it row-by-row to produce cipher text.

Algorithm
• Write down the plain text message as a sequence of diagonals
• Read the plain text written in step 1 as a sequence of rows
• The message obtained is the cipher text message
Example
Original Plain Text : Come home tomorrow

1. Write the first character on the first line i.e. C, the second character on the second line i.e. o, then the third character on the first line i.e. m and so on

C   m   h   m   t   m   r   o
  o   e   o   e   o   o   r   w

2. Now read the text row-by-row and write it sequentially. Thus we have as the cipher text :

Cmhmtmrooeoeoorw
2. Simple Columnar Transposition Technique :
It simply arranges the plain text as a sequence of rows of a rectangle that are read in columns randomly.

Algorithm
• Write the plain text message row-by-row in a rectangle of a predefined size
• Read the message column-by-column. It need not be in the order of columns 1, 2, 3 etc. It can be any random order such as 2, 3, 1 etc.
• The message obtained is the cipher text message
Ex. Original Plain Text : Come home tomorrow
1. Let us consider a rectangle with six columns.
2. Write the message in the rectangle row-by-row.

Column1 | Column2 | Column3 | Column4 | Column5 | Column6
C | o | m | e | h | o
m | e | t | o | m | o
r | r | o | w |   |

3. Now, let us decide the order of columns as some random order, say 4, 6, 1, 2, 5 and 3.
4. Then read the text in the order of these columns. The cipher text obtained would be

eowooCmroerhmmto
Perform more than one round of transposition

Algorithm with multiple rounds

Algorithm
• Write the plain text message row-by-row in a rectangle of a predefined size
• Read the message column-by-column. It need not be in the order of columns 1, 2, 3 etc. It can be any random order such as 2, 3, 1 etc.
• The message obtained is the cipher text message of round 1
• Repeat steps 1 to 3 as many times as desired
Original Plain Text : Come home tomorrow
The cipher text : eowoocmroerhmmto
Let us perform steps 1 through 3 once more.

Column1 | Column2 | Column3 | Column4 | Column5 | Column6
e | o | w | o | o | c
m | r | o | e | r | h
m | m | t | o |   |

Now, let us use the same order of columns as before i.e. 4, 6, 1, 2, 5 and 3. Then read the text in the order of these columns.
The cipher text obtained in round 2 would be
oeochemmormorwot
Continue like this if more iterations are desired, otherwise stop
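
The rail fence and columnar procedures above, with the decryption side the slides leave out, as an added example that is not part of the original slides. Function names are assumptions of the example; spaces are removed before encryption, as in the worked examples.

```python
def strip_spaces(text):
    return text.replace(" ", "")


def rail_fence_encrypt(plaintext):
    """Two-row rail fence: characters alternate between row 1 and row 2,
    then row 1 is read in full, followed by row 2."""
    letters = strip_spaces(plaintext)
    return letters[0::2] + letters[1::2]


def rail_fence_decrypt(ciphertext):
    """Split the text back into its two rows and interleave them."""
    top_len = (len(ciphertext) + 1) // 2
    top, bottom = ciphertext[:top_len], ciphertext[top_len:]
    out = []
    for i, ch in enumerate(top):
        out.append(ch)
        if i < len(bottom):
            out.append(bottom[i])
    return "".join(out)


def check_order(columns, order):
    if sorted(order) != list(range(1, columns + 1)):
        raise ValueError("order must list every column number exactly once")


def columnar_encrypt(plaintext, columns, order, rounds=1):
    """Write row-by-row into `columns` columns, read the columns in `order`
    (1-based column numbers), and repeat for the given number of rounds."""
    check_order(columns, order)
    text = strip_spaces(plaintext)
    for _ in range(rounds):
        # Column c holds characters c-1, c-1+columns, c-1+2*columns, ...
        text = "".join(text[c - 1::columns] for c in order)
    return text


def columnar_decrypt(ciphertext, columns, order, rounds=1):
    """Undo columnar_encrypt, including a partly filled last row."""
    check_order(columns, order)
    text = ciphertext
    full_rows, extra = divmod(len(text), columns)
    for _ in range(rounds):
        column_text, pos = {}, 0
        for c in order:
            # The first `extra` columns are one character longer than the rest.
            length = full_rows + (1 if c <= extra else 0)
            column_text[c] = text[pos:pos + length]
            pos += length
        rows = full_rows + (1 if extra else 0)
        text = "".join(column_text[c][r]
                       for r in range(rows)
                       for c in range(1, columns + 1)
                       if r < len(column_text[c]))
    return text


def is_anagram(a, b):
    """Transposition only reorders: cipher text and plain text share letters."""
    return sorted(a.lower()) == sorted(b.lower())


if __name__ == "__main__":
    order = [4, 6, 1, 2, 5, 3]
    print(rail_fence_encrypt("Come home tomorrow"))
    print(columnar_encrypt("Come home tomorrow", 6, order))
    print(columnar_encrypt("Come home tomorrow", 6, order, rounds=2))
```

Because the cipher text is always an anagram of the plain text, letter frequencies survive unchanged, however many rounds are applied.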
3. Vernam Transposition Technique :

• Uses a one-time pad, which is discarded after a single use.
• One-time pad is implemented using a random set of non-repeating characters as the input cipher text.
• The length of the input cipher text is equal to the length of the original plain text.
Algorithm
1. Treat each plain text alphabet as a number in an increment sequence i.e. A=0, B=1, … Z=25.
2. Do the same for each character of the input cipher text.
3. Add each number corresponding to the plain text alphabet to the corresponding input cipher text alphabet number.
4. If the sum thus produced is greater than 25, subtract 26 from it.
5. Translate each number of the sum back to the corresponding alphabet. This gives the output cipher text.
Plain Text : HOW ARE YOU ; One-time pad : NCBTZQARX

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

1. Plain Text            | H  | O  | W  | A  | R  | E  | Y  | O  | U
                         | 7  | 14 | 22 | 0  | 17 | 4  | 24 | 14 | 20
2. One-time pad          | N  | C  | B  | T  | Z  | Q  | A  | R  | X
                         | 13 | 2  | 1  | 19 | 25 | 16 | 0  | 17 | 23
3. Initial total         | 20 | 16 | 23 | 19 | 42 | 20 | 24 | 31 | 43
4. Subtract 26, if >25   | 20 | 16 | 23 | 19 | 16 | 20 | 24 | 5  | 17
5. Cipher Text           | U  | Q  | X  | T  | Q  | U  | Y  | F  | R
4. Book Cipher Transposition Technique :
• Simple and similar in principle to the Vernam Cipher.
• For producing cipher text, some portion of text from a book is used, which serves the purpose of a one-time pad.
• The characters from the book are added to the input plain text message, similar to the way a one-time pad works.
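
The Vigenere, Vernam and book ciphers described above all add a key letter to a plain text letter modulo 26 and differ only in where the key letters come from. The following added example (not part of the original slides; function names, the second message and the book passage are constructed for illustration) implements all three and shows why a pad must be discarded after a single use.

```python
A = ord("A")


def letters(text):
    """Keep only the letters A-Z, upper-cased (spaces are dropped)."""
    return "".join(c for c in text.upper() if "A" <= c <= "Z")


def add_key(text, stream):
    """Cipher letter = (plain + key) mod 26, with A=0 ... Z=25."""
    return "".join(chr((ord(p) + ord(k) - 2 * A) % 26 + A)
                   for p, k in zip(text, stream))


def subtract_key(text, stream):
    """Plain letter = (cipher - key) mod 26."""
    return "".join(chr((ord(c) - ord(k)) % 26 + A)
                   for c, k in zip(text, stream))


def vigenere(text, key, decrypt=False):
    """Polyalphabetic: the short key is recycled once all its letters are used."""
    text, key = letters(text), letters(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    stream = (key * (len(text) // len(key) + 1))[:len(text)]
    return subtract_key(text, stream) if decrypt else add_key(text, stream)


def vernam(text, pad, decrypt=False):
    """One-time pad: the pad must be exactly as long as the message."""
    text, pad = letters(text), letters(pad)
    if len(pad) != len(text):
        raise ValueError("pad length must equal message length")
    return subtract_key(text, pad) if decrypt else add_key(text, pad)


def book_cipher(text, book_passage, decrypt=False):
    """A passage from an agreed book plays the role of the pad."""
    text, passage = letters(text), letters(book_passage)
    if len(passage) < len(text):
        raise ValueError("book passage is shorter than the message")
    return vernam(text, passage[:len(text)], decrypt)


def reuse_leak(cipher1, cipher2):
    """Difference of two cipher texts made with the SAME pad. The pad cancels
    out, leaving the difference of the two plain texts."""
    return subtract_key(cipher1, cipher2)


if __name__ == "__main__":
    print(vigenere("COMPUTER SECURITY", "SPICE"))
    print(vernam("HOW ARE YOU", "NCBTZQARX"))
    pad = "NCBTZQARX"
    c1 = vernam("HOW ARE YOU", pad)
    c2 = vernam("MEET AT TEN", pad)   # constructed second message, same pad
    print(reuse_leak(c1, c2) == subtract_key("HOWAREYOU", "MEETATTEN"))
```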
Cryptography techniques
• Symmetric Key Cryptography
• Asymmetric Key Cryptography

Symmetric Key Cryptography

In this scheme only one key is used and the same key is used both for encryption and decryption of messages.

Asymmetric Key Cryptography

Two different keys are used; one key is used for encryption & another, different key is used for decryption.
Symmetric Key Cryptography
Person A wants to send a highly confidential letter to another person B. A and B both reside in the same city, but are separated by a few miles and for some reason, cannot meet each other.
How would you tackle this problem?
A puts the letter in an envelope, seals it and sends it by post.

[Figure: Letter in Envelope -> Postal n/w and Relaxed distribution system -> Letter in Envelope]

Another option is to send the envelope via a hand-delivery mechanism.

A now puts the envelope inside a box, seals it with a highly secure lock and sends it to B.

[Figure: Letter in Envelope, sent through the mechanism of Post/courier/hand-delivery]
1. Sender and receiver will use the same key to lock and unlock i.e. for encryption and decryption.

2. At the Sender's end the key transforms the plain text message into a cipher text form. At the Receiver's end the same key is used to decrypt the encrypted message.

3. It is also referred to as Secret Key Cryptography or Private Key Cryptography.

4. Both the parties must agree upon the key before any transmission begins and nobody else should know about it.
Symmetric Key Cryptography

Sender A: Plain Text -> Encrypt with symmetric key -> Cipher Text -> Network -> Cipher Text -> Decrypt with symmetric key -> Plain Text : Receiver B
Use of separate lock and keys per communication pair

[Figure: A and B share one Lock, with a Key each; A and C share another Lock, with a Key each]

When A wants to communicate with B & C, we need two lock-n-key pairs (A-B & A-C).
Thus, we need one lock-n-key pair per person with whom A wants to communicate.
No of parties & corresponding no of lock-n-key pairs required
For n persons, the no of lock-n-key pairs is n * (n-1) / 2

Parties involved | Number of lock-n-key pairs required
2 (A, B) | 1 (A-B)
3 (A, B, C) | 3 (A-B, A-C, B-C)
4 (A, B, C, D) | 6 (A-B, A-C, A-D, B-C, B-D, C-D)
5 (A, B, C, D, E) | 10 (A-B, A-C, A-D, A-E, B-C, B-D, B-E, C-D, C-E, D-E)

If the no of parties is 2, we need 2 * (2-1)/2 = 1 lock-n-key pair
If the no of parties is 3, we need 3 * (3-1)/2 = 3 lock-n-key pairs
If the no of parties is 4, we need 4 * (4-1)/2 = 6 lock-n-key pairs
If the no of parties is 5, we need 5 * (5-1)/2 = 10 lock-n-key pairs
Features of Secret Key

An identical key is used for encryption and decryption.

Strength of the algorithm is determined by the size of the key; the longer the key, the more difficult it is to crack.

Typical key sizes vary between 48 bits and 448 bits.

To crack the key, the hacker has to use brute force.


Diffie-Hellman Key Exchange / Agreement
(Beyond Syllabus)

Two parties who want to communicate securely can agree on a symmetric key.

This algorithm can be used only for key agreement, not for encryption or decryption.
Once both the parties agree on the key to be used, they need to use other symmetric key encryption algorithms for actual encryption or decryption of messages.
1. Ankit and Boby agree on two large prime numbers, n and g.
2. Ankit chooses another large random number x & calculates A as A = g^x mod n.
3. Ankit sends the number A to Boby.
4. Boby independently chooses another large random integer y & calculates B as B = g^y mod n.
5. Boby sends the number B to Ankit.
6. Ankit now computes the secret key K1 as K1 = B^x mod n
7. Boby now computes the secret key K2 as K2 = A^y mod n
K1 is equal to K2
Diffie-Hellman Key Exchange / Agreement Algorithm Example
Let n = 11, g = 7
Let x = 3, we have A = 7^3 mod 11 = 343 mod 11 = 2, so A = 2

Ankit sends 2 to Boby

Let y = 6, we have B = 7^6 mod 11 = 117649 mod 11 = 4, so B = 4

Boby sends 4 to Ankit

K1 = 4^3 mod 11 = 64 mod 11 = 9

K2 = 2^6 mod 11 = 64 mod 11 = 9

K1 = K2 = K
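
The seven steps above, run for both parties, as an added example that is not part of the original slides. It also shows why the slides ask for large numbers: with n = 11 anyone who sees n, g and A finds x by trying every exponent. Function names and the 127-bit prime used for the larger run are assumptions of the example; real deployments use standardised groups of 2048 bits or more.

```python
import secrets


def exchange(n, g, x=None, y=None):
    """Run both sides of the agreement and return the values each one sees.
    x and y are the private numbers of Ankit and Boby; random if not given."""
    x = secrets.randbelow(n - 3) + 2 if x is None else x   # 2 .. n-2
    y = secrets.randbelow(n - 3) + 2 if y is None else y
    a_pub = pow(g, x, n)          # step 2: A = g^x mod n, sent to Boby
    b_pub = pow(g, y, n)          # step 4: B = g^y mod n, sent to Ankit
    k1 = pow(b_pub, x, n)         # step 6: Ankit's key
    k2 = pow(a_pub, y, n)         # step 7: Boby's key
    return {"A": a_pub, "B": b_pub, "K1": k1, "K2": k2}


def recover_secret_by_search(n, g, public):
    """Exhaustive search for the exponent behind a public value.
    Feasible only because n is tiny; the loop runs at most n-1 times."""
    value = 1
    for candidate in range(1, n):
        value = (value * g) % n
        if value == public:
            return candidate
    return None


def eavesdropper_key(n, g, a_pub, b_pub):
    """Key computed from the public traffic alone when n is small."""
    x = recover_secret_by_search(n, g, a_pub)
    return None if x is None else pow(b_pub, x, n)


if __name__ == "__main__":
    small = exchange(11, 7, x=3, y=6)
    print(small)                                   # the slide's numbers
    print(eavesdropper_key(11, 7, small["A"], small["B"]))
    big = exchange(2**127 - 1, 3)                  # random x and y
    print(big["K1"] == big["K2"])
```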
Symmetric Key Encryption
Data Encryption Standard
Data Encryption Standard (DES)
DES is a block cipher.
It encrypts data in blocks of size 64 bits each.
It uses a 56-bit key.
Every eighth bit of the key is discarded to produce a 56-bit key.

Bit positions 8, 16, 24, 32, 40, 48, 56 and 64 are discarded.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
Conceptual working of DES
[Figure: each 64-bit Plain Text block (Block 1, Block 2, Block 3, …) is passed through DES with the 56-bit key to give a 64-bit Cipher Text block.]
[Figure: Original 64-bit key -> Key discarding process -> Resulting 56-bit key]
1. In the first step, the 64-bit plain text block is handed over to an Initial Permutation function (IP).
2. The Initial Permutation (IP) is performed on plain text.
3. The IP produces two halves of the permuted block: Left Plain Text (LPT) and Right Plain Text (RPT).
4. Each of LPT & RPT go through 16 rounds of encryption process.
5. LPT & RPT are rejoined and a Final Permutation (FP) is performed on the combined block.
6. The result of this process produces 64-bit cipher text.
[Figure: Plain Text (64 bits) -> Initial Permutation -> LPT and RPT -> 16 rounds each, with Key -> Final Permutation -> Cipher Text (64 bits)]
( Content Beyond Syllabus )
Each of the 16 rounds consists of broad level steps as …

Key Transformation : 48-bit sub-key generated from 56-bit key
Expansion Permutation : LPT /RPT expanded to 48-bit from 32-bit
S-Box Substitution : Accepts 48-bit input from the XOR operation involving the key & expanded RPT & produces a 32-bit output using the substitution technique
P-Box Permutation : The output of S-box consists of 32 bits. These 32 bits are permuted using a P-box
XOR and Swap : The left portion of the initial 64-bit text is XORed with the output produced by P-box permutation. The result of this XOR becomes the new right half (RPT). The old right half (RPT) becomes the new left half, in swapping.
Single Round
[Figure: data path LPT (32 bits), RPT (32 bits) -> Expansion/permutation (48) -> XOR (48) -> S-box Substitution (32) -> Permutation (P) (32) -> XOR -> LPT, RPT; key path C (28 bits), D (28 bits) -> Left shift, Left shift -> Permutation (48) -> C, D]
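
The key discarding step and the "XOR and Swap" round structure can be tried out without the real DES tables. The following is an added example, not part of the original slides and not DES itself: the sub-key generation and the round function are SHA-256 based stand-ins (assumptions of the example), and the initial and final permutations are left out. What it keeps is the 64-to-56-bit key reduction and the 16-round LPT/RPT structure, which decrypts by running the same rounds with the sub-keys reversed.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def drop_every_eighth_bit(key64):
    """64-bit key -> 56-bit key by discarding bit positions 8, 16, ..., 64
    (position 1 is the leftmost bit, as in the slide's table)."""
    bits = format(key64, "064b")
    kept = "".join(b for pos, b in enumerate(bits, start=1) if pos % 8 != 0)
    return int(kept, 2)


def sub_keys(key56):
    """One 48-bit sub-key per round. Stand-in for DES key transformation."""
    keys = []
    for rnd in range(ROUNDS):
        digest = hashlib.sha256(key56.to_bytes(7, "big") + bytes([rnd])).digest()
        keys.append(int.from_bytes(digest[:6], "big"))
    return keys


def round_function(rpt, sub_key):
    """Stand-in for expansion, XOR with the sub-key, S-box and P-box:
    takes the 32-bit RPT and returns 32 bits."""
    expanded = (rpt << 16) | (rpt >> 16)          # toy 32 -> 48 bit expansion
    mixed = expanded ^ sub_key                    # XOR with 48-bit sub-key
    digest = hashlib.sha256(mixed.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")      # back to 32 bits


def process_block(block64, keys):
    lpt, rpt = block64 >> 32, block64 & MASK32
    for k in keys:
        # XOR and swap: old RPT becomes the new LPT,
        # LPT xor f(RPT, sub-key) becomes the new RPT.
        lpt, rpt = rpt, lpt ^ round_function(rpt, k)
    # Undo the last swap so the same routine decrypts with reversed sub-keys.
    return (rpt << 32) | lpt


def encrypt_block(block64, key64):
    return process_block(block64, sub_keys(drop_every_eighth_bit(key64)))


def decrypt_block(block64, key64):
    return process_block(block64, sub_keys(drop_every_eighth_bit(key64))[::-1])


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                      # constructed sample key
    twin = key ^ 0x0101010101010101               # differs only in discarded bits
    block = int.from_bytes(b"8 bytes!", "big")    # one 64-bit plain text block
    cipher = encrypt_block(block, key)
    print(hex(cipher))
    print(decrypt_block(cipher, key).to_bytes(8, "big"))
    print(encrypt_block(block, twin) == cipher)   # same effective 56-bit key
```

Two 64-bit keys that differ only in the discarded positions behave identically, which is why the effective key length is 56 bits.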
Dr.Panjabrao Deshmukh Polytechnic,
Shivaji Nagar, Amravati
(Maharashtra Govt-Aided Institute)

Subject : Network & information Security 22620

Unit-3 : 3.4 Asymmetric Key Cryptography

Date : 17/05/2021, at 11:30am

By
Rajendra H. Rathod
Lecturer, Comp. Engg. Dept.
Don't compare yourself with any one in this world. If you compare, you are insulting
Asymmetric Cryptography

• Two different keys are used, Public & Private key
• The Public key is for the general public and the Private key is a secret key.
• One key is used for encryption and the other for decryption
• No other key can decrypt the message – not even the original (first) key used for encryption.
• Every communicating party needs just a key pair for communicating with any number of other communicating parties. Each party publishes its public key.
• A directory can be constructed where the various parties with their ids and the corresponding public keys are maintained.
Asymmetric Key Cryptography

Sender A: Plain Text -> Encrypt with B’s public key -> Cipher Text -> Network -> Cipher Text -> Decrypt with B’s private key -> Plain Text : Receiver B

[Figure: Use of public key-private key pair by a bank. Customers A, B and C each use the Bank’s public key; the BANK uses the Bank’s private key.]

Suppose A wants to send a message to B, then A & B should each have a private key and a public key
A should keep her private key secret
B should keep her private key secret
A should inform B about her public key
B should inform A about her public key

Key details | A should know | B should know
A’s private key | Yes | No
A’s public key | Yes | Yes
B’s private key | No | Yes
B’s public key | Yes | Yes

A encrypts the message using B’s public key and sends to B
B decrypts A’s message using B’s private key
Symmetric versus Asymmetric key Cryptography

Characteristics | Symmetric key | Asymmetric key
Key used for encryption/decryption | Same key is used for both enc/dec | One key for enc, another key for dec
Speed | Very fast | Slower
Size of resulting text | Same as or less than clear text | More than the clear text
Key agreement | A big problem | No problem
No of keys required as compared to no of participants | Equals about the square of the number of participants | Same as the number of participants
Usage | Mainly for enc & dec, can’t be for digital sign | Can be used for enc & dec, also for digital sign
Brief overview of general scheme
If A is the sender of a message and B is the receiver, A encrypts the message with B’s public key and sends the encrypted message.

Another scheme
If A is the sender of a message and B is the receiver, A encrypts the message with A’s private key and sends the encrypted message to B.

[Figure: Sender (A): Plain Text -> Encrypt with A’s private key -> Cipher Text; A sends this encrypted message to Receiver (B)]

Combining both practices to have a very efficient security solution

A’s computer encrypts the original plain text message with the help of a standard cryptographic algorithm, producing cipher text.

[Figure: Sender (A): Plain Text and Symmetric key -> Symmetric Key Encryption Algorithm -> Cipher Text]

A now takes the one time symmetric key and encrypts it with B’s public key; this is called “key wrapping”.

[Figure: Sender (A): the Symmetric key is encrypted with B’s Public key]

Now A puts the cipher text and the encrypted symmetric key together inside a digital envelope.

[Figure: Digital Envelope from Sender (A), containing the Cipher Text and the Symmetric key encrypted with B’s public key]
• B receives and opens the digital envelope. After B opens the envelope, it receives two things: cipher text and one time session key encrypted using B’s public key

• B now uses the same symmetric key algorithm and its private key to decrypt the logical box that contains the symmetric key encrypted using B’s public key

• The output of this process is the one time symmetric key

• Finally B applies the same symmetric key algorithm and symmetric key to decrypt the cipher text. This process yields the original plain text.
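
The digital envelope procedure above, from sealing by A to opening by B, as an added example that is not part of the original slides. Everything cryptographic here is a labelled stand-in chosen so the code runs with the standard library only: B's key pair is unpadded textbook RSA built from two publicly known Mersenne primes, and the symmetric cipher is a SHA-256 keystream XOR; neither is suitable for real use.

```python
import hashlib
import secrets

# Toy RSA key pair for B (assumption of this example). The primes are
# publicly known Mersenne primes, so this key protects nothing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
B_PUBLIC = (P * Q, E)
B_PRIVATE = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR the data with SHA-256(key || counter).
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(plaintext, recipient_public):
    """A's side: encrypt the message with a one time symmetric key, then
    wrap that key with the recipient's public key."""
    n, e = recipient_public
    session_key = secrets.token_bytes(32)               # one time symmetric key
    cipher_text = keystream_xor(session_key, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)   # key wrapping
    return {"cipher_text": cipher_text, "wrapped_key": wrapped_key}


def open_envelope(envelope, recipient_private):
    """B's side: unwrap the symmetric key with the private key, then use it
    to decrypt the cipher text."""
    n, d = recipient_private
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    return keystream_xor(session_key, envelope["cipher_text"])


if __name__ == "__main__":
    message = b"How about the conference this Monday at 11.00 am ?"
    envelope = seal(message, B_PUBLIC)
    print(envelope["cipher_text"].hex())
    print(open_envelope(envelope, B_PRIVATE))
```

Only the short session key goes through the slow public key operation; the message itself, whatever its length, is handled by the fast symmetric cipher.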
[Figure: Sender (A): Plain Text -> Encrypt with A’s private key -> Cipher Text -> Network -> Cipher Text -> Decrypt with A’s public key -> Plain Text : Receiver (B)]
Digital Signature
A Digital Signature is a data item that vouches for the origin and the integrity of a Message.

The originator of a message uses a signing key (Private Key) to sign the message and sends the message and its digital signature to a recipient.

The recipient uses a verification key (Public Key) to verify the origin of the message and that it has not been tampered with while in transit.
• Digital signature can be used in all electronic communications
  – Web, e-mail, e-commerce

• It is an electronic stamp or seal that is appended to the document.

• It ensures the document remains unchanged during transmission.
How digital Signature works?

[Figure: User A uses A’s private key to sign the document and transmits it via the Internet. User B receives the document with the signature attached and verifies the signature by A’s public key stored at the directory.]
Digital Signature Generation and Verification
[Figure: Message Sender: Message -> Hash function -> Digest -> Encryption with Private Key -> Signature. Message Receiver: Message -> Hash function -> Digest; Signature -> Decryption with Public Key -> Expected Digest.]
Message Digest or Hash
Message Digest is a fingerprint or the summary of a message.
Message Digest: Some requirements
1. Given a message, it should be very easy to find its corresponding message digest.
[Figure: Original data -> Message digest algorithm -> Message digest]
2. Given a message digest, it should be very difficult to find the original message for which the digest was created.
[Figure: Message digest -> Reverse message digest algorithm -> Original data: must not be possible]
3. Given any two messages, if we calculate their message digests, the two message digests must be different.
[Figure: Original data block-1 and Original data block-2 -> Message Digest Algorithm -> Message digest 1 and Message digest 2: these two message digests must be different]
Dr.Panjabrao Deshmukh Polytechnic,
Shivaji Nagar, Amravati
(Maharashtra Govt-Aided Institute)

Subject : Network & information Security 22620

Unit-5 : 5.4 Public Key Infrastructure

Date :
There is still a problem linked to the “Real Identity” of the Signer.
Why should I trust what the Sender claims to be?

Moving towards PKI …

Public Key Infrastructure (PKI)
A Public Key Infrastructure is an Infrastructure to support and manage Public Key-based Digital Certificates.

PKI is a system that uses public-key encryption and digital certificates to achieve secure Internet services.

There are 4 major parts in PKI.

• Certification Authority (CA)
• A directory Service
• Services, Banks, Web servers
• Business Users
PKI Structure
[Figure: Certification Authority, Directory services, User (Public/Private Keys), and Services, Banks, Webserver]
4 key services
Authentication – Digital Certificate
To identify a user who claims to be who he/she is, in order to access the resource.

Non-repudiation – Digital Signature
To make the user unable to deny that he/she has sent the message, signed the document or participated in a transaction.

Confidentiality - Encryption
To make the transaction secure, so that no one except the communicating parties is able to read/retrieve the ongoing transaction.

Integrity - Encryption
To ensure the information has not been tampered with during transmission.
X509 PKI

Basic Components:
“Provider” Side
• Certificate Authority (CA)
• Registration Authority (RA)
• Certificate Distribution System
“Consumer” Side
• PKI enabled applications


Digital Certificates
A Digital Certificate is data with a digital signature from one trusted Certification Authority (CA).

A Digital Certificate is a binding between an entity’s Public Key and one or more Attributes relating to its Identity.

This data contains:
– Who owns this certificate
– Who signed this certificate
– The expiry date
– User name & email address
It is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets.

Certificates can be issued for a variety of functions such as Web user authentication, Web server authentication, secure e-mail (Secure/Multipurpose Internet Mail Extensions, or S/MIME), Internet Protocol security (IPSec), Transport Layer Security (TLS), and code signing.

It can be used for a variety of electronic transactions including e-mail, electronic commerce, groupware and electronic funds transfers.

Digital Certificates provide a means of proving your identity in electronic transactions.
In conjunction with encryption, Digital Certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.

The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be.

A Digital Certificate is issued by a Certification Authority (CA) and signed with the CA's private key.

You can present a Digital Certificate electronically to prove your identity or your right to access information or services online.
Digital Certificate

[Figure: CERTIFICATE containing Issuer, Subject, Subject Public Key and Issuer Digital Signature]
Structure of Digital Certificate
X.509V3

Version : Identifies a particular version of the X.509 protocol
Certificate Serial Number : Contains a unique integer number, which is generated by the CA
Signature Algorithm Identifier : Identifies the algorithm used by the CA to sign this certificate
Issuer Name : Identifies the Distinguish Name of the CA that created and signed this certificate
Validity (Not Before / Not After) : Contains two date-time values, which specify the timeframe within which the certificate should be considered as valid.
Subject Name : Identifies the Distinguish name of the end entity to whom certificate refers.
Subject Public Key Information : Contains the subject’s public key and algorithms related to that key. This field can never be blank.
Issuer Unique Identifier : Helps identify a CA uniquely if two or more CA’s have used the same Issuer Name over time
Subject Unique Identifier : Helps identify a subject uniquely if two or more subjects have used the same Subject Name over time
Extensions
Certification Authority’s Digital Signature

[Figure labels beside the field list: Version 1, Version 2, Version 3, All Versions]
Certificate Authority (CA)
A CA is a trusted agency that can issue digital certificates
Basic Tasks:

• Key Generation
• Digital Certificate Generation
• Certificate Issuance and Distribution
• Revocation
• Key Backup and Recovery System
• Cross-Certification
Registration Authority (RA)
The RA is the intermediate entity between the end users and the CA, which assists the CA in its day-to-day activities.
Basic Tasks:

• Registration of Certificate Information
  • Face-to-Face Registration
  • Remote Registration
• Generating keys on behalf of the end users
• Accepting and authorizing the request for certificate Revocation

[Figure: End Users -> Registration Authority -> Certification Authority]
Certificate Creation Steps
Key generation -> Registration -> Verification -> Certificate creation
Step 1: Key generation
The action begins with the subject who wants to obtain a certificate. There are two approaches:
a. The subject can create a private key and public key pair using some software.
b. The RA can generate a key pair on the subject’s behalf.

[Figure: Key generation -> Private Key and Public Key; "This would be sent to the RA"]
Step 2: Registration

This step is required only if the user generates the key pair in the first step.

The user sends the public key and the associated registration information and all the evidence to the RA.

For this, the software provides a wizard in which the user enters data and submits it. This data travels over the internet.

The format for certificate requests has been standardized and is called Certificate Signing Request (CSR).
Step 3: Verification

After the registration process is complete, the RA has to verify the user’s credentials. This is in two respects:

a. The RA needs to verify that the user’s credentials, such as the evidence provided, are correct & acceptable.

b. The second check is to ensure that the user who is requesting the certificate does indeed possess the private key corresponding to the public key that is sent as a part of the certificate request to the RA. This check is called Proof of Possession – of the private key.
1. The RA can demand that the user must digitally sign the CSR using the private key.

2. The RA can create a random number challenge, encrypt it with the user’s public key and send the encrypted challenge to the user.

3. The RA can generate a dummy certificate for the user, encrypt it using the user’s public key and send it to the user.
Step 4: Certificate creation

The RA passes on all the details of the user to the CA.

The CA sends the certificate to the user and also retains a copy of the certificate for its own record.
How does the CA sign a digital Certificate
A message digest (hash) of all but the last field of the digital certificate is calculated by the message digest algorithm.

Fields of the digital certificate:
Version
Certificate Serial Number
Signature Algorithm Identifier
Issuer Name
Validity (Not Before / Not After)
Subject Name
Subject Public Key Information
Issuer Unique Identifier
Subject Unique Identifier
Extensions
Certification Authority’s Digital Signature

[Figure: fields Version to Extensions -> Message Digest Algorithm -> Message Digest MD1; MD1 and CA’s private key -> Signature Algorithm -> Digital Signature]

This digital signature of the CA is stored as the last field of the digital certificate.
Verification of Digital Certificate
[Figure: Step 1: the fields Version to Extensions go to the Message Digest Algorithm. Step 2: Message Digest MD1. Step 3: the Digital Signature is taken from the certificate. Step 4: Decryption with the CA’s Public key. Step 5: Message Digest MD2. Step 6: Is MD1 = MD2?]
Verification of Digital Certificate
The verification of a digital certificate consists of the following steps:

1. The user passes all fields except the last one of the received digital certificate to a message digest algorithm.

2. The message digest algorithm calculates a message digest (hash) of all fields of the certificate, except the last one.

3. The user now extracts the digital signature of the CA from the certificate.

4. The user de-signs the CA’s signature i.e. decrypts the signature with the CA’s public key.

5. This produces another message digest MD2.
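
The signing and verification steps above, ending with the MD1 = MD2 comparison from the figure, as an added example that is not part of the original slides. The CA key is unpadded textbook RSA built from two publicly known Mersenne primes, the certificate is a plain dictionary rather than a real X.509 encoding, and all field values are constructed; real certificates use DER encoding and padded signatures.

```python
import hashlib

# Toy CA key pair (assumption of this example; the primes are public).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
CA_PUBLIC = (P * Q, E)
CA_PRIVATE = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))

# Every field except the last one (the CA's digital signature).
FIELDS = ["version", "serial_number", "signature_algorithm", "issuer_name",
          "validity", "subject_name", "subject_public_key",
          "issuer_unique_id", "subject_unique_id", "extensions"]


def digest_of_fields(cert):
    """Message digest of all fields except the CA's signature."""
    h = hashlib.sha256()
    for name in FIELDS:
        value = str(cert.get(name, "")).encode()
        # A length prefix keeps neighbouring fields from running together.
        h.update(len(value).to_bytes(4, "big") + value)
    return int.from_bytes(h.digest(), "big")


def ca_sign(fields, ca_private):
    """CA side: hash the fields (MD1) and sign the digest with the private key.
    The signature is stored as the last field of the certificate."""
    n, d = ca_private
    cert = dict(fields)
    cert["ca_signature"] = pow(digest_of_fields(cert), d, n)
    return cert


def verify(cert, ca_public):
    """User side, following the numbered steps of the slides."""
    n, e = ca_public
    md1 = digest_of_fields(cert)                 # steps 1 and 2
    signature = cert.get("ca_signature")         # step 3
    if not isinstance(signature, int) or not 0 <= signature < n:
        return False                             # missing or malformed signature
    md2 = pow(signature, e, n)                   # steps 4 and 5
    return md1 == md2                            # step 6: is MD1 = MD2?


# Constructed sample certificate fields.
SAMPLE = {
    "version": 3, "serial_number": 1001, "signature_algorithm": "toy-rsa-sha256",
    "issuer_name": "CN=Example Test CA", "validity": "2021-05-17/2022-05-17",
    "subject_name": "CN=user.example.test", "subject_public_key": "placeholder-key",
    "issuer_unique_id": "", "subject_unique_id": "", "extensions": "",
}

if __name__ == "__main__":
    cert = ca_sign(SAMPLE, CA_PRIVATE)
    print(verify(cert, CA_PUBLIC))               # untouched certificate
    forged = dict(cert, subject_name="CN=someone-else.example.test")
    print(verify(forged, CA_PUBLIC))             # any changed field breaks MD1 = MD2
```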
