Lecture Notes-CNS by Suthoju Girija Rani

Cryptography and Network Security NGIT-CSE

Cryptography and Network Security


(PC 604 CS)
UNIT-I
Security Goals, Cryptographic Attacks, Services and Mechanisms, Mathematics
of Cryptography

NETWORK SECURITY
Network security consists of the provisions and policies adopted by a network administrator to
prevent and monitor unauthorized access, misuse, modification, or denial of a computer network
and its network-accessible resources.

Introduction to Cryptography

The term is derived from the Greek word kryptos, which means hidden.
Cryptography is the study of secure communications techniques that allow only the sender and
intended recipient of a message to view its contents.

• Cryptography is the science of writing in secret code so that nobody except the intended
recipient can read the message.

Cryptography is the practice and study of techniques for secure communication in the
presence of third parties. More generally, it is about constructing and analyzing protocols
that overcome the influence of attackers or outside parties and that relate to various
aspects of information security such as data confidentiality, data integrity, authentication,
and non-repudiation. Applications of cryptography include ATM cards and computer passwords.

Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography
enables you to store sensitive information or transmit it across insecure networks (like the Internet)
so that it cannot be read by anyone except the intended recipient.


Cryptography is the study and practice of techniques for secure communication in the presence of
third parties called adversaries. It deals with developing and analyzing protocols that prevent
malicious third parties from retrieving information shared between two entities, thereby
upholding the various aspects of information security. Secure communication refers to the scenario
where the message or data shared between two parties cannot be accessed by an adversary. In
cryptography, an adversary is a malicious entity that aims to retrieve valuable information or
data, thereby undermining the principles of information security. The PAIN principles (Privacy,
Integrity, Authentication and Non-repudiation) are the core principles of modern-day cryptography.

Privacy refers to certain rules and guidelines usually executed under confidentiality agreements
which ensure that the information is restricted to certain people or places.

Integrity refers to maintaining and making sure that the data stays accurate and consistent over its
entire life cycle.

Authentication is the process of making sure that a piece of data claimed by a user really
belongs to that user.

Non-repudiation refers to the ability to make sure that a person or a party associated with a contract
or a communication cannot deny the authenticity of their signature over their document or the
sending of a message.

SUTHOJU GIRIJA RANI, Assistant Professor. 3

Encryption and Decryption:


Consider two parties, Alice and Bob. Alice wants to send a message m to Bob over a secure
channel. What happens is as follows. The sender's message, also called the plaintext, is
converted into an unreadable form using a key k. The resulting text is called the
ciphertext, and this process is known as encryption. On receipt, the ciphertext is
converted back into the plaintext using the same key k, so that it can be read by the receiver. This
process is known as decryption.

For example:

Plaintext : hellongitkmec
Ciphertext : ifmmpohjulnfd

Types of Cryptography:
There are several types of cryptography, each with its own unique features and applications. Some
of the most common types of cryptography include:

1. Symmetric-key cryptography: This type of cryptography involves the use of a single key to
encrypt and decrypt data. Both the sender and receiver use the same key, which must be kept secret
to maintain the security of the communication.

2. Asymmetric-key cryptography: Asymmetric-key cryptography, also known as public-key
cryptography, uses a pair of keys, a public key and a private key, to encrypt and decrypt data.
The public key is available to anyone, while the private key is kept secret by the owner.

3. Hash functions: A hash function is a mathematical algorithm that converts data of any size into a
fixed-size output. Hash functions are often used to verify the integrity of data and ensure that it has
not been tampered with.


Applications of Cryptography:

Cryptography has a wide range of applications in modern-day communication, including:

Secure online transactions: Cryptography is used to secure online transactions, such as online
banking and e-commerce, by encrypting sensitive data and protecting it from unauthorized access.

Digital signatures: Digital signatures are used to verify the authenticity and integrity of digital
documents and ensure that they have not been tampered with.
Password protection: Passwords are often encrypted using cryptographic algorithms to protect them
from being stolen or intercepted.
Military and intelligence applications: Cryptography is widely used in military and intelligence
applications to protect classified information and communications.

Challenges of Cryptography:
While cryptography is a powerful tool for securing information, it also presents several challenges,
including:

Key management: Cryptography relies on the use of keys, which must be managed carefully to
maintain the security of the communication.

Along with these there are many challenges as listed below:

• Not simple: easy to get it wrong
• Must consider potential attacks
• Procedures used are counter-intuitive
• Involve algorithms and secret information
• Must decide where to deploy mechanisms
• Battle of wits between attacker and admin
• Not perceived to be of benefit until it fails
• Requires regular monitoring: a process, not an event

TERMINOLOGY OF CNS
• Plaintext - the original message
• Ciphertext - the coded message
• Cipher - algorithm for transforming plaintext to ciphertext
• Key - information used in the cipher, known only to sender/receiver
• Encipher (encrypt) - converting plaintext to ciphertext
• Decipher (decrypt) - recovering plaintext from ciphertext
• Cryptography - study of encryption principles/methods
• Cryptanalysis (code breaking) - the study of principles/methods of deciphering ciphertext without
knowing the key
• Cryptology - the field of both cryptography and cryptanalysis

MODEL FOR NETWORK SECURITY



SECURITY GOALS

SECURITY ATTACKS
Accessing of data by an unauthorized entity is called an attack. Attacks are divided into:

• Passive attacks
• Active attacks

Passive Attacks: In a passive attack, the attacker's goal is just to obtain information. This means that
the attack does not modify data or harm the system.

Active Attacks: An active attack may change the data or harm the system. Attacks that threaten
integrity and availability are active attacks.


Passive Attacks
(a) Release of message content - capture and read the contents of transmissions.
(b) Traffic Analysis -
• cannot read the information, but observes the pattern
• determines the location and identity of communicating parties
• observes frequency and length of communication

Active Attacks
(a) Masquerading: Masquerading or spoofing happens when the attacker impersonates somebody else.
(b) Replay: The attacker obtains a copy of a message sent by a user and later tries to replay it.

(c) Modification: After intercepting or accessing information, the attacker modifies the
information and then sends it to the receiver.
(d) Denial of service: Denial of service (DoS) is a very common attack. It may slow down or totally
interrupt the service of a system.

Cryptographic Attack Categories

Cryptographic attacks can be broadly categorized into two distinct types:
• Cryptanalytic
• Non-cryptanalytic

Cryptanalytic Attacks:
• These attacks are combinations of statistical and algebraic techniques aimed at discovering
the secret key of a cipher.
• The attacker guesses the key and looks for a distinguishing property. If the property
is detected, the guess is correct; otherwise the next guess is tried.

Non-Cryptanalytic Attacks:
• The other type of attacks are non-cryptanalytic attacks, which do not exploit
the mathematical weakness of the cryptographic algorithm.

SERVICES AND MECHANISMS

Security Services
ITU-T (X.800) defines security services, provided at the protocol layers of transmission, that ensure
the security of data transfer.

• Data Confidentiality: It is designed to protect data from disclosure attacks. That is, it is
designed to prevent snooping and traffic analysis attacks.
• Data Integrity: It is designed to protect data from modification, insertion, deletion
and replaying by an adversary.
• Authentication: It provides the authentication of the party at the other end of the line.
• Non-repudiation: It protects against repudiation by either the sender or the receiver of the data.
• Access Control: It provides protection against unauthorized access to data.

Security Mechanisms:
ITU-T recommends security mechanisms to provide the security services.

• Encipherment: The use of mathematical algorithms to transform data into a form that is not
readily understandable.
• Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of
data units.
• Digital Signature: A digital signature is a means by which the sender can electronically sign
the data and the receiver can electronically verify the signature.
• Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of
information exchange.
• Routing Control: Enables selection of particular physically secure routes for certain data
and allows routing changes, especially when a breach of security is suspected.
• Traffic Padding: Inserting bogus data to prevent traffic analysis.
• Notarization: The use of a trusted third party to assure certain properties of a data exchange.
• Access Control: A variety of mechanisms that enforce access rights to resources.

Relation between Security Services and Mechanisms
➢ Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security
attack.
➢ Security Service: A service that enhances the security of data processing systems and
information transfers. A security service makes use of one or more security mechanisms.
MATHEMATICS OF CRYPTOGRAPHY

Integer Arithmetic: In integer arithmetic, we use a set and a few operations.

➢ Set of Integers: The set of integers, denoted by Z, contains all integral numbers
(with no fraction) from negative infinity to positive infinity.

➢ Binary Operations: A binary operation takes two inputs and creates one output. Three common
binary operations defined for integers are addition, subtraction and multiplication.


➢ Examples:
Add: 5 + 9 = 14, (-5) + 9 = 4, 5 + (-9) = -4
Subtract: 5 - 9 = -4, (-5) - 9 = -14, 5 - (-9) = 14
Multiply: 5 x 9 = 45, (-5) x 9 = -45, 5 x (-9) = -45

Integer Division: If we divide a by n, we get q and r. The relationship between these four integers can be
shown as
a = q x n + r
where a is the dividend, n is the divisor, q is the quotient and r is the remainder.
➢ Example: Assume that a = 255 and n = 11. We can find q = 23 and r = 2 using the division
algorithm (255 = 23 x 11 + 2).

Two Restrictions:
• First, we require that the divisor be a positive integer (n > 0).
• Second, we require that the remainder be a non-negative integer (r ≥ 0).

Examples: Assume r and q are negative when 'a' is negative.
• To make r positive, decrement q by 1 and add the value of n to r.
• Consider -255 = (-23 x 11) + (-2) ↔ -255 = (-24 x 11) + 9
• We have decremented -23 to -24 and added 11 to -2 to make 9. The relation is still
valid.

Divisibility:
If a is not zero and we let r = 0 in the division relation, we get a = q x n.
We then say that n divides a (or n is a divisor of a). We can also say that a is divisible by n. This
is written as n | a.
If the remainder is not zero, then n does not divide a, and we write the relationship as n ∤ a.
➢ Examples: The integer 4 divides the integer 32 because 32 = 8 x 4. We show this as 4 | 32.
➢ The number 8 does not divide the number 42 because 42 = 5 x 8 + 2. There is a remainder,
the number 2, in the equation. We show this as 8 ∤ 42.
➢ Examples:
1) Since 3 | 15 and 15 | 45, according to the third property, 3 | 45.
2) Since 3 | 15 and 3 | 9, according to the fourth property, 3 | (15 x 2 + 9 x 4), which means 3 | 66.

Greatest Common Divisor (GCD)

The greatest common divisor of two positive integers is the largest integer that can divide both integers.
Example: The GCD of 15 and 20 is 5, because the divisors of 15 are 3, 5 and the divisors of 20 are
2, 4, 5, 10; the largest divisor they have in common is 5.

➢ Euclidean Algorithm:
➢ The Euclidean algorithm is used to find the greatest common divisor (gcd) of two positive
integers. The Euclidean algorithm is based on the following two facts:
• Fact 1: gcd(a, 0) = a
• Fact 2: gcd(a, b) = gcd(b, r), where r is the remainder of dividing a by b
• When gcd(a, b) = 1, we say that a and b are relatively prime.

Example: gcd(36, 10) = ?
Solution: gcd(36, 10) = gcd(10, 6) = gcd(6, 4) = gcd(4, 2) = gcd(2, 0) = 2

Example: gcd(2740, 1760) = ?
Solution: We initialize r1 to 2740 and r2 to 1760 and apply Fact 2 repeatedly:
gcd(2740, 1760) = gcd(1760, 980) = gcd(980, 780) = gcd(780, 200) = gcd(200, 180) = gcd(180, 20) = gcd(20, 0)
Answer: gcd(2740, 1760) = 20


Extended Euclidean Algorithm

➢ Given two integers a and b, we often need to find two other integers, s and t, such that
s x a + t x b = gcd(a, b).
➢ The Extended Euclidean Algorithm can calculate gcd(a, b) and at the same time
calculate the values of s and t.

Example: Given a = 161 and b = 28, find gcd(a, b) and the values of s and t.
Solution: In each step we compute q = r1 div r2 and update r = r1 - q x r2, t = t1 - q x t2,
s = s1 - q x s2. We use a table to follow the algorithm:

q   r1    r2    r     s1   s2   s     t1   t2   t
5   161   28    21    1    0    1     0    1    -5
1   28    21    7     0    1    -1    1    -5   6
3   21    7     0     1    -1   4     -5   6    -23
    7     0           -1   4          6    -23

We get gcd(161, 28) = 7, s = -1 and t = 6 (check: (-1) x 161 + 6 x 28 = -161 + 168 = 7).

Linear Diophantine Equations

An equation of the type ax + by = c with integer variables x and y is called a Linear Diophantine Equation.
The Extended Euclidean algorithm is used to find solutions to Linear Diophantine Equations.
This type of equation has either no solution or an infinite number of solutions. Let d = gcd(a, b). If d ∤ c, then
the equation has no solution.
If d | c, then we have an infinite number of solutions (one is particular and the rest are general solutions).
Particular Solution: If d | c, a particular solution to the above equation can be found using the following steps:
• Reduce the equation to a1x + b1y = c1 by dividing both sides of the equation by d. This is
possible because d divides a, b, and c by the assumption.
• Solve for s and t in the relation a1s + b1t = 1 using the extended Euclidean algorithm.
• The particular solution: x0 = (c/d)s and y0 = (c/d)t
General Solutions: After finding the particular solution, the general solutions can be found as x = x0 + k(b/d)
and y = y0 - k(a/d), where k is an integer.
Example: Find the particular and general solutions to the equation
21x + 14y = 35.
The given equation 21x + 14y = 35 is of the form ax + by = c with a = 21, b = 14, c = 35.
d = gcd(a, b) = gcd(21, 14) [apply the Euclidean algorithm: 1. gcd(a, 0) = a; 2. gcd(a, b) = gcd(b, r), where r is the remainder]
= gcd(14, 7)
= gcd(7, 0) = 7
so d = 7. Note: d | c, i.e. 7 | 35 (7 divides 35),
so there is one particular solution and infinitely many general solutions.
Particular Solution:
21x + 14y = 35 ①
Divide both sides of ① by 7:
3x + 2y = 5 ②
Using the Extended Euclidean Algorithm, find s and t such that 3s + 2t = 1 (ref. s x a + t x b = gcd(a, b)).
Find gcd(3, 2) with r1 = 3 and r2 = 2, using r = r1 - r2 x q, s = s1 - s2 x q, t = t1 - t2 x q:
q = 1: r = 3 - 2 x 1 = 1, s = 1 - 0 x 1 = 1, t = 0 - 1 x 1 = -1
q = 2: r = 2 - 1 x 2 = 0, so the algorithm stops with gcd(3, 2) = 1, s = 1, t = -1 (check: 3 x 1 + 2 x (-1) = 1).

As per the particular solution, x0 = (c/d)s and y0 = (c/d)t.

Substituting a = 21, b = 14, c = 35, d = 7: x0 = (35/7) x 1 = 5
y0 = (35/7) x (-1) = -5

General Solution:
x = x0 + k(b/d) and y = y0 - k(a/d), where k is an integer: x = 5 + k(14/7); y = -5 - k(21/7)

x = 5 + 2k, y = -5 - 3k

Here k is an integer; for k = 0, 1, 2, 3, 4, ... substitute k in the above:

(5, -5), (7, -8), (9, -11), ... are solutions to the given equation.
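The extended Euclidean table for a = 161, b = 28 and the Diophantine steps for 21x + 14y = 35, worked in code as an added example that is not part of the original notes: `egcd` implements the r, s, t update rules of the table, `solve_diophantine` carries out the three particular-solution steps and the general-solution formula. The function names are my own.

```python
# Extended Euclidean algorithm and linear Diophantine equations, following
# the r = r1 - q*r2, s = s1 - q*s2, t = t1 - q*t2 table method from the notes.


def egcd(a, b):
    """Return (d, s, t) with d = gcd(a, b) and s*a + t*b = d."""
    r1, r2 = a, b      # remainders
    s1, s2 = 1, 0      # coefficients of a
    t1, t2 = 0, 1      # coefficients of b
    while r2 != 0:
        q = r1 // r2
        r1, r2 = r2, r1 - q * r2
        s1, s2 = s2, s1 - q * s2
        t1, t2 = t2, t1 - q * t2
    return r1, s1, t1  # when r2 reaches 0, r1 is the gcd (Fact 1: gcd(a, 0) = a)


def egcd_table(a, b):
    """Rows (q, r1, r2, r, s1, s2, s, t1, t2, t), one per step, as in the notes' table."""
    rows = []
    r1, r2, s1, s2, t1, t2 = a, b, 1, 0, 0, 1
    while r2 != 0:
        q = r1 // r2
        r, s, t = r1 - q * r2, s1 - q * s2, t1 - q * t2
        rows.append((q, r1, r2, r, s1, s2, s, t1, t2, t))
        r1, r2, s1, s2, t1, t2 = r2, r, s2, s, t2, t
    return rows


def solve_diophantine(a, b, c):
    """Solve a*x + b*y = c over the integers.

    Returns None when gcd(a, b) does not divide c (no solution); otherwise
    ((x0, y0), (dx, dy)): the particular solution and the step, so that
    x = x0 + k*dx, y = y0 + k*dy for every integer k.
    """
    d = egcd(a, b)[0]
    if c % d != 0:                        # d does not divide c: no solution
        return None
    a1, b1 = a // d, b // d               # step 1: reduce to a1*x + b1*y = c1
    _, s, t = egcd(a1, b1)                # step 2: a1*s + b1*t = 1
    x0, y0 = (c // d) * s, (c // d) * t   # step 3: particular solution
    return (x0, y0), (b // d, -(a // d))  # general: x = x0 + k(b/d), y = y0 - k(a/d)


def kth_solution(a, b, c, k):
    """The solution (x, y) for a given integer k, or None if the equation has none."""
    sol = solve_diophantine(a, b, c)
    if sol is None:
        return None
    (x0, y0), (dx, dy) = sol
    return x0 + k * dx, y0 + k * dy


if __name__ == "__main__":
    print(egcd(161, 28))                   # (7, -1, 6): -1*161 + 6*28 = 7
    for row in egcd_table(161, 28):
        print(row)
    print(solve_diophantine(21, 14, 35))   # ((5, -5), (2, -3))
    print([kth_solution(21, 14, 35, k) for k in range(3)])  # (5,-5), (7,-8), (9,-11)
```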

Modular Arithmetic

The division relationship (a = q x n + r) has two inputs (a and n) and two outputs (q and r). In modular
arithmetic, we are interested in only one of the outputs, the remainder r.
Modulo Operator:
• The modulo operator is shown as mod.
• The second input (n) is called the modulus.
• The output r is called the residue.

The modulo operator (mod) takes an integer (a) from the set Z and a positive modulus (n). The operator creates
a non-negative residue (r):
a mod n = r
CONGRUENCE (≡)

If two numbers A and B have the property that their difference A - B is integrally divisible by a number C (i.e.,
(A - B)/C is an integer), then A and B are said to be "congruent modulo C." The number C is called the
modulus, and the statement "A is congruent to B (modulo C)" is written mathematically as
A ≡ B (mod C)
This says that "A is congruent to B modulo C".

Example 2:
-8 ≡ 12 (mod 10), 2 ≡ 12 (mod 10), 12 ≡ 22 (mod 10), 22 ≡ 32 (mod 10)

RESIDUE CLASSES

A residue class [a] is the set of integers congruent modulo n. In other words, it is the set of all integers x such
that x ≡ a (mod n).

For example, if n = 5, we have five sets [0], [1], [2], [3], [4], as shown below:

[0] = {..., -15, -10, -5, 0, 5, 10, 15, ...}
[1] = {..., -14, -9, -4, 1, 6, 11, 16, ...}
[2] = {..., -13, -8, -3, 2, 7, 12, 17, ...}
[3] = {..., -12, -7, -2, 3, 8, 13, 18, ...}
[4] = {..., -11, -6, -1, 4, 9, 14, 19, ...}

From each set we take one least (non-negative) residue: 0 in [0], 1 in [1], 2 in [2], 3 in [3] and 4 in [4].
The set of these residues is shown as
Z5 = {0, 1, 2, 3, 4}

Applications:
We use a clock to measure time. Our clock system uses modulo 12 arithmetic. However, instead of 0 we use 12.

Operations in Zn

The three binary operations (addition, subtraction and multiplication) are defined for the set Zn.


Example 2
Perform the following operations:
a. Add 17 to 27 in Z14:
(17 + 27) mod 14 = 44 mod 14 = 2
b. Subtract 34 from 12 in Z13:
(12 - 34) mod 13 = (-22) mod 13 = -9 → (-9 + 13) = 4
c. Multiply 123 by -10 in Z20:
(123 x (-10)) mod 20 = (-1230) mod 20 = -10 → (-10 + 20) = 10

Property 1:
(a + b) mod n = [(a mod n) + (b mod n)] mod n
(4 + 5) mod 2 = [(4 mod 2) + (5 mod 2)] mod 2
9 mod 2 = [0 + 1] mod 2
1 = 1
Property 2:
(a - b) mod n = [(a mod n) - (b mod n)] mod n
(4 - 5) mod 2 = [(4 mod 2) - (5 mod 2)] mod 2
(-1) mod 2 = [0 - 1] mod 2
1 = 1
Property 3:
(a x b) mod n = [(a mod n) x (b mod n)] mod n
(4 x 5) mod 2 = [(4 mod 2) x (5 mod 2)] mod 2
20 mod 2 = [0 x 1] mod 2
0 = 0
INVERSES
When we are working in modular arithmetic, we often need to find the inverse of a number relative to an operation.
Two types of inverses are used in modular arithmetic:
• Additive inverse (relative to the addition operation).
• Multiplicative inverse (relative to the multiplication operation).

Note: In modular arithmetic, each integer has an additive inverse.
• The sum of an integer and its additive inverse is congruent to 0 modulo n.

It can be proved that 'a' has a multiplicative inverse in Zn iff gcd(n, a) = 1 (in this case 'a' and n are said to be
relatively prime).

Example 1: Find the multiplicative inverse of 8 in Z10.
Solution: gcd(10, 8) = 2 ≠ 1, so 8 has no multiplicative inverse in Z10.

Example 2: Find all multiplicative inverses in Z10.
Solution: Only 1, 3, 7 and 9 are relatively prime to 10. The inverse pairs are (1, 1), (3, 7) and (9, 9).

Example 3: Find the multiplicative inverse of 23 in Z100.
Solution: gcd(100, 23) = 1, and 23 x 87 = 2001 = 20 x 100 + 1, so the inverse of 23 in Z100 is 87.


Addition and Multiplication Tables:

In the addition table, each integer has an additive inverse. The inverse pairs can be found where the result of
addition is zero. In Figure 2.16 we have (0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5).
In the multiplication table, the pairs can be found wherever the result of multiplication is 1. In the figure we have
(1, 1), (3, 7) and (9, 9).

Fig: Addition and multiplication tables in Z10

Note: We need to use Zn when additive inverses are needed; we need to use Z*n when multiplicative inverses
are needed.

Two more Sets:
Cryptography often uses two more sets: Zp and Z*p.
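The Zn operations of Example 2, the three mod properties, and the inverse examples in Z10 and Z100 above, worked in code as an added example that is not part of the original notes. It assumes Python 3.8 or later for the built-in modular inverse pow(a, -1, n); the function names are my own.

```python
# Arithmetic in Z_n, additive and multiplicative inverses, and the sets Z_n / Z*_n.
# Assumes Python 3.8+ for pow(a, -1, n) (built-in modular inverse).
from math import gcd


def add_mod(a, b, n):
    return (a + b) % n          # Python's % always returns a non-negative residue


def sub_mod(a, b, n):
    return (a - b) % n          # (12 - 34) % 13 == 4, no manual "+ n" step needed


def mul_mod(a, b, n):
    return (a * b) % n


def additive_inverse(a, n):
    """The b in Z_n with (a + b) mod n == 0; it always exists."""
    return (-a) % n


def multiplicative_inverse(a, n):
    """The b in Z_n with (a * b) mod n == 1, or None if gcd(a, n) != 1."""
    if gcd(a % n, n) != 1:      # an inverse exists iff a and n are relatively prime
        return None
    return pow(a, -1, n)


def units(n):
    """Z*_n: the elements of Z_n that have a multiplicative inverse."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def additive_inverse_pairs(n):
    """Unordered pairs (a, b) with a + b ≡ 0 (mod n), as read from the addition table."""
    return sorted({tuple(sorted((a, additive_inverse(a, n)))) for a in range(n)})


def multiplicative_inverse_pairs(n):
    """Unordered pairs (a, b) with a * b ≡ 1 (mod n), as read from the multiplication table."""
    return sorted({tuple(sorted((a, multiplicative_inverse(a, n)))) for a in units(n)})


def check_mod_properties(a, b, n):
    """Verify the three properties (a op b) mod n == [(a mod n) op (b mod n)] mod n."""
    return (add_mod(a, b, n) == add_mod(a % n, b % n, n)
            and sub_mod(a, b, n) == sub_mod(a % n, b % n, n)
            and mul_mod(a, b, n) == mul_mod(a % n, b % n, n))


if __name__ == "__main__":
    print(add_mod(17, 27, 14), sub_mod(12, 34, 13), mul_mod(123, -10, 20))  # 2 4 10
    print(multiplicative_inverse(8, 10))                 # None: gcd(8, 10) = 2
    print(units(10), multiplicative_inverse_pairs(10))   # [1, 3, 7, 9] [(1, 1), (3, 7), (9, 9)]
    print(additive_inverse_pairs(10))                    # [(0, 0), (1, 9), (2, 8), (3, 7), (4, 6), (5, 5)]
    print(multiplicative_inverse(23, 100))               # 87, since 23 * 87 = 2001 = 20 * 100 + 1
```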

MATRICES
A matrix is a rectangular array of l x m elements, in which
l is the number of rows and
m is the number of columns.
A matrix is normally denoted with an uppercase letter such as A. The element aij is
located in the ith row and jth column.

DIFFERENT TYPES OF MATRICES

OPERATIONS AND RELATIONS
Relation operation:
Equality:
If two matrices are of equal size and their contents are the same, then they are equal.
Four operations:
1. Addition
2. Subtraction
3. Multiplication
4. Scalar multiplication

Examples:
Addition: cij = aij + bij


Subtraction: cij = aij - bij

Multiplication

Examples:

Multiplying the unit (identity) matrix with a matrix gives the same matrix:
A x I = I x A = A

DETERMINANT
If A is a square matrix of m x m, then the determinant of A is det(A),
where Aij is the matrix obtained from A by deleting the ith row and jth column. The determinant is
defined only for square matrices.

Det (2x2) matrix

Example: det (3x3) matrix


MATRICES - Inverses
Additive Inverse
The additive inverse of the matrix A is another matrix B such that A + B = 0. In other words, bij = -aij.
Generally the additive inverse of A is -A.
Multiplicative Inverse:
The multiplicative inverse of a square matrix A is a matrix B such that A x B = I.
Normally the multiplicative inverse of A is denoted by A^-1.
The multiplicative inverse is defined only for square matrices.

Residue Matrices

Example: Find A^-1 modulo a given value.
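A residue-matrix inverse worked in code, as an added example that is not part of the original notes (the notes' own problem figure is not reproduced): the inverse is (det A)^-1 x adj(A) mod n and exists only when gcd(det A, n) = 1. The matrices in Z26 are constructed for this illustration, Python 3.8 or later is assumed for pow(d, -1, n), and the function names are my own.

```python
# Multiplicative inverse of a square matrix in Z_n (a "residue matrix"):
# A^-1 = (det A)^-1 * adj(A) mod n, which exists iff gcd(det A, n) = 1.
# Assumes Python 3.8+ for pow(d, -1, n).
from math import gcd


def minor(m, i, j):
    """Matrix obtained from m by deleting row i and column j."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def det_mod(m, n):
    """det(m) mod n by cofactor expansion along the first row."""
    size = len(m)
    if size == 1:
        return m[0][0] % n
    total = 0
    for j in range(size):
        total += (-1) ** j * m[0][j] * det_mod(minor(m, 0, j), n)
    return total % n


def inverse_mod(m, n):
    """A^-1 in Z_n, or None when det(A) has no multiplicative inverse mod n."""
    size = len(m)
    d = det_mod(m, n)
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    # adjugate = transpose of the cofactor matrix: adj[i][j] = (-1)^(i+j) det(minor(A, j, i))
    adj = [[(-1) ** (i + j) * det_mod(minor(m, j, i), n) for j in range(size)]
           for i in range(size)]
    return [[(d_inv * adj[i][j]) % n for j in range(size)] for i in range(size)]


def mat_mul_mod(a, b, n):
    """Product of two square matrices with every entry reduced mod n."""
    size = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(size)) % n for j in range(size)]
            for i in range(size)]


def is_identity(m):
    size = len(m)
    return all(m[i][j] == (1 if i == j else 0) for i in range(size) for j in range(size))


# Constructed sample matrices (not from the notes), worked in Z_26.
A2 = [[3, 2], [5, 7]]                           # det = 11, gcd(11, 26) = 1: invertible
B2 = [[1, 2], [3, 4]]                           # det = -2 ≡ 24, gcd(24, 26) = 2: no inverse in Z_26
A3 = [[6, 24, 1], [13, 16, 10], [20, 17, 15]]   # det = 441 ≡ 25 (mod 26): invertible

if __name__ == "__main__":
    print(inverse_mod(A2, 26))     # [[3, 14], [9, 5]]
    print(inverse_mod(B2, 26))     # None, although B2 is invertible over the reals
    print(is_identity(mat_mul_mod(A3, inverse_mod(A3, 26), 26)))   # True
```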
UNIT-II
Symmetric Encryption
Classification of Cryptography, Introduction to symmetric cryptography, Mathematics of
Symmetric Key Cryptography, Introduction to Modern Symmetric Key Ciphers, Data Encryption
Standard, Advanced Encryption Standard.

Classification of Cryptography
Cryptography is a technique of securing information and communications through the use of codes,
thus preventing unauthorized access to information. The prefix "crypt" means "hidden" and the
suffix "graphy" means "writing".

Cryptography Types
1) Symmetric Key Cryptography:
The sender and receiver of message use a single common key to encrypt and decrypt messages.
2) Asymmetric Key Cryptography:
A pair of keys is used to encrypt and decrypt information. A public key is used for encryption and a
private key is used for decryption. Even if the public key is known by everyone, only the intended
receiver can decode the message, because he alone knows the private key.
3) Hash Functions:
No key is used in this algorithm. A hash value of fixed length is calculated from the plaintext,
which makes it impossible to recover the contents of the plaintext.

Classification is based on the following points:

• Number of keys used
  – Hash functions: no key
  – Secret key cryptography: one key
  – Public key cryptography: two keys (public, private)
• Type of encryption operations used
  – substitution / transposition / product
• Way in which plaintext is processed
  – block / stream

Steganography
• An alternative to encryption
• Hides the existence of a message
  – using only a subset of letters/words in a longer message, marked in some way
  – using invisible ink
  – hiding in a graphic image or sound file
• Has drawbacks
  – high overhead to hide relatively few information bits

Introduction to Symmetric Encryption

Kerckhoff's Principle

It states that the security of a cryptographic system shouldn't rely on the secrecy of the
algorithm. Instead, it should be based on the secrecy of the cryptographic key.

Cryptanalysis
As cryptography is the science and art of creating secret codes, cryptanalysis is the
science and art of breaking those codes.


Ciphertext Only attack
- Brute-force attack and statistical attack

Known Plaintext attack
- Tries to find the next secret message

Chosen Plaintext attack

Chosen Ciphertext attack

Stream ciphers
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
Examples of classical stream ciphers are the autokeyed Vigenère cipher and the
Vernam cipher.


Block ciphers
A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is
used.

Mathematics of Symmetric Key Cryptography

Algebraic Structures:
Cryptography requires sets of integers and specific operations that are defined for those sets. The
combination of the set and the operations that are applied to the elements of the set is called an
algebraic structure.


1. Groups

A group (G) is a set of elements with a binary operation "•", usually addition or multiplication, that satisfies
four properties (axioms).
• A commutative group, also called an abelian group, is a group in which the operator satisfies the
four properties for groups plus an extra property, commutativity.
• Closure Property: If a and b are elements of G, then c = a • b is also an element of G.
• Associativity Property: If a, b, and c are elements of G, then (a • b) • c = a • (b • c).
• Existence of Identity Property: For all a in G, there exists an element e, called the identity element,
such that e • a = a • e = a.
• Existence of Inverse Property: For each a in G, there exists an element a⁻¹, called the inverse of a,
such that a • a⁻¹ = a⁻¹ • a = e.
• Commutativity Property: For all a and b in G, we have a • b = b • a.
EXAMPLE 1
The set of residue integers with the addition operator, G = <Zn, +>, is a commutative group.
1. Closure is satisfied. The result of adding two integers in Zn is another integer in Zn.
2. Associativity is satisfied. The result of 4 + (3 + 2) is the same as (4 + 3) + 2.
3. Commutativity is satisfied. We have 3 + 4 = 4 + 3.
4. The identity element is 0. We have 3 + 0 = 0 + 3 = 3.
5. Every element has an additive inverse. The inverse of 3 is 7 ((3 + 7) mod 10 = 0 mod 10 in Z10) and the
inverse of 7 is 3 ((7 + 3) mod 10 = 0 mod 10 in Z10), so the inverse property is satisfied.
EXAMPLE 2
The set Zn* with the multiplication operator, G = <Zn*, x>, is also an abelian group. We can perform
multiplication and division on the elements. The identity element is 1.

Finite Group: A group is called a finite group if the set has a finite number of elements; otherwise, it is an
infinite group.

Order of a Group: The order of a group, |G|, is the number of elements in the group. If the group is not
finite, its order is infinite; if the group is finite, the order is finite.

Subgroups: A subset H of a group G is a subgroup of G if H itself is a group with respect to the
operation on G. In other words, if G = <S, •> is a group, H = <T, •> is a group
under the same operation, and T is a non-empty subset of S, then H is a subgroup of G. The above
definition implies that:
1. If a and b are members of both groups, then c = a • b is also a member of both groups.
2. The groups share the same identity element.
3. If a is a member of both groups, the inverse of a is also a member of both groups.
4. The group made with the identity element of G, H = <{e}, •>, is a subgroup of G.
5. Each group is a subgroup of itself.

Cyclic Subgroup: If a subgroup of a group can be generated using the power of an element, the subgroup is
called a cyclic subgroup.
The term power means repeatedly applying the group operation to the element:
a^n -> a • a • a • ... • a (n times)
Example: The group G = <Z3, +> contains cyclic subgroups generated by 0, 1 and 2.
If generated using 0: 0^0 mod 3 = 0, 0^1 mod 3 = 0, 0^2 mod 3 = 0. So, H1 = <{0}, +>.
If generated using 1: 1^0 mod 3 = 0, 1^1 mod 3 = 1, 1^2 mod 3 = (1 + 1) mod 3 = 2. So, H2 = G.
If generated using 2: 2^0 mod 3 = 0, 2^1 mod 3 = 2, 2^2 mod 3 = (2 + 2) mod 3 = 1. So, H3 = G.
Cyclic Group: A cyclic group is a group that is its own cyclic subgroup. The element that generates the cyclic
subgroup can also generate the group itself. This element is referred to as the generator 'g'.
Example: In the previous example, the group G = <Z3, +> is a cyclic group with two generators, g = 1 and g = 2.
Lagrange's Theorem:

It relates the order of a group to the order of its subgroup. Assume that G is a group and H is its subgroup.
If the orders of G and H are |G| and |H|, respectively, then based on this theorem |H| divides |G|.
EXAMPLE: As per the previous cyclic subgroup example, |H1| = 1, |H2| = 3, |H3| = 3. Obviously, all of
these orders divide the order |G| = 3.

Example:
In the group G = <Z3, +>, ord(0) = 1, ord(1) = 3, ord(2) = 3.
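The cyclic subgroups, generators, element orders and Lagrange check above, as an added example that is not part of the original notes; it generalizes the <Z3, +> case to any finite group given as (elements, operation, identity), including <Z10, +> and <Z*10, x>. The function names are my own.

```python
# Cyclic subgroups, element orders, generators and Lagrange's theorem for finite
# groups represented as (elements, operation, identity).
# Constructed examples: <Z_3, +>, <Z_10, +> and <Z*_10, x>.
from math import gcd


def additive_group(n):
    """<Z_n, +>: elements, operation, identity."""
    return list(range(n)), (lambda a, b: (a + b) % n), 0


def multiplicative_group(n):
    """<Z*_n, x>: the elements relatively prime to n, under multiplication mod n."""
    return [a for a in range(1, n) if gcd(a, n) == 1], (lambda a, b: (a * b) % n), 1


def cyclic_subgroup(g, op, identity):
    """Elements generated by the powers g^0 = e, g^1, g^2, ... until the identity reappears."""
    elements = [identity]
    x = op(identity, g)          # g^1
    while x != identity:         # in a finite group the powers of g return to e
        elements.append(x)
        x = op(x, g)             # next power: apply the operation once more
    return elements


def order(g, op, identity):
    """ord(g) = number of elements in the cyclic subgroup generated by g."""
    return len(cyclic_subgroup(g, op, identity))


def generators(group):
    """Elements whose cyclic subgroup is the whole group."""
    elements, op, identity = group
    return [g for g in elements if len(cyclic_subgroup(g, op, identity)) == len(elements)]


def is_cyclic(group):
    return len(generators(group)) > 0


def lagrange_holds(group):
    """Lagrange: the order of every cyclic subgroup <g> divides |G|."""
    elements, op, identity = group
    return all(len(elements) % order(g, op, identity) == 0 for g in elements)


if __name__ == "__main__":
    elements, plus, zero = additive_group(3)
    print([cyclic_subgroup(g, plus, zero) for g in elements])   # [[0], [0, 1, 2], [0, 2, 1]]
    print(generators(additive_group(3)))                        # [1, 2]
    units, times, one = multiplicative_group(10)
    print(units, [order(g, times, one) for g in units])         # [1, 3, 7, 9] [1, 4, 4, 2]
    print(generators(multiplicative_group(10)), lagrange_holds(multiplicative_group(10)))  # [3, 7] True
```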
2. RING
A ring, denoted as R = <{...}, •, □>, is an algebraic structure with two operations (addition and
multiplication).
The first operation must satisfy all five properties required for an abelian group.
The second operation must satisfy only the first two.
In addition, the second operation must be distributive over the first operation.
Distributivity means that for all a, b and c elements of R, we have
a □ (b • c) = (a □ b) • (a □ c) and (a • b) □ c = (a □ c) • (b □ c)

Commutative Ring: If a ring satisfies the commutative property, then we say the ring is a commutative ring.
• Rings do not need to have a multiplicative inverse.

Example: Z, the set of integers, is a ring structure. Explain why Z (the set of integer numbers) is a ring.

Suppose that 2, 3, 4 ∈ Z.
• Both addition and multiplication are associative since
2 + (3 + 4) = (2 + 3) + 4, and 2(3 x 4) = (2 x 3)4.
• It follows that
the identity element for addition is 0 since 2 + 0 = 2, and
the identity element for multiplication is 1 since 1 x 2 = 2.
• Addition is commutative too since 2 + 3 = 3 + 2. Multiplication is also commutative since
2 x 3 = 3 x 2, so Z can be called a commutative ring.
• Addition has the inverse -2 since 2 + (-2) = 0.
(Note that multiplication does not need to have a multiplicative inverse: the multiplicative inverse of 2
is ½, which is not an integer.)
• Lastly, multiplication also distributes over addition, that is 2(3 + 4) = 2 x 3 + 2 x 4.
Rings do not need to have a multiplicative inverse.

3. FIELDS
A field, denoted by F = <{...}, •, □>, is a commutative ring in which both the first and the second operation satisfy all five properties (for the second operation, the inverse is required only for nonzero elements, as the real-number example below shows).
In other words:
A field is a set with the two binary operations of addition and multiplication, both of which are commutative, associative, contain identity elements, and contain inverse elements.
The identity element for addition is 0, and the identity element for multiplication is 1.
Application: A field is a structure that supports two pairs of operations: addition/subtraction and multiplication/division.
FIELDS - Example

Explain why R is a field (R is the set of real numbers): Suppose that a, b, c, d ∈ R. We know that R has addition and multiplication as binary operations, since a + b = c for some c, and ab = d for some d. Furthermore, we know that addition and multiplication defined on real numbers are both commutative and associative.
Additionally, the identity element for addition is 0, since x + 0 = x, and the identity element for multiplication is 1, since 1x = x.
Lastly, the inverse element for addition is −x, since x + (−x) = 0 (0 being the identity for addition), and the inverse element for multiplication is 1/x, since x ⋅ 1/x = 1 when x ≠ 0.


Comparison of Group, Ring and Field:

Check whether Zp is a field structure or not.
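As an added example (not from the lecture notes), the following Python checks the group, ring and field axioms for Z_n by brute force, answers the "is Zp a field?" question for several n, and verifies Lagrange's theorem for element orders in <Z_n, +>:

```python
# Added example (not from the lecture notes): brute-force check of the
# group / ring / field axioms for Z_n under addition and multiplication
# mod n, and element orders in <Z_n, +> to illustrate Lagrange's theorem.


def additive_order(a, n):
    """Order of a in <Z_n, +>: the smallest k >= 1 with k*a = 0 (mod n)."""
    k, x = 1, a % n
    while x != 0:
        x = (x + a) % n
        k += 1
    return k


def lagrange_holds(n):
    """Every cyclic subgroup <a> of <Z_n, +> has order dividing |G| = n."""
    return all(n % additive_order(a, n) == 0 for a in range(n))


def is_abelian_group_add(n):
    """<Z_n, +>: associativity, identity 0, inverses, commutativity (closure is built in)."""
    e = range(n)
    assoc = all(((a + b) % n + c) % n == (a + (b + c) % n) % n
                for a in e for b in e for c in e)
    ident = all((a + 0) % n == a for a in e)
    inv = all(any((a + b) % n == 0 for b in e) for a in e)
    comm = all((a + b) % n == (b + a) % n for a in e for b in e)
    return assoc and ident and inv and comm


def is_commutative_ring(n):
    """Ring: <Z_n, +> is an abelian group; * is associative and commutative with
    identity 1; * distributes over +."""
    if n < 2:
        return False
    e = range(n)
    mul_assoc = all(((a * b) % n * c) % n == (a * ((b * c) % n)) % n
                    for a in e for b in e for c in e)
    mul_ident = all((a * 1) % n == a for a in e)
    mul_comm = all((a * b) % n == (b * a) % n for a in e for b in e)
    distrib = all((a * ((b + c) % n)) % n == ((a * b) % n + (a * c) % n) % n
                  for a in e for b in e for c in e)
    return is_abelian_group_add(n) and mul_assoc and mul_ident and mul_comm and distrib


def non_invertible(n):
    """Nonzero elements of Z_n with no multiplicative inverse (empty exactly when n is prime)."""
    return [a for a in range(1, n) if not any((a * b) % n == 1 for b in range(n))]


def is_field(n):
    """Z_n is a field iff it is a commutative ring and every nonzero element is invertible."""
    return is_commutative_ring(n) and not non_invertible(n)
```

Z_6 passes every ring axiom but 2, 3 and 4 have no inverse, so it is a ring and not a field; Z_7 is a field.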

Finite Fields:
A finite field is a field with a finite number of elements. Finite fields are usually called Galois fields and denoted as GF(p^n).

Note: A Galois field, GF(p^n), is a finite field with p^n elements, where p is prime.
GF(p) Fields: When n = 1, we have the GF(p) field. This field can be the set Zp = {0, 1, 2, ..., p−1} with two operations, addition and multiplication. Each element has an additive inverse, and the nonzero elements have a multiplicative inverse, for prime p.

Example for GF(p) Field: A very common field in this category is GF(2) with the set {0, 1} and the two operations addition and multiplication, as shown below:

NOTE: Addition is the same as XOR and multiplication is the AND operation.

GF(2^n) Fields:
GF(2^n) is a finite field with 2^n elements. The elements in this set are n-bit words. For example, if n = 3, the set is: {000, 001, 010, 011, 100, 101, 110, 111}

Example: if n = 2, then GF(2^2) is the field in which the set has four 2-bit words: {00, 01, 10, 11}.
Why GF(2^n)?
Generally computers store positive integers as n-bit words, which can be 8-bit, 16-bit, 32-bit or 64-bit. This means that the range of words (integers) is 0 to 2^n − 1, so the modulus is 2^n.
We have two choices if we use a field structure: 1) using GF(p) or 2) using GF(2^n).
1) If we use GF(p) with the set Zp, where p is the largest prime number less than 2^n, this is inefficient, because we cannot use the integers from p to 2^n − 1. If n = 3, the largest prime less than 2^3 is 7. This means that we cannot use the integers 7, 8.
2) If we use GF(2^n) with a set of 2^n elements, the elements in this set are n-bit words. Example: If n = 3, the set is {000, 001, 010, 011, 100, 101, 110, 111}.

Polynomials
Data is stored as n-bit words in computers, and these words satisfy the properties of GF(2^n). Such n-bit words are easily represented by a polynomial of degree n−1.
A polynomial of degree n−1 is an expression of the form f(x) = a(n−1) x^(n−1) + ... + a1 x^1 + a0 x^0, where x^i is called the i-th term and ai is called the coefficient of the i-th term.

Note: Polynomials representing n-bit words use two fields: GF(2) for the coefficients and GF(2^n) for the terms.

Modulus:
Addition of two polynomials never creates a polynomial outside the set. However, multiplication of two polynomials may create a polynomial with degree more than n−1. This means that we need to divide the result by a modulus and keep only the remainder.
A prime polynomial cannot be factored into polynomials of degree less than n. Such polynomials are referred to as irreducible polynomials.


Operations on Polynomials: Addition:

Addition and subtraction operations on polynomials are the same operation.
The addition operation for polynomials with coefficients in GF(2) is adding the coefficients of the corresponding terms in GF(2).
Adding two polynomials of degree n−1 always creates a polynomial of degree at most n−1, which means that we do not need to reduce the result using the modulus.

Additive identity: The additive identity for polynomials is the zero polynomial (a polynomial with all coefficients set to zero).

Additive inverse: The additive inverse of a polynomial with coefficients in GF(2) is the polynomial itself. This means that the subtraction operation is the same as the addition operation.
Polynomials - Addition
Polynomials - Multiplication
• Multiplication of polynomials is the sum of the multiplication of each term of the first polynomial with each term of the second polynomial.
• The multiplication may create terms with degree more than n−1, which means the result needs to be reduced using a modulus polynomial.


Division by modulus to reduce a polynomial

Multiplicative identity & multiplicative inverse
Multiplicative identity: The multiplicative identity is always 1. For example, in GF(2^8), the multiplicative identity is the bit pattern 00000001.

Multiplicative inverse: Use the extended Euclidean algorithm to find the multiplicative inverse of a polynomial. This process is exactly the same as for integers.

Example: In GF(2^4), find the inverse of (x^2 + 1) modulo (x^4 + x + 1).
Solution:
Use the extended Euclidean algorithm as in the Table:
Polynomials - Multiplication using a computer
If we multiply two polynomials, we also need to perform a division operation, which reduces efficiency. A computer uses an algorithm for multiplying polynomials that does not use the division operation; instead it repeatedly multiplies a reduced polynomial by x.
Example: Instead of finding the result of x^2 ⊗ P2, it can be done as x ⊗ (x ⊗ P2).

Example (P1 = x^5 + x^2 + x and P2 = x^7 + x^4 + x^3 + x^2 + x in GF(2^8) with the irreducible polynomial x^8 + x^4 + x^3 + x + 1; the same product is computed in binary below):
Power      Operation                         New Result               Reduction
x^0 ⊗ P2                                     x^7+x^4+x^3+x^2+x        No
x^1 ⊗ P2   x ⊗ (x^7+x^4+x^3+x^2+x)           x^5+x^2+x+1              Yes
x^2 ⊗ P2   x ⊗ (x^5+x^2+x+1)                 x^6+x^3+x^2+x            No
x^3 ⊗ P2   x ⊗ (x^6+x^3+x^2+x)               x^7+x^4+x^3+x^2          No
x^4 ⊗ P2   x ⊗ (x^7+x^4+x^3+x^2)             x^5+x+1                  Yes
x^5 ⊗ P2   x ⊗ (x^5+x+1)                     x^6+x^2+x                No

Result is P1 × P2 = (x^6+x^2+x) + (x^6+x^3+x^2+x) + (x^5+x^2+x+1) = x^5+x^3+x^2+x+1
Simple algorithm
1. If the most significant bit of the previous result is 0, just shift the previous result one bit to the left.
2. If the most significant bit of the previous result is 1:
a) shift it one bit to the left, and
b) exclusive-OR it with the modulus without its most significant bit.
Example: Multiply P1 = (x^5 + x^2 + x) by P2 = (x^7 + x^4 + x^3 + x^2 + x) in GF(2^8) with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1).
Binary representation of P2 = 10011110,
Irreducible polynomial = 100011011 (9 bits)
I
N

Power      Shift-left Operation             Exclusive-OR
x^0 ⊗ P2   10011110
x^1 ⊗ P2   00111100 (MSB 1 shifted out)     (00111100) + (00011011) = 00100111
x^2 ⊗ P2   01001110                         01001110
x^3 ⊗ P2   10011100                         10011100
x^4 ⊗ P2   00111000 (MSB 1 shifted out)     (00111000) + (00011011) = 00100011
x^5 ⊗ P2   01000110                         01000110

P1 ⊗ P2 = (00100111) + (01001110) + (01000110) = 00101111

Multiplication of polynomials in GF(2^n) can be achieved using shift-left and exclusive-OR operations.

Example: Find the addition table for GF(2^3).


Example: Find the multiplication table for GF(2^3) with the irreducible polynomial x^3 + x^2 + 1.
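The following Python is an added example (not code from the lecture notes) that implements the GF(2^n) arithmetic of the preceding pages: the shift-left/XOR multiplication and the x^k ⊗ P2 table, the extended Euclidean inverse of x^2 + 1 in GF(2^4), and the GF(2^3) multiplication table with modulus x^3 + x^2 + 1. Polynomials are held as integers, bit i being the coefficient of x^i.

```python
# Added example (not from the lecture notes): polynomial arithmetic in GF(2^n)
# on n-bit words, using the shift-left / XOR multiplication algorithm and the
# extended Euclidean algorithm for multiplicative inverses.


def gf2n_add(a, b):
    """Addition (= subtraction) of polynomials with GF(2) coefficients: XOR the words."""
    return a ^ b


def gf2n_times_x(p, modulus, n):
    """Multiply a reduced polynomial p (degree < n) by x: shift left; if the result
    overflowed into degree n, XOR with the (n+1)-bit irreducible modulus, which clears
    the overflow bit and adds the modulus without its most significant bit."""
    p <<= 1
    if p & (1 << n):
        p ^= modulus
    return p


def x_power_multiples(p, modulus, n, count):
    """[x^0 * p, x^1 * p, ..., x^(count-1) * p], each reduced (the table in the notes)."""
    out = []
    for _ in range(count):
        out.append(p)
        p = gf2n_times_x(p, modulus, n)
    return out


def gf2n_mul(a, b, modulus, n):
    """a * b in GF(2^n) without any division: XOR the x^i * b terms for the set bits i of a."""
    result = 0
    for i, shifted in enumerate(x_power_multiples(b, modulus, n, n)):
        if (a >> i) & 1:
            result = gf2n_add(result, shifted)
    return result


def gf2_degree(p):
    return p.bit_length() - 1


def gf2_divmod(a, b):
    """Long division of binary polynomials: returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and gf2_degree(a) >= gf2_degree(b):
        shift = gf2_degree(a) - gf2_degree(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf2_mul_plain(a, b):
    """Polynomial product without reduction (used only inside the Euclidean algorithm)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def gf2n_inverse(a, modulus):
    """Extended Euclidean algorithm, exactly as for integers: find t with a*t = 1 (mod modulus).
    Keeps (r_i, t_i) with t_i * a = r_i (mod modulus) until the remainder is 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = modulus, a
    t0, t1 = 0, 1
    while r1 != 1:
        q, r = gf2_divmod(r0, r1)
        if r == 0:
            raise ValueError("not invertible: the modulus is not irreducible")
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ gf2_mul_plain(q, t1)
    return t1


def mul_table(n, modulus):
    """Full multiplication table of GF(2^n), e.g. n = 3 with modulus x^3+x^2+1 = 0b1101."""
    return [[gf2n_mul(a, b, modulus, n) for b in range(1 << n)] for a in range(1 << n)]
```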
Symmetric Key Cipher

The sender and receiver of a message use a single common key to encrypt and decrypt messages.


If P is the plaintext, C is the ciphertext, and K is the key,

We assume that Bob creates P1; we prove that P1 = P:

Figure: Locking and unlocking with the same key
Kerckhoffs' Principle
Based on Kerckhoffs' principle, one should always assume that the adversary, Eve, knows the encryption/decryption algorithm. The resistance of the cipher to attack must be based only on the secrecy of the key.

Kerckhoffs' principle is a fundamental concept in cryptography. It states that the security of a cryptographic system shouldn't rely on the secrecy of the algorithm. Instead, it should be based on the secrecy of the cryptographic key. A good cryptographic system should remain secure even if the algorithm used is known.
Kerckhoffs’ principle forms the basis for the design of modern cryptographic systems. These
systems assume that an attacker has complete knowledge of the cryptographic algorithm. That
way, the system’s security relies on the secrecy of the keys.

In broader terms, the principle means that “security through obscurity” is insufficient. Instead,
systems should be designed to be secure even when attackers know everything about how they
work.

Cryptanalysis
As cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of
breaking those codes.


Ciphertext-Only Attack
Figure: Ciphertext-only attack

In a ciphertext-only attack, the attacker knows only some ciphertext. He tries to find the corresponding key and plaintext using various methods.
Brute-force attack: The attacker tries all possible keys. We assume that he knows the key domain.
Statistical attack: The cryptanalyst can benefit from some inherent characteristics of the plaintext language to perform a statistical attack. Example: the letter E is the most frequently used character in English.
Known-Plaintext Attack
Figure: Known-plaintext attack

In this attack, the attacker knows some ciphertext/plaintext pairs that were sent previously by Alice to Bob. The attacker has kept both the ciphertext and the plaintext to use them to break the next secret message.

Chosen-Plaintext Attack
Figure: Chosen-plaintext attack

This is similar to the known-plaintext attack, but the plaintext/ciphertext pairs have been chosen by the attacker. This can happen when the attacker has access to Alice's computer. She can choose some plaintext and intercept the corresponding ciphertext.

Chosen-Ciphertext Attack
Figure: Chosen-ciphertext attack

This is similar to the chosen-plaintext attack, except that Eve chooses some ciphertext and decrypts it to form ciphertext/plaintext pairs. This can happen when Eve has access to Bob's computer.

Categories of Traditional Ciphers

1. SUBSTITUTION CIPHERS
A substitution cipher replaces one character with another.
2. TRANSPOSITION CIPHERS
A transposition cipher reorders symbols.
1. SUBSTITUTION CIPHERS

A substitution cipher replaces one symbol with another. Substitution ciphers can be categorized as either monoalphabetic ciphers or polyalphabetic ciphers.

Note:
A substitution cipher replaces one symbol with another.

Monoalphabetic Ciphers:
In monoalphabetic substitution, the relationship between a symbol in the plaintext and a symbol in the ciphertext is always one-to-one.

Example 1
The following shows a plaintext and its corresponding ciphertext. The cipher is probably monoalphabetic because both l's (els) are encrypted as O's.

Example 2
The following shows a plaintext and its corresponding ciphertext. The cipher is not monoalphabetic because each l (el) is encrypted by a different character. The first l (el) is encrypted with N; the second as Z.

Additive Cipher
The simplest monoalphabetic cipher is the additive cipher. This cipher is sometimes called a shift cipher and sometimes a Caesar cipher, but the term additive cipher better reveals its mathematical nature.
Figure: Plaintext and ciphertext in Z26

Figure: Additive cipher

Note:
When the cipher is additive, the plaintext, ciphertext, and key are integers in Z26.
Example:
Use the additive cipher with key = 15 to encrypt the message "hello".
Solution
We apply the encryption algorithm to the plaintext, character by character:
Example:
Use the additive cipher with key = 15 to decrypt the message "WTAAD".
Solution
We apply the decryption algorithm to the ciphertext, character by character:


Shift Cipher and Caesar Cipher

Historically, additive ciphers are called shift ciphers. Julius Caesar used an additive cipher to communicate with his officers. For this reason, additive ciphers are sometimes referred to as the Caesar cipher. Caesar used a key of 3 for his communications.
Note:
Additive ciphers are sometimes referred to as shift ciphers or Caesar ciphers.

Multiplicative Ciphers
Figure: Multiplicative cipher

Note:
In a multiplicative cipher, the plaintext and ciphertext are integers in Z26; the key is an integer in Z26*.

Example 1:
What is the key domain for any multiplicative cipher?
Solution: The key needs to be in Z26*. This set has only 12 members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.

Example 2:
We use a multiplicative cipher to encrypt the message "hello" with a key of 7. The ciphertext is "XCZZU".



Affine Ciphers:
Combine additive and multiplicative ciphers

Example 1:
The affine cipher uses a pair of keys in which the first key is from Z26* and the second is from Z26.
The size of the key domain is 26 × 12 = 312.
Example 2:
Use an affine cipher to encrypt the message "hello" with the key pair (7, 2).

Monoalphabetic Substitution Cipher

Because additive, multiplicative, and affine ciphers have small key domains, they are very vulnerable to brute-force attack.
A better solution is to create a mapping between each plaintext character and the corresponding ciphertext character. Alice and Bob can agree on a table showing the mapping for each character.
Figure: An example key for a monoalphabetic substitution cipher

Example:
We can use the key in the Figure to encrypt the message. The ciphertext is

Polyalphabetic Ciphers
In polyalphabetic substitution, each occurrence of a character may have a different substitute. The relationship between a character in the plaintext and a character in the ciphertext is one-to-many.
Example: 'a' can be enciphered as 'D' at the beginning of the text, but as 'N' in the middle.

A polyalphabetic cipher has the advantage of hiding the letter frequency. Example: Autokey Cipher

Example:
Assume that Alice and Bob agreed to use an autokey cipher with initial key value k1 = 12. Now Alice wants to send Bob the message "Attack is today". Enciphering is done character by character.
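The following Python is an added example (not code from the lecture notes) implementing the additive, multiplicative, affine and autokey ciphers over Z26 described above; it reproduces the examples in the text (hello → WTAAD with key 15, hello → XCZZU with key 7, the 12-member Z26*, the 312 affine keys, and the autokey example with k1 = 12).

```python
# Added example (not from the lecture notes): the additive, multiplicative,
# affine and autokey ciphers over Z26, with the key-domain facts from the text.
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def to_ints(text):
    """Letters to Z26 values (a=0 ... z=25); spaces and punctuation are dropped."""
    return [ALPHABET.index(ch) for ch in text.lower() if ch in ALPHABET]


def to_text(values, upper=True):
    s = "".join(ALPHABET[v % 26] for v in values)
    return s.upper() if upper else s


def multiplicative_key_domain():
    """Z26*: the residues coprime with 26 (only 12 of them)."""
    return [k for k in range(26) if gcd(k, 26) == 1]


def affine_key_domain_size():
    """Affine key pairs (k1 in Z26*, k2 in Z26): 12 * 26 = 312."""
    return len(multiplicative_key_domain()) * 26


def mod_inverse(a, m=26):
    """Multiplicative inverse of a in Z_m by exhaustive search; a must be in Z_m*."""
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {m}")


def affine_encrypt(plaintext, k1, k2):
    """C = (P * k1 + k2) mod 26. k1 = 1 gives the additive cipher, k2 = 0 the multiplicative one."""
    if gcd(k1, 26) != 1:
        raise ValueError("k1 must be in Z26*")
    return to_text([(p * k1 + k2) % 26 for p in to_ints(plaintext)])


def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) * k1^-1) mod 26."""
    inv = mod_inverse(k1)
    return to_text([((c - k2) * inv) % 26 for c in to_ints(ciphertext)], upper=False)


def additive_encrypt(plaintext, key):
    return affine_encrypt(plaintext, 1, key)


def additive_decrypt(ciphertext, key):
    return affine_decrypt(ciphertext, 1, key)


def multiplicative_encrypt(plaintext, key):
    return affine_encrypt(plaintext, key, 0)


def autokey_encrypt(plaintext, k1):
    """Polyalphabetic: the key stream is k1 followed by the plaintext letters themselves."""
    p = to_ints(plaintext)
    keystream = [k1] + p[:-1]
    return to_text([(x + k) % 26 for x, k in zip(p, keystream)])


def autokey_decrypt(ciphertext, k1):
    out, k = [], k1
    for c in to_ints(ciphertext):
        p = (c - k) % 26
        out.append(p)
        k = p  # each recovered plaintext letter keys the next one
    return to_text(out, upper=False)
```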

TRANSPOSITION CIPHERS
A transposition cipher does not substitute one symbol for another; instead it changes the location of the symbols. A symbol in the first position may appear in the tenth position of the ciphertext. A symbol in the eighth position may appear in the first position of the ciphertext.
Note: A transposition cipher reorders symbols.
Keyless Transposition Ciphers
Simple transposition ciphers, which were used in the past, are keyless.
Example1:
A good example of a keyless cipher using the first method is the rail fence cipher. The ciphertext is created by reading the pattern row by row. For example, to send the message "Meet me at the park" to Bob, Alice writes

She then creates the ciphertext "MEMATEAKETETHPR".

Example 2:
Alice and Bob can agree on the number of columns and use the second method. Alice writes the same plaintext, row by row, in a table of four columns.

She then creates the ciphertext "MMTAEEHREAEKTTP" by transmitting the characters column by column. Bob receives the ciphertext and follows the reverse process to get the plaintext.
Example:


The cipher in the previous example is actually a transposition cipher. The following shows the permutation of each character in the plaintext into the ciphertext based on the positions.

The second character in the plaintext has moved to the fifth position in the ciphertext; the third character has moved to the ninth position; and so on. Although the characters are permuted, there is a pattern in the permutation: (01, 05, 09, 13), (02, 06, 10, 13), (03, 07, 11, 15), and (4, 8, 12). In each section, the difference between two adjacent numbers is 4.
Keyed Transposition Ciphers
The keyless ciphers permute the characters by writing the plaintext in one way and reading it in another way. The permutation is done on the whole plaintext to create the whole ciphertext.
Another method is to divide the plaintext into groups of predetermined size, called blocks, and then use a key to permute the characters in each block separately.
Example
Alice needs to send the message "Enemy attacks tonight" to Bob.

The key used for encryption and decryption is a permutation key, which shows how the characters are permuted.

The permutation yields

Combining Two Approaches for a better result

Encryption or decryption is done in 3 steps:
1) Text is written into a table row by row
2) Permutation is done by reordering columns
3) The new table is read column by column
Example


Keys
In the previous example, a single key was used in two directions for the column exchange: downward for encryption, upward for decryption. It is customary to create two keys.

Figure: Encryption/decryption keys in transposition ciphers

Key inversion in a transposition cipher

Using Matrices
We can use matrices to show the encryption/decryption process for a transposition cipher. The plaintext and ciphertext are l × m matrices with the numerical values of the characters, and the key is an m × m matrix.
In a permutation matrix, every row or column has exactly one 1 and the others are 0's. Encryption multiplies the plaintext matrix by the key matrix, and decryption multiplies the ciphertext matrix by the inverse of the key matrix (which is simply the transpose of the key matrix).
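As an added example (not code from the lecture notes), the following Python implements the keyless rail-fence and columnar transpositions from the examples above, and a keyed block transposition with key inversion. The 1-based permutation key [3, 1, 4, 5, 2] and the padding letter 'z' are assumptions, since the key figure is not reproduced on the page.

```python
# Added example (not from the lecture notes): keyless rail-fence and columnar
# transpositions, plus a keyed block transposition and its inverse key.


def _letters(text):
    return [c for c in text.lower() if c.isalpha()]


def rail_fence_encrypt(plaintext):
    """Two-row rail fence: letters zigzag across rows, ciphertext is read row by row."""
    letters = _letters(plaintext)
    return "".join(letters[0::2] + letters[1::2]).upper()


def rail_fence_decrypt(ciphertext):
    n = len(ciphertext)
    top, bottom = ciphertext[:(n + 1) // 2], ciphertext[(n + 1) // 2:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2] for i in range(n)).lower()


def columnar_encrypt(plaintext, columns):
    """Write row by row into `columns` columns, then transmit column by column."""
    letters = _letters(plaintext)
    return "".join("".join(letters[col::columns]) for col in range(columns)).upper()


def columnar_decrypt(ciphertext, columns):
    n = len(ciphertext)
    rows, extra = divmod(n, columns)  # the first `extra` columns hold one more letter
    out, pos = [""] * n, 0
    for col in range(columns):
        for row in range(rows + (1 if col < extra else 0)):
            out[row * columns + col] = ciphertext[pos]
            pos += 1
    return "".join(out).lower()


def invert_key(key):
    """1-based permutation key: output position i takes input position key[i-1].
    The inverse key undoes it, so one key serves for encryption and the other for decryption."""
    inverse = [0] * len(key)
    for out_pos, in_pos in enumerate(key, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


def keyed_block_encrypt(plaintext, key, pad="z"):
    """Split the text into blocks the size of the key and permute each block with the key."""
    letters = _letters(plaintext)
    size = len(key)
    while len(letters) % size:
        letters.append(pad)  # assumed padding rule: fill the last block with 'z'
    out = []
    for start in range(0, len(letters), size):
        block = letters[start:start + size]
        out.extend(block[k - 1] for k in key)
    return "".join(out).upper()


def keyed_block_decrypt(ciphertext, key):
    """Decryption is the same block permutation driven by the inverse key."""
    return keyed_block_encrypt(ciphertext, invert_key(key)).lower()
```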


Example

Figure: Representation of the key as a matrix in the transposition cipher

Stream Ciphers and Block Ciphers

Stream Ciphers
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.
Block Ciphers

A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.

Modern Block Ciphers
A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm uses a k-bit key. The decryption algorithm must be the inverse of the encryption algorithm and must use the same secret key.
Figure: A modern block cipher

Example: How many padding bits must be added to a message of 100 characters if 8-bit ASCII is used for encoding and the block cipher accepts blocks of 64 bits?
Solution
Encoding 100 characters using 8-bit ASCII results in an 800-bit (100 × 8) message. The plaintext must be divisible by 64. If |M| and |Pad| are the length of the message and the length of the padding,

A modern block cipher can be designed to act as a substitution cipher or a transposition cipher.

To be resistant to exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher.
Example
Suppose that we have a block cipher where n = 64. If there are 10 1's in the ciphertext, how many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.

Solution
a) In the first case, Eve has no idea how many 1's are in the plaintext. Eve needs to try all 2^64 possible 64-bit blocks to find one that makes sense.
b) In the second case, Eve knows that there are exactly 10 1's in the plaintext. Eve can launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10 1's.

Components of a Modern Block Cipher
Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs. They use P-boxes and S-boxes.


P-Boxes
P-boxes (also called D-boxes, meaning diffusion boxes)
A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits.
Three types of P-boxes: straight, compression and expansion.

Example
The Figure shows all 6 possible mappings of a 3 × 3 P-box.

The possible mappings of a 3 × 3 P-box
Straight P-Boxes

Table: Example of a permutation table for a straight P-box (64 × 64). At the output of the P-box:
input 58 goes to the 1st position, input 50 goes to the 2nd position, input 42 to the 3rd position, ...

Example

Design an 8 × 8 permutation table for a straight P-box that moves the two middle bits (bits 4 and 5) in the input word to the two ends (bits 1 and 8) in the output word. The relative positions of the other bits should not be changed.
Solution

We need a straight P-box with the table [4 1 2 3 6 7 8 5]. The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not been changed, but the first output takes the fourth input and the eighth output takes the fifth input.


Compression P-Boxes
Example of a 32 × 24 permutation table

Some of the input bits are blocked at the output, for example: 7, 8, 9, 15, 16, 23, 24, 25.

Expansion P-Boxes
Example of a 12 × 16 permutation table

Inputs 1, 3, 9, 12 are mapped to two outputs each.

P-Boxes: Invertibility
A straight P-box is invertible, which means we use a straight P-box in the encryption cipher and its inverse in the decryption cipher.

Note

A straight P-box is invertible, but compression and expansion P-boxes are not.

Example

The Figure shows how to invert a permutation table represented as a one-dimensional table.

Figure: Compression and expansion P-boxes are non-invertible

S-Box
An S-box (substitution box) can be thought of as a small substitution cipher.
Note
An S-box is an m × n substitution unit, where m and n are not necessarily the same.
Linear S-Box: If the inputs are x1, x2, x3, ... and the outputs are y1, y2, y3, ..., and the relationship between them is
y1 = f1(x1, x2, x3, ...),
y2 = f2(x1, x2, x3, ...)
...
then the S-box is linear if the above relations can be expressed as
y1 = a11 x1 + a12 x2 + ...
y2 = a21 x1 + a22 x2 + ...

In a nonlinear S-box, the relations can also have 'and' terms like x1x2, x3x5, ...

Example: In an S-box with three inputs and two outputs, we have

The S-box is linear because a1,1 = a1,2 = a1,3 = a2,1 = 1 and a2,2 = a2,3 = 0. The relationship can be represented by matrices, as shown below:

Example
In an S-box with three inputs and two outputs, we have

where multiplication and addition are in GF(2). The S-box is nonlinear because there is no linear relationship between the inputs and the outputs.
Example
The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost bit of the input defines the row; the two rightmost bits of the input define the column. The two output bits are the values at the intersection of the selected row and column.

Based on the table, an input of 010 yields the output 01. An input of 101 yields the output 00.
S-Boxes: Invertibility
An S-box may or may not be invertible. In an invertible S-box, the number of input bits should be the same as the number of output bits.
Example
The Figure shows an example of an invertible S-box. For example, if the input to the left box is 001, the output is 101. The input 101 in the right table creates the output 001, which shows that the two tables are inverses of each other.
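The following Python is an added example (not code from the lecture notes) of the P-box and S-box components described in the last two sections: permutation tables applied and inverted (straight ones invert, compression and expansion ones do not), and row/column S-box lookup with an invertibility check. The compression, expansion and S-box table values are constructed for illustration, since the notes' own tables are figures; only the 8 × 8 straight table [4 1 2 3 6 7 8 5] is from the text.

```python
# Added example (not from the lecture notes): P-boxes as 1-based permutation
# tables (straight, compression, expansion) and S-boxes as row/column tables,
# with the invertibility checks the notes describe. Values marked "constructed"
# are made up for illustration.
from collections import Counter


def apply_pbox(bits, table):
    """Output position i (1-based) takes input position table[i-1]; works for all three types."""
    return [bits[t - 1] for t in table]


def invert_pbox(table):
    """Inverse table of a straight P-box, or None when the table drops or duplicates inputs."""
    n = len(table)
    if sorted(table) != list(range(1, n + 1)):
        return None  # compression/expansion: not a permutation, so not invertible
    inverse = [0] * n
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


STRAIGHT_8x8 = [4, 1, 2, 3, 6, 7, 8, 5]   # from the notes: bits 4 and 5 move to the two ends
COMPRESS_6x4 = [1, 2, 4, 6]               # constructed: inputs 3 and 5 are blocked
EXPAND_4x6 = [1, 2, 2, 3, 4, 4]           # constructed: inputs 2 and 4 feed two outputs each


def blocked_inputs(table, n_inputs):
    """Inputs a compression P-box never passes to the output."""
    return sorted(set(range(1, n_inputs + 1)) - set(table))


def duplicated_inputs(table):
    """Inputs an expansion P-box sends to more than one output."""
    return sorted(i for i, c in Counter(table).items() if c > 1)


# 3x2 S-box as a table: the leftmost input bit selects the row, the two rightmost
# bits the column. Constructed so that 010 -> 01 and 101 -> 00, as stated in the notes.
SBOX_3x2 = [[0b11, 0b10, 0b01, 0b00],
            [0b10, 0b00, 0b11, 0b01]]


def sbox_lookup(table, x, in_bits):
    row = x >> (in_bits - 1)
    col = x & ((1 << (in_bits - 1)) - 1)
    return table[row][col]


def flatten_sbox(table, in_bits):
    """One-dimensional form of an S-box: entry x is the output for input x."""
    return [sbox_lookup(table, x, in_bits) for x in range(1 << in_bits)]


def invert_sbox(flat, in_bits, out_bits):
    """Inverse table of an m x n S-box, or None: it must be square (m == n) and a bijection."""
    if in_bits != out_bits or sorted(flat) != list(range(1 << in_bits)):
        return None
    inverse = [0] * len(flat)
    for x, y in enumerate(flat):
        inverse[y] = x
    return inverse


# Constructed invertible 3x3 S-box in flat form, with 001 -> 101 as in the notes' figure.
SBOX_3x3 = [0b011, 0b101, 0b000, 0b110, 0b001, 0b100, 0b111, 0b010]
```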
Exclusive-OR

An important component in most block ciphers is the exclusive-or operation. Invertibility of the exclusive-or operation: XOR is its own inverse, since (x ⊕ k) ⊕ k = x.

Product Ciphers
Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components.
A combination of S-box and P-box transformations is a product cipher. Two classes of product ciphers:
a) Feistel ciphers, example DES (Data Encryption Standard)
b) Non-Feistel ciphers, example AES (Advanced Encryption Standard)

Diffusion
The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.

Confusion
The idea of confusion is to hide the relationship between the ciphertext and the key.

Rounds
Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.

Figure: A product cipher made of two rounds

Feistel Cipher Structure:

• A Feistel cipher is not a specific scheme of block cipher. It is a design model from which many different block ciphers are derived.
• DES is just one example of a Feistel cipher.
• A cryptographic system based on the Feistel cipher structure uses the same algorithm for both encryption and decryption.
• The input block to each round is divided into two halves that can be denoted as L and R for the left half and the right half.
• In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes through an operation that depends on R and the encryption key. First, we apply an encrypting function 'f' that takes two inputs: the key K and R. The function produces the output f(R, K). Then, we XOR the output of the function with L.
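As an added example (not code from the lecture notes or from DES itself), the following Python builds a 16-round Feistel network around a constructed toy round function f and a constructed subkey schedule. It shows the property stated above: decryption runs the same algorithm with the round keys applied in reverse order, whatever f is. It also measures how many ciphertext bits change when one plaintext bit is flipped (the avalanche effect discussed in the DES analysis).

```python
# Added example (not from the lecture notes): a toy Feistel network. The round
# function f and the key schedule are constructed for illustration, not DES's.
ROUNDS = 16
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_keys(key64, rounds=ROUNDS):
    """Constructed subkey schedule: rotate the 64-bit key and fold it to 32 bits per round."""
    keys = []
    k = key64 & MASK64
    for i in range(rounds):
        k = ((k << 5) | (k >> 59)) & MASK64  # rotate left by 5
        keys.append((k ^ (k >> 32) ^ i) & MASK32)
    return keys


def f(r, k):
    """Toy round function f(R, K): key mixing, a nonlinear multiply-add, shift and rotate."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32  # not DES: just nonlinear mixing
    x ^= x >> 15
    return ((x << 13) | (x >> 19)) & MASK32


def feistel(block64, keys):
    """L(i+1) = R(i); R(i+1) = L(i) XOR f(R(i), K(i)); halves are swapped back at the end
    so that running the same procedure with reversed keys undoes it."""
    block64 &= MASK64
    left, right = block64 >> 32, block64 & MASK32
    for k in keys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def encrypt(block64, key64):
    return feistel(block64, round_keys(key64))


def decrypt(block64, key64):
    """Same algorithm as encryption, subkeys in reverse order."""
    return feistel(block64, list(reversed(round_keys(key64))))


def avalanche_bits(block64, key64, flip_bit):
    """Hamming distance between the ciphertexts of two plaintexts differing in one bit."""
    c1 = encrypt(block64, key64)
    c2 = encrypt(block64 ^ (1 << flip_bit), key64)
    return bin(c1 ^ c2).count("1")
```

For a well-designed cipher the avalanche count should be close to half the block size; this toy f makes no such guarantee, it only demonstrates the structure.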


Block Cipher Design Principles
Block size: Larger block sizes mean greater security (all other things being equal) but reduced encryption/decryption speed for a given algorithm. The greater security is achieved by greater diffusion.
Key size: A larger key size means greater security but may decrease encryption/decryption speed. The greater security is achieved by greater resistance to brute-force attacks and greater confusion.
Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security. A typical size is 16 rounds.
Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
Round function F: Again, greater complexity generally means greater resistance to cryptanalysis.
Diffusion and Confusion: The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks (plaintext & ciphertext) for any cryptographic system.

Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
DES is an implementation of a Feistel cipher. It uses a 16-round Feistel structure. The block size is 64 bits.
Though the key length is 64 bits, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (they function as check bits only).

DES is a symmetric-key block cipher algorithm. DES follows the Feistel cipher structure.
Plaintext block size: 64 bits
Ciphertext size: 64 bits
Master key size: 64/56 bits
No. of rounds: 16
Round key/subkey size: 48 bits.

Initial Permutation & Inverse Initial Permutation

The initial permutation and its inverse are defined by tables, as shown in the Tables. The tables are to be interpreted as follows.
The input to a table consists of 64 bits numbered from 1 to 64.
The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64.
Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.
The initial and final permutations are straight permutation boxes (P-boxes) that are inverses of each other.
Note:
The initial permutation and inverse initial permutation have no cryptographic significance in DES.
Input Table

In the output (initial permutation):
at 1st place 58, at 2nd place 50, at 3rd place 42, ...

In the output (inverse initial permutation):
at 1st place 40, at 2nd place 8, at 3rd place 48, ...

Rounds

The left and right halves of each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right).
As in any classic Feistel cipher, the overall processing at each round can be summarized in the following formulas:

The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits.

The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted as defined by the Table.
The role of the S-boxes in the function F is illustrated in Figure 3.7. The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. These transformations are defined in Table 3.3, which is interpreted as follows: The first and last bits of the input to box Si form a 2-bit binary number that selects one of the four substitutions defined by the four rows in the table for Si. The middle four bits select one of the sixteen columns. The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output. For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001.
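The following Python is an added example (not code from the lecture notes) of the two DES steps just described: the expansion E that turns 32 bits of R into 48 by duplicating 16 of them, and the S-box row/column selection rule, checked against the S1 example (011001 → 1001). The E table and S1 are the published DES tables; the other seven S-boxes are omitted.

```python
# Added example (not from the lecture notes): the DES expansion permutation E
# (32 -> 48 bits, 16 input bits duplicated) and the S-box row/column rule,
# using the published S1 table. The other seven S-boxes are omitted here.
from collections import Counter

E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def int_to_bits(value, width):
    """Big-endian bit list: DES bit 1 is the leftmost (most significant) bit."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def expand(r32):
    """E(R): output bit i is input bit E_TABLE[i-1]; the result has 48 bits."""
    bits = int_to_bits(r32, 32)
    return bits_to_int([bits[i - 1] for i in E_TABLE])


def duplicated_inputs(table):
    """Input positions that an expansion table sends to two outputs."""
    return sorted(i for i, c in Counter(table).items() if c > 1)


def sbox(table, six_bits):
    """Outer two bits pick the row, middle four bits the column; the cell is the 4-bit output."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return table[row][col]


def s1_of_round(r32, k48):
    """The first 6 bits of E(R) XOR Ki go through S1 (the whitener and S1 part of f)."""
    x = expand(r32) ^ k48
    return sbox(S1, (x >> 42) & 0x3F)
```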


Round Function

The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

Expansion Permutation Box: Since the right input is 32 bits and the round key is 48 bits, we first need to expand the right input to 48 bits. The permutation logic is graphically depicted in the following illustration:

The graphically depicted permutation logic is generally described as a table in the DES specification, illustrated as shown:


XOR (Whitener): After the expansion permutation, DES does an XOR operation on the expanded right section and the round key. The round key is used only in this operation.
Substitution Boxes: The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer to the following illustration:

The S-box rule is illustrated below:


There are a total of eight S-box tables.
The output of all eight S-boxes is then combined into a 32-bit section.

The 32-bit output from the eight S-boxes is then permuted, so that on the next round the output from each S-box immediately affects as many others as possible.

Straight Permutation
The 32-bit output of the S-boxes is then subjected to the straight permutation with the rule shown in the following illustration:

DES Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key generation is depicted in the following illustration:


DES Decryption

As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.

DES Analysis
Two desired properties of a block cipher are the avalanche effect and completeness.
Avalanche effect:

A small change in the plaintext results in a very great change in the ciphertext.

Completeness effect:
Completeness means that each bit of the ciphertext needs to depend on many bits of the plaintext. The diffusion and confusion produced by the P-boxes and S-boxes in DES show a very strong completeness effect.

DES Weaknesses Analysis

Weakness in Cipher Design:
It is not clear why the designers of DES used the initial and final permutations; these have no security benefits. In the expansion permutation, the first and fourth bits of every 4-bit series are repeated.
Weakness in Cipher Key:
The DES key size is 56 bits. To do a brute-force attack on a given ciphertext block, the adversary needs to check 2^56 keys. With available technology it is possible to check 1 million keys per second.

Double-DES


Triple-DES

Triple DES was developed in 1999 by IBM, by a team led by Walter Tuchman. DES prevents a meet-in-the-middle attack. 3-DES has a 168-bit key and enciphers blocks of 64 bits.

3-DES with 2 Keys:

3-DES with 3 Keys:
The encryption-decryption process is as follows:
Encrypt the plaintext blocks using single DES with key K1.
Now decrypt the output of step 1 using single DES with key K2.
Finally, encrypt the output of step 2 using single DES with key K3. The output of step 3 is the ciphertext.
Decryption of a ciphertext is the reverse process. The user first decrypts using K3, then encrypts with K2, and finally decrypts with K1.


Advanced Encryption Standard (AES Algorithm)

• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST) in 2001.
• AES is a symmetric block cipher that is intended to replace DES.
The features of AES are as follows:
• Symmetric key, symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger and faster than Triple-DES
• Provides full specification and design details
• Software implementable in C and Java

AES is an iterative rather than a Feistel cipher. It is based on a substitution-permutation network. It comprises a series of linked operations, some of which involve replacing inputs by specific outputs (substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing as a matrix.
Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key.

The schematic of the AES structure is given in the following illustration.

ROUNDS

• Unlike DES, the number of rounds in AES is variable and depends on the length of the key.
• AES uses 10 rounds for 128-bit keys,
• 12 rounds for 192-bit keys and
• 14 rounds for 256-bit keys.
• Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key.

Each round comprises four sub-processes. The first round process is depicted below:
AES Transformations:

There are four transformation functions used in the AES cipher at each round.
1. Substitute Bytes Transformation
2. Shift Rows Transformation
3. Mix Columns Transformation
4. Add Round Key Transformation

1. Byte Substitution (SubBytes)
The 16 input bytes are substituted by values as specified in a table (the S-box) given in the design. Each input byte of the State is mapped into a new byte in the following way:
• The leftmost 4 bits of the byte are used as a row value (in hexadecimal form) and the rightmost 4 bits are used as a column value (in hexadecimal form) in the S-box table.
For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}. Accordingly, the value {95} is mapped into the value {2A}.


2. ShiftRows Transformation:

❑ In this transformation bytes are permuted (shifted).
❑ In the encryption, the transformation is called ShiftRows and the shifting is to the left.
❑ The number of shifts depends on the row number (0, 1, 2, or 3) of the state matrix as shown below:


The following is an example of ShiftRows.

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on.

3. MixColumns Transformation:
Mixing is the transformation that changes bits inside a byte.
This operation takes 4 bytes (a column) and, by multiplying it with a constant matrix, mixes them and produces new bytes.
MixColumn operates on each column individually. Each byte of a column is mapped into a new value.
It takes a column from the state and multiplies it with a constant square matrix.
The byte values are represented as polynomials with coefficients in GF(2) and multiplications are done in GF(2^8).

Constant matrices for multiplications:

4. AddRoundKey Transformation:
❑ To make the ciphertext more secret, we add the cipher key to the data in a state.
❑ AddRoundKey is the same as MixColumns but performs an addition (XOR) operation instead of multiplication.


The following is an example of AddRoundKey:

The first matrix is the State, and the second matrix is the round key.

AES Key Expansion:
❑ The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes). This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.
❑ The key is copied into the first four words of the expanded key. The remainder of the expanded key is filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i−1], and the word four positions back, w[i−4]. In three out of four cases, a simple XOR is used.
❑ For a word whose position in the w array is a multiple of 4, a more complex function is used. The figure illustrates the generation of the expanded key, using the symbol g to represent that complex function. The function g consists of the following subfunctions.


For example, suppose that the round key for round 8 is
EAD27321 B58DBAD2 312BF560 7F8D292F
Then the first 4 bytes (first column) of the round key for round 9 are calculated as follows:
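The four round transformations and the key-expansion function g described above, as an added Python example that is not part of the lecture notes: the S-box is generated from its GF(2^8) definition instead of being typed in, g is run on the notes' round-8 key to give the first word of the round-9 key, and the pieces are assembled into a full AES-128 block encryption checked against the FIPS-197 test vector. The column-major state layout (index r + 4c) and all function names are my own.

```python
# Added example (not from the lecture notes): the four AES round transformations
# and the key-expansion function g, built from scratch so every step is visible.
# State and round keys are 16-byte lists in column-major order: index r + 4*c
# holds row r, column c, which is how the 16 input bytes fill the 4x4 matrix.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2) modulo x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce by the AES polynomial
        b >>= 1
    return p

def _sbox_entry(x: int) -> int:
    """S-box(x) = affine map of x^-1 in GF(2^8): s = inv ^ rotl(inv,1..4) ^ 0x63."""
    inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0) if x else 0
    s = inv
    for _ in range(4):
        inv = ((inv << 1) | (inv >> 7)) & 0xFF   # rotate left by one bit
        s ^= inv
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    # row r is rotated left by r positions: new[r][c] = old[r][(c + r) % 4]
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    out = []
    for c in range(4):                      # multiply each column by the constant matrix
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]   # addition in GF(2) is XOR

def g(word, round_no):
    """Key-expansion function g: RotWord, SubWord, then XOR with Rcon[round_no]."""
    rotated = word[1:] + word[:1]
    subbed = [SBOX[b] for b in rotated]
    rcon = 1
    for _ in range(round_no - 1):
        rcon = gf_mul(rcon, 2)              # Rcon[i] = x^(i-1) in GF(2^8)
    subbed[0] ^= rcon
    return subbed

def expand_key(key):
    """128-bit key -> 44 words (11 round keys), following the w[i-1] / w[i-4] rule."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                      # one word in four goes through g
            temp = g(temp, i // 4)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]   # flatten per round

def aes128_encrypt_block(plaintext, key):
    rks = expand_key(key)
    state = add_round_key(list(plaintext), rks[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rks[rnd])
    state = add_round_key(shift_rows(sub_bytes(state)), rks[10])   # no MixColumns
    return bytes(state)

if __name__ == "__main__":
    # Round-8 key from the notes' example; w[36] = w[32] XOR g(w[35], 9).
    rk8 = bytes.fromhex("EAD27321B58DBAD2312BF5607F8D292F")
    w36 = [a ^ b for a, b in zip(rk8[0:4], g(list(rk8[12:16]), 9))]
    print("first column of round key 9:", bytes(w36).hex().upper())
    # FIPS-197 Appendix C.1 test vector (constructed from the standard).
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print("ciphertext:", aes128_encrypt_block(pt, k).hex())
```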


ANALYSIS OF AES
Security
• AES was designed after DES. Most of the known attacks on DES were already tested on AES.
• Brute-Force Attack
• AES is definitely more secure than DES due to the larger-size key.
• Statistical Attacks
• Numerous tests have failed to do statistical analysis of the ciphertext.
• Differential and Linear Attacks
• There are no differential and linear attacks on AES as yet.
Implementation
• AES can be implemented in software, hardware, and firmware. The implementation can use table lookup or processor routines that use a well-defined algebraic structure.
Simplicity and Cost
• The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.

UNIT-III
Asymmetric Encryption
Mathematics of Asymmetric Key Cryptography, Asymmetric Key Cryptography

Primes and Related Congruence Equations
PRIMES
Asymmetric-key cryptography uses prime numbers extensively. A prime is divisible only by itself and 1.

Figure: Three groups of positive integers
Example 1:
What is the smallest prime?
The smallest prime is 2, which is divisible by 2 (itself) and 1.
Example 2:
List the primes smaller than 10.
There are four primes less than 10: 2, 3, 5, and 7. It is interesting to note that the percentage of primes in the range 1 to 10 is 40%. The percentage decreases as the range increases.

Cardinality of Primes

There is an infinite number of primes.

Number of Primes

π(x) is the number of primes less than or equal to x. This π is not the mathematical constant π.

The primes under 25 are 2, 3, 5, 7, 11, 13, 17, 19 and 23, so π(3) = 2, π(10) = 4 and π(25) = 9.

A table of values of π(x)

Example 1
Find the number of primes less than 1,000,000.
The approximation gives the range 72,383 to 78,543.
The actual number of primes is 78,498.
Checking for Primeness
Given a number n, how can we determine if n is a prime? The answer is that we need to see if the number is divisible by all primes less than or equal to ⌊√n⌋.

We know that this method is inefficient, but it is a good start.

Example 1:
Is 97 a prime?
The floor of √97 is 9. The primes less than or equal to 9 are 2, 3, 5, and 7. We need to see if 97 is divisible by any of these numbers. It is not, so 97 is a prime.
Example 2:
Is 301 a prime?
The floor of √301 is 17. We need to check 2, 3, 5, 7, 11, 13, and 17. The numbers 2, 3, and 5 do not divide 301, but 7 does. Therefore 301 is not a prime.

Fermat's Little Theorem

First Version: if p is prime and a is a positive integer, then

a^(p−1) ≡ 1 (mod p)

Second Version:

a^p ≡ a (mod p)

This means that if we divide a^p by p then the remainder should be a.

Example 1:

Find the result of 6^10 mod 11.

We have 6^10 mod 11 = 1. This is the first version of Fermat's little theorem where p = 11.

Example 2:

Find the result of 3^12 mod 11.
Here the exponent (12) and the modulus (11) are not the same. With substitution this can be solved using Fermat's little theorem.

Multiplicative Inverses
a^−1 mod p = a^(p−2) mod p
Example
The answers to multiplicative inverses modulo a prime can be found without using the extended Euclidean algorithm:


Example:
How to calculate the multiplicative inverse of 5 modulo 23, that is 5^−1 mod 23?
Solution:
1. 5^−1 mod 23 = 5^(23−2) mod 23 (Ref: a^−1 mod p = a^(p−2) mod p)
2. 5^(23−2) mod 23 = 5^21 mod 23
3. Calculate the following to solve 5^21 mod 23:
5^1 mod 23 = 5
5^2 mod 23 = 25 mod 23 = 2
5^4 mod 23 = (5^2)^2 mod 23 = 2^2 mod 23 = 4
5^8 mod 23 = (5^4)^2 mod 23 = 4^2 mod 23 = 16
5^16 mod 23 = (5^8)^2 mod 23 = 16^2 mod 23 = 256 mod 23 = 3
Now the binary equivalent of 21 is 10101, so multiply the 5^1, 5^4 and 5^16 values, and leave out 5^2 and 5^8 because those positions are 0s in binary form.
5^21 mod 23 = (5^16 × 5^4 × 5^1) mod 23 = (3 × 4 × 5) mod 23 = 60 mod 23 = 14 mod 23.
Finally 5^−1 mod 23 = 5^21 mod 23 = 14 mod 23
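The trial-division primality check, the square-and-multiply decomposition of 5^21 used above, and the Fermat inverse a^(p−2) mod p, as an added Python example that is not part of the lecture notes. Sample values are the notes' own (97, 301, 6^10 mod 11, 3^12 mod 11, 5^−1 mod 23); the function names are my own.

```python
# Added example (not from the notes): trial-division primality testing up to
# floor(sqrt(n)), square-and-multiply exponentiation written out bit by bit (the
# 5^21 = 5^16 * 5^4 * 5^1 decomposition above), and the Fermat inverse a^(p-2).
from math import isqrt

def is_prime_trial(n):
    """Check divisibility by every prime up to floor(sqrt(n))."""
    if n < 2:
        return False
    limit = isqrt(n)
    primes = [p for p in range(2, limit + 1)
              if all(p % q for q in range(2, isqrt(p) + 1))]
    return all(n % p for p in primes)

def mod_pow(base, exp, mod):
    """Square-and-multiply. Returns (result, list of the powers base^(2^i) that
    were multiplied in, i.e. the 1-bits of exp, least significant first)."""
    result, used = 1, []
    power = base % mod            # holds base^(2^i) mod mod for i = 0, 1, 2, ...
    i = 0
    while exp:
        if exp & 1:               # this bit of the exponent is set
            result = (result * power) % mod
            used.append(2 ** i)
        power = (power * power) % mod   # square for the next bit
        exp >>= 1
        i += 1
    return result, used

def fermat_inverse(a, p):
    """a^-1 mod p for prime p: a^(p-1) ≡ 1, so a^(p-2) is the inverse."""
    if not is_prime_trial(p) or a % p == 0:
        raise ValueError("p must be prime and a must not be a multiple of p")
    return mod_pow(a, p - 2, p)[0]

if __name__ == "__main__":
    print(is_prime_trial(97), is_prime_trial(301))          # True False
    print(mod_pow(6, 10, 11)[0], mod_pow(3, 12, 11)[0])     # 1 9
    value, factors = mod_pow(5, 21, 23)
    print(value, factors)                                   # 14 [1, 4, 16]
    inv = fermat_inverse(5, 23)
    print(inv, 5 * inv % 23)                                # 14 1
```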

Euler's totient function

Euler's totient function, also known as the phi-function ϕ(n), counts the number of integers that are both smaller than n and relatively prime to n (coprime). Two numbers are coprime if their greatest common divisor equals 1.

Here are values of ϕ(n) for the first few positive integers:

Example: Find the co-primes of 9.
If we check, gcd(9,1), gcd(9,2), gcd(9,4), gcd(9,5), gcd(9,7), gcd(9,8) = 1,
so the coprimes to 9 are 1, 2, 4, 5, 7, 8 and their count is ϕ(9) = 6
Properties
• ϕ(1) = 0
• If p is a prime number, ϕ(p) = p − 1
• If a and b are relatively prime, then ϕ(ab) = ϕ(a) ⋅ ϕ(b).
• If p is a prime, ϕ(p^e) = p^e − p^(e−1)
Examples:
1) Find ϕ(7)?
ϕ(7) = 7 − 1 = 6
2) Find ϕ(21)?
ϕ(21) = ϕ(3 × 7) = ϕ(3) × ϕ(7) = 2 × 6 = 12
3) Find ϕ(77)?
ϕ(77) = ϕ(7 × 11) = ϕ(7) × ϕ(11) = 6 × 10 = 60
4) Find ϕ(3^2)?
ϕ(3^2) = 3^2 − 3^(2−1) = 9 − 3 = 6

5) What is the value of ϕ(13)?
Because 13 is a prime, ϕ(13) = 13 − 1 = 12.
6) What is the value of ϕ(10)?
We can use the third rule: ϕ(10) = ϕ(2) × ϕ(5) = 1 × 4 = 4, because 2 and 5 are primes.
7) What is the value of ϕ(240)?
We can write 240 = 2^4 × 3^1 × 5^1. Then
ϕ(240) = (2^4 − 2^3) × (3^1 − 3^0) × (5^1 − 5^0) = 64
8) Can we say that ϕ(49) = ϕ(7) × ϕ(7) = 6 × 6 = 36?
No. The third rule applies when m and n are relatively prime. Here 49 = 7^2. We need to use the fourth rule: ϕ(49) = 7^2 − 7^1 = 42.
9) What is the number of elements in Z14*?
The answer is ϕ(14) = ϕ(7) × ϕ(2) = 6 × 1 = 6. The members are 1, 3, 5, 9, 11, and 13.

Note: Interesting point: if n > 2, the value of ϕ(n) is even.
Euler's Theorem
First Version: For every a and n that are relatively prime,
a^ϕ(n) ≡ 1 (mod n)
Second Version
a^(k×ϕ(n)+1) ≡ a (mod n)
Note: The second version of Euler's theorem is used in the RSA cryptosystem.

Example 2:

Find the result of 6^24 mod 35.
Solution: We have 6^24 mod 35 = 6^ϕ(35) mod 35 = 1.

Example:
Find 3^4 mod 10?
Solution:

Example 3:
Find the result of 20^62 mod 77.
Solution: If we let k = 1 on the second version, we have ϕ(77) = ϕ(7) × ϕ(11) = 6 × 10 = 60
20^62 mod 77 = (20 mod 77)(20^(60+1) mod 77) mod 77 =
(20 mod 77)(20^(ϕ(77)+1) mod 77) mod 77
= (20)(20) mod 77 = 15.
Multiplicative Inverses
Euler's theorem can be used to find multiplicative inverses modulo a composite.


Example:
The answers to multiplicative inverses modulo a composite can be found without using the extended Euclidean algorithm if we know the factorization of the composite:

Primitive Root and Multiplicative Orders
Multiplicative Order:
If a and n are relatively prime, then the multiplicative order of a modulo n is the smallest positive integer k with
a^k ≡ 1 (mod n)
The order of a modulo n is written as ord_n(a) or O_n(a).
Example 1: Determine the multiplicative order of 4 mod 7
4^1 = 4 ≡ 4 (mod 7)
4^2 = 16 ≡ 2 (mod 7)
4^3 = 64 ≡ 1 (mod 7)
ord_7(4) = 3 because 4^3 is congruent to 1 modulo 7.
Example 2: Determine the multiplicative order of 2 mod 7
2^1 = 2 ≡ 2 (mod 7)
2^2 = 4 ≡ 4 (mod 7)
2^3 = 8 ≡ 1 (mod 7)
ord_7(2) = 3 because 2^3 is congruent to 1 modulo 7.

Primitive Root:
If the group G = <Z_n*, ×> has any primitive root, the number of primitive roots is
ϕ(ϕ(n))
Example: Find the number of primitive roots of 25
ϕ(25) = 20, so the number of primitive roots is ϕ(ϕ(25)) = ϕ(20) = 8
Find the number of primitive roots of 761
ϕ(ϕ(761)) = ϕ(760)
= ϕ(2^3 × 5 × 19) = ϕ(2^3) × ϕ(5) × ϕ(19)
= (2^3 − 2^2) × 4 × 18 = 4 × 4 × 18
= 288

CHINESE REMAINDER THEOREM

The Chinese remainder theorem (CRT) is used to solve a set of congruent equations with one variable but different moduli, which are relatively prime, as shown below:

Solution to the Chinese Remainder Theorem
1. Find M = m1 × m2 × … × mk. This is the common modulus.
2. Find M1 = M/m1, M2 = M/m2, …, Mk = M/mk.
3. Find the multiplicative inverse of M1, M2, …, Mk using the corresponding moduli (m1, m2, …, mk). Call the inverses M1^−1, M2^−1, …, Mk^−1.
4. The solution to the simultaneous equations is

Example:
Find the solution to the simultaneous equations:

Solution:
We follow the four steps.
1. M = 3 × 5 × 7 = 105
2. M1 = 105/3 = 35, M2 = 105/5 = 21, M3 = 105/7 = 15
3. The inverses are M1^−1 = 2, M2^−1 = 1, M3^−1 = 1
4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23 mod 105
Example 2:
Find an integer that has a remainder of 3 when divided by 7 and 13, but is divisible by 12.
Solution
This is a CRT problem. We can form three equations and solve them to find the value of x.

If we follow the four steps, we find x = 276. We can check that
276 = 3 mod 7, 276 = 3 mod 13 and 276 is divisible by 12 (the quotient is 23 and the remainder is zero).

Example 3

Assume we need to calculate z = x + y where x = 123 and y = 334, but our system accepts only numbers less than 100.

Adding each congruence in x with the corresponding congruence in y gives

Now the three equations can be solved using the Chinese remainder theorem to find z. One of the acceptable answers is z = 457.
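The four-step CRT solution, as an added Python example that is not part of the notes, run on the three systems above. The residues of the first system (x ≡ 2 mod 3, x ≡ 3 mod 5, x ≡ 2 mod 7) are read off step 4 of its solution; the moduli 99, 98 and 97 for Example 3 are an assumption, since the notes' figure was not extracted; the function names are my own.

```python
# Added example (not from the notes): the four-step Chinese remainder solver and
# the "add in residues, then recombine" trick of Example 3.  The moduli 99, 98, 97
# for Example 3 are assumed (pairwise coprime and all below the 100 limit).
from math import gcd, prod

def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime m_i, following the four steps."""
    if any(gcd(a, b) != 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)                                        # step 1: common modulus
    Ms = [M // m for m in moduli]                           # step 2: M_i = M / m_i
    invs = [pow(Mi, -1, m) for Mi, m in zip(Ms, moduli)]    # step 3: M_i^-1 mod m_i
    return sum(a * Mi * inv                                 # step 4: combine
               for a, Mi, inv in zip(residues, Ms, invs)) % M

def add_in_residues(x, y, moduli):
    """Add two numbers too large for the machine by adding residue-wise, then CRT.
    Each residue and each residue sum stays below the corresponding modulus."""
    xs = [x % m for m in moduli]
    ys = [y % m for m in moduli]
    zs = [(a + b) % m for a, b, m in zip(xs, ys, moduli)]
    return crt(zs, moduli)

if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))                   # 23
    print(crt([3, 3, 0], [7, 13, 12]))                 # 276
    print(add_in_residues(123, 334, [99, 98, 97]))     # 457
```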

QUADRATIC CONGRUENCE
A quadratic congruence is a congruence equation of the form
a2 x^2 + a1 x + a0 ≡ 0 (mod n).
We limit our discussion to quadratic equations in which a2 = 1 and a1 = 0, that is, equations of the form
x^2 ≡ a (mod n)
There are two cases:
1. Quadratic Congruence Modulo a Prime
2. Quadratic Congruence Modulo a Composite
Quadratic Congruence Modulo a Prime
In this case we consider the modulus to be a prime number, that is, the form
x^2 ≡ a (mod p)
where p is a prime and a is an integer.
Example 1: Solve x^2 ≡ 3 (mod 11)
Solution: The numbers congruent to 3 modulo 11 are 3, 14, 25 (25 is 5 × 5 or (−5) × (−5)). The given equation has two solutions:
x^2 ≡ 25 (mod 11)
x ≡ 5 (mod 11) and x ≡ −5 (mod 11),
but −5 ≡ 6 (mod 11), so the solutions are 5 and 6. Check the result: substitute x = 5
5^2 ≡ 25 ≡ 3 (mod 11)
substitute x = 6
6^2 ≡ 36 ≡ 3 (mod 11)
Example 2: Solve x^2 ≡ 10 (mod 13)
Solution: The numbers congruent to 10 modulo 13 are 10, 23, 36 (36 is 6 × 6 or (−6) × (−6))
The given equation has two solutions:
x ≡ 6 (mod 13) and x ≡ −6 (mod 13),
but −6 ≡ 7 (mod 13), so the solutions are 6 and 7. Check the result: substitute x = 6
6^2 ≡ 36 ≡ 10 (mod 13)
substitute x = 7
7^2 ≡ 49 ≡ 10 (mod 13)
Quadratic Congruence Modulo a Composite
A quadratic congruence modulo a composite can be solved by a set of quadratic congruences modulo a prime.
Decomposition of a congruence modulo a composite:

Example: Assume that x^2 ≡ 36 (mod 77).

We know that 77 = 7 × 11. We can write

The answers are x ≡ +1 (mod 7), x ≡ −1 (mod 7),
x ≡ +5 (mod 11), and x ≡ −5 (mod 11). Now we can make four sets of equations out of these:

The answers are x = ±6 and ±27.

ASYMMETRIC KEY / PUBLIC KEY CRYPTOGRAPHY
Asymmetric key cryptosystems / public-key cryptosystems use a pair of keys: a public key (encryption key) and a private key (decryption key).
Public Key Cryptography?

➢ Public key cryptography is also called asymmetric cryptography.
➢ It was invented by Whitfield Diffie and Martin Hellman in 1976. Sometimes this cryptography is also called Diffie-Hellman encryption.
➢ Public key algorithms are based on mathematical problems which admit no efficient solution, such as those inherent in certain integer factorization, discrete logarithm and elliptic curve relations.
Public key Cryptosystem Principles:

➢ The concept of public key cryptography was invented for the two most difficult problems of symmetric key encryption:
▪ The Key Exchange Problem
▪ The Trust Problem
The Key Exchange Problem: The key exchange problem arises from the fact that communicating parties must somehow share a secret key before any secure communication can be initiated, and both parties must then ensure that the key remains secret. Of course, direct key exchange is not always feasible due to risk, inconvenience, and cost factors.
The Trust Problem: Ensuring the integrity of received data and verifying the identity of the source of that data can be very important. In a symmetric key cryptography system, the receiver does not know whether the message is coming from a particular sender.
➢ This public key cryptosystem uses two keys as a pair for encryption of plaintext and decryption of ciphertext.
➢ These two keys are named the "public key" and the "private key". The private key is kept secret whereas the public key is distributed widely.
➢ A message or text data which is encrypted with the public key can be decrypted only with the corresponding private key.
This two-key system is very useful in the areas of confidentiality (secrecy) and authentication.

A public-key encryption scheme has six ingredients:

1. Plaintext: This is the readable message or data that is fed into the algorithm as input.
2. Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
3. Public key, 4. Private key: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the algorithm depend on the public or private key that is provided as input.
5. Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
6. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.

Public key cryptography for providing confidentiality (secrecy)

The essential steps are the following.

1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. As the above figure suggests, each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice's private key.


There is some source A that produces a message in plaintext X = [X1, X2, ..., XM]. The M elements of X are letters in some finite alphabet. The message is intended for destination B. B generates a related pair of keys: a public key, PUb, and a private key, PRb. PRb is known only to B, whereas PUb is publicly available and therefore accessible by A.
With the message X and the encryption key PUb as input, A forms the ciphertext Y = [Y1, Y2, ..., YN]:

The intended receiver, in possession of the matching private key, is able to invert the transformation:

Public key cryptography for providing Authentication:

Cryptography and Network Security B.Tech (CSE) IV Year I Sem

The above diagrams show the use of public-key encryption to provide authentication:

➢ In this case, A prepares a message to B and encrypts it using A's private key before transmitting it. B can decrypt the message using A's public key. Because the message was encrypted using A's private key, only A could have prepared the message. Therefore, the entire encrypted message serves as a digital signature.
➢ It is impossible to alter the message without access to A's private key, so the message is authenticated both in terms of source and in terms of data integrity.



Public key cryptography for both authentication and confidentiality (secrecy)

Prepared by Ch Samsonu, Assoc. Professor, CSED, KHIT, Guntur 88

It is, however, possible to provide both the authentication function and confidentiality by a double use of the public-key scheme (above figure):
In this case, we begin as before by encrypting a message, using the sender's private key. This provides the digital signature. Next, we encrypt again, using the receiver's public key. The final ciphertext can be decrypted only by the intended receiver, who alone has the matching private key. Thus, confidentiality is provided.

Applications for Public-Key Cryptosystems
Public-key systems are characterized by the use of a cryptographic algorithm with two keys, one held private and one available publicly. Depending on the application, the sender uses either the sender's private key or the receiver's public key, or both, to perform some type of cryptographic function. The use of public-key cryptosystems falls into three categories:
• Encryption/decryption: The sender encrypts a message with the recipient's public key.
• Digital signature: The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.
• Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.

Applications for Public-Key Cryptosystems
Algorithm        Encryption/Decryption   Digital Signature   Key Exchange
RSA              Yes                     Yes                 Yes
Elliptic Curve   Yes                     Yes                 Yes
Diffie-Hellman   No                      No                  Yes
DSS              No                      Yes                 No

Public-Key Cryptanalysis

As with symmetric encryption, a public-key encryption scheme is vulnerable to a brute-force attack. The countermeasure is the same: use large keys. However, there is a tradeoff to be considered. Public-key systems depend on the use of some sort of invertible mathematical function. The complexity of calculating these functions may not scale linearly with the number of bits in the key but grow more rapidly than that. Thus, the key size must be large enough to make a brute-force attack impractical but small enough for practical encryption and decryption. In practice, the key sizes that have been proposed do make brute-force attack impractical but result in encryption/decryption speeds that are too slow for general-purpose use. Instead, as was mentioned earlier, public-key encryption is currently confined to key management and signature applications.

RSA Algorithm
➢ It is the most common public key algorithm.
➢ The RSA name comes from the first letters of its inventors' names (Rivest (R), Shamir (S) and Adleman (A)) in the year 1977.
➢ The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n−1 for some n.
➢ A typical size for n is 1024 bits or 309 decimal digits. That is, n is less than 2^1024.

Description of the Algorithm:
➢ The RSA algorithm uses an expression with exponentials.
➢ In RSA, plaintext is encrypted in blocks, with each block having a binary value less than some number n. That is, the block size must be less than or equal to log2(n).
➢ RSA uses two exponents e and d, where e is public and d is private.
➢ Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C:

C = M^e mod n
M = C^d mod n = (M^e mod n)^d mod n = (M^e)^d mod n = M^(ed) mod n

Both sender and receiver must know the value of n. The sender knows the value of e and only the receiver knows the value of d. Thus this is a public key encryption algorithm with a
Public key PU = {e, n} and Private key PR = {d, n}
Steps of the RSA algorithm:
Step 1: Select 2 prime numbers p and q.
Step 2: Calculate n = pq.
Step 3: Calculate Ø(n) = (p−1)(q−1).
Step 4: Select or find an integer e (public key) which is relatively prime to Ø(n), i.e., e with gcd(Ø(n), e) = 1 where 1 < e < Ø(n).
Step 5: Calculate d (private key) such that de ≡ 1 (mod Ø(n)) and d < Ø(n).
Step 6: Perform encryption by using C = M^e mod n.

Step 7: Perform decryption by using M = C^d mod n.
Example:

1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 × 11 = 187.
3. Calculate Ø(n) = (p−1)(q−1) = 16 × 10 = 160.
4. Select e such that e is relatively prime to Ø(n) = 160 and less than Ø(n); we choose e = 7.
5. Determine d such that de ≡ 1 (mod 160) and d < 160. The correct value is d = 23, because 23 × 7 = 161 = (1 × 160) + 1; d can be calculated using the extended Euclid's algorithm.
6. The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}.
The example shows the use of these keys for a plaintext input of M = 88. For encryption, we need to calculate C = 88^7 mod 187. Exploiting the properties of modular arithmetic, we can do this as follows.
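The Euler-theorem inverse for a composite modulus (from the Multiplicative Inverses section after Euler's theorem) together with the RSA key generation, encryption and decryption just described, as an added Python example that is not the notes' own code. It uses the notes' values p = 17, q = 11, e = 7 and M = 88, derives d both from Euler's theorem and from the extended Euclidean algorithm (Python's pow(e, -1, n)) to show they agree, and the function names are my own.

```python
# Added example (not from the notes): totient from a factorization, the Euler
# inverse a^(phi(n)-1) mod n for composite n, and RSA with the notes' numbers.
from math import gcd

def factorize(n):
    """Trial-division factorization: returns {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """phi(n) = product of p^e - p^(e-1) over the prime-power factors of n."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result

def euler_inverse(a, n):
    """a^-1 mod n when gcd(a, n) = 1: a^phi(n) ≡ 1, so a^(phi(n)-1) is the inverse."""
    if gcd(a, n) != 1:
        raise ValueError("inverse exists only when a and n are relatively prime")
    return pow(a, phi(n) - 1, n)

def rsa_keygen(p, q, e):
    """Steps 1-5: n = pq, phi(n) = (p-1)(q-1), d with e*d ≡ 1 (mod phi(n))."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi_n or gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n) and 1 < e < phi(n)")
    d = euler_inverse(e, phi_n)
    assert d == pow(e, -1, phi_n)          # extended Euclid gives the same d
    return (e, n), (d, n)                   # PU = {e, n}, PR = {d, n}

def rsa_encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("a block must be an integer in [0, n-1]")
    return pow(m, e, n)                     # C = M^e mod n

def rsa_decrypt(c, private):
    d, n = private
    return pow(c, d, n)                     # M = C^d mod n

if __name__ == "__main__":
    print(phi(240), phi(49), phi(14))               # 64 42 6
    print(pow(20, 62, 77))                           # 15
    pub, priv = rsa_keygen(17, 11, 7)
    print(pub, priv)                                 # (7, 187) (23, 187)
    c = rsa_encrypt(88, pub)
    print(c, rsa_decrypt(c, priv))                   # 11 88
```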


The Security of RSA
Four possible approaches to attacking the RSA algorithm are
• Brute force: This involves trying all possible private keys.
• Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes.
• Timing attacks: These depend on the running time of the decryption algorithm.
• Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.

Trapdoor one-way function

▪ A trapdoor function is a function that is easy to perform one way, but has a secret that is required to perform the inverse calculation efficiently.
▪ That is, if f is a trapdoor function, then y = f(x) is easy to compute, but x = f^−1(y) is hard to compute without some special knowledge k. Given k, it is easy to compute x = f^−1(y, k).
▪ The analogy to a "trapdoor" is something like this: it's easy to fall through a trapdoor, but it's very hard to climb back out and get to where you started unless you have a ladder.
▪ An example of such trapdoor one-way functions may be finding the prime factors of large numbers. Nowadays, this task is practically infeasible.
▪ On the other hand, knowing one of the factors, it is easy to compute the other ones. For example: RSA is a one-way trapdoor function.
Diffie-Hellman Key Exchange
➢ Diffie-Hellman key exchange is the first published public key algorithm.
➢ This Diffie-Hellman key exchange protocol is also known as exponential key agreement. It is based on mathematical principles.
➢ The purpose of the algorithm is to enable two users to exchange a key securely that can then be used for subsequent encryption of messages.
➢ This algorithm itself is limited to the exchange of the keys.
➢ This algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.
➢ The discrete logarithms are defined in this algorithm in terms of a primitive root of a prime number.
➢ Primitive root: we define a primitive root of a prime number P as one whose powers generate all the integers from 1 to P−1; that is, if a is a primitive root of the prime number P, then the numbers a mod P, a^2 mod P, ..., a^(P−1) mod P are distinct and consist of the integers from 1 through P−1 in some permutation.
For any integers b and a, where a is a primitive root of the prime number P,
b ≡ a^i mod P, 0 ≤ i ≤ (P−1)
The exponent i is referred to as the discrete logarithm or index of b for the base a, mod P. The value is denoted as ind_{a,p}(b).
Algorithm for Diffie-Hellman Key Exchange:
Step 1: Select global public numbers q, α
q: prime number
α: primitive root of q and α < q.
Step 2: If users A and B wish to exchange a key
a) User A selects a random integer XA < q and computes

b) User B independently selects a random integer XB < q and computes
c) Each side keeps the X value private and makes the Y value available publicly to the other side.
Step 3: User A computes the key as          User B computes the key as
Step 4: The two calculations produce identical results.
The result is that the two sides have exchanged a secret key.

Example:

MAN-in-the-Middle Attack (MITM)
Definition: A man-in-the-middle attack is a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party.
Generally the attacker actively eavesdrops by intercepting (stopping) a public key message exchange.
The Diffie-Hellman key exchange is insecure against a "man in the middle attack".
Suppose users A and B wish to exchange keys, and D is the adversary (opponent). The attack proceeds as follows.
1. D prepares for the attack by generating two random private keys XD1 and XD2 and then computing the corresponding public keys YD1 and YD2.
2. A transmits YA to B.
3. D intercepts YA and transmits YD1 to B. D also calculates

4. B receives YD1 and calculates

5. B transmits YB to A.

6. D intercepts YB and transmits YD2 to A, and D calculates K1

7. A receives YD2 and calculates

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice is compromised in the following way.

The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This vulnerability can be overcome with the use of digital signatures and public-key certificates.
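The key-exchange algorithm and the man-in-the-middle run described above, as an added Python example that is not from the notes. It uses the textbook parameters q = 353, α = 3, XA = 97, XB = 233; D's private exponents XD1 = 50 and XD2 = 300 are constructed values, and the function names are my own. The point the code makes is the one the notes make: nothing in the exchange lets B tell YD1 from YA, so only authentication of the Y values (signatures, certificates) closes the gap.

```python
# Added example (not from the notes): Diffie-Hellman over a small prime, then the
# seven-step man-in-the-middle run. q = 353, alpha = 3, XA = 97, XB = 233 are the
# textbook values; XD1 = 50 and XD2 = 300 are constructed for the demonstration.

def dh_public(alpha, q, x):
    """Y = alpha^X mod q, the value each party publishes."""
    return pow(alpha, x, q)

def dh_shared(their_public, my_private, q):
    """K = Y_other^X_mine mod q."""
    return pow(their_public, my_private, q)

def honest_exchange(alpha, q, xa, xb):
    """Returns (YA, YB, K as computed by A, K as computed by B)."""
    ya, yb = dh_public(alpha, q, xa), dh_public(alpha, q, xb)
    ka, kb = dh_shared(yb, xa, q), dh_shared(ya, xb, q)
    return ya, yb, ka, kb

def mitm_exchange(alpha, q, xa, xb, xd1, xd2):
    """Returns (A's key, B's key, D's copy of K2 with A, D's copy of K1 with B)."""
    ya, yb = dh_public(alpha, q, xa), dh_public(alpha, q, xb)      # step 2, step 5
    yd1, yd2 = dh_public(alpha, q, xd1), dh_public(alpha, q, xd2)  # step 1
    # step 3: D intercepts YA and forwards YD1 to B; step 4: B computes K1 from YD1
    kb = dh_shared(yd1, xb, q)
    k1 = dh_shared(yb, xd1, q)      # D's copy of K1, from the intercepted YB
    # step 6: D intercepts YB and forwards YD2 to A; step 7: A computes K2 from YD2
    ka = dh_shared(yd2, xa, q)
    k2 = dh_shared(ya, xd2, q)      # D's copy of K2, from the intercepted YA
    return ka, kb, k2, k1

if __name__ == "__main__":
    print(honest_exchange(3, 353, 97, 233))          # (40, 248, 160, 160)
    ka, kb, k2, k1 = mitm_exchange(3, 353, 97, 233, 50, 300)
    # A shares K2 with D, B shares K1 with D, and A and B do not share a key.
    print(ka == k2, kb == k1, ka == kb)              # True True False
```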

Elliptic Curve Cryptography

➢ Elliptic curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers.
➢ An elliptic curve is defined by an equation in two variables with coefficients. For cryptography, the variables and coefficients are restricted to elements in a finite field, which results in the definition of a finite abelian group.

Elliptic Curves over Real Numbers


ECC Key Exchange:
Take two global public elements:
Eq(a, b): elliptic curve with parameters a, b, and q
G: point on the elliptic curve whose order is a large value n
Alice Key Generation:
Select private key nA: nA < n
Calculate public key PA: PA = nA × G
Bob Key Generation:
Select private key nB: nB < n
Calculate public key PB: PB = nB × G
Secret Key calculation by Alice
K = nA × PB
Secret Key calculation by Bob
K = nB × PA
ECC Encryption
• Let the message be M
• First encode the message M into a point on the elliptic curve. Let this point be Pm
• Now this point is encrypted
• For encryption choose a random positive integer k
• Then Cm = {kG, Pm + kPB} where G is the base point
ECC Decryption
• Multiply the first point in the pair with the receiver's secret key, i.e., kG × nB
• Then subtract it from the second point in the pair, i.e., Pm + kPB − (kG × nB)

ELGAMAL CRYPTOGRAPHIC SYSTEM
• In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique.
• ElGamal algorithms are used for both digital signatures as well as encryption.

ElGamal Algorithm:

Thus, this value functions as a one-time key, used to encrypt and decrypt the message. For example, let us start with the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}. We choose α = 10.
Alice generates a key pair as follows:
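ElGamal over GF(19) with α = 10 as set up above, as an added Python example that is not from the notes. Alice's private key XA = 5, the message M = 17 and the per-message secret k = 6 are constructed values (the notes' own key pair was not extracted), and the function names are my own. The one-time key K = YA^k is what the text refers to: a fresh k is needed for every message, because two messages encrypted under the same k share the same K.

```python
# Added example (not from the notes): ElGamal encryption over GF(19), alpha = 10.
# XA = 5, M = 17 and k = 6 are constructed values for the demonstration.

def elgamal_keygen(q, alpha, xa):
    """Public key (q, alpha, YA = alpha^XA mod q); private key XA."""
    if not 1 < xa < q - 1:
        raise ValueError("private key must satisfy 1 < XA < q-1")
    return (q, alpha, pow(alpha, xa, q)), xa

def elgamal_encrypt(public, m, k):
    """C = (C1, C2): C1 = alpha^k, K = YA^k is the one-time key, C2 = K*M mod q."""
    q, alpha, ya = public
    if not 0 <= m < q or not 1 <= k < q - 1:
        raise ValueError("need 0 <= M < q and 1 <= k < q-1")
    K = pow(ya, k, q)                       # one-time key, never sent
    return pow(alpha, k, q), (K * m) % q

def elgamal_decrypt(public, xa, cipher):
    """Recover K = C1^XA (same value, since YA^k = alpha^(XA*k)), then M = C2 * K^-1."""
    q, _, _ = public
    c1, c2 = cipher
    K = pow(c1, xa, q)
    return (c2 * pow(K, -1, q)) % q

if __name__ == "__main__":
    pub, priv = elgamal_keygen(19, 10, 5)
    print(pub)                                  # (19, 10, 3)
    c = elgamal_encrypt(pub, 17, 6)
    print(c, elgamal_decrypt(pub, priv, c))     # (11, 5) 17
```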


RABIN CRYPTOSYSTEM
The Rabin cryptosystem is a public-key cryptosystem invented by Michael Rabin and is a variation of RSA. RSA is based on the exponentiation congruence; Rabin is based on the quadratic congruence.
The public key in Rabin is n; the private key is the tuple (p, q). Everyone can encrypt a message using n; only Bob can decrypt the message using p and q.

Decryption of the message without the private key is infeasible. It uses asymmetric key encryption for communicating between two parties and encrypting the message.

The security of the Rabin cryptosystem is related to the difficulty of factorization. It has the advantage over the others that the problem on which it banks has been proved to be as hard as integer factorization.

It has the disadvantage also that each output of the Rabin function can be generated by any of four possible inputs. If each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext.
Steps in the Rabin cryptosystem
Key generation

1. Generate two very large prime numbers, p and q, which satisfy the condition
p ≠ q, p ≡ q ≡ 3 (mod 4)
For example:
p = 139 and q = 191
2. n = p · q
3. Public_key = n
4. Private_key = (p, q)
5. Return public_key, private_key
Encryption
1. Get the public key n.
2. Convert the message to its ASCII value. Then convert it to binary and extend the binary value with itself, and change the binary value back to decimal M.
3. Encrypt with the formula: C = M^2 mod n
4. Send C to the recipient.

Decryption
1. Accept C from the sender.
2. Compute:
   a1 = C^((p+1)/4) mod p,  a2 = −C^((p+1)/4) mod p,  b1 = C^((q+1)/4) mod q,  b2 = −C^((q+1)/4) mod q
3. Calculate four plaintexts by using the Chinese Remainder Algorithm:
   M1 = Chinese_Remainder(a1, b1, p, q),  M2 = Chinese_Remainder(a1, b2, p, q)
   M3 = Chinese_Remainder(a2, b1, p, q),  M4 = Chinese_Remainder(a2, b2, p, q)
4. Choose the one of the above (M1, M2, M3 and M4) that is the appropriate plaintext.

The Rabin cryptosystem is not deterministic: decryption creates four equally probable plaintexts.

Example:
1. Bob selects p = 23 and q = 7; note both are congruent to 3 mod 4
2. Bob calculates n = p × q = 161
3. Bob announces n publicly; he keeps p and q private
4. Alice wants to send plaintext P = 24. Note that 161 and 24 are relatively prime; 24 is in Z161*
   She calculates C = 24^2 mod 161 = 93 mod 161, and sends the ciphertext 93 to Bob
5. Bob receives 93 and calculates four values:
   a. a1 = +(93^((23+1)/4)) mod 23 = 1 mod 23
   b. a2 = −(93^((23+1)/4)) mod 23 = 22 mod 23
   c. b1 = +(93^((7+1)/4)) mod 7 = 4 mod 7
   d. b2 = −(93^((7+1)/4)) mod 7 = 3 mod 7
6. Bob takes the four possible answers, (a1, b1), (a1, b2), (a2, b1), (a2, b2), and uses the Chinese Remainder Theorem to find 4 possible plaintexts: 116, 24, 137 and 45.

Case 1:
By using the (a1 = 1, b1 = 4) combination with moduli (p = 23, q = 7), let X be the plaintext: X = 1 mod 23
X = 4 mod 7
By using the Chinese Remainder Theorem:
M = 23 × 7 = 161, M1 = M/23 = 161/23 = 7, M2 = M/7 = 161/7 = 23
M1^-1 = 7^-1 mod 23 = 7^(23−2) mod 23 = 7^21 mod 23 = 10
M2^-1 = 23^-1 mod 7 = 23^(7−2) mod 7 = 23^5 mod 7 = 4
X = (a1 × M1 × M1^-1 + b1 × M2 × M2^-1) mod M
  = (1 × 7 × 10 + 4 × 23 × 4) mod 161 = 438 mod 161 = 116

Case 2:
By using the (a1 = 1, b2 = 3) combination with moduli (p = 23, q = 7), let X be the plaintext: X = 1 mod 23
X = 3 mod 7
By using the Chinese Remainder Theorem:
M = 23 × 7 = 161, M1 = M/23 = 161/23 = 7, M2 = M/7 = 161/7 = 23
M1^-1 = 7^-1 mod 23 = 7^(23−2) mod 23 = 7^21 mod 23 = 10
M2^-1 = 23^-1 mod 7 = 23^(7−2) mod 7 = 23^5 mod 7 = 4
X = (a1 × M1 × M1^-1 + b2 × M2 × M2^-1) mod M
  = (1 × 7 × 10 + 3 × 23 × 4) mod 161 = 346 mod 161 = 24

Case 3:
By using the (a2 = 22, b1 = 4) combination with moduli (p = 23, q = 7), let X be the plaintext: X = 22 mod 23
X = 4 mod 7
By using the Chinese Remainder Theorem:
M = 23 × 7 = 161, M1 = M/23 = 161/23 = 7, M2 = M/7 = 161/7 = 23
M1^-1 = 7^-1 mod 23 = 7^(23−2) mod 23 = 7^21 mod 23 = 10
M2^-1 = 23^-1 mod 7 = 23^(7−2) mod 7 = 23^5 mod 7 = 4
X = (a2 × M1 × M1^-1 + b1 × M2 × M2^-1) mod M
  = (22 × 7 × 10 + 4 × 23 × 4) mod 161 = (1540 + 368) mod 161 = 137

Case 4:
By using the (a2 = 22, b2 = 3) combination with moduli (p = 23, q = 7), let X be the plaintext: X = 22 mod 23
X = 3 mod 7
By using the Chinese Remainder Theorem:
M = 23 × 7 = 161, M1 = M/23 = 161/23 = 7, M2 = M/7 = 161/7 = 23
M1^-1 = 7^-1 mod 23 = 7^(23−2) mod 23 = 7^21 mod 23 = 10
M2^-1 = 23^-1 mod 7 = 23^(7−2) mod 7 = 23^5 mod 7 = 4
X = (a2 × M1 × M1^-1 + b2 × M2 × M2^-1) mod M
  = (22 × 7 × 10 + 3 × 23 × 4) mod 161 = (1540 + 276) mod 161 = 45

So, finally, from the four cases we got four plaintext messages:
Case 1: 116
Case 2: 24
Case 3: 137
Case 4: 45.
Only the second answer (24) is Alice's plaintext; Bob needs to make a decision based on the situation.
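The whole Rabin procedure above in working code, added for these notes (it is not code from the original text): key checks, encryption, and decryption that recovers all four square roots with the CRT. It reproduces the p = 23, q = 7 example and, with the p = 139, q = 191 pair from the key-generation step, shows how the "extend the binary value with itself" redundancy lets Bob pick the true plaintext. The helper names and the sample message are our own.

```python
# Added example for the Rabin cryptosystem (not part of the lecture notes).
# Standard library only; Python 3.8+ for pow(x, -1, m).


def rabin_keygen(p: int, q: int) -> tuple:
    """Check the condition p != q, p = q = 3 (mod 4) and return (n, (p, q))."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    return p * q, (p, q)


def add_redundancy(m: int) -> int:
    """Encryption step 2: write m in binary and extend the bit string with itself."""
    bits = bin(m)[2:]
    return int(bits + bits, 2)


def strip_redundancy(x: int):
    """Undo add_redundancy; return None when x does not carry the doubled pattern."""
    bits = bin(x)[2:]
    half = len(bits) // 2
    if len(bits) % 2 or bits[:half] != bits[half:]:
        return None
    return int(bits[:half], 2)


def rabin_encrypt(m: int, n: int) -> int:
    """C = M^2 mod n, using only the public key n."""
    return pow(m, 2, n)


def chinese_remainder(a: int, b: int, p: int, q: int) -> int:
    """Solve X = a (mod p), X = b (mod q) exactly as the notes' cases do:
    X = (a*M1*M1^-1 + b*M2*M2^-1) mod M with M = p*q, M1 = M/p, M2 = M/q."""
    big_m = p * q
    m1, m2 = big_m // p, big_m // q
    inv1 = pow(m1, -1, p)          # M1^-1 mod p   (10 in the notes' example)
    inv2 = pow(m2, -1, q)          # M2^-1 mod q   (4 in the notes' example)
    return (a * m1 * inv1 + b * m2 * inv2) % big_m


def rabin_decrypt(c: int, p: int, q: int) -> list:
    """Return the four candidates [M1, M2, M3, M4] in the notes' order."""
    a1 = pow(c, (p + 1) // 4, p)   # square root of C modulo p (valid since p = 3 mod 4)
    a2 = (-a1) % p
    b1 = pow(c, (q + 1) // 4, q)   # square root of C modulo q
    b2 = (-b1) % q
    return [chinese_remainder(a1, b1, p, q), chinese_remainder(a1, b2, p, q),
            chinese_remainder(a2, b1, p, q), chinese_remainder(a2, b2, p, q)]


def rabin_decrypt_with_redundancy(c: int, p: int, q: int) -> list:
    """Decrypt and keep only the candidates that carry the doubled-bit pattern."""
    return [m for m in rabin_decrypt(c, p, q) if strip_redundancy(m) is not None]


if __name__ == "__main__":
    # Notes' example: p = 23, q = 7, plaintext 24 -> ciphertext 93 -> {116, 24, 137, 45}
    n, (p, q) = rabin_keygen(23, 7)
    print(rabin_decrypt(rabin_encrypt(24, n), p, q))
    # With redundancy (constructed message: ASCII 'A' = 65) only one root survives.
    n, (p, q) = rabin_keygen(139, 191)
    m = add_redundancy(65)                       # 1000001 -> 10000011000001 = 8385
    survivors = rabin_decrypt_with_redundancy(rabin_encrypt(m, n), p, q)
    print(survivors, [strip_redundancy(s) for s in survivors])
```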

Security of the Rabin System:
The Rabin system is secure as long as p and q are large numbers.
UNIT-IV
Data Integrity, Digital Signature Schemes & Key Management

Message Integrity and Message Authentication, Cryptographic Hash Functions, Digital Signature, Key Management.

Message Integrity and Message Authentication

1. Message Integrity:
The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity (data will not be changed).

Document and Fingerprint:
One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document.

Message and Message Digest:
The electronic equivalent of the document and fingerprint pair is the message and digest pair. To preserve the integrity of a message, the message is passed through an algorithm called a cryptographic hash function.

Difference:
The two pairs (document/fingerprint) and (message/message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked separately, and, most importantly, the message digest needs to be safe from change.
Note: The message digest needs to be safe from change.

Checking Integrity:

Cryptographic Hash Function Criteria:
A cryptographic hash function must satisfy three criteria:
1. Pre-image Resistance
2. Second Pre-image Resistance
3. Collision Resistance.

Preimage Resistance: The hash function must be a one-way function: for any given code h, it is computationally infeasible to find h^-1.

Second Preimage Resistance: In this criterion, an adversary is provided with the value of x and is asked to compute the value of x1 ≠ x such that h(x) = h(x1). If it is difficult for the attacker to perform this computation, we claim that the hash function is second pre-image resistant.

Collision Resistance: A collision of a hash function is the event when two values x and x1, such that x1 ≠ x, hash to the same value, i.e., h(x) = h(x1).
Random Oracle Model:

2. Message Authentication:
➢ A message digest guarantees the integrity of a message. It guarantees that the message has not been changed.
➢ A message digest does not authenticate the sender of the message.
➢ When Alice sends a message to Bob, Bob needs to know if the message is coming from Alice.
➢ To provide message authentication, Alice needs to provide proof that it is Alice sending the message and not a fraud.
➢ The digest created by a cryptographic hash function is normally called a Modification Detection Code (MDC). This code can detect any modifications in the message.
➢ What we need for message authentication is a Message Authentication Code (MAC).

Modification Detection Code (MDC):
➢ A modification detection code (MDC) is a message digest that can prove the integrity of the message: that the message has not been changed.
➢ If Alice needs to send a message to Bob and be sure that the message will not change during transmission, Alice can create a message digest, MDC, and send both the message and the MDC to Bob. Bob can create a new MDC from the message and compare the received MDC and the new MDC. If they are the same, the message has not been changed.


Message Authentication Code (MAC):
➢ To ensure the integrity of a message and data origin authentication, we need to change a modification detection code (MDC) into a Message Authentication Code (MAC).
➢ The difference between an MDC and a MAC is that the latter includes a secret key shared between Alice and Bob.

MAC Security
How can Eve forge a message without having the key?
1. If the size of the key allows exhaustive search, Eve may try all possible keys to digest the message.
2. Use a preimage attack.
3. Given some pairs of messages and their MACs, Eve can manipulate them to come up with a new message and its digest.
Note: The security of a MAC depends on the security of the underlying hash algorithm.

Nested MAC:
✓ To improve MAC security, nested MACs were designed in which hashing is performed twice.
▪ In the 1st step, the key is concatenated with the message and is hashed to create an intermediate digest.
▪ In the 2nd step, the key is concatenated with the intermediate digest to create the final digest.


HMAC (Hashed MAC):
▪ HMAC stands for Hashed or Hash-based Message Authentication Code
▪ It uses the hashing concept twice, so it is more resistant to attack
▪ HMAC combines the benefits of hashing and a MAC
✓ The working of HMAC starts with taking a message M containing blocks of length b bits.
✓ An input signature is padded to the left of the message and the whole is given as input to a hash function which gives us an intermediate HMAC.
✓ The intermediate HMAC again is appended to an output signature and the whole is put through a hash function again; the result is our final HMAC of n bits.

CMAC (Cipher-based MAC)

• This is similar to CBC (Cipher Block Chaining).
• It takes N blocks of message but creates one block of MAC.
• The message is divided into N blocks of m-bit size. If the last block is not of m-bit size, then it is padded with a starting 1 then 0000…, like 100000….
• The block is encrypted with key K, then its output is XORed with the next block for the 2nd encryption, and so on.
• The last block is encrypted with some additional k value for more security.
Cryptographic Hash Functions
A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length, also called a hash.

A cryptographic hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value.
There are two most promising cryptographic hash algorithms:

• SHA-512
• Whirlpool

Iterated Hash Function
All cryptographic hash functions need to create a fixed-size digest out of a variable-size message. Actually, the hash function is a fixed-size-input function, but it is performed a number of times. This fixed-size hash function is referred to as a compression function; it compresses an m-bit string input to an n-bit string.
Merkle-Damgard Scheme

• This is an iterated hash function that is collision resistant
• This is the basis for many cryptographic hash functions today.
• The message is divided into t blocks of n-bit size. If necessary some bits are padded
• The blocks are M1, M2, … Mt and the digests created at each compression function are H1, H2, … Ht
• Before starting the iteration, the digest H0 is set to a fixed value called IV (initial value or initial vector)
The compression function operates on Hi-1 and Mi to create a new Hi: Hi = f(Hi-1, Mi), where f is a compression function

Hash Functions Invention
• Several hash functions were designed by Ron Rivest.
• These are MD (Message Digest), MD2, MD4, and MD5
• MD5 takes blocks of size 512 bits and creates a 128-bit digest.
• The 128-bit-size digest is too small to resist collision attack.

Secure Hash Algorithm (SHA)

• SHA was originally designed by NIST & NSA in 1993
• SHA was revised in 1995 as SHA-1
• adds 3 additional versions of SHA
• SHA-256, SHA-384, SHA-512: structure & detail is similar to SHA-1
SHA-512
• SHA-512 is a member of the Secure Hash Algorithm family
• SHA-512 creates a 512-bit message digest.
• The original message is divided into multiple blocks of size 1024 bits.
• The processing of each block involves 80 rounds
• Each block of size 1024 bits can be treated as 16 words of size 64 bits
• The maximum size of a message is less than 2^128. This means that if the length of a message is equal to or greater than 2^128, it will not be processed by SHA-512
• SHA-512 is based on the Merkle-Damgard scheme.

The following figure shows the internal logic of SHA-512

STEPS:

1. Append padding bits:

The message is padded with 1000000… to make the message a multiple of 1024.

2. Append length of the message:

A block of 128 bits is appended to the message. It contains the length of the original message. Before addition of the length of the message, we need to pad as specified in the first step.
The size of the padding bits is calculated as: (|M| + |P| + 128) = 0 mod 1024
|P| = (−|M| − 128) mod 1024
Example: What is the number of padding bits if the length of the original message is 2590?
Solution: |P| = (−2590 − 128) mod 1024
          = −2718 mod 1024 = −670 mod 1024
          = (1024 − 670) mod 1024 = 354
The padding consists of one 1 followed by 353 0's
Length Field and Padding:
Before the message digest can be created, SHA-512 requires the addition of a 128-bit length field (0 to 2^128 − 1) to the message that defines the length of the message in bits.
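The padding rule and length field worked above, together with the Merkle-Damgard iteration from the previous section, as an added example (not code from the notes). The compression function here is a stand-in, not SHA-512's 80-round module, so only the padding and the block-by-block structure are faithful; `sha512_padding_bits`, `pad_sha512` and `merkle_damgard` are our own names.

```python
# Added example (not part of the lecture notes): SHA-512 padding and length field,
# plus a Merkle-Damgard driver feeding the padded 1024-bit blocks to a compression
# function. stand_in_compress is a placeholder for f(H_{i-1}, M_i), not SHA-512's own.
import hashlib

BLOCK_BITS = 1024
LENGTH_BITS = 128


def sha512_padding_bits(msg_bits: int) -> int:
    """|P| = (-|M| - 128) mod 1024, but never 0: the single 1 bit is always appended,
    so a message that already fits exactly gets a whole extra 1024-bit padding block."""
    p = (-msg_bits - LENGTH_BITS) % BLOCK_BITS
    return p if p else BLOCK_BITS


def pad_sha512(message: bytes) -> bytes:
    """Append 1000...0 and then the 128-bit big-endian length of the original message."""
    msg_bits = 8 * len(message)
    if msg_bits >= 2 ** LENGTH_BITS:
        raise ValueError("SHA-512 only processes messages shorter than 2^128 bits")
    pad_bits = sha512_padding_bits(msg_bits)           # a multiple of 8 for byte strings
    padding = b"\x80" + b"\x00" * (pad_bits // 8 - 1)  # one 1 bit, then pad_bits-1 zeros
    return message + padding + msg_bits.to_bytes(LENGTH_BITS // 8, "big")


def stand_in_compress(h_prev: bytes, block: bytes) -> bytes:
    """Placeholder for f(H_{i-1}, M_i): 512-bit chaining value in, 512 bits out."""
    return hashlib.sha512(h_prev + block).digest()


def merkle_damgard(message: bytes, iv: bytes = bytes(64)) -> bytes:
    """H_0 = IV; H_i = f(H_{i-1}, M_i) over the padded 1024-bit blocks; return H_t."""
    padded = pad_sha512(message)
    h = iv
    for i in range(0, len(padded), BLOCK_BITS // 8):
        h = stand_in_compress(h, padded[i:i + BLOCK_BITS // 8])
    return h


if __name__ == "__main__":
    print(sha512_padding_bits(2590))      # 354, as in the worked example above
    print(len(pad_sha512(b"abc")))        # 128 bytes = one 1024-bit block
    print(merkle_damgard(b"abc").hex())
```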

Compression Function

The heart of the algorithm is a module that consists of 80 rounds; this module is labeled as F in the block diagram.
Each round t takes as input the 512-bit buffer value, abcdefgh, and updates the contents of the buffer.
Each round t makes use of a 64-bit value Wt, derived from the current 1024-bit block being processed (Mi).
Each round t also makes use of an additive constant Kt (64-bit).
The output of the 80th round is added to the input to the first round (Hi-1) to produce Hi.


80-Word Input Sequence


Constants

…..

Initialize hash buffer


DIGITAL SIGNATURE
• A digital signature is a technique used to validate the authenticity and integrity of a message.
• In the physical world, a person signs a document to show that it originated from him or was approved by him. The signature is proof to the recipient that the document comes from the correct entity.
• Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be independently verified by the receiver as well as any third party.
• A digital signature is a cryptographic value that is calculated from the data and a secret key known only by the signer.

COMPARISON of conventional signature & DIGITAL SIGNATURE

Inclusion
A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.

Verification Method
For a conventional signature, when the recipient receives a document, he compares the signature on the document with the signature on file.
For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.

Relationship
For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.
Duplicity
In a conventional signature, a copy of the signed document can be distinguished from the original one on file. In a digital signature, there is no such distinction unless there is a factor of time on the document.

PROCESS OF DIGITAL SIGNATURE

The figure shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.

SIGNING THE DIGEST

The drawback of asymmetric-key cryptosystems is that they are "inefficient for long messages". In a digital signature system this can be overcome by "signing the digest of the message".

SERVICES

The services in cryptography are:
Message confidentiality, authentication, integrity and non-repudiation.
• A digital signature system can provide message authentication, integrity and non-repudiation, but still needs encryption/decryption for message confidentiality.

Message Authentication
• A secure digital signature scheme, like a secure conventional signature, can provide message authentication
• Example: Bob can verify that the message is sent by Alice because Alice's public key is used in verification.
Message Integrity
The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed.

Nonrepudiation
Nonrepudiation can be provided using a trusted party.

Confidentiality

A digital signature does not provide privacy.
If there is a need for privacy, another layer of encryption/decryption must be applied.


Figure: Adding confidentiality to a digital signature scheme

ATTACKS ON DIGITAL SIGNATURE

Attack Types

1. Key-Only Attack
In a key-only attack, the public key of A is available to everyone, and C makes use of this fact and tries to recreate the signature of A and digitally sign the documents that A does not intend to.

2. Known-Message Attack
In the known-message attack, C has a few previous messages and signatures of A. Now C tries to forge the signature of A onto documents that A does not intend to sign, by using the brute-force method of analyzing the previous data to recreate the signature of A.

3. Chosen-Message Attack
In this method C has knowledge of A's public key and obtains A's signature on messages, and replaces the original message with the message C wants A to sign, with A's signature on them unchanged.

Forgery Types

1. Existential Forgery
The adversary can create a pair (message, signature), such that the signature of the message is valid. The adversary has no control over the messages whose signature is forged.
2. Selective Forgery
The adversary is able to create valid signatures on a message chosen by someone else, with a significant probability. The adversary controls the messages whose signature is forged.

DIGITAL SIGNATURE SCHEMES
Several digital signature schemes have evolved during the last few decades. Some of them have been implemented.

1. RSA Digital Signature Scheme
2. ElGamal Digital Signature Scheme
3. Schnorr Digital Signature Scheme
4. Digital Signature Standard (DSS)
5. Elliptic Curve Digital Signature Scheme

RSA DIGITAL SIGNATURE SCHEMES

Figure: General idea behind the RSA digital signature scheme

The sender uses his own private key to sign the document; the receiver uses the sender's public key to verify it.

RSA DIGITAL SIGNATURE SCHEMES – Key Generation

Key generation in the RSA digital signature scheme is exactly the same as key generation in RSA.
1. Sender chooses two prime numbers p and q
2. Calculate n = p × q
3. Calculate f(n) = (p − 1) × (q − 1)
4. Choose the public exponent e and calculate d (private exponent) such that e × d ≡ 1 mod f(n)
In the RSA digital signature scheme, d is private; e and n are public.

RSA DIGITAL SIGNATURE SCHEMES – Signing and verifying

Signing: Alice creates a signature out of the message using her private exponent, S = M^d mod n, and sends the signature to Bob.
Verifying: Bob receives M and S. Bob applies Alice's public exponent to the signature to create a copy of the message, M1 = S^e mod n. Bob compares M and M1. If both are congruent, he accepts the message.
M1 ≡ M (mod n), since S^e ≡ M^(d×e) ≡ M (mod n)

RSA DIGITAL SIGNATURE SCHEMES – EXAMPLE

As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The value of f(n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key generation is complete. Now imagine that Alice wants to send a message with the value of M = 19070 to Bob. She uses her private exponent, 160009, to sign the message:

Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates

Bob accepts the message because he has verified Alice's signature.
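The example above carried through in code, added here (not code from the notes): key generation from the notes' p, q and e, signing with d, and Bob's verification, plus the rejection of a modified message or signature. Function names are our own.

```python
# Added example (not part of the lecture notes): RSA key generation, signing and
# verification with the notes' toy numbers p = 823, q = 953, e = 313, M = 19070.
# The bare S = M^d mod n is "textbook" RSA exactly as the notes present it; real
# systems sign a padded hash of the message (see "Signing the digest" above).


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return (n, f_n, d) with e*d = 1 mod f(n), where f(n) = (p-1)(q-1)."""
    n = p * q
    f_n = (p - 1) * (q - 1)
    d = pow(e, -1, f_n)          # raises ValueError if gcd(e, f(n)) != 1
    return n, f_n, d


def rsa_sign(m: int, d: int, n: int) -> int:
    """Alice: S = M^d mod n with her private exponent."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, d, n)


def rsa_verify(m: int, s: int, e: int, n: int) -> bool:
    """Bob: M1 = S^e mod n; accept iff M1 == M."""
    return pow(s, e, n) == m


if __name__ == "__main__":
    n, f_n, d = rsa_keygen(823, 953, 313)
    print(n, f_n, d)                       # 784319 782544 160009
    s = rsa_sign(19070, d, n)
    print(s, rsa_verify(19070, s, 313, n), rsa_verify(19071, s, 313, n))   # ... True False
```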

ElGamal Digital Signatures

• signature variant of ElGamal, related to D-H
  – so uses exponentiation in a finite Galois field
  – security based on difficulty of computing discrete logarithms, as in D-H
• uses private key for encryption (signing)
• uses public key for decryption (verification)
• each user (eg. A) generates their key

➢ Alice signs a message M to Bob by computing
  ● the hash m = H(M), 0 <= m <= (q − 1)
  ● chose random integer K with 1 <= K <= (q − 1) and gcd(K, q − 1) = 1
  ● compute temporary key: S1 = a^K mod q
  ● compute K^-1, the inverse of K mod (q − 1)
  ● compute the value: S2 = K^-1 (m − xA S1) mod (q − 1)
  ● signature is: (S1, S2)
➢ any user B can verify the signature by computing
  ● V1 = a^m mod q
  ● V2 = (yA)^S1 (S1)^S2 mod q
  ● the signature is valid if V1 = V2

ElGamal Signature Example
➢ use field GF(19): q = 19 and a = 10
➢ Alice computes her key:
  ● A chooses xA = 16 & computes yA = 10^16 mod 19 = 4
➢ Alice signs message with hash m = 14 as (3, 4):
  ● choosing random K = 5 which has gcd(18, 5) = 1
  ● computing S1 = 10^5 mod 19 = 3
  ● finding K^-1 mod (q − 1) = 5^-1 mod 18 = 11
  ● computing S2 = 11(14 − 16·3) mod 18 = 4
➢ any user B can verify the signature by computing
  ● V1 = 10^14 mod 19 = 16
  ● V2 = 4^3 · 3^4 = 5184 = 16 mod 19
  since 16 = 16 the signature is valid
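The signing and verification steps above, as an added example (not code from the notes) using the notes' GF(19) parameters; it also enforces the gcd(K, q − 1) = 1 condition, which the worked example checks by hand. Function names are our own.

```python
# Added example (not part of the lecture notes): ElGamal signing and verification
# with the notes' parameters GF(19), a = 10, xA = 16, m = 14, K = 5.
from math import gcd


def elgamal_public_key(x: int, q: int, a: int) -> int:
    """y = a^x mod q."""
    return pow(a, x, q)


def elgamal_sign(m: int, x: int, k: int, q: int, a: int) -> tuple:
    """Return (S1, S2) for hash value m; k must satisfy gcd(k, q-1) = 1 and never repeat."""
    if not (0 <= m <= q - 1 and 1 <= k <= q - 1 and gcd(k, q - 1) == 1):
        raise ValueError("invalid hash value or per-message key")
    s1 = pow(a, k, q)                         # temporary key
    k_inv = pow(k, -1, q - 1)                 # K^-1 mod (q-1)
    s2 = (k_inv * (m - x * s1)) % (q - 1)
    return s1, s2


def elgamal_verify(m: int, y: int, sig: tuple, q: int, a: int) -> bool:
    """V1 = a^m mod q must equal V2 = y^S1 * S1^S2 mod q."""
    s1, s2 = sig
    if not 0 < s1 < q:                        # reject out-of-range S1 before exponentiating
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    q, a = 19, 10
    y = elgamal_public_key(16, q, a)          # 4
    sig = elgamal_sign(14, 16, 5, q, a)       # (3, 4)
    print(y, sig, elgamal_verify(14, y, sig, q, a))   # 4 (3, 4) True
```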

Schnorr Digital Signatures
➢ also uses exponentiation in a finite (Galois) field
  ● security based on discrete logarithms, as in D-H
➢ minimizes message-dependent computation
  ● multiplying a 2n-bit integer with an n-bit integer
➢ main work can be done in idle time
➢ uses a prime modulus p
  ● p − 1 has a prime factor q of appropriate size; typically p is a 1024-bit and q a 160-bit number

Schnorr Key Setup
➢ choose suitable primes p, q
➢ choose a such that a^q = 1 mod p
➢ (a, p, q) are global parameters for all
➢ each user (eg. A) generates a key
  ● chooses a secret key (number): 0 < sA < q
  ● compute their public key: vA = a^(−sA) mod p

➢ user signs message by
  ● choosing random r with 0 < r < q and computing x = a^r mod p
  ● concatenate message with x and hash the result to compute: e = H(M || x)
  ● computing: y = (r + s e) mod q
  ● signature is pair (e, y)
➢ any other user can verify the signature as follows:
  ● computing: x' = a^y v^e mod p
  ● verifying that: e = H(M || x')
Digital Signature Standard (DSS)
➢ US Govt approved signature scheme
➢ designed by NIST & NSA in early 90's
➢ published as FIPS-186 in 1991
➢ revised in 1993, 1996 & then 2000
➢ uses the SHA hash algorithm
➢ DSS is the standard, DSA is the algorithm
➢ FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
➢ DSA is digital signature only, unlike RSA which is a public-key technique

Digital Signature Algorithm (DSA)

➢ creates a 320-bit signature
➢ with 512-1024 bit security
➢ smaller and faster than RSA
➢ a digital signature scheme only
➢ security depends on difficulty of computing discrete logarithms
➢ variant of ElGamal & Schnorr schemes

DSA Key Generation

➢ have shared global public key values (p, q, g):
  ● choose 160-bit prime number q
  ● choose a large prime p with 2^(L−1) < p < 2^L
    • where L = 512 to 1024 bits and is a multiple of 64
    • such that q is a 160-bit prime divisor of (p − 1)
  ● choose g = h^((p−1)/q)
    • where 1 < h < p − 1 and h^((p−1)/q) mod p > 1
➢ users choose private & compute public key:
  ● choose random private key: x < q
  ● compute public key: y = g^x mod p

DSA Signature Creation
➢ to sign a message M the sender:
  ● generates a random signature key k, k < q
  ● nb. k must be random, be destroyed after use, and never be reused
➢ then computes signature pair:
  r = (g^k mod p) mod q
  s = [k^-1 (H(M) + x r)] mod q
➢ sends signature (r, s) with message M
➢ having received M & signature (r, s)
➢ to verify a signature, recipient
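DSA key checks, signing and verification in code, added here (not code from the notes). The verification equations are the standard FIPS 186 ones, since the notes' figure for that step is not reproduced; the parameters p = 23, q = 11, g = 4 are constructed toy values that only exercise the arithmetic, and the function names are our own.

```python
# Added example (not part of the lecture notes): DSA signing and verification with
# constructed toy parameters p = 23, q = 11, g = 4 (so q | p-1 and g^q = 1 mod p).
# Real DSA uses a 160-bit q and a 512..1024-bit p.
import hashlib


def hash_to_int(message: bytes, q: int) -> int:
    """H(M) reduced modulo q (SHA-1, as in the original standard)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def dsa_check_params(p: int, q: int, g: int) -> bool:
    """q must divide p-1 and g must have order q in Z_p*."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1


def dsa_sign(h: int, x: int, k: int, p: int, q: int, g: int) -> tuple:
    """r = (g^k mod p) mod q; s = k^-1 (H(M) + x r) mod q.  k is per-message and secret."""
    if not 0 < k < q:
        raise ValueError("k must satisfy 0 < k < q")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    if r == 0 or s == 0:                    # the standard requires choosing a new k
        raise ValueError("degenerate signature, pick another k")
    return r, s


def dsa_verify(h: int, sig: tuple, y: int, p: int, q: int, g: int) -> bool:
    """w = s^-1 mod q; u1 = H(M) w mod q; u2 = r w mod q; v = (g^u1 y^u2 mod p) mod q == r."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    p, q, g = 23, 11, 4
    x = 3                                   # private key
    y = pow(g, x, p)                        # public key = 18
    h = hash_to_int(b"constructed message", q)
    for k in range(1, q):                   # try successive k; a real signer draws k at random
        try:
            sig = dsa_sign(h, x, k, p, q, g)
            break
        except ValueError:
            continue
    print(dsa_check_params(p, q, g), y, sig, dsa_verify(h, sig, y, p, q, g))
```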

DSS Overview

KEY MANAGEMENT
SYMMETRIC-KEY DISTRIBUTION
• Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large messages.
• Symmetric-key cryptography, however, needs a shared secret key between two parties.
• Example: If Alice needs to exchange confidential messages with N people, she needs N different keys, and if N people need to exchange with each other, they need N(N−1) keys. If 1 million people need to communicate with each other, they need more than trillions of keys.
• This problem is normally referred to as the N^2 problem, because the number of required keys for N entities is N^2.
• We also have the problem of the distribution of keys through the internet, which is insecure.

Key-Distribution Center: KDC

A practical solution for the above problem is the use of a trusted third party, referred to as a Key-Distribution Center (KDC).

1. Alice sends a request to the KDC stating that she needs a session secret key between her and Bob
2. The KDC informs Bob about Alice's request
If Bob agrees, a session key is created between the two.

Flat Multiple KDCs

When the number of people using a KDC increases, the system becomes unmanageable. To solve the problem, we use multiple KDCs. We divide the world into domains.

Hierarchical Multiple KDCs

In this, KDCs are arranged in a hierarchical model: the international KDC is at the root, then national KDCs next, and local KDCs at the lower level.

Session Keys
A KDC creates a secret key for each member. This secret key can be used only between the member and the KDC, not between two members.
A session symmetric key between two parties is used only once.

Simple protocol Using a KDC
The figure shows the first approach using a KDC

1. Alice sends a request to the KDC
2. The KDC creates a ticket to Bob which is encrypted using Bob's key KB. The ticket contains the session key (KAB).
3. Alice extracts Bob's ticket
4. Alice sends the ticket to Bob. Bob opens the ticket and knows that Alice wants to send messages to him using KAB.

Drawback: Eve can use the replay attack at step 3.

Needham-Schroeder Protocol

1. Alice sends a message to the KDC that includes her nonce, RA
2. The KDC sends an encrypted ticket for Bob to Alice which contains the session key
3. Alice sends Bob's ticket to him
4. Bob sends his challenge (RB) to Alice, encrypted with the session key
5. Alice responds to Bob's challenge

KERBEROS
Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular. Several systems, including Windows 2000, use Kerberos. Originally designed at MIT, it has gone through several versions.

KERBEROS Servers

Three servers are involved in the Kerberos protocol.
Authentication Server (AS)
✓ The authentication server (AS) is the KDC in the Kerberos protocol.
✓ Each user registers with the AS and is granted a user identity and a password.
✓ The AS verifies the user, issues a session key to be used between Alice and the TGS,
✓ and sends a ticket for the TGS.

Ticket-Granting Server (TGS)
✓ The ticket-granting server (TGS) issues a ticket for the real server (Bob).
✓ It also provides the session key between Alice and Bob.
✓ Kerberos has separated user verification from the issuing of tickets.
✓ Alice can contact the TGS multiple times to obtain tickets for different real servers.

Real Server
✓ The real server (Bob) provides services for the user (Alice).
✓ Kerberos is designed for client-server programs.
✓ Kerberos is not used for person-to-person authentication


SYMMETRIC-KEY AGREEMENT
Alice and Bob can create a session key between themselves without using a KDC. This method of session-key creation is referred to as symmetric-key agreement.
Example: Diffie-Hellman Key Agreement

Diffie-Hellman Key Agreement
In this, two parties create a symmetric key without the need of a KDC. Before establishing it, the two parties need to choose two numbers p and g. The p is a large number on the order of 300 digits.

Steps:
1. Alice chooses a large random integer number x and calculates R1 = g^x mod p
2. Bob chooses another large number y and calculates R2 = g^y mod p
3. Alice sends R1 to Bob and Bob sends R2 to Alice
4. Alice calculates key K = (R2)^x mod p
5. Bob calculates key K = (R1)^y mod p, where K is the symmetric key for the session
The symmetric key in the Diffie-Hellman method is K = g^xy mod p

Diffie-Hellman Key Agreement - EXAMPLE

Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows:

1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob; g^xy mod p = 7^18 mod 23 = 18.

PUBLIC-KEY DISTRIBUTION

In asymmetric-key cryptography, people do not need to know a symmetric shared key; everyone shields a private key and advertises a public key.
In public-key cryptography, everyone has access to everyone's public key: public keys are available to the public.
So, public keys need to be distributed.

1. Public Announcement
2. Trusted Center
3. Controlled Trusted Center
4. Certification Authority
5. X.509
6. Public-Key Infrastructures (PKI)

Public Announcement
The normal method is to announce public keys publicly, but this is not secure

Figure: Announcing a public key
Trusted Center
A more secure approach is to have a trusted center retain a directory of public keys

Controlled Trusted Center
A higher level of security can be achieved when there are added controls on

UNIT – V
Network Security-I
Security at application layer: PGP and S/MIME, Security at the Transport Layer: SSL and TLS

Security at Application layer and Transport Layer

Various business services are now offered online through client-server applications. The most popular forms are web applications and e-mail. In both applications, the client communicates to the designated server and obtains services.

While using a service from any server application, the client and server exchange a lot of information on the underlying intranet or Internet. We are aware of the fact that these information transactions are vulnerable to various attacks.
Network security entails securing data against attacks while it is in transit on a network.

E-mail Security
Nowadays, e-mail has become a very widely used network application. Email is one of the most widely used and regarded network services. Currently message contents are not secure; they may be inspected either in transit or by suitably privileged users on the destination system.
E-mail Architecture:

1. UA - User Agent is useful to prepare the messages
2. MTA - Message Transfer Agent is useful to send messages to the mail server. This is the Push program
3. MAA - Message Access Agent is useful to receive messages from the mail server. This is the Pull program


PGP (Pretty Good Privacy)
• Provides a confidentiality and authentication service that can be used for electronic mail and file storage applications
• Developed by Phil Zimmermann
• Selected the best available cryptographic algorithms as building blocks
• Integrated these algorithms into a general-purpose application that is independent of operating system and processor and that is based on a small set of easy-to-use commands
• Made the package and its documentation, including the source code, freely available via the Internet, bulletin boards, and commercial networks
• Entered into an agreement with a company to provide a fully compatible, low-cost commercial version of PGP
PGP Growth

• It is available free worldwide in versions that run on a variety of platforms
• The commercial version satisfies users who want a product that comes with vendor support
• It is based on algorithms that have survived extensive public review and are considered extremely secure
• It has a wide range of applicability
• It was not developed by, nor is it controlled by, any governmental or standards organization
• Is now on an Internet standards track; however it still has an aura of an antiestablishment endeavor.

PGP Notation:
Ks = session key used in symmetric encryption scheme
PRa = private key of user A, used in public-key encryption scheme
PUa = public key of user A, used in public-key encryption scheme
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
R64 = conversion to radix 64 ASCII format
PGP Operation – Authentication:
1. sender creates a message
2. SHA-1 used to generate 160-bit hash code of message
3. hash code is encrypted with RSA using the sender's private key, and result is attached to message
4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code
5. receiver generates new hash code for message and compares with decrypted hash code; if match, message is accepted as authentic


PGP Operation – Confidentiality:
1. The sender generates a message and a random 128-bit number to be used as a session key for this message only
2. The message is encrypted, using CAST-128 / IDEA / 3DES with the session key
3. The session key is encrypted using RSA with the recipient's public key, then attached to the message
4. The receiver uses RSA with its private key to decrypt and recover the session key
5. The session key is used to decrypt the message

PGP Operation – Confidentiality & Authentication
Uses both services on the same message:
o Create a signature and attach it to the message
o Encrypt both the message and the signature
o Attach the RSA-encrypted session key

PGP Operation – Compression
As a default, PGP compresses the message after applying the signature but before encryption. This has the benefit of saving space both for e-mail transmission and for file storage.
The placement of the compression algorithm, indicated by Z for compression and Z^-1 for decompression, is deliberate. The signature is generated before compression, so the uncompressed message and signature can be stored for later verification; and because compression is not deterministic (different implementations of the ZIP algorithm can produce different output), signing the uncompressed message avoids tying verification to one particular compressor. PGP uses the ZIP compression algorithm.
PGP Operation – Email Compatibility

• When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is used, then the message digest is encrypted (with the sender's private key). If the confidentiality service is used, the message plus signature (if present) are encrypted (with a one-time symmetric key).
• Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets.
• However, many electronic mail systems only permit the use of blocks consisting of ASCII text.
• To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters. The scheme used for this purpose is radix-64 conversion.
• Each group of three octets of binary data is mapped into four ASCII characters. This format also appends
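The radix-64 conversion just described, as an added example that is not code from the notes: a Base64-based armor with the 24-bit CRC that OpenPGP (RFC 4880, section 6) appends so that damage in transit is detectable, run over a constructed 8-bit byte stream.

```python
import base64

# Added example (not code from the notes). Radix-64 armor as specified in
# RFC 4880 section 6: the 8-bit stream is Base64 encoded (3 octets -> 4 ASCII
# characters), wrapped into lines, and followed by a 24-bit CRC of the raw
# octets, itself radix-64 encoded and prefixed with "=". The CRC-24 constants
# are the ones given in that RFC.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
LINE_WIDTH = 64


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 (OpenPGP flavour) over the unencoded octets."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def radix64_encode(data: bytes) -> str:
    """Convert arbitrary binary (e.g. PGP ciphertext) to printable ASCII lines."""
    text = base64.b64encode(data).decode("ascii")
    lines = [text[i:i + LINE_WIDTH] for i in range(0, len(text), LINE_WIDTH)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(lines + ["=" + crc])


def radix64_decode(armored: str) -> bytes:
    """Recover the octets; reject a block whose CRC-24 line does not match."""
    lines = [ln.strip() for ln in armored.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(lines[:-1]), validate=True)
    claimed = int.from_bytes(base64.b64decode(lines[-1][1:]), "big")
    if crc24(data) != claimed:
        raise ValueError("CRC-24 mismatch: armored block was corrupted")
    return data


def overhead_percent(n_octets: int) -> float:
    """Size growth of the 3-to-4 mapping alone (line breaks and CRC excluded)."""
    encoded = 4 * ((n_octets + 2) // 3)
    return 100.0 * (encoded - n_octets) / n_octets


# Constructed sample: the kind of arbitrary 8-bit stream the encryption step
# produces, which a 7-bit-only mail system could not carry unchanged.
SAMPLE = bytes(range(256))

if __name__ == "__main__":
    block = radix64_encode(SAMPLE)
    print(block)
    assert radix64_decode(block) == SAMPLE
    print("overhead of radix-64: %.1f%%" % overhead_percent(len(SAMPLE)))
```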

S/MIME (Secure/Multipurpose Internet Mail Extensions)
Secure/Multipurpose Internet Mail Extension (S/MIME) is a security enhancement to the MIME Internet e-mail format standard based on technology from RSA Data Security. It appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users. S/MIME is defined in a number of documents, most importantly RFCs 3370, 3850, 3851, and 3852.

S/MIME is supported in many mail agents, e.g. MS Outlook, Mozilla, Mac Mail, etc.

To understand S/MIME, we need first to have a general understanding of the underlying e-mail format that it uses, namely MIME. We have to learn about RFC 5322 (Internet Message Format).

RFC 5322:
• Defines a format for text messages that are sent using electronic mail
• Messages are viewed as having an envelope and contents
• The envelope contains whatever information is needed to accomplish transmission and delivery
• The contents compose the object to be delivered to the recipient
• The RFC 5322 standard applies only to the contents
The content standard includes a set of header fields that may be used by the mail system to create the envelope.

The overall structure of a message that conforms to RFC 5322 is very simple. A message consists of some number of header lines (the header) followed by unrestricted text (the body). The header is separated from the body by a blank line. Put differently, a message is ASCII text, and all lines up to the first blank line are assumed to be header lines used by the user agent part of the mail system.

A header line usually consists of a keyword, followed by a colon, followed by the keyword's arguments; the format allows a long line to be broken up into several lines. The most frequently used keywords are From, To, Subject, and Date. Here is an example message:

Date: October 8, 2009 2:15:49 PM EDT
From: "William Stallings" <[email protected]>
Subject: The Syntax in RFC 5322
To: [email protected]
Cc: [email protected]

Hello. This section begins the actual message body, which is delimited from the message heading by a blank line.

Multipurpose Internet Mail Extensions (MIME):
An extension to the RFC 5322 framework that is intended to address some of the problems and limitations of the use of the Simple Mail Transfer Protocol (SMTP). The following limitations of the SMTP/5322 scheme are addressed:
1. SMTP cannot transmit executable files or other binary objects.
2. SMTP cannot transmit text data that includes national language characters, because these are represented by 8-bit codes with values of 128 decimal or higher, and SMTP is limited to 7-bit ASCII.
3. SMTP servers may reject mail messages over a certain size.
4. SMTP gateways that translate between ASCII and the character code EBCDIC do not use a consistent set of mappings, resulting in translation problems.
MIME is intended to resolve these problems in a manner that is compatible with existing RFC 5322 implementations. The specification is provided in RFCs 2045 through 2049.

The MIME specification includes the following elements.
1. Five new message header fields are defined, which may be included in an RFC 5322 header. These fields provide information about the body of the message.
2. A number of content formats are defined, thus standardizing representations that support multimedia electronic mail.
3. Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system.

The Five Header Fields Defined in MIME: The five header fields defined in MIME are
• MIME-Version: Must have the parameter value 1.0. This field indicates that the message conforms to RFCs 2045 and 2046.
• Content-Type: Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner.
• Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport.
• Content-ID: Used to identify MIME entities uniquely in multiple contexts.
• Content-Description: A text description of the object within the body; this is useful when the object is not readable (e.g., audio data).
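To see the RFC 5322 structure and the MIME elements above in practice, here is an added example (not from the notes) that builds a message with a binary attachment using Python's standard email package, checks that the serialized form stays within the 7-bit ASCII restriction of SMTP, and parses it back; the addresses and the attachment bytes are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Added example (not from the notes): an RFC 5322 message carrying a binary
# attachment, built with the standard library. Addresses and attachment
# content are constructed for the example.
BINARY_BLOB = bytes(range(256))          # contains NUL and octets >= 128


def build_message() -> EmailMessage:
    """Text body plus a binary attachment, as a MIME multipart message."""
    msg = EmailMessage(policy=policy.SMTP)    # CRLF line endings, as on the wire
    msg["From"] = '"Alice Example" <alice@example.com>'
    msg["To"] = "bob@example.com"
    msg["Subject"] = "MIME example"
    msg.set_content("Hello. This text part begins the message body.")
    # Binary content is base64 transfer-encoded automatically, which is what
    # lets it survive a 7-bit mail path (MIME limitation 1 above).
    msg.add_attachment(BINARY_BLOB, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg


def serialize(msg: EmailMessage) -> bytes:
    return msg.as_bytes()


def is_seven_bit(raw: bytes) -> bool:
    """True if every octet fits classic SMTP's 7-bit ASCII restriction."""
    return all(b < 0x80 for b in raw)


def split_header_body(raw: bytes):
    """RFC 5322 structure: header lines up to the first blank line, then body."""
    header, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line separating header from body")
    return header.decode("ascii").split("\r\n"), body


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def attachment_info(msg: EmailMessage):
    """(Content-Type, Content-Transfer-Encoding, decoded bytes) of the attachment."""
    for part in msg.iter_attachments():
        return (part.get_content_type(),
                part["Content-Transfer-Encoding"],
                part.get_content())
    raise ValueError("no attachment present")


if __name__ == "__main__":
    raw = serialize(build_message())
    headers, _ = split_header_body(raw)
    print("\n".join(headers))
    print("7-bit clean:", is_seven_bit(raw))
    print(attachment_info(parse(raw))[:2])
```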


MIME Content Types:

MIME Transfer Encodings:
S/MIME Functionality: S/MIME provides the following functions.

• Enveloped data: This consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients.
• Signed data: A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private key of the signer. The content plus signature are then encoded using base64 encoding. A signed data message can only be viewed by a recipient with S/MIME capability.
• Clear-signed data: As with signed data, a digital signature of the content is formed. However, in this case, only the digital signature is encoded using base64. As a result, recipients without S/MIME capability can view the message content, although they cannot verify the signature.
• Signed and enveloped data: Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and signed data or clear-signed data may be encrypted.

S/MIME Messages:

• S/MIME secures a MIME entity with a signature, encryption, or both, forming a MIME-wrapped Public-Key Cryptography Standards (PKCS) object having a range of content types:
o enveloped data
o signed data, clear-signed data
o registration request, certificate-only message

S/MIME Content Types

S/MIME Certificate Processing:

• S/MIME uses public-key certificates that conform to version 3 of X.509
• The key-management scheme used by S/MIME is in some ways a hybrid between a strict X.509 certification hierarchy and PGP's web of trust
• S/MIME managers and/or users must configure each client with a list of trusted keys and with certificate revocation lists. The responsibility is local for maintaining the certificates needed to verify incoming signatures and to encrypt outgoing messages
• The certificates are signed by certification authorities

User Agent Role: An S/MIME user has several key-management functions to perform

• Key generation: The user or some related administrative utility (e.g., one associated with LAN management) MUST be capable of generating separate Diffie-Hellman and DSS key pairs and SHOULD be capable of generating RSA key pairs. Each key pair MUST be generated from a good source of nondeterministic random input and be protected in a secure fashion. A user agent SHOULD generate RSA key pairs with a length in the range of 768 to 1024 bits and MUST NOT generate a length of less than 512 bits.
• Registration: A user's public key must be registered with a certification authority in order to receive an X.509 public-key certificate.
• Certificate storage and retrieval: A user requires access to a local list of certificates in order to verify incoming signatures and to encrypt outgoing messages. Such a list could be maintained by the user or by some local administrative entity on behalf of a number of users.

VeriSign Certificates: There are several companies that provide certification authority (CA) services. For example, Nortel has designed an enterprise CA solution and can provide S/MIME support within an organization. There are a number of Internet-based CAs, including VeriSign, GTE, and the U.S. Postal Service.
Enhanced Security Services: Three enhanced security services have been proposed in an Internet draft. The three services are: signed receipts, security labels, and secure mailing lists.

Transport Level Security:

Web security considerations:
The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets.

The following characteristics of Web usage suggest the need for tailored security tools:
• The Internet is two-way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web servers over the Internet.
• The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.
• Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws.
• A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site.
• Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.

Web security Threats:

Table. A Comparison of Threats on the Web

Web Traffic Security Approaches:

A number of approaches to providing Web security are possible.
1. One way to provide Web security is to use IP security (IPsec) (Figure (a)). The advantage of using IPsec is that it is transparent to end users and applications and provides a general-purpose solution. It includes a filtering capability that filters the unwanted data.
2. Another relatively general-purpose solution is to implement security just above TCP (Figure (b)). The example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS). At this level, there are two implementation choices. For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages. For example, Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol.
3. Application-specific security services are embedded within the particular application. Figure (c) shows examples of this architecture. The advantage of this approach is that the service can be tailored to the specific needs of a given application.

Figure: relative location of security facilities in the TCP/IP protocol stack

SSL (Secure Socket Layer):
SSL is probably the most widely used Web security mechanism, and it is implemented at the Transport layer. SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
Netscape originated SSL. Version 3 of the protocol was designed with public review and input from industry and was published as an Internet draft document. Subsequently, it became the Internet standard known as TLS (Transport Layer Security).

SSL Architecture:

SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols.
Two important SSL concepts are the SSL session and the SSL connection, which are defined in the specification as follows.
1. Connection: A connection is a transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. Every connection is associated with one session.
2. Session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters which can be shared among multiple connections.

Figure: SSL Protocol stack

SSL Record Protocol:

The SSL Record Protocol defines two services for SSL connections:
1. Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads. The message is compressed before being concatenated with the MAC and encrypted, with a range of ciphers being supported as shown.
2. Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).


Figure: SSL Record Protocol Operation
The figure shows the overall operation of the SSL Record Protocol. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled before being delivered to higher-level users.

Figure: SSL Record Format
The final step of SSL Record Protocol processing is to prepare a header consisting of the following fields:

Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.
Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the value is 3.
Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is 0.
Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is 2^14 + 2048.

Change Cipher Spec Protocol:
The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol. It is the simplest, consisting of a single message, which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.

SSL Alert Protocol:
The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in this protocol consists of two bytes; the first takes the value warning (1) or fatal (2) to convey the severity of the message. The second byte contains a code that indicates the specific alert.
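As an added example (not code from the notes), a small parser for the record header, the Change Cipher Spec body and the Alert body described above; the byte stream is constructed, the content-type numbers and alert codes are the RFC 5246 values, and the fragments are shown in the clear because before a change_cipher_spec takes effect the current state is the null cipher.

```python
import struct

# Added example (not from the notes): SSL/TLS record layer framing.
HEADER_LEN = 5
MAX_FRAGMENT = 2 ** 14 + 2048           # limit on the (compressed) fragment
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 22: "record_overflow",
                      40: "handshake_failure", 41: "no_certificate",
                      50: "decode_error"}   # subset of the RFC 5246 codes


def parse_records(stream: bytes):
    """Split a byte stream into records: (type name, (major, minor), fragment)."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d" % ctype)
        if length > MAX_FRAGMENT:
            # a receiver answers this with a fatal record_overflow alert
            raise ValueError("record_overflow: fragment of %d bytes" % length)
        fragment = stream[offset + HEADER_LEN: offset + HEADER_LEN + length]
        if len(fragment) != length:
            raise ValueError("truncated fragment")
        records.append((CONTENT_TYPES[ctype], (major, minor), fragment))
        offset += HEADER_LEN + length
    return records


def build_record(ctype: int, fragment: bytes, version=(3, 0)) -> bytes:
    """Prepend the 5-byte header: type, major, minor, 16-bit length."""
    if len(fragment) > MAX_FRAGMENT:
        raise ValueError("fragment too large; fragment it first")
    return struct.pack("!BBBH", ctype, version[0], version[1], len(fragment)) + fragment


def decode_change_cipher_spec(fragment: bytes) -> bool:
    """The only legal body is a single byte with value 1."""
    return fragment == b"\x01"


def decode_alert(fragment: bytes):
    """Two bytes: severity level, then the specific alert code."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, code = fragment
    if level not in ALERT_LEVELS:
        raise ValueError("bad alert level %d" % level)
    return ALERT_LEVELS[level], ALERT_DESCRIPTIONS.get(code, "alert_%d" % code)


# Constructed SSLv3 (version 3.0) stream: a change_cipher_spec record
# followed by a fatal handshake_failure alert.
SAMPLE_STREAM = build_record(20, b"\x01") + build_record(21, bytes([2, 40]))

if __name__ == "__main__":
    for name, version, fragment in parse_records(SAMPLE_STREAM):
        print(name, version, fragment.hex())
```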

SSL Handshake Protocol:
The most complex part of SSL is the Handshake Protocol. This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server. The exchange can be viewed in 4 phases:
• Phase 1. Establish Security Capabilities - this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it
• Phase 2. Server Authentication and Key Exchange - the server begins this phase by sending its certificate if it needs to be authenticated.
• Phase 3. Client Authentication and Key Exchange - the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable
• Phase 4. Finish - this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec. At this point the handshake is complete and the client and server may begin to exchange application layer data.


Transport Layer Security (TLS) Protocol
In order to provide an open Internet standard of SSL, the Internet Engineering Task Force (IETF) released the Transport Layer Security (TLS) protocol in January 1999. TLS is defined as a proposed Internet Standard in RFC 5246.
Salient Features
The TLS protocol has the same objectives as SSL.
It enables client/server applications to communicate in a secure manner by authenticating, preventing eavesdropping and resisting message modification.
The TLS protocol sits above the reliable connection-oriented transport TCP layer in the networking layers' stack.
The architecture of the TLS protocol is similar to the SSLv3 protocol. It has two sub-protocols: the TLS Record protocol and the TLS Handshake protocol.
Though SSLv3 and the TLS protocol have a similar architecture, several changes were made in architecture and functioning, particularly for the handshake protocol.

Comparison of TLS and SSL Protocols:
1. Protocol Version − The header of a TLS protocol segment carries the version number 3.1 to differentiate it from the version number 3.0 carried by the SSL protocol segment header.
2. Message Authentication − TLS employs a keyed-hash message authentication code (HMAC). The benefit is that HMAC operates with any hash function, not just MD5 or SHA, as explicitly stated by the SSL protocol.
3. Session Key Generation − There are two differences between the TLS and SSL protocols for generation of key material.
   1. The method of computing pre-master and master secrets is similar. But in the TLS protocol, computation of the master secret uses the HMAC standard and pseudorandom function (PRF) output instead of an ad-hoc MAC.
   2. The algorithm for computing session keys and initialization values (IV) is different in TLS than in the SSL protocol.
4. Alert Protocol Message −
   1. The TLS protocol supports all the messages used by the Alert protocol of SSL, except the No certificate alert message, which is made redundant. The client sends an empty certificate in case client authentication is not required.
   2. Many additional Alert messages are included in the TLS protocol for other error conditions such as record_overflow, decode_error etc.
5. Supported Cipher Suites − SSL supports RSA, Diffie-Hellman and Fortezza cipher suites. The TLS protocol supports all suites except Fortezza.
6. Client Certificate Types − TLS defines certificate types to be requested in a certificate_request message. SSLv3 supports all of these. Additionally, SSL supports certain other types of certificate such as Fortezza.
7. Certificate Verify and Finished Messages −

   1. In SSL, a complex message procedure is used for the certificate_verify message. With TLS, the verified information is contained in the handshake messages itself, thus avoiding this complex procedure.
   2. The Finished message is computed in different manners in TLS and SSLv3.
8. Padding of Data − In the SSL protocol, the padding added to user data before encryption is the minimum amount required to make the total data size equal to a multiple of the cipher's block length. In TLS, the padding can be any amount that results in a data size that is a multiple of the cipher's block length, up to a maximum of 255 bytes.

Secure Shell Protocol (SSH):

The salient features of SSH are as follows −

• SSH is a network protocol that runs on top of the TCP/IP layer. It is designed to replace TELNET, which provided an unsecure means of remote logon facility.
• SSH provides secure client/server communication and can be used for tasks such as file transfer and e-mail.
• SSH2 is a prevalent protocol which provides improved network communication security over the earlier version SSH1.

Figure: SSH Protocol stack

Transport Layer Protocol:
This part of the SSH protocol provides data confidentiality, server (host) authentication, and data integrity. It may optionally provide data compression as well.
Server Authentication − Host keys are asymmetric, like public/private keys. A server uses a public key to prove its identity to a client. The client verifies that the contacted server is a "known host" from the database it maintains. Once the server is authenticated, session keys are generated.
Session Key Establishment − After authentication, the server and the client agree upon the cipher to be used. Session keys are generated by both the client and the server. Session keys are generated before user authentication so that usernames and passwords can be sent encrypted. These keys are generally replaced at regular intervals (say, every hour) during the session and are destroyed immediately after use.
Data Integrity − SSH uses Message Authentication Code (MAC) algorithms for the data integrity check. It is an improvement over the 32-bit CRC used by SSH1.
User Authentication Protocol:
This part of SSH authenticates the user to the server. The server verifies that access is given to intended users only. Many authentication methods are currently used, such as typed passwords, Kerberos, public-key authentication, etc.
Connection Protocol:
This provides multiple logical channels over a single underlying SSH connection.
SSH Services:
SSH provides three main services that enable provision of many secure solutions. These services are briefly described as follows −
Secure Command-Shell (Remote Logon) − It allows the user to edit files, view the contents of directories, and access applications on the connected device. Systems administrators can remotely start/view/stop services and processes, create user accounts, and change file/directory permissions and so on. All tasks that are feasible at a machine's command prompt can now be performed securely from the remote machine using secure remote logon.
Secure File Transfer − SSH File Transfer Protocol (SFTP) is designed as an extension for SSH-2 for secure file transfer. In essence, it is a separate protocol layered over the Secure Shell protocol to handle file transfers. SFTP encrypts both the username/password and the file data being transferred. It uses the same port as the Secure Shell server, i.e. system port no. 22.
Port Forwarding (Tunneling) − It allows data from unsecured TCP/IP based applications to be secured. After port forwarding has been set up, Secure Shell reroutes traffic from a program (usually a client) and sends it across the encrypted tunnel to the program on the other side (usually a server). Multiple applications can transmit data over a single multiplexed secure channel, eliminating the need to open many ports on a firewall or router.
UNIT-VI:
Network Security-II: Security at the Network Layer: IPSec, System Security

1. IP SECURITY OVERVIEW
IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks.
IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet).

IPSec SECURITY FEATURES:
IPSec is the most secure method commercially available for connecting network sites.
IPSec was designed to provide the following security features when transferring packets across networks:
Authentication: Verifies that the packet received is actually from the claimed sender.
Integrity: Ensures that the contents of the packet did not change in transit.
Confidentiality: Conceals the message content through encryption.

IPSec ELEMENTS:
IPSec contains the following elements:
Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
Authentication Header (AH): Provides authentication and integrity.
Internet Key Exchange (IKE): Establishes a shared symmetric key. Provides key management and Security Association (SA) management.

APPLICATIONS OF IPSec:
IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.
Examples of its use include the following:
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners:
• IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
Enhancing electronic commerce security:
• Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.

BENEFITS OF IPSEC:
• IPSec provides strong security within and across LANs.
• A firewall uses IPSec to restrict all those incoming packets which do not carry IPSec-protected IP traffic. Since the firewall is the only way to enter into an organization, restricted packets cannot enter.
• IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.
• There is no need to change software on a user or server system when IPSec is implemented in the firewall or router.
• Even if IPSec is implemented in end systems, upper-layer software, including applications, is not affected. IPSec can be transparent to end users.

• IPSec can provide security for individual users if needed.

IPSec Scenario:

IPSec Architecture:
The Architecture covers the general concepts of security requirements, definitions, and mechanisms defining IPSec technology.

Figure: IPSec Architecture

Encapsulating Security Payload (ESP): The ESP header is designed to provide a mix of security services in IPv4 and IPv6. ESP may be applied alone, in combination with AH, or in a nested fashion. It consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication. The current specification is RFC 4303.

Authentication Header (AH): An extension header to provide message authentication. The current specification is RFC 4302.

Encryption algorithms: Encryption algorithms encrypt data with a key. The ESP module in IPsec uses encryption algorithms.

Authentication algorithms: Authentication algorithms produce an integrity checksum value or digest that is based on the data and a key. The AH module uses authentication algorithms. The ESP module can use authentication algorithms as well.

Domain of Interpretation (DOI): The DOI is the identifier which supports both the AH and ESP protocols. It contains the values needed for the documents to relate to each other.

Key Management: It contains the documents that describe how the keys are exchanged between sender and receiver.

Security Associations (SAs)
An SA is a relationship between communicating devices that describes how they will use security services to communicate securely.
If a client wants to communicate with a server, it has a client Security Association; if the server wants to reply to the client, it has a server Security Association.
These SAs are one-way communications.
If two parties need to communicate, they must determine which algorithms (RSA, 3DES, MD5, SHA, ...) and session keys are used. An SA is used by IPsec to track all these parameters for each session.
You will need to configure SA parameters and monitor SAs on Cisco routers and the PIX Firewall.
• A separate pair of IPSec SAs is set up for the AH and ESP transforms.
• Each IPSec peer agrees to set up SAs consisting of policy parameters to be used during the IPSec session.
• The SAs are unidirectional for IPSec, so peer 1 will offer peer 2 a policy.
• If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers.
• Two-way communication consists of two SAs, one for each direction.
• Each SA consists of values such as destination address, a security parameter index (SPI), the IPSec transforms used for that session, security keys, and additional attributes such as IPSec lifetime.
A security association is uniquely identified by three parameters:
• Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is located in the AH and ESP headers. The SPI enables the receiving system to select the SA under which the packet is to be processed.
• IP Destination Address: It is the end point address of the SA, which can be an end user system or a network system.
• Security Protocol Identifier: The security protocol identifier indicates whether the association is an AH or ESP.
All the SAs are maintained in the Security Association Database (SAD).

SA Parameters:
Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers.
Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA.
Anti-Replay Window: Used to detect and discard duplicate (replayed) packets.
AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH.
ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
Lifetime of This Security Association: A time interval or byte count after which an SA must be replaced with a new SA or terminated.
IPSec Protocol Mode: This parameter represents the type of mode used for the IPSec implementation. The mode may be tunnel or transport.
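The Sequence Number Counter, Sequence Counter Overflow and Anti-Replay Window parameters above, as an added example (not from the notes) that follows the sliding-window algorithm of RFC 4303 Appendix A; the window size and the packet arrival order are constructed.

```python
# Added example (not from the notes): sender-side sequence counter and
# receiver-side anti-replay window for one SA.


class SequenceNumberCounter:
    """Sender side: 32-bit counter. Overflow is an auditable event that
    stops transmission on this SA instead of silently wrapping around."""
    MAX = 2 ** 32 - 1

    def __init__(self):
        self.value = 0

    def next(self) -> int:
        if self.value >= self.MAX:
            raise OverflowError("sequence counter overflow: replace the SA")
        self.value += 1          # first packet on an SA carries sequence number 1
        return self.value


class AntiReplayWindow:
    """Receiver side: accept each sequence number at most once, tolerate
    reordering inside the window, reject anything older than the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set <=> (highest - i) already seen

    def check_and_update(self, seq: int) -> str:
        """Verdict for an arriving sequence number. In AH/ESP the window is
        only updated after the packet's ICV has verified; this demo does both."""
        if seq == 0:
            return "reject: sequence number 0 is never valid"
        if seq > self.highest:                       # new right edge
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                      # everything earlier drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq                  # inside or left of the window
        if offset >= self.size:
            return "reject: older than the window"
        if self.bitmap & (1 << offset):
            return "reject: replayed"
        self.bitmap |= 1 << offset
        return "accept"


def replay_demo(arrivals, size: int = 64):
    """Run a constructed arrival order through one window; return verdicts."""
    window = AntiReplayWindow(size)
    return [(seq, window.check_and_update(seq)) for seq in arrivals]


# Constructed arrival order: in-order packets, a replay, a jump to the edge
# of the window, an old replay, a late-but-fresh packet, a jump far ahead,
# a packet that fell out of the window, and one just inside it.
ARRIVALS = [1, 2, 3, 2, 5, 64, 1, 4, 200, 136, 137]

if __name__ == "__main__":
    for seq, verdict in replay_demo(ARRIVALS):
        print("%5d  %s" % (seq, verdict))
```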

Transport and Tunnel Modes in IPsec
IPSec operates in two modes:
1) Tunnel Mode
2) Transport Mode


Tunnel Mode:
With tunnel mode, the entire original IP packet is protected by IPSec. This means IPSec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side.
The original IP header is not visible to an attacker (if it is using ESP). The attacker does not know which hosts are talking.

Figure: IPSec Tunnel mode

Tunnel mode is most commonly used between gateways, or from an end system to a gateway.

Transport Mode:
IPSec transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host).

When using transport mode, only the IP payload is encrypted. AH or ESP provides protection for the IP payload. The original IP header is not changed, so passive attackers can see who is talking.


Figure: IPSec Transport Mode

AUTHENTICATION HEADER (AH)
The Authentication Header provides support for data integrity and authentication of IP packets.
The data integrity service ensures that data inside IP packets is not altered during transit.
The authentication feature enables an end system to authenticate the user or application and filter traffic accordingly. It also prevents address spoofing attacks.
AH is implemented in one way only, i.e. authentication along with integrity.
AH provides authentication for as much of the IP header as possible, but not all of the IP header can be protected by AH.
AH also includes an IPSec sequence number, which provides protection against replay attacks, because this number is also included in the authenticated data and can be checked by the receiving party. Data privacy is not provided by AH.

Figure: Authentication Header Format

1. Next Header: Identifies the type of header that immediately follows the AH.
2. Payload Length: Length of the Authentication Header in 32-bit words.
3. Reserved: For future use.
4. Security Parameters Index: Identifies a security association.
5. Sequence Number: A monotonically increasing counter value.
6. Authentication Data (variable): A variable-length field that contains the Integrity Check Value (ICV), or MAC, for this packet.
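The following is an added example, not code from these lecture notes: it decodes the AH fields listed above from a constructed packet and applies the anti-replay check that the sequence number makes possible. The 96-bit ICV length, the 64-packet window size and the sample bytes are assumptions chosen for the illustration; the "minus 2" in the Payload Length computation is the RFC 4302 encoding of that field.

```python
"""Parse an IPsec Authentication Header and apply an anti-replay window.

Added example, not code from the lecture notes. Layout follows the field
list above (RFC 4302). The 96-bit ICV, the 64-entry window and the sample
packet are constructed assumptions for this illustration.
"""
import struct
from dataclasses import dataclass

AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AuthHeader:
    next_header: int
    payload_len: int      # raw field: (AH length in 32-bit words) - 2 (RFC 4302)
    spi: int
    seq: int
    icv: bytes

    @property
    def total_len(self) -> int:
        return (self.payload_len + 2) * 4


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Encode an AH; the ICV must keep the header a multiple of 4 octets."""
    total = AH_FIXED_LEN + len(icv)
    if total % 4:
        raise ValueError("AH must be 32-bit aligned")
    payload_len = total // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(buf: bytes) -> AuthHeader:
    """Decode the fixed part of AH and slice out the variable-length ICV."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("buffer shorter than fixed AH part")
    next_header, payload_len, _reserved, spi, seq = struct.unpack(
        "!BBHII", buf[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if len(buf) < total:
        raise ValueError("buffer shorter than AH Payload Len claims")
    return AuthHeader(next_header, payload_len, spi, seq, buf[AH_FIXED_LEN:total])


class ReplayWindow:
    """Sliding anti-replay window keyed on the AH sequence number."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.top:                     # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # too old: fell off the left of the window
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset
        return True


# Constructed sample: TCP (6) follows the AH, SPI 0x1000, sequence 5, 96-bit ICV.
SAMPLE_AH = build_ah(6, 0x1000, 5, bytes(range(12)))
```

A receiver would verify the ICV before consulting the window, so that a forged packet cannot advance it; the window is only updated once integrity has been confirmed.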

Encapsulating Security Payload (ESP):
Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host. The ESP header is inserted after the IP header and before the next layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode). ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. The set of services provided depends on options selected at the time of Security Association (SA) establishment and on the location of the implementation in a network topology.

Figure: ESP Format

1. Security Parameters Index: Identifies a security association.
2. Sequence Number: A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH.
3. Payload Data: This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
4. Padding (0-255 bytes): Extra bytes added to the message to bring the payload to the required alignment and to conceal its true length, which supports confidentiality.
5. Pad Length: Indicates the number of pad bytes immediately preceding this field.
6. Next Header: Identifies the type of data contained in the Payload Data field (the next payload).
7. Authentication Data (variable): Contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
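The following is an added example, not code from these lecture notes: it builds and verifies the ESP framing described above (header, padding, Pad Length, Next Header and Authentication Data). It assumes HMAC-SHA256 truncated to 128 bits as the integrity algorithm, a 4-octet alignment for the trailer, and a constructed key and payload; to keep the framing visible it carries the payload in the clear, whereas a real SA would encrypt Payload Data plus trailer before the ICV is computed.

```python
"""Build and verify an ESP packet's framing: header, padding, trailer, ICV.

Added example, not code from the lecture notes. Assumptions: ICV is
HMAC-SHA256-128, trailer alignment is 4 octets, payload is not encrypted
here so the layout stays visible. Key and payload are constructed values.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA256 truncated to 128 bits
ALIGN = 4      # Pad Length and Next Header must end on a 4-octet boundary


def esp_padding(payload_len: int, align: int = ALIGN) -> bytes:
    """Default padding 1,2,3,... so payload + padding + 2 trailer bytes is aligned."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV."""
    pad = esp_padding(len(payload))
    body = struct.pack("!II", spi, seq) + payload + pad + bytes([len(pad), next_header])
    # Authentication Data covers the whole ESP packet except itself.
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet: bytes, key: bytes) -> dict:
    """Check the ICV first, then strip the trailer; raise on any tampering."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    data = body[8:-2]
    if pad_len > len(data):
        raise ValueError("Pad Length exceeds payload")
    payload, pad = data[:len(data) - pad_len], data[len(data) - pad_len:]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the default 1,2,3,... pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": payload, "pad_len": pad_len}


def verify_esp(packet: bytes, key: bytes) -> bool:
    """True if the packet parses and its ICV is valid, False otherwise."""
    try:
        parse_esp(packet, key)
        return True
    except ValueError:
        return False


KEY = b"constructed-sample-key"                      # constructed, not a real key
SAMPLE_ESP = build_esp(0x2A, 1, b"hello", 6, KEY)    # constructed: 5-byte payload, TCP next
```

Because the ICV is checked before any field of the trailer is trusted, a flipped bit anywhere in the header, payload or padding is rejected without ever reading Pad Length, which is why the verify-then-parse order matters.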

Security Policy (SP)
A Security Policy is a set of rules that define the type of security applied to a packet when it is to be sent or when it has arrived. It is defined in terms of network traffic at the IP layer.

IPSec protects your private network from internet attacks through end-to-end security.

IPSec policy is determined primarily by the interaction of two databases, the Security Association Database (SAD) and the Security Policy Database (SPD).

IPSec policies must be carefully designed, configured, coordinated and managed to ensure that IPSec communication is successful.

Security Policy Database (SPD)

IPSec policies are maintained in the Security Policy Database (SPD).

IPSec policies define which traffic is to be protected, how it is to be protected, and with whom to protect it.

The sending host determines what policy is appropriate for the packet, depending on various "Selectors", by checking in the Security Policy Database (SPD).

"Selectors" can include Source and Destination IP Addresses, Name (a User ID or a System Name), Transport Layer Protocols (TCP or UDP) or Source and Destination Ports.

The Security Policy Database (SPD) indicates what the policy is for a particular packet. If the packet requires IPsec processing, it is passed to the IPsec module for the required processing.
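The following is an added example, not code from these lecture notes: an ordered SPD lookup driven by the selectors listed above (source/destination address, transport protocol, ports). The policy actions PROTECT, BYPASS and DISCARD and the discard-by-default rule follow RFC 4301; the networks, addresses and rules are constructed sample values.

```python
"""Security Policy Database lookup driven by packet selectors.

Added example, not the lecture notes' own code. Selectors follow the list
above; actions PROTECT / BYPASS / DISCARD and the default of DISCARD when no
entry matches follow RFC 4301. All addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    src_net: str                # CIDR selector for the source address
    dst_net: str                # CIDR selector for the destination address
    proto: Optional[str]        # None = any transport protocol
    dport: Optional[int]        # None = any destination port
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    sa_spec: str = ""           # for PROTECT: how to protect (used to find/create the SA)

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def lookup(spd: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; with no match the packet is discarded."""
    for pol in spd:
        if pol.matches(pkt):
            return pol.action, pol.sa_spec
    return "DISCARD", "no matching SPD entry (default)"


# Constructed sample SPD for a site whose internal range is 10.1.0.0/16.
SAMPLE_SPD = [
    # Let the key management traffic itself through, otherwise no SA could ever be set up.
    Policy("0.0.0.0/0", "0.0.0.0/0", "udp", 500, "BYPASS", "IKE"),
    # Site-to-site traffic to the partner range goes through an ESP tunnel.
    Policy("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT",
           "ESP tunnel mode via gateway 203.0.113.1"),
    # Cleartext telnet to the Internet is refused outright.
    Policy("10.1.0.0/16", "0.0.0.0/0", "tcp", 23, "DISCARD", "no plaintext telnet"),
    # Everything else from inside to the Internet is sent unprotected.
    Policy("10.1.0.0/16", "0.0.0.0/0", None, None, "BYPASS", "plain Internet traffic"),
]
```

Entry order is part of the policy: the telnet DISCARD only takes effect because it sits above the catch-all BYPASS, and inbound packets that no entry covers fall through to the default DISCARD.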

KEY MANAGEMENT of IPSec

The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP.

Keys are managed by

• Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is suitable for small, relatively static environments.
• Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system.

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.

Key management protocol – Elements

1. Oakley Key Determination Protocol

2. Internet Security Association and Key Management Protocol (ISAKMP)

Oakley Key Determination Protocol:
• Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security.
• Oakley is generic in that it does not dictate specific formats.

The Diffie-Hellman algorithm has two attractive features:

1. Secret keys are created only when needed.

2. The exchange requires no preexisting infrastructure other than an agreement on the global parameters.

However, there are a number of weaknesses to Diffie-Hellman, as pointed out in

1. It does not provide any information about the identities of the parties.

2. It is subject to a man-in-the-middle attack.

3. It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent requests a high number of keys.

Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses.

Features of Oakley:

The Oakley algorithm is characterized by five important features:

• It employs a mechanism known as cookies to thwart clogging attacks.
• It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.
• It uses nonces to ensure against replay attacks.
• It enables the exchange of Diffie-Hellman public key values.
• It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

Internet Security Association and Key Management Protocol (ISAKMP):

ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.

ISAKMP Header Format:

An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this
is carried in a transport protocol. The specification dictates that implementations must support the
use of UDP for the transport protocol.


It consists of the following fields:
1. Initiator Cookie (64 bits): Cookie of the entity that initiated SA establishment, SA notification, or SA deletion.
2. Responder Cookie (64 bits): The cookie of the entity that is responding to an SA establishment request, SA notification, or SA deletion. On the first message, the responder cookie is zero.
3. Next Payload (8 bits): Indicates the type of the first payload in the message.
4. Major Version (4 bits): Indicates the major version of ISAKMP in use.
5. Minor Version (4 bits): Indicates the minor version in use.
6. Exchange Type (8 bits): Indicates the type of exchange.
7. Flags (8 bits): Indicates specific options set for this ISAKMP exchange.
8. Message ID (32 bits): Unique ID for this message.
9. Length (32 bits): Length of the total message (header plus all payloads) in octets.
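The following is an added example, not code from these lecture notes, serving both the Oakley cookie feature described earlier and the ISAKMP header fields listed above. It encodes and decodes the 28-octet header and shows how a responder uses a stateless cookie to thwart clogging: the cookie is derived from the peer's address and port together with a local secret, the responder keeps no state until the initiator echoes that cookie back, and a message carrying a cookie that does not match is dropped. The secret, addresses, ports, exchange-type and next-payload values are constructed, and the SHA-256 truncation to 64 bits is an assumption.

```python
"""ISAKMP header encoding and an Oakley-style anti-clogging cookie check.

Added example, not the lecture notes' own code. Header layout follows the
field list above (RFC 2408). Cookie derivation (HMAC over peer address and
port with a local secret, truncated to 64 bits) and all sample values are
constructed assumptions for this illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

HEADER_FMT = "!8s8sBBBBII"              # I-cookie, R-cookie, NP, Ver, Exch, Flags, MsgID, Len
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 octets


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    def pack(self) -> bytes:
        version = ((self.major & 0x0F) << 4) | (self.minor & 0x0F)   # two 4-bit fields
        return struct.pack(HEADER_FMT, self.initiator_cookie, self.responder_cookie,
                           self.next_payload, version, self.exchange_type, self.flags,
                           self.message_id, self.length)


def parse_isakmp_header(buf: bytes) -> IsakmpHeader:
    if len(buf) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    ic, rc, np, version, ex, flags, mid, length = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if length < HEADER_LEN:
        raise ValueError("Length field smaller than the header itself")
    return IsakmpHeader(ic, rc, np, version >> 4, version & 0x0F, ex, flags, mid, length)


def make_cookie(secret: bytes, peer_ip: str, peer_port: int, local_ip: str, local_port: int) -> bytes:
    """Stateless cookie: recomputable from the peer's address alone, unforgeable without the secret."""
    material = f"{peer_ip}:{peer_port}>{local_ip}:{local_port}".encode()
    return hmac.new(secret, material, hashlib.sha256).digest()[:8]


class Responder:
    """Allocates SA state only after the initiator proves it can receive at its claimed address."""

    def __init__(self, secret: bytes, ip: str, port: int):
        self.secret, self.ip, self.port = secret, ip, port
        self.sa_state = {}   # initiator cookie -> negotiation state

    def handle(self, header: IsakmpHeader, peer_ip: str, peer_port: int) -> str:
        expected = make_cookie(self.secret, peer_ip, peer_port, self.ip, self.port)
        if header.responder_cookie == bytes(8):
            # First message: responder cookie is zero. Answer with ours, keep no state.
            return "reply-with-cookie:" + expected.hex()
        if not hmac.compare_digest(header.responder_cookie, expected):
            return "drop:bad-cookie"            # spoofed source or stale cookie
        self.sa_state[header.initiator_cookie] = {"peer": (peer_ip, peer_port)}
        return "state-allocated"


# Constructed sample values (next payload 1 and exchange type 2 are illustrative).
SAMPLE_SECRET = b"constructed-responder-secret"
SAMPLE_FIRST = IsakmpHeader(b"\x01" * 8, bytes(8), 1, 1, 0, 2, 0, 0, HEADER_LEN)
```

The defensive point is the order of operations: a flood of first messages from forged addresses costs the responder one HMAC each and no memory, because the expensive Diffie-Hellman work and the SA entry are deferred until a valid cookie comes back.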
