Transport Services

UNIT 1 TRANSPORT SERVICES AND and Mechanism

MECHANISM
Structure Page Nos.
1.0 Introduction 5
1.1 Objectives 5
1.2 Transport Services 6
1.2.1 Types of Services
1.2.2 Quality of Service
1.2.3 Data Transfer
1.2.4 Connection Management
1.2.5 Expedited Delivery
1.3 Elements of Transport Layer Protocols 9
1.3.1 Addressing
1.3.2 Multiplexing
1.3.3 Flow Control and Buffering
1.3.4 Connection Establishment
1.3.5 Crash Recovery
1.4 Summary 16
1.5 Solutions/Answers 16
1.6 Further Readings 17

1.0 INTRODUCTION
The transport layer is the core of the OSI model. It is not just another layer but the
heart of the whole protocol hierarchy. Protocols at this layer oversee the delivery of
data from an application program on one device to an application program on another
device. It is the first end-to-end layer in the OSI model. It provides its services to the
upper layer to use the services of the network layer and other lower layer protocols.
You must be aware that an Internet is comprised of several physical networks such as
the LANs, MANs, and WANs that are connected together through a variety of media
(wired as well wireless) to facilitate the transfer of data from a computer on one
network to another computer on another network. As a transmission moves from one
network to another, the data on the way may be transformed i.e., it may be
encapsulated in different types and lengths of packets.
The upper-layer protocols are unaware of the intricacy of the physical networks the
transport layer. To the upper layers, the individual physical networks are a simple
homogeneous network that somehow takes data and delivers it to its destination,
reliably. For example, even if an Ethernet in the LAN part of internet is replaced by a
FDDI, the upper layers remain unaware of it. To them, the Internet is a single and
essentially unchanging network. The transport layer provides this transparency.
Examples of transport layer protocols are Transmission Control Protocol (TCP) and
User Datagram Protocol (UDP).
In this unit, we will first discuss types of services we might expect from a transport
layer. Next, we will examine several mechanisms to support these services.

1.1 OBJECTIVES
After going through this unit, you should be able to:

• list and describe transport services, and

• list and describe transport mechanisms.
5
Transport Layer and
Application Layer Services
1.2 TRANSPORT SERVICES
We begin by looking at the kinds of services that a transport protocol can or should
provide to upper layer protocols. Figure 1 outlines the environment for transport
services. There is a transport entity that provides services to the upper layer users,
which might be an application process such as http, telnet etc. This local transport
entity communicates with some remote-transport entity, based on the services
provided by the network layer.

System 2
System 1
User of transport
Upper layer services
Application/
transport
Services provided interface
to upper layer

Transport Transport
Transport Protocol Transport layer
entity entity

Services taken from

network layer

Figure 1: Transport entity environment

As discussed earlier the general service provided by a transport protocol is the end-to-
end transport of data in a way that shields the upper layer user from the details of the
underlying networks infrastructure. The following categories of services are generally
used for describing the services provided by the transport layers.

• Types of services
• Quality of service
• Data transfer
• Connection management
• Expedited delivery

1.2.1 Types of Services

There are generally two basic types of services: (i) Connection-oriented and
(ii) Connectionless, or datagram services provided by the Internet. A connection-
oriented service is the most common type of protocol service available. It provides the
establishment, maintenance, and termination of a logical connection between users.
This is also called handshaking procedures. The connection-oriented service
generally implies that the service is reliable which includes features such as flow
control, error control and sequence delivery. Flow control makes sure that neither side
of a connection overwhelms the other side by sending too many pockets too quickly.

Connection-Oriented: The Internet connection oriented service is accomplished

using TCP (Transmission Control Protocol). Reliable transport, flow control and
congestion control are types of services that are provided to an application by TCP.
These services are acknowledged. The TCP’s congestion control mechanism is used
to maintain throughput.
6
Connectionless Service: There is no handshaking here before sending the packet. Transport Services
and Mechanism
There are also no flow control and congestion control mechanisms. Since there is no
handshaking procedure, data can be transferred faster. But there is no reliable data
transfer either as these services are acknowledged. The Internets connectionless
service is called UDP (User Datagram Protocol). Some of the applications of
connectionless service are internet telephony and video conferencing.
The connection-oriented transport service is similar to the connection oriented
network service. So the question is, why do we require two different layers to provide
the same type of service. The answer to this question is that the transport code runs on
the user’s machine whereas the network layer runs mostly on the routers, which are
controlled by the carrier which provide poor service. Therefore, the only possibility is
to put another layer on top of the network layer, that improves the quality of service.

It is due to the transport layer that application programmers can write programs
according to standard sets of library procedure calls and have these programs run on
networks without worrying about dealing with different subnet interfaces and
unreliable transmission.
Thus, there is a place at the transport level for both a connection-oriented and a
connectionless type of service.

1.2.2 Quality of Service

The transport protocol entity should allow the upper layer protocol users to specify the
types of quality of transmission service to be provided. Based on these specifications
the transport entity attempts to optimise the use of the underlying link, network, and
other resources to the best of its ability, so as to provide the collective requested
services. But these services are limited to the internet capabilities of the network layer
services.

Examples of services that might be requested are:

• Expedited delivery of packet

• Acceptable error and loss levels of packet
• Desired average and maximum delay in transmission of a packet
• Desired average and minimum throughout
• Priority levels.

You are aware that IP is a standard protocol for the network layer. IP does provide a
quality-of-service parameter such as priority as well as a binary specification for
normal or low delay, normal or high throughput, and normal or high reliability. Thus,
the transport entity can make a request to the internetwork entity. The network may
alter flow control parameters and the amount of network resources allocated on a
virtual circuit to achieve desired throughput. The transport layer may also split one
transport connection among multiple virtual circuits to enhance throughput. This will
be explained in section 1.3.2.

You must be aware that different applications may require different quality of
services. For example:

• A file transfer protocol might require high throughput. It may also require high
reliability to avoid retransmissions at the file transfer level.
• A transaction protocol (e.g., web browser-web server) may require low delay.
• An electronic mail protocol may require multiple priority levels.

One approach to providing a variety of qualities of service is to include a quality-of-

service facility within the protocol; the transport protocols typically follow the same
approach. An alternative is to provide a different transport protocol for different
7
Transport Layer and
Application Layer Services
classes of traffic; this is to some extent the approach taken by the ISO-standard family
of transport protocols.

An application layer protocols need from the Transport layer [Ref.2]. These are:
(i) Reliable data transfer
(ii) Bandwidth
(iii) Timing/delay.

(i) Reliable data transfer: By reliable data transfer means that there is not a single bit
of loss of data during transmission. There are certain types of application, which does
not tolerate any loss of data, such as financial applications. In particular, a loss of file
data, or data in a financial transaction, can have devastating consequences (in the
latter case, for either the bank or the customer). Other applications in the category are
transfer of web documents, electronic mail, file transfer and remote host access. But
there are some applications which can tolerate some amount of data loss. For example,
multimedia applications such as real-time audio/video. In these multimedia
applications, lost data might result in a small glitch while playing the audio/video. The
effects of such a loss on application quality and actual amount of tolerable packet loss,
will depend strongly on the application and the coding scheme used.

(ii) Bandwidth: The concept of bandwidth has been explained in the first block. Just
to recall, higher the bandwidth more the channel capacity. There are certain
applications, which are bandwidth sensitive. For example, the Internet telephony,
requires a given amount of bandwidth. But there are some other types of application
called elastic application which can make use of as much or as little bandwidth as
happens to be available. Electronic mail, file transfer, and Web transfers are all elastic
application [Ref.2] of course; the more bandwidth, and the better would be transport
capacity.

(iii) Timing/delay: The final service requirement is that of timing. There are certain
applications, which require tight timing constraints on data delivery in order to be
effective. For example, interactive real-time applications, such as Internet telephony,
virtual environments, teleconferencing, and multiplayer games. Many of these
applications require that end-to end delays be on the order of a few hundred
milliseconds or less. Long delays in Internet telephony, and a long delay between
taking an action and judging the response from the environment in a multiplicity game
tends to result in unnatural pauses in the conversation.

1.2.3 Data Transfer

The whole purpose, of course, of a transport protocol is to transfer data between two
transport entities. Both user data and control data must be transferred from one end to
the other end either on the same channel or separate channels. Full-duplex service
must be provided. Half-duplex and simplex modes may also be offered to support
peculiarities of particular transport users.

Here, you may ask the question if the network layer does a similar task, why it is
necessary at the transport layer. The network layer overseas the hop by hop delivery
of the individual packet but does not see any relationship between those packets even
those belonging to a single message. Each packet is treated as an independent entity.
The transport layer on the other hand makes sure that not just a single packet but the
entire sequence of packets.

8
1.2.4 Connection Management Transport Services
and Mechanism
When connection-oriented service is provided, the transport entity is responsible for
establishing and terminating connections. Both symmetric and asymmetric procedure
for connecting establishment may be provided.
Connection termination can be either abrupt or graceful. With an abrupt termination,
data in transmit may be lost. A graceful termination prevents either side from shutting
down until all data has been delivered.

1.2.5 Expedited Delivery

A service similar to that provided by priority classes is the expedited delivery of data.
Some data submitted to the transport service may supersede data submitted
previously. The transport entity will endeavour to have the transmission facility
transfer the data as rapidly as possible. At the receiving end, the transport entity will
interrupt the transport service user to notify it of the receipt of urgent data. Thus, the
expedited data service is in the nature of an interrupted mechanism, and is used to
transfer occasional urgent data, such as a break character from a terminal or an alarm
condition. In contrast, a priority service might dedicate resources and adjust
parameters such that, on average, higher priority data are delivered more quickly.

 Check Your Progress 1

1) List the three types of services provided by Transport layer to Applications
layer.
……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………
2) Describe the presence of data loss and time sensitiveness for the following
applications:
(a) File Transfer
(b) E-mail
(c) Web surfing
(d) Stored audio/video.

1.3 ELEMENTS OF TRANSPORT LAYER

PROTOCOLS
The services provided by the transport layer are implemented by the transport layer
protocols such as TCP and UDP. We will talk about them in the next unit. In this
section, we will take up important components of the transport layer for discussion. A
transport layer deals with hop-by-hop processes.

1.3.1 Addressing

The issue concerned with addressing is simply this-how a user process will set up a
connection to a remote user process? How the address of a remote process should be
specified? The method generally used is to define transport address to which the
process can listen for connection requests. In Internet jargon these end points are
called port or TSAP (Transport Services Access Points). Similarly, these end points
at the network layer are then called NSAP (Network Services Access Points). The
following illustration (Figure 2) shows the connection between a user processes as
host 1 with a remote process (server) as host 2.

9
Transport Layer and
Application Layer Services

Host 1 Host 2
Application TSAP XXXX Application Server 1 Server 2 Server 3
process Layer

Transport
Transport Layer TSAP XXYY
connection
Network
Layer
NSAP
NSAP

Data link
Layer

Physical
Layer

Figure 2: Transport connections between a client and a server

The following steps may be needed for establishing a transport connection [Ref. 1]:
1) Just assume that an application process running on 1 wants to find out the next
day’s weather forecast, so, it issues a CONNECT request specifying its
transport connection point number TSAP XXXX as well as the TSAP number
XXYY of the weather forecasting server which will establish transport
connection with the destination. This action ultimately results in a transport
connection between the application process on host 1 and a server 1 on host 2.

2) Assume that a weather forecasting server is attached to a transport connection at

XXYY.

3) The application process then sends a request for the next 10 days weather
report.

4) The weather server process responds with the current weather report.

5) The transport connection is then released.

The question, that needs to be addressed: How does the host user know that
the address of the destination server process is attached to a particular transport
connection. To resolve this issue various strategies are suggested [Refer 1]:

1) Initial connection protocol: In the scheme a process server acts as a proxy

server for less heavily used servers. Instead of every server listening at a well
known port address waiting for a connection request, a process server listens to
sets of ports at the same time and informs a particular server to act upon getting
a connecting request to perform the required work*. The new server then does
the request work, while the process server goes back to listening for new
request. Therefore, through a process server a rarely used server should not be
listening to ports all the time.

10
2) Some commonly used services are assigned “well-known address” (for Transport Services
and Mechanism
example, time sharing and word processing).
3) A name server or sometimes a directory server is provided. The Transport
Service user requests a service through some generic or global name. The
request is sent to the name server, which does a directory lookup and returns an
address. The transport entity then proceeds with the connection. This service is
useful for commonly used applications that change location from time to time.
It is also used for those stations in which services do exist independently of a
process server. For example, a file server that needs to run on a special
hardware (a machine with disk) that cannot be created dynamically when
someone want to talk to it [Ref. 1].

1.3.2 Multiplexing
The transport entity may also perform a multiplexing function with respect to the
network services that it uses. There are two types of multiplexing techniques that
define upward multiplexing as the multiplexing of multiple transport connections on
a single network connection, and downward multiplexing as the splitting of a single
transport connection among multiple lower-level connections. This is illustrated in
Figure 3.
Transport Connections Transport Connections

T1 T2 T3 T1 T2 T3

(•) (•) (•) Transport Layer (•) (•) (•)

(•) Network Layer (•)

Virtual Circuit One

Network Connection

(a) Upward Multiplexing

Transport Connection Transport Connection

(•) (•)

Transport
(•) (•) (•)
Layer Network
(•) (•) (•) Layer
Virtual Circuit 3
Virtual Circuit 2

Virtual Circuit 1

Network Connection

(b) Downward Multiplexing

11
Transport Layer and
Application Layer Services Figure 3: Multiplexing
Consider, for example, a transport entity making use of an X.25 service. X.25 is a
network layer protocol like IP. Why should the transport entity employ upward
multiplexing? There are, after all, 4905 virtual circuits available. In the typical case,
this is a more than enough to handle all active Transport Service user. However most
X.25 networks base part of their charge on virtual-circuit connect time, as each virtual
circuit consumes some node buffer resources. Thus, if a single virtual circuit
provides sufficient throughput for multiple TS users, upward multiplexing
may be used [Figure 3].

On the other hand, downward multiplexing or splitting might be used to provide

more bandwidth than a single Virtual Circuit can manage. A way out is to open
multiple network connections and distribute traffic among them on a round-robin
basis, as indicated in Figure (3b). This modus operandi is called downward
multiplexing. With k network connections open, the effective bandwidth is increased
by a factor of k. A common example of downward multiplexing occurs with home
users who have an ISDN line. This line provides for two separate connections of 64
kbps each. Using both of them to call an Internet provider and dividing the traffic over
both lines makes it possible to achieve an effective bandwidth of 128 kbps.

1.3.3 Flow Control and Buffering

There are similarities as well as differences between data link layer and transport layer
in order to support flow control mechanism. The similarity is in using the sliding
window protocol. The main difference is that a router usually has relatively few lines,
whereas a host may have numerous connections. Due to this reason it is impractical to
implement the data link buffering strategy in the transport layer.

Whereas flow control is a relatively simple mechanism at the data link layer, it is a
rather complex mechanism at the transport layer, for two main reasons:

• Flow control at the transport level involves the interaction of three components:
TS users, transport entities, and the network service.
• The transmission delay between transport entities is variable and generally long
compared to actual transmission time.
The following delay may arise during the interaction of the two transport entities A
and B:
(i) Waiting time to get permission from its own transport entity (interface flow
control).

(ii) Waiting time by A to have permission to send the data to B.

(iii) Waiting time as network layer services.

In any case, once the transport entity has accepted the data, it sends out a segment.
Some time later, it receives an acknowledgement that the data has been received at the
remote end. It then sends a confirmation to the sender.

Now let us come to the flow control problem.

First, we present two ways of coping with the flow control requirement [Ref.3] by
using a fixed sliding-window protocol and by using a credit scheme.

The first mechanism is already familiar to us from our discussions of data link layer
protocols. The key ingredients are:

• The use of sequence numbers on data units.

12
• The use of a window of fixed size. Transport Services
and Mechanism
• The use of acknowledgements to advance the window.
This scheme really works well. For example, consider a protocol with a window size
of 3. Whenever the sender receives an acknowledgement from a particular segment, it
is automatically authorised to send the succeeding seven segments. (Of course, some
may already have been sent). Now, when the receiver’s buffer capacity comes down
to 7 segments, it can withhold acknowledgement of incoming segments to avoid
overflow. The sending transport entity can send, at most, seven additional segments
and then must stop. Because the underlying network service is reliable, the sender will
not time-out and retransmit. Thus, at some point, a sending transport entity may have
a number of segments outstanding, for which no acknowledgement has been received.
Because we are dealing with a reliable network, the sending transport entity can
assume that the segments will come through and that the lack of acknowledgement is
a flow control tactic. Such a strategy would not work well in an unreliable network, as
the sending transport entity would not know whether the lack of acknowledgement is
due to flow control or a lost segment.

The second alternative, a credit scheme, provides the receiver with a greater degree of
control over data flow.

The credit scheme decouples acknowledgement from flow control. In fixed sliding-
window protocols, used as the data Line layer, the two are synonymous. In a credit
scheme, a segment may be acknowledged without granting a new credit, and vice
versa. Figure 4 illustrates the protocol. For simplicity, we have depicted data flow in
one direction only. In this example, data segments are numbered sequentially module
8 (e.g., SN 0 = segment with sequence number 0). Initially, through the connection-
establishment process, the sending and receiving sequence numbers are synchronised,
and A is granted a credit allocation of 7. A advances the trailing edge of its window
each time that it transmits, and advances the leading edge only when it is granted a
credit.

Figure 4 shows a view of this mechanism from the sending and receiving sides; of
course, both sides take both views because data may be exchanged in both directions.

From the receiving point of view, the concern is for received data and for the window
of credit that has been allocated. Note that the receiver is not required to immediately
acknowledge incoming segments, but may wait and issue a cumulative
acknowledgement for a number of segments; this is true for both TCP and the ISO
transport protocol.

In both the credit allocation scheme and the sliding window scheme, the receiver
needs to adopt some policy concerning the amount of data it permits the sender to
transmit. The conservative approach is only to allow new segments up to the limit of
available buffer space.

A conservative flow control scheme may limit the throughput of the transport
connection in long-delay situations. The receiver could potentially increase
throughput by optimistically granting credit for space it does not have. This is called
dynamic buffer allocation scheme. For example, if a receiver’s buffer is full but it
anticipates that it can release space for two segments within a round-trip propagation
time, it could immediately send a credit of 2. If the receiver can keep up with the
sender, this scheme may increase throughput and can do no harm. If the sender is
faster than the receiver, however, some segments may be discarded, necessitating a
retransmission. Because retransmissions are not otherwise necessary with a reliable
network service, an optimistic flow control scheme will complicate the protocol.

13
Transport Layer and
Application Layer Services

14 Figure 4: Credit based flow control

The optimum trade-off between source buffering and destination buffering depends on Transport Services
and Mechanism
the type of traffic carried out by the connection. For low bandwidth bursty traffic,
such as that produced by an interactive terminal, it is better not to dedicate any
buffers, but rather to acquire them dynamically at both ends. Since the sender cannot
be sure the receiver will be able to acquire a buffer, the sender must retain a copy of
the TPDU(Transport Protocol Data Unit) until it is acknowledged. On the other hand,
for file transfer and other high bandwidth traffic, it is better if the receiver dedicates a
full window of buffers, to allow the data to flow at maximum speed. Thus, for low-
bandwidth bursty traffic, it is better to buffer at the sender, and for high-bandwidth
smooth traffic, it is better to buffer at the receiver.

As connections are opened and closed and as the traffic pattern changes, the sender
and receiver needs to dynamically adjust their buffer allocations. Consequently, the
transport protocol should allow a sending host to request buffer space at the other end.
Buffers could be allocated per connection, or collectively, for all the connections
running between the two hosts. Alternatively, the receiver, knowing its buffer station
(but not knowing the offered traffic) could tell the sender “I have reserved X buffers
for you”. If the number of open connections should increase, it may be necessary for
an allocation to be reduced, so the protocol should provide for this possibility.

In summary, a reasonably general way to manage dynamic buffer allocation is to

decouple the buffering from the acknowledgements, in contrast to the sliding window
protocols of data link layer.

1.3.4 Connection Establishment

End-to-end delivery can be accomplished in either of two modes: connection-oriented

or connectionless. Of these two, the connection-oriented mode is the more commonly
used. A connection-oriented protocol establishes a virtual circuit or pathway through
the Internet between the sender and receiver. All of the packets belonging to a
message are then sent over this same path. Using a single pathway for the entire
message facilities, the acknowledgement process and retransmission of damaged or
lost frames. Connection-oriented services, therefore, are generally considered reliable.

Connection-oriented transmission has three stages: connection establishment, data

transfer, and connection termination.

The network is generally unreliable and congested. Even with a reliable network
service, there is a need for connection establishment and termination procedures to
support connection-oriented service. Connection establishment serves three main
purposes:

• It allows each end to assure that the other exists.

• It allows negotiation of optional parameters (e.g., maximum segment size,
maximum window size, quality of service).
• It triggers allocation of transport entity resources (e.g., buffer space, entry in
connection table).

To solve the problems arising out of unreliable and congested networks 3-way
handshake procedure is used to establish transport connection, which is generally
comprised of three steps.
(i) Connection initiation / requirement
(ii) Connection confirmation
(iii) Acknowledgement of confirmation and data transfer.

15
Transport Layer and
Application Layer Services 1.3.5 Crash Recovery
Similar to the database this is an important issue in computer network. In a network a
host as well as a router can crash. Therefore, the issue is its recovery. In case of the
loss of Virtual Circuit (In case the network layer provides connection oriented service)
due to a crash delivery, a new virtual circuit may be established then probing the
transport entity to ask which TPDU it has received and which one it has not received
so that the latter can be retransmitted. In case of datagram subnet, the frequency of the
lost TPDU is high but the network layer knows how to handle that. The real problem
is the recovery from the host crash. Students are requested to read Computer Network
by Tanenbaum on this method and also to relate to how a similar problem is resolved
in the database (MCS-043).

 Check Your Progress 2

1) List the important multiplexing mechanism at the Transport Layer and also
explain how they are different from each other.
……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………
2) Describe the similarities as well as differences between Data Link Layer and
Transport Layer in order to support Flow Control mechanism.
……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………

1.4 SUMMARY

In this unit, we have discussed two important components with respect to transport
layer namely, transport services and the elements of transport layer protocols. As a
part of transport services we discussed type of services, quality of services, connection
mechanism. We also outlined three types of services provided by the transport layer
through the applications layer. We listed the various types of protocols (applications
layer) and the kind of services. We also differentiated between the data link layer and
transport layer with respect to flow control mechanism. Similarly, we also
differentiated between two types of multiplexing mechanism at the transport layer.

1.5 SOLUTIONS/ANSWERS
Check Your Progress 1
1) Reliable data transfer, Bandwidth, timing delay

2)

Application Data Loss Time-sensitive

a. File Transfer No Loss No
b. e-mail No Loss No
c. Web Surfing No Loss No
d. Stored Audio/Video Loss tolerant Yes
16
Check Your Progress 2 Transport Services
and Mechanism
1) There are two multiplexing mechanism in the transport layer namely, upward
multiplexing and downward multiplexing. Upward multiplexing as the
multiplexing of multiple transport connections on a single network connection,
and downward multiplexing as the splitting of a single transport connection
among multiple lower-level connections. Downward multiplexing or splitting
might be used to provide more bandwidth than a single Virtual Circuit can
manage. A way out is to open multiple network connections and distribute the
traffic among them on a round-robin basis. This modus operandi is called
downward multiplexing.

2) The similarity is in using the sliding window protocol. The main difference is
that an intermediate node usually has relatively few lines, whereas a host may
have numerous connections. Due to this reason it is impractical to implement
the data link buffering strategy in the transport layer. Whereas flow control is a
relatively simple mechanism at the data link layer, it is a rather complex
mechanism at the transport layer, for two main reasons:

• Flow control at the transport level involves the interaction of three

components: TS users, transport entities, and the network service.

• The transmission delay between transport entities is variable and generally

long compared to actual transmission time.

1.6 FURTHER READINGS

1) Computer Networks, A.S. Tanenbaum, 4th Edition, Prentice Hall of India,

New Delhi, 2002.

2) Computer Networking, A Top down approach featuring the Internet, James

Kurose and Keith W. Ross, Pearson education, New Delhi.

3) Data and Computer Communications, William Stalling, 6th Edition, Pearson

Education, New Delhi.

17
Transport Layer and
Application Layer Services
UNIT 2 TCP/UDP
Structure Page Nos.
2.0 Introduction 18
2.1 Objectives 18
2.2 Services Provided by Internet Transport Protocols 19
2.2.1 TCP Services
2.2.2 UDP Services
2.3 Introduction to UDP 20
2.4 Introduction to TCP 22
2.5 TCP Segment Header 22
2.6 TCP Connection Establishment 24
2.7 TCP Connection Termination 26
2.8 TCP Flow Control 26
2.9 TCP Congestion Control 29
2.10 Remote Procedure Call 32
2.11 Summary 34
2.12 Solutions/Answers 34
2.13 Further Readings 35

2.0 INTRODUCTION
In the previous unit, we discussed the fundamentals of the transport layer which
covered topics related to the quality of services, addressing, multiplexing, flow control
and buffering. The main protocols which are commonly used such as TCP
(Transmission Control Protocol and UDP (User Diagram Protocol) were also
discussed. TCP is the more sophisticated protocol of the two and is used for
applications that need connection establishment before actual data transmission.
Applications such as electronic mail, remote terminal access, web surfing and file
transfer are based on TCP.

UDP is a much simpler protocol than TCP because, it does not establish any
connection between the two nodes. Unlike TCP, UDP does not guarantee the delivery
of data to the destination. It is the responsibility of application layer protocols to make
UDP as reliable as possible.

In this unit we will go into details on these two protocols.

2.1 OBJECTIVES
After going through this unit, you should be able to:

• list and explain the various services provided by the Transport Layer;

• establish and release TCP connections;

• describe TCP and UDP header formats;

• describe TCP Flow Control mechanism and how it is different from data link
layer, and

• discuss the Congestion mechanism in TCP.

18
 TCP/UDP
2.2 SERVICES PROVIDED BY INTERNET
TRANSPORT PROTOCOLS
The Internet provides two service models: TCP and UDP. The selection of a particular
service model is left to the application developers. TCP is a connection oriented and
reliable data transfer service whereas UDP is connectionless and provides unreliable
data transfer service.

2.2.1 TCP Services

When an application invokes TCP for its transport protocol, the application receives
the following services from it:

• Connection oriented service

• Reliable transport service
• Congestion-control mechanism.

Now let us describe these services in brief:

Connection-oriented service: As you are aware from your understanding of the
previous unit that the connection oriented service is comprised of the handshake
procedure which is a full duplex connection in that, two processes can send messages
to each other over the connection at the same time. When the application has finished
sending the message, it must remove the connection. The service is referred to as a
“connection oriented” service. We are also aware from the discussion on the network
layer that this service is implemented through the virtual circuit mechanism.

Reliable transport service: Communicating processes can rely on TCP to deliver all
the data that is sent, without error and in the proper order. When one side of the
application passes a stream of bytes into a socket, it can count on TCP to deliver the
same stream of data to the receiving socket, with no missing or duplicate bytes.
Reliability in the Internet is achieved with the use of acknowledgement and
retransmissions.

Congestion-control mechanism: TCP also includes a congestion-control mechanism

for the smooth functioning of Internet processes. When the packet load offered to the
network exceeds its handling capacity congestion builds up.

One point to be noted is that, although, the Internet connection oriented service is
bundled with suitable data transfer, flow control and congestion control mechanisms,
they are not the essential components of the connection oriented service [Ref. 2].

A connection oriented service can be provided with bundling these services through a
different type of a network.

Now we will look at the services TCP does not provide? Some of these are:
i) It does not guarantee a minimum transmission rate,
ii) It does not provide any delay guarantee. But it guarantees delivery of all data.
However, it provides no guarantee to the rate of data delivery.

2.2.2 UDP Services

Some of the important features of UDP are as follows:
i) UDP is connectionless, so there is no hand shaking before the two processes
start communications.

19
Transport Layer and ii) It provides unreliable data transfer service therefore, there is no guarantee that
Application Layer Services
the message will reach. Due to this, the message may arrive as the receiving
process at a random time.
iii) UDP does not provide a congestion-control service. Therefore, the sending
process can pump data into a UDP socket at any rate it pleases. Then why do we
require such a protocol at the transport layer? There are certain types of
applications such as real time. Real-time applications are applications that can
tolerate some loss but require a minimum rate. Developers of real-time
applications often choose to run their applications over the UDP because their
applications cannot wait for acknowledgements for data input. Now coming
back to TCP, since it guarantees that all the packets will be delivered to the host,
many application protocols, layer protocols are used for these services. For
example, SMTP (E-mail), Telnet, HTTP, FTP exclusively uses TCP whereas
NFS and Streaming Multimedia may use TCP or UDP. But Internet telephony
uses UDP exclusively.

2.3 INTRODUCTION TO UDP

So you might have guessed from the previous section, that UDP is and unreliable
transport protocol. Apart from multiplexing /demultiplexing and some error correction
UDP adds little to the IP protocol. In this section, we take a look at UDP, at how it
works and at what it does.

In case, we select UDP instead of TCP for application development, then the
application is almost directly talking to the IP layer. UDP takes messages from the
application process, attaches the source and destination port number fields for the
multiplexing/demultiplexing service, adds two other small fields, and passes the
resulting segment to the network layer. Without establishing handshaking between
sending and receiving transport-layer entities, the network layer encapsulates the
segment into an IP datagram and then makes a best-effort attempt to deliver the
segment to the receiving host. If the segment arrives at the receiving host, UDP uses
the destination port number to deliver the segment’s data to the desired application
process.

So you might ask a question then why is UDP required? TCP should be the choice for
all types of application layer/protocol. DNS stands for domain name system. It
provides a directory service for the internet. It is commonly used by other application
protocols (HTTP, FTP etc.) to translate user given host names to IP address. But
before we answer your question let-us look at another application called the DNS,
which runs exclusively in UDP only but unlike other protocols DNS is not an
application with which users interact directly. Instead DNS is a core Internet function
that translates the host name to IP addresses. Also unlike other protocols, DNS
typically uses UDP. When the DNS application in a host wants to make a query, it
constructs a DNS query message and passes the message to the UDP. Without
performing any handshaking with the UDP entity running on the destination end
system, UDP adds header fields to the message and passes the resulting segment to the
network layer. The network layer encapsulates the UDP segment into a datagram and
sends the datagram to a name server. The DNS application at the querying host then
waits for a reply to its query. If it doesn’t receive a reply (possibly because the
underlying network lost the query or the reply), either it tries sending the query to
another name server, or it informs the invoking application that it can’t get a reply.

Like DNS, there are many applications, which are better suited for UDP for the
following reasons [Ref 2]:

• No connection establishment: Since UDP does not cause any delay in

establishing a connection, this is a probably the principal reason why DNS runs
20
 over UDP rather than TCP-DNS which would be much slower if it runs over TCP/UDP
TCP. HTTP uses TCP rather than UDP, since reliability is critical for Web
pages with text.

• More Client support: TCP maintains connection state in the end systems. This
connection state includes receiving and sending buffers, congestion-control
parameters, and sequence and acknowledgement number parameters. We will
see in Section 3.5 that this state information is needed to implement TCP’s
reliable data transfer service and to provide congestion control. UDP, on the
other hand, does not maintain connection state and does not track any of these
parameters. A server devoted to a particular application can typically support
many more active clients when the application runs over UDP rather than TCP.
Because UDP, (unlike TCP) does not provide reliable data service and
congestion control mechanism, therefore, it does not need to maintain and track
the receiving and sending of buffers (connection states), congestion control
parameters, and sequence and acknowledgement number parameters.

• Small packet header overhead. The TCP segment has 20 bytes of header over-
head in every segment, whereas UDP has only eight bytes of overhead.

Now let us examine the application services that are currently using the UDP protocol.
For example, remote file server, streaming media, internet telephony, network
management, routing protocol such as RIP and, of course, DNS use UDP. Other
applications like e-mail, remote terminal access web surfing and file transfer use TCP.
Please see reference [2] for further details.

Before discussing the UDP segments structure, now, let us try to answer another
question. Is it possible to develop a reliable application on UDP? Yes, it may be
possible to do it by adding acknowledgement and retransmission mechanisms, at the
application level. Many of today’s proprietary streaming applications do just
this − they run over UDP, but they have built acknowledgements and retransmissions
into the application in order to reduce packet loss. But you understand that it will lead
to complete application software design.

UDP Segment Structure

UDP is an end to end transport level protocol that adds only port addresses, checksum
error control and length information to the data from the upper layer.

The application data occupies the data field of the UDP segment. For example, for
DNS, the data field contains either a query message or a response message. For a
streaming audio application, audio samples fill the data field. The packet produced by
UDP is called a user datagram.

Figure 1: UDP segment structure

The UDP header has only four fields, each consisting of two bytes [Figure 1]. Let us
discuss each field separately:
• Source port address: It is the address of the application program that has
created the message.

• Destination port address: It is the address of the application program that will
receive the message.

21
Transport Layer and
Application Layer Services
• Total length: It specifies the length of UDP segment including the header in
bytes.

• Checksum: The checksum is used by the receiving host to check whether errors
have been introduced into the segment. In truth, the checksum is also calculated
over a few of the fields in the IP header in addition to the UDP segment.

 Check Your Progress 1

1) Is it true that if IP is the network layer protocol, so TCP must be the transport
layer 1?
……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………
2) There are two protocols at the transport layer, which of the two is better?
……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………..

2.4 INTRODUCTION TO TCP

TCP is designed to provide reliable communication between pairs of processes (TCP
users) across a variety of reliable and unreliable networks and Internets. TCP is stream
oriented (Connection Oriented). Stream means that every connection is treated as
stream of bytes. The user application does not need to package data in individual
datagram as it is done in UDP. In TCP a connection must be established between the
sender and the receiver. By creating this connection, TCP requires a VC at IP layers
that will be active for the entire duration of a transmission. The data is placed in
allocated buffers and transmitted by TCP in segments. In addition, TCP provides two
useful facilities for labelling data, push and urgent:

[When the PSH (data push) bit is set, this is an indication that the receiver should pass
the data to the upper layer immediately. The URG (Urgent) bit is used to indicate that
there is data in this segment that the sending side upper layer entity has marked as
urgent. The location of the last byte of this urgent data is indicated by the 16 bit
urgent data pointer field 7).

Both IP and UDP treat multiple datagrams belongings to a single transmission as

entirely separate units, un-related to each other. TCP on the other hand is responsible
for the reliable delivery of entire segments. Every segment must be received and
acknowledged before the VC is terminated.

2.5 TCP SEGMENT HEADER

TCP uses only a single type of protocol data unit, called a TCP segment. The header is
shown in Figure 2. Because one header must perform all protocol mechanisms, it is
rather large, with a minimum length of 20 octets. A segment beginning with 9 fixed
format 20 byte header may be followed by header option [Ref. 1]. After the options, if
any, up to 65,535 – 20 (IP header) – (TCP header) = 65,445 data bytes may follow. A
Segment with no data is used, for controlling messages and acknowledgements.

22
 TCP/UDP

Figure 2: TCP header format

The fields are:

• Source port (16 bits): Source service access points and identify local end
points of connection.

• Sequence number (32 bits): Sequence number of the first data octet in this
segment except when SYN is present. If SYN is present, it is the initial
sequence number (ISN), and the first data octet is ISN +1.

• Acknowledgement number (32 bits): A piggybacked acknowledgement

contains the sequence number of the next byte that the TCP entity expects to
receive and not for last byte correctly received. Separate number field and
acknowledgement number fields are used by the TCP sender and the receiver
has to implement a reliable data service.

• Data offset (4 bits): Number of 32-bit words in the header.

• Reserved (6 bits): Reserved for future use.

• Flags (6 bits):

URG: Used to indicate that there is data in this segment which sends the at the
upper layer has marked urgent. The location of the last byte of this urgent data
is indicated by the 16 bit urgent data pointer field.

ACK: Acknowledgement field indicates that the value carried in the ACK field
is valid.
PSH: Push function. The receiver is represented to deliver the data to the
application upon arrival, and not buffer it until a full buffer has been received.
RST: Reset the connection due to host crash or some other reason.
SYN: Synchronise the sequence numbers.
FIN: No more data from sender.

• Receive Window (16 bits): Used for credit based flow control scheme, in
bytes. Contains the number of data bytes beginning with the one indicated in the
acknowledgement field that the receiver is willing to accept.

• Checksum (16 bits): It provides extra reliability. It Checksums the header, the
data and conceptual pseudo header. The Checksum algorithm simply adds up all
the 16 bit words in one’s complement and then takes one’s complement of the
sum. As a consequence, when the receiver performs calculations on the entire
segment including the checksum field, the result should be 0 [Ref. 1].

23
Transport Layer and
Application Layer Services
• Urgent data Pointer (16 bits): Points to the octet following the urgent data;
this allows the receiver to know how much urgent data is coming.

• Options (Variable): At present, only one option is defined, which specifies the
maximum segment size that will be accepted.

Several of the fields in the TCP header warrant further elaboration. The source port
and destination port specify the sending and receiving users of TCP. As with IP, there
are a number of common users of TCP that have been assigned numbers; these
numbers should be reserved for that purpose in any implementation. Other port
numbers must be arranged by agreement between communicating parties.

2.6 TCP CONNECTION ESTABLISHMENT

Before data transmission a connection must be established. Connection establishment
must take into account the unreliability of a network service, which leads to a loss of
ACK, data as well as SYN. Therefore, the retransmission of these packets have to be
done. Recall that a connection establishment calls for the exchange of SYNs.

Figure 3 illustrates typical three-way [Ref. 3] handshake operations.

1) Transport entity A (at the sender side) initiates the connection to transport to
entity B by setting SYN bit.

2) Transport entity B (at the receiver side) acknowledges the request and also
initiates a connection request.

3) A acknowledges to connection request of B and B sends a retransmission and B

retransmits.
Now, let us test how this mechanism handles delayed SYN and ACK packets. It is
shown that old SYN X arrives at B after the close of the relevant connection as shown
in Figure 3 (b). B assumes that this is a fresh request and responds with SYN j,
ACK i. When A receives this message, it realises that it has not requested a
connection and therefore, sends an RST, ACK j. Note that the ACK j portion of the
RST message is essential so that an old duplicate RST does not abort a legitimate
connection establishment. The final example Figure 3 (c) shows a case in which an
old SYN, ACK arrives in the middle of a new connection establishment. Because of
the use of sequence numbers in the acknowledgements, this event causes no harm.

Sender A indicates a connection

SYNi
A B

Receiver B accepts and acknowledges

SYNj, ACKi
A B

The sender also acknowledges the connection request from the receiver and begins
transmission
SYNi, ACKj
A B

(a) Normal Operation

24
Obsolete SYN arrives from the previous connection at B TCP/UDP

SYNi
A B

B accepts and acknowledges

SYNj, ACKi
A B

Sender A rejects Receiver B’s connection

RST, ACKj
A B

(b) Delayed arrived of SYN packet

A initiates a connection

SYNi
A B

old SYN arrives at A

SYNK, ACK = X
A B

A rejects it

RST, ACK = K
A B

B accepts and acknowledge it

SYNj, ACK = i
A B

A acknowledges and begins transmission

SNi, ACK = j
A B

(c) Delayed SYN and ACK

Figure 3: Three-way handshake mechanism

The three-way handshake procedure ensures that both transport entities agree on their
initial sequence number, which must be different. Why do we need different sequence
numbers? To answer this, let us assume a case, in which, the transport entities have

25
Transport Layer and picked up the same initial sequence number. After a connection is established, a
Application Layer Services
delayed segment from the previous connection arrives at B, which will be accepted
because the initial sequence number turns out to be legal. If a segment from the
current connection arrives after some time, it will be rejected by host B, thinking that
it is a duplicate. Thus host B cannot distinguish a delayed segment from the new
segment.

2.7 TCP CONNECTION TERMINATION

TCP adopts a similar approach to that used for connection establishment. TCP
provides for a graceful close that involves the independent termination of each
direction of the connection. A termination is initiated when an application tells TCP
that it has no more data to send. Each side must explicitly acknowledge the FIN parcel
of the other, to be acknowledged. The following steps are required for a graceful
close.

• The sender must send FIN j and receive an ACK j

• It must receive a FIN j and send an ACK j
• It must wait for an interval of time, to twice the maximum expected segment
lifetime.

Acknowledgement Policy

When a data segment arrives that is in sequence, the receiving TCP entity has two
options concerning the timing of acknowledgment:

• Immediate: When data are accepted, immediately transmit an empty (no data)
segment containing the appropriate acknowledgment number.

• Cumulative: When data are accepted, record the need for acknowledgment, but
wait for an outbound segment with data on which to piggyback the
acknowledgement. To avoid a long delay, set a window timer. If the timer
expires before an acknowledgement is sent, transmit an empty segment
containing the appropriate acknowledgement number.

2.8 TCP FLOW CONTROL

Flow Control is the process of regulating the traffic between two end points and is
used to prevent the sender from flooding the receiver with too much data. TCP
provides a flow control service to its application to eliminate the possibility of the
sender overflowing. At the receivers buffer TCP uses sliding window with credit
scheme to handle flow control. The scheme provides the receiver with a greater
degree of control over data flow. In a credit scheme a segment may be acknowledged
without the guarantee of a new credit and vice-versa. Whereas in a fixed sliding
window control (used at the data link layer), the two are interlinked (tied).

Now, let us understand this scheme with the help of a diagram.

Assume that the sender wants to send application data to the receiver. The receiver has
4 K byte buffer which is empty as shown below:
0 4 K byte

1) Initially buffer size = Empty

26
2) Sender transmits 2 K byte segment (data) with sequence number 0 as shown TCP/UDP
below :

Data = 2 K, Sequence No. = 0

Sender Receiver

3) The packet is examined at the receiver. After that it will be acknowledged by it.
It will also specify the credit value (window size) of the receiver. Until the
application process running at the receiver side removes some data from buffer,
its buffer size remains fixed at 2048. Therefore, credit value (window size) is
2048 byte.

Receivers
Buffer = 2 K data Empty

ACK = 2048, Sequence No. = 2048, Credit = 2048 Receiver

Sender

4) Now the sender transmits another 2048 bytes, which is acknowledged, but the
advertised window (credit) is 0.

Receivers
Buffer = Full

Data = 2048, Sequence No. = 2048

Sender Receiver

ACK = 4096, Credit = 0

Sender Receiver

5) The sender must stop sending data until the application process on the receiving
host has removed some data from the buffer, at which time TCP can advertise, a
large window (credit value).

Application
Receivers has read 2 K
Buffer = byte data 2K

ACK = 4096, Credit = 2048

Sender Receiver

When the credit size is zero, normally there is no transmission from the sender side
except in two situations:

(i) Urgent data requires to be sent

(ii) Sender wants to know the credit size and the next byte expected by the receiver.

27
Transport Layer and Both senders and receivers can delay the transmission from their side to optimise
Application Layer Services
resources. If a sender knows that the buffer capacity of a receiver window is 8 K and
currently it has received just 2 K, then it may buffer it at the sender side till it gets
more data from the application process. Similarly, the receiver has to send some data
to the sender it can delay the acknowledgement till its data is ready for that the
acknowledgement can be piggybacked. Therefore, the basic reason of delaying the
acknowledgement is to reduce the bandwidth.

Let us consider an example of a log-in session, for example, Telnet Session in which
the user types one character at a time and the server (log-in server) reacts to every
keystroke. You will notice that one character requires four exchanges of IP packets
between the log-in session client and a Telnet server which is illustrated below:

Assume that TCP and IP header are 20 bytes each).

1st exchange (at the sender side)

- Whenever application data comes to TCP sender, it creates 20 bytes of a

segment, which it gives to IP to create a IP datagram.

Total no. of bytes sent = 20 bytes (TCP) + 20 bytes (IP) + 1 byte for a
character (a key stroke) = 41 byte.

2nd exchange (at the receiver side)

- The receiver (Telnet a log-in server) immediately sends an

acknowledgement to the sender.

Total no. of bytes sent by the server = 20 bytes (TCP) +20 byte (IP) = 40 bytes.
No extra byte is required for an acknowledgement.

3rd exchange (From the log-in server)

- Window update-related message which moves to window one byte right.

Total no. of byte sent – 20bytes (TCP) + 20byte (IP) = 40 bytes.

4th exchange (From the log-in server)

- Echos Character back to the client

Total no. bytes – 20 bytes (TCP) + 20 byte (IP) + 1 byte (0 char) = 41 bytes.

Therefore, the total number of bytes exchanged = 41 + 40 + 40 + 41 = 162 bytes.

So what is the solution to reduce the wastage of bandwidth? The solution has been
proposed by Nagle and is known as Nagle’s algorithm.

The algorithm works as follows: When data comes the sender one byte at a time, just
send the first byte and buffer all the rest until the outstanding byte is acknowledged. In
the meantime, if the application generates some more characters before the
acknowledgement arrives, TCP will not transmit the character but buffer them instead.
After the acknowledgement arrives TCP transmits all the characters that have been
waiting in the buffer in a single segment.

Nagle’s algorithm is widely used for the TCP implementation. But in certain cases,
the algorithm might not be applicable. For example, in highly interactive applications
where every keystroke or a curser movement is required to be sent immediately.

28
Another problem that wastes network bandwidth is when the sender has a large TCP/UDP
volume of data to transmit and the receiver can only process its receiver buffer a few
bytes at a time. Sooner or later the receiver buffer becomes full. When the receiving
application reads a few bytes from the receive buffer, the receiving TCP sends a small
advertisement window to the sender, which quickly transmits a small segment and
fills the receiver buffer again. This process goes on and on with many small segments
being transmitted by the sender for a single application message. This problem is
called the silly window syndrome. It can be avoided if the receiver does not
advertise the window until the window size is at least as large as half of the
receiver buffer size, or the maximum segment size. The sender side can cooperate
by refraining from transmitting small segments.

To summarise, the silly window syndrome can be explained stepwise as:

Step I: Initially the receiver buffer is full

Step II: Application process reads one byte at the receiver side.

Step III: The TCP running at the receiver sends a window update to the sender.

Step IV: The TCP sender sends another byte.

Step V: The receiver buffer is filled up again.

Steps III, IV and V continue forever. Clark’s solution is to prevent the receiver from
sending a window update for 1 byte. In the solution the receiver window is forced to
wait until it has a sufficient amount of space available and then only advertise.
Specifically, the receiver should not send a window update until it can handle the
maximum segment size it advertised when the connection was established, or its
buffer half empty, whichever is smaller.

Nagle’s algorithm and Clark’s solution to the silly window syndrome are
complementary. Both solutions are valid and can work together. The goal is for the
sender not to send small segments and the receiver not to ask for them. Nagle was
trying to solve the problem caused by the sending application delivering data to TCP a
byte at a time. Clark was trying to solve the problem of the receiving application.

2.9 TCP CONGESTION CONTROL

As discussed in the previous section, TCP provides many services to the application
process. Congestion Control is one such service. TCP uses end-to-end Congestion
Control rather than the network supported Congestion Control, since the IP Protocol
does not provide Congestion released support to the end system. The basic idea of
TCP congestion control is to have each sender transmit just the right amount of data to
keep the network resources utilised but not overloaded. You are also aware that TCP
flow control mechanism uses a sliding-window protocol for end-to-end flow control.
This protocol is implemented by making the receiver advertise in its
acknowledgement the amount of bytes it is willing to receive in the future, called the
advertised window to avoid the receiver’s buffer from overflow. By looking at the
advertised window, the sender will resist transmitting data that exceeds the amount
that is specified in the advertised window. However, the advertised window does not
prevent the buffers in the intermediate routers from overflowing due to which routers

29
Transport Layer and get overloaded. Because IP does not provide any mechanism to control congestion, it
Application Layer Services
is up to the higher layer to detect congestion and take proper action. It turns out that
TCP window mechanism can also be used to control congestion in the network.

The protocols designers have to see that the network should be utilised very efficiently
(i.e., no congestion and no underutilisation). If the senders are too aggressive and send
too many packets, the network will experience congestion. On the other hand, if TCP
senders are too conservative, the network will be underutilised. The maximum amount
of bytes that a TCP sender can transmit without congesting the network is specified by
another window called the congestion window. To avoid network congestion and
receiver buffer overflow, the maximum amount of data that the TCP sender can
transmit at any time is the minimum of the advertised window (receiver window) and
the congestion window. Thus, the effective window is the minimum of what the
sender thinks is OK and what the receiver thinks is OK. If the receiver advertises for
8 K window but the sender sends 4 K size of data if it thinks that 8 K will congest the
network, then the effective windows size is 4K.

The approach used in TCP is to have each sender limit the rate of data traffic into the
network as a function of perceived network congestion. If a TCP sender perceives
that there is small congestion along the path, then it increases its send rate otherwise it
reduce it.

The TCP congestion control algorithm dynamically adjusts the congestion window
according to the network state. The algorithm is called slow start. The operation of
the TCP congestion control algorithm may be divided into three phases: slow start,
congestion avoidance and congestion occurrence. The first phase is run when the
algorithm starts or restarts, assuming that the network is empty. The technique, slow
start, is accomplished by first setting the congestion window to one maximum-size
segment. Each time the sender receives an acknowledgement from the receiver, the
sender increases the congestion window by one segment. After sending the first
segment, if the sender receives an acknowledgement before a time-out, the sender
increases the congestion window to two segments. If these two segments are
acknowledged, the congestion window increases to four segments, and so on. As
shown in the Figure 4, the congestion window size grows exponentially during this
phase. The reason for the exponential increase is that slow start needs to fill an empty
pipe as quickly as possible. The name “slow start” is perhaps a misnomer, since the
algorithm ramps up very quickly.

Slow start does not increase the congestion window exponentially forever, since the
network will be filled up eventually. Specifically, slow start stops when the
congestion window reaches a value specified as the congestion threshold, which is
initially set to 65,535 bytes. At this point a congestion avoidance (2nd phase) phase
takes over. This phase assumes that the network is running close to full utilisation. It
is wise for the algorithm to reduce the rate of increase so that it will not overshoot
excessively. Specifically, the algorithm increases the congestion window linearly
rather than exponentially when it tries to avoid congestion. This is realised by
increasing the congestion window by one segment for each round-trip time.

Obviously, the congestion window cannot be increased indefinitely. The congestion

window stops increasing when TCP detects that the network is congested. The
algorithm now enters the third phase.

30
 TCP/UDP
48

44 Time out
40

36

32

28

20

16

12

Figure 4: Dynamics of TCP congestion window

At this point the congestion threshold is first set to one-half of the current window size
(the minimum of the congestion window and the advertised window, but at least two
segments). Next the congestion window is set to one maximum-sized segment. Then
the algorithm restarts, using the slow start technique.
How does TCP detect network congestion? There are two approaches:
i) Acknowledgement does not arrive before the timeout because of a segment loss.
ii) Duplicate acknowledgement is required.

The basic assumption the algorithm is making is that, a segment loss is due to
congestion rather than errors. This assumption is quite valid in a wired network where
the percentage of segment losses due to transmission errors is generally low (less than
1 per cent). Duplicate ACK can be due to either segment reordering or segment loss.
In this case the TCP decreases the congestion threshold to one-half of the current
window size, as before. However, the congestion window is not reset to one. If the
congestion window is less than the new congestion threshold, then the congestion
window is increased as in slow start. Otherwise, the congestion window is increased
as in congestion avoidance. However, the assumption may not be valid in a wireless
network where transmission errors can be relatively high.
The Figure 4 illustrates the dynamics of the congestion window as time progresses.
Thus, assumes that maximum segment size is 1024, threshold to 32K and congestion
window to 1 K for the first transmission. The congestion window then grows
exponentially (slow start phase) until it hits the threshold (32 K). After that it grows
linearly (congestion avoidance phase I). Now, when congestion occurs, the threshold
is set to half the current window (20 K) and slow start initiated all over again. In case
there is no congestion, the congestion window will continue to grow.

31
Transport Layer and In short, TCP’s congestion control algorithm operates as follows:
Application Layer Services

1) When the Congestion Window is below the threshold, the sender uses for slow
start phase and congestion window grows exponentially.
2) When the congestion window is above the threshold the sender is in the
congestion avoidance phase and congestion window grows linearly.
You may wish to refer the references [1], [2] and [4] for further clarification on the
subject.

2.10 REMOTE PROCEDURE CALL

In this section we will look at two other files access mechanisms such as Network
File System and Remote Procedure Call used for accessing files from a server at the
client machine. These two mechanism allow programs to call procedures located on
remote machines.
Network File System (NFS)
The network file system (NFS) is a file access protocol. FTP and TFTP transfer entire
files from a server to the client host. A file access service, on the other hand, makes
file systems on a remote machine visible, though they were on your own machine but
without actually transferring the files. NFS provides a number of features:
(1) NFS allows you to edit a file on another machine exactly as you would if it were
on your own machine.
(2) It even allows you to transfer files from the server to a third host not directly
connected to either of you.
Remote Procedure Call (RPC)
NFS works by invoking the services of a second protocol called remote procedure call
(RPC). Figure 5 shows a local procedure call (in this case, a C program calls the open
function to access a file stored on a disk).
int main (void)
{
………... User application
fp=fopen (……..); program
………...
}

int fopen (…….) Definition of a

{ Local
open ( )
close ( ) function (procedure)
}

Hard
Disk
Local Machine

Figure 5: Concept of local procedure call

32
RPC transfers the procedure call to another machine. Using RPC, local procedure TCP/UDP
calls are mapped onto appropriate RPC function calls. Figure 6 illustrates the
process: a program issues a call to the NFS client process. The NFS client formats the
call for the RPC client and passes it along. The RPC client transforms the data into a
different format and provides the interface with the actual TCP/IP transport
mechanisms. At the remote host, the RPC server retrieves the call, reformats, and
passes it to the NFS server. The NFS server relays the call to the remote disk, which
responds as if to a local call and opens the file to the NFS server. The same process is
followed in reverse order to make the calling application believe that the file is open
on its own host.

int main
(void)
……………

NFS NFS
client server

int fopen (…) int fopen (…)

……………. RPC RPC …………….
close ( ) client server …………….

TCP/IP
Hard Local Hard
Disk Machine Remote Disk
Machine

Figure 6: Concept of remote procedure call

There are three independent components in NFS protocol:

(i) NFS itself
(ii) General purpose RPC
(iii) Data representing format (DRF).

In order to make the NFS computer independent what can be done is to use RPC and
DRF in other software, (including application), programme by dividing a program into
a client side and a server side that use RPC as the chief transport mechanism. On the
client side, the transfer procedures may be designated as remote, forcing the compiler
to incorporate RPC code into those procedures. On the server side, the desired
procedures are implemented by using other RPC facilities to declare them as a part of
a server. When the executing client program calls one of the remote procedures, RPC
automatically collects values for arguments, from a message, sends the message to the
remote server, awaits a response, and stores returned values in the designated
arguments. In essence, communication with the remote server occurs automatically as
a side-effect of a remote call. The RPC mechanism hides all the details of protocols,
making it possible for programmers who know little about the underlying
communication protocols but who can write distributed application programs.

33
Transport Layer and  Check Your Progress 2
Application Layer Services

1) What is the difference between FTP and NFS?

……………………………………………………………………………………
……………………………………………………………………………………
………..……………………………………………………………………

2) What is a flow control problem? What is the basic mechanism at the transport
layer to handle flow control problem?
……………………………………………………………………………………
……………………………………………………………………………………
………..……………………………………………………………………

2.11 SUMMARY

In this unit, we discussed the two transport layer protocols (TCP & UDP) in detail.
The transport port can be light weight (very simple) which provide very little facility.
In such cases, the application directly talks to the IP. UDP is an example of a transport
protocol, which provides minimum facility, with no control, no connection
establishment, no acknowledgement and no congestion handling feature. Therefore, if
the application is to be designed around the UDP, then such features have to be
supported in the application itself. On the other hand, there is another protocol-TCP
which provides several feature such as reliability, flow control, connection
establishment to the various application services. Nevertheless, the services that the
transport layer can provide often constrain the network layer protocol.

We had a close look at the TCP connection establishment, TCP flow control, TCP
congestion handling mechanism and finally UDP and TCP header formats. With
respect to congestion control, we learned that congestion control is essential for the
well-being of the network. Without congestion control the network can be blocked.

2.12 SOLUTIONS/ANSWERS

Check Your Progress 1

1) No, TCP is only part of the TCP/IP transport layer. The other part is UDP (user
datagram protocol).

2) It depends on the type of an application. TCP provide a connection-oriented,

reliable service (extra overheads). Stream means that the connection is treated
as stream of bytes. The user application does not need to package data in
individual datagrams.

Reliable means that every transmission of data is acknowledged by the receiver.

UDP offers minimum datagram delivery service.

Check Your Progress 2

1) FTP transfers entire files from a server to the client host. NFS, on the other hand
makes file systems on a remote machine visible as they are on your own
machine but without actually transferring the files.

34
2) Flow control is the process of regulating the traffic between points and is used TCP/UDP
to present the sender from flooding the receiver with too much data.

The basic mechanism to handle flow control at the transport layer is the sliding
window with credit scheme. The credit scheme provides the receiver with a
greater degree of control over data flow. In decouples acknowledgement from
flow control. In fixed sliding window control such as x.25 and HDLC, the two
are synonymous. In a credit scheme, a segment may be acknowledged without
granting new credit and vice-versa.

2.13 FURTHER READINGS

1) Computer Networks, A.S Tanebaum, 4th Edition, PHI, New Delhi, 2003.

2) Computer Networking, Computer Networking, A top down approach featuring

the Internet, J.F. Kurose & K.W. Ross, Pearson Edition, New Delhi, 2003.

3) Data and Computer Communication, William Stallings, 6th Edition, Pearson

Education, New Delhi. 2002.

4) Communications Networks, Leon Garcia, and Widjaja, Tata McGraw Hill,

2000.

35
Transport Layer and
Application Layer Services UNIT 3 NETWORK SECURITY-I
Structure Page Nos.
3.0 Introduction 36
3.1 Objectives 36
3.2 Cryptography 37
3.3 Symmetric Key Cryptography 38
3.4 Public Key Cryptography 53
3.4.1 RSA Public Key Algorithm
3.4.2 Diffie-Hellman
3.4.3 Elliptic Curve Public Key Cryptosystems
3.4.4 DSA
3.5 Mathematical Background 63
3.5.1 Exclusive OR
3.5.2 The Modulo Function
3.6 Summary 65
3.7 Solutions/Answers 66
3.8 Further readings 67

3.0 INTRODUCTION
Cryptography plays an important role in network security. The purpose of
cryptography is to protect transmitted information from being read and understood by
anyone except the intended recipient. In the ideal sense, unauthorised individuals can
never read an enciphered message.
Secret writing can be traced back to 3,000 B.C. when it was used by the Egyptians.
They used hieroglyphics to conceal writing from unintended recipients. Hieroglyphics
is derived from the Greek word hieroglyphica, which means “sacred carvings”.
Hieroglyphics evolved into hieratic, which was easier to use script. Around 400 B.C.,
military cryptography was employed by the Spartans in the form of strip of papyrus or
parchment wrapped around a wooden rod. This system is called a Scytale. The
message to be encoded was written lengthwise down the rod on the wrapped material.
Then, the material was unwrapped and carried to the recipient. In unwrapped form,
the writing appeared to random characters, and to read again the material was
rewound on a rod of the same diameter and length.

During 50 B.C., Julius Caesar, the emperor of Rome, used a substitution cipher to
transmit messages to Marcus Tullius Cicero. In this, letters of the alphabets are
substituted for other letters of the same alphabet. Since, only one alphabet was used,
this is also called monoalphabetic substitution. This particular cipher involved shifting
the alphabet by three letters and substituting those letters. This is sometimes known as
C3 (for Caesar shifting three places).

In this unit, we provide details of cryptography and its needs. In section 3.2 we define
cryptography, Section 3.3 presents a brief review of symmetric cryptography. In
section 3.4 we discuss the Asymmetric Cryptography. We summarise the unit in
section 3.6 followed by the Solutions/Answers.

3.1 OBJECTIVES
After going through this unit, you should be able to:
• learn about the principles and practice of cryptography, and
• various symmetric and public key algorithms.

36
 Network Security-I
3.2 CRYPTOGRAPHY
Cryptography is the science of writing in secret code and is an ancient art; the first
documented use of cryptography in writing dates back to circa 1900 B.C. when an
Egyptian scribe used non-standard hieroglyphics in an inscription. Some experts argue
that cryptography appeared simultaneously sometime after writing was invented, with
applications ranging from diplomatic missives to war-time battle plans. The new form
of cryptography emerges with the widespread development of computer and
communications technologies. Cryptography is a key technology when
communicating over any un-trusted medium, particularly the Internet. Rivest defines
cryptography as simply “Communication in the presence of adversaries”. Modern
cryptographic techniques have many uses, such as access control, digital signatures,
e-mail security, password authentication, data integrity check, and digital evidence
collection and copyright protection.
Cryptographic systems are generically classified among three independent
dimensions:

• Types of Operation: All encryption algorithms are based on two general

principles: substitution and transposition. The fundamental requirements are
that no information is lost and all operations are reversible.

• Key Used: If both sender and the receiver use the same key, then it is referred
to as symmetric, single-key, secret-key, or conventional encryption. And if the
encryption and decryption key are different, the system is asymmetric key, two-
key, or public key encryption.

Within the context of any application-to-application communication, there are some

specific security requirements: (1) Authentication, (2) Privacy/confidentiality,
(3) Integrity, and (4) Non-repudiation. There are, in general, three types of
cryptographic schemes typically used to accomplish these goals: (1) secret key (or
symmetric) cryptography, (2) public key (or asymmetric) cryptography, and (3) hash
functions, each of which is described in the subsequent subsections.

 Check Your Progress 1

1) What is cryptography?

……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………

2) List the various requirements of application-to-application communication.

……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………

3) List various types of cryptographic techniques.

……………………………………………………………………………………
……………………………………………………………………………………
……………………………………………………………………………………

37
Transport Layer and
Application Layer Services 3.3 SYMMETRIC KEY CRYPTOGRAPHY
About twenty years ago, cryptography was the art of making and breaking codes. The
codes were used to transfer messages over an unsecured channel. The channel should
be protected from intruders who read, insert, delete or modify messages, as depicted
in Figure 1. The transmission of a message is done using an encryption function E
that converts the message or plaintext using the key into a cipher text. The receiver
does the reverse of this operation, using the decryption function D and a decryption
key to recover the plaintext from the cipher text. The key is distributed in advance
over a secure channel, for example by courier.

Normally, the encryption and decryption function, but not the key, are considered
known to the adversary, so the protection of the information depends on the key only.
If the enemy knows the key, the whole system is useless until a new key is distributed.
In secret Key Cryptography, a single key is used for both encryption and decryption,
as shown in Figure 1. The main difficulty with this approach is the distribution of the
key.

Secret key cryptography schemes are generally categorised as being either stream
ciphers or block ciphers. Stream ciphers operate on a single byte (or computer word)
at a time, and implement some form of feedback mechanism so that the key is
constantly changing. Block cipher scheme encrypts one block of data at a time using
the same key on each block.

Secured Channel
Key

Unsecured Channel
E D Message
Message

Figure 1: Secret Key Cryptography

The most common secret key cryptography scheme is Data Encryption Standard
(DES), designed by IBM in 1970s and adopted by the National Bureau of Standard
(NBS) of USA [now the National Institute for Standards and Technology (NIST)] in
1977 for commercial and unclassified government applications. DES is a block-cipher
employing a 56-bit key operating on 64 bit blocks of data. DES has a complex set of
rules and transformations designed basically for fast hardware implementation and
slow software implementation. The latter point is significant in today’s context, as the
speed of CPU is several orders of magnitude faster than twenty years ago. IBM also
proposed a 112-bit key for DES in the 1990s, which was never implemented
seriously.

In 1997, NIST initiated the task of developing a new secure cryptosystem for U.S
government applications. This effort has resulted in AES (Advanced Encryption
Standard). AES became the official successor to DES in December 2001. AES is
based on Rjndael Algorithm and employs a 128-, 192-, or 256-bit key.

38
The following terminology is often used when symmetric ciphers are examined: Network Security-I

Block Ciphers

A block of cipher transforms n-bit plaintext blocks to n-bit ciphertext blocks on the
application of a cipher key k. The key is generated at random using various
mathematical functions as shown in Figure 2.

Message source Encryption

one block at a Algorithm Cipher Text
time

Key Source

Figure 2: Block cipher

Stream Ciphers
A stream cipher consists of a state machine that outputs at each state transition one bit
of information. This stream of output bits is called the running key. Just XORring the
running key to the plaintext message can implement the encryption. The state machine
is a pseudo-random number generator. For example, we can build one from a block
cipher by encrypting repeatedly its own output. Typically, more elaborate
constructions (for high speed) are used for stream ciphers. Some of the more well-
known stream ciphers are RC4 and SEAL. Several stream ciphers are based on linear-
feedback shift registers (LFSR) (Figure 3), such as A5/1 used in the GSM. These have
the benefit of being very fast (several times faster than usual block ciphers).

Figure 3: Stream cipher linear feedback shift register (LFSR)

SSSC (Self-Synchronising Stream Ciphers)

The class of self-synchronsing stream ciphers has property that it corrects the output
stream after the bit flips or even drops bits after a short time.
SSSCs can be constructed using block ciphers in a CFB-related way. Assume, that we
have already encrypted n bits of the message and know that much of the ciphertext
(where n denotes the block length of the cipher). Then we produce a new running key
bit by encrypting the n ciphertext bits. Take one bit of the output of the cipher to be
the new running key bit. Now moving one bit further we can iterate this procedure for
the whole length of the message.
One bit error in a ciphertext cannot affect the decrypted plaintext after n bits. This
makes the cipher self-synchronising.

The block cipher used should have sufficiently large block size to avoid substitution
attacks.
Substitution and Transposition
A substitution (Figure 4) means replacing symbols or group of symbols by other
symbols or groups of symbols. Transposition (Figure 5), on the other hand,

39
Transport Layer and means permuting the symbols in a block. Neither of these operations alone provide
Application Layer Services sufficient security, but strong ciphers can be built by combining them. A Substitution-
Permutation Network (SPN) means a cipher composed of a number of stages, each
involving substitutions and permutations. The prominent examples of SPNs are DES
and CAST-128.

Figure 4: Substitution

Figure 5: Transposition
S-Boxes
Lookup tables that map n bits to m bits, where n and m are often equal. There are
several ways of constructing and measuring good S-boxes for ciphers.

a) S-boxes, which are resistant against well known attacks, can be created using
rigorous mathematical approach by applying bent functions (or related).

b) Other designers apply heuristic approaches that result in S-boxes that are more
difficult to handle in mathematical proofs, but can have additional benefits.

The S-box may even be the only non-linear part of the cipher (e.g., DES) and thus,
may be considered as the single most important part of the cipher. In fact, DES’s S-
boxes are so good that it is used in many other cipher design (for example, Serpent).

Feistel Networks
The original idea was used in the block cipher, Lucifer, invented by Horst Feistel.
Several variations have been devised from the original version. A Feistel network
(Figure 6) is a general way of constructing block ciphers from simple functions. The
standard Feistel network takes a function from n bits to n bits and produces an
invertible function from 2n bits to 2n bits. The structure of Fiestel network is based on
round function. The essential property of Feistel networks that makes them so useful
in cipher design is that the round function need not be invertible, but always is the
resulting function. If the round function depends on, say, k bits of a key, then the
Feistel cipher requires rk bits of the key where r is the number of rounds used. The
security of the Feistel structure is not obvious. It is compulsory that a Feistel cipher
has enough number of rounds, but just adding more rounds does not always guarantee
security.

The process of taking the user key and expanding it into rk bits for the Feistel rounds
is called key scheduling. This is often a non-linear operation and hence does not

40
directly provide any information about the actual user key. There are many ciphers Network Security-I

that have this basic structure; Lucifer, DES, and Twofish etc.

Figure 6: Feistal Cipher

Expansion, Permutation
They are linear operations, and thus, not sufficient to guarantee security. They are
common tools in mixing bits in a round function and when used with good non-linear
S-boxes (as in DES) they are vital for the security because they propagate the non-
linearity uniformly over all bits.
Bitslice Operations (Bitwise Logic Operations XOR, AND, OR, NOT and Bit
Permutations)

The idea of bitslice implementations of block ciphers is due to Eli Biham. It is

common in vector machines to achieve parallel operation. However, Biham applied it
on serial machines by using large registers as available in modern computers. The
term “bitslice” has been the contribution of Matthew Kwan.

All block ciphers can be designed in bitslice manner, but this could affect the speed of
operations such as addition and multiplication they may become very slow. On the
other hand, permutations are almost free as they only require a renaming of the
registers and this can be done at the coding level. Thus, for example, in DES
exhaustive key search using bitslice techniques, one can increment the current key in,
a fraction of a time than is usually needed for key scheduling.

The AES finalist Serpent is designed to be implemented using bitslice operations

only. This makes it particularly efficient on modern architectures with many registers.

Modes of Operation

Block ciphers are the most commonly used cipher. Block ciphers transform a fixed-
size block of data (usually 64 bits) into another fixed-size block (possibly 64 bits wide
again) using a function selected by the key. If the key, input block and output block
have all n bits, a block cipher basically defines a one-to-one mapping from n-bit
integers to permutations of n-bit integers.

If the same block is encrypted twice with the same key, the resulting ciphertext blocks
are also the same (this mode of encryption is called electronic code book, or ECB).
This information could be useful for an attacker. For identical plaintext blocks being
encrypted to different ciphertext blocks, three standard modes are generally used:

1) CBC (Cipher Block Chaining): First XORing the plaintext block with the
previous ciphertext block obtains a ciphertext block, and then the resulting
value needs to be encrypted. In this, leading blocks influence all trailing blocks,
which increases the number of plaintext bits one ciphertext bit depends on, but
this may also leads to synchronisation problems if one block is lost. The Process
of Cipher Block Chaining shown in Figure 7. In this Figure m1, m2, m3 are
messages and C1, C2 and C3 are ciphertexts.

41
Transport Layer and
Application Layer Services

Figure 7: Cipher block chaining

2) CFB (Cipher Feedback): In this the kth ciphertext block is obtained by

encrypting the (k-1)th ciphertext block and XORing the result onto the plaintext.
The CFB mode possess self-synchronising property: A CFB feedback loop can
also be used as a pseudo-random number generator if one simply feeds one
block of true random data with trailing blocks of zeroes into the encryption
routine (although the expected period of this PRNG would be only about 2n/2
where n is the block size of the cipher). CFB is shown in Figure 8.

Figure 8: Cipher feedback model

3) OFB (Output Feedback Block):It is used as a synchronous key-stream

generator, whose output is XORed with the plaintext to obtain ciphertext, block
by block. The key-stream is generated by riterative encryption, starting with an
initialisation vector (IV) which, along with the key, is agreed upon beforehand.
OFB is shown in Figure 9.

Figure 9: Output feedback block

The One-Time Pad

The one-time pad (OTP) is the only cipher that has been proven to be unconditionally
secure, i.e., unbreakable in practice. Further, it has been proven that any unbreakable,
unconditionally secure cipher must be a one-time pad.

42
The Vernam cipher (invented by G. Vernam in 1917) in one time pad and is very Network Security-I
simple: take a stream of bits that contain the plaintext message, and a key, which is
the secret random bit-stream of the same length as the plaintext. [To encrypt the
plaintext with the key, sequentially exclusive-or each pair of key bit and plaintext bit
to obtain the ciphertext bit]. If the key is truly random, the attacker or adversary has
no means of deciding whether some guessed plaintext is more likely than any other
when, only the ciphertext and no knowledge of the plaintext is available.

The main practical problem is that the key does not have a small constant length, but
the same length as the message, and one part of a key should never be used twice (or
the cipher can be broken). However, this cipher has allegedly been in widespread use
since its invention, and even more since the security proof by C. Shannon in 1949.
Although, admittedly the security of this cipher had been conjectured earlier, it was
Shannon who actually found a formal proof for it.

DES

The Data Encryption Standard (DES) is an algorithm developed in the mid-1970s and
turned into a standard by the US National Institute of Standards and Technology
(NIST), and was also adopted by several other governments worldwide. It was and
still is widely used, especially in the financial industry.

DES is a block cipher with a 64-bit block size. It uses 56-bit keys. This makes it
suspectible to exhaustive key search with modern computing powers and special-
purpose hardware. DES is still strong enough to keep most random hackers,
adversaries and individuals out, DES is easily breakable with special hardware by,
government, criminal organizations etc. DES is getting too weak, and should not be
used in new applications. NIST proposed in 2004 to withdraw the DES standard.

A variant of DES, Triple-DES (also 3DES) is based on using DES three times
(normally in an encrypt-decrypt-encrypt sequence with three different, unrelated
keys). The Triple-DES is arguably much stronger than (single) DES, however, it is
rather slow compared to some new block ciphers.

Although, at the time of DES’s introduction, its design philosophy was held secret.
Some information has been published about its design, and one of the original
designers, Don Coppersmith, has said that they discovered ideas similar to
differential crypt analysis while designing DES in 1974. However, it was just a matter
of time that these fundamental ideas were re-discovered.

Although DES is no longer considered a practical solution, it is many a time used to

describe new crypt analytical methods. Even today, there are no crypt analytical
techniques that would completely break DES in a structural way; indeed, the only real
weakness known is the short key size (and perhaps the small block size).

DES uses the:

• Data Encryption Algorithm (DEA),

• a secret key block-cipher employing a 56-bit key operating on 64-bit blocks.

• FIPS 81 describes four modes of DES operation: Electronic Codebook (ECB),

Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback
(OFB). Despite all these options, ECB is the most commonly deployed mode of
operation.

43
Transport Layer and DES uses a 56-bit key, which is divided into eight 7-bit blocks and an 8th odd parity
Application Layer Services bit is added to each block (i.e., a "0" or "1" is added to the block so that there are an
odd number of 1 bit in each 8-bit block). By using the 8 parity bits for rudimentary
error detection, a DES key is actually 64 bits in length for computational purposes
(although it only has 56 bits worth of randomness, or entropy).

Figure 10: DES algorithm

DES process on 64-bit blocks of the plaintext, invoking 16 rounds of permutations,

swaps, and substitutes, as shown in Figure 10. The main DES steps are:

1) The 64-bit block undergoes an initial permutation (IP), where each bit is moved
to a new bit position; e.g., the 1st, 2nd, and 3rd bits are moved to the 58th, 50th,
and 42nd position, respectively.
2) The permuted 64-bit input is divided into two 32-bit blocks, called left and
right, respectively. The initial values of the left and right blocks are denoted as
L0 and R0.

3) There are then 16 rounds of operation on the L and R blocks.

44
During each iteration (where n ranges from 1 to 16), the following formula is used: Network Security-I

Ln = Rn-1
Rn = Ln-1 XOR f(Rn-1,Kn)

The new L block value is taken from the prior R block value. The new R block is
calculated by taking the bit-by-bit exclusive-OR (XOR) of the prior L block with the
results of applying the DES cipher function, f, to the prior R block and Kn. (Kn is a 48-
bit value derived from the 64-bit DES key). Each round uses a different 48 bits
according to the standard’s Key Schedule algorithm.

The cipher function, f, combines the 32-bit R block value and the 48-bit subkey in the
following way:

• First, the 32 bits in the R block are expanded to 48 bits by an expansion

function (E); the extra 16 bits are found by repeating the bits in 16 predefined
positions.

• The 48-bit expanded R-block is then ORed with the 48-bit subkey.

• The result is a 48-bit value that is then divided into eight 6-bit blocks.

• These are fed as input into 8 selection (S) boxes, denoted S1,...,S8. Each 6-bit
input yields a 4-bit output using a table lookup based on the 64 possible inputs;
this results in a 32-bit output from the S-box. The 32 bits are then rearranged by
a permutation function (P), producing the results from the cipher function.

The results from the final DES round — i.e., L16 and R16 — are recombined into a 64-
bit value and fed into an inverse initial permutation (IP-1). At this step, the bits are
rearranged into their original positions, so that the 58th, 50th, and 42nd bits, for
example, are moved back into the 1st, 2nd, and 3rd positions, respectively. The output
from IP-1 is the 64-bit ciphertext block.

Breaking DES
DES’s 56-bit key was too short to withstand a brute-force attack from computing
power of modern computers. Remember Moore’s Law: computer power doubles
every 18 months. Keeping this law in mind, a key that could withstand a brute-force
guessing attack in 2000 could hardly be expected to withstand the same attack a
quarter of a century later.

DES is even more vulnerable to a brute-force attack as it is commonly used to encrypt

words, meaning that the entropy of the 64-bit block is greatly reduced. That is, if we
are encrypting random bit streams, then a given byte might contain any one of 28
(256) possible values and the entire 64-bit block has 264, or about 18.5 quintillion,
possible values. If we are encrypting words, however, we are most likely to find a
limited set of bit patterns; perhaps 70 or so if we account for upper and lower case
letters, the numbers, space, and some punctuation. That is, only about ¼ of the bit
combinations of a given byte are likely to occur. Despite this, the U.S. government
insisted throughout the mid-1990s that 56-bit DES was secure and virtually
unbreakable if appropriate precautions were employed. In response, RSA Laboratories
sponsored a series of cryptographic challenges to prove that DES was no longer
secure and appropriate for use.

• DES Challenge I was launched in March 1997. R. Verser completed it in 84 days

in a collaborative effort to break DES using thousands of computers on the
Internet. The first DES II challenge lasted 40 days during early 1998. This
problem was solved by distributed.net, a worldwide distributed computing

45
Transport Layer and network using the spare CPU cycles of computers around the Internet. The
Application Layer Services participants in distributed.net’s activities load a client program that runs in the
background, conceptually similar to the SETI @Home “Search for Extraterrestrial
Intelligence” project). By the end of the project, distributed.net systems were
checking 28 billion keys per second.
• The second DES II challenge lasted just less than 3 days. On July 17, 1998, the
Electronic Frontier Foundation (EFF) announced the construction of a hardware
that could brute-force a DES key in an average of 4.5 days. The device called
Deep Crack, could check 90 billion keys per second and cost only about $220,000
including design. As the design is scalable, this suggests that an organisation
could develop a DES cracker that could break 56-bit keys in an average of a day
for as little as $1,000,000.
• The DES III challenge, launched in January 1999, was broken in less than a day
by the coordinated efforts of Deep Crack and distributed.net.

The Deep Crack algorithm is to launch a brute-force attack by guessing every possible
key. A 56-bit key yields 256, or about 72 quadrillion, possible values. The DES cracker
team initially assumed that some recognisable plaintext would appear in the decrypted
string even though they didn’t have a specific known plaintext block. They then
applied all 256 possible key values to the 64-bit block. The system checked to find if
the decrypted value of the block was “interesting”, which they defined as bytes
containing one of the alphanumeric characters, space, or some punctuation. As the
likelihood of a single byte being “interesting” is about ¼, then the likelihood of the
entire 8-byte stream being “interesting” is about ¼8, or 1/65536 (½16). This dropped
the number of possible keys that might yield positive results to about 240, or about a
trillion.
After the assumption that an “interesting” 8-byte block would be followed by another
“interesting” block. Therefore, if the first block of ciphertext decrypted to something
interesting, they decrypted the next block; otherwise, they abandoned this key. Only if
the second block was also “interesting” did they examine the key closer. Looking for
16 consecutive bytes that were “interesting” meant that only 224, or 16 million, keys
required to be examined further. This further examination was primarily to see if the
text made any sense.
It is important to mention mentioning a couple of forms of crypt analysis that have
been shown to be effective against DES. Differential cryptanalysis, invented in 1990
by E. Biham and A. Shamir (of RSA fame), is a chosen-plaintext attack. By selecting
pairs of plaintext with particular differences, the crypt analyst examines the
differences in the resultant ciphertext pairs. Linear plaintext, invented by M. Matsui,
uses a linear approximation to analyse the actions of a block cipher (including DES).
Both these attacks one be more efficient than brute force.
DES Variants
After DES algorithm was “officially” broken, several variants appeared. In the early
1990s, there was a proposal to increase the security of DES by effectively increasing
the key length by using multiple keys with multiple passes etc. But for this scheme to
work, it had to first be shown that, the DES function is not a group, as defined in
mathematics. If DES was a group, then we could show that for two DES keys, X1 and
X2, applied to some plaintext (P), we can get a single equivalent key, X3, that would
provide the same result; i.e.,
EX2(EX1(P)) = EX3(P)

where EX(P) represents DES encryption of some plaintext P using DES key X. If DES
were a group, it wouldn’t matter how many keys and passes we applied to some
plaintext; we could always find a single 56-bit key that would provide the same result.

46
As DES was proven not to be a group, we apply additional keys and passes to increase Network Security-I
the effective key length. One choice, then, might be to use two keys and two passes,
yielding an effective key length of 112 bits. This can be called Double-DES. The two
keys, Y1 and Y2, might be applied as follows:

C = EY2(EY1(P))
P = DY1(DY2(C))

where EY(P) and DY(C) represent DES encryption and decryption, respectively, of
some plaintext P and ciphertext C, respectively, using DES key Y.

But an interesting attack can be launched against this “Double-DES” scheme. The
applications of the formula above can be with the following individual steps (where
C’ and P’ are intermediate results):

C’ = EY1(P) and C = EY2(C’)

P’ = DY2(C) and P = DY1(P’)

Unfortunately, C’=P’, which leaves it vulnerable to a simple known plaintext attack

(or “Meet-in-the-middle”) where the attacker or adversary knows some plaintext (P)
and its matching ciphertext (C). To obtain C’, the attacker or adversary needs to try all
256 possible values of Y1 applied to P; to obtain P’, the attacker needs to try all 256
possible values of Y2 applied to C. Since C’=P’, the attacker knows when a match has
been achieved — after only 256 + 256 = 257 key searches, only twice the work of brute-
forcing DES.

Triple-DES (3DES) is based upon the Triple Data Encryption Algorithm (TDEA), as
described in FIPS 46-3. 3DES, which is not susceptible to a meet-in-the-middle
attack, employs three DES passes and one, two, or three keys called K1, K2, and K3.
Generation of the ciphertext (C) from a block of plaintext (P) is accomplished by:

C = EK3(DK2(EK1(P)))
where EK(P) and DK(P) represent DES encryption and decryption, respectively, of
some plaintext P using DES key K. This is also sometimes referred to as an encrypt-
decrypt-encrypt mode operation.

Decryption of the ciphertext into plaintext is accomplished by:

P = DK1(EK2(DK3(C)))
The use of three, independent 56-bit keys provides 3DES with an effective key length
of 168 bits. The specification also defines use of two keys where, in the operations
above, K3 = K1; this provides an effective key length of 112 bits. Finally, a third
keying option is to use a single key, so that K3 = K2 = K1 (in this case, the effective
key length is 56 bits and 3DES applied to some plaintext, P, will yield the same
ciphertext, C, as normal DES would with that same key). With the relatively low cost
of key storage and the modest increase in processing due to the use of longer keys, the
best recommended practices are that 3DES are employed with three keys.

Another variant of DES, called DESX, is the contribution of Ron Rivest. Developed
in 1996, DESX is a very simple algorithm that greatly increases DES’s resistance to
brute-force attacks without increasing its computational complexity. In DESX, the
plaintext input is XORed with 64 additional key bits prior to encryption and the output
is likewise XORed with the 64 key bits. By adding just two XOR operations, DESX
has an effective keylength of 120 bits against an exhaustive key-search attack. It is
pertinent to note that DESX is not immune to other types of more sophisticated

47
Transport Layer and attacks, such as differential or linear crypt analysis, but brute-force is the primary
Application Layer Services attack vector on DES.

AES
In response to cryptographic attacks on DES, search for a replacement to DES started
in January 1997. In September 1997, a formal Call for Algorithms was initiated and in
August 1998 announced that 15 candidate algorithms were being considered (Round
1). In April 1999, NIST announced that the 15 had been filtered down to five finalists
(Round 2): MARS (multiplication, addition, rotation and substitution) from IBM;
Ronald Rivest’s RC6; Rijndael from a Belgian team; Serpent, developed jointly by a
team from England, Israel, and Norway; and Twofish, developed by Bruce Schneier.
In October 2000, NIST announced their selection: Rijndael.
In October 2000, NIST published the Report on the Development of the Advanced
Encryption Standard (AES) that compared the five Round 2 algorithms in a number of
categories. The table below summarises the relative scores of the five schemes
(1=low, 3=high):

Algorithm
Category MARS RC6 Rijndael Serpent Twofish
General
3 2 2 3 3
security
Implementation
1 1 3 3 2
of security
Software
2 2 3 1 1
performance
Smart card
1 1 3 3 2
performance
Hardware
1 2 3 3 2
performance
Design features 2 1 2 1 3

NIST selected Rijndael as its performance in hardware and software across a wide
range of environments in all possible modes. It has excellent key setup time and has
low memory requirements, in addition its operations are easy to defend against power
and timing attacks.

In February 2001, NIST published the Draft Federal Information Processing Standard
(FIPS) AES Specification for public review and comment. AES contains a subset of
Rijndael’s capabilities (e.g., AES only supports a 128-bit block size) and uses some
slightly different nomenclature and terminology, but to understand one is to
understand both. The 90-day comment period ended on May 29, 2001 and the U.S.
Department of Commerce officially adopted AES in December 2001, published as
FIPS PUB 197.

AES (Rijndael) Overview

Rijndael (pronounced as in “rain doll” or “rhine dahl”) is a block cipher designed by
Joan Daemen and Vincent Rijmen, both cryptographers in Belgium. Rijndael can
operate over a variable-length block using variable-length keys; the version 2
specification submitted to NIST describes use of a 128-, 192-, or 256-bit key to
encrypt data blocks that are 128, 192, or 256 bits long. The block length and/or key
length can be extended in multiples of 32 bits and it is specifically designed for
efficient implementation in hardware or software on a range of processors. The design

48
of Rijndael was strongly influenced by the block cipher called Square, also designed Network Security-I
by Daemen and Rijmen. Rijndael is an iterated block cipher, meaning that the initial
input block and cipher key undergoes multiple rounds of transformation before
producing the output. Each intermediate cipher result is called State.

For simplicity, the block and cipher key are often given as an array of columns where
each array has 4 rows and each column represents a single byte (8 bits). The number
of columns in an array representing the state or cipher key, then, can be calculated as
the block or key length divided by 32 (32 bits = 4 bytes). An array representing a State
will have Nb columns, where Nb values of 4, 6, and 8 correspond to a 128-, 192-, and
256-bit block, respectively. Similarly, an array representing a Cipher Key will have
Nk columns, where Nk values of 4, 6, and 8 correspond to a 128-, 192-, and 256-bit
key, respectively. An example of a 128-bit State (Nb = 4) and 192-bit Cipher Key
(Nk = 6) is shown below:
s0,0 s0,1 s0,2 s0,3 k0,0 k0,1 k0,2 k0,3 k0,4 k0,5
s1,0 s1,1 s1,2 s1,3 k1,0 k1,1 k1,2 k1,3 k1,4 k1,5
s2,0 s2,1 s2,2 s2,3 k2,0 k2,1 k2,2 k2,3 k2,4 k2,5
s3,0 s3,1 s3,2 s3,3 k3,0 k3,1 k3,2 k3,3 k3,4 k3,5

The number of transformation rounds (Nr) in Rijndael is a function of the block length
and key length, and is given in the table below:

Block Size
Rounds
Nr 128 bits 192 bits 256 bits
Nb = 4 Nb = 6 Nb = 8
128 bits
10 12 14
Nk = 4
Key 192 bits
Size Nk = 6 12 12 14

256 bits
14 14 14
Nk = 8

The AES version of Rijndael does not support all nine combinations of block and key
lengths, but only the subset using a 128-bit block size. NIST calls these supported
variants AES-128, AES-192, and AES-256 where the number refers to the key size.
The Nb, Nk, and Nr values supported in AES are:

Parameters
Variant Nb Nk Nr
AES-128 4 4 10
AES-192 4 6 12
AES-256 4 8 14

The AES/Rijndael cipher itself has three operational stages:

• AddRound Key transformation

• Nr-1 Rounds comprising: SubBytes transformation; ShiftRows

transformation; MixColumns transformation; AddRoundKey
transformation

• A final Round comprising: SubBytes transformation; ShiftRows

transformation; AddRoundKey transformation.

49
Transport Layer and The nomenclature used below is taken from the AES specification, although,
Application Layer Services references to the Rijndael specification are made for completeness. The arrays s and s'
refer to the State before and after a transformation, respectively (NOTE: The Rijndael
specification uses the array nomenclature a and b to refer to the before and after
States, respectively). The subscripts i and j are used to indicate byte locations within
the State (or Cipher Key) array.

The SubBytes Transformation

The substitute bytes (called ByteSub in Rijndael) transformation operates on each of
the State bytes independently and changes the byte value. An S-box, or substitution
table, controls the transformation. The characteristics of the S-box transformation as
well as a compliant S-box table are provided in the AES specification; as an example,
an input State byte value of 107 (0x6b) will be replaced with a 127 (0x7f) in the
output State and an input value of 8 (0x08) would be replaced with a 48 (0x30).

One simple way to think of the SubBytes transformation is that a given byte in State s
is given a new value in State s' according to the S-box. The S-box, then, is a function
on a byte in State s so that:

s'i,j = S-box (si,j)

The more general depiction of this transformation is shown by:

s0,0 s0,1 s0,2 s0,3 s'0,0 s'0,1 s'0,2 s'0,3

s1,0 s1,1 s1,2 s1,3 ====> S-box ====> s'1,0 s'1,1 s'1,2 s'1,3
s2,0 s2,1 s2,2 s2,3 s'2,0 s'2,1 s'2,2 s'2,3
s3,0 s3,1 s3,2 s3,3 s'3,0 s'3,1 s'3,2 s'3,3

The ShiftRows Transformation

The shift rows transformation cyclically shifts the bytes in the bottom three rows of
the State array. According to the more general Rijndael specification, rows 2, 3, and 4
are cyclically left-shifted by C1, C2, and C3 bytes, respectively, per the table below:

Nb C1 C2 C3
4 1 2 3
6 1 2 3
8 1 3 4

The current version of AES, of course, only allows a block size of 128 bits (Nb = 4)
so that C1=1, C2=2, and C3=3.

The diagram below shows the effect of the Shift Rows transformation on State s:

State s ----------- no shift -----------> State s'

s0,0 s0,1 s0,2 s0,3 ----> left-shift by C1 (1) ----> s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3 ----> left-shift by C2 (2) ----> s1,1 s1,2 s1,3 s1,0
s2,0 s2,1 s2,2 s2,3 ----> left-shift by C3 (3) ----> s2,2 s2,3 s2,0 s2,1
s3,0 s3,1 s3,2 s3,3 s3,3 s3,0 s3,1 s3,2

50
The MixColumns Transformation Network Security-I

The mix columns (called MixColumn in Rijndael) transformation uses a mathematical

function to transform the values of a given column within a State, acting on the four
values at one time as if they represented a four-term polynomial.
s'i,c = MixColumns (si,c)
for 0<=i<=3 for some column, c.

The column position does not change, however, the values within the column change.
Round Key Generation and the AddRoundKey Transformation
The Cipher Key is used to derive a different key to be applied to the block during each
round of the encryption operation. These keys are known as the Round Keys and each
will be the same length as the block, i.e., Nb 32-bit words.
The AES defines a key schedule by which the original Cipher Key (of length Nk 32-
bit words) is used to form an Expanded Key. The Expanded Key size is equal to the
block size multiplied by the number of encryption rounds plus 1, which will provide
Nr+1 different keys. (Note that there are Nr encipherment rounds but Nr+1

AddRoundKey transformations.). For example, AES uses a 128-bit block and either
10, 12, or 14 iterative rounds depending upon key length. With a 128-bit key, we
would need 1408 bits of key material (128×11=1408), or an Expanded Key size of 44
32-bit words (44×32=1408). Similarly, a 192-bit key would require 1664 bits of key
material (128×13), or 52 32-bit words, while a 256-bit key would require 1920 bits of
key material (128×15), or 60 32-bit words. The key expansion mechanism, then, starts
with the 128-, 192-, or 256-bit Cipher Key and produces a 1408-, 1664-, or 1920-bit
Expanded Key, respectively. The original Cipher Key occupies the first portion of the
Expanded Key and is used to produce the remaining new key material.

The result is an Expanded Key that can be 11, 13, or 15 separate keys, each used for
one AddRoundKey operation. These, then, are the Round Keys. The diagram below
shows an example using a 192-bit Cipher Key (Nk=6), shown in magenta italics:

Expanded
W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 W10 W11 W12 W13 W14 W15 ... W44 W45 W46 W47 W48 W49 W50 W51
Key:
Round
Round key 0 Round key 1 Round key 2 Round key 3 ... Round key 11 Round key 12
keys:

The AddRoundKey (called Round Key addition in Rijndael) transformation merely

applies each Round Key, in turn, to the State by a simple bit-wise exclusive OR
operation.

MARS by Zunic et al., IBM.

This new design uses a special type of a Feistel network, which depends heavily on
the instruction sets available on modern 32-bit processors. This has the benefit that on
these target machines it is efficient, but it may lead to implementation
problems/difficulties in cheaper architectures like smart cards.

RC6 by Rivest, Robshaw, and Yin, RSA Laboratories.

RC6 follows the ideas of RC5 with improvements. It attempts to avoid some of the
differential attacks against RC5’s data dependent rotations. However, there are some
attacks that are not yet employed, and it is unclear whether RC6 is well enough
analysed yet.

51
Transport Layer and Serpent by Anderson, Biham, and Knudsen.
Application Layer Services
Serpent has a basically conservative but, in many ways innovative design. It may be
implemented by bitslice (or vector) gate logic throughout. This makes it rather
complicated to implement from scratch, and writing it in a non-bitslice way involves
an efficiency penalty. The 32 rounds lead to probably the highest security margin on
all AES candidates, while it is still fast enough for all practical purposes.

Twofish by Schneier et al., Counterpane Security.

Twofish is a block cipher designed by Counterpane, whose founder and CTO is Bruce
Schneier. The design is highly delicate, supported with many alternative ways of
implementation. It is crypt analysed in much detail, by the very authoritative
“extended Twofish team”. It is basically a Feistel cipher, but utilises many different
ideas. This cipher has key dependent S-boxes like Blowfish (another cipher by Bruce
Schneier).
Other Symmetric Ciphers
Blowfish
Bruce Schneier designed blowfish and it is a block cipher with a 64-bit block size
and variable length keys (which may vary up to 448 bits). It has gained of acceptance
in a number of applications, including Nautilus and PGPfone.

Blowfish utilises the idea of randomised S-boxes: while doing key scheduling, it
generates large pseudo-random lookup tables through several encryptions. These
tables depend on the user supplied key in a very complex manner. This makes
blowfish highly resistant against many attacks such as differential and linear crypt
analysis. But is not the algorithm of choice for environments where large memory
space (something like 4096 bytes) is not available. The known attacks against
Blowfish are based on its weak key classes.

CAST-128
CAST-128, Substitution-Permutation Network (SPN) cryptosystem, is similar to DES,
which have good resistance to differential, linear and related-key crypt analysis.
CAST-128 has Feistel structure and utilises eight fixed S-boxes. CAST-128 supports
variable key lenghts between 40 and 128 bits (described in RFC2144).

IDEA

IDEA (International Data Encryption Algorithm), was developed at ETH Zurich in

Switzerland by Xuejia Lai uses a 128-bit key, and is considered to be very secure.
The best attacks against IDEA uses the impossible differential idea of Biham, Shamir
and Biryukov. They can attack only 4.5 rounds of IDEA and this poses no threat to
the total of 8.5 rounds used in IDEA. It is pertinent to note that IDEA is patented in
the United States and in most European countries.
Rabbit

Rabbit is a stream cipher, based on iterating a set of coupled nonlinear function. It is

characterised by a high performance in software.

RC4
RC4 is a stream cipher by Ron Rivest at RSA Data Security, Inc. It accepts keys of
arbitrary length. It used to be a trade secret, until someone posted source code for an

52
algorithm on the usenet, claiming it to be equivalent to RC4. The algorithm is very Network Security-I

fast. Its security is unknown, but breaking it does not seem trivial either. Because of
its speed, it may have uses in certain particular applications.
RC4 is essentially a pseudo random number generator, and the output of the generator
is exclusive-ored with the data stream. For this reason, it is very important that the
same RC4 key should not be used to encrypt two different data streams.

 Check Your Progress 2

1) What is the result of the Exclusive OR operation 1XOR0?
(a) 1
(b) 0
(c) Indeterminate
(d) 10

2) A block cipher:
(a) Is an asymmetric key algorithm
(b) Converts variable-length plaintext into fixed-length ciphertext
(c) Breaks a message into fixed length units for encryption
(d) Encrypts by operating on a continuous data stream.

3) What is the block length of the Rijndael Cipher?

(a) 64 bits
(b) 128 bits
(c) Variable
(d) 256 bits.

4) What is the key length of the Rijndael Block Cipher

(a) 56 or 64 bits
(b) 512 bits
(c) 128, 192, or 256 bits
(d) 512 or 1024 bits.

5) The NIST Advanced Encryption Standard uses the:

(a) 3 DES algorithm
(b) DES algorithm
(c) Rijndael algorithm
(d) IDEA algorithm.

6) The modes of DES do not include:

(a) Electronic code book
(b) Variable block feedback
(c) Cipher block chaining
(d) Output feedback.

3.4 PUBLIC KEY CRYPTOGRAPHY

Modern cryptography deals with communication between many different parties,
without using a secret key for every pair of parties. In 1976, Whitfield Diffie and
Martin Hellman published an invited paper in the ÏEEE Transactions on Information
Theory titled “New Directions in Cryptography”. This paper can be considered as the

53
Transport Layer and beginning of modern cryptography. Their paper described a two – key crypto system
Application Layer Services in which two parties can perform a secure communication over a non-secure channel
without having to share a secret key. PKC depends upon the existence of so-called
one-way function, or mathematical functions that are easy to calculate but the
calculation of the inverse function is relatively difficult.
Generic PKC uses two keys that are mathematically related and knowledge of one key
does not allow someone to easily determine the other key. One key is used to encrypt
and the other key is used to decrypt. It does not matter which key is applied first and
because a pair of keys are used, this is called asymmetric key cryptography. In PKC,
one of the keys is designated as the public key and the other key is designated as the
private key. The public key may be advertised but the private key is never revealed to
another party. It is straightforward enough to send messages under this scheme.
Suppose Alice wants to send Bob a message, Alice encrypts some information using
Bob’s public key; Bob decrypts the ciphertext using his private key.

The most common PKC implementation is RSA, named after the three MIT
mathematicians who developed it  Ronald Rivest, Adi Shamir, and Leonard
Adleman. RSA can be used for key exchange, digital signatures, or encryption of
small blocks of data. The Figures 11 and 12 highlights how digital signature are
created and verified. The detailed discussion will be made in the next unit. RSA uses a
variable size encryption block and variable size key. The key pair is derived from a
very large number, n, that is the product of two large prime numbers selected through
special rules; these primes may be 100 or more digits in length each, yielding an n
with roughly twice as many digits as the prime factors. The public key includes n and
a derivate of one of the factor of n; an adversary cannot determine the prime factor of
n (and, therefore, the private key) from this information alone and that is what makes
the RSA algorithm so secure.

Figure11: Digital Signature

Figure12: Digital signature verification process

54
Goldwasser, Micali, and Rivest gave the rigorous definition of security for signature Network Security-I
scheme and provided the first construction that probably satisfied that definition,
under a suitable assumption. The assumption that claw-free pair of permutations exist,
is implied by the assumption that integer factorisation is hard. The earlier signature
scheme due to Merkle was also shown to satisfy this definition. Rompel, Naor and
Yung showed how to construct a digital signature scheme using any one-way
function. The inefficiency of the above mentioned schemes, and due to the fact that
these schemes require the signer’s secret key to change between invocations of the
signing algorithm make these solutions impractical.
Several other signature schemes have been shown to be secure in the so-called
random-oracle model. The random-oracle model is a model of computation in which it
is assumed that a given hash function behaves as an ideal random function. An ideal
random function is a function where the input domain is the set of binary strings, such
that each binary string is mapped to a random binary string of the same length.
Although this assumption is evidently false, as it formalises the notion that the hash
function is like a black box and its output cannot be determined until it is evaluated. A
proof of security in the random oracle model gives some evidence of resilience to
attack. The RSA signatures with special message formatting, the Fiat-Shamir, and the
Schnorr signature schemes have been analysed and proven secure in the random
oracle model. However, it is known that security in the random oracle model does not
imply security in the plain model.
Gennaro, Halevi, Rabin, Cramer Shoup proposed the first signature schemes whose
efficiency is suitable for practical use and whose security analysis does not assume an
ideal random function. These schemes are considered to be secure, under RSA
assumption.
PKC depends upon the existence of so-called one-way functions, or mathematical
functions that are easy to compute whereas their inverse function is relatively difficult
to compute. Let me give you two simple examples:
1) Multiplication vs. factorisation
2) Exponentiation vs. logarithms
The important Public-key cryptography algorithms are:
• RSA
• Diffie-Hellman: After the RSA algorithm was published, Diffie and
Hellman came up with their own algorithm. D-H is used for secret-key
key exchange only, and not for authentication or digital signatures.
• Digital Signature Algorithm (DSA): The algorithm specified in NIST’s
Digital Signature Standard (DSS), provides digital signature capability
for the authentication of messages.
• ElGamal: Designed by Taher Elgamal, is a PKC system similar to
Diffie-Hellman and used for key exchange.
• Elliptic Curve Cryptography (ECC): A PKC algorithm based upon
elliptic curves. ECC can offer levels of security with small keys
comparable to RSA and other PKC methods. It was designed for
devices with limited compute power and/or memory, such as smartcards
and PDAs.
• Public-Key Cryptography Standards (PKCS): A set of interoperable
standards and guidelines for public-key cryptography, designed by RSA
Data Security Inc.
o PKCS #1: RSA Cryptography Standard (Also RFC 3447)

55
Transport Layer and o PKCS #2: Incorporated into PKCS #1.
Application Layer Services o PKCS #3: Diffie-Hellman Key-Agreement Standard
o PKCS #4: Incorporated into PKCS #1.
o PKCS #5: Password-Based Cryptography Standard (PKCS #5 V2.0 is
also RFC 2898)
o PKCS #6: Extended-Certificate Syntax Standard (being phased out in
favor of X.509v3)
o PKCS #7: Cryptographic Message Syntax Standard (Also RFC 2315)
o PKCS #8: Private-Key Information Syntax Standard
o PKCS #9: Selected Attribute Types (Also RFC 2985)
o PKCS #10: Certification Request Syntax Standard (Also RFC 2986)
o PKCS #11: Cryptographic Token Interface Standard
o PKCS #12: Personal Information Exchange Syntax Standard
o PKCS #13: Elliptic Curve Cryptography Standard
o PKCS #14: Pseudorandom Number Generation Standard is no longer
available
o PKCS #15: Cryptographic Token Information Format Standard
• Cramer-Shoup: A public-key cryptosystem proposed by R. Cramer and V.
Shoup of IBM in 1998.
• Key Exchange Algorithm (KEA): A variation on Diffie-Hellman;
proposed as the key exchange method for Capstone.
• LUC: A public-key cryptosystem designed by P.J. Smith and based on
Lucas sequences. Can be used for encryption and signatures, using
integer factoring.
Public Key Infrastructure (PKI) in India
The Act provides the Controller of Certifying Authorities to license and regulate the
working of CAs and also to ensure that CAs does not violate any of the provisions of
the Act. CCA has created the framework for Public Key Infrastructure in India. It has
prescribed technical standards for cryptography and physical security based on
international standards/best practices of ITU, IETF, IEEE etc. CAs has to prove
compliance with these standards through a stringent audit procedure that has been put
in place. CAs also needs to get their CPS (Certification Practice Statement) approved
by the CCA. India has seven Certifying Authorities: (1) SafeScrypt-Certifying
Authority; (2) National Informatics Centre-Certifying Authority; (3) Tata
Consultancy- Services Certifying Authorities; (4) Institute for Research and
Development in Banking Technology-Certifying Authority; (5) Customs and Central
Excise-Certifying Authority; (6) Mahanagar Telephone Nigam Limited-Certifying
Authority; and (7) n(Code) Solutions CA (GNFC).
The CCA also maintains the National Repository of Digital Certificates (NRDC), as
required under the IT Act 2000 that contains all the certificates issued by all the CAs
in India. The CCA operates its signing activity through the Root Certifying Authority
of India (RCAI), which is operational under stringent controls.

Public Key Cryptosystem

Asymmetric key algorithms or Public key algorithm use a different key for encryption
and decryption (Figure 13), and the decryption key cannot (practically) be derived
from the encryption key. Public key methods are important because they can be used
to distribute encryption keys or other data securely even when the parties have no
opportunity to agree on a secret key in private. All known public key methods are
quite slow, and they are usually only used to encrypt session keys, that are then used
to encrypt the bulk of the data using a symmetric encryption.

56
 Network Security-I

Figure13: Encryption and decryption process

3.4.1 RSA Public Key Algorithm (Rivest-Shamir-Adelman Algorithm)

RSA Public Key Algorithm is the most commonly used public key algorithm and this
algorithm can be used both for encryption and for signing. It is generally considered to
be secure when sufficiently long keys are used (512 bits is insecure, 768 bits is
moderately secure, and 1024 bits is good). The security of RSA relies on the difficulty
of factoring large integers. The recent advances in factoring large integers would
make RSA vulnerable. It is patented in US and the Patent expired in year 2000.

RSA Algorithm
Key Generation Algorithm

1) Generate two large random primes, p and q, of approximately equal size such
that their product n = pq is of the required bit length, e.g., 1024 bits.

2) Compute n = pq and (φ) phi = (p −1)(q −1).

3) Choose an integer e, 1 < e < phi, such that gcd(e,

phi) = 1.

4) Compute the secret exponent d, 1 < d < phi, such that

ed ≡ 1 (mod phi).

5) The public key is (n, e) and the private key is (n, d).
The values of p, q, and phi should also be kept
secret.
Where
• n is known as the modulus.
• e is known as the public exponent or encryption
exponent.
• d is known as the secret exponent or decryption
exponent.

Encryption
Sender A does the following:
1) Obtains the recipient B’s public key (n, e).
2) Represents the plaintext message as a positive
integer m.
3) Computes the ciphertext c = m^e mod n.
4) Sends the ciphertext c to B.

57
Transport Layer and Decryption
Application Layer Services
Recipient B does the following:
1) Uses his private key (n, d) to compute m = c^d
mod n.
2) Extracts the plaintext from the integer representative m.

Summary of RSA
• n = pq where p and q are distinct primes.
• phi, φ = (p-1)(q-1)
• e < n such that gcd(e, phi)=1
• d = e^-1 mod phi.
• c = m^e mod n, 1<m<n.
• m = c^d mod n.

Example RSA Algorithm

Let us select two prime numbers, p = 7 and q= 17. Keys are generated as follows:

1. Two prime numbers, p = 7 and q = 17

2. n = pq = 7 x17 = 119
3. P(n) = (p-1) (q-1) = (7-1) (17-1) = 6 x 16 = 96
4. Find e which is relatively prime to φ(n) = 96 and less than φ(n).
e = 5 for this case
5. Find d such that d.e = 1 mod 96 and d<96 d = 77
6. So, public key in = [5,119] and private key is = [77, 119]

Encryption and Decryption using RSA algorithm

Encryption: Let plain text input of M = 19

Cipher text C = Me(mod n )
2476099
= 195 (mod119) =
119
= 20807 with remainder of 66
Cipher Tex t= 66

Decryption:

M=cd(modn)
= 6677(mod 119)
= 19

3.4.2 Diffie-Hellman

Diffie-Hellman is a commonly used public-key algorithm for key exchange. It is

generally considered to be secure when sufficiently long keys and proper generators
are used. The security of Diffie-Hellman relies on the difficulty of the discrete
logarithm problem (which is believed to be computationally equivalent to factoring
large integers). Diffie-Hellman is claimed to be patented in the United States, but the
patent expired on April 29, 1997. There are also strong rumours that the patent might
in fact be invalid (there is evidence of it having been published over an year before the
patent application was led). Diffie-Hellman is sensitive to the selection of the strong
prime, size of the secret exponent, and the generator.

58
The “Diffie-Hellman Method For Key Agreement” allow two hosts to create and Network Security-I
share a secret key.
1) First the hosts must get the “Diffie-Hellman parameters”. A prime number, ‘p’
(larger than 2) and “base”, ‘g’, an integer that is smaller than ‘p’. They can
either be hard coded or fetched from a server.

2) The hosts each secretly generate a private number called ‘x’, which is less than
“p – 1”.

3) The hosts next generate the public keys, ‘y’. They are created with the function:
y = g^x % p

4) The two host now exchange the public keys (‘y’) and the exchanged numbers
are converted into a secret key, ‘z’.
z = y^x % p

‘z’ can now be used as the key for whatever encryption method is used to
transfer information between the two hosts. Mathematically, the two hosts
should have generated the same value for ‘z’.
z = (g^x % p)^x' % p = (g^x' % p)^x % p

All of these numbers are positive integers

x^y means: x is raised to the y power

x%y means: x is divided by y and the remainder is returned

Example:

Prime Number p = 353 and primitive root of 353, in this case is g = 3. Let A is sender
B is receives A & B select secret key as XA = 97 and XB = 233. Now A & B
computes their public keys. YA = 3233. Now A & B computes their public keys.
YA = 397 mod 353 = 40
YB = 3233 mod 353 = 248

After exchanging their public keys, A & B can compute the common secret key:
A computes:

Z=(YB) mod 253

B computes = 24897 mod 353 = 160
Z = (YA)xbmod353 = 40233 mod 353 = 160

3.4.3 Elliptic Curve Public Key Cryptosystems

Elliptic Curve Public Key Cryptosystems is an emerging field. They have been slow
to execute, but have become feasible with modern computers. They are considered to
be fairly secure, but haven’t yet undergone the same scrutiny as done on RSA
algorithm.

The Public-Key cryptography systems use hard-to-solve problems as the basis of the
algorithm. The most predominant algorithm today for public-key cryptography is
RSA, based on the prime factors of very large integers. While RSA can be
successfully attacked, the mathematics of the algorithm has not been comprised, per
se; instead, computational brute-force attacks have broken the keys. The protection

59
Transport Layer and mechanism is “simple” — keep the size of the integer to be factored ahead of the
Application Layer Services computational curve!
In 1985, cryptographers Victor Miller (IBM) and Neal Koblitz (University of
Washington) proposed the Elliptic Curve Cryptography (ECC) independently
(as shown in Figure 14). ECC is based on the difficulty of solving the Elliptic Curve
Discrete Logarithm Problem (ECDLP). Like the prime factorisation problem, ECDLP
is another “hard” problem that is deceptively simple to state: Given two points, P and
Q, on an elliptic curve, find the integer n, if it exists, such that P = nQ.
Elliptic curves combine number theory and algebraic geometry. These curves can be
defined over any field of numbers (i.e., real, integer, complex), although, we generally
see them used over finite fields for applications in cryptography. An elliptic curve
consists of the set of real numbers (x, y) that satisfies the equation:

y2 = x3 + ax + b
The set of all the solutions to the equation forms the elliptic curve. Changing a and b
changes the shape of the curve, and small changes in these parameters can result in
major changes in the set of (x,y) solutions.

Figure14: Elliptic Curve Cryptography

The figure above shows the addition of two points on an elliptic curve. Elliptic curves
have the interesting property that adding two points on the elliptic curve yields a third
point on the curve. Therefore, adding two points, P1 and P2, gets us to point P3, also
on the curve. Small changes in P1 or P2 can cause a large change in the position of
P3.
Let us analyse the original problem as stated above. The point Q is calculated as a
multiple of the starting point, P, or, Q = nP. An attacker might know P and Q but
finding the integer, n, is a difficult problem to solve. Q is the public key, then, and n is
the private key.
RSA has been the mainstay of PKC for over two decades. But ECC is exciting
because of their potential to provide similar levels of security compared to RSA but

60
with significantly reduced key sizes. Certicom Corp. (http://www.certicom.com/), one Network Security-I
of the major proponents of ECC, suggests the key size relationship between ECC and
RSA as per the following table:

ECC and RSA Key Comparison

Time to Break RSA:ECC Key-
RSA Key ECC Key
Key Size
Size Size
(MIPS Years) Ratio
512 104 106 5:1
768 108 132 6:1
1,024 1011 160 7:1
2,048 1020 210 10:1
21,000 1078 600 35:1

Since the ECC key sizes are so much shorter than comparable RSA keys, the length of
the public key and private key is much shorter in elliptic curve cryptosystems.
Therefore, this results in faster processing, and lower demands on memory and
bandwidth. In practice, the final results are not yet in; RSA, Inc. notes that ECC is
faster than RSA for signing and decryption, but slower than RSA for signature
verification and encryption.
Nevertheless, ECC is particularly useful in applications where memory, bandwidth,
and/or computational power is limited (e.g., a smartcard) and it is in this area that
ECC use is expected to grow.

3.4.4 DSA

DSS (Digital Signature Standard): A signature-only mechanism endorsed by the

United States Government. Its design has not been made public, and many people
have found potential problems with it (e.g., leaking hidden data, and revealing your
secret key if you ever happen to sign two different messages using the same random
number).
The DSA is used by a signatory to generate a digital signature on data and by a
verifier to verify the authenticity of the signature. Each signatory has a public and
private key. The private key is used in the signature generation process and the public
key is used in the signature verification process. For both signature generation and
verification, the data which is referred to as a message, M, is reduced by means of the
Secure Hash Algorithm (SHA) specified in FIPS YY. An adversary, who does not
know the private key of the signatory, cannot generate the correct signature of the
signatory. In other words, signatures cannot be forged. However, by using the
signatory’s public key, anyone can verify a correctly signed message.
A means of associating public and private key pairs for the corresponding users is
required. That is, there must be a binding of a user’s identity and the user’s public key.
A mutually trusted party may certify this binding. For example, a certifying authority
could sign credentials containing a user’s public key and identity to form a certificate.
Systems for certifying credentials and distributing certificates are beyond the scope of
this standard. NIST intends to publish separate document(s) on certifying credentials
and distributing certificates.

The DSA makes use of the following parameters:

61
Transport Layer and 1) p = a prime modulus, where 2L-1 < p < 2L for 512 = < L = <1024 and L a
Application Layer Services multiple of 64
2) q = a prime divisor of p - 1, where 2159 < q < 2160
3) g = h(p-1)/q mod p, where h is any integer with 1 < h < p - 1 such that h(p-1)/q mod
p > 1(g has order q mod p)
4) x = a randomly or pseudorandomly generated integer with 0 < x < q
5) y = gx mod p
6) k = a randomly or pseudorandomly generated integer with 0 < k < q

The integers p, q, and g can be public and can be common to a group of users. A
user’s private and public keys are x and y, respectively. They are normally fixed for a
period of time. Parameters x and k are used for signature generation only, and must be
kept secret. Parameter k must be regenerated for each signature.

The signature of a message M is the pair of numbers r and s computed according to

the equations below:
r = (gk mod p) mod q and
s = (k-1(SHA(M) + xr)) mod q.

In the above, k-1 is the multiplicative inverse of k, mod q; i.e., (k-1 k) mod q = 1 and
0 < k-1 < q. The value of SHA (M) is a 160-bit string output by the Secure Hash
Algorithm specified in FIPS 180. For use in computing s, this string must be
converted to an integer.

As an option, one may wish to check if r = 0 or s = 0. If either r = 0 or s = 0, a new

value of k should be generated and the signature should be recalculated (it is
extremely unlikely that r = 0 or s = 0 if signatures are generated properly).

The signature is transmitted along with the message to the verifier.

Prior to verifying the signature in a signed message, p, q and g plus the sender’s
public key and identity are made available to the verifier after proper authentication.

Let M’, r’ and s’ be the received versions of M, r, and s, respectively, and let y be the
public key of the signatory. To verify first check to see that 0 < r’ < q and 0 < s’ < q;
if either condition is violated, the signature shall be rejected. If these two conditions
are satisfied, the verifier computes:

w = (s')-1 mod q

u1 = ((SHA(M')w) mod q

u2 = ((r')w) mod q

v = (((g)ul (y)u2) mod p) mod q.

If v = r', then the signature is verified and the verifier can have high confidence that
the received message was sent by the party holding the secret key x corresponding to
y. For a proof that v = r' when M' = M, r' = r, and s' = s, see Appendix 1.

62
If v does not equal r', then the message may have been modified, the message may Network Security-I
have been incorrectly signed by the signatory, or the message may have been signed
by an impostor. The message should be considered invalid.

ElGamal public key cryptosystem. Based on the discrete logarithm problem.

ElGamal consists of three components: the key generator, the encryption algorithm,
and the decryption algorithm.

The key generator works as follows:

• Alice generates an efficient description of a cyclic group G of order q with
generator g. See below for specific examples of how this can be done.
• Alice chooses a random x from {0,...,q - 1}.
• Alice computes h = gx.
• Alice publishes h, along with the description of G,q,g, as her public key. Alice
retains x as her secret key.

The encryption algorithm works as follows: to encrypt a message m to Alice under her
public key (G,q,g,h),
• Bob converts m into an element of G.
• Bob chooses a random k from {0,...,q - 1}, then calculates c1 = gk and
.
• Bob sends the ciphertext (c1,c2) to Alice.
The decryption algorithm works as follows: to decrypt a ciphertext (c1,c2) with her
secret key x,
• Alice computes as the plaintext message.

Note that the decryption algorithm does indeed produce the intended message since:

If the space of possible messages is larger than the size of G, then the message can be
split into several pieces and each piece can be encrypted independently. Typically,
however, a short key to a symmetric-key cipher is first encrypted under ElGamal, and
the (much longer) intended message is encrypted more efficiently using the
symmetric-key cipher — this is termed hybrid encryption.

3.5 MATHEMATICAL BACKGROUND

In this section, we will find out mathematical background from mathematical
Algorithms.

3.5.1 Exclusive OR (XOR)

Exclusive OR (XOR) is one of the fundamental mathematical operations used in
cryptography (and many other applications). George Boole, a mathematician in the
late 1800s, invented a new form of “algebra” that provides the basis for building
electronic computers and microprocessor chips. Boole defined a bunch of primitive

63
Transport Layer and logical operations where there are one or two inputs and a single output depending
Application Layer Services upon the operation; the input and output are either TRUE or FALSE. The most
elemental Boolean operations are:

• NOT: The output value is the inverse of the input value (i.e., the output is
TRUE if the input is false, FALSE if the input is true).
• AND: The output is TRUE if all inputs are true, otherwise FALSE. (e.g., “the
sky is blue AND the world is flat” is FALSE while “the sky is blue AND
security is a process” is TRUE.)
• OR: The output is TRUE if either or both inputs are true, otherwise FALSE.
(e.g., “the sky is blue OR the world is flat” is TRUE and “the sky is blue OR
security is a process” is TRUE).
• XOR (Exclusive OR): The output is TRUE if exactly one of the inputs is
TRUE, otherwise FALSE. (e.g., “the sky is blue XOR the world is flat” is
TRUE while “the sky is blue XOR security is a process” is FALSE.)

In computers, Boolean logic is implemented in logic gates; for design purposes, XOR
has two inputs and a single output, and its logic diagram looks like this:

XOR 0 1

0 0 1

1 1 0

So, in an XOR operation, the output will be a 1 if one input is a 1; otherwise, the
output is 0. The real significance of this is to look at the “identity properties” of XOR.
In particular, any value XORed with itself is 0 and any value XORed with 0 is just
itself. Why does this matter? Well, if I take my plaintext and XOR it with a key, I get
a jumble of bits. If I then take that jumble and XOR it with the same key, I return to
the original plaintext.

3.5.2 The Modulo Function

The modulo function is, simply, the remainder function. It is commonly used in
programming and is critical to the operation of any mathematical function using
digital computers.
To calculate X modulo Y (usually written X mod Y), you merely determine the
remainder after removing all multiples of Y from X. Clearly, the value X mod Y will
be in the range from 0 to Y-1.

Some examples should clear up any remaining confusion:

• 15 mod 7 = 1
• 25 mod 5 = 0
• 33 mod 12 = 9
• 203 mod 256 = 203

Modulo arithmetic is useful in crypto because it allows us to set the size of an

operation and be sure that we will never get numbers that are too large. This is an
important consideration when using digital computers.
 Check Your Progress 3

64
1) Which of the following is an example of a symmetric key algorithm? Network Security-I

(a)
(b) RSA
(c) Diffie-Hellman
(d) Knapsack

2) Which of the following is a problem with symmetric key algorithms?

(a) It is slower than asymmetric key encryption
(b) Most algorithms are kept proprietry
(c) Work factor is not a function of the key size.
(d) It provides secure distribution of the secret key.

3) Which of the following is an example of an asymmetric key algorithms?

(a) ELLIPTIC CURVE
(b) IDEA
(c) 3 DES
(d) DES

4) In public key cryptography:

(a) Only the public key can encrypt, and only the private can decrypt
(b) Only the private key can encrypt, and only the public can decrypt
(c) The public key is used to encrypt and decrypt
(d) If the public key encrypts, and only the private can decrypt.
5) In a block cipher, diffusion:
(a) Conceals the connection between the ciphertext and plaintext
(b) Spread the influence of a plaintext character over many ciphertext
characters.
(c) Cannot be accomplished
(d) Is usually implemented by non-linear S-boxes.

6) State whether following statements are True or False. T F

(a) Work factor of double DES is the same as for single DES
(b) Elliptic curse cryptosystem have a lower strength per bit than RSA.
(c) In digitally-signed message transmission using a hash function the
message digest is encrypted in the public key of the sender.

3.6 SUMMARY
Information security can be defined as technological and managerial procedures
applied to computer systems to ensure the availability, integrity, and confidentiality of
the information managed by computer. Cryptography is a particularly interesting field
because of the amount of work that is, by necessity, done in secret. The irony is that
today, secrecy is not the key to the goodness of a cryptographic algorithm. Regardless
of the mathematical theory behind an algorithm, the best algorithms are those that are
well known and well documented because they are also well tested and well studied!
In fact, time is the only true test of good cryptography; any cryptographic scheme that
stays in use year after year is most likely to be a good one. The strength of
cryptography lies in the choice and management of the keys; longer keys will resist
attack better than shorter keys.

65
Transport Layer and With the introduction of IT Act 2000, the electronic transactions and electronically
Application Layer Services signed documents are valid under the court of law. Use of PKI in India is expected to
increase rapidly and for activation of global e-commerce and so also the use of digital
signatures within domestic and other Global PKI domains. This requires the
interoperability of PKI based applications.
Digitisation of information, networking, and WWW (world wide web), has changed
the economics of information. The Copyright Act 1957 as amended up to 1999 takes
care of the technological changes that still require major amendments in order to deal
with the challenges posed by the computer storage, Internet and the digital revolution.
With India being party to Trade Related Aspects of Intellectual Properties (TRIPs),
electronic transactions of IPRs and consultancy services related to them is expected to
be a new possibility in India. This may also promote our technology base to keep pace
with global trends. As India has already enacted IT Act 2000, this allows transactions
signed electronically for e-commerce primarily to be enforced in a court of law.
Several issues arise when we consider using digital documents and exchanging them
over the Internet, such as eavesdropping, tampering, impersonation etc. All these can
be remedied with the use of public key infrastructure (PKI). However, the question of
the time when a document was created may be answered by using Digital Time
stamping service, which is based on PKI. This information may prove to be crucial for
most e-commerce legally binding transactions, in particular for supporting
non-repudiation of digitally signed transactions.

3.7 SOLUTIONS/ANSWERS

Check Your Progress 1

1) Cryptography is the service of writing in secret code. It is the key technology

used when communicating over any un-trusted medium, particularly for
Internet.

2) (i) Authentication,
(ii) Privacy/confidentiality,
(iii) Integrity, and
(iv) Non-repudiation

3) (i) Secret key (or symmetric) cryptography,

(ii) Public key (or asymmetric) cryptography, and
(iii) Hash functions

Check Your Progress 2

1) (a) 1
(b) 0
(c) Indeterminated
(d) 10

2) Breaks a message into fixed length units for encryption.

3) Variable
4) 128, 192, or 256 bits
5) Rijndael algorithm
6) Variable block feedback

66
 Network Security-I
Check Your Progress 3
1) Rijndael
2) It is slower than asymmetric key encryption
3) Elliptic Curve
4) If the public key encrypts, and only the private can decrypt
5) Spread the influence of a plaintext character over many ciphertext
characters.

6) (a) True
(b) False
(c) False

3.8 FURTHER READINGS

1) Network Security Essential - Application and standard, Willam Stallings,

Pearson Education, New Delhi.

2) Computer Networks, A.S. Tanenbaum, 4th Edition, Practice Hall of India,

New Delhi, 2002.

67