www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.

in

Detailed Notes
UNIT –I
Security Attacks (Interruption, Interception, Modification and Fabrication), Security Services
(Confidentiality, Authentication, Integrity, Non-repudiation, access Control and Availability) and
Mechanisms, A model for Internetwork security. Classical Encryption Techniques, DES, Strength
of DES, Differential and Linear Cryptanalysis, Block Cipher Design Principles and Modes of
operation, Blowfish, Placement of Encryption Function, Traffic Confidentiality, key Distribution,
Random Number Generation

Introduction:

This is the age of universal electronic connectivity, where the activities like hacking, viruses, electronic fraud
are very common. Unless security measures are taken, a network conversation or a distributed application can
be compromised easily.

Some simple examples are:

Online purchases using a credit/debit card.
A customer unknowingly being directed to a false website.
A hacker sending a message to a person pretending to be someone else.

Network Security has been affected by two major developments over the last several decades. First one is
introduction of computers into organizations and the second one being introduction of distributed systems
and the use of networks and communication facilities for carrying data between users & computers. These
two developments lead to ‘computer security’ and ‘network security’, where the computer security deals
with collection of tools designed to protect data and to thwart hackers. Network security measures are needed
to protect data during transmission. But keep in mind that, it is the information and our ability to access that
information that we are really trying to protect and not the computers and networks.

Why We Need Information Security?

Because there are threats

Threats
A threat is an object, person, or other entity that represents a constant danger to an asset

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in The 2007 CSI

survey

∙ 494 computer security practitioners

∙ 46% suffered security incidents
∙ 29% reported to law enforcement
∙ Average annual loss $350,424
∙ 1/5 suffered ‗targeted attack‘
∙ The source of the greatest financial losses?
∙ Most prevalent security problem
∙ Insider abuse of network access
∙ Email
Threat Categories

∙ Acts of human error or failure

∙ Compromises to intellectual property
∙ Deliberate acts of espionage or trespass
∙ Deliberate acts of information extortion
∙ Deliberate acts of sabotage or vandalism
∙ Deliberate acts of theft
∙ Deliberate software attack
∙ Forces of nature
∙ Deviations in quality of service
∙ Technical hardware failures or errors
∙ Technical software failures or errors
∙ Technological obsolesce

Definitions
Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

Network Security - measures to protect data during their transmission

Internet Security - measures to protect data during their transmission over a

collection of interconnected networks

our focus is on Internet Security

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

which consists of measures to deter, prevent, detect, and correct

security violations that involve the transmission & storage of
information

ASPECTS OF SECURITY

consider 3 aspects of information security:

● Security Attack
● Security Mechanism

● Security Service

SECURITY ATTACK

any action that compromises the security of information owned by

an organization

information security is about how to prevent attacks, or failing that, to

detect attacks on information-based systems

often threat & attack used to mean same thing

have a wide range of attacks

can focus of generic types of attacks

∙ Passive

∙ Active

30

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in Passive Attack

Active Attack
INTERRUPTION
An asset of the system is destroyed or becomes unavailable or unusable. It is an
attack on availability.
Examples:

Destruction of some hardware

Jamming wireless signals
Disabling file management systems
INTERCEPTION
An unauthorized party gains access to an asset. Attack on confidentiality.
Examples:
Wire tapping to capture data in a network.
Illicitly copying data or programs
Eavesdropping
MODIFICATIONWhen an unauthorized party gains access and tampers an asset. Attack is on Integrity.
4

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Examples:
Changing data file
Altering a program and the contents of a message

FABRICATION
An unauthorized party inserts a counterfeit object into the system. Attack on Authenticity. Also called
impersonation

Examples:
Hackers gaining access to a personal email and sending message
Insertion of records in data files
Insertion of spurious messages in a network

Difference between Active Attack and Passive Attack:

S.NOActive Attack Passive Attack

for Integrity as
well While in passive
as availability. attack attention
1. is on
In active attack
attention is on
While in passive
attack,
Modification in
2. 3. the information
does not take
place.
In active attack,
Modification in
information take
place.
Passive Attack is
Active Attack is danger for
danger Confidentiality. 5

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

detection. prevention.

the attack. informed about

the attack.
4. In active attack,
System resources While in passive
can be changed. attack, System
resources are not
Active attack change.
5. 6.
influence the
services of the While in passive
system. attack,
information and
In active attack, messages in the
7. information system or
collected through network are
passive attacks acquired.
are used during
executing.
While passive
Active attack is attack are
8. 9. tough to restrict performed by
from entering collecting the
systems or information such
networks. as passwords,
While due to messages by
Due to active passive attack, itself.
attack system is there is no any
always damaged. harm to the
system. Passive Attack is
easy to
In active attack,
Victim gets While in passive prohibited in
comparison to
informed about attack, Victim
does not get active attack.

SECURITY SERVICES

It is a processing or communication service that is provided by a system to give a

specific kind of production to system resources. Security services implement security
policies and are implemented by security mechanisms.

Confidentiality

Confidentiality is the protection of transmitted data from passive attacks. It is used

to prevent the disclosure of information to unauthorized individuals or systems. It has been
 defined as “ensuring that information is accessible only to those authorized to

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

have access”.
The other aspect of confidentiality is the protection of traffic flow from analysis. Ex: A credit card
number has to be secured during online transaction.

Authentication
This service assures that a communication is authentic. For a single message transmission, its
function is to assure the recipient that the message is from intended source. For an ongoing
interaction two aspects are involved. First, during connection initiation the service assures the
authenticity of both parties. Second, the connection between the two hosts is not interfered
allowing a third party to masquerade as one of the two parties. Two specific authentication
services defines in X.800 are

Peer entity authentication: Verifies the identities of the peer entities involved in communication.
Provides use at time of connection establishment and during data transmission. Provides
confidence against a masquerade or a replay attack
Data origin authentication: Assumes the authenticity of source of data unit, but does not
provide protection against duplication or modification of data units. Supports applications like
electronic mail, where no prior interactions take place between communicating entities.
Integrity
Integrity means that data cannot be modified without authorization. Like confidentiality, it can be
applied to a stream of messages, a single message or selected fields within a message. Two types of
integrity services are available. They are
Connection-Oriented Integrity Service: This service deals with a stream of
messages, assures that messages are received as sent, with no duplication, insertion, modification,
reordering or replays. Destruction of data is also covered here. Hence, it attends to both message
stream modification and denial of service.
Connectionless-Oriented Integrity Service: It deals with individual messages regardless of larger context,
providing protection against message modification only.

An integrity service can be applied with or without recovery. Because it is related to active
attacks, major concern will be detection rather than prevention. If a 7

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

violation is detected and the service reports it, either human intervention or automated recovery
machines are required to recover.
Non-repudiation
Non-repudiation prevents either sender or receiver from denying a transmitted message. This
capability is crucial to e-commerce. Without it an individual or entity can deny that he, she or it is
responsible for a transaction, therefore not financially liable.
Access Control
This refers to the ability to control the level of access that individuals or entities have to a network
or system and how much information they can receive. It is the ability to limit and control the
access to host systems and applications via communication links. For this, each entity trying to
gain access must first be identified or authenticated, so that access rights can be tailored to the
individuals.
Availability
It is defined to be the property of a system or a system resource being accessible and usable upon
demand by an authorized system entity. The availability can significantly be affected by a variety
of attacks, some amenable to automated counter measures i.e authentication and encryption and
others need some sort of physical action to prevent or recover from loss of availability of
elements of a distributed system.

SECURITY MECHANISMS
According to X.800, the security mechanisms are divided into those implemented in a specific
protocol layer and those that are not specific to any particular protocol layer or security service.
X.800 also differentiates reversible & irreversible encipherment mechanisms. A reversible
encipherment mechanism is simply an encryption algorithm that allows data to be encrypted and
subsequently decrypted, whereas irreversible encipherment include hash algorithms and message
authentication codes used in digital signature and message authentication applications

Specific Security Mechanisms

Incorporated into the appropriate protocol layer in order to provide some of the
OSI security services,
Encipherment: It refers to the process of applying mathematical algorithms for 8

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

converting data into a form that is not intelligible. This depends on algorithm used an encryption
keys.

Digital Signature: The appended data or a cryptographic transformation applied to any data unit
allowing to prove the source and integrity of the data unit and protect against forgery.
Access Control: A variety of techniques used for enforcing access permissions to the system
resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data
units.
Authentication Exchange: A mechanism intended to ensure the identity of an entity by means of
information exchange.

Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
Routing Control: Enables selection of particular physically secure routes for certain data and
allows routing changes once a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a data exchange
Pervasive Security Mechanisms
These are not specific to any particular OSI security service or protocol layer.
Trusted Functionality: That which is perceived to b correct with respect to some criteria
Security Level: The marking bound to a resource (which may be a data unit) that names or
designates the security attributes of that resource.
Event Detection: It is the process of detecting all the events related to network security. Security
Audit Trail: Data collected and potentially used to facilitate a security audit, which is an
independent review and examination of system records and activities. Security Recovery: It deals
with requests from mechanisms, such as event handling and management functions, and takes
recovery actions.

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

MODEL FOR NETWORK SECURITY

 Data is transmitted over network between two communicating parties, who must cooperate for the
exchange to take place. A logical information channel is established by defining a route through the
internet from source to destination by use of communication protocols by the two parties. Whenever
an opponent presents a threat to confidentiality, authenticity of information, security aspects come
into play. Two components are present in almost all the security providing techniques.
A security-related transformation on the information to be sent making it unreadable 10

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

by the opponent, and the addition of a code based on the contents of the message, used to verify
the identity of sender.

Some secret information shared by the two principals and, it is hoped, unknown to the opponent.
An example is an encryption key used in conjunction with the transformation to scramble the
message before transmission and unscramble it on reception

A trusted third party may be needed to achieve secure transmission. It is responsible for
distributing the secret information to the two parties, while keeping it away from any opponent. It
also may be needed to settle disputes between the two parties regarding authenticity of a message
transmission. The general model shows that there are four basic tasks in designing a particular
security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should
be such that an opponent cannot defeat its purpose
2. Generate the secret information to be used with the algorithm
3. Develop methods for the distribution and sharing of the secret information
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and
the secret information to achieve a particular security service
Various other threats to information system like unwanted access still exist. The existence of
hackers attempting to penetrate systems accessible over a network remains a concern. Another
threat is placement of some logic in computer system affecting various applications and utility
programs. This inserted code presents two kinds of threats.
Information access threats intercept or modify data on behalf of users who should not have access
to that data.
Service threats exploit service flaws in computers to inhibit use by legitimate users Viruses and
worms are two examples of software attacks inserted into the system by means of a disk or also
across the network. The security mechanisms needed to cope with unwanted access fall into two
broad categories.

Some basic terminologies used

∙ CIPHER TEXT - the coded message

∙ CIPHER - algorithm for transforming plaintext to ciphertext

∙ KEY - info used in cipher known only to sender/receiver

11

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

∙ ENCIPHER (ENCRYPT) - converting plaintext to ciphertext

∙ DECIPHER (DECRYPT) - recovering ciphertext from plaintext

∙ CRYPTOGRAPHY - study of encryption principles/methods

∙ CRYPTANALYSIS (CODEBREAKING) - the study of principles/ methods of
deciphering ciphertext without knowing key

∙ CRYPTOLOGY - the field of both cryptography and cryptanalysis

CRYPTOGRAPHY
Cryptographic systems are generally classified along 3 independent dimensions: Type of operations
used for transforming plain text to cipher text

All the encryption algorithms are abased on two general principles: substitution, in which each
element in the plaintext is mapped into another element, and transposition, in which elements in
the plaintext are rearranged.

The number of keys used

If the sender and receiver uses same key then it is said to be symmetric key (or) single key (or)
conventional encryption. If the sender and receiver use different keys then it is said to be public
key encryption.

The way in which the plain text is processed

A block cipher processes the input and block of elements at a time, producing output block for
each input block. A stream cipher processes the input elements continuously, producing output
element one at a time, as it goes along.

CRYPTANALYSIS

The process of attempting to discover X or K or both is known as cryptanalysis. The strategy used by the
cryptanalysis depends on the nature of the encryption scheme and the information available to the
cryptanalyst. There are various types of cryptanalytic attacks based on the amount of information
known to the cryptanalyst.

Cipher text only – A copy of cipher text alone is known to the cryptanalyst.

12

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Known plaintext – The cryptanalyst has a copy of the cipher text and the corresponding
plaintext.
Chosen plaintext – The cryptanalysts gains temporary access to the encryption machine. They
cannot open it to find the key, however; they can encrypt a large number of suitably chosen
plaintexts and try to use the resulting cipher texts to deduce the key.

Chosen cipher text – The cryptanalyst obtains temporary access to the decryption machine, uses
it to decrypt several string of symbols, and tries to use the results to deduce the key.

CLASSICAL ENCRYPTION TECHNIQUES

There are two basic building blocks of all encryption techniques: substitution and transposition.
SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other letters or by
numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with cipher text bit patterns.
CAESAR CIPHER
The earliest known use of a substitution cipher and the simplest was by Julius Caesar. The Caesar
cipher involves replacing each letter of the alphabet with the letter standing 3 places further down
the alphabet. e.g., plain text : pay more money Cipher text: SDB PRUH PRQHB
Note that the alphabet is wrapped around,
so that letter following „z‟ is „a‟.
For each plaintext letter p, substitute the cipher text letter c
such that C = E(p) = (p+3) mod 26
A shift may be any amount, so that general Caesar algorithm is C = E (p) = (p+k) mod 26 Where
k takes on a value in the range 1 to 25.
The decryption algorithm is simply P = D(C) = (C-k) mod 26
MONOALPHABETIC CIPHERS
Here, Plaintext characters are substituted by a different alphabet stream of 13

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

characters shifted to the right or left by n positions. When compared to the Caesar ciphers, these
monoalphabetic ciphers are more secure as each letter of the ciphertext can be any permutation of
the 26 alphabetic characters leading to 26! or greater than 4 x 1026 possible keys. But it is still
vulnerable to cryptanalysis, when a cryptanalyst is aware of the nature of the plaintext, he can
find the regularities of the language. To overcomethese attacks, multiple substitutions for a single
letter are used. For example, a letter can be substituted by different numerical cipher symbols
such as 17, 54, 69….. etc. Even this method is not completely secure as each letter in the plain
text affects on letter in the ciphertext.
Or, using a common key which substitutes every letter of the plain text.
The key ABCDEFGHIIJ
KLMNOPQRSTUVWXYZ QWERTYUIIOPAS
DFGHJ KLZXCV BNM

Would encrypt the message

II think therefore II am
into
OZIIOFAZIITKTYGKTOQD

But any attacker would simply break the cipher by using frequency analysis by observing the
number of times each letter occurs in the cipher text and then looking upon the English letter
frequency table. So, substitution cipher is completely ruined by these attacks. Monoalphabetic
ciphers are easy to break as they reflect the frequency of the original alphabet. A countermeasure
is to provide substitutes, known as homophones for a single letter.

PLAYFAIR CIPHERS
It is the best known multiple –letter encryption cipher which treats digrams in the plaintext as single
units and translates these units into ciphertext digrams. The Playfair Cipher is a digram substitution
cipher offering a relatively weak method of encryption. It was used for tactical purposes by British
forces in the Second Boer War and in World War I and for the same purpose by the Australians and
Germans during World War II. This was because Playfair is reasonably fast to use and requires no
special equipment. A typical scenario for Playfair use would be to protect important but non-critical
secrets during actual combat. By the time the enemy cryptanalysts could break the message, the 14

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
information was useless to them. It is based around a 5x5 matrix, a copy of which is held by both
communicating parties, into which 25 of the 26 letters of the alphabet (normally either j and i are
represented by the same letter or x is ignored) are placed in a random fashion. For example, the
plain text is Shi Sherry loves Heath Ledger and the agreed key is sherry. The matrix will be built
according to the following rules.
∙ in pairs,
∙ without punctuation,
∙ All Js are replaced with Is.

SH IS HE RR YL OV ES HE AT HL ED GE R

∙ Double letters which occur in a pair must be divided by an X or a Z.

∙ E.g. LI TE RA LL Y LI TE RA LX LY

SH IS HE RX RY LO VE SH EA TH LE DG ER The alphabet square is prepared using, a 5*5

matrix, no repetition letters, no Js and key is written first followed by the remaining alphabets with
no i and j.

SHERY
ABCDF
GIKLM
NOPQT
UVWXZ
For the generation of cipher text, there are three rules to be followed by each pair of letters.

letters appear on the same row： replace them with the letters to their immediate right
respectively

letters appear on the same column： replace them with the letters immediately below
respectively

not on the same row or column： replace them with the letters on the same row respectively
but at the other pair of corners of the rectangle defined by the original pair. Based on the above
three rules, the cipher text obtained for the given plain text is
15
www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

HE GH ER DR YS IQ WH HE SC OY KR AL RY
Another example which is simpler than the above one can be given as: Here, key word is playfair.
Plaintext is Hellothere hellothere becomes -------he lx lo th er ex .

Applying the rules again, for each pair, If they are in the same row, replace each with the letter to
its right (mod 5)
he
If they are in the same column, replace each with the letter below it (mod 5)
lo

RV

Otherwise, replace each with letter we’d get if we swapped their column indices
lx
YV

So the cipher text for the given plain text is KG YV RV QM GI KU

To decrypt the message, just reverse the process. Shift up and left instead of down and
right. Drop extra x’s and locate any missing I’s that should be j’s. The message will be
back into the original readable form. no longer used by military forces because of the
advent of digital encryption devices. Playfair is now regarded as insecure for any purpose
because modern hand-held computers could easily break the cipher within seconds.
HILL CIPHER
 It is also a multi letter encryption cipher. It involves substitution of ‘m’ ciphertext
letters for ‘m’ successive plaintext letters. For substitution purposes using ‘m’ linear
equations, each of the characters are assigned a numerical values i.e. a=0, b=1, c=2,
d=3,…….z=25. For example if m=3, the system can be defined as: c1 = (k11p1 + k12p2 +
k13p3) mod 26 c2 = (k21p1 + k22p2 + k23p3) mod 26 c3 = (k31p1 + k32p2 + k33p3) mod 26 If we
represent in matrix form, the above statements as matrices and column vectors:

16

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Thus, C = KP mod26, where C= Column vectors of length 3 P = Column vectors of length 3 K

= 3x3 encryption key matrix. For decryption process, inverse of matrix K i.e. K-1 is required which
is defined by the equation KK-1 = K-1K = I, where I is the identity matrix that contains only 0’s and
1’s as its elements. Plaintext is recovered by applying K-1 to the cipher text. It is expressed as C =
EK(P) = KP mod26 P = DK(C) = K-1C mod26. = K-1KP = IP = P

Example: The plain text is I can’t do it and the size of m is 3 and key K is chosen as following
17

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 The main
advantages of hill cipher are given below:
It
perfectly hides single-letter frequencies.

Use of 3x3 Hill ciphers can perfectly hide both the single letter and two-letter frequency
information.

Strong enough against the attacks made only on the cipher text.
But, it still can be easily broken if the attack is through a known plaintext. 18
www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

POLYALPHABETIC CIPHERS
In order to make substitution ciphers more secure, more than one alphabet can be used. Such
ciphers are called polyalphabetic, which means that the same letter of a message can be
represented by different letters when encoded. Such a one-to-many correspondence makes the use
of frequency analysis much more difficult in order to crack the code. We describe one such cipher
named for Blaise de Vigenere a 16-th century Frenchman. The Vigenere cipher is a
polyalphabetic cipher based on using successively shifted alphabets, a different shifted alphabet
for each of the 26 English letters. The procedure is based on the tableau shown below and the use
of a keyword. The letters of the keyword determine the shifted alphabets used in the encoding
process.

For the message COMPUTING GIVES INSIGHT and keyword LUCKY we proceed by repeating
the keyword as many times as needed above the message, as follows.
 19

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Encryption is simple: Given a key letter x and a plaintext letter y, the ciphertext letter is at the
intersection of the row labeled x and the column labeled y; so for L, the ciphertext letter would be
N. So, the ciphertext for the given plaintext would be given as:

Decryption is equally simple: The key letter again identifies the row and position of ciphertext
letter in that row decides the column and the plaintext letter is at the top of that column. The
strength of this cipher is that there are multiple ciphetext letters for each plaintext letter, one for
each unique letter of the keyword and thereby making the letter frequency information is
obscured. Still, breaking this cipher has been made possible because this reveals some
mathematical principles that apply in cryptanalysis. To overcome the drawback of the periodic
nature of the keyword, a new technique is proposed which is referred as an autokey system, in
which a key word is concatenated with the plaintext itself to provide a running key. For ex In the
above example, the key would be luckycomputinggivesin Still, this scheme is vulnerable to
cryptanalysis as both the key and plaintext share the same frequency distribution of letters
allowing a statistical technique to be applied. Thus, the ultimate defense against such a
cryptanalysis is to choose a keyword that is as long as plaintext and has no statistical relationship
to it. A new system which works on binary data rather than letters is given as
Ci = pi ki where, pi = ith binary digit of plaintext ki = ith binary digit of key Ci= ith binary digit of
ciphertext
= exclusive-or operation. Because of the properties of XOR, decryption is done by performing the
same bitwise operation.
pi = Ci ki A very long but, repeation key word is used making cryptanalysis difficult.

TRANSPOSITION TECHNIQUES

All the techniques examined so far involve the substitution of a cipher text symbol for a plaintext
symbol. A very different kind of mapping is achieved by performing some sort of permutation on
the plaintext letters. This technique is referred to as a transposition cipher.

20

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Rail fence is simplest of such cipher, in which the plaintext is written down as a sequence of
diagonals and then read off as a sequence of rows.

Plaintext = meet at the school house

To encipher this message with a rail fence of depth 2,

We write the message as follows: m e a t e c o l o s e t t h s h o h u e

The encrypted message is MEATECOLOSETTHSHOHUE

Row Transposition Ciphers-A more complex scheme is to write the message in a rectangle, row
by row, and read the message off, column by column, but permute the order of the columns. The
order of columns then becomes the key of the algorithm.

e.g., plaintext = meet at the school

house Key = 4 3 1 2 5 6 7

PT = m e e t a t t h e s c h o o l h o u s e

CT = ESOTCUEEHMHLAHSTOETO

A pure transposition cipher is easily recognized because it has the same letter frequencies as the
original plaintext. The transposition cipher can be made significantly more secure by performing
more than one stage of transposition. The result is more complex permutation that is not easily
reconstructed.

STEGANOGRAPHY
A plaintext message may be hidden in any one of the two ways. The methods of steganography
conceal the existence of the message, whereas the methods of cryptography render the message
unintelligible to outsiders by various transformations of the text. A simple form of steganography,
but one that is time consuming to construct is one in which an arrangement of words or letters
within an apparently innocuous text spells out the real message. e.g., (i) the sequence of first
letters of each word of the overall message spells out the real (hidden) message. (ii) Subset of the
words of the overall message is used to convey the hidden message. Various other techniques
have been used historically, some of them are

21

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

∙ Character marking – selected letters of printed or typewritten text are overwritten in pencil.
The marks are ordinarily not visible unless the paper is held to an angle to bright light.
∙ Invisible ink – a number of substances can be used for writing but leave no visible trace until
heat or some chemical is applied to the paper.
∙ Pin punctures – small pin punctures on selected letters are ordinarily not visible unless the
paper is held in front of the light.
∙ Typewritten correction ribbon – used between the lines typed with a black ribbon, the results
of typing with the correction tape are visible only under a strong light.

Drawbacks of Steganography
∙ Requires a lot of overhead to hide a relatively few bits of information.
∙ Once the system is discovered, it becomes virtually worthless.

CONVENTIONAL ENCRYPTION PRINCIPLES

A Conventional/Symmetric encryption scheme has five ingredients

1. Plain Text: This is the original message or data which is fed into the algorithm as input.

2. Encryption Algorithm: This encryption algorithm performs various substitutions and

transformations on the plain text.

3. Secret Key: The key is another input to the algorithm. The substitutions and transformations
performed by algorithm depend on the key.
4.Cipher Text: This is the scrambled (unreadable) message which is output of the encryption algorithm.
This cipher text is dependent on plaintext and secret key. For a given plaintext, two different keys
produce two different cipher texts.

5. Decryption Algorithm: This is the reverse of encryption algorithm. It takes the cipher text and secret
key as inputs and outputs the plain text.

22

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
The important point is that the security of conventional encryption depends on the secrecy of the

key, not the secrecy of the algorithm i.e. it is not necessary to keep the algorithm secret, but only

the key is to be kept secret. This feature that algorithm need not be kept secret made it feasible for

wide spread use and enabled

manufacturers develop low cost chip implementation of data encryption algorithms. With the use

of conventional algorithm, the principal security problem is maintaining the secrecy of the key.

FEISTEL CIPHER STRUCTURE

The input to the encryption algorithm are a plaintext block of length 2w bits and a key K. the
plaintext block is divided into two halves L0 and R0. The two halves of the data pass through „n‟
rounds of processing and then combine to produce the ciphertext block. Each round „i‟ has inputs
Li-1 and Ri-1, derived from the previous round, as well as the subkey Ki, derived from the overall
key K. in general, the subkeys Ki are different from K and from each other.
All rounds have the same structure. A substitution is performed on the left half of
23

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

the data (as similar to S-DES). This is done by applying a round function F to the right half
of the data and then taking the XOR of the output of that function and the left half of the data. The
round function has the same general structure for each round but is parameterized by the round
subkey ki. Following this substitution, a permutation is performed that consists of the interchange
of the two halves of the data. This structure is a particular form of the substitution-permutation
network. The exact realization of a Feistel network depends on the choice of the following
parameters and design features:
∙ Block size - Increasing size improves security, but slows cipher
∙ Key size - Increasing size improves security, makes exhaustive key searching harder, but may
slow cipher
∙ Number of rounds - Increasing number improves security, but slows cipher
∙ Subkey generation - Greater complexity can make analysis harder, but slows
cipher
∙ Round function - Greater complexity can make analysis harder, but slows cipher ∙ Fast software
en/decryption & ease of analysis - are more recent concerns for
practical use and testing

24

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 The process of decryption is essentially the same as the encryption process. The rule is as follows:

use the cipher text as input to the algorithm, but use the subkey ki in reverse order. i.e., kn in the

first round, kn-1 in second round and so on. For clarity, we use the notation LEi and REi for data

traveling through the decryption algorithm. The diagram below indicates that, at each round, the

intermediate value of the decryption process is same (equal) to the corresponding value of the

encryption process with two halves of the value swapped.

25

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in i.e.,

REi || LEi (or) equivalently RD16-i || LD16-i

After the last iteration of the encryption process, the two halves of the output are swapped, so that
the cipher text is RE16 || LE16. The output of that round is the cipher text. Now take the cipher text

and use it as input to the same algorithm. The input to the first round is RE16 || LE16, which is

equal to the 32-bit swap of the output of the sixteenth round of the encryption process. Now we

will see how the output of the first round of the decryption process is equal to a 32-bit swap of the

input to the sixteenth round of the encryption process.

First consider the encryption

process, LE16 = RE15

RE16 = LE15(+) F (RE15, K16)

On the decryption side, LD1 =RD0 = LE16 =RE15

RD1 = LD0 (+) F (RD0, K16)= RE16 F (RE15, K16)= [LE15 F

(RE15, K16)] F (RE15, K16)= LE15

Therefore, LD1 = RE15 RD1 = LE15 In general, for the ith iteration of the encryption algorithm, LEi =

REi-1 REi = LEi-1 F (REi-1, Ki)

Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap

recovers the original plaintext.

DEFINITIONS
Encryption: Converting a text into code or cipher.

Converting computer data and messages into something, incomprehensible use a key, so that only

a holder of the matching key can reconvert them.

Conventional or Symmetric or Secret Key or Single Key encryption:

26

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Uses the same key for encryption & decryption.

Public Key encryption: Uses different keys for encryption & decryption Conventional

Encryption Principles

∙ An encryption scheme has five ingredients:

1. Plaintext – Original message or data.

2. Encryption algorithm – performs substitutions & transformations on plaintext. 3. Secret Key –

exact substitutions & transformations depend on this

4. Ciphertext - output ie scrambled input.

5. Decryption algorithm - converts ciphertext back to plaintext.

SIMPLIFIED DATA ENCRYPTION STANDARD (S-DES)

27
www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

The figure above illustrates the overall structure of the simplified DES. The S
DES encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-bit key
as input and produces an 8-bit block of ciphertext as output. The S-DES decryption algorithm
takes an 8-bit block of ciphertext and the same 10-bit key used to produce that ciphertext as input
and produces the original 8-bit block of plaintext.

The encryption algorithm involves five functions:

∙ an initial permutation (IP)

∙ a complex function labeled fk, which involves both permutation and

substitution operations and depends on a key input

∙ a simple permutation function that switches (SW) the two halves of the data

∙ the function fk again

∙ a permutation function that is the inverse of the initial permutation

The function fk takes as input not only the data passing through the encryption algorithm, but also
an 8-bit key. Here a 10-bit key is used from which two 8-bit subkeys are generated. The key is
first subjected to a permutation (P10). Then a shift operation is performed. The output of the shift
operation then passes through a permutation function that produces an 8-bit output (P8) for the
first subkey (K1). The output of the shift operation also feeds into another shift and another
instance of P8 to produce the second subkey (K2).
The encryption algorithm can be expressed as a composition composition1 of functions: IP-1 ο fK2 ο
SW ο fk1 ο IP
Which can also be written as
Ciphertext = IP-1 (fK2 (SW (fk1 (IP (plaintext)))))
Where

K1 = P8 (Shift (P10 (Key)))

K2 = P8 (Shift (shift (P10 (Key))))
Decryption can be shown as
Plaintext = IP-1 (fK1 (SW (fk2 (IP (ciphertext)))))
28

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key, two
8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm.
First, permute the key in the following fashion. Let the 10-bit key be designated as (k1, K2, k3, k4,
k5, k6, k7, k8, k9, k10).
Then the permutation P10 is defined as:
P10 (k1, K2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, K2, k7, k4, k10 10, k1, k9, k8, k6) P10 can be
concisely defined by the display:

P10

3 5 2 7 4 10 1 9 8 6
This table is read from left to right; each position in the table gives the identity of the input bit
that produces the output bit in that position. So the first output bit is bit 3 of the input; the second
output bit is bit 5 of the input, and so on. For example, the key (1010000010) is permuted to
(10000 01100). Next, perform a circular left shift (LS-1), or rotation, separately on the first five
bits and the second five bits. In our example, the result is (00001 11000). Next we apply P8,
which picks out and permutes 8 of the 10 bits according to the following rule:

P8

6 3 7 4 8 5 10 9

29

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

The result is subkey 1 (K1). In our example, this yields (10100100). We then go back to the pair
of 5-bit strings produced by the two LS-1 functions and performs a circular left shift of 2 bit
positions on each string. In our example, the value (00001 11000) becomes (00100 00011).
Finally, P8 is applied again to produce K2. In our example, the result is (01000011).

S-DES encryption
Encryption involves the sequential application of five functions.
Initial and Final Permutations The input to the algorithm is an 8-bit block of plaintext, which we
first permute using the IP function:

IP

2 6 3 1 4 8 5 7

This retains all 8 bits of the plaintext but mixes them up.
Consider the plaintext to be 11110011.
Permuted output = 10111101
At the end of the algorithm, the inverse permutation is used:
 IP –1

4 1 3 5 7 2 8 6

The Function fk

The most complex component of S-DES is the function fk, which consists of a combination of
permutation and substitution functions. The functions can be expressed as follows. Let L and R be
the leftmost 4 bits and rightmost 4 bits of the 8-bit input to f K, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings.
Then we let fk(L, R) = ( L (+) F( R, SK), R)
Where SK is a subkey and (+) is the bit-by-bit exclusive-OR function.
e.g., permuted output = 1011 1101 and suppose F (1101, SK) = (1110) for some key SK. Then f
K(10111101) = 10111110, 1101 = 01011101
We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is
an expansion/permutation operation:

E/P

4 1 2 3 2 3 4 1

30

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in R=

1101 E/P output = 11101011 It is clearer to depict the result in this fashion:

The 8-bit subkey K1 = (k11, k12 12, k13 13, k14 14, k15 15, k16 16, k17 17, k18) is added to this
value using exclusive-OR:
Let us rename these 8 bits:

The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2- bit
output, and the remaining 4 bits (second row) are fed into S1 to produce another 2- bit output.

These two boxes are defined as follows:

The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number that
specify a row of the S-box, and the second and third input bits specify a column of the S-box. The
entry in that row and column, in base 2, is the 2-bit output. For example, if (p0,0 p0,3) = ) (00)
and ( p0,1 p0,2) = (10), then the output is from row 0, column 2 of S0, which is 3, or (11) in )
binary. Similarly, (p1,0 p1,3) and ( p1,1 p1,2) are used to index into a row and column of S1 to
produce an additional 2 bits. Next, the 4 bits produced by S0 and S1 undergo a further
permutation as follows:

P4

2 4 3 1

The output of P4 is the output of the function F.

31

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

The Switch Function The function f K only alters the leftmost 4 bits of the input. The switch
function (SW) interchanges the left and right 4 bits so that the second instance of f K operates on a
different 4 bits. In this second instance, the E/P, S0, S1, and P4 functions are the same. The key
input is K2. Finally apply inverse permutation to get the ciphertext.
DATA ENCRYPTION STANDARD (DES)

The main standard for encrypting data was a symmetric algorithm known as the Data Encryption
Standard (DES). However, this has now been replaced by a new standard known as the Advanced
Encryption Standard (AES) which we will look at later. DES is a 64 bit block cipher which means
that it encrypts data 64 bits at a time. This is contrasted to a stream cipher in which only one bit at a
time (or sometimes small groups of bits such as a byte) is encrypted. DES was the result of a
research project set up by International Business Machines (IBM) corporation in the late 1960’s
which resulted in a cipher known as LUCIFER. In the early 1970’s it was decided to commercialize
LUCIFER and a number of significant changes were introduced. IBM was not the only one involved
in these changes as they sought technical advice from the National Security Agency (NSA) (other
outside consultants were involved but it is likely that the NSA were the major contributors from a
technical point of view). The altered version of LUCIFER was put forward as a proposal for the new
national encryption standard requested by the National Bureau of Standards (NBS)3 . It was finally
adopted in 1977 as the Data Encryption Standard - DES (FIPS PUB 46). Some of the changes made
to LUCIFER have been the subject of much controversy even to the present day. The most notable
of these was the key size. LUCIFER used a key size of 128 bits however this was reduced to 56 bits
for DES. Even though DES actually accepts a 64 bit key as input, the remaining eight bits are used
for parity checking and have no effect on DES’s security. Outsiders were convinced that the 56 bit
key was an easy target for a brute force attack4 due to its extremely small size. The need for the
parity checking scheme was also questioned without satisfying answers. Another controversial issue
was that the S-boxes used were designed under classified conditions and no reasons for their
particular design were ever given. This led people to assume that the NSA had introduced a
“trapdoor” through which they could decrypt any data encrypted by DES even without knowledge
of the key. One startling discovery was that the S-boxes appeared to be secure against an attack
known as Differential Cryptanalysis which was only publicly discovered by Biham and Shamir in
1990. This suggests that the NSA were aware of this attack in 1977; 13 years earlier! In fact the
DES designers claimed that the reason they never 32

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

made the design specifications for the S-boxes available was that they knew about a number of
attacks that weren’t public knowledge at the time and they didn’t want them leaking - this is quite a
plausible claim as differential cryptanalysis has shown. However, despite all this controversy, in
1994 NIST reaffirmed DES for government use for a further five years for use in areas other than
“classified”. DES of course isn’t the only symmetric cipher. There are many others, each with
varying levels of complexity. Such ciphers include: IDEA, RC4, RC5, RC6 and the new Advanced
Encryption Standard (AES). AES is an important algorithm and was originally meant to replace
DES (and its more secure variant triple DES) as the standard algorithm for non-classified material.
However as of 2003, AES with key sizes of 192 and 256 bits has been found to be secure enough to
protect information up to top secret. Since its creation, AES had underdone intense scrutiny as one
would expect for an algorithm that is to be used as the standard. To date it has withstood all attacks
but the search is still on and it remains to be seen whether or not this will last. We will look at AES
later in the course.

INNER WORKING OF DES

DES (and most of the other major symmetric ciphers) is based on a cipher known as the Feistel block

cipher. It consists of a number of rounds where each round contains bit shuffling, non- linear substitutions

(S-boxes) and exclusive OR operations. As with most encryption schemes, DES expects two inputs - the

plaintext to be encrypted and the secret key. The manner in which the plaintext is accepted, and the key

arrangement used for encryption and decryption, both determine the type of cipher it is. DES is therefore a

symmetric, 64 bit block cipher as it uses the same key for both encryption and decryption and only

operates on 64 bit blocks of data at a time5 (be they plaintext or ciphertext). The key size used is 56 bits,

however a 64 bit (or eight-byte) key is actually input. The least significant bit of each byte is either used

for parity (odd for DES) or set arbitrarily and does not increase the security in any way. All blocks are

numbered from left to right which makes the eight bit of each byte the parity bit.

33

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Once a plain-text message is received to be encrypted, it is arranged into 64 bit blocks required for input. If

the number of bits in the message is not evenly divisible by 64, then the last block will be padded. Multiple

permutations and substitutions are incorporated throughout in order to increase the difficulty of performing

a cryptanalysis on the cipher

OVERALL STRUCTURE
Figure below shows the sequence of events that occur during an encryption operation. DES

performs an initial permutation on the entire 64 bit block of data. It is then split into 2, 32 bit

sub-blocks, Li and Ri which are then passed into what is known as a round (see figure 2.3), of

which there are 16 (the subscript i in Li and Ri indicates the current round). Each of the rounds

are identical and the effects of increasing their number is twofold - the algorithms security is

increased and its temporal efficiency decreased. Clearly these are two conflicting outcomes and a

compromise must be made. For DES the number chosen was 16, probably to guarantee the

elimination of any correlation between the ciphertext and either the plaintext or key6 . At the end

of the 16th round, the 32 bit Li and Ri output quantities are swapped to create what is known as

the pre-output. This [R16, L16] concatenation is permuted using a function which is the exact

inverse of the initial permutation. The output of this final permutation is the 64 bit ciphertext.

34
www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

So in total the processing of the plaintext proceeds in three phases as can be seen from the left

hand side of figure

1. Initial permutation (IP - defined in table 2.1) rearranging the bits to form the “permuted input”.

2. Followed by 16 iterations of the same function (substitution and permutation). The output of the

last iteration consists of 64 bits which is a function of the plaintext and key. The left and right
 halves are swapped to produce the preoutput.

3. Finally, the preoutput is passed through a permutation (IP−1 - defined in table 2.1) which is

simply the inverse of the initial permutation (IP). The output of IP−1 is the 64- bit ciphertext

35

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

As figure shows, the inputs to each round consist of the Li , Ri pair and a 48 bit subkey which is a

shifted and contracted version of the original 56 bit key. The use of the key can be seen in the right

hand portion of figure 2.2: • Initially the key is passed through a permutation function (PC1 -
 defined in table 2.2) • For each of the 16 iterations, a subkey (Ki) is produced by a combination of a

left circular shift and a permutation (PC2 - defined in table 2.2) which is the same for each iteration.

However, the resulting subkey is different for each iteration because of repeated shifts.

36

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 37

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

DETAILS OF INDIVIDUAL ROUNDS

 The main operations on the data are encompassed into what is referred to as the cipher function and is

labeled F. This function accepts two different length inputs of 32 bits and 48 bits and outputs a single 32 bit

number. Both the data and key are operated on in parallel, however the operations are quite different. The

56 bit key is split into two 28 bit halves Ci and Di (C and D being chosen so as not to be confused with L

and R). The value of the key used in any round is simply a left cyclic shift and a permuted contraction of

that used in the previous round.

Mathematically, this can be written as

Ci = Lcsi(Ci−1), Di = Lcsi(Di−1) Ki = P C2(Ci , Di)

where Lcsi is the left cyclic shift for round i, Ci and Di are the outputs
after the shifts, P C2(.) is a function which permutes and compresses
a 56 bit number into a 48 bit number and Ki is the actual key used
in round i. The number of shifts is either one or two and is

38

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

determined by the round number i. For i = {1, 2, 9, 16} the number of

shifts is one and for every other round it is two
39
www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

s BBX Details
 40

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

ADVANCED ENCRYPTION ALGORITHM (AES)

∙ AES is a block cipher with a block length of 128 bits.
∙ AES allows for three different key lengths: 128, 192, or 256 bits. Most of our discussion will
assume that the key length is 128 bits.
∙ Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and
14 rounds for 256-bit keys.
∙ Except for the last round in each case, all other rounds are identical.
∙ Each round of processing includes one single-byte based substitution step, a row- wise
permutation step, a column-wise mixing step, and the addition of the round key. The order in
which these four steps are executed is different for encryption and decryption.
∙ To appreciate the processing steps used in a single round, it is best to think of a 128-bit block as
consisting of a 4 × 4 matrix of bytes, arranged as follows:
Therefore, the first four bytes of a 128-bit input block occupy the first column in the 4 × 4 matrix of
bytes. The next four bytes occupy the second column, and so on.
The 4×4 matrix of bytes shown above is referred to as the state array in AES.

41

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
The algorithm begins with an Add round key stage followed by 9 rounds of four stages and a
tenth round of three stages.
This applies for both encryption and decryption with the exception that each stage of a round the
decryption algorithm is the inverse of its counterpart in the encryption algorithm.
The four stages are as follows: 1. Substitute bytes 2. Shift rows 3. Mix Columns 4. Add Round Key

Substitute Bytes

• This stage (known as SubBytes) is simply a table lookup using a 16 × 16 matrix of byte values
called an s-box.
• This matrix consists of all the possible combinations of an 8 bit sequence (28 = 16 × 16 = 256).
• However, the s-box is not just a random permutation of these values and there is a well defined
method for creating the s-box tables.

42
www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

• The designers of Rijndael showed how this was done unlike the s-boxes in DES for which no
rationale was given.Our concern will be how state is effected in each round. • For this particular
round each byte is mapped into a new byte in the following way: the leftmost nibble of the byte is
used to specify a particular row of the s-box and the rightmost nibble specifies a column.
• For example, the byte {95} (curly brackets represent hex values in FIPS PUB 197) selects row 9
column 5 which turns out to contain the value {2A}.
• This is then used to update the state matrix.

Shift Row Transformation

• This stage (known as ShiftRows) is shown in figure below.
• Simple permutation an nothing more.
• It works as follow: – The first row of state is not altered. – The second row is shifted 1 bytes to
the left in a circular manner. – The third row is shifted 2 bytes to the left in a circular manner. –
The fourth row is shifted 3 bytes to the left in a circular manner.
43

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

MIX COLUMN TRANSFORMATION

• This stage (known as MixColumn) is basically a substitution
• Each column is operated on individually. Each byte of a column is mapped into a new value that is
a function of all four bytes in the column.
• The transformation can be determined by the following matrix multiplication on state • Each
element of the product matrix is the sum of products of elements of one row and one column.
• In this case the individual additions and multiplications are performed in GF(28 ). • The
MixColumns transformation of a single column j (0 ≤ j ≤ 3) of state can be expressed as:
s ′ 0,j = (2 • s0,j) ⊕ (3 • s1,j) ⊕ s2,j ⊕
s3,j s ′ 1,j = s0,j ⊕ (2 • s1,j) ⊕ (3 • s2,j)
⊕ s3,j s ′ 2,j = s0,j ⊕ s1,j ⊕ (2 • s2,j)
⊕ (3 • s3,j) s ′ 3,j = (3 • s0,j) ⊕ s1,j ⊕
s2,j ⊕(2 • s3,j)
ADD ROUND KEY TRANSFORMATION
• In this stage (known as AddRoundKey) the 128 bits of state are bitwise XORed with the 128
bits of the round key.
• The operation is viewed as a columnwise operation between the 4 bytes of a state column and
one word of the round key.

44

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

• This transformation is as simple as possible which helps in efficiency but it also effects every bit
of state.
• The AES key expansion algorithm takes as input a 4-word key and produces a linear array of 44
words. Each round uses 4 of these words as shown in figure.
• Each word contains 32 bytes which means each subkey is 128 bits long. Figure 7 show
pseudocode for generating the expanded key from the actual key.

BLOWFISH ALGORITHM
• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
• fast implementation on 32-bit CPUs
• compact in use of memory
• simple structure for analysis/implementation
• variable security by varying key size
• has been implemented in various products
BLOWFISH KEY SCHEDULE

• uses a 32 to 448 bit key, 32-bit words stored in K-array Kj ,j from 1 to 14

• used to generate
• 18 32-bit subkeys stored in P array, P1 ….P18
• four 8x32 S-boxes stored in Si,j , each with 256 32-bit entries
Subkeys and S-Boxes Generation:
1. initialize P-array and then 4 S-boxes in order using the fractional part of pi P1 (
left most 32-bit), and so on,,, S4,255.
2. XOR P-array with key-Array (32-bit blocks) and reuse as needed: assume we have up to k10 then P10
XOR K10,, P11 XOR K1 … P18 XOR K8
3. Encrypt 64-bit block of zeros, and use the result to update P1 and P2.
4. encrypting output form previous step using current P & S and replace P3 and P4. Then
encrypting current output and use it to update successive pairs of P.
5. After updating all P’s (last :P17 P18), start updating S values using the
encrypted output from previous step.
• requires 521 encryptions, hence slow in re-keying
• Not suitable for limited-memory applications.

45

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

BLOWFISH ENCRYPTION

• uses two main operations: addition modulo 232 , and XOR

• data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
Ri = Li-1 XOR Pi;
 Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;

• where
F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d

46
www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

BLOCK CIPHER MODES OF OPERATIONS

• Direct use of a block cipher is inadvisable
• Enemy can build up “code book” of plaintext/ciphertext equivalents
• Beyond that, direct use only works on messages that are a multiple of the cipher
block size in length
• Solution: five standard Modes of Operation: Electronic Code Book (ECB), Cipher
Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter
(CTR).
Electronic Code Book
• Direct use of the block cipher
• Used primarily to transmit encrypted keys
• Very weak if used for general-purpose encryption; never use it for a file or a message.
• Attacker can build up codebook; no semantic security
• We write {P}k → C to denote “encryption of plaintext P with key k to produce ciphertext C”

47

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Cipher Block Chaining

• We would like that same plaintext blocks produce different ciphertext blocks.
• Cipher Block Chaining (see figure) allows this by XORing each plaintext with the Ciphertext
from the previous round (the first round using an Initialisation Vector (IV)). • As before, the same
key is used for each block.
• Decryption works as shown in the figure because of the properties of the XOR operation, i.e. IV ⊕
IV ⊕ P = P where IV is the Initialisation Vector and P is the plaintext. • Obviously the IV needs to
be known by both sender and receiver and it should be kept secret along with the key for maximum
security.

Cipher Feedback (CFB) Mode

• The Cipher Feedback and Output Feedback allows a block cipher to be converted into a stream
cipher.
• This eliminates the need to pad a message to be an integral number of blocks. It also can operate
in real time.
• Figure shows the CFB scheme.
• In this figure it assumed that the unit of transmission is s bits; a common value is s = 8. 48

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

• As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext
unit is a function of all the preceding plaintext (which is split into s bit segments).
• The input to the encryption function is a shift register equal in length to the block cipher of the
algorithm (although the diagram shows 64 bits, which is block size used by DES, this can be
extended to other block sizes such as the 128 bits of AES).
• This is initially set to some Initialisation Vector (IV).

OUTPUT FEEDBACK (OFB) MODE

• The Output Feedback Mode is similar in structure to that of CFB, as seen in figure 13. • As can be
seen, it is the output of the encryption function that is fed back to the shift register in OFB,
whereas in CFB the ciphertext unit is fed back to the shift register. • One advantage of the OFB
method is that bit errors in transmission do not propagate. • For example, if a bit error occurs in C1
only the recovered value of P1 is affected; subsequent plaintext units are not corrupted.
With CFB, C1 also serves as input to the shift register and therefore causes additional corruption
downstream.

49

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 Counter Mode

Confidentiality using Symmetric Encryption

traditionally symmetric encryption is used to provide message confidentiality 50

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt &
where the encryption function should be located.

It first examines the potential location of security attacks & then looks at two major approaches to
encryption placement.

have two major placement alternatives

Link encryption

Each vulnerable link is equipped on both ends with an encryption device.

Encryption occurs independently on every link.

implies must decrypt traffic between links.

requires many devices, but paired keys.

51
www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Dis-Advantages of Link Encryption:

▪ Message must be encrypted each time it enters a switch.

▪ Message is vulnerable at each switch.

▪ In public networks, the user has no control over security of nodes

▪ To be effective, each node that shares a link should share a unique key with different keys on each
link.

▪ It requires more keys.

End-to-End encryption:

● Here,encryption occurs between original source and final destination

● need devices at each end with shared keys

when using end-to-end encryption must leave headers in clear

 ● so network can correctly route information

hence although contents protected, traffic pattern flows are not

52

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

ideally want both at once

● end-to-end protects data contents over entire path and provides authentication

● link protects traffic flows from monitoring

can place encryption function at various layers in OSI Reference Model

● link encryption occurs at layers 1 or 2

● end-to-end can occur at layers 3, 4, 6, 7

● as move higher less information is encrypted but it is more secure though more complex with more
entities and key

Traffic Confidentiality
The following types of information can be derived from traffic analysis attacks:

• Identities of communicating parties.

• How frequently parties are communicating?

• Message pattern that includes the length and quality of information.

Two approaches:

• Link Approach.

• End-to-End Approach.

Link Approach:

• Network layer header are encrypted to reduce traffic analysis.

• But it is possible for attacker to access the amount of traffic entering & leaving end system. •
• Traffic Padding is a counter measure: Produces cipher text continuously in the absence of plaintext. •

It is impossible for an attacker to distinguish between true data & padding bits.
53

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

End-to-End Approach:

• Here, measures for defenders are limited.

• Ex: if encryption is implemented at application layer, opponent can find the entities in the
 communication.

• If encryption is implemented at transport layer, addresses and traffic patterns are accessible. • One

technique is to pad out data units to a uniform length.

• In addition, null messages can be inserted into the stream.

Random Number Generation

Pseudo Random Number Generator (PRNG)

Pseudo Random Number Generator(PRNG) refers to an algorithm that uses mathematical formulas
to produce sequences of random numbers. PRNGs generate a sequence of numbers approximating the
properties of random numbers.

54

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

A PRNG starts from an arbitrary starting state using a seed state. Many numbers are generated in a
short time and can also be reproduced later, if the starting point in the sequence is known. Hence, the
numbers are deterministic and efficient.

Linear Congruential Generator is most common and oldest algorithm for generating
pseudo-randomized numbers. The generator is defined by the recurrence relation:
Xn+1 = (aXn + c) mod m
where X is the sequence of pseudo-random values
m, 0 < m - modulus
a, 0 < a < m - multiplier
c, 0 ≤ c < m - increment
x, 0 ≤ x <
0 0 m - the seed or start value

We generate the next random integer using the previous random integer, the integer constants, and the
integer modulus. To get started, the algorithm requires an initial Seed, which must be provided by some
means. The appearance of randomness is provided by performing modulo arithmetic..
Characteristics of PRNG
∙ Efficient: PRNG can produce many numbers in a short time and is advantageous for applications that
need many numbers
∙ Deterministic: A given sequence of numbers can be reproduced at a later date if the starting point in
the sequence is known.Determinism is handy if you need to replay the same sequence of numbers
again at a later stage.
∙ Periodic: PRNGs are periodic, which means that the sequence will eventually repeat itself. While
periodicity is hardly ever a desirable characteristic, modern PRNGs have a period that is so long that it
can be ignored for most practical purposes
Applications of PRNG
PRNGs are suitable for applications where many random numbers are required and where it is useful
that the same sequence can be replayed easily. Popular examples of such applications are simulation
and modeling applications. PRNGs are not suitable for applications where it is important that the
numbers are really unpredictable, such as data encryption and gambling.

55

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

UNIT II

` UNIT - II Public key Cryptography Principles, RSA algorithm, Key Management,

Diffie Hellman Key Exchange, Elliptic Curve Cryptography. Message authentication
and Hash Functions, Authentication Requirements and Functions, Message
Authentication, Hash Functions and MACs Hash and MAC Algorithms SHA-512,
HMAC.

PUBLIC KEY CRYPTOGRAPHY

The development of public-key cryptography is the greatest and perhaps the only true revolution
in the entire history of cryptography. It is asymmetric, involving the use of two separate keys, in
contrast to symmetric encryption, which uses only one key. Public key schemes are neither more
nor less secure than private key (security depends on the key size for both). Public-key
cryptography complements rather than replaces symmetric cryptography. Both also have issues
with key distribution, requiring the useof some suitable protocol. The concept of public-key
cryptography evolved from an attempt to attack two of the most difficult problems associated with
symmetric encryption:
1.) key distribution – how to have secure communications in general without having to trust a
KDC with your key

2.) digital signatures – how to verify a message comes intact from the claimed sender

Public-key/two-key/asymmetric cryptography involves the use of two keys:

∙ a public-key, which may be known by anybody, and can be used to encrypt messages, and verify
signatures
∙ a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures.

∙ is asymmetric because those who encrypt messages or verify signatures cannot decrypt
messages or create signatures

Public-Key algorithms rely on one key for encryption and a different but related key for
decryption. These algorithms have the following important characteristics:
∙ it is computationally infeasible to find decryption key knowing only algorithm & encryption key

56

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

∙ it is computationally easy to en/decrypt messages when the relevant

(en/decrypt) key is known
∙ either of the two related keys can be used for encryption, with the other used for
decryption (for some algorithms like RSA)
The following figure illustrates public-key encryption process and shows that a public key encryption
scheme has six ingredients: plaintext, encryption algorithm, public & private keys, ciphertext &
decryption algorithm.
The essential steps involved in a public-key encryption scheme are given below: 1.) Each user

generates a pair of keys to be used for encryption and decryption.

2.) Each user places one of the two keys in a public register and the other key is kept private.

3.) If B wants to send a confidential message to A, B encrypts the message using A’s public key.

4.) When A receives the message, she decrypts it using her private key. Nobody else can decrypt the
message because that can only be done using A’s private key (Deducing a private key should be
infeasible).

5.) If a user wishes to change his keys –generate another pair of keys and publish the public one:
no interaction with other users is needed.
Notations used in Public-key cryptography:
∙ The public key of user A will be denoted KUA.
∙ The private key of user A will be denoted KRA.
∙ Encryption method will be a function E.
∙ Decryption method will be a function D.
∙ If B wishes to send a plain message X to A, then he sends the cryptotext Y=E(KUA,X) 57

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

∙ The intended receiver A will decrypt the message: D(KRA,Y)=X

The first attack on Public-key Cryptography is the attack on Authenticity. An attacker may
impersonate user B: he sends a message E(KUA,X) and claims in the message to be B –A has no
guarantee this is so. To overcome this, B will encrypt the message using his private key: Y=E(KRB,X).
Receiver decrypts using B’s public key KRB. This shows the authenticity of the sender because
(supposedly) he is the only one who knows the private key. The entire encrypted message serves as a
digital signature. This scheme is depicted in the following figure:

58

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 But, a drawback still
exists. Anybody can decrypt the message using B’s public key. So, secrecy or confidentiality is being
compromised. One can provide both authentication and confidentiality using the public-key scheme
twice:

B encrypts X with his private key: Y=E(KRB,X)

B encrypts Y with A’s public key: Z=E(KUA,Y)

A will decrypt Z (and she is the only one capable of doing it): Y=D(KRA,Z)

A can now get the plaintext and ensure that it comes from B (he is the only one who knows his private
key): decrypt Y using B’s public key: X=E(KUB,Y).

59
www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Applications for public-key cryptosystems:

1.) Encryption/decryption: sender encrypts the message with the receiver’s public key.

2.) Digital signature: sender “signs” the message (or a representative part of the message) using
his private key

3.) Key exchange: two sides cooperate to exchange a secret key for later use in a secret key
cryptosystem.

The main requirements of Public-key cryptography are:

1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb). 2.

Easy for sender A to generate ciphertext:

3. Easy for the receiver B to decrypt ciphertect using private key:

4. Computationally infeasible to determine private key (KRb) knowing public key (KUb) 5.

Computationally infeasible to recover message M, knowing KUb and ciphertext C 6. Either of the
two keys can be used for encryption, with the other used for decryption: M=
DKRb[EKUb(M)]=DKUb[EKRb(M)]

Easy is defined to mean a problem that can be solved in polynomial time as a function of input
length. A problem is infeasible if the effort to solve it grows faster than polynomial time as a
function of input size. Public-key cryptosystems usually rely on difficult math functions rather
than S-P networks as classical cryptosystems. One-way function is one, easy to calculate in one
direction, infeasible to calculate in the other direction (i.e., the inverse is infeasible to compute).
Trap-door function is a difficult function that becomes easy if some extra information is known.
Our aim to find a trap door one-way function, which is easy to calculate in one direction and
infeasible to calculate in the other direction unless certain additional information is known.
Security of Public-key schemes:
∙ Like private key schemes brute force exhaustive search attack is always theoretically possible.
But keys used are too large (>512bits).
∙ Security relies on a large enough difference in difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems. More generally the hard problem is known, its just made too hard to do
in practise.

60

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

∙ Requires the use of very large numbers, hence is slow compared to private key schemes

RSA ALGORITHM
RSA is the best known, and by far the most widely used general public key encryption algorithm,
and was first published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78]. Since that time
RSA has reigned supreme as the most widely accepted and implemented general-purpose
approach to public-key encryption. The RSA scheme is a block cipher in which the plaintext and
the ciphertext are integers between 0 and n- 1 for some fixed n and typical size for n is 1024 bits
(or 309 decimal digits). It is based on exponentiation in a finite (Galois) field over integers
modulo a prime, using large integers (eg. 1024 bits). Its security is due to the cost of factoring
large numbers. RSA involves a public-key and a private-key where the public key is known to all
and is used to encrypt data or message. The data or message which has been encrypted using a
public key can only be decryted by using its corresponding private-key. Each user generates a key
pair
i.e. public and private key using the following steps:
∙ each user selects two large primes at random - p, q
∙ compute their system modulus n=p.q
∙ calculate ø(n), where ø(n)=(p-1)(q-1)
∙ selecting at random the encryption key e, where 1<e<ø(n),and gcd(e,ø(n))=1
∙ solve following equation to find decryption key d: e.d=1 mod ø(n) and 0≤d≤n
∙ publish their public encryption key: KU={e,n}
∙ keep secret private decryption key: KR={d,n}

Both the sender and receiver must know the values of n and e, and only the receiver knows the
value of d. Encryption and Decryption are done using the following equations. To encrypt a
message M the sender:
– obtains public key of recipient KU={e,n}
– computes: C=Me mod n, where 0≤M<n
To decrypt the ciphertext C the owner:
– uses their private key KR={d,n}
– computes: M=Cd mod n = (Me) d mod n = Med mod n
61

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

For this algorithm to be satisfactory, the following requirements are to be met.

a) Its possible to find values of e, d, n such that Med = M mod n for all M<n
b) It is relatively easy to calculate Me and C for all values of M < n.
c) It is impossible to determine d given e and n

The way RSA works is based on Number theory: Fermat’s little theorem: if p is prime and a is
positive integer not divisible by p, then ap-1 ≡ 1 mod p. Corollary: For any positive integer a and
prime p, ap ≡ a mod p.

Fermat’s theorem, as useful as will turn out to be does not provide us with integers d,e we are
looking for –Euler’s theorem (a refinement of Fermat’s) does. Euler’s function associates to any
positive integer n, a number φ(n): the number of positive integers smaller than n and relatively
prime to n. For example, φ(37) = 36 i.e. φ(p) = p-1 for any prime p. For any two primes p,q,
φ(pq)=(p-1)(q-1). Euler’s theorem: for any relatively prime integers a,n we have aφ(n)≡1 mod
n. Corollary: For any integers a,n we have aφ(n)+1≡a mod n Corollary: Let p,q be two odd
primes and n=pq. Then: φ(n)=(p-1)(q
1) For any integer m with 0<m<n, m(p-1)(q-1)+1 ≡ m mod n For any integers k,m with 0<m<n,
mk(p-1)(q-1)+1 ≡ m mod n Euler’s theorem provides us the numbers d, e such that Med=M mod
n. We have to choose d,e such that ed=kφ(n)+1, or equivalently, d≡e- 1mod φ(n)

An example of RSA can be given

as, Select primes: p=17 & q=11
Compute n = pq =17×11=187
Compute ø(n)=(p–1)(q-1)=16×10=160
Select e : gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23×7=161= 10×160+1 Publish public
key KU={7,187}
Keep secret private key KR={23,187}
Now, given message M = 88 (nb. 88<187)
encryption: C = 887 mod 187 = 11
decryption: M = 1123 mod 187 = 88

62

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Another example of RSA is given as,

Let p = 11, q = 13, e = 11, m = 7

n = pq i.e. n= 11*13 = 143

ø(n)= (p-1)(q-1) i.e. (11-1)(13-1) = 120

e.d=1 mod ø(n) i.e. 11d mod 120 = 1 i.e. (11*11) mod 120=1;
so d = 11 public key :{11,143} and private key: {11,143}
C=Me mod n, so ciphertext = 711mod143 = 727833 mod 143; i.e. C = 106
M=Cd mod n, plaintext = 10611 mod 143 = 1008 mod 143; i.e. M = 7

For RSA
key generation,
– determine two primes at random - p, q

– select either e or d and compute the other

– means must be sufficiently large

– typically guess and use probabilistic test

Security of RSA

There are three main approaches of attacking RSA algorithm.

Brute force key search (infeasible given size of numbers) As explained before, involves trying all
possible private keys. Best defence is using large keys.
Mathematical attacks (based on difficulty of computing ø(N), by factoring modulus N) There
are several approaches, all equivalent in effect to factoring the product of two primes. Some of
them are given as:

63

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

– factor N=p.q, hence find ø(N) and then d

– determine ø(N) directly and find d

– find d directly

The possible defense would be using large keys and also choosing large numbers for p and q,
which should differ only by a few bits and are also on the order of magnitude 1075 to 10100. And
gcd (p-1, q-1) should be small.

DIFFIE-HELLMAN KEY EXCHANGE

Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that have
no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications using
a symmetric key cipher. The D-H algorithm depends for its effectiveness on the difficulty of
computing discrete logarithms.
First, a primitive root of a prime number p, can be defined as one whose powers generate all the
integers from 1 to p-1. If a is a primitive root of the prime number p, then the numbers, a mod p,
a2 mod p,..., ap-1 mod p, are distinct and consist of the integers from 1 through p 1 in some
permutation.
For any integer b and a primitive root a of prime number p, we can find a unique exponent i such
that .The exponent i is referred to as the discrete logarithm of
b for the base a, mod p. We express this value as dloga,p (b). The algorithm is summarized below:

64

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
For this scheme, there are two publicly known numbers: a prime number q and an integer α that is a
primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a random
integer XA < q and computes YA = αXA mod q. Similarly, user B independently selects a random
integer XA < q and computes YB = αXB mod q. Each side keeps the X value private and makes the Y
value available publicly to the other side. User A computes the key as K = (YB)XA mod q and user B
computes the key as K = (YA)XB mod
q. These two calculations produce identical results.
Discrete Log Problem
The (discrete) exponentiation problem is as follows: Given a base a, an exponent b and a modulus p,
calculate c such that ab ≡ c (mod p) and 0 ≤ c < p. It turns out that this problem is fairly easy and can
be calculated "quickly" using fast-exponentiation. The discrete log problem is the inverse problem:
Given a base a, a result c (0 ≤ c < p) and a modulus

65
www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

p,calculate the exponent b such that ab ≡ c (mod p). It turns out that no one has found a quick
way to solve this problem With DLP, if P had 300 digits, Xa and Xb have more than 100 digits, it
would take longer than the life of the universe to crack the method.
Examples for D-H key distribution scheme:

1) Let p = 37 and g = 13.

Let Alice pick a = 10. Alice calculates 1310 (mod 37) which is 4 and sends that to Bob. Let Bob
pick b = 7. Bob calculates 137 (mod 37) which is 32 and sends that to Alice. (Note: 6 and 7 are
secret to Alice and Bob, respectively, but both 4 and 32 are known
by all.)
10 (mod 37) which is 30, the secret key.

7 (mod 37) which is 30, the same secret key.

2) Let p = 47 and g = 5. Let Alice pick a = 18. Alice calculates 518 (mod 47) which is 2 and sends
that to Bob. Let Bob pick b = 22. Bob calculates 522 (mod 47) which is 28 and sends that to Alice.

18 (mod 47) which is 24, the secret key.

22 (mod 47) which is 24, the same secret key

Man-in-the-Middle Attack on D-H protocol

Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as
follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.

2. Alice transmits YA to Bob.

3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)XD2mod q. 4. Bob

receives YD1 and calculates K1 = (YD1)XE mod q.

5. Bob transmits XA to Alice.

6. Darth intercepts XA and transmits YD2 to Alice. Darth calculates K1 = (YB)XD1 mod q. 7. Alice
receives YD2 and calculates K2 = (YD2)XA mod q.

66

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share
secret key K1 and Alice and Darth share secret key K2. All future communication between Bob
and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).

2. Darth intercepts the encrypted message and decrypts it, to recover M.

3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth
simply wants to eavesdrop on the communication without altering it. In the second case, Darth
wants to modify the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants. This vulnerability can be overcome with the use of digital signatures and public-key
certificates.

ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the
algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was
suggested independently by Neal Koblitz and Victor S. Miller in 1985. The principal attraction of
ECC compared to RSA is that it appears to offer equal security for a far smaller bit size, thereby
reducing the processing overhead.

Elliptic Curve over GF(p)

Let GF(p) be a finite field, p > 3, and let a, b

4a3 + 27b2 ≡ 0 (mod p). An elliptic curve, E(a,b)(GF(p)), is

defined as the set of points (x,y) ᴄ GF(p) * GF(p) which satisfy the equation
y2 ≡ x3 + ax + b (mod p), together with a special point, O, called the point at infinity. Let P and Q be
two points on E(a,b)(GF(p)) and O is the point at infinity.
• P+O = O+P = P

• If P = (x1,y1) then -P = (x1 ,-y1) and P + (-P) = O.

• If P = (x1,y1) and Q = (x2,y2), and P and Q are not O.

then P +Q = (x3 ,y3) where

x3 = ƛ 2 - x1 - x2
86

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in y3

= ƛ (x1 - x3) - y1 and

ƛ = (y2-y1)/(x2-x1) if P ≠ Q

ƛ = (3x12+a)/ 2y1 if P = Q

An elliptic curve may be defined over any finite field GF(q). For GF(2m), the curve has a different form:-
y2 + xy = x3 + ax2 + b, where b !=0.

Cryptography with Elliptic Curves

The addition operation in ECC is the counterpart of modular multiplication in RSA, and multiple addition
is the counterpart of modular exponentiation. To form a cryptographic system using elliptic curves,
some kind of hard problem such as discrete logarithm or factorization of prime numbers is needed.
Considering the equation, Q=kP, where Q,P are points in an elliptic curve, it is “easy” to compute Q
given k,P , but “hard” to find k given Q,P. This is known as the elliptic curve logarithm problem. k could
be so large as to make brute- force fail.

ECC Key Exchange

Pick a prime number p= 2180 and elliptic curve parameters a and b for the equation y2 ≡ x3 + ax
+ b (mod p) which defines the elliptic group of points Ep(a,b). Select generator point G=(x1,y1)
in Ep(a,b) such that the smallest value for which nG=O be a very large prime number. Ep(a,b) and
G are parameters of the cryptosystem known to all participants. The following steps take place:
• A & B select private keys nA<n, nB<n

• compute public keys: PA=nA×G, PB=nB×G

• Compute shared key: K=nA×PB, K=nB×PA {same since K=nA×nB×G }

ECC Encryption/Decryption As with key exchange system, an encryption/decryption system

requires a point G and and elliptic group Ep(a,b) as parameters. First thing to be done is to encode
the plaintext message m to be sent as an x-y point Pm. Each user chooses private key nA<n and
computes public key PA=nA×G. To encrypt and send a

68

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

message to Pm to B, A chooses a random positive integer k and produces the ciphertext Cm

consisting of the pair of points Cm={kG, Pm+kPb}. here, A uses B’s public key. To

decrypt the ciphertext, B multiplies the first point in the pair by B’s secret key and subtracts the result
from the second point Pm+kPb – nB(kG) = Pm+k(nBG) – nB(kG) = Pm A has masked the message
Pm by adding kPb to it. Nobody but A knows the value of k, so even though Pb is a public key,
nobody can remove the mask kPb. For an attacker to recover the message, he has to compute k given
G and kG, which is assumed hard.
Security of ECC To protect a 128 bit AES key it would take a RSA Key Size of 3072 bits whereas
an ECC Key Size of 256 bits.
 Hence for
similar security ECC offers significant computational advantages.
Applications of ECC:

∙ Wireless communication devices

∙ Smart cards
∙ Web servers that need to handle many encryption sessions
∙ Any application where security is needed but lacks the power, storage and
computational power that is necessary for our current cryptosystems

KEY MANAGEMENT
One of the major roles of public-key encryption has been to address the problem of key
distribution. Two distinct aspects to use of public key encryption are present.
The distribution of public keys.

Use of public-key encryption to distribute secret keys.

69

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Distribution of Public Keys The most general schemes for distribution of public keys are given
below

PUBLIC ANNOUNCEMENT OF PUBLIC KEYS

Here any participant can send his or her public key to any other participant or broadcast the key to
the community at large. For example, many PGP users have adopted the practice of appending
their public key to messages that they send to public forums.

Though this approach seems convenient, it has a major drawback. Anyone can forge such a public
announcement. Some user could pretend to be user A and send a public key to another participant
or broadcast such a public key. Until the time when A discovers about the forgery and alerts other
participants, the forger is able to read all encrypted messages intended for A and can use the
forged keys for authentication.

PUBLICLY AVAILABLE DIRECTORY

A greater degree of security can be achieved by maintaining a publicly available dynamic

directory of public keys. Maintenance and distribution of the public directory would have to be
the responsibility of some trusted entity or organization. It includes the following elements:
1. The authority maintains a directory with a {name, public key} entry for each participant.

2. Each participant registers a public key with the directory authority. Registration would have to be
in person or by some form of secure authenticated communication.

70

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
3. A participant may replace the existing key with a new one at any time, either because of the
desire to replace a public key that has already been used for a large amount of data, or because the
corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure,
authenticated communication from the authority to the participant is mandatory. This scheme has
still got some vulnerabilities. If an adversary succeeds in obtaining or computing the private key
of the directory authority, the adversary could authoritatively pass out counterfeit public keys and
subsequently impersonate any participant and eavesdrop on messages sent to any participant. Or
else, the adversary may tamper with the records kept by the authority.

PUBLIC-KEY AUTHORITY
Stronger security for public-key distribution can be achieved by providing tighter control over the
distribution of public keys from the directory. This scenario assumes the existence of a public
authority (whoever that may be) that maintains a dynamic directory of public keys of all users.
The public authority has its own (private key, public key) that it is using to communicate to users.
Each participant reliably knows a public key for the authority, with only the authority knowing
the corresponding private key. For example, consider that Alice and Bob wish to communicate
with each other and the following steps take place and are also shown in the figure below:

71

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

1.) Alice sends a timestamped message to the central authority with a request for Bob’s public
key (the time stamp is to mark the moment of the request)

2.) The authority sends back a message encrypted with its private key (for authentication)
–message contains Bob’s public key and the original message of Alice – this way Alice knows
this is not a reply to an old request;

3.) Alice starts the communication to Bob by sending him an encrypted message containing her
identity IDA and a nonce N1 (to identify uniquely this transaction)

4.) Bob requests Alice’s public key in the same way (step 1)

5.) Bob acquires Alice’s public key in the same way as Alice did. (Step-2)

6.) Bob replies to Alice by sending an encrypted message with N1 plus a new generated nonce N2
(to identify uniquely the transaction)

7.) Alice replies once more encrypting Bob’s nonce N2 to assure bob that its correspondent is
Alice
Thus, a total of seven messages are required. However, the initial four messages need be used
only infrequently because both A and B can save the other's public key for future use, a technique
known as caching. Periodically, a user should request fresh copies of the public keys of its
correspondents to ensure currency.

72
www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

PUBLIC-KEY CERTIFICATES

The above technique looks attractive, but still has some drawbacks. For any communication between
any two users, the central authority must be consulted by both users to get the newest public keys i.e.
the central authority must be online 24 hours/day. If the central authority goes offline, all secure
communications get to a halt. This clearly leads to an undesirable bottleneck. A further improvement is
to use certificates, which can be used to exchange keys without contacting a public-key authority, in a
way that is as reliable as if the keys were obtained directly from a public-key authority. A certificate
binds an identity to public key, with all contents signed by a trusted Public-Key or Certificate
Authority (CA). A user can present his or her public key to the authority in a secure manner, and obtain
a certificate. The user can then publish the certificate. Anyone needed this user's public key can obtain
the certificate and verify that it is valid by way of the attached trusted signature. A participant can also
convey its key information to another by transmitting its certificate. Other participants can verify that
the certificate was created by the authority. This certificate issuing scheme does have the following
requirements:

1. Any participant can read a certificate to determine the name and public key of the certificate's owner.

2. Any participant can verify that the certificate originated from the certificate authority and is not
counterfeit.

3. Only the certificate authority can create and update certificates.

4. Any participant can verify the currency of the certificate.

73

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Application must be in person or by some form of secure authenticated communication. For

participant A, the authority provides a certificate of the form
CA = E(PRauth, [T||IDA||PUa]) where PRauth is the private key used by the authority and T is a
timestamp. A may then pass this certificate on to any other participant, who reads and verifies the
certificate as follows: D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) = (T||IDA||PUa) The
recipient uses the authority's public key, PUauth to decrypt the certificate. Because the certificate is
readable only using the authority's public key, this verifies that the certificate came from the certificate
authority. The elements IDA and PUa provide the recipient with the name and public key of the certificate's
holder. The timestamp T validates the currency of the certificate. The timestamp counters the following
scenario. A's private key is learned by an adversary. A generates a new private/public key pair and applies
to the certificate authority for a new certificate. Meanwhile, the adversary replays the old certificate to B. If
B then encrypts messages using the compromised old public key, the adversary can read those messages. In
this context, the compromise of a private key is comparable to the loss of a credit card. The owner cancels
the credit card number but is at risk until all possible communicants are aware that the old credit card is
obsolete. Thus, the timestamp serves as something like an expiration date. If a certificate is sufficiently old,
it is assumed to be expired.
One scheme has become universally accepted for formatting public-key certificates: the X.509 standard.
X.509 certificates are used in most network security applications, including IP security, secure sockets
layer (SSL), secure electronic transactions (SET), and S/MIME.

SECRET KEY DISTRIBUTION WITH CONFIDENTIALITY AND AUTHENTICATION It is

assumed that A and B have exchanged public keys by one of the schemes described
 earlier.
Then the following steps occur:

1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) 74

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

and a nonce (N1), which is used to identify this transaction uniquely.

2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce
generated by B (N2) Because only B could have decrypted message (1), the presence of N1 in message (2)
assures A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A. 4. A selects a secret
key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures
that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.

The result is that this scheme ensures both confidentiality and authentication in the
exchange of a secret key.

MESSAGE AUTHENTICATION
Message authentication is a procedure to verify that received messages come from the alleged
source and have not been altered. Message authentication may also verify sequencing and
timeliness. It is intended against the attacks like content modification, sequence modification,
timing modification and repudiation. For repudiation, concept of digital signatures is used to
counter it. There are three classes by which different types of functions that may be used to
produce an authenticator. They are:
 Message encryption–the ciphertext serves as authenticator

Message authentication code (MAC)–a public function of the message and a secret
key producing a fixed-length value to serve as authenticator. This does not provide a digital
signature because A and B share the same key.

Hash function–a public function mapping an arbitrary length message into a fixed- length
hash value to serve as authenticator. This does not provide a digital signature because there is no
key.
MESSAGE ENCRYPTION:

Message encryption by itself can provide a measure of authentication. The analysis differs for
conventional and public-key encryption schemes. The message must have come from the sender
itself, because the ciphertext can be decrypted using his (secret or public) key. Also, none of the
bits in the message have been altered because an opponent does not know how to manipulate the
bits of the ciphertext to induce

75

www.android.previousuestionpapers.com | www.previousuestionpapers.com |
www.ios.previousuestionpapers.com
www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

meaningful changes to the plaintext. Often one needs alternative authentication schemes than just
encrypting the message.
Sometimes one needs to avoid encryption of full messages due to legal requirements.
Encryption and authentication may be separated in the system architecture.

The different ways in which message encryption can provide authentication, confidentiality in
both symmetric and asymmetric encryption techniques is explained with the table below:
 MESSAGE AUTHENTICATION CODE
An alternative authentication technique involves the use of a secret key to generate a small
fixed-size block of data, known as cryptographic checksum or MAC, which is appended to the
message. This technique assumes that both the

76

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

communicating parties say A and B share a common secret key K. When A has a message to send
to B, it calculates MAC as a function C of key and message given as: MAC=Ck(M) The message
and the MAC are transmitted to the intended recipient, who upon receiving performs the same
calculation on the received message, using the same secret key to generate a new MAC. The
received MAC is compared to the calculated MAC and only if they match, then:
 1. The receiver is assured that the message has not been altered: Any alternations been done the
MAC’s do not match.
2. The receiver is assured that the message is from the alleged sender: No one except the sender

has the secret key and could prepare a message with a proper MAC. 3. If the message includes a
sequence number, then receiver is assured of proper sequence as an attacker cannot successfully
alter the sequence number.
Basic uses of Message Authentication Code (MAC) are shown in the figure:

There are three

different situations where use of a MAC is desirable:
a message is broadcast to several destinations in a network (such as a military If
control center), then it is cheaper and more reliable to have just one node responsible to
evaluate the authenticity –message will be sent in plain with an attached authenticator.

77

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

If one side has a heavy load, it cannot afford to decrypt all messages –it will just
check the authenticity of some randomly selected messages.
 Authentication of computer programs in plaintext is very attractive service as they
need not be decrypted every time wasting of processor resources. Integrity of the
program can always be checked by MAC.
MESSAGE AUTHENTICATION CODE BASED ON DES

The Data Authentication Algorithm, based on DES, has been one of the most widely
used MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB
113) and an ANSI standard (X9.17). But, security weaknesses in this algorithm have
been discovered and it is being replaced by newer and stronger algorithms. The algorithm
can be defined as using the cipher block chaining (CBC) mode of operation of DES
shown below with an initialization vector of zero.

The data (e.g., message, record, file, or program) to be authenticated are grouped into
contiguous 64-bit blocks: D1, D2,..., DN. If necessary, the final block is padded on the
right with zeroes to form a full 64-bit block. Using the DES encryption algorithm, E, and a
secret key, K, a data authentication code (DAC) is calculated as follows:

The DAC consists of either the entire block ON or the leftmost M bits of the block, with 16 ≤
M ≤ 64
 78

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in

Use of MAC needs a shared secret key between the communicating parties and also MAC does
not provide digital signature. The following table summarizes the confidentiality and
authentication implications of the approaches shown above.

HASH FUNCTION
A variation on the message authentication code is the one-way hash function. As with the
message authentication code, the hash function accepts a variable-size message M as input and
produces a fixed-size hash code H(M), sometimes called a message digest, as output. The hash
code is a function of all bits of the message and provides an error- detection capability: A change
 to any bit or bits in the message results in a change to the hash code. A variety of ways in which a
hash code can be used to provide message authentication is shown below and explained stepwise
in the table.

79

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com

www.android.universityupdates.in | www.universityupdates.in | www.ios.universityupdates.in
 80

www.android.previousuestionpapers.com | www.previousuestionpapers.com | www.ios.previousuestionpapers.com