Module - 2

Symmetric and Asymmetric key

Cryptography and key Management
Contents
2.1 Block cipher principles
➢ Block cipher modes of operation,
➢ DES, Double DES, Triple DES,
➢ Advanced Encryption Standard (AES),
➢ Stream Ciphers: RC4 algorithm.
2.2 Public key cryptography:
➢ Principles of public key cryptosystems- The RSA Cryptosystem,
➢ The knapsack cryptosystem
2.3 Symmetric Key Distribution: KDC
➢ Needham-schroeder protocol.
➢ Kerberos: Kerberos Authentication protocol
➢ Symmetric key agreement: Diffie Hellman
➢ Public key Distribution: Digital Certificate: X.509, PKI
Stream Cipher
➢ Pseudorandom Number Sequence: Uses a sequence of pseudorandom
numbers to encrypt data.
➢ Enhanced Cryptanalysis Difficulty: A longer keystream makes
cryptanalysis more difficult.
➢ Brute Force Protection.
➢ Stronger Security.
➢ Efficient Keystream Design: Including more 1s and 0s in the keystream
increases cryptanalysis difficulty.
➢ Compact Code: Require fewer lines of code.
➢ Each bit of paintext is combined with bits of security key and then XORed
to get ciphertext.
Fig. Block Diagram of Stream Cipher
Block Cipher - Design principles
Block ciphers use the Feistel cipher structure and process fixed-size data
blocks (typically 64 or 128 bits) to generate ciphertext. The design of block
ciphers focuses on several key principles for security and efficiency:
● Number of Rounds: More rounds increase security by making the
encryption process more complex (e.g., DES uses 16 rounds, AES uses
10).
● Round Function (F): In Feistel structure, the round function's complexity
influences the cipher’s strength. It is non-linear i.e it is difficult to
establish connection between input to F and output from F. Also F should
have high Avalanche effect.
● Key Size: Larger keys make it more difficult to perform brute-force
attacks, with a 128-bit key being generally considered secure.
 The process of selecting subkeys should be designed in a way that makes
it challenging to reverse-engineer and retrieve the main key.
● Key Schedule: The key schedule ensures unpredictability and resistance
to attacks that target weak or related keys.
● Block Size: A larger block size helps prevent attacks based on statistical
patterns (e.g., 128-bit blocks).
● Avalanche Effect: A small change in the input should drastically alter
the output, adding security.
● Security Analysis: Ciphers should be tested against various attacks (e.g.,
differential and linear cryptanalysis, brute-force) and implementation
threats (e.g., side-channel attacks).
Ideal Block Cipher
 Block Cipher Design

basic principles still like Feistel’s in 1970’s

number of rounds
● more is better, exhaustive search best attack
function f:
● provides “confusion”, is nonlinear, avalanche
● have issues of how S-boxes are selected
key schedule
● complex subkey creation, key avalanche
 Stream Cipher Block Cipher

By taking one bit of ordinary text at a

Block Ciphers Encrypts data in
time, the stream cipher transforms
fixed-size blocks.
plain text into cipher text.

It is basically used for data-at-rest

Used for data-in-transit encryption.
encryption.

It requires low processing power. It needs high processing power.

It has low computational load. It requires high computational load.

Stream Cipher cannot operate as a Block ciphers can operate as a stream

block cipher. cipher.
Claude Shannon and Substitution-Permutation
Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P)
networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic operations seen
before:
● substitution (S-box)
● permutation (P-box)
provide confusion & diffusion of message & key
cipher needs to completely obscure statistical properties of original
message
more practically Shannon Shannon suggested suggested
combining S & P elements to obtain:
• diffusion – dissipates statistical structure of plaintext over bulk of
ciphertext
• confusion – makes relationship between
ciphertext and key as complex as possible
 Feistel Cipher Structure
Horst Feistel devised the feistel cipher
● based on concept of invertible product cipher
partitions input block into two halves
● process through multiple rounds which
● perform a substitution on left data half
● based on round function of right half & subkey
● then have permutation swapping halves
implements Shannon’s S-P net concept
It is a symmetric encryption algorithm framework used in many
well-known encryption systems, such as the Data Encryption Standard
(DES).
Each round applies transformations to the data based on the key.
Feistel Cipher Structure
 Feistel Cipher Design Elements
block size
key size
number of rounds
subkey generation algorithm
Feistel Round Function (F) is key to how the Feistel cipher achieves
security. It typically involves:
● Expansion: Expanding the input block (typically the right half) to a larger
size.
● Substitution: Using a substitution operation, such as S-boxes, to confuse
the data.
● Permutation: Reordering the bits to increase diffusion (spread out the
influence of each bit).
● XOR with Subkey: The expanded, substituted, and permuted value is then
XORed with the subkey.
Feistel Cipher Decryption
 Example (2-Round Feistel Cipher):

Initialization:
Start with a plaintext block, split into left (L0) and right (R0) halves.
Round 1:
Compute the round function F using R0 and the first subkey K1.
Update L1 = R0 and R1 = L0 XOR F(R0, K1).
Round 2:
Apply the round function again using R1 and the second subkey K2.
Final ciphertext is the concatenation of L2 and R2
 Data Encryption Standard (DES)
It is a symmetric key based block cipher standard used for encryption and
decryption
It is most widely used block cipher in world
It was adopted in 1977 by NBS (now NIST)
● as FIPS PUB 46

FEATURES
Block Size: 64 bits of data.
Key Size: 56 bits (often represented as 64 bits, but 8 bits are used for
parity checking and do not contribute to the actual key).
Rounds: 16 rounds of encryption.
Feistel Structure: Like other Feistel ciphers, DES operates on the principle
of dividing the data into two halves and processing them in multiple
rounds.
DES Encryption Overview
 DES Round Structure

It uses two 32-bit L & R halves

as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
F takes 32-bit R half and 48-bit subkey:
● expands R to 48-bits using perm E
● adds to subkey using XOR
● passes through 8 S-boxes to get 32-bit result
● finally permutes using 32-bit perm P
Initial Permutation (IP): rearranges the bits of input data to create a
permuted block.
Rounds: DES uses 16 rounds. In each round, the L0 and R0 are
manipulated using a round function (F)
Round Function (F): The right half of the data (32 bits) is expanded to 48
bits using an expansion permutation. The expanded half is then XORed
with the round subkey (48 bits). The result is passed through 16 S-boxes
(substitution boxes) resulting in a 32-bit output. The output of the S-boxes
is then permuted using a permutation P.
XOR Operation: The output of the round function is XORed with the left
half of the data from the previous round.
Swap: The left and right halves are swapped at the end of each round
(except the final round).
 Each round step looks like this:
L(n) = R(n-1)
R(n) = L(n-1) XOR F(R(n-1), K(n))
Subkeys: Each round uses a different subkey (K1, K2, ..., K16). The
original 56-bit key is processed through a key schedule algorithm to
generate 16 subkeys, each 48 bits long.
The key schedule involves:
● Splitting the 56-bit key into two 28-bit halves.
● Shifting the halves and selecting certain bits to create a 48-bit subkey for
each round.
● Final Round: In the 16th round, after the left and right halves are
processed, the halves are not swapped before combining them into the final
output.
Final Permutation (FP): After the 16 rounds, a final permutation (FP) is
applied to the 64-bit block. This permutation is the inverse of the initial
permutation (IP). The result is the final ciphertext.
 Substitution Boxes S

have eight S-boxes which map 6 to 4 bits

each S-box is actually 4 little 4 bit boxes
● outer bits 1 & 6 (row bits) select one row of 4
● inner bits 2-5 (col bits) are substituted
● result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key
● feature known as autoclaving (auto keying)
example:
● S(18 09 12 3d 11 17 38 39) = 5fd25e03
 DES Key Schedule

forms subkeys used in each round

● initial permutation of the key (PC1) which selects 56-bits in two 28-bit
halves
● 16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on the
key rotation schedule K
• selecting 24-bits from each half & permuting them by PC2 for use
in round function F
 Avalanche Effect
key desirable property of encryption algorithm
where a change of one input or key bit results in changing approx half
output bits
making attempts to “home-in” by guessing keys impossible
DES exhibits strong avalanche
 Strength of DES – Analytic Attacks
Several analytic attacks are possible on DES, these utilise some deep
structure of the cipher
● by gathering information about encryptions
● can eventually recover some/all of the sub-key bits
● if necessary then exhaustively search for the rest
generally these are statistical attacks
include
● differential cryptanalysis
● linear cryptanalysis
● related key attacks

NOTE: The key length of 56 bits is considered insecure by modern

standards due to advances in computational power. DES is susceptible to
brute-force attacks, but it was widely used for many years until more
secure algorithms (like AES) became the standard
Timing Attacks
attacks actual implementation of cipher
use knowledge of consequences of implementation to derive information
about some/all subkey bits
specifically use fact that calculations can take varying times depending on
the value of the inputs to it
particularly problematic on smartcards

Differential Cryptanalysis
have some input difference giving some output difference with probability
p
if find instances of some higher probability input / output difference pairs
occurring
can infer subkey that was used in round
then must iterate process over many rounds (with decreasing probabilities)
 Differential Cryptanalysis

a statistical attack against Feistel ciphers

uses cipher structure not previously used
design of S-P networks has output of function f influenced by both input &
key
hence cannot trace values back through cipher without knowing value of the
key
differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis Compares Pairs of
Encryptions
with a known difference in the input
searching for a known difference in output
when same subkeys are used
 Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs with known input
XOR until obtain desired output XOR
when found
● if intermediate rounds match required XOR have a right pair
● if not then have a wrong pair, relative ratio is S/N for attack
can then deduce keys values for the rounds
● right pairs suggest same key bits
● wrong pairs give random values
for large numbers of rounds, probability is so low that more pairs are
required than exist with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated characteristic can
break the full 16-round DES
 Linear Cryptanalysis
It is a statistical method developed by Matsui et al in early 90's
must be iterated over rounds, with decreasing probabilities
based on finding linear approximations
can attack DES with 243 known plaintexts, easier but still in practise
infeasible
find linear approximations with prob p != ½
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where ia,jb,kc are bit locations in P,C,K
gives linear equation for key bits
get one key bit using max likelihood alg
using a large number of trial encryptions
effectiveness given by: |p–1/2|
 DES Design Criteria

as reported by Coppersmith in [COPP94]

7 criteria for S-boxes provide for
● non-linearity
● resistance to differential cryptanalysis
● good confusion
3 criteria for permutation P provide for
● increased diffusion
 Advanced Encryption Standard

AES is replacement for DES. It was needed as

● have theoretical attacks that can break DES
● have demonstrated exhaustive key search attacks
● Triple-DES can be used but it is slow
private key symmetric block cipher
It uses 128 bit blocks
It works on keys with sizes 128, 192, 256 bits.
Used in industry due to its strong cipher properties.
Fig. Block Diagram of AES
AES Requirements
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of 20-30 years (+ archival use)
both C & Java implementations

Fig. Encryption in AES

 The AES Cipher - Rijndael

designed by Rijmen-Daemen in Belgium

has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
● processes data as block of 4 columns of 4 bytes
● operates on entire data block in every round
designed to be:
● resistant against known attacks
● speed and code compactness on many CPUs
● design simplicity
 Rijndael
data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
● byte substitution (1 S-box used on every byte)
● shift rows (permute bytes between groups/columns)
● mix columns (subs using matrix multipy of groups)
● add round key (XOR state with key material)
● view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
Block Diagram & Internal of AES- Rijndael
 Byte Substitution
A simple substitution of each
byte
uses one table of 16x16 bytes
containing a permutation of
all 256 8-bit values
each byte of state is replaced
by byte indexed by row (left
4-bits) & column (right 4-bits)
● eg. byte {95} is replaced
by byte in row 9 column 5
● which has value {2A}
S-box constructed using
defined transformation of
values in GF(28)
designed to be resistant to all
known attacks
 Shift Rows
a circular byte shift in each each
● 1st row is unchanged
● 2nd row does 1 byte circular shift to left
● 3rd row does 2 byte circular shift to left
● 4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step permutes bytes between the
columns
 Mix Columns
each column is processed separately
each byte is replaced by a value dependent on all 4 bytes in the column
effectively a matrix multiplication in GF(28) using prime poly m(x)
=x8+x4+x3+x+1
can express each col as 4 equations
● to derive each new byte in col
decryption requires use of inverse matrix
● with larger coefficients, hence a little harder
have an alternate characterisation
● each column a 4-term polynomial
● with coefficients in GF(28)
● and polynomials multiplied modulo (x4+1)
Mix Columns
 Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a series of byte operations)
inverse for decryption identical
● since XOR own inverse, with reversed keys
designed to be as simple as possible
● a form of Vernam cipher on expanded key
● requires other stages for complexity / security
AES Round
 AES Key Expansion

takes 128-bit (16-byte) key and

expands into array of 44/52/60 32-bit
words
start by copying key into first 4 words
then loop creating words that depend
on values in previous & 4 places back
● in 3 of 4 cases just XOR these
together
● 1st word in 4 has rotate + S-box +
XOR round constant on previous,
before XOR 4th back
 AES Decryption
AES decryption is not identical to
encryption since steps done in
reverse
but can define an equivalent
inverse cipher with steps as for
encryption
● but using inverses of each step
● with a different key schedule
works since result is unchanged
when
● swap byte substitution & shift
rows
● swap mix columns & add
(tweaked) round key
 Implementation Aspects
can efficiently implement on 8-bit CPU
● byte substitution works on bytes using a table of 256 entries
● shift rows is simple byte shift
● add round key works on byte XOR’s
● mix columns requires matrix multiply in GF(28) which works on byte
values, can be simplified to use table lookups & byte XOR’s
can efficiently implement on 32-bit CPU
● redefine steps to use 32-bit words
● can precompute 4 tables of 256-words
● then each column in each round can be computed using 4 table lookups
+ 4 XORs
● at a cost of 4Kb to store tables
designers believe this very efficient implementation was a key factor in its
selection as the AES cipher
 Multiple Encryption & DES
clear a replacement for DES was needed
● theoretical attacks that can break it
● demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple encryption with DES
implementations
Triple-DES is the chosen form
 Double-DES?
could use 2 DES encrypts on each block
● C = EK2(EK1(P))
issue of reduction to single stage
and have “meet-in-the-middle” attack
● works whenever use a cipher twice
● since X = EK1(P) = DK2(C)
● attack by encrypting P with all keys and store
● then decrypt C with keys and match X value
● can show takes O(256) steps
 Triple-DES with Two-Keys
hence must use 3 encryptions
● would seem to need 3 distinct keys
but can use 2 keys with E-D-E sequence
● C = EK1(DK2(EK1(P)))
● nb encrypt & decrypt equivalent in security
● if K1=K2 then can work with single DES
standardized in ANSI X9.17 & ISO 8732
no current known practical attacks
 Triple-DES with Three-Keys
although are no practical attacks on two-key Triple-DES have some
indications
can use Triple-DES with Three-Keys to avoid even these
● C = EK3(DK2(EK1(P)))
has been adopted by some Internet applications, eg PGP, S/MIME

Modes of Operation
block ciphers encrypt fixed size blocks
● eg. DES encrypts 64-bit blocks with 56-bit key
need some way to en/decrypt arbitrary amounts of data in practise
ANSI X3.106-1983 Modes of Use (now FIPS 81) defines 4 possible modes
subsequently 5 defined for AES & DES
have block and stream modes
 Electronic Codebook Book (ECB)
message is broken into independent blocks which are encrypted
each block is a value which is substituted, like a codebook, hence name
each block is encoded independently of the other blocks
Ci = DESK1(Pi)
uses: secure transmission of single values
 Advantages and Limitations of ECB
message repetitions may show in ciphertext
● if aligned with message block
● particularly with data such graphics
● or with messages that change very little, which become a code-book
analysis problem
weakness is due to the encrypted message blocks being independent
main use is sending a few blocks of data
 Cipher Block Chaining (CBC)
message is broken into blocks and linked together in encryption operation
each previous cipher blocks is chained with current plaintext block, hence
name
use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
uses: bulk data encryption, authentication
Message Padding Advantages and Limitations
at end of message must handle a of CBC
possible last short block
a ciphertext block depends on all
● which is not as large as blocks before it
blocksize of cipher
any change to a block affects all
● pad either with known
following ciphertext blocks
non-data value (eg nulls)
need Initialization Vector (IV)
● or pad last block along with
count of pad size ● which must be known to
• eg. [ b1 b2 b3 0 0 0 0 5] sender & receiver
• means have 3 data bytes, ● if sent in clear, attacker can
then 5 bytes pad+count change bits of first block, and
change IV to compensate
● this may require an extra
entire block over those in ● hence IV must either be a
message fixed value (as in EFTPOS)
● or must be sent encrypted in
there are other, more esoteric
ECB mode before rest of
modes, which avoid the need for
message
an extra block
 Cipher FeedBack (CFB)
message is treated as a stream of bits and added to the output of the block
cipher
result is feedback for next stage (hence name)
standard allows any number of bit (1,8, 64 or 128 etc) to be feedback
● denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
most efficient to use all bits in block (64 or 128)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
uses: stream data encryption, authentication
Cipher FeedBack (CFB)
 Advantages and Limitations of CFB
appropriate when data arrives in bits/bytes
most common stream mode
limitation is need to stall while do block encryption after every n-bits
note that the block cipher is used in encryption mode at both ends
errors propogate for several blocks after the error
 Output FeedBack (OFB)
message is treated as a stream of bits
output of cipher is added to message
output is then feed back (hence name)
feedback is independent of message
can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
uses: stream encryption on noisy channels
Output FeedBack (OFB)
 Advantages and Limitations of OFB
bit errors do not propagate
more vulnerable to message stream modification
a variation of a Vernam cipher
● hence must never reuse the same sequence (key+IV)
sender & receiver must remain in sync
originally specified with m-bit feedback
subsequent research has shown that only full block feedback (ie CFB-64
or CFB-128) should ever be used
 Counter (CTR)
a “new” mode, though proposed early on, it is similar to OFB but encrypts
counter value rather than any feedback value
must have a different key & counter value for every plaintext block (never
reused) Ci = Pi XOR Oi
Oi = DESK1(i)
uses: high-speed network encryptions
 Advantages and Limitations of CTR

efficiency
● can do parallel encryptions in h/w or s/w
● can preprocess in advance of need
● good for bursty high speed links
random access to encrypted data blocks
provable security (good as other modes)
but must ensure never reuse key/counter values, otherwise could break (cf
OFB)
 Stream Ciphers
process message bit by bit (as a stream)
have a pseudo random keystream
combined (XOR) with plaintext bit by bit
randomness of stream key completely destroys statistically properties in
message Ci = Mi XOR StreamKeyi
but must never reuse stream key
● otherwise can recover messages (cf book cipher)
 Stream Cipher Properties
some design considerations are:
● long period with no repetitions
● statistically random
● depends on large enough key
● large linear complexity
properly designed, can be as secure as a block cipher with same size key
but usually simpler & faster
 RC4
a proprietary cipher owned by RSA DSI
another Ron Rivest design, simple but effective
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a byte at a time
 RC4 Key Schedule
starts with an array S of numbers: 0..255
use key to well and truly shuffle
S forms internal state of the cipher
for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j=0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
 RC4 Encryption
encryption continues shuffling array values
sum of shuffled pair selects "stream key" value from permutation
XOR S[t] with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
RC4 Overview
 RC4 Security
claimed secure against known attacks
● have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never reuse a key
have a concern with WEP, but due to key handling rather than RC4 itself

Private-Key Cryptography
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming
is sent by sender
 Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography
uses two keys – a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key crypto

Why Public-Key Cryptography?

developed to address two key issues:

● key distribution – how to have secure communications in general
without having to trust a KDC with your key
● digital signatures – how to verify a message comes intact from the
claimed sender
public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni
in 1976
 Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use of two
keys:
● a public-key, which may be known by anybody, and can be used to
encrypt messages, and verify signatures
● a private-key, known only to the recipient, used to decrypt messages,
and sign (create) signatures
is asymmetric because
● those who encrypt messages or verify signatures cannot decrypt
messages or create signatures
 Public-Key Characteristics
Public-Key algorithms rely on two keys where:
● it is computationally infeasible to find decryption key knowing only
algorithm & encryption key
● it is computationally easy to en/decrypt messages when the relevant
(en/decrypt) key is known
● either of the two related keys can be used for encryption, with the other
used for decryption (for some algorithms)

Public-Key Cryptosystems
 Public-Key Applications
can classify uses into 3 categories:
● encryption/decryption (provide secrecy)
● digital signatures (provide authentication)
● key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
 Security of Public Key Schemes
like private key schemes brute force exhaustive search attack is always
theoretically possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty between easy
(en/decrypt) and hard (cryptanalyse) problems
more generally the hard problem is known, but is made hard enough to be
impractical to break
requires the use of very large numbers
hence is slow compared to private key schemes
 RSA
by Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over integers modulo a
prime
● nb. exponentiation takes O((log n)3) operations (easy)
uses large integers (eg. 1024 bits)
security due to cost of factoring large numbers
● nb. factorization takes O(e log n log log n) operations (hard)
 RSA Key Setup
each user generates a public/private key pair by:
selecting two large primes at random - p, q
computing their system modulus n=p.q
● note ø(n)=(p-1)(q-1)
selecting at random the encryption key e
• where 1<e<ø(n), gcd(e,ø(n))=1
solve following equation to find decryption key d
● e.d=1 mod ø(n) and 0≤d≤n
publish their public encryption key: PU={e,n}
keep secret private decryption key: PR={d,n}
 RSA Use

to encrypt a message M the sender:

● obtains public key of recipient PU={e,n}
● computes: C = Me mod n, where 0≤M<n
to decrypt the ciphertext C the owner:
● uses their private key PR={d,n}
● computes: M = Cd mod n
note that the message M must be smaller than the modulus n (block if
needed)
 Why RSA Works
because of Euler's Theorem:
● aø(n)mod n = 1 where gcd(a,n)=1
in RSA have:
● n=p.q
● ø(n)=(p-1)(q-1)

● carefully chose e & d to be inverses mod ø(n)

● hence e.d=1+k.ø(n) for some k

hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
 RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=16o
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d:
de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 10x160+1
1. Publish public key PU={7,187}
2. Keep secret private key PR={23,187}
 RSA Example - En/Decryption

sample RSA encryption/decryption is:

given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
 Exponentiation
can use the Square and Multiply Algorithm
a fast, efficient algorithm for exponentiation
concept is based on repeatedly squaring base
and multiplying in the ones that are needed to compute the result
look at binary representation of exponent
only takes O(log2 n) multiples for number n
● eg. 75 = 74.71 = 3.7 = 10 mod 11
● eg. 3129 = 3128.31 = 5.3 = 4 mod 11

c = 0; f = 1
for i = k downto 0
do c = 2 x c
f = (f x f) mod n
if bi == 1 then
c = c + 1
f = (f x a) mod n
return f
 Efficient Encryption
encryption uses exponentiation to power e
hence if e small, this will be faster
● often choose e=65537 (216-1)
● also see choices of e=3 or e=17
but if e too small (eg e=3) can attack
● using Chinese remainder theorem & 3 messages with different modulii
if e fixed must ensure gcd(e,ø(n))=1
● ie reject any p or q not relatively prime to e
decryption uses exponentiation to power d
● this is likely large, insecure if not
can use the Chinese Remainder Theorem (CRT) to compute mod p & q
separately. then combine to get desired answer
● approx 4 times faster than doing directly
only owner of private key who knows values of p & q can use this
technique
 RSA Key Generation

users of RSA must:

● determine two primes at random - p, q
● select either e or d and compute the other
primes p,q must not be easily derived from modulus n=p.q
● means must be sufficiently large
● typically guess and use probabilistic test
exponents e, d are inverses, so use Inverse algorithm to compute the other
 RSA Security & Attacks
possible approaches to attacking RSA are:
● brute force key search (infeasible given size of numbers)
● Common modulus : mathematical attacks (based on difficulty of
computing ø(n), by factoring modulus n)
● timing attacks (on running of decryption)
● chosen ciphertext attacks (given properties of RSA)
● Choosing small numbers / Factoring Problem
● Man in the middle attack
 Factoring Problem
mathematical approach takes 3 forms:
● factor n=p.q, hence compute ø(n) and then d
● determine ø(n) directly and compute d
● find d directly
currently believe all equivalent to factoring
● have seen slow improvements over the years
• as of May-05 best is 200 decimal digits (663) bit with LS
● biggest improvement comes from improved algorithm
• cf QS to GHFS to LS
● currently assume 1024-2048 bit RSA is secure
• ensure p, q of similar size and matching other constraints
 Key Management
public-key encryption helps address key distribution problems
have two aspects of this:
● distribution of public keys
● use of public-key encryption to distribute secret keys

Distribution of Public Keys

can be considered as using one of:
● public announcement
● publicly available directory
● public-key authority
● public-key certificates
 Public Announcement
users distribute public keys to recipients or broadcast to community at large
● eg. append PGP keys to email messages or post to news groups or
email list
major weakness is forgery
● anyone can create a key claiming to be someone else and broadcast it
● until forgery is discovered can masquerade as claimed user
 Publicly Available Directory
can obtain greater security by registering keys with a public directory
directory must be trusted with properties:
● contains {name,public-key} entries
● participants register securely with directory
● participants can replace key at any time
● directory is periodically published
● directory can be accessed electronically
still vulnerable to tampering or forgery
 Public-Key Authority
improve security by tightening control over distribution of keys from
directory
has properties of directory
and requires users to know public key for the directory
then users interact with directory to obtain any desired public key securely
● does require real-time access to directory when keys are needed
 Public-Key Certificates
certificates allow key exchange without real-time access to public-key
authority
a certificate binds identity to public key
● usually with other info such as period of validity, rights of use etc
with all contents signed by a trusted Public-Key or Certificate Authority
(CA)
can be verified by anyone who knows the public-key authorities public-key
 Public-Key Distribution of Secret Keys
use previous methods to obtain public-key
can use for secrecy or authentication
but public-key algorithms are slow
so usually want to use private-key encryption to protect message contents
hence need a session key
have several alternatives for negotiating a suitable session
 Simple Secret Key Distribution
proposed by Merkle in 1979
● A generates a new temporary public key pair
● A sends B the public key and their identity
● B generates a session key K sends it to A encrypted using the supplied
public key
● A decrypts the session key and both use
problem is that an opponent can intercept and impersonate both halves of
protocol
 Public-Key Distribution of Secret Keys

if have securely exchanged public-keys:

 Hybrid Key Distribution

retain use of private-key KDC

shares secret master key with each user
distributes session key using master key
public-key used to distribute master keys
● especially useful with widely distributed users
rationale
● performance
● backward compatibility
 Diffie-Hellman Key Exchange
first public-key type scheme proposed by Diffie & Hellman in 1976 along
with the exposition of public key concepts
is a practical method for public exchange of a secret key
used in a number of commercial products
a public-key distribution scheme
● cannot be used to exchange an arbitrary message
● rather it can establish a common key
● known only to the two participants
value of key depends on the participants (and their private and public key
information)
based on exponentiation in a finite (Galois) field (modulo a prime or a
polynomial) - easy
security relies on the difficulty of computing discrete logarithms (similar to
factoring) – hard
 Diffie-Hellman Setup
all users agree on global parameters:
● large prime integer or polynomial q
● a being a primitive root mod q
each user (eg. A) generates their key
● chooses a secret key (number): xA < q
● compute their public key: yA = axA mod q
each user makes public that key yA
shared session key for users A & B is KAB:
KAB = axA.xB mod q
= yAxB mod q (which B can compute)
= yBxA mod q (which A can compute)
KAB is used as session key in private-key encryption scheme between Alice
and Bob
if Alice and Bob subsequently communicate, they will have the same key
as before, unless they choose new public-keys
attacker needs an x, must solve discrete log
 Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
agree on prime q=353 and a=3
select random secret keys:
● A chooses xA=97, B chooses xB=233
compute respective public keys:
● yA=397 mod 353 = 40 (Alice)
● yB=3233 mod 353 = 248 (Bob)
compute shared session key as:
● KAB= yBxA mod 353 = 24897 mod 353 = 160 (Alice)
● KAB= yAxB mod 353 = 40233 mod 353 = 160 (Bob)
 Key Exchange Protocols
users could create random private/public D-H keys each time they
communicate
users could create a known private/public D-H key and publish in a
directory, then consulted and used to securely communicate with them
both of these are vulnerable to a meet-in-the-Middle Attack
authentication of the keys is needed
 Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H) use either integer or polynomial
arithmetic with very large numbers/polynomials
imposes a significant load in storing and processing keys and messages
an alternative is to use elliptic curves
offers same security with smaller bit sizes
newer, but not as well analysed
 ECC Diffie-Hellman
can do key exchange analogous to D-H
users select a suitable curve Ep(a,b)
select base point G=(x1,y1)
● with large order n s.t. nG=O
A & B select private keys nA<n, nB<n
compute public keys: PA=nAG, PB=nBG
compute shared key: K=nAPB, K=nBPA
● same since K=nAnBG
 ECC Encryption/Decryption
several alternatives, will consider simplest
must first encode any message M as a point on the elliptic curve Pm
select suitable curve & point G as in D-H
each user chooses private key nA<n
and computes public key PA=nAG
to encrypt Pm : Cm={kG, Pm+kPb}, k random
decrypt Cm compute:
Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
Comparable Key Sizes for Equivalent Security

Symmetric scheme ECC-based scheme RSA/DSA

(key size in bits) (size of n in bits) (modulus size in bits)

56 112 512

80 160 1024

112 224 2048

128 256 3072

192 384 7680

256 512 15360

 Knapsack Cryptosystem

It is a Public key cryptography, it needs two different keys - Public key for
the Encryption and Private key for Decryption.
In this algorithm, we will use two different knapsack problems one is easy
and the other one is hard.
The easy knapsack is used as the private key and the hard knapsack is
used as the public key. The easy knapsack is used to derive the hard
knapsack.
For the easy knapsack, we will choose a super-increasing problem.
Superincreasing knapsack is a sequence in which every next term is
greater than the sum of all preceding terms.
{1, 2, 4, 10, 20, 40} is a super increasing as
1<2, 1+2<4, 1+2+4<10, 1+2+4+10<20 and 1+2+4+10+20<40.
Derive the Public key
Step-1: Choose a super increasing knapsack {1, 2, 4, 10, 20, 40} as the private key.
Step-2: Choose two numbers n and m. Multiply all the values of the private key by the
number n and then find modulo m. The value of m must be greater than the sum of all
values in the private key, for example, 110. The number n should have no common
factor with m, for example, 31.

Step-3: Calculate the values of the Public key using m and n.

1x31 mod(110) = 31
2x31 mod(110) = 62
4x31 mod(110) = 14
10x31 mod(110) = 90
20x31 mod(110) = 70
40x31 mod(110) = 30
Thus, our public key is {31, 62, 14, 90, 70, 30}
And Private key is {1, 2, 4, 10, 20, 40}.
Let our plain text be 100100111100101110.

1. Encryption : As our knapsacks contain six values, so we will split our plain text into
groups of six:

100100 111100 101110

Multiply each value of the public key with the corresponding values of each group and
take their sum.

100100 {31, 62, 14, 90, 70, 30}

1x31+0x62+0x14+1x90+0x70+0x30 = 121
111100 {31, 62, 14, 90, 70, 30}
1x31+1x62+1x14+1x90+0x70+0x30 = 197
101110 {31, 62, 14, 90, 70, 30}
1x31+0x62+1x14+1x90+1x70+0x30 = 205

So, our cipher text is 121 197 205.

Decryption-
https://www.geeksforgeeks.org/knapsack-encryption-algorithm-in-cryptography/
 Needham–Schroeder protocol
N-S is a shared-key authentication protocol designed to generate and
propagate a session key, i.e., a shared key for subsequent symmetrically
encrypted communication.
N-S uses nonces (short for “numbers used once”), randomly generated values
included in messages.
If a nonce is generated and sent by A in one step and returned by B in a later
step, A knows that B’s message is fresh and not a replay from an earlier
exchange.
Note that a nonce is not a timestamp. The only assumption is that it has not
been used in any earlier interchange, with high probability.
A requests B's public keys from S.

S responds with B's public key KPB alongside B's identity, encrypted by the
server's private key KQS

A chooses a random nonce NA and sends it to B by encrypting it using B's public

Key KPB received in step 2

B now knows that A wants to communicate. So, B requests A's public keys from
S.

S responds with A's public key KPA alongside A's identity, encrypted by the
server's private key KQS

B chooses a random nonce NB and sends it to A along with NA to prove his ability
to decrypt with KQB

A confirms NB to B, to prove her ability to decrypt with KQA

Fig. N-S protocol workflow
 Kerberos: Kerberos Authentication protocol

Document Link : Kerberos Authentication protocol