WachemoUniversity_Cryptography_and_Network_Security.pdf

Wachemo University
Cryptography & Network Security for MSc. Computer Science Students
Sofonias Yitagesu (Ph.D.)
February 2023

Evaluation
50 %, 50 %
☞ Evaluations
✓ Scientific Journal paper review and presentation (15 %)
✓ Survey paper review on current and hot research topics in Cryptography & Network
Security areas (15 %)
✓ Assignments: Lab + ... (20 %)
✓ Final Exam (50 %)
✓ Exam date: March
✓ All assignments will be submitted on March 18 2023
Sofonias Yitagesu (Ph.D.) Wachemo University February 2023 2 / 185

Chapter xxx: Introduction to Cryptography & Network Security
Contents in Brief
✓ Basic objectives of cryptography,
✓ secret-key and public-key cryptography,
✓ one-way and trapdoor one-way functions,
✓ cryptanalysis,
✓ attack models,
✓ classical cryptography.

Information security and cryptography
Definition and Cryptographic goals
☞ Definition:
✓ Cryptography studies mathematical techniques related to information security, such
as confidentiality, data integrity, entity authentication, and data origin
authentication.
✓ Cryptography is about the prevention and detection of cheating and other malicious
activities.
☞ Cryptographic goals:
✓ Of all the information security objectives, the following four form a framework upon
which the others will be derived: (1) privacy or confidentiality; (2) data integrity;
(3) authentication; and (4) non-repudiation.

Cryptographic goals
1 Privacy or confidentiality.
✓ keeping information secret from all but those who are authorized to see it.
2 Data integrity.
✓ ensuring information has not been altered by unauthorized or unknown means.
3 Authentication.
✓ Entity authentication: corroboration of the identity of an entity (e.g., a person, a
computer terminal, a credit card, etc.).
1 Message authentication: corroborating the source of information, also known as
data origin authentication.
4 Non-repudiation.
✓ preventing the denial of previous commitments or actions.
☞ A fundamental goal of cryptography is to adequately address these four
areas in both theory and practice.

A taxonomy of cryptographic primitives.
☞ The primitives should be evaluated with respect
to various criteria:
☞ Level of security: Often it is given in terms of the
number of operations required (using the best
methods currently known) to defeat the intended
objective.
☞ Functionality. Which primitives are most effective
for a given objective will be determined by the
basic properties of the primitives.
☞ Methods of operation. One primitive could
provide very different functionality depending on
its mode of operation or usage.
☞ Performance. The efficiency of a primitive in a
particular mode of operation.
☞ Ease of implementation. The difficulty of realizing
the primitive in a practical instantiation.

Background on functions
Functions
☞ Functions (1-1, one-way, trapdoor one-way)
➦ A set consists of distinct objects which are called elements of the set. For example,
a set X might consist of the elements a, b, c, and this is denoted X = {a, b, c}
☞ Definition.
➦ A function is defined by two sets X and Y and a rule f which assigns to each
element in X precisely one element in Y . The set X is called the domain of the
function and Y the codomain. If x is an element of X (usually written x ∈ X ) the
image of x is the element in Y which the rule f associates with x; the image y of x
is denoted by y = f(x). Standard notation for a function f from set X to set Y is
f : X −→ Y . If y ∈ Y , then a preimage of y is an element x ∈ X for which
f(x) = y. The set of all elements in Y which have at least one preimage is called
the image of f, denoted Im(f).

Example (function)
☞ Example 1.3.
✓ Consider the sets X = {a, b, c}, Y = {1, 2, 3, 4},
and the rule f from X to Y defined as
f(a) = 2, f(b) = 4, f(c) = 1. Figure 1.2 shows a
schematic of the sets X, Y and the function f.
The preimage of the element 2 is a. The image of
f is {1, 2, 4}.
✓ Given in Figure 1.2, each element in the domain
X has precisely one arrowed line originating from
it. Each element in the codomain Y can have any
number of arrowed lines incident to it (including
zero lines).
✓ Often only the domain X and the rule f are
given and the codomain is assumed to be the
image of f. This point is illustrated with two
examples (1.3 & 1.4).

Example (function)
☞ Example 1.4.
✓ Take X = {1, 2, 3, ..., 10} and let f be the rule that for each x ∈ X, f(x) = rx,
where rx is the remainder when x2
is divided by 11. Explicitly then
✓ f(1) = 1 f(2) = 4 f(3) = 9 f(4) = 5 f(5) = 3
✓ f(6) = 3 f(7) = 5 f(8) = 9 f(9) = 4 f(10) = 1.
✓ The image of f is the set Y = {1, 3, 4, 5, 9}.
☞ Example 1.5.
✓ Take X = {1, 2, 3, ..., 1050
} and let f be the rule f(x) = rx, where rx is the
remainder when x2
is divided by 1050
+ 1 for all x ∈ X.
✓ Here it is not feasible to write down f explicitly as in Example 1.4, but nonetheless
the function is completely specified by the domain and the mathematical description
of the rule f.

Types of functions
(i) Injective 1-1 (one-one) Function
☞ A function (or transformation) is 1 − 1 (one-to-one) if each element in the
codomain Y is the image of at most one element in the domain X.
✓ For every input, there is a unique output, i.e, each element in A maps to only one
element in B.
✓ All the elements in the domain must be used, but all the elements in the co-domain
need not be used. Horizontal line test for injective functions must only cut the
graph once.

Types of functions
(ii) Subjective Function
☞ A function (or transformation) is onto if each element in the codomain Y
is the image of at least one element in the domain. Equivalently, a
function f : X −→ Y is onto if Im(f) = Y.
☞ All the elements in the co-domain have to be used, i.e, domain =
co-domain.

Types of functions
(iii) Bijective Function
☞ If a function f : X −→ Y is 1 − 1 and Im(f) = Y., then f is called a
bijection.
✓
✓ Fact If f : X −→ Y is 1 − 1 then f : X −→ Im(f) is a bijection. In particular, if
f : X −→ Y is 1 − 1, and X and Y are finite sets of the same size, then f is a
bijection.

Types of functions
Injective, Subjective, abd Bijective Examples
☞ The functions described in Examples 1.3 and 1.4 are not bijections. In
Example 1.3 the element 3 is not the image of any element in the domain.
In Example 1.4 each element in the codomain has two preimages. But, It
is subjective function.

Inverse function
☞ Definition.
✓ If f is a bijection from X to Y then it is a simple
matter to define a bijection g from Y to X as
follows: for each y ∈ Y define g(y) = x where
x ∈ X and f(x) = y. This function g obtained
from f is called the inverse function of f and is
denoted by g = f−1
☞ Example (inverse function).
✓ Let X = {a, b, c, d, e}, & Y = {1, 2, 3, 4, 5}, and
consider the rule f given by the arrowed edges in
Figure 1.3. f is a bijection and its inverse g is
formed simply by reversing the arrows on the
edges. The domain of g is Y & the codomain is X.
✓ If f is a bijection, then so is f−1
. In cryptography,
bijections are used to encrypt messages, & inverse
transformations are used to decrypt. If it was not
bijections, it would not be possible to decrypt to a
unique message.

Functions
One-way functions
☞ A function f from a set X to a set Y is called a one-way function if f(x)
is “easy” to compute for all x ∈ X but for “essentially all” elements
y ∈ Im(f) it is “computationally infeasible” to find any x ∈ X such that
f(x) = y.
✓ Computing f(x) is a relatively simple thing to do, but to reverse the
procedure is much more difficult; that is, given a remainder to find the
value x which was originally cubed (raised to the third power).
✓ This procedure is referred to as the computation of a modular cube root
with modulus n. If the factors of n are unknown and large, this is a
difficult problem; however, if the factors p and q of n are known then
there is an efficient algorithm for computing modular cube roots.

One-way functions
A simple prime factorization example
☞ One-way functions Example

Functions
Trapdoor one-way functions
☞ A trapdoor one-way function is a one-way function f : X −→ Y with the additional
property that given some extra information (called the trapdoor information) it
becomes feasible to find for any given y ∈ Im(f), an x ∈ X such that f(x) = y.
☞ Example 1.15 illustrates the concept of a trapdoor one-way function. With the
additional information of the factors of n = 2624653723 (namely, p = 48611 and
q = 53993, each of which is five decimal digits long) it becomes much easier to
invert the function.
☞ The factors of 2624653723 are large enough that finding them by hand computation
would be difficult. Of course, any reasonable computer program could find the
factors relatively quickly.
☞ If one selects p and q to be very large distinct prime numbers (each having about
100 decimal digits) then, by today’s standards, it is a difficult problem, even with the
most powerful computers, to deducep and q simply from n. This is the well-known
integer factorization problem and a source of many trapdoor one-way functions.

Trapdoor function
A simple prime factorization example
☞ A trapdoor function is a special case of a
one-way function.
☞ It is a one-way function: easy to compute in
one direction but difficult to compute in the
opposite direction (finding its inverse).
☞ However, with trapdoor information (t) given,
it is easy to find its inverse.

Trapdoor one-way functions
☞ It remains to be rigorously established whether there actually are any
(true) one-way functions.
☞ That is to say, no one has yet definitively proved the existence of such
functions under reasonable (and rigorous) definitions of “easy” and
“computationally infeasible”. Since the existence of one-way functions is
still unknown, the existence of trapdoor one-way functions is also
unknown.
☞ However, there are a number of good candidates for one-way and
trapdoor one-way functions.
☞ One-way and trapdoor one-way functions are the basis for public-key
cryptography.

Permutations
☞ Permutations are functions which are often used in various cryptographic
constructs.

(i) Symmetric-key encryption
☞ Consider an encryption scheme consisting of the sets of encryption and
decryption transformations {Ee : e ∈ K} and {Dd : d ∈ K}, respectively,
where K is the key space.
☞ The encryption scheme is said to be symmetric-key if for each associated
encryption/decryption key pair (e, d), it is computationally “easy” to
determine d knowing only e, and to determine e from d.

☞ A symmetric encryption scheme has five ingredients:
1 Plaintext: The original message or data that is fed into the algorithm as
input.
2 Encryption algorithm: performs various substitutions and transformations
on the plaintext.
3 Secret key: is input to encryption algorithm, resulting in different output
depending on key.
4 Ciphertext: is a random stream of data that is unintelligible depending on
the plaintext and secret key.
5 Decryption algorithm: takes ciphertext and secret key and produces
original plaintext.

☞ Two-party communication using encryption,
with a secure channel for key exchange. The
decryption key d can be efficiently computed
from the encryption key e.
♥ One of the major issues with symmetric-key
systems is to find an efficient method to agree
upon and exchange keys securely.
➜ In symmetric-key encryption, the encryption
key e is transported from one entity to the
other with the understanding that both can
construct the decryption key d. This means
that the key e must also be kept secret, as d
can be deduced from e.

Cryptanalysis and Brute-Force Attack
☞ Attack a conventional encryption scheme to recover the key in use, not
plaintext.
➦ Cryptanalysis: This type of attack exploits the characteristics of the
algorithm to attempt to deduce a specific plaintext or to deduce the key
being used.
➦ Brute-force attack: The attacker tries every possible key on a piece of
ciphertext until an intelligible translation into plaintext is obtained. On
average, half of all possible keys must be tried to achieve success.

symmetric-key encryption schemes: block ciphers and stream ciphers.
☞ Stream cipher
♥ Stream cipher works on a single bit at a time.
♥ RC4 (rivest Cipher 4) is the most widely used
of all stream ciphers, particularly in software.
☞ Block cipher
♥ A block cipher is an algorithm operating on
fixed-length groups of bits called blocks.
♥ When data comes in, data comes in chunks.
♥ The usual sizes of each block are 64 bits, 128
bits, and 256 bits.
♥ Block cipher includes DES, Triple DES, IDEA,
RC5, AES, and blowfish.
♥ Two important classes of block ciphers are
substitution ciphers and transposition ciphers

Substitution ciphers and transposition ciphers
Simple substitution ciphers
Let A be an alphabet of q symbols and M be the set of all strings of length t
over A. Let K be the set of all permutations on the set A. Define for each
e ∈ K an encryption transformation Ee as:
➜ Ee(m) = (e (m1) e (m2) · · · e (mt)) = (c1c2 · · · ct) = c
➜ where m = (m1m2 · · · mt) ∈ M. In other words, for each symbol in a
t-tuple, replace (substitute) it by another symbol from A according to
some fixed permutation e. To decrypt c = (c1c2 · · · ct) compute the
inverse permutation d = e−1
and
➜ Dd(c) = (d (c1) d (c2) · · · d (ct)) = (m1m2 · · · mt) = m
➜ Ee is called a simple substitution cipher or a mono-alphabetic substitution
cipher.

Classical Encryption techniques
(i) Caesar cipher
☞ The Caesar cipher involves replacing each
letter of the alphabet with the letter standing
three places further down the alphabet. For
example,
➜ plain: meet me after the toga party
➜ cipher: PHHW PH DIWHU WKH WRJD
SDUWB
☞ We can define the transformation by listing
all possibilities, as follows:
➜ plain: a b c d e f g h i j k l m n o p q r s t u v
w x y z
➜ cipher: D E F G H I J K L M N O P Q R S T
U V W X Y Z A B C
☞ The algorithm (for each plaintext letter p,
substitute the ciphertext letter C :)
➜ C = E(3, p) = (p + 3)mod 26

(i) Caesar cipher
☞ A shift may be of any amount, so that the general Caesar algorithm is:
C = E(k, p) = (p + k)mod 26 where k takes on a value in the range 1 to
25. The decryption algorithm is simply.
➜ p = D(k, C) = (C − k)mod 26
☞ If it is known that a given ciphertext is a Caesar cipher, then a brute-force
cryptanalysis is easily performed: simply try all the 25 possible keys
☞ Three important characteristics of this problem enabled us to use a
bruteforce cryptanalysis:
1 The encryption and decryption algorithms are known.
2 There are only 25 keys to try.
3 The language of the plaintext is known and easily recognizable.

(i) Caesar cipher
☞ Figure shows the plaintext leaps out as
occupying the third line.
➜ What generally makes brute-force cryptanalysis
impractical is the use of an algorithm that
employs a large number of keys.
➜ For example, the triple DES algorithm, makes
use of a 168-bit key, giving a key space of 2168
or greater than 3,7 ∗ 1050
possible keys.
➜ If plaintext language is unknown, then plaintext
output may not be recognizable.
➜ If this file is then encrypted with a simple
substitution cipher, then the plaintext might
not be recognized when it is uncovered in a
brute-force cryptanalysis.

(ii) monoalphabetic substitution cipher
☞ A permutation of a finite set of elements S is an ordered sequence of all
the elements of S, with each element appearing exactly once. For
example, if S = {a, b, c}, there are six permutations of S :
➜ abc, acb, bac, bca, cab, cba
➜ In general, there are n! permutations of a set of n elements, because the first
element can be chosen in one of n ways, the second in n − 1 ways, the third in
n − 2 ways, and so on.
☞ Recall the assignment for the Caesar cipher:
➜ plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
➜ cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
☞ If, instead, the “cipher” line can be any permutation of the 26 alphabetic
characters, then there are 26! or greater than 4 ∗ 1026
possible keys.

☞ A monoalphabetic substitution cipher would
seem to eliminate brute-force techniques for
cryptanalysis. This is because a single cipher
alphabet (mapping from plain alphabet to
cipher alphabet) is used per message.
☞ However, If the cryptanalyst knows the nature
of the plaintext (e.g., noncompressed English
text), then the analyst can exploit the
regularities of the language, e.g., see the
ciphertext and relative frequencies of the
letters in the ciphertext (in %).

➜ The relative frequency of the letters can be
determined and compared to a standard
frequency distribution for English.
➜ It seems likely that cipher letters P and Z are
the equivalents of plain letters e and t. The
letters S, U, O, M, and H are relatively high
frequency and correspond to plain letters from
the set {a, h, i, n, o, r, s}. The letters with the
lowest frequencies (A, B, G, Y, I, J) are likely
included in the set {b, j, k, q, v, x, z}.
➜ A more systematic approach is to look for other
regularities. A powerful tool is to look at the
frequency of two-letter combinations, known as
digrams.
➜ The most common such digram is th. In our
ciphertext, the most common digram is ZW,
which appears three times.

➜ So we make the correspondence of Z with t and W with h. Then, by our
earlier hypothesis, we can equate P with e. Now notice that the sequence
ZWP appears in the ciphertext, and we can translate that sequence as
“the.” This is the most frequent trigram (three-letter combination) in
English, indicating that we are on the right track.
➜ Continued analysis of frequencies plus trial and error should easily yield a
solution from this point. The complete plaintext, with spaces added
between words, follows:

“it was disclosed yesterday that several informal but direct contacts have been
made with political representatives of the viet cong in moscow.”
➜ Monoalphabetic ciphers are easy to break because they reflect the frequency data of
the original alphabet. A countermeasure is to provide multiple substitutes, known as
homophones, for a single letter.
➜ For example, the letter e could be assigned a number of different cipher symbols,
such as 16, 74, 35, and 21, with each homophone assigned to a letter in rotation or
randomly.
➜ However, even with homophones, each element of plaintext affects only one element
of ciphertext, and multiple-letter patterns (e.g., digram frequencies) still survive in
the ciphertext, making cryptanalysis relatively straightforward.
➜ Two principal methods are used in substitution ciphers to lessen the extent to which
the structure of the plaintext survives in the ciphertext: One approach is to encrypt
multiple letters of plaintext, and the other is to use multiple cipher alphabets.

(iii) Playfair cipher
➜ Multiple-letter encryption cipher, which treats digrams in the plaintext as single
units and translates these units into ciphertext digrams.
➜ It is based on the use of a 5 * 5 matrix of letters constructed using a keyword. Here
is an example, the keyword is monarchy.
➜ The matrix is constructed by filling in the letters of the keyword (minus duplicates)
from left to right and from top to bottom, and then filling in the remainder of the
matrix with the remaining letters in alphabetic order. The letters I and J count as
one letter.

☞ Plaintext is encrypted two letters at a time, according to the following
rules:
1 Repeating plaintext letters that are in the same pair are separated with a filler
letter, such as x, so that balloon would be treated as ba lx lo on.
2 Two plaintext letters that fall in the same row of the matrix are each replaced by
the letter to the right, with the first element of the row circularly following the last.
For example, ar is encrypted as RM
3 Two plaintext letters that fall in the same column are each replaced by the letter
beneath, with the top element of the column circularly following the last. For
example, mu is encrypted as CM.
4 Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own
row and the column occupied by the other plaintext letter. Thus, hs becomes BP
and ea becomes IM (or JM, as the encipherer wishes).

(iii) Playfair cipher, Examples
(1) Playfair cipher Examples

(iii) Playfair cipher, Examples
(2) Playfair cipher, Question with solutions

☞ The Playfair cipher is a great advance over simple monoalphabetic
ciphers.
➦ For one thing, whereas there are only 26 letters, there are 26 * 26 = 676 digrams,
so the identification of individual digrams is more difficult.
➦ Furthermore, the relative frequencies of individual letters exhibit a much greater
range than that of digrams, making frequency analysis much more difficult.
➦ For these reasons, the Playfair cipher was for a long time considered unbreakable.
➦ Despite this level of confidence in its security, the Playfair cipher is relatively easy to
break, because it still leaves much of the structure of the plaintext language intact.
➦ A few hundred letters of ciphertext are generally sufficient.

Chapter xxx: Block ciphers:
Contents in Brief
✓ Modes of operation
✓ DES and its variants,
✓ RCS,
✓ IDEA,
✓ SAFER,
✓ FEAL,
✓ BlowFish,
✓ AES,

Introduction and overview
☞ Block ciphers can be either symmetric-key or public-key
➦ When multiple blocks of plaintext are encrypted using the same key, a number of
security issues arise. To apply a block cipher in a variety of applications, five modes
of operation have been defined by NIST.
➦ A block cipher is a function which maps n-bit plaintext blocks to n-bit ciphertext
blocks; n is called the blocklength.
➦ The function is parameterized by a k-bit key K, taking values from a subset (the key
space) of the set of all n-bit vectors Vk. It is generally assumed that the key is
chosen at random.
➦ Use of plaintext and ciphertext blocks of equal size avoids data expansion.
➦ To allow unique decryption, the encryption function must be one-to-one (i.e.,
invertible). For n-bit plaintext and ciphertext blocks and a fixed key, the encryption
function is a bijection, defining a permutation on n-bit vectors.

Block Cipher Modes of Operation
Five types
Figura: Block Cipher Modes of Operation

Five types
➜ Cryptographic algorithm works on main two techniques: block and stream
ciphers.
➜ In a stream cipher, the plaintext is encrypted one bit at a time.
➜ In a block cipher, the plaintext is broken into blocks of a fixed length and
the bits in each block are encrypted together.
➜ One of the main issues with block ciphers is that they only allow you to
encrypt messages the fixed size as their block length.
➜ If plaintext, which has a block size 64 bits easily encrypt. But encrypt a
65-bit message, you need a way to define how the second block should be
encrypted.

Five types
➜ The solution to this is called block cipher
modes of operation. Need of block cipher mode
is basic building block for providing data
security.
➜ In block cipher rather than encrypting one bit
at a time, block of bits is encrypted at a time.
➜ There are 5 modes of operation for block cipher
that may be used in a wide variety of
applications like symmetric key cryptographic
algorithm.
➜ These modes define how data encrypted and
decrypted.

(1) Electronic Codebook (ECB) Mode
➜ In ECB (Electronic Code Book) mode, the
given plain text message is divided into blocks
of 64 bits each, and each 64 bits block gets
encrypted independently. The plaintext box
produces cipher text of same size.
➜ Hence, we can imagine a gigantic codebook
with an entry for every possible b − bit plaintext
pattern showing its corresponding ciphertext.
➜ The size of each plan (block) and cipher text
should be 64 bits. and the key is the same for
each block. The plane text is encrypted and
decrepited independently. Finally, combine each
P1 to PN to get the original plane text. This is
suitable only for short messages.

☞ The procedure is simply to break the message into b − bit blocks, padding
the last block if necessary.
☞ Decryption is performed one block at a time, always using the same key.
In Figure, the plaintext consists of a sequence of b − bit blocks,
P1, P2, ..., PN ; the corresponding sequence of ciphertext blocks is
C1, C2, ..., CN .
☞ The ECB mode should be used only to secure messages shorter than a
single block of underlying cipher (i.e., 64 bits for 3DES and 128 bits for
AES).
☞ The most significant characteristic of ECB is that if the same b − bit
block of plaintext appears more than once in the message, it always
produces the same ciphertext.

☞ The drawback of ECB mode is that for occurrence of more than one
plaintext block in the input generates the same cipher text block in the
output, which gives clue to the attacker. For example, “ABC” plain text
convert into 64-bit block and it generates 64-bit cipher text “XYZ”.
☞ If the message is highly structured, it may be possible for a cryptanalyst
to exploit these regularities.
☞ For example, if it is known that the message always starts out with certain
predefined fields, then the cryptanalyst may have a number of known
plaintext–ciphertext pairs to work with.
☞ If the message has repetitive elements with a period of repetition a
multiple of b bits, then these elements can be identified by the analyst.

(2) cipher block chaining (CBC)
➜ The cipher block chaining mode is used to
overcome the problem of ECB mode. In this
mode, the first block of plaintext is XORed
with an Initialization Vector (IV), which is then
encrypted using key k produces cipher text
block 1. In the next step, each plaintext block
is XORed with the previous cipher text block.
The procedure continues till all plaintext block
gets encrypted shown in the figure.
➜ Plaintext blocks are represented by using P1,
P2, P3,...,Pn, and corresponding ciphertext
blocks are represented using C1, C2, C3,..., Cn.
The initialization vector does not have a special
meaning; it is simply used to make the input
message more complicated or unique.
➜ As with the ECB mode, the last block must be
padded to a full b bit if it is a partial block.

XOR in Cryptography
☞ (eXclusive OR): A Boolean logic operation that
is widely used in cryptography as well as in
generating parity bits for error checking and
fault tolerance.
☞ XOR compares two input bits and generates
one output bit.
☞ The logic is simple. If the bits are the same, the
result is 0. If the bits are different, the result is
1.

☞ In this mode decryption process, cipher text block 1 gets decrypted using
the same key used earlier during the encryption process the output of this
step is XOR with IV and produces Plaintext.
☞ In the next step, the cipher text block 2 is decrypted, and its output is
XOR with cipher text block 1 which results in plaintext block 2.
☞ Repeat the process for all cipher text blocks to produce original plaintext
blocks, as shown in the above figure.

☞ On decryption, the IV is XORed with the output of the decryption
algorithm to recover the frst block of plaintext. The IV is a data block
that is the same size as the cipher block.
☞ This means that if an opponent can predictably change bits in IV, the
corresponding bits of the received value of P1 can be changed. For other
possible attacks based on prior knowledge of IV.
☞ In conclusion, because of the chaining mechanism of CBC, it is an
appropriate mode for encrypting messages of length greater than b bits. In
addition to its use to achieve confidentiality, the CBC mode can be used
for authentication.
☞ Application of CBC Mode: CBC mode is applicable whenever large
amounts of data need to be sent securely. (e.g., email, FTP, web etc..)

cipher feedback (CFB) mode
(3) Cipher feedback (CFB) mode
☞ CFB mode uses block cipher but acts as a stream cipher. It means data is
encrypted in smaller units of block 8 bits rather than a predefined size of
64 bits.
☞ A stream cipher eliminates the need to pad a message to be an integral
number of blocks. It also can operate in real time. If a character stream is
being transmitted, each character can be encrypted and transmitted
immediately.
☞ One desirable property of a stream cipher is that the ciphertext be of the
same length as the plaintext. Thus, if 8-bit characters are being
transmitted, each character should be encrypted to produce a ciphertext
output of 8 bits.

☞ In the CFB encryption process, 64 bits initialization vector is used, which
is kept in 64 bits of a shift register.
☞ The Initial Vector (IV) is encrypted and produces a 64-bits encrypted IV.
It is divided into two parts s(8 bits) and b-s (remaining 56 bits).
☞ Now the leftmost s bits (size of 8 bits) of the encrypted IV are XORed
with the first s bits (size of 8 bits) of plain text P1 to produce the first s
bits of cipher text C1, which is then transmitted to the next step.
☞ In the next step, the content of the 64-bit shift register is shifted left by
b-s bits, and C1 is placed in the right-most s bits of the shift register,
which again undergoes the encryption process shown in the figure. This
process continues until all plain text units have been encrypted.

(3) Cipher feedback (CFB) mode: (a) Encryption
➜ The figure assumes that the unit of
transmission is s bits; a common value is s = 8.
In this case, rather than blocks of b bits, the
plaintext is divided into segments of s bits.
➜ First, the input to the encryption function is a
b − bit shift register initially set to some IV.
➜ The leftmost (most significant) s bits of the
output of the encryption function are XORed
with the first segment of plaintext P1 to
produce the first unit of ciphertext C1, which is
then transmitted.
➜ In addition, the contents of the shift register
are shifted left by s bits, and C1 is placed in the
rightmost (least significant) s bits of the shift
register. This process continues until all
plaintext units have been encrypted.

(3) Cipher feedback (CFB) mode: (b) Decryption
➜ For decryption, the same scheme is used,
except that the received ciphertext unit is
XORed with the output of the encryption
function to produce the plaintext unit.
➜ Note that it is the encryption function that is
used, not the decryption function. This is easily
explained. Let MSBs(X) be defined as the
most significant s bits of X. Then,
➜ We can define CFB mode as follows.

☞ Although CFB can be viewed as a stream cipher, it does not conform to
the typical construction of a stream cipher. In a typical stream cipher, the
cipher takes as input some initial value and a key and generates a stream
of bits, which is then XORed with the plaintext bits.
☞ In the case of CFB, the stream of bits that is XORed with the plaintext
also depends on the plaintext.
☞ In CFB encryption, like CBC encryption, the input block to each forward
cipher function (except the first) depends on the result of the previous
forward cipher function; therefore, multiple forward cipher operations
cannot be performed in parallel.
☞ In CFB decryption, the required forward cipher operations can be
performed in parallel if the input blocks are first constructed (in series)
from the IV and the ciphertext.

Output feedback mode (OFB)
(4) Output feedback mode (OFB)
☞ The OFB mode is similar in structure to that of CFB. For OFB, the
output of the encryption function is fed back to become the input for
encrypting the next block of plaintext. In CFB, the output of the XOR
unit is fed back to become input for encrypting the next block.
☞ The other difference is that the OFB mode operates on full blocks of
plaintext and ciphertext, whereas CFB operates on an s − bit subset. OFB
encryption can be expressed as

☞ Some thought should convince you that we can rewrite the encryption
expression as:
☞ We can define OFB mode as follows.

(4) Output feedback mode (OFB): encryption
➜ As with CBC and CFB, the OFB mode requires
an initialization vector. In the case of OFB, the
IV must be unique to each execution of the
encryption operation.
➜ The reason for this is that the sequence of
encryption output blocks, Oi, depends only on
the key and the IV and does not depend on the
plaintext.
➜ Therefore, for a given key and IV, the stream of
output bits used to XOR with the stream of
plaintext bits is fixed.
➜ If two different messages had an identical block
of plaintext in the identical position, then an
attacker would be able to determine that
portion of the Oi, stream.

Output feedback mode (OFB) mode
(4) Output feedback mode (OFB): Decryption
➜ One advantage of the OFB method is that bit
errors in transmission do not propagate. For
example, if a bit error occurs in C1, only the
recovered value of P1 is affected; subsequent
plaintext units are not corrupted. With CFB,
C1 also serves as input to the shift register and
therefore causes additional corruption
downstream.
➜ The disadvantage of OFB is that it is more
vulnerable to a message stream modification
attack than is CFB.
➜ Consider that complementing a bit in the
ciphertext complements the corresponding bit
in the recovered plaintext. Thus, controlled
changes to the recovered plaintext can be
made. This may make it possible for an
opponent, by making the necessary changes to
the checksum portion of the message as well as

Output feedback mode (OFB) mode
➜ OFB has the structure of a typical stream cipher, because the cipher
generates a stream of bits as a function of an initial value and a key, and
that stream of bits is XORed with the plaintext bits.
➜ The generated stream that is XORed with the plaintext is itself
independent of the plaintext; this is highlighted by dashed boxes in Figure.
➜ One distinction from the stream ciphers is that OFB encrypts plaintext a
full block at a time, where typically a block is 64 or 128 bits. Many
stream ciphers encrypt one byte at a time.

OFB vs CFB
Differences
➜ The output feedback (OFB) mode is similar in structure to that of CFB.
In CFB, the ciphertext unit is fed back to the shift register.
➜ In the case of output feedback mode (OFB), the difference is that output
of encryption process O1, instead of generating text C1 is directly placed
in the next stage of the shift register without XOR operation.
➜ In OFB mode, if there is a small error in individual bits, it remains an
error in individual bits, which does not corrupt the whole encrypted
message (to avoid bit error transmission), which is the biggest advantage
of OFB mode over all other modes.
➜ Another difference of OFB mode operates on full blocks of plaintext and
ciphertext, not on an s-bit subset.

counter (CTR) mode
(5) counter (CTR) mode: (a) Encryption
➜ Although interest in the counter (CTR) mode
has increased recently with applications to
ATM (asynchronous transfer mode) network
security and IPsec (IP security), this mode was
proposed in 1979.
➜ Figure depicts the CTR mode. A counter equal
to the plaintext block size is used. The counter
is initialized to some value and then
incremented by 1 for each subsequent block
(modulo 2b, where 2 is the block size).
➜ For encryption, the counter is encrypted and
then XORed with the plaintext block to
produce the ciphertext block; there is no
chaining.

counter (CTR) mode
(5) counter (CTR) mode: (b) Decryption
➜ For decryption, the same sequence of counter
values is used, with each encrypted counter
XORed with a ciphertext block to recover the
corresponding plaintext block.
➜ Thus, the initial counter value must be made
available for decryption. Given a sequence of
counters T1, T2,..., TN , we can define CTR
mode as follows.
➜ For the last plaintext block, which may be a
partial block of u bits, the most significant u
bits of the last output block are used for the
XOR operation; the remaining b − u bits are
discarded. Unlike the ECB, CBC, and CFB
modes, we do not need to use padding because
of the structure of the CTR mode.

counter (CTR) mode
(5) counter (CTR) mode
➜ As with the OFB mode, T1 must be different for all of the messages
encrypted using the same key.
➜ Further, all Ti values across all messages must be unique. If, contrary to
this requirement, a counter value is used multiple times, then the
confidentiality of all of the plaintext blocks corresponding to that counter
value may be compromised.
➜ In particular, if any plaintext block that is encrypted using a given counter
value is known, then the output of the encryption function can be
determined easily from the associated ciphertext block.
➜ This output allows any other plaintext blocks that are encrypted using the
same counter value to be easily recovered from their associated ciphertext
blocks. One way to ensure the uniqueness of counter values is to continue
to increment the counter value by 1 across messages.

counter (CTR) mode
(5) counter (CTR) mode: Advantages
☞ Hardware efficiency:
➦ Encryption (or decryption) in CTR mode can be done in parallel on multiple blocks
of plaintext or ciphertext.
➦ Unlike the three chaining modes, the algorithm must complete the computation on
one block before beginning on the next block.
➦ This limits the maximum throughput of the algorithm to the time for one execution
of block encryption or decryption.
☞ Software efficiency:
➦ Because of the opportunities for parallel execution in CTR mode, processors that
support parallel features, such as aggressive pipelining, multiple instruction dispatch
per clock cycle, a large number of registers, and SIMD instructions, can be
effectively utilized.

counter (CTR) mode
(5) counter (CTR) mode: Advantages
☞ Preprocessing:
➦ Preprocessing can be used to prepare the output of the encryption boxes that feed
into the XOR functions. When the plaintext or ciphertext input is presented, then
the only computation is a series of XORs. Such a strategy greatly enhances
throughput and security.
☞ Random access:
➦ With the chaining modes, block Ci cannot be computed until the i − 1 prior blocks
are computed. There may be applications in which a ciphertext is stored and it is
desired to decrypt just one block. For such applications, the random access feature
is attractive.
☞ Provable security: It can be shown that CTR is at least as secure as the
other.
☞ Simplicity:
➦ Unlike ECB and CBC modes, CTR mode requires only the implementation of the
encryption algorithm and not the decryption algorithm.

Chapter xxx: Data Encryption Standard (DES)
Contents in Brief
✓

Data Encryption Standard (DES)
Introduction
☞ Developed in early 1970’s at IBM. DES is
landmark in cryptographic algorithms.
☞ DES works based on Feistel Cipher Structure.
DES is symmetric cipher algorithm and use
block cipher method for encryption and
decryption. The Figure bellow is Process of
DES. and the right figure is Key Discarding
Process.

Steps of DES
1 Step – 1: 64-bit plain text block is given to
Initial Permutation (IP) function.
2 Step – 2: IP performed on 64-bit plain text
block.
3 Step – 3: IP produced two halves of the
permuted block known as Left Plain Text
(LPT) and Right Plain Text (RPT).
4 Step – 4: Each LPT and RPT performed
16-rounds of encryption process.
5 Step – 5: LPT and RPT rejoined and Final
Permutation (FP) is performed on combined
block.
6 Step – 6: 64-bit Cipher text block is generated.

Steps of DES
Initial Permutation (IP) Generate LPT -RPT
☞ Initial Permutation performed only once. Bit
sequence have changed as per IP table.
☞ For Example: 1st bit takes 40th Position, 58th
bit take 1st position
☞ Output of IP is divided into two equal halves
known as LPT, RPT. (LPT – 32 bits, RPT –
32 bit)

Steps of DES
16 Rounds of Encryption
☞ Step – 1: Key Transformation (56-bit key)
1 Key Bit Shifted per round
2 Compression Permutation
☞ Step – 2: Expansion permutation of Plain Text
and X-OR (P.T. size: 48 bit, C.T. size: 48 bit)
☞ Step – 3: S-box Substitution
☞ Step – 4: P-box (Permutation)
☞ Step – 5: X-OR and Swap.

Steps of DES
Step – 1: Key Bit Shifted per Round
☞ 56-bit key is divided into two halves each of
28-bits.
☞ Circular left shift is performed on each half.
☞ Shifting of Bit position is depending on round.
☞ For round number 1,2,9 and 16 shifts are done
by one position.
☞ For remaining rounds shift is done by 2
positions.

Steps of DES
Step – 1: Key Bit Shifted per Round
☞ Compression Permutation
☞ 56-bit input with bit shifting position
☞ Generates 48-bit key (Compression of Key
bit)
☞ Drop 9, 18, 22, 25, 35, 38, 43 and 54 bits.
☞ Generated 48 bits keys are as below:

Steps of DES
Step – 2: Expansion Permutation and X-OR
☞ 32-bit RPT of IP is expanded to 48-bits
☞ Expansion permutation steps:
☞ 32-bit RPT is divided into 8-blocks each of
4-bits
☞ 48-bit RPT is XORed with 48-bit Key and
output is given to S-Box.

Steps of DES
Step – 3: S-BOX Substitution

Steps of DES
Step -4: P-BOX Permutation
☞ Output of s-box is given to p-box
☞ 32-bit is permuted with 16 x 2 permutation
table
☞ For Example: 16th bit of S-box takes 1st
Position as per below permutation table.

Steps of DES
Step – 5: XOR and SWAP
☞ 32-bit LPT is XORed with 32-bit p-box.
☞ 1st round of encryption is completed. Now
remaining 15 rounds will be performed same as
1st round.

Steps of DES
Final Permutation
☞ At the end of the 16 rounds, the final
permutation is performed (only once).
☞ For Example: 40th bit of input takes 1st
Position as per below permutation table.
☞ The output of the final permutation is the
64-bit encrypted block (64-bit cipher text
block).

☞ Until the introduction of the Advanced Encryption Standard (AES) in
2001, the Data Encryption Standard (DES) was the most widely used
encryption scheme. DES was adopted in 1977 by the NIST. It has been
the subject of much controversy concerning how secure the DES is. The
DES transforms 64-bit input into a series of steps using a 56-bit key.
☞ The overall scheme for DES encryption is illustrated in Figure. As with
any encryption scheme, there are two inputs to the encryption function:
➜ the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits
in length and the key is 56 bits in length.
☞ Looking at the left-hand side of the figure, we can see that the processing
of the plaintext proceeds in three phases.

DES encryption
➜ First, the 64-bit plaintext passes through an
initial permutation (IP) that rearranges the bits
to produce the permuted input.
➜ This is followed by a phase consisting of sixteen
rounds of the same function, which involves
both permutation and substitution functions.
The output of the last (sixteenth) round
consists of 64 bits that are a function of the
input plaintext and the key. The left and right
halves of the output are swapped to produce
the preoutput.
➜ Finally, the preoutput is passed through a
permutation [IP−1
] which is the inverse of the
initial permutation function, to produce the
64-bit ciphertext. Except for the initial and final
permutations, DES has the exact structure of a
Feistel cipher.

DES decryption
☞ The right-hand portion of the Figure shows how the 56-bit key is used.
Initially, the key is passed through a permutation function. Then, for each
of the sixteen rounds, a subkey(Ki) is produced by combining a left
circular shift and a permutation. The permutation function is the same for
each round, but a different subkey is produced because of the repeated
shifts of the key bits.
☞ As with any Feistel cipher, decryption uses the same algorithm as
encryption, except that the application of the subkeys is reversed.
Additionally, the initial and final permutations are reversed.

DES Example
☞ We now work through an example and consider some of its implications.
Although you are not expected to duplicate the example by hand, you will
find it informative to study the hex patterns that occur from one step to
the next.
☞ For this example, the plaintext is a hexadecimal palindrome. The
plaintext, key, and resulting ciphertext are as follows:

DES Example
☞ Result
➦ The table shows the progression of the algorithm. The first row shows the
32-bit values of the left and right halves of data after the initial
permutation. The next 16 rows show the results after each round. Also
shown is the value of the 48-bit subkey generated for each round.
➦ Note that Li = Ri − 1. After the inverse initial permutation, the final row
shows the left- and right-hand values. These two values combined form
the ciphertext.

DES Example Result
➜ The table shows the progression of the
algorithm. The first row shows the 32-bit values
of the left and right halves of data after the
initial permutation. The next 16 rows show the
results after each round. Also shown is the value
of the 48-bit subkey generated for each round.
➦ Note that Li = Ri − 1. After the inverse initial
permutation, the final row shows the left- and
right-hand values. These two values combined
form the ciphertext.
➜ A desirable property of any encryption
algorithm is that a small change (one bit) in
either the plaintext or the key should produce a
significant change in the ciphertext. This is
referred to as the avalanche effect.

Avalanche Effect in DES: Change in Plaintext
➦ Using the example from both Tables shows the
result when the fourth bit of the plaintext is
changed, so that the plaintext is
12468aceeca86420.
➦ The second column of the table shows the
intermediate 64-bit values at the end of each
round for the two plaintexts. The third column
shows the number of bits that differ between
the two intermediate values.
➦ The table shows that, after just three rounds,
18 bits differ between the two blocks. On
completion, the two ciphertexts differ in 32 bit
positions.

Avalanche Effect in DES: Change in Key
➦ Table shows a similar test using the original
plaintext of with two keys that differ in only the
fourth bit position: the original key,
0f1571c947d9e859, and the altered key,
1f1571c947d9e859.
➦ The results show that about half of the bits in
the ciphertext differ and that the avalanche
effect is pronounced after just a few rounds.

The Strength of DES: The USe of 56-Bit Keys
☞ These concerns, by and large, fall into two areas: key size and the nature
of the algorithm.
➦ With a key length of 56 bits, there are 256
possible keys, which is
approximately 7,2 ∗ 1016
keys. Thus, on the face of it, a brute-force attack
appears impractical.
➦ Assuming that, on average, half the key space has to be searched, a single
machine performing one DES encryption per microsecond would take
more than a thousand years to break the cipher.
➦ As far back as 1977, Diffie and Hellman postulated that the technology
existed to build a parallel machine with 1 million encryption devices, each
of which could perform one encryption per microsecond.

The Strength of DES: The USe of 56-Bit Keys
➦ With current technology, it is not even necessary to
use special, purpose-built hardware. The speed of
commercial, off-the-shelf processors threatens the
security of DES. A recent analysis suggests that with
contemporary supercomputer technology, 1013
encryptions per second is reasonable.
➦ A single PC can break DES in about a year; if
multiple PCs work in parallel, the time is drastically
shortened. Key sizes of 128 bits or greater are
effectively unbreakable using simply a brute-force
approach. Even if we managed to speed up the
attacking system by a factor of 1 trillion, it would
still take over 100,000 years to break a code using a
128-bit key.
➦ Fortunately, there are a number of alternatives to
DES, the most important of which are AES and
triple DES.

The Strength of DES: The nature of the algorithm
☞ Another concern is that cryptanalysis is possible by exploiting the
characteristics of the DES algorithm.
☞ The focus of concern has been on the eight substitution tables, or
S-boxes, used in each iteration.
☞ Because the design criteria for these boxes, and indeed for the entire
algorithm, were not made public, there is a suspicion that the boxes were
constructed in such a way that cryptanalysis is possible for an opponent
who knows the weaknesses in the S-boxes.
☞ This assertion is tantalizing, and over the years, several regularities and
unexpected behaviors of the S-boxes have been discovered.
☞ Despite this, no one has so far succeeded in discovering the supposed fatal
weaknesses in the S-boxes.

The Strength of DES: A timing attack
☞ A timing attack is when information about the key or the plaintext is
obtained by observing how long it takes a given implementation to
perform decryptions on various ciphertexts.
☞ A timing attack exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of time on different inputs.
☞ It is reported that it yields the Hamming weight (number of bits equal to
one) of the secret key. This is a long way from knowing the actual key,
but it is an intriguing first step.
☞ The authors conclude that DES is fairly resistant to a successful timing
attack but suggest some avenues to explore.
☞ Although this is an interesting line of attack, it so far appears unlikely
that this technique will ever be successful against DES or more powerful
symmetric ciphers such as triple DES and AES.

The Advanced Encryption Standard (AES)
AES Structure
➦ The AES was published by the NIST in 2001. AES is
intended to replace DES as the approved standard
for a wide range of applications. Compared to
public-key ciphers such as RSA, the structure of AES
is quite complex.
➦ In AES, all operations are performed on 8-bit bytes.

Introduction
☞ AES is symmetric key cryptographic algorithm published by NIST in 2001.
☞ AES is replacement of DES. AES works on block cipher technique, i.e.,
size of plain text and cipher text must be same.
☞ An input key is also same size of plain text, e.g., In AES, the data length
(plane text size) of 128, 192, and 256 bits, and supporting three different
key lengths, 128, 192, and 256 bits.
☞ AES consists of multiple rounds of processing different key bits like 10
rounds for processing 128-bit keys, 12 rounds for processing 192-bit keys,
and 14 rounds for processing 256-bit keys.

Plain Text transform in Matrix Form
☞ Consider, “AES USES A MATRIX”.
☞ If we want to use 16 bit, we need to add to Z Z at
the end to make it 16 characters
☞ Then, all the character convert into numbers, and
the numbers are then converted to hexadecimals.
☞ Plain text (128-bit) converts into 4x4 square matrix
of bytes. Therefore, the first four bytes of a 128-bit
input block occupy first column in the 4x4 matrix of
bytes. The next four bytes occupy the second
column, and so on.
☞ Each cell (e.g., 00 is 4bit+4bit) in the matrix
contains 8 bit (8x16 =128 bit).
☞ AES operates on a 4x4 column-major order matrix of
bytes; called as state array.

Steps of AES Encryption
☞ Overall structure of AES encryption process
shown in figure. The number of rounds is 10,
for the case when the encryption key is 128 bit
long. (12 rounds – 192 bits, 14-rounds – 256
bits).
☞ For encryption, each round consists of the
following four steps: SubBytes, ShiftRows,
MixColumns, AddRoundKey

(i) SubBytes / Substitute Bytes
☞ The table is S-box and used during encryption
process (Figure : Substituion Box with Example).
☞ AES defines a 16 x 16 matrix of byte values, called
an S-box, that contains a permutation of all possible
256 8-bit values. Each individual byte of State is
mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value
and the rightmost 4 bits are used as a column value.
These row and column values serve as indexes into
the S-box to select a unique 8-bit output value.
☞ For example, the hexadecimal value EA references
row E, column A of the S-box, which contains the
value 87. Accordingly, the value EA is mapped into
the value 87.

(i) SubBytes / Substitute Bytes
☞ The table is inverse S-box. It will be used
during decryption process.

(ii) Shift Row transformation
☞ The shift row transformation is called ShiftRows.
1 Rules of shifting rows,
2 Row 1 No Shifting
3 Row 2 1 byte left shift
☞ The inverse shift row transformation, called
InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows,
with a one-byte circular right shift for the second
row, and so on.

(iii) Mix Columns
☞ The mix column transformation, called
MixColumns, operates on each column
individually. Each byte of a column is mapped
into a new value that is a function of all four
bytes in that column.
☞ The mix column transformation, called
MixColumns, operates on each column
individually. Each byte of a column is mapped
into a new value that is a function of all four
bytes in that column.

(iv) AddRoundKey
☞ In the forward add round key transformation,
called AddRoundKey, the 128 bits of State are
bitwise XORed with the 128 bits of the round
key.
☞ As shown in figure, the operation is viewed as a
column wise operation between the 4 bytes of a
state column and one word of the round key; it
can also be viewed as a byte-level operation.
☞ Finally, here it generate the cipher text, i.e., as
shown in the right matrix.

Blowfish algorithm
Blowfish algorithm description
☞ Blowfish is a variable-length key, 64-bit block cipher (input key size). It is
symetric key encription, only suitable for applications where the key does
not change often, like a communications link or an automatic file
encryptor.
☞ The algorithm consists of two parts: a key-expansion part and a
data-encryption part.
1 Key expansion converts a key of at most 448 bits into several subkey arrays totaling
4168 bytes.
2 Data encryption occurs via a 16-round Feistel network. Each round consists of a
key-dependent permutation, and a key- and data-dependent substitution. All
operations are XORs and additions on 32-bit words. The only additional operations
are four indexed array data lookups per round.

Blowfish algorithm
Subkeys
☞ Subkeys: Blowfish uses a large number of subkeys. These keys must be
precomputed before any data encryption or decryption.
1 The P-array consists of 18 32-bit subkeys: P1, P2.....P18
2 There are four 32-bit S-boxes with 256 entries each:

Blowfish algorithm
Encryption
☞ Encryption: Blowfish is a Feistel network consisting of 16 rounds. The
input is a 64-bit data element, x.
➦ Divide x into two 32-bit halves: xL, xR
➦

Blowfish algorithm
Block Diagram of Blowfish
➦ Decryption is exactly the same as encryption,
except that P1, P2.....P18 are used in the
reverse order.
➦ Implementations of Blowfish that require the
fastest speeds should unroll the loop and ensure
that all subkeys are stored in cache.

Blowfish algorithm
Generating the Subkeys
➦ Generating the Subkeys: The subkeys are
calculated using the Blowfish algorithm. The
exact method is as follows:
1 Initialize first the P-array and then the four
S-boxes, in order, with a fixed string. This
string consists of the hexadecimal digits of pi
(less the initial 3). For example:

Blowfish algorithm
Generating the Subkeys
1 XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the
key, and so on for all bits of the key (possibly up to P14). Repeatedly cycle through
the key bits until the entire P-array has been XORed with key bits.
2 Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described
in steps (1) and (2).
3 Replace P1 and P2 with the output of step (3).
4 Encrypt the output of step (3) using the Blowfish algorithm with the modified
subkeys.
5 Replace P3 and P4 with the output of step (5).
6 Continue the process, replacing all entries of the P-array, and then all four S-boxes
in order, with the output of the continuously-changing Blowfish algorithm.

Chapter xxx: Public-key cryptography

Principles of public-key cryptosystems
Public-key cryptography
➦ The concept of public-key cryptography evolved from an attempt to
attack two of the most difficult problems associated with symmetric
encryption.
1 Key distribution under symmetric encryption requires either (1) that two
communicants already share a key, which somehow has been distributed to them; or
(2) the use of a key distribution center.
➦ The former required users to share their keys with a key-pair that could be
compromised by burglary or subpoena; the latter required them to be
decryption keys.
➦ The first was that of how electronic messages and documents should be
signed - could a method be devised that would satisfy all parties that a
digital message had been sent by a particular person?
➦ Diffie and Hellman’s method was radically different from all previous
approaches to cryptography, going back over 4,000 years, and solved two

➦ Asymmetric algorithms rely on one key for encryption and a different but
related key for decryption.
➦ These algorithms have the following important characteristic.
1 It is computationally infeasible to determine the decryption key given only
knowledge of the cryptographic algorithm and the encryption key.
➦ In addition, some algorithms, such as RSA, also exhibit the following
characteristic.
1 Either of the two related keys can be used for encryption, with the other used for
decryption.

Public-key cryptosystems
A public-key encryption scheme
➦ A public-key encryption scheme has six ingredients.
1 Plaintext: This is the readable message or data that is fed into the algorithm as
input.
2 Encryption algorithm: The encryption algorithm performs various transformations
on the plaintext.
3 Public and private keys: This is a pair of keys that have been selected so that if one
is used for encryption, the other is used for decryption. The exact transformations
performed by the algorithm depend on the public or private key that is provided as
input.
4 Ciphertext: This is the encrypted message produced as output. It depends on the
plaintext and the key. For a given message, two different keys will produce two
different ciphertexts.
5 Decryption algorithm: This algorithm accepts the ciphertext and the matching key
and produces the original plaintext.

Essential steps
➦ The essential steps are the following.
1 Each user generates a pair of keys to be used for the encryption and decryption of
messages.
2 Each user places one of the two keys in a public register or other accessible file.
This is the public key. The companion key is kept private. As Figure 9.1a suggests,
each user maintains a collection of public keys obtained from others.
3 If Bob wishes to send a confidential message to Alice, Bob encrypts the message
using Alice’s public key.
4 When Alice receives the message, she decrypts it using her private key. No other
recipient can decrypt the message because only Alice knows Alice’s private key

➦ With this approach, all participants have access
to public keys, and private keys are generated
locally by each participant and therefore need
never be distributed.
➦ As long as a user’s private key remains
protected and secret, incoming communication
is secure.
➦ At any time, a system can change its private
key and publish the companion public key to
replace its old public key.

Public-key cryptography demonstration
➦ Let us take a closer look at the essential elements of a public-key
encryption scheme
1 There is some source A that produces a message in plaintext,
X = [X1, X2, ..., XM ].
2 The message is intended for destination B. B generates a related pair of keys: a
public key, PUb, and a private key,PRb.
3 PRb is known only to B, whereas PUb is publicly available and therefore accessible
by A.
4 With the message X and the encryption key PUb as input, A forms the ciphertext
Y = [Y1, Y2, c, YN ] :
Y = E(PUb, X)
5 The intended receiver, in possession of the matching private key, is able to invert
the transformation:
X = D(PRb, Y )

Public-Key Cryptosystem: Confidentiality
➦ An adversary, observing Y and having access to
PUb, but not having access to PRb or X, must
attempt to recover X and/or PRb.
➦ If the adversary is interested only in this
particular message, then the focus of effort is to
recover X by generating a plaintext estimate X
➦ Often, however, the adversary is interested in
being able to read future messages as well, in
which case an attempt is made to recover PRb
by generating an estimate PRb.

Public-Key Cryptosystem: Authentication
➦ Figure show the use of public-key encryption to provide
authentication:
Y = E(PRa, X)
X = D(PUa, Y )
➦ In this case, A prepares a message to B and encrypts it
using A′
s private key before transmitting it. BB can
decrypt the message using A′
s public key.
➦ Because the message was encrypted using A′
s private key,
only A could have prepared the message. Therefore, the
entire encrypted message serves as a digital signature.
➦ In addition, it is impossible to alter the message without
access to A′
s private key, so the message is authenticated
both in terms of source and in terms of data integrity.
➦ This encryption process does not provide confidentiality.
That is, the message being sent is safe from alteration but
not from eavesdropping.

Public-Key Cryptosystem: Authentication and Secrecy
☞ It is possible to provide both the authentication
function and confidentiality by a double use of
the public-key scheme:
Z = E(PUb, E(PRa, X))
X = D(PUa, D(PRb, Z))
☞ In this case, we begin as before by encrypting a
message, using the sender’s private key and the
receiver’s public key.
☞ The final ciphertext can be decrypted only by
the intended receiver, who alone has the
matching private key.

public-key cryptosystems Applications
☞ Depending on the application, the sender uses either the sender’s private
key or the receiver’s public key, or both, to perform some type of
cryptographic function.
1 Encryption/decryption: The sender encrypts a message with the recipient’s public
key, and the recipient decrypts the message with the recipient’s private key.
2 Digital signature: The sender “signs” a message with its private key. Signing is
achieved by a cryptographic algorithm applied to the message or to a small block of
data that is a function of the messag
3 Key exchange: Two sides cooperate to exchange a session key, which is a secret key
for symmetric encryption generated for use for a particular transaction (or session)
and valid for a short period of time. Several different approaches are possible,
involving the private key(s) of one or both parties.

The Rivest-Shamir-Adleman (RSA) Algorithm
☞ The RSA scheme is a cipher in which the plaintext and ciphertext are
integers between 0 and n − 1 for some n.
☞ A typical size for n. is 1024 bits, or 309 decimal digits. That is, n. is less
than 21024
.
1 RSA makes use of an expression with exponentials. Plaintext is encrypted in blocks,
with each block having a binary value less than some number n.
2 Encryption and decryption are of the following form, for some plaintext block M
and ciphertext block C.
C = Me
mod n
M = Cd
mod n = (Me
)d
mod n = Med
mod n
3 Both sender and receiver must know the value of n. The sender knows the value of
e, and only the receiver knows the value of d. Thus, this is a publickey encryption
algorithm with a public key of PU = e, n and a private key of PR = d, n.

☞ For this algorithm to be satisfactory for public-key encryption, the
following requirements must be met.
1 It is possible to find values of e, d, and n such that Med
modn= M for all M < n.
2 It is relatively easy to calculate Me
mod n and Cd
mod n for all values of M < n.
3 It is infeasible to determine d given e and n.
☞ item Consider first requirement and need to find a relationship of the form
Med
mod n = M
☞ The preceding relationship holds if e and d are multiplicative inverses modulo ϕ(n),
where ϕ(n) is the Euler totient function. It is shown that for p, q prime,
ϕ(pq) = (p − 1)(q − 1). The relationship between e and d can be expressed as
ed mod ϕ(n) = 1
☞ This is equivalent to saying
ed ≡ 1 mod ϕ(n)
d ≡ e−1
mod ϕ(n).

☞ That is, e and d are multiplicative inverses mod ϕ(n). Tthis is true only if
e (and therefore d) is relatively prime to ϕ(n). Equivalently, gcd(ϕ(n), d)
= 1.
☞ We are now ready to state the RSA scheme. The ingredients are the
following:
p, q, two prime numbers (private, chosen)
n = pq (public, calculated)
e, with gcd(ϕ(n), e) = 1;1 <e < ϕ(n) (public, chosen)
d ≡ e−1
(mod ϕ(n)) (private, calculated)

☞ The private key consists of d, n and the public
key consists of e, n.
☞ Suppose that user A has published its public
key and that user B wishes to send the message
M to A.
☞ Then B calculates C = Me
mod n and
transmits C. On receipt of this ciphertext, user
A decrypts by calculating M = Cd
mod n.
☞ Figure summarizes the RSA algorithm. Alice
generates a public/private key pair; Bob
encrypts using Alice’s public key; and Alice
decrypts using her private key.

☞ An example is shown in Figure:
☞ For this example, the keys were generated as follows.
1 Select two prime numbers, p = 17 and q = 11.
2 Calculate n = pq = 17 * 11 = 187.
3 Calculate ϕ(n) = (p - 1)(q - 1) = 16 * 10 = 160
4 Select e such that e is relatively prime to ϕ(n) = 160 and less than ϕ(n); we choose
e = 7.
5 Determine d such that de ≡ 1 (mod 160) and d < 160. The correct value is d = 23,
because 23 * 7 = 161 = (1 * 160) + 1; d can be calculated using the extended
Euclid’s algorithm.

☞ The resulting keys are public key PU = 7, 187 and private key PR = 23,
187. The example shows the use of these keys for a plaintext input of M
= 88.
☞ For encryption, we need to calculate C = 887
mod 187. Exploiting the
properties of modular arithmetic, we can do this as follows
887
mód 187 =

884
mód 187

× 882
mód 187

× 881
mód 187

mód 187
881
mód 187 =88
882
mód 187 =7744 mód 187 = 77
884
mód 187 =59, 969, 536 mód 187 = 132
887
mód 187 =(88 × 77 × 132) mód 187 = 894, 432 mód 187 = 11

☞ For decryption, we calculate M = 1123
mod 187:
1123
mód 187 =
h
111
mód 187

×

112
mód 187

×

114
mód 187

×

118
mód 187

×

118
mód 187
i
mód 187
111
mód 187 =11
112
mód 187 =121
114
mód 187 =14, 641 mód 187 = 55
118
mód 187 =214, 358, 881 mód 187 = 33
1123
mód 187 =(11 × 121 × 55 × 33 × 33) mód 187
=79, 720, 245 mód 187 = 88

☞ Let us look first at the process of encryption
and decryption and then consider key
generation

☞ Five possible approaches to attacking the RSA algorithm are
1 Brute force: This involves trying all possible private keys.
2 athematical attacks: There are several approaches, all equivalent in effort to
factoring the product of two primes.
3 Timing attacks: These depend on the running time of the decryption algorithm.
4 Hardware fault-based attack: This involves inducing hardware faults in the processor
that is generating digital signatures.
5 Chosen ciphertext attacks: This type of attack exploits properties of the RSA
algorithm.
☞ The defense against the brute-force approach is the same for RSA as for
other cryptosystems, namely, to use a large key space. Thus, the larger
the number of bits in d, the better.

Key exchange: Diffie-Hellman
☞ The first published public-key algorithm appeared in the seminar paper by
Diffie and Hellman that defined public-key cryptography and is generally
referred to as Diffie–Hellman key exchange.
☞ The purpose of the algorithm is to enable two users to securely exchange
a key that can then be used for subsequent symmetric encryption of
messages, i.e., to exchange keys between sender and receiver.
☞ Briefly, a primitive root of a prime number p is one whose powers modulo
p generate all the integers from 1 to p - 1. That is, if a is a primitive root
of the prime number p, then the numbers
1 a mod p, a2
mod p, c , ap−1
mod p are distinct and consist of the integers from 1
through p-1 in some permutation.

The algorithm
☞ Figure summarizes the Diffie–Hellman key exchange algorithm. For this
scheme, there are two publicly known numbers: a prime number q and an
integer a that is a primitive root of q. Suppose the users A and B wish to
create a shared key.
☞ User A selects a random integer XA q and computes YA = αXA
mód q.
Similarly, user B independently selects a random integer XB q and
computes YB = αXB
mód q. Each side keeps the X value private and
makes the Y value available publicly to the other side.
☞ Thus, XA is A’s private key and YA is A’s corresponding public key, and
similarly for B. User A computes the key as K = (YB)
XA
mód q and user
B computes the key as K = (YA)
XB
mód q. These two calculations
produce identical results:

The Diffie–Hellman Key Exchange

Chapter xxx: Introduction to Number Theory
Public-key parameters
✓ Modular arithmetic,
✓ Greatest common divisor,
✓ Primarily testing,
✓ Chinese remainder theorem,
✓ Modular square roots,
✓ Finite fields.

The Euclidean algorithm
The greatest common divisor
☞ One of the basic techniques of number theory is the Euclidean algorithm,
which is a simple procedure for determining the greatest common divisor
of two positive integers.
☞ We will use the notation gcd(a, b) to mean the greatest common divisor
of a and b. The greatest common divisor of a and b is the largest integer
that divides both a and b. We also define gcd(0, 0) = 0.
☞ More formally, the positive integer c is said to be the greatest common
divisor of a and b if
1 c is a divisor of a and of b.
2 any divisor of a and b is a divisor of c.

The greatest common divisor
☞ Because we require that the greatest common divisor be positive,
gcd(a, b) = gcd(a, −b) = gcd(−a, b) = gcd(−a, −b).
1 In general, gcd(a, b) = gcd(|a|, |b|),
2 E.g., gcd(60, 24) = gcd(60, −24) = 12.
☞ We stated that two integers a and b are relatively prime if and only if
their only common positive integer factor is 1. This is equivalent to saying
that a and b are relatively prime if gcd(a, b) = 1.
1 8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4, and 8, and
the positive divisors of 15 are 1, 3, 5, and 15. So 1 is the only integer on both lists.

Finding the greatest common divisor
☞ Let us now look at an example with relatively
large numbers to see the power of this
algorithm:
☞ In this example, we begin by dividing
1160718174 by 316258250, which gives 3 with
a remainder of 211943424.
☞ Next we take 316258250 and divide it by
211943424. The process continues until we get
a remainder of 0, yielding a result of 1078.

Finding the greatest common divisor using Euclid’s Algorithm
☞ Finding the Greatest Common Divisor
(GCD)/Highest Common Factor (HCF).
☞ Manual way of understanding and finding the
GCD of two numbers with examples
GCD(12,33).
☞ Euclid’s Algorithm or Euclidean Algorithm for
finding the GCD/HCD of two numbers with
examples.

Finding the greatest common divisor Euclidean Algorithm
☞ Euclidean Algorithm for finding the GCD/HCD
of two numbers with examples.
☞ Solved Examples on GCD(50,12) and
GCD(83,19).

Modular arithmetic
The modulus.
☞ If a is an integer and n is a positive integer, we define a mod n to be the
remainder when a is divided by n.
☞ The integer n is called the modulus. Thus, for any integer a,
1 a = qn + r 0 ≤r n; q = [a|n]
2 a = [a|n]; ∗n+(a mod n)
☞ Congruences have the following properties:
☞ If n|(a − b), then (a − b) = kn for some k. So we can write a = b + kn.
Therefore, (a mod n) = (remainder when b + kn is divided by n) =
(remainder when b is divided by n) = (b mod n).

Modular arithmetic
The properties of Congruences
☞ It has mathematical concept in cryptography

Modular arithmetic
Modular arithmetic properties
☞ Modular arithmetic exhibits the following
properties:
☞ Here are examples of the three properties:

Primarily testing
Testing for Primality (Miller-Rabin Test)
☞ For many cryptographic algorithms, it is necessary to select one or more
very large prime numbers at random. There is no simple yet efficient
means of accomplishing this task. An algorithm can yield a number that is
not necessarily a prime but can be almost certainly a prime.
☞ The algorithm due to Miller and Rabin is typically used to test a large
number for primality. It perform a probability primality test, whether a
given number is a composite number or a prime number. First, any
positive odd integer n ≤ 3 can be expressed as
1 n - 1 = 2k
q with k 0, q odd
2 Note that n - 1 is an even integer. Then, divide (n - 1) by 2 until the result is an
odd number q, for a total of k divisions.
3 If n is expressed as a binary number, then the result is achieved by shifting the
number to the right until the rightmost digit is a 1, for a total of k shifts.

Primarily testing
☞ Two properties of prime numbers
1 If p is prime and a is a positive integer less than p, then a2
mód p = 1 if and only if
either a mód p = 1 or a mód p = −1 mód p = p − 1. By the rules of modular
arithmetic (a mód p)(a mód p) = a2
mód p. Thus, if either a mód p = 1 or
a mód p = −1, then a2
mód p = 1. Conversely, if a2
mód p = 1, then
(a mód p)2
= 1, which is true only for a mód p = 1 or a mód p = −1.
2 Let p be a prime number greater than 2. We can then write p − 1 = 2k
q with
k 0, q odd. Let a be any integer in the range 1 a p − 1. Then one of the two
following conditions is true.
1 aq
is congruent to 1 modulo p. That is, aq
mód p = 1, or equivalently, aq
≡ 1(módp).
2 One of the numbers aq
, a2q
, a4q
, . . . , a2k−1
q
is congruent to −1 modulo p. That is, there is
some number j in the range (1 ≤ j ≤ k) such that a2j−1
q
mód p = −1 mód p = p − 1 or
equivalently, a2j−1
q
≡ −1(módp)

Primarily testing
☞ We can use the preceding property to devise a test for primality.

Primarily testing
Testing for Primality (Fermat’s Test)
☞ Fermat’s theorem states the following: If p is prime and a is a positive
integer not divisible by p, then
1 ap−1
≡ 1(modp)

The Chinese remainder theorem
☞ One of the most useful results of number theory is the Chinese remainder
theorem (CRT).In essence, the CRT says it is possible to reconstruct
integers in a certain range from their residues modulo a set of pairwise
relatively prime moduli.
☞ One of the useful features of the Chinese remainder theorem is that it
provides a way to manipulate (potentially very large) numbers mod M in
terms of tuples of smaller numbers.
☞ This can be useful when M is 150 digits or more. However, note that it is
necessary to know beforehand the factorization of M.

☞

Chapter xxx: Cryptographic hash functions

Cryptographic hash functions
Purpose of Hash Function
☞ Purpose of a hash function is to verify the integrity of a message.
☞ Message authentication is a mechanism or service used to achieve
authentication. Message authentication and hash function assure that
data received are exactly as sent by sender. (i.e., contain no modification,
insertion, deletion, or replay).
☞ In many cases, there is a requirement that the authentication mechanism
assures that provide identity of the sender is valid.
☞ When a hash function is used to provide message authentication, the hash
function value is often referred to as a message digest.
☞

☞ A hash function H accepts a variable-length block of data M as input and
produces a fixed-size hash value h = H(M).
☞ In general terms, the principal object of a hash function is data integrity.
A change to any bit or bits in M results, with high probability, in a change
to the hash value.
☞ A cryptographic hash function is an algorithm for which it is
computationally infeasible to find either
1 a data object that maps to a pre-specified hash result (the one-way property) or
2 two data objects that map to the same hash result (the collision-free property).
☞ Because of these characteristics, hash functions are often used to
determine whether or not data has changed.

☞ Figure depicts the general operation of a
cryptographic hash function. Typically, the input is
padded out to an integer multiple of some fixed
length (e.g., 1024 bits), and the padding includes the
value of the length of the original message in bits.
☞ The length field is a security measure to increase the
difficulty for an attacker to produce an alternative
message with the same hash value, as explained
subsequently.

Application of Cryptographic hash functions
(1) Message authentication
☞ Message authentication ensures data received is exactly as sent, without
modification, deletion, or replay, i.e., integrity of a message.
☞ When a hash function is used to provide message authentication, the hash
function value is often referred to as a message digest.

☞ The essence of the use of a hash function for
message integrity is as follows.
1 The sender computes a hash value as a function of
the bits in the message and transmits both the hash
value and the message. The receiver performs the
same hash calculation on the message bits and
compares this value with the incoming hash value.
2 If there is a mismatch, the receiver knows that the
message (or possibly the hash value) has been altered

☞ The hash value must be transmitted in a secure
fashion to prevent an adversary from altering it to
fool the receiver. This type of attack is shown in
Figure.
☞ In this example, Alice transmits a data block and
attaches a hash value. Darth intercepts the message,
alters or replaces the data block, and calculates and
attaches a new hash value.
☞ Bob receives the altered data with the new hash
value and does not detect the change. To prevent
this attack, the hash value generated by Alice must
be protected.

Application of hash function Using Symmetric Key
Cryptography
☞ Figure illustrates a variety of ways in which a hash
code can be used to provide message authentication,
as follows.
1 (A) The message plus concatenated hash code is
encrypted using symmetric encryption. Because only
A and B share the secret key, the message must have
come from A and has not been altered. Encryption is
used to ensure authentication and confidentiality,
providing structure and redundancy.
2 (B) Only the hash code is encrypted, using
symmetric encryption. This reduces the processing
burden for those applications that do not require
confidentiality.

1 (C) It is possible to use a hash function but no
encryption for message authentication. The
technique assumes that the two communicating
parties share a common secret value S. A computes
the hash value over the concatenation of M and S
and appends it to M, allowing B to verify the secret
value. Because the secret value itself is not sent, an
opponent cannot modify an intercepted message and
cannot generate a false message.
2 (D) Confidentiality can be added to the approach of
method (c) by encrypting the entire message plus
the hash code.

☞ There has been growing interest in techniques that avoid encryption due
to the following.
1 Encryption software is relatively slow. Even though the amount of data to
be encrypted per message is small, there may be a steady stream of
messages into and out of a system.
2 Encryption hardware costs are not negligible. Low-cost chip
implementations of DES are available, but the cost adds up if all nodes in
a network must have this capability.
3 Encryption hardware is optimized toward large data sizes. For small blocks
of data, a high proportion of the time is spent in initialization/invocation
overhead.
4 Encryption algorithms may be covered by patents, and there is a cost
associated with licensing their use.

☞ MACs (aka keyed hash function) are used to authenticate information exchanged
between two parties ( that share a secret key), producing a hash value associated
with the protected message.
☞ A MAC function takes as input a secret key and a data block and produces a hash
value, referred to as the MAC, which is associated with the protected message.
☞ If the integrity of the message needs to be checked, the MAC function can be
applied to the message and the result compared with the associated MAC value. An
attacker cannot alter the associated MAC value without knowledge of the secret key.
☞ Note that the combination of hashing and encryption results in an overall function
that is, in fact, a MAC (Figure b). That is, E(K, H(M)) is a function of a
variable-length message M and a secret key K, and it produces a fixed-size output
that is secure against an opponent who does not know the secret key.

Tow Simple Hash functions
☞ All hash functions operate using the following general principles.
1 The input (message, file, etc.) is viewed as a sequence of n-bit blocks. The input is
processed one block at a time in an iterative fashion to produce an n-bit hash
function.
2 One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every
block. This can be expressed as
3 Ci = bi1 ⊕ bi2 ⊕ g ⊕ bim, where
4 Ci = ith
bit of the hash code, 1 ≤ i ≤ n
5 m = number of n-bit blocks in the input
6 bij = ith
bit in jth
block
7 ⊕ = XOR operation
☞ This operation produces a simple parity bit for each bit position and is
known as a longitudinal redundancy check.

☞ It is reasonably effective for random data as a data integrity check. Each
n-bit hash value is equally likely. Thus, the probability that a data error
will result in an unchanged hash value is 2−
n.
☞ For example, in most normal text files, the high-order bit of each octet is
always zero. So if a 128-bit hash value is used, instead of an effectiveness
of 2−128
, the hash function on this type of data has an effectiveness of
2−112
.
☞ A simple way to improve matters is to perform a one-bit circular shift, or
rotation, on the hash value after each block is processed. The procedure
can be summarized as follows.
1 Initially set the n-bit hash value to zero.
2 Process each successive n-bit block of data as follows: (1) Rotate the current hash
value to the left by one bit. (2) XOR the block into the hash value.

Secure Hash Algorithm (SHA)
☞ SHA is the most widely used hash function,
developed by NIST and published as a federal
information processing standard in 1993.
☞ SHA-1 is the last standardized hash algorithm, based
on MD4 and designed to protect against
cryptanalytic weaknesses.
☞ In 2005, NIST announced the intention to phase out
approval of SHA-1 and move to a reliance on SHA-2
by 2010.
☞ Shortly thereafter, a research team described an
attack in which two separate messages could be
found that deliver the same SHA-1 hash using 26
9
operations, far fewer than the 28
0operations
previously thought needed to find a collision with an
SHA-1 hash [WANG05].
☞ This result should hasten the transition to SHA-2.

Secure Hash Algorithm (SHA)
SHAs
☞ SHA-1 is considered insecure and has been phased out for SHA-2.
☞ SHA-2, particularly the 512-bit version, would appear to provide
unassailable security. However, SHA-2 shares the same structure and
mathematical operations as its predecessors, and this is a cause for
concern.
☞ SHA-3 was announced by NIST in October 2012 and published in August
2015. SHA-3 is a cryptographic hash function intended to complement
SHA-2 for a variety of applications.

Digital signature
☞ The most important development from the work on
public-key cryptography is the digital signature. It
provide security capabilities that are difficult to
implement in other ways.
☞ Figure is a generic model of the process of
constructing and using digital signatures.
☞ Suppose that Bob wants to send a message to Alice.
He wants Alice to be certain that the message is
indeed from him. For this purpose, Bob uses a secure
hash function, such as SHAs, to generate a hash
value for the message.
☞ That hash value, together with Bob’s private key
serves as input to a digital signature generation
algorithm, which produces a short block that
functions as a digital signature. Bob sends the
message with the signature attached.

Digital signature
☞ When Alice receives the message plus signature, she
1 calculates a hash value for the message;
2 provides the hash value and Bob’s public key as inputs to a digital signature
verification algorithm.
☞ If the algorithm returns the result that the signature is valid, Alice is
assured that the message must have been signed by Bob.
☞ No one else has Bob’s private key and therefore no one else could have
created a signature that could be verified for this message with Bob’s
public key.
☞ In addition, it is impossible to alter the message without access to Bob’s
private key, so the message is authenticated both in terms of source and
in terms of data integrity.

Digital signature
Properties
☞ Message authentication protects two parties from third parties, but not
against each other. Several forms of dispute between the two parties are
possible.
☞ Suppose that John sends an authenticated message to Mary. Consider the
following disputes that could arise.
1 Mary may forge a different message and claim that it came from John. Mary would
simply have to create a message and append an authentication code using the key
that John and Mary share.
E.g., The receiver increases the amount of funds transferred and claims the larger
amount had arrived from the sender.
2 John can deny sending the message. Because it is possible for Mary to forge a
message, there is no way to prove that John did in fact send the message. E.g., The
sender pretends the message was never sent to avoid a bad transaction.

Digital signature
Properties
☞ Digital signatures are the most attractive solution to the problem of lack
of trust between sender and receiver.
☞ The digital signature must have the following properties:
1 It must verify the author and the date and time of the signature.
2 It must authenticate the contents at the time of the signature.
3 It must be verifiable by third parties, to resolve disputes.

Digital signature
Properties
☞ On the basis of the properties and attacks, we can formulate the following
requirements for a digital signature.
1 The signature must be a bit pattern that depends on the message being signed.
2 The signature must use some information only known to the sender to prevent both
forgery and denial.
3 It must be relatively easy to produce the digital signature.
4 It must be relatively easy to recognize and verify the digital signature.
5 It must be computationally infeasible to forge a digital signature, either by
constructing a new message for an existing digital signature or by constructing a
fraudulent digital signature for a given message.
6 It must be practical to retain a copy of the digital signature in storage.

Direct Digital signature
Properties
☞ Direct digital signature involves only the communicating parties, assuming
the destination knows the source’s public key.
➦ Symmetric encryption provides confidentiality by encrypting the entire message plus
signature with a shared secret key. The signature function must be performed first
and then an outer confidentiality function in dispute resolution in order to prevent
third parties from accessing the message and its signature.
➦ The validity of a scheme depends on the security of the sender’s private key, and
administrative controls can be used to protect against this ploy, but the threat is
still there, at least to some degree. The most important idea is to require a
timestamp and prompt reporting of compromised keys to a central authority.
➦ The most important idea is to use a digital certificate and certificate authorities to
protect against threats of stolen private keys.

The RSA approach
The RSA approach
☞ NIST published FIPS 186, which uses the Secure Hash Algorithm (SHA)
and incorporates digital signature algorithms based on RSA and elliptic
curve cryptography.
➦ In the RSA approach, the message to be signed is input to a hash function that
produces a secure hash code of fixed length.
➦ This hash code is then encrypted using the sender’s private key to form the
signature.
➦ Both the message and the signature are then transmitted.
➦ The recipient takes the message and produces a hash code.
➦ The recipient also decrypts the signature using the sender’s public key.
➦ If the calculated hash code matches the decrypted signature, the signature is
accepted as valid.

The RSA Algorithms
☞ NIST published FIPS 186, which uses the Secure
Hash Algorithm (SHA) and incorporates digital
signature algorithms based on RSA and elliptic curve
cryptography.
➦ In the RSA approach, the message to be signed is
input to a hash function that produces a secure
hash code of fixed length.
➦ This hash code is then encrypted using the
sender’s private key to form the signature.
➦ Both the message and the signature are then
transmitted.
➦ The recipient takes the message and produces a
hash code.
➦ The recipient also decrypts the signature using
the sender’s public key.
➦ If the calculated hash code matches the decrypted
signature, the signature is accepted as valid.

The DSA approach
➦ The DSA approach also makes use of a hash function.
➦ The hash code is provided as input to a signature
function along with a random number k generated for
this particular signature.
➦ The signature function also depends on the sender’s
private key (PRa) and a set of parameters known to a
group of communicating principals.
➦ We can consider this set to constitute a global public
key (PUG) The result is a signature consisting of two
components, labeled s and r.
➦ At the receiving end, the hash code of the incoming
message is generated. The hash code and the signature
are inputs to a verification function.
➦ The verification function also depends on the global
public key as well as the sender’s public key (PUa),
which is paired with the sender’s private key.
➦ The verification function outputs a value equal to the
signature component r if the signature is valid. if the
signature is valid.

The DSA Algorithms
➦ Figure summarizes the algorithm. There are
three parameters that are public and can be
common to a group of users. An N-bit prime
number q is chosen. Next, a prime number p
is selected with a length between 512 and
1024 bits such that q divides (p − 1).
➦ Finally, g is chosen to be of the form
h(
p − 1)/q mod p, where h is an integer
between 1 and (p − 1) with the restriction
that g must be greater than 1.
➦ With these parameters in hand, each user
selects a private key and generates a public
key. The private key x must be a number
from 1 to (q − 1) and should be chosen
randomly or pseudorandomly. The public
key is calculated from the private key as
y = gx
mod p.

The DSA Algorithms
☞ The signature of a message M consists of the pair of numbers r and s,
which are functions of the public key components (p, q, g), the user’s
private key (x), the hash code of the message H(M), and an additional
integer k that should be generated randomly or pseudorandomly and be
unique for each signing.
☞ Let M, r, and s be the received versions of M, r, and s, respectively.
Verification is performed using the formulas shown in Figure.
☞ The receiver generates a quantity v that is a function of the public key
components, the sender’s public key, the hash code of the incoming
message, and the received versions of r and s.
☞ If this quantity matches the r component of the signature, then the
signature is validated.

Chapter xxx: Internet and Network Security

Computer security
☞ Cryptographic algorithms and protocols have a wide range of applications,
and network and Internet security relies heavily on them.
☞ Computer security protects information system resources to ensure
integrity, availability, and confidentiality.
☞ Data confidentiality: Assures that private or confidential information is not
made available or disclosed to unauthorized individuals.
☞ Data integrity ensures that information and programs are changed only in
authorized ways.
☞ Availability: Assures that systems work promptly and service is not denied
to authorized users.
☞ Authenticity is confidence in the validity of a transmission, message, or
message originator. Verify users are who they say they are and input is
from a trusted source.

Network access control (NAC)
Elements of Network access control (NAC)
☞ Network access control (NAC) authenticates users, determines data
access, and monitors endpoints for health.
☞ Access requestors (ARs) are nodes attempting to access the network,
including workstations, servers, printers, cameras, and other IP-enabled
devices.
☞ Policy server determines access based on AR posture, policy, and backend
systems.
☞ NAS is an access control point for remote users connecting to an
enterprise’s network.

Network access control (NAC)
Elements of Network access control (NAC)
☞ Network access control (NAC) authenticates
users, determines data access, and monitors
endpoints for health.
☞ Access requestors (ARs) are nodes
attempting to access the network, including
workstations, servers, printers, cameras, and
other IP-enabled devices.
☞ Policy server determines access based on AR
posture, policy, and backend systems.
☞ NAS is an access control point for remote
users connecting to an enterprise’s network.

Distribution of public keys
☞ Proposals for public key distribution include general schemes:
1 Public announcement
2 Publicly available directory
3 Public-key authority
4 Public-key certificates

1 Public announcement
☞ Public-key encryption is public, allowing any participant to send or broadcast their
public key to others.
☞ However, it has a major weakness. Anyone can forge public keys and use them for
authentication until a user discovers the forgery and alerts other participants.
2 Publicly available directory
☞ Maintaining a publicly available dynamic directory of public keys requires the
responsibility of a trusted entity or organization.
☞ This scheme is clearly more secure than individual public announcements but still
has vulnerabilities. However, An adversary could obtain or compute the private key,
impersonate participants, and tamper with records.
3 Public-Key Authority
☞ Stronger security for public-key distribution can be achieved by providing tighter
control over the distribution of public keys from the directory.
☞ A and B can save each other’s public keys for future use, allowing users to request
fresh copies to ensure currency.

Public-Key certificates
☞ Public-Key certificates
1 The public-key authority is a bottleneck in the system, making it vulnerable to
tampering.
2 Certificates are used to exchange keys without contacting a public-key authority,
consisting of a public key, an identifier of the key owner, and a block signed by a
trusted third party.
3 A user can present their public key to a certificate authority to obtain a certificate
and publish it, which can be verified by an attached trusted signature.
4 Each participant applies to the certificate authority, supplying a public key and
requesting a certificate. Certificate scheme requires application in person or by
secure authenticated communication.

Certification
☞ X509 is an ITU-T recommendation that defines a directory service that
maintains a database of information about users, including a mapping
from user name to network address and other attributes.
☞ X.509 provides authentication services by providing public-key certificates
and alternative authentication protocols.
☞ X.509 is an important standard for certificate structure and authentication
protocols, used in various contexts.
☞ X.509 is based on public-key cryptography and digital signatures, but does
not dictate the use of a specific digital signature algorithm or hash
function. Figure illustrates the overall X.509 scheme for generating a
public-key certificate.
☞ The X.509 scheme provides an easily accessible location for users to
obtain certificates from a trusted certification authority.

public-key infrastructure (PKI)
☞ PKI is the set of hardware, software, people, policies, and procedures
needed to create, manage, store, distribute, and revoke digital certificates
based on asymmetric cryptography.
☞ Developing a PKI to enable secure, convenient, and efficient acquisition of
public keys. Figure shows the interrelationship among the key elements of
the PKIX model. These elements are
1 End entities consume and/or support PKI services.
2 CA is the issuer of certificates and CRLs, and may also support administrative
functions.
3 RA is an optional component that can assist with end entity registration.
4 Repository is a method for storing certificates and CRLs to be retrieved by end
entities.

Kerberos
☞ Kerberos is an authentication service for an open distributed environment,
allowing servers to restrict access to authorized users and authenticate
requests. In this environment, three approaches to security can be
envisioned.
1 Rely on each individual client workstation to assure the identity of its user or users
and rely on each server to enforce a security policy based on user identification (ID).
2 Require that client systems authenticate themselves to servers, but trust the client
system concerning the identity of its user.
3 Require users to prove their identity and servers to clients.
☞ Kerberos supports a distributed client/server architecture to protect user
information and resources in an open environment.

IPsec
☞ IPsec provides the capability to secure communications across a LAN,
across private and public WANs, and across the Internet.
1 Secure branch office connectivity over the Internet: Businesses can use virtual
private networks to reduce costs and network management overhead.
2 Secure remote access over the Internet: IP security protocols allow end users to gain
secure access to company networks, reducing toll charges.
3 Establishing extranet and intranet connectivity with partners: IPsec is used to secure
communication and ensure confidentiality.
4 Enhancing electronic commerce security: IPsec enhances electronic commerce
security by encrypting and authenticating traffic.
☞

Thank you!

WachemoUniversity_Cryptography_and_Network_Security.pdf

More Related Content

Similar to WachemoUniversity_Cryptography_and_Network_Security.pdf (20)

More from LegesseSamuel (10)

Recently uploaded (20)

WachemoUniversity_Cryptography_and_Network_Security.pdf