CB3491 Notes
SYLLABUS
Computer Security Concepts – The OSI Security Architecture – Security Attacks – Security
Services and Mechanisms – A Model for Network Security – Classical encryption techniques:
Substitution techniques, Transposition techniques, Steganography – Foundations of modern
cryptography: Perfect security – Information Theory – Product Cryptosystem – Cryptanalysis.
Cyber Crime and Information Security – classifications of Cyber Crimes – Tools and Methods –
Password Cracking, Keyloggers, Spywares, SQL Injection – Network Access Control – Cloud
Security – Web Security – Wireless Security
INTRODUCTION
UNIT I INTRODUCTION TO SECURITY
Computer Security Concepts – The OSI Security Architecture – Security Attacks – Security
Services and Mechanisms – A Model for Network Security – Classical encryption techniques:
Substitution techniques, Transposition techniques, Steganography – Foundations of modern
cryptography: Perfect security – Information Theory – Product Cryptosystem – Cryptanalysis.
1.1 Introduction
➢ Human beings have always had two inherent needs: (a) to communicate and share
information, and (b) to communicate selectively. These two needs gave rise to the art
of coding messages in such a way that only the intended recipients could read them.
Unauthorized people could not extract any information, even if the scrambled
messages fell into their hands.
➢ The art and science of concealing the messages to introduce secrecy in information
security is recognized as cryptography.
➢ The word 'cryptography' combines two Greek words, 'kryptos' meaning hidden and
'graphein' meaning to write.
➢ The art of cryptography is considered to be born along with the art of writing. As
civilizations evolved, human beings got organized in tribes, groups, and kingdoms.
This led to the emergence of ideas such as power, battles, supremacy, and politics.
These ideas further fueled the natural need of people to communicate secretly with
selective recipient which in turn ensured the continuous evolution of cryptography as
well.
➢ The first known evidence of cryptography can be traced to the use of ‘hieroglyph’.
Some 4000 years ago, the Egyptians used to communicate by messages written in
hieroglyph. This code was the secret known only to the scribes who used to transmit
messages on behalf of the kings. One such hieroglyph is shown below.
➢ Later, around 500 to 600 BC, scholars moved on to simple monoalphabetic
substitution ciphers. These replaced the letters of a message with other letters
according to some secret rule. That rule became the key needed to recover the
message from the garbled text.
➢ Computer data often travels from one computer to another, leaving the safety of its
protected physical surroundings. Once the data is out of your hands, people with bad
intentions could modify or forge it, either for amusement or for their own benefit.
➢ Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by
modern mathematics that protects our data in powerful ways.
➢ The Cryptography is the art or science encompassing the principles and methods of
transforming an intelligible message into one that is unintelligible, and then
retransforming that message back to its original form.
• Key: Some critical information used by the cipher, known only to the sender and
receiver.
• Encryption (encode): The process of converting plaintext to ciphertext using a
cipher and a key.
• Decryption (decode): The process of converting ciphertext back into plaintext
using a cipher and a key.
• If the sender and receiver use the same key, the scheme is called symmetric-key
(or single-key, or conventional) encryption.
• If the sender and receiver use different keys, the scheme is called public-key
(asymmetric) encryption.
• A block cipher processes the input one block of elements at a time, producing an
output block for each input block.
➢ Cryptanalytic attacks are classified by the amount of information known to the
cryptanalyst. Two of them are:
• Ciphertext only – only a copy of the ciphertext is available to the cryptanalyst.
• Known plaintext – the cryptanalyst has a copy of the ciphertext and the
corresponding plaintext.
➢ The two parties, who are the principals in this transaction, must cooperate for the
exchange to take place. When data is transferred from one source to another, a
logical information channel is established between them by defining a route through
the internet from source to destination and by the cooperative use of communication
protocols (e.g., TCP/IP) by the two principals.
➢ It is necessary to protect the information from attackers who may threaten its
confidentiality or authenticity, mount a denial of service, and so on. The techniques
for providing security typically involve some secret information shared by the two
principals and, it is hoped, unknown to the attacker.
➢ A replay attack is carried out either by the originator or by an adversary who
intercepts the data and retransmits it, possibly as part of a masquerade attack by IP
packet substitution. Figure 1.6 shows a replay attack.
• Connectionless Confidentiality
• Selective-Field Confidentiality
Data integrity
➢ Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting,
creating and delaying or replaying of transmitted messages.
• Connection Integrity with Recovery
▪ Provides for the integrity of all user data on a connection and detects
any modification, insertion, deletion, or replay of any data within an
entire data sequence, with recovery attempted.
• Connectionless Integrity
Nonrepudiation
➢ Nonrepudiation provides protection against denial by one of the entities involved in a
communication of having participated in all or part of the communication.
• Nonrepudiation, Origin
• Nonrepudiation, Destination
Example: Imagine a user of online banking who made a transaction but later denied it.
How can the bank protect itself in such a situation? With a nonrepudiation-of-origin
service, for example a digital signature that the user applied to the transaction request,
the bank can prove to a third party that the user issued it.
Availability Service
➢ An availability service is one that protects a system to ensure its availability.
This service addresses the security concerns raised by denial-of-service attacks. It
depends on proper management and control of system resources and thus depends on
access control service and other security services.
Threat
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent
act that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
➢ A single key is used for both encryption and decryption. A symmetric encryption
scheme has five ingredients:
➢ Plaintext: This is the original intelligible message or data that is fed into the
algorithm as input. (Figure 1.9)
➢ Encryption algorithm: The encryption algorithm performs various substitutions and
transformations on the plaintext.
➢ Secret key: The secret key is also input to the encryption algorithm. The key is a
value independent of the plaintext and of the algorithm. The algorithm will produce a
different output depending on the specific key.
➢ Ciphertext: This is the scrambled message produced as output. It depends on the
plaintext and the secret key.
➢ Decryption algorithm: This is essentially the encryption algorithm run in reverse. It
takes the ciphertext and the secret key and produces the original plaintext
Cryptanalysis
Brute-Force Attack
➢ The attacker tries every possible key on a piece of ciphertext until an intelligible
translation into plaintext is obtained. On average, half of all possible keys must be
tried to achieve success.
➢ There are two basic building blocks of all encryption techniques:
• Substitution
• Transposition
1.7.3 Substitution Techniques
➢ A substitution technique is one in which the letters of plaintext are replaced by other
letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then
substitution involves replacing plaintext bit patterns with cipher text bit patterns.
Caesar cipher (or) shift cipher
➢ The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar.
The Caesar cipher replaces each letter of the alphabet with the letter standing 3
places further down the alphabet. In these notes the plaintext is written in lowercase
and the ciphertext in uppercase. Let us assign a numerical equivalent to each letter:
a = 0, b = 1, …, z = 25
Example
Plaintext: Pay more money
Ciphertext: SDB PRUH PRQHB
The general Caesar algorithm, for a shift k in the range 1 to 25, is
C = E(k, P) = (P + k) mod 26
P = D(k, C) = (C − k) mod 26
Example
Let k = 3
C = E(3, P) = (P + 3) mod 26
Encryption
Plaintext = cat, k = 3
c = 2, C = (2 + 3) mod 26 = 5 = F
a = 0, C = (0 + 3) mod 26 = 3 = D
t = 19, C = (19 + 3) mod 26 = 22 = W
Ciphertext = FDW
Decryption is just the reverse process: P = (C − 3) mod 26 for each letter.
Drawbacks
• Brute-force cryptanalysis is easy: there are only 25 possible keys, so the attacker
tries them all and keeps the translation that reads as English.
• The attack works because the language of the plaintext is known (English) and easily
recognized, and because the algorithm itself is not secret.
Monoalphabetic Ciphers
➢ Rather than just shifting the alphabet, the letters can be shuffled (jumbled) arbitrarily.
➢ Each plaintext letter then maps to a different ciphertext letter under a fixed permutation.
➢ Hence the key is 26 letters long (a permutation of the alphabet), which gives 26!
possible keys, far too many for brute force.
➢ The cipher is nevertheless broken easily by letter-frequency analysis, because each
plaintext letter always maps to the same ciphertext letter, so the ciphertext keeps the
letter statistics of English.
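The shift cipher worked above and its monoalphabetic generalization, as an added Python example that is not part of the original notes: caesar_encrypt implements C = (P + k) mod 26, caesar_brute_force tries all 25 keys (the drawback listed above), mono_encrypt takes an arbitrary 26-letter permutation as its key (the Caesar cipher is the special case of a rotated alphabet), and letter_frequencies computes the statistic that frequency analysis uses to break either cipher. All function names are this example's own.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase  # a = 0, b = 1, ..., z = 25


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = (P + k) mod 26 for each letter; other characters pass through.
    Plaintext is taken in lowercase and ciphertext written in uppercase,
    following the convention used in the notes."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """P = (C - k) mod 26: decryption is encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -k).lower()


def caesar_brute_force(ciphertext: str) -> list:
    """Try every one of the 25 non-trivial keys and return (key, candidate)
    pairs; the attacker simply picks the candidate that reads as English."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]


def mono_encrypt(plaintext: str, key: str) -> str:
    """Monoalphabetic substitution: the key is a 26-letter permutation of the
    alphabet and plaintext letter number i maps to key[i]. The Caesar cipher
    is the special case where the key is the alphabet rotated by k."""
    assert sorted(key.lower()) == list(ALPHABET), "key must be a permutation of a-z"
    table = str.maketrans(ALPHABET, key.lower())
    return plaintext.lower().translate(table).upper()


def mono_decrypt(ciphertext: str, key: str) -> str:
    """Invert the permutation: key[i] maps back to alphabet letter i."""
    table = str.maketrans(key.lower(), ALPHABET)
    return ciphertext.lower().translate(table)


def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter in the text. Because a monoalphabetic
    cipher always maps the same plaintext letter to the same ciphertext letter,
    the ciphertext keeps the plaintext's frequency profile: the most common
    ciphertext letter is very likely the image of 'e'."""
    letters = [c for c in text.lower() if c in ALPHABET]
    counts = Counter(letters)
    return {c: counts[c] / len(letters) for c in sorted(counts)}


def most_common_letter(text: str) -> str:
    """The first guess a frequency-analysis attack makes for the image of 'e'."""
    freq = letter_frequencies(text)
    return max(freq, key=freq.get)
```

Running caesar_brute_force on "SDB PRUH PRQHB" lists 25 candidates, of which only k = 3 yields readable English; running most_common_letter on a Caesar ciphertext of an English sentence returns the image of 'e', which immediately gives the shift.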
Playfair Cipher
➢ The best-known multiple-letter encryption cipher is the Playfair, which treats
digrams (pairs of letters) in the plaintext as single units and translates these units
into ciphertext digrams. The Playfair algorithm is based on the use of a 5×5 matrix of
letters constructed using a keyword. The technique encrypts pairs of letters instead of
single letters.
Example
Key: Monarchy
Plaintext: instruments
The Playfair Cipher Encryption Algorithm
The Algorithm consists of 2 steps:
1. Generate the key square (5×5):
➢ The key square is a 5×5 grid of letters that acts as the key for encrypting the
plaintext. Each of the 25 letters must be unique, and one letter of the alphabet
(usually J) is omitted because the table can hold only 25 letters. If the
plaintext contains J, it is replaced by I.
➢ The first entries in the key square are the unique letters of the key in the order
in which they appear, followed by the remaining letters of the alphabet in order.
The key is "monarchy", which gives the square
M O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
2. Encrypt the plaintext: The plaintext is split into pairs of letters
(digraphs). If there is an odd number of letters, a Z is appended to the last letter.
PlainText: "instruments"
After Split: 'in' 'st' 'ru' 'me' 'nt' 'sz'
Rules for Encryption:
• If both letters are in the same column: take the letter below each one (wrapping
back to the top if at the bottom).
For example:
Digraph: "me"
Encrypted text: cl
Encryption:
m -> c
e -> l
• If both letters are in the same row: take the letter to the right of each one (wrapping
back to the leftmost if at the rightmost position).
For example:
Digraph: "st"
Encrypted text: tl
Encryption:
s -> t
t -> l
• If neither of the above rules applies: form a rectangle with the two letters and take the
letters on the horizontally opposite corners of the rectangle (each letter is replaced by
the letter in its own row and the other letter's column).
For example:
Digraph: "nt"
Encrypted text: rq
Encryption:
n -> r
t -> q
For example:
Plain Text: "instrumentsz"
Encrypted Text: gatlmzclrqtx
Encryption:
i -> g
n -> a
s -> t
t -> l
r -> m
u -> z
m -> c
e -> l
n -> r
t -> q
s -> t
z -> x
Decryption
Ciphertext: "gatlmzclrqtx"
Decrypted text: instrumentsz
Decryption (ciphertext pair -> plaintext pair, applying each rule in reverse):
ga -> in
tl -> st
mz -> ru
cl -> me
rq -> nt
tx -> sz
Advantages
➢ The Playfair cipher is a great advance over simple monoalphabetic ciphers.
➢ Since there are 26 letters, 26 × 26 = 676 digrams are possible, so identification of
individual digrams is more difficult.
➢ Frequency analysis is therefore much more difficult, although with enough ciphertext
the frequencies of digrams can still be exploited.
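The key-square construction and the three encryption rules, as an added Python example that is not part of the original notes. It reproduces the instruments/monarchy worked example above. In addition it applies the standard Playfair convention, not mentioned in the notes, of inserting a filler X between the two letters of a doubled pair such as "ll", since the same-row and same-column rules cannot encrypt a pair of identical letters. All names are this example's own.

```python
ALPHABET_25 = "abcdefghiklmnopqrstuvwxyz"  # J is merged into I


def playfair_square(keyword: str) -> list:
    """5x5 key square: unique letters of the keyword in order of appearance,
    followed by the remaining letters of the alphabet in order."""
    seen = []
    for ch in keyword.lower() + ALPHABET_25:
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    assert len(seen) == 25
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def playfair_digraphs(text: str, pad: str = "z", filler: str = "x") -> list:
    """Split the plaintext into letter pairs. A doubled pair such as 'll' is
    broken up with the filler letter; an odd-length text is padded with Z,
    as in the notes' example."""
    letters = [("i" if c == "j" else c) for c in text.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else pad
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _map_pair(square: list, pair: str, d: int) -> str:
    """d = +1 encrypts, d = -1 decrypts. Same row: move right/left with wrap;
    same column: move down/up with wrap; otherwise the rectangle rule, where
    each letter is replaced by the one in its own row and the other's column."""
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:
        return square[r1][(c1 + d) % 5] + square[r2][(c2 + d) % 5]
    if c1 == c2:
        return square[(r1 + d) % 5][c1] + square[(r2 + d) % 5][c2]
    return square[r1][c2] + square[r2][c1]


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    return "".join(_map_pair(square, p, +1) for p in playfair_digraphs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Ciphertext always has even length, so it is paired directly; the
    result still contains any filler or padding letters the sender inserted."""
    square = playfair_square(keyword)
    text = [c for c in ciphertext.lower() if c.isalpha()]
    pairs = ["".join(text[i:i + 2]) for i in range(0, len(text), 2)]
    return "".join(_map_pair(square, p, -1) for p in pairs)
```

Decryption does not strip the filler and padding letters, because the receiver cannot tell a genuine X or Z from an inserted one without reading the text; this is why the notes' decrypted output is "instrumentsz" and not "instruments".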
Hill Cipher
➢ The Hill cipher was developed by the mathematician Lester Hill in 1929. It is a polygraphic
substitution cipher based on linear algebra. Each letter is represented by a number
modulo 26. Often the simple scheme A = 0, B = 1, …, Z = 25 is used, but this is not
an essential feature of the cipher.
➢ The matrix used for encryption is the cipher key, and it should be chosen randomly
from the set of invertible n × n matrices (modulo 26); a matrix is invertible modulo 26
only if its determinant is coprime with 26.
C = KP mod 26, and for decryption P = K⁻¹C mod 26
Example
Input : Plaintext: ACT
Key: GYBNQKURP
Output : Ciphertext: POH
Encryption
We have to encrypt the message 'ACT' (n = 3). The key 'GYBNQKURP' is written row by
row as the n × n matrix
K = [ 6 24  1 ]
    [13 16 10 ]
    [20 17 15 ]
and the plaintext ACT becomes the column vector P = (0, 2, 19). Then
C = KP mod 26 = (6·0 + 24·2 + 1·19, 13·0 + 16·2 + 10·19, 20·0 + 17·2 + 15·19) mod 26
= (67, 222, 319) mod 26 = (15, 14, 7) = POH
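The key matrix, C = KP mod 26 and its inverse P = K⁻¹C mod 26 for general n, as an added Python example that is not part of the original notes. It reproduces ACT/GYBNQKURP → POH, computes K⁻¹ from the adjugate and the modular inverse of the determinant, and rejects keys whose determinant is not coprime with 26 (the invertibility condition stated above). All names are this example's own.

```python
def letters_to_nums(text: str) -> list:
    return [ord(c) - 65 for c in text.upper() if c.isalpha()]


def nums_to_letters(nums: list) -> str:
    return "".join(chr(n % 26 + 65) for n in nums)


def key_matrix(key: str, n: int) -> list:
    """Write the n*n key letters row by row: GYBNQKURP -> [[6,24,1],[13,16,10],[20,17,15]]."""
    nums = letters_to_nums(key)
    assert len(nums) == n * n, "key must have n*n letters"
    return [nums[i * n:(i + 1) * n] for i in range(n)]


def _minor(m: list, i: int, j: int) -> list:
    """Matrix m with row i and column j removed."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def det_mod(m: list, mod: int = 26) -> int:
    """Determinant by cofactor expansion along the first row, reduced mod 26."""
    n = len(m)
    if n == 1:
        return m[0][0] % mod
    return sum((-1) ** j * m[0][j] * det_mod(_minor(m, 0, j), mod) for j in range(n)) % mod


def inverse_mod(m: list, mod: int = 26) -> list:
    """K^-1 = det(K)^-1 * adj(K) mod 26. The modular inverse of the determinant
    exists only when gcd(det(K), 26) == 1; pow() raises ValueError otherwise,
    which is exactly the case of a key that cannot be used for decryption."""
    n = len(m)
    d_inv = pow(det_mod(m, mod), -1, mod)
    # adj[i][j] is the cofactor of entry (j, i): the transpose of the cofactor matrix
    adj = [[(-1) ** (i + j) * det_mod(_minor(m, j, i), mod) for j in range(n)] for i in range(n)]
    return [[(d_inv * adj[i][j]) % mod for j in range(n)] for i in range(n)]


def _mat_vec(m: list, v: list, mod: int = 26) -> list:
    return [sum(m[i][j] * v[j] for j in range(len(v))) % mod for i in range(len(m))]


def hill_encrypt(plaintext: str, key: str, n: int = 3, pad: str = "X") -> str:
    """Encrypt n letters at a time; an incomplete last block is padded with X."""
    k = key_matrix(key, n)
    p = letters_to_nums(plaintext)
    p += [ord(pad) - 65] * (-len(p) % n)
    out = []
    for i in range(0, len(p), n):
        out += _mat_vec(k, p[i:i + n])
    return nums_to_letters(out)


def hill_decrypt(ciphertext: str, key: str, n: int = 3) -> str:
    """P = K^-1 C mod 26, block by block."""
    k_inv = inverse_mod(key_matrix(key, n))
    c = letters_to_nums(ciphertext)
    out = []
    for i in range(0, len(c), n):
        out += _mat_vec(k_inv, c[i:i + n])
    return nums_to_letters(out)
```

For the key above det(K) = 441 ≡ 25 (mod 26), which is coprime with 26, so the inverse exists; a key such as AAAAAAAAA has determinant 0 and is rejected. Note that the Hill cipher is linear, so a known-plaintext attack with n independent plaintext/ciphertext blocks recovers K by solving a linear system.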
One-Time Pad (Vernam cipher)
➢ The ciphertext is generated by performing the bitwise XOR of the plaintext and a
random key that is as long as the message. Decryption uses the same key. Because of
the properties of XOR, decryption simply involves the same bitwise operation:
C = P ⊕ K, P = C ⊕ K
Advantages
➢ Used correctly (a truly random key, as long as the message, used only once), the
encryption is completely unbreakable.
Disadvantages
➢ It requires a very long key, which is expensive to produce and expensive to transmit.
➢ Once a key has been used it is dangerous to reuse it for a second message: XORing
two ciphertexts produced with the same key cancels the key and leaves P1 ⊕ P2.
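The XOR rule and, more importantly, the key-reuse failure mode described above, as an added Python example that is not part of the original notes. otp_xor is both encryption and decryption; two_time_pad_leak shows what an eavesdropper obtains when one key protects two messages, and crib_drag shows how a guessed fragment of one message then exposes the other. The fixed key and the two messages in the test are constructed for illustration; a real pad comes from otp_keygen. All names are this example's own.

```python
import secrets


def otp_keygen(n: int) -> bytes:
    """A fresh, unpredictable key as long as the message; producing and
    distributing this much key material is the cipher's practical cost."""
    return secrets.token_bytes(n)


def otp_xor(data: bytes, key: bytes) -> bytes:
    """C = P xor K and P = C xor K: the same operation in both directions."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same key: C1 xor C2 = (P1 xor K) xor (P2 xor K)
    = P1 xor P2. The key cancels out and the attacker needs no key at all."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Guess ('crib') a fragment of one plaintext at some offset and XOR it
    into P1 xor P2 to reveal the other plaintext at the same position."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))
```

Given C1 and C2 encrypted under one pad, the attacker computes C1 ⊕ C2 = P1 ⊕ P2 and then "drags" likely words along it: wherever the guess is right, the other message appears in plain text. This is why the pad must never be reused.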
Vigenere Cipher
➢ Vigenere Cipher is a method of encrypting alphabetic text. It uses a simple form
of polyalphabetic substitution. A polyalphabetic cipher is any cipher based on
substitution, using multiple substitution alphabets .The encryption of the original text
is done using the Vigenère square or Vigenère table.
➢ The table consists of the alphabets written out 26 times in different rows, each
alphabet shifted cyclically to the left compared to the previous alphabet,
corresponding to the 26 possible Caesar Ciphers.
➢ At different points in the encryption process, the cipher uses a different alphabet from
one of the rows.
➢ The alphabet used at each point depends on a repeating keyword.
Example:
Input : Plaintext : GEEKSFORGEEKS
Keyword : AYUSH
Output : Ciphertext : GCYCZFMLYLEIM
For generating the key, the given keyword is repeated circularly until it matches the
length of the plaintext.
The keyword "AYUSH" generates the key "AYUSHAYUSHAYU"
The plain text is then encrypted using the process explained below.
Encryption
➢ The first letter of the plaintext, G is paired with A, the first letter of the key. So use
row G and column A of the Vigenère square, namely G. Similarly, for the second
letter of the plaintext, the second letter of the key is used, the letter at row E and
column Y is C. The rest of the plaintext is enciphered in a similar fashion.
Table: Vigenère encryption of GEEKSFORGEEKS with the key AYUSH
Decryption
➢ Decryption is performed by going to the row in the table corresponding to the key,
finding the position of the ciphertext letter in this row, and then using the column’s
label as the plaintext.
➢ For example, in row A (from AYUSH), the ciphertext G appears in column G, which
is the first plaintext letter. Next we go to row Y (from AYUSH), locate the ciphertext
C which is found in column E, thus E is the second plaintext letter.
➢ It is easier to implement Vigenère algebraically by converting the letters [A–Z] into
numbers [0–25].
Encryption
The plaintext letter Pi and the key letter Ki are added modulo 26:
Ei = (Pi + Ki) mod 26
Decryption
Di = (Ei − Ki + 26) mod 26
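The algebraic form Ei = (Pi + Ki) mod 26 with the repeating keyword, as an added Python example that is not part of the original notes. It reproduces the GEEKSFORGEEKS/AYUSH example, builds any row of the Vigenère table, and also shows the cipher's weakness: once the key length is known, every fifth letter here was enciphered with the same Caesar shift, so the ciphertext splits into simple shift ciphers that frequency analysis attacks one at a time. All names are this example's own.

```python
def vigenere_keystream(keyword: str, length: int) -> str:
    """Repeat the keyword circularly until it is as long as the plaintext."""
    k = "".join(c for c in keyword.upper() if c.isalpha())
    return (k * (length // len(k) + 1))[:length]


def tableau_row(key_letter: str) -> str:
    """Row of the Vigenère square for a key letter: the alphabet shifted
    cyclically left by that letter's value (the corresponding Caesar alphabet)."""
    s = ord(key_letter.upper()) - 65
    return "".join(chr((i + s) % 26 + 65) for i in range(26))


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """E_i = (P_i + K_i) mod 26."""
    p = [c for c in plaintext.upper() if c.isalpha()]
    ks = vigenere_keystream(keyword, len(p))
    return "".join(chr((ord(a) + ord(b) - 130) % 26 + 65) for a, b in zip(p, ks))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """D_i = (E_i - K_i + 26) mod 26."""
    c = [ch for ch in ciphertext.upper() if ch.isalpha()]
    ks = vigenere_keystream(keyword, len(c))
    return "".join(chr((ord(a) - ord(b) + 26) % 26 + 65) for a, b in zip(c, ks))


def caesar_columns(ciphertext: str, period: int) -> list:
    """Cryptanalysis view: with key length `period`, letters i, i+period, ...
    share one key letter, so each column is a plain Caesar cipher that can be
    attacked by frequency analysis independently of the others."""
    c = [ch for ch in ciphertext.upper() if ch.isalpha()]
    return ["".join(c[i::period]) for i in range(period)]


def shift_column(column: str, shift: int) -> str:
    """Undo one Caesar shift on a column (shift = value of that key letter)."""
    return "".join(chr((ord(ch) - 65 - shift) % 26 + 65) for ch in column)
```

The second column of GCYCZFMLYLEIM split with period 5 is CMI; shifting it back by Y (24) gives EOK, the plaintext letters at positions 2, 7 and 12. In practice the period is found first (Kasiski examination or the index of coincidence) and each column's shift is then chosen to best match English letter frequencies.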
1.7.4 Transposition Techniques
In a transposition cipher, the order of the letters is rearranged to obtain the ciphertext;
no letter is replaced by another.
Rail Fence Cipher
The key for the rail fence cipher is just the number of rails. To encrypt a piece of text, e.g.
"defend the east wall of the castle", the letters are written diagonally over the chosen
number of rails (down, then up, then down again) and the ciphertext is read off rail by rail.
Columnar Transposition
1. The message is written out in rows of a fixed length and then read out again column
by column, with the columns taken in some scrambled order.
2. The width of the rows and the permutation of the columns are usually defined by a
keyword.
3. For example, the word HACK is of length 4 (so the rows are of length 4), and the
permutation is defined by the alphabetical order of the letters in the keyword. In this
case the order is "3 1 2 4": the column under A is read first, then C, then H, then K.
4. Any spare spaces in the last row are filled with nulls (here the character _) or left blank.
5. Finally, the message is read off in columns, in the order specified by the keyword.
Example
Encryption
Input : Geeks for Geeks
Key = HACK
Output : e  kefGsGsrekoe_
Decryption
Input : e  kefGsGsrekoe_
Key = HACK
Output : Geeks for Geeks
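Both transposition ciphers described above, as an added Python example that is not part of the original notes: rail fence with the number of rails as the key, and columnar transposition keyed by the alphabetical order of the keyword's letters, reproducing the HACK example (the notes pad the last row with the character _). Decryption rebuilds the grid from the ciphertext length and the key. All names are this example's own.

```python
def _rail_pattern(n: int, rails: int) -> list:
    """Rail index visited by each of the n letters: 0,1,2,1,0,1,2,... for 3 rails."""
    if rails < 2:
        return [0] * n
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(n)]


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Write the letters diagonally down and up over the rails, then read rail by rail."""
    letters = [c for c in text if c.isalpha()]
    pattern = _rail_pattern(len(letters), rails)
    return "".join(c for r in range(rails) for c, p in zip(letters, pattern) if p == r)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Rebuild the zigzag: the first ciphertext letters fill rail 0's positions, and so on."""
    pattern = _rail_pattern(len(cipher), rails)
    out, pos = [""] * len(cipher), 0
    for r in range(rails):
        for i, p in enumerate(pattern):
            if p == r:
                out[i] = cipher[pos]
                pos += 1
    return "".join(out)


def column_order(keyword: str) -> list:
    """Columns in the order they are read: alphabetical rank of the key letters,
    e.g. HACK -> [1, 2, 0, 3] (column under A first, then C, H, K)."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def columnar_encrypt(text: str, keyword: str, pad: str = "_") -> str:
    """Write in rows of len(keyword), fill the last row, read columns in key order."""
    width = len(keyword)
    padded = text + pad * (-len(text) % width)
    rows = [padded[i:i + width] for i in range(0, len(padded), width)]
    return "".join(row[c] for c in column_order(keyword) for row in rows)


def columnar_decrypt(cipher: str, keyword: str, pad: str = "_") -> str:
    """Cut the ciphertext into len(cipher)/width chunks, place each chunk into its
    column, then read the grid row by row and drop the padding."""
    width = len(keyword)
    height = len(cipher) // width
    cols = {}
    for k, c in enumerate(column_order(keyword)):
        cols[c] = cipher[k * height:(k + 1) * height]
    rows = ["".join(cols[c][r] for c in range(width)) for r in range(height)]
    return "".join(rows).rstrip(pad)
```

Note that a transposition cipher leaves the letter frequencies of the plaintext untouched (the ciphertext of an English message still has 'e' as its most common letter), which is how a cryptanalyst recognises a transposition as opposed to a substitution.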
1.7.5 Steganography
➢ Steganography is data hidden within data. It is not itself an encryption technique, but it
can be used together with cryptography as an extra layer of protection: the message is
first encrypted and then hidden. Steganographic watermarking is also used to mark
copyrighted material so that pirated copies can be traced.
How is it different from cryptography?
➢ Cryptography and steganography are both methods used to hide or protect secret data.
However, they differ in the respect that cryptography makes the data unreadable, or
hides the meaning of the data, while steganography hides the existence of the data.
➢ In layman’s terms, cryptography is similar to writing a letter in a secret language:
people can read it, but won’t understand what it means. However, the existence of a
(probably secret) message would be obvious to anyone who sees the letter, and if
someone either knows or figures out your secret language, then your message can
easily be read.
➢ If you were to use steganography in the same situation, you would hide the letter
inside a pair of socks that you would be gifting the intended recipient of the letter. To
those who don’t know about the message, it would look like there was nothing more
to your gift than the socks. But the intended recipient knows what to look for, and
finds the message hidden in them.
➢ Similarly, if two users exchanged media files over the internet, it would be more
difficult to determine whether these files contain hidden messages, than if they were
communicating using cryptography.
Image Steganography
➢ As the name suggests, Image Steganography refers to the process of hiding data
within an image file. The image selected for this purpose is called the cover-
image and the image obtained after steganography is called the stego-image.(Figure
1.11)
Working Principle
➢ An image is represented as an N*M (in case of greyscale images) or N*M*3 (in case
of colour images) matrix in memory, with each entry representing the intensity value
of a pixel.
➢ In image steganography, a message is embedded into an image by altering the values
of some pixels, which are chosen by an embedding algorithm. The recipient of the
image must know the same algorithm (and any key it uses) in order to know which
pixels to select to extract the message.
Figure 1.11 Steganography
➢ Detection of a hidden message within a cover image is called steganalysis.
➢ This can be done by comparison with the original cover image (if it is available), by
histogram analysis, or by statistical noise detection. While effort is being invested in
new embedding algorithms with a greater degree of immunity against such analysis,
effort is also devoted to improving steganalysis, for example to detect the exchange of
secret information between terrorist or criminal groups.
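Least-significant-bit (LSB) embedding, the simplest form of the pixel-altering scheme described in the working principle above, as an added Python example that is not part of the original notes. The cover is a constructed 8×16 greyscale matrix rather than a real image file, the "algorithm the recipient must know" is simply raster order with a 16-bit length header, max_pixel_change shows why the change is invisible to the eye (no pixel value moves by more than 1), and lsb_ones_fraction is a crude example of the statistic a steganalyst might look at. All names are this example's own.

```python
def _bits(data: bytes):
    """Yield the bits of each byte, most significant first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(cover: list, payload: bytes) -> list:
    """Write a 16-bit length header followed by the payload into the least
    significant bit of successive pixels (row by row, left to right).
    cover is a list of rows of 0..255 greyscale values and is not modified."""
    height, width = len(cover), len(cover[0])
    bits = list(_bits(len(payload).to_bytes(2, "big") + payload))
    if len(bits) > height * width:
        raise ValueError("payload too large for this cover image")
    stego = [row[:] for row in cover]
    for k, bit in enumerate(bits):
        r, c = divmod(k, width)
        stego[r][c] = (cover[r][c] & 0xFE) | bit  # clear the LSB, then set it
    return stego


def lsb_extract(stego: list) -> bytes:
    """Recipient side: read LSBs in the same order, first the length, then the payload."""
    lsbs = [px & 1 for row in stego for px in row]

    def read(start: int, nbits: int) -> int:
        value = 0
        for b in lsbs[start:start + nbits]:
            value = (value << 1) | b
        return value

    length = read(0, 16)
    return bytes(read(16 + 8 * i, 8) for i in range(length))


def max_pixel_change(cover: list, stego: list) -> int:
    """Largest intensity difference introduced by embedding (at most 1 for LSB)."""
    return max(abs(a - b) for ra, rb in zip(cover, stego) for a, b in zip(ra, rb))


def lsb_ones_fraction(image: list) -> float:
    """Fraction of pixels whose LSB is 1. After embedding, the LSB plane follows
    the payload's bit statistics rather than the image's own sensor noise, which
    is one of the cues steganalysis looks for."""
    lsbs = [px & 1 for row in image for px in row]
    return sum(lsbs) / len(lsbs)
```

With no key, anyone who knows the scheme can extract the message; in practice the payload is encrypted first and the pixel order is driven by a key, so that steganalysis can at best show that something is hidden, not what.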
1.6 Foundations of modern cryptography
There are four major characteristics that separate modern cryptography from the classical
approach.
Context of Cryptography
• Cryptography
• Cryptanalysis
Cryptography
➢ Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information
security services.
Cryptanalysis
➢ The art and science of breaking ciphertext is known as cryptanalysis.
➢ Cryptanalysis is the sister branch of cryptography, and the two co-exist. The
cryptographic process produces the ciphertext for transmission or storage;
cryptanalysis studies cryptographic mechanisms with the intention of breaking them.
Cryptanalysis is also used during the design of new cryptographic techniques to
test their strength.
➢ Cryptography primitives are nothing but the tools and techniques in Cryptography
that can be selectively used to provide a set of desired security services −
• Encryption
• Hash functions
• Digital Signatures
The following table shows the primitives that can achieve a particular security service on
their own.
1.8.1 Perfect Security
➢ Perfect secrecy (information-theoretic security) means that the ciphertext conveys
no information whatsoever about the content of the plaintext, even to an attacker with
unlimited computing power. Shannon showed that achieving it requires at least as
much key material as there is plaintext to encrypt, which is exactly what the one-time
pad provides.
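A worked statement of Shannon's definition applied to the one-time pad, added here as an example in the notation of these notes (it is not part of the original):

Let M be the plaintext, K the key and C = M ⊕ K the ciphertext, all n-bit strings, with K chosen uniformly at random and independently of M.

Perfect secrecy: for every message m and every ciphertext c,
Pr[M = m | C = c] = Pr[M = m]
that is, seeing c tells the attacker nothing about m that was not already known.

For the one-time pad, fix any m and c. Exactly one key, k = m ⊕ c, satisfies E(k, m) = c, so
Pr[C = c | M = m] = Pr[K = m ⊕ c] = 1 / 2^n
Because this value does not depend on m,
Pr[C = c] = Σ_m Pr[M = m] · Pr[C = c | M = m] = 1 / 2^n
and by Bayes' rule
Pr[M = m | C = c] = Pr[M = m] · Pr[C = c | M = m] / Pr[C = c] = Pr[M = m]

The argument needs a fresh uniform n-bit key for every n-bit message: this is why perfect secrecy costs as much key material as plaintext, and why any key reuse destroys it (C1 ⊕ C2 = M1 ⊕ M2 no longer depends on K at all).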
Information Theory
➢ Information theory, founded by Claude Shannon, is the mathematical study of the
quantification, storage and communication of information. Its impact has been crucial
to the success of the Voyager missions to deep space, the invention of the compact
disc, the feasibility of mobile phones, the development of the Internet, the study of
linguistics and of human perception, the understanding of black holes, and numerous
other fields.
➢ The theory has also found applications in other areas, including statistical
inference, natural language processing, cryptography, neurobiology, human vision,
the evolution and function of molecular codes (bioinformatics), model selection in
statistics, thermal physics, quantum computing, linguistics, plagiarism detection,
pattern recognition, and anomaly detection.
➢ Important sub-fields of information theory include source coding, algorithmic
complexity theory, algorithmic information theory, information-theoretic
security, Grey system theory and measures of information.
Product Cryptosystem
➢ A product cipher combines two or more simple transformations, typically a substitution
followed by a permutation; the combination can yield a cipher system more powerful
than either one alone. This approach of alternately applying substitution and
permutation transformations was used by IBM in the Lucifer cipher system and has
become the standard for national data encryption standards such as the Data Encryption
Standard and the Advanced Encryption Standard.
➢ A product cipher that uses only substitutions and permutations is called a
substitution-permutation network (SP-network). Feistel ciphers are another important
class of product ciphers.
1.7 Cryptanalysis
➢ Cryptanalysis is the art of recovering encrypted messages (or the key) without being
given the key that was used to encrypt them. It uses mathematical analysis and
algorithms to break ciphers.
➢ The success of a cryptanalysis attack depends on the time, computing power and
storage available to the attacker. Commonly used attacks include:
• Brute-force attack – tries every possible key in turn, decrypting the ciphertext with
each one and checking for a meaningful result.
• Dictionary attack – uses a wordlist of likely keys or passwords and tries each entry;
it is mostly used when trying to crack password hashes.
• Rainbow table attack – looks up captured password hashes in a precomputed table of
hash chains, trading storage for computation time.
➢ Since the cryptanalysis concepts are highly specialized and complex, we concentrate
here only on some of the key mathematical concepts behind cryptography.
➢ To do this, certain mathematical equations are used, which are very difficult to solve
unless certain strict criteria are met. The level of difficulty of solving a given
equation is known as its intractability. These types of equations form the basis of
cryptography.
➢ A symmetric algorithm uses the same key to encrypt data as it does to decrypt data.
The study of symmetric cryptosystems is referred to as symmetric cryptography.
2.2.1 Groups
➢ A group is an algebraic structure consisting of a set of elements together with an
operation that combines any two elements to form a third element.
➢ A group G, sometimes denoted by {G, .} is a set of elements with a binary
Example 1:
Four cyclic subgroups can be made from the group G = <Z6, +>. There are H1 = < {0}, + >,
H2 = <{0, 2, 4}, +>, H3 = <{ 0, 3}, +> and H4 = G.
Example 2:
Three cyclic subgroups can be made from the group G = <Z10*, x>. G has only four
elements, the residues coprime with 10: 1, 3, 7 and 9. The cyclic subgroups are
H1 = <{1}, x>, H2 = <{1, 9}, x> and H3 = G.
2.2.2 Rings
➢ A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the
following axioms are obeyed:
• Closure under multiplication: If a and b belong to R, then ab is also in R.
• Associativity of multiplication: a (bc) = (ab) c for all a, b, c in R.
• Distributive laws:
▪ a (b + c) = ab + ac for all a, b, c in R.
▪ (a + b) c = ac + bc for all a, b, c in R.
➢ A ring is said to be commutative if it satisfies the following additional condition:
➢ We can define GF(5) on the set Z5 (5 is a prime) with addition and multiplication
operators as shown in Figure 2.3.
➢ 38 ≡ 14 (mod 12) because 38 − 14 = 24, which is a multiple of 12, or, equivalently,
because both 38 and 14 have the same remainder 2 when divided by 12.
➢ The same rule holds for negative values:
▪ -8 ≡ 7 (mod 5)
▪ 2 ≡ -3 (mod 5)
▪ -3 ≡ -8 (mod 5)
Examples:
Find the GCD
• GCD (12, 8)
• GCD (200, 1000)
• GCD (7, 122)
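Euclid's algorithm for the three GCD exercises above, its extended form (which yields the modular inverses needed, for example, by the Hill cipher), the congruence test for the examples in the previous section, and the enumeration of cyclic subgroups for the two group examples in 2.2.1, together as one added Python example that is not part of the original notes. All names are this example's own.

```python
def euclid_gcd(a: int, b: int) -> int:
    """gcd(a, b) = gcd(b, a mod b), repeated until the remainder is 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a: int, n: int) -> int:
    """a^-1 mod n, which exists only when gcd(a, n) == 1."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n


def congruent(a: int, b: int, n: int) -> bool:
    """a ≡ b (mod n) iff n divides a - b; works for negative values too."""
    return (a - b) % n == 0


def units(n: int) -> list:
    """Z_n*: the residues coprime with n, which form a group under multiplication."""
    return [a for a in range(1, n) if euclid_gcd(a, n) == 1]


def cyclic_subgroup(g: int, n: int, op) -> list:
    """<g> = {g, g op g, g op g op g, ...} in Z_n, generated until it repeats."""
    elems, x = [], g
    while x not in elems:
        elems.append(x)
        x = op(x, g) % n
    return sorted(elems)


def cyclic_subgroups(elements, n: int, op) -> list:
    """All distinct cyclic subgroups of the group (elements, op mod n), smallest first."""
    subs = []
    for g in elements:
        h = cyclic_subgroup(g, n, op)
        if h not in subs:
            subs.append(h)
    return sorted(subs, key=len)
```

Called with the group <Z6, +> (op = addition) the function returns the four subgroups H1 to H4 listed in Example 1; called with units(10) and multiplication it returns the three subgroups of Example 2.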
➢ The S-DES decryption algorithm takes an 8-bit block of ciphertext and the same 10-
bit key used to produce that ciphertext as input and produces the original 8-bit block
of plaintext.
➢ The function fk takes as input not only the data passing through the encryption
algorithm, but also an 8-bit key. Here a 10-bit key is used from which two 8-bit
subkeys are generated.
➢ The key is first subjected to a permutation (P10). Then a shift operation is performed.
The output of the shift operation then passes through a permutation function that
produces an 8-bit output (P8) for the first subkey (K1).
➢ The output of the shift operation also feeds into another shift and another instance of
P8 to produce the second subkey (K2).
➢ S-DES depends on the use of a 10-bit key shared between sender and receiver. From
this key, two 8-bit subkeys are produced for use in particular stages of the encryption
and decryption algorithm.(Figure 2.6)
Figure 2.6 S-DES Key Generation
➢ First, permute the key in the following fashion. Let the 10-bit key be designated as
(k1, k2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:
P10 (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1, k9, k8,
k6).
➢ This table is read from left to right; each position in the table gives the identity of the
input bit that produces the output bit in that position. So, the first output bit is bit 3 of
the input; the second output bit is bit 5 of the input, and so on.
Example
➢ The 10 bit key is (1010000010), now find the permutation from P10 for this key so it
becomes (10000 01100).
➢ Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits
and the second five bits. In our example, the result is (00001 11000).
➢ Next, apply P8, which picks out and permutes 8 of the 10 bits.
➢ The result is subkey 1 (K1). In our example, this yields (10100100).
➢ Then go back to the pair of 5-bit strings produced by the two LS-1 functions and
performs a circular left shift of 2 bit positions on each string. In our example, the
value (00001 11000) becomes (00100 00011).
➢ Finally, P8 is applied again to produce K2. In our example, the result is (01000011).
S-DES Encryption
1. Initial Permutation
➢ The input to the algorithm is an 8-bit block of plaintext, which is first permuted using
the IP function.
2. The Function fk
➢ The most complex component of S-DES is the function fk, which consists of a
combination of permutation and substitution functions. Let L and R be the leftmost 4
bits and rightmost 4 bits of the 8-bit input to fk, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings. Then
fk(L, R) = (L ⊕ F(R, SK), R)
where SK is the subkey of the round.
➢ Now, the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is
an expansion/permutation (E/P) that produces 8 bits.
➢ In the running example the output of IP is 01111110, so R = 1110 and
E/P(R) = 01111101.
➢ The 8-bit E/P output is XORed with the subkey (K1 in the first round). The first 4 bits of
the result are fed into the S-box S0 to produce a 2-bit output, and the remaining 4 bits
are fed into S1 to produce another 2-bit output.
➢ The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit
number that specifies a row of the S-box, and the second and third input bits specify a
column. Each S-box takes a 4-bit input and produces 2 bits of output, using the scheme
00 → 0, 01 → 1, 10 → 2, 11 → 3 for rows and columns.
➢ In the example both S-box inputs select row 11 → 3.
➢ The 4 bits produced by S0 and S1 are then permuted by P4, and the result is XORed
with L.
3. The Switch Function
➢ The switch function (SW) interchanges the left and right 4 bits. In the example the
output of the first fk is
1100 1110
and after the swap it is
1110 1100
4. Second Function fk
➢ E/P is applied to the new right half 1100, giving 01101001, which is XORed with K2:
01101001 ⊕ 01000011 = 00101010
➢ The S-box outputs for this value are 00 and 00, so the 4-bit value is 0000.
➢ After P4, 0000 ⊕ 1110 = 1110, which is concatenated with the right half 1100 (no
swap after the last round).
5. Inverse Initial Permutation
➢ Finally IP-1 is applied to produce the 8-bit ciphertext.
S-DES Decryption
Decryption uses the same five steps with the two subkeys in reverse order:
1. Initial permutation IP
2. Function fk with K2
3. Switch
4. Second fk with K1
5. IP-1
➢ Many symmetric block encryption algorithms in current use are based on a structure
referred to as the Feistel block cipher.
➢ A stream cipher is one that encrypts a digital data stream one bit or one byte at a
time, e.g., the autokeyed Vigenère cipher or the Vernam cipher. Figure (2.8a)
➢ A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a cipher text block of equal length. Typically, a block size of 64 or 128 bits
is used. Figure (2.8b)
Figure 2.8 Stream Cipher and Block Cipher
➢ Many block ciphers have a Feistel structure. Such a structure consists of a number of
identical rounds of processing.
➢ In each round, a substitution is performed on one half of the data being processed,
followed by a permutation that interchanges the two halves.
➢ The original key is expanded so that a different key is used for each round.
➢ The Data Encryption Standard (DES) has been the most widely used encryption
algorithm. It exhibits the classic Feistel structure.
➢ DES uses a 64-bit block and a 56-bit key. Two important methods of
cryptanalysis are differential cryptanalysis and linear cryptanalysis; DES has been
shown to be highly resistant to both. Its 56-bit key, however, is far too short for
modern hardware: exhaustive key search is practical, which is why DES has been
superseded by triple DES and AES.
➢ A block cipher operates on a plaintext block of n bits to produce a ciphertext block of
n bits. There are 2^n possible different plaintext blocks and, for the encryption to be
reversible (i.e., for decryption to be possible), each must produce a unique ciphertext
block. Such a transformation is called reversible, or nonsingular.
➢ In particular, Feistel proposed the use of a cipher that alternates substitutions and
permutations, where these terms are defined as follows:
• Substitution: Each plaintext element or group of elements is uniquely replaced
by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a permutation
of that sequence. That is, no elements are added or deleted or replaced in the
sequence, rather the order in which the elements appear in the sequence is
changed.
➢ Two methods for frustrating statistical cryptanalysis are:
• Diffusion – each plaintext digit affects many ciphertext digits, or, equivalently,
each ciphertext digit is affected by many plaintext digits.
• Confusion – make the statistical relationship between the ciphertext and the
value of the key as complex as possible, in order to thwart attempts to
deduce the key.
➢ The left-hand side of figure 2.9 depicts the structure proposed by Feistel.
➢ The input to the encryption algorithm is a plaintext block of length 2w bits and a key
K. the plaintext block is divided into two halves L0 and R0.
➢ The two halves of the data pass through n rounds of processing and then combine to
produce the ciphertext block. Each round i has inputs Li-1 and Ri-1, derived from the
previous round, as well as the subkey Ki, derived from the overall key K.
➢ In general, the subkeys Ki are different from K and from each other. All rounds have
the same structure.
➢ A substitution is performed on the left half of the data (as similar to S-DES). This is
done by applying a round function F to the right half of the data and then taking the
XOR of the output of that function and the left half of the data.
➢ The round function has the same general structure for each round but is parameterized
by the round subkey ki. Following this substitution, a permutation is performed that
consists of the interchange of the two halves of the data.
• Key size - Increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• Subkey generation - Greater complexity can make analysis harder, but slows
cipher
• Round function - Greater complexity can make analysis harder, but slows
cipher
➢ The decryption rule is as follows: use the ciphertext as input to the same algorithm, but use
the subkeys Ki in reverse order, i.e., Kn in the first round, Kn-1 in the second round, and so on.
➢ For clarity, we use the notation LEi and REi for data traveling through the encryption
algorithm and LDi and RDi for data traveling through the decryption algorithm.
➢ The above diagram indicates that, at each round, the intermediate value of the
decryption process is equal to the corresponding value of the encryption
process with the two halves of the value swapped.
➢ After the last iteration of the encryption process, the two halves of the output are
swapped, so that the ciphertext is RE16 || LE16.
➢ The output of that round is the ciphertext. Now take the ciphertext and use it as input
to the same algorithm.
➢ The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the
output of the sixteenth round of the encryption process.
➢ Now we will see how the output of the first round of the decryption process is equal
to a 32-bit swap of the input to the sixteenth round of the encryption process.
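The Feistel structure and the reverse-subkey decryption rule described above, as an added example that is not part of the notes. The round function F and the key schedule are constructed SHA-256 based stand-ins (not DES's); the point is that decryption is the same algorithm with K16 applied first, and that every intermediate value of decryption is the corresponding encryption value with its halves swapped.

```python
# Added example (not from the notes): a generic 16-round Feistel network on a
# 64-bit block. F and the key schedule are constructed stand-ins, not DES's.
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: int) -> int:
    """Toy F(R, K). It need not be invertible: the Feistel structure only ever
    XORs F's output into the other half, so decryption never has to undo F."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def subkeys(key: int) -> list:
    """Toy key schedule: 16 distinct 48-bit subkeys K1..K16 derived from K."""
    return [
        int.from_bytes(hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()[:6], "big")
        for i in range(1, ROUNDS + 1)
    ]


def trace(block: int, keys: list) -> list:
    """Run the rounds and return every intermediate (L_i, R_i), i = 0..16.
    Round i:  L_i = R_{i-1},  R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    left, right = block >> 32, block & MASK32
    states = [(left, right)]
    for k in keys:
        left, right = right, left ^ round_function(right, k)
        states.append((left, right))
    return states


def feistel(block: int, keys: list) -> int:
    """16 rounds followed by the final swap, so the output is R16 || L16."""
    left, right = trace(block, keys)[-1]
    return (right << 32) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, subkeys(key))


def decryp(block: int, key: int) -> int:
    """Placeholder name guard (unused); see decrypt below."""
    return decrypt(block, key)


def decrypt(block: int, key: int) -> int:
    # Same algorithm, subkeys in reverse order: K16 in round 1, K1 in round 16.
    return feistel(block, subkeys(key)[::-1])


def decryption_mirrors_encryption(block: int, key: int) -> bool:
    """The notes' claim: (LD_i, RD_i) == (RE_{16-i}, LE_{16-i}) for every i."""
    ks = subkeys(key)
    enc = trace(block, ks)
    dec = trace(encrypt(block, key), ks[::-1])
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(ROUNDS + 1))


if __name__ == "__main__":
    m, k = 0x0123456789ABCDEF, 0x133457799BBCDFF1   # constructed sample values
    c = encrypt(m, k)
    print(hex(c), hex(decrypt(c, k)), decryption_mirrors_encryption(m, k))
```

Swapping in a real F (the DES expansion, S-boxes and P permutation) changes nothing in `feistel`, `encrypt` or `decrypt`; that independence of the structure from F is what the text means by "all rounds have the same structure".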
➢ The general structure of DES is depicted in Figure 2.10.
Figure 2.10 General Structure of DES Encryption Algorithm
If we then take the inverse permutation, Y = IP^-1(X) = IP^-1(IP(M)), it can be seen that the
original ordering of the bits is restored.
Table 2.1 Permutation Tables for DES
➢ A 64-bit key is used as input to the algorithm. The bits of the key are numbered from
1 through 64; every eighth bit is ignored, as indicated by the lack of shading in Table
2.2a.
➢ The key is first subjected to a permutation governed by a table labeled Permuted
Choice One (Table 2.2b).
➢ The resulting 56-bit key is then treated as two 28-bit quantities, labelled C0 and D0.
➢ At each round, Ci-1 and Di-1 are separately subjected to a circular left shift (rotation) of 1 or
2 bits, as governed by Table 2.2d.
➢ These shifted values serve as input to the next round.
➢ They also serve as input to the part labeled Permuted Choice Two (Table 2.2c), which
produces a 48-bit output that serves as input to the function F(Ri-1, Ki).
Table 2.2 DES Key Calculation
2.10.4 S Boxes
➢ The substitution consists of a set of eight S-boxes (Figure 2.12), each of which
accepts 6 bits as input and produces 4 bits as output.
➢ The 32-bit output from the eight S-boxes is then permuted, so that on the next round,
the output from each S-box immediately affects as many others as possible.
Figure 2.12 Calculation of F(R, K)
2.10.5 Avalanche Effect
➢ A desirable property of any encryption algorithm is that a small change in either the
plaintext or the key should produce a significant change in the ciphertext.
➢ In particular, a change in one bit of the plaintext or one bit of the key should produce
a change in many bits of the ciphertext. Figure 2.13 shows the avalanche effect.
➢ The criteria used in the design of DES focused on the design of the S-boxes and on
the P function that takes the output of the S-boxes. The criteria for the S-boxes are as
follows.
• No output bit of any S-box should be too close a linear function of the input
bits. Specifically, if we select any output bit and any subset of the six input
bits, the fraction of inputs for which this output bit equals the XOR of these
input bits should not be close to 0 or 1, but rather should be near 1/2.
• Each row of an S-box (determined by a fixed value of the leftmost and
rightmost input bits) should include all 16 possible output bit combinations.
• If two inputs to an S-box differ in exactly one bit, the outputs must differ in at
least two bits.
• If two inputs to an S-box differ in the two middle bits exactly, the outputs
must differ in at least two bits.
• If two inputs to an S-box differ in their first two bits and are identical in their
last two bits, the two outputs must not be the same.
• For any nonzero 6-bit difference between inputs, no more than eight of the 32
pairs of inputs exhibiting that difference may result in the same output
difference.
• This is a criterion similar to the previous one, but for the case of three S-
boxes.
➢ The S-boxes are the only nonlinear part of DES. If the S-boxes were linear (i.e., each
output bit is a linear combination of the input bits), the entire algorithm would be
linear and easily broken.
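The S-box lookup of Figure 2.12 and three of the design criteria listed above, checked against DES's S1, as an added example that is not part of the notes. S1 is the standard table; the functions are illustrative.

```python
# Added example (not from the notes): DES S-box S1 looked up as Figure 2.12
# describes (outer two bits select the row, middle four the column), with
# checks for the row-permutation, one-bit-difference and linearity criteria.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(sbox: list, six_bits: int) -> int:
    """6-bit input b1..b6: row = b1b6, column = b2b3b4b5; 4-bit output."""
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def rows_are_permutations(sbox: list) -> bool:
    """Criterion: each row contains all 16 output values exactly once."""
    return all(sorted(row) == list(range(16)) for row in sbox)


def min_output_distance_for_one_bit_change(sbox: list) -> int:
    """Criterion: inputs differing in exactly one bit must give outputs that
    differ in at least two bits. Returns the smallest distance observed."""
    best = 4
    for x in range(64):
        for bit in range(6):
            y = x ^ (1 << bit)
            dist = bin(sbox_lookup(sbox, x) ^ sbox_lookup(sbox, y)).count("1")
            best = min(best, dist)
    return best


def linearity_fraction(sbox: list, out_bit: int, in_mask: int) -> float:
    """Fraction of inputs where one output bit equals the XOR of a chosen
    subset (in_mask) of input bits. Criterion: near 1/2, not near 0 or 1."""
    hits = 0
    for x in range(64):
        parity_in = bin(x & in_mask).count("1") & 1
        parity_out = (sbox_lookup(sbox, x) >> out_bit) & 1
        hits += parity_in == parity_out
    return hits / 64


def worst_linearity_deviation(sbox: list) -> float:
    """Largest |fraction - 1/2| over all output bits and non-empty input subsets."""
    return max(abs(linearity_fraction(sbox, o, m) - 0.5)
               for o in range(4) for m in range(1, 64))


if __name__ == "__main__":
    print(sbox_lookup(S1, 0b011011))      # row 01, column 1101 -> 5 (0101)
    print(rows_are_permutations(S1), min_output_distance_for_one_bit_change(S1))
    print(worst_linearity_deviation(S1))
```

A linear S-box would make `worst_linearity_deviation` return 0.5 for some output bit and input subset (the output bit would equal that XOR on every input); the DES tables stay well away from that, which is the nonlinearity the last paragraph above relies on.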
➢ If the input is larger than b bits, it is divided into b-bit blocks. For different applications and
uses, there are several modes of operation for a block cipher.
➢ The five standard Modes of Operation:
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)
Electronic Code Book (ECB)
➢ Electronic code book is the simplest block cipher mode of operation: each block of input
plaintext is encrypted directly, and the output is the corresponding block of ciphertext
(Figure 2.14).
➢ Generally, if a message is larger than b bits, it is broken into a sequence of b-bit blocks
and the procedure is repeated for each. The plaintext is handled one block at a time and
each block of plaintext is encrypted using the same key.
➢ The term codebook is used because, for a given key, there is a unique ciphertext for
every b-bit block of plaintext.
Advantages
➢ Parallel encryption of blocks is possible, so it is a fast way of encrypting.
➢ Simplest block cipher mode.
Disadvantages
➢ Prone to cryptanalysis, since there is a direct relationship between plaintext and
ciphertext blocks: identical plaintext blocks give identical ciphertext blocks.
Cj = E(K, Pj), j = 1, …, N
Pj = D(K, Cj), j = 1, …, N
Figure 2.14 Electronic Code Book
➢ For the last plaintext block, which may be a partial block of bits, the most significant
bits of the last output block are used for the XOR operation; the remaining bits are
discarded.
Figure 2.18 Counter
Advantages
➢ Hardware efficiency
➢ Software efficiency
➢ Preprocessing
➢ Random access
➢ Provable security
➢ Simplicity
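ECB and CTR as described above, as an added example that is not part of the notes. It uses a constructed toy 64-bit block cipher (a 4-round Feistel over SHA-256, not DES or AES) so that it runs with no dependencies; the mode logic is what matters. It shows the ECB codebook leak (equal plaintext blocks, equal ciphertext blocks) and CTR's use of only the leading keystream bytes for a partial final block.

```python
# Added example (not from the notes): ECB and CTR over a constructed toy block
# cipher. The cipher is a stand-in; the modes are the real ones.
import hashlib

BLOCK = 8   # block size in bytes (b = 64 bits)


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(right, key, rnd))
    return right + left


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _f(right, key, rnd))
    return right + left


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C_j = E(K, P_j). Whole blocks only; no padding is applied here."""
    assert len(plaintext) % BLOCK == 0, "ECB needs a multiple of the block size"
    return b"".join(toy_encrypt_block(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """P_j = D(K, C_j)."""
    return b"".join(toy_decrypt_block(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one: the
    pattern an observer sees in ECB output."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block j = E(K, nonce || j), XORed with the data.
    Encrypting and decrypting are the same call. For a partial last block only
    the leading (most significant) keystream bytes are used; the rest are
    discarded, so the output has exactly the input's length."""
    assert len(nonce) == 4
    out = bytearray()
    for j, i in enumerate(range(0, len(data), BLOCK)):
        keystream = toy_encrypt_block(key, nonce + j.to_bytes(4, "big"))
        chunk = data[i:i + BLOCK]
        out += _xor(chunk, keystream[:len(chunk)])
    return bytes(out)


if __name__ == "__main__":
    key, nonce = b"sixteen byte key", b"\x00\x00\x00\x01"     # constructed
    pt = b"PAYROLL!" * 3                                        # three equal blocks
    print(repeated_blocks(ecb_encrypt(key, pt)))                # 2: ECB leaks the repeat
    print(repeated_blocks(ctr_crypt(key, nonce, pt)))           # 0
    ct = ctr_crypt(key, nonce, b"twenty byte message!")        # partial last block
    print(len(ct), ctr_crypt(key, nonce, ct))
```

The nonce-plus-counter input to `ctr_crypt` must never repeat under one key: a reused counter block yields the same keystream, and XORing two such ciphertexts cancels it out. That uniqueness requirement is what the "preprocessing" and "random access" advantages above are paid for with.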
➢ Interestingly, AES performs all its computations on bytes rather than bits. Hence,
AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged
in four columns and four rows for processing as a matrix.
➢ Unlike DES, the number of rounds in AES is variable and depends on the length of
the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14
rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key,
which is calculated from the original AES key.
➢ The overall structure of AES (Figure 2.19) focuses particularly on the four steps used in
each round of AES:
• Byte Substitution
• Shift Rows
• Mix Columns
• Add Round Key
MixColumns Transformation
➢ It operates on each column individually. Each byte of a column is mapped into a new
value that is a function of all four bytes in that column. The transformation can be
defined by the following matrix multiplication on State (Figure 2.22).
Figure 2.22 MixColumns Transformation
AddRoundKey Transformation
➢ It is a simple bitwise XOR of the current block with a portion of the expanded key.
The 128 bits of State are bitwise XORed with the 128 bits of the round key. As
shown in Figure 2.23, the operation is viewed as a columnwise operation between the
4 bytes of a State column and one word of the round key; it can also be viewed as a
byte-level operation.
2.16.2 AES Key Expansion Algorithm
➢ This algorithm takes as input a four-word (16-byte) key and produces a linear array of
44 words (176 bytes).
➢ This is sufficient to provide a four-word round key for the initial AddRoundKey stage
and each of the 10 rounds of the cipher.
➢ The key is copied into the first four words of the expanded key. The remainder of the
expanded key is filled in four words at a time. Each added word w[i] depends on the
immediately preceding word w[i-1], and the word four positions back, w[i-4].
➢ In three out of four cases, a simple XOR is used. For a word whose position in the w
array is a multiple of 4, a more complex function is used. Figure 2.24 illustrates the
generation of the expanded key, using the symbol g to represent that complex
function.
Figure 2.24 AES Key Expansion
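The MixColumns transformation (Figure 2.22) and the AES-128 key expansion with its g function (Figure 2.24), as an added example that is not part of the notes. The S-box is computed from its definition (GF(2^8) inverse followed by the affine map) rather than typed in; the sample key is the one published in FIPS-197's appendix, used here only as a known answer.

```python
# Added example (not from the notes): AES-128 key expansion and MixColumns.
# Requires only the standard library.

def gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """S(x) = affine(inverse(x)); inverse(0) is defined as 0."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if gmul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for i in range(1, 5):                         # b ^ rotl(b,1..4)
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def g(word: bytes, round_no: int) -> bytes:
    """The 'g' of Figure 2.24: RotWord, SubWord, XOR the round constant."""
    t = word[1:] + word[:1]                          # RotWord
    t = bytes(SBOX[b] for b in t)                    # SubWord
    return bytes([t[0] ^ RCON[round_no - 1]]) + t[1:]


def key_expansion(key: bytes) -> list:
    """16-byte key -> 44 four-byte words w[0..43] (176 bytes).
    w[i] = w[i-4] XOR w[i-1], except every fourth word goes through g first."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = g(temp, i // 4)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], temp)))
    return w


def mix_column(col: bytes) -> bytes:
    """One State column times the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    a0, a1, a2, a3 = col
    return bytes([
        gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
        a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
        a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
        gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2),
    ])


def round_key(words: list, rnd: int) -> bytes:
    """The 16-byte key XORed into State by AddRoundKey in round rnd (0..10)."""
    return b"".join(words[4 * rnd:4 * rnd + 4])


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    words = key_expansion(key)
    print(words[4].hex(), words[43].hex())                  # a0fafe17 b6630ca6
    print(mix_column(bytes.fromhex("db135345")).hex())      # 8e4da1bc
```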
2.17 RC4
➢ RC4 is an encryption algorithm created in 1987 by Ronald Rivest of RSA Security. It
is a stream cipher (Figure 2.25), which means that each digit or character is encrypted
one at a time. A cipher is a message that has been encoded.
➢ A key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers
that is unpredictable without knowledge of the input key.
➢ The output of the generator, called the keystream, is combined one byte at a time with
the plaintext stream using the XOR operation.
Figure 2.25 Stream Cipher Diagram
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit
the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third-party C, C can deliver
a key on the encrypted links to A and B.
➢ Physical delivery (1 and 2) is simplest, but only applicable when there is personal
contact between recipient and key issuer. This is fine for link encryption, where
devices and keys occur in pairs, but does not scale as the number of parties who wish to
communicate grows. Option 3 mostly depends on 1 or 2 having occurred first.
➢ A third party whom all parties trust can be used as a trusted intermediary to mediate
the establishment of secure communications between them (4). The intermediary must be
trusted not to abuse its knowledge of all session keys. As the number of parties
grows, some variant of 4 is the only practical solution to the huge growth in the number of
keys potentially needed.
Key Distribution Centre
➢ The use of a key distribution center is based on the use of a hierarchy of keys. At a
minimum, two levels of keys are used.
➢ Communication between end systems is encrypted using a temporary key, often
referred to as a Session key.
➢ Typically, the session key is used for the duration of a logical connection and then
discarded.
➢ Master key is shared by the key distribution center and an end system or user and
used to encrypt the session key.
Key Distribution Scenario
➢ Let us assume that user A wishes to establish a logical connection with B and
requires a one-time session key to protect the data transmitted over the connection.
A has a master key, Ka, known only to itself and the KDC; similarly, B shares the
master key Kb with the KDC(Figure 2.27). The following steps occur:
Figure 2.27 Key Distribution Scenario
1. A issues a request to the KDC for a session key to protect a logical connection to B.
The message includes the identity of A and B and a unique identifier, N1, for this
transaction, which we refer to as a nonce. The nonce may be a timestamp, a
counter, or a random number; the minimum requirement is that it differs with each
request. Also, to prevent masquerade, it should be difficult for an opponent to guess
the nonce. Thus, a random number is a good choice for a nonce.
2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who
can successfully read the message, and A knows that it originated at the KDC. The
message includes two items intended for A:
• The one-time session key, Ks, to be used for the session
• The original request message, including the nonce, to enable A to match this
response with the appropriate request
Thus, A can verify that its original request was not altered before reception by the
KDC and, because of the nonce, that this is not a replay of some previous request.
In addition, the message includes two items intended for B:
• The one-time session key, Ks to be used for the session
➢ The distribution of session keys delays the start of any exchange and places a
burden on network capacity. A security manager must try to balance these
competing considerations in determining the lifetime of a particular session key.
➢ For connection-oriented protocols, one obvious choice is to use the same session
key for the length of time that the connection is open, using a new session key
for each new session.
➢ If a logical connection has a very long lifetime, then it would be prudent to
change the session key periodically, perhaps every time the PDU (protocol data
unit) sequence number cycles.
➢ For a connectionless protocol, such as a transaction-oriented protocol, there is no
explicit connection initiation or termination.
➢ Thus, it is not obvious how often one needs to change the session key. The most
secure approach is to use a new session key for each exchange.
➢ A better strategy is to use a given session key for a certain fixed period only or for a
certain number of transactions.
PART B
➢ Primes and Prime Factorization are especially important in number theory, as are a
number of functions including the Totient function.
➢ Cryptography is the study of methods to send and receive secret messages. In
general, we have a sender who is trying to send a message to a receiver. There is also an
adversary, who wants to steal the message. We are successful if the sender is able to
communicate a message to the receiver without the adversary learning what the message
was.
➢ The most popular public key cryptosystems are based on the problem of factorization
of large integers and the discrete logarithm problem in finite groups, in particular in the
multiplicative group of a finite field and the group of points on an elliptic curve over a
finite field.
Output:
GCD of 98 and 56 is 14
a^(n−1) ≡ 1 (mod n). This suggests the Fermat test for a prime: pick a random a
∈ {1, ..., n−1} and see if a^(n−1) ≡ 1 (mod n). If not, then n must be
composite.
Z561 = Z3 × Z11 × Z17
thus, each a ∈ Z*561 corresponds to some triple (x, y, z) with x ∈ Z*3, y ∈ Z*11, z ∈ Z*17.
By Fermat's Theorem, x^2 = 1, y^10 = 1 and z^16 = 1. Since 2, 10, and 16 all divide 560, this
means (x, y, z)^560 = (1, 1, 1); in other words, a^560 = 1 for any a ∈ Z*561.
Thus, no matter what a we pick, 561 always passes the Fermat test despite being composite,
so long as a is coprime to n. Such numbers are called Carmichael numbers, and it turns out
there are infinitely many of them.
If a is not coprime to n then the Fermat test fails, but in this case we may as well forgo tests
and recover a factor of n simply by computing gcd(a, n).
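The Fermat test, its failure on the Carmichael number 561, the gcd fallback for a non-coprime base, and the Miller-Rabin test that 561 does not pass, as an added example that is not part of the notes. The fixed base set (2, 3, 5, 7) makes Miller-Rabin deterministic for the small numbers used here; for large n a practitioner uses random bases.

```python
# Added example (not from the notes): Fermat test vs. Miller-Rabin on 561.
from math import gcd


def fermat_test(n: int, a: int) -> bool:
    """True when a^(n-1) ≡ 1 (mod n): n 'passes' for this base."""
    return pow(a, n - 1, n) == 1


def fermat_liars(n: int) -> int:
    """Number of bases 1 <= a < n for which composite n passes the test.
    For a Carmichael number this is every base coprime to n, i.e. phi(n)."""
    return sum(fermat_test(n, a) for a in range(1, n))


def factor_from_non_coprime_base(n: int, a: int):
    """If gcd(a, n) > 1 the base itself hands over a factor; no test needed."""
    d = gcd(a, n)
    return d if 1 < d < n else None


def miller_rabin(n: int, bases=(2, 3, 5, 7)) -> bool:
    """Strong probable-prime test. Write n-1 = 2^s * d with d odd; n passes
    for base a if a^d ≡ 1 or some a^(2^r d) ≡ -1 (r < s). Unlike Fermat it
    also rejects n when 1 has a square root other than ±1, which is how
    Carmichael numbers are caught."""
    if n < 2:
        return False
    if n in bases:
        return True
    if n % 2 == 0:
        return False
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # composite for certain
    return True


if __name__ == "__main__":
    n = 561                                        # = 3 * 11 * 17
    print(fermat_liars(n), "of", n - 1, "bases fool the Fermat test")   # 320 = phi(561)
    print(factor_from_non_coprime_base(n, 3))      # 3
    print(miller_rabin(n), miller_rabin(104729))   # False, True
```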
3.4 Factorization
➢ Prime Factorization (or integer factorization) is a commonly used mathematical
problem often used to secure public-key encryption systems. A common practice is to
use very large semi-primes (that is, the result of the multiplication of
two prime numbers) as the number securing the encryption.
3.4.1 Fundamental Theorem of Arithmetic
➢ Any positive integer greater than one can be written uniquely in the following prime
factorization form where P1, P2…., Pk are primes and e1, e2…ek are positive integers.
Applications of factorization
➢ Greatest Common Divisor
• The GCD of two numbers, gcd (a, b). This value can also be found if we know
the factorization of a and b.
• It can be proved that gcd (a, b) and lcm (a, b) are related to each other as
shown below.
➢ Example 1: Use the trial division algorithm to find the factors of 1233.
Solution
We run a program based on the algorithm and get the following result.
1233 = 3^2 × 137
3.4.3 Fermat Method
➢ Fermat's factorization method is based on the representation of an odd integer as
the difference of two squares. For an integer n, we want a and b such that:
n = a^2 − b^2 = (a + b)(a − b)
Example
Use the Pollard p − 1 method to find a factor of 57247159 with the bound B = 8.
Solution
We run a program based on the algorithm and find that p = 421. As a matter of fact,
57247159 = 421 × 135979. Note that 421 is a prime and p − 1 has no factor greater
than 8:
421 − 1 = 2^2 × 3 × 5 × 7
3.4.5 Pollard's rho algorithm
➢ Pollard's rho algorithm is an algorithm for integer factorization. It was invented by
John Pollard in 1975. It uses only a small amount of space, and its expected running
time is proportional to the square root of the size of the smallest prime factor of the
composite number being factorized.
➢ Given a positive integer n, and that it is composite, find a divisor of it.
➢ Example:
Input: n = 12;
Output: 2 [OR 3 OR 4]
Input: n = 187;
Output: 11 [OR 17]
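The four factoring methods of Section 3.4 on the notes' own numbers, as an added example that is not part of the notes: trial division (1233), Fermat's difference of squares (a constructed 5959 = 59 × 101, chosen because its factors are close), Pollard p − 1 (57247159 with B = 8) and Pollard rho (187 and 12). Requires Python 3.8+ for `math.isqrt`.

```python
# Added example (not from the notes): trial division, Fermat, Pollard p-1 and
# Pollard rho.
from math import gcd, isqrt


def trial_division(n: int) -> list:
    """Prime factors smallest first, e.g. 1233 -> [3, 3, 137]. O(sqrt(n))."""
    factors, p = [], 2
    while p * p <= n:
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1
    if n > 1:
        factors.append(n)
    return factors


def fermat_factor(n: int):
    """Odd n = a^2 - b^2 = (a+b)(a-b): search upward from a = ceil(sqrt(n))
    until a^2 - n is a perfect square. Fast only when the factors are close,
    which is one reason RSA primes must not be chosen near each other."""
    assert n % 2 == 1
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1


def pollard_p_minus_1(n: int, bound: int):
    """a = 2^(B!) mod n. If a prime p | n has p-1 made only of primes <= B,
    then (p-1) | B!, so a ≡ 1 (mod p) and p | gcd(a-1, n)."""
    a = 2
    for j in range(2, bound + 1):
        a = pow(a, j, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None


def pollard_rho(n: int, c: int = 1):
    """Floyd cycle-finding on x -> x^2 + c (mod n). Expected work is about
    sqrt(p) for the smallest prime factor p, using O(1) space."""
    if n % 2 == 0:
        return 2
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    return d if d != n else None


if __name__ == "__main__":
    print(trial_division(1233))                 # [3, 3, 137]
    print(fermat_factor(5959))                  # (59, 101)
    print(pollard_p_minus_1(57247159, 8))       # 421
    print(pollard_rho(187), pollard_rho(12))    # 11, 2
```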
35y1 ≡ 1 (mod 4)
28y2 ≡ 1 (mod 5)
20y3 ≡ 1 (mod 7)
To find y1, first confirm that the inverse exists, i.e., gcd(Mk, mk) = 1, using
gcd(m, n) = gcd(n, m mod n), which stops when n = 1 (then gcd(m, n) = n = 1):
gcd(35, 4) = gcd(4, 35 mod 4) = gcd(4, 3) = gcd(3, 4 mod 3) = gcd(3, 1) = 1
Since 35 ≡ 3 (mod 4) and 3 × 3 = 9 ≡ 1 (mod 4), y1 = 3.
Similarly, find y2 and y3:
28 ≡ 3 (mod 5) and 3 × 2 = 6 ≡ 1 (mod 5), so y2 = 2
20 ≡ 6 (mod 7) and 6 × 6 = 36 ≡ 1 (mod 7), so y3 = 6
Step 4:
x = (a1 M1 y1 + a2 M2 y2 + a3 M3 y3) (mod m)
= ((1 × 35 × 3) + (2 × 28 × 2) + (4 × 20 × 6)) mod 140
= (105 + 112 + 480) mod 140
= 697 mod 140
x = 137
Example 2:
x ≡ 3 (mod 4)
x ≡ 2 (mod 3)
x ≡ 4 (mod 5)
Solve for x using the Chinese Remainder Theorem.
Solution
m1 = 4 a1 = 3
m2 = 3 a2 = 2
m3 = 5 a3 = 4
Step 1:
m = m1 * m2 * m3
=4*3*5
m = 60
Step 2:
M1 = m/ m1 => 60/4 = 15
M2 = m/m2 => 60/3 = 20
M3 = m/m3 => 60/5 = 12
Step 3:
MkYk ≡ 1 (mod mk)
Put k=1
M1y1 ≡ 1(mod m1)
15y1 ≡ 1 (mod 4)
Put k = 2
M2y2 ≡ 1(mod m2)
20y2 ≡ 1 (mod 3)
Put k = 3
M3y3 ≡ 1(mod m3)
12y3 ≡ 1 (mod 5)
15y1 ≡ 1 (mod 4)
20y2 ≡ 1 (mod 3)
12y3 ≡ 1 (mod 5)
Find y1 =3
y2 =2
y3 = 3
Step 4:
x = (a1 M1 y1 + a2 M2 y2 + a3 M3 y3) (mod m)
= ((3 * 15 * 3) + (2 * 20 * 2) + (4 * 12 * 3)) mod 60
= (135 + 80 + 144) mod 60
= 359 mod 60
x = 59
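Steps 1 to 4 of the Chinese Remainder Theorem as one function, checked against both worked examples above, as an added example that is not part of the notes. The modular inverse of step 3 is computed with `pow(M_k, -1, m_k)` (Python 3.8+) instead of by inspection.

```python
# Added example (not from the notes): CRT solver following the four steps.
from math import gcd, prod


def crt(residues: list, moduli: list) -> int:
    """Solve x ≡ a_k (mod m_k) for pairwise-coprime moduli m_k.
    Step 1: m = product of m_k
    Step 2: M_k = m / m_k
    Step 3: y_k = M_k^-1 mod m_k
    Step 4: x = sum(a_k * M_k * y_k) mod m"""
    assert len(residues) == len(moduli)
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            assert gcd(moduli[i], moduli[j]) == 1, "moduli must be pairwise coprime"
    m = prod(moduli)
    x = 0
    for a_k, m_k in zip(residues, moduli):
        M_k = m // m_k
        y_k = pow(M_k, -1, m_k)        # inverse exists because gcd(M_k, m_k) = 1
        x += a_k * M_k * y_k
    return x % m


def satisfies(x: int, residues: list, moduli: list) -> bool:
    """Check x against every congruence."""
    return all(x % m_k == a_k % m_k for a_k, m_k in zip(residues, moduli))


if __name__ == "__main__":
    print(crt([1, 2, 4], [4, 5, 7]))    # 137 (Example 1)
    print(crt([3, 2, 4], [4, 3, 5]))    # 59  (Example 2)
```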
➢ That is: c = b^e mod m = d^(−e) mod m, where e < 0 and b · d ≡ 1 (mod m).
➢ In the mathematics of the real numbers, the logarithm log_b a is a number x such
that b^x = a, for given numbers a and b. Analogously, in any group G, powers b^k can be
defined for all integers k, and the discrete logarithm log_b a is an integer k such
that b^k = a.
➢ In number theory, the more commonly used term is index: we can write x =
ind_r a (mod m) (read "the index of a to the base r modulo m") for r^x ≡ a (mod m) if r is
a primitive root of m and gcd(a, m) = 1.
➢ Let G be any group. Denote its group operation by multiplication and its identity
element by 1. Let b be any element of G. For any positive integer k, the
expression b^k denotes the product of b with itself k times.
➢ Similarly, let b^(−k) denote the product of b^(−1) with itself k times. For k = 0, the kth power
is the identity: b^0 = 1.
➢ With the spread of insecure computer networks in the last few decades, a genuine
need was felt to use cryptography at a larger scale.
➢ Symmetric-key cryptography was found to be impractical because of the key-management
challenges it faced. This gave rise to public key cryptosystems.
• Different keys are used for encryption and decryption. This property
sets the scheme apart from symmetric encryption.
• Though the private and public keys are related mathematically, it is not feasible to
calculate the private key from the public key. In fact, the intelligent part of any
public-key cryptosystem is in designing the relationship between the two keys.
➢ This cryptosystem was one of the first public key systems, and it remains the most
employed cryptosystem even today. The system was invented by three scholars, Ron Rivest, Adi
Shamir, and Len Adleman, and hence it is termed the RSA cryptosystem.
➢ We will see two aspects of the RSA cryptosystem: first, generation of the key pair, and
second, the encryption and decryption algorithms.
▪ The pair of numbers (n, e) forms the RSA public key and is made
public.
▪ ed ≡ 1 (mod (p − 1)(q − 1))
• Public key PU = {e, n}
• Private key PR = {d, n}
Figure 3.2 The RSA Algorithm
So, Ciphertext C = 11
Decryption
M = 11^23 mod 187
11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) ×
(11^8 mod 187)] mod 187
11^1 mod 187 = 11
11^2 mod 187 = 121
11^4 mod 187 = 14641 mod 187 = 55
11^8 mod 187 = 214,358,881 mod 187 = 33
11^8 mod 187 = 214,358,881 mod 187 = 33
11^23 mod 187 = (11 × 121 × 55 × 33 × 33) mod 187
= 79,720,245 mod 187
= 88
So, Plaintext M = 88
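RSA key generation, encryption and decryption on the notes' toy parameters (p = 17, q = 11, e = 7, M = 88), as an added example that is not part of the notes. Exponentiation is written out as square-and-multiply so the intermediate reductions above have a counterpart in code; `pow(e, -1, phi)` (Python 3.8+) supplies d.

```python
# Added example (not from the notes): textbook RSA on the worked example's
# numbers. Textbook RSA (no padding) is shown because that is what the notes
# describe; real deployments use OAEP/PSS padding on top of these primitives.
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Returns (public key (e, n), private key (d, n)) with ed ≡ 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to (p-1)(q-1)"
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def modexp(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply: reduce after every step so numbers stay small,
    exactly as the 11^23 mod 187 computation above reduces each partial product."""
    result, b = 1, base % mod
    while exp:
        if exp & 1:
            result = result * b % mod
        b = b * b % mod
        exp >>= 1
    return result


def rsa_encrypt(m: int, public_key) -> int:
    e, n = public_key
    assert 0 <= m < n, "message must be an integer smaller than n"
    return modexp(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    d, n = private_key
    return modexp(c, d, n)


def recover_private_key_by_trial_division(public_key):
    """Shows why p and q must be large: a toy n is factored instantly, after
    which d follows from e. Only feasible for tiny n, which is the point."""
    e, n = public_key
    for p in range(2, n):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    return None


if __name__ == "__main__":
    public, private = rsa_keygen(17, 11, 7)
    print(public, private)                              # (7, 187) (23, 187)
    c = rsa_encrypt(88, public)
    print(c, rsa_decrypt(c, private))                   # 11 88
    print(recover_private_key_by_trial_division(public))   # 23: toy modulus, no security
```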
RSA Analysis
➢ The security of RSA depends on the strength of two separate one-way functions. The RSA
cryptosystem is the most popular public-key cryptosystem, and its strength is based on
the practical difficulty of factoring very large numbers.
➢ If either of these two functions is proved not to be one-way, then RSA will be broken. In
fact, if a technique for factoring efficiently is developed, then RSA will no longer be
safe.
➢ The strength of RSA encryption drastically goes down against attacks if the numbers p
and q are not large primes and/or the chosen public key e is a small number.
➢ This includes dealing with the generation, exchange, storage, use, crypto-shredding
(destruction) and replacement of keys. Successful key management is critical to the
security of a cryptosystem.
➢ In cryptography it is a very tedious task to distribute the public and private key
between sender and receiver.
➢ If key is known to the third party (forger/eavesdropper) then the whole security
mechanism becomes worthless. So, there comes the need to secure the exchange of
keys.
➢ There are 2 aspects for Key Management:
➢ Its major weakness is forgery: anyone could pretend to be user A and send a public
key to another participant or broadcast such a public key. Until the forgery is
discovered, they can masquerade as the claimed user.
Publicly Available Directory
➢ The user obtains greater security by registering keys with a public directory.
➢ The directory must be trusted with properties:
The authority maintains a directory with a {name, public key} entry for each
participant.
Each participant registers a public key with the directory authority.
A participant may replace the existing key with a new one at any time, for example because
the corresponding private key has been compromised in some way.
Participants could also access the directory electronically. For this purpose,
secure, authenticated communication from the authority to the participant is
mandatory.
Figure 3.6 illustrates public key publication through a directory.
A Hybrid Scheme
➢ Another way to use public-key encryption to distribute secret keys is a hybrid
approach.
➢ This scheme retains the use of a Key Distribution Center (KDC) that shares a secret
master key with each user and distributes secret session keys encrypted with the
master key.
➢ A public key scheme is used to distribute the master keys.
➢ The addition of a public-key layer provides a secure, efficient means of distributing
master keys.
3.11 Diffie-Hellman Key Exchange Algorithm
• The Diffie–Hellman key exchange or Key Agreement is a method of securely
exchanging cryptographic keys over a public channel.
• This protocol allows two users to exchange a secret key over an untrusted
network without any prior secrets. Security of transmission is critical for many
network and Internet applications.
• The purpose of the algorithm is to enable two users to securely exchange a key
that can be used for subsequent encryption of messages. So, two persons can
talk in untrusted network.
• D-H is based on the difficulty of computing discrete logarithms of large
numbers.
• Suppose A and B wish to exchange a secret key; the following steps are
needed.
o There are two publicly known numbers: a prime number q and an integer
α that is a primitive root of q.
o Suppose users A and B wish to exchange a key.
o User A selects a random integer XA < q and
▪ computes YA = α^XA mod q.
o Similarly, user B selects a random integer XB < q and
▪ computes YB = α^XB mod q.
• Then user A computes the key as K = (YB)^XA mod q.
• User B computes K = (YA)^XB mod q.
• The two calculations produce identical results.
Example 1:
• Choose global public elements
q = 23, α = 9
• User A selects the private value XA = 4
• Calculate public YA
YA = α^XA mod q
= 9^4 mod 23
= 6561 mod 23
YA = 6
• User B selects the private value XB = 3
• Calculate public YB
YB = α^XB mod q
= 9^3 mod 23
= 729 mod 23
YB = 16
▪ Now A and B exchange their public values YA and YB (Figure 3.13 shows the exchange).
▪ Each side then computes the shared key: K = (YB)^XA mod q = (YA)^XB mod q.
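The exchange of Example 1 carried through in code (q = 23, α = 9, XA = 4, XB = 3), with the brute-force discrete-log search that the next paragraph says an attacker would need, and a check of the "α is a primitive root of q" precondition. This is an added example, not part of the notes.

```python
# Added example (not from the notes): Diffie-Hellman on the notes' toy
# parameters, plus the parameter check and the brute-force discrete log.

def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (small n only)."""
    out, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            out.add(p)
            n //= p
        p += 1
    if n > 1:
        out.add(n)
    return out


def is_primitive_root(q: int, alpha: int) -> bool:
    """alpha generates all of Z*_q iff alpha^((q-1)/r) != 1 for every prime r | q-1."""
    return all(pow(alpha, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def dh_public(q: int, alpha: int, x: int) -> int:
    """Y = alpha^X mod q, the value each user publishes."""
    return pow(alpha, x, q)


def dh_shared(q: int, their_public: int, x: int) -> int:
    """K = Y_other^X mod q, computed privately by each side."""
    return pow(their_public, x, q)


def dh_exchange(q: int, alpha: int, xa: int, xb: int):
    """Returns (YA, YB, KA, KB); KA == KB because (α^XB)^XA = (α^XA)^XB."""
    ya, yb = dh_public(q, alpha, xa), dh_public(q, alpha, xb)
    return ya, yb, dh_shared(q, yb, xa), dh_shared(q, ya, xb)


def discrete_log(q: int, alpha: int, y: int):
    """Smallest k with alpha^k ≡ y (mod q), by exhaustive search. The work is
    proportional to the group order, which is why q must be large."""
    for k in range(q - 1):
        if pow(alpha, k, q) == y:
            return k
    return None


if __name__ == "__main__":
    print(dh_exchange(23, 9, 4, 3))                          # (6, 16, 9, 9)
    print(discrete_log(23, 9, 6))                            # 4 = XA from public data
    print(is_primitive_root(23, 9), is_primitive_root(23, 5))   # False, True
```

The parameter check is worth running on the example itself: 9 = 3^2 is a square modulo 23, so it generates only the subgroup of order 11 rather than all of Z*23, and `is_primitive_root(23, 9)` reports that. The two sides still agree on K = 9, but a generator of small order shrinks the key space; in practice the group order of the generator is validated, and standardised groups are used rather than ad hoc ones.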
➢ To attack Diffie-Hellman, the attacker must determine k given a and a^k.
➢ For elliptic curve cryptography, an operation over elliptic curves, called addition, is
used. Multiplication is defined by repeated addition: for example, a × k is a added to
itself k times, where the addition is performed over an elliptic curve. The cryptanalysis
involves determining k given a and (a × k).
3.13.3 Elliptic Curves over Real Numbers
➢ Elliptic curves are not ellipses. They are so named because they are described by
cubic equations, similar to those used for calculating the circumference of an ellipse.
➢ In general, cubic equations for elliptic curves take the form
y^2 + axy + by = x^3 + cx^2 + dx + e
where a, b, c, d, and e are real numbers and x and y take on values in the real
numbers. For our purpose, it is sufficient to limit ourselves to equations of the form
y^2 = x^3 + ax + b
➢ Such equations are said to be cubic, or of degree 3, because the highest exponent they
contain is a 3. Also included in the definition of an elliptic curve is a single element
denoted O and called the point at infinity or the zero point, which we discuss
subsequently. To plot such a curve, we need to compute
➢ For given values of a and b, the plot consists of positive and negative values of y for
each value of x. Thus, each curve is symmetric about y = 0. Figure 3.15 shows two
examples of elliptic curves.
➢ The technology can be used in conjunction with most public key encryption methods,
such as RSA and Diffie-Hellman.
➢ ECC can achieve the same level of security with a 164-bit key that other systems
require a 1,024-bit key for. Because ECC helps to establish equivalent security with lower
computing power and battery resource usage, it is becoming widely used for mobile
applications. The use of elliptic curves in cryptography was suggested independently
by Neal Koblitz and Victor S. Miller in 1985 and elliptic curve cryptography
algorithms entered wide use around 2004.
➢ Multiplying a point on the curve by a number will produce another point on the curve,
but it is very difficult to find what number was used, even if you know the original
point and the result.
➢ The Equations based on elliptic curves have a characteristic that is very valuable for
cryptography purposes: they are relatively easy to perform, and extremely difficult to
reverse.
➢ Consider the group E23(9, 17). This is the group defined by the equation y^2 mod 23 =
(x^3 + 9x + 17) mod 23. What is the discrete logarithm k of Q = (4, 5) to the base P =
(16, 5)? The brute-force method is to compute multiples of P until Q is found. Thus,
P = (16, 5); 2P = (20, 20); 3P = (14, 14); 4P = (19, 20); 5P = (13, 10); 6P = (7, 3); 7P
= (8, 7); 8P = (12, 17); 9P = (4, 5).
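Point addition, doubling, scalar multiplication and the brute-force discrete log on E23(9, 17), reproducing the multiples of P listed above, as an added example that is not part of the notes. Points are (x, y) tuples and the point at infinity is `None`; inverses mod p use `pow(x, -1, p)` (Python 3.8+).

```python
# Added example (not from the notes): arithmetic on E_p(a, b): y^2 = x^3 + ax + b
# over GF(p), run on the notes' group E_23(9, 17).
A, B, P_MOD = 9, 17, 23
O = None                        # the point at infinity (group identity)


def on_curve(pt, a=A, b=B, p=P_MOD) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(P, Q, a=A, p=P_MOD):
    """Chord-and-tangent addition over GF(p); the tangent case is doubling."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                       # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k: int, P, a=A, p=P_MOD):
    """kP by double-and-add: O(log k) group operations (the easy direction)."""
    R, Q = O, P
    while k:
        if k & 1:
            R = ec_add(R, Q, a, p)
        Q = ec_add(Q, Q, a, p)
        k >>= 1
    return R


def multiples(P, count: int, a=A, p=P_MOD) -> list:
    """[P, 2P, ..., count*P] by repeated addition, as in the brute-force search."""
    out, R = [], O
    for _ in range(count):
        R = ec_add(R, P, a, p)
        out.append(R)
    return out


def ec_dlog(P, Q, a=A, p=P_MOD, limit: int = 1000):
    """Brute force: smallest k with kP == Q, or None. Work grows with the group
    order (the hard direction); real curves use p of about 256 bits."""
    for k, R in enumerate(multiples(P, limit, a, p), start=1):
        if R == Q:
            return k
    return None


if __name__ == "__main__":
    P, Q = (16, 5), (4, 5)
    print(on_curve(P), on_curve(Q))
    print(multiples(P, 9))                 # ... (12, 17), (4, 5)
    print(ec_dlog(P, Q), ec_mul(9, P))     # 9 (4, 5)
```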
Message Encryption
Symmetric Encryption
Symmetric encryption: confidentiality and authentication: A → B: E(K, M)
Figure 4.1 Symmetric encryption: confidentiality and authentication
Theory of operation
➢ When A has a message to send to B, it calculates the MAC as a function of the
message and the key:
MAC = C (K, M), where
M = input message
C = MAC function
K = shared secret key
MAC = Message Authentication Code
➢ The message plus MAC are transmitted to the intended recipient.
➢ The recipient performs the same calculation on the received message, using the
same secret key, to generate a new MAC.
➢ The received MAC is compared to the calculated MAC. If the received MAC matches the
calculated MAC, then:
• the receiver is assured that the message has not been altered;
• the receiver is assured that the message is from the alleged sender.
Basic Uses of Message Authentication Code (MAC)
(a) Message authentication: A → B: M || C(K, M)
Figure 4.5 Message Authentication
There are two major limitations of MAC, both due to its symmetric nature of operation −
o MAC technique does not provide a non-repudiation service. If the sender and
receiver get involved in a dispute over message origination, MACs cannot
provide a proof that a message was indeed sent by the sender.
o Though no third party can compute the MAC, still sender could deny having
sent the message and claim that the receiver forged it, as it is impossible to
determine which of the two parties computed the MAC.
Both these limitations can be overcome by using public-key based digital signatures.
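The A → B: M || C(K, M) exchange with HMAC-SHA256 as C, as an added example that is not part of the notes. The receiver recomputes the tag with the shared key and compares it in constant time; a single changed byte or a different key is rejected. The key and message are constructed values.

```python
# Added example (not from the notes): message authentication with a shared-key
# MAC, following M || C(K, M), using the standard library's hmac module.
import hashlib
import hmac

TAG_LEN = 32   # bytes: SHA-256 output


def mac(key: bytes, message: bytes) -> bytes:
    """C(K, M): HMAC-SHA256 of the message under the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> bytes:
    """A -> B: M || C(K, M)."""
    return message + mac(key, message)


def receive(key: bytes, packet: bytes):
    """B recomputes the MAC with the same key and compares it with the received
    tag. Returns the message if they match, else None. compare_digest avoids
    leaking, through timing, how many leading tag bytes were correct."""
    if len(packet) < TAG_LEN:
        return None
    message, received_tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(received_tag, mac(key, message)):
        return None
    return message


def flip_byte(packet: bytes, index: int) -> bytes:
    """Constructed in-transit corruption used only for the demonstration."""
    out = bytearray(packet)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    key = b"shared-secret-key-for-demo"             # constructed
    packet = send(key, b"transfer 100 to account 42")
    print(receive(key, packet))                       # the message
    print(receive(key, flip_byte(packet, 9)))        # None: '1' became '0'
    print(receive(b"other-key", packet))             # None: wrong key
```

Because `mac` is the same function for both parties, B could produce exactly the packet A sent; that symmetry is the non-repudiation limitation described above, and it is why a digital signature, where only the signer holds the signing key, is needed when origin must be provable to a third party.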
➢ Hash functions are extremely useful and appear in almost all information security
applications.
➢ A hash function is a mathematical function that converts a numerical input value into
another compressed numerical value. A hash function accepts a variable-size message
M as input and produces a fixed size output, referred to as a hash code H(M).
➢ A hash code does not use a key but is a function only of the input message.
• A hash function converts data of arbitrary length to a fixed length. This process
is often referred to as hashing the data.
• In general, the hash is much smaller than the input data, hence hash functions
are sometimes called compression functions.
➢ Efficiency of Operation
• Generally, for any hash function h with input x, computation of h(x) is a fast
operation.
There are two direct applications of hash function based on its cryptographic properties.
Password Storage
• Instead of storing passwords in the clear, almost all logon processes store the hash values
of passwords in the file.
• The password file consists of a table of pairs of the form (user id, h(P)).
• An intruder can only see the hashes of passwords, even if he accesses the password file.
He can neither log on using the hash nor derive the password from the hash value,
since the hash function possesses the property of pre-image resistance.
• Data integrity checking is the most common application of hash functions. It is used to
generate checksums on data files. This application provides assurance to the user
about the correctness of the data.
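The two applications above in code, as an added example that is not part of the notes. The password record carries a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from `hashlib`) rather than the bare h(P) of the text, so that equal passwords do not produce equal records and each guess costs the attacker real work; the integrity check compares a stored SHA-256 checksum against the data. All inputs are constructed.

```python
# Added example (not from the notes): salted password storage and a
# checksum-based integrity check, standard library only.
import hashlib
import hmac
import os

ITERATIONS = 600_000   # cost per guess; tune to the deployment's latency budget


def store_password(password: str, salt: bytes = None) -> dict:
    """The record kept in the password file: (salt, iterations, hash), never P.
    A fresh random salt per user defeats precomputed tables and makes equal
    passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def checksum(data: bytes) -> str:
    """SHA-256 of a file's contents, stored alongside or published separately."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_checksum: str) -> bool:
    """Detects any change to the data, provided the expected checksum itself
    came over a trusted path (otherwise an attacker replaces both)."""
    return hmac.compare_digest(checksum(data), expected_checksum)


if __name__ == "__main__":
    record = store_password("correct horse battery staple")   # constructed
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("password", record))                       # False
    data = b"allow_remote=false\n"                                   # constructed
    ref = checksum(data)
    print(integrity_ok(data, ref), integrity_ok(data.replace(b"false", b"true"), ref))
```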
4.5 Security of hash function and MAC
There are two types of attacks on hash functions and MACs.
1. Brute-force attacks
2. Cryptanalysis
Brute-force attacks
• A brute-force attack on a MAC has cost related to min(2^k, 2^n), similar to symmetric
encryption algorithms. As with encryption algorithms, cryptanalytic attacks on hash
functions and MAC algorithms seek to exploit some property of the algorithm to
perform some attack other than an exhaustive search.
• The strength of a hash function against brute-force attacks depends solely on the
length of the hash code produced by the algorithm.
• Suppose there are N possible hash values from a set of strings X, and suppose that the
output of a hash function is randomly distributed in this space. Take a subset of n
strings.
• How big does n have to be in order to have a probability >0.5 of some string in that
subset having a given hash value?
• The answer is: choosing n = N + 1 gives the certainty of finding at least one such
string. A more refined answer gives n ≈ (ln 2) × N (for large N).
• For a 128-bit hash function, you need to test 2^128 inputs (approximately 10^38) to get a
0.5 chance of pre-imaging the hash, that is to say, of hitting a given hash value.
• How big does n have to be in order to have a probability >0.5 of two strings in that set
having the same hash value?
• To put these numbers into perspective: 10^19 microseconds is about 317,000 years,
while 10^38 microseconds is about 10^24 years.
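The two brute-force questions above (find an input with a given hash value; find two inputs with the same hash value) run against SHA-256 truncated to 16 bits, as an added example that is not part of the notes. Truncation keeps both searches fast; the inputs are the constructed strings "msg-0", "msg-1", ... The point is the gap between them: with N = 2^16 values, a preimage takes on the order of N tries, a collision only about √N.

```python
# Added example (not from the notes): preimage vs. collision search on a
# deliberately tiny (16-bit) hash, to make the birthday gap visible.
import hashlib
from math import pi, sqrt


def short_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256 as an integer: a stand-in for a small hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_preimage(target: int, bits: int, limit: int):
    """Try constructed inputs until one hashes to the given value.
    Returns (tries, input) or None if the limit is exhausted."""
    for i in range(limit):
        m = f"msg-{i}".encode()
        if short_hash(m, bits) == target:
            return i + 1, m
    return None


def find_collision(bits: int, limit: int):
    """Try constructed inputs until any two share a hash value.
    Returns (tries, input1, input2) or None."""
    seen = {}
    for i in range(limit):
        m = f"msg-{i}".encode()
        h = short_hash(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
    return None


def expected_tries(bits: int):
    """(preimage, collision) expected work for an n-bit hash:
    about 2^n versus sqrt(pi/2 * 2^n)."""
    return 2 ** bits, sqrt(pi / 2 * 2 ** bits)


if __name__ == "__main__":
    print(expected_tries(16))                                  # (65536, ~320.8)
    print(find_collision(16, 5000)[0], "tries to a collision")
    print(find_preimage(0x1234, 16, 1 << 20)[0], "tries to a preimage of 0x1234")
```

The same asymmetry is why the birthday question is answered with hash lengths of 2n bits for n bits of collision resistance: a 128-bit hash offers about 2^64 work against collisions, which is within reach, while a 256-bit hash keeps both searches out of reach.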
Cryptanalysis
• Cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some
property of the algorithm to perform some attack other than an exhaustive search.
➢ The Secure Hash Algorithm (SHA) was developed in 1993 by the National Institute of
Standards and Technology (NIST) and the National Security Agency (NSA).
➢ It was designed as the algorithm to be used for secure hashing in the US Digital
Signature Standard.
➢ Hashing function is one of the most commonly used encryption methods. A hash is a
special mathematical function that performs one-way encryption.
• SHA-1
• SHA-224
• SHA-256
• SHA-384
• SHA-512
➢ SHA-1 generates a 160-bit message digest, whereas MD5 generates a message digest of
128 bits.
➢ Divide the original input message into a number of 512-bit blocks, M0, M1, …, Mj.
Step 4: Initialize the Chaining variable (Buffer Initiation)
• A 512-bit buffer is used to hold intermediate and final results of the hash function.
• Initialize the message digest (MD), i.e. the five 32-bit words (buffer) A, B, C, D,
E, to
o A = 01 23 45 67
o B = 89 AB CD EF
o C = FE DC BA 98
o D = 76 54 32 10
o E = C3 D2 E1 F0
Step 5: Process blocks
Step 5.1: Copy the chaining variables A-E into the working variables a-e.
Step 5.2: Divide the current 512-bit block into 16 sub-blocks of 32 bits.
• For the first 16 words of W (i.e. t = 0 to 15), the contents of input message sub-block M[t] become the contents of W[t].
SHA-512
➢ The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest. The input is processed in 1024-bit blocks. Figure 4.17 depicts the overall processing of a message to produce a digest.
Figure 4.17 SHA-512 Structure
➢ The message is padded so that its length is congruent to 896 modulo 1024. Padding is always added, even if the message is already of the desired length, so the number of padding bits is in the range 1 to 1024. The padding consists of a single 1 bit followed by the necessary number of 0 bits.
➢ A block of 128 bits is appended to the message. This block is treated as an unsigned 128-bit integer that contains the length of the original message.
➢ The outcome of the first two steps is a message that is an integer multiple of 1024 bits in length. In Figure 4.12, the expanded message is represented as the sequence of 1024-bit blocks M1, M2, …, MN, so that the total length of the expanded message is N * 1024 bits.
➢ A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). These registers are initialized to the following 64-bit integers (hexadecimal values).
➢ These values are stored in big-endian format, in which the most significant byte of a word is in the low-address byte position.
➢ Each round t makes use of a 64-bit value W_t. The output of the last round is added to the input to the first round (H_{i-1}) to produce H_i. Fig. 4.18 shows the processing of a single 1024-bit block.
Step 5: Output
➢ After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
T1 = h + Ch(e, f, g) + Σ1(e) + W_t + K_t
T2 = Σ0(a) + Maj(a, b, c)
a = T1 + T2
b = a
c = b
d = c
e = d + T1
f = e
g = f
h = g
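To make the SHA-1 steps above and the block-processing structure described for SHA-512 concrete, here is an added Python implementation of SHA-1 (written for these notes, not taken from them or from any library): padding (the 512-bit analogue of the 896-mod-1024 rule given for SHA-512), splitting into blocks, initialising the chaining variables, building the schedule W[t] from the sub-blocks, 80 rounds, and adding the last round's output to the block's input; the result is cross-checked against hashlib.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(message: bytes) -> bytes:
    """Steps 1-2 (512-bit analogue of the rule given for SHA-512): append a single
    1 bit, then 0 bits until the length is 448 mod 512, then the original length
    in bits as a 64-bit big-endian integer."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def sha1_compress(chain: tuple, block: bytes) -> tuple:
    """Step 5: process one 512-bit block and return the new chaining variables."""
    # Step 5.2: the 16 32-bit sub-blocks M[t] become W[0..15] ...
    w = list(struct.unpack(">16I", block))
    # ... and are expanded to W[16..79] by the SHA-1 message schedule.
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    # Step 5.1: copy the chaining variables A-E into the working variables a-e.
    a, b, c, d, e = chain
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    # The output of the last round is added to the input of the first round.
    return tuple((x + y) & MASK32 for x, y in zip(chain, (a, b, c, d, e)))


def sha1_hex(message: bytes) -> str:
    """Pad, split into 512-bit blocks M0, M1, ..., and chain the compressions."""
    # Step 4: the five 32-bit words A..E listed above, as big-endian integers.
    chain = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    padded = sha1_pad(message)
    for i in range(0, len(padded), 64):
        chain = sha1_compress(chain, padded[i:i + 64])
    return "".join(f"{word:08x}" for word in chain)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library's SHA-1."""
    return sha1_hex(message) == hashlib.sha1(message).hexdigest()
```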
➢ A digital signature is a cryptographic value that is calculated from the data and a secret key known only to the signer.
➢ The signature is formed by taking the hash of the message and encrypting that hash with the creator's private key.
➢ Signatures guarantee that the original content of the message or document that has been sent is unchanged.
Requirements of DS
➢ The signature must be a bit pattern that depends on the message being signed.
➢ Bob can sign a message using a digital signature algorithm. The inputs to the
algorithm are the message and Bob’s private key. Any other user, say Alice, can
verify the signature using a verification algorithm, whose inputs are the message, the
signature and Bob’s public key.
➢ The sender generates a hash code, which acts as the signature, encrypts it with the sender's private key and sends it to the receiver.
➢ The receiver generates a hash code from the message and compares it with the sender's hash code.
➢ Here, the received hash code is decrypted with the sender's public key.
Arbitrated Digital Signatures
➢ The arbitrated digital signature involves three parties: the sender, the receiver and an arbiter, who acts as the medium for sending and receiving messages between them. The messages are less prone to corruption because a timestamp is included by default.
Drawback
A can read the message from X to Y, like an eavesdropper.
2) Conventional encryption, arbiter does not see the message
➢ It is also used to convince parties of each other's identity and to exchange session keys. Authentication may be one-way or mutual.
2. Repetition that can be logged: replay of a time-stamped message within its valid time window.
3. Repetition that cannot be detected: the original message is suppressed and does not arrive at its destination, so only the replayed message arrives.
Countermeasures include
One-Way Authentication
➢ It is required when the sender and receiver are not in communication at the same time (e.g. e-mail).
Password based authentication
1. Password vulnerability
➢ Longer passwords
2. Encrypted passwords
➢ Instead of storing the names and passwords in plaintext form, they are encrypted and stored in ciphertext form in the table.
3. One-time passwords
1. User education
➢ A digital certificate is an electronic form that contains identification data, a public key, and the digital signature of a certification authority, derived from that certification authority's private key.
➢ When a user signs on to the server, he provides his digital certificate, which has the public key and the signature of the certification authority.
➢ The server then confirms the validity of the digital signature and whether the certificate has been issued by a trusted certificate authority. The server then authenticates the user with public-key cryptography to confirm the user is in possession of the private key associated with the certificate. Fig. 4.23 shows certificate-based authentication.
• Step 5: When B receives EA,pr(R), he decrypts it with A's public key and compares it with the nonce transmitted in message 2.
• Step 6: If they match, he concludes that A has used the private key corresponding to the public key in his certificate.
Mutual Authentication
Two techniques
1. Based on a shared secret key
2. Using public key cryptography
Based on a shared secret key
➢ In this authentication approach, a secret key is shared by both parties, the source and the destination.
➢ The scheme is also known as a "challenge-response protocol".
➢ Let KA,B be the shared secret key between Alice and Bob.
➢ When Bob receives this message, Bob sends Alice back a message containing Alice's random number RA, his own random number RB and a proposed session key, Ks.
➢ After examining message 2, Alice finds her random number RA and knows that message 2 can only be from Bob. Alice then agrees to the session by sending a message back to Bob.
➢ When Bob reads RB encrypted with the session key that he generated, Bob knows that Alice got message 2 and verified RA.
➢ The hash code is provided as input to a signature function along with a random number k generated for this particular signature.
➢ The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals, which together constitute a global public key (PUG).
➢ The output of the verification function is a value that is equal to the signature component r if the signature is valid.
Fig: 4.25 DSS Approach
➢ There are three parameters that are public and can be common to a group of users.
➢ A 160-bit prime number q is chosen.
➢ Then a prime number p is selected with a length between 512 and 1024 bits such that q divides (p-1).
➢ Choose g = h^((p-1)/q) mod p, where 1 < h < p-1 and h^((p-1)/q) mod p > 1.
Private key
• Choose a random private key x where x < q.
Public key
• Compute the public key y = g^x mod p.
➢ To create a signature, a user calculates two quantities, r and s, that are functions of the public key components (p, q, g), the user's private key (x), the hash code of the message, H(M), and an additional integer k that should be generated randomly or pseudorandomly and be unique for each signing.
Signature Verification
➢ After receiving M and the signature (r, s), the recipient verifies the signature by computing:
w = s^-1 mod q
u1 = [H(M) w] mod q
u2 = (r w) mod q
v = [(g^u1 y^u2) mod p] mod q
➢ If v = r then the signature is verified. Figure 4.27 shows DSS signing and verifying.
Figure 4.27 DSS: (a) Signing (b) Verifying
➢ Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to verify the identity of the claimant is called the verifier.
Verification Categories
➢ In entity authentication, the claimant must identify herself to the verifier. This can be done with one of three kinds of witnesses.
• Something known
o This is a secret known only by the claimant that can be checked by the verifier. Examples are a password, a PIN, a secret key, and a private key.
• Something possessed
o This is something that can prove the claimant's identity. Examples are a passport, a driver's license, a credit card, etc.
• Something inherent
o This is an inherent characteristic of the claimant. Examples are conventional signatures, fingerprints, voice and handwriting.
4.11 Passwords
➢ A fixed password is a password that is used over and over again for every access.
First Approach
➢ The system keeps a table (a file) that is sorted by user identification. To access the
system resources, the user sends their identification and password, in plaintext, to the
system. The system uses the identification to find the password in the table. If the
password sent by the user matches the password in the table, access is granted;
otherwise, it is denied. Fig. 4.28 shows this approach.
Figure 4.28 First Approach in Fixed password
Attacks on the First Approach
• Eavesdropping
• Stealing a password
• Accessing a password file
• Guessing
Second Approach
➢ A more secure approach is to store the hash of the password (instead of the plaintext password) in the password file. Any user can read the contents of the file, but since the hash function is a one-way function, it is almost impossible to recover the password from it. Figure 4.29 shows this approach: when the password is created, the system hashes it and stores the hash in the password file.
➢ Dictionary Attack
Third Approach
➢ The third approach is called salting the password. When the password string is created, a random string, called the salt, is concatenated to the password. The salted password is then hashed. The ID, the salt and the hash are then stored in the file. When a user asks for access, the system extracts the salt, concatenates it with the received password, hashes the result and compares it with the hash stored in the file. If there is a match, access is granted; otherwise it is denied.
➢ Figure 4.30 shows this approach.
➢ Salting makes the dictionary attack more difficult. If the original password is 6 digits and the salt is 4 digits, then hashing is done over a 10-digit value. To attack this, the attacker needs to make 10 million items and create a hash for each of them.
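As an added example (not from the original notes) contrasting the second and third approaches, the Python below stores and verifies passwords both ways and shows why the salt defeats a precomputed dictionary: it assumes SHA-256 as the hash, a constructed set of 3-digit passwords as the dictionary, and the same password "042" chosen by two users.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def unsalted_entry(password: str) -> str:
    """Second approach: the password file holds only H(password)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_entry(password: str, salt: bytes = b"") -> Tuple[str, str]:
    """Third approach: pick a random salt, hash salt || password, store (salt, hash)."""
    if not salt:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, stored_salt_hex: str, stored_hash: str) -> bool:
    """Extract the salt, concatenate it with the received password, hash, compare."""
    salt = bytes.fromhex(stored_salt_hex)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)   # constant-time comparison


def precomputed_table(candidates) -> Dict[str, str]:
    """Dictionary of H(candidate) -> candidate, built once and reusable against every
    unsalted entry; with salts, each entry would need its own table."""
    return {unsalted_entry(c): c for c in candidates}


def demo() -> dict:
    pins = [f"{i:03d}" for i in range(1000)]        # constructed 3-digit passwords
    table = precomputed_table(pins)
    alice_plain, bob_plain = unsalted_entry("042"), unsalted_entry("042")
    alice_salt, alice_hash = salted_entry("042")
    bob_salt, bob_hash = salted_entry("042")
    return {
        "unsalted_hashes_equal": alice_plain == bob_plain,   # same password, same hash
        "salted_hashes_equal": alice_hash == bob_hash,       # different salts, different hashes
        "unsalted_table_hit": table.get(alice_plain),        # recovered from the table
        "salted_table_hit": table.get(alice_hash),           # no hit without the salt
        "verify_correct": verify_salted("042", alice_salt, alice_hash),
        "verify_wrong": verify_salted("043", alice_salt, alice_hash),
    }
```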
Fourth Approach
First Approach
➢ In this approach, the verifier sends a nonce, a random number used only once, to challenge the claimant.
➢ A nonce must be time-varying; every time it is created, it is different. The claimant responds to the challenge using the secret key shared between the claimant and the verifier. Figure 4.32 shows this first approach.
➢ The first message is not part of the challenge-response; it only informs the verifier that the claimant wants to be challenged.
➢ The second message is the challenge; RB is the nonce randomly chosen by the verifier (Bob) to challenge the claimant.
➢ The claimant encrypts the nonce using the shared secret key known only to the claimant and the verifier and sends the result to the verifier.
➢ The verifier decrypts the message. If the nonce obtained from decryption is the same as the one sent by the verifier, Alice is granted access.
Second Approach
➢ In this approach, the time-varying value is a timestamp, which obviously changes with time. The challenge message is the current time sent from the verifier to the claimant.
➢ The claimant knows the current time, so the first and second messages can be combined.
➢ The result is that authentication can be done using one message. Figure 4.33 shows this approach.
Third Approach
➢ The first and second approaches are for unidirectional authentication. Alice is authenticated to Bob, but not the other way round.
➢ If Alice also needs to be sure about Bob's identity, bidirectional authentication is needed. Figure 4.34 shows the third approach.
➢ The second message, RB, is the challenge from Bob to Alice. In the third message, Alice responds to Bob's challenge and at the same time sends her challenge RA to Bob. The fourth message is Bob's response.
➢ In the fourth message the order of RA and RB is switched to prevent a replay attack.
Figure 4.34 Third Approach using Symmetric Key Cipher
➢ Here, the timestamp is sent both as plaintext and as text scrambled by the keyed-hash
function.
➢ When Bob receives the message, he takes the plaintext T, applies the keyed-hash
function and then compares his calculation with what he received to determine the
authenticity of Alice.
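The exchanges described above, as an added Python example that is not part of the original notes: the bidirectional nonce protocol (third approach), including the switched RA/RB order in Bob's reply, and the one-message timestamp variant with the keyed hash. It assumes HMAC-SHA256 as the keyed function in place of the symmetric cipher E(KAB, ...) drawn in the figures, a constructed shared key, and a 30-second acceptance window for timestamps.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed shared secret KAB between Alice (claimant) and Bob (verifier).
SHARED_KEY = b"constructed-shared-secret-KAB"


def keyed_hash(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts; stands in for E(KAB, ...) in the figures."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# Third approach: bidirectional challenge-response with nonces RB and RA.
def bob_challenge() -> bytes:
    """Message 2: Bob's nonce RB, fresh every run."""
    return secrets.token_bytes(16)


def alice_response(key: bytes, rb: bytes) -> Tuple[bytes, bytes]:
    """Message 3: Alice's own challenge RA and her keyed response over RB then RA."""
    ra = secrets.token_bytes(16)
    return ra, keyed_hash(key, rb, ra)


def bob_verify_and_respond(key: bytes, rb: bytes, ra: bytes, tag3: bytes) -> Optional[bytes]:
    """Message 4: Bob checks message 3, then answers over RA and RB in the switched order."""
    if not hmac.compare_digest(tag3, keyed_hash(key, rb, ra)):
        return None
    return keyed_hash(key, ra, rb)


def alice_verify(key: bytes, ra: bytes, rb: bytes, tag4: bytes) -> bool:
    return hmac.compare_digest(tag4, keyed_hash(key, ra, rb))


def run_bidirectional(key: bytes = SHARED_KEY) -> dict:
    rb = bob_challenge()
    ra, tag3 = alice_response(key, rb)
    tag4 = bob_verify_and_respond(key, rb, ra, tag3)
    return {
        "bob_accepts_alice": tag4 is not None,
        "alice_accepts_bob": tag4 is not None and alice_verify(key, ra, rb, tag4),
        # Without the switched order, message 4 would equal the tag Alice just sent,
        # so simply echoing message 3 back would pass as Bob's answer.
        "reply_differs_from_echo": tag4 != tag3,
    }


# Timestamp variant: T in plaintext plus the keyed hash of T, in a single message.
def alice_timestamp_message(key: bytes, now: int) -> Tuple[int, bytes]:
    return now, keyed_hash(key, now.to_bytes(8, "big"))


def bob_check_timestamp(key: bytes, t: int, tag: bytes, now: int, seen: set,
                        window: int = 30) -> bool:
    """Recompute the keyed hash of T; accept only if it matches, T is within
    `window` seconds of Bob's clock, and this T has not been accepted before."""
    if not hmac.compare_digest(tag, keyed_hash(key, t.to_bytes(8, "big"))):
        return False
    if abs(now - t) > window or t in seen:
        return False
    seen.add(t)
    return True


def run_timestamp(key: bytes = SHARED_KEY) -> dict:
    seen = set()
    now = int(time.time())
    t, tag = alice_timestamp_message(key, now)
    return {
        "fresh_accepted": bob_check_timestamp(key, t, tag, now + 1, seen),
        "replay_rejected": not bob_check_timestamp(key, t, tag, now + 2, seen),
        "stale_rejected": not bob_check_timestamp(key, t, tag, now + 3600, set()),
    }
```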
Using an Asymmetric-Key Cipher
➢ In this scheme, the verifier encrypts the challenge with the public key of the claimant. The claimant then decrypts the challenge with her private key.
First Approach
➢ It is the unidirectional approach. Bob encrypts the challenge using Alice's public key.
➢ Alice decrypts the message with her private key and sends the nonce to Bob. Figure 4.36 shows this approach.
Second Approach
➢ It is the bidirectional approach. In this approach, two public keys are used, one in each direction.
➢ Alice sends her identity and nonce encrypted with Bob's public key. Bob responds with his nonce encrypted with Alice's public key.
➢ Finally, Alice responds with Bob's decrypted nonce. Figure 4.37 shows this approach.
Figure 4.37 Second Approach using Asymmetric Key Cipher
First approach
➢ In this first approach, Bob uses a plaintext challenge and Alice signs the response.
Figure 4.38 shows this approach.
4.13 Biometrics
➢ Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent).
➢ It measures features that cannot be guessed, stolen or shared.
➢ Figure 4.40 shows the classification of biometrics.
Components
➢ Several components are needed for biometrics, including capturing devices, processors and storage devices.
➢ Capturing devices such as readers or sensors measure biometric features. Processors change the measured features into the type of data appropriate for saving.
➢ Storage devices save the result of processing for authentication.
Enrollment
➢ The corresponding feature of each person in the community is supposed to be in the database before any biometric technique is used for authentication. This is referred to as enrollment.
Authentication
Verification
Identification
➢ A person's feature is matched against all records in the database to find out whether she/he has a record in the database.
Techniques
o Physiological
o Behavioral
➢ This technique measures the physical traits of the human body for verification and identification. The trait should be unique among all, and the feature should not change due to aging, surgery, illness, disease and so on. There are several physiological techniques.
Finger Print
➢ Fingerprints have been used for a long time. They show a high level of accuracy and support verification and identification. A fingerprint can be altered by aging, injury or disease.
Figure 4.40 Classification of Biometrics
Iris
➢ It measures the pattern within the iris, which is unique for each person. Iris patterns are very accurate and stable over a person's life. The technique supports verification and identification.
Retina
➢ The devices for this purpose examine the blood vessels in the back of the eyes. These devices are expensive and not yet common.
Face
➢ This technique analyses the geometry of the face based on the distance between facial features such as the nose, mouth and eyes. It supports verification and identification.
Hands
➢ This technique measures the dimensions of the hands, including the shape and length of the fingers. It is suitable for verification and identification.
Voice
➢ It measures pitch, cadence and tone in the voice. It can be used locally or remotely. This method is used for verification.
DNA
➢ DNA is the chemical found in the nucleus of all cells of humans and most other organisms. The pattern is persistent throughout life and even after death. It is extremely accurate and can be used for verification and identification. The only problem is that identical twins may share the same DNA.
Signature
➢ Biometric approaches use signature tablets and special pens to identify the person. Signatures are mostly used for verification.
Keystroke
Keystroke
• Kerberos
• X.509
4.15 Kerberos
➢ It is a network authentication protocol designed to allow users, clients and servers to authenticate themselves to each other through a trusted third party.
➢ This mutual authentication is done using secret-key cryptography, with the parties proving their identity to each other across an insecure network.
➢ Communication between the client and server can be secured after the client and server have used Kerberos to prove their identity.
Kerberos Requirements
➢ Reliability: Kerberos is highly reliable, employing a distributed server architecture in which one server is able to back up another.
Kerberos Version 4
Kerberos Overview
➢ Kerberos Version 4 makes use of DES to provide the authentication service. Figure 4.41 shows an overview of Kerberos.
➢ For a secure transaction, the server should confirm the client and its request. In an unprotected network this creates a burden on the server; therefore an authentication server (AS) is used.
➢ The new service, the TGS, issues tickets to users who have been authenticated to the AS. Thus, the user first requests a ticket-granting ticket (Ticket_tgs) from the AS. The client module in the user workstation saves this ticket. Each time the user requires access to a new service, the client applies to the TGS, using the ticket to authenticate itself.
➢ The TGS then grants a ticket for the particular service. The client saves each service-
granting ticket and uses it to authenticate its user to a server each time a particular
service is requested. The client requests a ticket-granting ticket on behalf of the user
by sending its user's ID and password to the AS, together with the TGS ID, indicating
a request to use the TGS service.
➢ The AS responds with a ticket that is encrypted with a key that is derived from the
user's password. When this response arrives at the client, the client prompts the user
for his or her password, generates the key, and attempts to decrypt the incoming
message. If the correct password is supplied, the ticket is successfully recovered.
➢ The ticket itself consists of the ID and network address of the user, and the ID of the
TGS.
➢ A Kerberos realm is a set of managed nodes that share the same Kerberos database.
The Kerberos database resides on the Kerberos master computer system, which
should be kept in a physically secure room.
➢ A read-only copy of the Kerberos database might also reside on other Kerberos
computer systems. However, all changes to the database must be made on the master
computer system.
➢ Changing or accessing the contents of a Kerberos database requires the Kerberos
master password.
➢ A Kerberos principal is a service or user that is known to the Kerberos system. Each
Kerberos principal is identified by its principal name. Principal names consist of three
parts: a service or user name, an instance name, and a realm name.
Fig. 4.42 Request for service in another realm
Kerberos Version 5
Kerberos Version 5 is specified in RFC 1510 and provides a number of improvements over
version 4.
1. Encryption system dependence: Version 4 requires the use of DES. Export restriction on
DES as well as doubts about the strength of DES were thus of concern. In version 5,
ciphertext is tagged with an encryption type identifier so that any encryption technique may
be used. Encryption keys are tagged with a type and a length, allowing the same key to be
used in different algorithms and allowing the specification of different variations on a given
algorithm.
2. Internet protocol dependence: Version 4 requires the use of Internet Protocol (IP)
addresses. Other address types, such as the ISO network address, are not accommodated.
Version 5 network addresses are tagged with type and length, allowing any network address
type to be used.
3. Message byte ordering: In version 4, the sender of a message employs a byte ordering of
its own choosing and tags the message to indicate least significant byte in lowest address or
most significant byte in lowest address. This technique works but does not follow established
conventions. In version 5, all message structures are defined using Abstract Syntax Notation
One (ASN.1) and Basic Encoding Rules (BER), which provide an unambiguous byte
ordering.
4. Ticket lifetime: Lifetime values in version 4 are encoded in an 8-bit quantity in units of five minutes. Thus, the maximum lifetime that can be expressed is 2^8 x 5 = 1280 minutes, or a little over 21 hours. This may be inadequate for some applications (e.g., a long-running simulation that requires valid Kerberos credentials throughout execution). In version 5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.
5. Authentication forwarding: Version 4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client. This capability would enable a client to access a server and have that server access another server on behalf of the client.
6. Interrealm authentication: In version 4, interoperability among N realms requires on the order of N^2 Kerberos-to-Kerberos relationships, as described earlier. Version 5 supports a method that requires fewer relationships, as described shortly.
Technical Deficiencies
1. Double encryption: The tickets provided to clients are encrypted twice, once with the
secret key of the target server and then again with a secret key known to the client. The
second encryption is not necessary and is computationally wasteful.
2. PCBC encryption: Encryption in version 4 makes use of a nonstandard mode of DES
known as propagating cipher block chaining (PCBC). It has been demonstrated that this mode
is vulnerable to an attack involving the interchange of ciphertext blocks. Version 5 provides
explicit integrity mechanisms, allowing the standard CBC mode to be used for encryption.
3. Session keys: Each ticket includes a session key that is used by the client to encrypt the
authenticator sent to the service associated with that ticket. In addition, the session key may
subsequently be used by the client and the server to protect messages passed during that
session. However, because the same ticket may be used repeatedly to gain service from a
particular server, there is the risk that an opponent will replay messages from an old session
to the client or the server. In version 5, it is possible for a client and server to negotiate a sub-
session key, which is to be used only for that one connection.
4. Password attacks: Both versions are vulnerable to a password attack.
Certificates
➢ The heart of the X.509 scheme is the public-key certificate associated with each user.
These user certificates are assumed to be created by some trusted certification
authority (CA) and placed in the directory by the CA or by the user.
➢ The directory server itself is not responsible for the creation of public keys or for the certification function. Figure 4.43 illustrates the generation of public-key certificates.
Fig. 4.44 X.509 Formats
➢ Version: Differentiates among successive versions (1, 2, and 3) of the certificate
format.
➢ Serial number: An integer value unique within the issuing CA.
➢ Signature algorithm identifier: The algorithm used to sign the certificate together
with any associated parameters.
➢ Issuer name: the name of the CA that created and signed this certificate.
➢ Period of validity: Consists of two dates: the first and last on which the certificate is
valid.
➢ Subject name: The name of the user to whom this certificate refers.
➢ Subject’s public-key information: The public key of the subject, plus an identifier
of the algorithm for which this key is to be used, together with any associated
parameters.
➢ Issuer unique identifier: (optional) used to identify uniquely the issuing CA.
➢ Subject unique identifier: (optional) used to identify uniquely the subject.
➢ Extensions: A set of one or more extension fields.
➢ Signature: it contains the hash code of the other fields encrypted with the CA’s
private key. This field includes the signature algorithm identifier.
The standard uses the following notation to define a certificate: CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}
where Y<<X>> = the certificate of user X issued by certification authority Y, and
Y{I} = the signing of I by Y. It consists of I with an encrypted hash code appended.