Unit 4
SECURITY
UNIT-4: PRIVATE KEY ENCRYPTION SCHEMES, PUBLIC KEY ENCRYPTION SCHEMES, BLOCK CIPHERS
Public Key Cryptography
Unlike symmetric-key cryptography, public-key cryptography has no long history of use: it dates from the 1970s and is a relatively new concept.
Symmetric cryptography was well suited to organizations such as governments, the military and large financial corporations that were involved in classified communication, since they could afford to exchange keys in advance through trusted channels.
With the spread of insecure computer networks in the last few decades, a genuine need arose to use cryptography on a much larger scale. Symmetric-key schemes alone were found to be impractical because of the key management challenges they face (every pair of parties needs its own shared secret, as counted below). This gave rise to public-key cryptosystems.
The process of encryption and decryption is depicted in the following illustration.
The most important properties of a public-key encryption scheme are:
Different keys are used for encryption and decryption. This is the property that sets the scheme apart from symmetric encryption.
Each receiver possesses a unique decryption key, generally referred to as his private key.
The receiver publishes an encryption key, referred to as his public key.
Some assurance of the authenticity of a public key is needed, or an adversary could substitute his own public key and impersonate the receiver. Generally this type of cryptosystem involves a trusted third party (a certification authority) which certifies that a particular public key belongs to a specific person or entity only.
The encryption algorithm must make it computationally infeasible for an attacker to deduce the plaintext from the ciphertext and the encryption (public) key.
Though the private and public keys are related mathematically, it must not be feasible to compute the private key from the public key. In fact, the intelligent part of any public-key cryptosystem lies in designing the relationship between the two keys so that it is easy to use in one direction and hard to invert.
Symmetric vs. Asymmetric Systems
Recall that there are two basic types of encryption:
symmetric algorithms: (also called “secret key”) use the same key for both encryption and
decryption.
asymmetric algorithms: (also called “public key”) use different keys for encryption and
decryption.
For any encryption approach, there are two major challenges:
Key distribution: how do we convey keys to those who need them to establish secure communication?
Key management: given a large number of keys, how do we preserve their secrecy and make them available as needed?
Asymmetric Encryption Primer
In asymmetric or public-key encryption, different keys are used for encryption and decryption.
Each subject $S$ has a publicly disclosed key $K_S$ ("$S$'s public key") that anyone can use to encrypt, and a privately held key $K_S^{-1}$ ("$S$'s private key").
The relationship is: $M = \{\{M\}_{K_S}\}_{K_S^{-1}}$, where $\{M\}_K$ denotes the encryption of $M$ under key $K$.
Anyone wishing to send a message $M$ confidentially to $S$ sends $\{M\}_{K_S}$. Only the holder of $K_S^{-1}$ can decrypt this message.
How Many Keys: Symmetric Encryption
Given a symmetric system with n users, how many keys are needed for pairwise secure communication?
Each time a new user is added to the system, it needs to share a new key with each previous user.
Thus, for n users, we have
$1 + 2 + \dots + (n-1) = n(n-1)/2$ keys.
This is $O(n^2)$ keys.
How Many Keys: Asymmetric Encryption
Given an asymmetric system of n users, how many keys are needed for pairwise secure communication?
Each time a new user is added to the system, it needs only one public key and one private key.
Thus, for n users, we have $2n$ keys, which is $O(n)$.
Depending on the algorithm, each user may need separate pairs for confidentiality and signing, i.e., $4n$ keys, which is still $O(n)$.
Characteristics of Keys
Typically, in a symmetric encryption system keys are:
1. randomly generated k-bit strings,
2. simple to generate, and
3. without any special properties.
In a public-key system, keys:
1. have special structure (e.g., RSA keys are built from large primes), and
2. are expensive to generate.
Key sizes are not comparable between the two approaches. A 128-bit symmetric key is considered roughly equivalent in strength to a 3072-bit RSA public key (the NIST equivalence; a 256-bit symmetric key corresponds to a 15360-bit RSA key).
Lessons
Using symmetric encryption, security requires that each pair of users share a secret key.
In an asymmetric system, each user has a public/private key pair.
Keys in the two approaches have very different characteristics and are not directly comparable.
BLOCK CIPHER
The basic scheme of a block cipher is depicted as follows.
A block cipher takes a block of plaintext bits and generates a block of ciphertext bits, generally of the same size. The block size is fixed for a given scheme. The key length determines how hard the cipher is to break by exhaustive key search, but the block size matters too: with an n-bit block, once about 2^(n/2) blocks have been encrypted under one key, the modes of operation discussed later begin to leak information (the birthday bound), which is why 64-bit block ciphers are now avoided for bulk data.
Block Size. Though in principle any block size is acceptable, the following aspects are borne in mind when selecting one.
Avoid very small block sizes. Say the block size is m bits. Then there are 2^m possible plaintext blocks. If the attacker discovers the plaintext blocks corresponding to some previously sent ciphertext blocks, he can build a dictionary of plaintext/ciphertext pairs for that key and launch a 'dictionary attack'. A larger block size makes this harder, as the dictionary needs to be larger.
Do not have a very large block size. With a very large block size the cipher becomes inefficient to operate, and short plaintexts must be padded up to the block size before being encrypted, wasting bandwidth.
Multiples of 8 bits. A preferred block size is a multiple of 8, as this is easy to implement: most computer processors handle data in multiples of 8 bits.
Padding in Block Ciphers. Block ciphers process blocks of a fixed size, say 64 bits. The length of a plaintext is mostly not a multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each, with a third block containing the remaining 22 bits. The last block needs to be padded with redundant information so that its length equals the block size of the scheme. In our example, the remaining 22 bits need 42 redundant bits added to make a complete block.
The process of adding bits to the last block is referred to as padding. Too much padding makes the system inefficient. Padding must also be removable unambiguously by the receiver (if the plaintext could itself end in the padding pattern, the receiver cannot tell where the data stops), and padding can render the system insecure: predictable padding bytes hand an attacker known plaintext, and a receiver that reveals whether the padding was valid can be turned into a padding oracle that decrypts ciphertexts block by block.
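As an added example (not from the original slides), the following Python implements PKCS#7 padding, the byte-oriented analogue of the bit-level scheme described above: with 8-byte (64-bit) blocks, a 19-byte message becomes two full blocks plus 3 bytes, and 5 padding bytes of value 5 complete the last block. A message that already fills its last block receives a whole extra block of padding, which is what makes removal unambiguous. The function names and the default block size are this example's own choices.

```python
def pkcs7_pad(data: bytes, block_size: int = 8) -> bytes:
    """Append n bytes of value n, with 1 <= n <= block_size (PKCS#7).

    A message whose length is already a multiple of the block size gets a
    whole extra block of padding, so the receiver can always tell padding
    from data: the last byte always says how many bytes to remove.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block_size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int = 8) -> bytes:
    """Strip PKCS#7 padding, verifying every padding byte, not just the count."""
    if not padded or len(padded) % block_size:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        # A real receiver must not report this failure distinguishably from
        # other decryption failures: a visible "bad padding" signal is a
        # padding oracle that lets an attacker decrypt ciphertext block by block.
        raise ValueError("invalid padding")
    return padded[:-n]


def is_valid_pkcs7(padded: bytes, block_size: int = 8) -> bool:
    """True if `padded` carries well-formed PKCS#7 padding for `block_size`."""
    try:
        pkcs7_unpad(padded, block_size)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    msg = b"A" * 19  # constructed 19-byte message: 2 full 8-byte blocks + 3 bytes
    padded = pkcs7_pad(msg)
    print(len(msg), "->", len(padded), "bytes; padding =", padded[19:])
    print("round trip ok:", pkcs7_unpad(padded) == msg)
    print("full block gets a whole padding block:", pkcs7_pad(b"A" * 16)[16:])
```

The overhead is between 1 and block_size bytes per message, which is why the slide warns that too much padding (very large blocks, very short messages) is wasteful. Modern protocols avoid the padding-oracle problem by authenticating the ciphertext before any padding check is made.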
Block Cipher Schemes. A vast number of block cipher schemes are in use, and many of them are publicly known. The most popular and prominent block ciphers are listed below.
Data Encryption Standard (DES): the dominant block cipher from its standardization in 1977 through the 1990s, with a 64-bit block and a 56-bit key. It is now considered a 'broken' block cipher, primarily because its 56-bit key can be recovered by exhaustive search.
Triple DES (3DES): a variant scheme based on three DES applications, giving a 112- or 168-bit key while keeping the 64-bit block. It was respected for a long time, but it is inefficient compared to newer block ciphers, its 64-bit block exposes it to the birthday-bound attacks mentioned above, and NIST has deprecated it.
Advanced Encryption Standard (AES): a relatively new block cipher based on the Rijndael algorithm, which won the AES design competition. It has a 128-bit block and keys of 128, 192 or 256 bits.
IDEA: a sufficiently strong block cipher with a block size of 64 bits and a key size of 128 bits. A number of applications used IDEA, including early versions of the Pretty Good Privacy (PGP) protocol. IDEA saw restricted adoption because of patent issues.
Twofish: a block cipher with a block size of 128 bits and a variable-length key of up to 256 bits. It was one of the AES finalists. It is based on the earlier block cipher Blowfish, which has a block size of 64 bits.
Serpent: a block cipher with a block size of 128 bits and key lengths of 128, 192 or 256 bits, which was also an AES finalist. It is slower than Rijndael but has a more conservative design, with more rounds than are believed necessary.
In the next sections, we first discuss the model of a block cipher, followed by DES and AES, two of the most influential modern block ciphers.
Initialization Vector ( IV)
An initialization vector (IV) is a block of bits used by several modes of operation to randomize the encryption, and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
An IV has different security requirements than a key, so the IV usually does not need to be secret. However, in most cases it is important that an IV is never reused under the same key.
For CBC and CFB, reusing an IV leaks some information about the first block of plaintext, and about any common prefix shared by the two messages.
For OFB and CTR, reusing an IV completely destroys confidentiality: the same keystream is produced twice, so the XOR of the two ciphertexts equals the XOR of the two plaintexts, and any known plaintext reveals the other message directly.
In CBC mode, the IV must in addition be unpredictable at encryption time; in particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (this method was used by SSL 2.0, and SSL 3.0 and TLS 1.0 likewise chained IVs across records until TLS 1.1 introduced an explicit per-record IV).
If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check a guess about the plaintext of some block that was encrypted earlier under the same key: he submits guess XOR C(i-1) XOR IV_next, and the resulting ciphertext block equals C(i) exactly when the guess is right. This is known as the TLS CBC IV attack, demonstrated in practice as BEAST.
BLOCK CIPHER MODES OF OPERATION
In this chapter, we discuss the different modes of operation of a block cipher. These are procedural rules for applying a generic block cipher to data longer than one block. The different modes result in different properties (randomization, error propagation, parallelism) being achieved on top of the underlying block cipher; none of the modes described here provides integrity protection on its own.
A block cipher processes data blocks of a fixed size. Usually the size of a message is larger than the block size, so the long message is divided into a series of sequential message blocks, and the cipher operates on these blocks one at a time.
Electronic Code Book ECB Mode
This mode is the most straightforward way of processing a series of sequentially listed message blocks.
Operation
• The user takes the first block of plaintext and encrypts it with the key to produce the first block of ciphertext.
• He then takes the second block of plaintext and follows the same process with the same key, and so forth.
ECB mode is deterministic: if plaintext blocks P1, P2, ..., Pm are encrypted twice under the same key, the output ciphertext blocks will be the same, and two equal plaintext blocks anywhere in a message produce equal ciphertext blocks.
In fact, for a given key we could technically create a codebook of ciphertexts for all possible plaintext blocks. Encryption would then entail only looking up the required plaintext and selecting the corresponding ciphertext. The operation is thus analogous to the assignment of code words in a codebook, and hence the official name, Electronic Codebook (ECB) mode of operation. It is illustrated as follows.
ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block is decrypted in exactly the same way regardless of its position: an attacker can replay, reorder or substitute individual ciphertext blocks, and the receiver will decrypt each of them to a valid plaintext block.
Analysis of ECB Mode
In reality, application data usually has partially guessable content. For example, the range of a salary can be guessed. A ciphertext from ECB can allow an attacker to recover the plaintext by trial and error if the plaintext is predictable.
For example, if an ECB ciphertext block is known to encrypt a salary figure, then a small number of trials will allow an attacker to recover the figure: since equal plaintexts give equal ciphertexts, comparing the block against the ciphertexts of known values identifies it. In general, we do not wish to use a deterministic cipher, and hence ECB mode should not be used in most applications.
Cipher Block Chaining CBC Mode
CBC mode of operation makes each ciphertext block depend on all preceding plaintext blocks and on the IV, and so makes the encryption non-deterministic when a fresh IV is used for each message.
Operation
The operation of CBC mode is depicted in the following illustration. The steps are as follows:
Load the n-bit initialization vector (IV) in the top register.
XOR the n-bit plaintext block with the data value in the top register.
Encrypt the result of the XOR operation with the underlying block cipher under key K.
Feed the ciphertext block into the top register and continue the operation until all plaintext blocks are processed.
For decryption, the first ciphertext block is decrypted and the result is XORed with the IV. The first ciphertext block is also fed into the register, replacing the IV, for decrypting the next ciphertext block.
Analysis of CBC Mode
In CBC mode, the current plaintext block is XORed with the previous ciphertext block, and the result is encrypted with the key. Decryption is the reverse process: decrypt the current ciphertext block and XOR the previous ciphertext block into the result.
The advantage of CBC over ECB is that changing the IV results in a different ciphertext for an identical message. On the drawback side, a transmission error in one ciphertext block propagates during decryption, though only to two blocks because of the chaining: the damaged block decrypts to garbage, the next block has exactly the same bits flipped, and all later blocks are recovered correctly. Encryption cannot be parallelized, since each block needs the previous ciphertext block.
It is worth mentioning that CBC mode forms the basis for a well-known data origin authentication mechanism, CBC-MAC. Thus it has an advantage for those applications that require both symmetric encryption and data origin authentication (though the two must use separate keys).
Cipher Feedback CFB Mode
In this mode, each ciphertext block gets 'fed back' into the encryption process in order to encrypt the next plaintext block.
Operation
• The operation of CFB mode is depicted in the following illustration. In its general form, a message block has a size of s bits, where 1 ≤ s ≤ n and n is the block size of the cipher. CFB mode requires an initialization vector (IV) as the initial random n-bit input block; the IV need not be secret. The steps of operation are: load the IV in the top register.
• Encrypt the data value in the top register with the underlying block cipher under key K.
• Take only the s most significant (leftmost) bits of the output of the encryption process and XOR them with the s-bit plaintext message block to generate the ciphertext block.
• Feed the ciphertext block into the top register by shifting the data already present to the left by s bits, and continue the operation until all plaintext blocks are processed.
• Essentially, with s = n the previous ciphertext block is encrypted with the key, and the result is XORed with the current plaintext block.
• Similar steps are followed for decryption. The pre-agreed IV is loaded at the start of decryption, and the block cipher is again used in the encryption direction.
Analysis of CFB Mode
CFB mode differs significantly from ECB mode: the ciphertext corresponding to a given plaintext block depends not just on that plaintext block and the key, but also on the previous ciphertext block. In other words, the ciphertext block depends on the preceding message.
CFB has a feature that looks strange at first: the user decrypts the ciphertext using only the encryption function of the block cipher. The decryption algorithm of the underlying block cipher is never used.
In effect, CFB mode converts a block cipher into a type of stream cipher. The encryption algorithm is used as a keystream generator to produce keystream that is placed in the bottom register. This keystream is then XORed with the plaintext, as in a stream cipher.
By converting a block cipher into a stream cipher, CFB mode provides some of the advantageous properties of a stream cipher (no padding is needed, since s can be as small as one byte or even one bit) while retaining the advantageous properties of a block cipher. On the flip side, a transmission error propagates, since the corrupted ciphertext is fed back: the affected segment and the following n/s segments decrypt incorrectly before the mode resynchronizes.
Output Feedback OFB Mode
OFB mode involves feeding the successive output blocks from the underlying block cipher back into it. These feedback blocks provide the string of bits that feeds the encryption algorithm, which acts as a keystream generator as in CFB mode, except that the keystream now depends only on the key and the IV and not on the ciphertext.
The keystream generated is XORed with the plaintext blocks. OFB mode requires an IV as the initial random n-bit input block. The IV need not be secret, but it must never be reused under the same key, since that would repeat the keystream. Decryption is identical to encryption, and a transmission error affects only the corresponding plaintext bits, without propagating to later blocks.
The operation is depicted in the following illustration.
Counter CTR Mode
Counter mode can be considered a keystream mode like OFB, or CFB without the feedback: instead of encrypting the previous output or ciphertext, the cipher encrypts a counter value that is incremented for every block. Both the sender and the receiver need access to the same counter sequence, which yields a new value each time a ciphertext block is exchanged. The counter is not a secret value, but both sides must keep it synchronized; in practice each counter block is derived from a transmitted nonce and the block index.
Operation
Both encryption and decryption in CTR mode are depicted in the following illustration. The steps in operation are:
Load the initial counter value in the top register; it is the same for both the sender and the receiver, and plays the same role as the IV in CFB and CBC modes.
Encrypt the contents of the counter with the key and place the result in the bottom register.
Take the first plaintext block P1 and XOR it with the contents of the bottom register. The result is C1. Send C1 to the receiver and increment the counter. The counter update replaces the ciphertext feedback of CFB mode.
Continue in this manner until the last plaintext block has been encrypted.
Decryption is the same process: the ciphertext block is XORed with the encrypted counter value. After each ciphertext block is processed, the counter is updated exactly as in encryption.
Analysis of Counter Mode
CTR mode has no message dependency: a ciphertext block does not depend on the previous plaintext blocks, so blocks can be encrypted or decrypted in parallel and in any order.
Like CFB mode, CTR mode does not involve the decryption function of the block cipher. This is because CTR mode really uses the block cipher to generate a keystream, which is combined with the plaintext by XOR. In other words, CTR mode also converts a block cipher into a stream cipher.
The disadvantage of CTR mode is that it requires a synchronized counter at sender and receiver: loss of synchronization leads to incorrect recovery of plaintext, and reusing a counter value under the same key reveals the XOR of the two plaintexts. Like the other modes in this chapter, CTR provides confidentiality only; an attacker can flip any plaintext bit by flipping the corresponding ciphertext bit, so in practice it is combined with a message authentication code (as in AES-GCM).
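The modes described in this chapter, together with the ECB and CBC analyses and the IV-reuse and predictable-IV failures from the Initialization Vector section, as one added worked example that is not part of the original slides. In place of DES or AES it uses a toy 128-bit Feistel block cipher built from SHA-256, so it runs with the Python standard library alone; the key, IV and messages are constructed sample values, all messages are whole blocks (pad first, as above, for real data), and CFB is shown in its full-block (s = n) form. The function names are this example's own.

```python
import hashlib
BLOCK = 16  # 128-bit block, like AES; Feistel halves are 8 bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):
    # Round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    # Four-round Feistel network: a toy permutation standing in for DES/AES.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("demo works on whole blocks; pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(key, xor(b, prev))  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):  # full-block CFB (s = n)
    out, prev = [], iv
    for b in blocks(pt):
        prev = xor(block_encrypt(key, prev), b)  # C_i = E(C_{i-1}) xor P_i
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):  # only the forward direction of the cipher is used
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_encrypt(key, prev), c))
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):  # keystream O_i = E(O_{i-1}); the same call decrypts
    out, fb = [], iv
    for b in blocks(data):
        fb = block_encrypt(key, fb)
        out.append(xor(fb, b))
    return b"".join(out)

def ctr_crypt(key, nonce, data):  # keystream block i = E(nonce || i); same call decrypts
    out = []
    for i, b in enumerate(blocks(data)):
        out.append(xor(block_encrypt(key, nonce[:8] + i.to_bytes(8, "big")), b))
    return b"".join(out)

KEY = b"constructed demo key (not secret)"  # constructed sample key
IV = bytes(range(BLOCK))                      # constructed sample IV / nonce

def ecb_leaks_repeats():
    # Equal plaintext blocks give equal ciphertext blocks under ECB.
    c = blocks(ecb_encrypt(KEY, b"SALARY: 0100000." * 2))
    return c[0] == c[1]

def cbc_error_propagation():
    # Flip one bit of C_1: P_1 is garbled, P_2 has exactly that bit flipped, P_0 and P_3 survive.
    pt = bytes(range(4 * BLOCK))
    ct = bytearray(cbc_encrypt(KEY, IV, pt))
    ct[BLOCK] ^= 0x01
    got, want = blocks(cbc_decrypt(KEY, IV, bytes(ct))), blocks(pt)
    return (got[0] == want[0], got[1] != want[1],
            xor(got[2], want[2]) == b"\x01" + bytes(BLOCK - 1), got[3] == want[3])

def predictable_iv_guess(secret_block, guess):
    # Chained-IV CBC (SSL 3.0/TLS 1.0 style): the last ciphertext block is the next IV,
    # known to the attacker in advance, so E(guess xor IV) == C_1 iff guess == P_1.
    c1 = cbc_encrypt(KEY, IV, secret_block)   # victim's record, observed on the wire
    probe = xor(xor(guess, IV), c1)           # attacker-chosen next plaintext
    return cbc_encrypt(KEY, c1, probe) == c1  # next record is encrypted with IV = c1

def ctr_nonce_reuse(p1, p2):
    # Same key and nonce twice: C_1 xor C_2 == P_1 xor P_2, so a known P_1 reveals P_2.
    c1, c2 = ctr_crypt(KEY, IV, p1), ctr_crypt(KEY, IV, p2)
    return xor(xor(c1, c2), p1)
```

Running the checks: ecb_leaks_repeats() is True, cbc_error_propagation() returns (True, True, True, True), predictable_iv_guess() returns True only for the correct guess, and ctr_nonce_reuse() hands back the second plaintext from two ciphertexts and one known plaintext. The toy cipher is for illustration only; production code should use a vetted library and an authenticated mode, since none of these modes detects the bit-flipping that cbc_error_propagation and ctr_nonce_reuse exploit.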