Computer Security (Chapter-3)

The document discusses basic cryptographic concepts and techniques including encryption, decryption, secret keys, and cryptanalysis. It then provides details on specific historical and modern cryptographic systems such as the Enigma machine, Sigaba, the Caesar cipher, transposition ciphers, symmetric key cryptography including DES, and asymmetric key cryptography.

Uploaded by

Naoly Get

Chapter Three

Cryptography and Encryption Techniques

Basic cryptographic
Terminology
 Cryptography: Refers to schemes for encryption and
decryption; It comes from the Greek words for secret writing
 Encryption: The process by which plaintext is converted into
ciphertext
 Decryption: Recovering plaintext from the ciphertext
 Secret key: Used by the encryption algorithm. In a classical
(symmetric key) cryptography, the same secret key is used
for encryption and decryption
 Cryptanalysis: The study of “breaking the code”.
Cryptanalysts!
 Cryptology: Cryptography + cryptanalysis

Basic cryptographic /Cont…
Cryptography has five ingredients
 Plaintext (or Cleartext): the original message that is fed into the
algorithm as input
 Encryption algorithm: performs various substitutions and
transformations on the plaintext
 Secret Key: is also input to the algorithm; the exact
substitutions and transformations performed by the algorithm
depend on the key; larger key size means greater security but
may decrease encryption/decryption speed
 Ciphertext: the scrambled message produced as output. It
depends on the plaintext and the secret key; for a given
message, two different keys will produce two different
ciphertexts
 Decryption algorithm: the encryption algorithm run in reverse.
It takes the ciphertext and the same secret key (in symmetric
cryptography) and produces the original plaintext
Basic cryptographic /Cont…
Simplified Encryption Model

Basic cryptographic /Cont…
Description
 A sender S wants to transmit message M to a receiver R
 To protect the message M, the sender first encrypts it into an
unintelligible message M’
 After receipt of M’, R decrypts the message to obtain M
 M is called the plaintext: what we want to encrypt
 M’ is called the ciphertext: the encrypted output
Note: Steganography is a technique for hiding a secret message within
a larger one so that others cannot discern the presence or contents of
the hidden message; it is used to claim ownership; it is not encryption

Basic cryptographic /Cont…
Notation
 Given
– P = Plaintext
– C = Ciphertext
 C = E_K(P) Encryption
 P = D_K(C) Decryption
– P = D_K(E_K(P))
– C = E_K(D_K(C))

History: Enigma
 Before war broke out in 1939 the
Germans had planned a special way of
keeping their communications secret.
The army, navy and air force were told
to encode their messages using cipher
machines called ENIGMA.
 Enigma could put a message into code
in over 150 MILLION MILLION MILLION
different ways.
 The Germans believed that no one
could crack the Enigma code. But the
Allies knew that if they could, they
would be able to find out their
enemy's military secrets.

History: Enigma /Cont…
 The Enigma machine looked like a
typewriter in a wooden box. An
electric current went from the
keyboard through a set of rotors and
a plug board to light up the 'code'
alphabet.
 In the 1930's Polish cipher experts
secretly began to try to crack the
code. Just before war broke out they
managed to pass models and
drawings of Enigma to British and
French code-breakers.
 Later Enigma was broken.

History: Sigaba
 It was suited for fixed-station secure communications and was
used by the U.S. for high-level communications; it was the
only machine system used by any participant to remain
completely unbroken by an enemy during World War II.

Cipher Techniques
 The two basic building blocks of all encryption techniques
are substitution and transposition.
 Caesar Cipher - Early Example of a Substitution Cipher by
Julius Caesar
 Each character of a message is replaced by a character
three positions down in the alphabet (the alphabet is
wrapped around, so that the letter following Z is A)
o Plain text: ARE YOU READY
o Ciphertext: DUH BRX UHDGB

Cipher Techniques/ Substitution
 If we represent each letter of the alphabet by an integer that
corresponds to its position in the alphabet:
 The formula for replacing each character ‘p’ of the plaintext with a
character ‘c’ of the ciphertext can be expressed as:
c = E_3(p) = (p + 3) mod 26
 A more general version of this cipher that allows for any degree of
shift:
c = E( k, p ) = (p + k) mod 26
 The formula for decryption would be
p = D( k, c ) = (c - k) mod 26
 In these formulas
‘k’ is the secret key. The symbols ’E’ and ’D’ stand for encryption
and decryption respectively, and p and c are characters in the
plain and cipher text respectively.

Cipher Techniques/ Transposition
 A very different kind of mapping is achieved by performing some
sort of permutation on the plaintext letters
 The simplest of such ciphers is the rail fence technique, in which
the plaintext is written down as a sequence of diagonals and then
read off as a sequence of rows
 For example, to encipher the message “MEET ME AFTER THE
GOOD PARTY” with a rail fence of depth 2 (number of rows, which
is the key), we write the following

M E M A T R H G O P R Y
E T E F E T E O D A T
The ciphertext is MEMATRHGOPRYETEFETEODAT

Cipher Techniques/ Transposition
 With depth of 3

The ciphertext is MMTHORETEFETEODATEARGPY


 This would be trivial to cryptanalyze. A more complex scheme is
to write the message in a rectangle, row by row, and read the
message column by column, but permute the order of the
columns. The order of the columns is the key to the algorithm

Cipher Techniques/ Transposition
Example:
 Plain text: Attack Postponed Until Two AM
 Key: 4 3 1 2 5 6 7
       A T T A C K P
       O S T P O N E
       D U N T I L T
       W O A M X Y Z
 To encrypt, start with the column that is labeled 1, in this case
column 3. Write down all the letters in that column. Proceed to
column 4, which is labeled 2, then column 2, then column 1, then
columns 5, 6, and 7
 Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
 Exercise: Decrypt the above ciphertext
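
The rail fence and columnar transposition ciphers described above, worked in code; this is an added example, not part of the original slides. The function names are made up for this illustration, and the X, Y, Z filler follows the padded last row shown on the slide.

```python
def _letters(text):
    """Keep only the letters, upper-cased (spaces are dropped as on the slides)."""
    return [c for c in text.upper() if c.isalpha()]


def _rail_pattern(length, depth):
    """Row visited by each letter when writing diagonally over `depth` rows."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if depth > 1:
            if row == 0:
                step = 1
            elif row == depth - 1:
                step = -1
            row += step
    return pattern


def rail_fence_encrypt(plaintext, depth):
    letters = _letters(plaintext)
    rails = [[] for _ in range(depth)]
    for ch, row in zip(letters, _rail_pattern(len(letters), depth)):
        rails[row].append(ch)
    # Read off row by row.
    return "".join("".join(r) for r in rails)


def rail_fence_decrypt(ciphertext, depth):
    pattern = _rail_pattern(len(ciphertext), depth)
    rails, pos = [], 0
    for row in range(depth):
        count = pattern.count(row)          # letters that landed on this rail
        rails.append(iter(ciphertext[pos:pos + count]))
        pos += count
    return "".join(next(rails[row]) for row in pattern)


def _column_order(key):
    """Column indexes sorted by their label: label 1 is read first."""
    return sorted(range(len(key)), key=lambda col: key[col])


def columnar_encrypt(plaintext, key, filler="XYZ"):
    letters, ncols = _letters(plaintext), len(key)
    i = 0
    while len(letters) % ncols:             # pad the last row of the rectangle
        letters.append(filler[i % len(filler)])
        i += 1
    rows = [letters[r:r + ncols] for r in range(0, len(letters), ncols)]
    return "".join(row[col] for col in _column_order(key) for row in rows)


def columnar_decrypt(ciphertext, key):
    ncols = len(key)
    nrows, rest = divmod(len(ciphertext), ncols)
    if rest:
        raise ValueError("ciphertext length must be a multiple of the key length")
    columns = [None] * ncols
    for n, col in enumerate(_column_order(key)):
        columns[col] = ciphertext[n * nrows:(n + 1) * nrows]
    # Read the rebuilt rectangle row by row.
    return "".join(columns[c][r] for r in range(nrows) for c in range(ncols))


if __name__ == "__main__":
    msg = "MEET ME AFTER THE GOOD PARTY"
    print(rail_fence_encrypt(msg, 2))
    print(rail_fence_encrypt(msg, 3))
    key = [4, 3, 1, 2, 5, 6, 7]
    ct = columnar_encrypt("Attack Postponed Until Two AM", key)
    print(ct)
    print(columnar_decrypt(ct, key))
```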

There are two forms of encryption systems
 Symmetric (also called Traditional or Secret-key or Private key or
Single key) cryptosystem
 Asymmetric (also called Public key) cryptosystem

Symmetric Cryptosystem
 The same key is used to encrypt and decrypt a message
C = E_K(P)
P = D_K(C) ⇒ P = D_K[E_K(P)]
 The key has to be kept secret
 The key has to be communicated using a secure channel;
major problem
 It is still in use in combination with public key cryptosystems
due to some of its advantages, mainly efficiency
Properties of an Encryption Function
 It is computationally infeasible to find the key K when given
the plaintext P and the associated ciphertext C [E_K(P)]
 It should also be computationally infeasible to find another
key K’ such that E_K(P) = E_K’(P); Uniqueness

DES - A Popular Example of Symmetric Cryptosystem
 In 1973, the NBS (National Bureau of Standards, now called NIST -
National Institute of Standards and Technology) published a request
for an encryption algorithm that would meet the following criteria:
o have a high security level
o be easily understood
o not depend on the algorithm's confidentiality
o be adaptable and economical
o be efficient
 In late 1974, IBM proposed "Lucifer", which was then modified by
NSA (National Security Agency) in 1976 to become the DES (Data
Encryption Standard)
 DES was then approved by NBS in 1978 and was standardized by
ANSI under the name of ANSI X3.92, also known as DEA (Data
Encryption Algorithm)

DES /Cont..
 DES utilizes block cipher, which means that during the encryption
process, the plaintext is broken into fixed length blocks of 64 bits
 A block cipher processes the input one block of elements at a
time, producing an output block for each input block; larger
block sizes mean greater security but reduced encryption/
decryption speed; a block size of 128 bits is a reasonable
tradeoff and is nearly universal among recent block cipher
designs
 A stream cipher processes the input elements continuously,
producing output one element at a time, as it goes along
 e.g., substitution (Caesar Cipher)

DES /Cont..
 The key in DES is 56 bits; 8 bits of the 64-bit key block are
used for parity checking (for example, if odd parity is used, each
byte has an odd number of 1s)
 A 56-bit key gives 2^56 (≈ 7.2 x 10^16) possible key variations
 DES algorithm involves carrying out combinations, substitutions
and permutations between the text to be encrypted and the key,
while making sure the operations can be performed in both
directions (for decryption)
 The combination of substitutions and permutations is called a
product cipher

DES Encryption
 Data is divided into 64-bit blocks; the key is 56 bits
 The processing has three phases
Phase 1
 The 64-bit plaintext passes through an initial permutation (IP) that
rearranges the bits to produce the permuted input; no elements
are added or deleted or replaced, rather the order in which the
elements appear in the sequence is changed
Phase 2
 The 64 bits are then divided into two 32-bit halves called L and R.
The encryption then proceeds through 16 rounds of the same
function, each using the L and R parts, and a subkey

DES Encryption /Cont…
 In each round, the new L part is simply a copy of the incoming R
part
 R and the subkey are processed in the so-called
f-function, and the output of the f-function is exclusive-ORed with
the existing L part to create the new R part
Phase 3
 The L and R parts are swapped
 The pre-output is passed through a permutation that is the
inverse of the initial permutation (IP^-1), to produce the 64-bit
ciphertext

DES Encryption /Cont…

[Figure: Structure of DES Algorithm]
DES Encryption /Cont…
 DES – Permutation: The initial permutation and its inverse are
defined by tables; in all tables, the numbers are the bit
positions

Initial Permutation (IP) and Inverse Permutation (IP^-1)
DES Encryption /Cont…
IP (e.g., IP(1) = 58; IP(2) = 50, etc.); rows 1-4 form L, rows 5-8 form R
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP^-1 (e.g., IP^-1(1) = 40; IP^-1(2) = 8, etc.)
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

“First bit of the output is taken from the 58th bit of the input”, etc.

DES Encryption /Cont…
Generating Sub keys
 Initially, the key is passed through a permutation function
 Then, for each of the sixteen rounds, a sub key (Ki ) is
produced by the combination of a left circular shift and a
permutation
 The permutation function is the same for each round, but a
different sub key is produced because of the repeated shifts
of the key bits

DES Encryption /Cont…
 To generate the subkeys, we start with the 56-bit key
(64 bits - with parity bits); the bits of the key are numbered from
1 through 64; every eighth bit is ignored

Input Key (the numbers are the bit positions)


 These are permuted and divided into two halves called C and D
(Permutation Choice 1)
 For each round, C and D are each shifted left circularly one or two bits
(the number of bits depending on the round)
 The 48-bit subkey is then selected from the current C and D bits using
Permutation Choice 2

DES Encryption /Cont…

[Figure: DES Algorithm - Key Schedule and Subkey Generation]
DES Encryption /Cont…
PC-1: Permutation Choice 1
 Extracts and permutes only 56-bit of the original 64-bit key
(excluding parity bits 8,16, 24, 32, 40, 48, 56, 64)

Schedule of Left Shifts

DES Encryption /Cont…
PC-2: Permutation Choice 2
 Selects or extracts the 48-bit subkey for each round from the 56-bit
key-schedule

DES Encryption /Cont…
The f-function (Some call it the mangler function)
 The f-function mixes the bits of the R portion using the Subkey for
the current round. First the 32-bit R value is expanded to 48-bits
using a permutation E. That value is then exclusive-or'ed with the
subkey
 The 48-bits are then divided into eight 6-bit chunks, each of which is
fed into an S-Box (Substitution-Box or Substitution Table) that mixes
the bits and produces a 4-bit output. A little bit funny operation
here!!
 Those eight 4-bit outputs are combined into a 32-bit value (8*4 =
32), and permuted once again to give the output of the f-function

DES Encryption /Cont…

[Figure: DES Algorithm, the f-function]
DES Encryption /Cont…
f-function: Expansion/Permutation (E)

E table
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

The 32-bit half-block of data is expanded to 48 bits; the entries shown in
red on the slide are all repeated at different positions
DES Encryption /Cont…

DES S-Box for S1- There is one box for each of the 8 S-Boxes
If S1 is the function defined in this table and B is a block of 6 bits, then S1(B) is determined
as follows: The first and last bits of B represent in base 2 a number in the decimal range 0
to 3 (or binary 00 to 11). Let that number be i. The middle 4 bits of B represent in base 2 a
number in the decimal range 0 to 15 (binary 0000 to 1111). Let that number be j. Look up
in the table the number in the i-th row and j-th column. It is a number in the range 0 to 15
and is uniquely represented by a 4 bit block. That block is the output S1(B) of S1 for the
input B. For example, for input block B = 011011 the first bit is "0" and the last bit "1"
giving 01 as the row. This is row 1. The middle four bits are "1101". This is the binary
equivalent of decimal 13, so the column is column number 13. In row 1, column 13
appears 5. This determines the output; 5 is binary 0101, so that the output is 0101. Hence
S1(011011) = 0101. Find S1(101011)?
The design criteria for the S-boxes and for the entire algorithm were not made public
DES Decryption
 Decryption is identical to encryption, except that the
subkeys are used in the opposite order. That is, subkey 16 is
used in round 1, subkey 15 is used in round 2, etc., ending
with subkey 1 being used in round 16
The Avalanche Effect
 A desirable property of any encryption algorithm is that a
small change in either the plaintext or the key should
produce a significant change in the ciphertext
 In particular, a change in one bit of the plaintext or one bit
of the key should produce a change in many bits of the
ciphertext. This is referred to as the avalanche effect
 If the change were small, this might provide a way to reduce
the size of the plaintext or key space to be searched leading
to brute-force attack

DES Attacks
 Types of attacks (cracking) in all types of encryption
o The attacker has only the cipher text and his/her goal is to
find the corresponding plaintext
o The attacker has the cipher text and the corresponding
plaintext and his/her goal is to find the key
o In both cases the attacker may or may not know the
algorithm
 A good cryptosystem protects against all types of attacks

DES Attacks/ Cont…
 The security of encryption depends on the secrecy of the key, not
the secrecy of the algorithm
o Keeping the algorithm secret means to invent, test, and install
a new one when the old is discovered which is very difficult
o Keep only the key secret; so that it can be changed as often as
needed
 The two types of attacks on an encryption algorithm are
o Cryptanalysis: based on properties of the encryption
algorithm
o Brute-force: also called exhaustive key search, involves trying
all possible keys; This is the most basic method of attack for
any cipher

DES Attacks/ Cont…
 An encryption scheme is said to be computationally secure if
either of the following two criteria are met
 The cost of breaking the cipher exceeds the value of the
encrypted information
 The time required to break the cipher exceeds the useful
lifetime of the information
 Unfortunately, it is very difficult to estimate the amount of
effort required to cryptanalyze ciphertext successfully
 The following is the average time required for exhaustive key
search (brute-force attack) for various key sizes

Key Size   Number of             Time required at                Time required at
(bits)     Alternative Keys      1 Decryption/µs                 10^6 Decryptions/µs
32         2^32 = 4.3 x 10^9     2^31 µs = 35.8 minutes          2.15 milliseconds
56         2^56 = 7.2 x 10^16    2^55 µs = 1142 years            10 hours
128        2^128 = 3.4 x 10^38   2^127 µs = 5.4 x 10^24 years    5.4 x 10^18 years
168        2^168 = 3.7 x 10^50   2^167 µs = 5.9 x 10^36 years    5.9 x 10^30 years

 The length of the key determines the number of possible keys, and
hence the feasibility of the approach; with a key length of 56 bits,
there are 2^56 possible keys, which is approximately 7.2 x 10^16 keys.
Thus, a brute-force attack appears impractical
 Assuming that, on average, half the key space has to be searched, a
single machine performing one DES encryption per microsecond
would take more than a thousand years

 In academia, various proposals for a DES-cracking machine were
advanced.
• In 1977, Diffie and Hellman proposed a machine costing an
estimated US$20 million which could find a DES key in a single
day.
• By 1993, Wiener had proposed a key-search machine costing
US$1 million which would find a key within 7 hours.
 However, none of these early proposals were ever implemented.
 The vulnerability of DES was practically demonstrated in 1997,
where RSA Security sponsored a series of contests, offering a
$10,000 prize to the first team that broke a message encrypted with
DES for the contest.

 That contest was won by the DESCHALL Project, led by Rocke Verser,
Matt Curtin, and Justin Dolske, using idle cycles of thousands of
computers across the Internet.
 The feasibility of cracking DES quickly was demonstrated in 1998
when a custom DES-cracker was built by the
Electronic Frontier Foundation (EFF), a cyberspace civil rights group,
at the cost of approximately US$250,000. Their motivation was to
show that DES was breakable in practice as well as in theory.

The EFF's US$250,000
DES cracking machine contained
1,856 custom chips and could
brute force a DES key in a matter of
days - the photo shows a DES
Cracker circuit board fitted with
several Deep Crack chips.

DES – Variants
Triple DES (3DES)
 Another alternative, which would preserve the existing
investment in software and equipment, is to use multiple
encryption with DES and multiple keys – Triple DES
 Provides enhanced security by executing the core algorithm
three times and the key length becomes 56*3 = 168-bits
 With triple length key of three 56-bit keys K1, K2 & K3,
encryption follows an encrypt-decrypt-encrypt (EDE)
sequence
Encrypt with K1 → Decrypt with K2 → Encrypt with K3
C = E(K3, D(K2, E(K1, P)))
 Decryption requires that the keys be applied in reverse order
Decrypt with K3 → Encrypt with K2 → Decrypt with K1
P = D(K1, E(K2, D(K3, C)))
 As an alternative, we can use only two keys, i.e., setting K3
equal to K1 gives us a double length key K1, K2
C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))
 There is no cryptographic significance to the use of decryption
for the second stage; its only advantage is that it allows users
of 3DES to decrypt data encrypted by users of the older single
DES by setting K2 = K1
C = E(K1, D(K1, E(K1, P))) = E(K1,P)
P = D(K1, E(K1, D(K1, C))) = D(K1, C)
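
The Feistel round structure, decryption with the subkeys in reverse order, the avalanche effect, and the 3DES encrypt-decrypt-encrypt sequence with its K1 = K2 = K3 fallback can all be tried on a small 16-round Feistel cipher; this is an added example, not part of the original slides. The round function f and the key schedule are SHA-256 stand-ins (assumptions chosen for brevity, not the DES E/S-box/P function or PC-1/PC-2), so the block shows the structure only and is not DES.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def subkeys(key):
    """Stand-in key schedule (assumption, not DES PC-1/PC-2): one 32-bit subkey per round."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]


def f(right, subkey):
    """Stand-in round function (assumption, not the DES E/S-box/P function)."""
    mixed = (right ^ subkey).to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(mixed).digest()[:4], "big")


def feistel(block, round_keys):
    """Run the rounds on a 64-bit block, then swap L and R."""
    if not 0 <= block < 1 << 64:
        raise ValueError("block must be a 64-bit integer")
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        # New L is a copy of the old R; new R is old L XOR f(old R, subkey).
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def encrypt(key, block):
    return feistel(block, subkeys(key))


def decrypt(key, block):
    # Identical algorithm; only the subkey order is reversed.
    return feistel(block, subkeys(key)[::-1])


def ede_encrypt(k1, k2, k3, block):
    """C = E(K3, D(K2, E(K1, P)))"""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def ede_decrypt(k1, k2, k3, block):
    """P = D(K1, E(K2, D(K3, C)))"""
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))


def changed_bits(a, b):
    """Number of bit positions in which two blocks differ."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    # Constructed sample keys and plaintext block.
    k1, k2, k3 = b"key-one!", b"key-two!", b"key-tre!"
    p = 0x0123456789ABCDEF
    c = encrypt(k1, p)
    print("round trip ok:", decrypt(k1, c) == p)
    print("bits changed by a 1-bit plaintext change:",
          changed_bits(c, encrypt(k1, p ^ 1)), "of 64")
    print("EDE with K1=K2=K3 equals single encryption:",
          ede_encrypt(k1, k1, k1, p) == c)
    print("EDE round trip ok:",
          ede_decrypt(k1, k2, k3, ede_encrypt(k1, k2, k3, p)) == p)
```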

AES (Advanced Encryption Standard)
Origin
 Clearly a replacement for DES was needed
 There are theoretical attacks that can break it
 Exhaustive key search attacks have been demonstrated
 Can use Triple-DES – but slow, has small blocks
 US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug-99
 Rijndael was selected as the AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001

The AES Cipher - Rijndael
 Designed by Rijmen-Daemen in Belgium
 Has 128/192/256 bit keys, 128 bit data
 An iterative rather than Feistel cipher
 processes data as block of 4 columns of 4 bytes
 operates on entire data block in every round
 Designed to be:
 resistant against known attacks
 speed and code compactness on many CPUs
 design simplicity

AES Structure
 Data block of 4 columns of 4 bytes is state
 Key is expanded to array of words
 Has 9/11/13 rounds in which state undergoes:
o Byte substitution (1 S-box used on every byte)
o Shift rows (permute bytes between groups/columns)
o Mix columns (subs using matrix multiply of groups)
o Add round key (XOR state with key material)
 View the cipher as alternating XOR with key material and scrambling
of data bytes
 Initial XOR key material & incomplete last round
 With fast XOR & table lookup implementation

Asymmetric (Public-key) Cryptosystem

 It is a form of cryptosystem in which encryption and decryption
are performed using different keys - one public key (KE) and one
private key (KD) - that form a unique pair
C = E_KE(P)
P = D_KD(C) ⇒ P = D_KD[E_KE(P)]
 The two keys have the property that deriving the private key
from the public key is computationally infeasible
 Proposed by Diffie and Hellman in 1976
 Uses Mathematical functions whose inverse is not known by
Mathematicians of the day
 It is a revolutionary concept since it avoids the need of using a
secure channel to communicate the key
 It has made cryptography available for the general public and
made many of today’s online applications feasible
Asymmetric (Public-key) /Cont…
 It provides a radical departure from the past
 Public-key algorithms are based on mathematical
functions rather than on substitution and permutation
 Public-key cryptography is asymmetric, involving the
use of two separate keys, in contrast to symmetric
encryption, which uses only one key. The use of two
keys has profound consequences in the areas of
confidentiality, key distribution, and authentication
 But the authenticity of a secret message is not
guaranteed since anyone can send secret messages to the
owner of a private key because the corresponding public
key is known

Asymmetric (Public-key) /Cont…
Properties of Public Key Cryptosystem
 If you have the private key, you can easily decrypt what is
encrypted by the public key
 Otherwise, it is computationally infeasible to decrypt what
has been encrypted by the public key

Asymmetric (Public-key) /Cont…
Steps in Asymmetric Cryptosystems
1. Each user generates a pair of keys to be used for the
encryption and decryption of messages
2. Each user places one of the two keys in a public register or
other accessible file. This is the public key. The companion
key is kept private (private key)
3. If Bob wishes to send a confidential message to Alice, Bob
encrypts the message using Alice’s public key
4. When Alice receives the message, she decrypts it using her
private key. No other recipient can decrypt the message
because only Alice knows Alice’s private key
At any time, a user can change its private key and publish the
companion public key to replace its old public key

Asymmetric (Public-key) /Cont…
Why public-key cryptography?
 The first problem is that of key distribution since key
distribution under symmetric encryption requires either (1)
that two communicants already share a key, which somehow
has been distributed to them; or (2) the use of a Key
Distribution Center (KDC)
 The second requirement negates the very essence of
cryptography: the ability to maintain total secrecy over your
own communication; “what good would it do after all to
develop impenetrable cryptosystems, if their users were
forced to share their keys with a KDC that could be
compromised by either burglary or other means?”
 The second problem is that of digital signatures. If the use of
cryptography was to become widespread, then electronic
messages and documents would need the equivalent of
signatures used in paper documents
Asymmetric (Public-key) /Cont…
Use of Public-key Cryptosystems
 It can be used for confidentiality, authentication, or both
 The use of public-key cryptosystems can be classified into three:
 Encryption/decryption: For confidentiality, the sender encrypts
a message with the recipient’s public key
 Digital signature: For authentication, the sender “signs” a
message with its private key. Signing is achieved by a
cryptographic algorithm applied to the message or to a small
block of data that is a function of the message
 Key exchange: Two sides cooperate to exchange a session key,
(i.e., a user wishes to set up a connection with another user and
uses a secret key to encrypt messages on that connection);
Different approaches are possible, involving the private key(s) of
one or both parties
 Some algorithms are suitable for all three applications, whereas
others can be used only for one or two of these applications

Asymmetric (Public-key) /Cont…

Applications of Public-Key Cryptosystems


 RSA - Rivest-Shamir-Adleman
 DSS - Digital Signature Standard
 You can read about Diffie-Hellman, DSS, and Elliptic Curve
Cryptography (ECC) algorithms

RSA - Asymmetric Cryptosystem Example
 The most widely used public-key cryptosystem is RSA
 RSA is from Ron Rivest, Adi Shamir and Leonard Adleman (in
1977)
 It is a block cipher in which the plaintext and ciphertext are
integers between 0 and m-1 for some m
 The private and public keys are constructed from very large
prime numbers (consisting of hundreds of decimal digits)
Principle: No mathematical method is yet known to efficiently
find the prime factors of large numbers
 Breaking RSA is equivalent to finding the prime factors: this is
known to be computationally infeasible, i.e., security is based
on the difficulty of factoring large integers
 It is only the person who has produced the keys from the
prime numbers who can decrypt messages
RSA /Cont…
RSA - Key Generating Algorithm
1. Choose two large prime numbers, p and q
2. Compute n = pq and (phi) φ = (p-1)(q-1)
3. Choose an integer e, 1 < e < φ, such that GCD(e, φ) = 1
(Note: The Greatest Common Divisor of two integers is the largest positive
integer that exactly divides both integers) or e and φ are relatively prime
(two integers are relatively prime if their only common positive integer
factor is 1)
4. Determine the secret exponent d, 1 < d < φ, such that
(e*d) mod φ = 1; i.e., the remainder of (ed)/φ is one
5. The public key is the pair of integers (e, n) and the private key is (d, n), i.e.,
both sender and receiver must know the value of n. The sender knows the
value of e, and only the receiver knows the value of d
 Keep all the values d, p, q and φ secret
 n is known as the modulus
 e is known as the public exponent or encryption exponent
 d is known as the secret exponent or decryption exponent

RSA /Cont…
RSA- Encryption
Sender A does the following
 Obtains the recipient B's public key (e, n)
 Represents the plaintext message as a positive integer M
 Computes the ciphertext C = M^e mod n
 Sends the ciphertext C to B
RSA- Decryption
Recipient B does the following
 Uses his/her private key (d, n) to compute M = C^d mod n
 Extracts the plaintext from the message representative M
 Compared to DES, RSA is computationally more complex; encryption
is 100-1000 times slower than DES
 Hence encryption systems use RSA to exchange only shared keys (for
symmetric cryptosystems) in a secure way

RSA /Cont…
RSA Simple Example - Key Generation
1. Choose two prime numbers: p=11, q=3
2. n = pq = 11*3 = 33
φ = (p-1)(q-1) = 10*2 = 20
3. Choose e, 1 < e < φ; we choose e=3
Check GCD(e, φ) = GCD(3, 20) = 1 (i.e., 3 and 20 are relatively
prime)
4. Determine d, 1<d<φ, such that ed mod φ = 1 (or 3d mod 20 = 1)
Simple testing (d = 2, 3, ...) gives d = 7
Check: ed = 3*7 = 21 and 21 % 20 = 1, i.e., ed - 1 = 20 is divisible by φ (20)
5. Public key = (e, n) = (3, 33)
Private key = (d, n) = (7, 33)

RSA /Cont…
RSA- Encryption Example
 Now say we want to encrypt the message M = 7
 C = M^e mod n = 7^3 mod 33 = 343 mod 33 = 13
 Hence the ciphertext C = 13
RSA- Decryption Example
 For decryption, we compute
 M = C^d mod n = 13^7 mod 33 = 7
 Hence the plaintext M = 7

RSA /Cont…
RSA - More Meaningful Example
 Message: ATTACKxATxSEVEN
 Group the characters into blocks of three and compute a message
representative integer for each block
 ATT ACK XAT XSE VEN
 In the same way that a decimal number can be represented as
the sum of powers of ten,
(e.g., 135 = 1 x 10^2 + 3 x 10^1 + 5 x 10^0), we could represent our
blocks of three characters in base 26 using A=0, B=1, C=2, ...,
Z=25
 ATT = 0 x 26^2 + 19 x 26^1 + 19 x 26^0 = 513
ACK = 0 x 26^2 + 2 x 26^1 + 10 x 26^0 = 62
XAT = 23 x 26^2 + 0 x 26^1 + 19 x 26^0 = 15567
XSE = 23 x 26^2 + 18 x 26^1 + 4 x 26^0 = 16020
VEN = 21 x 26^2 + 4 x 26^1 + 13 x 26^0 = 14313
RSA /Cont…
1. Generate two prime numbers: p=137 and q=131
2. n = pq = 137*131 = 17,947
φ = (p-1)(q-1) = 136*130 = 17680
3. Choose e = 3
Check GCD(3,17680)=1 (i.e., e and φ are relatively prime)
4. Determine d, 1<d<φ, such that ed mod φ = 1, i.e., the remainder of
3d divided by 17680 is 1; d = 11787; (11787*3) % 17680 = 1
5. Hence
 Public key, (e, n) = (3, 17947) and
 Private key (d, n) = (11787, 17947)

RSA /Cont…
 To encrypt the first integer that represents "ATT" (513), we
have
 C = M^e mod n = 513^3 mod 17947 = 8363
 We can verify that our private key is valid by decrypting
 M = C^d mod n = 8363^11787 mod 17947 = 513
 Overall, our plaintext is represented by the set of integers m
 (513, 62, 15567, 16020, 14313)
 After decryption, these numbers are converted to their
textual equivalents by successively dividing by 26 and
taking the remainders
 We compute the corresponding ciphertext integers
C = M^e mod n
 (8363, 5017, 11884, 9546, 13366)

Digital Signature
 Confidentiality ensures that messages cannot be intercepted and read
by eavesdroppers, i.e., encryption protects against passive attack
 A different requirement is to protect against active attack (falsification
of data and transactions). Protection against such attacks is known as
message authentication
 A message, file, document, or other collection of data is said to be
authentic when it is genuine (not altered) and comes from its alleged
source
 A digital signature is not used to ensure the confidentiality of a
message, but rather to guarantee who sent the message, i.e.,
authentication (nonrepudiation); it proves who the sender is
 Nonrepudiation can be source repudiation (denial of transmission of
message by source) or destination repudiation (denial of receipt of
message by destination)
 Just as with handwritten signatures, digital signing should be done in a
way that is verifiable and non forgeable

Digital Signature /Cont…
 Digital signature is also used for Message Integrity; it ensures that
messages are protected against modification
 Note: authentication may mean both nonrepudiation and data
integrity and sometimes only data integrity
 Digital Signature for Assurance
 Consider the situation where Bob has just sold Alice
something for 500 Birr through a deal that is made by e-mail
 Alice sends an e-mail agreeing to pay 500 Birr
 Two issues need to be taken care of in addition to
authentication
 Alice needs to be assured that Bob will not modify the
amount and show that Alice promised to pay more than
500 Birr
 Bob needs to be assured that Alice will not deny that she
sent the message, i.e., source repudiation
Digital Signature /Cont…
 If Alice signs the message digitally, both issues are solved,
because her signature is uniquely tied to the message content
 Any change by Bob will be noticed, and Alice cannot deny
having sent the message
 There are several ways to create digital signatures; one
popular way is to use a public-key cryptosystem such as
RSA, i.e., message encryption by itself can provide a
measure of authentication
Digital Signature /Cont…
Notation: KX- : Private key of X
KX+ : Public key of X
 Alice encrypts the message using her private key
 C = E(KA-, M) – this is Alice’s signature
 Sends the encrypted message to Bob
 Bob then decrypts the signature using Alice’s public key
 M = D(KA+, C)
 If Bob can decrypt it with Alice’s public key, the message must
have been encrypted by Alice; No one else has Alice’s private
key, and therefore no one else could have created a ciphertext
that could be decrypted with Alice’s public key – nonforgeable
and verifiable
 Therefore, the encrypted message serves as a digital signature
 In addition, it is impossible to alter the message without access
to Alice’s private key, so the message is authenticated both in
terms of source and in terms of data integrity
Digital Signature /Cont…
 But anyone can decrypt the message using Alice’s public key, so this
scheme is acceptable only if it is not important that the message be kept secret
 To combine both confidentiality and authentication
 Alice has to first encrypt the message using her private key
 Then encrypt the message with Bob’s public key
 C = E(KB+, E(KA-, M))
 Sends the encrypted message to Bob
 Bob decrypts the message using his private key
 Bob then decrypts the message using Alice’s public key
 M = D(KA+, D(KB-, C))
 Disadvantage: The public-key algorithm must be applied four
times rather than two which has an impact on efficiency
Digital Signature /Cont…
 Symmetric encryption can also be used for authentication
 A message transmitted from source A to destination B is
encrypted using a secret key shared by only A and B. If no
other party knows the key, then confidentiality is provided:
No other party can recover the plaintext of the message; B
is also assured that the message was generated by A
(authentication)
 But, Alice can deny that she has sent the message; Bob can
also modify the amount
Figure: Symmetric Encryption: Authentication and Confidentiality
Digital Signature /Cont…
Digital Signature Using Message Digest
 Problems in Digital Signature
 Alice may claim that her private key has been stolen
before the message was sent
 Alice may change her private key; a solution could be to
have a central authority that keeps track of changes in
keys and that signed messages be timestamped
 Alice’s entire message is encrypted which may be
expensive in terms of processing requirements
 It also requires a great deal of storage. Each document
must be kept in plaintext to be used for practical
purposes. A copy also must be stored in ciphertext so that
the origin and contents can be verified in case of a dispute
 A better and cheaper method is to use a message digest
Hash Functions
 A hash function H takes a message m of arbitrary length and
produces a fixed size bit string h, h = H(m)
 When the hash value h is sent with the message m (not
encrypted), it enables the receiver to determine whether m has
been modified or not; the principal objective of a hash function is
data integrity
 When a hash function is used to provide message integrity,
the hash function value h is often referred to as a message
digest
 The two most common hashing algorithms are MD5 (Message
Digest version 5), which produces a 128-bit hash, and the Secure
Hash Algorithm or SHA by NIST, whose SHA-1 version produces a
160-bit message digest (later versions include SHA-256)
Hash Functions /Cont…
Example
 Assume we want to send the number 12345 and use hashing to make
sure there were no changes to this transmission
 The chosen algorithm (highly simplified) is
 Multiply the data by 56,789
 Invert the result
 Chop off all but the first four characters
Multiply: 12345 x 56789 = 701060205
Invert: 502060107
Truncate: 5020
 Hence 5020 is the hash value that is sent along with 12345
 The receiver follows the same steps to hash the message; if the
results match then there was no modification
 A typical hash combines encryption and truncation or padding to get
to a fixed-size authentication value
Hash Functions /Cont…
 If m is changed to m’, its hash h’ = H(m’) will be different from
h = H(m) and can be easily detected
 Alice first computes a message digest and encrypts it with her
private key
 E(KA-, H(m)) is sent with m so that Bob knows that it comes
from Alice by decrypting it with her public key
 Bob decrypts the digest and calculates the message digest; if
they match he knows the message has not been altered
Figure: Digitally signing a message using a message digest
Hash Functions /Cont…
 m can be sent as plaintext or if confidentiality is required
can be encrypted using Bob’s public key, but with an
implication on performance
 E(KA-, H(m)) and E(KB+, m) are sent so that Bob knows
that it comes from Alice by decrypting the message digest
with her public key and m is also protected from
eavesdropping
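Signing the digest E(KA-, H(m)) rather than the whole message, applied to Alice's 500 Birr e-mail; this is an added Python example, not code from the slides. The key built from two Mersenne primes and the reduction of SHA-256 modulo n are assumptions made so that textbook RSA runs with the standard library only; neither is fit for real use.

```python
import hashlib

# Constructed toy key for Alice (assumption): two known Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                                # Alice's public exponent, KA+
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent, KA-

def digest_int(message: bytes) -> int:
    """H(m) as an integer below n, so that it fits one RSA operation."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Alice computes E(KA-, H(m)); only the digest is processed, not m."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Bob recovers the digest with KA+ and compares it with his own H(m)."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_int(message)

# Constructed sample messages.
ORIGINAL = b"Alice to Bob: I accept to pay 500 Birr"
ALTERED = b"Alice to Bob: I accept to pay 5000 Birr"

def scenario():
    """Run the Alice/Bob deal: genuine message, altered amount, reused signature."""
    sig = sign(ORIGINAL)
    return {
        "genuine accepted": verify(ORIGINAL, sig),
        "altered amount accepted": verify(ALTERED, sig),
        "signature reused on other text": verify(b"Alice to Bob: cancel", sig),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The signing cost is one RSA operation on a fixed-size digest regardless of message length, which is the saving the digest approach is meant to deliver.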
Hash Functions /Cont…
 The message digest can be encrypted using symmetric encryption if
it is assumed that only the sender and receiver share the
encryption key
Figure: Using Symmetric Encryption
 The public-key approach has two advantages:
1. It provides a digital signature as well as message integrity.
2. It does not require the distribution of keys to communicating
parties
Hash Functions /Cont…
Message Authentication Code (MAC)
 Some hash functions require a key; others do not
 When encryption is used with hashing, it is extremely expensive
 Without encryption, Trudy can claim to be Alice and send a bogus
message m’ and H(m’) to Bob - Masquerading
 To perform message integrity, in addition to a hash function, Alice
and Bob will need a shared secret s, which is just a string of bits
called the authentication key, but distributing s has the same
problem as a symmetric key
 Steps
 Alice concatenates s with m to create m+s and calculates the
hash h = H(m+s); h is called a Message Authentication Code
(MAC)
 Alice appends the MAC to m and sends the extended message
(m, h) to Bob – no encryption
 Bob calculates H(m+s) and compares it with h since he knows s
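The three MAC steps above in Python, as an added example that is not part of the original slides: `page_mac` is the H(m+s) construction with SHA-256 standing in for H, and `hmac_mac` is the standardized HMAC construction that library code normally uses for the same job. The secret and the messages are constructed sample values.

```python
import hashlib
import hmac

def page_mac(message: bytes, secret: bytes) -> bytes:
    """h = H(m + s): the construction from the steps, with SHA-256 as H."""
    return hashlib.sha256(message + secret).digest()

def hmac_mac(message: bytes, secret: bytes) -> bytes:
    """HMAC-SHA-256, the standardized keyed-hash MAC."""
    return hmac.new(secret, message, hashlib.sha256).digest()

def alice_send(message: bytes, secret: bytes, mac=hmac_mac):
    """Alice sends the extended message (m, h) with no encryption."""
    return message, mac(message, secret)

def bob_accepts(message: bytes, tag: bytes, secret: bytes, mac=hmac_mac) -> bool:
    """Bob recomputes the MAC with s and compares in constant time."""
    return hmac.compare_digest(mac(message, secret), tag)

SECRET = b"constructed-shared-secret-s"          # sample authentication key
MESSAGE = b"Alice to Bob: I accept to pay 500 Birr"

def scenario(mac=hmac_mac):
    """Genuine delivery, Trudy's masquerade with a plain hash, and tampering."""
    m, h = alice_send(MESSAGE, SECRET, mac)
    # Trudy does not know s, so the best she can attach is a plain hash H(m').
    bogus = b"Alice to Bob: I accept to pay 900 Birr"
    trudy_tag = hashlib.sha256(bogus).digest()
    return {
        "genuine": bob_accepts(m, h, SECRET, mac),
        "masquerade": bob_accepts(bogus, trudy_tag, SECRET, mac),
        "modified in transit": bob_accepts(m.replace(b"500", b"5000"), h, SECRET, mac),
    }

if __name__ == "__main__":
    for name, mac in (("H(m+s)", page_mac), ("HMAC", hmac_mac)):
        print(name, scenario(mac))
```

Because s is shared, Bob could compute the same MAC himself, so unlike a digital signature it gives no protection against Alice denying the message.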
Hash Functions /Cont…
Properties of Hash Functions
 One-way function: It is computationally infeasible to find m
that corresponds to a known output of h
 Or given a hash value h it should be difficult to find the
message m such that h = H(m)
 That means you cannot “unhash” something
 Collision resistance
 Weak-collision resistance: It is computationally infeasible,
given m and H, to find m’ ≠ m such that H(m) = H(m’)
 Strong-collision resistance: Given H, it is computationally
infeasible to find any two different input values m and m’,
such that H(m) = H(m’)
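The simplified multiply, invert, truncate algorithm from the earlier example slide, checked against the two collision-resistance properties above; this Python code is an added example, not part of the original slides. It shows why that scheme is only an illustration: its output depends solely on the last four digits of the product, so a second message with the same hash value turns up after a short search.

```python
def toy_hash(number: int) -> str:
    """Multiply by 56,789, reverse the digits, keep the first four characters."""
    product = number * 56789
    return str(product)[::-1][:4]

def second_message(number: int, limit: int = 100_000):
    """Weak-collision test: search 1..limit for a different input with the same hash."""
    target = toy_hash(number)
    for candidate in range(1, limit + 1):
        if candidate != number and toy_hash(candidate) == target:
            return candidate
    return None

def first_collision(limit: int = 20_000):
    """Strong-collision test: find any two inputs that share a hash value."""
    seen = {}
    for candidate in range(1, limit + 1):
        h = toy_hash(candidate)
        if h in seen:
            return seen[h], candidate
        seen[h] = candidate
    return None

if __name__ == "__main__":
    print("hash of 12345      :", toy_hash(12345))
    print("same hash as 12345 :", second_message(12345))
    print("first colliding pair:", first_collision())
```

With only 10,000 possible outputs, any 10,001 inputs must contain a collision; a 128-bit or 160-bit digest makes the same search computationally infeasible.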
Hash Functions /Cont…
 The output is of fixed-length no matter what input is given. This is
exactly how Windows stores passwords. For example, if the
password is password, then Windows will first hash it producing
something like:
0BD181063899C9239016320B50D3E896693A96DF
 It then stores it in the SAM (Security Accounts Manager) file in the
Windows System directory. When you log on, Windows cannot
unhash your password (remember it is one-way). So, what
Windows does is take whatever password you type in, hash it, and
then compare the result with what is in the SAM file. If they match
(exactly), then you can log in
 Caution: password remains invisible while being entered, but
 it is transferred in clear from keyboard to memory
 it is present in clear in memory for a short time
 Hence, beware of eavesdropping and password sniffers!
Hash Functions /Cont…
 Hashing also has other applications
For example, it can be used for intrusion detection and virus
detection. Store H(F) for each file on a system and secure the
hash values (e.g., on a CD-R that is kept secure). One can later
determine if a file has been modified by recomputing H(F). An
intruder would need to change F without changing H(F)
Symmetric Key Distribution
 For symmetric encryption to work, the two parties to an
exchange must share the same key, and that key must be
protected from access by others
 Frequent key changes are usually desirable to limit the
amount of data compromised if an attacker learns the key
 Symmetric Key Distribution Using Symmetric Encryption
 Key distribution can be achieved in a number of ways.
For two parties A and B, the following can be used
1. A key could be selected by A and physically delivered
to B
2. A third party could select the key and physically
deliver it to A and B
Symmetric Key Distribution /Cont…
3. If A and B have previously and recently used a key, one party
could transmit the new key to the other, using the old key to
encrypt the new key
 The problem with this option is that if an attacker ever succeeds
in gaining access to one of the keys, every later key, each sent
encrypted under its predecessor, is revealed as well
4. If A and B each have an encrypted connection to a third party
C, C could deliver a key on the encrypted links to A and B
 This is preferable and two kinds of keys are used
– Permanent key: used between entities for the purpose of
distributing session keys
– Session key: when two end systems (hosts, terminals,
etc.) wish to communicate, they establish a logical
connection (e.g., virtual circuit). For the duration of that
logical connection, called a session, all user data are
encrypted with a one-time session key. At the conclusion
of the session, the session key is destroyed
Symmetric Key Distribution /Cont…
 Option 4 requires a Key Distribution Center (KDC) that determines
which systems are allowed to communicate with each other
 The operation of a KDC is as follows
1. When host A wishes to set up a connection to host B, it transmits
a connection request packet to the KDC. The communication
between A and the KDC is encrypted using a master key (or
permanent key) shared only by A and the KDC
2. If the KDC approves the connection request, it generates a unique
one-time session key. It encrypts the session key using the
permanent key it shares with A and delivers the encrypted session
key to A. Similarly, it encrypts the session key using the permanent
key it shares with B and delivers the encrypted session key to B
3. A and B can now set up a logical connection and exchange
messages and data, all encrypted using the temporary session key
Symmetric Key Distribution /Cont…
 The automated key distribution approach provides the flexibility
and dynamic characteristics needed to allow a number of users to
access a number of servers and for the servers to exchange data
with each other. The most widely used application that
implements this approach is Kerberos
Benefits of Session Keys
 The session key is safely discarded when the channel is no longer
used
 When a key is used very often it becomes vulnerable. Thus by
using the permanent key less often, we make it less vulnerable
 Replay attacks can be avoided (i.e., using the key later after the
session ends to pretend to be one of the communicating parties)
 Such a combination of long-lasting keys and cheaper (more temporary)
session keys is a good choice
Symmetric Key Distribution /Cont…
Symmetric Key Distribution Using Asymmetric Encryption
 Because of the inefficiency of public key cryptosystems, they are almost
never used for the direct encryption of sizable blocks of data, but are
limited to relatively small blocks
 One of the most important uses of a public-key cryptosystem is to
encrypt secret keys for distribution
 Assume that A and B have exchanged public keys
1. A uses B’s public key to encrypt a message (m1) to B containing an
identifier of A (IDA) and a nonce (N1), which is used to identify this
transaction uniquely
m1 = E(KB+, IDA+N1)
2. B sends a message (m2) to A encrypted with A’s public key and
containing A’s nonce N1 as well as a new nonce N2 generated by B.
Because only B could have decrypted message m1, the presence of N1 in
message m2 assures A that the correspondent is B
m2 = E(KA+, N1+N2)
Symmetric Key Distribution /Cont…
3. A returns N2, encrypted using B’s public key, to assure B
that its correspondent is A
m = E(KB+, N2)
4. A selects a secret key Ks and sends M = E(KB+, E(KA-, Ks))
to B. Encryption of this message with B’s public key ensures
that only B can read it; encryption with A’s private key
ensures that only A could have sent it
5. B computes to recover the secret key
 This scheme ensures both confidentiality and authentication
(steps 1 and 2) in the exchange of a secret key
Public Key Distribution
Public Announcement of Public Keys
 Send a public key to any other participant or broadcast the key to
the community
 But anyone can forge such a public announcement, i.e., some user
could pretend to be a legitimate user and send a public key to
another participant or broadcast it; or Trudy can send Alice a public
key pretending to be Bob
Public-key Infrastructure
 We need a body that certifies the public key is that of the party (a
person, a router, etc.) we wish to communicate with, i.e.,
Certification/Certificate Authority (CA) that signs (certifies) the
public key; an example is VeriSign
 Public-Key Infrastructure (PKI) is the set of hardware, software,
people, policies, and procedures needed to create, manage, store,
distribute, and revoke digital certificates based on asymmetric
cryptography
Public Key Distribution /Cont…
 Users publish certificates with the X.509 standard (for formatting
certificates)
 A certificate is a public key and some naming “stuff”, digitally
signed by someone you trust (third party), i.e., the CA
 The resulting certificate will contain information like user’s
name/ID, user’s public key, name of CA, start date of certificate,
and length of time it is valid
 When Bob sends a message (encrypted with his private key) and
his CA-signed certificate, Alice uses the CA’s public key to check
the validity of Bob’s certificate and extract Bob’s public key
 The Internet Engineering Task Force (IETF) Public Key
Infrastructure X.509 (PKIX) working group has been the driving
force for deploying a certificate-based architecture on the
Internet
 Read more about the Internet Engineering Task Force (IETF)
Public Key Infrastructure X.509 (PKIX)
Concluding Remarks about Encryption
Symmetric Cryptography
 Advantage: It is efficient
 Disadvantage: It is impractical for exchanging messages with a
large group of previously unknown correspondents over a
public network, e.g., in e-commerce, for a merchant to
conduct transactions securely with millions of customers,
each customer would need a distinct key assigned by that
merchant and transmitted over a separate secure channel
Asymmetric Cryptography
 Advantage: It allows for secrecy between two parties who
have not arranged in advance to have a shared key (or trusted
some third party to give it to them)
 Disadvantage: inefficient
Therefore, in practice, hybrid systems use public-key cryptography to establish
a session key for symmetric encryption
Question
?