Module II

The document provides an overview of symmetric and asymmetric key cryptography, detailing various algorithms such as block ciphers, stream ciphers, DES, AES, and RSA. It explains the principles, advantages, and disadvantages of each encryption method, including their operational modes and security features. The document emphasizes the evolution of encryption standards from DES to AES due to the increasing computational capabilities and the necessity for stronger security measures.

Uploaded by pefitam801

Module II

Symmetric and Asymmetric Key Cryptography and Key Management

Internal
Symmetric Algorithms

Symmetric-key algorithms (ciphers) work either on blocks of bits (characters) or on one bit at a time.

Block Cipher

• Algorithms that work on blocks are called block ciphers.

• A block cipher breaks down a plain text message into fixed-size blocks before converting them into ciphertext using a key.
• It allows you to use a key to encrypt data in big ol’ groups (blocks) of a pre-determined size (such as 128 bits, 256 bits, etc.).
• So, what this does is allow you to encrypt all the data in a block as a single unit.
• For example, let’s say you have the message: “For the Alliance.” (Don’t hate, Horde fans.
Your time will come.)

Working

Stream Cipher
Algorithms that work on one bit of data at a time are called stream ciphers.

Stream algorithms are faster and more efficient than block ciphers because they’re encrypting only one bit of data at a time into individual symbols rather than entire blocks. So, they’re better suited for devices that have fewer resources.

| Sr No | Attribute | Block Cipher | Stream Cipher |
|---|---|---|---|
| 1 | Definition | Block Cipher is the type of encryption where the conversion of plaintext is performed by taking its block at a time. | Stream Cipher is the type of encryption where the conversion of plaintext is performed by taking one byte of the plaintext at a time. |
| 2 | Principle | It uses both diffusion and confusion principles for the conversion (used later in encryption). | Only the confusion principle is used by Stream Cipher for the conversion. |
| 3 | Conversion of Bits | Block cipher uses either 64 bits or more than 64 bits. | While stream cipher uses 8 bits. |
| 4 | Security | High | Low |
| 5 | Speed | Low | High |
| 6 | Application | Non real time such as documents | Real time data such as voice |
| 7 | Reversibility | It is difficult to reverse encrypted text. | It uses XOR encryption, which is easily reversed to the plain text. |
| 8 | Algorithm modes used | ECB (Electronic Code Book), CBC (Cipher Block Chaining) | CFB (Cipher Feedback), OFB (Output Feedback) |

Block Cipher Principles

There are three main components in designing block cipher:


• Number of Rounds
• Design of the function F
• Key Scheduling

Design Principles for Number of Rounds in the Block Cipher:
• The greater the number of rounds, the more difficult it is to perform cryptanalysis.
• The number of rounds is chosen such that a known cryptanalysis takes a greater effort compared to a brute force attack.
Design Principles for Function F:
• It must be difficult to reassemble the substitution performed by function F.
• F is non-linear, which means it is difficult to establish any relation between the input to F and the output from F.
• F should have a high avalanche effect.
Design Principles for Key Scheduling:
• Subkey selection should be such that it is difficult to work backwards to derive the main key.
• Subkeys should be hard to guess as well.
• The key should produce an avalanche effect.

Block Cipher mode of Operation

• Electronic Code Book (ECB) mode – block cipher
• Cipher Block Chaining (CBC) mode – block cipher
• Cipher Feedback (CFB) mode – block cipher acting as stream cipher
• Output Feedback (OFB) mode – block cipher acting as stream cipher
• Counter (CTR) mode – block cipher

Electronic Code Book (ECB) –
❑ Electronic code book is the easiest block cipher mode of functioning.
❑ It is easier because each block of input plaintext is encrypted directly, and the output is in the form of blocks of encrypted ciphertext.
❑ Generally, if a message is larger than b bits in size, it can be broken down into a bunch of blocks and the procedure is repeated.
❑ Procedure of ECB is illustrated in diagram:

Advantages of using ECB –
✔ Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.
✔ Simple way of the block cipher.

Disadvantages of using ECB –
✔ Prone to cryptanalysis since there is a direct relationship between plaintext and ciphertext.

Cipher Block Chaining –
❑ Cipher block chaining or CBC is an advancement made on ECB, since ECB compromises some security requirements.
❑ In CBC, the previous cipher block is given as input to the next encryption algorithm after XOR with the original plaintext block.
❑ In a nutshell, a cipher block is produced by encrypting the XOR output of the previous cipher block and the present plaintext block.
❑ The process is illustrated in Figure:

Advantages of CBC –
✔ CBC is a good authentication mechanism.
✔ Better resistive nature towards cryptanalysis than ECB.
Disadvantages of CBC –
✔ Parallel encryption is not possible since every encryption requires a previous cipher.

Cipher Feedback Mode (CFB) –
❑ CFB mode stands for Cipher Feedback Mode. In this mode, the data is encrypted in the form of units where each unit is of 8 bits.
❑ The cipher is given as feedback to the next block of encryption with some new specifications: first, an initial vector IV is used for the first encryption and the output bits are divided as a set of s and b-s bits. The left-hand side s bits are selected along with plaintext bits to which an XOR operation is applied.
❑ The result is given as input to a shift register having b-s bits to the left-hand side and s bits to the right-hand side, and the process continues.
❑ The encryption and decryption process for the same is shown in figure; both use encryption algorithms.

Advantages of CFB –
✔ Since there is some data loss due to the use of the shift register, it is difficult to apply cryptanalysis.
Disadvantages of CFB –
✔ The drawbacks of CFB are the same as those of CBC mode. Both block losses and concurrent encryption of several blocks are not supported by the encryption. Decryption, however, is parallelizable and loss-tolerant.

Output Feedback Mode –
❑ The output feedback mode follows nearly the same process as the Cipher Feedback mode except that it sends the encrypted output as feedback instead of the actual cipher which is XOR output.
❑ In this output feedback mode, all bits of the block are sent instead of sending selected s bits.
❑ The Output Feedback mode of block cipher holds great resistance towards bit transmission errors.
❑ It also decreases the dependency or relationship of the cipher on the plaintext.

Advantages of OFB –
✔ In the case of CFB, a single bit error in a block is propagated to all subsequent blocks. This problem is solved by OFB as it is free from bit errors in the plaintext block.
Disadvantages of OFB –
✔ The drawback of OFB is that, because of its operational modes, it is more susceptible to a message stream modification attack than CFB.

Counter Mode
❑ The Counter Mode or CTR is a simple counter-based
block cipher implementation.
❑ Every time a counter-initiated value is encrypted and
given as input to XOR with plaintext which results in
ciphertext block.
❑ The CTR mode is independent of feedback use and thus
can be implemented in parallel.
❑ Its simple implementation is shown in Figure

Advantages of Counter –
✔ Since there is a different counter value for each block,
the direct plaintext and ciphertext relationship is avoided.
This means that the same plain text can map to different
ciphertext.
✔ Parallel execution of encryption is possible as outputs
from previous stages are not chained as in the case of
CBC.
Disadvantages of Counter-
✔ The fact that CTR mode requires a synchronous counter at both the transmitter and the receiver is a severe drawback. The recovery of plaintext is erroneous when

Data Encryption Standard (DES)

DES uses a 56-bit key. Actually, the initial key consists of 64 bits. However, before the DES process even
starts, every 8th bit of the key is discarded to produce a 56-bit key. That is bit positions 8, 16, 24, 32, 40,
48, 56, and 64 are discarded.

DES Analysis
DES satisfies both of the desired properties of a block cipher. These two properties make the cipher very strong.
• Avalanche effect − A small change in plaintext results in a very great change in the ciphertext.
• Completeness − Each bit of ciphertext depends on many bits of plaintext.
• During the last few years, cryptanalysis has found some weaknesses in DES when the keys selected are weak keys. These keys shall be avoided.
• DES has proved to be a very well designed block cipher. There have been no significant cryptanalytic attacks on DES other than exhaustive key search.

Double DES
• In this approach, we use two instances of DES ciphers for encryption and two instances of reverse ciphers for decryption.
• Each instance uses a different key.
• The size of the key is doubled.
• The 64-bit plain text goes into the first DES instance, which converts it into a 64-bit middle text using the first key. It then goes to the second DES instance, which gives the 64-bit cipher text using the second key.
• However, although double DES uses a 112-bit key, it gives a security level of 2^56, not 2^112. This is because of the meet-in-the-middle attack, which can be used to break through double DES.

Meet-in-the-middle attack

Triple DES
• Triple DES is an encryption technique which uses three instances of DES on the same plain text. It uses three different types of key choosing technique: in the first all the keys used are different, in the second two keys are the same and one is different, and in the third all keys are the same.
• Triple DES is also vulnerable to the meet-in-the-middle attack.
• The block collision attack can also be done because of the short block size and the use of the same key to encrypt a large amount of text. It is also vulnerable to the sweet32 attack.
• Collision attack: two separate inputs result in the same hash value.
• Sweet32: the attacker tries to get a small portion of the plain text.

Why Was the AES Encryption Algorithm necessary ?

• When the Data Encryption Standard algorithm, also known as the DES algorithm, was formed and
standardized, it made sense for that generation of computers. Going by today’s computational
standards, breaking into the DES algorithm became easier and faster with every year.
• A more robust algorithm was the need of the hour, with longer key sizes and stronger ciphers to
break into. They created the triple DES to fix this problem, but it never became mainstream
because of its relatively slower pace. Thus, the Advanced Encryption Standard came into existence
to overcome this drawback.

AES
• The AES Encryption algorithm (also known as the Rijndael algorithm) is a symmetric block cipher
algorithm with a block/chunk size of 128 bits. It converts these individual blocks using keys of 128,
192, and 256 bits. Once it encrypts these blocks, it joins them together to form the ciphertext.
• Published by NIST in 2001
• It is based on a substitution-permutation network, also known as an SP network. It consists of
a series of linked operations, including replacing inputs with specific outputs (substitutions) and
others involving bit shuffling (permutations).
• SP Network: It works on an SP network structure rather than a Feistel cipher structure, as seen
in the case of the DES algorithm.
• Key Expansion: It takes a single key up during the first stage, which is later expanded to multiple
keys used in individual rounds.
• Byte Data: The AES encryption algorithm does operations on byte data instead of bit data. So it
treats the 128-bit block size as 16 bytes during the encryption procedure.
• Key Length: The number of rounds to be carried out depends on the length of the key being used
to encrypt data. The 128-bit key size has ten rounds, the 192-bit key size has 12 rounds, and
the 256-bit key size has 14 rounds.

Each round comprises four sub-processes. The first round process is depicted below −

Shift Rows

Add Round Key

Key Expansion in AES

The AES key expansion algorithm takes a 128-bit (16-byte) key, i.e. a four-word key, as input and produces a linear array of 44 words. (In AES, 4 bytes = 1 word.) The figure describes the steps of key expansion.

Decryption Process

The process of decryption of an AES cipher text is similar to the encryption process in the reverse
order. Each round consists of the four processes conducted in the reverse order −
• Add round key
• Mix columns
• Shift rows
• Byte substitution
Since the sub-processes in each round are carried out in reverse, unlike for a Feistel cipher, the encryption and decryption algorithms need to be implemented separately, although they are very closely related.

AES Analysis
• In present day cryptography, AES is widely adopted and supported in both hardware and
software.
• Till date, no practical cryptanalytic attacks against AES have been discovered. Additionally, AES has
built-in flexibility of key length, which allows a degree of ‘future-proofing’ against progress in the
ability to perform exhaustive key searches.
• However, just as for DES, the AES security is assured only if it is correctly implemented and good
key management is employed.

Public Key Cryptography

Public key cryptography (also known as public-key encryption and asymmetric encryption) is
based on algorithms presented by Rivest-Shamir-Adleman (RSA) Data Security.
Public key cryptography involves a pair of keys known as a public key and a private key (a public key
pair), which are associated with an entity that needs to authenticate its identity electronically or to
sign or encrypt data. Each public key is published and the corresponding private key is kept secret.
Data that is encrypted with the public key can be decrypted only with the corresponding private
key.

RSA Algorithm

The RSA algorithm is an asymmetric cryptography algorithm; this means that it uses a public key and
a private key (i.e. two different, mathematically linked keys). As their names suggest, a public key is shared
publicly, while a private key is secret and must not be shared with anyone.
The RSA algorithm is named after those who invented it in 1978: Ron Rivest, Adi Shamir, and Leonard
Adleman.
The RSA algorithm ensures that the keys are as secure as possible. An RSA key is typically 1024 or 2048 bits long so that keys cannot be broken easily.
RSA is based on the fact that it is difficult to factorize a large integer. The following steps highlight how it works:
1. Generating Keys
• Select two large prime numbers, x and y. The prime numbers need to be large so that they will be difficult for someone to figure out.
• Calculate n = x × y.
• Calculate the totient function: ϕ(n) = (x−1)(y−1).
• Select an integer e, such that e is co-prime to ϕ(n) and 1 < e < ϕ(n). The pair of numbers (n, e) makes up the public key.
• Calculate d such that e·d mod ϕ(n) = 1, i.e. d = (k·ϕ(n) + 1)/e for some integer k.
• d can be found using the extended Euclidean algorithm. The pair (n, d) makes up the private key.

Encryption
• Given a plaintext P, represented as a number, the ciphertext C is calculated as:
C = P^e mod n.
Decryption
• Using the private key (n, d), the plaintext can be found using:
• P = C^d mod n.
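The key generation, encryption and decryption steps above carried through in code, as an added example that is not part of the original slides. The small primes x = 61, y = 53 and e = 17 are constructed values chosen so the numbers can be checked by hand; the function names are illustrative, and x and y are assumed to be prime rather than tested.

```python
from math import gcd

def egcd(a: int, b: int):
    """Extended Euclidean algorithm: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def generate_keys(x: int, y: int, e: int):
    """Return ((n, e), (n, d)) for primes x and y (primality is assumed, not checked)."""
    n = x * y
    phi = (x - 1) * (y - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and be co-prime to phi(n)")
    _, s, _ = egcd(e, phi)      # e*s + phi*t == 1, so s is the inverse of e mod phi
    d = s % phi
    return (n, e), (n, d)

def multiplier_k(e: int, d: int, phi: int) -> int:
    """The integer k in d = (k*phi(n) + 1) / e."""
    if (e * d - 1) % phi:
        raise ValueError("e*d is not 1 modulo phi(n)")
    return (e * d - 1) // phi

def encrypt(P: int, public_key) -> int:
    n, e = public_key
    if not 0 <= P < n:
        raise ValueError("plaintext must be a number in the range 0..n-1")
    return pow(P, e, n)         # C = P^e mod n

def decrypt(C: int, private_key) -> int:
    n, d = private_key
    return pow(C, d, n)         # P = C^d mod n

if __name__ == "__main__":
    public_key, private_key = generate_keys(61, 53, 17)
    C = encrypt(65, public_key)
    print("public key :", public_key)
    print("private key:", private_key)
    print("k          :", multiplier_k(17, private_key[1], 60 * 52))
    print("ciphertext :", C)
    print("decrypted  :", decrypt(C, private_key))
    # The same P always gives the same C: these formulas are deterministic,
    # which is why deployed RSA adds randomized padding before exponentiation.
    print("repeatable :", encrypt(65, public_key) == C)
```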

Advantages:
• It is very easy to implement RSA algorithm.
• RSA algorithm is safe and secure for transmitting confidential data.
• Cracking RSA algorithm is very difficult as it involves complex mathematics.
• Sharing public key to users is easy.
Disadvantages:
• It may fail sometimes because for complete encryption both symmetric and asymmetric
encryption is required and RSA uses asymmetric encryption only.
• It has slow data transfer rate due to large numbers involved.
• It requires third party to verify the reliability of public keys sometimes.
• High processing is required at receiver’s end for decryption.
• RSA can’t be used for public data encryption like election voting.

Knapsack Crypto System
• Knapsack Encryption Algorithm is the first general public key cryptography algorithm.
• It was developed by Ralph Merkle and Martin Hellman in 1978.
• As it is a public key cryptography, it needs two different keys. One is the public key, which is used for the encryption process, and the other one is the private key, which is used for the decryption process. In this algorithm we will use two different knapsack problems, in which one is easy and the other one is hard.
• The easy knapsack is used as the private key and the hard knapsack is used as the public key. The easy knapsack (private key) is used to derive the hard knapsack (public key).
• For the easy knapsack, we will choose a super increasing knapsack problem. A super increasing knapsack is a sequence in which every next term is greater than the sum of all preceding terms.

For example, {1, 2, 4, 10, 20, 40} is super increasing, as 1<2, 1+2<4, 1+2+4<10, 1+2+4+10<20 and 1+2+4+10+20<40.

Derive the Public Key
• Step-1: Choose a super increasing knapsack {1, 2, 4, 10, 20, 40} as the private key.

• Step-2: Choose two numbers n and m. Multiply all the values of the private key by the number n and then find modulo m. The value of m must be greater than the sum of all values in the private key, for example 110. And the number n should have no common factor with m, for example 31.

• Step-3: Calculate the values of the public key using m and n.

1 × 31 mod 110 = 31
2 × 31 mod 110 = 62
4 × 31 mod 110 = 14
10 × 31 mod 110 = 90
20 × 31 mod 110 = 70
40 × 31 mod 110 = 30

Thus, our public key is {31, 62, 14, 90, 70, 30} and the private key is {1, 2, 4, 10, 20, 40}.
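The derivation above continued through encryption and decryption, as an added example that is not part of the original slides. It uses the slide's own values (private key {1, 2, 4, 10, 20, 40}, n = 31, m = 110); the function names and the sample bit pattern are constructed for illustration.

```python
from math import gcd

def derive_public(private, n, m):
    """Steps 1-3: check the choices of private key, n and m, then compute the public key."""
    total = 0
    for term in private:
        if term <= total:
            raise ValueError("private key is not super increasing")
        total += term
    if m <= total:
        raise ValueError("m must be greater than the sum of the private key")
    if gcd(n, m) != 1:
        raise ValueError("n must have no common factor with m")
    return [(term * n) % m for term in private]

def encrypt_block(bits, public):
    """Ciphertext is the sum of the public-key terms selected by the 1 bits."""
    if len(bits) != len(public):
        raise ValueError("one bit per public-key term is required")
    return sum(term for bit, term in zip(bits, public) if bit)

def decrypt_block(cipher, private, n, m):
    """Undo the multiplication by n, then solve the easy knapsack greedily."""
    target = (cipher * pow(n, -1, m)) % m      # n^-1 mod m (71 for n=31, m=110)
    bits = [0] * len(private)
    for i in range(len(private) - 1, -1, -1):  # largest term first
        if private[i] <= target:
            bits[i] = 1
            target -= private[i]
    if target:
        raise ValueError("ciphertext does not decode under this key")
    return bits

def encrypt_bytes(data, public):
    """Split a byte string into blocks of len(public) bits (zero padded) and encrypt each."""
    bits = [int(b) for byte in data for b in f"{byte:08b}"]
    bits += [0] * (-len(bits) % len(public))
    k = len(public)
    return [encrypt_block(bits[i:i + k], public) for i in range(0, len(bits), k)]

def decrypt_bytes(blocks, private, n, m, length):
    """Decrypt the blocks and reassemble the first `length` bytes."""
    bits = [b for c in blocks for b in decrypt_block(c, private, n, m)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 8 * length, 8))

if __name__ == "__main__":
    private, n, m = [1, 2, 4, 10, 20, 40], 31, 110
    public = derive_public(private, n, m)
    print("public key:", public)
    c = encrypt_block([1, 0, 0, 1, 0, 0], public)   # constructed sample bits: 31 + 90
    print("ciphertext:", c)
    print("decrypted :", decrypt_block(c, private, n, m))
    blocks = encrypt_bytes(b"key", public)
    print("bytes     :", blocks, decrypt_bytes(blocks, private, n, m, 3))
```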

Diffie-Hellman algorithm

• The Diffie-Hellman algorithm is being used to establish a shared secret that can be used
for secret communications while exchanging data over a public network using the elliptic
curve to generate points and get the secret key using the parameters.
• For the sake of simplicity and practical implementation of the algorithm, we will consider only
4 variables, one prime P and G (a primitive root of P) and two private values a and b.
• P and G are both publicly available numbers. Users (say Alice and Bob) pick private values
a and b and they generate a key and exchange it publicly.
• The opposite person receives the key and that generates a secret key, after which they have
the same secret key to encrypt.
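The exchange described above with the four variables P, G, a and b, as an added example that is not part of the original slides. It uses the modular-arithmetic form of Diffie-Hellman; the small values P = 23, G = 5, a = 6, b = 15, the check on received values and the SHA-256 key derivation are assumptions made for illustration.

```python
import hashlib

def prime_factors(n: int) -> set:
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g: int, p: int) -> bool:
    """G is a primitive root of prime P if G^((P-1)/q) != 1 for every prime q dividing P-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def public_value(g: int, private: int, p: int) -> int:
    """The value a user sends in the clear: G^private mod P."""
    return pow(g, private, p)

def shared_secret(peer_value: int, private: int, p: int) -> int:
    # Reject 0, 1 and P-1: they would force the secret into a set of one or two values.
    if not 2 <= peer_value <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_value, private, p)

def session_key(secret: int, p: int) -> bytes:
    """Hash the shared number into a fixed-length symmetric key (assumed derivation)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()

def exchange(p: int, g: int, a: int, b: int) -> dict:
    """Run both sides: Alice holds a, Bob holds b, and only A and B cross the network."""
    if not is_primitive_root(g, p):
        raise ValueError("G is not a primitive root of P")
    A = public_value(g, a, p)                 # Alice -> Bob
    B = public_value(g, b, p)                 # Bob -> Alice
    alice_secret = shared_secret(B, a, p)     # B^a mod P
    bob_secret = shared_secret(A, b, p)       # A^b mod P
    return {
        "A": A, "B": B,
        "alice_secret": alice_secret, "bob_secret": bob_secret,
        "alice_key": session_key(alice_secret, p),
        "bob_key": session_key(bob_secret, p),
    }

if __name__ == "__main__":
    result = exchange(p=23, g=5, a=6, b=15)
    print("sent in public:", result["A"], result["B"])
    print("shared secret :", result["alice_secret"], result["bob_secret"])
    print("keys match    :", result["alice_key"] == result["bob_key"])
```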

Key Distribution Center (KDC)
A Key Distribution Center is the way to automatically distribute keys to support arbitrary
connections between pairs of users. The users can be a computer, a process or applications.
Each user shares a unique key with the KDC, known as the master key.
• To use a KDC, we need a minimum of two-level key hierarchy.
• The master key is used to identify the user and, the second key is used to encrypt the
communication between the two users. This second key is usually known as the session
key.
• The session key is encrypted using the master key and it is then sent to the clients for an
end-to-end encrypted connection.
• Each session will have a different key. In this way, we are adding an extra layer of protection
because all the traffic is encrypted using different keys.
• So, if an attacker gets one key, it won’t be able to decrypt all the messages, only those
messages encrypted with the specific key.

Drawback

• The main drawback of a KDC is that the KDC must be trusted. Also, it must be protected at
all levels. If the security of the KDC is compromised all messages can be discovered easily.
• One way to fight this drawback is using a decentralized approach to key distribution. Although not practical in large networks, it can be of use in a local network, for example Kerberos.

Needham-Schroeder Protocol
• Needham-Schroeder Protocol is a cryptographic protocol designed to establish secure
communication between two parties over an insecure network.
• It was proposed by Roger Needham and Michael Schroeder in 1978 and has since
become a fundamental protocol in network security.
The protocol involves three main entities:
• A trusted server
• Initiator (Alice)
• Responder (Bob)
• Its goal is to establish a shared session key between initiator and responder, which can
be used for secure communication.

Working
• The main thing in this protocol is that there is a trusted middle man, or call him an arbitrator.
• This trusted middle man is a server. If an X machine wants to communicate with a Y machine, then X has to contact the middle man server, saying it is interested in communicating with Y.
• Let A = Machine A
• B = Machine B
• SK(AS) = this is the symmetric key known to Machine A and the middle man server named “S”
• SK(BS) = this is the symmetric key known to Machine B and the middle man server named “S”
• NON(A) = Nonce generated by Machine A (a nonce is a randomly generated string which is only valid for some period of time; it is used in encryption protocols to prevent replay attacks.)
• NON(B) = Nonce generated by Machine B
• SK(S) = this is the symmetric key/session key generated by the server for both Machine A and Machine B.

• The symmetric keys of both Machine A and Machine B are already shared with the middle man server. Any other machine in the network also shares its respective symmetric key with the middle man server.
• Message 1: Machine A sends a message to Server S saying that it wants to communicate with Machine B.

A → S: (this message contains A and B and NON(A))

• Message 2: Server S sends message 2 back to Machine A containing SK(S), and also one more copy of SK(S) encrypted with SK(BS); this copy will be sent to Machine B by Machine A.

S → A: {NA, KAB, B, {KAB, A}KBS}KA

(In these message formulas NA and NB are the nonces NON(A) and NON(B), KAB is the session key SK(S), and KA and KBS are SK(AS) and SK(BS).)

• Message 3: Machine A forwards the copy of SK(S) to Machine B, who can decrypt it with the key it has because it was encrypted by the middle man server with Machine B's symmetric key SK(BS).

• Message 4: Machine B sends back to Machine A a nonce value encrypted by KAB to confirm that it has the symmetric key or session key provided by the middle man server.

B → A: {NB}KAB

• Message 5: Machine A performs a simple operation on the nonce provided by Machine B and resends that back to Machine B just to verify that Machine A has the key.

A → B: {NB − 1}KAB

• There is still some vulnerability to replay attacks in this protocol, which is fixed by the timestamp implementation when it is used by Kerberos.

• Its reliance on a trusted server creates a central vulnerability.

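The five messages above run end to end, followed by the replayed-ticket problem and the timestamp check the slide attributes to Kerberos, as an added example that is not part of the original slides. The seal/unseal helpers are a toy authenticated cipher standing in for encryption under SK(AS), SK(BS) and the session key; the "T" field, max_age and all function names are assumptions.

```python
import hashlib
import hmac
import json
import os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, fields: dict) -> str:
    """Toy stand-in for {fields}K: encrypt and authenticate (not a vetted cipher)."""
    nonce = os.urandom(12)
    plain = json.dumps(fields).encode()
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plain))
    body = bytes(p ^ k for p, k in zip(plain, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return (nonce + tag + body).hex()

def unseal(key: bytes, blob: str) -> dict:
    raw = bytes.fromhex(blob)
    nonce, tag, body = raw[:12], raw[12:44], raw[44:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return json.loads(bytes(c ^ k for c, k in zip(body, stream)))

def server_message2(keys: dict, a: str, b: str, na: str, now: int) -> str:
    """Message 2, S -> A: {NA, KAB, B, {KAB, A}KBS}KA. 'T' is the added issue time."""
    kab = os.urandom(32).hex()
    ticket = seal(keys[b], {"KAB": kab, "A": a, "T": now})
    return seal(keys[a], {"NA": na, "KAB": kab, "B": b, "ticket": ticket})

def bob_accept_ticket(kbs: bytes, ticket: str, now: int, max_age=None):
    """Message 3 at B. max_age=None is the original protocol: nothing in it is fresh to B."""
    fields = unseal(kbs, ticket)
    if max_age is not None and now - fields["T"] > max_age:
        raise ValueError("stale ticket: possible replay")
    return fields["A"], bytes.fromhex(fields["KAB"])

def run_protocol(now: int = 1000) -> dict:
    keys = {"A": os.urandom(32), "B": os.urandom(32)}          # SK(AS) and SK(BS)
    na = os.urandom(8).hex()                                    # message 1: A, B, NON(A)
    reply = unseal(keys["A"], server_message2(keys, "A", "B", na, now))
    if reply["NA"] != na or reply["B"] != "B":
        raise ValueError("server reply does not match the request")
    kab_a = bytes.fromhex(reply["KAB"])
    peer, kab_b = bob_accept_ticket(keys["B"], reply["ticket"], now)   # message 3
    nb = int.from_bytes(os.urandom(8), "big")
    msg4 = seal(kab_b, {"NB": nb})                              # message 4: {NB}KAB
    msg5 = seal(kab_a, {"NB-1": unseal(kab_a, msg4)["NB"] - 1}) # message 5: {NB-1}KAB
    handshake_ok = unseal(kab_b, msg5)["NB-1"] == nb - 1
    return {"peer": peer, "same_key": kab_a == kab_b, "handshake_ok": handshake_ok,
            "ticket": reply["ticket"], "kbs": keys["B"]}

if __name__ == "__main__":
    run = run_protocol(now=1000)
    print("handshake:", run["peer"], run["same_key"], run["handshake_ok"])
    # The same ticket presented a day later is still accepted by the original protocol.
    print("replay accepted:", bob_accept_ticket(run["kbs"], run["ticket"], now=87400)[0])
    try:
        bob_accept_ticket(run["kbs"], run["ticket"], now=87400, max_age=300)
    except ValueError as err:
        print("with timestamp check:", err)
```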
Applications

The Needham-Schroeder protocol is utilized in several different applications, including:

• Transport Layer Security (TLS)

• Secure Socket Layers (SSL)

• Kerberos

Kerberos
Kerberos provides a centralized authentication server whose
function is to authenticate users to servers and servers to users.
In Kerberos Authentication server and database is used for
client authentication.
Kerberos runs as a third-party trusted server known as the Key
Distribution Center (KDC). Each user and service on the network
is a principal.
The main components of Kerberos are:
• Authentication Server (AS):
The Authentication Server performs the initial authentication
and ticket for Ticket Granting Service.
• Database:
The Authentication Server verifies the access rights of users in
the database.
• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server

KERBEROS
Step-1:
Client requests authentication. The user asks for a Ticket Granting Ticket (TGT). This request includes ID.

Step-2:
• Authentication Server verifies user’s access right using database.
• If AS finds both values, it generates the user’s secret key, using the user’s password hash.
• The AS then computes the TGS secret key and creates a session key encrypted by the client secret key.
• It then gives the ticket-granting ticket (client ID, client network address, timestamp and session key). Results are encrypted using the password of the user.

Step-3:
The decryption of the message is done using the password, then the ticket is sent to the Ticket Granting Server. The ticket contains authenticators like user names and network addresses.

Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, the authenticator verifies the request, and then it creates the ticket for requesting services from the Server.

Step-5:
The user sends the Ticket and Authenticator to the Server.

Step-6:
The server verifies the Ticket and authenticators, then generates access to the service. After this the user can access the services.

Kerberos Limitations:
• Each network service must be modified individually for use with Kerberos.

• It doesn’t work well in a timeshare environment.

• All stored passwords are encrypted with a single key.

• May result in cascading loss of trust.

• Scalability

Applications

• Although Kerberos is found everywhere in the digital world, it is employed heavily on secure
systems that depend on reliable auditing and authentication features
• User Authentication
• Single Sign-On (SSO)
• Kerberos is used in Posix authentication, and Active Directory, NFS, and Samba. It's also an
alternative authentication system to SSH, POP, and SMTP.

Digital certificate
A digital certificate is issued by a trusted third party which proves the sender’s identity to the receiver and the receiver’s identity to the sender.

A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the identity of the certificate holder.
The CA issues an encrypted digital certificate containing the applicant’s public key and a variety of other identification information.

A digital certificate is used to attach a public key to a particular individual or an entity.

A digital certificate contains:

1. Name of certificate holder.
2. Serial number, which is used to uniquely identify a certificate, the individual or the entity identified by the certificate.
3. Expiration dates.
4. Copy of certificate holder’s public key (used for decrypting messages and digital signatures).
5. Digital signature of the certificate issuing authority.

| Feature | Digital Signature | Digital Certificate |
|---|---|---|
| Basics / Definition | Digital signature is like a fingerprint or an attachment to a digital document that ensures its authenticity and integrity. | Digital certificate is a file that ensures holder’s identity and provides security. |
| Process / Steps | Hashed value of original message is encrypted with sender’s secret key to generate the digital signature. | It is generated by CA (Certifying Authority) that involves four steps: Key Generation, Registration, Verification, Creation. |
| Security Services | Authenticity of sender, integrity of the document and non-repudiation. | It provides security and authenticity of certificate holder. |
| Standard | It follows Digital Signature Standard (DSS). | It follows X.509 Standard Format |

X.509
X.509 is a digital certificate that is built on top of a widely trusted standard known as ITU or
International Telecommunication Union X.509 standard, in which the format of PKI certificates is
defined.
X.509 digital certificate is a certificate-based authentication security framework that can be used for
providing secure transaction processing and private information.
These are primarily used for handling the security and identity in computer networking and internet-based communications.

Format
• Version number: It defines the X.509 version that concerns the certificate.

• Serial number: It is the unique number that the certified authority issues.

• Signature Algorithm Identifier: This is the algorithm that is used for signing the certificate.

• Issuer name: Tells about the X.500 name of the certified authority which signed and created the certificate.

• Period of Validity: It defines the period for which the certificate is valid.

• Subject Name: Tells about the name of the user to whom this certificate has been issued.

• Subject’s public key information: It defines the subject’s public key along with an identifier of the algorithm for which this key is supposed to be used.

• Extension block: This field contains additional standard information.

• Signature: This field contains the hash code of all other fields, which is encrypted by the certified authority private key.

Applications of X.509 Authentication Service Certificate

Many protocols depend on X.509 and it has many applications, some of them are given below:

• Document signing and Digital signature

• Web server security with the help of Transport Layer Security (TLS)/Secure Sockets Layer
(SSL) certificates

• Email certificates

• Code signing

• Secure Shell Protocol (SSH) keys

• Digital Identities

Public Key Infrastructure

• PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that
protects communications between the server (your website) and the client (the users).
• It is the governing body behind issuing digital certificates.
• PKI is one of the most common forms of internet encryption, and it is used to secure
and authenticate traffic between web browsers and web servers.
• Public key infrastructure has two main goals: to ensure the privacy of the message being
sent and to verify that the sender is who they claim to be.

Components of PKI:
• Registration authority
• Certification authority
• Certification Repository
• Entity

PKI
• Certificate authority (CA): The CA is a trusted entity that issues, stores, and signs the
digital certificate. The CA signs the digital certificate with their own private key and then
publishes the public key that can be accessed upon request.
• Registration authority (RA): The RA verifies the identity of the user or device
requesting the digital certificate. This can be a third party, or the CA can also act as the
RA.
• Certificate database/ Repository: This database stores the digital certificate and its
metadata, which includes how long the certificate is valid.
• Central directory: This is the secure location where the cryptographic keys are indexed
and stored.
• Certificate management system: This is the system for managing the delivery of
certificates as well as access to them.
• Certificate policy: This policy outlines the procedures of the PKI. It can be used by
outsiders to determine the PKI’s trustworthiness.

The PKI certificate will contain the following:

• Distinguished name (DN) of the owner

• Owner’s public key

• Date of issuance

• Expiration date

• DN of the issuing CA

• Issuing CA’s digital signature

RC4

• RC4 means Rivest Cipher 4 (Ron’s Code), invented by Ron Rivest in 1987 for RSA
Security.
• It is a stream cipher. Stream ciphers operate on a stream of data byte by byte.
• The RC4 stream cipher is one of the most widely used stream ciphers because of its simplicity
and speed of operation.
• It is a variable key-size stream cipher with byte-oriented operations. It uses either 64-bit or
128-bit key sizes.
• It is generally used in applications such as Secure Socket Layer (SSL) and Transport Layer
Security (TLS), and it is also used in the IEEE 802.11 wireless LAN standard.

RC4
RC4 relies on:

• Key inputs. This tool generates an eight-bit number (cipher) that's impossible to guess.
• Keystreams. The cipher scrambles plain text.
• Product. An X-OR operation combines the keystream with the cipher.

Working

• Initiate: Input a secret key and the text you'd like to protect.
• Encrypt: The cipher scrambles your text via encryption. The work happens byte by byte
rather than in chunks.
• Send: The scrambled text heads to the recipient. That person should have a copy of the secret
key you used to protect the data.
• Decryption: The recipient walks back through these steps to uncover your original text.
• RC4 relies on two mathematical concepts:
• KSA: A key-scheduling algorithm initializes the process in an array typically referred to as
"S." That "S" is processed 256 times, and bytes from the key are mixed in too.
• PRGA (Pseudo-Random Generation Algorithm): Data is fed in byte by byte, and a
mathematical model modifies it. The model looks up values, adds them modulo 256, and uses the
sum as the index of the byte within the keystream. It swaps each element with another at least once
every 256 rounds.

Step 1: Produce keystream from the secret key using KSA and PRGA algorithms:

The user also has to provide the secret key as input.

RC4 relies on two mathematical concepts:

KSA:

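Initialize an array, S, of 256 bytes. A temporary array, T, is also generated, and the first k_len
elements of the key, K, are copied into it (repeating the key to fill T), where k_len is the key
length in bytes, as shown below:

unsigned char S[256], T[256]; // unsigned, so values 128..255 stay valid array indices
for (int i = 0; i < 256; i++) {
    S[i] = i;            // identity permutation 0..255
    T[i] = K[i % k_len]; // key bytes, repeated until T is full
}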

The main purpose of creating a temporary array is to provide an initial permutation for the S
array.

int i = 0, j = 0;
while (i < 256) {
    j = (j + S[i] + T[i]) % 256; // T is the temporary vector created from the secret key.
    unsigned char temp = S[i];   // swap S[i] and S[j]
    S[i] = S[j];
    S[j] = temp;
    i++;
}

The array S produced by the KSA is the input to the PRGA, which outputs keystream bytes based on
the state of S as modified by the KSA. The code for PRGA is as follows:

int i = 0, j = 0, t;
unsigned char k;
while (1) { // one keystream byte per iteration, for as long as there is input to cover
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    unsigned char temp = S[i]; // swap S[i] and S[j]
    S[i] = S[j];
    S[j] = temp;
    t = (S[i] + S[j]) % 256;
    k = S[t]; // k is the byte generated from S by scrambling entries in a calculated way
}

Step 2:

XOR the keystream produced with the plain text input
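
The two steps above combined into one complete program, as an added example that is not part of the original slides. The names rc4_ctx, rc4_init, rc4_next and rc4_crypt are this example's own, and the sample input is a commonly cited RC4 test vector embedded inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC4 state: the 256-byte permutation S and the two PRGA indices. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_ctx;

static void swap_bytes(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* KSA: identity permutation, then 256 key-dependent swaps.
   key[n % key_len] is the value the slides store in T[n]. */
void rc4_init(rc4_ctx *c, const uint8_t *key, size_t key_len) {
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) c->S[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->S[n] + key[n % key_len]);
        swap_bytes(&c->S[n], &c->S[j]);
    }
    c->i = c->j = 0;
}

/* PRGA: advance the state and return the next keystream byte. */
uint8_t rc4_next(rc4_ctx *c) {
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    swap_bytes(&c->S[c->i], &c->S[c->j]);
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* Step 2: XOR the keystream into the data. The same call decrypts,
   provided it starts from a fresh state built from the same key. */
void rc4_crypt(const uint8_t *key, size_t key_len,
               const uint8_t *in, uint8_t *out, size_t len) {
    rc4_ctx c;
    rc4_init(&c, key, key_len);
    for (size_t n = 0; n < len; n++) out[n] = in[n] ^ rc4_next(&c);
}

int main(void) {
    /* Sample input embedded for the example: key "Key", message "Plaintext". */
    const uint8_t key[] = "Key", msg[] = "Plaintext";
    uint8_t ct[9], pt[9];
    rc4_crypt(key, 3, msg, ct, 9);
    rc4_crypt(key, 3, ct, pt, 9);   /* decrypt = run the cipher again */
    for (int n = 0; n < 9; n++) printf("%02X", ct[n]);
    printf("\nround trip ok: %d\n", memcmp(pt, msg, 9) == 0);
    return 0;
}
```

Using uint8_t for the indices makes every addition wrap modulo 256 automatically, which is what the explicit mod 256 in the slide code does.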

The RC4 encryption algorithm comprises two components: KSA (key-scheduling algorithm) and PRGA
(pseudo-random generation algorithm). Together, these two algorithms help the RC4 algorithm produce
the keystream.

Advantages:

Fast and efficient: RC4 is a very fast and efficient encryption algorithm, which makes it suitable for use in
applications where speed and efficiency are critical.

Simple to implement: RC4 is a relatively simple algorithm to implement, which means that it can be easily
implemented in software or hardware.

Variable key size: RC4 supports variable key sizes, which makes it flexible and adaptable for different
security requirements.

Disadvantages:
Vulnerabilities: RC4 has several known vulnerabilities that make it unsuitable for new
applications.
Security weaknesses: RC4 has some inherent weaknesses in its design, which make it less
secure than other encryption algorithms, such as AES or ChaCha20.

Limited key length: The maximum key length for RC4 is 2048 bits, which may not be sufficient for
some applications that require stronger encryption.

Not recommended for new applications: Due to its vulnerabilities and weaknesses, RC4 is no
longer recommended for use in new applications. Other more secure stream cipher algorithms,
such as AES-CTR or ChaCha20, should be used instead.
