1. Cryptography Techniques (CNET-326)
All Chapters (From 1 to 7).
For Exam Preparation Consult Book of this course. Questions will be asked from the Book.

3. Chapter -1 CLASSICAL ENCRYPTION TECHNIQUES
Cryptography Techniques
(CNET-326)

4. Brief Overview
An original message is known as the plaintext, while the coded message is called the ciphertext.
The process of converting from plaintext to ciphertext is known as enciphering or encryption.
Restoring the plaintext from the ciphertext is deciphering or decryption.
The many schemes used for encryption constitute the area of study known as cryptography.
Such a scheme is known as a cryptographic system or a cipher.
Techniques used for deciphering a message without any knowledge of the enciphering details fall into the area of cryptanalysis.
Cryptanalysis is what the layperson calls “breaking the code.”
The areas of cryptography and cryptanalysis together are called cryptology.

5. Symmetric Cipher Model
Detail the five ingredients of the symmetric cipher model, shown in Stallings Figure 2.1:
plaintext - original message
encryption algorithm – performs substitutions/transformations on plaintext
secret key – control exact substitutions/transformations used in encryption algorithm
ciphertext - scrambled message
decryption algorithm – inverse of encryption algorithm

6. Requirements Two requirements for secure use of symmetric encryption:
a strong encryption algorithm
a secret key known only to sender / receiver
mathematically have:
Y = E(K, X)
X = D(K, Y)
assume encryption algorithm is known
implies a secure channel to distribute key
There are two requirements for secure use of conventional encryption that mean we assume that it is impractical to decrypt a message on the basis of the cipher- text plus knowledge of the encryption/decryption algorithm, and hence do not need to keep the algorithm secret; rather we only need to keep the key secret. This feature of symmetric encryption is what makes it feasible for widespread use. It allows easy distribution of s/w and h/w implementations.
Can take a closer look at the essential elements of a symmetric encryption scheme: mathematically it can be considered a pair of functions with: plaintext X, ciphertext Y, key K, encryption algorithm E, decryption algorithm D. The intended receiver, in possession of the key, is able to invert the transformation. An opponent, observing Y but not having access to K or X, may attempt to recover X or K.

7. Cryptography can characterize cryptographic system by:
Type of encryption operations used
substitution
transposition
product
Number of keys used
single-key or private
two-key or public
way in which plaintext is processed
Block
Stream
Cryptographic systems can be characterized along these three independent dimensions.
The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (that is, that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.
The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver use different keys, the system is referred to as asymmetric, two-key, or public-key encryption.
The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

8. Cryptanalysis objective to recover key not just message
general approaches:
cryptanalytic attack
brute-force attack
if either succeed all key use compromised
Typically objective is to recover the key in use rather then simply to recover the plaintext of a single ciphertext. There are two general approaches:
Cryptanalysis: relies on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext- ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average,half of all possible keys must be tried to achieve success.
If either type of attack succeeds in deducing the key, the effect is catastrophic: All future and past messages encrypted with that key are compromised.

9. Cryptanalytic Attacks
ciphertext only
only know algorithm & ciphertext, is statistical, know or can identify plaintext
known plaintext
know/suspect plaintext & ciphertext
chosen plaintext
select plaintext and obtain ciphertext
chosen ciphertext
select ciphertext and obtain plaintext
chosen text
select plaintext or ciphertext to en/decrypt
Stallings Table 2.1 summarizes the various types of cryptanalytic attacks, based on the amount of information known to the cryptanalyst, from least to most. The most difficult problem is presented when all that is available is the ciphertext only. In some cases, not even the encryption algorithm is known, but in general we can assume that the opponent does know the algorithm used for encryption. Then with increasing information have the other attacks. Generally, an encryption algorithm is designed to withstand a known-plaintext attack.

10. Classical Substitution Ciphers
where letters of plaintext are replaced by other letters or by numbers or symbols
or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns .

11. Caesar Cipher earliest known substitution cipher by Julius Caesar
first attested use in military affairs
replaces each letter by 3rd letter on
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB

12. Caesar Cipher can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
then have Caesar cipher as:
c = E(k, p) = (p + k) mod (26)
p = D(k, c) = (c – k) mod (26)

13. Hill Cipher
Invented by Lester S. Hill in 1929, the Hill cipher is a polygraphic substitution cipher based on linear algebra. Hill used matrices and matrix multiplication to mix up the plaintext.
Hill's major contribution was the use of mathematics to design and analyse cryptosystems. It is important to note that the analysis of this algorithm requires a branch of mathematics known as number theory

14. Hill Cipher
Example: Suppose the KEYS are :

15. Hill Cipher

16. Vernam Cipher
ultimate defense is to use a key as long as the plaintext
with no statistical relationship to it
invented by AT&T engineer Gilbert Vernam in 1918
originally proposed using a very long but eventually repeating key

17. Vernam Cipher

18. One-Time Pad
if a truly random key as long as the message is used, the cipher will be secure
called a One-Time pad
is unbreakable since ciphertext bears no statistical relationship to the plaintext
since for any plaintext & any ciphertext there exists a key mapping one to other
can only use the key once though
problems in generation & safe distribution of key
The One-Time Pad is an evolution of the Vernham cipher. An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement using a random key that was truly as long as the message, with no repetitions, which thus totally obscures the original message. It produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code, since any plaintext can be mapped to any ciphertext given some key.
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
There is the practical problem of making large quantities of random keys.
And the problem of key distribution and protection, where for every message to be sent, a key of equal length is needed by both sender and receiver.
Because of these difficulties, the one-time pad is of limited utility, and is useful primarily for low-bandwidth channels requiring very high security. The one-time pad is the only cryptosystem that exhibits what is referred to as perfect secrecy.

19. One-Time Pad
Example: Suppose Alice wishes to send the message "HELLO" to Bob. It is common, but not required, to assign each letter a numerical value: e.g. "A" is 0, "B" is 1, and so on. In this example, the technique is to combine the key and the message using modular addition. The numerical values of corresponding message and key letters are added together, modulo 26. If key material begins with "XMCKL" and the message is "HELLO", then the coding would be done as follows:
H E L L O message
7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message
+ 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key
= message + key
= 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) message + key (mod 26)
E Q N V Z → ciphertext
The One-Time Pad is an evolution of the Vernham cipher. An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement using a random key that was truly as long as the message, with no repetitions, which thus totally obscures the original message. It produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code, since any plaintext can be mapped to any ciphertext given some key.
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
There is the practical problem of making large quantities of random keys.
And the problem of key distribution and protection, where for every message to be sent, a key of equal length is needed by both sender and receiver.
Because of these difficulties, the one-time pad is of limited utility, and is useful primarily for low-bandwidth channels requiring very high security. The one-time pad is the only cryptosystem that exhibits what is referred to as perfect secrecy.

20. One-Time Pad
If a number is larger than 25, then the remainder after subtraction of 26 is taken in modular arithmetic fashion. This simply means that if your computations "go past" Z, you start again at A. The ciphertext to be sent to Bob is thus "EQNVZ". Bob uses the matching key page and the same process, but in reverse, to obtain the plaintext. Here the key is subtracted from the ciphertext, again using modular arithmetic
E Q N V Z ciphertext 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) ciphertext- 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key= ciphertext — key= 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) ciphertext — key (mod 26) H E L L O → message  Similar to the above, if a number is negative then 26 is added to make the number positive.
Thus Bob recovers Alice's plaintext, the message "HELLO".
The One-Time Pad is an evolution of the Vernham cipher. An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement using a random key that was truly as long as the message, with no repetitions, which thus totally obscures the original message. It produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code, since any plaintext can be mapped to any ciphertext given some key.
The one-time pad offers complete security but, in practice, has two fundamental difficulties:
There is the practical problem of making large quantities of random keys.
And the problem of key distribution and protection, where for every message to be sent, a key of equal length is needed by both sender and receiver.
Because of these difficulties, the one-time pad is of limited utility, and is useful primarily for low-bandwidth channels requiring very high security. The one-time pad is the only cryptosystem that exhibits what is referred to as perfect secrecy.

21. Row Transposition Ciphers
is a more complex transposition
write letters of message out in rows over a specified number of columns
then reorder the columns according to some key before reading off the rows
Key:
Column Out
Plaintext: a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
A more complex transposition cipher is to write the message in a rectangle, row by row, and read the message off shuffling the order of the columns in each row. The order of the columns then becomes the key to the algorithm. In the example shown, the key is , that is use column 4 first, then column3, then 1 etc (as shown in the Column Out row).
A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. For the type of columnar transposition just shown, cryptanalysis is fairly straightforward and involves laying out the ciphertext in a matrix and playing around with column positions. Digram and trigram frequency tables can be useful.

22. Steganography An alternative to encryption Hides existence of message
using only a subset of letters/words in a longer message marked in some way
using invisible ink
hiding in LSB in graphic image or sound file
has drawbacks
high overhead to hide relatively few info bits
advantage is can obscure encryption use
Steganography is an alternative to encryption which hides the very existence of a message by some means. There are a large range of techniques for doing this.
Steganography has a number of drawbacks when compared to encryption. It requires a lot of overhead to hide a relatively few bits of information.
Also, once the system is discovered, it becomes virtually worthless, although a message can be first encrypted and then hidden using steganography. The advantage of steganography is that it can be employed by parties who have something to lose should the fact of their secret communication (not necessarily the content) be discovered.

24. Cryptography Techniques (CNET-326)
Chapter -2 BLOCK CIPHERS : THE DATA ENCRYPTION STANDARD and ADVANCED ENCRYPTION STANDARD
Cryptography Techniques
(CNET-326)

25. Block vs Stream Ciphers
Block ciphers: A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used.
Stream ciphers: A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher.
Block ciphers work a on block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them.

26. Block vs Stream Ciphers

27. Block vs Stream Ciphers

28. Data Encryption Standard (DES)

29. DES Encryption Overview
The overall scheme for DES encryption is illustrated in Stallings Figure3.4, which takes as input 64-bits of data and of key.
The left side shows the basic process for enciphering a 64-bit data block which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key dependent round function involving substitutions & permutations
- a final permutation, being the inverse of IP
The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves

30. Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
quite regular in structure (easy in h/w)
example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.
Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use - so be careful! Numbers from Bit 1 (leftmost, most significant) to bit 32/48/64 etc (rightmost, least significant).
Note that examples are specified using hexadecimal.
Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”.

31. DES Round Structure uses two 32-bit L & R halves
as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
F takes 32-bit R half and 48-bit subkey:
expands R to 48-bits using perm E
adds to subkey using XOR
passes through 8 S-boxes to get 32-bit result
finally permutes using 32-bit perm P
Detail here the internal structure of the DES round function F, which takes R half & subkey, and processes them through E, add subkey, S & P.
This follows the classic structure for a feistel cipher.
Note that the s-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

32. DES Round Structure
Stallings Figure 3.6 illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits by using expansion table E that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Stallings Table 3.2c). The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P as defined by Stallings Table 3.2d.

33. DES Decryption decrypt must unwind steps of data computation
with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
IP undoes final FP step of encryption
1st round with SK16 undoes 16th encrypt round ….
16th round with SK1 undoes 1st encrypt round
then final FP undoes initial encryption IP
thus recovering original data value
As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16 .. SK1.
If you trace through the DES overview diagram can see how each decryption step top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.

34. The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128,192,or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. Rijndael is an academic submission, based on the earlier Square cipher, from Belgium academics Dr Joan Daemen and Dr Vincent Rijmen. It is an iterative cipher (operates on entire data block in every round) rather than feistel (operate on halves at a time), and was designed to have characteristics of: Resistance against all known attacks, Speed and code compactness on a wide range of platforms, & Design simplicity.

35. AES Encryption Process
Stallings Figure 5.1 shows the overall encryption process in AES.

36. AES Structure data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiply of groups)
add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation

37. AES Structure
Stallings Figure 5.3 shows the structure of AES in more detail. The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key; 12 rounds for a 24-byte key; and 14 rounds for a 32-byte key. The first N – 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently. The final round contains only 3 transformation, and there is a initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output. Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix. Each round key serve as one of the inputs to the AddRoundKey transformation in each round.

38. Some Comments on AES an iterative rather than feistel cipher
key expanded into array of 32-bit words
four words form round key in each round
4 different stages are used as shown
has a simple structure
only AddRoundKey uses key
AddRoundKey a form of Vernam cipher
each stage is easily reversible
decryption uses keys in reverse order
decryption does recover plaintext
final round has only 3 stages
Before delving into details, can make several comments about the overall AES structure. See text for details.

39. AES Decryption
AES decryption is not identical to encryption since steps done in reverse
but can define an equivalent inverse cipher with steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
The AES decryption cipher is not identical to the encryption cipher (Stallings Figure 5.3). The sequence of transformations for decryption differs from that for encryption, although the form of the key schedules for encryption and decryption is the same. This has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption. There is, however, an equivalent version of the decryption algorithm that has the same structure as the encryption algorithm, with the same sequence of transformations as the encryption algorithm (with transformations replaced by their inverses). To achieve this equivalence, a change in key schedule is needed.
By constructing an equivalent inverse cipher with steps in same order as for encryption, we can derive a more efficient implementation. Clearly swapping the byte substitutions and shift rows has no effect, since work just on bytes. Swapping the mix columns and add round key steps requires the inverse mix columns step be applied to the round keys first – this makes the decryption key schedule a little more complex with this construction, but allows the use of same h/w or s/w for the data en/decrypt computation.

40. AES Decryption
Illustrate the equivalent inverse cipher with Stallings Figure 5.10.

42. Chapter -3 BLOCK CIPHER OPERATIONS and STREAM CIPHERS
Cryptography Techniques
(CNET-326)

43. Multiple Encryption & DES.

44. Double-DES?
The simplest form of multiple encryption has two encryption stages and two keys - Double-DES.
Have concern that there might be a single key that is equivalent to using 2 keys as above, not likely but only finally proved in 1992.
More seriously have the “meet-in-the-middle” attack, first described by Diffie in It is a known plaintext attack (ie have know pair (P,C), and attempts to find by trial-and-error a value X in the “middle” of the double-DES encryption of this pair, and chances of this are much better at O(2^56) than exhaustive search at O(2^112).

45. Triple-DES with Two-Keys
Triple-DES with two keys is a popular alternative to single-DES, but suffers from being 3 times slower to run. The use of encryption & decryption stages are equivalent, but the chosen structure allows for compatibility with single-DES implementations. 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANS X9.17 and ISO Currently, there are no practical cryptanalytic attacks on 3DES. Coppersmith notes that the cost of a brute-force key search on 3DES is on the order of 2^112 (=5*10^33) and estimates that the cost of differential cryptanalysis suffers an exponential growth, compared to single DES, exceeding 10^52.

46. Multiple Encryption

47. Modes of Operation
DES (or any block cipher) forms a basic building block, which en/decrypts a fixed sized block of data. However to use these in practise, we usually need to handle arbitrary amounts of data, which may be available in advance (in which case a block mode is appropriate), and may only be available a bit/byte at a time (in which case a stream mode is used). To apply a block cipher in a variety of applications, four “modes of operation” have been defined by NIST (FIPS 81). The four modes are intended to cover virtually all the possible applications of encryption for which a block cipher could be used. As new applications and requirements have appeared, NIST has expanded the list of recommended modes to five in Special Publication A. These modes are intended for use with any symmetric block cipher, including triple DES and AES.

48. Modes of Operation

49. Electronic Codebook Book (ECB)
Stallings Figure 6.3 illustrates the Electronic Codebook (ECB) Mode.

50. Cipher Block Chaining (CBC)
Stallings Figure 6.4 illustrates the Cipher Block Chaining (CBC) Mode.

51. Cipher FeedBack (CFB)
Stallings Figure 6.5 illustrates the Cipher FeedBack (CFB) Mode.

52. Output FeedBack (OFB)
Stallings Figure 6.6 illustrates the Output FeedBack (OFB) Mode.

53. Counter (CTR)
Stallings Figure 6.7 illustrates the Counter (CTR) Mode.

54. Stream Ciphers

55. Stream Cipher Structure
Stallings Figure 6.8 illustrates the general structure of a stream cipher, where a key is input to a pseudorandom bit generator that produces an apparently random keystream of bits, and which are XOR’d with message to encrypt it, and XOR’d again to decrypt it by the receiver.

56. Stream Cipher Properties
some design considerations are:
long period with no repetitions
statistically random
depends on large enough key
large linear complexity
properly designed, can be as secure as a block cipher with same size key
but usually simpler & faster

57. RC4
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation.
widely used (web SSL/TLS, wireless WEP)
key forms random permutation of all 8-bit values
uses that permutation to scramble input info processed a byte at a time

58. RC4 Key Schedule starts with an array S of numbers: 0..255
use key to well and truly shuffle
S forms internal state of the cipher
for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen])
j = 0
j = (j + S[i] + T[i]) (mod 256)
swap (S[i], S[j])
The RC4 key schedule initialises the state S to the numbers , and then walks through each entry in turn, using its current value plus the next byte of key to pick another entry in the array, and swaps their values over. After doing this 256 times, the result is a well and truly shuffled array. The total number of possible states is 256! - a truly enormous number, much larger even than the 2048-bit (256*8) max key allowed can select.

59. RC4 Encryption encryption continues shuffling array values
sum of shuffled pair selects "stream key" value from permutation
XOR S[t] with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
To form the stream key for en/decryption (which are identical), RC4 continues to shuffle the permutation array S by continuing to swap each element in turn with some other entry, and using the sum of these two entry values to select another value from the permutation to use as the stream key, which is then XOR’d with the current message byte.

60. RC4 Security claimed secure against known attacks
have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never reuse a key
have a concern with WEP, but due to key handling rather than RC4 itself

62. Chapter -4 PUBLIC-KEY CRYPTOGRAPHY AND RSA
Cryptography Techniques
(CNET-326)

63. Private-Key Cryptography
traditional private/secret/single key cryptography uses one key
shared by both sender and receiver
if this key is disclosed communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message & claiming is sent by sender
So far all the cryptosystems discussed, from earliest history to modern times, have been private/secret/single key (symmetric) systems.
All classical, and modern block and stream ciphers are of this form, and still rely on the fundamental building blocks of substitution and permutation (transposition).

64. Public-Key Cryptography
probably most significant advance in the 3000 year history of cryptography
uses two keys – a public & a private key
asymmetric since parties are not equal
uses clever application of number theoretic concepts to function
complements rather than replaces private key crypto
Will now discuss the radically different public key systems, in which two keys are used. The development of public-key cryptography is the greatest and perhaps the only true revolution in the entire history of cryptography. It is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption,which uses only one key. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt messages or create signatures, counter-intuitive though this may seem. It works by the clever use of number theory problems that are easy one way but hard the other. Note that public key schemes are neither more nor less secure than private key (security depends on the key size for both), nor do they replace private key schemes (they are too slow to do so), rather they complement them. Both also have issues with key distribution, requiring the use of some suitable protocol.

65. Public-Key Cryptography

66. Public-Key Applications

67. RSA Published By Rivest, Shamir & Adleman of MIT in 1977
best known & widely used public-key scheme
based on exponentiation in a finite (Galois) field over integers modulo a prime
nb. exponentiation takes O((log n)3) operations (easy)
uses large integers (eg bits)
security due to cost of factoring large numbers
nb. factorization takes O(e log n log log n) operations (hard)
RSA is the best known, and by far the most widely used general public key encryption algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978 [RIVE78]. Since that time RSA has reigned supreme as the most widely accepted and implemented general-purpose approach to public-key encryption. It is based on exponentiation in a finite (Galois) field over integers modulo a prime, using large integers (eg bits). Its security is due to the cost of factoring large numbers.

68. RSA Key Setup
RSA key setup is done once (rarely) when a user establishes (or replaces) their public key, using the steps as shown. The exponent e is usually fairly small, just must be relatively prime to ø(n). Need to compute its inverse mod ø(n) to find d. It is critically important that the factors p & q of the modulus n are kept secret, since if they become known, the system can be broken. Note that different users will have different moduli n.

69. RSA Encryption & Decryption

70. RSA Encryption & Decryption

71. RSA Example - Key Setup Select primes: p=17 & q=11
Compute n = pq =17 x 11=187
Compute ø(n)=(p–1)(q-1)=16 x 10=160
Select e: gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23x7=161= 10x160+1
Publish public key PU={7,187}
Keep secret private key PR={23,187}
Here walk through example RSA key generation using “trivial” sized numbers.
Selecting primes requires the use of a primality test.
Finding d as inverse of e mod ø(n) requires use of Euclid’s Inverse algorithm (see Ch4)

72. RSA Example - En/Decryption
sample RSA encryption/decryption is:
given message M = 88 (nb. 88<187)
encryption:
C = 887 mod 187 = 11
decryption:
M = 1123 mod 187 = 88
Then show that the encryption and decryption operations are simple exponentiations mod 187.
Rather than having to laborious repeatedly multiply, can use the "square and multiply" algorithm with modulo reductions to implement all exponentiations quickly and efficiently (see next).

73. RSA Security

74. RSA Exercises

76. Chapter -5 OTHER PUBLIC-KEY CRYPTOSYSTEMS
Cryptography Techniques
(CNET-326)

77. Diffie-Hellman Key Exchange
The first published public-key algorithm appeared in the seminal paper by Diffie and Hellman that defined public-key cryptography [DIFF76b] and is generally
Referred to as Diffie-Hellman key exchange.1 A number
of commercial products employ this key exchange
technique.
The purpose of the algorithm is to enable two users to securely exchange a Key that can then be used for subsequent symmetric encryption of messages.
The Algorithm itself is limited to the exchange of secret values.

78. Diffie-Hellman Key Exchange
Figure 10.1 summarizes the Diffie-Hellman key exchange algorithm. For this
scheme, there are two publicly known numbers: a prime number q and an integer a
that is a primitive root of q. Suppose the users A and B wish to create a shared key.

79. Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. The algorithm itself is limited to the exchange of secret values, which depends on the value of the public/private keys of the participants. The Diffie-Hellman algorithm uses exponentiation in a finite (Galois) field (modulo a prime or a polynomial), and depends for its effectiveness on the difficulty of computing discrete logarithms.

80. Diffie-Hellman Setup all users agree on global parameters:
large prime integer or polynomial q
a being a primitive root mod q
each user (eg. A) generates their key
chooses a secret key (number): xA < q
compute their public key: yA = axA mod q
each user makes public that key yA
In the Diffie-Hellman key exchange algorithm, there are two publicly known numbers: a prime number q and an integer a that is a primitive root of q. The prime q and primitive root a can be common to all using some instance of the D-H scheme. Note that the primitive root a is a number whose powers successively generate all the elements mod q. Users Alice and Bob choose random secrets x's, and then "protect" them using exponentiation to create their public y's. For an attacker monitoring the exchange of the y's to recover either of the x's, they'd need to solve the discrete logarithm problem, which is hard.

81. Diffie-Hellman Key Exchange
shared session key for users A & B is KAB:
KAB = axA.xB mod q
= yAxB mod q (which B can compute)
= yBxA mod q (which A can compute)
KAB is used as session key in private-key encryption scheme between Alice and Bob
if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
attacker needs an x, must solve discrete log
The actual key exchange for either party consists of raising the others "public key' to power of their private key. The resulting number (or as much of as is necessary) is used as the key for a block cipher or other private key scheme. For an attacker to obtain the same value they need at least one of the secret numbers, which means solving a discrete log, which is computationally infeasible given large enough numbers. Note that if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys.

82. Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
agree on prime q=353 and a=3
select random secret keys:
A chooses xA=97, B chooses xB=233
compute respective public keys:
yA=397 mod 353 = 40 (Alice)
yB=3233 mod 353 = 248 (Bob)
compute shared session key as:
KAB= yBxA mod 353 = = 160 (Alice)
KAB= yAxB mod 353 = = 160 (Bob)
Here is an example of Diffie-Hellman from the text using prime q=353, showing how each computes its public key, and then how after they exchange public keys, each can compute the common secret key.I n this simple example, it would be possible by brute force to determine the secret key 160. In particular, an attacker E can determine the common key by discovering a solution to the equation 3a mod 353 = 40 or the equation 3b mod 353 = 248. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides 397 mod 353 = 40. With larger numbers, the problem becomes impractical.

83. ElGamal Cryptography public-key cryptosystem related to D-H
so uses exponentiation in a finite (Galois)
with security based difficulty of computing discrete logarithms.

84. ElGamal Cryptosystem

85. ElGamal Cryptosystem

86. ElGamal Example
Here is an example of ElGamal from the text using the prime field GF(19); that is, q = 19. It has primitive roots {2, 3, 10, 13, 14, 15}, as shown in Table 8.3. We choose a = 10. Alice generates a key pair as shown. Suppose Bob wants to send the message with the value M = 17. Then he computes the ciphertext pair (11, 5) and sends this to Alice. Alice recovers the message by first recovering K, then computing its inverse (using the Extended Euclids Algorithm – see Ch 4), and finally recovering M.

87. Exercises

88. Exercises

90. Chapter -6 CRYPTOGRAPHIC HASH FUNCTIONS
Cryptography Techniques
(CNET-326)

91. Hash Function
A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M).
The kind of hash function needed for security applications is referred to as a cryptographic hash function.
A cryptographic hash function is an algorithm for which
it is computationally infeasible (because no attack is significantly
more efficient than brute force) to find either (a) a data object that
maps to a pre-specified hash result (the one-way property) or (b)
two data objects that map to the same hash result.

92. Hash Function
Figure 11.1 depicts the general operation of a cryptographic hash function.
Typically, the input is padded out to an integer multiple of some fixed length (e.g., 1024 bits), and the padding includes the value of the length of the original message in bits. The length field is a security measure to increase the difficulty for an attacker to produce an alternative message with the same hash value.

93. Hash Function

94. Applications of Hash Function
Applications of Cryptographic Hash Functions
1. Message Authentication
2. Digital Signatures

95. Applications of Cryptographic Hash Functions 1. Message Authentication
Message authentication is a mechanism or service used to verify the integrity of a message.
When a hash function is used to provide message authentication,
the hash function value is often referred to as a message digest.
The essence of the use of a hash function for message authentication is as
follows.
The sender computes a hash value as a function of the bits in the message
and transmits both the hash value and the message. The receiver performs the same hash calculation on the message bits and compares this value with the incoming hash value. If there is a mismatch, the receiver knows that the message (or possibly the hash value) has been altered (Figure 11.2a).

96. Use of hash function to check data integrity

97. Message Authentication Code (MAC)
Message authentication is achieved using a message authentication code (MAC), also known as a keyed hash function.
Typically, MACs are used between two parties that share a secret key to authenticate information exchanged between those parties. A MAC function takes as input a secret key and a data block and produces a hash value, referred to as the MAC, which is associated
with the protected message.
If the integrity of the message needs to be checked, the
MAC function can be applied to the message and the result compared with the associated MAC value.
An attacker who alters the message will be unable to alter the
associated MAC value without knowledge of the secret key

98. Message Authentication Code
Stallings Figure 11.4a “Message Authentication” shows the use of a MAC just for authentication.

99. Applications of Cryptographic Hash Functions 2. Digital Signatures
Another important application, which is similar to the message authentication
application,is the digital signature.
In the case of the digital signature, the hash value of a message
is encrypted with a user’s private key. Anyone who knows the user’s public key
can verify the integrity of the message that is associated with the digital signature.

100. Digital Signatures
Figure 11.4 illustrates, in a simplified fashion, how a hash code is used to provide a digital signature.
A. The hash code is encrypted, using public-key encryption with the sender’s private key.
B. If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key.
This is a common technique.

101. Simplified Examples of Digital Signatures

102. Requirements for a CRYPTOGRAPHIC HASH FUNCTIONS H

104. Chapter -7 Digital Signatures
Cryptography Techniques
(CNET-326)

105. Digital Signatures
The most important development from the work on public-key cryptography is the digital signature.
The digital signature provides a set of security capabilities that would be difficult to implement in any other way.
Figure 13.1 is a generic model of the process of making and using digital signatures.
Bob can sign a message using a digital signature generation algorithm. The inputs to the algorithm are the message and Bob’s private key.
Any other user, say Alice, can verify the signature using a verification algorithm, whose inputs are the message, the signature, and Bob’s public key.

106. Digital Signature Model

107. Digital Signature Model
In simplified terms, the essence of the digital signature mechanism is shown in Stallings Figure This repeats the logic shown in Figure On example, using RSA, is available at this book's Web site.
We begin this chapter with an overview of digital signatures. Then, we introduce the Digital Signature Standard (DSS).

108. Digital Signature Properties
The digital signature must have the following
properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

109. Digital Signatures Requirements
On the basis of the properties and attacks just discussed, we can formulate the following requirements for a digital signature.
• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature.
• It must be practical to retain a copy of the digital signature in storage.