Chapter 6
Data Encryption Standard (DES)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

CONFUSION VS DIFFUSION
Confusion: to make the relation between the plaintext and the ciphertext as complex as possible
• Change key values each round
• Performed through substitution
• Complicates the plaintext/key relationship
• Caesar ciphers have poor confusion
• Polyalphabetic substitutions have good confusion
Diffusion: change the location of plaintext bits in the ciphertext
• Done through transposition

6-1 INTRODUCTION

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).

Topics discussed in this section:
6.1.1 History
6.1.2 Overview

6.1.2 Overview

DES is a block cipher, as shown in Figure 6.1.

Figure 6.1 Encryption and decryption with DES

6-2 DES STRUCTURE

The encryption process is made of two permutations (P-boxes), which we call the initial and final permutations, and sixteen Feistel rounds.

Topics discussed in this section:
6.2.1 Initial and Final Permutations
6.2.2 Rounds
6.2.3 Cipher and Reverse Cipher
6.2.4 Examples

6-2 Continued

Figure 6.2 General structure of DES

6.2.1 Initial and Final Permutations

Figure 6.3 Initial and final permutation steps in DES

6.2.1 Continued
Table 6.1 Initial and final permutation tables

6.2.1 Continued

Example 6.1

Find the output of the final permutation box when the final permutation input is given in hexadecimal as:

Solution
Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final permutation, bit 25 becomes bit 64 and bit 63 becomes bit 15. The result is

6.2.1 Continued

Example 6.2
Prove that the initial and final permutations are the inverse of each other by finding the output of the initial permutation if the input is

Solution
The input has only two 1s; the output must also have only two 1s. Using Table 6.1, we can find the output related to these two bits. Bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63. The result in hexadecimal is

6.2.1 Continued

Note

The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptographic significance in DES.

6.2.2 Continued
DES Function
The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

Figure 6.5 DES function

6.2.2 Continued
Expansion P-box
Since R(I−1) is a 32-bit input and K(I) is a 48-bit key, we first need to expand R(I−1) to 48 bits.

Figure 6.6 Expansion permutation

6.2.2 Continued
Although the relationship between the input and output can be defined mathematically, DES uses Table 6.2 to define this P-box.

Table 6.6 Expansion P-box table

6.2.2 Continued
Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.

6.2.2 Continued
S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. See Figure 6.7.

Figure 6.7 S-boxes

S-BOX USED IN DES – S1 AND S2
• Since Z = 4821976F9A73 HEX = 010010 000010 000110 010111 011011 111001 101001 110011
  S1(010010) = 10 (decimal) = 1010 (binary): row 00 (binary) = 0, column 1001 (binary) = 9
  S2(000010) = 1 (decimal) = 0001 (binary): row 0, column 0001 (binary) = 1
S1
Row 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
Row 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
Row 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
Row 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
Row 0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
Row 1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
Row 2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
Row 3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S-BOX USED IN DES – S3 AND S4
• Since Z = 4821976F9A73 HEX = 010010 000010 000110 010111 011011 111001 101001 110011
  S3(000110) = 14 (decimal) = 1110 (binary)
  S4(010111) = 12 (decimal) = 1100 (binary)
S3
Row 0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
Row 1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
Row 2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
Row 3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
Row 0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
Row 1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
Row 2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
Row 3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-BOX USED IN DES – S5 AND S6
• Since Z = 4821 976F 9A73 HEX = 010010 000010 000110 010111 011011 111001 101001 110011
  S5(011011) = 9 (decimal) = 1001 (binary)
  S6(111001) = 6 (decimal) = 0110 (binary)
S5
Row 0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
Row 1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
Row 2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
Row 3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
Row 0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
Row 1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
Row 2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
Row 3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-BOX USED IN DES – S7 AND S8
• Since Z = 4821976F9A73 HEX = 010010 000010 000110 010111 011011 111001 101001 110011
  S7(101001) = 1 (decimal) = 0001 (binary)
  S8(110011) = 12 (decimal) = 1100 (binary)
S7
Row 0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
Row 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
Row 2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
Row 3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
Row 0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
Row 1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
Row 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
Row 3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
COMBINE ALL 8 S-BOXES
Now we have all outputs from the 8 S-boxes:
S(Z) = 1010 0001 1110 1100 1001 0110 0001 1100 = A1EC961C HEX
Input the result into the P-box!
(Figure: Z enters S1 … S8; the 32-bit result A1EC961C enters P.)
6.2.2 Continued
Example 6.3

The input to S-box 1 is 100011. What is the output?

Solution
If we write the first and the sixth bits together, we get 11 in
binary, which is 3 in decimal. The remaining bits are 0001 in
binary, which is 1 in decimal. We look for the value in row 3,
column 1, in Table 6.3 (S-box 1). The result is 12 in decimal,
which in binary is 1100. So the input 100011 yields the output
1100.

6.2.2 Continued
Example 6.4

The input to S-box 8 is 000000. What is the output?

Solution
If we write the first and the sixth bits together, we get 00 in
binary, which is 0 in decimal. The remaining bits are 0000 in
binary, which is 0 in decimal. We look for the value in row 0,
column 0, in Table 6.10 (S-box 8). The result is 13 in decimal,
which is 1101 in binary. So the input 000000 yields the output
1101.

6.2.2 Continued
Straight Permutation

Table 6.11 Straight permutation table

The 7th bit of the input becomes the 2nd bit of the output.

6.2.3 Continued

Figure 6.10 Key generation

6.2.3 Continued
Table 6.12 Parity-bit drop table: drops the parity bits (8, 16, 24, 32, … 64) and permutes the rest.

Table 6.13 Number of bit shifts

6.2.3 Continued

Table 6.14 Key-compression table

6-4 Multiple DES

The major criticism of DES regards its key length. Fortunately DES is not a group. This means that we can use double or triple DES to increase the key size.

Topics discussed in this section:
6.4.1 Double DES
6.4.4 Triple DES

DOUBLE DES
TRIPLE DES WITH 3-KEY
Chapter 1
Introduction

Chapter 1 Objectives
❑ To define three security goals
❑ To define security attacks that threaten security goals
❑ To define security services and how they are related to the three security goals
❑ To define security mechanisms to provide security services
❑ To introduce two techniques, cryptography and steganography, to implement security mechanisms.

1-1 SECURITY GOALS

This section defines three security goals.

Topics discussed in this section:
1.1.1 Confidentiality
1.1.2 Integrity
1.1.3 Availability

1.1 Continued
Figure 1.1 Taxonomy of security goals

1.1.1 Confidentiality

Confidentiality is probably the most common aspect of information security. We need to protect our confidential information. An organization needs to guard against those malicious actions that endanger the confidentiality of its information.

1.1.2 Integrity

Information needs to be changed constantly. Integrity means that changes need to be done only by authorized entities and through authorized mechanisms.

1.1.3 Availability

The information created and stored by an organization needs to be available to authorized entities. Information needs to be constantly changed, which means it must be accessible to authorized entities.

1-2 ATTACKS

The three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.

Topics discussed in this section:
1.2.1 Attacks Threatening Confidentiality
1.2.2 Attacks Threatening Integrity
1.2.3 Attacks Threatening Availability
1.2.4 Passive versus Active Attacks

1.2 Continued

Figure 1.2 Taxonomy of attacks with relation to security goals

1.2.1 Attacks Threatening Confidentiality

Snooping refers to unauthorized access to or interception of data.

Traffic analysis refers to obtaining some other type of information by monitoring online traffic.

1.2.2 Attacks Threatening Integrity

Modification means that the attacker intercepts the message and changes it.

Masquerading or spoofing happens when the attacker impersonates somebody else.

Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.

Repudiation means that the sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.

1.2.3 Attacks Threatening Availability

Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.

1.2.4 Passive Versus Active Attacks

Table 1.1 Categorization of passive and active attacks

1-3 SERVICES AND MECHANISMS

ITU-T provides some security services and some mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms is used to provide a service.

Topics discussed in this section:
1.3.1 Security Services
1.3.2 Security Mechanism
1.3.3 Relation between Services and Mechanisms

1.3.1 Security Services
Figure 1.3 Security services

1.3.2 Security Mechanism
Figure 1.4 Security mechanisms

1.3.3 Relation between Services and Mechanisms

Table 1.2 Relation between security services and mechanisms

1-4 TECHNIQUES

Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: cryptography and steganography.

Topics discussed in this section:
1.4.1 Cryptography
1.4.2 Steganography

Symmetric-key Distribution

• Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large messages. Symmetric-key cryptography, however, needs a shared secret key between two parties.
• If Alice wants to exchange messages with N people, she needs N different symmetric (secret) keys. If N people need to communicate with each other, a total of N(N−1)/2 keys would be needed, assuming a single key is used in both directions of communication between a pair of people. This is normally referred to as the N^2 problem.
• The distribution of keys is another problem. We need an efficient and reliable (trusted) way to maintain and distribute secret keys.

Key-Distribution Center: KDC

Each person establishes a shared key with the Key-Distribution Center (KDC).

Key-Distribution Center: KDC

The procedure to get a session key between Alice and Bob is as follows:

• Alice sends a request to the KDC stating that she needs a session (temporary) secret key between herself and Bob. Alice uses her secret key with the KDC to authenticate her request and herself to the KDC.
• The KDC informs Bob about Alice's request.
• If Bob agrees and authenticates himself using his secret key with the KDC, a session key is created between the two.

Flat Multiple KDCs

When the number of people using a KDC increases, the system becomes unmanageable. To solve this problem, we divide the community into domains. Each domain has one KDC (or more if redundancy is desired for fault tolerance). If Alice is in one domain and Bob is in another domain, Alice contacts her KDC, which in turn contacts the KDC in Bob's domain. The two KDCs can create a secret key between Alice and Bob. This system is called flat multiple KDCs.

Hierarchical Multiple KDCs

The hierarchical multiple KDC system has one (or more) KDC at the top of the hierarchy. For example, if Alice and Bob are in two different countries, Alice sends the request to her local KDC, which relays the request to the national KDC, which forwards it to the international KDC. The request is then relayed all the way down to the local KDC where Bob lives.

Session Keys
• The secret key established between the KDC and a member can be used only between that member and the KDC, not between two members.
• The KDC can help two members (after authenticating their secret key with the KDC) establish a temporary key that can be used by the two members for a single session. After communication is terminated, the session key becomes invalid.

A session symmetric key between two parties is used only once.

A Simple Protocol Using a KDC

1 Alice sends a plaintext message to the KDC to request a symmetric session key between herself and Bob.
2 The KDC creates a ticket encrypted using Bob's key KB containing the session key. The ticket and the session key are sent to Alice in a message encrypted using Alice's key KA. Alice decrypts the message and retrieves the session key and Bob's ticket.
3 Alice sends the ticket to Bob, who opens (decrypts) the ticket and obtains the value of the session key.

This simple protocol is prone to replay attacks. An adversary can save the message (ticket) in step 3 and replay it later.
Needham-Schroeder Protocol

1 Alice sends a message to the KDC that includes her nonce RA.
2 The KDC sends an encrypted message to Alice that includes Alice's nonce, the session key, and an encrypted ticket to Bob that includes the session key. The ticket is encrypted using Bob's key and the whole message is encrypted using Alice's key.
3 Alice sends the ticket to Bob.
4 Bob decrypts the ticket and sends his challenge RB to Alice encrypted with the session key.
5 Alice responds by sending to Bob the encrypted value RB − 1 (rather than RB, to prevent replay attacks).

Otway-Rees Protocol

1 Alice sends a message to Bob that includes a common nonce R, her challenge RA, and a ticket to the KDC containing both R and RA. The ticket is encrypted with Alice's secret key.
2 Bob creates a similar ticket but with his own nonce RB. Bob sends both tickets to the KDC.
3 The KDC creates a message that contains R, a ticket for Alice with nonce RA and a ticket for Bob with nonce RB. The tickets contain the session key. The KDC sends the message to Bob.
4 Bob sends Alice her ticket.
5 Alice sends a short (hello) message encrypted with the session key to Bob.
Kerberos

Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular. Several systems, including Windows 2000, use Kerberos. Originally designed at MIT, it has gone through several versions.

Kerberos has separated user verification from the process of issuing tickets that allow the user to access different servers. Kerberos is designed to support client-server applications, such as FTP, in which the client process at the user site communicates with the server process at the server site.
Kerberos Servers

Authentication Server (AS): is the KDC in the Kerberos protocol. Each user registers with the AS and is granted a user ID and password.
Ticket-Granting Server (TGS): issues a ticket for the real server (Bob). It also provides the session key (KAB) between the user and the real server.
Real Server (Bob): provides services for the user (Alice).

Kerberos Operation
(The diagram is on the next slide.)
The client process (Alice) can access the real server process (Bob) in six steps:
1 Alice sends her request to the AS in plaintext.
2 The AS sends a message encrypted with Alice's key K(A-AS). The message contains a session key K(A-TGS) that will be used by Alice to contact the TGS and a ticket for the TGS encrypted using the TGS's key K(AS-TGS). When the message arrives, Alice types her password, which is used by the client process to create K(A-AS) and then decrypt the message to extract the session key and the ticket.
3 Alice sends three items to the TGS: the ticket from the AS, the name of the real server (Bob), and a timestamp encrypted with K(A-TGS).
4 The TGS sends Alice two tickets, both containing the session key K(A-B) between Alice and Bob. Alice's ticket is encrypted with the session key K(A-TGS) and Bob's ticket is encrypted with Bob's password/key K(TGS-B).
5 Alice sends Bob's ticket with the timestamp encrypted with K(A-B).
6 Bob responds by subtracting 1 from the timestamp and encrypts the response with K(A-B).

Kerberos Operation
(Figure: the six-step exchange between Alice, the AS, the TGS and Bob.)
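The six steps above run as a stand-alone model, added here as an example rather than taken from the slides or from any Kerberos implementation: an AS, a TGS and Bob as three functions, Alice's side driving them, and the timestamp check that lets Bob reject a replayed step-5 message (the weakness the simple KDC protocol slide describes). Real Kerberos encrypts with DES or AES; the seal()/unseal() pair, the key names K_A_AS, K_AS_TGS, K_TGS_B and the sample password are constructed for this example only.

```python
# Added example (not from the slides): a runnable model of the six-step Kerberos
# exchange, Alice -> AS -> TGS -> Bob, with the replay check that timestamps give Bob.
# seal()/unseal() is a toy authenticated cipher (SHA-256 keystream + HMAC tag) used
# only to keep the script stand-alone; it stands in for Kerberos' DES/AES encryption.
import hashlib, hmac, json, os, time

FRESHNESS = 300  # seconds a timestamp stays acceptable (the clock-skew window)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    data = json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term keys (constructed sample values). K_A_AS is derived from Alice's password
# as in step 2; K_AS_TGS is shared by AS and TGS; K_TGS_B by TGS and Bob.
K_A_AS = hashlib.sha256(b"alice-password (sample)").digest()
K_AS_TGS = os.urandom(32)
K_TGS_B = os.urandom(32)

def authentication_server(request: dict) -> bytes:
    """Step 2: the AS answers the plaintext request with K_A_TGS and a TGS ticket."""
    k_a_tgs = os.urandom(32).hex()
    ticket_tgs = seal(K_AS_TGS, {"client": request["client"], "key": k_a_tgs})
    return seal(K_A_AS, {"key": k_a_tgs, "ticket_tgs": ticket_tgs.hex()})

def ticket_granting_server(ticket_tgs: bytes, server: str, authenticator: bytes) -> bytes:
    """Step 4: the TGS opens the ticket, checks the timestamp, issues K_A_B and Bob's ticket."""
    t = unseal(K_AS_TGS, ticket_tgs)
    k_a_tgs = bytes.fromhex(t["key"])
    if abs(time.time() - unseal(k_a_tgs, authenticator)["ts"]) > FRESHNESS:
        raise ValueError("stale authenticator")
    k_a_b = os.urandom(32).hex()
    ticket_b = seal(K_TGS_B, {"client": t["client"], "server": server, "key": k_a_b})
    return seal(k_a_tgs, {"key": k_a_b, "ticket_b": ticket_b.hex()})

SEEN = set()  # Bob's replay cache: (client, timestamp) pairs already accepted

def real_server(ticket_b: bytes, authenticator: bytes) -> bytes:
    """Step 6: Bob opens his ticket, rejects stale or replayed timestamps, answers ts - 1."""
    t = unseal(K_TGS_B, ticket_b)
    k_a_b = bytes.fromhex(t["key"])
    ts = unseal(k_a_b, authenticator)["ts"]
    if abs(time.time() - ts) > FRESHNESS or (t["client"], ts) in SEEN:
        raise ValueError("stale or replayed authenticator")
    SEEN.add((t["client"], ts))
    return seal(k_a_b, {"ts": ts - 1})

def alice_session() -> tuple:
    """Runs steps 1-6 as Alice; returns (bob_proved_K_A_B, ticket_b, authenticator)."""
    msg2 = unseal(K_A_AS, authentication_server({"client": "alice"}))   # steps 1-2
    k_a_tgs = bytes.fromhex(msg2["key"])
    ts = int(time.time())
    msg4 = unseal(k_a_tgs, ticket_granting_server(                      # steps 3-4
        bytes.fromhex(msg2["ticket_tgs"]), "bob", seal(k_a_tgs, {"ts": ts})))
    k_a_b = bytes.fromhex(msg4["key"])
    ticket_b = bytes.fromhex(msg4["ticket_b"])
    authenticator = seal(k_a_b, {"ts": ts})
    reply = unseal(k_a_b, real_server(ticket_b, authenticator))        # steps 5-6
    return reply["ts"] == ts - 1, ticket_b, authenticator

def replay_is_rejected(ticket_b: bytes, authenticator: bytes) -> bool:
    """A captured step-5 message re-sent to Bob must be refused."""
    try:
        real_server(ticket_b, authenticator)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    ok, ticket_b, auth = alice_session()
    print("Bob proved K_A_B:", ok, "| replay rejected:", replay_is_rejected(ticket_b, auth))
```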
Kerberos 4 Overview
(Figure only.)

Public-key Distribution

In asymmetric-key cryptography, people do not need to know a symmetric shared key; everyone shields a private key and advertises a public key.

Public Announcement
Bob makes his public key available on his web site. Alice can get Bob's public key by accessing Bob's site or sending email to him. This method is simple but is not secure and is subject to forgery.

Trusted Center

The trusted center retains and updates a directory of public keys. Each user must register with the trusted center and establish a user ID and password. The user can then deliver his/her public key for insertion into the directory.

The center can publicly advertise the directory and respond to inquiries about public keys.

Controlled Trusted Center
A controlled trusted center achieves a higher level of security by adding control on the distribution of the public key. Requests for the public key must include a timestamp. The response of the center to the request includes the timestamp signed with the private key of the center. Alice decrypts the response using the center's public key to verify the timestamp before accepting Bob's public key.

Certification Authority
Security certificates are used to reduce the load on trusted centers.
• A server (Bob) can request a certificate from a certification authority (CA), which could be a cross-certified* company or state or federal organization. Bob's request contains his identification and his public key.
• The CA checks the identification of Bob. If verified, the CA writes Bob's public key on the certificate and signs it with its own private key.
• Bob can now upload the signed certificate and store it on his site, or Bob may send the certificate to users upon request.
• Any user who wants Bob's public key can download the certificate and decrypt it using the CA's public key to extract Bob's public key.
* Cross-certification will be explained at the end of this chapter.

Certification Authority
(Figure only.)

X.509
The Internet community has accepted the ITU-T* recommendation X.509 as a way to unify certificate formats. In X.509, the certificate has the following important fields:
Version number: this field is the version of X.509 (current version is 3).
Serial number: this field is the serial number assigned to each certificate and is unique for each certificate issuer.
Signature algorithm ID: this field identifies the signature algorithm used in the certificate. This field is repeated in the signature field.
Issuer name: this field identifies the CA that issued the certificate.
Validity period: this field defines the earliest (not before) time and the latest (not after) time during which the certificate is valid.
Subject name: this field defines the entity that owns the public key stored in this certificate.
Subject public key: this field gives the value of the public key of the owner of the certificate and defines the public key algorithm.
Signature: this field contains the digest of all other fields in the certificate encrypted by the CA's private key, and also contains the ID of the signature algorithm.
* ITU-T = International Telecommunication Union – Telecommunication Standardization Sector

X.509
In X.509, the certificate has the following fields:
(Figure: X.509 certificate fields.)

The optional Issuer or Subject unique identifier allows two issuers or two subjects to have the same value in the Issuer or Subject name field, provided their unique identifiers are different.

X.509
Certificate Renewal
Each certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires.
Certificate Revocation
In some cases a certificate must be revoked before its expiration (e.g., the private key of the subject or of the CA has been compromised). The revocation is done by periodically issuing a certificate revocation list (CRL) that contains all revoked certificates that have not expired on the date the CRL is issued. To ensure the validity of a certificate, the user must check the latest CRL published by the CA that issued the certificate.
Public-Key Infrastructure (PKI)
PKI is a model for creating, distributing and revoking certificates based on X.509. The IETF (Internet Engineering Task Force) has created the public-key infrastructure X.509 (PKIX).

Some duties of a PKI:
• Issue, renew and revoke certificates.
• Store and update private keys for members who wish to hold their private keys at a safe place.
• Provide services to other Internet security protocols that need public key info, such as IPSec and TLS.
• Provide access control, i.e., provide different levels of access to the information stored in its database.

Public-Key Infrastructures (PKI)
PKI Trust Model
For scalability, there should be many certification authorities in the world; each CA handles a specified number of certificates. The PKI trust model defines rules that specify how a user can verify a certificate received from a CA.

As an example, the PKI hierarchical trust model defines hierarchical rules that specify how a user can verify a certificate received from a CA.

PKI uses the following notation to denote the certificate issued and signed by certification authority X for entity Y:

X << Y >>

Public-Key Infrastructures (PKI)
Example 15.3
User1 knows only the public key of the root CA. Show how User1 can obtain a verified copy of User3's public key.
Solution
User3 sends a chain of certificates, CA<<CA1>> and CA1<<User3>>, to User1.
a. User1 validates CA<<CA1>> using the public key of CA.
b. User1 extracts the public key of CA1 from CA<<CA1>>.
c. User1 validates CA1<<User3>> using the public key of CA1.
d. User1 extracts the public key of User3 from CA1<<User3>>.
User1 has used the following chain: CA<<CA1>> CA1<<User3>>

CA Hierarchy – Certificate Validation Path (Chain)
A only knows the public key of X and B only knows the public key of Z.
A acquires B's certificate using the chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
B acquires A's certificate using the chain: Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>

Because X signed a certificate for the public key of Z, a shorter chain for A to acquire B's certificate is as follows: X<<Z>> Z<<B>>
Because Z signed a certificate for the public key of X, a shorter chain for B to acquire A's certificate is as follows: Z<<X>> X<<A>>

Figure 14.5 (Stallings Book)

Public-Key Infrastructures (PKI)
Example 15.4
Some Web browsers, such as Internet Explorer, include a set of certificates from independent roots without a single, high-level authority to certify each root. One can find the list of these roots in Internet Explorer at Tools/Internet Options/Contents/Certificate/Trusted roots (using the pull-down menu). The user can then choose any of these roots and view the certificate.
Message Integrity and Authentication

11-1 MESSAGE INTEGRITY
The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity.
11.1.1 Document and Fingerprint
One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document.
11.1.2 Message and Message Digest
The electronic equivalent of the document and fingerprint pair is the message and digest pair.
Figure 11.1 Message and digest
11.1.3 Difference
The two pairs (document / fingerprint) and (message / message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be unlinked separately, and, most importantly, the message digest needs to be safe from change.

Note
The message digest needs to be safe from change.
11.1.4 Checking Integrity
Figure 11.2 Checking integrity
11.1.5 Cryptographic Hash Function Criteria
A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance.
Figure 11.3 Criteria of a cryptographic hash function
11.1.5 Continued
Preimage Resistance
Figure 11.4 Preimage

11.1.5 Continued
Second Preimage Resistance
Figure 11.5 Second preimage

11.1.5 Continued
Collision Resistance
Figure 11.6 Collision
11-2 RANDOM ORACLE MODEL
The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function. A function based on this model behaves as follows:
1. When a message of any length is given, the oracle creates and gives a fixed-length message digest that is a random string of 0's and 1's, recording the message and its message digest.
2. When a message is given for which a digest exists, the oracle simply gives the digest in the record.
3. The digest for a new message needs to be chosen independently from all previous messages.
11-2 Continued
Example 11.4
The oracle in Example 11.3 cannot use a formula or algorithm to create the digest for a message. For example, imagine the oracle uses the formula h(M) = M mod n. Now suppose that the oracle has already given h(M1) and h(M2). If a new message is presented as M3 = M1 + M2, the oracle does not have to calculate h(M3). The new digest is just [h(M1) + h(M2)] mod n since

This violates the third requirement that each digest must be randomly chosen based on the message given to the oracle.
11-3 MESSAGE AUTHENTICATION
A message digest does not authenticate the sender of the message.
The digest created by a cryptographic hash function is normally called a modification detection code (MDC).
For message authentication we need a message authentication code (MAC).
11.3.1 Modification Detection Code (MDC)
A modification detection code (MDC) is a message digest that can prove the integrity of the message.
Figure 11.9 Modification detection code (MDC)
11.3.2 Message Authentication Code (MAC)
Figure 11.10 Message authentication code

Note
The security of a MAC depends on the security of the underlying hash algorithm.

Nested MAC
Figure 11.11 Nested MAC

HMAC: NIST issued standard for MAC
Figure 11.12 Details of HMAC
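HMAC as Figure 11.12 lays it out, built by hand from the inner and outer hashes and checked against Python's hmac module, alongside the MDC-versus-MAC point of 11-3. This is an added example, not code from the slides; the key, message and tampered message are constructed sample values.

```python
"""HMAC (Figure 11.12) built from the two nested hashes, plus the MDC-vs-MAC point of 11-3.
Added example; KEY, MESSAGE and TAMPERED are constructed sample values."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # inner and outer pad bytes (RFC 2104)


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC = H((K ^ opad) || H((K ^ ipad) || message)): the nested-MAC construction."""
    block = hashlib.new(hash_name).block_size          # 64 bytes for SHA-256
    if len(key) > block:                               # overlong keys are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")                    # then zero-padded to one block
    inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in key) + message).digest()
    return hashlib.new(hash_name, bytes(k ^ OPAD for k in key) + inner).digest()


def mdc(message: bytes) -> bytes:
    """Modification detection code: a plain digest that anyone, Eve included, can recompute,
    so it only proves integrity when the digest itself travels over a protected channel."""
    return hashlib.sha256(message).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a plain == would leak where the first mismatching byte is."""
    return hmac.compare_digest(hmac_from_scratch(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against the library HMAC."""
    return hmac_from_scratch(key, message) == hmac.new(key, message, "sha256").digest()


# Constructed sample: Alice's shared key, her message, and Eve's altered copy.
KEY = b"alice-and-bob-shared-secret"
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def eve_can_forge_mac() -> bool:
    """Without KEY, Eve can only tag the altered message under a guessed key; Bob rejects it."""
    forged_tag = hmac_from_scratch(b"eve-guess", TAMPERED)
    return verify_mac(KEY, TAMPERED, forged_tag)
```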
Hash Functions

12-1 INTRODUCTION
A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length.
Ex: cryptographic hash algorithms SHA-512, Whirlpool, etc.

Iterated hash functions

12.1.1 Iterated Hash Function
Merkle-Damgard Scheme
Figure 12.1 Merkle-Damgard scheme
12.1.2 Two Groups of Compression Functions
1. The compression function is made from scratch.
   Message Digest (MD)
2. A symmetric-key block cipher serves as a compression function.
   Whirlpool
12.1.2 Continued
Rabin Scheme
Figure 12.2 Rabin scheme
Challenge: meet-in-the-middle (MIM) attack

12.1.2 Continued
Davies-Meyer Scheme
Figure 12.3 Davies-Meyer scheme
Uses a forward-feed mechanism.

12.1.2 Continued
Matyas-Meyer-Oseas Scheme
Figure 12.4 Matyas-Meyer-Oseas scheme
Dual version of the previous one. Used if the data block and the cipher key are the same size (e.g., AES).

12.1.2 Continued
Miyaguchi-Preneel Scheme (used in Whirlpool)
Figure 12.5 Miyaguchi-Preneel scheme
Extended version of the previous one. To make the algorithm stronger against attack, the plaintext, the ciphertext and the key are all XORed.
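The four block-cipher compression schemes of Figures 12.2 to 12.5 inside a Merkle-Damgard iteration (Figure 12.1), as an added example that is not from the slides. The block cipher is a constructed Feistel toy stand-in for AES, and rabin_step_back shows the inversion that the forward-feed XOR of the other three schemes prevents.

```python
"""Rabin, Davies-Meyer, Matyas-Meyer-Oseas and Miyaguchi-Preneel (Figures 12.2-12.5) as
compression functions inside a Merkle-Damgard iteration. Added example, not from the slides.
The block cipher is a constructed 4-round Feistel toy (64-bit block, key of any length)
that exists only so the schemes have a real E and D; it has no security value."""
import hashlib
import struct

BLOCK = 8   # bytes: toy block size, and here also the chaining-value and key size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(4):                  # Feistel: a permutation for any round function
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


# The four schemes: h_prev is the chaining value H_{i-1}, m the message block M_i.
def rabin(E, h_prev, m):
    return E(m, h_prev)                                  # key = M_i, no feed-forward


def davies_meyer(E, h_prev, m):
    return _xor(E(m, h_prev), h_prev)                    # Rabin plus forward feed of H_{i-1}


def matyas_meyer_oseas(E, h_prev, m):
    return _xor(E(h_prev, m), m)                         # dual: key = H_{i-1}, plaintext = M_i


def miyaguchi_preneel(E, h_prev, m):
    return _xor(_xor(E(h_prev, m), m), h_prev)           # plaintext, ciphertext and key all XORed


def md_pad(message: bytes) -> bytes:
    """Merkle-Damgard padding: a 1 bit, zeros, then the 64-bit message length in bits."""
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", 8 * len(message))


def md_hash(compress, message: bytes, iv: bytes = b"\x00" * BLOCK) -> bytes:
    """Figure 12.1: iterate the compression function over the padded blocks."""
    h = iv
    padded = md_pad(message)
    for i in range(0, len(padded), BLOCK):
        h = compress(toy_encrypt, h, padded[i:i + BLOCK])
    return h


def rabin_step_back(h_i: bytes, m: bytes) -> bytes:
    """The Rabin weakness behind the MIM challenge: with no feed-forward, H_{i-1} = D_{M_i}(H_i),
    so chaining values can be computed backwards from a digest. The XOR in the other three
    schemes removes this direct inversion."""
    return toy_decrypt(m, h_i)
```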
12-2 SHA-512
SHA-512 is the version of SHA with a 512-bit message digest. It is based on the Merkle-Damgard scheme.

12.2.1 Introduction
Figure 12.6 Message digest creation SHA-512
12.2.1 Continued
Message Preparation
SHA-512 insists that the length of the original message be less than 2^128 bits.

Note
SHA-512 creates a 512-bit message digest out of a message less than 2^128 bits.
12.2.1 Continued
Example 12.2
This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2^128 bits?

Solution
Suppose that a character is 32, or 2^6, bits. Each page is less than 2048, or approximately 2^12, characters. So 2^128 bits need at least 2^128 / 2^18, or 2^110, pages. This again shows that we need not worry about the message length restriction.

12.2.1 Continued
Figure 12.7 Padding and length field in SHA-512
12.2.1 Continued
Example 12.3
What is the number of padding bits if the length of the original message is 2590 bits?

Solution
We can calculate the number of padding bits as follows:
|P| = (−|M| − 128) mod 1024 = (−2590 − 128) mod 1024 = 354
The padding consists of one 1 followed by 353 0's.
12.2.1 Continued
Example 12.4
Do we need padding if the length of the original message is already a multiple of 1024 bits?

Solution
Yes we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits.
12.2.1 Continued
Example 12.5
What is the minimum and maximum number of padding bits that can be added to a message?

Solution
a. The minimum length of padding is 0 and it happens when (−|M| − 128) mod 1024 is 0. This means that |M| = −128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits. We add a 128-bit length field to make the block complete.

b. The maximum length of padding is 1023 and it happens when (−|M| − 128) = 1023 mod 1024. This means that the length of the original message is |M| = (−128 − 1023) mod 1024, or the length is |M| = 897 mod 1024. In this case, we cannot just add the length field because the length of the last block would exceed 1024 by one bit. So we need to add 897 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete.
12.2.1 Continued
Words
Figure 12.8 A message block and the digest as words

12.2.1 Continued
Word Expansion
Figure 12.9 Word expansion in SHA-512

12.2.1 Continued
Example 12.6
Show how W60 is made.

Solution
Each word in the range W16 to W79 is made from four previously-made words. W60 is made as
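SHA-512 message preparation as an added example (not from the slides): the padding-length arithmetic of Examples 12.3 to 12.5, byte-level padding with the 128-bit length field, and the word expansion of Example 12.6. The expansion rule W_t = σ1(W_t-2) + W_t-7 + σ0(W_t-15) + W_t-16 and the σ rotation amounts are those of the SHA-512 standard (FIPS 180-4); the sample block is constructed.

```python
"""SHA-512 message preparation (Figures 12.7-12.9, Examples 12.3-12.6): padding arithmetic,
byte-level padding, and the word expansion W16..W79. Added example, not from the slides."""
import struct

MASK64 = (1 << 64) - 1


def padding_bits(msg_bits: int) -> int:
    """Number of padding bits (one 1 then 0s) for a message of |M| bits:
    (-|M| - 128) mod 1024, so |M| + padding + the 128-bit length field fills whole blocks."""
    return (-msg_bits - 128) % 1024


def pad_message(message: bytes) -> bytes:
    """Byte-level padding: 0x80 (the 1 bit plus seven 0s), zero bytes, then the
    128-bit big-endian bit length (Figure 12.7)."""
    bit_len = 8 * len(message)
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 16) % 128)
    return padded + struct.pack(">QQ", bit_len >> 64, bit_len & MASK64)


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def sigma0(x: int) -> int:
    """FIPS 180-4 small sigma 0: ROTR1 ^ ROTR8 ^ SHR7."""
    return _rotr(x, 1) ^ _rotr(x, 8) ^ (x >> 7)


def sigma1(x: int) -> int:
    """FIPS 180-4 small sigma 1: ROTR19 ^ ROTR61 ^ SHR6."""
    return _rotr(x, 19) ^ _rotr(x, 61) ^ (x >> 6)


def word_expansion(block: bytes) -> list:
    """W0..W15 are the block's sixteen 64-bit words (Figure 12.8); each of W16..W79 is
    built from four earlier words (Figure 12.9): sigma1(W_t-2) + W_t-7 + sigma0(W_t-15) + W_t-16."""
    assert len(block) == 128, "SHA-512 works on 1024-bit blocks"
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        w.append((sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16]) & MASK64)
    return w


def w60(block: bytes) -> int:
    """Example 12.6 spelled out: W60 is made from W58, W53, W45 and W44."""
    w = word_expansion(block)
    return (sigma1(w[58]) + w[53] + sigma0(w[45]) + w[44]) & MASK64


# Constructed sample block: the byte values 0..127.
SAMPLE_BLOCK = bytes(range(128))
```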
12.2.1 Continued
Message Digest Initialization
12.2.2 Compression Function
Figure 12.10 Compression function in SHA-512

12.2.2 Continued
Figure 12.11 Structure of each round in SHA-512

12.2.2 Continued
Majority Function
Conditional Function
Rotate Functions
12.2.2 Continued
There are 80 constants, K0 to K79, each of 64 bits. These values are calculated from the first 80 prime numbers (2, 3, …, 409). For example, the 80th prime is 409, with the cubic root (409)^(1/3) = 7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get

The fraction part: (6C44198C4A475817)16
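Deriving the SHA-512 initial digest words and the constants K0 to K79 with exact integer roots, as an added example that is not from the slides. It reproduces the slide's value for K79 from the cube root of 409, and uses the standard's rule (FIPS 180-4) that the initial hash values come from the square roots of the first eight primes.

```python
"""Where SHA-512's constants come from (12.2.1 Message Digest Initialization and 12.2.2):
the eight initial digest words are the first 64 fraction bits of the square roots of the first
8 primes; K0..K79 are the first 64 fraction bits of the cube roots of the first 80 primes.
Added example, not from the slides; exact integer arithmetic, no floating point rounding."""
from math import isqrt

MASK64 = (1 << 64) - 1


def first_primes(count: int) -> list:
    """The first `count` primes by trial division against the primes found so far."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def icbrt(n: int) -> int:
    """Exact floor(cbrt(n)) for a non-negative integer, by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def fraction_bits_cbrt(p: int) -> int:
    """floor(cbrt(p) * 2^64) mod 2^64, since cbrt(p << 192) == cbrt(p) * 2^64 exactly:
    the low 64 bits of that integer are the first 64 bits of the fraction part."""
    return icbrt(p << 192) & MASK64


def fraction_bits_sqrt(p: int) -> int:
    """Same trick for square roots: sqrt(p << 128) == sqrt(p) * 2^64."""
    return isqrt(p << 128) & MASK64


def round_constants() -> list:
    """K0..K79 for SHA-512 (the slide's example is K79, from the 80th prime 409)."""
    return [fraction_bits_cbrt(p) for p in first_primes(80)]


def initial_hash_values() -> list:
    """The eight initial words a..h of the SHA-512 digest."""
    return [fraction_bits_sqrt(p) for p in first_primes(8)]
```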
12-3 WHIRLPOOL
Whirlpool is an iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, that uses a symmetric-key block cipher in place of the compression function. The block cipher is a modified AES cipher that has been tailored for this purpose.

12-3 Continued
Figure 12.12 Whirlpool hash function
12.3.1 Whirlpool Cipher
Figure 12.13 General idea of the Whirlpool cipher

12.3.1 Continued
Figure 12.14 Block and state in the Whirlpool cipher

12.3.1 Continued
Structure of Each Round
Each round uses four transformations.
Figure 12.15 Structure of each round in the Whirlpool cipher

12.3.1 Continued
SubBytes
Like in AES, SubBytes provides a nonlinear transformation.
Figure 12.16 SubBytes transformation in the Whirlpool cipher

12.3.1 Continued
ShiftColumns
Figure 12.18 ShiftColumns transformation in the Whirlpool cipher

12.3.1 Continued
Figure 12.19 MixRows transformation in the Whirlpool cipher

12.3.1 Continued
Figure 12.20 AddRoundKey transformation in the Whirlpool cipher

12.3.1 Continued
Figure 12.21 Key expansion in the Whirlpool cipher

12.3.1 Continued
Figure 12.22 Round constant for the third round

12.3.2 Summary
12.3.3 Analysis
Although Whirlpool has not been extensively studied or tested, it is based on a robust scheme (Miyaguchi-Preneel), and for a compression function uses a cipher that is based on AES, a cryptosystem that has been proved very resistant to attacks. In addition, the size of the message digest is the same as for SHA-512. Therefore it is expected to be a very strong cryptographic hash function.
Chapter 8
Encipherment Using Modern Symmetric-Key Ciphers
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 8
Objectives
❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long messages.
❏ To discuss five modes of operation designed to be used with modern block ciphers.
❏ To define which mode of operation creates stream ciphers out of the underlying block ciphers.
❏ To discuss the security issues and the error propagation of different modes of operation.
❏ To discuss two stream ciphers used for real-time processing of data.
8-1 USE OF MODERN BLOCK CIPHERS
Symmetric-key encipherment can be done using modern block ciphers. Modes of operation have been devised to encipher text of any size employing either DES or AES.

Topics discussed in this section:
8.1.1 Electronic Codebook (ECB) Mode
8.1.2 Cipher Block Chaining (CBC) Mode
8.1.3 Cipher Feedback (CFB) Mode
8.1.4 Output Feedback (OFB) Mode
8.1.5 Counter (CTR) Mode

8-1 Continued
Figure 8.1 Modes of operation
8.1.1 Electronic Codebook (ECB) Mode
The simplest mode of operation is called the electronic codebook (ECB) mode.
Figure 8.2 Electronic codebook (ECB) mode

8.1.1 Continued
Error Propagation
A single bit error in transmission can create errors in several bits of the corresponding block. However, the error does not have any effect on the other blocks.
8.1.2 Cipher Block Chaining (CBC) Mode
In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted.
Figure 8.3 Cipher block chaining (CBC) mode
8.1.3 Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes need to be smaller.
Figure 8.4 Encryption in cipher feedback (CFB) mode

8.1.3 Continued
Note
In CFB mode, encipherment and decipherment use the encryption function of the underlying block cipher.

The relation between plaintext and ciphertext blocks is shown below:
8.1.4 Output Feedback (OFB) Mode
In this mode each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation.
Figure 8.6 Encryption in output feedback (OFB) mode
8.1.5 Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The pseudorandomness in the key stream is achieved using a counter.
Figure 8.8 Encryption in counter (CTR) mode

8.1.5 Continued
Comparison of Different Modes
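The five modes of 8-1 and the error-propagation comparison of 8.1.5 in code, as an added example not from the slides. The "cipher" is a constructed keyed 64-bit bijection standing in for DES or AES so the block runs offline; KEY, IV and the plaintext are constructed sample values.

```python
"""ECB, CBC, CFB, OFB and CTR over a 64-bit block, plus the error-propagation comparison:
flip one ciphertext bit, decrypt, and see which plaintext blocks change and by how much.
Added example, not from the slides. toy_E/toy_D form a constructed keyed bijection that
stands in for DES/AES; it has no security value of its own."""
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15
MULT_INV = pow(MULT, -1, 1 << 64)


def toy_E(key: int, block: int) -> int:
    x = ((block ^ key) * MULT) & MASK
    return (((x << 17) | (x >> 47)) & MASK) ^ key


def toy_D(key: int, block: int) -> int:
    x = block ^ key
    x = ((x >> 17) | (x << 47)) & MASK
    return ((x * MULT_INV) & MASK) ^ key


def to_blocks(data: bytes) -> list:
    assert len(data) % 8 == 0, "this example uses whole blocks; real code pads"
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def ecb(key, iv, blocks, decrypt=False):
    f = toy_D if decrypt else toy_E
    return [f(key, b) for b in blocks]            # every block independent: patterns leak


def cbc(key, iv, blocks, decrypt=False):
    out, prev = [], iv
    for b in blocks:
        if decrypt:
            out.append(toy_D(key, b) ^ prev)      # error in C_i: P_i garbled, P_i+1 one bit
            prev = b
        else:
            prev = toy_E(key, b ^ prev)
            out.append(prev)
    return out


def cfb(key, iv, blocks, decrypt=False):
    out, prev = [], iv
    for b in blocks:
        c = b ^ toy_E(key, prev)                  # both directions use only E (note in 8.1.3)
        out.append(c)
        prev = b if decrypt else c                # feedback is always the ciphertext block
    return out


def ofb(key, iv, blocks, decrypt=False):
    out, o = [], iv
    for b in blocks:
        o = toy_E(key, o)                         # keystream depends on key and IV only
        out.append(b ^ o)
    return out


def ctr(key, iv, blocks, decrypt=False):
    return [b ^ toy_E(key, (iv + i) & MASK) for i, b in enumerate(blocks)]


MODES = {"ECB": ecb, "CBC": cbc, "CFB": cfb, "OFB": ofb, "CTR": ctr}
# Constructed sample values: a 64-bit key, an IV, and four plaintext blocks.
KEY, IV = 0x0123456789ABCDEF, 0xF0E1D2C3B4A59687
PLAINTEXT = b"block-0 block-1 block-2 block-3 "


def roundtrip_ok(mode: str) -> bool:
    p = to_blocks(PLAINTEXT)
    return MODES[mode](KEY, IV, MODES[mode](KEY, IV, p), decrypt=True) == p


def error_propagation(mode: str, flipped_block: int = 1, flipped_bit: int = 5) -> list:
    """Per-block Hamming distance between the original plaintext and the plaintext recovered
    after a single-bit transmission error in ciphertext block `flipped_block`."""
    p = to_blocks(PLAINTEXT)
    c = MODES[mode](KEY, IV, p)
    c[flipped_block] ^= 1 << flipped_bit
    recovered = MODES[mode](KEY, IV, c, decrypt=True)
    return [bin(a ^ b).count("1") for a, b in zip(p, recovered)]


def ecb_repeats_leak() -> bool:
    """Identical plaintext blocks give identical ECB ciphertext blocks; CBC hides this."""
    p = to_blocks(b"same-blksame-blk")
    e, c = ecb(KEY, IV, p), cbc(KEY, IV, p)
    return e[0] == e[1] and c[0] != c[1]
```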
Public key distribution
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public key certificates
• A public-key authority could be a bottleneck.
• Solution: certificates.
X.509 Certificates
Notations
Obtaining a Certificate
User certificates generated by the CA have the following characteristics.
1. Any user with access to the public key of the CA can verify the user public key that was certified.
2. No party other than the CA can modify the certificate without this being detected.
CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CAs must form a hierarchy
• use certificates linking members of the hierarchy to validate other CAs
  – each CA has certificates for clients (forward) and parent (backward)
• each client trusts its parent's certificates
• enables verification of any certificate from one CA by users of all other CAs in the hierarchy
CA Hierarchy Use
EX:
A verifies the certificate of B, Z<<B>>, using the chain:
X<<W>>, W<<V>>, V<<Y>>, Y<<Z>>, Z<<B>>

B verifies the certificate of A, X<<A>>, using the chain:
Z<<Y>>, Y<<V>>, V<<W>>, W<<X>>, X<<A>>
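Chain validation in the X<<Y>> notation for Example 15.3, the Figure 14.5 hierarchy and the CA Hierarchy Use example above, as an added example not from the slides. Signatures are textbook RSA over constructed toy primes with a SHA-256 digest, insecure and present only so each link has a real sign/verify step; the CA and user names follow the figure.

```python
"""Certificate-chain validation in the X<<Y>> notation (Example 15.3, Figure 14.5, CA Hierarchy
Use). Added example, not from the slides. Signatures: textbook RSA over constructed ~1e6-size
primes with a SHA-256 digest, insecure, present only so each link has a real sign/verify."""
import hashlib
from math import gcd
from typing import List, NamedTuple

E = 65537

def _next_prime(n: int) -> int:
    while not (n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))):
        n += 1
    return n

def make_keypair(seed: int):
    """Toy RSA key pair derived from a seed; returns (public, private)."""
    p = _next_prime(1_000_003 + 1000 * seed)
    q = _next_prime(p + 1)
    while gcd(E, (p - 1) * (q - 1)) != 1:          # keep e invertible modulo phi(n)
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)

class Cert(NamedTuple):
    """X<<Y>>: CA `issuer` certifies that `subject` holds `subject_pub`."""
    issuer: str
    subject: str
    subject_pub: tuple
    sig: int

    def body(self) -> bytes:
        return f"{self.issuer}<<{self.subject}>>:{self.subject_pub}".encode()

def issue(issuer: str, issuer_private, subject: str, subject_pub) -> Cert:
    unsigned = Cert(issuer, subject, subject_pub, 0)
    return unsigned._replace(sig=sign(issuer_private, unsigned.body()))

def validate_chain(anchor: str, anchor_pub, chain: List[Cert], target: str):
    """Steps a-d of Example 15.3, generalised: each link must be issued by the entity whose key
    the previous link established, and must verify under that key. Returns the target's key."""
    name, pub = anchor, anchor_pub
    for cert in chain:
        if cert.issuer != name:
            raise ValueError(f"{cert.issuer}<<{cert.subject}>> is not issued by trusted {name}")
        if not verify(pub, cert.body(), cert.sig):
            raise ValueError(f"bad signature on {cert.issuer}<<{cert.subject}>>")
        name, pub = cert.subject, cert.subject_pub
    if name != target:
        raise ValueError(f"chain ends at {name}, not {target}")
    return pub

def chain_error(anchor: str, anchor_pub, chain: List[Cert], target: str):
    """The rejection reason for a chain, or None when it validates."""
    try:
        validate_chain(anchor, anchor_pub, chain, target)
    except ValueError as err:
        return str(err)
    return None

# Constructed hierarchy: CAs X, W, V, Y, Z and users A, B, as in Figure 14.5.
KEYS = {who: make_keypair(i) for i, who in enumerate("XWVYZAB")}
PUB = {who: KEYS[who][0] for who in KEYS}

def link(issuer: str, subject: str) -> Cert:
    return issue(issuer, KEYS[issuer][1], subject, PUB[subject])

LONG_CHAIN_TO_B = [link("X", "W"), link("W", "V"), link("V", "Y"), link("Y", "Z"), link("Z", "B")]
SHORT_CHAIN_TO_B = [link("X", "Z"), link("Z", "B")]      # X has directly certified Z
```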
Certificate Revocation
• Certificates have a period of validity
• may need to revoke before expiry, e.g.:
  1. user's private key is compromised
  2. user is no longer certified by this CA
  3. CA's certificate is compromised
• CAs maintain a list of revoked certificates, but not expired ones
  – the Certificate Revocation List (CRL)
• users should check certificates with the CA's CRL
X.509 Version 3
X.509 v2 drawbacks:
• 1. The Subject field is inadequate to convey the identity of a key owner to a public-key user, and recognizes entities by e-mail address, a URL, etc.
• 2. There is a need to indicate security policy information. This enables a security application or function, such as IPSec, to relate an X.509 certificate to a given policy.
• 3. There is a need to limit the damage that can result from a faulty or malicious CA by setting constraints on the applicability of a particular certificate.
• 4. It is important to be able to identify different keys used by the same owner at different times. This feature supports key life cycle management, in particular the ability to update key pairs for users and CAs on a regular basis or under exceptional conditions.
Extensions
• Three categories:
• 1. Key and Policy Information
• 2. Certificate subject and issuer attributes
• 3. Certification Path constraints
9/25/21, 10:34 AM Security of RSA - GeeksforGeeks

Security of RSA:
These are explained as follows.

1. Plain text attacks:
These are classified into 3 subcategories:

Short message attack:
In this we assume that the attacker knows some blocks of plain text and tries to decode the cipher text with the help of that. So, to prevent this, pad the plain text before encrypting.
Cycling attack:
In this the attacker assumes that the plain text was converted into cipher text using a permutation, and repeatedly applies the encryption to the cipher text hoping to cycle back to the plain text. If the result is not the right plain text, the attacker keeps doing it.
Unconcealed Message attack:
Sometimes it happens that the plain text is the same as the cipher text after encryption. So it must be checked that this cannot be exploited.

2. Chosen cipher attack:
In this the attacker is able to find out the plain text based on the cipher text using the Extended Euclidean Algorithm.

3. Factorisation attack:
If the attacker is able to find P and Q from N, then he could find out the value of the private key. This fails when N contains at least 300 decimal digits: the attacker is not able to factor it. Hence it fails.

https://www.geeksforgeeks.org/security-of-rsa/ 1/2
4. Attacks on Encryption key:
If we take a smaller value of E in RSA this may occur, so to avoid this take a value of E = 2^16+1 (at least).

5. Attacks on Decryption key:

Revealed decryption exponent attack:
If the attacker somehow guesses the decryption key D, not only is the cipher text generated by encrypting the plain text with the corresponding encryption key in danger, but even future messages are also in danger. So, it is advised to take fresh values of the two prime numbers (i.e., P and Q), N and E.
Low decryption exponent attack:
If we take a smaller value of D in RSA this may occur, so to avoid this take a value of D = 2^16+1 (at least).

V SEMESTER B.TECH. (CCE) IN-SEMESTER EXAMINATIONS NOVEMBER 2021
SUBJECT: INFORMATION SECURITY [ICT 3172] SET 1 SCHEME
Date of Exam: 17/11/2021 Time of Exam: 4:00 PM TO 5:30 PM Max. Marks: 20

1. Give an example of replay attacks. List and explain any three general approaches for dealing with replay attacks. [3]

Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like hashing, or even salting, the password); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (acting as Alice) connects to Bob; when asked for proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts, thus granting Eve access. [1 M]

Ways to prevent: [2 M]
Session IDs, also known as session tokens, are one mechanism that can be used to help avoid replay attacks. The way of generating a session ID works as follows.
1. Bob sends a one-time token to Alice, which Alice uses to transform the password and send the result to Bob. For example, she would use the token to compute a hash function of the session token and append it to the password to be used.
2. On his side Bob performs the same computation with the session token.
3. If and only if both Alice's and Bob's values match, the login is successful.
4. Now suppose an attacker Eve has captured this value and tries to use it on another session. Bob would send a different session token, and when Eve replies with her captured value it will be different from Bob's computation, so he will know it is not Alice.
One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time. They can be used to authenticate individual transactions in addition to sessions.
Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check.
Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example, Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance.
2. Eve secretly uses Alice's computer and types the cipher text "IRRMNMOWAGN". She gets the plain text "WarmMorning". If Alice is using a Keyed Transposition Cipher, answer the following questions. [3]
a) What type of attack was launched here? Explain.
b) Using the same key, decipher "SENNOYPFUNR".
c) Encrypt the text decrypted above using a row transposition cipher with the key = 3.
d) What is the size of the permutation key?
a) The type of attack launched here is a chosen cipher text with pattern attack. Here the attacker gains control of the decryption PC. The key is deduced by identifying the pattern amongst plain text and cipher text. [1]
b) Key: 9 7 3 4 10 5 6 1 2 11 8
PT: Funny Person [1]
c) FYSUNPRONEN [0.5]
d) 11 [0.5]
3. How many nonces are used in the Needham-Schroeder protocol and the Otway-Rees protocol? Are there any differences in the number of nonces? Why? Justify your answer. [3]

Assume Eve records the exchanges in a session between Alice and Bob. If she is somehow successful in obtaining the session key, KAB, Eve can launch a new session starting with the third exchange; she resends the ticket to Bob. Bob responds by sending a new nonce, RB. Eve can decrypt this message (she knows the session key) and obtain RB. Eve now responds using RB−1. A session has been created between Bob and Eve. The flaw in the protocol is that there is not a nonce that glues the five exchanges in the session. The first nonce, RA, is active only for the first two messages; the second nonce, RB, is active only for the last two messages. Eve can partially replay the second part of these messages. In the Otway-Rees protocol, a third nonce, R, is used to be active during all four exchanges. Eve cannot replay only part of the message.

4. Difference between stateful and stateless IDS. Comment on their levels of security in detecting intrusion with examples. [3]
5. Given the hex code of the ciphertext {41 9c 12 3c 5a 3d 23 2a 6b 4a 5e 4d 7c 90 4b 2f} and the initial key {73 61 74 69 73 68 63 6a 69 73 62 6f 72 69 6e 67}, answer the following by applying the functions of the Advanced Encryption Standard (AES-128). Refer to tables 5(a) and 5(b).
i. Show the original State displayed as a 4x4 matrix.
ii. Show the value of the State after SubBytes.
iii. For the above output, show the value of the State after ShiftRows.
iv. Using the Key Expansion method compute W4 and W5 for the initial key given above.
Table 5(a): RCON Constants
Table 5(b): Sub Bytes

Parts 1 and 2 = 1 M, Part 3 = 1 M, Part 4 = 2 M

I. Original State:
41 5a 6b 7c
9c 3d 4a 90
12 23 5e 4b
3c 2a 4d 2f

II. After SubBytes:
83 be 7f 10
91 27 d6 60
c9 26 58 b3
eb e5 e3 15

III. After ShiftRows:
83 be 7f 10
27 d6 60 91
58 b3 c9 26
15 eb e5 e3

IV. Key words (columns w0 w1 w2 w3):
73 73 69 72
61 68 73 69
74 63 62 6e
69 6a 6f 67

RotWord(w3) = 69 6e 67 72
SubWord(RotWord(w3)) = f9 9f 85 40
SubWord(RotWord(w3)) xor Rcon(1) = f8 9f 85 40
W4 = w0 xor (SubWord(RotWord(w3)) xor Rcon(1)) = 8b fe f1 29
W5 = w1 xor W4 = f8 96 92 43
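AES-128 helpers for Question 5, as an added example not part of the exam scheme: the S-box computed from GF(2^8) arithmetic, the column-major state, ShiftRows and the key expansion producing W4 and W5; the ciphertext and key are the question's own values.

```python
"""AES-128 pieces used in Question 5: S-box from GF(2^8) (inverse, then affine map), the 4x4
state, ShiftRows, and the key expansion that yields W4 and W5. Added example, not part of the
exam scheme; CIPHERTEXT and KEY are the question's values."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox() -> list:
    """S(x) = affine(x^-1): multiplicative inverse (0 maps to 0), then x ^ rotl1..4(x) ^ 0x63."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def to_state(data: bytes) -> list:
    """16 bytes fill the state column by column: state[row][col] = data[row + 4*col]."""
    return [[data[r + 4 * c] for c in range(4)] for r in range(4)]


def sub_bytes(state: list) -> list:
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state: list) -> list:
    """Row r is rotated left by r positions."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def expand_key(key: bytes) -> list:
    """AES-128 key schedule: 44 words; every fourth word passes through RotWord, SubWord, Rcon."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                  # RotWord
            t = [SBOX[b] for b in t]           # SubWord
            t[0] ^= RCON[i // 4 - 1]           # Rcon(i/4) affects the first byte only
        w.append([a ^ b for a, b in zip(w[i - 4], t)])   # W_i = W_{i-4} xor t, e.g. W5 = w1 xor W4
    return w


# The question's ciphertext and initial key.
CIPHERTEXT = bytes.fromhex("419c123c5a3d232a6b4a5e4d7c904b2f")
KEY = bytes.fromhex("736174697368636a6973626f72696e67")
```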
6. In RSA, given N = 187 and encryption key = 7, find the corresponding decryption key. Decrypt the cipher message if C = 11. Derive and explain the following attacks against RSA: [4]
a) Cycling attack
b) Chosen Cipher Text attack

Select two large primes p, q, p ≠ q: p = 17, q = 11; n = p×q = 17×11 = 187; Φ(n) = (p−1)(q−1) = 16×10 = 160.
Select e such that gcd(Φ(n), e) = 1, 0 < e < Φ(n); say e = 7.
d = e^−1 mod Φ(n) = 23 [0.5]
Pu K = {7, 187}
Pr K = {23, 187}
Decryption:
M = 11^23 mod 187 = 88 [0.5]
Attacks: [1.5 × 2 = 3]
a) Cycling attack: If the Cipher Text is a permutation of the Plain Text, then continuous encryption of CT results in PT.
Intercepted Cipher Text: C
C1 = C^e mod n
C2 = C1^e mod n
…
Ck = Ck−1^e mod n; if Ck = C, stop: P = Ck−1

b) Chosen Cipher Text attack
• Alice sends C = P^e mod n to Bob
• Eve intercepts C and does the following:
1. Eve chooses a random integer X in Z*n
2. Eve calculates Y = C·X^e mod n
3. Eve sends Y for decryption to Bob; Z = Y^d mod n
Z = Y^d mod n = (C·X^e)^d mod n = C^d·X mod n = P·X mod n
P = Z·X^−1 mod n
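Question 6 in code, also covering the unconcealed-message and chosen-ciphertext points of the "Security of RSA" article above; an added example, not from the exam scheme or the article. The numbers are the question's (p = 17, q = 11, e = 7, C = 11); passing Bob's private key into blinding_recovers_plaintext to play his decryption step is an assumption of the demonstration.

```python
"""Question 6 worked in code: key generation from the question's primes, decryption of C = 11,
the cycling attack, the chosen-ciphertext (blinding) property of unpadded RSA, and the count of
unconcealed messages from the 'Security of RSA' article. Added example; p = 17, q = 11, e = 7."""
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Returns ((e, n), (d, n)) with d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    return (e, n), (pow(e, -1, phi), n)


def encrypt(pub, m: int) -> int:
    e, n = pub
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)


def cycling_attack(c: int, pub, max_rounds: int = 10_000):
    """Re-encrypt C repeatedly: C1 = C^e, C2 = C1^e, ... until Ck = C; then P = C(k-1).
    Encryption permutes Z_n, so the orbit of C returns to C. Returns P, or None when the
    orbit is longer than max_rounds, which is the practical defence: for real moduli the
    cycle length is astronomically large."""
    prev, cur = c, encrypt(pub, c)
    for _ in range(max_rounds):
        if cur == c:
            return prev
        prev, cur = cur, encrypt(pub, cur)
    return None


def blinding_recovers_plaintext(c: int, pub, priv, x: int) -> int:
    """Chosen-ciphertext property of unpadded RSA (Q6b): Eve submits Y = C * X^e mod n, Bob
    returns Z = Y^d = P * X mod n, and Eve strips X. `priv` plays Bob's decryption step here.
    Padding schemes such as OAEP make Bob reject such crafted inputs."""
    e, n = pub
    assert gcd(x, n) == 1, "X must be in Z_n^*"
    y = (c * pow(x, e, n)) % n
    z = decrypt(priv, y)                       # Bob decrypts Y without recognising C inside
    return (z * pow(x, -1, n)) % n


def unconcealed_messages(pub) -> list:
    """Messages with M^e mod n == M: the 'unconcealed message' case of the article."""
    e, n = pub
    return [m for m in range(n) if pow(m, e, n) == m]


def expected_unconcealed_count(p: int, q: int, e: int) -> int:
    """Closed form for the number of fixed points: (1 + gcd(e-1, p-1)) * (1 + gcd(e-1, q-1))."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))
```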
