62

CHAPTER 3

RESEARCH METHODOLOGY

3.1 INTRODUCTION

After exploring the previous researches and techniques that have

been done, this chapter will discuss in details the methodology and the
framework to be used in this thesis. The following section describes the
technical background of the Encrypted key exchange protocol and the
undetectable online password guessing attack on it. In this study, the proposed
methodology will consider the several methodologies that had been followed
by previous researchers that relates to the thesis. To achieve better
performance, new techniques have been proposed based on methodologies
given in this chapter.

3.2 ENCRYPTED KEY EXCHANGE PROTOCOL

The key exchange protocol is one of the most elegant ways of

establishing secure communication between pair of users by using a session
key. The session key, which is exchanged between two users, assures the
secure communication for later sessions. In the line of key exchange protocol
development, password based key exchange mechanism achieved attention
due to its simplicity and wide range of applicability, as it requires the users to
remember the password. Even though the protocol is simple and efficient, it
should not be vulnerable to any type of off line, undetectable or detectable on
line password guessing attacks, since the passwords are of low-entropy.
 63

Let client A and client B be the two communication parties. Since

symmetric cryptosystem is used, both clients need to use the shared secret key
for their secured communication. As a initial process client A generates its
secret key. For exchange of the secret key, a trusted third party is to be used,
and here the server S is used. Client A now sends the encrypted secret key to
the trusted server. The server then checks for the authentication user A, and if
authenticated its shares the secret key to client B.

After receiving the shared secret key from the server, client B
verifies the authentication of the trusted server and client A. Once found
authenticated, client B accepts the key. As a result client B generate the
shared secret key, encrypted its and sends it to the trusted server. Server S
verifies the authentication on client B and accepts the key and sends it to
client A. On receiving the shared key client A verifies the authentication of
the trusted server and client B. if authenticated it verifies the shared secret key
received from client B. On verification the secured communication between
Client A and B begins.

3.2.1 Notations

The notations used in three party encrypted key exchange protocol

are defined as follows.

A, B: two communication parties,

S: the trusted server.

IDA, IDB, IDS: the identities of A, B, and S, respectively.

PWA, PWB: the passwords securely shared by A and B with

S, respectively.

EPW(·): a symmetric encryption scheme with a password PW.

 64

rA, rB: the random numbers chosen by A and B, respectively.

p: a large prime.

g: a generator of order p-1.

RA, RB, RS: the random exponents chosen by A, B, and S,

respectively.

NA, NB: NA=gRA mod p and NB=gRB mod p.

FS(·): the one-way trapdoor hash function (TDF) , where only

S knows the trapdoor.

fK(·): the pseudo random hash function (PRF) indexed by a

key K.

KAS, KBS: a one-time strong keys shared by A with S and B

with S, respectively.

3.2.2 Procedure

There are six steps followed by the communicating parties to begin

a secured communication by sharing the secret key with the help of a trusted
server. Shared Information represents the information that is to be shared
throughout the communication between the three communicating parties.

Shared Information: IDA , IDB , IDS , p, g , E(.) , FS(.) , fK (.)

The information that each client shares only with the server is their
corresponding passwords.

Information held by User A : pwA

Information held by User B : pwB

Information held by server S : pwA , pwB

 65

Step 1 : A, IDB, IDS, EPWA(NA), FS(rA), fKAS (NA)}.

User A chooses a random integer number r A and a random

exponent RA RZ*p, and then computes NA=gRA and KAS=NARA.
A by using his/her password PWA like
EPWA(NA), and computes two hash values FS (rA) and fKAS (NA).
Finally, A sends {IDA, IDB, IDS, EPWA(NA), FS (rA), fKAS(NA)}
to B.

User A User B Server

Choose nonce r A
Choose RA R Zp
Compute NA gRA(modp)
Compute KAS NArA(mod p)

{IDA,IDB,IDS,EpwA(NA),FS(rA),fKAS(NA)}

Figure:3.1 Message from Client A to Client B

Step 2 : A, IDB, IDS, EPWA(NA), FS (rA), fKAS (NA), EPWB (NB),

FS(rB), fKBS (NB)}. User B chooses a random integer number rB
and a random exponent RB RZ*p, and then computes NB=gRB
and KBS=NBRB.

Then, B encrypts NB by using his/her password PWB like

EPWB(NB), and computes two hash values FS (rB) and fKBS (NB).
Finally, B sends {IDA, IDB, IDS, EPWA(NA), FS (rA), fKAS (NA),
EPWB(NB), FS (rB), fKBS (NB)} to S.
 66

User A User B Server

Choose nonce rB
Choose RB RZp
Compute NB gRB(modp)
Compute KBS NBRB(mod p)
{IDA,IDB,IDS,,EpwA(NA),FS(rA),fKAS(NA),
EpwB(NB),FS(rB),fKBS(N}

Figure 3.2 Message from Client B to Server

RS
Step 3 : B , fKAS (IDA, IDB, KAS,NBRS), NARS, fKBS (IDA,IDB,
KBS, NA RS)}.

Server S decrypts EPWA(NA) and EPWB(NB) by using PWA and

PWB to get NA and NB, respectively. Then, S gets rA and rB from
FS (rA) and FS(rB) by using a trapdoor, respectively. To
authenticate A and B, S computes KAS=NArA and KBS=NB rB and
then verifies fKAS (NA) and fKBS (NB), respectively. If successful,
S chooses a random exponent RS RZ*p. and then computes
NARS and NBRS, respectively. Finally, S computes two hash
values fKAS (IDA, IDB, KAS, NBRS) and fKBS (IDA,IDB, KBS,
NARS), and sends {NBRS, fKAS (IDA, IDB, KAS,NBRS), NARS, fKBS
(IDA, IDB, KBS, NARS)} to B.
 67

User A User B Server

Decrypt EpwA(NA) and EpwB(NB)

Extract rA and rB from F S(rA)
and F S(rB )
Compute KAS NA rA (mod P)
Compute KBS NB rB (mod P)
Verify fKAS(NA) and fKBS(NB)
Choose RS R Zp

Compute NARS (mod p)

RS
and NB (mod p)

{NBRS,fKAS(IDA,IDB,KAS,NBRS),{NARS,fKBS(IDA,IDB,KBS,NARS)}

Figure 3.3 Message from Server to Client B

RS
Step 4 : B , f KAS (IDA, IDB, KAS, NBRS), fK(IDB, K)}

User A Server
User B

Verify fKBS(IDA,IDB,KBS,NARS)
Compute K (NARS)RB(mod p)

{ NBRS, fKAS(IDA,IDB,KAS,NBRS),fK(IDB,K)}

Figure 3.4 Message from Client B to Client A

By using KBS=NBrB, B authenticates S by checking fKBS

(IDA,IDB, KBS, NARS). If successful, B computes the session key
K=(NARS)RB=gRSRARB and hash value fK(IDB, K), and then sends
{NBRS, fKAS (IDA, IDB, KAS, NBRS), fK(IDB, K)} to A.
 68

Step 5 : K(IDA, K)}

By using KAS=NArA, A authenticates S by checking fKAS (IDA,

IDB, KAS, NBRS). If successful, A computes the session key
K=(NBRS)RA =gRSRARB, and authenticates B by checking fK(IDB,
K). If the authentication is passed, A computes and sends
fK(IDA, K) to B.

User A User B Server

Verify fKAS(IDA,IDB,KAS,NBRS
Compute K (NBRS)RA(mod p)
Verify fK(IDB,K)
{fK(IDA,K)}

Figure 3.5 Session Key Exchange

Step 6 : B authenticates A by checking fK(IDA, K). If successful, B

confirms A's knowledge of the session key K=g RSRARB.

User A User B Server

Verify fK(IDA,K)

Figure 3.6 Session Key verification

Finally client A and client B has exchanged the secret key and now
the secured communication begins using the shared secret key. The overall
representation of the encrypted key exchange protocol is shown in figure 3.7.
 69

Shared Information: IDA , IDB , IDS , p, g , E(.) , FS(.) , fK (.)

Information held by User A : pwA
Information held by User B : pwB
Information held by server S : pwA , pwB

User A User B Server S

Choose nonce rA
Choose RA R Zp
Compute NA gRA(modp)
Compute KAS NArA(mod p)
{IDA,IDB,IDS,EpwA(NA),FS(rA),fKAS(NA)}

Choose nonce rB
Choose RA RZp
Compute NA gRA(modp)
Compute KAS NArA(mod p)

{IDA,IDB,IDS,EpwA(NA),FS(rA),fKAS(NA),EpwB(NB),FS(rB),fKBS(NB)}
DecryptEpwA(NA) and E pwB(NB)
Extract rA and rB from Fs(rA) and Fs(rB)
compute KAS NArA(mod p)
compute KBS NBrB (mod p)
Verify fKAS(NA) and fKBS(NB)
Choose RS R Zp
Compute NARS (mod p) and NBRS(mod p)
{NBRS,fKAS(IDA,IDB,KAS,NBRS),NARS, fKBS(IDA,IDB,KBS,NARS)}

Verify fKBS(IDA,IDB,KBS,NARS)
Compute K (NARS)RB(mod p)

{NBRS, fKAS(IDA,IDB,KAS,NBRS),NARS,{fK(IDB,K)}

Verify fKAS(IDA,IDB,KAS,NBRS)
Compute K (NBRS)RA(mod p)
Verify fK (IDB,K)

{fK(IDA,K)}

Verify fK(IDA,K)

Figure 3.7 Encrypted Key Exchange protocol

 70

3.3 UNDETECTABLE PASSWORD GUESSING ATTACK ON

ENCRYPTED KEY EXCHANGE PROTOCOL

This section demonstrates the undetectable password guessing

attack on encrypted key exchange protocol. Assuming B as the malicious
party, the procedure of the attack is given below:

Step1 : A, IDB, IDS,EPWA(NA), FS(rA),fKAS (NA)}

Step2 : B records message {IDA, IDB, IDS,EPWA(NA),FS(rA), fKAS (NA)}

from A

Step3 : B guesses a password PWA* from password dictionary and gets

N*A

Step4 : B chooses a random integer rB and then computes KBS = N*ArB .

Then, B encrypts N*A by using its password PWB like EPWB
(N*A) and computes two hash values FS(rB) and fKBS (N*A).

Step5 : A, IDB, IDS,EPWA(NA), FS(rA),fKAS (NA),EPWB(N*A),

FS(rB), fKBS (N*A)} B transmits {IDA, IDB, IDS,EPWA(NA),
FS(rA),fKAS (NA),EPWB(NB), FS(rB), fKBS (NB)}

Step6 : *ARS , fKAS (IDA, IDB,KAS,N*ARS),NARS, fKBS(IDA,

IDB,KBS,NARS )}. After receiving the message, S can
authenticate A and B by verifying f KAS (NA) and fKBS (N'A),
respectively. S will compute fKAS (IDA, IDB,KAS,N'ARS ) and
fKBS(IDA, IDB,KBS,NARS ) to B.
 71

RS
Step7 : After receiving the message B simply compares N*A =
NARS.If N*A RS
= NARS, it follows that PWA* = PWA. The
diagrammatic representation of the same is shown in Figure 3.8.

Shared Information: IDA , IDB , IDS , p, g , E(.) , F S(.) , fK (.),

Information held by User A : PWA
Information held by User B : PWB ,
Information held by server S : PWA , PWB
User A Attacker B Server S

IDA, IDB, IDS, EPWA(NA), FS(rA), fKAS (NA)}.

Guess a password PW A*
Decrypt N*A (D PWA, (NA))
Choose nonce rB
Compute KBS N*A RB (mod p)
Encrypt E PWB(N*A)
Compute fKBS(N*A)

{IDA,IDB,IDS,EPWA(NA),FS(rA),fKAS(NA),EPWB(NB),FS(rB),fKBS (NB)}

Decrypt EpwA(NA) and EpwB(NB)

Extract rA and rB from FS(rA)
and FS(rB )
Compute KAS NA rA (mod P)
Compute KBS NB rB (mod P)
Verify fKAS(NA) and fKBS(NB)
Choose RS R Zp
Compute NARS (mod p)
and NBRS(mod p)
NB ,fKAS(IDA,IDB,KAS,NB ),{NARS,fKBS(IDA,IDB,KBS,NARS)}
RS RS

Verify N*A RS = N ARS

A=N A A=pw A
Otherwise, guess a password pw* A
Decrypt N* A (DPWA*(N A))
Compute KBS N*ArB (mod p)
Encrypt E PWB(N*A)
Compute f KBS(N* A) }

{IDA,IDB,IDS,EPWA(NA),F S(rA),fKAS(NA),EPWB(N*A),FS(rB),fKBS (N*A)}

Figure 3.8 Undetectable password guessing attack on EKE

 72

Shared Information: IDA , IDC , IDS , p, g , E(.) , F S(.) , fK (.),

Information held by User B : PW A
Information held by User C : PW C , Information held by server S : PW A , PW C

User B User C Server S

Choose nonce rA
Choose RA R Zp
Compute NA gRA(modp)
Compute KAS NArA(mod p)
B encrypts NA by using password of A i.e. PWA
(This is already obtained as shown in figure 3.8)
{IDA, IDC, IDS, EPWA(NA), FS(rA), fKAS (NA)}

Choose nonce rC
Choose RC R Zp
Compute NC gRC(modp)
Compute KCS NCrC(mod p)
{IDA,IDC,IDS,EPWA(NA),FS(rA),fKAS(NA),EPWC(NC),F S(rC),fKCS (NC)}

(As S Believes that A &C wants to establish a session)

Decrypt EpwA(NA) and Epwc(Nc)
Extract rA and rc from F S(rA) and FS(rc )
Compute KAS NA rA (mod P)
Compute KCS NC rB (mod P)
Verify fKAS(NA) and fKCS(NC)
Choose RS R Zp
Compute NARS (mod p)
and NCRS(mod p)
NC ,fKAS(IDA,IDC,KAS,NC ),{NA ,fKCS(IDA,IDC,KCS,NARS)}
RS RS RS

Verify fKCS(IDA,IDC,KCS,NARS) and Compute K (NARS)RC(mod p)

{NCRS, fKAS(IDA,IDC,KAS,NCRS),fK(IDC,K)}
Verify fKAS(IDA,IDC,KAS,NCRS) and Compute K (NCRS)RA(mod p)
B user Ida to make believe that it is A and computes f K(IDA,K)
Verify fK(IDC,K)

fK(IDA,K)

Verify fK(IDA,K)

Figure 3.9 Impersonation attack on EKE

 73

A malicious party B guesses the password of A using

Undetectable password guessing attack as discussed in section 3.3. B uses
the password of A for impersonating A, when A and C wants to
communicate. The following procedure presents the attack in detail.

Step 1 : B C:{IDA, IDC, IDS, E PWA(N A ), F S(r A), f KAS (NA)}

User B chooses a random integer RA number rA and a random

exponent RA Z*p , and then computes N A = g RA and K AS =
NA .Then, B encrypts NA by using password of A i.e. PWA
like EPWA (NA) and computes two hash values F S(rA) and fKAS
(NA). Finally, B sends {ID A,IDB ,ID S,EPWA (N A ), F S(r A), f KAS
(NA) }to C.

Step2 : C S: {IDA, IDC, ID S, EPWA (N A), F S(r A), f KAS (N A), E PWC(N C),
F S(rC ), f KCS (NC)}

User C chooses a random integer r C and a random exponent

RC Z*p, and then computes N C = gRC and K cs = NC RC. Then,
C encrypts N C by using its password PWC like E PWC (NC) and
computes two hash values F S(rC) and fKCS(N C ). Finally, C
sends {IDA,IDC,IDS,EPWA(NA), F S(rA), f KAS (N A ), EPWC (N C),
F S(rC ), f KCS (NC)} to S.

RS RS RS
Step3 : S C :{ NC , fKAS(IDA, ID C, K AS, NC ), NC , fKCS(IDA,
ID C, K CS, NARS )}

Server S decrypts E PWA(N A) and E PWC (N C ) by using PWA and

PWC (As S believes that A & C wants to establish a session)
to get NA and NC, respectively. Then, S gets r A and rC from
F S(rA) and FS(rC) by using a trap door, respectively. To
 74

authenticate A and C, S computes K AS = NArA and KCS = NC rC

and then verifies f KAS (NA) and fKCS (NC), respectively. If
successful, S chooses a random exponent R S Z*p and then
computes NARS and NC RS
respectively. Finally, S computes
two hash values fKAS (ID A , IDC,KAS,NC RS ), fKCS (ID A, ID C,K CS,
,NARS ), and sends { NC RS
, f KAS (ID A, IDC,KAS,NCRS ),NARS
,f KCS(IDA, IDC,KCS,NARS )} to C.

Step 4 : C B: { NC RS , f KAS (IDA, IDC,KAS,NCRS), fk(IDC,K)}.

By using K CS = NCrC, C authenticates S by checking f KCS(IDA,

IDC,KCS,NARS ).If successful, C computes the session key K =
(NARS )RC = gRS RARC and hash value fK(IDC,K), and then sends
RS
{NC , fKAS (IDA, IDC,KCS,NARS ), f K(IDC,K) } to B (thinking
B as A).

Step 5 : B C: {f K (IDA, K)} By using KAS = NArA , A authenticates S

by checking f KAS (IDA, IDC,KAS,NCRS ).

RS RA
If successful B computes the session key K = (N C ) =
gRSRARC and authenticates C by checking f K(IDC,K). If
authentication is passed, B computes and sends f K(IDA,K) (B
uses ID A to make C believe that it is A).

Step 6 : C authenticates A(C is thinking B as A) by checking

f K(IDA
session key K = gRSRARB Figure 3.9 illustrates impersonation
attack on ECC-3PEKE protocol. Similarly impersonation of
the responder works on the same protocol.
 75

The encrypted key exchange protocol is vulnerable to undetectable

password guessing attack. Once when the guessed password is verified to be
correct, the malicious party B uses the guessed password of A for
impersonating A, where A and C wishes to communicate. To overcome the
undetectable password guessing attack an enhanced protocol is proposed. The
proposed protocol is discussed in the forth coming chapters.

3.4 MATHEMATICAL BACKGROUND

Prime number

A prime number (or a prime) is a natural number which has exactly

two distinct natural number divisors 1 and itself. The fundamental theorem of
arithmetic establishes the central role of primes in number, theory. Any non-
zero natural number n can be factored into primes, written as a product of
primes or powers of primes. Moreover, this factorization is unique except for
a possible reordering of the factors.

The property of being a prime is called primality. Verifying the

primality of a given number n can be done by trial divisions, that is to say
dividing by all smaller numbers m , thereby checking whether is a
multiple of m , and therefore not prime, or composite. For big primes,
increasingly sophisticated algorithms which are faster than that technique
have been devised.

Cyclic group

In group theory, a cyclic group is a group that can be generated by a

single element, in the sense that the group has an element g (called a
"generator" of the group) such that, when written multiplicatively, every
 76

element of the group is a power of g (a multiple of g when the notation is

additive).

A group G is called cyclic if there exists an element g in G such

that G = <g> = { g n | n is an integer }. Since any group generated by an
element in a group is a subgroup of that group, showing that the only
subgroup of a group G that contains g is G itself suffices to show that G is
cyclic.

For example, if G = { g0, g1, g2, g3, g4, g5 } is a group, then g6 = g0,
and G is cyclic.

Properties

The fundamental theorem of cyclic group states that, if G is a cyclic

group of order then every subgroup of G is cyclic. Moreover, the order
of any subgroup of G is a divisor of n and for each positive divisor k of n
the group G has exactly one subgroup of order k . This property
characterizes finite cyclic groups, a group of order is cyclic if and only if
for every divisor d of n the group has at most one subgroup of order d .

Sometimes the equivalent statement is used. A group of order is

cyclic if and only if for every divisor d of the group has exactly one
subgroup of order d .

Generating set of a group

In abstract algebra, a generating set of a group G is a subset S

such that every element of G can be expressed as the product of finitely
many elements of S and their inverses.
 77

If S is a subset of a group G , then <S>, the subgroup generated

by S , is the smallest subgroup of G containing every element of S, meaning
the intersection over all subgroups containing the elements of S. Equivalently,
<S> is the subgroup of all elements of G that can be expressed as the finite
product of elements in S and their inverses.

If G = <S>, then S generates G, and the elements in S are called

generators or group generators. If S is the empty set, then <S> is the trivial
group {e}, since the empty product is considered to be the identity.

When there is only a single element x in S, <S> is usually written

as <x>. In this case, <x> is the cyclic subgroup of the powers of x , a cyclic
group, and this group is generated by x. Equivalently, an element x generates
a group saying that <x> equals the entire group G. For finite groups, it is also
equivalent that x has order |G|.

The Exclusive-OR (XOR) Function

Exclusive OR (XOR) is one of the fundamental mathematical

operations used in cryptography (and many other applications). Exclusive-OR
(XOR) function is defined as a bunch of primitive logical operations where
there are one or two inputs and a single output depending upon the operation.
The input and output are either TRUE or FALSE. The most elemental
Boolean operations are,

NOT: The output value is the inverse of the input value (i.e.,
the output is TRUE if the input is false, FALSE if the input is
true)
 78

AND: The output is TRUE if all inputs are true, otherwise

FALSE. (E.g., "the sky is blue AND the world is flat" is
FALSE while "the sky is blue AND security is a process" is
TRUE.)

OR: The output is TRUE if either or both inputs are true,

otherwise FALSE. (E.g., "the sky is blue OR the world is flat"
is TRUE and "the sky is blue OR security is a process" is
TRUE.)

XOR (Exclusive OR): The output is TRUE if exactly one of

the input is TRUE, otherwise FALSE. (E.g., "the sky is blue
XOR the world is flat" is TRUE while "the sky is blue XOR
security is a process" is FALSE.)

XOR 0 1

0 0 1

1 1 0

In an XOR operation, the output will be a 1 if one input is 1;

otherwise, the output is 0. The real significance of this is to look at the
"identity properties" of XOR. In particular, any value XORed with itself is 0
and any value XORed with 0 is just itself.

The modulo Function

The modulo function is the remainder function. It is commonly

used in programming and is critical to the operation of any mathematical
function using digital computers.
 79

To calculate X modulo Y (usually written X mod Y), it is necessary

to determine the remainder after removing all multiples of Y from X. Clearly,
the value X mod Y will be in the range from 0 to Y-1.Modulo arithmetic is
useful in crypto because it allows us to set the size of an operation and be sure
that we will never get numbers that are too large.

3.5 DESCRIPTION OF SYMMETRIC AND ASYMMETRIC

ENCRYPTION

3.5.1 Symmetric Encryption

Symmetric encryption is the oldest and best-known technique. A

secret key, which can be a number, a word, or just a string of random letters,
is applied to the text of a message to change the content in a particular way.
This might be as simple as shifting each letter by a number of places in the
alphabet. As long as both sender and recipient know the secret key, they can
encrypt and decrypt all messages that use this key.

3.5.2 Asymmetric Encryption

The problem with secret keys is exchanging them over the Internet
or a large network while preventing them from falling into the wrong hands.
Anyone who knows the secret key can decrypt the message. One answer is
asymmetric encryption, in which there are two related keys as a key pair. A
public key is made freely available to anyone who might want to send you a
message. A private key is kept secret, so that only you know it. Any message
(text, binary files, or documents) that are encrypted by using the public key
can only be decrypted by applying the same algorithm, but by using the
 80

matching private key. Any message that is encrypted by using the private key
can only be decrypted by using the matching public key.

This means that there is no worry about passing public keys over
the Internet (the keys are supposed to be public). A problem with asymmetric
encryption, however, is that it is slower than symmetric encryption. It requires
far more processing power to both encrypt and decrypt the content of the
message.

S-DES

The S-DES encryption algorithm takes an 8-bit block of plaintext

(example: 10111101) and a 10-bit key as input and produces an 8-bit block of
ciphertext as output. The S-DES decryption algorithm takes an 8-bit block of
ciphertext and the same 10-bit key used to produce that ciphertext as input
and produces the original 8-bit block of plaintext.

The encryption algorithm involves five functions: an initial

permutation (IP), a complex function labeled fK, which involves both
permutation and substitution operations and depends on, a key input; a simple
permutation function that switches (SW) the two halves of the data; the
function fK again; and finally a permutation function that is the inverse of the
initial permutation (IP-1).

The function fK takes as input not only the data passing through the
encryption algorithm, but also an 8-bit key. The algorithm could have been
designed to work with a 16-bit key, consisting of two 8-bit subkeys, one used
for each occurrence of fK. Alternatively, a single 8-bit key could have been
used, with the same key used twice in the algorithm.
 81

In this case, the key is first subjected to a permutation (P10). Then a

shift operation is performed. The output of the shift operation then passes
through a permutation function that produces an 8-bit output (P8) for the first
sub key (K1). The output of the shift operation is fed into another shift and
another instance of P8 to produce the second sub key (K2). The encryption
algorithm is as a composition composition1 of functions,

IP-1o fK2oSW o fK1oIP

which can also be written as:

ciphertext = IP(fk2(SW(fk1(IP(plaintext)))))

where K1 = P8( Shift (P10 (key)))

K2 = P8( Shift ( Shift (P10 (key))))

S-DES depends on the use of a 10-bit key shared between sender

and receiver. From this key, two 8-bit subkeys are produced for use in
particular stages of the encryption and decryption algorithm.

First, the key is permuted in the following fashion. Let the 10-bit
key be designated as (k1, k2,k3, k4, k5, k6, k7, k8, k9, k10 10). Then the
permutation P10 is defined as:

P10( k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10,
k1, k9, k8, k6) P10 can be concisely defined by the display:

Table 3.1 P10 permutation

Input K1 K2 K3 K4 K5 K10
Output K3 K5 K2 K7 K4 K10
 82

This Table 3.1 is read from left to right; each position in the table
gives the identity of the input bit that produces the output bit in that position.

So the first output bit is bit 3 of the input; the second output bit is
bit 5 of the input, and so on. For example, the key (1010000010) is permuted
to (1000001100). Next, perform a circular left shift (LS-1), or rotation,
separately on the first five bits and the second five bits. In our example, the
result is (00001 11000). Next we apply P8, which picks out and permutes 8 of
the 10 bits according to the following rule:

P8

6 3 7 4 8 5 10 9

The result is subkey 1 ( K1). In this example, it yields (10100100).

Go back to the pair of 5-bit strings produced by the two LS-1 functions and
perform a circular left shift of 2 bit positions on each string.

In this example, the value (00001 11000) becomes (00100 00011).

Finally, P8 is applied again to produce K2. The result is (01000011).

S-DES Encryption

Initial and Final Permutations

The input to the algorithm is an 8-bit block of plaintext, which is

permuted using the IP function:

IP

26314857
 83

This retains all 8 bits of the plaintext but mixes them up. At the end
of the algorithm, the inverse permutation is used.

1
IP

41357286

It is easy to show by example that the second permutation is indeed

the reverse of the first; that is, IP 1(IP (X)) = X.

The Function fK

The most complex component of S-DES is the function fK, which

consists of a combination of permutation and substitution functions. The
functions can be expressed as follows. Let L and R be the leftmost 4 bits and
rightmost 4 bits of the 8-bit input to f K, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings. Then we let fK(L, R)
= ( ) L ! F( R, SK SK), ), R)

where SK is a subkey and ! is the bit-by-bit exclusive-OR function.

For example, suppose the output of the IP stage is (10111101) and

F(1101, SK SK) = (1110) for some key SK SK.

Then f K(10111101) = (01011101) because (1011) (! (1110) =

(0101).

In the mapping of function F. The input is a 4-bit number

(n1,n2,n3,n4). The first operation is an expansion/permutation operation:

E/P
41232341
 84

For what follows, it is clearer to depict the result in this fashion:

n4 n1 n2 n3

n2 n3 n4 n1

The 8-bit subkey K1 = ( k11 11, k12 12, k13 13, k14 14, k15 15,
k16 16, k17 17, k18 18) is added to this value using exclusive- OR:

n4 ! k11 n1 ! k12 n2 ! k13 n3 ! k14

n2 ! k15 n3 ! k16 n4 ! k17 n1 ! k18

Let us renaming these 8 bits:

p0,0 p0,1 p0,2 p0,3

p1,0 p1,1 p1,2 p1,3

The first 4 bits (first row of the preceding matrix) are fed into the S-
box S0 to produce a 2-bit output, and the remaining 4 bits (second row) are fed
into S1 to produce another 2-bit output. The S-boxes operate as follows. The first
and fourth input bits are treated as a 2-bit number that specify a row of the S-box,
and the second and third input bits specify a column of the S- box.

The entry in that row and column, in base 2, is the 2-bit output. For
example, if ( box. p0,0 p0,3 0,3) = (00) and ( p0,1 p0,2 0,2) = (10), then the
output is from row 0, column 2 of S0, which is 3, or (11) in binary. Similarly,
( p1,0 p1,3 1,3) and ( p1,1 p1,2 1,2) are used to index into a row and column
of S1 to produce an additional 2 bits. Next, the 4 bits produced by S0 and S1
undergo a further permutation as follows:

P4

2431
 85

The output of P4 is the output of the function F.

3.5.3 Switch Function

The function fK only alters the leftmost 4 bits of the input. The
switch function (SW) interchanges the left and right 4 bits so that the second
instance of fK operates on a different 4 bits. In this second instance, the E/P,
S0, S1, and P4 functions are the same. The key input is K2.

Five Functions to Encrypt

IP an initial permutation

fK - a complex, 2-input function

SW a simple permutation that swaps the two nybles

fK - a complex, 2-input function; again

IP inverse permutation of the initial permutation

Switch function consists of two different functions. Encryption at

the source side and decryption at the destination side. Encryption process
takes 8 bit plaintext as an input and undergoes initial permutation (IP) on
those 8 bits. The resultant permuted 8 bits then becomes the input to function
fK which is a complex two input function . The function fK is provided with
another input the key K1. The resultant of the function fK, becomes the input
to the function SW, the simple permutation that swaps the two nybles.

The output from the simple permutation is then given as an input to

the function fK, which now functions with the help of different key called K2.
 86

The resulting 8 bit of the function fK is then given as an input to the inverse
permutation IP-1, which is the inverse of the initial permutation IP.

The resulting 8 bit of the inverse initial permutation is the 8 bit

ciphertext. The decryption process is the inverse of the encryption process
which results in the 8 bit plain text. The diagrammatic representation of the
same is shown in the Figure 3.10.

Encryption Decryption
P10

8-Bit plaintext 8-Bit plaintext

SHIFT
IP IP-1
K1 P8 K1
fK fK

SHIFT
SW SW
K2 K2
P8
fK fK

IP-1 IP

8-Bit cipher text 8-Bit cipher text

Figure 3.10 Switch function

3.5.4 Encryption function

The 8 bit plain text is permuted using the initial permutation and
the output is fed into the function fK. The function fK divides the 8 bit
plaintext into two 4 bits. The right most 4 bits of the initial permuted output is
permuted again using expansion permutation E/P so that, it results in an 8 bit.
 87

The resulting 8 bits are EX-ORed with the 8 bit key input K1. The output of
the EX-OR gate 1 is then divided into the right most 4 and left most 4 bits.
Each 4 bit is given as an input to two different substitution boxes S0 and S1.
The output of the substitution boxes are permuted using P4 permutation. The
resulting 4 bit of the P4 permutation is then EX-ORed with the left most 4 bits
of the output of initial permutation using EX-OR gate 2.

IP

E/P

+ K1

S0 S1

P4

+ E/P

+ K2

S0 K2 S1

P4

IP -1

Figure 3.11 Encryption Details

 88

The 4 bit output of EX-OR gate 2 and the right most 4 bit of the
initial permutation are given as an input to the SW function. The SW function
is the simple permutation that swaps the rightmost 4 bit with the liftmost 4 bit.
The rightmost 4 bit of the SW function is then expanded to 8 bit using the
expansion permutation E/P. The Expanded 8 bit is then EX-OR ed with the
key input K2. The output of the EX-OR gate 3, 8 bit is divided into two
halves and are given as input to two different substitution boxes S0 and S1.

The output of the substitution boxes are then permuted using P4

expansion permutation. The resulting 4 bits are then EX-ORed with the
leftmost 4 bits of the SW function. The output of the EX-OR gate 4 is then
concatenated with the rightmost 4 bit of the SW function and the inverse
permutation of the initial permutation is performed on the 8 bit, which results
in the 8 bit ciphertext. The diagrammatic representation is shown in the
Figure 3.11.

Initial permutation

The initial permutation accepts 8 bit as input and produces an 8 bit

output. Each bit of the input is internally mapped to a different bit position of
the output. For example bit 0 of the input is mapped to bit 3 at the output. The
diagrammatic representation of the same is shown in the Figure 3.12.

k1 k2 k3 k4 k5 k6 k7 k8

k2 k6 k3 k1 k4 k8 k5 k7

Figure 3.12 Initial permutation (IP)

 89

Expansion/Permutation (E/P)

Expansion permutation is capable of accepting less number of

inputs and producing more number of outputs then the input taken. In 4 to 8
bit expansion permutation, 4 bit is given input to the permutation function.
The permutation function then expands the input by mapping a single input to
two or more output bits .In 4 to 8 bit expansion permutation, a single bit input
is mapped to two bits in the output, hence producing 8 bits as output. The
diagrammatic representation of the same is shown in the Figure 3.13.

Exp

k1 k2 k3 k4

k4 k1 k2 k3 k2 k3 k4 k1

Figure 3.13 Expansion/Permutation (E/P)

3.5.5 Key Generation function

Encryption process of the switch function requires two keys K1 and

K2. The key K1is generated and by processing key K1, K2 is generated.
Initially 10 bits are chosen and it is permuted using P10 permutation. The
resulting 10 bits of the initial P10 permutation is divided into two halves each
of 5 bit. The right 5 bit and left 5 bit are separately given to two different
shift (LS-1) functions for shifting the bits to the left. The resulting 10 bits
 90

from the shift function are given as an input to the P8 permutation. The P8
permutation accepts 10 bits as input and produces 8 bit as output. The
resulting 8 bit is taken as the key K1. The 5 bit output from the two shift
function (LS-1) is given as input to two different shift function (LS-2). The
resulting 10 bits from the two different (LS 2) functions are given as input to
P8 permutation. The P8 permutation function accepts 10 bits as input and
produces 8 bits as output. The 8 bit output from the P8 permutation function
is taken as the key input K2. The diagrammatic representation of the same is
shown in the Figure 3.14.

10

P10

5 5

LS-1 LS-1

5 5

P8
8
K1

LS-2 LS-2

5 5

P8

8
K2

Figure 3.14 Key Generation

 91

P10 Permutation

This permutation accepts 10 bit input and produces 10 bit output

and hence it is called P10 permutation function. Each bit in the input
corresponds to a different bit mapping at the output, so that; it produces a
different pattern of the output that varies from the input. The diagrammatic
representation of the same is shown in the Figure 3.15.

k1 k2 k3 k4 k5 k6 k7 k8 k9 k10

k3 k5 k2 k7 k4 k10 k1 k9 k8 k6

Figure 3.15 P10 Permutation

P8 Permutation

The permutation function accepts 10 bits as an input and produces

an 8 bit output and hence it is called 10 to 8 bit permutation. In this
permutation, selective 8 bit of the input is mapped to eight different pattern of
bits at the output and two bits from the input remain halted. Each single bit of
the input is mapped to exactly only one bit at the output. The diagrammatic
representation of the same is shown in the Figure 3.16.
 92

Permutate 10 into 8

k1 k2 k3 k4 k5 k6 k7 k8 k9 k10

k6 k3 k7 k4 k8 k5 k10 k9

Figure 3.16 P8 Permutation

Left shift (LS-1) function

In the left shift (LS-1) function, 5 bits are accepted as input. Each
bit in the input pattern is shifted one bit to its left. The leftmost bit is then
shifted towards the rightmost position. Hence the output bit pattern differs
entirely from the input bit pattern. The diagrammatic representation of the
same is shown in the Figure 3.17.

Left circular shift 1 each 5 bit group

k3 k5 k2 k7 k4 k10 k1 k9 k8 k6

k5 k2 k7 k4 k3 k1 k9 k8 k6 k10

Figure 3.17 Left shift (LS-1) function

 93

Left shift (LS-2) function

The left shift (LS-2) function also shifts the input bits to the left
where the leftmost two bit are shifted to the rightmost bit position at the
output. The leftmost bit occupies the second right position and the second left
bit occupies the rightmost bit position. The output of the shift operation
differs entirely from the input bit. The diagrammatic representation of the
same is shown in the Figure 3.18.

Left circular shift 2 each 5 bit group

k3 k5 k2 k7 k4 k10 k1 k9 k8 k6

k2 k7 k4 k3 k5 k9 k8 k6 k10 k1

Figure 3.18 Left shift (LS-2) function

Substitution Boxes

S0 S1

1 0 3 2 0 1 2 3
3 2 1 0 2 0 1 3
0 2 1 3 3 0 1 0
3 1 3 2 2 1 0 3

Figure 3.19 Substitution Boxes

 94

3.5.6 Trapdoor Function

RSA

The algorithm was publicly described in 1978 by Ron Rivest, Adi

Shamir, and Leonard Adleman at MIT. The letters RSA are the initials of
their surnames, listed in the same order. The RSA algorithm involves three
steps: key generation, encryption and decryption.

Key generation

RSA involves a public key and a private key. The public key can be
known to everyone and is used for encrypting messages. Messages encrypted
with the public key can only be decrypted using the private key. The keys for
the RSA algorithm are generated the following way:

Choose two distinct prime numbers p and q.

For security purposes, the integers p and q should be chosen

uniformly at random and should be of similar bit-length. Prime integers can
be efficiently found using a Primality test.

Compute n = pq.

n is used as the modulus for both the public and private keys

Compute the totient. Choose an integer e such that, and e and

share no divisors other than 1 (i.e. e and are coprime). e is released as the
public key exponent.
 95

Choosing e having a short addition chain results in more efficient

encryption. Small public exponents (such as e=3) could potentially lead to
greater security risks. Determine d (using modular arithmetic) which
satisfies the congruence relation. Stated differently, ( ) can be evenly
divided by the totient

This is often computed using the Extended Euclidean Algorithm.

d is kept as the private key exponent.The public key consists of

the modulus n and the public (or encryption) exponent e . The private key
consists of the modulus n and the private (or decryption) exponent d which
must be kept secret.

Encryption

A transmits its public key (n,e) to B and keeps the private key
secret. B then wishes to send message M to A. A first turns M into an integer
0 < m < n by using an agreed-upon reversible protocol known as a padding
scheme. it then computes the cipher corresponding to the message.
This can be done quickly using the method of exponentiation by squaring. B
then transmits to A.

Decryption

A can recover m from by using its private key exponent d by

the following computation:

Given m , she can recover the original message M by reversing the

padding scheme. The above decryption procedure works because now, since
 96

the last congruence directly follows from Euler's theorem when m is

relatively prime to n . By using the Chinese remainder theorem it can be
shown that the equations hold for all m .

This shows that the original message can be retrieved back:

Here is an example of RSA encryption and decryption.

Choose two prime numbers

p = 61 and q = 53

Compute n = pq

Compute the quotient

Choose e > 1 coprime to 3120

e = 17

Compute d such that e.g., by computing the modular

multiplicative inverse of e modulo :

d = 2753

since 17 · 2753 = 46801 and mod (46801,3120) = 1 this is the

correct answer.

The public key is (n = 3233, e = 17).

The private key is (n = 3233, d = 2753).

For example, to encrypt m = 123,

To decrypt c = 855
 97

Secure Hash Algorithm (SHA)

On iteration within the SHA-1 compression function, A, B, C, D

and E are 32-bit words of the state; F is a nonlinear function that varies; N
denotes a left bit rotation by n n varies for each operation. Wt is the
expanded message word of round t, Kt is the round constant of round t,
denotes addition modulo 232.

The original specification of the algorithm was Secure Hash

Standard, FIPS PUB 180, by US government standards agency NIST
(National Institute of Standards and Technology). This is now referred to as
SHA-0. It was withdrawn by NSA shortly after publication and was
superseded by the revised version, published in 1995 in FIPS PUB 180-1 and
commonly referred to as SHA-1. SHA-1 differs from SHA-0 only by a single
bitwise rotation in the message schedule of its compression function; this is
done, according to NSA, to correct a flaw in the original algorithm which
reduced its cryptographic security. However, NSA did not provide any further
explanation or identify the flaw that is corrected. Weaknesses have
subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to

change increased the security.

SHA-1 (as well as SHA-0) produces a 160-bit digest from a

message with a maximum length of (264 -1 is based on
principles similar to those used by Ronald L. Rivest of MIT in the design of
the MD4 and MD5 message digest algorithms, but has a more conservative
design.
 98

SHA1 Features:

The SHA1 is used to compute a message digest for a message

or data file that is provided as input.

The message or data file should be considered to be a bit

string.

The length of the message is the number of bits in the message

(the empty message has length 0).

If the number of bits in a message is a multiple of 8, for

compactness we can represent the message in hex.

The purpose of message padding is to make the total length of

a padded message a multiple of 512.

The SHA1 sequentially processes blocks of 512 bits when

computing the message digest.

As a summary, a "1" followed by m "0"s followed by a 64-bit

integer are appended to the end of the message to produce a
padded message of length 512 * n.

The 64-bit integer is l, the length of the original message.

The padded message is then processed by the SHA1 as n 512-

bit blocks.