Cryptography and Network Security


Introduction to Cryptography and Network Security

Dr. Bimal Kumar Meher
Associate Professor, Dept. of CSE
Silicon Institute of Technology
What is Information Security?
• Information security (InfoSec) is the practice of defending information from
  • unauthorized access,
  • disclosure,
  • disruption,
  • modification,
  • inspection,
  • recording,
  • destruction.
Who needs Information Security?
• Government,
• Military,
• Corporations,
• Financial institutions,
• Hospitals,
• Private businesses.
• They all have a great deal of confidential information about their employees,
  customers, products, research and financial status.
Books for this Course
• Text Books:
  • Cryptography and Network Security: Principles and Practice, William Stallings, PHI.
  • Network Security, Charlie Kaufman, Radia Perlman, Mike Speciner, PHI.
• Reference Book:
  • Cryptography and Network Security, B. A. Forouzan & D. Mukhopadhyay, McGraw Hill
    Special Indian Edition.
Introduction
• Security goals or attributes, called the CIA triad
• Three aspects of security:
  • Security attacks
  • Security services
  • Security mechanisms
• To introduce two techniques, cryptography and steganography, that implement
  security mechanisms
CIA Triad
Figure: the CIA triad (Confidentiality, Integrity, Availability)
Confidentiality
• Confidentiality is maintaining the secrecy of information from any unintended or
  unauthorized person or process.
• It is probably the most common aspect of information security.
Figure: Sender sends the message "Now my Acc. Balance 2Lac." to Receiver while Eve,
an eavesdropper, reads it.
Integrity
• Information needs to be changed whenever there is a need.
• Integrity means that changes are made only by authorized entities and through
  authorized mechanisms.
Figure: Sender sends "I am fine"; Eve, an attacker, alters it so that Receiver gets
"I am not fine".
Availability
• The information created and stored by an organization needs to be available to
  authorized entities only.
• It is the most essential attribute for critical information that is stored
  remotely.
Figure: Sender, Receiver and Eve (attacker); message "I need your help urgently".
Three Aspects of Security
• Security attacks: any action that compromises the security of data owned by an
  organisation.
• Security services: services that ensure the security of the data and its transfer
  by using some of the security mechanisms.
• Security mechanisms: processes that are designed to detect, prevent, or recover
  from a security attack.
Security Attacks
The three goals of security (confidentiality, integrity, and availability) can be
threatened by security attacks:
1. Attacks on confidentiality
2. Attacks on integrity
3. Attacks on availability
All these attacks can be broadly classified as either active or passive attacks.
Figure: Taxonomy of attacks with relation to security goals
Attacks on Confidentiality
Snooping refers to unauthorized access to or interception of data.
Traffic analysis refers to obtaining some specific type of information by monitoring
online traffic.
Attacks on Integrity
Modification means that the attacker intercepts the message and changes it.
Masquerading or spoofing happens when the attacker impersonates somebody else.
Replaying means that the attacker obtains a copy of a message sent by a user and later
tries to replay it.
Repudiation means that the sender of a message might later deny having sent it, or the
receiver of the message might later deny having received it.
Attacks on Availability
Denial of service (DoS) is a very powerful attack which may slow down or totally
interrupt the service of a system.
An attacker in DoS typically floods the targeted machine (server) with so many
superfluous requests that the machine remains busy servicing them; as a result,
legitimate requests from other systems are prevented from being serviced.
DDoS: a more sophisticated attack using many attack sources.
Figure: Example of a DoS attack (source: Cloudflare Inc., US)
Active vs Passive Attacks
• An active attack may change the data or harm the system.
• A passive attack does not change the data or harm the system, but obtains the
  information.
• So it harms the sender and receiver of the message.
Figure: Active vs passive attacks (Eve in each case)
Active vs Passive Attacks (contd…)
Which one is difficult to detect?
Security Services
Figure: the security services are
• Peer-entity authentication
• Data origin authentication
• Access control
• Confidentiality
• Data integrity
• Nonrepudiation
• Availability
Security Mechanism
Relation between Services and Mechanisms
The mechanisms are: encipherment, digital signature, access control, data integrity,
authentication exchange, traffic padding, routing control and notarization.

Service                    | Mechanisms used
---------------------------|----------------------------------------------------------
Peer-entity authentication | Encipherment, Digital signature, Authentication exchange
Data origin authentication | Encipherment, Digital signature
Access control             | Access control
Confidentiality            | Encipherment, Routing control
Data integrity             | Encipherment, Digital signature, Data integrity
Nonrepudiation             | Digital signature, Data integrity, Notarization
Availability               | Data integrity, Authentication exchange
• Mechanisms discussed in the previous
sections are only theoretical recipes to
implement security.
• The actual implementation of security goals
needs some techniques.
• Two techniques mostly used: Cryptography
and Steganography.
Cryptography
• Cryptography, a word of Greek origin, means "secret writing".
• Now the term is used for the science and art of transforming messages to make them
  secure and immune to attacks.
Cryptography (contd…)
• Although cryptography earlier referred only to encryption/decryption, it is now
  defined as three distinct mechanisms:
  • Symmetric-key encipherment
  • Asymmetric-key encipherment
  • Hashing
Symmetric Key Encipherment
• Also called symmetric-key cryptography or secret-key cryptography.
• The sender of the message uses some predefined algorithm and a shared secret key for
  encryption.
• The receiver uses the same shared secret key for decryption.
• It is as if Alice puts the message in a box and locks the box with a key whose
  duplicate is held by Bob, who can open the box and take the message out.
• Example: Decrypt: uknkeqp, qgjgaml
Asymmetric Key Encipherment
• Also called public-key encipherment or public-key cryptography.
• Unlike symmetric, it uses two keys, named the public key and the private key.
• To send a message to Bob, Alice first encrypts the message using Bob's public key.
• To decrypt the message, Bob uses his own private key.
• The algorithm used here is more complex than the previous one.
Hashing
• It is a process by which a fixed-length message digest is created out of a
  variable-length message.
• The digest is much smaller than the message to be sent.
• This is essential in
  • Data integrity
  • Digital signature
  • Authentication
Steganography
The word steganography, with origin in Greek, means "covered writing", in contrast
with cryptography, which means "secret writing".
Text Cover: Covering data with text
Assumption: single space => bit 0, double space => bit 1.
What is the secret data?
Text Cover Example: Dictionary of words
It can be used to cover secret data.
Let us have a dictionary with 2 articles, 16 verbs, 32 nouns.
We agree on the pattern article-noun-verb-article-noun.
Secret data: HI
Then divide the secret binary data into 16-bit chunks and represent each by the above
pattern.
What is the possible text cover and secret data?
Image Cover: Color image
Secret data can be covered under a color image.
Each pixel uses 3 bytes (24 bits), which represent R, G and B respectively.
In the LSB method, the LSB is set to 0 for each byte.
To hide a character, we change the LSB to 1 in the appropriate bytes.
Figure: Pixel 1, Pixel 2, Pixel 3 (three pixels, 9 bytes)
What is the secret data? 1001101 = M
Another Example
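The following is an added example, not part of the original slides, that carries out both covers described above in Python: hiding bits in the word spacing of a cover text (single space for 0, double space for 1) and hiding a character in the least significant bits of pixel bytes. The cover sentence, the pixel values and all function names are constructed for this example; the hidden character is the slides' own "M" (1001101).

```python
# Added example (not from the slides): the two steganography covers above.
# Part 1 hides bits in the spacing between words of a cover text (single space =
# bit 0, double space = bit 1). Part 2 hides one ASCII character in the least
# significant bits of consecutive pixel bytes (LSB method). The cover sentence
# and the pixel values are constructed for this example.

def to_bits(ch, width=7):
    """ASCII code of one character as a list of bits, most significant first."""
    return [(ord(ch) >> i) & 1 for i in range(width - 1, -1, -1)]

def from_bits(bits):
    """Inverse of to_bits."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return chr(value)

# --- Part 1: text cover using inter-word spacing ---------------------------

def hide_in_spaces(cover_words, bits):
    """Join the cover words with one space for bit 0 and two spaces for bit 1."""
    if len(bits) > len(cover_words) - 1:
        raise ValueError("cover text has too few word gaps for the secret")
    out = cover_words[0]
    for i, word in enumerate(cover_words[1:]):
        gap = "  " if i < len(bits) and bits[i] == 1 else " "
        out += gap + word
    return out

def reveal_from_spaces(stego_text, nbits):
    """Read the first nbits word gaps back as bits."""
    bits = []
    i = 0
    while i < len(stego_text) and len(bits) < nbits:
        if stego_text[i] == " ":
            if i + 1 < len(stego_text) and stego_text[i + 1] == " ":
                bits.append(1)      # double space => bit 1
                i += 2
            else:
                bits.append(0)      # single space => bit 0
                i += 1
        else:
            i += 1
    return bits

# --- Part 2: image cover using the LSB of each colour byte ------------------

def hide_in_lsb(pixel_bytes, bits):
    """Set the LSB of every byte to 0, then to 1 where the secret bit is 1."""
    if len(bits) > len(pixel_bytes):
        raise ValueError("not enough bytes to hold the secret")
    out = bytearray(b & 0xFE for b in pixel_bytes)   # LSB cleared for each byte
    for i, bit in enumerate(bits):
        out[i] |= bit                                # LSB set in the appropriate byte
    return bytes(out)

def reveal_from_lsb(stego_bytes, nbits):
    """Collect the LSB of the first nbits bytes."""
    return [b & 1 for b in stego_bytes[:nbits]]

# Constructed inputs: a 9-word cover sentence (8 gaps) and three RGB pixels (9 bytes).
COVER_WORDS = "the quick brown fox jumps over the lazy dog".split()
COVER_PIXELS = bytes([200, 17, 54, 91, 230, 8, 127, 33, 66])

def demo(secret="M"):
    """Hide one character both ways and recover it; 'M' is 1001101 in ASCII."""
    bits = to_bits(secret)
    stego_text = hide_in_spaces(COVER_WORDS, bits)
    stego_pixels = hide_in_lsb(COVER_PIXELS, bits)
    return {
        "bits": "".join(map(str, bits)),
        "from_text": from_bits(reveal_from_spaces(stego_text, len(bits))),
        "from_image": from_bits(reveal_from_lsb(stego_pixels, len(bits))),
        # the LSB change alters each colour value by at most 1: invisible to the eye
        "max_pixel_change": max(abs(a - b) for a, b in zip(COVER_PIXELS, stego_pixels)),
    }

if __name__ == "__main__":
    print(demo())
```

Both covers are fragile by design: re-flowing the text (collapsing double spaces) or re-encoding the image (lossy compression touches the low bits) destroys the hidden data, which is why detection of such covers usually looks for exactly those statistical oddities.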
Mathematics of Cryptography-I

Dr. Bimal Kumar Meher
Associate Professor, Dept. of CSE
Silicon Institute of Technology
Objective
• Euclidean algorithm
• Extended Euclidean algorithm (EEA)
• Modular arithmetic
• Matrix and residue matrix
Set of Integers and Integer Division
In integer arithmetic, if we divide a by n, we get q and r.
Answer the following question:
−255 = (−23 × 11) + (−2)
Divisibility
If a is not zero and we let r = 0 in the division relation, we get
a = q × n
If the remainder is zero, n | a.
If the remainder is not zero, n ∤ a.
Example: Divisibility
a. The integer 5 divides the integer 30 because 30 = 6 × 5. So, we can write 5 | 30.
b. The number 8 ∤ 42 because 42 = 5 × 8 + 2 has a remainder of 2.
Properties: Divisibility
Property 1: if a|1, then a = ±1.
Property 2: if a|b and b|a, then a = ±b.
Property 3: if a|b and b|c, then a|c.
Property 4: if a|b and a|c, then a|(m × b + n × c), where m and n are arbitrary
integers.
Example
Answer the following:
a. Given 3|15 and 15|45, can we say 3|45?
b. Given 3|15 and 3|9, can we say 3|66?
   m = 2, n = 4: m × b + n × c = 2 × 15 + 4 × 9 = 66
Divisibility
Fact 1: The integer 1 has only one divisor, itself.
Fact 2: Any positive integer has at least two divisors, 1 and itself (but it can have
more).
Figure: Common divisors of two integers
Greatest Common Divisor (GCD)
The greatest common divisor of two positive integers is the largest integer that can
divide both integers.
Euclidean Algorithm
Fact 1: gcd(a, 0) = a
Fact 2: gcd(a, b) = gcd(b, r), where r is the remainder of dividing a by b
Example: a = 60, b = 25
gcd(60, 25) = gcd(25, 10) = gcd(10, 5) = gcd(5, 0) = 5 (by Fact 1)
Figure: Finding gcd(a, b) by using the Euclidean algorithm
Relatively Prime or Coprime
Note
When gcd(a, b) = 1, we say that a and b are relatively prime.
Examples:
gcd(13, 5) = 1 => 13 and 5 are relatively prime
gcd(12, 5) = 1 => 12 and 5 are relatively prime
gcd(10, 2) = 2
gcd(9, 3) = 3
gcd(9, 5) = 1 => 9 and 5 are relatively prime
Finding GCD by using the Euclidean Algorithm
Example
Find the greatest common divisor of 25 and 60.
Solution:
We have gcd(25, 60) = 5.
GCD
Do by yourself
Extended Euclidean Algorithm (EEA)
Problem: Given two integers a and b, find two other integers, s and t, such that
s × a + t × b = gcd(a, b).
• This equation is also called Bezout's identity or Bezout's lemma.
• s and t are called Bezout's coefficients for (a, b).
Figure: Process of the Extended Euclidean Algorithm (EEA)
Solving Problems by using EEA
Example
Given a = 161 and b = 28, find gcd(a, b) and the values of s and t of Bezout's identity
(s × a + t × b = gcd(a, b)).
Solution
We get gcd(161, 28) = 7, s = −1 and t = 6.
Example
Given a = 17 and b = 0, find gcd(a, b) and the values of s and t of Bezout's identity
(s × a + t × b = gcd(a, b)).
Solution
We get gcd(17, 0) = 17, s = 1, and t = 0.
Modulo Operator
• If a is an integer and n is a positive integer, we define r as the remainder
  (residue) such that r = a mod n.
• So, we can write a = q × n + r.
• The integer n is called the modulus.
Examples: Modulo operation
Find the result of the following operations:
a. 27 mod 5      b. 36 mod 12
c. −18 mod 14    d. −7 mod 10
Solution:
a. Dividing 27 by 5 results in r = 2.
b. Dividing 36 by 12 results in r = 0.
c. Dividing −18 by 14 results in r = −4. After adding the modulus, r = 10.
d. Dividing −7 by 10 results in r = −7. After adding the modulus to −7, r = 3.
Congruence
• Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n).
• This is written with the help of the congruence operator (≡), i.e. a ≡ b (mod n).
Examples:
Can we say 12 ≡ 23 (mod 8)?
14 ≡ 36 (mod 7)?
Properties of Congruence
1. a ≡ b (mod n) if n | (a − b)
2. a ≡ b (mod n) implies b ≡ a (mod n)
3. a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)
Example (Property 3):
• 2 ≡ 12 (mod 10) and 12 ≡ 22 (mod 10), then 2 ≡ 22 (mod 10)
Figure: Concept of the congruence relationship
The set Zn
• The (mod n) operator maps all integers into the set of integers {0, 1, 2, …, (n−1)}.
• This is also called the set of least residues modulo n, or Zn.
• What are the elements of the sets Z2, Z5, Z10?
Z2 = {0, 1}
Z5 = {0, 1, 2, 3, 4}
Z10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
Example: Modulo operator
Can you give an example of the modulo operator used in our daily life?
• We use a clock to measure time.
• Our clock system uses modulo 12 arithmetic.
• However, instead of a 0 we use the number 12.
Residue Classes
• Note that each integer in Zn is a nonnegative integer.
• Each integer in Zn is a residue class.
• A residue class [r] or [r]n is defined as:
  [r] = {a : a is an integer, a ≡ r (mod n)}
• Example: Take n = 5, and find the residue classes.
Operations on set Zn
• The three binary operations (+, −, ×) defined on the set Z can also be applied to
  the set Zn.
• The operations are done as usual, just like in the set Z, but if the result falls
  outside the numbers defined in Zn then it is converted to a number in Zn using the
  mod operator.
• This is called modular arithmetic.
Zn: Examples
Perform the following operations (the inputs come from Zn):
1. Add 7 to 14 in Z15.
2. Subtract 11 from 7 in Z13.
3. Multiply 11 by 7 in Z20.
Zn: Properties
Figure: Properties of the mod operator
Examples: Operations in Zn
• (1,723,345 + 2,124,945) mod 11 = (8 + 9) mod 11 = 6
• (1,723,345 − 2,124,945) mod 11 = (8 − 9) mod 11 = 10
• (1,723,345 × 2,124,945) mod 11 = (8 × 9) mod 11 = 6
More Examples: Operations in Zn
Compute the following:
10^12 mod 3 = 1
10^50 mod 7 = 3^50 mod 7 = 2
5^4 mod 7 = 2
3^(2×25) = (3^2)^25 = 9^25 mod 7 = (9 mod 7)^25 = 2^25 mod 7
2^25 (mod 7) = 2 × 2^24 mod 7 = 2 × (2^3)^8 mod 7 = 2 × (2^3 mod 7)^8 = 2 × 1^8 mod 7
= 2 × 1 = 2
Square and Multiply Technique
Example
• Note that the remainder of an integer divided by 3 is the same as the remainder of
  the sum of its decimal digits.
• We write an integer as the sum of its digits multiplied by the powers of 10.
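The following is an added example, not part of the original slides, that puts the three ideas of the last slides into code: reducing large operands before adding, subtracting or multiplying in Zn (the standard properties of the mod operator, which the examples with 1,723,345 and 2,124,945 apply), the square-and-multiply technique for x^e mod n, and the digit-sum shortcut for the remainder modulo 3. Function names are this example's own; the numbers are the slides' own.

```python
# Added example (not from the slides): mod-operator properties, the
# square-and-multiply technique for modular exponentiation, and the digit-sum
# test for the remainder modulo 3. Function names are this example's own.

def add_mod(a, b, n):
    """(a + b) mod n = ((a mod n) + (b mod n)) mod n."""
    return ((a % n) + (b % n)) % n

def sub_mod(a, b, n):
    """(a - b) mod n = ((a mod n) - (b mod n)) mod n; Python's % already lands in Zn."""
    return ((a % n) - (b % n)) % n

def mul_mod(a, b, n):
    """(a * b) mod n = ((a mod n) * (b mod n)) mod n."""
    return ((a % n) * (b % n)) % n

def square_and_multiply(x, e, n):
    """Compute x^e mod n by scanning the bits of e from the most significant down.
    Every bit squares the running result; a 1 bit also multiplies by x. Each
    intermediate value is reduced mod n, so numbers never grow beyond n^2."""
    if e < 0:
        raise ValueError("exponent must be non-negative")
    result = 1
    x %= n
    for bit in bin(e)[2:]:
        result = (result * result) % n
        if bit == "1":
            result = (result * x) % n
    return result

def digit_sum_mod3(value):
    """Remainder mod 3 from the decimal digit sum: every power of 10 is 1 mod 3,
    so an integer written as sum(d_i * 10^i) is congruent to sum(d_i) mod 3."""
    return sum(int(d) for d in str(abs(value))) % 3

def demo():
    """The slides' own numbers, all computed by the functions above."""
    return {
        "add": add_mod(1_723_345, 2_124_945, 11),   # (8 + 9) mod 11 = 6
        "sub": sub_mod(1_723_345, 2_124_945, 11),   # (8 - 9) mod 11 = 10
        "mul": mul_mod(1_723_345, 2_124_945, 11),   # (8 * 9) mod 11 = 6
        "10^12 mod 3": square_and_multiply(10, 12, 3),
        "10^50 mod 7": square_and_multiply(10, 50, 7),
        "5^4 mod 7": square_and_multiply(5, 4, 7),
        "2^25 mod 7": square_and_multiply(2, 25, 7),
        "1723345 mod 3 by digit sum": digit_sum_mod3(1_723_345),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value}")
```

The same square-and-multiply loop is what makes modular exponentiation with thousand-bit exponents feasible in public-key algorithms: the work is proportional to the number of bits of e, not to e itself. Python's built-in `pow(x, e, n)` implements the same idea and is used in the test as a cross-check.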
Inverse of a number in Zn
• In modular arithmetic, we often need to find the inverse of a number relative to an
  operation.
• It can be an additive inverse (relative to the addition operation (+)) or
• a multiplicative inverse (relative to the multiplication operation (×)).
Additive Inverse
In Zn, two numbers a and b are additive inverses of each other if
a + b ≡ 0 (mod n)
Note
• In modular arithmetic, each integer has an additive inverse.
• The sum of an integer and its additive inverse is congruent to 0 modulo n.
Examples

1. Find the additive inverse of 4 in Z7

Answer: 3
2. Find all additive inverse pairs in Z10.

Answer:
There are six pairs of additive inverses:
(0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5).
Multiplicative Inverse
In Zn, two numbers a and b are the multiplicative inverse of each other if
a × b ≡ 1 (mod n)
Note
• In modular arithmetic, an integer may or may not have a multiplicative inverse.
• When it has one, the product of the integer and its multiplicative inverse is
  congruent to 1 modulo n.
Examples
Example 1
Find the multiplicative inverse of 7 and 8 in Z10.
The multiplicative inverse of 7 is 3, but 8 has no multiplicative inverse.
Note: gcd can help us to quickly find out whether a given number has a multiplicative
inverse or not.
gcd(10, 7) = 1 => 7 has a multiplicative inverse modulo 10
gcd(10, 8) = 2 ≠ 1 => 8 has no multiplicative inverse modulo 10
Example 2
Find all multiplicative inverses in Z10.
There are only three pairs: (1, 1), (3, 7) and (9, 9). The numbers 0, 2, 4, 5, 6, and 8
do not have a multiplicative inverse.
Example 3
Find all multiplicative inverse pairs in Z11.
We have seven pairs:
(1, 1), (2, 6), (3, 4), (5, 9), (7, 8), (9, 9), and (10, 10).
How to find out the Multiplicative Inverse of a BIG Number?
Note
• The Extended Euclidean algorithm (EEA) finds the multiplicative inverse of b in Zn
  when n and b are given and gcd(n, b) = 1.
• The multiplicative inverse of b is the value of t after being mapped to Zn.
Figure: Using the Extended Euclidean algorithm to find the multiplicative inverse
Example
Find the multiplicative inverse of 11 in Z26.
The gcd(26, 11) is 1; the EEA gives t = −7, so the inverse of 11 is −7 mapped into Z26,
i.e. 19.
Example
Find the inverse of 12 in Z26.
The gcd(26, 12) is 2; the inverse does not exist.


Zn and Zn*
Note
• We need to use Zn when additive inverses are needed.
• We need to use Zn* when multiplicative inverses are needed.
Two More Sets
• Cryptography often uses two more sets: Zp and Zp*.
• The modulus in these two sets is a prime number.
What are the uses of Additive and Multiplicative inverses in Cryptography?
• When a sender uses a key for encryption, he may choose an integer from the set Zn
  or Zn* depending on the algorithm used.
• If he chooses from Zn, the receiver has to find the additive inverse of that
  integer to get the key for decryption.
• Similar logic applies to the multiplicative inverse in Zn*.
Matrices
• Matrices are widely used in cryptography.
• A matrix is a rectangular array of l × m elements.
Figure: Examples of matrices
Operations and Relations
Figure: Addition and subtraction
Figure: Multiplication of a row matrix by a column matrix
Figure: Multiplication of a 2 × 3 matrix by a 3 × 4 matrix
Figure: Scalar multiplication
Determinant
The determinant of a square matrix A of size m × m, denoted as det(A), is a scalar
calculated recursively.
Note
The determinant is defined only for a square matrix.
Figure: Calculating the determinant of a 2 × 2 matrix based on the determinant of a
1 × 1 matrix.
Example
Calculate the determinant of the 3 × 3 matrix given by:
| 5  2   1 |
| 3  0  −4 |
| 2  1   6 |
Inverse of a Square matrix
The inverse of a matrix A, denoted as A^−1, should satisfy the following relation:
A A^−1 = I,
where I is the identity matrix.
Note
Multiplicative inverses are only defined for square matrices.
Inverse (Continued)
For A = | a  b |,
        | c  d |
the inverse can be found by using the formula:
A^−1 = (1 / det(A)) | d  −b | = (1 / (ad − bc)) | d  −b |
                    | −c  a |                     | −c  a |
Residue Matrix and Inverse
• Cryptography uses residue matrices: matrices where all elements are in Zn.
• A residue matrix has a multiplicative inverse if gcd(det(A), n) = 1.
Example
Find the inverse of the matrix | 7  3 | mod 26.
                               | 1  2 |
The inverse of the given matrix is | 12  21 | mod 26.
                                   |  7   3 |
Traditional Symmetric-Key Ciphers
Dr. Bimal Kumar Meher
Associate Professor, Dept. of CSE
Silicon Institute of Technology
Figure: Symmetric key cipher model
Kerckhoffs' Principle
• Always assume that the adversary, Eve, knows the encryption/decryption algorithm.
• So, the resistance of the cipher must be based only on the secrecy of the key.
Cryptography vs Cryptanalysis
As cryptography is the science and art of creating secret codes, cryptanalysis is the
science and art of breaking the codes.
Cryptanalysis
Ciphertext-only attack (COA):
Here, the attacker is assumed to have access only to a set of ciphertexts, with no
knowledge of the plaintext. Ex. WEP
Known-plaintext attack (KPA):
Here, the attacker has a set of ciphertexts for which he knows the corresponding
plaintexts. Ex. Caesar cipher.
Chosen-plaintext attack (CPA):
Here, the attacker can obtain the ciphertexts for arbitrary plaintexts he chooses.
Ex. Enigma cipher, Caesar cipher
Chosen-ciphertext attack (CCA):
Here, the attacker can obtain the plaintexts corresponding to an arbitrary set of
ciphertexts he chooses. Ex. ElGamal
Substitution Ciphers
• It is an encryption technique which replaces/substitutes one symbol of the
  plaintext with another symbol.
• There are 3 types of substitution ciphers:
  • Additive cipher
  • Multiplicative cipher
  • Affine cipher
• We can also classify this technique as:
  • Monoalphabetic substitution cipher
  • Polyalphabetic substitution cipher
Monoalphabetic vs Polyalphabetic
Note
• In monoalphabetic substitution, the relationship between a symbol in the plaintext
  and a symbol in the ciphertext is always one-to-one.
• But in polyalphabetic substitution, that relationship is one-to-many.
Monoalphabetic vs Polyalphabetic Substitution
Example 1
The following shows a plaintext and its corresponding ciphertext. The cipher is
monoalphabetic because both l's are encrypted as O's.
Example 2
The following shows a plaintext and its corresponding ciphertext. The cipher is not
monoalphabetic because each l is encrypted by a different character.
ABNFZ
Additive Cipher
• The simplest substitution cipher is the additive cipher.
• This cipher is sometimes called a shift cipher or a Caesar cipher, but the term
  additive cipher better reveals its mathematical nature.
Table: Plaintext and ciphertext in Z26
Additive Cipher (Contd…)
Note
• When the cipher is additive, the plaintext, ciphertext, and key are integers in Z26.
Example
Use the additive cipher with key = 15 to encrypt the message "hello".
Solution
We apply the encryption algorithm to the plaintext, character by character:
Example
Use the additive cipher with key = 15 to decrypt the message "WTAAD".
Solution
We apply the decryption algorithm to the ciphertext, character by character, as
follows:
Brute-force attack or exhaustive key search
Try all possible keys of the domain to break the cipher.
Eve has intercepted the ciphertext "UVACLYFZLJBYL". Show how she can use a brute-force
attack.
Solution
Eve tries keys from 1 to 7, and gets a readable result at k = 7.
Statistical attack
Based on the inherent properties of the language of the plaintext.
Table: Frequency of occurrence of letters in English
Table: Digrams and trigrams
Statistical attack (Contd…)
Example
Eve has intercepted the following ciphertext. Using a statistical attack, find the
plaintext.
When Eve tabulates the frequency of letters in this ciphertext, she gets: I = 14,
V = 13, S = 12, and so on. The most common character is I with 14 occurrences. This
means key = 4.
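The following is an added example, not part of the original slides, that implements the additive cipher in Z26 and the two attacks on it just described: the exhaustive key search over all 26 keys (run on the slides' own ciphertext "UVACLYFZLJBYL", where key 7 yields the readable candidate) and the statistical attack that takes the most frequent ciphertext letter to be plaintext 'e'. The slides' own statistical-attack ciphertext is not reproduced in the text, so the English sample encrypted with key 4 below is constructed; all function names are this example's own.

```python
# Added example (not from the slides): additive cipher in Z26 with the
# brute-force and statistical attacks of the slides. The ciphertext
# "UVACLYFZLJBYL" is the slides' own; SAMPLE_PLAINTEXT is constructed.

from collections import Counter
import string

ALPHABET = string.ascii_lowercase

def additive_encrypt(plaintext, key):
    """C = (P + k) mod 26 per letter; non-letters are dropped, output is uppercase."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26]
                   for c in plaintext.lower() if c in ALPHABET).upper()

def additive_decrypt(ciphertext, key):
    """P = (C - k) mod 26 per letter; output is lowercase."""
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26]
                   for c in ciphertext.lower() if c in ALPHABET)

def brute_force(ciphertext):
    """Exhaustive key search: every key in Z26 with the candidate plaintext it gives.
    With only 26 keys the analyst simply reads the list for the meaningful one."""
    return {k: additive_decrypt(ciphertext, k) for k in range(26)}

def frequency_key_guess(ciphertext):
    """Statistical attack: the most frequent ciphertext letter is assumed to be the
    encryption of 'e', the most frequent letter of English, so key = (that - e)."""
    counts = Counter(c for c in ciphertext.lower() if c in ALPHABET)
    most_common, _ = counts.most_common(1)[0]
    return (ALPHABET.index(most_common) - ALPHABET.index("e")) % 26

# Constructed English sample in which 'e' is clearly the most frequent letter.
SAMPLE_PLAINTEXT = ("meet me at the entrance of the theatre near the "
                    "eleventh street exit before seven")

def demo():
    candidates = brute_force("UVACLYFZLJBYL")
    sample_ct = additive_encrypt(SAMPLE_PLAINTEXT, 4)   # key 4, as in the slides
    guessed = frequency_key_guess(sample_ct)
    return {
        "hello_k15": additive_encrypt("hello", 15),      # WTAAD
        "wtaad_k15": additive_decrypt("WTAAD", 15),      # hello
        "key7": candidates[7],
        "guessed_key": guessed,
        "recovered": additive_decrypt(sample_ct, guessed),
    }

if __name__ == "__main__":
    for k, cand in brute_force("UVACLYFZLJBYL").items():
        print(f"k = {k:2d}: {cand}")
    print(demo())
```

The statistical guess is only as good as the assumption behind it: on a short text where 'e' is not the most frequent letter the guess is wrong, which is why an analyst checks the candidate against the full frequency table rather than a single letter.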
Multiplicative Ciphers
Encryption: C = (P × k) mod 26
Decryption: P = (C × k^−1) mod 26
Note
• In a multiplicative cipher, the plaintext and ciphertext are integers in Z26.
• But the key is an integer in Z26*.
Multiplicative Ciphers (Contd…)
Example 1
What is the key domain for any multiplicative cipher?
The key needs to be in Z26*. This set has only 12 members: 1, 3, 5, 7, 9, 11, 15, 17,
19, 21, 23, 25.
Example 2
Use a multiplicative cipher to encrypt the message "hello" with a key of 7.
Affine Ciphers
• It is a combination of the additive and multiplicative ciphers with a pair of keys.
Affine Ciphers (Contd…)
Example
What is the key domain and its size in the affine cipher?
The affine cipher uses a pair of keys in which the first key is from Z26* and the
second is from Z26. The size of the key domain is 26 × 12 = 312.
Example
Use the affine cipher to encrypt the message "hello" with the key pair (7, 2).
Affine Ciphers (Contd…)
Example
Use the affine cipher to decrypt the message "ZEBBW" with the key pair (7, 2) in
mod 26.
Note
• The additive cipher is a special case of an affine cipher in which k1 = 1.
• The multiplicative cipher is a special case of an affine cipher in which k2 = 0.
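The following is an added example, not part of the original slides, implementing the affine cipher with the standard rule C = (k1 × P + k2) mod 26 and its decryption P = ((C − k2) × k1^−1) mod 26, the general form of which the additive cipher (k1 = 1) and the multiplicative cipher (k2 = 0) are the special cases noted above. It checks that k1 lies in Z26*, enumerates Z26* (the 12 members listed in Example 1) and confirms the key-domain size 312. Function names are this example's own; the inverse of k1 is taken from Python's built-in `pow(k1, -1, 26)`.

```python
# Added example (not from the slides): the affine cipher and its two special
# cases, with key validation against Z26*. Function names are this example's
# own; pow(k1, -1, 26) (Python 3.8+) supplies the inverse of k1 in Z26*.

from math import gcd
import string

ALPHABET = string.ascii_lowercase
MOD = 26

def is_valid_key(k1, k2):
    """k1 must be in Z26* (it needs a multiplicative inverse), k2 in Z26."""
    return gcd(k1, MOD) == 1 and 0 <= k2 < MOD

def check_key(k1, k2):
    if not is_valid_key(k1, k2):
        raise ValueError(f"invalid key pair ({k1}, {k2}): k1 needs an inverse in Z26")

def affine_encrypt(plaintext, k1, k2):
    """C = (k1 * P + k2) mod 26 per letter; output uppercase."""
    check_key(k1, k2)
    return "".join(ALPHABET[(k1 * ALPHABET.index(c) + k2) % MOD]
                   for c in plaintext.lower() if c in ALPHABET).upper()

def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) * k1^-1) mod 26 per letter; output lowercase."""
    check_key(k1, k2)
    k1_inv = pow(k1, -1, MOD)
    return "".join(ALPHABET[((ALPHABET.index(c) - k2) * k1_inv) % MOD]
                   for c in ciphertext.lower() if c in ALPHABET)

def multiplicative_encrypt(plaintext, k):
    """Special case k2 = 0."""
    return affine_encrypt(plaintext, k, 0)

def additive_encrypt(plaintext, k):
    """Special case k1 = 1."""
    return affine_encrypt(plaintext, 1, k)

def z26_star():
    """The members of Z26*: the integers in Z26 coprime to 26."""
    return [k for k in range(MOD) if gcd(k, MOD) == 1]

def key_domain_size():
    """Number of (k1, k2) pairs: |Z26*| * |Z26| = 12 * 26 = 312."""
    return len(z26_star()) * MOD

if __name__ == "__main__":
    print("Z26* =", z26_star(), "size of key domain =", key_domain_size())
    print("hello, (7, 2) ->", affine_encrypt("hello", 7, 2))
    print("ZEBBW, (7, 2) ->", affine_decrypt("ZEBBW", 7, 2))
    print("hello, k = 7 multiplicative ->", multiplicative_encrypt("hello", 7))
```

A key domain of 312 is small enough that an exhaustive search is immediate, which is the point the next slide makes when it moves on to the monoalphabetic substitution cipher.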
Monoalphabetic Substitution Cipher
Is there any drawback of the affine cipher?
• Affine ciphers, including additive and multiplicative ciphers, have small key
  domains, hence are very vulnerable to brute-force attack.
• A better solution is to create a mapping between each plaintext character and the
  corresponding ciphertext character.
• Alice and Bob can agree on a table showing the mapping for each character.
Monoalphabetic Substitution Cipher (Contd…)
Figure: An example key for the monoalphabetic substitution cipher
Cryptanalysis: What is the size of the key space?
26! ≈ 4 × 10^26, hence extremely difficult to attack by brute force,
but easy to attack statistically (?)
Playfair Cipher
• A multiple-letter encryption cipher developed by Charles Wheatstone, but named after
  his friend Baron Playfair who promoted it.
• The secret key in this cipher is made by a 5x5 matrix (I and J are considered as
  one element).
• The encryption algorithm takes a pair of letters (a digram) from the plaintext and
  translates it into a ciphertext pair.
• If the two letters in a pair are the same, then a bogus letter is inserted.
• The cipher uses 3 rules for encryption:
Playfair Cipher (Contd…)
• If the two letters in a pair are located in the same row of the secret key, the
  corresponding encrypted character for each letter is the next letter to the right
  in the same row (with wrapping to the beginning).
• If the two letters in a pair are located in the same column of the secret key, the
  corresponding encrypted character for each letter is the letter beneath it in the
  same column (with wrapping to the beginning).
• If the two letters in a pair are not in the same row or column of the secret key,
  the corresponding encrypted character for each letter is the letter that is in its
  own row but in the same column as the other.
Playfair Cipher (Contd…)
Example
Encrypt the plaintext "hello" using the key in the above figure.
Cryptanalysis: Its key domain is 25!
• Hence it is difficult to attack by brute force.
• Although it hides the single-letter frequency, the digram frequency is still
  available to the attacker.
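The following is an added example, not part of the original slides, that implements the Playfair cipher with the three rules above. The slides' key figure is not reproduced in the text, so the 5x5 matrix is built here from a constructed keyword ("monarchy"), with I and J merged; the bogus letter inserted between repeated letters is 'x' ('q' when the repeated letter is itself 'x'), and a lone final letter is padded with 'x'. Function names are this example's own.

```python
# Added example (not from the slides): Playfair cipher. Key matrix built from a
# constructed keyword; bogus letter 'x' between repeated letters; I/J merged.

import string

def build_matrix(keyword):
    """5x5 key matrix: keyword letters first (duplicates dropped), then the rest."""
    seen = []
    for c in (keyword + string.ascii_lowercase).lower().replace("j", "i"):
        if c.isalpha() and c not in seen:
            seen.append(c)
    assert len(seen) == 25
    return [seen[i:i + 5] for i in range(0, 25, 5)]

def positions(matrix):
    """Map each letter to its (row, column) in the matrix."""
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}

def digrams(text):
    """Split the text into pairs, inserting a bogus letter between identical letters
    and padding a lone final letter."""
    letters = [c for c in text.lower().replace("j", "i") if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "q" if a == "x" else "x"
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append((a, filler))   # repeated letter: pair it with the filler
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs

def transform_pair(matrix, pos, a, b, shift):
    """shift=+1 applies the three encryption rules, shift=-1 reverses them."""
    ra, ca = pos[a]
    rb, cb = pos[b]
    if ra == rb:                                  # same row: letter to the right
        return matrix[ra][(ca + shift) % 5] + matrix[rb][(cb + shift) % 5]
    if ca == cb:                                  # same column: letter beneath
        return matrix[(ra + shift) % 5][ca] + matrix[(rb + shift) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]        # rectangle: own row, other's column

def playfair_encrypt(plaintext, keyword):
    matrix = build_matrix(keyword)
    pos = positions(matrix)
    return "".join(transform_pair(matrix, pos, a, b, +1)
                   for a, b in digrams(plaintext)).upper()

def playfair_decrypt(ciphertext, keyword):
    """Recovers the digram stream; inserted bogus letters stay in the output."""
    matrix = build_matrix(keyword)
    pos = positions(matrix)
    letters = [c for c in ciphertext.lower() if c.isalpha()]
    return "".join(transform_pair(matrix, pos, letters[i], letters[i + 1], -1)
                   for i in range(0, len(letters), 2))

if __name__ == "__main__":
    for row in build_matrix("monarchy"):
        print(" ".join(row))
    ct = playfair_encrypt("hello", "monarchy")
    print("hello ->", ct, "->", playfair_decrypt(ct, "monarchy"))
```

Decryption returns "helxlo" rather than "hello": the bogus letter is part of the digram stream, and removing it is left to the reader of the plaintext, which is the usual convention for this cipher.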
Hill Cipher
Invented by Lester S. Hill.
Here the plaintext is divided into equal-sized blocks (of size m).
The key is a square matrix of size m × m, where m is the block size.
Note:
Encryption: C = PK
Decryption: P = CK^−1, where K is invertible.
The key matrix in the Hill cipher needs to have a multiplicative inverse.
Hill Cipher (Contd…)
If the plaintext P = {P1, P2, …, Pm} and the ciphertext C = {C1, C2, …, Cm} then we
have:
Cryptanalysis: Brute-force attack is difficult as the key is a matrix of size m × m.
• Each entry in the matrix is chosen out of 26 values,
• hence the size of the key domain is 26^(m×m).
• It also doesn't preserve the letter frequencies.
Assignment-1
(Submission deadline: 20.9.21)
1. Show the process of encryption and decryption for the plaintext "play" by using
   the Hill cipher with the key
   K = | 3  3 |
       | 2  5 |
2. Find the multiplicative inverse of 19 in Z26 by using the Extended Euclidean
   Algorithm (show all the steps involved in a table).
• Solve both the questions on plain paper.
• Write your name, registration no. and sec. on each page.
• Then scan and submit in Google Classroom (CNS Assignment Submission) by using the
  class code vwi4liq
Polyalphabetic Substitution Ciphers
• A better method than monoalphabetic substitution.
• Here, each occurrence of a character in the plaintext may have a different
  substitute in the ciphertext.
• The relationship between a character in the plaintext and a character in the
  ciphertext is one-to-many.
• All these ciphers have some common techniques:
  • A set of related monoalphabetic substitution rules is used.
  • A key determines which particular rule is chosen for a given transformation.
Vigenère Cipher
• It is a polyalphabetic cipher designed by Blaise de Vigenère, French mathematician
  (16th century).
• Here the key stream is a repetition of an initial secret key stream of length m.
• Let the plaintext be P = p0, p1, p2, …, p(n−1) and
• the key consist of the sequence of letters K = k0, k1, k2, …, k(m−1), where m < n.
• Then the ciphertext letters C = C0, C1, C2, …, C(n−1) are calculated as follows:
  Ci = (pi + k(i mod m)) mod 26
• Similarly, the plaintext can be calculated as
  pi = (Ci − k(i mod m)) mod 26
Vigenère Cipher (Contd…)
Example
Encrypt the message "She is listening" using the 6-character key "PASCAL".
The initial key stream is (15, 0, 18, 2, 0, 11). The key stream is the repetition of
this initial key stream (as many times as needed).
Vigenère Cipher (Contd…)
Cryptanalysis: Can we say the Vigenère cipher is secure?
• The attacker has to know the key length to attack.
• Once he knows the key length (say m), he can apply frequency analysis of the
  plaintext language to attack each of the m monoalphabetic ciphers.
• For example, with the keyword PASCAL, the letters in positions 1, 7, 13, and so on
  are all encrypted with the same letter of the key.
• The key length can be predicted if two identical sequences of plaintext letters
  occur, as they will generate identical ciphertext sequences.
Another Example of the Vigenère Cipher
Plaintext (P): we are discovered save yourself
Key (K): deceptive
Autokey Cipher
• The periodic nature of the keyword can be eliminated by using a non-repeating
  keyword that is as long as the message itself.
• So, Vigenère proposed an autokey system, in which a keyword is concatenated with
  the plaintext itself to provide a running key.
Autokey Cipher (Contd…)
Example
Plaintext (P): we are discovered save yourself
Key (K): deceptive
Cryptanalysis:
Because the key and the plaintext share the same frequency distribution of letters, a
statistical technique can be applied.
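The following is an added example, not part of the original slides, covering the Vigenère cipher (repeating key stream, Ci = (pi + k(i mod m)) mod 26) and the autokey variant (key stream = keyword followed by the plaintext itself), together with the key-length observation from the cryptanalysis slide: identical plaintext sequences under the same key letters produce identical ciphertext sequences, and the distance between such repeats is a multiple of the key length. Inputs are the slides' own ("She is listening" with PASCAL; "we are discovered save yourself" with deceptive); function names are this example's own.

```python
# Added example (not from the slides): Vigenère and autokey ciphers, plus the
# repeated-sequence distances that hint at the key length. Names are this
# example's own; the inputs are the slides' own.

from collections import defaultdict
import string

ALPHABET = string.ascii_lowercase

def letters_only(text):
    """Letters of the text as numbers in Z26; spaces and punctuation are dropped."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]

def key_stream(keyword, length):
    """The repeated key stream, e.g. PASCAL -> 15, 0, 18, 2, 0, 11, 15, ..."""
    k = letters_only(keyword)
    return [k[i % len(k)] for i in range(length)]

def vigenere_encrypt(plaintext, keyword):
    """Ci = (pi + k(i mod m)) mod 26."""
    p = letters_only(plaintext)
    k = key_stream(keyword, len(p))
    return "".join(ALPHABET[(p[i] + k[i]) % 26] for i in range(len(p))).upper()

def vigenere_decrypt(ciphertext, keyword):
    """pi = (Ci - k(i mod m)) mod 26."""
    c = letters_only(ciphertext)
    k = key_stream(keyword, len(c))
    return "".join(ALPHABET[(c[i] - k[i]) % 26] for i in range(len(c)))

def autokey_encrypt(plaintext, keyword):
    """Running key: the keyword, then the plaintext itself (never repeats)."""
    p = letters_only(plaintext)
    stream = letters_only(keyword) + p
    return "".join(ALPHABET[(p[i] + stream[i]) % 26] for i in range(len(p))).upper()

def autokey_decrypt(ciphertext, keyword):
    """Each recovered plaintext letter extends the key for the letters that follow."""
    c = letters_only(ciphertext)
    stream = letters_only(keyword)
    out = []
    for i in range(len(c)):
        pi = (c[i] - stream[i]) % 26
        out.append(pi)
        stream.append(pi)
    return "".join(ALPHABET[v] for v in out)

def repeated_sequence_distances(ciphertext, length=3):
    """Distances between repeats of every ciphertext sequence of the given length.
    Under a repeating key these distances are multiples of the key length."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        seen[ciphertext[i:i + length]].append(i)
    return {seq: [b - a for a, b in zip(idx, idx[1:])]
            for seq, idx in seen.items() if len(idx) > 1}

if __name__ == "__main__":
    print(vigenere_encrypt("She is listening", "PASCAL"))
    ct = vigenere_encrypt("we are discovered save yourself", "deceptive")
    print(ct, repeated_sequence_distances(ct))
    print(autokey_encrypt("we are discovered save yourself", "deceptive"))
```

On the slides' second example the repeat "VTW" appears at a distance of 9, the length of "deceptive"; the autokey ciphertext of the same message has no such repeat, which is the improvement the autokey slide describes, while its remaining weakness (key and plaintext share one frequency distribution) is the one its cryptanalysis note points out.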
Vernam Cipher
• Introduced by an AT&T engineer, Gilbert Vernam, in 1918.
• He proposed to choose a very long key that has no statistical relationship to the
  plaintext.
• His system works on binary data (bits) rather than letters.
Vernam Cipher (Contd…)
• So the encryption process is given by:
  ci = pi ⊕ ki
  where pi = ith binary digit of plaintext
        ki = ith binary digit of key
        ci = ith binary digit of ciphertext
        ⊕ = exclusive-or (XOR) operation
• Because of the properties of XOR, decryption simply involves the same bitwise
  operation:
  pi = ci ⊕ ki
One-Time Pad
• It was an improvement over Vernam's cipher.
• Vernam's scheme used the key from a punched paper tape which was running in a loop.
• So, a key was used again when the tape completed a cycle.
• Joseph Mauborgne (Army Signal Corps officer) proposed an improvement to the Vernam
  cipher.
• He suggested using a random key as long as the size of the message, so that the key
  need not be repeated.
• This is the only cryptosystem that exhibits perfect secrecy.
One-Time Pad (Contd…)
• The key is used to encrypt and decrypt a single message, and then it is discarded.
• Each new message requires a new key of the same length as the new message.
• Therefore, it is called a one-time pad, and has been proved unbreakable.
• Drawbacks:
  • There is the practical problem of creating a large number of random keys.
  • Difficulty in key distribution and protection.
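The following is an added example, not part of the original slides, showing the Vernam operation ci = pi ⊕ ki on bytes, with the key drawn from the operating system's random source to meet the one-time-pad requirement of a random key as long as the message. The last function demonstrates why Mauborgne's "use it once" rule matters: when Vernam's looping tape reused key material, the XOR of two ciphertexts equals the XOR of the two plaintexts, with the key cancelled out. Messages and function names are constructed for this example.

```python
# Added example (not from the slides): Vernam/one-time-pad XOR on bytes and the
# key-reuse property that motivates the one-time rule. Names are this example's own.

import os

def vernam(data, key):
    """c_i = p_i XOR k_i byte by byte. XOR is its own inverse, so the same call
    decrypts: vernam(vernam(p, k), k) == p."""
    if len(key) < len(data):
        raise ValueError("the key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def one_time_pad_encrypt(message):
    """Fresh random pad, exactly as long as the message; returns (ciphertext, pad).
    The pad must be delivered to the receiver separately and then discarded."""
    pad = os.urandom(len(message))
    return vernam(message, pad), pad

def round_trip(message):
    """Encrypt with a fresh pad and check that the same pad decrypts."""
    ciphertext, pad = one_time_pad_encrypt(message)
    return vernam(ciphertext, pad) == message

def key_cancels_when_reused(m1, m2, pad):
    """If one pad encrypts two messages, c1 XOR c2 == m1 XOR m2: the pad drops out
    and the two plaintexts are related to each other without any key."""
    c1, c2 = vernam(m1, pad), vernam(m2, pad)
    return vernam(c1, c2) == vernam(m1, m2)

if __name__ == "__main__":
    msg = b"attack at dawn"
    ct, pad = one_time_pad_encrypt(msg)
    print("ciphertext:", ct.hex())
    print("decrypted :", vernam(ct, pad))
    print("pad reuse cancels the key:", key_cancels_when_reused(b"hello", b"world", pad))
```

Perfect secrecy of the one-time pad depends on all three conditions together: a truly random pad, as long as the message, used once. Dropping any one of them turns it into the Vernam cipher with a looping tape, whose weakness the last function shows.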
TRANSPOSITION CIPHERS
• A transposition cipher does not substitute one symbol for another; instead it
  changes the location of the symbols.
• Therefore, it only transposes or reorders the symbols.
• Two types: keyless or keyed transposition cipher.
Keyless Transposition Cipher (Rail Fence Cipher)
• The plaintext is arranged in two lines as a zigzag pattern.
• The ciphertext is created by reading the first line and then the second line.
• After receiving the ciphertext, the receiver divides it into two lines from the
  middle and then reads the characters in zigzag.
Example
• Let the plaintext be: m e e t m e t o n i g h t
• Encryption:
  • Arrange it in a zigzag pattern:
    m   e   m   t   n   g   t
      e   t   e   o   i   h
  • Then read line by line.
  • So the ciphertext is: M E M T N G T E T E O I H
• Decryption:
  • Divide the ciphertext into two parts from the middle:
    M E M T N G T
    E T E O I H
  • Then read in zigzag style.
TRANSPOSITION CIPHERS (contd…)
Keyed Transposition Cipher:
• The drawback of keyless transposition is that it has only two rows (fixed).
• So, cryptanalysis will be very easy for the attacker:
• he only has to know that the rail fence has been used.
So, an improved method would be to use a key. It has the following three steps:
• First the plaintext is written into a table row by row.
• Then the permutation is done by using a permutation key (reordering the columns).
• Finally the new table is read column by column.
Example (Transposition Cipher)
Alice needs to send the message "Enemy attacks tonight" to Bob.
The key used for encryption and decryption is a permutation key, which shows how the
characters are permuted assuming 5 columns.
The permutation yields:
Figure: Example (with steps)
Expressing Permutation Table as Keys
• Encryption key: the permutation key for encryption can be expressed as a sequence
  of column numbers of the plaintext, with the index values of those positions as
  column numbers in the ciphertext.
• Example: Let the encryption key be (3 1 4 5 2). The first entry (3) means the
  content of column 3 of the plaintext becomes column 1 (1 is the index of that
  position) in the ciphertext. The second entry (1) means column 1 in the plaintext
  becomes column 2 in the ciphertext, and so on.
• Decryption key: the decryption key for the above example will be (2 5 1 3 4). The
  first entry (2) means the content of column 2 in the ciphertext becomes column 1
  (1 is the index of that position) in the plaintext, and so on.
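The following is an added example, not part of the original slides, implementing both transposition ciphers above: the keyless rail fence (two lines in zigzag, read line by line; the receiver splits the ciphertext in the middle) and the keyed transposition with the three steps just given (write the plaintext row by row into a table of 5 columns, reorder the columns with the permutation key, read the new table column by column), including the derivation of the decryption key (2 5 1 3 4) from the encryption key (3 1 4 5 2). Inputs are the slides' own ("meet me tonight"; "Enemy attacks tonight"). Padding the last row with 'z' and all function names are this example's own.

```python
# Added example (not from the slides): rail fence and keyed columnar
# transposition following the slides' three steps. Padding with 'z' is an
# assumption of this example; function names are this example's own.

def rail_fence_encrypt(plaintext):
    """Zigzag over two lines: even positions on line 1, odd positions on line 2."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    line1 = letters[0::2]
    line2 = letters[1::2]
    return "".join(line1 + line2).upper()

def rail_fence_decrypt(ciphertext):
    """Split in the middle (line 1 is the longer one for odd lengths), then zigzag."""
    letters = [c for c in ciphertext.lower() if c.isalpha()]
    half = (len(letters) + 1) // 2
    line1, line2 = letters[:half], letters[half:]
    out = []
    for i in range(len(letters)):
        out.append(line1[i // 2] if i % 2 == 0 else line2[i // 2])
    return "".join(out)

def inverse_key(key):
    """Decryption key: for each plaintext column, the ciphertext column holding it.
    (3 1 4 5 2) -> (2 5 1 3 4)."""
    inv = [0] * len(key)
    for cipher_col, plain_col in enumerate(key, start=1):
        inv[plain_col - 1] = cipher_col
    return tuple(inv)

def columnar_encrypt(plaintext, key, pad="z"):
    cols = len(key)
    letters = [c for c in plaintext.lower() if c.isalpha()]
    while len(letters) % cols:
        letters.append(pad)                                             # fill last row
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]  # step 1
    permuted = [[row[k - 1] for k in key] for row in rows]              # step 2
    return "".join(permuted[r][c] for c in range(cols)
                   for r in range(len(rows))).upper()                   # step 3

def columnar_decrypt(ciphertext, key):
    cols = len(key)
    letters = [c for c in ciphertext.lower() if c.isalpha()]
    nrows = len(letters) // cols
    # rebuild the permuted table from its columns (reverse of step 3)
    permuted = [[letters[c * nrows + r] for c in range(cols)] for r in range(nrows)]
    inv = inverse_key(key)
    rows = [[row[k - 1] for k in inv] for row in permuted]             # undo step 2
    return "".join("".join(row) for row in rows)                        # read row by row

if __name__ == "__main__":
    rf = rail_fence_encrypt("meet me tonight")
    print(rf, "->", rail_fence_decrypt(rf))
    key = (3, 1, 4, 5, 2)
    ct = columnar_encrypt("Enemy attacks tonight", key)
    print(ct, "->", columnar_decrypt(ct, key), "decryption key:", inverse_key(key))
```

Note that both ciphers leave every plaintext letter in the ciphertext unchanged, which is exactly why the single-letter frequency is preserved and a statistical attack remains possible, as the next slide points out.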
Cryptanalysis of Transposition Cipher
• A statistical attack is possible as it preserves the single-letter frequency, but
  not the digrams and trigrams.
• A brute-force attack, although possible, faces a huge key domain,
  i.e. 1! + 2! + 3! + … + L!, where L is the length of the ciphertext.
• An attack called a pattern attack would be possible.
• It can be made more secure by using double transposition.
Figure: Double Transposition Ciphers
Rotor Cipher
• It is based on the idea of multiple stages of monoalphabetic substitution.
• It is an electro-mechanical system having a set of independently rotating cylinders through which electrical pulses can flow.
• Each cylinder has 26 input pins and 26 output pins, with internal wiring that connects each input pin to a unique output pin.
• If we map each input and output pin to a letter of the alphabet, then a single cylinder defines a monoalphabetic substitution.
Rotor Cipher
• But the mapping between plaintext and ciphertext
characters changes after each rotation.
• Following is an example of rotations with 6 input and
6 output pins for simplicity.
Rotor Cipher (Contd…)
Cryptanalysis:
• If there is only one cylinder, then we have 26 different substitutions (keys).
• If there are two cylinders, then we have 26 × 26 keys.
• If there are three cylinders, then we have 26 × 26 × 26 = 17,576 different substitutions.
• So, by adding more cylinders the number of keys can be increased.
• It is also much more resistant to statistical attack when the number of cylinders is 5 (11,881,376 substitutions).
Because of this, a modified version of the rotor cipher called the Enigma machine was extensively used by the German Army during World War II.
German Military’s Enigma Machine
STREAM AND BLOCK CIPHERS
In a stream cipher, encryption and decryption are done on one symbol (such as a character or a bit) at a time. Examples:
• Additive Cipher
• Monoalphabetic Substitution Cipher
• Vigenere Cipher
But in a block cipher, a group of plaintext symbols of size m (m > 1) is encrypted together, creating a group of ciphertext symbols of the same size. Typically, a single key is used to encrypt the whole block. Examples:
• Playfair Cipher
• Hill Cipher
Mathematics of Cryptography-II
Algebraic Structures
Dr. Bimal Kumar Meher
Associate Professor, Dept. of CSE
Silicon Institute of Technology
Algebraic Structures
❏ Concept of algebraic structures:
  Groups
  Rings
  Fields
❏ To emphasize finite fields of type GF(p) and GF(2^n), which play a significant role in modern block ciphers.
Groups
• A group (G) is a set of elements with a binary operation (•) that satisfies four properties (or axioms):
❏ Closure
❏ Associativity
❏ Existence of identity
❏ Existence of inverse
• A commutative (abelian) group satisfies an extra property, i.e.
❏ Commutativity
Groups (Contd…)
Although a group involves a single operation, the
properties imposed on the operation allow the use of a
pair of operations as long as they are inverses of each
other.
Example 1
The set Zn with the addition operator (+), G = <Zn, +>, is a commutative group.
Example 2
The set Zn* with the multiplication operator (×), G = <Zn*, ×>, is also an abelian group.
More on Groups
• Finite Group: A group is finite if it has a finite number of elements.
• Order of a Group: It is the number of elements in a group.
Subgroup
A subset H of a group G is a subgroup of G if H itself is a group w.r.t. the operation on G.
That means:
1. For a and b elements of H, c = a • b is also an element of H.
2. Both G and H have the same identity element.
3. The inverse of an element a in H is also its inverse in G.
What are the subgroups of the group G = <Z8, +>?
The subgroups are: H1 = {0, 4} and H2 = {0, 2, 4, 6}
Subgroup (Contd…)
Example
Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>?
The answer is no.
• Although H is a subset of G, the operations defined for these two groups are different.
• The operation in H is addition modulo 10; the operation in G is addition modulo 12.
Cyclic Group
• A group G is cyclic if every element of G can be generated from a single element g ∈ G by applying the group operator to it repeatedly.
• So, g is called the generator of the group.
• We represent g^0 = e as the identity element.
• We also represent g^−n = (g^−1)^n, where g^−1 is the inverse element of g within the group.
• So, we represent all the elements as follows:
Cyclic Group (Contd…)
Example
How many generators are there for the cyclic group G = <Z6, +>?
The group G = <Z6, +> is a cyclic group with two generators, g = 1 and g = 5.
Example:
Check whether the groups G = <Z10*, ×> and G = <Z12*, ×> are cyclic. If yes, find their generators.
Zn*, the multiplicative group modulo n, is cyclic if and only if n is 1, 2, 4, p^k or 2·p^k for an odd prime number p and k ≥ 1.
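The two exercises above (generators of <Z6, +>, and whether Z10* and Z12* are cyclic) worked out by brute force in Python, as an added example that is not part of the slides; it also checks the stated criterion for Zn* being cyclic against the brute-force answer for small n, and lists the subgroups of <Z8, +>.

```python
# Added example: generators and cyclic subgroups of <Zn, +> and <Zn*, x>,
# found by applying the group operation repeatedly, as the slides describe.
from math import gcd

def generated_by(g, op, identity):
    """The cyclic subgroup <g>: apply op to g until we return to the identity."""
    elements = [identity]
    x = op(identity, g)
    while x != identity:
        elements.append(x)
        x = op(x, g)
    return elements

def generators_additive(n):
    """Generators of <Zn, +> (addition modulo n)."""
    op = lambda a, b: (a + b) % n
    return [g for g in range(n) if len(generated_by(g, op, 0)) == n]

def units(n):
    """Elements of Zn*: the integers 1..n-1 that are coprime to n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def generators_multiplicative(n):
    """Generators of <Zn*, x>; an empty list means the group is not cyclic."""
    op = lambda a, b: (a * b) % n
    order = len(units(n))
    return [g for g in units(n) if len(generated_by(g, op, 1)) == order]

def subgroups_additive(n):
    """All cyclic subgroups of <Zn, +> as sorted tuples (every subgroup of a
    cyclic group is cyclic, so this is the complete list)."""
    op = lambda a, b: (a + b) % n
    found = {tuple(sorted(generated_by(g, op, 0))) for g in range(n)}
    return sorted(found, key=len)

def is_cyclic_by_rule(n):
    """The slides' criterion: Zn* is cyclic iff n is 1, 2, 4, p^k or 2p^k
    for an odd prime p."""
    if n in (1, 2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n      # strip one factor 2 (the 2p^k case)
    if m % 2 == 0:                       # still even: 4 divides n, n != 4
        return False
    p = 3                                # smallest odd prime factor of m
    while p * p <= m and m % p:
        p += 2
    if m % p:
        p = m                            # m itself is prime
    while m % p == 0:
        m //= p
    return m == 1                        # True iff m was a power of p
```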
Ring
• A ring is a set R having two binary operations (+) and (·) satisfying the following three sets of axioms:
• R is an abelian group under addition. That means:
  • For a, b in R, a + b is also in R (i.e., closure under +)
  • (a + b) + c = a + (b + c) for all a, b, c in R (i.e., + is associative)
  • a + b = b + a for all a, b in R (i.e., + is commutative)
  • There is an element 0 in R such that a + 0 = a for all a in R (i.e., 0 is the additive identity)
  • For each a in R there exists −a in R such that a + (−a) = 0 (i.e., −a is the additive inverse of a).
Ring (contd…)
• R has the following properties under multiplication:
  • For a, b in R, a · b is also in R (i.e., closure under ·)
  • (a · b) · c = a · (b · c) for all a, b, c in R (i.e., associative under ·)
• Multiplication is distributive with respect to addition. That means:
  a · (b + c) = (a · b) + (a · c) for all a, b, c in R (left distributivity)
  (b + c) · a = (b · a) + (c · a) for all a, b, c in R (right distributivity)
• A ring R is said to be commutative if it satisfies the commutative property (a · b = b · a for all a, b in R).
Ring (Contd…)
Example
• The set Z of integers with two operations, addition and multiplication, is a commutative ring.
• The set R of real numbers with two operations, addition and multiplication, is also a commutative ring.
• The set of all square matrices of a fixed size, with real elements, using matrix addition and multiplication, is a ring.
Integral domain
• It is a commutative ring with two extra properties as follows:
  • There is an element 1 in R such that a · 1 = 1 · a = a for all a in R (multiplicative identity)
  • If a, b in R and a · b = 0, then either a = 0 or b = 0 (no zero divisors)
Field
• A field F, denoted by {F, +, ·}, is a set of elements with two binary operations (+) and (·), often called addition and multiplication respectively, satisfying the following axioms:
• F is an integral domain; that is, F satisfies the axioms:
  • Closure w.r.t. addition and multiplication
  • Associativity w.r.t. addition and multiplication
  • Commutativity w.r.t. addition and multiplication
  • Additive identity and additive inverse exist
  • Distributivity of multiplication over addition
  • Multiplicative identity exists
  • No zero divisors
• In addition, every element a in F other than 0 has a multiplicative inverse a^−1 in F with a · a^−1 = 1.
Examples: Field
• The set of all real numbers under the operations of arithmetic addition and multiplication is a field.
• The set of all rational numbers under the operations of arithmetic addition and multiplication is a field.
• The set of all complex numbers under the operations of complex arithmetic addition and multiplication is a field.
• What about Zn and Zn*?
• What about Zp and Zp*?
Examples: NOT a Field
• The set of all integers under the operations of arithmetic addition and multiplication is NOT a field.
• The set of all even integers (positive, negative, and zero) under the operations of arithmetic addition and multiplication is NOT a field.
Finite Fields
Galois showed that for a field to be finite, the number of elements should be p^n, where p is a prime and n is a positive integer.
Note
A Galois field, GF(p^n),is a finite field with p^n elements.
Field: GF(p)
• When n = 1, we have the GF(p) field.
• This is also called a prime field.
• This field consists of the set Zp = {0, 1, 2, …, p − 1}, having p elements.
• The binary operations + and · are defined over the set. Therefore, addition, subtraction, multiplication, and division can be performed in the set.
• Each element of the set other than 0 has a multiplicative inverse.
Field: GF(2)
Example
• A very common field in this category is GF(2).
• It can be denoted as GF(2) = {0, 1} with two operations, addition (+) and multiplication (×).
Field: GF(5)
Example
• We can define GF(5) on the set Z5 (5 is a prime) with addition and multiplication operations as shown below.
• In cryptography, we often need to use four operations (addition, subtraction, multiplication, and division).
• In other words, we need to use fields.
• The finite field GF(2^n) is also called a binary extension field and it has a set of 2^n elements.
• Each element in this set is an n-bit word.
Example
• Let us define a GF(2^2) field.
• The set has four 2-bit words: {00, 01, 10, 11}.
• We can redefine addition and multiplication for this field in such a way that all properties of these operations are satisfied.
• So, multiplication under GF(2^n) may need a division by a predefined irreducible polynomial to get the result as an n-bit word. In GF(2^2), it is 111 (i.e., x^2 + x + 1).
Polynomials
A polynomial of degree n − 1 is an expression of the form
  f(x) = a_(n−1) x^(n−1) + a_(n−2) x^(n−2) + … + a_1 x^1 + a_0 x^0
where x^i is called the ith term and a_i is called the coefficient of the ith term.
Continued
Example
Represent the 8-bit word (10011001) by a polynomial.
The 8-bit word 10011001 has 1s in bit positions 7, 4, 3 and 0, so the polynomial is x^7 + x^4 + x^3 + 1.
Continued
Example
Find the bits of an 8-bit word whose polynomial is given by: x^5 + x^2 + x
To find the 8-bit word related to the polynomial x^5 + x^2 + x, we first supply the omitted terms.
Since n = 8, it means the polynomial is of degree 7.
The expanded polynomial is
  0x^7 + 0x^6 + 1x^5 + 0x^4 + 0x^3 + 1x^2 + 1x^1 + 0x^0
This is related to the 8-bit word 00100110.
GF(2^n) Fields
Note
Polynomials representing n-bit words use two fields: GF(2) and GF(2^n).
Modulus in GF(2^n) Fields
• For the sets of polynomials in GF(2^n), a group of polynomials of degree n is defined as the modulus.
• Such polynomials are referred to as irreducible polynomials.
List of irreducible polynomials
Addition and Subtraction in GF(2^n)
Note
Addition and subtraction operations on polynomials are the same operation.
Example
Perform (x^5 + x^2 + x) ⊕ (x^3 + x^2 + 1) in GF(2^8).
The symbol ⊕ denotes polynomial addition.
It is the Exclusive-OR operation.
Multiplication in GF(2^n)
1. The coefficient multiplication is done in GF(2).
2. Multiplying x^i by x^j results in x^(i+j).
3. The multiplication may create terms with degree more than n − 1, which means the result needs to be reduced using a modulus (irreducible) polynomial.
Example
Find the result of (x^5 + x^2 + x) ⊗ (x^7 + x^4 + x^3 + x^2 + x) in GF(2^8) with irreducible polynomial (x^8 + x^4 + x^3 + x + 1).
1. Do the normal multiplication of polynomials.
2. Then reduce the resulting higher-degree polynomial by dividing by the modulus and taking the remainder.
Continued
Polynomial division with coefficients in GF(2)
Example
How many elements are there in GF(2^3)? Show the addition and multiplication tables for the irreducible polynomial (x^3 + x^2 + 1).
The GF(2^3) field has 8 elements.
Note that there are two irreducible polynomials for degree 3. The other one, (x^3 + x + 1), yields a totally different table for multiplication.
Addition table for GF(2^3)
Multiplication table for GF(2^3)
Finding inverse in GF(2^n) Field
Example
In GF(2^4), find the inverse of (x^2 + 1) modulo (x^4 + x + 1).
The answer is (x^3 + x + 1), as shown in the following table after applying the Extended Euclidean Algorithm (EEA).
Assignment 2
How many elements are there in GF(2^3)? Show the multiplication table for the irreducible polynomial (x^3 + x + 1).
Using a Generator
Sometimes it is easier to define the elements of the GF(2^n) field using a generator.
Example
Generate the elements of the field GF(2^4) using the irreducible polynomial f(x) = x^4 + x + 1.
The elements 0, g^0, g^1, g^2, and g^3 can be easily generated, because they are the 4-bit representations of 0, 1, x^1, x^2, and x^3.
Elements g^4 through g^14, which represent x^4 through x^14, need to be divided by the irreducible polynomial.
To avoid the polynomial division, we can take f(g) = 0.
Then we get g^4 + g + 1 = 0 ⇒ g^4 = g + 1.
Generating all the elements of GF(2^4)
Example
Compute the following under the field GF(2^4):
a. g^3 + g^12 + g^7
b. g^3 − g^6
Example
Compute the following under the field GF(2^4):
a. g^9 × g^11
b. g^3 / g^8
Note: For multiplication of two elements in the field, use the equality g^k = g^(k mod (2^n − 1)) for any integer k.
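GF(2^n) arithmetic on n-bit words, as an added Python example (not code from the slides) covering the multiplication example in GF(2^8), the inverse of x^2 + 1 in GF(2^4), and the generator table of GF(2^4) used in the g^k exercises above. Polynomials are held as integers whose bits are the coefficients (x^5 + x^2 + x is 0b00100110); the inverse is computed as a^(2^n − 2), an alternative to the Extended Euclidean Algorithm on the slides.

```python
# Added example: arithmetic in GF(2^n) with an irreducible modulus polynomial.
# A polynomial is an int; bit i set means the term x^i is present.

def gf_add(a, b):
    """Addition = subtraction = XOR (coefficients are in GF(2))."""
    return a ^ b

def gf_mul(a, b, n, modulus):
    """Multiply in GF(2^n): shift-and-add, reducing by the irreducible
    polynomial whenever the degree reaches n (the 'x^n = lower terms' step)."""
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree n reached: subtract the modulus
            a ^= modulus
    return result

def gf_pow(g, k, n, modulus):
    """g^k, first reducing k with g^k = g^(k mod (2^n - 1)), then
    square-and-multiply."""
    k %= (1 << n) - 1
    result, base = 1, g
    while k:
        if k & 1:
            result = gf_mul(result, base, n, modulus)
        base = gf_mul(base, base, n, modulus)
        k >>= 1
    return result

def gf_inv(a, n, modulus):
    """Multiplicative inverse a^(2^n - 2): every nonzero a satisfies
    a^(2^n - 1) = 1, so a * a^(2^n - 2) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, (1 << n) - 2, n, modulus)

def generator_table(n, modulus, g=0b10):
    """Elements g^0 .. g^(2^n - 2) as n-bit words; g = x by default, and the
    reduction step in gf_mul is exactly the slides' g^n = lower terms."""
    table, x = [], 1
    for _ in range((1 << n) - 1):
        table.append(x)
        x = gf_mul(x, g, n, modulus)
    return table

def poly_str(a):
    """Render an int polynomial as 'x^5 + x^3 + ... + 1' for display."""
    terms = [("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
             for i in range(a.bit_length() - 1, -1, -1) if a >> i & 1]
    return " + ".join(terms) if terms else "0"
```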
Data Encryption Standard (DES)
Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE
BKM/SIT
• DES is a symmetric-key block cipher for encrypting digital data.
• Developed by IBM in the early 1970s.
• It was a modified form of the project called Lucifer by Horst Feistel.
• The cipher was first published by NIST in 1973.
• It was finally published in FIPS in 1977.
NIST: National Institute of Standards and Technology
FIPS: Federal Information Processing Standard
DES Overview
DES Basics
• It takes plaintext of size 64 bits and produces ciphertext of size 64 bits.
• But it has a cipher key of size 56 bits.
• Building blocks of DES:
  • P-box
  • S-box
  • XOR
  • Sixteen Feistel rounds
General Structure of DES
Initial and Final Permutations
Initial and final permutation tables (Contd…)
Note: The indices (1–64) of the table (not shown) represent output bit positions. The values shown in the table represent input bit positions.
Example 1
Find the output of the initial permutation box when the input is given in hexadecimal as:
Solution
Only bit 15 and bit 64 are 1s; the other bits are 0s.
In the initial permutation, input bit 15 becomes bit 63 in the output and input bit 64 becomes bit 25 in the output. The result is
Example 2
Find the output of the final permutation if the input is
• The input has only two 1s; the output must also have only two 1s.
• Using the table, we can find the output of these two bits. Bit 25 in the input becomes bit 64 in the output. Bit 63 in the input becomes bit 15 in the output.
• So the output has only two 1s, bit 15 and bit 64. The result in hexadecimal is
Note
The initial and final permutations are straight P-boxes that are inverses of each other.
Rounds
• DES uses 16 rounds.
• Each round of DES is a Feistel cipher.
• A Feistel cipher has both invertible and non-invertible components.
• The figure shows a single round in DES encryption.
DES Function
• The heart of DES is the DES function.
• The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
Expansion P-box in the Function
Expansion P-box (Cont…)
Since R_(I−1) is a 32-bit input and K_I is a 48-bit key, we first need to expand R_(I−1) to 48 bits.
Whitener (XOR)
• After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key.
• Note that both the right section and the key are 48 bits in length.
• Also note that the round key is used only in this operation.
S-Boxes
• An S-box provides the substitution function, i.e. each 6-bit input block is replaced by a 4-bit output block from the S-box.
• DES uses 8 such S-boxes.
S-Box (Contd…)
S-box rule: The substitution in each box follows a predefined rule based on a 4-row by 16-column table.
S-Box (Contd…)
• The following table shows the contents of S-box 1.
• Refer to the textbook for the rest of the boxes.
Table: S-box 1
Continued
Example
The input to S-box 1 is 100011. What is the output?
• If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal.
• The remaining bits are 0001 in binary, which is 1 in decimal.
• Now, check the value in row 3 & column 1 in S-box 1.
• The result is 12 in decimal, which in binary is 1100.
So the input 100011 yields the output 1100.
Straight Permutation Table (P-Box)
General Structure of DES
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key.
Key Generation (Contd…)
Parity Drop: It is a compression transposition step. It drops the parity bits (bits 8, 16, 24, 32, …, 64) from the 64-bit key and permutes the rest of the bits according to the following table.
Parity-bit drop table
Key Generation (Contd…)
The 56-bit key is now divided into two 28-bit parts. Then each part is left shifted (circularly) by either one or two bits in each round, as shown in the table.
Number of bit shifts
Key-compression table of size 56 × 48
Analysis of DES
• The desired property of a block cipher is the avalanche effect.
• Avalanche effect means that a small change in the plaintext (or key) should create a significant change in the ciphertext (diffusion & confusion).
• Diffusion: The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.
• Confusion: The idea of confusion is to hide the relationship between the ciphertext and the key.
Example
Let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.
Example (Contd…)
• Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits.
• This means that changing approximately 1.5 percent of the plaintext creates a change of approximately 45 percent in the ciphertext.
Number of bit differences for each round
Design Criteria
S-Boxes
The design provides confusion of bits from each round to the next.
P-Boxes
They provide diffusion of bits.
Number of Rounds
DES uses sixteen rounds of Feistel ciphers. The ciphertext is thoroughly a random function of plaintext and ciphertext.
DES Weaknesses
• During the last few years researchers have found some weaknesses in DES.
1. Weaknesses in S-boxes
2. Weaknesses in P-boxes
3. Weaknesses in the key
• What is the key domain of DES?
• It is 2^56 possible keys.
Facts
• For a processor checking 1 million keys/sec, it would take more than 2000 years for a brute-force attack.
• But, if we have 3500 networked computers, it may find the key in 120 days!!!
Continued
• Let us try the first weak key in Table 1 to encrypt a plaintext block two times.
• Check the result!!!
Multiple DES
• The major criticism of DES regards its key length.
• Techniques like Differential (1980) and Linear Cryptanalysis (1992) were able to break the cipher.
• But Linear Cryptanalysis needs 2^47 known plaintexts to break the cipher.
• Therefore, the designers proposed double or triple DES to increase the key size and security.
Double DES (2DES)
Meet-in-the-Middle Attack
• A major drawback of 2DES is the meet-in-the-middle (MIM) attack.
• It is a known-plaintext attack.
• Because of it, 2DES improves the vulnerability only slightly (to 2^57 tests), but not tremendously (to 2^112).
Triple DES (with two keys)
Triple DES with Three Keys
• The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys.
• Triple DES with three keys is used by many applications such as PGP.
Advanced Encryption Standard (AES)
Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE
Why AES?
• The 56-bit key size of DES is becoming vulnerable to brute-force attacks.
• DES was designed primarily for hardware and is relatively slow when implemented in software.
• While Triple-DES avoids the problem of a small key size, it is very slow even in hardware; it is unsuitable for limited-resource platforms.
• Potential security issues due to its block size (64 bits).
• The Advanced Encryption Standard (AES) is a symmetric-key block cipher (also known as the Rijndael cipher).
• Published by the National Institute of Standards and Technology (NIST) in December 2001 (FIPS 197).
• Designers: Joan Daemen (Cryptographer & IT Security Architect, STMicroelectronics) and Vincent Rijmen (Chief Cryptographer, Cryptomathic).
Block size, Key size and No. of Rounds
• AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits.
• It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
General design of AES
Data Units in AES
Block-to-state and State-to-block transformation
Example
Changing plaintext to state
Structure of Each Round during encryption
To provide security, AES uses four types of transformations:
• Substitution (SubBytes),
• Permutation (ShiftRows),
• Mixing (MixColumns),
• Key-adding (AddRoundKey).
Substitution: SubBytes & InvSubBytes
• AES uses two invertible transformations.
• SubBytes is used at the encryption site; InvSubBytes is used at the decryption site.
• To substitute a byte, we interpret the byte as two hexadecimal digits.
• It provides the confusion effect.
Note
The SubBytes operation involves 16 independent byte-to-byte transformations.
SubBytes Table
SubBytes Table (Contd…)
InvSubBytes Table
InvSubBytes Table (Contd…)
Example
• The figure shows the SubBytes transformation and then the InvSubBytes transformation to recreate the original.
• Note that if two bytes have the same value, their transformation is also the same.
Transformation Using the GF(2^8) Field
AES also defines the transformation algebraically using the GF(2^8) field with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1), as shown on the next slide.
Note
The SubBytes and InvSubBytes transformations are inverses of each other.
SubBytes and InvSubBytes processes
Example
Transform the byte 0C by the SubBytes routine and transform the result back to get 0C by the InvSubBytes routine.
Permutation: ShiftRows & InvShiftRows
• Another transformation found in a round is shifting, which permutes the bytes.
• In the encryption, the transformation is called ShiftRows.
Example
The figure shows how a state is transformed using the ShiftRows transformation. The figure also shows that the InvShiftRows transformation recreates the original state.
Mixing
• We need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes.
• We need to mix bytes to provide diffusion at the bit level.
• The following figure shows mixing with matrix multiplication.
MixColumns
• The MixColumns transformation operates at the column level.
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
InvMixColumns
The InvMixColumns transformation is similar to the MixColumns transformation, but with the constant matrix C^−1.
Note
The MixColumns and InvMixColumns transformations are inverses of each other.
Mixing (Contd…)
Constant matrices used by MixColumns and InvMixColumns
Example
• The figure shows state transformations using the MixColumns and InvMixColumns transformations.
AddRoundKey
• This transformation proceeds one column at a time.
• It adds a word of the round key to the respective column of the state matrix.
• It is nothing but matrix addition, but using XOR.
Note
The AddRoundKey transformation is the inverse of itself.
AddRoundKey transformation
k0 k4 k8 k12
k1 k5 k9 k13
k2 k6 k10 k14
k3 k7 k11 k15
Key matrix
• To create round keys for each round, AES uses a key-expansion process.
• If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.
• The key-expansion routine creates round keys word by word (a word is an array of 4 bytes).
• The routine creates 4 × (Nr + 1) words, called w0, w1, w2, …, w(4(Nr + 1) − 1).
Therefore, AES-128 (10 rounds) has 44 words, AES-192 (12 rounds) has 52 words, and AES-256 (14 rounds) has 60 words.
Key Expansion in AES-128
RCon Constants
• Each round constant, Rcon, is a 4-byte value in which the rightmost three bytes are always zero.
• Rcon[j] = (RC[j], 0, 0, 0) with RC[1] = 1 and RC[j] = 2 · RC[j−1].
• The multiplication is performed in the GF(2^8) field.
Analysis of Key expansion
1. To know the cipher key, the attacker has to know all the round keys.
2. Two different cipher keys may be close to each other, but produce two expansions that differ in many bits in most of the rounds.
3. It makes the diffusion stronger.
4. Rcon helps to remove any symmetry that may arise due to other transformations.
5. There are no weak keys in AES.
6. This can be easily implemented on any platform.
7. It can be implemented by using a single table or by using the GF(2^8) and GF(2) fields.
Round keys
Let us take cipher key 1 and cipher key 2, which differ only in one bit:
And now compare the two sets of round keys generated.
Avalanche effect
• Let us take all 0s for the plaintext and cipher key shown below. See the ciphertext.
• Now change only one bit in the plaintext, for example one bit in the last byte. Apply AES and get the ciphertexts.
• Now compare ciphertext 1 and ciphertext 2. The result shows the effect of stronger diffusion and confusion.
• Changing a single bit in the plaintext has affected many bits in the ciphertext.
NO Weak Keys in AES
Observation:
• Assume that all bits in the cipher key are 0s.
• The words in the pre-round and the first round are all the same.
• In the second round, the first word matches the third; the second word matches the fourth.
• However, after the second round the pattern disappears; every word is different.
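The AES-128 key expansion described above (Rcon by doubling in GF(2^8), RotWord/SubWord, 44 words), as an added Python example that is not code from the slides; it reproduces the all-zero-key observation (round 1 words all equal, a pairwise pattern in round 2, all different from round 3 on) and counts per-round bit differences for two cipher keys that differ in one bit. The S-box is the standard AES table (FIPS 197); the one-bit-different key used for the comparison is a constructed sample.

```python
# Added example: AES-128 key expansion and the two observations on the slides.
# Standard AES S-box, 16 bytes per row (row = high nibble, column = low nibble).
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16")

def xtime(b):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def rcon(j):
    """RC[1] = 1, RC[j] = 2 * RC[j-1] in GF(2^8); Rcon[j] = (RC[j], 0, 0, 0)."""
    rc = 1
    for _ in range(j - 1):
        rc = xtime(rc)
    return bytes([rc, 0, 0, 0])

def sub_word(w):
    return bytes(SBOX[b] for b in w)

def rot_word(w):
    return w[1:] + w[:1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def expand_key_128(key):
    """Return the 44 words w0..w43 (11 round keys of 4 words) for AES-128."""
    assert len(key) == 16
    w = [key[4 * i:4 * i + 4] for i in range(4)]       # pre-round key
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                                  # first word of a round key
            temp = xor(sub_word(rot_word(temp)), rcon(i // 4))
        w.append(xor(w[i - 4], temp))
    return w

def round_key(words, r):
    """Round key r (0 = pre-round) as its four words."""
    return words[4 * r:4 * r + 4]

def distinct_words(words, r):
    """How many distinct words round key r has (4 means all different)."""
    return len(set(round_key(words, r)))

def round_key_bit_differences(key1, key2):
    """Per-round count of differing bits between the expansions of two keys."""
    w1, w2 = expand_key_128(key1), expand_key_128(key2)
    diffs = []
    for r in range(11):
        a = b"".join(round_key(w1, r))
        b = b"".join(round_key(w2, r))
        diffs.append(sum(bin(x ^ y).count("1") for x, y in zip(a, b)))
    return diffs
```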
Security
AES was designed after DES. Most of the known attacks on DES were already tested on AES.
Brute-Force Attack
Statistical Attacks
Numerous tests have failed to do statistical analysis of the ciphertext.
Differential and Linear Attacks
There are no differential and linear attacks on AES as yet.
Implementation
• AES can be implemented in software, hardware, and firmware.
• The implementation can use a table-lookup process or routines that use a well-defined algebraic structure.
Simplicity and Cost
The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
Assignment
• Write a short note on the Blowfish cipher.
Mathematics of Cryptography-III
Prime Numbers and Related Algorithms
Dr. Bimal Kumar Meher
Dept. of CSE
Silicon Institute of Technology
Objectives
❏ Prime numbers and their applications in cryptography.
❏ Primality test algorithms and their efficiencies.
❏ Factorization algorithms and applications in cryptography.
❏ Chinese remainder theorem and its application.
❏ Quadratic congruence.
❏ Modular exponentiation and logarithm.
1 Definition
2 Checking for Primeness
3 Euler’s Phi-Function
4 Fermat’s Little Theorem
5 Euler’s Theorem
6 Generating Primes
Prime Numbers
Example 1
What is the smallest prime?
Solution
The smallest prime is 2, which is divisible by 2 (itself) and 1.
Example 2
List the primes smaller than 10.
Solution
• There are four primes less than 10: 2, 3, 5, and 7.
• It is interesting to note that the percentage of primes in the range 1 to 10 is 40%.
• The percentage decreases as the range increases.
Cardinality of Primes
Note
There is an infinite number of primes.
Number of Primes
Checking for Primeness
Given a number n, how can we determine if n is a prime?
We need to see if the number is divisible by any of the primes less than or equal to √n.
Note: Although this method is inefficient, it is a good start.
Sieve of Eratosthenes (to find all primes < n)
• Write down the integers sequentially from 2 to n: (2, 3, 4, …, n).
• Now, start from 2, the first prime number.
• Cross out all numbers which are divisible by 2 (every second number).
• Then find the smallest remaining number > 2.
• It is 3. So, cross out all numbers which are divisible by 3 (every third number).
• Continue until you have crossed out all numbers divisible by the primes up to √n.
• The numbers remaining are prime.
Euler’s Phi-Function
• Denoted as φ(n), also called Euler’s totient function, it plays a very important role in cryptography.
• It finds the number of integers that are smaller than n and relatively prime to n.
Euler’s Phi-Function (Contd…)
We can combine the above four rules to find the value of φ(n).
For example, if n can be factored as
  n = p1^e1 × p2^e2 × … × pk^ek
then we combine the third and the fourth rule to find
  φ(n) = (p1^e1 − p1^(e1−1)) × (p2^e2 − p2^(e2−1)) × … × (pk^ek − pk^(ek−1))
Note
The difficulty of finding φ(n) depends on the difficulty of finding the factorization of n.
Euler’s Phi-Function (Contd…)
Example 1
What is the value of φ(13)?
Solution
Because 13 is a prime, φ(13) = (13 − 1) = 12.
Example 2
What is the value of φ(10)?
Solution
We can use the third rule: φ(10) = φ(2) × φ(5) = 1 × 4 = 4, because 2 and 5 are primes.
Euler’s Phi-Function (Contd…)
Example 3
What is the value of φ(240)?
Solution
We can write 240 = 2^4 × 3^1 × 5^1. Then
φ(240) = (2^4 − 2^3) × (3^1 − 3^0) × (5^1 − 5^0) = 64
Example 4
Can we say that φ(49) = φ(7) × φ(7) = 6 × 6 = 36?
Solution
No. The third rule applies when m and n are relatively prime. Here 49 = 7^2. We need to use the fourth rule: φ(49) = 7^2 − 7^1 = 42.
Euler’s Phi-Function (Contd…)
Example 5
What is the number of elements in Z14*?
Solution
The answer is φ(14) = φ(7) × φ(2) = 6 × 1 = 6. The members are 1, 3, 5, 9, 11, and 13.
Note
Interesting point: If n > 2, the value of φ(n) is even.
Fermat’s Little Theorem
First Version: If p is prime and a is an integer such that p doesn’t divide a, then
  a^(p − 1) ≡ 1 mod p
Second Version: If p is a prime and a is an integer, then
  a^p ≡ a mod p
Application: It is useful for quickly finding a solution to some exponentiations.
Fermat’s Little Theorem (Contd…)
Example 1
Find the result of 6^10 mod 11.
We have 6^10 mod 11 = 1. This is the first version of Fermat’s little theorem where p = 11.
Example 2
Find the result of 3^12 mod 11.
Here the exponent (12) and the modulus (11) are not the same. With substitution this can be solved using Fermat’s little theorem.
Fermat’s Little Theorem (Contd…)
It can also help us to find multiplicative inverses:
  a^−1 mod p = a^(p − 2) mod p
Note
• Multiplicative inverses modulo a prime can be found without using the Extended Euclidean Algorithm (EEA).
Euler’s Theorem
It is a generalization of Fermat’s Little Theorem.
First Version: If a and n are coprime, then
  a^φ(n) ≡ 1 (mod n)
Second Version: If n = p × q, a < n, and k is an integer, then
  a^(k × φ(n) + 1) ≡ a (mod n)
Note
The second version of Euler’s theorem is used in the RSA cryptosystem.
Euler’s Theorem (Contd…)
Example 1
Find the result of 6^24 mod 35.
Solution
We have 6^24 mod 35 = 6^φ(35) mod 35 = 1.
Example 2
Find the result of 20^62 mod 77.
Solution
If we let k = 1 in the second version, we have
20^62 mod 77 = (20 mod 77) × (20^(φ(77) + 1) mod 77) mod 77 = (20)(20) mod 77 = 15.
Euler’s Theorem (Contd…)
To find Multiplicative Inverses
Euler’s theorem can be used to find multiplicative inverses modulo a composite, where a and n are coprime.
  a^−1 mod n = a^(φ(n) − 1) mod n
Find the inverse of the following:
a. 8^−1 mod 77
b. 7^−1 mod 15
c. 60^−1 mod 187
d. 71^−1 mod 100
Continued
• The answers to multiplicative inverses modulo a composite can be found without using the extended Euclidean algorithm if we know the factorization of the composite.
• Checking for primeness (primality testing) is a challenging task in mathematics & cryptography.
• There are two different types of algorithms:
  • Deterministic Algorithms
  • Probabilistic Algorithms
A deterministic algorithm always gives a correct answer, but a probabilistic algorithm gives an answer that is correct most of the time, BUT NOT ALL THE TIME.
Although a deterministic algorithm is ideal, it is normally less efficient than the corresponding probabilistic one.
Deterministic Algorithms
Divisibility Algorithm
The bit-operation complexity of the divisibility test is exponential.
Continued
Example
Assume n has 200 bits. What is the number of bit operations needed to run the divisibility-test algorithm on a computer capable of doing 2^30 bit operations per second?
Solution
The bit-operation complexity of this algorithm is 2^(n_b / 2). This means that the algorithm needs 2^100 bit operations. On a computer capable of doing 2^30 bit operations per second, the algorithm needs 2^70 seconds to do the testing (forever).
Continued

AKS Algorithm (2002): It uses the fact that:

(x − a)^p ≡ (x^p − a) (mod p)

Complexity:
Example
Assume n has 200 bits. What is the number of bit operations
needed to run the AKS algorithm on a computer capable of doing
1 billion bit operations per second?

Solution
This algorithm needs only (log2 200)^12 = 39,547,615,483 bit
operations. On a computer capable of doing 1 billion bit
operations per second, the algorithm needs only 40 seconds.
The AKS Team
Padmashree (in 2013) Dr. Manindra Agrawal, Professor, Dept. of CSE, IIT Kanpur
The Clay Research Award, 2002.
Dr Meghnad Saha Award in Mathematical Sciences, 2003.
ICTP Prize, 2003.
Shanti Swarup Bhatnagar Award in Mathematical Sciences, 2003.
Distinguished Alumnus Award by IIT, Kanpur, 2003.
Gödel Prize, for the paper "PRIMES is in P", 2006
Fulkerson Prize for the paper "PRIMES is in P", 2006
Infosys Mathematics Prize, 2008.
G D Birla Award for Scientific Research, 2009.

Dr. Neeraj Kayal, Scientist, Microsoft Research India, Bangalore
Distinguished Alumnus award by IIT, Kanpur, 2003.
Gödel Prize, for the paper "PRIMES is in P", 2006
Fulkerson Prize for the paper "PRIMES is in P", 2006

Dr. Nitin Saxena, Associate Professor, Dept. of CSE, IIT Kanpur
Distinguished Alumnus award by IIT, Kanpur, 2003.
Gödel Prize, for the paper "PRIMES is in P", 2006
Fulkerson Prize for the paper "PRIMES is in P", 2006
Fermat Primality Test
• Input: An odd integer n ≥ 3 and security parameter t ≥ 1.
• Output: Either n is composite, or probably prime.
• For i from 1 to t {
Choose a random integer a, 2 ≤ a ≤ n − 2
Compute r = a^(n−1) mod n
If r ≠ 1 then return(“composite”) }
Return(“probably prime”).
• Note: This algorithm ensures that, if (r ≠ 1) then n is
surely composite, but there is no certainty that n is
prime if (r = 1).
• It claims that this error occurs only when n is a base-a
pseudoprime for all a ∈ Zn*.
Fermat Test(Contd…)
• These types of numbers are called Carmichael numbers,
which are extremely rare (255 numbers in the range
from 3 to 10^8).
• The first three numbers are 561, 1105, and 1729.
Example
Does the number 561 pass the Fermat test?
Solution
Using base a = 2, we find r = 2^560 mod 561 = 1.

The number passes the Fermat test, but it is not a
prime, because 561 = 33 × 17.
Miller-Rabin Primality Test
It is based on the following fact:
Let n be an odd prime (n > 2).
It follows that n − 1 is even and we can write it as 2^s · r, where s
and r are positive integers and r is odd.
Fact: For each a ∈ Zn*, either
a^r ≡ 1 (mod n), or a^(2^d · r) ≡ −1 (mod n) for some 0 ≤ d ≤ s − 1.
Proof: By Fermat’s theorem a^(n−1) ≡ 1 (mod n), so if we take square roots of a^(n−1) repeatedly, we
will get either 1 or −1 (the only square roots of 1 modulo a prime).
If we get −1 then the second equality holds.
If we don’t get −1, then we have exhausted all powers of 2 (i.e.
2^d), and we are left with only r, i.e. the first equality.
Miller-Rabin Primality Test (contd…)

The Miller–Rabin primality test is based on


the opposite of the above Fact.

That is, if we can find an a such that a r  1mod n and


a 2 r  1mod n , then n is not prime.
d

We call a as a witness for the compositeness of n.


Otherwise a is called a strong liar, and n is a strong
probable prime to base a.
Miller-Rabin Primality Test (contd…)
Example: Let us find out if n = 221 is prime or not.
We write n − 1 = 220 as 2^2 · 55, so that we have s = 2 and r = 55.
We randomly select a number a such that 1 < a < n − 1,
say a = 174.
Now compute:
a^(2^0 · r) mod n = 174^55 mod 221 = 47 ≠ 1, n − 1
a^(2^1 · r) mod n = 174^110 mod 221 = 220 = n − 1.
Since 220 ≡ −1 (mod n), either 221 is prime, or 174 is a strong liar
for 221.
Let us try another random value of a, say a = 137:
a^(2^0 · r) mod n = 137^55 mod 221 = 188 ≠ 1, n − 1
a^(2^1 · r) mod n = 137^110 mod 221 = 205 ≠ n − 1.
So, 221 is composite, as 221 = 13 × 17.
We can say 137 is a witness for the compositeness of
221, and 174 was in fact a strong liar.
Miller-Rabin Primality Test Algorithm
INPUT: an odd integer n ≥ 3 and security parameter t ≥ 1.
1. Write n − 1 = 2^s · r such that r is odd.
2. For i from 1 to t do the following:
Choose a random integer a, 2 ≤ a ≤ n − 2
Compute y = a^r mod n
If y ≠ 1 and y ≠ n − 1 then do the following:
j ← 1.
While j ≤ s − 1 and y ≠ n − 1 do the following:
Compute y ← y^2 mod n.
If y = 1 then return(“composite”)
j ← j + 1.
If y ≠ n − 1 then return(“composite”)
3. Return(“prime”)
Assignment

• By using the Miller-Rabin primality test
algorithm, show that 561 is not a prime
number.
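The Fermat test, the Miller-Rabin algorithm above and the witness / strong-liar distinction, as an added Python example (not the slides' own code). Bases can be passed explicitly so that the runs on 221 and 561 are reproducible; when none are given the bases are drawn at random as in the algorithm.

```python
# Added example (not from the slides): Fermat test and Miller-Rabin test.
# is_witness() is the inner loop of the Miller-Rabin algorithm for one base a.
import random


def fermat_passes(n, a):
    """True when a^(n-1) ≡ 1 (mod n): n is a (Fermat) probable prime to base a."""
    return pow(a, n - 1, n) == 1


def decompose(n):
    """Write n - 1 = 2^s * r with r odd; returns (s, r)."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    return s, r


def is_witness(n, a):
    """True when a proves n composite: a^r ≢ 1 and no a^(2^d r) ≡ -1 for 0 <= d < s.
    Reaching 1 from a value other than ±1 is a non-trivial square root of 1,
    which cannot exist modulo a prime, so that also proves compositeness."""
    s, r = decompose(n)
    y = pow(a, r, n)
    if y in (1, n - 1):
        return False                # a is a strong liar (or n is prime)
    for _ in range(s - 1):
        y = y * y % n
        if y == n - 1:
            return False
        if y == 1:
            return True
    return True


def miller_rabin(n, bases=None, t=10):
    """'composite' or 'probably prime'; random bases when none are supplied."""
    if n in (2, 3):
        return 'probably prime'
    if n < 2 or n % 2 == 0:
        return 'composite'
    if bases is None:
        bases = [random.randint(2, n - 2) for _ in range(t)]
    return 'composite' if any(is_witness(n, a) for a in bases) else 'probably prime'
```

For the Carmichael number 561, `fermat_passes(561, 2)` is true while `is_witness(561, 2)` is also true: the square-root chain 2^35, 2^70, 2^140, 2^280 mod 561 runs 263, 166, 67, 1 and hits 1 without passing through −1, which is the assignment's result.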
Integer Factorization
• It is also a challenging area, like primality testing.
• It plays a very important role in the security of
several public-key cryptosystems.
Basic Concept: Any positive integer n greater than 1
can be written uniquely as a product of prime powers:

where p1, p2, …, pk are primes and e1, e2, …, ek are
positive integers.
Fundamental Theorem of Arithmetic

Note: Factorization is an essential requirement for GCD & LCM

Greatest Common Divisor

Least Common Multiple


Integer Factorization Algorithms
• Fact: No efficient algorithm (so far) for
factoring a large composite number.
• Let us assume that n = p × q is the number to
be factorized and p ≠ q.
• Our goal is to find one of the factors p or q.
• This is the basis of some modern
cryptosystem designs.
Trial Division
Pollard rho Factorization-Approach
• Suppose we pick a number uniformly at random
from 1 to 1000.
• What is the probability to get a number, say 42?
• 1/1000.
• Can we have a better approach?
• If we pick two random numbers i, j from 1 to
1000, what are the chances that i − j = 42?
• There are roughly 958 × 2 possible values of
i, j that ensure that i − j = 42 (counting both orders).
• So, the probability is (958 × 2) / (1000 × 1000) ≈ 1/500.
Pollard rho Factorization
• Pick k numbers x1 to xk uniformly at random
between 2 and n − 1.
• Check if GCD(|xi − xj|, n) > 1.
• If yes, then GCD(|xi − xj|, n) is a factor of n
(either p or q).
• It uses a function f(x) = x^2 + a mod n that will
generate pseudo-random numbers, where a
can be generated by using a random number
generator.
Pollard rho Factorization (contd…)
• It starts with x1 = 2 or some other number. Then
find out x2 = f(x1), x3 = f(x2), ... .
• So, the general rule is x(t+1) = f(xt).
• Let us take n = 55 and f(x) = x^2 + 2 mod 55.
xt    xt+1    GCD(|xt − xt+1|, n)
2     6       1
6     38      1
38    16      11
• Although this works, in some cases it fails as it
goes into an infinite loop because the function f cycles,
hence we never find a factor of n.
Example: Cycle detection
• Let us take a set S = {0,1,2,3,4,5,6,7,8}.
• Take a function f that maps the set S to itself:
x    f(x)
0    6
1    6
2    0
3    1
4    4
5    3
6    3
7    4
8    0
• If one starts from x0 = 2 and repeatedly
applies f(x), one sees the sequence of values
2, 0, 6, 3, 1, 6, 3, 1, 6, 3, 1, ....
• So, here the repeating subsequence of values
6, 3, 1 shows a cycle.
• But to know about the cycle, we have to
remember a large number of values when n is
very large.
• So, Pollard rho uses Floyd’s cycle detection
algorithm.
Cycle in Pollard rho Factorization
Floyd’s Cycle Detection in Pollard rho
• Here the idea is as follows:
• Let us have two runners A and B with B running twice as
fast as A.
• They start off at the same position and when B overtakes
A, we say that B has cycled around at least once.
• In the algorithm, A is taken as x and B is taken as y.
• Then f is applied one time on x and two times on y.
• Then the GCD is computed.
• If GCD = n, a cycle is detected and the algorithm fails.
• In such a case, we simply find a new function f(x) or start
from a new random seed for a.
Pollard rho Factorization Algorithm

Example: Pollard rho factorization
Let n = 8051 and f(x) = (x^2 + 1) mod 8051.
i    xi     yi      GCD(|xi − yi|, 8051)
1    5      26      1
2    26     7474    1
3    677    871     97
Complexity: Pollard rho has a running time of O(n^(1/4)),
which is exponential in the bit length of n.
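Pollard rho with Floyd's two-runner cycle detection, as an added Python example (not the slides' own code). It reproduces the table for n = 8051 and also shows the failure case the slides describe: with n = 55, f(x) = x^2 + 2 and seed 2 the two runners meet (GCD = n), and the retry with a different constant succeeds.

```python
# Added example (not from the slides): Pollard rho factorisation with
# Floyd's cycle detection; x advances one f-step per iteration, y two.
from math import gcd


def pollard_rho(n, c=1, seed=2, max_iter=100_000):
    """Returns (factor, trace). factor is None when the runners collide
    (gcd == n, the cycle closed without revealing a factor) or on timeout.
    trace holds (x_i, y_i, gcd) rows, like the table on the slides."""
    f = lambda v: (v * v + c) % n
    x = y = seed
    trace = []
    for _ in range(max_iter):
        x = f(x)            # runner A: one step
        y = f(f(y))         # runner B: two steps
        d = gcd(abs(x - y), n)
        trace.append((x, y, d))
        if d == n:
            return None, trace
        if d > 1:
            return d, trace
    return None, trace


def factor_with_retries(n, constants=(1, 2, 3), seeds=(2, 3, 5)):
    """On failure pick a new f (new constant c) or a new seed, as the slides suggest."""
    for c in constants:
        for s in seeds:
            d, _ = pollard_rho(n, c, s)
            if d:
                return d
    return None
```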
Continued
Example

Assume that there is a computer that can perform 2^30
(almost 1 billion) bit operations per second. What is the
approximate time required to factor an integer of size
a. 60 decimal digits? b. 100 decimal digits?
Solution
a. A number of 60 decimal digits has almost 200 bits.
The complexity is then 2^(nb/4) or 2^50. With 2^30 operations
per second, the algorithm can be computed in 2^20
seconds, or almost 12 days.
b. A number of 100 decimal digits has almost 300 bits.
The complexity is 2^75. With 2^30 operations per second,
the algorithm can be computed in 2^45 seconds (many years
CHINESE REMAINDER THEOREM

• If the integers m1, m2, . . . , mk are pairwise
coprime, and a1, a2, …, ak are integers s.t. 0 ≤ ai < mi,
then there is only one x (0 ≤ x < M) for which the
system of congruence equations x ≡ ai (mod mi) holds. That means
we have a unique solution modulo M = m1 × m2 × ... × mk.
Solution
• Compute M = m1 × m2 × ... × mk
• For each i = 1, 2, 3, ... , k compute yi = M / mi
• For each i = 1, 2, 3, ... , k compute zi ≡ yi^−1 (mod mi)
• Finally the integer x = Σ(i=1..k) ai yi zi (mod M) is the solution to
the equations.

• How to justify that the above value of x is in
fact the solution?
Proof
• For each i = 1, 2, 3, ... , k we have,
x (mod mi) ≡ (a1y1z1 + a2y2z2 + ... + akykzk) (mod mi)
≡ aiyizi (mod mi) (since yj ≡ 0 mod mi for each j ≠ i)
≡ ai (mod mi) (since yizi ≡ 1 mod mi)
Example 1

Find the solution to the simultaneous equations:

Solution
We follow the four steps.

1. M = 3 × 5 × 7 = 105

2. y1 = 105 / 3 = 35, y2 = 105 / 5 = 21, y3 = 105 / 7 = 15

3. The inverses are z1 = y1^−1 mod 3 = 2, z2 = y2^−1 mod 5 = 1, z3 = y3^−1 mod 7 = 1

4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23
Example 2

Find an integer that has a remainder of 3 when divided
by 7 and 13, but is divisible by 12.
Solution
This is a CRT problem. We can form three equations and
solve them to find the value of x.

If we follow the four steps, we find x = 276. We can check
that 276 ≡ 3 (mod 7), 276 ≡ 3 (mod 13) and 276 is divisible by
12 (the quotient is 23 and the remainder is zero).
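The four-step CRT procedure as an added Python example (not the slides' own code), run on both examples above. Example 1's system is x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7), which is what step 4 of the slides multiplies out; Example 2 is x ≡ 3 (mod 7), x ≡ 3 (mod 13), x ≡ 0 (mod 12). The pairwise-coprime check is the precondition the theorem needs.

```python
# Added example (not from the slides): Chinese Remainder Theorem solver
# following the four steps (M, y_i, z_i, x = sum a_i y_i z_i mod M).
from math import gcd, prod


def crt(congruences):
    """congruences: list of (a_i, m_i) meaning x ≡ a_i (mod m_i).
    Returns (x, M) with 0 <= x < M = product of the moduli."""
    moduli = [m for _, m in congruences]
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    M = prod(moduli)                      # step 1
    x = 0
    for a, m in congruences:
        y = M // m                        # step 2: y_i = M / m_i
        z = pow(y, -1, m)                 # step 3: z_i = y_i^-1 mod m_i
        x += a * y * z                    # step 4: accumulate a_i y_i z_i
    return x % M, M


def satisfies(x, congruences):
    """Direct check of the proof's claim: x ≡ a_i (mod m_i) for every i."""
    return all(x % m == a % m for a, m in congruences)
```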
Discrete Logarithm
Properties of a finite Group G = <Zp*, ×>:

1. Its elements include all integers from 1 to p − 1.

2. It is a cyclic group.

3. The elements can be created using g^x, where g is a
generator of the group and x is an integer from 1
to φ(p) = p − 1.

4. It always has primitive roots (generators), which can
be taken as the base of the logarithm.
Definition of Discrete Logarithm

• For any elements x and y in the group G, we
can find y = g^x (mod n).
• But finding x is a logarithmic relation
x = logg y, which is called the discrete logarithm.
• g is called the primitive root or base of
the logarithm.
• We will denote it by Lg.
Definition of Discrete Logarithm

Solving for x in G = <Z7*, ×> using Discrete
Logarithms (Table 1).

Note:
But, when p is large, it is difficult to find the
values of x by using such a table.
Discrete Logarithm
Example
Find x in each of the following cases:
a. 4 ≡ 3^x (mod 7)
b. 6 ≡ 5^x (mod 7)

Solution
We can easily find the discrete logarithms by
referring to Table 1.
a. 4 ≡ 3^x mod 7 → x = L3 4 mod 7 = 4 mod 7
b. 6 ≡ 5^x mod 7 → x = L5 6 mod 7 = 3 mod 7
Algorithms for Discrete Logarithm

• Baby-step giant-step
• Index Calculus
• Pohlig-Hellman algorithm
• Pollard rho algorithm for logarithms

Note: But none of them run in polynomial time.
That is the basis of some modern cryptosystems
like ElGamal, Diffie-Hellman and others.
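The table-lookup approach of Table 1 next to the first algorithm in the list, baby-step giant-step, as an added Python example (not the slides' own code). The table is only feasible for tiny p; baby-step giant-step needs about sqrt(p) time and memory, which is still exponential in the bit length of p, the point the note makes.

```python
# Added example (not from the slides): discrete logarithms in Z_p* by
# exhaustive table (as in Table 1) and by baby-step giant-step.
from math import isqrt


def dlog_table(g, p):
    """Map g^x mod p -> x for x = 1..p-1 (Table 1 on the slides, for base g)."""
    return {pow(g, x, p): x for x in range(1, p)}


def bsgs(g, y, p):
    """Smallest x >= 0 with g^x ≡ y (mod p), or None if y is not a power of g.
    Baby steps store g^j for j < m; giant steps walk y * g^(-im)."""
    m = isqrt(p - 1) + 1
    baby = {}
    e = 1
    for j in range(m):
        baby.setdefault(e, j)          # keep the smallest exponent for each value
        e = e * g % p
    step = pow(g, -m, p)               # g^(-m) mod p
    gamma = y % p
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None
```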
Additional Tutorials

Primitive Roots: In the group G = <Zn*, ×>, when the
order of an element is the same as φ(n), that element is
called a primitive root of the group.
How to know instantly without finding φ(n)?
The group G = <Zn*, ×> has primitive roots only if
n is 2, 4, p^t, or 2p^t, where p is an odd prime and t is an integer.

How to know how many primitive roots are in G?

If the group G = <Zn*, ×> has any primitive root, the
number of primitive roots is φ(φ(n)).
Example

For which values of n (= 17, 20, 38, and 50) does the group
G = <Zn*, ×> have primitive roots?

Solution
a. G = <Z17*, ×> has primitive roots, 17 is a prime.
b. G = <Z20*, ×> has no primitive roots (20 = 4 × 5 is not of the required form).
c. G = <Z38*, ×> has primitive roots, 38 = 2 × 19 and
19 is prime.
d. G = <Z50*, ×> has primitive roots, 50 = 2 × 5^2 and 5
is a prime.
Continued

Cyclic Group: If g is a primitive root in the group, we
can generate the set Zn* as Zn* = {g^1, g^2, g^3, …, g^φ(n)}.
Find out the primitive roots of the group G = <Z10*, ×>.
The group G = <Z10*, ×> has two primitive roots
because φ(φ(10)) = 2.
The primitive roots are 3 and 7 (find out how).
The following shows how to get Z10* using the primitive roots.
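The three tutorial questions above (does Zn* have primitive roots, how many, and which ones) as an added Python example (not the slides' own code). `has_primitive_roots` applies the n = 2, 4, p^t, 2p^t criterion without computing φ(n); `primitive_roots` finds them by computing element orders, which is the "find out how" left to the reader. The totient is computed by counting, which is fine for these small n.

```python
# Added example (not from the slides): primitive roots of Z_n* and the
# cyclic generation Z_n* = {g^1, ..., g^phi(n)}.
from math import gcd


def phi(n):
    """Euler's totient by counting (adequate for tutorial-sized n)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def has_primitive_roots(n):
    """Z_n* is cyclic exactly when n is 2, 4, p^t or 2p^t for an odd prime p."""
    if n in (2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n       # strip one factor 2 (the 2p^t case)
    if m < 3 or m % 2 == 0:
        return False
    p = 2
    while p * p <= m and m % p:
        p += 1
    if p * p > m:
        p = m                             # m itself is prime
    while m % p == 0:
        m //= p
    return m == 1                         # m was a pure power of one odd prime


def order(a, n):
    """Multiplicative order of a in Z_n*; requires gcd(a, n) == 1."""
    k, v = 1, a % n
    while v != 1:
        v = v * a % n
        k += 1
    return k


def primitive_roots(n):
    """Elements whose order equals phi(n); empty when the group is not cyclic."""
    target = phi(n)
    return [a for a in range(1, n) if gcd(a, n) == 1 and order(a, n) == target]


def generate(g, n):
    """The list g^1, g^2, ..., g^phi(n) mod n; equals Z_n* when g is a primitive root."""
    return [pow(g, k, n) for k in range(1, phi(n) + 1)]
```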
Continued

Using Properties of Discrete Logarithms

Using Algorithms Based on Discrete

Note
The discrete logarithm problem has the same
complexity as the factorization problem.
Asymmetric-Key
Cryptography

Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE
BKM/SIT
• What are the drawbacks of symmetric key
ciphers?
• The number of keys increases as the number of users increases.
• The difficulty of securely establishing a secret
key.
• Key management becomes more complex.
• In an asymmetric key cipher, two mathematically
interrelated keys are used:
• One is called the public key and
• the other one is called the private key.
ACM Turing Award Winner-2015

Whitfield Diffie and Martin Hellman,
authors of the first published paper
“New Directions in Cryptography” in 1976, laid the
foundation of a new technique called
public-key cryptography and digital signature.
Encryption & Decryption
• Assume that Alice (A) is sender & Bob (B) is receiver.
• So, Bob should have two keys (Kpublic and Kprivate).
• Alice encrypts with Bob’s public key; Bob decrypts with his private key:
C = f(Kpublic, P)        P = g(Kprivate, C)
Trapdoor One-Way Function

• The main idea behind asymmetric-key
cryptography is the concept of the trapdoor one-
way function.

A function is a rule mapping a domain to a range.

One-Way Function (OWF)

• Given x, it is easy to compute y = f(x).
• But given y, finding x (i.e. computing f^−1) is difficult.

Example

• When n is large, n = p × q is a one-way function.
• Given p and q, it is always easy to calculate n;
• But given n, it is very difficult to compute p and q.
• This is the factorization problem, which is a hard
problem in mathematics.

Trapdoor One-Way Function (TOWF)

• Given y and a trapdoor, x can be computed easily.

Example

• When n is large, the function y = x^k mod n is a trapdoor
one-way function.
• Given x, k, and n, it is easy to calculate y.
• Given y, k, and n, it is very difficult to calculate x.
• However, if we know the trapdoor k′ such that
k × k′ ≡ 1 (mod φ(n)), we can use x = y^k′ mod n to find x.
RSA
• A well-known public-key algorithm developed in
1977.
• Invented by Rivest, Shamir, and Adleman at MIT.
• It is based on the Factorization Problem.
ACM Turing Award Winner-2002

Ron Rivest, Adi Shamir, Leonard Adleman,
Presently at MIT, Presently at WIS, Presently at USC

Two Algebraic Structures

• Let us assume:
Public key: (e, n)
Private key: (d)

• Key-Generation Group: G = <Zφ(n)*, ×>

• Encryption/Decryption Ring: R = <Zn, +, ×>

RSA Key Generation Algorithm

RSA Encryption & Decryption

Proof of RSA

• Let us prove that what Bob gets after decryption
is the plaintext (P) sent by Alice.
• Let us assume that Bob gets P1 after decryption.
• Hence, we need to prove that P1 = P.
Encryption, decryption, and key generation in RSA

Some Trivial Examples
Example

• Bob chooses p = 7 and q = 11 and calculates n = 77.
• So, the value of φ(n) = (7 − 1)(11 − 1) or 60.
• Now he chooses two exponents, e and d, from Z60*.
• If he chooses e to be 13, then d will be 37, because
e × d mod 60 = 1 (they are inverses of each other).
• Let Alice want to send the plaintext 5 to Bob. She uses
the public exponent 13 to encrypt 5: C = 5^13 mod 77 = 26.
• Bob receives the ciphertext 26 and uses the private key
37 to decipher the ciphertext: P = 26^37 mod 77 = 5.
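The key generation, encryption and decryption of the trivial example, plus the 00−26 text encoding used in the later realistic example, as an added Python example (not the slides' own code). The 512-bit primes and the 309-digit modulus of the realistic example are not reproduced here; the classroom primes p = 7, q = 11 are used, and the coprimality test on e is the one the slides describe. The built-in `pow(e, -1, phi)` plays the role of the extended Euclidean algorithm.

```python
# Added example (not from the slides): textbook RSA with the slides' toy
# parameters and the 00-26 letter encoding (A=00 ... Z=25, space=26).
from math import gcd


def rsa_keygen(p, q, e):
    """Public key (e, n), private key (d, n); e must be a unit in Z_phi(n)*."""
    n = p * q
    phi_n = (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi_n)                 # e * d ≡ 1 (mod phi(n))
    return (e, n), (d, n)


def rsa_encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in Z_n")
    return pow(m, e, n)                   # C = P^e mod n


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)                   # P = C^d mod n


def encode_00_26(text):
    """'THIS IS A TEST' -> integer built from two-digit codes (space = 26)."""
    codes = [26 if ch == ' ' else ord(ch) - ord('A') for ch in text.upper()]
    if any(not 0 <= c <= 26 for c in codes):
        raise ValueError("only A-Z and space are encodable")
    return int(''.join(f"{c:02d}" for c in codes))


def decode_00_26(number, length):
    """Inverse of encode_00_26; length restores any leading '00' (the letter A)."""
    digits = f"{number:0{2 * length}d}"
    return ''.join(' ' if int(digits[i:i + 2]) == 26 else chr(ord('A') + int(digits[i:i + 2]))
                   for i in range(0, len(digits), 2))
```

With n = 77 a message must be below 77, so the encoded "THIS IS A TEST" only fits under a modulus of the size used in the realistic example; the encoding functions are included to show exactly what number Alice raises to the power e there.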

Quiz:

Let the RSA modulus n be 77. If the
encryption key is 7, the decryption key
is

(a) 51 (b) 29
(c) 43 (d) 58
A More Realistic Example

• We choose a 512-bit p and q.
• Calculate n and φ(n), then choose e and test for relative
primeness with φ(n).
• Then calculate d. Finally, we show the results of
encryption and decryption. The integer p is a 159-digit
number.

Continued

The modulus n = p × q. It has 309 digits.

φ(n) = (p − 1)(q − 1) has 309 digits.

Continued

Let Bob choose e = 35535 and test it to make sure it is
relatively prime with φ(n). He then finds the inverse of e
modulo φ(n) and calls it d.

Continued

Alice wants to send the message “THIS IS A TEST”, which
can be changed to a numeric value using the 00−26
encoding scheme (26 is the space character).

The ciphertext calculated by Alice is C = P^e mod n, which is

Continued

Bob can recover the plaintext from the ciphertext using P =
C^d mod n, which is

The recovered plaintext is “THIS IS A TEST” after
decoding.

Complexity of RSA
Attacks on RSA
• Factorization Attack
• Chosen-Ciphertext Attack
• Attacks on the encryption exponent
• Attacks on the decryption exponent
• Plaintext Attack
• Attacks on the modulus
To be secure from the factorization attack, RSA
presently requires that n should be more than 300
decimal digits, which means that the modulus must
be at least 1024 bits.
ElGamal Cryptosystem
• Invented by Taher ElGamal in 1985.
• It is an asymmetric public-key cryptosystem
based on the discrete logarithm problem.
• The bit-operation complexity of encryption or
decryption is polynomial, like RSA.

Taher ElGamal,
CTO, Security, salesforce.com

Key Generation Algorithm

ElGamal Encryption & Decryption Algorithm

Procedure
A Trivial Example
• Bob chooses p = 11, e1 = 2 and d = 3. e2 = e1^d mod p = 8.
• So the public key is (2, 8, 11) and the private key is 3.
• Let Alice choose r = 4 and calculate C1 and C2 for the
plaintext 7.

• Bob receives the ciphertext (5, 6) and calculates the
plaintext.
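The trivial example worked through as an added Python example (not the slides' own code), using the slides' notation: public key (e1, e2, p) with e2 = e1^d mod p, ciphertext C1 = e1^r mod p, C2 = P × e2^r mod p, and recovery P = C2 × (C1^d)^−1 mod p. When no r is supplied the code draws a fresh one with `secrets`, which is the countermeasure the next slide's note requires against the known-plaintext attack.

```python
# Added example (not from the slides): ElGamal key generation, encryption
# and decryption with the toy parameters p = 11, e1 = 2, d = 3.
import secrets


def elgamal_keygen(p, e1, d):
    """Public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    e2 = pow(e1, d, p)
    return (e1, e2, p), d


def elgamal_encrypt(m, pub, r=None):
    """(C1, C2) = (e1^r mod p, m * e2^r mod p). r must be new for each message."""
    e1, e2, p = pub
    if not 0 <= m < p:
        raise ValueError("plaintext must be in Z_p")
    if r is None:
        r = secrets.randbelow(p - 2) + 1      # fresh random r in [1, p-2]
    return pow(e1, r, p), m * pow(e2, r, p) % p


def elgamal_decrypt(c, d, p):
    """m = C2 * (C1^d)^-1 mod p, since C1^d = e1^(r d) = e2^r."""
    c1, c2 = c
    shared = pow(c1, d, p)
    return c2 * pow(shared, -1, p) % p
```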

Attacks on ElGamal Cryptosystem

• Low Modulus (p) attack
• Known-Plaintext attack

Note
• To prevent the low modulus attack, p must be at least 300
digits.
• To prevent the known-plaintext attack, r must be new for
each encryption.

ELLIPTIC CURVE CRYPTOSYSTEM
(ECC)
Although RSA and ElGamal are secure asymmetric-key
cryptosystems, their security comes with a price (?):
• Large key size
• Researchers have looked for alternatives that give
the same level of security with smaller key sizes.
• The Elliptic Curve Cryptosystem (ECC), invented
around 1985, is the best alternative.
• Developed independently by Victor Miller & Neal
Koblitz.
• The mathematical basis of ECC is the ECDLP (Elliptic
Curve Discrete Logarithm Problem), which has
exponential time complexity.
Key size: Equivalent strength
comparison

A comparison of public key
cryptosystems
Elliptic Curves over Real Numbers
The general equation for an elliptic curve is

Elliptic curves over real numbers use a special class of
elliptic curves of the form

It can be of two types: Non-Singular EC, if the discriminant
D = 4a^3 + 27b^2 ≠ 0; otherwise singular.
The non-singular curve will have three distinct roots, but the singular
one will not have three distinct roots.
Example: Two elliptic curves over a real field

• Both are nonsingular.
• However, the first has three real roots (x = −2, x = 0, and x = 2),
but the second has only one real root (x = 1) and two imaginary
roots.
• It has two components if D is negative (Fig. a)
• It has one component if D is positive (Fig. b)
Abelian Group: G = <E, +>
• Here the elements of the group are the points on
the elliptic curve E.
• Each point P(x, y) represents a pair of real numbers
that satisfy the given curve E.
• Operation on G: only the addition operation on
the points of the curve.
• But the addition is different from the normal addition
operation: it is to add two points on the curve to
get another point on the curve.
• R = P + Q, where P(x1, y1), Q(x2, y2) and R(x3, y3)

Addition in Elliptic Curve (three cases)

• Note that multiplying a point P on the EC by a constant k
means adding the point P to itself k times (R = kP).
• For a given value of k and P it is easy to find R. But if P
and R are given, it is hard to find k. This is called the ECDLP.
Addition in Elliptic Curve (Contd…)
(a)

(b)

(c) The intercepting point is at infinity; a point O called the
point at infinity or zero point, which is the additive identity
of the group.
Elliptic Curves over GF(p)
• Note that we have defined an elliptic curve group G and
an addition operation earlier.
• But the operation on the coordinates of the point needs
a field like GF(p) or GF(2^m).
• Hence, we will now deal with integers/polynomials and a
modulo operation to get only integer/polynomial results.

GF(p)
• We now represent the elliptic curve as Ep(a, b), where
p defines the modulus and a and b are the coefficients of
the equation y^2 = x^3 + ax + b.

Points on an Elliptic Curve over GF(p)
Example
Let the elliptic curve be E13(1, 1) and the equation be y^2 =
x^3 + x + 1, then find out the points on the curve.
Points on an Elliptic Curve over GF(p)
(Contd…)
Example
Let us add two points in the previous example. R = P + Q,
where P = (4, 2) and Q = (10, 6).
a. λ = (6 − 2) × (10 − 4)^−1 mod 13 = 4 × 6^−1 mod 13 = 5 mod 13.
b. x = (5^2 − 4 − 10) mod 13 = 11 mod 13.
c. y = [5 (4 − 11) − 2] mod 13 = 2 mod 13.
d. R = (11, 2), which is a point on the curve in the previous example.

Finding the Inverse of a point

The inverse of a point (x, y) is (x, −y), where −y is the
additive inverse of y.
Example: If p = 13, the inverse of (4, 2) is (4, 11).
Elliptic Curves over GF(2^n)

To define an elliptic curve over GF(2^n), the
equation is

where b ≠ 0 and the values of x, y, a, b are polynomials
representing n-bit words with coefficients in GF(2).

Finding the Inverse of a point

If P = (x, y), then −P = (x, x + y).

Points on an Elliptic Curve over GF(2^n)
Example

Using the elliptic curve y^2 + xy = x^3 + g^3 x^2 + 1, with
a = g^3 and b = 1, we can find the points on this curve, as
shown below.
Elements of GF(2^3) by using generator g
• Let us take the field GF(2^3) with the irreducible
polynomial f(x) = x^3 + x + 1.
• Its elements can be expressed as {0, 1, g, g^2, g^3, g^4, g^5,
g^6} by using g as a generator (root).
• We can derive these from f(x) = x^3 + x + 1 by writing
g^3 + g + 1 = 0 or g^3 = g + 1.
• Other powers of g can be calculated accordingly.
• The following shows the values of the g’s.

Adding Two Points on an Elliptic Curve
over GF(2^n)
1. If P = (x1, y1), Q = (x2, y2), Q ≠ −P, and Q ≠ P, then R =
(x3, y3) = P + Q can be found as:

2. If Q = P, then R = P + P (or R = 2P) can be found as:
Examples

Example 1

Find R = P + Q, where P = (0, 1) and Q = (g^2, 1).

We have λ = 0, hence R = (g^5, g^4).

Example 2
Find R = 2P, where P = (g^2, 1).
We have λ = g^2 + 1/g^2 = g^2 + g^5 = g + 1, hence R = (g^6, g^5).
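The GF(2^3) arithmetic of the generator table and the two point additions above, as an added Python example (not the slides' own code). Field elements are 3-bit integers with bit i holding the coefficient of x^i, so g = x = 0b010, and reduction is by f(x) = x^3 + x + 1. The addition and doubling formulas used are the standard ones for y^2 + xy = x^3 + ax^2 + b (λ = (y1 + y2)/(x1 + x2), x3 = λ^2 + λ + x1 + x2 + a, y3 = λ(x1 + x3) + x3 + y1; for doubling λ = x1 + y1/x1, x3 = λ^2 + λ + a, y3 = x1^2 + (λ + 1)x3), which reproduce the slides' results (g^5, g^4) and (g^6, g^5).

```python
# Added example (not from the slides): GF(2^3) with f(x) = x^3 + x + 1 and
# the group law of y^2 + xy = x^3 + a x^2 + b for a = g^3, b = 1.
N = 3
MODULUS = 0b1011                 # x^3 + x + 1
A, B = 0b011, 0b001              # a = g^3 = g + 1, b = 1 (b must be nonzero)


def gf_mul(u, v):
    """Polynomial product modulo x^3 + x + 1, by shift-and-add."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & (1 << N):
            u ^= MODULUS
    return r


def gf_inv(u):
    """Inverse by exhaustive search; the field has only 7 nonzero elements."""
    for v in range(1, 1 << N):
        if gf_mul(u, v) == 1:
            return v
    raise ZeroDivisionError("0 has no inverse")


def g_powers():
    """The table g^0 .. g^6 as ints (g^3 = g + 1, ..., g^7 = 1)."""
    table, e = [], 1
    for _ in range(7):
        table.append(e)
        e = gf_mul(e, 0b010)
    return table


def on_curve(P):
    x, y = P
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(A, gf_mul(x, x)) ^ B
    return lhs == rhs


def neg(P):
    x, y = P
    return (x, x ^ y)                       # -P = (x, x + y)


def add(P, Q):
    """P + Q for Q != P and Q != -P (case 1 on the slides)."""
    (x1, y1), (x2, y2) = P, Q
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def double(P):
    """2P for a point with x != 0 (case 2 on the slides)."""
    x1, y1 = P
    lam = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_mul(lam, lam) ^ lam ^ A
    y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    return (x3, y3)
```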

ECC Simulating ElGamal
ElGamal cryptosystem using the elliptic curve

ElGamal

Continued

Generating Public and Private Keys

Ep(a, b), e1(x1, y1), d, e2(x2, y2) = d × e1(x1, y1)

Encryption

Decryption

Security in ECC

• To break the cipher, Eve needs to find r or d.
• But finding r or d needs solving the ECDLP.
• The only method available to solve it is the Pollard rho
algorithm.
• But the problem is, it is quite infeasible to solve for
large values of r and p in GF(p) or m in GF(2^m).

Note
The security of ECC depends on the difficulty of
solving the elliptic curve discrete logarithm problem.
Message Integrity
and
Message Authentication

Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE

• So far we have studied how to achieve
secrecy (or confidentiality), but not integrity.
• However, there are occasions where we may
not even need secrecy but instead must have
integrity.

• By putting the fingerprint/signature of the
owner of the document at the bottom of the
document.
Message and Message Digest
• The electronic equivalent of the document is the
message.
• The electronic equivalent of the fingerprint is the
message digest.
• A hash function is used to get the message
digest from the message.
Difference

• The document and fingerprint can’t be separated
from each other.
• But the message and message digest are two
separate entities (with some mathematical/logical
connection) and can be sent separately.

Note
The message digest needs to be safe from change.

Modification Detection Code (MDC)

• A modification detection code (MDC) is a
message digest that can prove the integrity of the
message: that the message has not been changed.
• If Alice wants to send a message to Bob, she
creates a message digest, the MDC, and sends both
the message and the MDC to Bob.
• Bob can create a new MDC from the received
message and compare the received MDC and the
new MDC.
• If they are the same, the message has not been
changed.
Modification Detection Code (MDC)
Cryptographic Hash Function

• A cryptographic hash function is a deterministic
procedure that takes an arbitrary block of data
and returns a fixed-size message digest called the
(cryptographic) hash value.

• A cryptographic hash function must satisfy three
criteria:
• preimage resistance
• second preimage resistance
• collision resistance

Preimage Resistance

• Given a hash y, it should be difficult to find a message
M such that y = h(M).
• Here, M is called a preimage of y.
• Since h is a many-to-one mapping, there would be
multiple preimages.
• This concept is related to that of a one-way function.

Preimage Attack
Given: y. Find: M
such that y = h(M)

Second Preimage Resistance

• Given an input M, it should be difficult to find
another input M′, where M ≠ M′, s.t. h(M) = h(M′).
Collision Resistance

• It should be difficult to find two different messages
M and M′ s.t. h(M) = h(M′).
• Such a pair gives rise to a cryptographic hash
collision.
• In data integrity, a collision is undesirable.

Pigeonhole Principle

• If n pigeonholes are occupied by n + 1 pigeons,
then at least one pigeonhole is occupied by two
pigeons.
• The generalized version of the pigeonhole
principle is that if n pigeonholes are occupied by
kn + 1 pigeons, then at least one pigeonhole is
occupied by k + 1 pigeons.

Pigeonhole Principle (Contd…)
Example
Assume that the messages in a hash function are 6 bits
long and the digests are only 4 bits long. Find out the possible
number of digests (pigeonholes) and messages (pigeons) and
apply the pigeonhole principle.
• The possible number of digests (pigeonholes) is 2^4 = 16,
• and the possible number of messages (pigeons) is 2^6 =
64.
• This means n = 16 and kn + 1 = 64, so k is larger than
3.
• The conclusion is that at least one digest corresponds
to five (= k + 1) messages.
RANDOM ORACLE MODEL
• It is an ideal mathematical model for a hash
function, by Bellare and Rogaway (1993).
• Characteristics of this model:
• When a new message of any length is given, the
oracle creates a random fixed-length message
digest.
• When a message is given for which a digest exists,
the oracle simply gives the digest from the record.
• The digest for a new message shouldn’t match
any previous digests.
Attacks on Random Oracle Model
• Suppose Eve is trying to attack a hash function.
• That means, for a given digest D, the
attacker (Eve) makes k queries to the oracle so as
to match any one with D, where D is a random
variable having N (= 2^n) possible values between 0
and N − 1.
• The following table shows the values of k with
probability of success (P = 0.5) for different attacks:
Birthday Paradox
• What is the minimum number, k, of students in a
class room such that it is likely that at least two
students have the same birthday?
• This problem can be generalized as:
• We have a uniformly distributed random variable
with N possible values (between 0 and N − 1).
• What is the minimum number of instances, k,
such that it is likely that at least two instances are
equal?
• So, here the digest is considered as a random
variable with possible values between 0 and N − 1,
where N = 2^n.
Analysis of Preimage Attack
• The probability that the hash of an M[i], for any i, matches
D is given by 1/N.
• Thus the probability that it doesn’t match is 1 − 1/N.
• The probability that none of the k queries made by Eve
matches D is (1 − 1/N)^k.
• Thus the success probability of Eve = 1 − (1 − 1/N)^k.
• Let us apply the series e^−x = 1 − x + x^2/2! − x^3/3! + … to
approximate the probability.
• If x is small, we can replace 1 − x by e^−x.
• If N is large, then we can write 1 − 1/N = e^−(1/N).
• Thus we have P[success] = 1 − e^−k/N.
• Assuming P = 0.5, we get k = −ln(0.5) × N = ln(2) × N ≈ 0.69 × 2^n, where
N = 2^n.
Example
A cryptographic hash function produces a digest of 64 bits.
How many digests does Eve need to create at the rate of 2^30
messages per second to find the original message with
probability more than 0.5 for a preimage attack?
Solution
• The number of digests to be created is k ≈ 0.69 × 2^n ≈
0.69 × 2^64.
• This is a large number. Even if Eve can create 2^30 (almost
one billion) messages per second, it takes 0.69 × 2^34
seconds or more than 500 years.
• This means that a message digest of size 64 bits is secure
with respect to the preimage attack.
Caution: But this digest size is not secure against a collision attack.
Example

A cryptographic hash function uses a digest of 64 bits. How
many digests does Eve need to create at the rate of 2^20
messages per second, to find two messages with the same
digest with probability more than 0.5?
Solution
• The number of digests to be created is k ≈ 1.18 × 2^(n/2) ≈
1.18 × 2^32.
• If Eve can test 2^20 (almost one million) messages per
second, it takes 1.18 × 2^12 seconds, or less than two
hours.
• This means that a message digest of size 64 bits is not
secure against the collision attack.
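The preimage and birthday (collision) work factors from the two examples, computed from the formulas P = 1 − e^(−k/N) and, for collisions, P = 1 − e^(−k^2/2N), as an added Python example (not the slides' own code). To make the birthday bound tangible it also runs a collision search against a deliberately truncated digest (SHA-256 cut to 16 bits), a constructed toy that has no bearing on real SHA-256; for 16 bits the search finishes after roughly 1.18 × 2^8 ≈ 300 digests.

```python
# Added example (not from the slides): attack cost estimates for an n-bit
# digest, plus a birthday search on a truncated (toy) digest.
import hashlib
import itertools
import math


def preimage_queries(n, p=0.5):
    """k solving 1 - e^(-k/N) = p for N = 2^n; ≈ 0.69 * 2^n when p = 0.5."""
    return -math.log(1 - p) * 2 ** n


def collision_queries(n, p=0.5):
    """Birthday bound: 1 - e^(-k^2 / 2N) = p gives k = sqrt(2N ln(1/(1-p)));
    ≈ 1.18 * 2^(n/2) when p = 0.5."""
    return math.sqrt(2 * math.log(1 / (1 - p))) * 2 ** (n / 2)


def seconds_needed(queries, rate_per_second):
    return queries / rate_per_second


def trunc_hash(msg, bits):
    """SHA-256 truncated to `bits` bits: a constructed small digest to experiment on."""
    d = int.from_bytes(hashlib.sha256(msg).digest(), 'big')
    return d >> (256 - bits)


def find_collision(bits, prefix=b'msg-'):
    """Hash distinct messages until a truncated digest repeats.
    Returns (m1, m2, digests_computed)."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
```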

Standard Hash Functions

• MD5
• SHA-512

MESSAGE AUTHENTICATION
• A message digest discussed earlier (MDC)
does not authenticate the sender of the
message.
• That means the receiver is not able to know
whether the message has come from the intended
sender or not.
• To provide message authentication, the sender
Alice needs to provide proof that it is Alice
sending the message and not an impostor.
• Therefore, we need a new mechanism called a
message authentication code (MAC).
Message Authentication Code (MAC)
• It ensures the integrity as well as the originator
of the message.
• Therefore, a MAC includes a secret key (K) to
achieve this.
Security of MAC
• Suppose Eve has intercepted a message M and the digest
h(K|M). How can Eve forge a message without knowing
the secret key?
• Methods of attack:
• Attack the key space
• Attack the MAC value
• Attack the key space
• If the attacker has a valid message and MAC pair, then
he can try all possible keys (if the key domain is small).
• Since a MAC is many-to-one, there is a chance that
more than one key produces the same MAC. Hence, he
can try an additional message-MAC pair to get the unique key.
• Overall, he can try 2^k possible keys for a key of size k bits.
Security of MAC
• Attack the MAC value
• Here, the attacker works on the MAC without attempting
to recover the key.
• That means he generates a valid MAC for the given
message or finds a message that matches a given MAC.
• In either case, he has to conduct the preimage attack,
which is of the order 2^n.

Nested MAC
It provides improved security, as the hashing
is done in two steps.
HMAC
ipad = b/8 repetitions of the
sequence 00110110
opad = b/8 repetitions of the
sequence 01011100

HMAC-SHA-1 and HMAC-MD5
are used within the IPsec and
TLS protocols,
where SHA-1 and MD5 are
cryptographic hash functions.
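HMAC built from the ipad/opad construction above, as an added Python example (not the slides' own code): the key is padded to the hash's block size b/8 bytes (hashed first if longer), XORed with the repeated 00110110 and 01011100 bytes, and the nested two-step hash h((K ⊕ opad) | h((K ⊕ ipad) | M)) is computed. The result is compared with the standard-library `hmac` module, and the verifier uses a constant-time comparison so the tag check itself does not leak timing information.

```python
# Added example (not from the slides): HMAC from the ipad/opad definition,
# checked against Python's hmac module; hash_fn is any hashlib constructor.
import hashlib
import hmac


def hmac_from_scratch(key, msg, hash_fn=hashlib.sha1):
    block = hash_fn().block_size           # b/8 bytes: 64 for SHA-1, MD5, SHA-256
    if len(key) > block:
        key = hash_fn(key).digest()        # long keys are hashed down first
    key = key.ljust(block, b'\x00')        # then zero-padded to the block size
    ipad = bytes([0x36]) * block           # 00110110 repeated b/8 times
    opad = bytes([0x5C]) * block           # 01011100 repeated b/8 times
    k_ipad = bytes(k ^ i for k, i in zip(key, ipad))
    k_opad = bytes(k ^ o for k, o in zip(key, opad))
    inner = hash_fn(k_ipad + msg).digest()            # step 1 (nested MAC)
    return hash_fn(k_opad + inner).hexdigest()        # step 2


def verify_tag(key, msg, tag_hex, hash_fn=hashlib.sha1):
    """Constant-time tag comparison; never compare MACs with == in production code."""
    return hmac.compare_digest(hmac_from_scratch(key, msg, hash_fn), tag_hex)
```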
Cryptographic
Hash Functions

Dr. Bimal Kumar Meher


Associate Professor
Dept. of CSE
BKM/SIT
Cryptographic Hash Functions
• A cryptographic hash function takes a
message of arbitrary length and creates a
message digest of fixed length.
• In practice it is implemented by an iterated scheme called the Merkle-Damgard scheme.
• Instead of using a hash function with variable-size input, a function with fixed-size input called a compression function is created and applied as many times as necessary.
Merkle-Damgard Scheme
• The original message combined with the length of the message is padded with extra bits so that it can be evenly divided into t blocks of n bits each.
• H0 is set to a fixed value called the initial value (IV).
• The operation at each iteration: Hi = f(Hi−1, Mi)
• Ht is the final output, called the message digest.
Two Groups of Compression Functions
1. The compression function is made from scratch:
   • Message Digest (MD)
   • Secure Hash Algorithm (SHA)
2. A symmetric-key block cipher serves as the compression function:
   • Whirlpool
MD4
• Developed by Ron Rivest in 1990.
• Hash code size is 128 bits.
• The message block size is 512 bits.
• Each block is further divided into words of 32 bits each.
• Each block is compressed by a compression function consisting of three rounds of 16 operations each.

Operations i | Function f_i | Constant c_i
0…15  | F(x,y,z) | 0x00000000
16…31 | G(x,y,z) | 0x5a827999
32…47 | H(x,y,z) | 0x6ed9eba1
MD4 Structure
[Figure: the three rounds (Round 1, Round 2, Round 3) of the MD4 compression function, with inputs Mi, Ci and shift amounts si]
Note:
+ denotes addition modulo 2^32
<<< si denotes a circular left shift by si positions
Mi denotes the message word to compress
Ci defines a round constant, which is the same for each operation in a round.
MD4 (Contd…)
Initial Values (IV)
H1 (for Register A) 0x67452301
H2 (for Register B) 0xefcdab89
H3 (for Register C) 0x98badcfe
H4 (for Register D) 0x10325476
Bitwise Boolean Functions
F(x,y,z) = (x ∧ y) ∨ (¬x ∧ z)
G(x,y,z) = (x ∧ y) ∨ (x ∧ z) ∨ (y ∧ z)
H(x,y,z) = x ⊕ y ⊕ z

Operations i | Shift amounts s_i
0-15  | 3,7,11,19,3,7,11,19,3,7,11,19,3,7,11,19
16-31 | 3,5,9,13,3,5,9,13,3,5,9,13,3,5,9,13
32-47 | 3,9,11,15,3,9,11,15,3,9,11,15,3,9,11,15
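The Merkle-Damgard iteration and the MD4 compression function above, implemented as an added example rather than code from the slides; the message-word order of rounds 2 and 3 is taken from RFC 1320 (the slide lists only the functions, constants and shifts), and the test vectors are the RFC 1320 ones.

```python
import struct

MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # H1..H4 for registers A, B, C, D


def f_sel(x, y, z):   # F: bitwise "if x then y else z"
    return (x & y) | (~x & z)


def g_maj(x, y, z):   # G: bitwise majority
    return (x & y) | (x & z) | (y & z)


def h_par(x, y, z):   # H: bitwise parity
    return x ^ y ^ z


# Per round: (function f_i, constant c_i, shift table s_i, message-word order).
# The word orders for rounds 2 and 3 come from RFC 1320 (the slide only lists f_i, c_i and s_i).
ROUNDS = (
    (f_sel, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (g_maj, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (h_par, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def rotl32(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4_compress(state: tuple, block: bytes) -> tuple:
    """One call of the compression function f(H_{i-1}, M_i): 3 rounds x 16 operations."""
    m = struct.unpack("<16I", block)                 # 16 little-endian 32-bit words
    a, b, c, d = state
    for func, const, shifts, order in ROUNDS:
        for i in range(16):
            a = rotl32((a + func(b, c, d) + m[order[i]] + const) & MASK32, shifts[i % 4])
            a, b, c, d = d, a, b, c                  # rotate so each step updates the next register
    return tuple((s + t) & MASK32 for s, t in zip(state, (a, b, c, d)))   # H_i = H_{i-1} + f(...)


def md_pad(message: bytes, block_size: int = 64) -> bytes:
    """Merkle-Damgard padding: a 1 bit, zeros, then the 64-bit message length (in bits)."""
    bit_len = 8 * len(message)
    padded = message + b"\x80"
    padded += b"\x00" * ((block_size - 8 - len(padded)) % block_size)
    return padded + struct.pack("<Q", bit_len)


def md4(message: bytes) -> str:
    """Iterate the compression function over the t padded blocks, starting from H_0 = IV."""
    padded = md_pad(message)
    state = IV
    for off in range(0, len(padded), 64):
        state = md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()          # H_t, the 128-bit digest
```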
MD5
• It is an improvement over MD4 by Ron Rivest.
• This was because the first two rounds of MD4 were successfully attacked (cryptanalysed) by Merkle and Eli Biham.
• It has 4 rounds, with 16 operations in each round, so 64 operations in total.
MD5 Structure
[Figure: the four rounds (Round 1 to Round 4) of the MD5 compression function]
Note:
+ denotes addition modulo 2^32
<<< s denotes a circular left shift by s places; s varies for each operation
Mi denotes the message word to compress
Ki defines a round constant, which is the same for each step in a round.
MD5 (Contd…)
There are four non-linear functions as follows:
F(x,y,z) = (x.y) + ((!x).z)
G(x,y,z) = (x.z) + (y.(!z))
H(x,y,z) = x ⊕ y ⊕ z
I(x,y,z) = y ⊕ (x + (!z))
+ denotes OR, . denotes AND, ! denotes complement, ⊕ denotes XOR
Improvements of MD5 over MD4
• A fourth round has been added.
• The function G in round 2 was changed to a less symmetric form.
• The left circular shift operation is optimized to obtain faster diffusion.
• The operations in each round use different shift values s.
• It has a stronger avalanche effect.
MD5 Example
• MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
• MD5("The quick brown fox jumps over the lazy dog.") = e4d909c290d0fb1ca068ffaddf22cbd0
SHA-512
• Designed by the National Security Agency and published by NIST in 2001.
• SHA-512 belongs to the family of hash functions named SHA-2 by NSA.
• This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme and is the latest of this family.
Message Digest Creation in SHA-512
• Here, the length of the original message should be less than 2^128 bits; the padded message is divided into N blocks of 1024 bits.
• The message digest is 512 bits, as are the intermediate digests produced by each compression function.
Continued
Do we really need to worry about the SHA-512 message length limitation?
Suppose we need to send a message that is 2^128 bits in length. How long does it take for a communications network with a data rate of 2^64 bits per second to send this message?
Solution
A communications network that can send 2^64 bits per second is not yet available. Even if it were, it would take many years to send this message. This tells us that we do not need to worry about the SHA-512 message length restriction.
Padding and length field in SHA-512
What is the number of padding bits if the length of the original message is 2590 bits?
Solution
We can calculate the number of padding bits as follows:
|P| = (−|M| − 128) mod 1024 = (−2590 − 128) mod 1024 = 354
The padding consists of one 1 followed by 353 0's.
Message Block, Message Digest and Words
• The algorithm operates on words.
• Hence the message block is divided into 16 words of 64 bits each.
• Similarly, the message digest consists of 8 words of 64 bits each.
Compression Function SHA-512

Message Digest Initialization Vectors (IV)
• These values are calculated from the first 8 prime numbers (2, 3, …, 19)
• by taking the square root of these numbers and then
• converting them to binary, keeping only 64 bits of the fractional part.
Structure of each round in SHA-512

Functions used in the Mixers
Majority Function

Conditional Function

Rotate Functions

Word expansion in SHA-512
• Although each message block is 1024 bits = 16 words of 64 bits each, the words have to be expanded to 80 words, as required by the 80 rounds of subsequent processing.
Constants used in 80 rounds of SHA-512

Generating the Constants
• There are 80 constants, K0 to K79, each of 64 bits.
• These values are calculated from the first 80 prime numbers (2, 3, …, 409).
• For example, the 80th prime is 409, with the cube root (409)^(1/3) = 7.42291412044.
• Converting this number to binary, keeping only 64 bits of the fractional part, we get
  the fractional part: (6C44198C4A475817)16
Example 1
We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.
The result is 1110, or 0xE in hexadecimal.
Example 2
We apply the Conditional function on buffers E, F, and G. If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.
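The SHA-512 building blocks from the slides above (Maj and Ch as in Examples 1 and 2, the IV and round-constant derivation from prime square and cube roots, and the padding-length formula), as an added example that is not code from the slides; integer arithmetic is used instead of floating point so that all 64 fractional bits come out exact.

```python
import math

MASK64 = (1 << 64) - 1


def majority(a: int, b: int, c: int) -> int:
    """Maj(A, B, C): each output bit is the majority of the three input bits."""
    return (a & b) ^ (a & c) ^ (b & c)


def conditional(e: int, f: int, g: int) -> int:
    """Ch(E, F, G): where a bit of E is 1 take F's bit, where it is 0 take G's bit."""
    return (e & f) ^ (~e & g)


def rotr64(x: int, n: int) -> int:
    """RotR_n: circular right rotation of a 64-bit word."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def first_primes(count: int) -> list:
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def icbrt(n: int) -> int:
    """Integer cube root by bisection; pure integer arithmetic keeps every bit exact."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def frac64_sqrt(p: int) -> int:
    """First 64 fractional bits of sqrt(p): floor(sqrt(p * 2^128)) = floor(sqrt(p) * 2^64)."""
    return math.isqrt(p << 128) & MASK64


def frac64_cbrt(p: int) -> int:
    """First 64 fractional bits of cbrt(p): floor(cbrt(p * 2^192)) = floor(cbrt(p) * 2^64)."""
    return icbrt(p << 192) & MASK64


def sha512_initial_values() -> list:
    """H1..H8: square roots of the first 8 primes (2 .. 19)."""
    return [frac64_sqrt(p) for p in first_primes(8)]


def sha512_round_constants() -> list:
    """K0..K79: cube roots of the first 80 primes (2 .. 409)."""
    return [frac64_cbrt(p) for p in first_primes(80)]


def padding_bits(message_bits: int, block: int = 1024, length_field: int = 128) -> int:
    """|P| such that |M| + |P| + 128 is a multiple of 1024 (a 1 followed by |P|-1 zeros).

    At least one padding bit is always required, so a message that already fits
    exactly gets a whole extra block of padding.
    """
    bits = (-message_bits - length_field) % block
    return bits if bits else block
```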
Analysis
• With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks.
• But more research and testing are needed to confirm the claim.
Digital Signature

Introduction
• The purpose of a digital signature is to provide a means for an entity to bind its identity with information (a message).
• Let us look at the differences between conventional signatures and digital signatures in terms of:
  • Inclusion
  • Verification Method
  • Relationship
  • Duplicity
Inclusion
• A conventional signature is included in the document; it is part of the document.
• But when we sign a document digitally, we send the signature as a separate document.
Verification Method
• For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on record.
• For a digital signature, the recipient receives the message and the signature.
• The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.
Relationship
• For a conventional signature, there is normally a one-to-many relationship between a signature and documents.
• For a digital signature, there is a one-to-one relationship between a signature and a message.
Duplicity
• For a conventional signature, a copy of the signed document can be distinguished from the original one on file.
• For a digital signature, there is no such distinction unless there is a factor of time on the document.
PROCESS
• The sender uses a signing algorithm to sign the message (M).
• The message and the signature are sent to the receiver.
• The receiver receives the message and the signature and applies the verifying algorithm to the signature to get the message, say M'.
• If M = M', the message is accepted; otherwise, it is rejected.
Does a Digital Signature need Keys?
Note
A digital signature needs a public-key system. The signer signs with her private key; the verifier verifies with the signer's public key.
Public key Encryption/Decryption vs Digital Signature
Note
A public-key cryptosystem (used for encryption/decryption) uses the private and public keys of the receiver; but a digital signature uses the private and public keys of the sender.
Digital Signature (Contd…)
Question: We know that a public-key cryptosystem is inefficient when dealing with long messages. Then how can it be applied to digital signatures, which normally deal with long messages?
Solution: Sign the digest of the message instead of the message itself.
SERVICES
• What are the different security services you know?
  • message confidentiality,
  • message authentication,
  • message integrity, and
  • nonrepudiation.
• What services is a digital signature going to provide?
  • A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.
Message Authentication
A secure digital signature scheme, like a secure conventional signature, can provide message authentication.
Message Integrity
The integrity of the message is preserved because we cannot get the same signature if the message is changed.
Nonrepudiation
Note
Nonrepudiation can be provided using a trusted party.
Confidentiality
Note
A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
DIGITAL SIGNATURE SCHEMES
• Several digital signature algorithms have evolved during the last few decades.
• They are based on public-key cryptosystems.
  • RSA Digital Signature
  • ElGamal Digital Signature
  • Schnorr Digital Signature
  • Digital Signature Algorithm (DSS)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
RSA Digital Signature
The scheme consists of three algorithms:
1. Key generation algorithm
2. Signing algorithm
3. Verifying algorithm
Key generation:
1. Select two large prime numbers p and q
2. n = p × q
3. Φ(n) = (p−1) × (q−1)
4. Select e such that gcd(e, Φ(n)) = 1
5. d = e^(−1) mod Φ(n)
6. Public key (e, n) and private key (d, n)
A Trivial Example
• Let Alice choose p = 823 and q = 953.
• Then n = 784319 and Φ(n) = 782544.
• Suppose she chooses e = 313; then she calculates d = 160009.
• Now suppose Alice wants to send a message with the value M = 19070 to Bob.
• She uses her private exponent, 160009, to sign the message:
• Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates
Bob accepts the message because he has verified Alice's signature.
RSA Signature on the Message Digest

Note
When the digest is signed instead of the message itself,
the susceptibility of the RSA digital signature scheme
depends on the strength of the hash algorithm.
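RSA signing and verification with Alice's parameters from the trivial example, plus signing of a digest as the note above suggests; this is an added example, not code from the slides, and digest_mod_n (a SHA-256 digest reduced modulo n) is a toy stand-in for a proper signature padding scheme so that the digest fits the slide's small modulus.

```python
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Slide steps 1-6: n = p*q, phi(n) = (p-1)(q-1), d = e^(-1) mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (e, n), (d, n)                # public key (e, n), private key (d, n)


def rsa_sign(private_key, m: int) -> int:
    d, n = private_key
    if not 0 <= m < n:
        raise ValueError("message representative must lie in [0, n)")
    return pow(m, d, n)                  # S = M^d mod n


def rsa_verify(public_key, m: int, s: int) -> bool:
    e, n = public_key
    return 0 <= s < n and pow(s, e, n) == m   # accept iff S^e mod n == M


def digest_mod_n(message: bytes, n: int) -> int:
    """Toy stand-in for 'sign the digest': SHA-256 of the message reduced modulo n.

    A real scheme pads the digest (e.g. PKCS#1) instead of reducing it; the
    reduction is only so that the digest fits the slide's 20-bit modulus.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_message(private_key, message: bytes) -> int:
    return rsa_sign(private_key, digest_mod_n(message, private_key[1]))


def verify_message(public_key, message: bytes, s: int) -> bool:
    return rsa_verify(public_key, digest_mod_n(message, public_key[1]), s)


def slide_example() -> dict:
    """Alice's parameters from the trivial example: p = 823, q = 953, e = 313, M = 19070."""
    public, private = rsa_keygen(823, 953, 313)
    s = rsa_sign(private, 19070)
    return {"n": public[1], "d": private[0], "signature": s,
            "verified": rsa_verify(public, 19070, s),
            "altered_rejected": not rsa_verify(public, 19071, s)}
```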
ElGamal Digital Signature
Key Generation
• The key generation procedure here is exactly the same as the one used in the corresponding cryptosystem, as with RSA. It works in the group Zp*.
• Bob receives M, S1, S2. Before finding V1 and V2, he checks if 0 < S1 < p and if 0 < S2 < p−1.
A Trivial Example
• Let Alice choose p = 3119, e1 = 2, d = 127 and calculate e2 = 2^127 mod 3119 = 1702.
• She announces e1, e2, and p publicly; she keeps d secret.
• Let her choose r = 307, and let the message be M = 320.
• Then she generates the signature (S1, S2) as follows:
• Alice sends M, S1, and S2 to Bob. Bob uses the public key to calculate V1 and V2.
Schnorr Digital Signature Scheme
• This scheme is also based on the discrete logarithm problem.
• Here, the main part of signature generation doesn't depend on the message.
• Hence, it minimizes the message-dependent computation.
Key Generation in Schnorr
1) Select primes p and q, such that q is a prime factor of p−1.
2) Choose an integer e1 such that e1^q ≡ 1 mod p.
3) Choose a random integer d (0 < d < q) as the private key.
4) Calculate e2 = e1^d mod p.
5) So, the public key is (e1, e2, p, q) and the private key is (d).
Schnorr Digital Signature Algorithms
Signing the Message
1. Choose a random number r (0 < r < q).
2. Calculate S1 = h(M | e1^r mod p).
3. Calculate S2 = r + d × S1 mod q.
4. Then send M, S1, and S2.
Verifying the Message
1. Compute V = h(M | e1^S2 × e2^(−S1) mod p).
2. If S1 is congruent to V modulo p, the message is accepted.
Signing and Verifying Process of Schnorr's Scheme
A Trivial Example
Suppose we choose q = 103 and p = 2267. Note that p = 22 × q + 1. We choose e0 = 2, which is a primitive root in Z2267*. Then (p − 1)/q = 22, so we have e1 = 2^22 mod 2267 = 354. We choose d = 30, so e2 = 354^30 mod 2267 = 1206. Alice's private key is now (d); her public key is (e1, e2, p, q).
Alice wants to send a message M. She chooses r = 11 and calculates e1^r = 354^11 mod 2267 = 630. Assume that the message is 1000 and concatenation means 1000630. Also assume that the hash of this value gives the digest h(1000630) = 200. This means S1 = 200. Alice calculates S2 = r + d × S1 mod q = 11 + 1026 × 200 mod 103 = 35. Alice sends the message M = 1000, S1 = 200, and S2 = 35.
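The Schnorr key generation, signing and verification steps above, run on the parameters of the trivial example (q = 103, p = 2267, e0 = 2, d = 30, M = 1000, r = 11); this is an added example, not code from the slides. It uses SHA-256 over the decimal concatenation M | e1^r mod p in place of the assumed hash value, so the digest differs from the slide's 200.

```python
import hashlib


def schnorr_hash(message: int, commitment: int) -> int:
    """h(M | e1^r mod p): SHA-256 over the decimal concatenation, e.g. '1000' + '630' -> '1000630'."""
    data = (str(message) + str(commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def schnorr_keygen(p: int, q: int, e0: int, d: int):
    """Key generation: e1 = e0^((p-1)/q) mod p has order q (so e1^q = 1 mod p); e2 = e1^d mod p."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    e1 = pow(e0, (p - 1) // q, p)
    if e1 == 1 or pow(e1, q, p) != 1:
        raise ValueError("e0 does not yield an element of order q")
    if not 0 < d < q:
        raise ValueError("private key must satisfy 0 < d < q")
    return (e1, pow(e1, d, p), p, q), d


def schnorr_sign(public_key, d: int, message: int, r: int):
    """Signing: S1 = h(M | e1^r mod p), S2 = r + d*S1 mod q. r must be fresh and secret per signature."""
    e1, e2, p, q = public_key
    if not 0 < r < q:
        raise ValueError("r must satisfy 0 < r < q")
    s1 = schnorr_hash(message, pow(e1, r, p))
    s2 = (r + d * s1) % q
    return s1, s2


def schnorr_verify(public_key, message: int, s1: int, s2: int) -> bool:
    """Verification: V = h(M | e1^S2 * e2^(-S1) mod p); accept iff V == S1.

    e1^S2 * e2^(-S1) = e1^(r + d*S1 - d*S1) = e1^r, so V reproduces S1 for a genuine signature.
    """
    e1, e2, p, q = public_key
    if not 0 <= s2 < q:
        return False
    e2_inv = pow(e2, -1, p)                        # e2^(-S1) computed as (e2^-1)^S1
    commitment = pow(e1, s2, p) * pow(e2_inv, s1, p) % p
    return schnorr_hash(message, commitment) == s1


def slide_example():
    """Parameters of the trivial example: q = 103, p = 2267, e0 = 2, d = 30, M = 1000, r = 11."""
    public_key, d = schnorr_keygen(2267, 103, 2, 30)
    s1, s2 = schnorr_sign(public_key, d, 1000, 11)
    return public_key, (s1, s2), schnorr_verify(public_key, 1000, s1, s2)
```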
Digital Signature Algorithm (DSA)
n It is also called the Digital Signature Standard(DSS).
n It is an efficient variant of ElGamal’s signature
scheme.
n The reduction in the running time arises due to Zq*
which is a subgroup of Zp*

DSA Key Generation
1) Choose primes p and q, such that q is a prime divisor of p−1. So, it uses the groups <Zp*, ×> and <Zq*, ×>.
2) Then compute the generator e1 ≡ h^((p−1)/q) (mod p) until e1 ≠ 1, where h is a random number.
3) So, the parameters for DSA are p, q and e1.
4) Now, Alice chooses a random d ∈ {2, 3, …, q−1} and calculates e2 = e1^d (mod p).
5) Alice's public key is e2 and her private key is d.
DSA Signing and Verifying

A Trivial Example
• Let us choose p = 8081 and q = 101.
• Let us take h = 3 and calculate e1 = h^((p−1)/q) mod p = 6968.
• Let Alice choose d = 61 as the private key and
• calculate e2 = e1^d mod p = 2038.
• Now Alice can send a message to Bob.
• Assume that h(M) = 5000 and Alice chooses r = 61:
• Alice sends M, S1, and S2 to Bob.
• Bob uses the public keys to calculate V.
Comparative Analysis
DSS Versus RSA
Computation of DSS signatures is faster than computation of RSA signatures when using the same p.
DSS Versus ElGamal
DSS signatures are smaller than ElGamal signatures because q is smaller than p.
Elliptic Curve Digital Signature Algorithm

ECDSA (Contd…)
Key Generation
1) Alice chooses an elliptic curve Ep(a, b).
2) Alice chooses another prime q to be used in the calculation.
3) Alice chooses the private key d, an integer.
4) Alice chooses e1(…, …), a point on the curve.
5) Alice calculates e2(…, …) = d × e1(…, …).
6) Alice's public key is (a, b, p, q, e1, e2); her private key is d.
ECDSA Signing and Verifying

Time Stamped Signatures
• Sometimes a signed document needs to be time stamped to prevent it from being replayed by an adversary.
• This is called a time-stamped digital signature scheme.
• Including the actual date and time on the documents may create problems if clocks are not synchronized and universal time is not used.
• One solution to this is to use a nonce (a one-time random number).
Blind Signature
• Developed by David Chaum.
• This is a process by which a signature on a document can be obtained from a signer without revealing the contents to the signer.
Blind Signature Idea
• Suppose Bob has a secret message which he wants to be signed by Alice without revealing its content to her.
• So Bob creates the message, blinds it and sends it to Alice.
• Alice signs the blinded message and returns it to Bob.
• Then Bob unblinds the signature to obtain the signature on the original message.
Key Management

Key Management
• Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large messages.
• Symmetric-key cryptography, however, needs a shared secret key between two parties.
• The distribution of keys is another problem.
• One solution is a trusted third party.
• To reduce the number of keys, each person establishes a shared secret key with the KDC.
Key-Distribution Center: KDC
• Alice sends a request to the KDC stating that she needs a (temporary) session key between herself and Bob.
• The KDC informs Bob about Alice's request.
• If Bob agrees, a session key is created between the two.
Flat Multiple KDCs
• This is to avoid the bottleneck due to a large number of users of a single KDC.
• We divide the entire world into domains.
• Each domain may have one or more KDCs.
Hierarchical Multiple KDCs

Session Keys
• A KDC creates a secret key for each member.
• This secret key can be used only between the member and the KDC, not between two members.
• If Alice needs to communicate secretly with Bob, she needs another secret key between herself and Bob.
• Therefore, the KDC can create a session key between Alice and Bob.
• After the communication ends, the session key is invalid.
Note
A session symmetric key between two parties is used only once.
A Simple Protocol Using a KDC
Flaw: Replay Attack
Countermeasures for Replay Attack
• By using random numbers used only once, also called nonces (used in HTTP digest access authentication, IVs and stream ciphers)
• By using a session id or session token (often used by shopping websites to assign a token to the shopper for some time)
• By using one-time passwords (often used by banks and other finance companies)
• By timestamps (often used in digital photographs, digital signatures, file systems and databases)
Needham-Schroeder Protocol

KERBEROS
• Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular.
• Several OSs, including Windows, use Kerberos.
• Originally designed at MIT, it has gone through several versions (latest: Kerberos 5).
• Three servers are involved:
  • An authentication server (AS)
  • A ticket-granting server (TGS)
  • A real (data) server
KERBEROS (Contd…)
Authentication Server (AS)
• The authentication server (AS) is the KDC in the Kerberos protocol.
• Each user registers with the AS and is granted a user-id and password.
• The AS verifies the user, issues a session key to be used between Alice and the TGS, and sends a ticket for the TGS.
KERBEROS (Contd…)
Ticket-Granting Server (TGS)
• It is also a part of the KDC, which issues a ticket for the real server (Bob).
• It also provides the session key (KAB) between Alice and Bob.
• Although Alice verifies her user-id only once with the AS, she can contact the TGS multiple times to obtain tickets for different real servers.
Real Server
• The real server (Bob) provides services for the user (Alice).
• Kerberos is designed for client-server programs, such as FTP, HTTP etc. It is not used for person-to-person authentication.
KERBEROS Server Operation

KERBEROS operation in detail

Using Different Servers
Which steps are required if Alice wants to receive services from different servers?
She needs to repeat only the last four steps.
SYMMETRIC-KEY AGREEMENT
• Alice and Bob can create a session key between themselves without using a KDC.
• This method of session-key creation is referred to as symmetric-key agreement.
• An example is Diffie-Hellman key agreement.
Diffie-Hellman Key Agreement
• Alice chooses a large random number x such that 0 ≤ x ≤ p−1 and calculates R1 = g^x mod p, where g is a generator of order p−1 in the group <Zp*, ×>.
• Bob chooses another large random number y such that 0 ≤ y ≤ p−1 and calculates R2 = g^y mod p.
• Alice sends R1 to Bob. Note that Alice does not send the value of x.
• Bob sends R2 to Alice. Again note that he does not send the value of y.
• Alice calculates K1 = (R2)^x mod p.
• Bob also calculates K2 = (R1)^y mod p. Is K1 = K2?
An Example
Alice and Bob want to establish a shared secret key by using the Diffie-Hellman technique. Assuming g = 7 and p = 23, find K. (Assume x = 3 and y = 6.)
1. Alice chooses x = 3. So, R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6. So, R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob: g^xy mod p = 7^18 mod 23 = 18.
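Diffie-Hellman with the numbers from the example (g = 7, p = 23, x = 3, y = 6), plus a check that g really generates Zp* and the man-in-the-middle failure discussed in the security slides that follow; this is an added example, not code from the slides, and Eve's exponent z = 5 is a constructed value.

```python
import secrets


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (fine for the small classroom modulus)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g: int, p: int) -> bool:
    """g has order p-1 in Z_p* iff g^((p-1)/r) != 1 mod p for every prime factor r of p-1."""
    return all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def dh_public(g: int, p: int, secret: int) -> int:
    return pow(g, secret, p)              # R = g^x mod p


def dh_shared(received: int, secret: int, p: int) -> int:
    return pow(received, secret, p)       # K = R^y mod p


def dh_exchange(g: int, p: int, x: int, y: int):
    """Run both sides; returns (R1, R2, K1, K2) so that K1 == K2 can be checked."""
    r1, r2 = dh_public(g, p, x), dh_public(g, p, y)
    return r1, r2, dh_shared(r2, x, p), dh_shared(r1, y, p)


def slide_example():
    """g = 7, p = 23, x = 3, y = 6 from the example above."""
    return dh_exchange(7, 23, 3, 6)       # (21, 4, 18, 18)


def random_exchange(g: int, p: int):
    """Same protocol with fresh random exponents drawn from 1 .. p-2."""
    x, y = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    return dh_exchange(g, p, x, y)


def man_in_the_middle(g: int, p: int, x: int, y: int, z: int):
    """Why unauthenticated DH fails: Eve replaces both R1 and R2 with her own g^z.

    Returns (K_alice, K_bob, eve_knows_both). Alice and Bob end up with different keys,
    each of which Eve can compute; this is what the station-to-station protocol prevents
    by signing the exchanged values.
    """
    r1, r2 = dh_public(g, p, x), dh_public(g, p, y)
    r_eve = dh_public(g, p, z)
    k_alice = dh_shared(r_eve, x, p)      # Alice computes (g^z)^x
    k_bob = dh_shared(r_eve, y, p)        # Bob computes (g^z)^y
    eve_knows_both = dh_shared(r1, z, p) == k_alice and dh_shared(r2, z, p) == k_bob
    return k_alice, k_bob, eve_knows_both
```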
Security of Diffie-Hellman
Discrete Logarithm Attack
• The prime p must be very large (more than 300 decimal digits).
• p−1 must have at least one large prime factor (more than 60 decimal digits).
• Bob and Alice must destroy x and y after using them.
Man-in-the-Middle Attack
• Here Eve does not have to know the value of x and y to attack the protocol.
• She can fool Alice and Bob by creating two keys: one between herself and Alice and another between herself and Bob.
Station-to-Station Key Agreement (a solution to the Man-in-the-Middle Attack)
PUBLIC-KEY DISTRIBUTION
• The main issues are:
  • How to distribute the public key?
  • How to make the public key secure?
1. Trusted Center
2. Controlled Trusted Center
3. Certification Authority
4. X.509
5. Public-Key Infrastructures (PKI)
Trusted Center
• A more secure approach than public announcement.
• A dynamically updated directory of public keys (sent by the users) is maintained and advertised.
• Each user must be registered with the TC.
Controlled Trusted Center
It provides another level of security by using timestamps.
Drawback: It creates a heavy load on the TC if the number of requests is very large.
Certification Authority
• It binds a public key to an entity and issues a certificate.
• It has a well-known public key which can’t be forged.

Certificate Authority Market Share (as of Nov 2021)
Rank | CA | Market Share
1 | IdenTrust | 36.0%
2 | Digicert | 16.9%
3 | Sectigo | 15.3%
4 | Let's Encrypt | 11.1%
5 | GoDaddy | 5.6%
X.509
• It is a standardised certificate format designed by ITU-T.
• All certificate authorities should follow it.
• It uses a well-known notation called ASN.1.
X.509 (Certificate Request)
• An organization that wants a signed certificate requests one via a certificate signing request (CSR).
• To do this, it first generates a key pair, keeping the private key secret and using it to sign the CSR.
• The CSR contains information like:
  • identity of the applicant
  • applicant's public key (used to verify the signature of the CSR)
  • Distinguished Name (DN) that the certificate is for
X.509 (Certificate Request) - Contd…
• The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority.
• The certification authority issues a certificate binding a public key to a particular distinguished name (DN).
• How do web browsers know about these CAs?
• The browsers' developers determine which CAs are trusted third parties for the browsers' users.
X.509 (Certificate Request) - Contd…
• Browsers such as Internet Explorer, Firefox, Opera, Safari and Chrome come with a predetermined set of root certificates pre-installed.
• Therefore, SSL certificates from major certificate authorities will work instantly.
X.509 (Contd…)
Certificate Renewal
• Each certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires.
Certificate Revocation
• In some cases a certificate must be revoked before its expiration:
  • If the user's private key is compromised
  • If the CA is not willing to certify the user
  • If the CA's private key is compromised
• The revocation is done by periodically issuing a Certificate Revocation List (CRL).
X.509 (Contd…)
Certificate revocation format

Public-Key Infrastructures (PKI)
• It is a model for creating, distributing and revoking
Certificates based on X.509.
• It helps in secure information transfer in e-commerce,
Internet banking and confidential mail.

Trust Model of PKI

PKI hierarchical model

Browser Support for Certificates
• Web browsers, such as Netscape, Internet Explorer, Safari and Chrome, include a set of certificate authorities (CAs).
• We can find the list of these roots in Internet Explorer at: Tools/Internet Options/Contents/Certificate/Trusted roots (using the pull-down menu).
• The user can then choose any of these roots and view the certificate.
Security at the Application Layer: PGP and S/MIME

E-mail Architecture

E-mail Security
Cryptographic Algorithms
Since there is no session created between sender and receiver, the sender of the message needs to include the names or identifiers of the algorithms used in the message.
Cryptographic Secrets
The encryption is done using a symmetric-key algorithm, and the secret key is sent to the receiver (with the message) after encrypting it with the public key of the receiver.
Certificates
Certificates are essential because the sender uses the receiver's public key and the receiver may use the sender's public key.
PGP
• Pretty Good Privacy (PGP) is a protocol which is used to create a secure e-mail message or to store a file securely for future retrieval.
• It provides privacy, integrity and authentication.
• Invented by Phil Zimmermann in 1991.
Some other features of PGP
Code Conversion
• PGP uses Radix-64 conversion to get ASCII data from non-ASCII data.
Segmentation
• PGP allows the message to be segmented into uniform-size units after Radix-64 conversion, as required by the underlying e-mail protocol.
Compression
• PGP uses compression techniques to reduce the size of the message.
Radix-64 conversion
• This is useful for sending images, audio, video etc.
• It divides the binary data into 24-bit blocks.
• Each block is then divided into four sections of 6 bits each.
Key Rings in PGP
• Assuming that a person may send messages to many persons, PGP defines the concept of key rings.
Key Rings in PGP - Contd…
• Note that Alice has several pairs of public/private keys belonging to other people.
• Alice sending a message
  • She uses her private key to sign the digest.
  • She uses the receiver's public key to encrypt a newly created session key.
  • She encrypts the message and signed digest with the session key created.
• Bob receiving a message
  • He uses his private key to decrypt the session key.
  • He uses the session key to decrypt the message and digest.
  • He uses the sender's public key to verify the digest.
Alice Sending a message to Bob
PGP Algorithms

Private key ring table maintained by each entity
• User ID is usually the e-mail id of the user.
• Key ID is the first (least significant) 64 bits of the public key.
• The Public Key column lists the public key belonging to a particular private key/public key pair.
• The Encrypted Private Key column keeps the private keys of the key ring in encrypted form.
• Timestamp holds the date and time of the key pair creation.
Public key ring table maintained by each entity
• User ID: here also the user-id is usually the e-mail id of the entity.
• Key ID: here also the key id is the first 64 bits of the public key.
• Public Key: this is the public key of the entity.
• Producer Trust: defines the trust level of the producer: full, partial or none.
• Certificate(s): holds the certificates signed by other entities for this entity.
• Certificate Trust(s): represents the certificate trust value of an entity, which is taken from the Producer Trust value after receiving a certificate from another entity.
• Key Legitimacy: this value is calculated by PGP based on the value of the certificate trust and the weight for each certificate trust.
• Timestamp: this column holds the date and time of the row creation.
Example
• A series of steps will show how a public key ring table is formed for Alice.
Trust Model in PGP
• The following shows a model of trust for Alice at some point in time.
• The diagram may change with changes in the public key ring.
Key Revocation
• It may become necessary for an entity to revoke (withdraw) his or her public key from the ring.
• This may happen if the owner of the key feels that the key is compromised (stolen, for example) or just too old to be safe.
PGP vs X.509 Certificates
• PGP uses certificates to authenticate public keys.
• Unlike X.509, there is no need for CAs.
• Anyone in the ring can sign a certificate for anyone else in the ring.
• Protocols that use X.509 certificates depend on the hierarchical structure of the trust.
• That means a single path from the fully trusted authority to any certificate.
• But in PGP there can be multiple paths from fully or partially trusted authorities to any certificate.
PGP Messages
• A PGP message is a combination of sequenced and/or nested packets.
• Some examples are:
  • Encrypted Message
  • Signed Message
  • Certificate Message
PGP Packets
Format of packet header

S/MIME
• Secure/Multipurpose Internet Mail Extension (S/MIME).
• This is an enhancement of the supplementary protocol called MIME which has been integrated into the e-mail system.
• MIME allows non-ASCII data (which was not allowed earlier) to be sent over the same e-mail system.
• MIME transforms non-ASCII data at the sender site to NVT ASCII data and delivers it to the client MTA to be sent through the Internet.
• At the receiving site, it is transformed back to the original data.
MIME

MIME Header

Quoted-printable
• This encoding is suitable if the data consists mostly of ASCII characters with small non-ASCII portions.
• If a character is ASCII, it is sent as it is, but if it is non-ASCII, it is sent as three characters.
• The first character is an '=' sign, and the next two are the hexadecimal representation of the byte.
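Radix-64 (as used by PGP, described earlier) and quoted-printable (as used by MIME, described above), implemented as an added example that is not code from the slides; both are cross-checked against Python's base64 and quopri modules on constructed inputs.

```python
import base64
import quopri

R64_ALPHABET = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                b"abcdefghijklmnopqrstuvwxyz0123456789+/")


def radix64_encode(data: bytes) -> bytes:
    """24-bit blocks -> four 6-bit indices into the alphabet; '=' pads a final short block."""
    out = bytearray()
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\x00"), "big")     # one 24-bit value
        sextets = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1                                    # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
        out += bytes(R64_ALPHABET[s] for s in sextets[:keep])
        out += b"=" * (4 - keep)
    return bytes(out)


def radix64_decode(text: bytes) -> bytes:
    """Inverse: every 4 characters give back 3 bytes, minus one per trailing '='."""
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count(b"=")
        n = 0
        for ch in group:
            n = (n << 6) | (0 if ch == ord("=") else R64_ALPHABET.index(ch))
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def quoted_printable_encode(data: bytes) -> bytes:
    """Printable ASCII passes through; any other byte (and '=' itself) becomes '=' + two hex digits."""
    out = bytearray()
    for b in data:
        if (33 <= b <= 126 and b != ord("=")) or b == 0x20:
            out.append(b)
        else:
            out += b"=%02X" % b
    return bytes(out)


def r64_matches_stdlib(data: bytes) -> bool:
    """Cross-check against base64, which uses the same alphabet and padding as Radix-64."""
    return (radix64_encode(data) == base64.b64encode(data)
            and radix64_decode(radix64_encode(data)) == data)


def qp_matches_stdlib(data: bytes) -> bool:
    """Cross-check against quopri for a short single line (quopri also folds lines over 76 chars)."""
    return quoted_printable_encode(data) == quopri.encodestring(data)
```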
S/MIME and CMS
Cryptographic Message Syntax (CMS)
• CMS is the IETF's standard for cryptographically protected messages.
• It is based on the popular industry standard PKCS#7 (Public Key Cryptography Specification).
• An S/MIME header specifies the content type as:
  application/pkcs7-mime; smime-type=enveloped-data
  for encrypting a MIME entity and inserting it into an application/pkcs7-mime MIME entity.
Example
• The following shows an example of enveloped-data in which a small message is encrypted using triple DES.
Key Management
• The key management in S/MIME is a combination of the key management used by X.509 and PGP.
Cryptographic Algorithms
• S/MIME defines several cryptographic algorithms. The term "must" means an absolute requirement; the term "should" means a recommendation.
Security at the
Transport Layer:
SSL and TLS

Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE
SSL
• Secure Sockets Layer, developed by Netscape in
1994.
• It is a cryptographic protocol to provide
communications security over the Internet.
• Provides the following services to data received
from any application layer protocol (usually
HTTP):
• Message Integrity
• Confidentiality
• Authentication
• Fragmentation
• Compression
Location of SSL and TLS in the Internet model

• If the server and client are capable of running the SSL
(or TLS) program, the client can use the URL
https://sitename.com instead of http://sitename.com.

SSL PROTOCOL
• SSL defines four protocols in two layers, as
shown below.
Handshake Protocol

Phase I of Handshake Protocol

Continued

Note

After Phase I, the client and server know the
following:
❏ The version of SSL
❏ The algorithms for key exchange, message
authentication, and encryption
❏ The compression method
❏ The two random numbers for key
generation
Phase II of Handshake Protocol

Continued

Note

After Phase II,
❏ The server is authenticated to the client.
❏ The client knows the public key of the
server if required.
Phase III of Handshake Protocol

Continued

Note

After Phase III,
❏ The client is authenticated to the server.
❏ Both the client and the server know the
pre-master secret.
Phase IV of Handshake Protocol

Continued

Note

After Phase IV, the client and server are
ready to exchange data.

Alert Protocol

• SSL uses this protocol for reporting errors and abnormal
conditions.
Record Protocol
• This protocol takes messages from the upper layers
and does the job of fragmentation and compression.
Cryptographic Secrets

• SSL needs six cryptographic secrets: 4 keys and
2 IVs.
• These secrets are generated using the following steps:
• The client and server exchange two random
numbers: one is created by the client and the other
by the server.
• The client and server exchange a special number
called the pre-master secret using one of the key-
exchange algorithms.
• A 48-byte master secret is created from the pre-
master secret by applying two hash functions (SHA-1
and MD5).

Generation Process of Master Secret
Generation of Key Material from Master Secret
• The master secret is used to create variable-length key
material by applying the same set of hash functions and
prepending different constants.
• The length of the key material block depends on the
cipher suite selected and the size of the keys needed for the
suite.

Extraction of Cryptographic Secrets from
Key Material
• Six different keys are extracted from the key
material as shown below.
Key Exchange Algorithms
• We know that the master secret delivers six cryptographic
secrets (four keys and two IVs) for authentication and
encryption/decryption.
• The client/server needs one key for message
authentication, one key for encryption and one IV for
block encryption.
• The key exchange algorithms are:
• NULL
• RSA
• Anonymous Diffie-Hellman
• Ephemeral Diffie-Hellman
• Fixed Diffie-Hellman
• Fortezza
Null

• There is no key exchange in this method.
• No pre-master secret is established between the
client and the server.
• Both client and server need to know the value of the
pre-master secret.

RSA key exchange; server public key

• Here the pre-master secret is a 48-byte random number
created by the client, encrypted with the server’s RSA
public key, and sent to the server.
Anonymous Diffie-Hellman

• Simplest and most insecure method.
• There is a chance of a man-in-the-middle attack.
• It is called anonymous because neither party is
known to the other.
• The pre-master secret is established between client
and server using the DH protocol.
• The DH half keys are sent in plain text.

Ephemeral Diffie-Hellman key exchange

• This is a solution to the man-in-the-middle attack.
• Each party sends a DH key signed by its private key.
• The receiver verifies the signature using the public
key of the sender.
• The public keys for verification are exchanged using
either RSA or DSS digital signature certificates.
Continued

Fixed Diffie-Hellman
• Another solution is the fixed Diffie-Hellman method.
• All entities in a group can prepare fixed DH
parameters (g and p).
• The CA will send the certified half keys to each of the
parties.

Fortezza
• Fortezza is a registered trademark of the U.S.
National Security Agency (NSA).
• It is a family of security protocols developed for the
Defense Department.
Encryption/Decryption Algorithms

• All the algorithms are divided into six groups as shown
below.
• Only one is in stream mode; the others are in block mode.
• All block ciphers use an 8-byte initialization
vector (IV) except for Fortezza, which uses a 20-byte IV.
Hash Algorithm for message integrity

NULL: The two parties may decline to use an algorithm.
In this case, there is no hash function and the message is
not authenticated.
MD5: The two parties may choose MD5 as the hash
algorithm. In this case, a 128-bit MD5 hash algorithm
is used.
SHA-1: The two parties may choose SHA as the hash
algorithm. In this case, a 160-bit SHA-1 hash algorithm
is used.
Cipher Suite
• The combination of key exchange, hash, and
encryption algorithms defines a cipher suite for each
SSL session.
• Each one starts with SSL, followed by the key-
exchange algorithm, the encryption algorithm and the hash
algorithm.
Example:

This cipher suite defines DHE_RSA (ephemeral DH with
RSA digital signature) as the key exchange with
DES_CBC as the encryption algorithm and SHA as the
hash algorithm.

SSL cipher suite list
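The derivation described on the last few slides (master secret from the pre-master secret, key material from the master secret, six secrets cut from the key material, sizes decided by the cipher suite), written out as an added Python example; it is not code from the slides. The cipher suite name is split into its three parts to decide how many key, MAC and IV bytes are needed, the SSLv3 master secret is computed with the MD5/SHA-1 construction, the key block is expanded from it, and the six secrets are cut out in order. The size table and the sample inputs are constructed for this example, and the suite name SSL_DHE_RSA_WITH_DES_CBC_SHA is assembled from the components the Example slide names.

```python
import hashlib

# Key, MAC and IV sizes in bytes for the algorithms named in the cipher
# suites on the slides (constructed lookup table for this example).
ENC_SIZES = {"NULL": (0, 0), "DES_CBC": (8, 8), "3DES_EDE_CBC": (24, 8), "RC4_128": (16, 0)}
MAC_SIZES = {"NULL": 0, "MD5": 16, "SHA": 20}


def parse_cipher_suite(name):
    """Split e.g. SSL_DHE_RSA_WITH_DES_CBC_SHA into
    (key exchange, encryption algorithm, hash algorithm)."""
    prefix, sep, rest = name.partition("_WITH_")
    if not sep or not prefix.startswith("SSL_"):
        raise ValueError("not an SSL cipher suite name: %r" % name)
    enc, _, mac = rest.rpartition("_")
    return prefix[len("SSL_"):], enc, mac


def ssl3_master_secret(pre_master, client_random, server_random):
    """SSLv3 master secret: three blocks of
    MD5(pre_master || SHA-1(label || pre_master || CR || SR))
    with labels 'A', 'BB', 'CCC', giving 48 bytes."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master + client_random + server_random).digest()
        out += hashlib.md5(pre_master + inner).digest()
    return out


def ssl3_key_block(master, client_random, server_random, length):
    """Key material: the same construction, now keyed by the master secret
    with labels 'A', 'BB', 'CCC', 'DDDD', ... until enough bytes exist.
    Note the random values are in the opposite order (SR before CR)."""
    out, i = b"", 0
    while len(out) < length:
        i += 1
        label = bytes([0x40 + i]) * i           # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(label + master + server_random + client_random).digest()
        out += hashlib.md5(master + inner).digest()
    return out[:length]


def derive_session_secrets(suite, pre_master, client_random, server_random):
    """Pick key sizes from the cipher suite, build the key block and split
    it into the six secrets in the order SSLv3 defines."""
    _, enc, mac = parse_cipher_suite(suite)
    key_len, iv_len = ENC_SIZES[enc]
    mac_len = MAC_SIZES[mac]
    master = ssl3_master_secret(pre_master, client_random, server_random)
    sizes = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = ssl3_key_block(master, client_random, server_random, sum(n for _, n in sizes))
    secrets, pos = {"master_secret": master}, 0
    for name, n in sizes:
        secrets[name] = block[pos:pos + n]
        pos += n
    return secrets
```

For the DES_CBC/SHA suite the key block is 20 + 20 + 8 + 8 + 8 + 8 = 72 bytes, so five MD5 blocks (labels 'A' through 'EEEEE') are generated and the tail is discarded; swapping the order of the client and server random values changes every derived secret, which is why both sides must agree on which random is which.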
Compression Algorithms

• Compression is optional in SSLv3.
• No specific compression algorithm is defined for
SSLv3.
• Therefore, the default compression method is NULL.

Sessions and Connections
• For two entities to exchange data, the establishment of
a session is necessary, but not sufficient.
• So, they need to create a connection between them as
shown below.
• A session involves creating a master key, but not the
connection.
Continued

• After a session is established, the two parties
have common information like the session id, the
certificate authenticating each one, the
compression method, the cipher suite and the
master secret.
• After a connection is established, the two
entities exchange two random numbers and
create the keys and parameters needed for
exchanging messages involving authentication
and privacy (using the master key).

Session State

Connection State
• The Transport Layer Security (TLS) protocol is the
IETF standard version of the SSL protocol.
• The two are very similar, with slight differences.
• The current version of SSL is 3.0; the current
version of TLS is 1.0.
• SSLv3.0 is compatible with TLSv1.0.
• TLS does not support Fortezza for key exchange or
for encryption/decryption.

Cipher Suite for TLS
Generation of Cryptographic Secrets

• Generation of cryptographic secrets is more
complex than in SSL.
• TLS defines two functions:
• The data-expansion function
• Pseudorandom function (PRF)

The data-expansion function
• The data-expansion function uses a predefined
HMAC (either MD5 or SHA-1) to expand the
secret to a longer one.
Pseudorandom Function(PRF)

• It combines two data-expansion functions: one
using MD5 and the other one using SHA-1.
• PRF takes three inputs: a secret, a label, and a seed.
• The label and seed are concatenated and serve as the
seed for each expansion function.
• The secret is divided into two halves; each half is
used as the secret for one of the data-expansion functions.
• Both outputs are exclusive-ORed to get the
final expanded secret.

Pseudorandom Function(PRF)
Master secret generation
• TLS uses the PRF to create the master secret from the
pre-master secret.
• Here, the PM is taken as the secret, the string “Master
Secret” as the label and the concatenation of CR and SR
as the seed.
• The label describes the type of output we want to create
and is actually the ASCII code of the string.

Key material generation

• The PRF is also used to generate the key material.
• Here, the secret is the master secret, the label is
“Key expansion” and the seed is the concatenation of
SR and CR.
Alert Protocol

• TLS supports all of the alerts defined in SSL
except for NoCertificate.
• TLS also adds some new ones to the list.

Alerts defined for TLS

Handshake Protocol

• TLS has made some changes in the Handshake
Protocol.
• Specifically, the details of the CertificateVerify
message and Finished message have been
changed.
Security at the
Network Layer: IPSec

Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE

• Internet Protocol Security
• It is a collection of protocols designed by the
IETF to provide security for packets at the IP
layer.
• It can enhance the security of email and other
client-server applications using HTTP and also
routing protocols.
• It is a must for those client-server programs that
don’t use TCP, but use UDP.
• This is because SSL/TLS is designed to provide
security to TCP only.
TCP/IP Protocol Suite and IPSec

• It is supported by both IPv4 and IPv6.

Transport Mode vs Tunnel Mode

• IPSec operates in two different modes: transport
mode or tunnel mode.
• In transport mode, IPSec protects only the IP
payload (excluding the IP header) which comes from
the transport layer to the network layer.
• In tunnel mode, IPSec protects the entire IP
packet (including the IP header).

IPSec in transport mode & tunnel mode
Transport mode

Tunnel mode

Comparison
Transport mode and tunnel mode
Security Protocols of IPSec
• IPSec defines two protocols to provide
authentication and/or encryption for packets
at the IP layer. They are:
• The Authentication Header (AH) Protocol
and
• The Encapsulating Security Payload (ESP)
Protocol
• Note: The ESP protocol was designed after
the AH protocol was already in use.
• ESP does whatever AH does with additional
functionality (privacy).

Authentication Header (AH)

The AH protocol provides source authentication
and data integrity, but not privacy.
Authentication Header (AH)
n Next Header: Type of the next header, indicating what
upper-layer protocol was protected.
n Payload Length: The length of this Authentication
Header.
n Security Parameter Index: Arbitrary value which is
used (together with the destination IP address) to
identify the security association of the receiving party.
n Sequence Number: A strictly increasing sequence
number (incremented by 1 for every packet sent) to
prevent replay attacks.
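An added Python example (not from the slides) that parses the AH fields just listed from raw bytes and implements the receiver-side anti-replay window that the sequence number makes possible (the sliding window of RFC 4302). The sample header is constructed; its ICV is left as zero bytes because verifying it needs the SA's key and the rest of the packet, which this example does not model.

```python
import struct

# Fixed part of the AH header (RFC 4302): Next Header, Payload Len, Reserved,
# SPI, Sequence Number; the ICV follows and is variable length.
AH_FIXED = struct.Struct("!BBHII")


def parse_ah(data):
    """Parse an Authentication Header. Payload Len counts 32-bit words minus 2,
    so the whole header (fixed part + ICV) is (payload_len + 2) * 4 bytes."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(data)
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError("AH length %d exceeds available %d bytes" % (total, len(data)))
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "icv": data[AH_FIXED.size:total],
        "ah_length": total,
        "payload": data[total:],
    }


class ReplayWindow:
    """Sliding anti-replay window (RFC 4302 section 3.4.3, default width 32).
    `top` is the highest sequence number accepted; bit i of `bitmap` records
    whether sequence number top - i has already been received."""

    def __init__(self, size=32):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if `seq` is acceptable and record it. A real receiver
        verifies the ICV first and only then updates the window."""
        if seq == 0:                    # the first packet on an SA uses 1
            return False
        if seq > self.top:              # new high-water mark: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:           # older than the window: drop
            return False
        if self.bitmap & (1 << diff):   # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def build_ah(next_header, spi, seq, icv):
    """Build a constructed AH for the example; len(icv) must be a multiple of 4."""
    payload_len = (AH_FIXED.size + len(icv)) // 4 - 2
    return AH_FIXED.pack(next_header, payload_len, 0, spi, seq) + icv
```

With a 12-byte ICV (the truncated HMAC-SHA1-96 size) the header is 24 bytes, so Payload Len is 4. The window accepts out-of-order packets that are still inside it, rejects a duplicate of anything it has recorded, and drops packets that have fallen behind the window entirely.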
Encapsulating Security Payload (ESP)

ESP provides source authentication, data integrity,
and privacy.

SECURITY ALGORITHMS

• HMAC-SHA1/SHA2
– for integrity protection and authentication.
• TripleDES-CBC
– for confidentiality.
• AES-CBC
– for confidentiality.
• AES-GCM
– for confidentiality and authentication
together efficiently.
SECURITY ASSOCIATION (SA)

• IPSec requires a logical relationship, called a
Security Association (SA), between two parties.
• It is a contract between two parties which can
create a secure channel between them.
• For example, an SA can be created between
Alice and Bob depending on their security
parameters and the algorithms used for encryption,
authentication, integrity etc.
• We can classify SAs as outbound SAs and
inbound SAs.

An example of a simple SA

• But the SA can be more complex if Alice wants to
send messages to many people and Bob needs to
receive messages from many people.
• In addition, each site needs to have both inbound and
outbound SAs to allow bidirectional communication.
• Therefore, the set of SAs is collected into a database
called the Security Association Database (SAD).

Security Association Database (SAD)

Typical SA Parameters

Parameters Description
SECURITY POLICY
• Note that before using the SAD, each host that is
using IPsec needs to keep a Security Policy
Database (SPD).
• A security policy defines
• the type of security applied to a packet when
it is to be sent or when it is to be received.
• Therefore, it is also classified as
• outbound SPD or
• inbound SPD.

An SPD

Outbound processing in SPD

Inbound processing in SPD
INTERNET KEY EXCHANGE (IKE)

• When a peer needs to send an IP packet, it consults
the SPD (and then the SAD) to see if there is an SA for
that type of traffic.
• If there is no SA, then IKE is called to establish one
(either an inbound or an outbound SA).
• IKE is designed in two phases:
• Phase-I creates SAs for phase-II and
• Phase-II creates SAs for the data exchange protocol.
• It is a complex protocol based on three other
protocols:
• Oakley
• SKEME
• ISAKMP

Diffie-Hellman Key-exchange Protocol
• The key-exchange idea in IKE is based on the DH
protocol.
• This protocol provides a session key between two
peers without the need for the existence of any
previous secret.
Weakness of Diffie-Hellman

• DH can be subject to the following attacks:
• Clogging Attack (or Denial of Service Attack)
• Replay Attack
• Man-In-The-Middle Attack
• Therefore, these weaknesses have to be addressed
before deploying it in IKE.

Diffie-Hellman with cookies
• A cookie is the result of hashing:
• a unique id. of the peer (an IP address, port no. etc.),
• a secret random number known to both and
• a timestamp.
Protection against Attacks

Note
To protect against a clogging attack, IKE uses cookies.

Note
To protect against a replay attack, IKE uses nonces.

Note
To protect against a man-in-the-middle attack, IKE requires
that each party shows that it possesses a secret.
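How a cookie lets a responder defend against clogging, as an added Python example (not from the slides): the cookie is a keyed hash over the peer's address and port and a timestamp, so the responder can recompute and check it when the peer echoes it back, without keeping any state and without doing the expensive Diffie-Hellman computation for a peer that never answers. The secret in this example is assumed to be the responder's own local value, and the addresses and timestamps are constructed.

```python
import hmac


def make_cookie(secret, peer_ip, peer_port, timestamp):
    """Cookie = truncated keyed hash over (peer identity, timestamp) under the
    responder's secret. Keying the hash means the responder can recompute
    and verify a cookie later without storing anything per peer."""
    ident = "%s:%d:%d" % (peer_ip, peer_port, timestamp)
    return hmac.new(secret, ident.encode("ascii"), "sha256").digest()[:8]


def verify_cookie(secret, cookie, peer_ip, peer_port, timestamp, now, max_age=60):
    """Accept only cookies that are fresh (bounded by max_age seconds) and
    that match the peer presenting them; the comparison is constant-time."""
    if not 0 <= now - timestamp <= max_age:
        return False
    expected = make_cookie(secret, peer_ip, peer_port, timestamp)
    return hmac.compare_digest(cookie, expected)
```

A peer that forges its source address never receives the cookie and so cannot return it, which is what stops it from making the responder commit resources; the timestamp bounds how long a captured cookie stays usable.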
ISAKMP
• Internet Security Association and Key Management
Protocol
• It is useful for managing Security Associations
(SAs).
• It also defines payloads for exchanging key
generation and authentication data in IKE.
• The following shows the general header:

Payloads

Firewall
and
Intrusion Detection System

Dr. Bimal Kumar Meher
Associate Professor
Dept. of CSE
What is a Firewall?
• A firewall is a network security system that
– monitors incoming and outgoing network traffic
and
– decides whether to allow or block specific traffic
based on a defined set of security rules.
• That means it imposes a barrier between a trusted
network and an untrusted network such as the Internet.
• A firewall can be hardware, software, or both.
• It implements VPNs using IPSec.

Source IP      Source Port   Destination IP   Destination Port   Policy
101.10.1.25    Any           205.23.1.24      25                 Allow
201.22.12.10   Any           125.20.13.4      443                Deny
…              …             …                …                  …
Types of Firewalls
• There are three types of firewalls.
– Packet filter (router) firewall
– Circuit level (gateway) firewall
– Application level (gateway) firewall
Packet filter Firewall
• It includes inspection of data packets based on
– physical network interface,
– IP header information, but not the data,
– source and destination addresses and ports,
– type of transport layer protocol (TCP or UDP).
• Then it permits or denies the packet as per
predefined rules.
Stateful Packet Filters
• Traditional packet filters do not examine
higher layer context
– e.g. matching return packets with an outgoing flow
• Stateful packet filters address this need
• They examine each IP packet in context
– keep track of client-server sessions
– check that each packet validly belongs to one
• Hence they are better able to detect bogus packets
out of context
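The rule table from the firewall slide, evaluated by an added Python example (not the slides' code): a stateless first-match filter over the address and port tuples with a default of Deny, and a stateful variant that remembers flows it allowed outbound so that their return packets are accepted, which the stateless table alone cannot express. The packets used are constructed.

```python
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    src_ip: str
    src_port: object      # int or "Any"
    dst_ip: str
    dst_port: object      # int or "Any"
    policy: str           # "Allow" or "Deny"


# The two rules from the table on the slide; the filter is first-match with
# an implicit default of Deny for anything the table does not mention.
RULES = [
    Rule("101.10.1.25", ANY, "205.23.1.24", 25, "Allow"),
    Rule("201.22.12.10", ANY, "125.20.13.4", 443, "Deny"),
]


def _field_matches(value, pattern):
    return pattern == ANY or value == pattern


def filter_packet(rules, src_ip, src_port, dst_ip, dst_port, default="Deny"):
    """Stateless packet filter: walk the rule table in order and return the
    policy of the first rule whose fields all match the packet."""
    for r in rules:
        if (_field_matches(src_ip, r.src_ip) and _field_matches(src_port, r.src_port)
                and _field_matches(dst_ip, r.dst_ip) and _field_matches(dst_port, r.dst_port)):
            return r.policy
    return default


class StatefulFilter:
    """Adds a connection table: return traffic for a flow that the filter
    already allowed outbound is accepted without needing a rule of its own."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        decision = filter_packet(self.rules, src_ip, src_port, dst_ip, dst_port)
        if decision == "Allow":
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
        return decision

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # a reply belongs to a session if it mirrors a recorded outbound flow
        if (dst_ip, dst_port, src_ip, src_port) in self.sessions:
            return "Allow"
        return filter_packet(self.rules, src_ip, src_port, dst_ip, dst_port)
```

The stateless filter has no way to tell the reply to an allowed SMTP connection from an unsolicited packet arriving from the same mail server on the same ports; the stateful filter accepts the first because it recorded the outgoing flow, and denies the second because no session matches it.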
Application level(gateway) Firewall
• An application-level gateway (or proxy server)
acts as a relay of application-level traffic.
• It examines the network packets for valid data
at the application layer before allowing a
connection.
• It has full access to the protocol
– user requests service from proxy
– proxy validates request as legal
– then acts on the request and returns the result to the user
– can log / audit traffic at application level
Application level(gateway) Firewall
• It maintains a complete list of connection
states and validates user passwords and other
service requests.
• Proxy services are dedicated to a particular
protocol such as TELNET, FTP, SMTP or HTTP.
Circuit level (Gateway)Firewall
• A circuit-level gateway relays two TCP
connections,
– one between itself and an inside TCP user, and
– the other between itself and a TCP user on an
outside host
Circuit level (Gateway)Firewall
• Once the two connections are established, it
relays TCP data from one connection to the other
without examining its contents
• It is typically used when internal users are trusted
to decide what external services to access
• One of the most common circuit-level gateways is
SOCKS
• It consists of
– a SOCKS server on the firewall,
– a SOCKS library and
– SOCKS-aware applications on internal clients.
Bastion Host
• A bastion host provides a secure platform for
an application-level or circuit-level gateway, or
for external services.
• A bastion host may have two or more network
interfaces (or ports), and
• it enforces trusted separation between these
network connections, relaying traffic only
according to policy.
• It is thus potentially exposed to "hostile"
elements and must be secured.
Characteristics of Bastion Host
• Common characteristics of a bastion host:
– executes a secure version of its OS, making it a trusted
system
– has only essential services installed on the bastion
host
– may require additional authentication before a user is
allowed access to the proxy services
– maintains detailed audit information by logging all
traffic
– each proxy performs no disk access other than to read
its initial configuration file
– each proxy runs as a non-privileged user in a private
and secured directory
Firewall Limitations
• cannot protect from attacks bypassing it
– e.g. sneaker net, trusted organisations, trusted
services (e.g. SSL/SSH)
• cannot protect against internal threats
– e.g. disgruntled or colluding employees
• cannot protect against transfer of all virus
infected programs or files
– because of the huge range of OS & file types
Firewall Configurations-I
• Here the firewall consists of two systems:
• a packet-filtering router - allows Internet packets
to/from the bastion only
• a bastion host - performs authentication and proxy
functions
• This has greater security than a single firewall,
as it implements both packet-level & application-
level filtering
Firewall Configurations-II
• It physically separates the external and internal
networks,
– ensuring two systems must be compromised to breach
security
• The advantages of dual layers of security are also
present here.
• The information server (or external hosts) is now
separated from the internal network, but
– can be allowed direct communication with the router if it
is a part of the security policy.
Firewall Configurations-III
• It is the most secure configuration.
• It has two packet-filtering routers,
– one between the bastion host and the Internet and
– the other between the bastion host and the internal
network, creating an isolated subnetwork
• Both the Internet and the internal network have
access to hosts on the screened subnet,
– but traffic across the screened subnet is blocked.
Firewall Configurations-III(contd…)
• This configuration offers several advantages:
– There are now three levels of defense to thwart
intruders
– The outside router advertises only the existence of
the screened subnet to the Internet;
• therefore the internal network is invisible to the
Internet
– Similarly, the inside router advertises only the
existence of the screened subnet to the internal
network;
• hence systems on the inside network cannot construct
direct routes to the Internet
Intrusion Detection
• Intrusion detection is the process of
– monitoring the events occurring in a computer system
or network and
– analyzing them for signs of possible incidents (threats).
• Threats may include:
– Masquerader: An individual who is not authorized to
use the computer (outsider)
– Misfeasor: A legitimate user who accesses
unauthorized data, programs, resources (insider)
– Clandestine user: An individual who seizes supervisory
control of the system and uses this control to evade
auditing and access controls or to suppress audit
collection (either)
Intrusion Detection System
• An intrusion detection system (IDS) is software
that automates the intrusion detection
process.
• An intrusion prevention system (IPS) is
software that has all the capabilities of an
intrusion detection system and can also
attempt to stop possible incidents.
• Therefore, the two together are commonly known as an IDPS.
IDPS Technologies
• Network-based
– It monitors the network traffic for particular
network segments or devices and
– analyzes the network and application protocols to
identify suspicious activities.
• Deployment:
– It is most commonly deployed at a boundary
between networks
– Examples: in proximity to border firewalls or
routers, virtual private network (VPN) servers,
remote access servers, and wireless networks.
IDPS Technologies(Contd…)
• Wireless
– It monitors wireless network traffic
– Analyzes wireless protocols
– It cannot identify suspicious activity in the application
or higher-layer network protocols (e.g., TCP, UDP) that
the wireless network traffic is transferring.
• Deployment:
– It is most commonly deployed within range of an
organization’s wireless network to monitor it,
– but can also be deployed to locations where
unauthorized wireless networking could be occurring.
IDPS Technologies(Contd…)
• Network Behaviour Analysis (NBA)
– It examines network traffic to identify threats that
generate unusual traffic flows,
– e.g. DDoS attacks, malware, policy violations
• Deployment:
– NBA systems are most often deployed to monitor
flows on an organization’s internal networks,
– Also sometimes deployed where they can monitor
flows between an organization’s networks and
external networks (e.g., the Internet, business
partners’ networks).
IDPS Technologies(Contd…)
• Host-based
– It monitors the characteristics of a single host and the
suspicious activities occurring inside it
• Examples of the types of characteristics a host-based
IDPS might monitor are
– network traffic (only for that host),
– system logs,
– running processes,
– application activity,
– file access and modification, and
– system and application configuration changes.
• Deployment: Host-based IDPSs are most commonly
deployed on critical hosts such as publicly accessible
servers and servers containing sensitive information.
Usage of IDPS
• Identifying security policy problems
– Configuration errors in the firewall
• Documenting the existing threats to an
organization.
– Maintaining logs of threats
• Deterring individuals from violating security
policies.
– Fear in the user’s mind
Usage of IDPS(Contd…)
• Prevention actions of an IDPS
– Terminating connections or sessions that are
being used in the attack, blocking access to
offending accounts or IPs.
• Changing the security environment
– Reconfiguration of network firewalls, fixing the
application software bugs.
• Changing the content of the attack
– It can act like a proxy, unpackage the payloads of
the request and remove the malicious
attachments in case of emails
Intrusion Detection Techniques
• Signature-based detection
• Anomaly-based detection
• Stateful protocol analysis
Signature-based detection
• A signature is a pattern that corresponds to a
known threat.
• Signature-based detection is the process of
comparing signatures against observed events to
identify possible incidents.
• Examples:
– A telnet attempt with a username of “root”, which is a
violation of an organization’s security policy
– An e-mail with a subject of “Free pictures!” and an
attachment filename of “freepics.exe”, which are
characteristics of a known form of malware
Drawback
• They have little knowledge of network or application
protocols and cannot track complex communications.
• For example, they cannot pair a request with the
corresponding response.
• They also lack the ability to remember previous
requests when processing the current request.
• This limitation prevents signature-based detection
methods from detecting attacks that comprise
multiple events if none of the events contains a clear
indication of an attack.
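The two signatures from the slide, run over a constructed log by an added Python example (not from the slides). Each line is parsed into fields and compared with every signature on its own; the five failed-login lines at the end are there to show the limitation described above: no single line matches anything, so a per-event matcher reports nothing about the sequence. The log format and the field names are assumptions for this example.

```python
import shlex


def parse_event(line):
    """Parse one constructed log line of the form
    '<proto> key=value key="value with spaces" ...' into a dict."""
    tokens = shlex.split(line)
    event = {"proto": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        event[key] = value
    return event


# Signatures modelled on the two examples on the slide: each is a name and a
# predicate evaluated against a single parsed event.
SIGNATURES = [
    ("telnet login attempt as root",
     lambda e: e["proto"] == "telnet" and e.get("user") == "root"),
    ("known malware mail (Free pictures! / freepics.exe)",
     lambda e: e["proto"] == "smtp" and e.get("subject") == "Free pictures!"
     and e.get("attachment", "").lower() == "freepics.exe"),
]


def detect(lines):
    """Compare every event against every signature. Each event is judged on
    its own, with no memory of earlier events, which is exactly the
    limitation the slides describe."""
    alerts = []
    for i, line in enumerate(lines):
        event = parse_event(line)
        for name, matches in SIGNATURES:
            if matches(event):
                alerts.append((i, name))
    return alerts


# Constructed sample log. Lines 3-7 are five failed logins from one host:
# no single line matches a signature, so a per-event matcher stays silent.
SAMPLE_LOG = [
    'telnet src=10.0.0.5 dst=10.0.0.1 user=root',
    'smtp src=10.0.0.9 subject="Free pictures!" attachment=FreePics.exe',
    'telnet src=10.0.0.6 dst=10.0.0.1 user=alice',
    'http src=10.0.0.7 dst=10.0.0.1 path=/login status=401',
    'http src=10.0.0.7 dst=10.0.0.1 path=/login status=401',
    'http src=10.0.0.7 dst=10.0.0.1 path=/login status=401',
    'http src=10.0.0.7 dst=10.0.0.1 path=/login status=401',
    'http src=10.0.0.7 dst=10.0.0.1 path=/login status=401',
]
```

Detecting the repeated failures would need state across events (a count per source over a time window), which is what the anomaly-based and stateful approaches on the following slides add.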
Anomaly-based detection
• Anomaly-based detection is the process of
comparing definitions of what activity is considered
normal against observed events to identify significant
deviations.
• It has profiles that represent the normal behavior of
users, hosts, network connections, or applications.
– The profiles are developed by monitoring the
characteristics of typical activity over a period of time.
• Examples: The number of e-mails sent by a user, the
number of failed login attempts for a host, and the
level of processor usage, bandwidth usage for a host in
a given period of time.
• Profiles can either be static or dynamic.
Drawback
• Dynamic profiles, although more suitable than
static profiles, are susceptible to evasion
attacks.
• Example: An attacker can perform small amounts
of malicious activity occasionally, then slowly
increase the frequency and quantity of activity. If
the rate of change is sufficiently slow, the IDPS
might think the malicious activity is normal
behavior and include it in its profile.
• Another problem with building profiles is that it
can be very challenging in some cases to make
them accurate, because computing activity can
be so complex.
Drawback(Contd…)
• Example: if a particular maintenance activity that
performs large file transfers occurs only once a
month, it might not be observed during the
training period; when the maintenance occurs, it
is likely to be considered a significant deviation
from the profile and trigger an alert.
• They may often produce many false positives in
dynamic environments when the activities
deviate significantly from profiles.
• It is often difficult for analysts to determine why
a particular alert was generated, because of the
complexity of events and the number of events that
may have caused the alert.
Statistical methods
• False positive: When the IDPS incorrectly
identifies a benign (harmless) activity as
malicious, a false positive alert is said to have
occurred.
• False negative: When the IDPS fails to identify
a malicious activity, a false negative alert is
said to have occurred.
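The profile ideas from the anomaly-detection slides and the two drawbacks, as an added Python example (not from the slides) over constructed counts of failed logins per hour: a static profile learned once from a training period, and a dynamic profile whose mean keeps adapting. On the slow ramp the static profile raises alerts while the dynamic one is led along and misses everything (false negatives); on the maintenance burst that was never in the training data both alert (the false positive the slide describes). The threshold of mean plus three standard deviations and the smoothing factor are assumptions of the example.

```python
import statistics


def train_static_profile(training_counts, k=3.0):
    """Profile = mean and an alert threshold of mean + k * standard deviation,
    learned once from a training period and never changed afterwards."""
    mean = statistics.mean(training_counts)
    sd = statistics.stdev(training_counts)
    return {"mean": mean, "threshold": mean + k * sd}


def detect_static(profile, observed):
    """Indices of observations that exceed the fixed threshold."""
    return [i for i, x in enumerate(observed) if x > profile["threshold"]]


def detect_dynamic(training_counts, observed, alpha=0.5, k=3.0):
    """Dynamic profile: the mean is updated after every observation (an
    exponential moving average), including observations that were not
    flagged, so a slow enough ramp is absorbed into the profile. The alert
    margin stays fixed from the training data."""
    mean = statistics.mean(training_counts)
    margin = k * statistics.stdev(training_counts)
    flagged = []
    for i, x in enumerate(observed):
        if x > mean + margin:
            flagged.append(i)
        mean = (1 - alpha) * mean + alpha * x    # profile absorbs what it saw
    return flagged


# Constructed data: failed logins per hour on one host during training ...
TRAINING = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]
# ... a slow ramp from roughly normal to far above it (the evasion case) ...
SLOW_RAMP = [4, 5, 6, 7, 8, 9, 10, 11, 12, 13]
# ... and a once-a-month maintenance burst that was never in the training set.
MAINTENANCE = [3, 30, 3]
```

With this training data the static threshold is about 6.1, so the ramp is flagged from the hour with 7 failures onward; the dynamic profile's threshold moves up with every hour and is never exceeded. Which profile is right depends on the environment, which is why analysts need the reasoning behind an alert, not only the alert.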
Stateful protocol analysis
• “Stateful” means that the IDPS is capable of
understanding and tracking the state of network,
transport, and application protocols that have a
notion of state.
• Here also the profile comparison is done between
normal activities and observed suspicious
activities.
• Unlike anomaly-based detection, which uses host
or network-specific profiles, stateful protocol
analysis relies on vendor-developed universal
profiles that specify how particular protocols
should and should not be used.
Stateful protocol analysis(Contd…)
• Example 1: when a user starts a File Transfer
Protocol (FTP) session, the session is initially in
the unauthenticated state.
• Unauthenticated users should only perform a
few commands in this state,
• such as viewing help information or providing
usernames and passwords.
Stateful protocol analysis(Contd…)
• Example 2: It can identify unexpected sequences of
commands, such as
– issuing the same command repeatedly or
– issuing a command without first issuing a command upon
which it is dependent.
• Example 3: The “protocol analysis” includes reasonable
checks for individual commands, such as minimum and
maximum lengths for arguments.
• If a command has a username argument with a specific
length (max. 20 characters allowed), then an argument
with a length of 40 characters is suspicious. If the large
argument contains binary data, then it is even more
suspicious.
Drawbacks
• Very resource-intensive because of the
complexity of the analysis and the overhead involved
in performing state tracking for many simultaneous
sessions.
• Cannot detect attacks that do not violate the
characteristics of generally acceptable protocol
behavior, such as performing many benign actions in a
short period of time to cause a denial of service.
• The protocol model used by an IDPS might conflict with
the way the protocol is implemented in particular
versions of specific applications and operating systems,
or how different client and server implementations of
the protocol interact.
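The three FTP examples combined into one small analyzer, as an added Python example (not from the slides): it tracks whether the session is still unauthenticated and which commands are acceptable there, flags PASS issued before USER and the same command repeated three times, and applies the 20-character limit and a binary-data check to the username argument. The command sets, limits and session lines are constructed, and the analyzer assumes that a PASS following USER succeeded; a real one would watch the server's reply codes.

```python
import string

# Constructed model of the FTP protocol for this example
ALLOWED_UNAUTHENTICATED = {"USER", "PASS", "HELP", "QUIT", "FEAT", "AUTH"}
MAX_ARG_LEN = {"USER": 20, "PASS": 64}   # per-command argument limits
DEFAULT_MAX_ARG_LEN = 255
REPEAT_LIMIT = 3
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


class FtpSessionAnalyzer:
    """Per-session protocol analysis of the client's command stream."""

    def __init__(self):
        self.authenticated = False
        self.user_seen = False
        self.last_cmd = None
        self.repeat_count = 0

    def inspect(self, line):
        """Check one client command line against the protocol model and
        return a list of findings (empty when the command looks normal)."""
        findings = []
        cmd, _, arg = line.strip("\r\n").partition(" ")
        cmd = cmd.upper()

        # Example 1: only a few commands are acceptable before authentication
        if not self.authenticated and cmd not in ALLOWED_UNAUTHENTICATED:
            findings.append("command not allowed before authentication: " + cmd)

        # Example 2a: a command whose prerequisite was never issued
        if cmd == "PASS" and not self.user_seen:
            findings.append("PASS without preceding USER")

        # Example 2b: the same command issued repeatedly
        self.repeat_count = self.repeat_count + 1 if cmd == self.last_cmd else 1
        if self.repeat_count >= REPEAT_LIMIT:
            findings.append("command repeated %d times: %s" % (self.repeat_count, cmd))
        self.last_cmd = cmd

        # Example 3: argument length limits and binary data in arguments
        limit = MAX_ARG_LEN.get(cmd, DEFAULT_MAX_ARG_LEN)
        if len(arg) > limit:
            findings.append("argument too long for %s: %d > %d" % (cmd, len(arg), limit))
        if any(ch not in PRINTABLE for ch in arg):
            findings.append("non-printable bytes in argument of " + cmd)

        # State transitions (assumption: PASS after USER is treated as success)
        if cmd == "USER":
            self.user_seen = True
        elif cmd == "PASS" and self.user_seen:
            self.authenticated = True
        return findings


def analyze_session(lines):
    """Run a whole constructed session and return (line index, finding) pairs."""
    analyzer = FtpSessionAnalyzer()
    return [(i, f) for i, line in enumerate(lines) for f in analyzer.inspect(line)]
```

The analyzer never needs a signature for a specific attack; everything it reports is a departure from how the protocol is supposed to be used, which is also why it stays silent on a session that is abusive but protocol-conformant, the first drawback listed above.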
Firewall vs IDS
• A firewall may not notify about security violations, but may simply
block the attack or action violating the security policy of the
firewall. But an IDS can detect and warn about security
violations.
• A firewall cannot detect security breaches associated with
traffic that does not pass through it. Only an IDS is aware of
traffic in the internal network.
• A firewall is more likely to be attacked than an IDS, as it
is the first level of defense to the outside world.
• A firewall is usually helpless against tunneling attacks.
• Therefore, it is good to have both IDS and firewall combined
into one program like Norton Internet Security.
Firewall vs IDS

Thank You…