Chapter-3.2 Cryptography and Encryption Techniques
Fundamental of
Software Security
Chapter 3.2
Cryptography and Encryption Techniques
Cryptography and Encryption Techniques
❖ Terminology
▪ Cryptography: schemes for encryption and decryption. The word comes from the Greek words for
secret writing.
▪ Secret Key: is also input to the algorithm; the exact substitutions and transformations
performed by the algorithm depend on the key; larger key size means greater security but
may decrease encryption/decryption speed.
▪ Ciphertext: the scrambled message produced as output. It depends on the plaintext and
the secret key. (the coded message).
▪ Description
▪ Alternatively, the terms encode and decode or encipher and decipher are used instead
of encrypt and decrypt.
o For instance, the plaintext message "I want cookies" can be denoted as the
message string <I, ,w,a,n,t, , c,o,o,k,i,e,s>.
o It can be transformed into ciphertext <c1, c2, …, c14>, and the encryption
algorithm tells us how the transformation is done.
❖ Notation
▪ Given
• P = Plaintext
• C = Ciphertext
▪ C = E_K(P) Encryption
▪ P = D_K(C) Decryption
P = D_K(E_K(P))
C = E_K(D_K(C))
▪ Note : The two basic building blocks of all encryption techniques are substitution and
transposition.
SUBSTITUTION CIPHERS
❖ To substitute a character or symbol for each character of the original message.
❖ This technique is called a monoalphabetic cipher or simple substitution.
❖ Caesar Cipher - Early Example of a Substitution Cipher by Julius Caesar. Named after the man who
used it.
The Caesar Cipher (the simplest and widely used)
▪ Each letter is translated to the letter a fixed number of places after it in the alphabet.
▪ Caesar used a shift of 3, so plaintext letter p_i was enciphered as ciphertext letter c_i by the rule
c_i = E(p_i) = p_i + 3
▪ A full translation chart of the Caesar cipher is shown here.
Advantage:
▪ Simple
Disadvantage:
▪ The algorithm has to be secret; once the algorithm is known, all messages can
be decrypted
Cont.
1. Encrypt the message UNIVERSISTY with the Caesar cipher with 4 as the key.
2. The message FUBSWRJUDSKB was encrypted using the Caesar cipher with 3 as the
key. Decrypt the message.
TRANSPOSITIONS (PERMUTATIONS)
▪ A Transposition is an encryption in which the letters of the message are rearranged.
▪ With transposition, the cryptography aims for diffusion, widely spreading the information from the
message or the key across the ciphertext.
▪ Transposition is a rearrangement of the symbols of a message; it is also known as a permutation.
Columnar Transpositions (the popular type)
The columnar transposition is a rearrangement of the characters of the plaintext into columns.
The following set of characters is a five-column transposition.
The plaintext characters are written in rows of five and arranged one row after another, as shown
here.
THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS
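The two building blocks described above, as an added example that is not part of the original slides. It assumes the usual convention that the columnar ciphertext is read down each column from left to right, and that the Caesar shift wraps around from Z to A; the function names are this example's own.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, key):
    """Substitution: shift each letter `key` places, wrapping Z back to A."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch
        for ch in text.upper()
    )

def columnar_encrypt(plaintext, cols):
    """Transposition: write the letters in rows of `cols`, read them out by column."""
    letters = "".join(ch for ch in plaintext.upper() if ch in ALPHABET)
    # letters[c::cols] is column c of the grid, top to bottom
    return "".join(letters[c::cols] for c in range(cols))

def columnar_decrypt(ciphertext, cols):
    """Rebuild the columns (the last row may be short), then read row by row."""
    n = len(ciphertext)
    rows, extra = divmod(n, cols)
    columns, pos = [], 0
    for c in range(cols):
        # the first `extra` columns hold one more letter than the others
        height = rows + (1 if c < extra else 0)
        columns.append(ciphertext[pos:pos + height])
        pos += height
    return "".join(columns[i % cols][i // cols] for i in range(n))

if __name__ == "__main__":
    msg = "THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS"
    ct = columnar_encrypt(msg, 5)
    print(ct)
    print(columnar_decrypt(ct, 5))
    print(caesar("HELLO", 3), caesar("KHOOR", -3))
```

Decryption with a negative key undoes the Caesar shift, and the transposition leaves every letter unchanged while moving its position.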
Cont.
1. Encipher WE ARE DISCOVERED AND FLEE AT ONCE using a simple 6 column transposition
cipher.
2. Decrypt the message ITYBA WOFAM APOLE NLOL TATG that was encrypted using a simple 5
column transposition
Cryptography Categories
▪ Stream cipher: encrypts plaintext one byte at a time, although a stream cipher may be
designed to operate on one bit at a time or on units larger than a byte at a time.
▪ Block cipher: splits the plaintext into fixed sized blocks and generates fixed sized
blocks of ciphertext.
Cont.
▪ Symmetric Key Cryptography also known as Symmetric Encryption is when a secret key
is leveraged for both encryption and decryption functions.
▪ This method is the opposite of asymmetric encryption where one key is used to encrypt
and another is used to decrypt.
▪ During this process, data is converted to a format that cannot be read or inspected by
anyone who does not have the secret key that was used to encrypt it.
Cont.
▪ In Symmetric-key encryption the message is encrypted by using a key and the same
key is used to decrypt the message which makes it easy to use but less secure. It also
requires a safe method to transfer the key from one party to another.
▪ Making the key longer also makes it safe against brute-force attacks.
▪ The longer the key, the stronger the security achieved, preventing any attack.
▪ Keystream can be designed more efficiently by including a greater number of 1s and 0s, making
cryptanalysis more difficult.
▪ A considerable benefit of a stream cipher is that it requires fewer lines of code than a block cipher.
Cont.
For Encryption,
▪ Plain Text and Keystream produces Cipher Text (Same keystream will be used for decryption.).
▪ The Plaintext will undergo XOR operation with keystream bit-by-bit and produces the Cipher
Text.
For Decryption,
▪ Cipher Text and Keystream gives the original Plain Text (Same keystream will be used for
encryption.).
▪ The Ciphertext will undergo XOR operation with keystream bit-by-bit and produces the actual
Plain Text.
Popular stream ciphers: A5/1 and RC4. Read about these for further understanding.
Block Cipher
▪ Block cipher splits the plaintext into fixed sized blocks and generates fixed sized
blocks of ciphertext.
▪ The ciphertext is obtained from the plaintext by iterating a function F over some
number of rounds.
Cont.
Feistel Structure for Block Ciphers
In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named
after the German IBM cryptographer Horst Feistel.
Confusion
• DES was then approved by NBS in 1978 and was standardized by ANSI under the
name of ANSI X3.92, also known as DEA (Data Encryption Algorithm)
Cont.
▪ DES utilizes block cipher, which means that during the encryption process, the plaintext is broken
into fixed length blocks of 64 bits
• A block cipher processes the input one block of elements at a time, producing an output
block for each input block; larger block sizes mean greater security but reduced
encryption/ decryption speed; a block size of 128 bits is a reasonable tradeoff and is
nearly universal among recent block cipher designs.
• A stream cipher processes the input elements continuously, producing output one
element at a time, as it goes along.
▪ The key in DES is 56 bits; 8 bits out of the total 64-bit key are used for parity checking (for
example, if odd parity is used, each byte has an odd number of 1 bits)
Cont.
DES Encryption
▪ Data is divided into 64-bit blocks; the key is 56 bits
▪ The processing has three phases
▪ Phase 1
• The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted
input; no elements are added or deleted or replaced, rather the order in which the elements appear in the sequence
is changed
▪ Phase 2
• The 64 bits are then divided into two 32-bit halves called L and R.
• The encryption then proceeds through 16 rounds of the same function, each using the L and R parts, and a
subkey.
• In each round, the new L part is simply a copy of the incoming R part
• The R part and the subkey are processed in the so-called f-function, and the output of the
f-function is exclusive-ORed with the existing L part to create the new R part
▪ Phase 3
• The pre-output is passed through a permutation that is the inverse of the initial permutation (IP^-1), to produce the
64-bit ciphertext
Cont.
DES uses the Feistel cipher structure with 16 rounds of processing
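The round structure of Phase 2, as an added example that is not part of the original slides. It is a toy Feistel network, not DES: the round function f and the subkey schedule are built from SHA-256 purely as an assumption for illustration, and the initial and final permutations are left out. It shows why decryption is the same procedure with the subkeys in reverse order, even though f itself cannot be inverted.

```python
import hashlib

ROUNDS = 16   # same round count as DES
HALF = 4      # bytes per half: 32-bit L and R, 64-bit block

def subkeys(key: bytes):
    """Toy key schedule (assumption): one 32-bit subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]

def f(right: bytes, subkey: bytes) -> bytes:
    """Toy round function (assumption); it does not need to be invertible."""
    return hashlib.sha256(right + subkey).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, round_keys) -> bytes:
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 64 bits (8 bytes)")
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        # new L is a copy of the old R; new R is old L XOR f(old R, subkey)
        left, right = right, xor(left, f(right, k))
    return right + left   # swap the halves after the last round

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    # identical network, subkeys applied in reverse order
    return feistel(block, subkeys(key)[::-1])

if __name__ == "__main__":
    key = b"constructed key"          # constructed sample values
    ct = encrypt_block(b"ABCDEFGH", key)
    print(ct.hex(), decrypt_block(ct, key))
```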
▪ In AES the number of rounds to be carried out depends on the length of the key being used to encrypt
data. The 128-bit key size has ten rounds, the 192-bit key size has 12 rounds, and the 256-bit key size
has 14 rounds.
▪ C = E_{K_E}(P)
▪ P = D_{K_D}(C)
P = D_{K_D}[E_{K_E}(P)]
▪ The two keys have the property that deriving the private key from the public key
is computationally infeasible
Cont.
▪ Proposed by Diffie and Hellman in 1976
▪ It is a revolutionary concept since it avoids the need of using a secure channel to communicate the
key
▪ It has made cryptography available for the general public and made many of today’s online
applications feasible
• Public-key algorithms are based on mathematical functions rather than on substitution and
permutation.
• Public-key cryptography is asymmetric, involving the use of two separate keys, in contrast to
symmetric encryption, which uses only one key.
• The use of two keys has profound consequences in the areas of confidentiality, key
distribution, and authentication
Cont.
▪ Properties of Public Key Cryptosystem
• If you have the private key, you can easily decrypt what is encrypted by the public key.
• Otherwise, it is computationally infeasible to decrypt what has been encrypted by the public
key.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using
Alice’s public key
4. When Alice receives the message, she decrypts it using her private key. No other recipient can
decrypt the message because only Alice knows Alice’s private key
At any time, a user can change its private key and publish the companion public key to replace its
old public key.
Cont.
Applications of Public-Key Cryptosystems
▪ RSA - Rivest-Shamir-Adleman
▪ DSS - Digital Signature Standard
▪ Diffie-Hellman
▪ Elliptic Curve Cryptography (ECC) algorithms
▪ You can read about Diffie-Hellman and Elliptic Curve Cryptography (ECC) algorithms
RSA (Rivest-Shamir-Adleman)
▪ The most widely used public-key cryptosystem is RSA
▪ Principle: No mathematical method is yet known to efficiently find the prime factors of large
numbers
▪ In RSA, the private and public keys are constructed from very large prime numbers
(consisting of hundreds of decimal digits)
▪ Breaking RSA is equivalent to finding the prime factors: this is known to be computationally
infeasible, i.e., security is based on the difficulty of factoring large integers
▪ It is only the person who has produced the keys from the prime number who can decrypt
messages
Cont.
▪ RSA - Key Generating Algorithm
1. Choose two large prime numbers, p and q
2. Compute n = pq and (phi) φ = (p-1)(q-1)
3. Choose an integer e, 1 < e < φ, such that GCD(e, φ) = 1
▪ (Note: The Greatest Common Divisor of two integers is the largest positive integer that
exactly divides both integers) or e and φ are relatively prime (two integers are relatively
prime if their only common positive integer factor is 1)
4. Determine the secret exponent d, 1 < d < φ, such that φ divides (ed-1)
5. The public key is the pair of integers (e, n) and the private key is (d, n), i.e., both sender and
receiver must know the value of n.
o The sender knows the value of e, and only the receiver knows the value of d
▪ Keep all the values d, p, q and φ secret
▪ n is known as the modulus
▪ e is known as the public exponent or encryption exponent
▪ d is known as the secret exponent or decryption exponent
Cont.
▪ RSA- Encryption
▪ Sender A does the following
▪ Obtains the recipient B's public key (e, n)
▪ Represents the plaintext message as a positive integer M
▪ Computes the ciphertext C = M^e mod n
▪ Sends the ciphertext C to B
▪ RSA- Decryption
▪ Recipient B does the following
▪ Uses his/her private key (d, n) to compute M = C^d mod n
▪ Extracts the plaintext from the message representative M
2. n = pq = 11*3 = 33
φ = (p-1)(q-1) = 10*2 = 20
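The key-generation, encryption and decryption steps carried through for p = 11 and q = 3, as an added example that is not part of the original slides. The choice of the smallest valid e and the sample message M = 7 are this example's own; a modulus this small is for following the arithmetic only.

```python
from math import gcd

def generate_keys(p, q, e=None):
    """Steps 1-5 of the key-generation algorithm; p and q must be distinct primes."""
    n = p * q                      # step 2: the modulus
    phi = (p - 1) * (q - 1)        # step 2: phi
    if e is None:
        # step 3: pick the smallest e with 1 < e < phi and GCD(e, phi) = 1
        e = next(c for c in range(2, phi) if gcd(c, phi) == 1)
    elif not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi and GCD(e, phi) = 1")
    # step 4: d is the inverse of e modulo phi, so phi divides (e*d - 1)
    d = pow(e, -1, phi)            # modular inverse via pow() needs Python 3.8+
    return (e, n), (d, n)          # step 5: public key, private key

def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message representative M must be smaller than n")
    return pow(m, e, n)            # C = M^e mod n

def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)            # M = C^d mod n

if __name__ == "__main__":
    public, private = generate_keys(11, 3)
    print("public (e, n):", public, "private (d, n):", private)
    c = encrypt(7, public)
    print("M = 7 -> C =", c, "-> M =", decrypt(c, private))
```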
▪ Where, M – Plaintext, H – Hash function, h – Hash digest, ‘+’ – Bundle both plaintext and digest,
E – Encryption, D – Decryption
Cont.
▪ The image in the previous slide shows the entire process, from the signing of the key to its
verification. So, go through each step to understand the procedure thoroughly.
Step 1: M, the original message is first passed to a hash function denoted by H# to create a
digest.
Step 2: Next, it bundles the message together with the hash digest h and encrypts it using the
sender’s private key.
Step 3: It sends the encrypted bundle to the receiver, who can decrypt it using the sender’s public
key.
Step 4: Once it decrypts the message, it is passed through the same hash function (H#), to
generate a similar digest.
Step 5: It compares the newly generated hash with the bundled hash value received along with
the message. If they match, it verifies data integrity.
How Digital signature works
Cont.
▪ So the Steps in Digital signature algorithm in general
1) Key Generation
2) Signature Generation
3) Signature Verification
▪ For digital signatures, however, the reverse of asymmetric encryption is true.
✓ The signature is encrypted using the private key and decrypted with the public key.
✓Because the keys are linked, decoding it with the public key verifies that the proper private
key was used to sign the document, thereby verifying the signature's provenance.
▪ Having understood the functionality of the DSA Algorithm, you must know the advantages this
algorithm offers over alternative standards like the RSA algorithm.
Cont.
❖ Out of all cryptographic primitives, the digital signature using public key cryptography is considered as
very important and useful tool to achieve information security.
❖ Let us briefly see how this is achieved by the digital signature −
▪ Message authentication − When the verifier validates the digital signature using the public key of a
sender, he is assured that the signature has been created only by the sender who possesses the corresponding
secret private key and no one else.
▪ Data Integrity − In case an attacker has access to the data and modifies it, the digital
signature verification at receiver end fails.
✓ The hash of modified data and the output provided by the verification algorithm will not match.
Hence, receiver can safely deny the message assuming that data integrity has been breached.
▪ Non-repudiation − Since it is assumed that only the signer has knowledge of the signature key,
only he can create a unique signature on given data.
✓ Thus the receiver can present data and the digital signature to a third party as evidence if any
dispute arises.
Hash Functions
▪ Hash functions are extremely useful and appear in almost all information security
applications.
▪ It is a mathematical function that converts a numerical input value into another
compressed numerical value. The input to the hash function is of arbitrary length but
output is always of fixed length.
▪ Values returned by a hash function are called message digest (is a fixed size numeric
representation of the contents of a message, computed by a hash function) or
simply hash values.
▪ A hash function H takes a message m of arbitrary length and produces a bit string h, h=
H(m)
▪ When the hash value h is sent with the message m, it enables the receiver to determine whether m
has been modified or not; the principal objective of a hash function is data integrity.
Cont.
▪ When a hash function is used to provide message authentication (integrity), the hash
function value is often referred to as a message digest.
▪ The two most common hashing algorithms are MD5 (Message Digest version 5) and
Secure Hash Algorithm or SHA (SHA-1 and later versions like SHA-256).
Key Management in Cryptography
In cryptography, it is a very tedious task to distribute the public and private keys
between sender and receiver. If the key is known to the third party (forger/eavesdropper)
then the whole security mechanism becomes worthless. So, there comes the need to secure
the exchange of keys.
There are two aspects for Key Management:
1. Distribution of public keys.
▪ It requires users to know the public key for the directory. Whenever the keys are needed, real-time
access to the directory is made by the user to obtain any desired public key securely.
Cont.
4. Public Certification: This time authority provides a certificate (which binds an identity to the public
key) to allow key exchange without real-time access to the public authority each time.
▪ The certificate is accompanied by some other info such as period of validity, rights of use, etc.
▪ All of this content is signed by the private key of the certificate authority and it can be verified by
▪ First sender and receiver both request CA for a certificate which contains a public key and
other information and then they can exchange these certificates and can start
communication.
End