Module IV

● Cryptographic Techniques,
● Key length,
● Key Management,
● Public Key Cryptography Versus Symmetric Cryptography,
● Encrypting communication Channel,
● Encrypting Data for storage
● Hardware vs software Encryption.
● Cryptographic Algorithm,
● Information theory,
● Data Encryption Standard (DES),
● IDEA,
● Blowfish.

CRYPTOGRAPHIC TECHNIQUE

Cryptography is the technique of securing information and communications through use of

codes so that only those persons for whom the information is intended can understand it and
process it. Thus preventing unauthorized access to information. The prefix “crypt” means
“hidden” and the suffix graphy means “writing”. In Cryptography the techniques which are use to
protect information are obtained from mathematical concepts and a set of rule based
calculations known as algorithms to convert messages in ways that make it hard to decode it.
These algorithms are used for cryptographic key generation, digital signing, verification to
protect data privacy, web browsing on the internet and to protect confidential transactions such
as credit card and debit card transactions.

Techniques used For Cryptography:

In today’s age of computers cryptography is often associated with the process where an
ordinary plain text is converted to cipher text which is the text made such that the intended
receiver of the text can only decode it and hence this process is known as encryption. The
process of conversion of cipher text to plain text is known as decryption.

KEY LENGTH

In cryptography, key size, key length, or key space refer to the number of bits in a key used by a
cryptographic algorithm. Key length defines the upper-bound on an algorithm's security,
because the security of all algorithms can be violated by brute-force attacks.
Key length is equal to the number of bits in an encryption algorithm’s key. A short key length
means poor security. However, a long key length does not necessarily mean good security. The
key length determines the maximum number of combinations required to break an encryption
algorithm.
Symmetric, or secret key encryption, uses a single key for both encryption and decryption.
Symmetric key encryption is used to encrypt large amounts of data efficiently. Advanced
Encryption Standard (AES) keys are symmetric keys that can be three different key lengths
(128, 192, or 256 bits).
The symmetric encryption mechanism must use a minimum key size of 128 bits.
The private key is a scalar twice the size of the security level. A typical value is 256 bits. The
public key is a group element, which is much larger than the private key. A typical value is 2048
bits.

KEY MANAGEMENT

In cryptography, it is a very tedious task to distribute the public and private keys between sender
and receiver. If the key is known to the third party (forger/eavesdropper) then the whole security
mechanism becomes worthless. So, there comes the need to secure the exchange of keys.

There are two aspects for Key Management:

● Distribution of public keys.

● Use of public-key encryption to distribute secrets.

Distribution of Public Key:

The public key can be distributed in four ways:

● Public announcement
● Publicly available directory
● Public-key authority
● Public-key certificates.
These are explained as following below:

1. Public Announcement: Here the public key is broadcasted to everyone. The major
weakness of this method is forgery. Anyone can create a key claiming to be someone else and
broadcast it. Until forgery is discovered can masquerade as claimed users.
2. Publicly Available Directory: In this type, the public key is stored in a public directory.
Directories are trusted here, with properties like Participant Registration, access and allow to
modify values at any time, containing entries like {name, public-key}. Directories can be
accessed electronically still vulnerable to forgery or tampering.

3. Public Key Authority: It is similar to the directory but improves security by tightening control
over the distribution of keys from the directory. It requires users to know the public key for the
directory. Whenever the keys are needed, real-time access to the directory is made by the user
to obtain any desired public key securely.

4. Public Certification: This time authority provides a certificate (which binds an identity to the
public key) to allow key exchange without real-time access to the public authority each time.
The certificate is accompanied by some other info such as period of validity, rights of use, etc.
All of this content is signed by the private key of the certificate authority and it can be verified by
anyone possessing the authority’s public key.

PUBLIC KEY CRYPTOGRAPHY VERSUS SYMMETRIC CRYPTOGRAPHY.

Public key cryptography

● It is defined as the technique that uses two different keys for encryption and decryption.
● It is also called Asymmetric key encryption.
● It is inefficient as this technique is used only for short messages.
● It is slower as it uses two different keys; both keys are related to each other through the
complicated mathematical process.
● It is free to use.
● The main purpose of the public key algorithm is to share the keys securely.
● There is a less possibility of key loss, as the key is held publicly.

Symmetric key cryptography

● It is defined as the technique that uses a single shared key (secret key) to encrypt and
decrypt the message.
● It is also called symmetric key encryption. It is because the same secret key is used in
bidirectional communication.
● It is efficient as this technique is recommended for large amounts of text.
● It is faster as it uses a single key for encryption and decryption.
 ● Apart from the sender and receiver, the private key is kept secret and not public to
anyone.
● The main purpose of the secret key algorithm is to transmit the bulk data.
● There is a possibility of losing the key that renders the system void.

ENCRYPTING COMMUNICATION CHANNEL

In theory, this encryption can take place at any layer in the OSI (Open Systems Interconnect)
communications model.In
practice, it takes place either at the lowest layers (one and two) or at higher layers. If it takes
place at
the lowest layers, it is called link-by-link encryption; everything going through a particular data
the link is encrypted. If it takes place at higher layers, it is called end-to-end encryption; the data
are
encrypted selectively and stay encrypted until they are decrypted by the intended final recipient.

Link-by-Link Encryption

This type of encryption is very effective. Because everything is encrypted, a cryptanalyst can get
no
information about the structure of the information. He has no idea who is talking to whom, how
long
the messages they are sending are, what times of day they communicate, and so on. This is
called
traffic-flow security: the enemy is not only denied access to the information, but also access to
the
knowledge of where and how much information is flowing.
Security does not depend on any traffic management techniques. Key management is also
simple;
only the two endpoints of the line need a common key, and they can change their key
independently
from the rest of the network.

End to end encryption

This approach avoids the encryption/decryption problem at the physical layer. By providing
end-toend encryption, the data remains encrypted until it reaches its final destination (see
Figure 10.2). The
primary problem with end-to-end encryption is that the routing information for the data is not
encrypted; a good cryptanalyst can learn much from who is talking to whom, at what times and
for
how long, without ever knowing the contents of those conversations.

End-to-End Encryption: Advantages and Disadvantages

Advantages:

● Higher secrecy level.

Disadvantages:

● Requires a more complex key-management system.

● Traffic analysis is possible, since routing information is not encrypted.
● Encryption is offline.

Link-by-Link Encryption: Advantages and Disadvantages

Advantages:

● Easier operation, since it can be made transparent to the user. That is, everything is
encrypted before being sent over the link.
● Only one set of keys per link is required.
● Provides traffic-flow security, since any routing information is encrypted.
● Encryption is online.

Disadvantages:

● Data is exposed in the intermediate nodes.

ENCRYPTING DATA FOR STORAGE

The encryption key has the same value as the message, only it is smaller. In effect,
cryptography
converts large secrets into smaller ones. Being smaller, they can be easily lost. Key
management
procedures should assume that the same keys will be used again and again, and that data may
sit on a
disk for years before being decrypted.

Other problems particular to encrypting computer data for storage were listed in:
● — The data may also exist in plaintext form, either on another disk, in another computer,
or on paper. There is much more opportunity for a cryptanalyst to perform a
known-plaintext attack.
● — In database applications, pieces of data may be smaller than the block size of most
algorithms. This will cause the ciphertext to be considerably larger than the plaintext.
● — The speed of I/O devices demands fast encryption and decryption, and will probably
require encryption hardware. In some applications, special high-speed algorithms may
be required.
● — Safe, long-term storage for keys is required.
● — Key management is much more complicated, since different people need access to
different files, different portions of the same file, and so forth.

Dereferencing key

When encrypting a large hard drive, you have two options. You can encrypt all the data using a
single key. This gives a cryptanalyst a large amount of ciphertext to analyze and makes it
impossible
to allow multiple users to see only parts of the drive. Or, you can encrypt each file with a
different
key, forcing users to memorize a different key for each file.

Driver-Level vs. File-Level Encryption

There are two ways to encrypt a hard drive:

● at the file level .
● at the driver level.
Encryption at the
file level means that every file is encrypted separately. To use a file that’s been encrypted, you
must
first decrypt the file, then use it, and then re-encrypt it.

Providing Random Access to an Encrypted Drive

Most systems expect to be able to access individual disk sectors randomly. This adds some
complication for using many stream ciphers and block ciphers in any chaining mode. Several
solutions are possible.
Use the sector address to generate a unique IV for each sector being encrypted or
decrypted.The drawback is that each sector will always be encrypted with the same IV. Make
sure this is not a
security problem.

HARDWARE V/S SOFTWARE ENCRYPTION

Software Encryption: Software Encryption, as the name suggests, is a process of keeping data
safe using the software. In this, the software is generally installed in the host computer that
encrypts and decrypts data. It is more cost-effective for smaller companies. In this, the
password is the key that one needs to have access to data. It usually shares processing
resources with all other programs or processes on the system that might have an impact on the
performance of all other functions of the system.

Hardware Encryption: Hardware Encryption, as the name suggests, is a process of keeping

data safe using a dedicated and separate processor. It is more cost-effective for larger
companies because it does not require any additional software installation. In this password,
biometrics such as fingerprints can be used to have access to data. It provides much greater
throughput capacity and speed in a large-scale environment. It also includes faster algorithm
processing, tamper-proof or tamper-resistant key storage, and protection against unauthorized
code.

Difference between Software Encryption and Hardware Encryption:

Software encryption

● It simply uses symmetric cryptography where the same key is used for encryption and
decryption.
● It generally allows to encrypt data during the backup job, data replication job, or auxiliary
copy job.
● It is cost-effective and cheap to implement as compared to hardware encryption.
● It is less secure as compared to hardware encryption.
● Software encryption systems usually have built-in recovery mechanisms but should set
up their recovery options in advance.
● Its encrypted storage is less expensive than a hardware tool.
● It uses computer resources to encrypt data and perform cryptographic operations.
● It needs to be reinstalled if OS is changed because software encryption exists in the
software of the machine.
● It can be copied to different drives or computers if one wants to expand security to other
machines.
● It uses computer processor to handle data encryption and therefore slows down overall
system performance.
● It does not require any additional hardware.
 ● Software-based encryption encrypts data and performs other cryptographic operations
using the computer’s resources. The user’s password is frequently used as the
encryption key that scrambles the data in software encryption.
● It uses secret keys generated from encryption software that runs on PCs.
● Brute force attack involves repeatedly guessing a password or encryption key. Although
software-based encryption techniques impose a constraint on the number of decryption
or login tries, hackers can still access the computer’s memory and reset the attempt
counter, due to which they get an endless amount of time to guess the password or key.
● Examples of such encryption tools include BitLocker, etc.
● Some software encryption systems, such as BitLocker, include built-in recovery
techniques, but you must set them up ahead of time.
● Some encryption software is difficult to operate, and users may choose to disable it,
destroying all protection. Because usage of encryption software tools can slow down
your computer as data is continually encrypted and decrypted.
● Cost-effective in small application environments.

Hardware Encryption

● It simply uses the onboard security of devices to perform encryption and decryption.
● It generally allows to encrypt data on tape drives that have built-in encryption
capabilities.
● It is costly to implement as compared to software encryption.
● It is more secure and safer as compared to software encryption because the encryption
process is separate from the rest of the machine making it much hardware to break or
intercept.
● Hardware encryption systems do not include additional recovery options.
● Its encrypted storage is more expensive than a software tool.
● It uses a dedicated processor that is physically located on an encrypted drive instead of
the computer processor.
● It will remain in place no matter what happens to the computer system because
hardware encryption exists outside of the computer’s software.
● One has to purchase an additional drive with hardware encryption if one wants to
expand security because it only covers one drive at a time.
● It runs on its hardware i.e.; encryption happens within the separate processor and
therefore has no effect on overall system performance.
● It usually requires a separate dedicated processor.
● Instead of the computer’s processor, hardware-based encryption employs a specialized
processor that is physically located on the encrypted drive.
● This encryption processor may additionally include a random number generator, which
generates an encryption key that is unlocked by the user’s password.
● It uses a secret key generated from the physical attribute of the storage device.
● This technique of brute force attack will not work since hardware-based encryption is
processed on a specialized chip that cannot be accessed by the computer.
 ● Hardware encryption can be present on external hard drives or solid-state drives called
Self-Encrypting Drives (SEDs), as well as in cell phones; examples are Apple’s Touch ID
and ace ID.
● Hardware-encrypted data is also more difficult to retrieve in the event of theft, as
hardware encrypted devices are designed to hinder data recovery in the event of theft.
● Because the encryption is constantly on, neither end-users nor malware can disable it.
● Cost-effective in medium and larger application environments.

CRYPTOGRAPHIC ALGORITHM

A cryptographic algorithm is the mathematical equation used to scramble the plain text and
make it unreadable. They are used for data encryption, authentication and digital signatures.
There are three types of cryptography:

● Symmetric-key cryptography -
Both sender and receiver share a single key and the sender uses this key to encrypt plaintext.
The cipher text is sent to the receiver, and the receiver can apply this same key to decrypt the
message and recover the plain text from the sender.
● Public-key or asymmetric cryptography –
In public key cryptography (PKI), also known as asymmetric cryptography, there are two related
keys called the public and private key. While the public key may be freely distributed, the paired
private key must remain confidential. The public key is used for encryption and the private key is
used for decryption.
The most used asymmetric cryptography algorithms are RSA and ECC. TLS/SSL certificates
frequently use RSA keys, and the recommended size of these keys is continually increasing to
maintain sufficient cryptographic strength. An alternative to RSA is ECC, which can offer the
same level of cryptographic strength at much smaller key sizes, offering improved security with
reduced computational and storage requirements.
● Hash-function –
No key is used in this algorithm, but a fixed-length value is calculated from the plaintext, which
makes it impossible for the contents of the plaintext to be recovered. Hash functions are often
used by computer systems to encrypt passwords. A popular hash algorithm is 256-SHA.
INFORMATION THEORY

Information is the source of a communication system, whether it is analog or digital. Information

theory is a mathematical approach to the study of coding of information along with the
quantification, storage, and communication of information.
Conditions of Occurrence of Events

● If we consider an event, there are three conditions of occurrence.

● If the event has not occurred, there is a condition of uncertainty.

● If the event has just occurred, there is a condition of surprise.

● If the event has occurred, a time back, there is a condition of having some information.
Hence, these three occur at different times. The difference in these conditions, help us have a
knowledge on the probabilities of occurrence of events.

Entropy

When we observe the possibilities of occurrence of an event, whether surprising or uncertain it

would be, it means that we are trying to have an idea on the average content of the information
from the source of the event.

Entropy can be defined as a measure of the average information content per source symbol.
Claude Shannon, the “father of the Information Theory”, has given a formula for it as

$$H = -\sum_{i} p_i\log_{b}p_i$$

Where $p_i$ is the probability of the occurrence of character number i from a given stream of
characters and b is the base of the algorithm used. Hence, this is also called Shannon's
Entropy.

The amount of uncertainty remaining about the channel input after observing the channel
output, is called Conditional Entropy. It is denoted by $H(x \arrowvert y)$.

Discrete Memoryless Source

A source from which the data is being emitted at successive intervals, which is independent of
previous values, can be termed as a discrete memoryless source.

This source is discrete as it is not considered for a continuous time interval, but at discrete time
intervals. This source is memoryless as it is fresh at each instant of time, without considering the
previous values.
Source Coding

According to the definition, “Given a discrete memoryless source of entropy $H(\delta)$, the
average code-word length $\bar{L}$ for any source encoding is bounded as $\bar{L}\geq
H(\delta)$”.

In simpler words, the code-word (For example: Morse code for the word QUEUE is -.- ..- . ..- . )
is always greater than or equal to the source code (QUEUE in example). Which means, the
symbols in the code word are greater than or equal to the alphabets in the source code.

Channel Coding
The channel coding in a communication system introduces redundancy with a control, so as to
improve the reliability of the system. Source coding reduces redundancy to improve the
efficiency of the system.

Channel coding consists of two parts of action.

● Mapping incoming data sequence into a channel input sequence.

● Inverse mapping the channel output sequence into an output data sequence.
The final target is that the overall effect of the channel noise should be minimized.

The mapping is done by the transmitter, with the help of an encoder, whereas the inverse
mapping is done at the receiver by a decoder.

DATA ENCRYPTION STANDARD (DES)

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST).

DES is an implementation of a Feistel Cipher. It uses a 16 round Feistel structure. The block
size is 64-bit. Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of
the 64 bits of the key are not used by the encryption algorithm (function as check bits only).
General Structure of DES is depicted in the following illustration

ation −

Since DES is based on the Feistel Cipher, all that is required to specify DES is −

● Round function
● Key schedule
● Any additional processing − Initial and final permutation

Initial and Final Permutation

The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of
each other. They have no cryptography significance in DES. The initial and final permutations
are shown as follows −
Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the
rightmost 32 bits to produce a 32-bit output.

● Expansion Permutation Box − Since the right input is 32-bit and the round key is
48-bit, we first need to expand the right input to 48 bits. Permutation logic is graphically
depicted in the following illustration −

● The graphically depicted permutation logic is generally described as table in DES

specification illustrated as shown −
 ● XOR (Whitener). − After the expansion permutation, DES does XOR operation on the
expanded right section and the round key. The round key is used only in this operation.

● Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES uses 8
S-boxes, each with a 6-bit input and a 4-bit output. Refer the following illustration −

● The S-box rule is illustrated below:

● There are a total of eight S-box tables. The output of all eight s-boxes is then combined
into a 32 bit section.

● Straight Permutation − The 32 bit output of S-boxes is then subjected to the straight
permutation with rule shown in the following illustration:

Key Generation

The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of
key generation is depicted in the following illustration −−
DES Analysis

The DES satisfies both the desired properties of block cipher. These two properties make cipher
very strong.

● Avalanche effect − A small change in plaintext results in a very great change in the
ciphertext.

● Completeness − Each bit of ciphertext depends on many bits of plaintext.

During the last few years, cryptanalysis have found some weaknesses in DES when keys
selected are weak keys. These keys shall be avoided.

DES has proved to be a very well designed block cipher. There have been no significant
cryptanalytic attacks on DES other than exhaustive key search.

IDEA
IDEA is a block cipher and it operates on 64 bit plaintext and 128 bit key. IDEA is reversible like
DES, that is, the equivalent algorithm can be used for encryption and decryption. IDEA needs
both diffusion and confusion for encryption.

The 64-bit plaintext is divided into four portions of 16 bit plaintext (P1 to P4). These are input to
the first round. There are eight such rounds. The key includes 128 bits. In each round, six
sub-keys are produced from the original key, each of these sub-key includes 16 bits.
For the first round it can have keys K1 to K6, for the second round it can have keys K7 to K12
and finally the last round. The final step includes an output transformation, which needs four
subkeys (K49 to K52).

The final output is the output created by the output transformation step. The blocks C1to C4 are
linked to form the final output.

Rounds − There are eight rounds in IDEA. Each round contains a sequence of operations on
the four data blocks, utilizing six keys. The Add * and Multiply * The following step of each round
are not easy addition and multiplication but they are addition module 216 i.e., 65536 and
Multiplication Module 216 + 1 i. e. , 65537.

Sub-key generation for a round −

● In the first round bit position 1-96 of the keys are utilized. Bits 97-128 remain unutilized.
They are given to round 2.

● In round second bits 97-128 are first used, thus circular left shift of 25 bit appears and
new bits from 26-89 are used. Bits position 90-128 and 1-25 remains unused.

● In round third unused bits 90-128 and 1-25 are first used again, circular left shift of 25 bit
appears and bit position 51-82 are used. Bit position 83-128 and 1-50 remains unused.

● In the fourth round bit 83-128 and 1-50 are used.

● In the fifth round circular left-shift of 25 bits appears and bit positions 76-128 and 1-43
are used. Bit position 44-75 remains unused.

● In the sixth round an unused bit of the fifth round is used and a left circular shift of 25 bit
occurs thus making bit position 37-100 unused.

● In the seventh round unused bits of the sixth round i.e., 37-100 are first used and circular
left shifts of 25 bit appear at position 126-128 and 1-29 are used. Bit 30-125 remains
unused.

● Unused bit position 30-125 from round seven is used and the key is disabled.
Output Transformation − It is a one-time operation. It takes place at the end of the 8th round.
Therefore 64-bit value is divided into four sub-blocks (say R1 to R4) and four subkeys are used
here.

IDEA Decryption − The decryption procedure is the equivalent of the encryption process. There
are some alterations in the generation and design of subkeys. The decryption subkeys are
opposite of the encryption subkeys.
BLOWFISH

Blowfish is the symmetric block cipher algorithm and it encrypts the block information of 64-bits
at a time. It follows the Feistel network and the working procedure of this algorithm is divided
into two parts.

Subkey Generation − This process transforms the key upto 448 bits long to subkeys adding
4168 bits.

Data-Encryption − In the data encryption process, it will iterate 16 times of the network. Each
round includes the key-dependent permutation, and the key and data- dependent substitution.

The operations in the algorithms are XORs or additions on 32-bit words. The only additional
operations are four indexed array information lookups per round.

Let us discuss these two parts are as follows −

Sub-key Generation − Blowfish cryptographic algorithm uses a huge number of subkeys.

These keys are created earlier to any of the data encryption or the decryption.
The p-array includes 18, 32-bit sub keys −

P1,P2,………….,P18.

There are four 32-bit S-Boxes includes 256 entries each −

S1,0, S1,1,………. S1,255

S2,0, S2,1,……….. S2,255

S3,0, S3,1,……….. S3,255

S4,0, S4,1,………... S4,255

Data Encryption − Blowfish is a Feistel network including 16 rounds.

The input is a 64-bit data element, x.

Divide x into two 32-bit halves : xL, xR.

Then, for i = 1 to 16;

xL = xLXOR Pi

xR = F(xL) XOR xR
Swap xL and xR

After the 16th round, Swap xL and xR again to undo the last swap.

Then, ciphertext = concatenation of xL and xR, xR = xR XOR P17 and xL = xL XOR P18.

Finally, recombine xL and xR to get the ciphertext. Decryption is the equivalent as encryption,
other than P1, P2,……P18 are utilized in the reverse order.