
Chapter 30

Cryptography

30.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
30-1 INTRODUCTION
Let us introduce the issues involved in cryptography.
First, we need to define some terms; then we give some
taxonomies.

Topics discussed in this section:


Definitions
Two Categories

Need for Security

■ Some people who cause security problems and why.
• Network security problems can be divided roughly into four closely intertwined areas:
– secrecy,
– authentication,
– non-repudiation, and
– integrity control.
• Secrecy: Confidentiality, keeping information out of the hands of unauthorized users.
• Authentication: Determining whom you are talking to before revealing sensitive
information.
• Non-repudiation: Deals with signatures. How would you prove that a customer placed an
order? What if he denies it later?
• Integrity Control: Finally, how can you be sure that a message you received was
really the one sent and not something that a malicious adversary modified in transit?
• Cryptography comes from the Greek words for "secret writing."
Encryption + Decryption = Cryptography.
• Types:
– Cipher: a cipher is a character-for-character or bit-for-bit transformation, without
regard to the linguistic structure of the message.
– Code: a code replaces one word with another word or symbol.
• Used by the U.S. armed forces during World War II in the Pacific against Japan.
• The U.S. broke the Japanese code, but the Japanese never broke the Navajo code (cipher and
code), which played a crucial role in American victories in the Pacific.
• Four groups of people have contributed to cryptography: the military, the diplomatic corps,
diarists, and lovers. ☺ ☺ ☺ ☺
• The messages to be encrypted, known as the plaintext, are transformed by a function that is
parameterized by a key.
• The output of the encryption process, known as the cipher-text, is then transmitted, often by
messenger or radio.
• We assume that the enemy, or intruder, hears and accurately copies down the complete
cipher-text.
• But, he does not know what the decryption key is and so cannot decrypt the ciphertext easily.
• The intruder needs to break this code.
• The art of breaking ciphers, called cryptanalysis, and the art of devising them (cryptography) are
collectively known as cryptology.
• What is the relation between plaintext, ciphertext, and keys? See next fig.
• We will use C = E_K(P) to mean that the encryption of the plaintext P using key K gives the
ciphertext C.
• Similarly, P = D_K(C) represents the decryption of C to get the plaintext again.
D_K(E_K(P)) = P
• The idea that secrecy lies exclusively in the keys is called Kerckhoff's principle, named after the
Flemish military cryptographer Auguste Kerckhoff who first stated it in 1883 (Kerckhoff, 1883).
• Kerckhoff's principle: All algorithms must be public; only the keys are secret.
• Trying to keep the algorithm secret is known in the trade as security by obscurity.
• The longer the key, the higher the work factor the cryptanalyst has to deal with.
• Newspaper cryptograms could be broken trivially if the cryptanalyst were allowed to ask such
questions as: What is the encryption of ABCDEFGHIJKL? ☺ ☺ ☺ ☺
• Encryption Methods:
– Substitution Ciphers
– Transposition Ciphers
Figure 30.1 Cryptography components (sender, receiver, plaintext, ciphertext, encryption, decryption)

Figure 30.2 Categories of cryptography

Figure 30.3 Symmetric-key cryptography

Note

In symmetric-key cryptography, the same key is used by the sender (for encryption)
and the receiver (for decryption). The key is shared.

Figure 30.4 Asymmetric-key cryptography

Figure 30.5 Keys used in cryptography

Figure 30.6 Comparison between two categories of cryptography

30-2 SYMMETRIC-KEY CRYPTOGRAPHY

Symmetric-key cryptography started thousands of years
ago when people needed to exchange secrets (for
example, in a war). We still mainly use symmetric-key
cryptography in our network security.

Topics discussed in this section:


Traditional Ciphers
Simple Modern Ciphers
Modern Round Ciphers
Mode of Operation

Figure 30.7 Traditional ciphers

Encryption Model

■ The encryption model (for a symmetric-key cipher).
Substitution Cipher
■ In a substitution cipher each letter or group of letters is
replaced by another letter or group of letters to disguise it.
■ Caesar Ciphers:
■ One of the oldest known ciphers is the Caesar cipher, attributed to
Julius Caesar.
■ In this method,
■ a becomes D,
■ b becomes E,
■ c becomes F,
■ ... , and
■ z becomes C.
■ For example, ‘attack’ becomes ‘DWWDFN’.
■ Plaintext will be given in lower case letters, and ciphertext in upper
case letters.
■ A generalization of the Caesar cipher allows the ciphertext alphabet to be shifted by k
letters, instead of always 3.
■ In this case k becomes a key to the general method of circularly
shifted alphabets.
■ Disadvantage: Can’t fool everyone. Easy to convert to plaintext.
Predictable key.
Note

A substitution cipher replaces one symbol with another.

Example 30.1
The following shows a plaintext and its corresponding
ciphertext. Is the cipher monoalphabetic? Key = +3

Solution
The cipher is probably monoalphabetic because both
occurrences of L’s are encrypted as O’s.

■ Mono-alphabetic substitution:
■ The next improvement is to have each of the symbols in the plaintext, say,
the 26 letters for simplicity, map onto some other letter.
■ For example,
■ plaintext:
abcdefghijklmnopqrstuvwxyz
■ ciphertext:
QWERTYUIOPASDFGHJKLZXCVBNM
■ The general system of symbol-for-symbol substitution is called a
monoalphabetic substitution,
■ with the key being the 26-letter string corresponding to the full alphabet.
■ ‘attack’ would be transformed into the ciphertext ‘QZZQEA’.
■ 26! ≈ 4 x 10^26 possible keys can be used.
■ Even at 1 nsec per solution, a computer would take 10^10 years to try all the
keys.
■ Disadvantage:
■ How to carry a 26-letter key? CD? Written? How? Risky.
■ Predicting is possible.
■ e is the most common letter, followed by t, o, a, n, i, etc.
■ The most common two-letter combinations, or digrams, are th, in, er, re, and an.
■ The most common three-letter combinations, or trigrams, are the, ing, and, and ion.
■ Conclusion? If ‘thYt’ stands for ‘that’, then ‘a’ has the code ‘Y’. Substituting
‘a’ for ‘Y’ then suggests further digrams and trigrams, such as ‘aWZ’ standing for
‘and’. With enough effort, the cryptanalyst can work out the key.
Example 30.2
The following shows a plaintext and its corresponding
ciphertext. Is the cipher monoalphabetic?

Solution
The cipher is not monoalphabetic because each
occurrence of L is encrypted by a different character.
The first L is encrypted as N; the second as Z.

Note

The shift cipher is sometimes referred to as the Caesar cipher.

Example 30.3
Use the shift cipher with key = 15 to encrypt the message
“HELLO.”

Solution
We encrypt one character at a time. Each character is
shifted 15 characters down. Letter H is encrypted to W.
Letter E is encrypted to T. The first L is encrypted to A.
The second L is also encrypted to A. And O is encrypted to
D. The cipher text is WTAAD.

Example 30.4
Use the shift cipher with key = 15 to decrypt the message
“WTAAD.”

Solution
We decrypt one character at a time. Each character is
shifted 15 characters up. Letter W is decrypted to H.
Letter T is decrypted to E. The first A is decrypted to L.
The second A is decrypted to L. And, finally, D is
decrypted to O. The plaintext is HELLO.
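
The shift cipher of Examples 30.3 and 30.4 and the monoalphabetic test of Examples 30.1 and 30.2, as an added Python example that is not part of the original slides. The ciphertext ABNZF (chosen to match the solution of Example 30.2), the sample sentence and the function names are constructed for this example.

```python
import string

ALPHABET = string.ascii_uppercase


def shift(text, key):
    """Shift each letter `key` places down the alphabet (a negative key shifts up)."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left untouched
    return "".join(out)


def is_monoalphabetic(plaintext, ciphertext):
    """True if every plaintext symbol always maps to the same ciphertext symbol."""
    seen = {}
    for p, c in zip(plaintext.upper(), ciphertext.upper()):
        if seen.setdefault(p, c) != c:
            return False
    return True


def exhaustive_search(ciphertext, known_word):
    """Try all 26 keys and keep those whose decryption contains a known word.

    This is why the slides call the key predictable: the whole key space
    can be listed on one screen.
    """
    hits = []
    for key in range(26):
        candidate = shift(ciphertext, -key)
        if known_word.upper() in candidate:
            hits.append((key, candidate))
    return hits


# Constructed sample sentence, encrypted with the key of Example 30.3.
SAMPLE = "we assume the intruder copies the complete ciphertext"
SAMPLE_CIPHERTEXT = shift(SAMPLE, 15)

if __name__ == "__main__":
    print(shift("HELLO", 15), shift("WTAAD", -15))
    print(is_monoalphabetic("HELLO", "KHOOR"), is_monoalphabetic("HELLO", "ABNZF"))
    for key, text in exhaustive_search(SAMPLE_CIPHERTEXT, "ciphertext"):
        print(key, text)
```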

Note

A transposition cipher reorders (permutes) symbols in a block of symbols.

Transposition Ciphers

■ A transposition cipher.
■ Transposition ciphers reorder the letters but do not
disguise them.
■ The cipher is keyed by a word or phrase not containing
any repeated letters.
■ In this example, MEGABUCK is the key.
■ The purpose of the key is to number the columns.
■ Plaintext is written horizontally, in rows, padded to fill the
matrix if need be.
■ The ciphertext is read out by columns, starting with the
column whose key letter is the lowest.
■ Every letter represents itself, keeping the frequency
distribution intact.
■ How can a cryptanalyst break the cipher?
■ Suppose ‘million dollars’ occurs somewhere in the message.
■ The cryptanalyst observes the digrams MO, IL, LL, LA, IR produced by the phrase wrapping around.
■ For k columns, k(k-1) column pairs can be examined.
■ Advantage: tough to determine the column sequence.
Figure 30.8 Transposition cipher

Example 30.5
Encrypt the message “HELLO MY DEAR,” using the key
shown in Figure 30.8.

Solution
We first remove the spaces in the message. We then divide
the text into blocks of four characters. We add a bogus
character Z at the end of the third block. The result is
HELL OMYD EARZ. We create a three-block ciphertext
ELHLMDOYAZER.

Example 30.6
Using Example 30.5, decrypt the message
“ELHLMDOYAZER”.

Solution
The result is HELL OMYD EARZ. After removing the
bogus character and combining the characters, we get the
original message “HELLO MY DEAR.”
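
Both transposition schemes described above, as an added Python example that is not part of the original slides: the keyword-numbered columnar cipher (key MEGABUCK) and the four-character block permutation of Examples 30.5 and 30.6. Figure 30.8 is not reproduced on this page, so the permutation (2, 4, 1, 3) is inferred from HELL becoming ELHL in Example 30.5; the sample plaintext and function names are constructed.

```python
from collections import Counter


def column_order(key):
    """Column indices in read-out order: the lowest key letter comes first."""
    if len(set(key)) != len(key):
        raise ValueError("key must not contain repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])


def columnar_encrypt(plaintext, key, pad="x"):
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    text += pad * (-len(text) % len(key))  # pad the last row of the matrix
    return "".join(text[c::len(key)] for c in column_order(key)).upper()


def columnar_decrypt(ciphertext, key):
    rows = len(ciphertext) // len(key)
    columns = [""] * len(key)
    for n, c in enumerate(column_order(key)):
        columns[c] = ciphertext[n * rows:(n + 1) * rows]
    return "".join(columns[c][r] for r in range(rows)
                   for c in range(len(key))).lower()


def block_encrypt(plaintext, perm, pad="Z"):
    """Ciphertext position i of each block takes plaintext position perm[i] (1-based)."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    text += pad * (-len(text) % len(perm))
    return "".join(text[start + p - 1]
                   for start in range(0, len(text), len(perm)) for p in perm)


def block_decrypt(ciphertext, perm):
    inverse = [perm.index(i) + 1 for i in range(1, len(perm) + 1)]
    return "".join(ciphertext[start + p - 1]
                   for start in range(0, len(ciphertext), len(perm)) for p in inverse)


def same_letter_counts(a, b):
    """Transposition only moves letters, so the frequency table is unchanged."""
    return Counter(a.upper()) == Counter(b.upper())


PERM = (2, 4, 1, 3)  # inferred from Example 30.5, see the lead-in

if __name__ == "__main__":
    ct = columnar_encrypt("please transfer on", "MEGABUCK")
    print(ct, columnar_decrypt(ct, "MEGABUCK"))
    print(same_letter_counts(ct, "pleasetransferon"))
    print(block_encrypt("HELLO MY DEAR,", PERM))
    print(block_decrypt("ELHLMDOYAZER", PERM))
```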

Figure 30.9 XOR cipher

Figure 30.10 Rotation cipher

Figure 30.11 S-box

Figure 30.12 P-boxes: straight, expansion, and compression

Product Ciphers

■ Basic elements of product ciphers. (a) P-box. (b) S-box. (c) Product.
■ S-Box:
■ a 3-bit plaintext is entered and a 3-bit ciphertext is output.
■ The 3-bit input selects one of the eight lines exiting from the
first stage and sets it to 1.
■ The second stage is a P-box.
■ The third stage encodes the selected input line in binary
again.
■ If 01234567 is input, the output would be 24506713.
■ Product Cipher:
■ A powerful tool in which P-boxes and S-boxes are cascaded, forming
a whole series of boxes, to make a product cipher.
■ 12 input lines in the P-box.
■ 2^12 = 4096 crossed wires are needed in the middle stage.
■ The input is broken into groups of 3 bits, each substituted independently.
■ A k-bit input produces a k-bit output; k is 64 to 256.
■ Less general, more powerful, becoming a complicated function.
Feistel Cipher Structure

■ Virtually all conventional block encryption algorithms, including DES, have a
structure first described by Horst Feistel of IBM in 1973.
■ Hence, Feistel is called the father of Cryptography.
■ The realization of a Feistel Network depends on the choice of the following
parameters and design features (see next slide):
Feistel Cipher Structure
■ Block size: larger block sizes mean greater security
■ Key Size: larger key size means greater security
■ Number of rounds: multiple rounds offer increasing
security
■ Subkey generation algorithm: greater complexity will
lead to greater difficulty of cryptanalysis
■ Round function: greater complexity means greater
resistance to cryptanalysis
■ Fast software encryption/decryption: the speed of
execution of the algorithm becomes a concern
■ Ease of analysis: It should be difficult to analyse the
cipher text and conversion of ciphertext to plaintext
must be impossible.
Data Encryption Standard (DES)

■ The most widely used encryption scheme.
■ Published as FIPS PUB 46 (Federal Information Processing Standards) by
NIST (National Institute of Standards & Technology).
■ The algorithm is referred to as the Data Encryption
Algorithm (DEA).
■ DES is a block cipher.
■ Minor variation of Feistel.
■ It has 16 rounds of processing.
■ The plaintext is processed in 64-bit blocks.
■ The key is 56 bits in length, which is divided into 16
subkeys, one used for each round.
■ Decryption:
■ Use ciphertext as input to DES.
■ Use the subkeys Ki in reverse order until K1 is reached, i.e., K16 down to K2,
K1.
Figure 30.13 DES

Figure 30.14 One round in DES ciphers

■ DES (Data Encryption Standard), was widely adopted by the industry for use in security products.
■ DES procedure:
■ Enciphering a 64-bit data block and a
■ 56-bit key
■ Step 1: Stage 1: An initial transposition (permutation)
■ Step 2: Iteration 1 to 16: rounds of a complex key dependent calculation.
■ Step 3: Stage ‘second last’: 32 bit exchange of leftmost 32 bits with rightmost 32 bits.
■ Step 4: Stage ‘last’: A final transposition, obtained by just reversing the obtained transposition.
■ Output: 64 bit ciphertext.
■ Iteration 1 to 16 procedure:
■ Each stage takes two 32-bit inputs and produces two 32-bit outputs.
■ Each of 16 iterations uses different key.
■ The left output is simply a copy of the right input.
■ The right output is the bitwise XOR of the left input and a function of the right input and the key
for this stage, Ki.
■ All the complexity lies in this function.
■ Whitening:
■ Technique used to make DES stronger.
■ XORing a random 64-bit key with each plaintext block before feeding it into DES.
■ And then XORing a second 64-bit key with the resulting ciphertext before transmitting it.
■ It can be removed easily by running the reverse operation.
■ It adds more bits to the key length.
■ Time consuming.
■ In 1977, Stanford cryptography researchers Diffie and Hellman designed a machine that breaks DES
within 1 day.
■ With a key length of 56 bits, there are 2^56 = 7.2 x 10^16 possible
keys.
■ Here, a brute-force attack appears impractical. How?
■ Trying one key per microsecond would take more than 10
thousand years to break the cipher.
■ So? DES is secure?
■ Yes or No?
■ DES was finally and definitively proved insecure in July 1998, when
the Electronic Frontier Foundation (EFF98) announced that it had
broken a DES encryption using a special-purpose “DES Cracker”
machine that was built for less than $250,000.
■ The attack took less than 3 days to break the cipher.
■ Problem?
■ Solution?
■ So a 128-bit key is guaranteed to result in an algorithm that is
unbreakable by brute force or EFF98.
■ A 128-bit key would take over 10^18 years to break using
the EFF cracker.
Figure 30.16 Triple DES

Triple DES

■ (a) Triple encryption using DES.
■ (b) Decryption.
■ IBM realized that the DES key length was too short and developed triple DES.
■ Here,
■ 2 keys,
■ 3 stages
■ Procedure:
■ Step 1: The plaintext is encrypted using DES in the usual way with K1.
■ Step 2: DES is run in decryption mode, using K2 as the key.
■ Step 3: Finally, another DES encryption is done with K1.
■ Why are 2 keys used instead of 3?
■ Another key would just add overhead for little benefit. So 2 keys are enough.
■ Why EDE instead of EEE?
■ Backward compatibility with the single encryption/decryption algorithm, by just setting
K1 = K2.
■ Advantage / Attraction of People:
■ 168 bit key length which overcomes the
vulnerability of brute force attack.
■ Same algorithm procedure as DES.
■ Very resistant to cryptanalysis.
■ Disadvantage:
■ Algorithm is relatively sluggish in software,
does not produce efficient software codes.
■ Slower due to 3 times more rounds than DES.
■ Both DES and 3DES use 64 bit block size,
larger block size is desirable for efficiency and
security.
■ Solution?
■ AES.
AES – The Advanced Encryption Standard
■ DES began approaching the end of its useful life, even with triple DES.
■ NIST (National Institute of Standards and Technology), the agency of
the U.S. Dept. of Commerce charged with approving standards for the
U.S. Federal Government, decided that the government needed a new
cryptographic standard for unclassified use as there were problems
with DES to be standardized.
■ They conducted a conference which had the following rules for the
cryptographic algorithm:
■ Rules for AES proposals:
1. The algorithm must be a symmetric block cipher.
2. The full design must be public.
3. Key lengths of 128, 192, and 256 bits supported.
4. Both software and hardware implementations required.
5. The algorithm must be public or licensed on nondiscriminatory terms.
■ Out of 16 proposals, 5 were shortlisted and 1 was awarded as the best
solution/algorithm provided so far.
■ Name: Rijndael (from: Joan Daemen and Vincent Rijmen, 86 votes).
■ Let us see that in detail.
Table 30.1 AES configuration

Note

AES has three different configurations with respect to the number of rounds
and key size.

Figure 30.17 AES

Figure 30.18 Structure of each round

■ Step 1: does a byte-for-byte substitution on state. Each byte in turn is
used as an index into an S-box to replace its value by the contents of
that S-box entry. This step is a straight mono-alphabetic substitution
cipher. Unlike DES, which has multiple S-boxes, Rijndael has only one
S-box.
■ Step 2: rotates each of the four rows to the left. Row 0 is rotated 0
bytes (i.e., not changed), row 1 is rotated 1 byte, row 2 is rotated 2
bytes, and row 3 is rotated 3 bytes. This step diffuses the contents of
the current data around the block, analogous to the permutations.
■ Step 3: mixes up each column independently of the other ones. The
mixing is done using matrix multiplication in which the new column is
the product of the old column and a constant matrix, with the
multiplication done using the finite Galois field, GF(2^8).
■ Step 4: XORs the key for this round into the state array.
■ Decryption?
■ Decryption can be done just by running the algorithm backward.
■ However, there is also a trick available in which decryption can be done by
running the encryption algorithm, using different tables.
■ Advantages:
■ Great speed
■ Great security
■ A good software implementation on a 2-GHz machine can achieve a 700-Mbps
encryption rate and encrypt over 100 MPEG-2 videos in real time.
■ Hardware implementation is also faster.
Figure 30.19 Modes of operation for block ciphers

Figure 30.20 ECB mode

Electronic Code Book Mode

■ Step 1: Break the plaintext up into consecutive 8-byte (64-bit) blocks.
■ Step 2: Encrypt them one after another with the same key.
■ Step 3: The last piece of plaintext is padded out to 64 bits, if need
be.
■ Also called ECB mode.
■ An intruder can exploit this by making a copy of the 12th ciphertext block
(which contains Kim's bonus) and using it to replace the 4th
ciphertext block (which contains Leslie's bonus), even without
knowing what the 12th block says.
Cipher Block Chaining Mode

■ Cipher block chaining. (a) Encryption. (b) Decryption.
■ Overcomes the disadvantage of ECB mode.
■ Each plaintext block is XORed with the previous ciphertext block before being encrypted.
■ Step 1: The first block is XORed with a randomly chosen IV (Initialization Vector), which is
transmitted (in plaintext) along with the ciphertext.
■ C0 = E(P0 XOR IV)
■ Step 2: Then we compute C1 = E(P1 XOR C0), and so on.
■ Decryption?
■ Also uses XOR to reverse the process, with P0 = IV XOR D(C0), and so on.
■ Advantage:
■ The same plaintext block will not result in the same ciphertext block, making cryptanalysis more difficult.
■ Disadvantage:
■ Have to wait until an entire 64-bit block has arrived before decryption can begin.
Figure 30.21 CBC mode
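
The Feistel round rule from the DES slides (left output copies the right input, right output is left XOR f(right, Ki), decryption reuses the network with the subkeys reversed) and the ECB and CBC modes above, as one added Python example that is not part of the original slides. The block cipher is a toy 16-round Feistel network with a SHA-256 stand-in for the round function and key schedule, not DES; the payroll records, key and function names are constructed.

```python
import hashlib
import os

BLOCK = 8    # bytes: the 64-bit block size used by DES
ROUNDS = 16


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def subkeys(key):
    # Constructed key schedule (not the DES one): one 32-bit subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def round_function(right, subkey):
    # Stand-in for the DES round function; only the Feistel structure matters here.
    return hashlib.sha256(right + subkey).digest()[:4]


def feistel(block, keys):
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor_bytes(left, round_function(right, k))
    return right + left  # final exchange of the two 32-bit halves


def encrypt_block(block, key):
    return feistel(block, subkeys(key))


def decrypt_block(block, key):
    return feistel(block, subkeys(key)[::-1])  # same network, subkeys reversed


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("pad the data to a multiple of 8 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data, key):
    return b"".join(encrypt_block(b, key) for b in blocks(data))


def ecb_decrypt(data, key):
    return b"".join(decrypt_block(b, key) for b in blocks(data))


def cbc_encrypt(data, key, iv):
    out, prev = [], iv
    for b in blocks(data):
        prev = encrypt_block(xor_bytes(b, prev), key)  # Ci = E(Pi XOR Ci-1)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor_bytes(decrypt_block(c, key), prev))  # Pi = D(Ci) XOR Ci-1
        prev = c
    return b"".join(out)


def copy_block(ciphertext, src, dst):
    """The tampering from the ECB slide: block dst is overwritten with block src."""
    parts = blocks(ciphertext)
    parts[dst] = parts[src]
    return b"".join(parts)


# Constructed payroll records: 8-byte name then 8-byte bonus (four blocks).
RECORDS = b"Leslie  " + b"$0000010" + b"Kim     " + b"$0500000"
KEY = b"constructed-key"

if __name__ == "__main__":
    iv = os.urandom(BLOCK)
    ecb = ecb_decrypt(copy_block(ecb_encrypt(RECORDS, KEY), 3, 1), KEY)
    cbc = cbc_decrypt(copy_block(cbc_encrypt(RECORDS, KEY, iv), 3, 1), KEY, iv)
    print("ECB after tampering:", ecb)  # decrypts cleanly with the copied bonus
    print("CBC after tampering:", cbc)  # the affected blocks decrypt to garbage
```

Neither mode authenticates the ciphertext; the difference shown is only that chaining ties each block to its position, so a copied block no longer decrypts to a valid field.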
Cipher Feedback Mode

■ (a) Encryption. (b) Decryption.
■ Overcomes the disadvantage of Cipher Block Chaining Mode.
■ Uses triple DES; only a 128-bit shift register is used.
■ Step 1: The leftmost byte of that ciphertext is extracted and XORed with P10.
■ Step 2: That byte is transmitted on the transmission line.
■ Step 3: In addition, the shift register is shifted left 8 bits, causing C2 to fall off the left end, and
C10 is inserted in the position just vacated at the right end by C9.
■ Need: an initialization vector to start the ball rolling.
■ Decryption? Decryption with cipher feedback mode just does the same thing as encryption
(not decryption).
■ Disadvantage? A one-bit transmission error spreads: if one bit of the ciphertext is accidentally
inverted during transmission, the 8 bytes that are decrypted while the bad byte is in the shift
register will be corrupted.
Figure 30.22 CFB mode

Stream Cipher Mode / OFB

■ A stream cipher. (a) Encryption. (b) Decryption.
■ Overcomes the disadvantage of the 1-bit error.
■ Step 1: It works by encrypting an initialization vector, using a key to get an output block.
■ Step 2: The output block is then encrypted, using the key to get a second output block.
■ Step 3: This block is then encrypted to get a third block, and so on.
■ Step 4: The (arbitrarily large) sequence of output blocks, called the key stream, is treated like a
one-time pad and XORed with the plaintext to get the ciphertext.
■ Note:
■ IV is used only on the first step.
■ Key-stream is independent of the data,
■ so it can be computed in advance, if need be, and
■ It is completely insensitive to transmission errors.
■ Decryption? Decryption occurs by generating the same keystream at the receiving side.
■ Disadvantage:
■ Never use the same (key, IV) pair twice; otherwise a keystream reuse attack may result.
■ Decrypting all the blocks ahead of it, an expensive proposition.
Figure 30.23 OFB mode

30-3 ASYMMETRIC-KEY CRYPTOGRAPHY

An asymmetric-key (or public-key) cipher uses two
keys: one private and one public. We discuss two
algorithms: RSA and Diffie-Hellman.

Topics discussed in this section:


RSA
Diffie-Hellman

PUBLIC KEY ALGORITHM: RSA
● RSA – Rivest–Shamir–Adleman
● Used for all of encryption, authentication and digital signing.
● Has long keys, i.e., 1024 bits, which makes it secure.
● Key advantage: difficulty of factoring large integers.
● General Algorithm:
1. Generate two large random prime numbers, p and q, equal in size.
2. Compute n = pq and φ = (p-1)(q-1).
3. Choose an integer ‘e’ such that 1 < e < φ and gcd(e, φ) = 1.
4. Compute the secret exponent d, 1 < d < φ, such that ed ≡ 1 (mod φ).
5. The public key is (n, e) and the private key is (n, d). Keep p, q and φ secret.
● Note:
● ‘n’ is modulus
● ‘e’ and ‘d’ is private key for encryption and decryption
respectively.
● ‘p’, ‘q’ and ‘φ’ is secret key.
RSA

■ An example of the RSA algorithm.

Figure 30.24 RSA

Key Generation Steps:
■ 1. Select two prime numbers, p = 17 and q = 11.
■ 2. Calculate n = pq = 17 × 11 = 187.
■ 3. Calculate φ(n) = (p-1)(q-1) = 16 × 10 = 160.
■ 4. Select e such that e is relatively prime to φ(n)
= 160 and less than φ(n); we choose e = 7.
■ 5. Determine d such that de mod 160 = 1 and d
< 160. The correct value is d = 23, because 23 ×
7 = 161.

■ The resulting public key and private key
are {7, 187} and {23, 187}.
Example:
■ Using these keys for a plaintext input of M = 88.
■ Encryption:
■ To calculate C = 88^7 mod 187:
■ 88^7 mod 187 = [(88^4 mod 187) × (88^2 mod 187) × (88^1 mod 187)] mod 187
■ 88^1 mod 187 = 88
■ 88^2 mod 187 = 7744 mod 187 = 77
■ 88^4 mod 187 = 59,969,536 mod 187 = 132
■ 88^7 mod 187 = (88 × 77 × 132) mod 187 = 894,432 mod 187 = 11
Example of RSA Algorithm
■ Decryption:
M = 11^23 mod 187:
■ 11^23 mod 187 = [(11^1 mod 187) × (11^2 mod 187) × (11^4 mod 187) × (11^8 mod 187) ×
(11^8 mod 187)] mod 187
■ 11^1 mod 187 = 11
■ 11^2 mod 187 = 121
■ 11^4 mod 187 = 14,641 mod 187 = 55
■ 11^8 mod 187 = 214,358,881 mod 187 = 33
■ 11^23 mod 187 = (11 × 121 × 55 × 33 × 33)
mod 187 = 79,720,245 mod 187 = 88
■ Limitations of RSA:
■ To defeat the RSA algorithm: Use a brute-force
approach, i.e., try all possible private keys.
■ The larger the number of bits in e and d,
the more secure the algorithm.
■ Because the calculations involved (both in
key generation and in
encryption/decryption) are complex, the
larger the size of the key, the slower the
system will run.
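
The key generation and the worked encryption and decryption above (p = 17, q = 11, e = 7, M = 88), as an added Python example that is not part of the original slides. It derives d with the extended Euclidean algorithm, records the squarings used by square-and-multiply so they can be compared with the hand calculation, and shows that a modulus this small gives up d by trial division; all function names are this example's own.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keys(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    d = egcd(e, phi)[1] % phi  # e*d = 1 (mod phi)
    return (n, e), (n, d)


def modexp(base, exponent, modulus):
    """Square-and-multiply.

    Returns (result, used) where used lists (k, base^k mod modulus) for each
    power of two k that was multiplied into the result.
    """
    result, square, power, used = 1, base % modulus, 1, []
    while exponent:
        if exponent & 1:
            result = result * square % modulus
            used.append((power, square))
        square = square * square % modulus
        power *= 2
        exponent >>= 1
    return result, used


def encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return modexp(m, e, n)[0]


def decrypt(c, private_key):
    n, d = private_key
    return modexp(c, d, n)[0]


def private_exponent_by_factoring(public_key):
    """Trial division on n: feasible only because the slide's modulus is tiny."""
    n, e = public_key
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1][1]


if __name__ == "__main__":
    public, private = make_keys(17, 11, 7)
    print(public, private)
    print(modexp(88, 7, 187))
    print(decrypt(encrypt(88, public), private))
    print(private_exponent_by_factoring(public))
```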
Diffie-Hellman
■ The first published public-key algorithm.
■ Purpose: Exchange a secret key securely.
(This is also its limitation.)
■ The algorithm depends for its effectiveness on
the difficulty of computing discrete
logarithms.
■ There are two publicly known numbers:
■ a prime number q and
■ an integer α (alpha) that is a primitive root of q.
■ Suppose the users A and B wish to exchange a key.
■ User A selects a random integer XA < q and computes
YA = α^XA mod q.
■ B independently selects a random integer XB < q and computes YB = α^XB
mod q.
■ Each side keeps the X value private and makes the Y value available
publicly to the other side.
■ User A computes the key as K = (YB)^XA mod q.
■ And user B computes the key as K = (YA)^XB mod q. The two values are equal:
■ K = (YB)^XA mod q
■ = (α^XB mod q)^XA mod q
■ = (α^XB)^XA mod q
■ = α^(XB·XA) mod q
■ = (α^XA)^XB mod q
■ = (α^XA mod q)^XB mod q
■ = (YA)^XB mod q
■ The result is that the two sides have exchanged a secret value.
■ As XA and XB are private, an adversary only
has the following ingredients to work with:
q, α, YA, and YB.
■ Thus, the adversary is forced to take a
discrete logarithm to determine the key.
■ To determine the private key of user B, an
adversary must compute XB = dlog_{α,q}(YB).
■ Security lies with calculation of discrete
logarithms.
■ Let's take one example supporting the
algorithm.
Example:
■ The prime number is q = 353, and a primitive root of q = 353 is, in
this case, α = 3.
■ A and B select secret keys XA = 97 and XB = 233, respectively.
Each computes its public key:
A computes YA = 3^97 mod 353 = 40.
B computes YB = 3^233 mod 353 = 248.
■ After they exchange public keys, each can compute the
common secret key:
■ A computes K = (YB)^XA mod 353 = 248^97 mod 353 = 160.
■ B computes K = (YA)^XB mod 353 = 40^233 mod 353 = 160.
■ We assume an attacker would have available the following
information: q = 353; α = 3; YA = 40; YB = 248.
■ In this simple example, it would be possible to determine the
secret key 160 by brute force.
■ The brute-force approach is to calculate powers of 3 modulo
353, stopping when the result equals either 40 or 248. The
desired answer is reached with the exponent value of 97, which
provides 3^97 mod 353 = 40.
■ With larger numbers, the problem becomes impractical.
Limitations of Diffie-Hellman
■ The technique does not protect against replay attacks.
■ Man-In-The-Middle-Attack:
■ 1. Darth prepares by generating two private keys XD1 and XD2, and then
computing the corresponding public keys YD1 and YD2.
■ 2. Alice transmits YA to Bob.
■ 3. Darth intercepts YA and transmits YD1 to Bob. Darth also
calculates K2 = (YA)^XD2 mod q.
■ 4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
■ 5. Bob transmits YB to Alice.
■ 6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates
K1 = (YB)^XD1 mod q.
■ 7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.
■ At this point, Bob and Alice think that they share a secret key.
But actually the situation is different.
■ Darth simply wants to eavesdrop, or modify the message going
to Bob.
Note

The symmetric (shared) key in the Diffie-Hellman protocol is
K = g^(xy) mod p.

Example 30.10
Let us give a trivial example to make the procedure clear.
Our example uses small numbers, but note that in a real
situation, the numbers are very large. Assume g = 7 and
p = 23. The steps are as follows:
1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
The value of K is the same for both Alice and Bob;
g^(xy) mod p = 7^18 mod 23 = 18.
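
The two worked exchanges above (q = 353, α = 3 and g = 7, p = 23), the brute-force search over powers of 3, and the seven steps of the man-in-the-middle description, as an added Python example that is not part of the original slides. Darth's private values XD1 = 5 and XD2 = 7 are constructed for the illustration, as are the function names.

```python
def public_value(g, private, p):
    return pow(g, private, p)


def shared_key(their_public, own_private, p):
    return pow(their_public, own_private, p)


def exchange(g, p, xa, xb):
    """Honest run: returns (YA, YB, key computed by A, key computed by B)."""
    ya, yb = public_value(g, xa, p), public_value(g, xb, p)
    return ya, yb, shared_key(yb, xa, p), shared_key(ya, xb, p)


def discrete_log(g, y, p):
    """Brute force from the slide: step through powers of g until y appears.

    Practical only for a toy prime such as 353.
    """
    value = 1
    for x in range(1, p):
        value = value * g % p
        if value == y:
            return x
    return None


def intercepted_exchange(g, p, xa, xb, xd1, xd2):
    """Steps 1-7 of the man-in-the-middle slide; returns the key each party holds."""
    ya, yb = public_value(g, xa, p), public_value(g, xb, p)
    yd1, yd2 = public_value(g, xd1, p), public_value(g, xd2, p)  # step 1
    return {
        "alice": shared_key(yd2, xa, p),             # step 7: K2
        "bob": shared_key(yd1, xb, p),               # step 4: K1
        "darth_with_alice": shared_key(ya, xd2, p),  # step 3: K2
        "darth_with_bob": shared_key(yb, xd1, p),    # step 6: K1
    }


if __name__ == "__main__":
    print(exchange(3, 353, 97, 233))
    print(exchange(7, 23, 3, 6))
    print(discrete_log(3, 40, 353))
    view = intercepted_exchange(3, 353, 97, 233, xd1=5, xd2=7)
    print(view)
    # Alice and Bob end up with different keys, each shared with Darth:
    # the exchange gives no assurance about who sent the public value.
    print(view["alice"] == view["bob"])
```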
Figure 30.27 Diffie-Hellman idea

Figure 30.28 Man-in-the-middle attack
