RAJAGIRI SCHOOL OF

ENGINEERING & TECHNOLOGY

RAJAGIRI VALLEY, KAKKANAD, COCHIN – 682 039

DIVISION OF COMPUTING SCIENCES

SECURITY IN COMPUTING – MODULE III

 Index

1. Cryptography…………………………………………………………………….1

2. Fiestel Networks………………………...………………………………………10

3. Data Encryption Standard……………………………………………………..12

4. Modes of operation of DES……………………………...……………………..20

5. Public key Cryptography………………………………………………………26

6. RSA Algorithm……………………………………………………………….....28

7. Diffie Hellman Key Exchange………………………………………………….31

8. MAC and HASH function………………………………………………….….33

9. Digital Signature…………………………………………………………….…35

10. Questions……………………………………………………………………..…37

2
1. Cryptography

1.1 Introduction

Definitions

Plaintext "The original message before it is encoded."

Encoding/Encryption "The process of disguising the plaintext."
Ciphertext "The enciphered version of the plaintext."
Decoding/Decryption "The process of reverting the cipher text back to the plain
text."
Cryptography "The science of keeping messages secret and of ensuring
authentication."
Cryptanalysis "The science (and art) of deciphering encoded messages
without the knowledge of the used key."
Cryptology Greek: kryptós = hidden, lógos=science. "The combination of
cryptography and cryptanalysis "The science of hidden,
disguised information."

1.2 Types of Cryptography

1.2.1 Conventional Encryption/Private-key Cryptography

In a "One-Key-Encryption" or "Conventional Encryption", the sender and the recipient

share the same key as their common secret

(source: www.PGPi.com):

At some earlier point in time the two correspondents, the sender and the recipient, must
have agreed on that key. If they are in different locations, they must trust a courier or a

3
phone system to transmit the secret key in a secure manner. Surely, this is not very
practical, particularly when many (new) parties are involved.
However, the major problem is the total number of keys involved. 2 correspondents use 1
key, 3 use 3 keys, 4 use 6 keys, 5 use 10 keys, 100 use 4950 keys, 1000 use 499500 keys,
etc. And each key must be stored in a secure manner. Key management is enough of a
difficult task that a name was invented for it: The Key Distribution Problem. It is the
reason why One-Key-Cryptography is not appropriate for today's secure electronic data
transfers between many parties involved.
Every Cipher is made up of two ingredients: an encryption method (the "algorithm") and
the set of all possible keys (the "key space"). The sender may now choose from the
number of possible keys to encode his secret message. The security of the cryptosystem
shall not be based on keeping the algorithm secret, but solely keeping the key secret.
Private Key Cryptography means that the knowledge of the encoding key yields the
decoding key. Such Ciphers are therefore also called "Symmetric Ciphers". If a Cipher
only offers a small number of keys (i.e. the Caesar Cipher) it can be broken by simply
testing the possible keys. A huge number of keys assures the security of a cipher
Private Key Cryptography provides "high-security" ciphers, however, their usage is not
practical because of the key distribution problem. It describes the difficulty of
exchanging and handling a large number of keys. I.e. 1000 correspondents have to handle
a total of 499500 keys. The number of keys increases with the square of the number of
correspondents.
1.2.2 Two-key/Public-key Cryptography
The "Two-Key Cryptography" or "Public-Key Cryptography" was a major
breakthrough in 1976. It makes the inconceivable reality: A Public Key is used to encode
the plain text, its corresponding Private Key is used to decode the cipher text. The clue:
Although the encoding key available to the whole world, nobody is capable of figuring
out the decoding key. The figure below shows the how "Two-Key Cryptography" is
performed.

(source: www.PGPi.com):

The primary benefit of public key cryptography is that it allows people who have no
preexisting security arrangement to exchange messages securely. The need for sender and

4
receiver to share secret keys via some secure channel is eliminated; all communications
involve only public keys, and no private key is ever transmitted or shared.
1.2.3 Transposition and Substitution Ciphers
Substitution and Transposition Ciphers are two categories of ciphers used in classical
cryptography. Substitution and Transposition differ in how chunks of the message are
handled by the encryption process. Substitution ciphers encrypt plaintext by changing the
plaintext one piece at a time.
The Ceasar Cipher was an early substitution cipher. In the Caesar Cipher, each character
is shifted three places up. Therefore, A becomes D and B becomes E, etc...
This table shows "VOYAGER" being encrypted with the Caesar substution cipher:
Plaintext V O Y A G E R
Key +3 +3 +3 +3 +3 +3 +3
Ciphertext Y R B D J H U
Transposition ciphers encrypt plaintext by moving small pieces of the message around.
This table shows "VOYAGER" being encrypted with a primitive transposition cipher
where every two letters are switched with each other:
V OYAGE R
O VAYE GR

1.2.4 Stream and Block Ciphers

Block and Stream Ciphers are two categories of ciphers used in classical cryptography.
Block and Stream Ciphers differ in how large a piece of the message is processed in each
encryption operation. Block ciphers encrypt plaintext in chunks. Common block sizes are
64 and 128 bits. Stream ciphers encrypt plaintext one byte or one bit at a time. A stream
cipher can be thought of as a block cipher with a really small block size. Generally
speaking, block ciphers are more efficient for computers and stream ciphers are easier for
humans to do by hand.
1.3 Caesar Substitution
The simplest of all substitution ciphers is the one in which the cipher letters results from
shifting plain letters by the same distance. Among those, the best known is called "Caesar
Cipher", used by Julius Caesar, in which each A is encrypted as D, B as E, C as F,... etc.
Here key is 3

Mathematically, the encryption and decryption functions can be described as follows:

The sender encodes each plain text letter P using the key b as follows:
C= (P+b) mod 26
The recipient decodes each cipher text letter C using the key b as follows:
P=(C-b) mod 26

1.4 Playfair Cipher

5
The best known substitution cipher that encrypts pairs of letters is the Playfair Cipher
invented by Sir Charles Wheatstone but championed at the British Foreign Office by
Lyon Playfair, the first Baron Playfair of St. Andrews, whose name the cipher bears.
Here, a 5 x 5-square matrix containing the 26 letters of the alphabet (I and J are treated as
the same letter) is used to carry out the encryption. A key word, MONARCHY in this
example, is filled in first, and the remaining unused letters of the alphabet are entered in
their lexicographic order.

Pairs of plaintext letters are encrypted with the matrix by first locating the two plaintext
letters in the matrix. They are
(1) in different rows and columns or
(2) in the same row or
(3) in the same column or
(4) alike.

The corresponding encryption (replacement) rules are the following:

1. If the pair of letters are in different rows and columns, each letter is replaced by the
letter that is in the same row but in the other column; i.e., to encrypt WE, W is replaced
by U and E by G.
2. If two letters are in the same row simply shift both one position to the right. I.e. A and
R are in the same row. A is encrypted as R and R (reading the row cyclically) as M.
3. Similarly, if two letters are in the same column shift both one position down. I.e. I and
S are in the same column. I is encrypted as S and S as X.
4. If a double letter occurs, a spurious symbol, say Q, is introduced so that the MM in
SUMMER would encrypt into NL for MQ and CL for ME.
5. An X is appended to the end of the plaintext if necessary to cause the plaintext to have
an even number of letters.
1.5 Monoalphabetic substitution
The Caesar Cipher, the Multiplication Cipher and the Linear Cipher have one property in
common. They all fall in the category of Monoalphabetic Ciphers: "Same plain letters are
encoded to the same cipher letter." i.e. in the Caesar Cipher each "a" turned into "d", each
"b" turned into "e", etc.

The reason why such Ciphers can be broken is the following: Although letters are
changed the underlying letter frequencies are not! If the plain letter "a" occurs 10 times
its cipher letter will do so 10 times. Therefore, any monoalphabetic Cipher can be broken
with the aid of letter frequency analysis.

6
1.6 Polyalphabetic Substitution
Polyalphabetic substitution cipher is simply a substitution cipher with an alphabet that
changes. For example one could have two alphabets:
Plain Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher Alphabet #1: B D F H J L N P R T V X Z A C E G I K M O Q S U W Y
Cipher Alphabet #2: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
Now to encrypt the message ``The quick brown fox jumped over the lazy dog" we would
alternate between the two cipher alphabets, using #1 for every first letter and #2 for every
second, to get: ``Msj joxfp dicda ucu tfzkjw ceji msj xzyb hln". Polyalphabetic
substitution ciphers are useful because they cannot be broken using frequency
analysis.The number of letters encrypted before a polyalphabetic substitution cipher
returns to its first cipher alphabet is called its period. The larger the period, the stronger
the cipher.
Vigenere Cipher
The polyalphabetic substitution cipher involves the use of two or more cipher alphabets.
Instead of there being a one-to-one relationship between each letter and its substitute,
there is a one-to-many relationship between each letter and its substitutes.
The Vigenere Cipher , proposed by Blaise de Vigenere is a polyalphabetic substitution
based on the following tableau:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

7
 Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Note that each row of the table corresponds to a Caesar Cipher. The first row is a shift of
0; the second is a shift of 1; and the last is a shift of 25.
The Vigenere cipher uses this table together with a keyword to encipher a message. For
example, enciphering the plaintext message:
TO BE OR NOT TO BE THAT IS THE QUESTION
using the keyword RELATIONS. We begin by writing the keyword, repeated as many
times as necessary, above the plaintext message. To derive the ciphertext using the
tableau, for each letter in the plaintext, one finds the intersection of the row given by the
corresponding keyword letter and the column given by the plaintext letter itself to pick
out the ciphertext letter.
Keyword: RELAT IONSR ELATI ONSRE LATIO NSREL
Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION
Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
Decipherment of an encrypted message is equally straightforward. One writes the
keyword repeatedly above the message:
Keyword: RELAT IONSR ELATI ONSRE LATIO NSREL
Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION
This time one uses the keyword letter to pick a column of the table and then traces down
the column to the row containing the ciphertext letter. The index of that row is the
plaintext letter.
The strength of the Vigenere cipher against frequency analysis can be seen by examining
the above ciphertext. Note that there are 7 'T's in the plaintext message and that they have
been encrypted by 'H,' 'L,' 'K,' 'M,' 'G,' 'X,' and 'L' respectively. This successfully masks
the frequency characteristics of the English 'T.' One way of looking at this is to notice
that each letter of our keyword RELATIONS picks out 1 of the 26 possible substitution
alphabets given in the Vigenere tableau. Thus, any message encrypted by a Vigenere
cipher is a collection of as many simple substitution ciphers as there are letters in the
keyword.
1.7 Cryptanalysis
Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie")
is the study of methods for obtaining the meaning of encrypted information, without
access to the secret information which is normally required to do so. Typically, this
involves finding the secret key. In non-technical language, this is the practice of code
breaking or cracking the code, although these phrases also have a specialized technical
meaning
Types of Cryptanalytic attacks
1 Brute force Attacks: It is a method of defeating a cryptographic scheme by
trying a large number of possibilities; for example, exhaustively working through
all possible keys in order to decrypt a message. In most schemes, the theoretical
possibility of a brute force attack is recognized, but it is set up in such a way that
it would be computationally infeasible to carry out.
2 Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts or
codetexts.

8
3 Known-plaintext: the attacker has a set of ciphertexts to which he knows the
corresponding plaintext.
4 Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts
(plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own
choosing.
5 Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attacker
can choose subsequent plaintexts based on information learned from previous
encryptions. Similarly Adaptive chosen ciphertext attack.
6 Related-key attack: Like a chosen-plaintext attack, except the attacker can
obtain ciphertexts encrypted under two different keys. The keys are unknown, but
the relationship between them is known; for example, two keys that differ in the
one bit.

9
2. Fiestel Networks
In cryptography, a Feistel cipher is a block cipher with a particular structure, named after
IBM cryptographer Horst Feistel; it is also commonly known as a Feistel network. A
large proportion of block ciphers use the scheme, including the Data Encryption
Standard(DES). The Feistel structure has the advantage that encryption and decryption
operations are very similar, even identical in some cases, requiring only a reversal of the
key schedule. Therefore the size of the code or circuitry required to implement such a
cipher is nearly halved.
Feistel networks and similar constructions are product ciphers, and so combine multiple
rounds of repeated operations, such as:
• Bit-shuffling (often called permutation boxes or P-boxes)
• Simple non-linear functions (often called substitution boxes or S-boxes)
• Linear mixing (in the sense of modular algebra) using XOR
to produce a function with large amounts of what Claude Shannon described as
"confusion and diffusion". Bit shuffling creates the diffusion effect, while substitution is
used for confusion. In Shannon's original definitions, confusion refers to making the
relationship between the key and the ciphertext as complex and involved as possible;
diffusion refers to the property that redundancy in the statistics of the plaintext is
"dissipated" in the statistics of the ciphertext.
The basic operation is as follows:
Split the plaintext block into two equal pieces, (L0, R0)

For each round , compute

L i = Ri − 1

where f is the round function and Ki is the sub-key.

Then the ciphertext is (Ln, Rn).
Regardless of the function f, decryption is accomplished via
R i − 1 = Li

One advantage of this model is that the function used does not have to be invertible, and
can be very complex. This diagram illustrates both encryption and decryption. Note the
reversal of the subkey order for decryption; this is the only difference between encryption
and decryption:

10
11
3. Data Encryption Standard
DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the
effective key strength is only 56 bits, as explained below). It takes a 64-bit block of
plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on
blocks of equal size and it uses both permutations and substitutions in the algorithm, DES
is both a block cipher and a product cipher.
DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the
ciphertext. It has been found that the number of rounds is exponentially proportional to
the amount of time required to find a key using a brute-force attack. So as the number of
rounds increases, the security of the algorithm increases exponentially.
The block diagram of DES is depicted below.

12
3.1 Key Scheduling
Although the input key for DES is 64 bits long, the actual key used by DES is only 56
bits in length. The bits at positions of multiples of eight are ignored, thus resulting in a
key length of 56 bits.
The first step is to pass the 64-bit key through a permutation called Permuted Choice 1,
or PC-1 for short. The table for this is given below. Note that in all subsequent
descriptions of bit numbers, 1 is the left-most bit in the number, and n is the rightmost bit.
PC-1: Permuted Choice 1
Bit 0 1 2 3 4 5 6
1 57 49 41 33 25 17 9
8 1 58 50 42 34 26 18
15 10 2 59 51 43 35 27
22 19 11 3 60 52 44 36
29 63 55 47 39 31 23 15
36 7 62 54 46 38 30 22
43 14 6 61 53 45 37 29
50 21 13 5 28 20 12 4

Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit
subkeys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption and
decryption. The procedure for generating the subkeys - known as key scheduling - is
fairly simple:
1. Set the round number R to 1.
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R
(the right-hand half).
3. Rotate L left by the number of bits specified in the table below, and rotate R left by the
same number of bits as well.
4. Join L and R together to get the new K.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round
number we are on.
6. Increment R by 1 and repeat the procedure until we have all 16 subkeys K[1]-K[16].
Here are the tables involved in these operations:

Subkey Rotation Table

Round Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of bits to 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
rotate
PC-2: Permuted Choice 2
Bit 0 1 2 3 4 5
1 14 17 11 24 1 5
7 3 28 15 6 21 10

13
 13 23 19 12 4 26 8
19 16 7 27 20 13 2
25 41 52 31 37 47 55
31 30 40 51 45 33 48
37 44 49 39 56 34 53
43 46 42 50 36 29 32

3.2 Plaintext Preparation

Once the key scheduling has been performed, the next step is to prepare the plaintext for
the actual encryption. This is done by passing the plaintext through a permutation called
the Initial Permutation, or IP for short. This table also has an inverse, called the Inverse
Initial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final Permutation.
Both of these tables are shown below.
IP: Initial Permutation
Bit 0 1 2 3 4 5 6 7
1 58 50 42 34 26 18 10 2
9 60 52 44 36 28 20 12 4
17 62 54 46 38 30 22 14 6
25 64 56 48 40 32 24 16 8
33 57 49 41 33 25 17 9 1
41 59 51 43 35 27 19 11 3
49 61 53 45 37 29 21 13 5
57 63 55 47 39 31 23 15 7
IP^(-1): Inverse Initial Permutation
Bit 0 1 2 3 4 5 6 7
1 40 8 48 16 56 24 64 32
9 39 7 47 15 55 23 63 31
17 38 6 46 14 54 22 62 30
25 37 5 45 13 53 21 61 29
33 36 4 44 12 52 20 60 28
41 35 3 43 11 51 19 59 27
49 34 2 42 10 50 18 58 26
57 33 1 41 9 49 17 57 25
These tables are used just like PC-1 and PC-2 were for the key scheduling. By looking at
the table is becomes apparent why one permutation is called the inverse of the other. For
example, let's examine how bit 32 is transformed under IP. In the table, bit 32 is located
at the intersection of the column labeled 4 and the row labeled 25. So this bit becomes bit
29 of the 64-bit block after the permutation. Now let's apply IP^(-1). In IP^(-1), bit 29 is
located at the intersection of the column labeled 7 and the row labeled 25. So this bit
becomes bit 32 after the permutation. And this is the bit position that we started with
before the first permutation. So IP^(-1) really is the inverse of IP. It does the exact
opposite of IP. If you run a block of plaintext through IP and then pass the resulting block
through IP^(-1), you'll end up with the original block.

14
3.3 DES Core Function
Once the key scheduling and plaintext preparation have been completed, the actual
encryption or decryption is performed by the main DES algorithm. The 64-bit block of
input data is first split into two halves, L and R. L is the left-most 32 bits, and R is the
right-most 32 bits. The following process is repeated 16 times, making up the 16 rounds
of standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15].
1. R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit
Selection Table, which is like a permutation, except that some of the bits are used more
than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step.
2. The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] is
not modified.
3. The result from the previous step is now split into 8 segments of 6 bits each. The left-
most 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the index into
the S-boxes, which are used in the next step. The Substitution boxes, known as S-boxes,
are a set of 8 two-dimensional arrays, each with 4 rows and 16 columns. The numbers in
the boxes are always 4 bits in length, so their values range from 0-15. The S-boxes are
numbered S[1]-S[8].
4. Starting with B[1], the first and last bits of the 6-bit block are taken and used as an
index into the row number of S[1], which can range from 0 to 3, and the middle four bits
are used as an index into the column number, which can range from 0 to 15. The number
from this position in the S-box is retrieved and stored away. This is repeated with B[2]
and S[2], B[3] and S[3], and the others up to B[8] and S[8]. At this point, we now have 8
4-bit numbers, which when strung together one after the other in the order of retrieval,
give a 32-bit result.
5. The result from the previous stage is now passed into the P Permutation.
6. This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into
L[I].
7. At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core
function until I = 17, which means that 16 rounds have been executed and keys K[1]-
K[16] have all been used.
When L[16] and R[16] have been obtained, they are joined back together in the same
fashion they were split apart (L[16] is the left-hand half, R[16] is the right-hand half),
then the two halves are swapped, R[16] becomes the left-most 32 bits and L[16] becomes
the right-most 32 bits of the pre-output block and the resultant 64-bit number is called the
pre-output.

Tables used in the DES Core Function

15
 E-Bit Selection Table
Bit 0 1 2 3 4 5
1 32 1 2 3 4 5
7 4 5 6 7 8 9
13 8 9 10 11 12 13
19 12 13 14 15 16 17
25 16 17 18 19 20 21
31 20 21 22 23 24 25
37 24 25 26 27 28 29
43 28 29 30 31 32 1
P Permutation
Bit 0 1 2 3
1 16 7 20 21
5 29 12 28 17
9 1 15 23 26
13 5 18 31 10
17 2 8 24 14
21 32 27 3 9
25 19 13 30 6
29 22 11 4 25
S-Box 1: Substitution Box 1
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S-Box 2: Substitution Box 2
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S-Box 3: Substitution Box 3
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S-Box 4: Substitution Box 4
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9

16
2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-Box 5: Substitution Box 5
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S-Box 6: Substitution Box 6
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-Box 7: Substitution Box 7
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S-Box 8: Substitution Box 8
Row / 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Column
0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

3.4 How to use the S-Boxes

The purpose of this example is to clarify how the S-boxes work. Suppose we have the
following 48-bit binary number:
011101000101110101000111101000011100101101011101
In order to pass this through steps 3 and 4 of the Core Function as outlined above, the
number is split up into 8 6-bit blocks, labeled B[1] to B[8] from left to right:
011101 000101 110101 000111 101000 011100 101101 011101
Now, eight numbers are extracted from the S-boxes - one from each box:
B[1] = S[1](01, 1110) = S[1][1][14] = 3 = 0011
B[2] = S[2](01, 0010) = S[2][1][2 ] = 4 = 0100
B[3] = S[3](11, 1010) = S[3][3][10] = 14 = 1110

17
B[4] = S[4](01, 0011) = S[4][1][3 ] = 5 = 0101
B[5] = S[5](10, 0100) = S[5][2][4 ] = 10 = 1010
B[6] = S[6](00, 1110) = S[6][0][14] = 5 = 0101
B[7] = S[7](11, 0110) = S[7][3][6 ] = 10 = 1010
B[8] = S[8](01, 1110) = S[8][1][14] = 9 = 1001
In each case of S[n][row][column], the first and last bits of the current B[n] are used as
the row index, and the middle four bits as the column index.
The results are now joined together to form a 32-bit number which serves as the input to
stage 5 of the Core Function (the P Permutation):
00110100111001011010010110101001
3.5 Ciphertext Preparation
The final step is to apply the permutation IP^(-1) to the pre-output. The result is the
completely encrypted ciphertext.
3.6 Encryption and Decryption
The same algorithm can be used for encryption or decryption. The method described
above will encrypt a block of plaintext and return a block of ciphertext. In order to
decrypt the ciphertext and get the original plaintext again, the procedure is simply
repeated but the subkeys are applied in reverse order, from K[16]-K[1]. That is, stage 2 of
the Core Function as outlined above changes from R[I-1] XOR K[I] to R[I-1] XOR K[17-
I]. Other than that, decryption is performed exactly the same as encryption.

3.7 Strength of DES

1 With a key length of 56 bits, a brute force attack becomes impractical

2 Design algorithm of S-boxes is kept a secret
3 DES is also resistant to timing attacks

3.8 Comparison of modern symmetric key algorithms

Algorithm Plaintext Ciphertext Key size Rounds Advantages

DES 64 bits 64 bits 56 bits 16 •Simple and fast
•Less mathematical
calculations
•Cryptanalysis is
difficult
3DES 64 bits 64 bits 168 bits 48 DES • More reliable
rounds •Easy to upgrade the
software to 3DES
•Longer keylength,
difficult to crytanalyse
AES 128 bits 128 bits 128/192/ 10/12/14 •Longer keylengths

18
 256 bits resp. supported
•More flexible
Blowfish 64 bits 64 bits 32-448 16 •Fast and secure
bits •Compact
RC5 32/64/128 32/64/128 0-2040 variable •Simple and fast
bits bits bits •Adaptable to processors
of different word length
•Data dependent
rotations

4 MODES OF OPERATION OF DES

4.1 ECB (Electronic Code Book)

19
 This is the regular DES algorithm. Data is divided into 64-bit blocks and each
block is encrypted one at a time. Separate encryptions with different blocks are
totally independent of each other. This means that if data is transmitted over a
network or phone line, transmission errors will only affect the block containing
the error. It also means, however, that the blocks can be rearranged, thus
scrambling a file beyond recognition, and this action would go undetected. ECB is
the weakest of the various modes because no additional security measures are
implemented besides the basic DES algorithm. However, ECB is the fastest and
easiest to implement, making it the most common mode of DES.

4.2 CBC (Cipher Block Chaining).

20
 In this mode of operation, each block of ECB encrypted ciphertext is XORed with
the next plaintext block to be encrypted, thus making all the blocks dependent on
all the previous blocks. This means that in order to find the plaintext of a
particular block, you need to know the ciphertext, the key, and the ciphertext for
the previous block. The first block to be encrypted has no previous ciphertext, so
the plaintext is XORed with a 64-bit number called the Initialization Vector, or IV
for short. So if data is transmitted over a network or phone line and there is a
transmission error, the error will be carried forward to all subsequent blocks since
each block is dependent upon the last. This mode of operation is more secure than
ECB because the extra XOR step adds one more layer to the encryption process.

4.3 CFB (Cipher Feed Back)

21
 In this mode, blocks of plaintext that are less than 64 bits long can be
encrypted. Normally, special processing has to be used to handle files whose size is
not a perfect multiple of 8 bytes, but this mode removes that necessity (Stealth
handles this case by adding several dummy bytes to the end of a file before
encrypting it). The plaintext itself is not actually passed through the DES algorithm,
but merely XORed with an output block from it, in the following manner: A 64-bit
block called the Shift Register is used as the input plaintext to DES. This is initially
set to some arbitrary value, and encrypted with the DES algorithm. The ciphertext is
then passed through an extra component called the M-box, which simply selects the
left-most M bits of the ciphertext, where M is the number of bits in the block we wish
to encrypt. This value is XORed with the real plaintext, and the output of that is the
final ciphertext. Finally, the ciphertext is fed back into the Shift Register, and used as
the plaintext seed for the next block to be encrypted. As with CBC mode, an error in
one block affects all subsequent blocks during data transmission. This mode of
operation is similar to CBC and is very secure, but it is slower than ECB due to the
added complexity.

22
4.4 OFB (Output Feed Back)

This is similar to CFB mode, except that the ciphertext output of DES is
fed back into the Shift Register, rather than the actual final ciphertext. The Shift
Register is set to an arbitrary initial value, and passed through the DES algorithm.
The output from DES is passed through the M-box and then fed back into the
Shift Register to prepare for the next block. This value is then XORed with the
real plaintext (which may be less than 64 bits in length, like CFB mode), and the
result is the final ciphertext. Note that unlike CFB and CBC, a transmission error
in one block will not affect subsequent blocks because once the recipient has the
initial Shift Register value, it will continue to generate new Shift Register

23
plaintext inputs without any further data input. However, this mode of operation is
less secure than CFB mode because only the real ciphertext and DES ciphertext
output is needed to find the plaintext of the most recent block. Knowledge of the
key is not required.

24
4.5 CTR (Counter)

A counter, equal to the plaintext block size is used. The counter value must be
different for each plaintext block that is encrypted. The counter is initialized to some
value and then incremented by 1 for each substitution. For encryption, the counter is
encrypted and then XORed with the plaintext block to produce the ciphertext block.

25
5. PUBLIC KEY CRYPTOGRAPHY

5.1 Comparison of Symmetric Key and Public Key Cryptography

With symmetric-key encryption, the encryption key can be calculated from the
decryption key and vice versa. With most symmetric algorithms, the same key is used for
both encryption and decryption, as shown in Figure

Implementations of symmetric-key encryption can be highly efficient, so that users do

not experience any significant time delay as a result of the encryption and decryption.
Symmetric-key encryption is effective only if the symmetric key is kept secret by the two
parties involved. If anyone else discovers the key, it affects both confidentiality and
authentication. A person with an unauthorized symmetric key not only can decrypt
messages sent with that key, but can encrypt new messages and send them as if they
came from one of the two parties who were originally using the key.

Public-key encryption (also called asymmetric encryption) involves a pair of keys--a

public key and a private key--associated with an entity that needs to authenticate its
identity electronically or to sign or encrypt data. Each public key is published, and the
corresponding private key is kept secret. Data encrypted with the public key can be
decrypted only with the private key. The figure shows a simplified view of the way
public-key encryption works.

The scheme lets us freely distribute a public key, and only you will be able to read data
encrypted using this key. In general, to send encrypted data to someone, we encrypt the
data with that person's public key, and the person receiving the encrypted data decrypts it
with the corresponding private key. Compared with symmetric-key encryption, public-
key encryption requires more computation and is therefore not always appropriate for
large amounts of data. However, it's possible to use public-key encryption to send a
symmetric key, which can then be used to encrypt additional data.

As it happens, the reverse of the scheme shown in Figure also works: data encrypted with
your private key can be decrypted only with your public key. This would not be a

26
desirable way to encrypt sensitive data, however, because it means that anyone with your
public key, which is by definition published, could decrypt the data. Nevertheless,
private-key encryption is useful, because it means you can use your private key to sign
data with your digital signature--an important requirement for electronic commerce and
other commercial applications of cryptography.

27
6. RSA Algorithm
The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at
MIT; the letters RSA are the initials of their surnames. This is the most commonly used
algorithm in public key cryptography
6.1 Key Generation
Suppose a user X wishes to allow Y to send a private message over an insecure
transmission medium. X takes the following steps to generate a public key and a private
key:

1. Choose two large prime numbers and such that , randomly and
independently of each other.
2. Compute .

3. Compute the totient .

4. Choose an integer e such that which is coprime to .

5. Compute d such that

The public key consists of

• n, the modulus, and
• e, the public exponent (sometimes encryption exponent).
The private key consists of
• n, the modulus, which is public and appears in the public key, and
• d, the private exponent (sometimes decryption exponent), which must be kept
secret.
6.2 Encrypting messages
Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n,
using some previously agreed-upon reversible protocol known as a padding scheme.
Bob now has m, and knows n and e, which Alice has announced. He then computes the
ciphertext c corresponding to m:

Bob then transmits c to Alice

6.3 Decrypting messages
Alice receives c from Bob, and knows her private key d. She can recover m from c by the
following procedure:

The proof is given in Appendix

28
6.4 A working example
Here is an example of RSA encryption and decryption. The parameters used here are
artificially smallWe let
p = 61 - first prime number (to be kept secret or deleted securely)
q = 53 - second prime number (to be kept secret or deleted securely)
n = pq = - modulus (to be made public)
3233
e = 17 - public exponent (to be made public)
d = 2753 - private exponent (to be kept secret)
The public key is (e, n). The private key is d. The encryption function is:
encrypt(m) = me mod n = m17 mod 3233
where m is the plaintext. The decryption function is:
decrypt(c) = cd mod n = c2753 mod 3233
where c is the ciphertext.
To encrypt the plaintext value 123, we calculate
encrypt(123) = 12317 mod 3233 = 855
To decrypt the ciphertext value 855, we calculate
decrypt(855) = 8552753 mod 3233 = 123

6.5 Security of RSA

The security of the RSA cryptosystem is based on two mathematical problems: the
problem of factoring very large numbers, and the RSA problem. Full decryption of an
RSA ciphertext is thought to be infeasible on the assumption that both of these problems
are hard, i.e., no efficient algorithm exists for solving them.

The RSA problem is defined as the task of taking eth roots modulo a composite n:
recovering a value m such that me=c mod n, where (e, n) is an RSA public key and c is an
RSA ciphertext. Currently the most promising approach to solving the RSA problem is to
factor the modulus n. With the ability to recover prime factors, an attacker can compute
the secret exponent d from a public key (e, n), then decrypt c using the standard
procedure. To accomplish this, an attacker factors n into p and q, and computes (p-1)(q-1)
which allows the determination of d from e. No polynomial-time method for factoring
large integers on a classical computer has yet been found, but it has not been proven that
none exists.

6.6 Practical Considerations

Speed
RSA is much slower than DES and other symmetric cryptosystems.

29
Key distribution
As with all ciphers, how RSA public keys are distributed is important to security. Key
distribution must be secured against a man-in-the-middle attack. In principle, neither
sender nor receiver would be able to detect an outsider’s presence. Defenses against such
attacks are often based on digital certificates.
Timing attacks

6.7 Comparison of RSA and DES

Feature DES RSA
speed high low
data block length 64 bits minimum 512 bits
key length 56 bits minimum 512 bits
use of data space full, 64 bits (264), 8 variable, limited, not
bytes defined,
ciphering & deciphering same different
key
ciphering & deciphering different same
algorithm
algorithm contains only no no
XOR and branching
cryptanalysis method differential method product factorization

30
7. Diffie Hellman Key Exchange
Diffie-Hellman key agreement was invented in 1976 during a collaboration between
Whitfield Diffie and Martin Hellman and was the first practical method for
establishing a shared secret over an unprotected communications channel.
7.1 Description
The simplest, and original, implementation of the protocol uses the multiplicative group
of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply
means that the integers between 1 and p − 1 are used with normal multiplication,
exponentiation and division, except that after each operation the result keeps only the
remainder after dividing by p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer a=6, then sends Bob (ga mod p)
o 56 mod 23 = 8.
3. Bob chooses a secret integer b=15, then sends Alice (gb mod p)
o 515 mod 23 = 19.
4. Alice computes (gb mod p)a mod p
o 196 mod 23 = 2.
5. Bob computes (ga mod p)b mod p
815 mod 23 = 2.
Both Alice and Bob have arrived at the same value, because gab and gba are equal. Note
that only a, b, gab and gba are kept secret. All the other values are sent in the clear.
Once Alice and Bob compute the shared secret they can use it as an encryption
key, known only to them, for sending messages across the same open
communications channel. Of course, much larger values of a,b, and p would be
needed to make this example secure, since it is easy to try all the possible values
of gab mod 23 (there will be, at most, 22 such values, even if a and b are large). If
p was a prime of more than 300 digits, and a and b were at least 100 digits long,
then even the best known algorithms for finding a given only g, p, and ga mod p
(known as the discrete logarithm problem) would take longer than the lifetime of
the universe to run. g need not be large at all, and in practice is usually either 2 or
5.
Here's a more general description of the protocol:
1. Alice and Bob agree on a finite cyclic group G and a generating element g in G.
(This is usually done long before the rest of the protocol; g is assumed to be
known by all attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends ga to Bob.
3. Bob picks a random natural number b and sends gb to Alice.
4. Alice computes (gb)a.

31
5. Bob computes (ga)b. Both Alice and Bob are now in possession of the group
element gab which can serve as the shared secret key.
7.2 Security
The protocol is considered secure against eavesdroppers if G and g are chosen properly.
The eavesdropper must solve the Diffie-Hellman problem to obtain gab. This is
currently considered difficult. An efficient algorithm to solve the discrete
logarithm problem would make it easy to compute a or b and solve the Diffie-
Hellman problem, making this protocol insecure.
The order of G should be prime or have a large prime factor to prevent obtaining a or b.
The secret integers a and b are discarded at the end of the session. Therefore,
Diffie-Hellman key exchange by itself trivially achieves perfect forward secrecy
because no long-term private keying material exists to be disclosed.
7.3 Authentication
In the original description, the Diffie-Hellman exchange by itself does not provide
authentication of the parties, and is thus vulnerable to man in the middle attack.
The man-in-the-middle may establish two distinct Diffie-Hellman keys, one with
Alice and the other with Bob, and then try to masquerade as Alice to Bob and/or
vice-versa, perhaps by decrypting and re-encrypting messages passed between
them. Some method to authenticate these parties to each other is generally needed

32
8. Message Authentication Code (MAC) and Hash Functions
Message authentication is concerned with
a) Protecting integrity of the message
b) Validating identity of the originator
c) Non-repudiation of origin
There are three different ways to achieve message authentication
Message Encryption
MAC
Hash functions
Message encryption can be either a symmetric key encryption or public key encryption. If
symmetric key encryption is used receiver and sender should communicate the
secret key, which is a hazardous task. If public key encryption is used and public
key is used for encryption, there is no confidence of sender. However if sender
uses private key for encryption, both confidentiality and authentication is
provided. But still we need to recognize corrupted messages
8.1 MAC
A cryptographic message authentication code (MAC) is a short piece of information used
to authenticate a message. A MAC algorithm accepts as input a secret key and an
arbitrary-length message to be authenticated, and outputs a MAC (sometimes
known as a tag). The MAC value protects both a message's integrity as well as its
authenticity, by allowing verifiers (who also possess the secret key) to detect any
changes to the message content.
A MAC is a cryptographic checksum
MAC = CK(M)
MAC is a many-to-one function. Potentially many messages have same MAC. But
finding these needs to be very difficult
Requirements for MAC
1. Knowing a message and MAC, is infeasible to find another message with
same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message

33
8.2 HASH Functions

A hash function H is a transformation that takes a variable-size input m and returns a

fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with
just this property have a variety of general computational uses, but when employed in
cryptography the hash functions are usually chosen to have some additional properties.

The basic requirements for a cryptographic hash function are:

o the input can be of any length,

o the output has a fixed length,
o H(x) is relatively easy to compute for any given x ,
o H(x) is one-way,
o H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where "hard to invert"

means that given a hash value h, it is computationally infeasible to find some input x such
that H(x) = h.

If, given a message x, it is computationally infeasible to find a message y not equal to x

such that H(x) = H(y) then H is said to be a weakly collision-free hash function.

A strongly collision-free hash function H is one for which it is computationally infeasible

to find any two messages x and y such that H(x) = H(y).

34
9. Digital Signature
Digital signature (or public-key digital signature) is a type of method for authenticating
digital information analogous to ordinary physical signatures on paper, but
implemented using techniques from the field of public-key cryptography. A
digital signature method generally defines two complementary algorithms, one for
signing and the other for verification, and the output of the signing process is also
called a digital signature. Digital signature has also been used as a broader term
encompassing both public-key digital signature techniques and message
authentication codes.
Instead of encrypting the data itself, the signing software creates a one-way hash of the
data, then uses the private key to encrypt the hash. The encrypted hash, along with other
information, such as the hashing algorithm, is known as a digital signature. The figure
shows a simplified view of the way a digital signature can be used to validate the
integrity of signed data.

Using a digital signature to validate data integrity

The figure shows two items transferred to the recipient of some signed data: the original
data and the digital signature, which is basically a one-way hash (of the original data) that
has been encrypted with the signer's private key. To validate the integrity of the data, the
receiving software first uses the signer's public key to decrypt the hash. It then uses the
same hashing algorithm that generated the original hash to generate a new one-way hash
of the same data. (Information about the hashing algorithm used is sent with the digital
signature, although this isn't shown in the figure.) Finally, the receiving software
compares the new hash against the original hash. If the two hashes match, the data has
not changed since it was signed. If they don't match, the data may have been tampered
with since it was signed, or the signature may have been created with a private key that
doesn't correspond to the public key presented by the signer. If the two hashes match, the
recipient can be certain that the public key used to decrypt the digital signature
corresponds to the private key used to create the digital signature. Confirming the identity

35
of the signer, however, also requires some way of confirming that the public key really
belongs to a particular person or other entity
The significance of a digital signature is comparable to the significance of a handwritten
signature. Once you have signed some data, it is difficult to deny doing so later--
assuming that the private key has not been compromised or out of the owner's
control. This quality of digital signatures provides a high degree of non
repudiation--that is, digital signatures make it difficult for the signer to deny
having signed the data. In some situations, a digital signature may be as legally
binding as a handwritten signature.

36
 QUESTIONS

1. What is cryptography?
2. What is a block cipher?
3. What is a Fiestel cipher?
4. What are weak keys?
5. What is DES?
6. What is triple DES?
7. What are ECB and CBC modes?
8. What is Blowfish?
9. What is multiple encryption?
10. What is stream cipher?
11. What is public key cryptography?
12. What are the key management issues involved in public key cryptography?
13. What are certificates?
14. What are the advantages of public key cryptography over symmetric key
cryptography?
15. What is a one-way function?
16. What is the significance of one way function in cryptography?
17. What is RSA?
18. What are the different types of attacks on RSA?
19. What is the RSA factoring challenge?
20. How is RSA used for authentication in practice?
21. What is Diffie Hellman key exchange?
22. What is the significance of factoring in cryptography?
23. What is the discrete logarithm problem?
24. What are MACs?
25. What is a hash function?

37