
CRYPTOGRAPHY

Cryptography (BE VIII Semester) | Chandra Bilash Bhurtel

Contents

CHAPTER 1: Introduction to Cryptography                          1
  Common Goals in Cryptography                                   1
  Basic Terms in Cryptography                                    2
  Generic Model of Secure Communication                          3
  OSI Security Architecture                                      4
  Types of attacks                                               5
  Types of Cryptographic Systems                                 6
    Symmetric Key Cryptography                                   6
    Public-Key Cryptography                                      6
  Conventional Encryption Model                                  7
    Cryptanalysis                                                8
CHAPTER 2: Classical Cipher Scheme                               9
  Transposition Ciphers: Moving Around                           9
  Hill Cipher                                                   10
  Symmetric Cipher Model                                        13
  Caesar Cipher                                                 14
  Monoalphabetic Ciphers                                        16
  Playfair Cipher                                               17
CHAPTER 3: Mathematical Foundation                              19
  GROUP                                                         19
  Rings                                                         23
  Integral Domains                                              23
  Fields                                                        24
  Modular Arithmetic                                            25
  Euclidean Algorithm                                           30
CHAPTER 4: Modern Symmetric Ciphers                             32
  Block Cipher Modes of Operation                               33
  Shannon Theory of Confusion and Diffusion                     36
  Feistel Cipher                                                37
  The Data Encryption Standard (DES)                            38
  IDEA (International Data Encryption Algorithm)                41
  Advanced Encryption Standard                                  44
CHAPTER 5: Public Key Cryptography                              47
  RSA Cryptosystem                                              47
  Diffie-Hellman Key Exchange                                   49
CHAPTER 6: Authentication Schemes                               52
  Authentication                                                52
  Password Authentication                                       53
  LDAP Authentication                                           53
  Authentication - Biometrics                                   55
  Authentication - PKI (Public Key Infrastructure)              56
  Authentication - Security Tokens                              56
  One-Time Passwords                                            56
  Access Control Cards - Contactless Smart Card                 57
  Authentication - Wireless                                     58
  Digital Signatures                                            58
  Message Authentication Code (MAC)                             59
  Hash Functions (MD5)                                          59
  Secure Hash Algorithm (SHA)                                   59
  Central Authentication Service (CAS)                          60
CHAPTER 7: Network Security                                     61
  Types of Attack                                               61
  Pretty Good Privacy (PGP)                                     63
  IPSec                                                         64
  Secure Sockets Layer (SSL)                                    64
  Secure Electronic Transaction (SET)                           65
  Kerberos                                                      66


CHAPTER 1: Introduction to Cryptography

Cryptography is the study of information hiding and verification. It includes the protocols,
algorithms and strategies to securely and consistently prevent or delay unauthorized access to
sensitive information and enable verifiability of every component in a communication.
Cryptography is derived from the Greek words kryptós, "hidden", and gráphein, "to write", or
"hidden writing". People who study and develop cryptography are called cryptographers.

The study of how to circumvent the use of cryptography, so that unintended recipients can read
protected information, is called cryptanalysis, or codebreaking. Cryptography and cryptanalysis
are sometimes grouped together under the umbrella term cryptology, encompassing the entire
subject. In practice, "cryptography" is also often used to refer to the field as a whole,
especially as an applied science. At the dawn of the 21st century, in an ever more
interconnected and technological world, cryptography became ubiquitous, as did reliance on the
benefits it brings, especially increased security and verifiability.

Cryptography is an interdisciplinary subject, drawing from several fields. Before the time of
computers, it was closely related to linguistics. Nowadays the emphasis has shifted, and
cryptography makes extensive use of technical areas of mathematics, especially those areas
collectively known as discrete mathematics. This includes topics from number theory,
information theory, computational complexity, statistics and combinatorics. It is also a branch
of engineering, but an unusual one as it must deal with active, intelligent and malevolent
opposition.
- Computer Security: generic name for the collection of tools designed to protect data and to
  thwart hackers.
- Network Security: measures to protect data during their transmission.
- Internet Security: measures to protect data during their transmission over a collection of
  interconnected networks.

Common Goals in Cryptography


In essence, cryptography concerns four main goals. They are:
1. message confidentiality (or privacy): Only an authorized recipient should be able to
extract the contents of the message from its encrypted form. This results from steps taken to
hide, stop or delay free access to the encrypted information.
2. message integrity: The recipient should be able to determine if the message has been
altered.
3. sender authentication: The recipient should be able to verify from the message the
identity of the sender, the origin or the path it traveled (or combinations of these), so as to
validate claims made by the emitter or to validate the recipient's expectations.
4. sender non-repudiation: The emitter should not be able to deny sending the message.

Not all cryptographic systems achieve all of the above goals. Some applications of cryptography
have different goals; for example, some situations require repudiation, where a participant can
plausibly deny being the sender or receiver of a message, or extend these goals to include
variations like:
1. message access control: who the valid recipients of the message are.
2. message availability: providing means to limit the validity of the message, channel,
emitter or recipient in time or space.


Basic Terms in Cryptography


Encryption = the process of disguising a message so as to hide the information it contains; this
process can include both encoding and enciphering.

Protocol = an algorithm, defined by a sequence of steps, precisely specifying the actions of
multiple parties in order to achieve an objective.

Plaintext = the message to be transmitted or stored.

Ciphertext = the disguised message.

Alphabet = a collection of symbols, also referred to as characters.

Character = an element of an alphabet.

Bit = a character 0 or 1 of the binary alphabet.

String = a finite sequence of characters in some alphabet.

Encode = to convert a message into a representation in a standard alphabet, such as the
alphabet {A, . . . , Z} or a numerical alphabet.

Decode = to convert the encoded message back to its original alphabet and original form. The
term plaintext will apply to either the original or the encoded form: encoding a message is not
an obscuring process, and its result can be considered equivalent to the plaintext message.

Cipher = a map from a space of plaintext to a space of ciphertext.

Encipher = to convert plaintext into ciphertext.

Decipher = to convert ciphertext back to plaintext.

Stream cipher = a cipher which acts on the plaintext one symbol at a time.

Block cipher = a cipher which acts on the plaintext in blocks of symbols.

Substitution cipher = a stream cipher which acts on the plaintext by substituting the
characters with elements of a new alphabet or by a permutation of the characters in the
plaintext alphabet.

Transposition cipher = a block cipher which acts on the plaintext by permuting the positions of
the characters in the plaintext.

Encryption is the process of turning a clear-text message (Plaintext) into a data stream which
looks like a meaningless and random sequence of bits (ciphertext). The process of turning
ciphertext back into plaintext is called decryption.

Cryptography deals with making communications secure. Cryptanalysis deals with breaking
ciphertext, that is, recovering plaintext without knowing the key. Cryptology is a branch of
mathematics which deals with both cryptography and cryptanalysis.


A cryptographic algorithm, also known as a cipher, is a mathematical function which uses
plaintext as the input and produces ciphertext as the output and vice versa.

All modern ciphers use keys together with plaintext as the input to produce ciphertext. The
same or a different key is supplied to the decryption function to recover plaintext from
ciphertext. The details of a cryptographic algorithm are usually made public. It is the key that
the security of a modern cipher lies in, not the details of the cipher.

Symmetric algorithms use the same key for encryption and decryption. These algorithms
require that both the sender and receiver agree on a key before they can exchange messages
securely.

Some symmetric algorithms operate on 1 bit (or sometimes 1 byte) of plaintext at a time. They
are called stream ciphers. Other algorithms operate on blocks of bits at a time. They are called
block ciphers. Most modern block ciphers use the block size of 64 bits.

Public-key algorithms (also known as asymmetric algorithms) use two different keys (a key pair)
for encryption and decryption. The keys in a key pair are mathematically related, but it is
computationally infeasible to deduce one key from the other. These algorithms are called
"public-key" because the encryption key can be made public. Anyone can use the public key to
encrypt a message, but only the owner of the corresponding private key can decrypt it.

Some public-key algorithms such as RSA allow the process to work in the opposite direction as
well: a message can be encrypted with a private key and decrypted with the corresponding
public key. If Alice (or anyone else) can decrypt a message with Bob's public key she knows that
the message must have come from Bob because no one else has Bob's private key. Digital
signatures work this way.

Generic Model of Secure Communication


A model for much of what we will be discussing is captured, in very general terms, in Figure
below. A message is to be transferred from one party to another across some sort of internet.
The two parties, who are the principals in this transaction, must cooperate for the exchange to
take place. A logical information channel is established by defining a route through the internet
from source to destination and by the cooperative use of communication protocols (e.g.,
TCP/IP) by the two principals.

Figure 1.1 Network Security Model


Security aspects come into play when it is necessary or desirable to protect the information
transmission from an opponent who may present a threat to confidentiality, authenticity, and
so on. All the techniques for providing security have two components:
- A security-related transformation on the information to be sent. Examples include the
  encryption of the message, which scrambles the message so that it is unreadable by the
  opponent, and the addition of a code based on the contents of the message, which can be
  used to verify the identity of the sender.
- Some secret information shared by the two principals and, it is hoped, unknown to the
  opponent. An example is an encryption key used in conjunction with the transformation to
  scramble the message before transmission and unscramble it on reception.

A trusted third party may be needed to achieve secure transmission. For example, a third party
may be responsible for distributing the secret information to the two principals while keeping
it from any opponent. Or a third party may be needed to arbitrate disputes between the two
principals concerning the authenticity of a message transmission.
This general model shows that there are four basic tasks in designing a particular security
service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.

A general model of a different kind of security-related situation is illustrated by the figure
below, which reflects a concern for protecting an information system from unwanted access.
Most readers are familiar with the
concerns caused by the existence of hackers, who attempt to penetrate systems that can be
accessed over a network. The hacker can be someone who, with no malign intent, simply gets
satisfaction from breaking and entering a computer system. Or, the intruder can be a
disgruntled employee who wishes to do damage, or a criminal who seeks to exploit computer
assets for financial gain (e.g., obtaining credit card numbers or performing illegal money
transfers).

Figure 1.2 Network Access Security Model


Another type of unwanted access is the placement in a computer system of logic that exploits
vulnerabilities in the system and that can affect application programs as well as utility
programs, such as editors and compilers. Programs can present two kinds of threats:
- Information access threats intercept or modify data on behalf of users who should
  not have access to that data.
- Service threats exploit service flaws in computers to inhibit use by legitimate users.

OSI Security Architecture


To get a sense of how system security is established, we must know the generally accepted
architecture of security setups. The Open Systems Interconnection (OSI) security architecture
was developed by the ITU-T (International Telecommunication Union - Telecommunication
Standardization Sector). The ITU-T decided that its standard X.800 would be the ISO security
architecture.

This standardized architecture defines security requirements and specifies means by which
these requirements might be satisfied.

The OSI architecture focuses on
i. Security attacks
ii. Security services
iii. Security mechanisms

Network Security Model layer        Exploit type

7) Physical Layer                   Physical break-in
6) VLAN Layer                       Network scanning, local internal
5) ACL Layer                        Network scanning, complete internal
4) Software Layer                   Software-specific exploit (MS03-026)
3) User Layer                       Social engineering of a user
2) Administrative Layer             Social engineering of an administrator
1) IT Department Layer              Social engineering of an IT professional

Types of attacks
An attack is usually perpetrated by someone with bad intentions: black-hat attacks fall in this
category, while others perform penetration testing on an organization's information system to
find out whether all foreseen controls are in place.

Attacks can be classified according to their origin, i.e. whether they are conducted using one
computer or many; in the latter case the attack is called a distributed attack. Botnets are
used to conduct distributed attacks.


Other classifications are according to the procedures used or the type of vulnerabilities
exploited: attacks can concentrate on network mechanisms or on host features.

Some attacks are physical, i.e. theft of or damage to computers and other equipment. Others are
attempts to force changes in the logic used by computers or network protocols in order to
achieve results unforeseen by the original designer but useful to the attacker. Software used
for logical attacks on computers is called malware.

The following is a partial short list of attacks:

Passive
  Network
    a. Wiretapping
    b. Port scan
    c. Idle scan
Active
  Denial-of-service attack
  Spoofing
  Network
    a. Man in the middle
    b. ARP poisoning
    c. Ping flood
    d. Ping of death
    e. Smurf attack
  Host
    a. Buffer overflow
    b. Heap overflow
    c. Stack overflow
    d. Format string attack

Types of Cryptographic Systems


Cryptographic systems can be broadly classified into
- Symmetric Key Systems
- Public Key Systems

Symmetric Key Cryptography


An encryption system in which the sender and receiver of a message share a single, common
key that is used to encrypt and decrypt the message. Symmetric key systems are simpler and
faster, but their main disadvantage is that the two parties must somehow exchange the key in
a secure way. Symmetric key cryptography is also called secret-key cryptography. The most
popular symmetric key algorithm is the Data Encryption Standard.

Public-Key Cryptography
A cryptographic system that uses two keys:
- A public key known to everyone
- A private key or secret key known only to the recipient of the message
For example, when A wants to send a message to B, A uses B's public key to encrypt the
message. B uses the private key to decrypt it.

An important element in this system is that the public and private keys are related in such a
way that only the public key can be used to encrypt the message and only the private key can be
used to decrypt it. Moreover, it is virtually impossible to deduce the private key from
knowledge of the public key.

The most popular public-key cryptography is Pretty Good Privacy (PGP). The only difficulty with
a public-key system is that you need to know the recipient's public key to encrypt a message.

Conventional Encryption Model:


The following figure, on the next page, illustrates the conventional encryption process. The
original plaintext is converted into apparently random nonsense, called ciphertext. The
encryption process consists of an algorithm and a key. The key is a value independent of the
plaintext. The algorithm will produce a different output depending on the specific key being
used at the time. Changing the key changes the output of the algorithm, i.e., the ciphertext.

Once the ciphertext is produced, it may be transmitted. Upon reception, the ciphertext can be
transformed back to the original plaintext by using a decryption algorithm and the same key
that was used for encryption.

Figure 1.3 Conventional Encryption Model

The security of conventional encryption depends on several factors:
- The encryption algorithm: it must be powerful enough that it is impractical to decrypt
  a message on the basis of the ciphertext alone.
- Secrecy of the key: it was shown that the security of conventional encryption depends
  on the secrecy of the key, not the secrecy of the algorithm.

Referring to the figure above, with the message $X$ and the encryption key $K$ as input, the
encryption algorithm forms the ciphertext
$$Y = E_K(X)$$
The intended receiver, in possession of the key, is able to invert the transformation:
$$X = D_K(Y)$$
An opponent, observing $Y$ but not having access to $K$ or $X$, may attempt to recover $X$ or $K$
or both $X$ and $K$. It is assumed that the opponent knows the encryption ($E$) and decryption
($D$) algorithms. If the opponent is interested in only this particular message, then the focus
of the effort is to recover $X$ by generating a plaintext estimate $\hat{X}$. Often, however,
the opponent is interested in being able to read future messages as well, in which case an
attempt is made to recover $K$ by generating an estimate $\hat{K}$.


Cryptanalysis
The process of attempting to discover $X$ or $K$ or both is known as cryptanalysis. The strategy
used by the cryptanalyst depends on the nature of the encryption scheme and the information
available to the cryptanalyst.

The following table summarizes the various types of cryptanalytic attacks based on the amount
of information known to the cryptanalyst.

Figure 1.4 Types of Attacks on Encrypted Message


Attack type          Knowledge known to cryptanalyst

Ciphertext only      - Encryption algorithm
                     - Ciphertext to be decoded

Known plaintext      - Encryption algorithm
                     - Ciphertext to be decoded
                     - One or more plaintext-ciphertext pairs formed with the same secret key

Chosen plaintext     - Encryption algorithm
                     - Ciphertext to be decoded
                     - Plaintext message chosen by cryptanalyst, together with its
                       corresponding ciphertext generated with the same secret key

Chosen ciphertext    - Encryption algorithm
                     - Ciphertext to be decoded
                     - Purported ciphertext chosen by cryptanalyst, together with its
                       corresponding decrypted plaintext generated with the secret key

Chosen text          - Encryption algorithm
                     - Ciphertext to be decoded
                     - Plaintext message chosen by cryptanalyst, together with its
                       corresponding ciphertext generated with the secret key
                     - Purported ciphertext chosen by cryptanalyst, together with its
                       corresponding decrypted plaintext generated with the secret key

Steganography
Steganography (pronounced STEHG-uh-NAH-gruhf-ee, from Greek steganos, or "covered," and
graphie, or "writing") is the hiding of a secret message within an ordinary message and the
extraction of it at its destination. Steganography takes cryptography a step farther by hiding an
encrypted message so that no one suspects it exists. Ideally, anyone scanning your data will fail
to know it contains encrypted data.

In modern digital steganography, data is first encrypted by the usual means and then inserted,
using a special algorithm, into redundant (that is, provided but unneeded) data that is part of
a particular file format such as a JPEG image. Think of all the bits that represent the same color
pixels repeated in a row. By applying the encrypted data to this redundant data in some random
or non-conspicuous way, the result will be data that appears to have the "noise" patterns of
regular, nonencrypted data. A trademark or other identifying symbol hidden in software code
is sometimes known as a watermark.

Recently revived, this formerly obsolete term gained currency in its day (1500) from a work by
Johannes Trithemius, Steganographia, ostensibly a system of angel magic but also claiming to
include a synthesis of how to learn and know things contained within a system of cryptography.
The book was privately circulated but never published by the author because those who read
it found it rather fearsome.


CHAPTER 2: Classical Cipher Scheme


Transposition Ciphers: Moving Around
Changing the positions of plaintext letters is another enciphering technique. It is called
transposition, as in transferring position. Please note that many newspapers have transposition
puzzles called jumbles.

To illustrate this technique, let's do the following example.


Example 1:
Plaintext: last nite was heaven please marry me
We use a 5x6 grid to write the plaintext as (read down the columns):

    L A S T N I
    T E W A S H
    E A V E N P
    L E A S E M
    A R R Y M E

To encipher the text, we only read letters down the first column, then letters down from the
second column, and so on. The ciphered letters are the same as the plaintext letters except
that they are positioned to form a new pattern, as given below.
Ciphertext: LTELA AEAER SWVAR TAESY NSNEM IHPME
To decipher the received ciphertext, the receiver must know two things: the length and width
of the grid and the way letters are read from the grid.

Note 1: The transposition cipher is also known as the permutation cipher. We now give the
mathematical description of the permutation cryptosystem as follows:
Def: Permutation Cipher
Let $m$ be a positive integer. Let $P = C = (Z_{26})^m$ and let $K$ consist of all permutations
of $\{1, \ldots, m\}$. For a key (i.e., a permutation) $\pi$, we define
$$e_\pi(x_1, \ldots, x_m) = (x_{\pi(1)}, \ldots, x_{\pi(m)})$$ and
$$d_\pi(y_1, \ldots, y_m) = (y_{\pi^{-1}(1)}, \ldots, y_{\pi^{-1}(m)}),$$
where $\pi^{-1}$ is the inverse permutation to $\pi$.
Example 2: Suppose $m = 6$ and the key is the following permutation $\pi$:

    x        1 2 3 4 5 6
    π(x)     3 6 1 5 2 4

Note that the first row of this diagram lists the values of $x$, $1 \le x \le 6$, and the
second row lists the corresponding values of $\pi(x)$.

The inverse permutation $\pi^{-1}$ can be constructed by interchanging the two rows in this
diagram and rearranging the columns so that the first row is in increasing order. Carrying out
these operations, we get the following decryption permutation $\pi^{-1}$:

    x        1 2 3 4 5 6
    π^-1(x)  3 5 1 6 4 2
Now, suppose we are given the plaintext
Plaintext: she sells seashells by the seashore

We first partition the plaintext into groups of six letters, and then rearrange each group of
six letters according to the permutation $\pi$. The result is shown in the following grid
(columns numbered 1 to 6):

    1 2 3 4 5 6
    E E S L S H
    S A L S E S
    L S H B L E
    H S Y E E T
    H R A E O S

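The two ciphers of this section in code, added here as an illustration (this is not code from the notes): the columnar transposition of Example 1, including grids whose last row is short so that the decryptor must rebuild the column heights, and the permutation cipher of the Definition with decryption through π^-1; columnar_as_perm gives the permutation that a full rows x cols grid performs, showing the grid method as a special case of the Definition. Applying the Definition's formula with the listed inverse permutation (3, 5, 1, 6, 4, 2) reproduces the grid of Example 2 letter for letter, which is the same as moving the letter at position i to position π(i) for π = (3, 6, 1, 5, 2, 4).

```python
def _letters(text):
    """Keep only letters, upper-cased: the notes write grids without spaces."""
    return [c.upper() for c in text if c.isalpha()]


def columnar_encrypt(plaintext, cols):
    """Example 1: write the text row by row into a grid `cols` wide, then read
    it out column by column. A short last row is allowed; the affected columns
    are then one letter shorter, which columnar_decrypt must account for."""
    letters = _letters(plaintext)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[c] for c in range(cols) for row in rows if c < len(row))


def columnar_decrypt(ciphertext, cols):
    """Rebuild the grid: the first len(ciphertext) % cols columns are one
    letter taller than the rest, then read the grid back row by row."""
    n = len(ciphertext)
    full_rows, extra = divmod(n, cols)
    grid = [[""] * cols for _ in range(full_rows + (1 if extra else 0))]
    pos = 0
    for c in range(cols):
        for r in range(full_rows + (1 if c < extra else 0)):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def perm_encrypt(plaintext, perm):
    """Permutation cipher of the Definition: for each block of m = len(perm)
    letters, e_pi(x_1..x_m) = (x_pi(1), ..., x_pi(m)); `perm` is 1-based."""
    m = len(perm)
    letters = _letters(plaintext)
    if len(letters) % m:
        raise ValueError("text length must be a multiple of %d" % m)
    return "".join(letters[i + perm[j] - 1]
                   for i in range(0, len(letters), m) for j in range(m))


def inverse_perm(perm):
    """pi^-1: swap the two rows of the permutation table and re-sort by x."""
    inv = [0] * len(perm)
    for x, px in enumerate(perm, start=1):
        inv[px - 1] = x
    return inv


def perm_decrypt(ciphertext, perm):
    """d_pi is e_{pi^-1}: decrypt by applying the inverse permutation."""
    return perm_encrypt(ciphertext, inverse_perm(perm))


def columnar_as_perm(rows, cols):
    """The permutation (block size rows*cols) that a full rows x cols columnar
    transposition performs: output position c*rows + r takes the letter at
    grid cell (r, c), i.e. plaintext position r*cols + c (1-based below)."""
    return [r * cols + c + 1 for c in range(cols) for r in range(rows)]


if __name__ == "__main__":
    pt = "last nite was heaven please marry me"
    print(columnar_encrypt(pt, 6))                     # LTELAAEAERSWVARTAESYNSNEMIHPME
    print(inverse_perm([3, 6, 1, 5, 2, 4]))            # [3, 5, 1, 6, 4, 2]
    print(perm_encrypt("shesellsseashellsbytheseashore", [3, 5, 1, 6, 4, 2]))
```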
Hill Cipher
Another interesting multi-alphabetic cipher is the Hill cipher, developed by the mathematician
Lester Hill in 1929. The idea is based on a linear transformation. In fact, the permutation
cipher is a special case of the Hill cipher.

In this scheme, we take $m$ linear combinations of $m$ successive plaintext characters and
produce $m$ ciphertext letters from them. The substitution is determined by $m$ linear equations
in which each letter is assigned its numerical value, i.e. $\{0, 1, 2, \ldots, 25\} = Z_{26}$.
For m = 3, the system can be described as follows:

$$y_1 \equiv (k_{11} x_1 + k_{12} x_2 + k_{13} x_3) \bmod 26$$
$$y_2 \equiv (k_{21} x_1 + k_{22} x_2 + k_{23} x_3) \bmod 26$$
$$y_3 \equiv (k_{31} x_1 + k_{32} x_2 + k_{33} x_3) \bmod 26$$

This can be expressed in terms of column vectors and matrices:
$$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} =
\begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix}
\begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix}$$
or in compact form
$$Y = KX$$
where $Y$ and $X$ are column vectors of length 3, representing the ciphertext and plaintext
letters, and $K$ is a $3 \times 3$ matrix, representing the encryption key. Operations are
performed mod 26. Decryption requires using the inverse of the matrix $K$.

Example 1: Consider the plaintext paymoremoney, and use the encryption key
$$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$$
Find the resulting ciphertext.

Solution:
Plaintext: paymoremoney

The first three letters of the plaintext, p a y, are represented by the vector
$(x_1, x_2, x_3) = (15, 0, 24)$. Thus:
$$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} = K \begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} =
\begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}
\begin{pmatrix} 15 \\ 0 \\ 24 \end{pmatrix}$$

That is:
$$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} =
\begin{pmatrix} 375 \\ 819 \\ 486 \end{pmatrix} \bmod 26 =
\begin{pmatrix} 11 \\ 13 \\ 18 \end{pmatrix} =
\begin{pmatrix} L \\ N \\ S \end{pmatrix}$$
Continuing in this fashion, the ciphertext for the entire plaintext is:
Ciphertext: LNSHDLEWMTRW
Q.E.D.
Decryption requires using the inverse of the matrix $K$. The inverse $K^{-1}$ of a matrix $K$ is
defined by the equation $KK^{-1} = K^{-1}K = I$, where $I$ is the identity matrix: all zeros
except for ones along the main diagonal from upper left to lower right.

Note 2: The inverse of a matrix does not always exist, but when it does, it satisfies the preceding
equation.

Exercise 1: Show that the inverse of the matrix $K$ used in the above example is
$$K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$

Note 3: It is easily shown that if the matrix $K^{-1}$ is applied to the above resulting
ciphertext, then the plaintext is recovered.

Exercise 2: A cryptanalyst receives the following ciphertext:

LNSHDLEWMTRW

He has also estimated the decryption matrix for this Hill cipher from some previous analysis
to be:
$$K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$$
What is the plaintext?

We now give a precise description of the Hill Cipher over Z26.

Definition: Hill Cipher Cryptosystem

Let $m \ge 2$ be an integer, let $P = C = (Z_{26})^m$ and let
$$K = \{\, m \times m \text{ invertible matrices over } Z_{26} \,\}.$$
For a key $K$, we define:
$$C = E_K(P) = KP$$
$$P = D_K(C) = K^{-1}C = K^{-1}KP = P$$

Note 1: Hill Cipher completely hides single-letter frequencies. Use of a larger matrix hides more
frequency information.

Note 2: The weakness of the Hill Cipher is that it is easily broken with a known plaintext attack.

To show this, suppose we have m plaintext-ciphertext pairs, each of length m. For the attack it is
convenient to write each block as a row vector, so that encryption reads C_j = P_j K; this K is the
transpose of the key matrix in the column-vector form C = KP used above.

Let
    P_j = (P_1j, P_2j, ..., P_mj)
    C_j = (C_1j, C_2j, ..., C_mj)

Therefore, we can write

    C_j = P_j K,   1 ≤ j ≤ m

for the unknown key matrix K.

We now define the following two m×m square matrices, whose rows are the P_j and the C_j:

    X = (P_ij)
    Y = (C_ij)

Then, we can form the matrix equation Y = XK.

Now, we can find the unknown key matrix K from the equation K = X^-1 Y (mod 26), provided X is
invertible mod 26, i.e. det X is coprime to 26. If it is not, the attacker simply picks a different set
of m plaintext-ciphertext blocks.
Let us illustrate the above attack by a simple example.

Example 2: It is known that the plaintext friday is encrypted using a 2×2 Hill Cipher to
yield the ciphertext PQCFKU. Find the key matrix K for this cryptosystem.

Solution:

    Plaintext:   f   r   i   d   a   y
    P_ij:        5  17   8   3   0  24
    Ciphertext:  P   Q   C   F   K   U
    C_ij:       15  16   2   5  10  20

With the unknown key matrix K, each plaintext-ciphertext pair (as row vectors) satisfies

    P_j K = C_j,   1 ≤ j ≤ m

Using the first two plaintext-ciphertext pairs, we can write the following matrix equation:

    5 17        15 16
    8  3  K  =   2  5    (mod 26)

Hence

          5 17  -1   15 16
    K  =  8  3     ·  2  5    (mod 26)

          9  1     15 16
       =  2 15  ·   2  5    (mod 26)

          7 19
       =  8  3

(Here det [5 17; 8 3] = 15 - 136 = -121 ≡ 9 (mod 26), and 9^-1 ≡ 3 (mod 26) since 9·3 = 27 ≡ 1, which gives
the inverse matrix above.) Therefore, we obtained the key matrix! The result can be verified by testing the
remaining plaintext-ciphertext pair: (0, 24) K = (192, 72) ≡ (10, 20) (mod 26) = KU.
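The following is an added example, not code from the lecture notes: a Hill cipher over Z26 with a general modular matrix inverse (adjugate divided by the determinant), used for Example 1 (encryption and decryption with the 3×3 key) and for the known-plaintext key recovery of Example 2. Blocks are column vectors (C = KP) as in the definition above; the recovered row-form matrix is transposed into that convention. The matrix inverse returns None when the determinant shares a factor with 26, which is the condition noted in Note 2.

```python
# Added example (not from the lecture notes): Hill cipher over Z26 with a
# general modular matrix inverse, plus the known-plaintext key recovery of
# Example 2.  Blocks are column vectors (C = K P) as in Example 1; the attack
# works on row vectors (C = P K), so the matrix it recovers is transposed back.
from math import gcd

MOD = 26


def text_to_nums(text):
    return [ord(c) - ord('a') for c in text.lower() if c.isalpha()]


def nums_to_text(nums):
    return ''.join(chr(n % MOD + ord('A')) for n in nums)


def det(m):
    """Integer determinant by Laplace expansion along the first row."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det(minor)
    return total


def mat_inv_mod(m, mod=MOD):
    """Inverse of a square matrix over Z_mod via the adjugate.

    Returns None when gcd(det(m), mod) != 1: then no inverse exists, so the
    matrix is not a valid Hill key (Note 2 above)."""
    n = len(m)
    d = det(m) % mod
    if gcd(d, mod) != 1:
        return None
    d_inv = pow(d, -1, mod)                       # Python 3.8+ modular inverse
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]
            cofactor = (-1) ** (i + j) * det(minor) if n > 1 else 1
            adj[j][i] = cofactor                  # adjugate = transposed cofactors
    return [[(adj[i][j] * d_inv) % mod for j in range(n)] for i in range(n)]


def mat_mul(a, b, mod=MOD):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % mod
             for j in range(len(b[0]))] for i in range(len(a))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def hill_encrypt(plaintext, key):
    """C = K P on column vectors, one block of len(key) letters at a time."""
    m = len(key)
    nums = text_to_nums(plaintext)
    if len(nums) % m:
        raise ValueError("plaintext length must be a multiple of the block size")
    out = []
    for i in range(0, len(nums), m):
        block = [[x] for x in nums[i:i + m]]      # column vector
        out.extend(row[0] for row in mat_mul(key, block))
    return nums_to_text(out)


def hill_decrypt(ciphertext, key):
    inv = mat_inv_mod(key)
    if inv is None:
        raise ValueError("key matrix is not invertible mod 26")
    return hill_encrypt(ciphertext, inv).lower()


def recover_key_known_plaintext(plaintext, ciphertext, m):
    """Known-plaintext attack: m blocks give X (rows P_j) and Y (rows C_j)
    with Y = X K_row, so K_row = X^-1 Y.  Returned in the column-vector
    convention of hill_encrypt (K = K_row^T); None if X is singular mod 26."""
    p, c = text_to_nums(plaintext), text_to_nums(ciphertext)
    x = [p[i:i + m] for i in range(0, m * m, m)]
    y = [c[i:i + m] for i in range(0, m * m, m)]
    x_inv = mat_inv_mod(x)
    if x_inv is None:
        return None
    return transpose(mat_mul(x_inv, y))


K3 = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]      # key from Example 1

if __name__ == "__main__":
    ct = hill_encrypt("paymoremoney", K3)
    print(ct, hill_decrypt(ct, K3))                # LNSHDLEWMTRW paymoremoney
    k2 = recover_key_known_plaintext("friday", "PQCFKU", 2)
    print(transpose(k2), hill_encrypt("friday", k2))   # [[7, 19], [8, 3]] PQCFKU
```

The attack needs only m blocks whose plaintext matrix X is invertible mod 26; a singular X (even determinant, or a multiple of 13) yields None, and the attacker moves on to another set of blocks.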

Note 3: From the above example and the other examples worked out so far, we may conclude that
neither substitution nor transposition ciphers on their own are strong enough to withstand
cryptanalytic attack. Using the two types together creates much better concealment than either
method alone; in fact, applying substitution and transposition repeatedly to the ciphertext
(a product cipher) provides much stronger disguising of the plaintext structure.

Exercise 2: Why are transposition ciphers used if they are so easy to crack?

Answer: A transposition can be viewed as a set of instructions, one instruction for each
letter, that is easily implemented by a computer and can be difficult to crack if it is repeatedly
applied to the same plaintext!

Exercise 3: Repeat the transposition cipher used in Exercise 1 (on page 17) twice for the
plaintext used:

Solution:
Plaintext: lastnitewasheavenpleasemarryme
1st transposed ciphertext: LTELAAEAERSWVARTAESYNSNEMIHPME
2nd transposed ciphertext: LEVSMTAAYIEERNHLRTSPASANMAWEEE

    last nite was heaven please marry me        LTELA AEAER SWVAR TAESY NSNEM IHPME

    Read down   L A S T N I                     L T E L A A
                T E W A S H                     E A E R S W
                E A V E N P                     V A R T A E
                L E A S E M                     S Y N S N E
                A R R Y M E                     M I H P M E

    (a) 1st transposed cipher.                  (b) The ou
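An added example, not from the lecture notes, of the write-in-rows / read-down-columns transposition of Exercise 3, applied once and then to its own output, with its inverse. It also computes the net position permutation of the repeated cipher, which shows the caveat to the answer above: two (or more) applications of the same transposition are still one fixed permutation of letter positions, so repetition does not enlarge the key space. Padding a short last row with X is an assumption, since the notes only show the full-rectangle case.

```python
# Added example (not from the lecture notes): the columnar transposition of
# Exercise 3, applied repeatedly, and its net effect as a single permutation.
def columnar(items, cols):
    """Write `items` row by row into `cols` columns, then read the columns top
    to bottom, left to right.  Requires len(items) to be a multiple of cols."""
    if len(items) % cols:
        raise ValueError("length must be a multiple of the column count")
    rows = [items[i:i + cols] for i in range(0, len(items), cols)]
    return [row[j] for j in range(cols) for row in rows]


def uncolumnar(items, cols):
    """Inverse of columnar(): the input is the columns; rebuild the rows."""
    nrows = len(items) // cols
    columns = [items[i:i + nrows] for i in range(0, len(items), nrows)]
    return [columns[j][i] for i in range(nrows) for j in range(cols)]


def transpose_once(text, cols):
    letters = [c.upper() for c in text if c.isalpha()]
    while len(letters) % cols:          # assumption: pad a short last row with X
        letters.append('X')
    return ''.join(columnar(letters, cols))


def transpose_repeated(text, cols, times):
    for _ in range(times):
        text = transpose_once(text, cols)
    return text


def untranspose_repeated(ciphertext, cols, times):
    for _ in range(times):
        ciphertext = ''.join(uncolumnar(list(ciphertext), cols))
    return ciphertext


def position_permutation(length, cols, times):
    """The net effect of `times` transpositions as one permutation of positions:
    ciphertext[i] == plaintext[perm[i]].  Repeating the transposition is still
    a single fixed permutation, so repetition does not enlarge the key space."""
    perm = list(range(length))
    for _ in range(times):
        perm = columnar(perm, cols)
    return perm


if __name__ == "__main__":
    pt = "lastnitewasheavenpleasemarryme"
    print(transpose_once(pt, 6))            # LTELAAEAERSWVARTAESYNSNEMIHPME
    print(transpose_repeated(pt, 6, 2))     # LEVSMTAAYIEERNHLRTSPASANMAWEEE
    print(position_permutation(30, 6, 2))
```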

Symmetric Cipher Model


Symmetric (conventional) encryption scheme has the following ingredients

Figure 2.1 Simplified Model of Symmetric Encryption


There are 2 requirements for secure use of conventional encryption:
a. We need a strong encryption algorithm: the opponent should be unable to decrypt
ciphertext or to discover the key even if s/he is in possession of a number of
ciphertexts together with the plaintext that produced each ciphertext.
b. Sender and receiver must have obtained copies of the secret key in a secure fashion
and must keep the key secure. If someone can discover the key and knows the
algorithm, all communication using this key is readable.

We assume that it is impractical to decrypt a message on the basis of the ciphertext plus
knowledge of the encryption/decryption algorithm, i.e. we do not need to keep the algorithm
secret; we need to keep only the key secret.

Let's consider the essential elements of a symmetric encryption scheme:

We can write:
    Y = E_K(X)
    X = D_K(Y)

The opponent knows Y, E and D. He may be interested in recovering X and/or K. Knowledge of K gives him
the opportunity to read future messages.

Caesar Cipher
It was used by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet
with the letter standing three places further down the alphabet
For example
Plain: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Transformation is made using the following mapping:

Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter from 0 to 25. Then the algorithm may be
expressed as follows. For each plaintext letter p, substitute the ciphertext letter C:
C=E(p)=(p+3) mod 26
A shift may be of any amount, so that general Caesar algorithm is
C=E(p)=(p+k) mod 26,
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p=D(C)=(C-k) mod 26
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily
performed: simply try all possible 25 keys.

Three important characteristics of this problem enable us to use brute-force cryptanalysis:


1. The encryption and decryption algorithms are known
2. There are only 25 keys to try
3. The language of the plaintext is known and easily recognizable

In most networking situations algorithms are assumed to be known. Brute-force analysis is
impractical when the algorithm employs a large number of keys. The 3rd characteristic is also
significant: if the language of the plaintext is not known, then the plaintext output may not be
recognizable.

Figure 2.2 Brute-Force Cryptanalysis of Caesar Cipher

Furthermore, if the input is compressed in some manner, recognition is again difficult. Below
is an example of text compressed by ZIP:

Figure 2.3 Sample of Compressed Text


If this file is then encrypted with a simple substitution cipher (expanded to include more than
just 26 characters), then the plaintext may not be recognized

Monoalphabetic Ciphers
With only 25 keys the Caesar cipher is far from secure. A dramatic increase in the key space may
be achieved by allowing an arbitrary substitution. If instead of
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

the cipher line can be any permutation of the 26 alphabetic symbols, then there are 26!, or
more than 4×10^26, possible keys. There is, however, another line of attack. If the cryptanalyst
knows the nature of the plaintext (e.g., non-compressed English text), then the analyst can
exploit the regularities of the language.

Let's consider an example ciphertext:


UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

As a first step, relative frequency of the letters can be determined and compared to a standard
frequency distribution for English:

Figure 2.4 Relative Frequency of Letters in English Text

The relative frequencies of the letters in the ciphertext (in percentages):


P 13.33 H 5.83 F 3.33 B 1.67 C 0.00
Z 11.67 D 5.00 W 3.33 G 1.67 K 0.00
S 8.33 E 5.00 Q 2.50 Y 1.67 L 0.00
U 8.33 V 4.17 T 2.50 I 0.83 N 0.00
O 7.50 X 4.17 A 1.67 J 0.83 R 0.00
M 6.67

Comparing this with Figure 2.4, it seems likely that cipher letters P and Z are the equivalents of
plain letters e and t, but it is not certain which is which. The letters S, U, O, M and H are all of
relatively high frequency and probably correspond to plain letters from the set
{a, h, i, n, o, r, s}. The letters with the lowest frequencies (A, B, G, Y, I, J) are likely included in the set
{b, j, k, q, v, x, z}. Now we could make some tentative assignments and start to fill in plaintext to see
if it looks like a reasonable skeleton of a message.

Another approach is to consider the frequency of two-letter combinations, known as digrams. The most
common digram in English is th. In our ciphertext, the most common digram is ZW, which appears 3
times. So we make the correspondence Z → t, W → h. Then P is equated with e. Now notice that the
sequence ZWP appears in the ciphertext, and we can translate it as the. Next, notice ZWSZ in
the first line. If these letters form a complete word, it will be th_t. If so, S equates with a. So far, then,
we have (with _ marking a letter not yet assigned):

    UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
    _t_a________e__e_te__a_that_e_e_a_______a___t
    VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
    ___e_t___ta_t_ha_e_ee__a_e__th____t__a_
    EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
    _e__e_e_tat__e___the__et____________
Continued analysis of frequencies plus trial and error may lead us to the solution:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in Moscow
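An added example, not from the lecture notes, covering both attacks above: the brute-force attack on the Caesar cipher (all 25 keys tried, each candidate scored against standard English letter frequencies with a chi-squared statistic, so that the "recognizable language" test of characteristic 3 is automated) and the letter and digram tallies that started the monoalphabetic analysis. The English frequency table holds the standard published percentages; the sample texts are the ones used in the notes.

```python
# Added example (not from the lecture notes): Caesar brute force scored by
# English letter frequencies, plus the letter/digram counts used above.
from collections import Counter

# Percent frequencies of letters in English text (standard published values).
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228,
    'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025,
    'm': 2.406, 'n': 6.749, 'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987,
    's': 6.327, 't': 9.056, 'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150,
    'y': 1.974, 'z': 0.074,
}


def _shift(text, k, upper):
    """C = (p + k) mod 26 on letters; non-letters are kept as they are."""
    out = []
    for ch in text:
        if ch.isalpha():
            n = (ord(ch.lower()) - ord('a') + k) % 26
            out.append(chr(n + (ord('A') if upper else ord('a'))))
        else:
            out.append(ch)
    return ''.join(out)


def caesar_encrypt(plaintext, k):
    return _shift(plaintext, k, upper=True)        # ciphertext in upper case


def caesar_decrypt(ciphertext, k):
    return _shift(ciphertext, -k, upper=False)     # plaintext in lower case


def letter_counts(text):
    return Counter(c.upper() for c in text if c.isalpha())


def digram_counts(text):
    letters = [c.upper() for c in text if c.isalpha()]
    return Counter(a + b for a, b in zip(letters, letters[1:]))


def chi_squared(text):
    """Distance of the letter distribution of `text` from English (lower = closer)."""
    counts = letter_counts(text)
    n = sum(counts.values())
    return sum((counts.get(c.upper(), 0) - n * f / 100) ** 2 / (n * f / 100)
               for c, f in ENGLISH_FREQ.items())


def brute_force_caesar(ciphertext):
    """Try all 25 keys and return (key, plaintext) with the most English-like score."""
    scored = [(chi_squared(caesar_decrypt(ciphertext, k)), k) for k in range(1, 26)]
    _, k = min(scored)
    return k, caesar_decrypt(ciphertext, k)


# Constructed sample: the ciphertext analysed in the monoalphabetic section.
MONO_CT = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
           "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
           "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")

if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    print(brute_force_caesar(ct))               # (3, 'meet me after the toga party')
    print(letter_counts(MONO_CT).most_common(5))
    print(digram_counts(MONO_CT)['ZW'])         # 3
```

The chi-squared score is what makes the brute force work without a human looking at 25 candidates; it fails in exactly the situations the text lists, i.e. when the plaintext is not natural language or has been compressed first.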

Two principal methods are used in substitution ciphers to lessen the extent to which the
structure of the plaintext survives in the ciphertext: One approach is to encrypt multiple letters
of the plaintext (Playfair Cipher, Hill Cipher), and the other is to use multiple cipher alphabets
(Polyalphabetic Ciphers)

Playfair Cipher
The best-known multiple-letter encryption cipher is the Playfair (invented in 1854 by Sir Charles
Wheatstone, but it bears the name of his friend Baron Playfair of St. Andrews, who championed
the cipher at the British foreign office), which treats digrams in the plaintext as single units and
translates these units into ciphertext digrams.

The Playfair algorithm is based on the use of a 5x5 matrix of letters constructed using a
keyword. In the case of keyword monarchy, matrix is as follows:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to
right and from top to bottom, and then filling in the remainder of the matrix with the remaining
letters in alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two
letters at a time, according to the following rules:
a. Repeating plaintext letters that would fall in the same pair are separated with a filler
letter, such as x, so that balloon will be treated as ba lx lo on
b. Plaintext letters that fall in the same row of the matrix are each replaced with the
letter to the right, with the first element of the row circularly following the last. For
example, ar is encrypted as RM.
c. Plaintext letters that fall in the same column are each replaced by the letter beneath,
with the top element of the column circularly following the last. For example, mu is
encrypted as CM.
d. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and
the column occupied by the other plaintext letter. Thus, hs becomes BP, and ea
becomes IM (or JM, as the encipherer wishes).
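An added example, not from the lecture notes, implementing the Playfair matrix construction and rules (a) to (d) above for the keyword monarchy, with decryption of rules (b) to (d). Using q as the filler when the doubled letter is itself x (so that no xx pair can arise) is an assumption the notes do not spell out.

```python
# Added example (not from the lecture notes): Playfair encryption/decryption
# following the 5x5 matrix construction and rules (a)-(d) of the notes.
def playfair_matrix(keyword):
    """Keyword letters (without duplicates), then the rest of the alphabet,
    with I and J merged into I."""
    seen = []
    for ch in keyword.lower() + 'abcdefghiklmnopqrstuvwxyz':
        ch = 'i' if ch == 'j' else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:r * 5 + 5] for r in range(5)]


def playfair_digraphs(plaintext):
    """Rule (a): split into pairs, separating doubled letters with a filler
    and padding an odd final letter."""
    letters = ['i' if c == 'j' else c for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            filler = 'x' if a != 'x' else 'q'   # assumption: avoid an 'xx' pair
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _positions(matrix):
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def playfair_pair(matrix, pos, a, b, step):
    """Encrypt (step=1) or decrypt (step=-1) one digraph with rules (b)-(d)."""
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                   # (b) same row: move right/left
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:                                   # (c) same column: move down/up
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]         # (d) rectangle: swap columns


def playfair_encrypt(plaintext, keyword):
    matrix = playfair_matrix(keyword)
    pos = _positions(matrix)
    return ''.join(playfair_pair(matrix, pos, a, b, 1)
                   for a, b in playfair_digraphs(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword):
    """Undo rules (b)-(d); fillers inserted by rule (a) are left in place."""
    matrix = playfair_matrix(keyword)
    pos = _positions(matrix)
    letters = ciphertext.lower()
    return ''.join(playfair_pair(matrix, pos, letters[i], letters[i + 1], -1)
                   for i in range(0, len(letters), 2))


if __name__ == "__main__":
    for row in playfair_matrix("monarchy"):
        print(' '.join(row))
    print(playfair_digraphs("balloon"))                  # ['ba', 'lx', 'lo', 'on']
    print(playfair_encrypt("balloon", "monarchy"))       # IBSUPMNA
    print(playfair_decrypt("IBSUPMNA", "monarchy"))      # balxloon
```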

Since the number of digrams (26×26 = 676) is much greater than the number of single letters (26),
identifying individual digrams by frequency analysis is much more difficult. For these reasons, the
Playfair cipher was for a long time considered unbreakable. It was used as the standard field system
by the British Army in World War I and still enjoyed considerable use by the U.S. Army and other
Allied forces during World War II.

Despite this level of confidence in its security, the Playfair cipher is relatively easy to break
because it still leaves much of the structure of the plaintext language intact. A few hundred
letters of ciphertext are generally sufficient.

CHAPTER 3: Mathematical Foundation


GROUP
Definition and Elementary Properties
A group is a set G and a binary operation with the following properties:
1. The operation is associative, i.e., (ab)c = a(bc) for any a, b and c ∈ G.
2. There is a special element e of G called a left identity, such that ea = a for all a ∈ G. (This
implies that a group must have at least one element.)
3. Every a ∈ G has a left inverse a^-1 such that a^-1 a = e.

A set is said to be a group under a particular operation if the operation obeys these conditions.
For example, the integers Z are a group under addition, but not under multiplication (because
left inverses do not exist for most integers).

Associativity can easily be extended to operations on four or more elements. For example,
(ab)(cd) = a(b(cd)) = a((bc)d).

The operation is not necessarily commutative. However, we can prove that the operations in
properties (2) and (3) are commutative, so that every left identity is also a right identity and
every left inverse is also a right inverse.

Theorem 1.1. Every element in a group G commutes with its left inverse, i.e., a a^-1 = e for every a ∈ G.
Proof. Let (a^-1)^-1 be the left inverse of a^-1. Then (a^-1)^-1 a^-1 = e.
Consider (a^-1)^-1 a^-1 a a^-1. We associate it in two ways:
    (a^-1)^-1 a^-1 a a^-1 = ((a^-1)^-1 a^-1)(a a^-1) = e(a a^-1) = a a^-1,
    (a^-1)^-1 a^-1 a a^-1 = (a^-1)^-1((a^-1 a) a^-1) = (a^-1)^-1(e a^-1) = (a^-1)^-1 a^-1 = e,
and the desired result follows.

Theorem 1.2. Every element in a group G commutes with the identity, i.e., ae = a for every a ∈ G.
Proof. This is easily proven by using associativity and the previous theorem:
    ae = a(a^-1 a) = (a a^-1)a = ea = a.

Since there is no difference between left and right identities and inverses, they are called simply
identities and inverses.

Theorem 1.3. A group has only one identity and each element has only one inverse.
Proof. Let f be an identity. Then fe = e. But fe = f because the left identity e is also a right identity.
Hence f = e.
Let b be an inverse for a. Then ba = e. Postmultiplying by a^-1 yields
    (ba)a^-1 = e a^-1,
    b(a a^-1) = a^-1,
    be = a^-1,
    b = a^-1.

The identity is its own inverse. However, it may not be unique in this respect. For example, the
set of all nonzero real numbers is a group under multiplication. The identity 1 is its own inverse,
but so is -1.

If a group contains only a finite number of elements, the number of elements is called the order
of the group.

Two groups G and H are isomorphic if there is a one-to-one correspondence f : G → H which
preserves the group operation, i.e., for every a and b ∈ G, f(ab) = f(a)f(b).

Such a function is called an isomorphism. Although an isomorphism is required to preserve only
the group operation, it is fairly easy to prove that it also preserves the identity and inverses:
    f(e) = e,
    f(a^-1) = f(a)^-1.

Of course, in f(e) = e, the first e refers to the identity of the first group, and the second e refers
to the identity of the second group.

There are many examples of groups. The set of real numbers is a group under addition, but not
under multiplication because zero has no inverse. The set {0, 1, ..., N-1} is a group under addition
modulo N. The set of all permutations of a set is a group under composition. If the set has n
elements, the group is called the symmetric group and is usually represented by Sn.
Subgroups
A subset H of a group G is called a subgroup if it is a group with the same binary operation,
which is the case when
H is closed under the group operation, i.e., when a ∈ H and b ∈ H then ab ∈ H;
if a ∈ H then a^-1 ∈ H; and
the group identity e ∈ H. (This can be deduced from the first two conditions if H is
nonempty.)

The smallest subgroup contains only the identity element, and the largest is the group itself.

In any group, we can define an operation analogous to exponentiation in ordinary arithmetic.
Let a be a group element and n a positive integer. Then define
    a^n = aaa...a (n factors),
    a^0 = e,
    a^-n = (a^n)^-1.
It is easy to show that this operation obeys the following rules of exponentiation, where m and
n are any integers:
    a^(m+n) = a^m a^n,
    a^(mn) = (a^m)^n.
The set of all powers of a group element a is a subgroup called the subgroup generated by a.

Theorem 2.1. The subgroup generated by an element of a group is isomorphic to the integers Z
under addition or to {0, 1, ..., r-1} under addition modulo r for some positive integer r, which is
called the order of the element.
Proof. Let H be the subgroup generated by a. If a is the identity, the result is obvious and its order is 1.

If the powers of a are all distinct, then H is isomorphic to Z, where the isomorphism
f : Z → H is defined by
    f(n) = a^n.
If the powers of a are not all distinct, then let m and n be two integers with m < n and
    a^m = a^n.
Then multiply by a^-m to obtain:
    e = a^(n-m).
Let r be the smallest positive integer such that
    a^r = e.
By the division algorithm, n = rq + s for any integer n, where 0 <= s < r. Hence
    a^n = a^(rq) a^s = (a^r)^q a^s = e^q a^s = a^s.

Hence {e, a, a^2, ..., a^(r-1)} constitute the entire subgroup. These elements are all distinct; assume,
for the purpose of contradiction, that
    a^m = a^n,  0 <= m < n < r.
Then
    a^(n-m) = e,
which is impossible because n-m is a positive integer less than r.
It is fairly easy to show that {e, a, a^2, ..., a^(r-1)} form a subgroup isomorphic to {0, 1, ..., r-1} under
addition modulo r.

For finite groups, the following theorem, called Lagrange's Theorem, gives a simple relation
between the order of the group and the orders of its subgroups.

Theorem 2.2. The order of a subgroup of a finite group divides the order of the group.
Proof. Let H be a subgroup of the finite group G. For any a ∈ G, the coset of H with respect to a
is {ax | x ∈ H}, which we shall call coset(a).

The union of all cosets is G, since every a ∈ G belongs to coset(a).

An element of coset(a) can be expressed as ax for only one value of x in H; for if ax = ay then
a^-1 ax = a^-1 ay, ex = ey, and x = y. Therefore, every coset contains the same number of elements as
H. (Notice that H itself is coset(e).)

Suppose coset(a) and coset(b) have an element in common. Then ax = by for some x and y ∈ H.
Then any other element az ∈ coset(a) is also in coset(b) because
    az = a x x^-1 z = b y x^-1 z

and y x^-1 z is in H. Similarly, every element of coset(b) is also in coset(a), and the two cosets are
identical.

Hence the number of elements in G is the product of the number of elements in H (or any other
coset) and the number of cosets.

Corollary 2.3. The order of an element of a finite group divides the order of the group.
Corollary 2.4. If the order of a finite group is a prime number p, then the group is isomorphic to
Zp.
Classification of Finite Groups
The classification of finite groups is a large and interesting topic in mathematics. Groups that
are isomorphic to each other are not considered different, so we will often speak of isomorphic
groups as the same. If groups with a particular property are all isomorphic to each other, we
will speak of the group with that property.

A group isomorphic to Zn (the integers {0, 1, ..., n-1} under addition modulo n) is called the cyclic
group of order n, and it is often written as Cn.

It is clear that the only groups of order 1, 2 and 3 are C1, C2 and C3, respectively. More generally,
if p is a prime number, then the only group of order p is Cp.

Consider the following operation on the cross product G × H of two groups:

    (a,b)(c,d) = (ac, bd).

It is fairly easy to show that this is a group. If G and H are finite, G × H is also finite and its order
is the product of the orders of G and H. Moreover, the order of an element (a,b) is the least
common multiple of the orders of a and b.

There are at least two groups of order 4: C4 and C2 × C2. These two groups are not isomorphic,
because C4 has an element of order 4 and C2 × C2 does not. It can be shown that these are the
only groups of order 4.

The symmetric group Sn of permutations of a set with n elements is a group of order n!. The set
of all even permutations of such a set is a group of order n!/2 called an alternating group, and
it is often written as An.

Permutation groups are especially important, because every group of order n is isomorphic to
a subgroup of Sn. This is fairly easy to prove. Let a be an element of the group G. The function
T_a : G → G defined by T_a(x) = ax is called a translation of the group. It is easily shown to be a
permutation. The set of all such permutations is a group under composition, and the
association of a with T_a is an isomorphism.
Commutative Groups
If the group operation is commutative (ab = ba for every a and b in the group), then the group
is called a commutative group or an abelian group. The symbols for regular addition (which is
commutative) are often used for a commutative group:

    Regular group notation    Commutative group notation
    ab                        a + b
    e                         0
    a^-1                      -a
    a^n                       na
    ab^-1                     a - b
The integers are a commutative group under addition. The groups of order 1, 2, 3, 4 and 5
defined in the previous section are commutative. The smallest group which is not commutative
is S3, which has six elements.
Every cyclic group is commutative.

Theorem 4.1. If the orders of two elements of a commutative group are relatively prime, the order
of their product is the product of their orders.
Proof. Let a and b be two elements of a commutative group with relatively prime orders r and
s, respectively. Then the order of ab is the smallest positive integer m for which (ab)^m = e, or
equivalently a^m = b^-m.

Raise each side to the s-th power to obtain a^(ms) = b^(-ms) = (b^-s)^m = e^m = e. Hence r divides ms.

Since r and s are relatively prime, r divides m. Similarly, s divides m. Since r and s are relatively
prime, rs divides m. Since (ab)^(rs) = a^(rs) b^(rs) = ee = e, m divides rs, and hence m = rs.

Actually, it is not necessary that the entire group be commutative. It is sufficient that the two
elements commute with each other.
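An added example, not from the lecture notes, that makes the group results above concrete on the multiplicative group of units Z_n^* = {a in Z_n : gcd(a, n) = 1}, a finite commutative group: the subgroup generated by an element and its order (Theorem 2.1), Lagrange's theorem in the form of Corollary 2.3, whether the group is cyclic (Z_8^* is not, being a copy of C2 × C2, while Z_7^* is), and Theorem 4.1 on elements of coprime order. The function names are the example's own.

```python
# Added example (not from the lecture notes): the finite commutative group
# Z_n^* of units mod n, used to check Theorem 2.1, Corollary 2.3 (Lagrange),
# cyclicity, and Theorem 4.1.
from math import gcd


def units(n):
    """Elements of Z_n with a multiplicative inverse mod n; a commutative group."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def generated_subgroup(a, n):
    """<a> = {a^0, a^1, a^2, ...} mod n, as in Theorem 2.1 (a must be a unit)."""
    powers, x = [], 1
    while x not in powers:
        powers.append(x)
        x = (x * a) % n
    return powers


def element_order(a, n):
    """Smallest r > 0 with a^r = 1 mod n, i.e. the size of <a>."""
    return len(generated_subgroup(a, n))


def lagrange_holds(n):
    """Corollary 2.3: the order of every element divides |Z_n^*|."""
    g = units(n)
    return all(len(g) % element_order(a, n) == 0 for a in g)


def is_cyclic(n):
    """Z_n^* is cyclic iff some element generates the whole group."""
    g = units(n)
    return any(element_order(a, n) == len(g) for a in g)


def coprime_orders_multiply(a, b, n):
    """Theorem 4.1: ord(a), ord(b) coprime  =>  ord(ab) = ord(a) * ord(b)."""
    ra, rb = element_order(a, n), element_order(b, n)
    if gcd(ra, rb) != 1:
        raise ValueError("orders are not coprime; the theorem does not apply")
    return element_order((a * b) % n, n) == ra * rb


if __name__ == "__main__":
    print(units(7), [element_order(a, 7) for a in units(7)])   # [1..6] [1, 3, 6, 3, 6, 2]
    print(is_cyclic(7), is_cyclic(8))                          # True False
    print(coprime_orders_multiply(2, 6, 7))                    # ord 3 * ord 2 = ord 6: True
```

In Z_7^* the element 2 has order 3 and 6 (that is, -1) has order 2; their product 5 has order 6 and generates the whole group, exactly as Theorem 4.1 predicts.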

Rings
A ring is a set R and two binary operations, called addition and multiplication, with the following
properties:
The ring is a commutative group under addition.
Multiplication is associative:
a(bc) = (ab)c
Multiplication distributes over addition:
a(b+c) = ab + ac
(a+b)c = ac + bc

The properties of multiplication involving zero (the additive identity) and signed ring elements
are the same as those derived for the integers (which are a ring), and the proofs are the same,
but slightly more complicated because multiplication is not necessarily commutative:
0x = x0 = 0
(-x)y = x(-y) = -(xy)
(-x)(-y) = xy
A ring isomorphism between the rings R and S is a one-to-one correspondence f: R → S which
preserves the ring operations:
    f(x+y) = f(x) + f(y)
    f(xy) = f(x) f(y)
There are minor variations in the definition of a ring; what we have presented is the minimal
definition. Some authors require that a ring have a unit, which is an identity element for
multiplication; i.e. a number 1 such that 1a = a1 = a for every element a of the ring. Also, it is
often required that 0 ≠ 1, because a ring in which 0 = 1 is a trivial ring with only one element.

A commutative ring is a ring with commutative multiplication.

The integers are a commutative ring with a unit. The even integers are a commutative ring
without a unit. The set ZM, previously defined as the integers {0, 1, ..., M-1}, where addition
and multiplication are modulo M, is a commutative ring with a unit. We shall see some
noncommutative rings later.

A left ideal of a ring is a nonempty subset closed under subtraction and left multiplication by
any ring element; i.e. if x and y are in the ideal and a is any ring element, then x-y and ax are in
the ideal. Similarly, a right ideal of a ring is a nonempty subset closed under subtraction and
right multiplication by any ring element; i.e. if x and y are in the ideal and a is any ring element,
then x-y and xa are in the ideal. An ideal is a set that is both a left ideal and a right ideal.
Obviously, in a commutative ring there are no differences among the three kinds of ideals.
Although an ideal is required to be closed only under subtraction, it is easy to show that it is
also closed under addition. If x and y are in the ideal, then 0 is in the ideal because it is equal to
x-x, -y is in the ideal because it is equal to 0-y, and x+y is in the ideal because it is equal to x-(-
y).

Ring theory is a well-developed branch of mathematics, but we need only these basic concepts.
We will deal mainly with rings that have additional properties.

Integral Domains
An integral domain is a commutative ring with unit (and 0 ≠ 1) in which there are no zero
divisors; i.e., xy = 0 implies that x = 0 or y = 0 (or both).

The integers are an integral domain; this is the reason for the name. The set ZM, previously
defined as the integers {0, 1, ..., M-1}, where addition and multiplication are modulo M, is an
integral domain if M is prime.

Since an integral domain is a group under addition, the order of a nonzero element a is the
smallest positive value of n, if any, such that na = 0 (where na = a+a+a+...+a (n times)). Every
nonzero element has the same order as 1 because na = (n1)a = 0 only when n1 = 0.

The order must be prime. If it could be factored as n = ab, then 1+1+...+1 (a times) and 1+1+...+1
(b times) would be two nonzero elements whose product would be zero.

The order of any nonzero element of an integral domain is often called the characteristic of the
integral domain, especially when the integral domain is also a field.
Fields
An integral domain is a field if every nonzero element x has a reciprocal x^-1 such that
x x^-1 = x^-1 x = 1. Notice that the reciprocal is just the inverse under multiplication; therefore,
the nonzero elements of a field are a commutative group under multiplication. The real
numbers are one familiar field, and the ring Zp is a field if p is prime. In fact, it is fairly
easy to prove that any finite integral domain is a field.

Division in a field is defined in the usual way:

    x / y = x y^-1, where the denominator y must be nonzero.

From this definition and the properties of fields, we can derive the usual rules for
operations on fractions:
    a/b = c/d if, and only if, ad = bc
    a/b + c/d = (ad + bc) / (bd)
    (a/b)(c/d) = (ac) / (bd)
    (a/b)^-1 = b/a
    (-a)/b = a/(-b) = -(a/b)
    0/a = 0
    a/1 = a
A subfield of a field is a subset which is a field under the same addition and
multiplication operations.

Figure 3.1 Group, Ring & Fields

Modular Arithmetic
Many complex cryptographic algorithms are actually based on fairly simple modular arithmetic.
In modular arithmetic, the numbers we are dealing with are just integers and the operations
used are addition, subtraction, multiplication and division. The only difference between
modular arithmetic and the arithmetic you learned in your primary school is that in modular
arithmetic all operations are performed regarding a positive integer, i.e. the modulus.

Before going into modular arithmetic, let's review some basic concepts. The division theorem
tells us that for two integers a and b where b ≠ 0, there always exist unique integers q and r
such that a = qb + r and 0 ≤ r < |b|. For example, for a = 17, b = 3, we can find q = 5 and r = 2 so that
17 = 3*5 + 2. a is called the dividend, b is called the divisor, q is called the quotient and r is called
the remainder. If r = 0, then we say b divides a or a is divisible by b. This establishes a natural
congruence relation on the integers. For a positive integer n, two integers a and b are said to
be congruent modulo n (or a is congruent to b modulo n) if a and b have the same remainder
when divided by n (or equivalently if a - b is divisible by n). It can be expressed as a ≡ b (mod n).
n is called the modulus. For example:
    Two odd numbers are congruent modulo 2 because all odd numbers can be written as
    2k + 1;
    Two even numbers are congruent modulo 2 because all even numbers can be written
    as 2k + 0;
    38 ≡ 23 (mod 15) because 38 = 15*2 + 8 and 23 = 15 + 8;
    -1 ≡ 1 (mod 2) because -1 = -1*2 + 1 and 1 = 0*2 + 1;
    8 ≡ 3 (mod 5) because 8 = 5 + 3 and 3 = 0*5 + 3;
    -8 ≡ 2 (mod 5) because -8 = -2*5 + 2 and 2 = 0*5 + 2;
    8 ≢ -8 (mod 5) because 8 = 5 + 3 and -8 = -2*5 + 2. The remainders 3 and 2 are not the
    same.

You need to be careful with negative numbers. They are usually not congruent to their positive
counterparts, as you can see in the above examples. Congruence is an equivalence relation: if
a and b are congruent modulo n, then there is no difference between them in modular arithmetic
under modulus n. Because of this, in modulo-n arithmetic we usually use only the n numbers
0, 1, 2, ..., n-1. All the other numbers are congruent to one of these n numbers.
So how do we perform arithmetic operations with a modulus? For addition, subtraction and
multiplication, it is quite simple: calculate as in ordinary arithmetic and reduce the result to the
smallest non-negative remainder on division by the modulus. For example:
    12 + 9 = 21 ≡ 1 (mod 5)
    12 - 9 = 3 ≡ 3 (mod 5)
    12 + 3 = 15 ≡ 0 (mod 5)
    15 - 23 = -8 ≡ 2 (mod 5)
    35 * 7 = 245 ≡ 0 (mod 5)
    -47 * (5 + 1) = -282 ≡ 3 (mod 5)
    37^3 = 50653 ≡ 3 (mod 5) (exponentiation is just a shorthand for repeated multiplication)

Sometimes the calculation can be simplified because for any integers a1, b1, a2 and b2, if we know
that a1 ≡ b1 (mod n) and a2 ≡ b2 (mod n) then the following always holds:
    a1 + a2 ≡ b1 + b2 (mod n)
    a1 - a2 ≡ b1 - b2 (mod n)
    a1 * a2 ≡ b1 * b2 (mod n)

For example, 35 ≡ 0 (mod 5), therefore 35*7 ≡ 0*7 ≡ 0 (mod 5). Also 37 ≡ 2 (mod 5), so 37^3 ≡ 2^3 = 8
≡ 3 (mod 5).

But for division, it is not so simple because division is not defined for every number. That means
that it is not always possible to perform division in modular arithmetic. First of all, as in ordinary
arithmetic, division by zero is not defined so 0 cannot be the divisor. The tricky bit is that the
multiples of the modulus are congruent to 0. For example, 6, -6, 12, -12, ... are all congruent to
0 when the modulus is 6. So not only 4/0 is not allowed, 4/12 is also not allowed when the
modulus is 6. Secondly, going back to the very basics: what does "division" mean in ordinary
arithmetic? When we say 12 divided by 4 equals 3, we mean that there is a number 3 such that
3*4 = 12. So division is defined through multiplication. But you run into problems extending
this to modular arithmetic. let's have a look at the following table:

Table: Multiplication modulo 6


* 1 2 3 4 5
1 1 2 3 4 5
2 2 4 0 2 4
3 3 0 3 0 3
4 4 2 0 4 2
5 5 4 3 2 1

Suppose you are working mod 6 and want to compute 4/5. As we said before, you actually
need to find x such that 5*x ≡ 4 (mod 6). From the above table, we can find that 2, and only 2,
satisfies this equation. That means 4/5 ≡ 2 (mod 6).
Now suppose you want to compute 4/2 ≡ ? (mod 6).
It seems easy because 2*2 ≡ 4 (mod 6).
However, there is another possibility: 2*5 ≡ 4 (mod 6).

This time division is not uniquely defined, because there are two numbers that can be multiplied by
2 to give 4. In such cases, division is not allowed.

Then when is modular division defined? When the multiplicative inverse (or just inverse) of the
divisor exists.
The inverse of an integer a under modulus n is an integer b such that a*b ≡ 1 (mod n). An integer
can have either one inverse (modulo n) or none. The inverse of a can be another integer or a itself. In the
above table, we can see that 1 has an inverse, which is itself, and 5 also has an inverse, which is
also itself. But 2, 3 and 4 do not have inverses. Whether an integer has an inverse or not
depends on the integer itself and also on the modulus.

Table: Multiplication modulo 5


* 1 2 3 4
1 1 2 3 4
2 2 4 1 3
3 3 1 4 2
4 4 3 2 1

You can see that when the modulus is 6, 2 has no inverse. But when the modulus is 5, the
inverse of 2 is 3. The rule is that the inverse of an integer a exists iff a and the modulus n are
coprime. That is, the only positive integer which divides both a and n is 1. In particular, when n
is prime, then every integer except 0 and the multiples of n is coprime to n, so every number
except 0 has a corresponding inverse under modulo n. Sometimes it is easy to determine
whether two integers are coprime. But most of the time it is not easy. For example, are 357
and 63 coprime? You may not be able to answer immediately. Fortunately, we can use the

Euclidean algorithm to find out. The Euclidean algorithm describes how to find what is called
the greatest common divisor (gcd) of two positive integers. Of course, if the gcd of two integers
is 1, they are coprime. Let me show you by an example.

We start with two positive integers 357 and 63. The first step of the Euclidean algorithm is to
divide the bigger integer by the smaller one, so we have:
357 ÷ 63, quotient = 5, remainder = 42
Then divide the divisor of the last step by the remainder:
63 ÷ 42, quotient = 1, remainder = 21
Continue to divide the previous divisors by the remainders, until the remainder is 0:
42 ÷ 21, quotient = 2, remainder = 0

The divisor in the last step is the gcd of the two input integers.

To see why the algorithm works, we follow the division steps backwards. From the last step, we
know that 21 divides 42. In the step before, we have 63 = 1*42 +21. Because 21 divides both
42 and 21, it must also divide 63. In the first step, we have 357 = 5*63 +42, again 21 divides
both 63 and 42 so it must also divide 357. Since 21 divides both 63 and 357, it is indeed a
common divisor of those two integers. Now we need to prove that it is the greatest. The proof
is based on a theorem which says:
For any non-negative integers a and b, and any integers x and y, c = x*a + y*b must be
a multiple of the gcd of a and b.
What we want to show is that 21 = x*357 + y*63 for some x and y. If this is true, then 21 must
be the gcd. Now let's start:
From step 1, we have 357 - 5*63 = 42
From step 2, we have 63 - 42 = 21
Substituting 357 - 5*63 for 42, we have 21 = 63 - (357 - 5*63) = -1*357 + 6*63

So the Euclidean algorithm indeed outputs the gcd. If the gcd is 1, we can conclude a and b are
coprime.
Knowing that an integer a and a modulus n are coprime is not enough. How can we find the
multiplicative inverse of a? Well, since the gcd of a and n is 1, we know we can find a pair (x, y)
such that 1 = x*a + y*n. Then x*a = -y*n + 1. That means x*a ≡ 1 mod n; in other words, x is the
multiplicative inverse of a under modulo n. This can be done by running an extended version
of the Euclidean algorithm which tracks x while computing the gcd. In the extended Euclidean
algorithm, we first initialize x1 = 0 and x2 = 1, then in the following steps compute
x_i = x_{i-2} - x_{i-1}*q_{i-2}, where q_{i-2} is the quotient computed in step i-2. When the
remainder becomes 0, continue the calculation of x for one more round. The final x is the
inverse. Here is an example that shows how to find the inverse of 15 when the modulus is 26:
step 1: 26 ÷ 15, quotient q1 = 1, remainder = 11, x1 = 0
step 2: 15 ÷ 11, quotient q2 = 1, remainder = 4, x2 = 1
step 3: 11 ÷ 4, quotient q3 = 2, remainder = 3, x3 = x1 - x2*q1 = 0 - 1*1 = -1
step 4: 4 ÷ 3, quotient q4 = 1, remainder = 1, x4 = x2 - x3*q2 = 1 - (-1)*1 = 2
step 5: 3 ÷ 1, quotient q5 = 3, remainder = 0, x5 = x3 - x4*q3 = -1 - 2*2 = -5
step 6: x6 = x4 - x5*q4 = 2 - (-5)*1 = 7

To verify, 15*7 = 105 = 4*26 + 1, so 15*7 ≡ 1 mod 26, which means 7 is the multiplicative inverse
of 15 under modulo 26.
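The extended Euclidean algorithm described above, carried out in code. This is an added example and is not part of the original notes. The running coefficient pair (old_x, x) plays the role of the x_i sequence in the worked example; the functions reproduce the values from the text: 357 and 63 have gcd 21 = -1*357 + 6*63, the inverse of 15 modulo 26 is 7, and 4/5 modulo 6 is defined (it is 2) while 4/2 modulo 6 is not.

```python
from typing import Optional


def egcd(a: int, b: int) -> tuple:
    """Extended Euclidean algorithm: returns (g, x, y) with g = gcd(a, b) and x*a + y*b == g.

    At every step the invariants old_x*a + old_y*b == old_r and x*a + y*b == r hold,
    so when the remainder r reaches 0, old_r is the gcd and (old_x, old_y) its coefficients.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r                      # quotient of this division step
        old_r, r = r, old_r - q * r         # remainder chain, as in Euclid's algorithm
        old_x, x = x, old_x - q * x         # coefficient of a, updated like x_i = x_{i-2} - x_{i-1}*q
        old_y, y = y, old_y - q * y         # coefficient of b
    return old_r, old_x, old_y


def modinv(a: int, n: int) -> Optional[int]:
    """Multiplicative inverse of a modulo n, or None when gcd(a, n) != 1 (no inverse exists)."""
    g, x, _ = egcd(a % n, n)
    return x % n if g == 1 else None


def mod_divide(a: int, b: int, n: int) -> Optional[int]:
    """a / b modulo n, defined only when b has an inverse modulo n."""
    inv = modinv(b, n)
    return (a * inv) % n if inv is not None else None


def inverse_table(n: int) -> dict:
    """Which residues 1..n-1 have inverses modulo n (None marks 'no inverse')."""
    return {a: modinv(a, n) for a in range(1, n)}
```

Note that modinv reduces a modulo n first, so it also works for negative or oversized inputs; the table for n = 6 shows only 1 and 5 have inverses, exactly as the multiplication table above indicates.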


Prime & Co-primes


A prime number (or a prime) is a natural number greater than 1 that has no positive divisors
other than 1 and itself. A natural number greater than 1 that is not a prime number is called a
composite number. For example, 5 is prime because 1 and 5 are its only positive integer factors,
whereas 6 is composite because it has the divisors 2 and 3 in addition to 1 and 6. The
fundamental theorem of arithmetic establishes the central role of primes in number theory:
any integer greater than 1 is either a prime itself or can be expressed as a product of primes
that is unique up to ordering. The uniqueness in this theorem requires excluding 1 as a prime
because one can include arbitrarily many instances of 1 in any factorization, e.g., 3, 1*3, 1*1*3,
etc. are all valid factorizations of 3.

The property of being prime is called primality. A simple but slow method of verifying the
primality of a given number n is known as trial division. It consists of testing whether n is a
multiple of any integer between 2 and √n. Algorithms much more efficient than trial division
have been devised to test the primality of large numbers. As of January 2016, the largest known
prime number has 22,338,618 decimal digits.

In number theory, two integers a and b are said to be relatively prime, mutually prime, or
coprime (also spelled co-prime) if the only positive integer that divides both of them is 1. That
is, the only common positive factor of the two numbers is 1. This is equivalent to their greatest
common divisor being 1. The numerator and denominator of a reduced fraction are coprime.
In addition to gcd(a, b) = 1 and (a, b) = 1, the notation a ⊥ b is sometimes used to indicate that a
and b are relatively prime.

For example, 14 and 15 are coprime, being commonly divisible by only 1, but 14 and 21 are not,
because they are both divisible by 7. The numbers 1 and -1 are the only integers coprime to
every integer, and they are the only integers to be coprime with 0.

A fast way to determine whether two numbers are coprime is given by the Euclidean algorithm.
The number of integers coprime to a positive integer n, between 1 and n, is given by Euler's
totient function (or Euler's phi function) φ(n).

A set of integers can also be called coprime if its elements share no common positive factor
except 1. A set of integers is said to be pairwise coprime if a and b are coprime for every pair
(a, b) of different integers in it.

Congruence
Let n be a positive integer. We say two integers are "congruent modulo n" if they differ by an
integral multiple of the integer n. For example, if n = 5 we can say that 3 is congruent to 23
modulo 5 (and write it as 3 ≡ 23 modulo 5) since the integers 3 and 23 differ by 4x5 = 20. The
statement a ≡ b (mod n) is equivalent to the statement a - b is divisible by n or the statement
there is an integer k for which a - b = kn. The integer n is called the modulus of the congruence.

An alternate definition: a ≡ b (mod n) if and only if a and b have the same remainder when divided
by n.

The modular arithmetic concept occurs in everyday life in telling time. Clocks go up to 12 and
then start over, thus giving time modulo 12. The congruence relation a ≡ b (mod n) creates a
set of equivalence classes on the set of integers in which two integers are in the same class if
they are congruent modulo n, i.e. if they leave the same remainder when divided by n.


Residue classes
Residue classes of integers mod n. The congruence relation a ≡ b (mod n) on the set of integers
I separates the integers into n equivalence classes,
[0]n, [1]n, [2]n, ... , [n-1]n,
called residue classes modulo n. Each equivalence class [r]n consists of all integers congruent to
r, where r is one of the integers 0, 1, 2, ..., n-1. These n integers 0, 1, 2, ..., n-1 are called the class
representatives. Thus the equivalence class [3]n consists of all integers congruent to 3 mod n, where
the integer 3 is the class representative.

Example. The residue classes of integers mod 4 are:


[0]4 = { ... , -16, -12, -8, -4, 0, 4, 8, 12, 16, ... }
[1]4 = { ... , -15, -11, -7, -3, 1, 5, 9, 13, 17, ... }
[2]4 = { ... , -14, -10, -6, -2, 2, 6, 10,14, 18, ... }
[3]4 = { ... , -13, -9, -5, -1, 3, 7, 11, 15, 19, ... }

I/(n), the set of all residue classes mod n. We denote the set of all residue classes modulo n by
I/(n). For example,
I/(4) = { [0]4, [1]4, [2]4, [3]4 }
and
I/(n) = { [0]n, [1]n, [2]n, ... , [n-1]n }

Prime Residue Class


Let m be a positive integer. There are m residue classes a + mℤ modulo m. Those of them which
have
gcd(a, m) = 1
are called the prime residue classes or prime classes modulo m, and they form an Abelian group
with respect to the multiplication
(a + mℤ)(b + mℤ) := ab + mℤ

This group is called the residue class group modulo m. Its order is φ(m), where φ means Euler's
totient function. For example, the prime classes modulo 8 (i.e. 1 + 8ℤ, 3 + 8ℤ, 5 + 8ℤ, 7 + 8ℤ) form
a group isomorphic to the Klein 4-group.

The prime classes are the units of the residue class ring ℤ/mℤ = ℤ_m consisting of all residue
classes modulo m.
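The congruence, residue class and prime residue class definitions above, checked in code. This is an added example, not part of the notes. It enumerates a residue class inside a window of integers (the class itself is infinite), lists the units modulo m, computes φ(m) by counting them, verifies that the units are closed under multiplication, and tests the Klein 4-group claim for m = 8: every unit squares to 1.

```python
from math import gcd


def congruent(a: int, b: int, n: int) -> bool:
    """a ≡ b (mod n): the difference is an integral multiple of n."""
    return (a - b) % n == 0


def residue_class(r: int, n: int, lo: int, hi: int) -> list:
    """Members of [r]_n lying in the window lo..hi (the class itself is infinite)."""
    return [k for k in range(lo, hi + 1) if congruent(k, r, n)]


def units(m: int) -> list:
    """Representatives of the prime residue classes modulo m, i.e. the a in 1..m-1 with gcd(a, m) = 1."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def phi(m: int) -> int:
    """Euler's totient: the order of the prime residue class group modulo m."""
    return len(units(m))


def is_closed_under_multiplication(m: int) -> bool:
    """Products of units are units again (the group property the text states)."""
    us = set(units(m))
    return all((a * b) % m in us for a in us for b in us)


def element_order(a: int, m: int) -> int:
    """Smallest k >= 1 with a^k ≡ 1 (mod m); requires gcd(a, m) = 1 and m > 1."""
    k, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        k += 1
    return k


def is_klein_four_group(m: int) -> bool:
    """The unit group is the Klein 4-group iff it has 4 elements and every element squares to 1."""
    us = units(m)
    return len(us) == 4 and all((a * a) % m == 1 for a in us)
```

For m = 5 the unit group has four elements too, but 2 has order 4 there, so it is cyclic rather than the Klein 4-group; the element orders distinguish the two cases.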

Primality Test
Fermat's Little Theorem
According to Fermat's Little Theorem, if p is a prime number and a is a positive integer less
than p, then
a^p ≡ a (mod p) or
a^(p-1) ≡ 1 (mod p)

If p is the number which we want to test for primality, then we could randomly choose a, such
that a < p, and then calculate (a^(p-1)) % p. If the result is not 1, then by Fermat's Little Theorem p
cannot be prime. What if that is not the case? We can choose another a and then do the same
test again. We could stop after some number of iterations and if the result is always 1 in each
of them, then we can state with very high probability that p is prime. The more iterations we
do, the higher is the probability that our result is correct. You can notice that if the method
returns composite, then the number is sure to be composite; otherwise it will be probably
prime.

Miller-Rabin Primality Test


The Miller-Rabin primality test or Rabin-Miller primality test is a primality test: an algorithm
which determines whether a given number is prime, similar to the Fermat primality test and
the Solovay-Strassen primality test.

If p is prime and x^2 ≡ 1 (mod p), then x ≡ +1 or -1 (mod p). We could prove this as follows:
x^2 ≡ 1 (mod p)
x^2 - 1 ≡ 0 (mod p)
(x-1)(x+1) ≡ 0 (mod p)

Now if p divides neither (x-1) nor (x+1) but divides their product, then it cannot be a
prime, which is a contradiction. Hence, p will either divide (x-1) or it will divide (x+1), so x ≡ +1
or -1 (mod p).
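The Fermat test from the previous section and the Miller-Rabin test built on the square-root lemma just proved, as an added example (not code from the notes). A single Miller-Rabin round writes p-1 = 2^s*d with d odd and squares a^d repeatedly: if the sequence ever reaches 1 without passing through -1, a nontrivial square root of 1 has been found and p is composite. The check runs both tests on 561 = 3*11*17, a constructed Carmichael example: every base coprime to 561 fools the Fermat test, while base 2 already exposes it under Miller-Rabin.

```python
import random


def fermat_passes(n: int, a: int) -> bool:
    """One round of the Fermat test: does a^(n-1) ≡ 1 (mod n) hold for this base a?"""
    return pow(a, n - 1, n) == 1


def miller_rabin_passes(n: int, a: int) -> bool:
    """One round of Miller-Rabin for odd n > 3 with base 2 <= a <= n-2.

    Write n-1 = 2^s * d with d odd and look at a^d, a^(2d), ..., a^(2^(s-1) d).
    For prime n the sequence can reach 1 only through -1 (the lemma above);
    any other square root of 1 proves n composite.
    """
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = (x * x) % n
        if x == n - 1:
            return True          # reached -1, so the final square is a legitimate 1
        if x == 1:
            return False         # nontrivial square root of 1: n is composite
    return False                 # a^(n-1) != 1, so even the Fermat test fails


def is_probable_prime(n: int, rounds: int = 20, bases=None) -> bool:
    """Miller-Rabin with random bases (or the given ones, folded into the range 2..n-2)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    if bases is None:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    return all(miller_rabin_passes(n, 2 + a % (n - 3)) for a in bases)


def count_liars(n: int, single_round) -> int:
    """Bases in 2..n-2 that pass one round of the given test although n is composite."""
    return sum(1 for a in range(2, n - 1) if single_round(n, a))
```

For 561 the Fermat test is fooled by all 318 bases in 2..559 that are coprime to it (φ(561) = 320 minus the trivial bases 1 and 560), so repeating it with more random bases never helps; Miller-Rabin strong liars are bounded by φ(n)/4 for any odd composite, which is why the random-base loop converges on the right answer.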

Recall that the Greatest Common Divisor (GCD) of two integers A and B is the largest integer
that divides both A and B.

Euclidean Algorithm
The Euclidean Algorithm is a technique for quickly finding the GCD of two integers.

The Euclidean Algorithm for finding gcd(a,b) is as follows:


If a = 0 then gcd(a, b)=b, since the gcd(0, b)=b, and we can stop.
If b = 0 then gcd(a, b)=a, since the gcd(a, 0)=a, and we can stop.
Write a in quotient remainder form (a = b q + r)
Find gcd(b, r) using the Euclidean Algorithm since gcd(a, b) = gcd(b, r)

Example:
Find the GCD of 270 and 192
a = 270, b = 192
a ≠ 0, b ≠ 0
Use long division to find that 270/192 = 1 with a remainder of 78.
We can write this as: 270 = 192 * 1 + 78
Find gcd(192, 78), since gcd(270, 192) = gcd(192, 78)
Now, a = 192, b = 78
a ≠ 0, b ≠ 0
Use long division to find that 192/78 = 2 with a remainder of 36.
We can write this as: 192 = 78 * 2 + 36
Find gcd(78, 36), since gcd(192, 78) = gcd(78, 36)
Again, a = 78, b = 36
a ≠ 0, b ≠ 0
Use long division to find that 78/36 = 2 with a remainder of 6.
We can write this as: 78 = 36 * 2 + 6
Find gcd(36, 6), since gcd(78, 36) = gcd(36, 6)
Again, a = 36, b = 6
a ≠ 0, b ≠ 0
Use long division to find that 36/6 = 6 with a remainder of 0.
We can write this as: 36 = 6 * 6 + 0
Find gcd(6, 0), since gcd(36, 6) = gcd(6, 0)
a = 6, b = 0
a ≠ 0, b = 0
gcd(6, 0) = 6
So, we have shown:
gcd(270, 192) = gcd(192, 78) = gcd(78, 36) = gcd(36, 6) = gcd(6, 0) = 6
gcd(270, 192) = 6

The algorithm is based on the following two observations:


1. If b|a then gcd(a, b) = b.
This is indeed so because no number (b, in particular) may have a divisor greater than
the number itself.
2. If a = bt + r, for integers t and r, then gcd(a, b) = gcd(b, r).
Indeed, every common divisor of a and b also divides r. Thus gcd(a, b) divides r. But,
of course, gcd(a, b)|b. Therefore, gcd(a, b) is a common divisor of b and r and
hence gcd(a, b) ≤ gcd(b, r). The reverse is also true because every divisor of b and r
also divides a.

Example
Let a = 2322, b = 654.
2322 = 654*3 + 360    gcd(2322, 654) = gcd(654, 360)
654 = 360*1 + 294     gcd(654, 360) = gcd(360, 294)
360 = 294*1 + 66      gcd(360, 294) = gcd(294, 66)
294 = 66*4 + 30       gcd(294, 66) = gcd(66, 30)
66 = 30*2 + 6         gcd(66, 30) = gcd(30, 6)
30 = 6*5              gcd(30, 6) = 6
Therefore, gcd(2322, 654) = 6.
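The Euclidean algorithm as a step trace, added here as an example that is not part of the notes. euclid_trace records each division step (dividend, divisor, quotient, remainder) so the chain of equalities gcd(a, b) = gcd(b, r) from observation 2 can be printed in the style of the worked examples; the two coprime-set predicates illustrate the distinction drawn in the Prime & Co-primes section, using the constructed set {6, 10, 15}, which is coprime as a set but not pairwise coprime.

```python
from functools import reduce
from math import gcd


def euclid_trace(a: int, b: int) -> tuple:
    """gcd(a, b) together with the division steps (dividend, divisor, quotient, remainder)."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r                    # gcd(a, b) = gcd(b, r), observation 2 above
    return a, steps                    # observation 1: when b = 0 the answer is a


def format_trace(a: int, b: int) -> list:
    """Lines in the style of the worked example, e.g. '2322 = 654*3 + 360  gcd(2322, 654) = gcd(654, 360)'."""
    g, steps = euclid_trace(a, b)
    lines = [f"{x} = {y}*{q} + {r}  gcd({x}, {y}) = gcd({y}, {r})" for x, y, q, r in steps]
    lines.append(f"gcd({a}, {b}) = {g}")
    return lines


def is_coprime_set(nums) -> bool:
    """The set shares no common positive factor except 1: the gcd of all elements is 1."""
    return reduce(gcd, nums) == 1


def is_pairwise_coprime(nums) -> bool:
    """Every pair of distinct elements is coprime, a strictly stronger property."""
    nums = list(nums)
    return all(gcd(nums[i], nums[j]) == 1
               for i in range(len(nums)) for j in range(i + 1, len(nums)))
```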


CHAPTER 4: Modern Symmetric Ciphers


Digital data is represented as strings of binary digits (bits), unlike alphabets. Modern
cryptosystems need to process such a binary string to convert it into another binary string. Based
on how these binary strings are processed, symmetric encryption schemes can be classified
into:
a) Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time;
i.e. a block of plaintext bits is selected, a series of operations is performed on this block
to generate a block of ciphertext bits. The number of bits in a block is fixed. For
example, the schemes DES and AES have block sizes of 64 and 128, respectively.
b) Stream Ciphers
In this scheme, the plaintext is processed one bit at a time i.e. one bit of plaintext is
taken, and a series of operations is performed on it to generate one bit of ciphertext.
Technically, stream ciphers are block ciphers with a block size of one bit.

The basic scheme of a block cipher is depicted as follows:

A block cipher takes a block of plaintext bits and generates a block of ciphertext bits, generally
of the same size. The size of the block is fixed in the given scheme. The choice of block size does not
directly affect the strength of the encryption scheme. The strength of the cipher depends upon the
key length.

Block Size
Though any size of block is acceptable, the following aspects are borne in mind while selecting
the size of a block.
Avoid very small block size: Say a block size is m bits. Then the possible plaintext
bit combinations are 2^m. If the attacker discovers the plaintext blocks
corresponding to some previously sent ciphertext blocks, then the attacker can
launch a type of dictionary attack by building up a dictionary of
plaintext/ciphertext pairs sent using that encryption key. A larger block size makes the
attack harder as the dictionary needs to be larger.
Do not have very large block size: With a very large block size, the cipher becomes
inefficient to operate. Such plaintexts will need to be padded before being
encrypted.
Multiples of 8 bits: A preferred block size is a multiple of 8, as it is easy to
implement since most computer processors handle data in multiples of 8 bits.

Padding in Block Cipher


Block ciphers process blocks of a fixed size (say 64 bits). The length of a plaintext is mostly not a
multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each
with a third block of the remaining 22 bits. The last block of bits needs to be padded up with redundant
information so that the length of the final block is equal to the block size of the scheme. In our
example, the remaining 22 bits need to have an additional 42 redundant bits added to provide a
complete block. The process of adding bits to the last block is referred to as padding.


Too much padding makes the system inefficient. Also, padding may render the system insecure
at times, if the padding is done with same bits always.

Block Cipher Schemes


There is a vast number of block cipher schemes that are in use. Many of them are publicly
known. The most popular and prominent block ciphers are listed below.
Data Encryption Standard (DES): The popular block cipher of the 1990s. It is now
considered a broken block cipher, due primarily to its small key size.
Triple DES: It is a variant scheme based on repeated DES applications. It is still a
respected block cipher but inefficient compared to the new faster block ciphers
available.
Advanced Encryption Standard (AES): It is a relatively new block cipher based on
the encryption algorithm Rijndael that won the AES design competition.
IDEA: It is a sufficiently strong block cipher with a block size of 64 bits and a key size of
128 bits. A number of applications use IDEA encryption, including early versions of the
Pretty Good Privacy (PGP) protocol. The use of the IDEA scheme has restricted
adoption due to patent issues.
Twofish: This block cipher scheme uses a block size of 128 bits and a key of
variable length. It was one of the AES finalists. It is based on the earlier block cipher
Blowfish, which has a block size of 64 bits.
Serpent: A block cipher with a block size of 128 bits and key lengths of 128, 192,
or 256 bits, which was also an AES competition finalist. It is slower but has a more
secure design than other block ciphers.

Block Cipher Modes of Operation


A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger
than the block size. Hence, the long message is divided into a series of sequential message
blocks, and the cipher operates on these blocks one at a time.

Electronic Code Book (ECB) Mode


This mode is the most straightforward way of processing a series of sequentially listed message
blocks.
Operation
The user takes the first block of plaintext and encrypts it with the key to produce the
first block of ciphertext.
He then takes the second block of plaintext and follows the same process with the same
key, and so on.

The ECB mode is deterministic, that is, if plaintext blocks P1, P2, ..., Pm are encrypted twice
under the same key, the output ciphertext blocks will be the same. In fact, for a given key
we can technically create a codebook of ciphertexts for all possible plaintext blocks.
Encryption would then entail only looking up the required plaintext and selecting the
corresponding ciphertext. Thus, the operation is analogous to the assignment of code words
in a codebook, and hence gets the official name Electronic Codebook mode of operation
(ECB). It is illustrated as follows:


Analysis of ECB Mode


In reality, any application data usually has partial information which can be guessed. For
example, the range of a salary can be guessed. A ciphertext from ECB can allow an attacker to
guess the plaintext by trial-and-error if the plaintext message is within a predictable range. For
example, if a ciphertext from the ECB mode is known to encrypt a salary figure, then a small
number of trials will allow an attacker to recover the figure. In general, we do not wish to use
a deterministic cipher, and hence the ECB mode should not be used in most applications.

Cipher Block Chaining (CBC) Mode


CBC mode of operation provides message dependence for generating ciphertext and makes
the system non-deterministic.
Operation
The operation of CBC mode is depicted in the following illustration. The steps are as follows:
Load the n-bit Initialization Vector (IV) in the top register.
XOR the n-bit plaintext block with the data value in the top register.
Encrypt the result of the XOR operation with the underlying block cipher with key K.
Feed the ciphertext block into the top register and continue the operation till all plaintext
blocks are processed.
For decryption, the IV data is XORed with the first decrypted ciphertext block. The first
ciphertext block is also fed into the register, replacing the IV, for decrypting the next ciphertext
block.

Analysis of CBC Mode


In CBC mode, the current plaintext block is added (XORed) to the previous ciphertext block, and then
the result is encrypted with the key. Decryption is thus the reverse process, which involves
decrypting the current ciphertext and then adding the previous ciphertext block to the result.
The advantage of CBC over ECB is that changing the IV results in different ciphertext for an identical
message. On the drawback side, an error in transmission gets propagated to a few further blocks
during decryption due to the chaining effect. It is worth mentioning that CBC mode forms the basis
for a well-known data origin authentication mechanism. Thus, it has an advantage for those
applications that require both symmetric encryption and data origin authentication.

Cipher Feedback (CFB) Mode


In this mode, each ciphertext block gets fed back into the encryption process in order to
encrypt the next plaintext block.


Operation
The operation of CFB mode is depicted in the following illustration. For example, in the present
system, a message block has a size of s bits where 1 < s < n. The CFB mode requires an
initialization vector (IV) as the initial random n-bit input block. The IV need not be secret. The steps
of operation are:
Load the IV in the top register.
Encrypt the data value in the top register with the underlying block cipher with key K.
Take only the s most significant bits (left bits) of the output of the encryption process
and XOR them with the s-bit plaintext message block to generate the ciphertext block.
Feed the ciphertext block into the top register by shifting the already present data to the left and
continue the operation till all plaintext blocks are processed.
Essentially, the previous ciphertext block is encrypted with the key, and then the result
is XORed with the current plaintext block.
Similar steps are followed for decryption. The pre-decided IV is initially loaded at the start
of decryption.

Analysis of CFB Mode


CFB mode differs significantly from ECB mode: the ciphertext corresponding to a given
plaintext block depends not just on that plaintext block and the key, but also on the previous
ciphertext block. In other words, the ciphertext block is dependent on the message. CFB has a very
strange feature. In this mode, the user decrypts the ciphertext using only the encryption process
of the block cipher. The decryption algorithm of the underlying block cipher is never used.
Apparently, CFB mode is converting a block cipher into a type of stream cipher. The encryption
algorithm is used as a key-stream generator to produce a key-stream that is placed in the bottom
register. This key stream is then XORed with the plaintext as in the case of a stream cipher. By
converting a block cipher into a stream cipher, CFB mode provides some of the advantageous
properties of a stream cipher while retaining the advantageous properties of a block cipher.
On the flip side, an error of transmission gets propagated due to the chaining of blocks.

Output Feedback (OFB) Mode


It involves feeding the successive output blocks from the underlying block cipher back to it.
These feedback blocks provide a string of bits to feed the encryption algorithm, which acts as
the key-stream generator as in the case of CFB mode. The key stream generated is XORed with
the plaintext blocks. The OFB mode requires an IV as the initial random n-bit input block. The
IV need not be secret. The operation is depicted in the illustration.


Counter (CTR) Mode


It can be considered as a counter-based version of CFB mode without the feedback. In this
mode, both the sender and receiver need access to a reliable counter, which computes a
new shared value each time a ciphertext block is exchanged. This shared counter is not
necessarily a secret value, but the challenge is that both sides must keep the counter synchronized.

Operation
Both encryption and decryption in CTR mode are depicted in the following illustration. The steps
in operation are:
Load the initial counter value in the top register; it is the same for both the sender and
the receiver. It plays the same role as the IV in CFB (and CBC) mode.
Encrypt the contents of the counter with the key and place the result in the bottom
register.
Take the first plaintext block P1 and XOR it with the contents of the bottom register.
The result of this is C1. Send C1 to the receiver and update the counter. The counter
update replaces the ciphertext feedback in CFB mode.
Continue in this manner until the last plaintext block has been encrypted.
The decryption is the reverse process. The ciphertext block is XORed with the output
of the encrypted counter value. After decryption of each ciphertext block, the
counter is updated as in the case of encryption.

Analysis of Counter Mode


It does not have message dependency, and hence a ciphertext block does not depend on the
previous plaintext blocks. Like CFB mode, CTR mode does not involve the decryption process
of the block cipher. This is because the CTR mode is really using the block cipher to generate a
key-stream, which is combined with the plaintext using the XOR function. In other words, CTR mode also
converts a block cipher to a stream cipher. The serious disadvantage of CTR mode is that it
requires a synchronized counter at sender and receiver. Loss of synchronization leads to
incorrect recovery of plaintext. However, CTR mode has almost all the advantages of CFB mode. In
addition, it does not propagate errors of transmission at all.
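The padding, ECB, CBC and CTR descriptions above, put into runnable form. This is an added example, not code from the notes: the block cipher inside it is a constructed 64-bit toy (XOR with the key, multiplication by an odd constant modulo 2^64, a bit rotation) that is invertible but has no security value and only stands in for DES or AES, and the key, IV and nonce are constructed sample values. The mode code is generic over that block function. The helpers at the end let you measure the error behaviour the analysis sections describe: a one-bit error in CBC ciphertext block C0 garbles P0 and flips exactly one bit of P1, while in CTR it flips only the corresponding plaintext bit.

```python
BLOCK = 8                                   # 64-bit blocks, like DES
MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15                    # odd, so multiplication by it is invertible mod 2^64
ODD_INV = pow(ODD, -1, 1 << 64)

# Constructed sample values for the demonstrations (not real key material).
DEMO_KEY = bytes.fromhex("0123456789abcdef")
DEMO_IV = bytes(BLOCK)
DEMO_NONCE = b"nonc"                        # 4 bytes; the other 4 bytes of the block are the counter


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed toy 64-bit block cipher (INSECURE): a stand-in for DES/AES in the mode code."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    x = (x * ODD) & MASK64
    x = ((x << 17) | (x >> 47)) & MASK64    # rotate left by 17
    return x.to_bytes(BLOCK, "big")


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    x = int.from_bytes(block, "big")
    x = ((x >> 17) | (x << 47)) & MASK64    # rotate right by 17
    x = (x * ODD_INV) & MASK64
    x ^= int.from_bytes(key, "big")
    return x.to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pkcs7_pad(data: bytes) -> bytes:
    """Always appends 1..BLOCK bytes, each holding the pad length, so removal is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in blocks(pkcs7_pad(pt)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    for b in blocks(pkcs7_pad(pt)):
        prev = toy_encrypt_block(key, xor(b, prev))   # C_i = E(P_i XOR C_{i-1}), C_{-1} = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """CBC decryption without padding removal, so corrupted ciphertext can be inspected."""
    prev, out = iv, []
    for b in blocks(ct):
        out.append(xor(toy_decrypt_block(key, b), prev))   # P_i = D(C_i) XOR C_{i-1}
        prev = b
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    return pkcs7_unpad(cbc_decrypt_raw(key, iv, ct))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream = E(nonce || counter); XOR is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        out += xor(b, toy_encrypt_block(key, nonce + i.to_bytes(4, "big")))
    return bytes(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a one-bit transmission error."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (7 - bit % 8)
    return bytes(buf)


def bit_errors_per_block(a: bytes, b: bytes) -> list:
    """Number of differing bits in each block position of two equal-length byte strings."""
    return [bin(int.from_bytes(xor(x, y), "big")).count("1")
            for x, y in zip(blocks(a), blocks(b))]
```

With a real block cipher the corrupted CBC block P0 would be completely garbled; the toy cipher only guarantees it differs. Note also that CTR needs no padding, since the last keystream block is simply truncated.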

Shannon Theory of Confusion and Diffusion


In Shannon's original definitions, confusion refers to making the relationship between
the key and the ciphertext as complex and involved as possible; diffusion refers to the property
that the redundancy in the statistics of the plaintext is "dissipated" in the statistics of
the ciphertext. In other words, the non-uniformity in the distribution of the individual letters
(and pairs of neighboring letters) in the plaintext should be redistributed into the non-
uniformity in the distribution of much larger structures of the ciphertext, which is much harder
to detect.


Diffusion means that the output bits should depend on the input bits in a very complex way. In
a cipher with good diffusion, if one bit of the plaintext is changed, then the ciphertext should
change completely, in an unpredictable or pseudorandom manner. In particular, for a
randomly chosen input, if one flips the i-th bit, then the probability that the j-th output bit will
change should be one half, for any i and j - this is termed the strict avalanche criterion. More
generally, one may require that flipping a fixed set of bits should change each output bit with
probability one half.

One aim of confusion is to make it very hard to find the key even if one has a large number of
plaintext-ciphertext pairs produced with the same key. Therefore, each bit of the ciphertext
should depend on the entire key, and in different ways on different bits of the key. In particular,
changing one bit of the key should change the ciphertext completely.

The simplest way to achieve both diffusion and confusion is a substitution-permutation
network. In these systems, the plaintext and the key often have a very similar role in producing
the output, hence it is the same mechanism that ensures both diffusion and confusion.

Feistel Cipher
Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many
different block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic
system based on the Feistel cipher structure uses the same algorithm for both encryption and
decryption.
Encryption Process
The encryption process uses the Feistel structure consisting of multiple rounds of processing of
the plaintext, each round consisting of a substitution step followed by a permutation step.
Feistel Structure is shown in the following illustration-

The input block to each round is divided into two halves that can be denoted as L
and R for the left half and the right half.
In each round, the right half of the block, R, goes through unchanged. But the left
half, L, goes through an operation that depends on R and the encryption key. First,
we apply an encrypting function f that takes two inputs: the key K and R. The
function produces the output f(R, K). Then, we XOR the output of the mathematical
function with L.


In a real implementation of the Feistel Cipher, such as DES, instead of using the
whole encryption key during each round, a round-dependent key (a subkey) is
derived from the encryption key. This means that each round uses a different key,
although all these subkeys are related to the original key.
The permutation step at the end of each round swaps the modified L and the
unmodified R. Therefore, the L for the next round would be the R of the current round,
and the R for the next round would be the output L of the current round.
The above substitution and permutation steps form a round. The number of rounds
is specified by the algorithm design.
Once the last round is completed, the two sub-blocks, R and L, are
concatenated in this order to form the ciphertext block.

The difficult part of designing a Feistel Cipher is the selection of the round function f. In order to be
an unbreakable scheme, this function needs to have several important properties that are beyond
the scope of our discussion.

Decryption Process
The process of decryption in a Feistel cipher is almost similar. Instead of starting with a block of
plaintext, the ciphertext block is fed into the start of the Feistel structure and then the process
thereafter is exactly the same as described in the given illustration. The process is said to be
almost similar and not exactly the same. In the case of decryption, the only difference is that the
subkeys used in encryption are used in the reverse order. The final swapping of L and R in the
last step of the Feistel Cipher is essential. If these are not swapped, then the resulting ciphertext
could not be decrypted using the same algorithm.

Number of Rounds
The number of rounds used in a Feistel Cipher depends on the desired security from the system.
More rounds provide a more secure system. But at the same time, more rounds mean
inefficient, slow encryption and decryption processes. The number of rounds in a system
thus depends upon the efficiency-security tradeoff.
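The Feistel structure described in this section, together with the avalanche criterion from the Shannon section, as an added example that is not code from the notes. The round function and key schedule are constructed placeholders built from SHA-256 (a real cipher such as DES uses S-boxes and a specific key schedule instead); the round function is deliberately non-invertible to show that the structure does not need it to be. The same feistel() routine decrypts when given the subkeys in reverse order, and avalanche() counts how many ciphertext bits change when one plaintext bit is flipped, which lets you watch diffusion build up with the number of rounds. The key and plaintext block are constructed sample values.

```python
import hashlib

HALF = 4                                    # bytes per half block: 64-bit blocks like DES

DEMO_KEY = b"constructed-key"               # constructed sample key, not real key material
DEMO_BLOCK = b"ATTACKAT"                    # one 64-bit plaintext block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right: bytes, subkey: bytes) -> bytes:
    """Constructed round function f(R, K): a hash truncated to one half, so it is not invertible."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def key_schedule(key: bytes, rounds: int) -> list:
    """Constructed key schedule: one subkey per round, all derived from the main key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]


def feistel(block: bytes, subkeys: list) -> bytes:
    """Run the Feistel structure with the given subkeys.

    Decryption is this same function with the subkeys reversed; undoing the final
    swap (returning R || L) is what makes that work.
    """
    L, R = block[:HALF], block[HALF:]
    for k in subkeys:
        L, R = R, xor(L, round_function(R, k))   # R passes through; L absorbs f(R, K); then swap
    return R + L


def encrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    return feistel(block, key_schedule(key, rounds))


def decrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    return feistel(block, key_schedule(key, rounds)[::-1])   # same algorithm, reversed subkeys


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (7 - bit % 8)
    return bytes(buf)


def avalanche(key: bytes, block: bytes, bit: int, rounds: int) -> int:
    """How many of the 64 ciphertext bits change when plaintext bit `bit` is flipped."""
    c1 = encrypt(key, block, rounds)
    c2 = encrypt(key, flip_bit(block, bit), rounds)
    return bin(int.from_bytes(xor(c1, c2), "big")).count("1")
```

With a single round, flipping a bit of the left half changes exactly one ciphertext bit, because that half is only XORed with f(R, K) and then swapped; after 16 rounds roughly half of the 64 bits change, which is what the strict avalanche criterion asks for.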

The Data Encryption Standard (DES)


The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST). DES is an implementation of a Feistel Cipher. It uses
a 16-round Feistel structure. The block size is 64 bits. Though the key length is 64 bits, DES has
an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption
algorithm (they function as check bits only).
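The 56-bit effective key mentioned above, made concrete in an added example (not code from the notes). In DES the least significant bit of each key byte is an odd-parity check bit, so the cipher itself only sees the other 7 bits of each byte. The helpers verify or set those check bits and extract the 56-bit value that actually drives the key schedule; is_weak_key compares that 56-bit value against the four well-known DES weak keys, which the DES Analysis section says should be avoided. The sample keys in the checks are constructed values.

```python
# The four DES weak keys (hex, including parity bits); each encrypts twice to the identity.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}


def des_key_parity_ok(key: bytes) -> bool:
    """A DES key is 8 bytes whose least significant bit makes each byte's popcount odd."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def des_set_parity(key: bytes) -> bytes:
    """Rewrite the check bit of every byte so that the key passes des_key_parity_ok."""
    out = bytearray()
    for b in key:
        b &= 0xFE                               # clear the check bit
        if bin(b).count("1") % 2 == 0:
            b |= 1                              # set it when the other 7 bits have even parity
        out.append(b)
    return bytes(out)


def des_effective_key(key: bytes) -> int:
    """The 56 bits the cipher actually uses: each byte minus its check bit, concatenated."""
    v = 0
    for b in key:
        v = (v << 7) | (b >> 1)
    return v


def is_weak_key(key: bytes) -> bool:
    """Compare on the effective 56 bits, so parity-bit variants of a weak key are caught too."""
    return des_effective_key(key) in {des_effective_key(k) for k in DES_WEAK_KEYS}
```

Because only 56 bits matter, an exhaustive key search covers 2^56 candidates rather than 2^64, which is the "small key size" the Block Cipher Schemes section refers to.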


Since DES is based on the Feistel Cipher, all that is required to specify DES is:
Round function
Key schedule
Any additional processing: initial and final permutation

Initial and Final Permutation


The initial and final permutations are straight permutation boxes (P-boxes) that are inverses of
each other. They have no cryptographic significance in DES. The initial and final permutations
are shown as follows:

Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the
rightmost 32 bits to produce a 32-bit output.


Expansion Permutation Box: Since the right input is 32 bits and the round key is 48 bits, we
first need to expand the right input to 48 bits. The permutation logic is graphically depicted in
the following illustration.

The graphically depicted permutation logic is generally described as a table in the DES
specification, illustrated as shown:

XOR (Whitener): After the expansion permutation, DES performs an XOR operation on the
expanded right section and the round key. The round key is used only in this operation.
Substitution Boxes: The S-boxes carry out the real mixing (confusion). DES uses 8 S-
boxes, each with a 6-bit input and a 4-bit output. Refer to the following illustration.

The S-box rule is illustrated below

There is a total of eight S-box tables. The output of all eight S-boxes is then combined
into a 32-bit section.
Straight Permutation: The 32-bit output of the S-boxes is then subjected to the straight
permutation with the rule shown in the following illustration:


Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of
key generation is depicted in the following illustration

The logic for Parity drop, shifting, and Compression P-box is given in the DES description.

DES Analysis
DES satisfies both of the desired properties of a block cipher. These two properties make the cipher
very strong.
Avalanche effect: A small change in the plaintext results in a very great change in the
ciphertext.
Completeness: Each bit of the ciphertext depends on many bits of the plaintext.

During the last few years, cryptanalysts have found some weaknesses in DES when the selected
keys are weak keys. These keys shall be avoided. DES has proved to be a very well-designed block
cipher. There have been no significant cryptanalytic attacks on DES other than exhaustive key
search.

IDEA (International Data Encryption Algorithm)


IDEA, unlike the other block cipher algorithms discussed in this section, is patented by the Swiss
firm of Ascom. They have, however, been generous in allowing, with permission, free
noncommercial use of their algorithm, with the result that IDEA is best known as the block
cipher algorithm used within the popular encryption program PGP. The IDEA algorithm is
interesting in its own right. It includes some steps which, at first, make it appear that it might
be a non-invertible hash function instead of a block cipher. Also, it is interesting in that it
entirely avoids the use of any lookup tables or S-boxes.


IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and four are
used before every round and after the last round. It has eight rounds.

The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three operations are
used in IDEA to combine two 16-bit values to produce a 16-bit result: addition, XOR, and
multiplication. Addition is normal addition with carries, modulo 65,536. Multiplication, as used
in IDEA, requires some explanation.

Multiplication by zero always produces zero, and is not invertible. Multiplication modulo n is
also not invertible whenever it is by a number which is not relatively prime to n. The way
multiplication is used in IDEA, it is necessary that it be always invertible. This is true of
multiplication IDEA style.

The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257, is also
prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be trivially scaled up to
a 128-bit block size.) Thus, if one forms a multiplication table for the numbers from 1 through
65,536, each row and column will contain every number once only, forming a Latin square, and
providing an invertible operation. The numbers that 16 bits normally represent are from 0 to
65,535 (or, perhaps even more commonly, from -32,768 to 32,767). In IDEA, for purposes of
multiplication, a 16 bit word containing all zeroes is considered to represent the number
65,536; other numbers are represented in conventional unsigned notation, and multiplication
is modulo the prime number 65,537.

Description of IDEA
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys called K(1)
through K(52).

Before round 1, or as the first part of it, the following is done:
Multiply A by K(1). Add K(2) to B. Add K(3) to C. Multiply D by K(4).
Round 1 proper consists of the following:
Calculate A xor C (call it E) and B xor D (call it F).
Multiply E by K(5). Add the new value of E to F.
Multiply the new value of F by K(6). Add the result, which is also the new value of F,
to E.
Change both A and C by XORing the current value of F with each of them; change
both B and D by XORing the current value of E with each of them.
Swap B and C.
Repeat all of this eight times, or seven more times, using K(7) through K(12) the
second time, up to K(43) through K(48) the eighth time. Note that the swap of B and
C is not performed after round 8.
Then multiply A by K(49). Add K(50) to B. Add K(51) to C. Multiply D by K(52).

The intricacies of IDEA encryption may be made somewhat clearer by examining the following
diagrams:


(Diagrams: Details and Overview.)

Decryption
How can the round in IDEA be reversed, since all four quarters of the block are changed at the
same time, based on a function of all four of their old values? The trick is that A xor C is not
changed when both A and C are XORed with the same value: that value cancels out, no matter
what it might be. The same applies to B xor D. And since the values used are functions of
(A xor C) and (B xor D), they are still available.

This cross-footed round, rather than a Feistel round, is the most striking distinguishing factor
of IDEA, although its use of multiplication, addition, and XOR to avoid the use of S-boxes is also
important.

For decryption, the subkeys are replaced by their inverses. Those that are added are replaced by
their two's complement. Those that are multiplied in are replaced by their multiplicative inverse,
modulo 65,537, in IDEA notation when used to change blocks directly, but those used to calculate
the cross-footed F-functions are not changed. Keys XORed in would not need to be changed, but
there aren't any such keys in IDEA. Due to the placement of the swap, the first four keys for
decryption are moved somewhat differently than the other keys used for the same operation
between rounds.

The decryption key schedule is as follows. The first four subkeys for decryption are:
KD(1) = 1/K(49)
KD(2) = -K(50)
KD(3) = -K(51)
KD(4) = 1/K(52)
and they do not quite follow the same pattern as the remaining subkeys which follow.


The following is repeated eight times, adding 6 to every decryption key's index and
subtracting 6 from every encryption key's index:
KD(5) = K(47)
KD(6) = K(48)
KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)

Subkey Generation
The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The next eight
subkeys are obtained the same way, after a 25-bit circular left shift, and this is repeated until
all encryption subkeys are derived. This method of subkey generation is regular, and this may
be a weakness. However, IDEA is considered to be highly secure, having stood up to all forms
of attack so far tried by the academic community.
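The description above can be checked end to end in code. What follows is an added example, not code from the lecture notes or from IDEA's designers: a complete IDEA implementation in Python that follows the three 16-bit operations, the eight cross-footed rounds, the 25-bit rotating subkey generation and the decryption key schedule just described. One detail is worth spelling out: because no swap of B and C follows round 8, the last four decryption subkeys are the unswapped inverses 1/K(1), -K(2), -K(3), 1/K(4); the swapped form seen in KD(8) = -K(45), KD(9) = -K(44) applies to the additive subkeys of decryption rounds 2 to 8 only, and the code below uses exactly that. The sample key and block are constructed for the demonstration and are not published test vectors.

```python
MOD_MUL = 0x10001   # 2^16 + 1, prime: the modulus of IDEA multiplication
MASK16 = 0xFFFF


def mul(a, b):
    """IDEA multiplication modulo 65537; an all-zero 16-bit word stands for 65536."""
    a = a or 0x10000
    b = b or 0x10000
    r = (a * b) % MOD_MUL
    return 0 if r == 0x10000 else r


def mul_inv(a):
    """Multiplicative inverse in IDEA notation (65537 is prime, so a^(p-2) works)."""
    a = a or 0x10000
    r = pow(a, MOD_MUL - 2, MOD_MUL)
    return 0 if r == 0x10000 else r


def add_inv(a):
    """Additive inverse modulo 65536 (two's complement of the 16-bit word)."""
    return (-a) & MASK16


def encrypt_subkeys(key):
    """K(1)..K(52) from a 128-bit key: eight words, then a 25-bit circular left shift, repeated."""
    assert len(key) == 16, "IDEA key must be 128 bits"
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def decrypt_subkeys(K):
    """KD(1)..KD(52) as inverses of the encryption subkeys (K[i-1] is K(i) of the notes)."""
    k = lambda i: K[i - 1]
    kd = [mul_inv(k(49)), add_inv(k(50)), add_inv(k(51)), mul_inv(k(52))]
    # Decryption rounds 2..8: the two additive inverses trade places because a
    # B/C swap precedes them (the KD(8) = -K(45), KD(9) = -K(44) pattern).
    for base in range(43, 6, -6):                 # 43, 37, ..., 7
        kd += [k(base + 4), k(base + 5), mul_inv(k(base)),
               add_inv(k(base + 2)), add_inv(k(base + 1)), mul_inv(k(base + 3))]
    # Final transformation: no swap follows round 8, so K(2) and K(3) stay in place.
    kd += [k(5), k(6), mul_inv(k(1)), add_inv(k(2)), add_inv(k(3)), mul_inv(k(4))]
    return kd


def idea_block(block, subkeys):
    """Apply the eight cross-footed rounds and the final transformation."""
    A, B, C, D = (int.from_bytes(block[i:i + 2], "big") for i in (0, 2, 4, 6))
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = subkeys[6 * r:6 * r + 6]
        A, D = mul(A, k1), mul(D, k4)
        B, C = (B + k2) & MASK16, (C + k3) & MASK16
        E, F = A ^ C, B ^ D          # these XORs survive the round, which is why it inverts
        E = mul(E, k5)
        F = mul((F + E) & MASK16, k6)
        E = (E + F) & MASK16
        A, C, B, D = A ^ F, C ^ F, B ^ E, D ^ E
        if r != 7:                   # the swap of B and C is not performed after round 8
            B, C = C, B
    k49, k50, k51, k52 = subkeys[48:52]
    A, D = mul(A, k49), mul(D, k52)
    B, C = (B + k50) & MASK16, (C + k51) & MASK16
    return b"".join(x.to_bytes(2, "big") for x in (A, B, C, D))


def idea_encrypt(block, key):
    return idea_block(block, encrypt_subkeys(key))


def idea_decrypt(block, key):
    return idea_block(block, decrypt_subkeys(encrypt_subkeys(key)))


if __name__ == "__main__":
    key = bytes(range(1, 17))                    # constructed sample key (not a test vector)
    pt = bytes.fromhex("0123456789abcdef")       # constructed sample block
    ct = idea_encrypt(pt, key)
    print(ct.hex(), idea_decrypt(ct, key) == pt)
```

The same `idea_block` function serves for both directions; only the subkey list changes, which is the practical meaning of "decryption is encryption with the inverse subkeys". Running the script prints the ciphertext of the constructed block and `True` when the KD schedule restores the plaintext.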

Advanced Encryption Standard


The most popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). It is found to be at least six
times faster than triple DES.

A replacement for DES was needed as its key size was too small. With increasing computing
power, it was considered vulnerable against exhaustive key search attack. Triple DES was
designed to overcome this drawback, but it was found to be slow.

The features of AES are as follows:


Symmetric key symmetric block cipher
128-bit data, 128/192/256-bit keys
Stronger and faster than Triple-DES
Provide full specification and design details
Software implementable in C and Java

Operation of AES
AES is an iterative rather than a Feistel cipher. It is based on a substitution-permutation network.
It comprises a series of linked operations, some of which involve replacing inputs by specific
outputs (substitutions) and others involve shuffling bits around (permutations).

Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats
the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and
four rows for processing as a matrix.

Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES
uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys.
Each of these rounds uses a different 128-bit round key, which is calculated from the original
AES key.

The schematic of AES structure is given in the following illustration:


Encryption Process
Here, we restrict ourselves to the description of a typical round of AES encryption. Each round
comprises four sub-processes. The first round process is depicted below.

Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given in the design. The
result is a matrix of four rows and four columns.

ShiftRows
Each of the four rows of the matrix is shifted to the left. Any entries that fall off are re-inserted
on the right side of the row. The shift is carried out as follows:
First row is not shifted.
Second row is shifted one (byte) position to the left.
Third row is shifted two positions to the left.
Fourth row is shifted three positions to the left.
The result is a new matrix consisting of the same 16 bytes but shifted with respect to
each other.


MixColumns
Each column of four bytes is now transformed using a special mathematical function. This
function takes as input the four bytes of one column and outputs four completely new bytes,
which replace the original column. The result is another new matrix consisting of 16 new bytes.
It should be noted that this step is not performed in the last round.

AddRoundKey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of
the round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting
128 bits are interpreted as 16 bytes and we begin another similar round.

Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the
reverse order. Each round consists of the four processes conducted in the reverse order:
Add round key
Mix columns
Shift rows
Byte substitution
Since the sub-processes in each round are performed in reverse, unlike for a Feistel cipher, the
encryption and decryption algorithms need to be implemented separately, although they are
very closely related.
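The four round operations and their inverses are small enough to write out in full. The following is an added example, not code from the lecture notes or from the AES specification: an AES-128 (ten rounds, 128-bit key) implementation in Python built from SubBytes, ShiftRows, MixColumns and AddRoundKey as described above, with the S-box computed from its definition (multiplicative inverse in GF(2^8) followed by an affine transform) rather than copied as a table, the key expansion that produces the eleven round keys, and the separately implemented inverse cipher. The state is kept as a list of 16 bytes in column-major order, so byte index 4*c + r is row r of column c, which is the 4x4 matrix layout the notes describe. The key and plaintext in the `__main__` block are the published FIPS-197 Appendix C.1 values.

```python
def xtime(b):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gmul(a, b):
    """General GF(2^8) multiplication: needed for 3 (MixColumns) and 9, 11, 13, 14 (inverse)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _sbox_entry(x):
    """S[x] = affine transform of x^-1 in GF(2^8); x^-1 = x^254, and 0 maps to 0."""
    inv, base, e = 1, x, 254
    while e:                                      # square-and-multiply
        if e & 1:
            inv = gmul(inv, base)
        base, e = gmul(base, base), e >> 1
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x


def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]


def shift_rows(s):
    """Row r moves left by r positions; in column-major order row r of column c is s[4*c + r]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def inv_shift_rows(s):
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]


def mix_column(a):
    """Multiply one column by the fixed MixColumns matrix over GF(2^8)."""
    return [gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3),
            gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2)]


def inv_mix_column(a):
    return [gmul(a[0], 14) ^ gmul(a[1], 11) ^ gmul(a[2], 13) ^ gmul(a[3], 9),
            gmul(a[0], 9) ^ gmul(a[1], 14) ^ gmul(a[2], 11) ^ gmul(a[3], 13),
            gmul(a[0], 13) ^ gmul(a[1], 9) ^ gmul(a[2], 14) ^ gmul(a[3], 11),
            gmul(a[0], 11) ^ gmul(a[1], 13) ^ gmul(a[2], 9) ^ gmul(a[3], 14)]


def mix_columns(s, f=mix_column):
    return [b for c in range(4) for b in f(s[4 * c:4 * c + 4])]


def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]


def expand_key(key):
    """AES-128 key expansion: 44 words, grouped into eleven 16-byte round keys."""
    assert len(key) == 16, "AES-128 takes a 128-bit key"
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(block, key):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    for r in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if r != 10:                               # MixColumns is not performed in the last round
            s = mix_columns(s)
        s = add_round_key(s, rk[r])
    return bytes(s)


def aes128_decrypt_block(block, key):
    """The inverse cipher: the four steps undone in reverse order with the round keys reversed."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])
    for r in range(9, -1, -1):
        s = sub_bytes(inv_shift_rows(s), INV_SBOX)
        s = add_round_key(s, rk[r])
        if r != 0:
            s = mix_columns(s, inv_mix_column)
    return bytes(s)


if __name__ == "__main__":
    key = bytes(range(16))                        # FIPS-197 Appendix C.1 key 000102...0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = aes128_encrypt_block(pt, key)
    print(ct.hex(), aes128_decrypt_block(ct, key) == pt)
```

This is the single-block primitive only: a real deployment wraps it in a mode of operation and never uses a block cipher this way on its own. It is also written for clarity, not speed, and the table lookups make it trivially observable through timing; production implementations use hardware instructions or constant-time constructions for that reason.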

AES Analysis
In present-day cryptography, AES is widely adopted and supported in both hardware and
software. To date, no practical cryptanalytic attack against AES has been discovered.
Additionally, AES has built-in flexibility of key length, which allows a degree of future-proofing
against progress in the ability to perform exhaustive key searches.

However, just as for DES, the AES security is assured only if it is correctly implemented and
good key management is employed.


CHAPTER 5: Public Key Cryptography


Unlike symmetric key cryptography, we do not find historical use of public-key cryptography.
It is a relatively new concept. Symmetric cryptography was well suited for organizations such
as governments, the military, and big financial corporations that were involved in classified
communication.

With the spread of more insecure computer networks in the last few decades, a genuine need
was felt to use cryptography at a larger scale. The symmetric key was found to be impractical
due to the challenges it faced for key management. This gave rise to the public key
cryptosystems.

The process of encryption and decryption is depicted in the following illustration.
The most important properties of a public key encryption scheme are:
Different keys are used for encryption and decryption. This is the property that sets this
scheme apart from a symmetric encryption scheme.
Each receiver possesses a unique decryption key, generally referred to as his private
key.
The receiver needs to publish an encryption key, referred to as his public key.
Some assurance of the authenticity of a public key is needed in this scheme to avoid
spoofing by an adversary posing as the receiver. Generally, this type of cryptosystem
involves a trusted third party which certifies that a particular public key belongs to a
specific person or entity only.
The encryption algorithm is complex enough to prohibit an attacker from deducing the
plaintext from the ciphertext and the encryption (public) key.
Though private and public keys are related mathematically, it is not feasible to
calculate the private key from the public key. In fact, the intelligent part of any public-key
cryptosystem is in designing the relationship between the two keys.

There are three types of Public Key Encryption schemes. We discuss them in the following sections.

RSA Cryptosystem
This cryptosystem is one of the initial systems. It remains the most widely employed cryptosystem
even today. The system was invented by three scholars, Ron Rivest, Adi Shamir, and Len Adleman,
and hence it is termed the RSA cryptosystem. We will see two aspects of the RSA cryptosystem:
firstly, generation of the key pair and, secondly, the encryption-decryption algorithms.

Generation of RSA Key Pair
Each person or party who desires to participate in communication using encryption needs to
generate a pair of keys, namely a public key and a private key. The process followed in the
generation of keys is described below.
Generate the RSA modulus (n)
o Select two large primes, p and q.


o Calculate n = p*q. For strong unbreakable encryption, let n be a large number,
typically a minimum of 512 bits.
Find Derived Number (e)
o Number e must be greater than 1 and less than (p - 1)(q - 1).
o There must be no common factor for e and (p - 1)(q - 1) except for 1. In other
words, the two numbers e and (p - 1)(q - 1) are coprime.
Form the public key
o The pair of numbers (n, e) forms the RSA public key and is made public.
o Interestingly, though n is part of the public key, the difficulty of factorizing a large
number that is the product of two large primes ensures that an attacker cannot find
in finite time the two primes (p & q) used to obtain n. This is the strength of RSA.
Generate the private key
o Private key d is calculated from p, q, and e. For given n and e, there is a unique
number d.
o Number d is the inverse of e modulo (p - 1)(q - 1). This means that d is the
number less than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1
modulo (p - 1)(q - 1).
o This relationship is written mathematically as follows:
ed = 1 mod (p - 1)(q - 1)
o The Extended Euclidean Algorithm takes p, q, and e as input and gives d as
output.
Example
An example of generating an RSA key pair is given below. (For ease of understanding, the primes
p & q taken here are small values. In practice, these values are very large.)
Let the two primes be p = 7 and q = 13. Thus, the modulus n = pq = 7 x 13 = 91.
Select e = 5, which is a valid choice since there is no number that is a common factor
of 5 and (p - 1)(q - 1) = 6 x 12 = 72, except for 1.
The pair of numbers (n, e) = (91, 5) forms the public key and can be made available
to anyone whom we wish to be able to send us encrypted messages.
Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will
be d = 29.
Check that the d calculated is correct by computing
de = 29 x 5 = 145 = 1 mod 72
Hence, the public key is (91, 5) and the private key is (91, 29).

Encryption and Decryption
Once the key pair has been generated, the processes of encryption and decryption are relatively
straightforward and computationally easy. Interestingly, RSA does not directly operate on
strings of bits as in the case of symmetric key encryption. It operates on numbers modulo n. Hence,
it is necessary to represent the plaintext as a series of numbers less than n.

RSA Encryption
Suppose the sender wishes to send some text message to someone whose public
key is (n, e).
The sender then represents the plaintext as a series of numbers less than n.
To encrypt the first plaintext P, which is a number modulo n, the encryption
process is the simple mathematical step:
C = P^e mod n


In other words, the ciphertext C is equal to the plaintext P multiplied by itself e
times and then reduced modulo n. This means that C is also a number less than
n.
Returning to our Key Generation example with plaintext P = 10, we get ciphertext
C:
C = 10^5 mod 91 = 82

RSA Decryption
The decryption process for RSA is also very straightforward. Suppose that the
receiver of the public-key pair (n, e) has received a ciphertext C.
The receiver raises C to the power of his private key d. The result modulo n will be the
plaintext P.
Plaintext = C^d mod n
Returning again to our numerical example, the ciphertext C = 82 would get
decrypted to the number 10 using the private key 29:
Plaintext = 82^29 mod 91 = 10
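The key generation, encryption and decryption steps above, as an added example in Python that is not part of the lecture notes. It implements the Extended Euclidean Algorithm that produces d, checks the conditions on e, and reproduces the notes' own numbers (p = 7, q = 13, e = 5 giving d = 29; P = 10 giving C = 82). The second key pair (p = 61, q = 53, e = 17) and the text "HELLO" are constructed for the demonstration; both are still toy-sized. This is textbook RSA with no padding, which is what the notes describe, and the `encrypt_text` helper is written so that one consequence of that is visible: equal plaintext numbers always produce equal ciphertext numbers.

```python
from math import gcd


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(e, m):
    """The d < m with e*d = 1 (mod m), found with the Extended Euclidean Algorithm."""
    g, x, _ = extended_gcd(e, m)
    if g != 1:
        raise ValueError("no inverse: e and m are not coprime")
    return x % m


def generate_keypair(p, q, e):
    """Follow the notes' steps: n = p*q, check e against (p-1)(q-1), derive d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must lie strictly between 1 and (p-1)(q-1) and be coprime to it")
    d = mod_inverse(e, phi)
    return (n, e), (n, d)                 # public key, private key


def encrypt_number(P, public_key):
    """C = P^e mod n; P must already be a number less than n."""
    n, e = public_key
    if not 0 <= P < n:
        raise ValueError("plaintext block must be a number less than n")
    return pow(P, e, n)


def decrypt_number(C, private_key):
    """P = C^d mod n."""
    n, d = private_key
    return pow(C, d, n)


def encrypt_text(text, public_key):
    """Represent the text as a series of numbers less than n (one byte each here)
    and encrypt each one.  With no padding, equal bytes give equal ciphertext
    numbers, so the ciphertext leaks the pattern of repeated characters."""
    return [encrypt_number(b, public_key) for b in text.encode()]


def decrypt_text(blocks, private_key):
    return bytes(decrypt_number(c, private_key) for c in blocks).decode()


if __name__ == "__main__":
    public, private = generate_keypair(7, 13, 5)          # the notes' example: (91, 5), (91, 29)
    print(public, private, encrypt_number(10, public), decrypt_number(82, private))
    public, private = generate_keypair(61, 53, 17)        # constructed toy key with n > 255
    print(decrypt_text(encrypt_text("HELLO", public), private))
```

The byte-per-block encoding is only there to satisfy "a series of numbers less than n" for a tiny modulus; it is exactly the kind of deterministic, unpadded use that real systems avoid with randomized padding schemes such as OAEP, and the repeated-letter check in the test shows why.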

RSA Analysis
The security of RSA depends on the strengths of two separate functions. The RSA cryptosystem
is the most popular public-key cryptosystem, the strength of which is based on the practical
difficulty of factoring very large numbers.
Encryption Function. It is considered a one-way function of converting
plaintext into ciphertext, and it can be reversed only with the knowledge of the private
key d.
Key Generation. The difficulty of determining a private key from an RSA public
key is equivalent to factoring the modulus n. An attacker thus cannot use
knowledge of an RSA public key to determine an RSA private key unless he can
factor n. It is also a one-way function: going from the p & q values to the modulus n is easy,
but the reverse is not possible.

If either of these two functions is proved to be not one-way, then RSA will be broken. In fact, if a
technique for factoring efficiently is developed, then RSA will no longer be safe.

The strength of RSA encryption drastically goes down against attacks if the numbers p and q
are not large primes and/or the chosen public key e is a small number.

Diffie-Hellman Key Exchange


The Idea
Suppose two people, Alice and Bob [traditional names], want to use insecure email to agree on
a secret "shared key" that they can use to do further encryption for a long message. How is that
possible? The so-called Diffie-Hellman method provides a way. This method is one of the
ingredients of SSL, the encryption package that is part of the Netscape browser.

The mod Function
The main ingredient is the "remainder" or "modulo" or "mod" function, denoted % in Perl. For
example, 25%10 is 5 (say "25 mod 10 is 5") and 25%16 is 9 ("25 mod 16 is 9"). For n%10, the
result will always be one of 0,1,...,9.


As you can see, any positive integer modulo 10 is just the last digit in base 10: 1537%10 is 7,
etc. You can think of "modulo 10" for positive integers as meaning "ignore all decimal digits
except the last one".

Doing "modular arithmetic" with "modulus" 10 means doing addition, subtraction, and
multiplication (including powers) where you only care about the remainder modulo 10. You can
use some other modulus m instead of 10, as long as it's the same through the whole problem.
It works very smoothly.

The "as often as you want" principle: If you are doing modular arithmetic to find the answer
modulo m, you can take the remainder modulo m as often as you want during the calculations,
without changing the answer.

Example 1. To find 1537 x 4248 modulo 10, you could multiply out and take the last digit, but a
better way would be to replace 1537 by 7 and 4248 by 8 to start, find 7 x 8 = 56, and then take
56 mod 10 to get 6 as the answer.

A handy standard notation is to write a ≡ b (mod m) if a and b have the same remainder modulo
m. This is read "a is congruent to b modulo m". In this notation the example just mentioned
looks like this: 1537 x 4248 ≡ 7 x 8 = 56 ≡ 6 (mod 10).

Example 2. Find 2^8 (mod 11).

One solution. 2^8 = 256; 11 goes into 256 with quotient 23 and remainder 3.
Another solution. Find 2^2, 2^4, 2^8 by squaring repeatedly, but take remainders mod 11 each
chance you get: 2^2 = 4, 2^4 = 4^2 = 16 ≡ 5, 2^8 ≡ 5^2 = 25 ≡ 3.

Example 3. Find all the powers of 2 up to 2^10, each modulo 11.

Solution. Keep doubling, taking remainders modulo 11 whenever possible:
2, 4, 8, 16 ≡ 5, 10, 20 ≡ 9, 18 ≡ 7, 14 ≡ 3, 6, 12 ≡ 1 (mod 11). So the answer is 2, 4, 8, 5, 10, 9,
7, 3, 6, 1.

Notice that the powers of 2 run through all possible remainders modulo 11, except 0. We say
2 is a "generator" modulo 11. There is a theorem that if you take a prime modulus, then there
is always some generator, and in fact 2 often works. If 2 doesn't, maybe 3 will.

The Diffie-Hellman Method


The idea of Diffie and Hellman is that it's easy to compute powers modulo a prime but hard to
reverse the process: If someone asks which power of 2 modulo 11 is 7, you'd have to
experiment a bit to answer, even though 11 is a small prime. If you use a huge prime instead,
then this becomes a very difficult problem even on a computer.

Steps:
1. Alice and Bob, using insecure communication, agree on a huge prime p and a generator
g. They don't care if someone listens in.
2. Alice chooses some large random integer xA < p and keeps it secret. Likewise, Bob
chooses xB < p and keeps it secret. These are their "private keys".
3. Alice computes her "public key" yA ≡ g^xA (mod p) and sends it to Bob using insecure
communication. Bob computes his public key yB ≡ g^xB (mod p) and sends it to Alice.
Here 0 < yA < p, 0 < yB < p.


As already mentioned, sending these public keys with insecure communication is safe
because it would be too hard for someone to compute xA from yA or xB from yB, just like
the powers of 2 above.
4. Alice computes zA ≡ yB^xA (mod p) and Bob computes zB ≡ yA^xB (mod p).
Here zA < p, zB < p.

But zA = zB, since zA ≡ yB^xA ≡ (g^xB)^xA = g^(xA xB) (mod p) and similarly zB ≡ (g^xA)^xB =
g^(xA xB) (mod p). So this value is their shared secret key. They can use it to encrypt and
decrypt the rest of their communication by some faster method.

In this calculation, notice that the step yB^xA ≡ (g^xB)^xA involved replacing g^xB by its
remainder yB (in the reverse direction), so we were really using the "as often as you
want" principle.
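The modular-arithmetic examples (the powers of 2 modulo 11, the generator test, the "as often as you want" principle) and the four Diffie-Hellman steps above, as one added example in Python that is not part of the lecture notes. It uses the notes' own numbers p = 11 and g = 2; the private keys xA = 3, xB = 6 and the second group p = 23, g = 5 are constructed for the demonstration and are far too small for real use, which is the point the `discrete_log_by_trial` helper makes: for p = 11 the eavesdropper's problem is solved by trying ten powers, and the security of the exchange rests entirely on that search being infeasible for a huge prime.

```python
def mod_pow(base, exp, m):
    """base^exp mod m by square-and-multiply, reducing modulo m after every step
    (the "as often as you want" principle); same result as Python's pow(base, exp, m)."""
    result, base = 1, base % m
    while exp:
        if exp & 1:
            result = (result * base) % m
        base = (base * base) % m
        exp >>= 1
    return result


def powers_mod(g, p, count):
    """g^1, g^2, ..., g^count modulo p, reducing after each multiplication (Example 3)."""
    out, x = [], 1
    for _ in range(count):
        x = (x * g) % p
        out.append(x)
    return out


def is_generator(g, p):
    """True when the powers of g run through every non-zero remainder modulo the prime p."""
    return sorted(powers_mod(g, p, p - 1)) == list(range(1, p))


def discrete_log_by_trial(g, target, p):
    """Smallest x >= 1 with g^x = target (mod p), by trying each power in turn.  For p = 11
    this is the "experiment a bit" of the notes; for a huge prime it is hopeless, which is
    exactly what the security of the exchange rests on."""
    for x, value in enumerate(powers_mod(g, p, p - 1), start=1):
        if value == target:
            return x
    return None


def diffie_hellman(p, g, xA, xB):
    """Steps 1-4 above.  Returns (yA, yB, zA, zB): the two public keys that travel over
    the insecure channel and the shared secret each side computes from the other's key."""
    yA = mod_pow(g, xA, p)            # step 3: Alice's public key
    yB = mod_pow(g, xB, p)            # step 3: Bob's public key
    zA = mod_pow(yB, xA, p)           # step 4: Alice computes yB^xA
    zB = mod_pow(yA, xB, p)           # step 4: Bob computes yA^xB
    return yA, yB, zA, zB


if __name__ == "__main__":
    print(powers_mod(2, 11, 10), is_generator(2, 11), discrete_log_by_trial(2, 7, 11))
    yA, yB, zA, zB = diffie_hellman(11, 2, 3, 6)   # constructed small private keys
    print(yA, yB, zA, zB, zA == zB)
```

Note what the exchange does not provide: nothing in steps 1-4 tells Alice that yB really came from Bob, so the public values still need the kind of authenticity assurance the chapter introduction describes for public keys; in practice that is why the exchange is combined with signatures or certificates.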


CHAPTER 6: Authentication Schemes


Authentication is the process of determining if a user or identity is who they claim to be.
Authentication is accomplished using something the user knows (e.g. password), something
the user has (e.g. security token) or something of the user (e.g. biometric).

The authentication process is based on a measure of risk. High risk systems, applications and
information require different forms of authentication that more accurately confirm the user's
digital identity as being who they claim to be than would a low risk application, where the
confirmation of the digital identity is not as important from a risk perspective. This is commonly
referred to as "stronger authentication".

Authentication technology provides the basis for access control in computer systems. If the
identity of a user can be correctly verified, legitimate users can be granted access to system
resources. Conversely, those attempting to gain access without proper authorization can be
denied. As used in this bulletin, authentication is defined as the act of verifying the identity of
a user. Once a user's identity is verified, access control techniques may be used to mediate the
user's access to data. Authentication processes are dependent upon identity verification and
registration processes.

Authentication
A variety of methods are available for performing user authentication.

The traditional method for authenticating users has been to provide them with a secret
password, which they must use when requesting access to a particular system. Password
systems can be effective if managed properly (Federal Information Processing Standard [FIPS]
112), but they seldom are. Authentication which relies solely on passwords has often failed to
provide adequate protection for computer systems for a number of reasons. If users are
allowed to make up their own passwords, they tend to choose ones that are easy to remember
and therefore easy to guess. If passwords are generated from a random combination of
characters, users often write them down because they are difficult to remember.

Where password-only authentication is not adequate for an application, a number of
alternative methods can be used alone or in combination to increase the security of the
authentication process. The three generally accepted methods for verifying the identity of a
user are based on something the user knows, such as a password; something the user
possesses, such as an authentication token; and some physical characteristic of the user, such
as a fingerprint or voice pattern. A variety of methods are available for performing
authentication.
a. Password Authentication
b. Lightweight Directory Access Protocol (LDAP) Authentication
c. Biometric Authentication
d. PKI Authentication
e. Security Token Authentication
f. Smart Card Authentication
g. Wireless Authentication


Password Authentication
In most enterprises, the use of passwords is the primary means of authenticating a user.
Unfortunately, it is also the weakest form of authentication. In today's digital world, the ways
to bypass this form of security are trivial. While many enterprises focus on strengthening
passwords, these efforts are by and large meaningless in the face of the tools that attackers
can use. The tools provide criminals with the ability to hack, trap, or crack most passwords
easily.
The first attack tool against password authentication is a hardware keyboard logger. Legally
available online for $40, these devices plug into the connection between the keyboard and the
computer. They record every keystroke, with some models able to do time and date stamps
against the data. A hardware keyboard logger looks like a small piece of computer connection
hardware, takes only 10 seconds to install and is not detectable by any commercially
available software.

The use of password authentication is further weakened by software attacks. This year alone,
it is estimated that several thousand different password-logging malware programs will be
created. Some of these are very sophisticated and can be ordered over the internet to attack
certain types of firewalls. These password-logging programs are embedded in email and are
activated by clicking on the links in the email or by visiting a fake site that looks like the
normal commercial site (phishing attack).

Some of the password authentication attacks are so sophisticated that they embed
themselves in the core of the operating system kernel (rootkit attacks). Rootkit attacks are now
acknowledged by Microsoft to be so insidious that the only way to remove them is to re-image
every computer on the infected enterprise network!

Does this mean that passwords shouldn't be used in your enterprise?

No. Passwords can be used in a layered identity defense strategy. What this means
is that your enterprise will allow the use of a user id and password to gain general access to low
risk enterprise applications and information, e.g. the enterprise portal. However, when the user
tries to access applications or information that is higher risk, the enterprise single sign-on
system will require stronger authentication. This may include the use of security tokens, digital
certificates, biometrics, smartcards or combinations thereof in addition to the password.

LDAP Authentication
Lightweight Directory Access Protocol (LDAP) directories and LDAP authentication have
become one of the enterprise user infrastructure cornerstones. As the enterprise has digitized
and opened itself up to customer, business partner, vendor and wide-spread employee access
to pieces of most enterprise applications, the need to know who the user is has significantly
increased from a security perspective. Who is the user trying to access an application? What is
the strength of authentication by which the application can trust the user trying to access the
application? What are the user's authorization privileges?

The frequency with which to authenticate who a user is has also increased. Thus in a medium to
large enterprise it is not uncommon to have several thousand to several hundred thousand
identity look-ups per second.

The above are the reasons why LDAP directories and authentication have taken on such a
dominant role in enterprise authentication. LDAP directories offer the following features:


They are very quick for identity reads as compared to traditional databases.
a. They are low cost - in fact some LDAP directories are available for free.
b. Virtual LDAP directories enable quick linkage between multiple databases and
multiple LDAP directories.
c. LDAP directories are excellent for performing rapid LDAP authentication for
any digitized authentication.
d. LDAP directories have a universal protocol enabling quick interaction and
exchange of identity information between enterprises.
e. LDAP directories can be easily partitioned to place the directory close to the
end user, thus improving performance and reducing network load.

Underlying Key Points in LDAP Authentication

Authoritative Identity Sources
In most medium to large enterprises, the authoritative source for employee information is
usually the Human Resource Management System (HRMS). Figuring out what system is
authoritative for customers, contractors, temps, business partners and vendors is usually much
more complicated. It is very important, before LDAP authentication is implemented, that the
enterprise first determines which system or application will be authoritative for the identity
data. This also means cleaning up the associated business processes dealing with identity
creation, role changes and terminations. Often the authoritative identity source will have many
identities in its data stores listed as active who are no longer active. This can create security
holes in any LDAP authentication.

Unique Enterprise ID
Next, it's important that in cases where multiple data sources have the same identity
information, a universal identity id be deployed. For example, if a user named John Jones
is in the HRMS as J Jones, in the payroll system as John Jones, in the shipping system as JJONES,
etc., then it becomes important to know a common id for John Jones at the enterprise level.
This usually means creation of a unique alphanumeric id for each user. Without this, the
enterprise LDAP authentication won't work since John Jones won't know which id to use in
authentication. Further, the handoff to the applications after LDAP authentication won't work
since the LDAP directory has to communicate to the application that John Jones has
successfully authenticated.

Linkage of Authoritative Sources with the LDAP Directory
LDAP authentication relies upon the LDAP directory having the most up-to-date identity
information with which to perform an authentication. This requires that the authoritative
source be linked, at a minimum, on a nightly batch basis, and in many cases, on an identity event
basis. In the old days of a few years ago, interfacing LDAP directories with authoritative source
databases was expensive and time consuming to do. The synchronization of the LDAP
directories with the databases was critical and costly. Today, however, LDAP virtual directories
are mainstream tools. An LDAP virtual directory is one which sits in a virtual environment
and has its sources of identity information derived from pointers to specific tables in data stores
or in other LDAP directories. LDAP virtual directories can usually be created in several hours or
a few days and put into operation very quickly.

LDAP Authentication in Practice
LDAP authentication is now very common in network operating systems. Microsoft uses this in
Win2003 with its Active Directory. All network operating systems today support the integration
of LDAP authentication, including Solaris, Novell, AIX, Linux and HPUX. In each of these cases,
the user usually enters their id and password. The information may be presented as an online
form or simply have an entry point for the id and password. This information is then sent to the
LDAP directory (make sure the information is sent encrypted and not in open text). The
directory takes this information and compares it to the id and password stored in the LDAP
directory. If it is the same, the LDAP authentication is successful. In network operating systems,
the network then takes over and proceeds with user authorization and allows them to use the
network.

LDAP Authentication and Single Sign On


Single Sign On (SSO) systems mostly use LDAP authentication. The enterprise user logs on in
the morning and sees normally a form based enterprise login screen. The user enters in their
id and password. The SSO software then takes the information and sends it to the security
server using an encrypted connection. The security server in turn then logs on to the LDAP
server on behalf of the user by providing the LDAP server with the user's id and password. If
successful, the security server then proceeds with any authorization and/or lets the user
proceed to the application or resource they require.

Authentication - Biometrics
Biometrics used for authentication is currently in fashion in the authentication industry. The
UK and US governments are rapidly deploying them in their visas, passports and personal
identification cards. Many other industries are adopting biometrics as authentication
mechanisms for accessing bank machines, doorway access control and time card reporting and
general computer desktop access. Authentication is the process of determining if a user or
identity is who they claim to be. The authentication process is based on risk. Higher risk
situations require more identity verification certainty. Biometrics can play a useful role in
verifying the identity along with other factors.

What is biometric authentication?


Biometric authentication is the process of verifying if a user or identity is who they claim to be
using digitized biological pieces of the user. This can include finger scans, finger prints, iris
scans, face scans, voice recognition and signature scans. Other biometrics in research for
authentication includes vein scans and DNA.

Are all biometrics equal?


No. The type of biometric used and the way it is used results in different authentication results.
The table below lists current estimates for common biometric authentication systems:
                             Finger      Voice       Iris        Face
Type                         Physical    Behavioral  Physical    Physical
Method                       Active      Active      Active      Passive
Equal Error Rate             2-3.3%      <1%         4.1-4.6%    4.1%
Failure to Enroll            4%          2%          7%          1%
Nominal False Accept Rate    2.5%        <1%         6%          4%
Nominal False Reject Rate    0.1%        <1%         0.001%      10%
Liveness Aware               No          Yes         No          Possible
System Cost                  High        Low         Very High   High

Why Biometrics Will Not Solve Identity Theft


Biometrics is very useful, in certain situations, as an authentication device. It is useful when
someone is watching the user use a biometric authentication device. This way the enterprise
can be relatively certain that there is no maleficence being done between the user, the
biometric hardware reader and the enterprise security system. However, when biometrics are
done remotely, with the enterprise not able to see and control the authentication hardware,
the chances increase that the identity presenting their biometric may not be the person who
is registered with the biometric. Therefore, multi-factor authentication mechanisms are used.

The use of biometrics as a deterrent against identity theft is being much touted at the moment.
However, the use of biometrics alone will not likely deter criminals from finding ways around
the use of biometrics. Remember that what is being presented are a set of computer bits that
represent the biometric to the authentication server. Therefore, it is extremely likely that
criminals will adjust their attack vectors and try to capture the biometric from the person, and
then replay these on the enterprise.
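To make the error-rate rows of the biometrics table above concrete, here is an added example that is not part of the original notes. It assumes a matcher that outputs a similarity score between 0 and 1 and accepts a presentation when the score is at or above a decision threshold; the genuine and impostor score lists are constructed toy data, not measurements of any real product. Raising the threshold lowers the false accept rate at the cost of a higher false reject rate, and the equal error rate is the operating point where the two curves meet.

```python
# Added example, not from the lecture notes: how FAR, FRR and EER relate for a
# score-based biometric matcher. The matcher is assumed to emit a similarity
# score in [0, 1] and to accept when score >= threshold. Both score lists are
# constructed toy data, not measurements of any real system.
from typing import List, Tuple

GENUINE_SCORES: List[float] = [0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45]
IMPOSTOR_SCORES: List[float] = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.55]


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Fraction of impostor presentations the system wrongly accepts."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Fraction of legitimate presentations the system wrongly rejects."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_point(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Return (threshold, FAR, FRR) at the operating point where FAR and FRR
    are closest. Candidate thresholds are the distinct observed scores; ties
    resolve toward the lowest threshold."""
    best: Tuple[float, float, float] = (0.0, 1.0, 0.0)   # accept everything
    for t in sorted(set(genuine) | set(impostor)):
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        if abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t in (0.4, 0.5, 0.6, 0.8):
        print(f"threshold {t:.2f}: FAR={false_accept_rate(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={false_reject_rate(GENUINE_SCORES, t):.2f}")
    print("EER operating point (threshold, FAR, FRR):",
          equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A single EER figure from a vendor hides this trade-off. For a higher-risk deployment, ask for the full FAR/FRR curve and set the threshold from the risk of a false accept rather than from the product default.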

Authentication - PKI (Public Key Infrastructure)


A public key infrastructure is a system that provides for trusted third party user identity
inspection and assurance. Normally, this is done by a Certificate Authority (CA) and uses
cryptography involving public and private keys.
A typical PKI system consists of:
a. Client software
b. A Certificate Authority server
c. May involve smartcards
d. Operational procedures

How PKI infrastructure works:


The Certificate Authority checks the user. Different CAs have different identity validation
procedures. Some may grant the user a digital certificate with only a name and email address,
while others may involve personal interviews, background checks etc. The user is granted a
digital certificate. There are usually two components to this: a private key and a public key.

The user wishes to send an email to a business associate. The user digitally signs the email with
their private key. The email is sent to the business associate. The business associate uses the
sending user's public key to decrypt the message. The use of digital certificates in this example
provides confidentiality, message integrity and user authentication without having to exchange
secrets in advance.

PKI was oversold on its capabilities when it was originally introduced several years ago. There
were serious problems with browser incompatibilities, costs associated with issuing and
managing digital certificates and a business environment that had not yet widely adopted the
internet to rethink business processes between enterprises.

Authentication - Security Tokens


Authentication is achieved by asking for something you know, something you have, something
you are, or combinations thereof. Something you have, like a physical token, is used often in
real life, e.g. a driver's license. In the digital world security tokens are now commonly used.
They are often one-time password security tokens and/or smart cards.

One-Time Passwords
One-time password security tokens, like SecurID by RSA, are one way of significantly reducing
the risk of using passwords. Unlike passwords, which are changed every 60-90 days or longer,
a SecurID token works differently. On the small screen of the key fob the user carries with
them are numbers that change every 60 seconds. The numbers displayed on the screen appear
random to the end user. They are generated by a mathematical algorithm that is only known
to the enterprise security server.

The user logs on to the enterprise network. During the logon sequence the user is requested
to enter their id and then the number displayed on the screen. This information is sent
encrypted to the enterprise security server. If the number on the screen matches the value
the algorithm computes for that id, then the user is authenticated.

The devices are tamper proof/resistant. They are pre-programmed from the factory and ready
for immediate use. By combining a secret that the user knows (their id) with the one-time
password, the authentication is much stronger than that from a traditional password.

Authentication Weaknesses with Security Tokens


There are weaknesses with using only this approach. For instance, if someone is able to steal
or fraudulently obtain the key fob and they also know the user's id, then they will be able to
successfully masquerade as the identity. Additionally, there are significant management costs
with the key fobs or credit card size tokens. Recent announcements in February 2007 by Entrust
selling one-time password tokens at $5 mean that the price points are now much lower and
more affordable. Users need to be issued them physically, they need to be replaced when lost
(which is common) and recovered or terminated when an identity leaves the enterprise. Poor
de-provisioning processes may result in security holes being created by the identity still having
access to the network using their SecurID token and id.

Access Control Cards - Contactless Smart Card


The contactless smart card has a microchip embedded in the card with internal memory. This
enables the card to:
a. Securely manage, store and offer data access to the card
b. Perform complex functions and calculations (e.g. encryption)
c. Interact with an RF device in an intelligent manner

Common applications of contactless smart cards include:


Mutual authentication:
The contactless smart card can verify that the card reader is authentic and then verify itself to
the card reader before starting a secure transaction.

Strong information security:
The microchip and memory enable the card to encrypt any identity information contained in the
card, as well as to encrypt the RF connection between the contactless smart card and the card
reader.

Tamper resistant security:


There are a number of hardware and software capabilities built into contactless smart cards
to detect and react to tampering and help counter attacks on the card.

Authentication and Authorization Information Access Control:


The contactless smart card can protect the information contained within the card by
authenticating the information requestor and then allowing only the release of information the
requestor is authorized for. The card owner may have additional methods such as a PIN or a
biometric to approve release of the information. This is an example of strong authentication.

Selection of the access control cards should be done in context of the enterprise access control
and identity management systems. For example, will the cards and readers integrate with the
enterprise Lightweight Directory Access Protocol (LDAP)? Can the access control provisioning
system create, modify or terminate an identity on the access control card identity server?
What is the strength of authentication required for the access control card? Is it easy to tamper
with?

Authentication - Wireless
Most modern wireless networks do user authentication using the Remote Authentication Dial-In
User Service (RADIUS) protocol. RADIUS handles the overall authentication process of the
user's session on the wireless device, as well as authorization and auditing.

Typically, when you logon to your ISP using a wireless device, you are required to provide
authentication information. Often, this uses Extensible Authentication Protocol (EAP). The
type of authentication you use is determined by the EAP authentication method. There are
many different EAP methods. This can range from the use of an id and password (very
insecure), to digital certificates, security tokens and even biometrics.

The RADIUS system takes the EAP authentication method, challenges the user with the
appropriate authentication method, receives the authentication response and then verifies it,
often against an enterprise LDAP directory. If the authentication is successful, the RADIUS
server will then authorize IP addresses, the tunneling protocol used to create virtual private
networks, etc. Further, the RADIUS server keeps track of when a user session begins and ends.

Wireless Authentication Challenges


Many wireless deployments continue to use the least secure authentication methods - id and
password. The use of this results in very insecure communications between the enterprise and
the wireless device. If you are forced to use this, then my advice is to lock down what the user
can access and severely restrict the information the user can obtain.

For senior executives, who do require fairly open access to the applications and information
systems via their wireless device, issue them with something like an RSA SecurID one-time
password generator and require the executives to enter its code in order to authenticate
their wireless device to the network. This reduces the risk that the user at the end of the
wireless device is not the identity you issued the id and password to.

Digital Signatures
In many instances, it is not necessary to authenticate communicating parties; for instance,
when downloading application updates or patches from the Internet. From a security point of
view, the server does not need to screen who is downloading the software. The user
downloading the software does not necessarily care what particular server it is downloading
from. However, the user may want to be assured that the downloadable data is genuine and
not a Trojan Horse or other malicious or invalid information. In this instance, a digital signature
would best serve to authenticate the downloadable data.

A digital signature is a digest calculated from the signed document (typically with a one-way
hash function) which is then signed (encrypted with the private key). The client verifies the
digest signature by decrypting it with the server's public key and compares it to the digest
value calculated from the message received. The signature can also be used by the server to verify
data the client is sending.
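As an added illustration of both the PKI e-mail signing example earlier and the hash-then-sign description just given (example code, not from the notes or from any PKI product): the signer hashes the data and raises the digest to the private exponent; the verifier raises the signature to the public exponent and compares the result with its own digest of what it received. The keys are constructed from two small fixed primes so the code runs offline, and reducing the digest modulo n is a teaching shortcut. A real deployment uses a library such as OpenSSL with PKCS#1 padding and 2048-bit or larger keys, and checks the signer's certificate chain before trusting the public key.

```python
# Added example (not the notes' code): hash-then-sign with textbook RSA.
# Key material is constructed: the Mersenne primes 2^31-1 and 2^61-1 give a
# ~92-bit modulus, far too small for real use but enough to show the mechanism.
import hashlib

P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer, reduced into the modulus.
    (Teaching shortcut: real schemes pad the digest instead of reducing it.)"""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Signer side: hash, then 'encrypt' the digest with the private key."""
    return pow(digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Verifier side: 'decrypt' the signature with the public key and compare
    it with a fresh digest of the data actually received."""
    if not 0 < signature < N:
        return False
    recovered = pow(signature, public_exp, N)
    return recovered == digest_int(message)


if __name__ == "__main__":
    update = b"update-1.2.tar.gz contents (constructed sample)"
    sig = sign(update)
    print("genuine download verifies:", verify(update, sig))
    print("tampered download verifies:", verify(update + b"\x00", sig))
```

Because only the digest is signed, the cost of signing does not grow with the size of the download, and any change to the data, however small, changes the digest and so invalidates the signature.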

Message Authentication Code (MAC)


MAC algorithms can be used to authenticate messages as well as to ensure data integrity. They
may well be built from hash algorithms, but also rely on the sender and receiver having access
to a shared secret key (K).

As with symmetric encryption the main security worry is how the secret key is shared.

Hash Functions (MD5)


A hash function is simply a function that takes an input value and from that input creates an
output value determined by the input value. For any input value x, you will always receive the
same output value y whenever the hash function is run. In this way, every input has a
determined output. A function is basically something that takes an input and from that input
derives an output.

A hash function is therefore something that takes an input (which can be any data - numbers,
files, etc) and outputs a hash. A hash is usually displayed as a hexadecimal number.

One such hash function is MD5, which from any input data creates a 32-character hexadecimal
output. Hash functions are generally irreversible (one-way), which means you can't figure out
the input if you only know the output unless you try every possible input (which is called a
brute-force attack).

Hash functions are often used for proving that something is the same as something else,
without revealing the information beforehand. Here's an example.

Let's say Alice is bragging to Bob that she knows the answer to the challenge question in their
Math class. Bob wants her to prove that she knows the answer, without her telling him what it
is. So, Alice hashes her answer (let's say the answer was 42) to produce this hash:

Alice gives this hash to Bob. Bob cannot find out what the answer is from this hash but when
he finds the answer himself, he can hash his answer and if he gets the same result, then he
knows that Alice did indeed have the answer. Hashes are often used in this context of verifying
information without revealing it to the party that is verifying.
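Added example, not code from the notes, covering the Alice-and-Bob exchange above and the MAC described before it: hashing the answer 42 with MD5 as the text does, a salted commitment so that a tiny answer space cannot simply be brute-forced by the verifier, and an HMAC under a shared key K so the receiver can check both that a message is unmodified and that it came from a holder of K. The salt and key bytes are constructed for the example. MD5 is kept only to match the text; it is no longer collision resistant, and SHA-256 is used for the other functions.

```python
# Added example (not the notes' code): hash commitment and shared-key MAC.
# Salt and key bytes below are constructed for the demonstration.
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    """MD5 digest as the 32-character hexadecimal string the notes describe.
    Retained only to match the text: MD5 is no longer collision resistant."""
    return hashlib.md5(data).hexdigest()


def commit(answer: str, salt: bytes) -> str:
    """Alice publishes H(salt || answer) rather than the bare hash. Without a
    salt, Bob could hash every plausible answer (a brute-force attack), which
    is cheap when the answer space is as small as a maths-class question."""
    return hashlib.sha256(salt + answer.encode()).hexdigest()


def open_commitment(commitment: str, answer: str, salt: bytes) -> bool:
    """Bob recomputes the hash once Alice reveals the answer and the salt."""
    return hmac.compare_digest(commitment, commit(answer, salt))


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag over the message under the shared secret key K."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver recomputes the tag; the constant-time compare avoids leaking
    how many leading characters of a forged tag happened to be right."""
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    print("md5('42') =", md5_hex(b"42"))
    salt = b"constructed-salt"
    c = commit("42", salt)
    print("Bob opens with 42:", open_commitment(c, "42", salt),
          "| with 41:", open_commitment(c, "41", salt))
    k = b"constructed-shared-key-K"
    msg = b"transfer 100 to account 7"
    tag = mac_tag(k, msg)
    print("tag verifies:", mac_verify(k, msg, tag),
          "| after tampering:", mac_verify(k, msg.replace(b"100", b"900"), tag))
```

The MAC and the commitment differ in one essential way: anyone can check a commitment once the answer is revealed, whereas only a party holding K can produce or check a valid tag, which is why the key distribution problem noted above matters.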

Secure Hash Algorithm (SHA)


A secure hash algorithm is actually a set of algorithms developed by the National Institute of
Standards and Technology (NIST) and other government and private parties. These secure
encryptions or "file check" functions have arisen to meet some of the top cybersecurity
challenges of the 21st century, as a number of public service groups work with federal
government agencies to provide better online security standards for organizations and the
public.

Within the family of secure hash algorithms, there are several instances of these tools that
were set up to facilitate better digital security. The first one, SHA-0, was developed in 1993.
Like its successor, SHA-1, SHA-0 features 16-bit hashing.

The next secure hash algorithm, SHA-2, involves a set of two functions with 256-bit and 512-
bit technologies, respectively. There is also a top-level secure hash algorithm known as SHA-3
or "Keccak" that developed from a crowd sourcing contest to see who could design another
new algorithm for cybersecurity.

All of these secure hash algorithms are part of new encryption standards to keep sensitive data
safe and prevent different types of attacks. Although some of these were developed by
agencies like the National Security Agency, and some by independent developers, all of them
are related to the general functions of hash encryption that shields data in certain database
and network scenarios, helping to evolve cybersecurity in the digital age.

Central Authentication Service (CAS)


The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is
to permit a user to access multiple applications while providing their credentials (such as userid
and password) only once. It also allows web applications to authenticate users without gaining
access to a user's security credentials, such as a password. The name CAS also refers to a
software package that implements this protocol.

The CAS protocol involves at least three parties: a client web browser, the web application
requesting authentication, and the CAS server. It may also involve a back-end service, such as
a database server, that does not have its own HTTP interface but communicates with a web
application.

When the client visits an application desiring to authenticate to it, the application redirects it
to CAS. CAS validates the client's authenticity, usually by checking a username and password
against a database (such as Kerberos, LDAP or Active Directory).

If the authentication succeeds, CAS returns the client to the application, passing along a service
ticket. The application then validates the ticket by contacting CAS over a secure connection and
providing its own service identifier and the ticket. CAS then gives the application trusted
information about whether a particular user has successfully authenticated.

CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a
database or mail server, can participate in CAS, validating the authenticity of users via
information it receives from web applications. Thus, a webmail client and a webmail server can
all implement CAS.
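The service-ticket exchange described above, as an added example that is not the CAS project's code: an in-memory model in which the browser authenticates to the CAS server, receives a ticket bound to the requesting application, and the application then validates that ticket over its back channel by presenting its own service identifier. The 10-second ticket lifetime, the service URLs and the demo user are assumptions made for the demonstration, and the password store uses a salted PBKDF2 hash rather than the plaintext password.

```python
# Added example (not the CAS project's code): a minimal model of CAS service
# tickets. Ticket lifetime, service URLs and the demo user are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TICKET_TTL = 10.0   # seconds a service ticket remains valid (assumption)


def make_credential(password: str) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_credential(credential: tuple, password: str) -> bool:
    salt, stored = credential
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(stored, candidate)


@dataclass
class ServiceTicket:
    user: str
    service: str
    issued_at: float


class CasServer:
    def __init__(self, users: dict, clock=time.time) -> None:
        self._users = users          # username -> (salt, hash)
        self._tickets = {}           # ticket id -> ServiceTicket
        self._clock = clock          # injectable so expiry can be tested

    def login(self, username: str, password: str, service: str):
        """The browser, redirected by the application, proves its identity to
        CAS. On success CAS issues a service ticket bound to that application."""
        credential = self._users.get(username)
        if credential is None or not check_credential(credential, password):
            return None
        ticket_id = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket_id] = ServiceTicket(username, service, self._clock())
        return ticket_id

    def validate(self, service: str, ticket_id: str):
        """The application presents its own service id and the ticket over the
        secure back channel. A ticket is single-use, short-lived and valid only
        for the service it was issued to; CAS returns the user name or None."""
        ticket = self._tickets.pop(ticket_id, None)       # consumed on first use
        if ticket is None:
            return None                                   # unknown or replayed
        if ticket.service != service:
            return None                                   # issued to another app
        if self._clock() - ticket.issued_at > TICKET_TTL:
            return None                                   # expired
        return ticket.user


if __name__ == "__main__":
    cas = CasServer({"jjones": make_credential("correct-horse")})
    app = "https://app.example.test/login"           # assumed service URL
    st = cas.login("jjones", "correct-horse", app)
    print("application validates ticket ->", cas.validate(app, st))
    print("second use of same ticket   ->", cas.validate(app, st))
```

The application never sees the user's password, which is the property the text highlights. What it must protect is the back-channel validation (TLS with the CAS server's certificate checked) and its own service identifier, since a ticket is only as trustworthy as the channel that validates it.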

CHAPTER 7: Network Security

Types of Attack
Without security measures and controls in place, your data might be subjected to an attack.
Some attacks are passive, meaning information is monitored; others are active, meaning the
information is altered with intent to corrupt or destroy the data or the network itself.
Your networks and data are vulnerable to any of the following types of attacks if you do not
have a security plan in place.

1. Eavesdropping
In general, the majority of network communications occur in an unsecured or
"cleartext" format, which allows an attacker who has gained access to data paths in
your network to "listen in" or interpret (read) the traffic. When an attacker is
eavesdropping on your communications, it is referred to as sniffing or snooping. The
ability of an eavesdropper to monitor the network is generally the biggest security
problem that administrators face in an enterprise. Without strong encryption services
that are based on cryptography, your data can be read by others as it traverses the
network.

2. Data Modification
After an attacker has read your data, the next logical step is to alter it. An attacker can
modify the data in the packet without the knowledge of the sender or receiver. Even if
you do not require confidentiality for all communications, you do not want any of your
messages to be modified in transit. For example, if you are exchanging purchase
requisitions, you do not want the items, amounts, or billing information to be modified.

3. Identity Spoofing (IP Address Spoofing)


Most networks and operating systems use the IP address of a computer to identify a
valid entity. In certain cases, it is possible for an IP address to be falsely assumed;
this is identity spoofing. An attacker might also use special programs to construct IP
packets that appear to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify,
reroute, or delete your data. The attacker can also conduct other types of attacks, as
described in the following sections.

4. Password-Based Attacks
A common denominator of most operating system and network security plans is
password-based access control. This means your access rights to a computer and
network resources are determined by who you are, that is, your user name and your
password.

Older applications do not always protect identity information as it is passed through
the network for validation. This might allow an eavesdropper to gain access to the
network by posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the
real user. Therefore, if the user has administrator-level rights, the attacker also can
create accounts for subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of
the following:
Obtain lists of valid user and computer names and network information.
Modify server and network configurations, including access controls and
routing tables.
Modify, reroute, or delete your data.

5. Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack prevents normal use of
your computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:
Randomize the attention of your internal Information Systems staff so that
they do not see the intrusion immediately, which allows the attacker to make
more attacks during the diversion.
Send invalid data to applications or network services, which causes abnormal
termination or behavior of the applications or services.
Flood a computer or the entire network with traffic until a shutdown occurs
because of the overload.
Block traffic, which results in a loss of access to network resources by
authorized users.

6. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you
and the person with whom you are communicating is actively monitoring, capturing,
and controlling your communication transparently. For example, the attacker can re-
route a data exchange. When computers are communicating at low levels of the
network layer, the computers might not be able to determine with whom they are
exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read
your message. The person on the other end might believe it is you because the attacker
might be actively replying as you to keep the exchange going and gain more
information. This attack is capable of the same damage as an application-layer attack,
described later in this section.

7. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although
obtaining a key is a difficult and resource-intensive process for an attacker, it is
possible. After an attacker obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication
without the sender or receiver being aware of the attack. With the compromised key,
the attacker can decrypt or modify data, and try to use the compromised key to
compute additional keys, which might allow the attacker access to other secured
communications.

8. Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network data
exchanges and read network packets. If the packets are not encrypted, a sniffer
provides a full view of the data inside the packet. Even encapsulated (tunneled) packets
can be broken open and read unless they are encrypted and the attacker does not have
access to the key.

Using a sniffer, an attacker can do any of the following:


Analyze your network and gain information to eventually cause your network
to crash or to become corrupted.
Read your communications.

9. Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in
a server's operating system or applications. This results in the attacker gaining the
ability to bypass normal access controls. The attacker takes advantage of this situation,
gaining control of your application, system, or network, and can do any of the
following:
Read, add, delete, or modify your data or operating system.
Introduce a virus program that uses your computers and software applications
to copy viruses throughout your network.
Introduce a sniffer program to analyze your network and gain information that
can eventually be used to crash or to corrupt your systems and network.
Abnormally terminate your data applications or operating systems.
Disable other security controls to enable future attacks.

Pretty Good Privacy (PGP)


Pretty Good Privacy or PGP is a popular program used to encrypt and decrypt email over the
Internet, as well as authenticate messages with digital signatures and encrypted stored files.

Pretty Good Privacy uses a variation of the public key system. In this system, each user has an
encryption key that is publicly known and a private key that is known only to that user. You
encrypt a message you send to someone else using their public key. When they receive it, they
decrypt it using their private key. Since encrypting an entire message can be time-consuming,
PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to
encrypt the shorter key that was used to encrypt the entire message. Both the encrypted
message and the short key are sent to the receiver who first uses the receiver's private key to
decrypt the short key and then uses that key to decrypt the message.

PGP comes in two public key versions -- Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The
RSA version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate
a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version
uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman
algorithm to encrypt the short key.

When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a
mathematical summary) from the user's name and other signature information. This hash code
is then encrypted with the sender's private key. The receiver uses the sender's public key to
decrypt the hash code. If it matches the hash code sent as the digital signature for the message,
the receiver is sure that the message has arrived securely from the stated sender. PGP's RSA
version uses the MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version uses
the SHA-1 algorithm to generate the hash code.

IPSec
IPSec, which works at the network layer, is a framework consisting of protocols and algorithms
for protecting data through an untrusted network such as the internet. IPSec provides data
security in various ways such as encrypting and authenticating data, and protecting against
masquerading and manipulation. IPSec is a complex framework consisting of many settings,
which is why it provides a powerful and flexible set of security features.

IPSec is a collection of different protocols and algorithms. IPSec traffic can be configured using
over 30 different settings. IPSec is used to secure traffic from site to site or from a site to a
mobile user. As the world is constantly changing and growing with technology, IPSec suits this
because it is a framework, which allows you to add new and better algorithms as they come out.

When two IPSec gateways want to make a VPN connection between them, they negotiate on
various settings and parameters and must make an agreement on the parameters used. For
example, what type of authentication and encryption will be used within the VPN tunnel. This
is generally called VPN negotiation.

IPSec does not use RSA for data encryption. It uses DES, 3DES, or AES. IPSec uses RSA within
IKE (Internet Key Exchange) during the peer authentication phase, to ensure the other side is
authentic and is who they say they are.

The 4 key functions or services of IPSec are as follows:

1. Confidentiality: data is encrypted (scrambled).
2. Data integrity: data has not been changed.
3. Data authentication: sender and receiver are who they say they are.
4. Anti-replay: each packet is unique and has not been duplicated or intercepted.

The 5 phases of IPSec are:
1. Define interesting traffic.
2. IKE phase 1: key exchange phase.
3. IKE phase 2: IPSec policy and transform sets are processed.
4. Transfer data: after the tunnels are established, you transfer the data.
5. Tear down the tunnel.

IPSec uses two different protocols to encapsulate the data over a VPN tunnel:
Encapsulation Security Payload (ESP): IP Protocol 50
Authentication Header (AH): IP Protocol 51

ESP is more secure as it provides data encryption. AH just provides authentication.
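The anti-replay service listed above, as an added example that is not part of the notes: a sliding-window check modelled on the one ESP and AH receivers use (RFC 4303, section 3.4.3). Each packet carries a monotonically increasing sequence number; the receiver remembers the highest number accepted and a bitmap of which recent numbers it has already seen, so a captured packet that is re-sent is rejected as a duplicate, and a packet that has fallen behind the window is dropped as too old. The 64-packet window is the common default, and the sequence numbers fed in are constructed for the demonstration.

```python
# Added example (not from the notes): IPSec-style anti-replay sliding window,
# modelled on RFC 4303 section 3.4.3. Window size and the packet sequence used
# in the demo are constructed values.
from typing import List


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the `size`
    most recent sequence numbers already received."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set  <=>  (highest - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if `seq` is fresh; False if it is
        a replay (already seen) or too old to fall inside the window."""
        if seq <= 0:
            return False                      # ESP never sends sequence number 0
        if seq > self.highest:
            shift = seq - self.highest        # window slides forward
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # jumped past everything remembered
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False                      # duplicate: replay attempt
        self.bitmap |= 1 << diff              # first sighting of this number
        return True


def replay_filter(sequence: List[int]) -> List[bool]:
    """Run a packet sequence through one window and return the verdicts."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in sequence]


if __name__ == "__main__":
    # Constructed arrival order: 2 arrives twice, 100 jumps far ahead, 5 is then
    # too old, 40 is late but still inside the 64-packet window.
    packets = [1, 2, 5, 2, 3, 4, 100, 5, 40, 40]
    for seq, verdict in zip(packets, replay_filter(packets)):
        print(f"seq {seq:3d}: {'accept' if verdict else 'drop'}")
```

A receiver updates the window only after the packet's integrity check value has verified; otherwise an attacker could advance the window with forged sequence numbers and make legitimate packets look old.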

Secure Sockets Layer (SSL)


Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link
between a server and a client, typically a web server (website) and a browser, or a mail server
and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, social security numbers, and login
credentials to be transmitted securely. Normally, data sent between browsers and web servers
is sent in plain text, leaving you vulnerable to eavesdropping. If an attacker is able to intercept
all data being sent between a browser and a web server, they can see and use that information.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used.
In this case, the SSL protocol determines variables of the encryption for both the link and the
data being transmitted.

All browsers have the capability to interact with secured web servers using the SSL protocol.
However, the browser and the server need what is called an SSL Certificate to be able to
establish a secure connection.

SSL secures millions of people's data on the Internet every day, especially during online
transactions or when transmitting confidential information. Internet users have come to
associate their online security with the lock icon that comes with an SSL-secured website or
green address bar that comes with an Extended Validation SSL-secured website. SSL-secured
websites also begin with https rather than http.

How Does the SSL Certificate Create a Secure Connection?


When a browser attempts to access a website that is secured by SSL, the browser and the web
server establish an SSL connection using a process called an SSL Handshake (see diagram
below). Note that the SSL Handshake is invisible to the user and happens instantaneously.

Essentially, three keys are used to set up the SSL connection: the public, private, and session
keys. Anything encrypted with the public key can only be decrypted with the private key, and
vice versa.

Because encrypting and decrypting with private and public key takes a lot of processing power,
they are only used during the SSL Handshake to create a symmetric session key. After the
secure connection is made, the session key is used to encrypt all transmitted data.

1. Browser connects to a web server (website) secured with SSL (https). Browser requests
that the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server's public key.
3. Browser checks the certificate root against a list of trusted CAs and that the certificate
is unexpired, unrevoked, and that its common name is valid for the website that it is
connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back
a symmetric session key using the server's public key.
4. Server decrypts the symmetric session key using its private key and sends back an
acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key.
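
The five steps above carried out in code. This is an added example written for these notes, not code from the original text or from any browser, and it uses only Go's standard library. It builds a private test CA that stands in for a public CA and issues a certificate to the constructed hostname www.example.com (the data of step 2), performs the browser's step 3 checks with x509.Verify, does the key transport of steps 3 and 4 with RSA-OAEP, and protects the first request of step 5 with AES-256-GCM. The notes do not name these particular algorithms, so they are assumptions of the example, as is the hostname evil.example.net used to show a name mismatch being rejected. The "unrevoked" part of step 3 is not something x509.Verify checks (CRLs and OCSP are separate), so the example assumes revocation is handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a 2048-bit RSA key for tmpl and has parent certify it with signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI returns constructed test data: a private root CA standing in for a public CA, and the certificate and key it issues to host, valid until now+lifetime (a negative lifetime gives an already-expired certificate).
func BuildPKI(host string, lifetime time.Duration) (*x509.Certificate, *x509.Certificate, *rsa.PrivateKey, error) {
	now := time.Now()
	root, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	server, key, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // browsers match the host against the SAN, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(lifetime),
		KeyUsage:  x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, caKey)
	return root, server, key, err
}

// VerifyServerCert is the browser's check in step 3: chain to a trusted root, valid at time at, and
// issued for host. x509.Verify consults neither CRLs nor OCSP, so "unrevoked" needs a separate check.
func VerifyServerCert(cert, trustedRoot *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// Session runs steps 3 to 5 for a browser that trusts trustedRoot and visits host, returning request as the server recovered it.
func Session(server *x509.Certificate, serverKey *rsa.PrivateKey, trustedRoot *x509.Certificate, host string, request []byte) ([]byte, error) {
	if err := VerifyServerCert(server, trustedRoot, host, time.Now()); err != nil {
		return nil, fmt.Errorf("browser rejects certificate: %w", err)
	}
	// End of step 3: a random 256-bit session key (plus the 12-byte GCM nonce the browser will use), the key encrypted with RSA-OAEP to the public key read from the certificate.
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	clientKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server.PublicKey.(*rsa.PublicKey), clientKey, []byte("session-key"))
	if err != nil {
		return nil, err
	}
	// Step 4: only the server's private key recovers the session key.
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, []byte("session-key"))
	if err != nil {
		return nil, err
	}
	// Step 5: the browser seals the request with its copy of the key, the server opens it with its own copy (AES-256-GCM; NewCipher/NewGCM only fail on bad key sizes, which cannot happen here).
	block, _ := aes.NewCipher(clientKey)
	gcm, _ := cipher.NewGCM(block)
	record := gcm.Seal(nonce, nonce, request, nil) // nonce || ciphertext || tag
	block, _ = aes.NewCipher(sessionKey)
	gcm, _ = cipher.NewGCM(block)
	return gcm.Open(nil, record[:12], record[12:], nil)
}

func main() {
	root, server, key, err := BuildPKI("www.example.com", 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	got, err := Session(server, key, root, "www.example.com", []byte("GET / HTTP/1.1"))
	fmt.Printf("server read %q, err=%v\n", got, err)
	fmt.Println(Session(server, key, root, "evil.example.net", nil)) // name mismatch: rejected in step 3
}
```

Running it prints the request as the server decrypted it, then the error for the mismatched hostname. A certificate from a root the browser does not trust, or one past its NotAfter, fails in VerifyServerCert the same way, before any session key is exchanged; that failure is what a browser's certificate warning page corresponds to.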

Secure Electronic Transaction (SET)


SET was developed by the SET Consortium, established in 1996 by VISA and MasterCard in cooperation with GTE, IBM, Microsoft, Netscape, SAIC, Terisa Systems, RSA, and VeriSign. The consortium's goal was to combine the card associations' similar but incompatible protocols (STT from Visa/Microsoft and SEPP from MasterCard/IBM) into a single standard.

SET allowed the parties to identify themselves to each other and exchange information securely. Binding of identities was based on X.509 certificates with several extensions. SET used a cryptographic blinding algorithm that, in effect, would have let merchants substitute a certificate for a user's credit-card number. Had SET been used, the merchant itself would never have had to know the credit-card number being sent by the buyer; the merchant would still have received a verified payment, while customers and card issuers would have been protected from fraud.

SET was intended to become the de facto standard payment method on the Internet between
the merchants, the buyers, and the credit-card companies.

How SET Works


Both cardholders and merchants must first register with a CA (certificate authority) before they can buy or sell on the Internet. Once registration is done, cardholder and merchant can start to do transactions, which in simplified form involve nine basic steps:
1. Customer browses the website and decides what to purchase.
2. Customer sends the order and payment information, which consists of two parts in one message:
a. Purchase Order: this part is for the merchant.
b. Card Information: this part is for the merchant's bank only.
3. Merchant forwards the card information (part b) to their bank.
4. Merchant's bank checks with the Issuer for payment authorization.
5. Issuer sends the authorization to the merchant's bank.
6. Merchant's bank sends the authorization to the merchant.
7. Merchant completes the order and sends confirmation to the customer.
8. Merchant captures the payment through their bank.
9. Issuer sends the credit card bill (invoice) to the customer.

Kerberos
Kerberos authentication was developed at the Massachusetts Institute of Technology (MIT). There are two main components: a ticket, which is used for user authentication and for securing data, and an authenticator, which is used to verify that the user presenting a ticket is the same user to whom the ticket was initially granted. When a user logs into a system, the system connects to the Kerberos server, from which it retrieves a session key to be used between the user and the ticket-granting service (TGS). This session key is sent encrypted with a key derived from the user's password, so the end system can decrypt it only if the user supplies the right password. Once this is done, the user's password is erased from memory to avoid its being compromised. The ticket obtained at this stage (the ticket-granting ticket, TGT) expires after a set amount of time.

When a user wants to connect to a service for which they do not already hold a ticket, the user connects to the TGS and obtains a ticket that can only be used to access the particular service it was granted for. The user can now connect to the server through an encrypted channel. After the ticket expires, the user must request a new one from the TGS.

The major issue with Kerberos is its scalability. The Kerberos server must store a secret key for every principal: each user and each service, including the TGS itself. Kerberos can get very complex in enterprise implementations where trust relationships need to be in place between multiple organizations (cross-realm trust).
