Contents
CHAPTER 1: Introduction to Cryptography............................................................................. 1
Common Goals in Cryptography ............................................................................................ 1
Basic Terms in Cryptography .................................................................................................. 2
Generic Model of Secure Communication ............................................................................. 3
OSI Security Architecture ....................................................................................................... 4
Types of attacks ...................................................................................................................... 5
Types of Cryptographic Systems............................................................................................. 6
Symmetric Key Cryptography ............................................................................................. 6
Public-Key Cryptography .................................................................................................... 6
Conventional Encryption Model: ............................................................................................ 7
Cryptanalysis ...................................................................................................................... 8
CHAPTER 2: Classical Cipher Scheme ..................................................................................... 9
Transposition Ciphers: Moving Around .............................................................................. 9
Hill Cipher ......................................................................................................................... 10
Symmetric Cipher Model .................................................................................................. 13
Caesar Cipher ................................................................................................................... 14
Monoalphabetic Ciphers .................................................................................................. 16
Playfair Cipher .................................................................................................................. 17
CHAPTER 3: Mathematical Foundation ................................................................................ 19
GROUP.............................................................................................................................. 19
Rings ................................................................................................................................. 23
Integral Domains .............................................................................................................. 23
Fields ................................................................................................................................ 24
Modular Arithmetic .......................................................................................................... 25
Euclidean Algorithm ......................................................................................................... 30
CHAPTER 4: Modern Symmetric Ciphers.............................................................................. 32
Block Cipher Modes of Operation .................................................................................... 33
Shannon Theory of Confusion and Diffusion .................................................................... 36
Feistel Cipher .................................................................................................................... 37
The Data Encryption Standard (DES) ................................................................................ 38
IDEA (International Data Encryption Algorithm)............................................................... 41
Advanced Encryption Standard ........................................................................................ 44
CHAPTER 5: Public Key Cryptography................................................................................... 47
RSA Cryptosystem ............................................................................................................ 47
Cryptography (BE VIII Semester) | Chandra Bilash Bhurtel
Cryptography is the study of information hiding and verification. It includes the protocols,
algorithms and strategies to securely and consistently prevent or delay unauthorized access to
sensitive information and enable verifiability of every component in a communication.
Cryptography is derived from the Greek words kryptós, "hidden", and gráphein, "to write", i.e.
"hidden writing". People who study and develop cryptography are called cryptographers.
The study of how to circumvent the use of cryptography for unintended recipients is called
cryptanalysis, or codebreaking. Cryptography and cryptanalysis are sometimes grouped
together under the umbrella term cryptology, encompassing the entire subject. In practice,
"cryptography" is also often used to refer to the field as a whole, especially as an applied
science. At the dawn of the 21st century, in an ever more interconnected and technological world,
cryptography became ubiquitous, as did reliance on the benefits it brings, especially increased
security and verifiability.
Cryptography is an interdisciplinary subject, drawing from several fields. Before the time of
computers, it was closely related to linguistics. Nowadays the emphasis has shifted, and
cryptography makes extensive use of technical areas of mathematics, especially those areas
collectively known as discrete mathematics. This includes topics from number theory,
information theory, computational complexity, statistics and combinatorics. It is also a branch
of engineering, but an unusual one as it must deal with active, intelligent and malevolent
opposition.
Computer Security: the generic name for the collection of tools designed to protect data and
to thwart hackers.
Network Security: measures to protect data during their transmission.
Internet Security: measures to protect data during their transmission over a collection of
interconnected networks.
Not all cryptographic systems achieve all of the above goals. Some applications of cryptography
have different goals; for example, some situations require repudiation, where a participant can
plausibly deny being the sender or receiver of a message, or extend these goals to include
variations like:
1. Message access control: who the valid recipients of the message are.
2. Message availability: providing means to limit the validity of the message, channel,
emitter or recipient in time or space.
Decode = to convert the encoded message back to its original alphabet and original form. The
term plaintext will apply to either the original or the encoded form: the process of encoding a
message is not an obscuring process, and the result can be considered equivalent to the
plaintext message.
Stream cipher = a cipher which acts on the plaintext one symbol at a time.
Substitution cipher = a stream cipher which acts on the plaintext by making a substitution of
the characters with elements of a new alphabet or by a permutation of the characters in the
plaintext alphabet.
Transposition cipher = a block cipher which acts on the plaintext by permuting the positions of
the characters in the plaintext.
Encryption is the process of turning a clear-text message (Plaintext) into a data stream which
looks like a meaningless and random sequence of bits (ciphertext). The process of turning
ciphertext back into plaintext is called decryption.
Cryptography deals with making communications secure. Cryptanalysis deals with breaking
ciphertext, that is, recovering plaintext without knowing the key. Cryptology is a branch of
mathematics which deals with both cryptography and cryptanalysis.
All modern ciphers use keys together with plaintext as the input to produce ciphertext. The
same or a different key is supplied to the decryption function to recover plaintext from
ciphertext. The details of a cryptographic algorithm are usually made public. The security of a
modern cipher lies in the key, not in the details of the cipher.
Symmetric algorithms use the same key for encryption and decryption. These algorithms
require that both the sender and receiver agree on a key before they can exchange messages
securely.
Some symmetric algorithms operate on 1 bit (or sometimes 1 byte) of plaintext at a time. They
are called stream ciphers. Other algorithms operate on blocks of bits at a time. They are called
block ciphers. Most modern block ciphers use the block size of 64 bits.
Public-key algorithms (also known as asymmetric algorithms) use two different keys (a key pair)
for encryption and decryption. The keys in a key pair are mathematically related, but it is
computationally infeasible to deduce one key from the other. These algorithms are called
"public-key" because the encryption key can be made public. Anyone can use the public key to
encrypt a message, but only the owner of the corresponding private key can decrypt it.
Some public-key algorithms such as RSA allow the process to work in the opposite direction as
well: a message can be encrypted with a private key and decrypted with the corresponding
public key. If Alice (or anyone else) can decrypt a message with Bob's public key, she knows that
the message must have come from Bob, because no one else has Bob's private key. Digital
signatures work this way.
Security aspects come into play when it is necessary or desirable to protect the information
transmission from an opponent who may present a threat to confidentiality, authenticity, and
so on. All the techniques for providing security have two components:
- A security-related transformation on the information to be sent. Examples include the
encryption of the message, which scrambles the message so that it is unreadable by the
opponent, and the addition of a code based on the contents of the message, which can be
used to verify the identity of the sender.
- Some secret information shared by the two principals and, it is hoped, unknown to the
opponent. An example is an encryption key used in conjunction with the transformation to
scramble the message before transmission and unscramble it on reception.
A trusted third party may be needed to achieve secure transmission. For example, a third party
may be responsible for distributing the secret information to the two principals while keeping
it from any opponent. Or a third party may be needed to arbitrate disputes between the two
principals concerning the authenticity of a message transmission.
This general model shows that there are four basic tasks in designing a particular security
service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.
A general model of these other situations is illustrated by Figure below, which reflects a concern
for protecting an information system from unwanted access. Most readers are familiar with the
concerns caused by the existence of hackers, who attempt to penetrate systems that can be
accessed over a network. The hacker can be someone who, with no malign intent, simply gets
satisfaction from breaking and entering a computer system. Or, the intruder can be a
disgruntled employee who wishes to do damage, or a criminal who seeks to exploit computer
assets for financial gain (e.g., obtaining credit card numbers or performing illegal money
transfers).
OSI Security Architecture
This standardized architecture defines security requirements and specifies the means by which
these requirements might be satisfied.
Types of attacks
An attack is usually perpetrated by someone with bad intentions: black-hat attacks fall in
this category, while others perform penetration testing on an organization's information system
to find out whether all foreseen controls are in place.
Attacks can also be classified according to their origin, i.e. whether they are conducted using one
computer or many; in the latter case the attack is called a distributed attack. Botnets are used to
conduct distributed attacks.
Other classifications are according to the procedures used or the type of vulnerabilities
exploited: attacks can concentrate on network mechanisms or on host features.
Some attacks are physical, i.e. theft of or damage to computers and other equipment. Others are
attempts to force changes in the logic used by computers or network protocols in order to
achieve a result unforeseen by the original designer but useful to the attacker. Software used
for logical attacks on computers is called malware.
Public-Key Cryptography
A cryptographic system that uses two keys:
- A public key known to everyone
- A private key or secret key known only to the recipient of the message
For example, when A wants to send a message to B, A uses B's public key to encrypt the
message. B uses the private key to decrypt it.
An important element in this system is that the public and private keys are related in such a
way that only the public key can be used to encrypt the message and only the private key can be
used to decrypt it. Moreover, it is virtually impossible to deduce the private key from knowledge of
the public key.
The most popular public-key cryptography system is Pretty Good Privacy (PGP). The only difficulty
with a public-key system is that you need to know the recipient's public key to encrypt a message.
Conventional Encryption Model
Once the ciphertext is produced, it may be transmitted. Upon reception, the ciphertext can be
transformed back to the original plaintext by using a decryption algorithm and the same key
that was used for encryption.
Referring to the figure above, with the message X and the encryption key K as input, the encryption
algorithm forms the ciphertext
$Y = E_K(X)$
The intended receiver, in possession of the key, is able to invert the transformation:
$X = D_K(Y)$
An opponent, observing Y but not having access to K or X, may attempt to recover X or K or
both X and K. It is assumed that the opponent knows the encryption (E) and decryption (D)
algorithms. If the opponent is interested in only this particular message, then the focus of the
effort is to recover X by generating a plaintext estimate $\hat{X}$. Often, however, the opponent is
interested in being able to read future messages as well, in which case an attempt is made to
recover K by generating an estimate $\hat{K}$.
Cryptanalysis
The process of attempting to discover X or K or both is known as cryptanalysis. The strategy
used by the cryptanalyst depends on the nature of the encryption scheme and the information
available to the cryptanalyst.
The following table summarizes the various types of cryptanalytic attacks based on the amount
of information known to the cryptanalyst.
Steganography
Steganography (pronounced STEHG-uh-NAH-gruhf-ee, from Greek steganos, or "covered," and
graphie, or "writing") is the hiding of a secret message within an ordinary message and the
extraction of it at its destination. Steganography takes cryptography a step farther by hiding an
encrypted message so that no one suspects it exists. Ideally, anyone scanning your data will fail
to know it contains encrypted data.
In modern digital steganography, data is first encrypted by the usual means and then inserted,
using a special algorithm, into redundant (that is, provided but unneeded) data that is part of
a particular file format such as a JPEG image. Think of all the bits that represent the same color
pixels repeated in a row. By applying the encrypted data to this redundant data in some random
or non-conspicuous way, the result will be data that appears to have the "noise" patterns of
regular, nonencrypted data. A trademark or other identifying symbol hidden in software code
is sometimes known as a watermark.
Recently revived, this formerly obsolete term gained currency in its day (1500) from a work by
Johannes Trithemius, Steganographia, ostensibly a system of angel magic but also claiming to
include a synthesis of how to learn and know things contained within a system of cryptography.
The book was privately circulated but never published by the author because those who read
it found it rather fearsome.
CHAPTER 2: Classical Cipher Scheme
Transposition Ciphers: Moving Around
Read down:
L A S T N I
T E W A S H
E A V E N P
L E A S E M
A R R Y M E
To encipher the text, we read the letters down the first column, then the letters down the
second column, and so on. The ciphered letters are the same as the plaintext letters except
that they are positioned to form a new pattern, as given below.
Ciphertext: LTELA AEAER SWVAR TAESY NSNEM IHPME
To decipher the received ciphertext, the receiver must know two things: the length and width
of the grid and the way letters are read from the grid.
Note 1: The transposition cipher is also known as a permutation cipher. We now give the
mathematical description of the permutation cryptosystem as follows:
Def: Permutation Cipher
Let m be a positive integer. Let $P = C = (\mathbb{Z}_{26})^m$ and let K consist of all permutations of $\{1, \ldots, m\}$.
For a key (i.e., a permutation) $\pi$, we define
$e_\pi(x_1, \ldots, x_m) = (x_{\pi(1)}, \ldots, x_{\pi(m)})$ and
$d_\pi(y_1, \ldots, y_m) = (y_{\pi^{-1}(1)}, \ldots, y_{\pi^{-1}(m)})$,
where $\pi^{-1}$ is the inverse permutation to $\pi$.
Example 2: Suppose m = 6 and the key is the following permutation $\pi$:
x       1 2 3 4 5 6
$\pi(x)$  3 6 1 5 2 4
Note that the first row of this diagram lists the values of x, $1 \le x \le 6$, and the second row lists the
corresponding values of $\pi(x)$.
The inverse permutation $\pi^{-1}$ can be constructed by interchanging the two rows in this diagram,
and rearranging the columns so that the first row is in increasing order. Thus, carrying out these
operations, we get the following decryption permutation $\pi^{-1}$:
x          1 2 3 4 5 6
$\pi^{-1}(x)$  3 5 1 6 4 2
Now, suppose we are given the plaintext
Plaintext: she sells seashells by the seashore
We first partition the plaintext into groups of six letters, and then rearrange each group of six
letters according to the permutation $\pi$. The result is shown in the following grid, one group per row:
E E S L S H
S A L S E S
L S H B L E
H S Y E E T
H R A E O S
Ciphertext: EESLSH SALSES LSHBLE HSYEET HRAEOS
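The permutation cipher of the definition above, together with the column-wise "read down" grid expressed as one long permutation, as an added worked example (my code, not from the notes). A key is a 1-based tuple PI with PI[i-1] = π(i). One caveat worth checking against the grid in Example 2: that grid places the letter at position i into position π(i), which is encryption under π⁻¹ in the notation of the definition as written, so the block reproduces the grid by keying with the inverse table.

```python
# Permutation (transposition) cipher over blocks of m letters, after the
# definition above:  e_pi(x_1..x_m) = (x_pi(1), ..., x_pi(m)),
#                    d_pi(y_1..y_m) = (y_pi^-1(1), ..., y_pi^-1(m)).
# A key is a tuple PI with PI[i-1] == pi(i) (1-based images).


def inverse_permutation(pi):
    """Swap the two rows of the x / pi(x) table and re-sort by x."""
    inv = [0] * len(pi)
    for x, image in enumerate(pi, start=1):
        inv[image - 1] = x
    return tuple(inv)


def normalise(text):
    """Keep letters only, lower-cased, so spaces in the plaintext are ignored."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def permutation_encrypt(plaintext, pi):
    m = len(pi)
    text = normalise(plaintext)
    if len(text) % m:
        raise ValueError("plaintext length must be a multiple of the block length m")
    blocks = (text[i:i + m] for i in range(0, len(text), m))
    # y_j = x_pi(j) within each block; output in upper case as the notes do
    return "".join(block[pi[j] - 1] for block in blocks for j in range(m)).upper()


def permutation_decrypt(ciphertext, pi):
    """Decryption is encryption with the inverse permutation."""
    return permutation_encrypt(ciphertext, inverse_permutation(pi))


def columnar_key(rows, cols):
    """The 'write in rows, read down the columns' grid as a permutation of
    length rows*cols: output position k takes the letter at row k % rows,
    column k // rows of the grid (1-based positions)."""
    key = []
    for k in range(rows * cols):
        col, row = divmod(k, rows)
        key.append(row * cols + col + 1)
    return tuple(key)


# Key from Example 2 and its inverse
PI = (3, 6, 1, 5, 2, 4)
PI_INV = inverse_permutation(PI)          # (3, 5, 1, 6, 4, 2)

if __name__ == "__main__":
    print(PI_INV)
    # keyed with PI_INV this reproduces the grid rows EESLSH SALSES ...
    print(permutation_encrypt("she sells seashells by the seashore", PI_INV))
    # the 5-row, 6-column "read down" grid from the start of the chapter
    grid = columnar_key(5, 6)
    print(permutation_encrypt("last nite was heaven please marry me", grid))
    print(permutation_decrypt("LTELAAEAERSWVARTAESYNSNEMIHPME", grid))
```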
Hill Cipher
Another interesting multi-alphabetic cipher is the Hill cipher, developed by the mathematician
Lester Hill in 1929. The idea is based on linear transposition. In fact, the permutation cipher is a
special case of the Hill cipher.
Example 1: Consider the plaintext paymoremoney, and use the encryption key
$K = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix}$
Find the resulting ciphertext.
Solution:
Plaintext: paymoremoney
The first three letters of the plaintext are represented by the vector $(x_1, x_2, x_3) = (15, 0, 24)$.
Thus:
$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} = K \begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} = \begin{pmatrix} 17 & 17 & 5 \\ 21 & 18 & 21 \\ 2 & 2 & 19 \end{pmatrix} \begin{pmatrix} 15 \\ 0 \\ 24 \end{pmatrix}$
That is:
$\begin{pmatrix} y_1 \\ y_2 \\ y_3 \end{pmatrix} = \begin{pmatrix} 375 \\ 819 \\ 486 \end{pmatrix} \bmod 26 = \begin{pmatrix} 11 \\ 13 \\ 18 \end{pmatrix} = \begin{pmatrix} L \\ N \\ S \end{pmatrix}$
Continuing in this fashion, the ciphertext for the entire plaintext is:
Ciphertext: LNSHDLEWMTRW
Q.E.D.
Decryption requires using the inverse of the matrix K. The inverse $K^{-1}$ of a matrix K is defined
by the equation $K K^{-1} = K^{-1} K = I$, where I is the identity matrix, the diagonal matrix that is all
zeros except for ones along the main diagonal from upper left to lower right.
Note 2: The inverse of a matrix does not always exist, but when it does, it satisfies the preceding
equation.
Note 3: It is easily shown that if the matrix $K^{-1}$ is applied to the above resulting ciphertext,
then the plaintext can be recovered.
He has also estimated the decryption matrix from some previous analysis for this Hill cipher to
be:
$K^{-1} = \begin{pmatrix} 4 & 9 & 15 \\ 15 & 17 & 6 \\ 24 & 0 & 17 \end{pmatrix}$
What is the plaintext?
and let
Note 1: Hill Cipher completely hides single-letter frequencies. Use of a larger matrix hides more
frequency information.
Note 2: The weakness of the Hill cipher is that it is easily broken with a known-plaintext attack.
With plaintext blocks $P_j$ and ciphertext blocks $C_j$,
$C_j = K P_j$, $1 \le j \le m$,
and collecting the blocks as columns, $X = (P_{ij})$ and $Y = (C_{ij})$.
Example 2: It is known that the plaintext friday is encrypted using a 2×2 Hill cipher to
yield the ciphertext PQCFKU. Find the key matrix K for this cryptosystem.
Solution:
Plaintext: f r i d a y
$P_{ij}$: 5 17 8 3 0 24
Ciphertext: P Q C F K U
$C_{ij}$: 15 16 2 5 10 20
For the unknown key matrix K, we can write the following plaintext-ciphertext pairs:
$K P_j = C_j$, $1 \le j \le m$
Using the first two plaintext-ciphertext pairs, written as the rows of a 2×2 plaintext matrix and
a 2×2 ciphertext matrix, we can write the following matrix equation:
$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K \pmod{26}$
Hence
$K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} \pmod{26}
= \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} \pmod{26}
= \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}$
Therefore, we have obtained the key matrix. The result can be verified by testing the remaining
plaintext-ciphertext pair.
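Examples 1 and 2 carried through in code, as an added example (mine, not from the notes): encryption with y = Kx on column vectors as in Example 1, the matrix inverse mod 26 that decryption needs (raising an error when no inverse exists, as Note 2 warns), and the known-plaintext recovery of Example 2. Example 2 writes the pairs as row vectors (C = PK), so the K it finds is the transpose of the key in the column convention; the block recovers it in that row form and encrypts with its transpose to confirm PQCFKU. Function names are my own.

```python
# Hill cipher over Z_26 (a = 0, ..., z = 25), with the key recovery from
# known plaintext that Example 2 performs.  Plain Python, no numpy.

MOD = 26


def letters_to_nums(text):
    return [ord(ch) - ord("a") for ch in text.lower() if ch.isalpha()]


def nums_to_letters(nums):
    return "".join(chr(ord("A") + n % MOD) for n in nums)


def mat_mul(a, b):
    """(a b) mod 26 for matrices given as lists of rows."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % MOD
             for j in range(len(b[0]))] for i in range(len(a))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def minor(m, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def det_mod(m):
    """Determinant mod 26 by Laplace expansion along the first row."""
    n = len(m)
    if n == 1:
        return m[0][0] % MOD
    return sum((-1) ** j * m[0][j] * det_mod(minor(m, 0, j)) for j in range(n)) % MOD


def mat_inv_mod(m):
    """K^-1 mod 26 via the adjugate: K^-1 = det(K)^-1 * adj(K).
    Raises ValueError when det(K) shares a factor with 26 (Note 2: no inverse)."""
    n = len(m)
    d = det_mod(m)
    try:
        d_inv = pow(d, -1, MOD)
    except ValueError:
        raise ValueError(f"determinant {d} has no inverse mod {MOD}; key is not invertible")
    if n == 1:
        return [[d_inv]]
    # adj[j][i] = cofactor(i, j): the transposed matrix of cofactors
    adj = [[((-1) ** (i + j) * det_mod(minor(m, i, j))) % MOD for i in range(n)]
           for j in range(n)]
    return [[(adj[i][j] * d_inv) % MOD for j in range(n)] for i in range(n)]


def hill_encrypt(plaintext, key):
    """Column-vector convention of Example 1: each block x becomes y = K x mod 26."""
    n = len(key)
    nums = letters_to_nums(plaintext)
    if len(nums) % n:
        raise ValueError(f"text length must be a multiple of the block size {n}")
    out = []
    for i in range(0, len(nums), n):
        column = [[v] for v in nums[i:i + n]]
        out.extend(row[0] for row in mat_mul(key, column))
    return nums_to_letters(out)


def hill_decrypt(ciphertext, key):
    """Decryption is encryption with K^-1 (Note 3)."""
    return hill_encrypt(ciphertext, mat_inv_mod(key))


def recover_key_rows(plaintext, ciphertext, n):
    """Known-plaintext attack in the form Example 2 uses: the first n
    plaintext blocks are the rows of P, the matching ciphertext blocks the
    rows of C, and C = P K mod 26 gives K = P^-1 C mod 26."""
    p = letters_to_nums(plaintext)[:n * n]
    c = letters_to_nums(ciphertext)[:n * n]
    P = [p[i * n:(i + 1) * n] for i in range(n)]
    C = [c[i * n:(i + 1) * n] for i in range(n)]
    return mat_mul(mat_inv_mod(P), C)


K3 = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]       # key of Example 1

if __name__ == "__main__":
    print(hill_encrypt("paymoremoney", K3))        # LNSHDLEWMTRW
    print(mat_inv_mod(K3))                         # the decryption matrix above
    print(hill_decrypt("LNSHDLEWMTRW", K3))
    k2 = recover_key_rows("friday", "PQCFKU", 2)   # [[7, 19], [8, 3]]
    print(k2, hill_encrypt("friday", transpose(k2)))
```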
Note 3: From the above example and the other examples worked out so far, we may conclude that
neither substitution nor transposition cipher schemes are strong enough to withstand
cryptanalytic attacks. One may find that using the two types together creates much better
concealment than either method alone. In fact, applying substitution and transposition cipher
methods repeatedly to the ciphertext provides strong disguising patterns.
Exercise 2: Why are transposition ciphers used if they are so easy to crack?
Answer: A transposition can be looked at as a set of instructions, one instruction for each
letter, easily implemented by a computer, and it can be difficult to crack if applied repeatedly
to the same plaintext!
Exercise 3: Apply the transposition cipher used in Exercise 1 (on page 17) twice to the same
plaintext:
Solution:
Plaintext: lastnitewasheavenpleasemarryme
1st transposed ciphertext: LTELAAEAERSWVARTAESYNSNEMIHPME
2nd transposed ciphertext: LEVSMTAAYIEERNHLRTSPASANMAWEEE
Read down (left: the plaintext grid; right: the first ciphertext written back into the grid):
L A S T N I    L T E L A A
T E W A S H    E A E R S W
E A V E N P    V A R T A E
L E A S E M    S Y N S N E
A R R Y M E    M I H P M E
Symmetric Cipher Model
We assume that it is impractical to decrypt a message on the basis of the ciphertext plus
knowledge of the encryption/decryption algorithm, i.e. we do not need to keep the algorithm
secret; we need to keep only the key secret.
We can write:
$Y = E_K(X)$
$X = D_K(Y)$
Caesar Cipher
It was used by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet
with the letter standing three places further down the alphabet.
For example
Plain: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Transformation is made using the following mapping:
Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Let us assign a numerical equivalent to each letter from 0 to 25. Then the algorithm may be
expressed as follows. For each plaintext letter p, substitute the ciphertext letter C:
$C = E(p) = (p + 3) \bmod 26$
A shift may be of any amount, so the general Caesar algorithm is
$C = E(p) = (p + k) \bmod 26$,
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
$p = D(C) = (C - k) \bmod 26$
If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily
performed: simply try all 25 possible keys.
Furthermore, if the input is compressed in some manner, recognition is again difficult. Below
is an example of compression by ZIP:
Monoalphabetic Ciphers
With only 25 keys the Caesar cipher is far from secure. A dramatic increase in the key space may
be achieved by allowing an arbitrary substitution. If instead of
Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
the cipher line can be any permutation of the 26 alphabetic symbols, then there are 26!, or
more than 4 × 10^26, possible keys. There is, however, another line of attack. If the cryptanalyst
knows the nature of the plaintext (e.g., non-compressed English text), then the analyst can
exploit the regularities of the language.
As a first step, relative frequency of the letters can be determined and compared to a standard
frequency distribution for English:
Comparing this with Fig.1.8, it seems likely that cipher letters P and Z are the equivalents of
plain letters e and t, but it is not certain which is which. The letters S,U,O,M, and H are all of
the relatively high frequency and probably correspond to plain letters from the set
{a,h,i,n,o,r,s}. The letters with the lowest frequencies (A,B,G,Y,I,J) are likely included in the set
{b,j,k,q,v,x,z}. Now we could make some tentative assignments and start to fill plaintext to see
if it looks like a reasonable skeleton of a message.
Another approach is to consider the frequency of two-letter combinations, known as digrams. The
most common digram in English is th. In our ciphertext, the most common digram is ZW, which
appears 3 times. So we make the correspondence Z → t, W → h. Then P is equated with e. Now
notice that the sequence ZWP appears in the ciphertext, and we can translate it as the. Next,
notice ZWSZ in the first line. If these letters form a complete word, it will be th_t. If so, S
equates with a. So far, then, we have
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
t a e e te a t h at e e a a
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
e t ta t ha e ee a e th t a
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
e e e tat e t he et
Continued analysis of frequencies plus trial and error may lead us to the solution:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in Moscow
Two principal methods are used in substitution ciphers to lessen the extent to which the
structure of the plaintext survives in the ciphertext: one approach is to encrypt multiple letters
of the plaintext at once (Playfair cipher, Hill cipher), and the other is to use multiple cipher
alphabets (polyalphabetic ciphers).
Playfair Cipher
The best-known multiple-letter encryption cipher is the Playfair (invented in 1854 by Sir Charles
Wheatstone, but it bears the name of his friend Baron Playfair of St. Andrews, who championed
the cipher at the British foreign office), which treats digrams in the plaintext as single units and
translates these units into ciphertext digrams.
The Playfair algorithm is based on the use of a 5×5 matrix of letters constructed using a
keyword. In the case of the keyword monarchy, the matrix is as follows:
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to
right and from top to bottom, and then filling in the remainder of the matrix with the remaining
letters in alphabetic order. The letters I and J count as one letter. Plaintext is encrypted two
letters at a time, according to the following rules:
a. Repeating plaintext letters that would fall in the same pair are separated with a filler
letter, such as x, so that balloon will be treated as ba lx lo on.
b. Plaintext letters that fall in the same row of the matrix are each replaced with the
letter to the right, with the first element of the row circularly following the last. For
example, ar is encrypted as RM.
c. Plaintext letters that fall in the same column are each replaced by the letter beneath,
with the top element of the column circularly following the last. For example, mu is
encrypted as CM.
d. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and
the column occupied by the other plaintext letter. Thus, hs becomes BP, and ea
becomes IM (or JM, as the encipherer wishes).
Despite this level of confidence in its security, the Playfair cipher is relatively easy to break
because it still leaves much of the structure of the plaintext language intact. A few hundred
letters of ciphertext are generally sufficient.
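The Playfair construction and rules a to d above in code, with the monarchy square and a decryption routine that applies the rules in reverse, as an added example (mine, not from the notes). Two choices are my own assumptions: J is folded into I on input, and the filler for a doubled letter is x, or q when the doubled letter is itself x, so that the pair xx never arises.

```python
# Playfair cipher: 5x5 key square from a keyword, digram rules a-d.
# J shares the I cell; the filler is 'x' ('q' when the doubled letter is 'x').


def key_square(keyword):
    """Keyword letters without duplicates, then the rest of the alphabet (no j)."""
    seen = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def positions(square):
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def make_digrams(plaintext):
    """Rule a: split into pairs, inserting a filler between doubled letters
    and padding an odd final letter."""
    text = [("i" if ch == "j" else ch) for ch in plaintext.lower() if ch.isalpha()]
    pairs = []
    i = 0
    while i < len(text):
        first = text[i]
        filler = "q" if first == "x" else "x"
        second = text[i + 1] if i + 1 < len(text) else filler
        if second == first:
            pairs.append(first + filler)   # doubled letter: pair with the filler
            i += 1
        else:
            pairs.append(first + second)
            i += 2
    return pairs


def transform_pair(pair, square, step):
    """Rules b-d; step = +1 encrypts (right / beneath), step = -1 decrypts."""
    pos = positions(square)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # rule b: same row, wrap around
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                                   # rule c: same column, wrap around
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]         # rule d: opposite corners


def playfair_encrypt(plaintext, keyword):
    square = key_square(keyword)
    return "".join(transform_pair(p, square, +1) for p in make_digrams(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword):
    """Undo rules b-d; fillers inserted by rule a are left in the output."""
    square = key_square(keyword)
    text = "".join(ch for ch in ciphertext.lower() if ch.isalpha())
    if len(text) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return "".join(transform_pair(p, square, -1) for p in pairs).upper()


if __name__ == "__main__":
    for row in key_square("monarchy"):
        print(" ".join(row))
    print(make_digrams("balloon"))                    # ['ba', 'lx', 'lo', 'on']
    print(playfair_encrypt("balloon", "monarchy"))    # IBSUPMNA
    print(playfair_decrypt("IBSUPMNA", "monarchy"))   # BALXLOON
```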
A set is said to be a group under a particular operation if the operation obeys these conditions.
For example, the integers Z are a group under addition, but not under multiplication (because
left inverses do not exist for most integers).
Associativity can easily be extended to operations on four or more elements. For example,
(ab)(cd) = a(b(cd)) = a((bc)d).
The operation is not necessarily commutative. However, we can prove that the operations in
properties (2) and (3) are commutative, so that every left identity is also a right identity and
every left inverse is also a right inverse.
Theorem 1.1. Every element in a group G commutes with its left inverse, i.e., $aa^{-1} = e$ for every
$a \in G$.
Proof. Let $(a^{-1})^{-1}$ be the left inverse of $a^{-1}$. Then $(a^{-1})^{-1}a^{-1} = e$.
Consider $(a^{-1})^{-1}a^{-1}aa^{-1}$. We associate it in two ways:
$(a^{-1})^{-1}a^{-1}aa^{-1} = ((a^{-1})^{-1}a^{-1})(aa^{-1}) = e(aa^{-1}) = aa^{-1}$,
$(a^{-1})^{-1}a^{-1}aa^{-1} = (a^{-1})^{-1}((a^{-1}a)a^{-1}) = (a^{-1})^{-1}(ea^{-1}) = (a^{-1})^{-1}a^{-1} = e$,
and the desired result follows.
Theorem 1.2. Every element in a group G commutes with the identity, i.e., $ae = a$ for every $a \in G$.
Proof. This is easily proven by using associativity and the previous theorem:
$ae = a(a^{-1}a) = (aa^{-1})a = ea = a$.
Since there is no difference between left and right identities and inverses, they are called simply
identities and inverses.
Theorem 1.3. A group has only one identity and each element has only one inverse.
Proof. Let f be an identity. Then $fe = e$. But $fe = f$ because the left identity e is also a right identity.
Hence $f = e$.
Let b be an inverse for a. Then $ba = e$. Postmultiplying by $a^{-1}$ yields
$(ba)a^{-1} = ea^{-1}$,
$b(aa^{-1}) = a^{-1}$,
$be = a^{-1}$,
$b = a^{-1}$.
The identity is its own inverse. However, it may not be unique in this respect. For example, the
set of all nonzero real numbers is a group under multiplication. The identity 1 is its own inverse,
but so is -1.
If a group contains only a finite number of elements, the number of elements is called the order
of the group.
Of course, in f(e) = e, the first e refers to the identity of the first group, and the second e refers
to the identity of the second group.
There are many examples of groups. The set of real numbers is a group under addition, but not
under multiplication because zero has no inverse. The set {0, 1, ..., N-1} is a group under addition
modulo N. The set of all permutations of a set is a group under composition. If the set has n
elements, the group is called the symmetric group and is usually represented by $S_n$.
Subgroups
A subset H of a group G is called a subgroup if it is a group with the same binary operation,
which is the case when
- H is closed under the group operation, i.e., when $a \in H$ and $b \in H$ then $ab \in H$;
- if $a \in H$ then $a^{-1} \in H$; and
- the group identity $e \in H$. (This can be deduced from the first two conditions if H is
nonempty.)
The smallest subgroup contains only the identity element, and the largest is the group itself.
Theorem 2.1. The subgroup generated by an element of a group is isomorphic to the integers Z
under addition or to {0, 1, ..., r-1} under addition modulo r for some positive integer r, which is
called the order of the element.
Proof. Let H be the subgroup generated by a, i.e. the set of all powers a^n for integers n.
If a is the identity, the result is obvious and its order is 1.
If the powers of a are all distinct, then H is isomorphic to Z, where the isomorphism
f : Z → H is defined by
f(n) = a^n.
If the powers of a are not all distinct, then let m and n be two integers with m < n and
a^m = a^n.
Then multiply by a^-m to obtain:
e = a^(n-m).
Let r be the smallest positive integer such that
a^r = e.
By the division algorithm, any integer n can be written as n = rq + s with 0 <= s < r. Hence
a^n = a^(rq) a^s = (a^r)^q a^s = e^q a^s = a^s.
Hence {e, a, a^2, ..., a^(r-1)} constitute the entire subgroup. These elements are all distinct; assume,
for the purpose of contradiction, that
a^m = a^n with 0 <= m < n < r.
Then
a^(n-m) = e,
which is impossible because n-m is a positive integer less than r.
It is fairly easy to show that {e, a, a^2, ..., a^(r-1)} form a subgroup isomorphic to {0, 1, ..., r-1} under
addition modulo r.
For finite groups, the following theorem, called Lagrange's Theorem, gives a simple relation
between the order of the group and the orders of its subgroups.
Theorem 2.2. The order of a subgroup of a finite group divides the order of the group.
Proof. Let H be a subgroup of the finite group G. For any a ∈ G, the coset of H with respect to a
is {ax | x ∈ H}, which we shall call coset(a).
An element of coset(a) can be expressed as ax for only one value of x in H; for if ax = ay then
a^-1 ax = a^-1 ay, ex = ey, and x = y. Therefore, every coset contains the same number of elements as
H. (Notice that H itself is coset(e).)
Suppose coset(a) and coset(b) have an element in common. Then ax = by for some x and y ∈ H.
Then any other element az ∈ coset(a) is also in coset(b) because
az = a x x^-1 z = b y x^-1 z
and y x^-1 z is in H. Similarly, every element of coset(b) is also in coset(a), and the two cosets are
identical.
Hence the number of elements in G is the product of the number of elements in H (or any other
coset) and the number of cosets.
Corollary 2.3. The order of an element of a finite group divides the order of the group.
Corollary 2.4. If the order of a finite group is a prime number p, then the group is isomorphic to
Zp.
Classification of Finite Groups
The classification of finite groups is a large and interesting topic in mathematics. Groups that
are isomorphic to each other are not considered different, so we will often speak of isomorphic
groups as the same. If groups with a particular property are all isomorphic to each other, we
will speak of the group with that property.
A group isomorphic to Zn (the integers {0, 1, ..., n-1} under addition modulo n) is called the cyclic
group of order n, and it is often written as Cn.
It is clear that the only groups of order 1, 2 and 3 are C1, C2 and C3, respectively. More generally,
if p is a prime number, then the only group of order p is Cp.
It is fairly easy to show that the direct product G × H, whose elements are the pairs (a, b) with
a in G and b in H and whose operation is componentwise, (a, b)(c, d) = (ac, bd), is a group. If G
and H are finite, G × H is also finite and its order is the product of the orders of G and H.
Moreover, the order of an element (a, b) is the least common multiple of the orders of a and b.
There are at least two groups of order 4: C4 and C2 × C2. These two groups are not isomorphic,
because C4 has an element of order 4 and C2 × C2 does not. It can be shown that these are the
only groups of order 4.
The symmetric group Sn of permutations of a set with n elements is a group of order n!. The set
of all even permutations of such a set is a group of order n!/2 called an alternating group, and
it is often written as An.
Permutation groups are especially important, because every group of order n is isomorphic to
a subgroup of Sn. This is fairly easy to prove. Let a be an element of the group G. The function
Ta : G G defined by Ta(x) = ax is called a translation of the group. It is easily shown to be a
permutation. The set of all such permutations is a group under composition, and the
association of a with Ta is an isomorphism.
4. Commutative Groups
If the group operation is commutative (ab = ba for every a and b in the group), then the group
is called a commutative group or an abelian group. The symbols for regular addition (which is
commutative) are often used for a commutative group:
Regular Group Notation      Commutative Group Notation
ab                          a + b
e                           0
a^-1                        -a
a^n                         na
ab^-1                       a - b
The integers are a commutative group under addition. The groups of order 1, 2, 3, 4 and 5
defined in the previous section are commutative. The smallest group which is not commutative
is S3, which has six elements.
Every cyclic group is commutative.
Theorem 4.1. If the orders of two elements of a commutative group are relatively prime, the order
of their product is the product of their orders.
Proof. Let a and b be two elements of a commutative group with relatively prime orders r and
s, respectively. Then the order of ab is the smallest positive integer m for which (ab)^m = e, or
equivalently a^m = b^-m.
Raise each side to the s-th power to obtain a^(ms) = b^(-ms) = (b^-s)^m = e^m = e. Hence r divides ms.
Since r and s are relatively prime, r divides m. Similarly, s divides m. Since r and s are relatively
prime, rs divides m. Since (ab)^(rs) = a^(rs) b^(rs) = ee = e, m divides rs, and hence m = rs.
Actually, it is not necessary that the entire group be commutative. It is sufficient that the two
elements commute with each other.
Rings
A ring is a set R and two binary operations, called addition and multiplication, with the following
properties:
The ring is a commutative group under addition.
Multiplication is associative:
a(bc) = (ab)c
Multiplication distributes over addition:
a(b+c) = ab + ac
(a+b)c = ac + bc
The properties of multiplication involving zero (the additive identity) and signed ring elements
are the same as those derived for the integers (which are a ring), and the proofs are the same,
but slightly more complicated because multiplication is not necessarily commutative:
0x = x0 = 0
(-x)y = x(-y) = -(xy)
(-x)(-y) = xy
A ring isomorphism between the rings R and S is a one-to-one correspondence f: R → S
which preserves the ring operations:
f(x+y) = f(x) + f(y)
f(xy) = f(x) f(y)
There are minor variations in the definition of a ring; what we have presented is the minimal
definition. Some authors require that a ring have a unit, which is an identity element for
multiplication; i.e. a number 1 such that 1a = a1 = a for every element a of the ring. Also, it is
often required that 0 ≠ 1, because a ring in which 0 = 1 is a trivial ring with only one element.
The integers are a commutative ring with a unit. The even integers are a commutative ring
without a unit. The set ZM, previously defined as the integers {0, 1, ..., M-1}, where addition
and multiplication are modulo M, is a commutative ring with a unit. We shall see some
noncommutative rings later.
A left ideal of a ring is a nonempty subset closed under subtraction and left multiplication by
any ring element; i.e. if x and y are in the ideal and a is any ring element, then x-y and ax are in
the ideal. Similarly, a right ideal of a ring is a nonempty subset closed under subtraction and
right multiplication by any ring element; i.e. if x and y are in the ideal and a is any ring element,
then x-y and xa are in the ideal. An ideal is a set that is both a left ideal and a right ideal.
Obviously, in a commutative ring there are no differences among the three kinds of ideals.
Although an ideal is required to be closed only under subtraction, it is easy to show that it is
also closed under addition. If x and y are in the ideal, then 0 is in the ideal because it is equal to
x-x, -y is in the ideal because it is equal to 0-y, and x+y is in the ideal because it is equal to x-(-
y).
Ring theory is a well-developed branch of mathematics, but we need only these basic concepts.
We will deal mainly with rings that have additional properties.
Integral Domains
An integral domain is a commutative ring with unit (and 0 ≠ 1) in which there are no zero
divisors; i.e., xy = 0 implies that x = 0 or y = 0 (or both).
The integers are an integral domain; this is the reason for the name. The set ZM, previously
defined as the integers {0, 1, ..., M-1}, where addition and multiplication are modulo M, is an
integral domain if M is prime.
Since an integral domain is a group under addition, the order of a nonzero element a is the
smallest positive value of n, if any, such that na = 0 (where na = a+a+...+a (n times)). Every
nonzero element has the same order as 1 because na = (n1)a = 0 only when n1 = 0, there being
no zero divisors.
If this order is finite, it must be prime. If it could be factored as n = ab with 1 < a, b < n, then
1+1+...+1 (a times) and 1+1+...+1 (b times) would be two nonzero elements whose product
would be zero.
The order of any nonzero element of an integral domain is called the characteristic of the
integral domain (and the characteristic is said to be 0 when no such n exists), especially when
the integral domain is also a field.
Fields
An integral domain is a field if every nonzero element x has a reciprocal x^-1 such that
x x^-1 = x^-1 x = 1. Notice that the reciprocal is just the inverse under multiplication; therefore,
the nonzero elements of a field are a commutative group under multiplication. The real
numbers are one familiar field, and the ring Zp is a field if p is prime. In fact, it is fairly
easy to prove that any finite integral domain is a field.
From this definition and the properties of fields, we can derive the usual rules for
operations on fractions (with nonzero denominators):
a/b = c/d if, and only if, ad = bc
a/b + c/d = (ad + bc) / (bd)
(a/b) (c/d) = (ac) / (bd)
(a/b)^-1 = b/a
(-a)/b = a/(-b) = -(a/b)
0/a = 0
a/1 = a
A subfield of a field is a subset which is a field under the same addition and
multiplication operations.
Modular Arithmetic
Many complex cryptographic algorithms are actually based on fairly simple modular arithmetic.
In modular arithmetic, the numbers we are dealing with are just integers and the operations
used are addition, subtraction, multiplication and division. The only difference between
modular arithmetic and the arithmetic you learned in your primary school is that in modular
arithmetic all operations are performed regarding a positive integer, i.e. the modulus.
Before going into modular arithmetic, let's review some basic concepts. The division theorem
tells us that for two integers a and b where b ≠ 0, there always exist unique integers q and r
such that a = qb + r and 0 ≤ r < |b|. For example, for a = 17, b = 3, we can find q = 5 and r = 2 so that
17 = 3*5 + 2. a is called the dividend, b is called the divisor, q is called the quotient and r is called
the remainder. If r = 0, then we say b divides a or a is divisible by b. This establishes a natural
congruence relation on the integers. For a positive integer n, two integers a and b are said to
be congruent modulo n (or a is congruent to b modulo n) if a and b have the same remainder
when divided by n (or equivalently if a − b is divisible by n). It is written a ≡ b (mod n).
n is called the modulus. For example:
Two odd numbers are congruent modulo 2 because all odd numbers can be written as
2n+1;
Two even numbers are congruent modulo 2 because all even numbers can be written
as 2n+0;
38 ≡ 23 (mod 15) because 38 = 15*2 + 8 and 23 = 15 + 8;
-1 ≡ 1 (mod 2) because -1 = -1*2 + 1 and 1 = 0*2 + 1;
8 ≡ 3 (mod 5) because 8 = 5 + 3 and 3 = 0*5 + 3;
-8 ≡ 2 (mod 5) because -8 = -2*5 + 2 and 2 = 0*5 + 2;
8 ≢ -8 (mod 5) because 8 = 5 + 3 and -8 = -2*5 + 2. The remainders 3 and 2 are not the
same.
You need to be careful with negative numbers. They are usually not congruent to their positive
counter parts, as you can see in the above examples. Congruence is an equivalence relation, if
a and b are congruent modulo n, then they have no difference in modular arithmetic under
modulo n. Because of this, in modular n arithmetic we usually use only n numbers 0,1,2,...,n-1.
All the other numbers can be found congruent to one of the n numbers.
So how do we perform arithmetic operations with a modulus? For addition, subtraction and
multiplication it is quite simple: calculate as in ordinary arithmetic and reduce the result to the
smallest non-negative remainder on division by the modulus. For example:
12+9 = 21 ≡ 1 (mod 5)
12-9 = 3 ≡ 3 (mod 5)
12+3 = 15 ≡ 0 (mod 5)
15-23 = -8 ≡ 2 (mod 5)
35*7 = 245 ≡ 0 (mod 5)
-47*(5+1) = -282 ≡ 3 (mod 5)
37^3 = 50653 ≡ 3 (mod 5) (exponentiation is just a shorthand for repeated multiplication)
Sometimes the calculation can be simplified because for any integers a1, b1, a2 and b2, if we know
that a1 ≡ b1 (mod n) and a2 ≡ b2 (mod n) then the following always holds:
a1+a2 ≡ b1+b2 (mod n)
a1-a2 ≡ b1-b2 (mod n)
a1*a2 ≡ b1*b2 (mod n)
For example, 35 ≡ 0 (mod 5), therefore 35*7 ≡ 0*7 ≡ 0 (mod 5). Also 37 ≡ 2 (mod 5), so 37^3 ≡ 2^3 = 8
≡ 3 (mod 5).
But for division, it is not so simple because division is not defined for every number. That means
that it is not always possible to perform division in modular arithmetic. First of all, as in ordinary
arithmetic, division by zero is not defined so 0 cannot be the divisor. The tricky bit is that the
multiples of the modulus are congruent to 0. For example, 6, -6, 12, -12, ... are all congruent to
0 when the modulus is 6. So not only 4/0 is not allowed, 4/12 is also not allowed when the
modulus is 6. Secondly, going back to the very basics: what does "division" mean in ordinary
arithmetic? When we say 12 divided by 4 equals 3, we mean that there is a number 3 such that
3*4 = 12. So division is defined through multiplication. But you run into problems extending
this to modular arithmetic. Let's have a look at the multiplication table modulo 6 (entry in
row a, column b is a*b mod 6):
 *  | 0 1 2 3 4 5
----+------------
 0  | 0 0 0 0 0 0
 1  | 0 1 2 3 4 5
 2  | 0 2 4 0 2 4
 3  | 0 3 0 3 0 3
 4  | 0 4 2 0 4 2
 5  | 0 5 4 3 2 1
Suppose you are working mod 6 and want to compute 4/5. As we said before, you actually
need to find x such that 5*x ≡ 4 (mod 6). From the table (row 5), we can see that x = 2 and only x = 2
satisfies this equation. That means 4/5 ≡ 2 (mod 6).
Now suppose you want to compute 4/2 ≡ ? (mod 6).
It seems easy because 2*2 ≡ 4 (mod 6).
However, there is another possibility: 2*5 ≡ 4 (mod 6).
This time division is not uniquely defined, because there are two numbers that can be multiplied by
2 to give 4. In such cases, division is not allowed.
Then when modular division is defined? When the multiplicative inverse (or just inverse) of the
divisor exists.
The inverse of an integer a under modulus n is an integer b such that a*b ≡ 1 (mod n). An integer
has either exactly one inverse (up to congruence modulo n) or none. The inverse of a can be
another integer or a itself. In the table above, we can see that 1 has an inverse, which is itself,
and 5 also has an inverse, which is also itself. But 2, 3 and 4 do not have inverses. Whether an
integer has an inverse or not depends on the integer itself and also on the modulus.
You can see that when the modulus is 6, 2 has no inverse. But when the modulus is 5, the
inverse of 2 is 3. The rule is that the inverse of an integer a exists iff a and the modulus n are
coprime. That is, the only positive integer which divides both a and n is 1. In particular, when n
is prime, then every integer except 0 and the multiples of n is coprime to n, so every number
except 0 has a corresponding inverse under modulo n. Sometimes it is easy to determine
whether two integers are coprime. But most of the time it is not easy. For example, are 357
and 63 coprime? You may not be able to answer immediately. Fortunately, we can use the
Euclidean algorithm to find out. The Euclidean algorithm describes how to find what is called
the greatest common divisor (gcd) of two positive integers. Of course, if the gcd of two integers
is 1, they are coprime. Let me show you by an example.
We start with two positive integers 357 and 63. The first step of the Euclidean algorithm is to
divide the bigger integer by the smaller one, so we have:
357 ÷ 63: quotient = 5, remainder = 42
Then divide the divisor of the last step by the remainder:
63 ÷ 42: quotient = 1, remainder = 21
Continue to divide the previous divisors by the remainders, until the remainder is 0:
42 ÷ 21: quotient = 2, remainder = 0
The divisor in the last step is the gcd of the two input integers.
To see why the algorithm works, we follow the division steps backwards. From the last step, we
know that 21 divides 42. In the step before, we have 63 = 1*42 +21. Because 21 divides both
42 and 21, it must also divide 63. In the first step, we have 357 = 5*63 +42, again 21 divides
both 63 and 42 so it must also divide 357. Since 21 divides both 63 and 357, it is indeed a
common divisor of those two integers. Now we need to prove that it is the greatest. The proof
is based on a theorem which says:
For any non-negative integers a and b, and any integers x and y, c = x*a + y*b must be
a multiple of the gcd of a and b.
What we want to show is that 21 = x*357 + y*63 for some x and y. If this is true, then 21 must
be the gcd. Now let's start:
From step 1, we have 357 - 5*63 = 42
From step 2, we have 63 - 42 = 21
Substituting 42 = 357 - 5*63, we have 21 = 63 - (357 - 5*63) = -1*357 + 6*63
So the Euclidean algorithm indeed outputs the gcd. If the gcd is 1, we can conclude a and b are
coprime.
Knowing that an integer a and a modulus n are coprime is not enough. How can we find the
multiplicative inverse of a? Well, since the gcd of a and n is 1, we know we can find a pair (x, y)
such that 1 = x*a + y*n. Then x*a = -y*n + 1. That means x*a ≡ 1 (mod n); in other words, x is the
multiplicative inverse of a modulo n. This can be done by running an extended version
of the Euclidean algorithm which tracks x while computing the gcd. In the extended Euclidean
algorithm, we first initialize x1 = 0 and x2 = 1, then in the following steps compute
xi = x(i-2) - x(i-1)*q(i-2), where q(i-2) is the quotient computed in step i-2. When the remainder
becomes 0, continue the calculation of x for one more round. The final x is the inverse. Here is
an example that shows how to find the inverse of 15 when the modulus is 26:
step 1: 26 ÷ 15, quotient q1 = 1, remainder = 11, x1 = 0
step 2: 15 ÷ 11, quotient q2 = 1, remainder = 4, x2 = 1
step 3: 11 ÷ 4, quotient q3 = 2, remainder = 3, x3 = x1 - x2*q1 = 0 - 1*1 = -1
step 4: 4 ÷ 3, quotient q4 = 1, remainder = 1, x4 = x2 - x3*q2 = 1 - (-1)*1 = 2
step 5: 3 ÷ 1, quotient q5 = 3, remainder = 0, x5 = x3 - x4*q3 = -1 - 2*2 = -5
step 6: x6 = x4 - x5*q4 = 2 - (-5)*1 = 7
To verify, 15*7 = 105 = 4*26 + 1, so 15*7 ≡ 1 (mod 26), which means 7 is the multiplicative inverse
of 15 modulo 26. (If the final x comes out negative, add n to bring it into the range 1..n-1.)
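The same computation as working code, added here as an example and not part of the original notes: the iterative extended Euclidean algorithm carrying the coefficients x and y alongside the remainders, with a modular inverse and a modular division built on it. The function names (extended_gcd, mod_inverse, mod_divide) are my own; the values are the ones worked by hand above (gcd(357, 63) = 21 = -1*357 + 6*63 and the inverse 7 of 15 modulo 26) together with the modulo 6 cases from the division discussion.

```python
def extended_gcd(a, b):
    """Iterative extended Euclidean algorithm.

    Returns (g, x, y) with g = gcd(a, b) and x*a + y*b = g. The
    coefficients are updated alongside the remainders exactly as in
    the hand computation above: each new value is the value from two
    steps back minus the quotient times the previous value.
    """
    old_r, r = a, b
    old_x, x = 1, 0   # coefficients of a
    old_y, y = 0, 1   # coefficients of b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """Inverse of a modulo n as an integer in 1..n-1, or None when
    gcd(a, n) != 1 (no inverse exists, e.g. 2 modulo 6)."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        return None
    return x % n   # the coefficient may be negative; reduce it into range


def mod_divide(b, a, n):
    """b / a modulo n: the unique x with a*x ≡ b (mod n). Defined only
    when a has an inverse; otherwise the equation has zero or several
    solutions (compare 4/2 modulo 6 above)."""
    inv = mod_inverse(a, n)
    if inv is None:
        raise ZeroDivisionError(f"{a} has no inverse modulo {n}")
    return (b * inv) % n


if __name__ == "__main__":
    print(extended_gcd(357, 63))    # (21, -1, 6): 21 = -1*357 + 6*63
    print(mod_inverse(15, 26))      # 7
    print(mod_divide(4, 5, 6))      # 2
```

The `x % n` in mod_inverse is the step that turns a negative coefficient such as -5 into a usable representative; forgetting it is a common bug when this routine is transcribed into a protocol implementation.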
The property of being prime is called primality. A simple but slow method of verifying the
primality of a given number n is known as trial division. It consists of testing whether n is a
multiple of any integer between 2 and √n. Algorithms much more efficient than trial division
have been devised to test the primality of large numbers. As of January 2016, the largest known
prime number had 22,338,618 decimal digits.
In number theory, two integers a and b are said to be relatively prime, mutually prime, or
coprime (also spelled co-prime) if the only positive integer that divides both of them is 1. That
is, the only common positive factor of the two numbers is 1. This is equivalent to their greatest
common divisor being 1. The numerator and denominator of a reduced fraction are coprime.
In addition to gcd(a, b) = 1 and (a, b) = 1, the notation a ⊥ b is sometimes used to indicate that a
and b are relatively prime.
For example, 14 and 15 are coprime, being commonly divisible by only 1, but 14 and 21 are not,
because they are both divisible by 7. The numbers 1 and −1 are the only integers coprime to
every integer, and they are the only integers that are coprime with 0.
A fast way to determine whether two numbers are coprime is given by the Euclidean algorithm.
The number of integers coprime to a positive integer n, between 1 and n, is given by Euler's
totient function (or Euler's phi function) φ(n).
A set of integers can also be called coprime if its elements share no common positive factor
except 1. A set of integers is said to be pairwise coprime if a and b are coprime for every pair
(a, b) of different integers in it.
Congruence
Let n be a positive integer. We say two integers are "congruent modulo n" if they differ by an
integral multiple of the integer n. For example, if n = 5 we can say that 3 is congruent to 23
modulo 5 (and write it as 3 ≡ 23 (mod 5)) since the integers 3 and 23 differ by 4x5 = 20. The
statement a ≡ b (mod n) is equivalent to the statement "a - b is divisible by n" or the statement
"there is an integer k for which a - b = kn". The integer n is called the modulus of the congruence.
An alternate definition: a ≡ b (mod n) if and only if a and b have the same remainder when divided
by n.
The modular arithmetic concept occurs in everyday life in telling time. Clocks go up to 12 and
then start over, thus giving time modulo 12. The congruence relation a ≡ b (mod n) creates a
set of equivalence classes on the set of integers in which two integers are in the same class if
they are congruent modulo n, i.e. if they leave the same remainder when divided by n.
Residue classes
Residue classes of integers mod n. The congruence relation a ≡ b (mod n) on the set of integers
I separates the integers into n equivalence classes,
[0]n, [1]n, [2]n, ..., [n-1]n,
called residue classes modulo n. Each equivalence class [r]n consists of all integers congruent to
r where r is one of the integers 0, 1, 2, ..., n-1. These n integers 0, 1, 2, ..., n-1 are called the class
representatives. Thus the equivalence class [3]n consists of all integers congruent to 3 mod n, where
the integer 3 is the class representative.
I/(n), the set of all residue classes mod n. We denote the set of all residue classes modulo n by
I/(n). For example,
I/(4) = { [0]4, [1]4, [2]4, [3]4 }
and
I/(n) = { [0]n, [1]n, [2]n, ..., [n-1]n }
The classes [r]m with gcd(r, m) = 1, the prime classes, form a group under multiplication,
called the prime residue class group modulo m. Its order is φ(m), where φ is Euler's
totient function. For example, the prime classes modulo 8 (i.e. 1+8Z, 3+8Z, 5+8Z, 7+8Z) form
a group isomorphic to the Klein 4-group C2 × C2, since each of them squares to the identity.
The prime classes are the units of the residue class ring Z/mZ = Zm consisting of all residue
classes modulo m.
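As an added illustration of Theorem 2.1, Corollary 2.3 and the prime residue class group (example code, not from the original notes), the following Python lists the units modulo m, computes the order of each one, and checks numerically that every order divides φ(m); it also separates the Klein 4-group of units modulo 8, in which every element has order at most 2, from the cyclic group of units modulo 5, which 2 generates. The function names are my own.

```python
from math import gcd


def units_mod(m):
    """The prime (unit) residue classes modulo m, as representatives r in
    1..m-1 with gcd(r, m) = 1. Their number is Euler's phi(m)."""
    return [r for r in range(1, m) if gcd(r, m) == 1]


def element_order(a, m):
    """Smallest positive k with a^k ≡ 1 (mod m); a must be a unit mod m,
    otherwise the powers never return to 1 and this would not terminate."""
    k, x = 1, a % m
    while x != 1:
        x = x * a % m
        k += 1
    return k


def is_cyclic(m):
    """True if some unit generates the whole group, i.e. has order phi(m).
    This is the case exactly when the unit group is isomorphic to C_phi(m)."""
    units = units_mod(m)
    return any(element_order(a, m) == len(units) for a in units)


def lagrange_holds(m):
    """Corollary 2.3 checked by brute force: every element order divides
    the group order phi(m)."""
    units = units_mod(m)
    return all(len(units) % element_order(a, m) == 0 for a in units)


if __name__ == "__main__":
    for m in (5, 8, 15):
        orders = {a: element_order(a, m) for a in units_mod(m)}
        print(m, orders, "cyclic" if is_cyclic(m) else "not cyclic")
```

Modulo 8 the orders come out as 1, 2, 2, 2: a group of four elements in which every non-identity element has order 2 is C2 × C2, the Klein 4-group, so no single element generates it. Modulo 15 the group has eight elements but the largest order is 4, so it is not cyclic either; modulo a prime p the unit group is always cyclic, a fact used later for discrete-logarithm-based systems.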
Primality Test
Fermats Little Theorem
According to Fermat's Little Theorem, if p is a prime number and a is a positive integer less
than p (so that p does not divide a), then
a^p ≡ a (mod p), or equivalently
a^(p-1) ≡ 1 (mod p).
If p is the number which we want to test for primality, then we could randomly choose a, such
that 1 < a < p, and then calculate a^(p-1) mod p. If the result is not 1, then by Fermat's Little
Theorem p cannot be prime. What if that is not the case? We can choose another a and then do
the same test again. We could stop after some number of iterations and if the result is 1 in
each of them, then we can state with high probability that p is prime. The more iterations we
do, the higher is the probability that our result is correct. You can notice that if the method
returns composite, then the number is sure to be composite; otherwise it is only probably
prime. One caveat: some composite numbers (the Carmichael numbers, the smallest of which is
561 = 3*11*17) satisfy a^(n-1) ≡ 1 (mod n) for every base a coprime to n, so for them the Fermat
test never answers composite unless the chosen base happens to share a factor with n.
If p is prime and x^2 ≡ 1 (mod p), then x ≡ +1 or -1 (mod p). We can prove this as follows:
x^2 ≡ 1 (mod p)
x^2 - 1 ≡ 0 (mod p)
(x-1)(x+1) ≡ 0 (mod p)
Now if p divides the product but divides neither (x-1) nor (x+1), then p cannot be
prime, which is a contradiction. Hence p divides either (x-1) or (x+1), so x ≡ +1
or -1 (mod p).
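The Fermat test above and the square-root-of-one lemma as added example code (not part of the original notes). The second function runs the squaring chain a^d, a^(2d), ..., a^(n-1) modulo n, where n-1 = 2^s * d with d odd, and reports a non-trivial square root of 1 whenever one appears; adding that check to the Fermat test gives the strong probable-prime test (Miller-Rabin), which goes beyond what the notes state and catches Carmichael numbers such as 561 that the plain Fermat test lets through. Function names are mine and the base lists are chosen for the demonstration.

```python
import random
from math import gcd


def fermat_probable_prime(n, bases):
    """Fermat test as described above: 'probably prime' only if
    a^(n-1) ≡ 1 (mod n) for every base a. A base sharing a factor with n
    is itself proof that n is composite."""
    if n < 4:
        return n in (2, 3)
    for a in bases:
        if gcd(a, n) != 1 or pow(a, n - 1, n) != 1:
            return False
    return True


def nontrivial_sqrt_of_one(n, a):
    """Walk the chain a^d, a^(2d), ..., a^(2^s d) = a^(n-1) (mod n) with
    n-1 = 2^s * d, d odd. If some term squares to 1 without being ±1,
    return it: by the lemma above, n cannot then be prime. Returns None
    if no such root shows up along this chain."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    for _ in range(s):
        y = x * x % n
        if y == 1 and x not in (1, n - 1):
            return x
        x = y
    return None


def miller_rabin_probable_prime(n, bases):
    """Strong probable-prime test: Fermat condition plus the
    square-root-of-one check for each base."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue   # these bases carry no information
        if pow(a, n - 1, n) != 1 or nontrivial_sqrt_of_one(n, a) is not None:
            return False
    return True


def random_bases(n, k, rng=random.SystemRandom()):
    """k bases drawn uniformly from 2..n-2 for a probabilistic run."""
    return [rng.randrange(2, n - 1) for _ in range(k)]


if __name__ == "__main__":
    print(fermat_probable_prime(561, [2, 5, 7]))        # True: Carmichael number
    print(nontrivial_sqrt_of_one(561, 2))               # 67, and 67*67 ≡ 1 (mod 561)
    print(miller_rabin_probable_prime(561, [2]))        # False
    print(miller_rabin_probable_prime(2**61 - 1, random_bases(2**61 - 1, 8)))
```

For 561 and base 2 the chain is 263, 166, 67, 1: the root 67 is neither 1 nor 560, so 561 is composite, and gcd(67 - 1, 561) = 33 even exposes a factor. A prime n never produces such a root, which is exactly the lemma proved above.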
Recall that the Greatest Common Divisor (GCD) of two integers A and B is the largest integer
that divides both A and B.
Euclidean Algorithm
The Euclidean Algorithm is a technique for quickly finding the GCD of two integers.
Example:
Find the GCD of 270 and 192
a = 270, b = 192
a ≠ 0, b ≠ 0
Use long division to find that 270/192 = 1 with a remainder of 78.
We can write this as: 270 = 192 * 1 + 78
Find gcd(192, 78), since gcd(270, 192) = gcd(192, 78)
Now, a = 192, b = 78
a ≠ 0, b ≠ 0
Use long division to find that 192/78 = 2 with a remainder of 36.
We can write this as: 192 = 78 * 2 + 36
Find gcd(78, 36), since gcd(192, 78) = gcd(78, 36)
Again, a = 78, b = 36
a ≠ 0, b ≠ 0
Use long division to find that 78/36 = 2 with a remainder of 6.
We can write this as: 78 = 36 * 2 + 6
Find gcd(36, 6), since gcd(78, 36) = gcd(36, 6)
Again, a = 36, b = 6
a ≠ 0, b ≠ 0
Use long division to find that 36/6 = 6 with a remainder of 0.
We can write this as: 36 = 6 * 6 + 0
Find gcd(6, 0), since gcd(36, 6) = gcd(6, 0)
a = 6, b = 0
a ≠ 0, b = 0, so the algorithm stops:
gcd(6, 0) = 6
So, we have shown:
gcd(270, 192) = gcd(192, 78) = gcd(78, 36) = gcd(36, 6) = gcd(6, 0) = 6
gcd(270, 192) = 6
Example
Let a = 2322, b = 654.
2322 = 654*3 + 360, so gcd(2322, 654) = gcd(654, 360)
654 = 360*1 + 294, so gcd(654, 360) = gcd(360, 294)
360 = 294*1 + 66, so gcd(360, 294) = gcd(294, 66)
294 = 66*4 + 30, so gcd(294, 66) = gcd(66, 30)
66 = 30*2 + 6, so gcd(66, 30) = gcd(30, 6)
30 = 6*5, so gcd(30, 6) = 6
Therefore, gcd(2322, 654) = 6.
A block cipher takes a block of plaintext bits and generates a block of ciphertext bits, generally
of the same size. The block size is fixed in a given scheme. The strength of a cipher depends mainly
on the key length and on the quality of its round structure; the block size does not by itself make
a cipher strong, although a very small block does expose it to the dictionary attack discussed
below once a large amount of data has been encrypted under one key.
Block Size
Though any size of block is acceptable, following aspects are borne in mind while selecting a
size of a block.
Avoid a very small block size: say the block size is m bits. Then the number of possible
plaintext blocks is 2^m. If the attacker discovers the plaintext blocks
corresponding to some previously sent ciphertext blocks, then the attacker can
launch a type of dictionary attack by building up a dictionary of
plaintext/ciphertext pairs sent using that encryption key. A larger block size makes the
attack harder, as the dictionary needs to be larger.
Do not have a very large block size: with a very large block size the cipher becomes
inefficient to operate, and short plaintexts will need to be padded out to a full block before
being encrypted.
Multiples of 8 bits: a preferred block size is a multiple of 8, as this is easy to
implement because most computer processors handle data in multiples of 8 bits.
Too much padding makes the system inefficient. Also, padding may render the system insecure
at times, if the padding is done with the same bits always or cannot be removed unambiguously.
The ECB mode is deterministic, that is, if plaintext blocks P1, P2, ..., Pm are encrypted twice
under the same key, the output ciphertext blocks will be the same. In fact, for a given key
we could technically create a codebook of ciphertexts for all possible plaintext blocks.
Encryption would then entail only looking up the required plaintext and selecting the
corresponding ciphertext. Thus, the operation is analogous to the assignment of code words
in a codebook, and hence gets an official name: Electronic Codebook mode of operation
(ECB). Because equal plaintext blocks always give equal ciphertext blocks, ECB leaks the
repetition pattern of the plaintext and should not be used for messages longer than one block.
It is illustrated as follows:
Operation
The operation of CFB mode is depicted in the following illustration. In the present
system, a message segment has a size of s bits where 1 ≤ s ≤ n, n being the block size. The CFB
mode requires an initialization vector (IV) as the initial n-bit input block. The IV need not be
secret, but it must not be reused with the same key. Steps of operation are:
Load the IV in the top register.
Encrypt the data value in the top register with the underlying block cipher with key K.
Take only the s most significant bits (left bits) of the output of the encryption process
and XOR them with the s-bit plaintext segment to generate the ciphertext segment.
Feed the ciphertext segment into the top register by shifting the data already present s bits to
the left and placing the segment in the rightmost s bits; continue the operation till all
plaintext segments are processed.
Essentially (for s = n), the previous ciphertext block is encrypted with the key, and then the
result is XORed with the current plaintext block.
Similar steps are followed for decryption: the same IV is loaded at the start
of decryption, and only the encryption direction of the block cipher is ever needed.
Operation
Both encryption and decryption in CTR mode are depicted in the following illustration. Steps
in operation are:
Load the initial counter value into the top register; it is the same for both the sender and
the receiver. It plays the same role as the IV in CFB (and CBC) mode.
Encrypt the contents of the counter with the key and place the result in the bottom
register.
Take the first plaintext block P1 and XOR it with the contents of the bottom register.
The result is C1. Send C1 to the receiver and update the counter. The counter
update replaces the ciphertext feedback in CFB mode.
Continue in this manner until the last plaintext block has been encrypted.
Decryption is the reverse process. The ciphertext block is XORed with the
encrypted contents of the counter value. After decryption of each ciphertext block the
counter is updated as in the case of encryption.
A counter value must never be encrypted twice under the same key: the XOR of two
ciphertext blocks that share a counter block equals the XOR of the two plaintext blocks.
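The ECB, CFB and CTR procedures described above as added example code (not from the original notes). Since CFB and CTR use only the encryption direction of the block cipher, the example stands in for E_K with HMAC-SHA256 truncated to a 64-bit block; that stand-in is an assumption for illustration, not a real block cipher, and the ECB function uses it only to show determinism (it has no inverse, so there is no ECB decryption here). The key, IV, nonce and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # n = 64-bit block, as in DES; the stand-in below works for any size


def block_encrypt(key, block):
    """Stand-in for the forward direction E_K of an n-bit block cipher.
    ASSUMPTION: HMAC-SHA256 truncated to n bytes. It is a keyed function,
    not a permutation, but CFB and CTR never need the inverse direction."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, plaintext):
    """ECB: every block is encrypted on its own, so equal blocks give
    equal ciphertext blocks (the codebook property described above)."""
    assert len(plaintext) % BLOCK == 0, "ECB needs whole blocks (pad first)"
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def cfb_encrypt(key, iv, plaintext, s=1):
    """s-byte CFB. The n-byte shift register starts as the IV; each step
    encrypts the register, XORs its leftmost s bytes into s plaintext bytes,
    shifts the register left by s bytes and feeds the ciphertext segment
    into the rightmost s bytes."""
    assert 1 <= s <= BLOCK
    register, out = iv, bytearray()
    for i in range(0, len(plaintext), s):
        keystream = block_encrypt(key, register)[:s]
        c = xor(plaintext[i:i + s], keystream)
        out += c
        register = (register + c)[-BLOCK:]   # shift left, append ciphertext
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext, s=1):
    """Same register schedule as encryption; only E_K is used."""
    assert 1 <= s <= BLOCK
    register, out = iv, bytearray()
    for i in range(0, len(ciphertext), s):
        keystream = block_encrypt(key, register)[:s]
        c = ciphertext[i:i + s]
        out += xor(c, keystream)
        register = (register + c)[-BLOCK:]
    return bytes(out)


def ctr_crypt(key, nonce, data):
    """CTR: encrypt the counter blocks nonce||i and XOR them into the data.
    Encryption and decryption are the same function. A (nonce, counter)
    pair must never repeat under one key, or two plaintexts leak their XOR."""
    assert len(nonce) == BLOCK // 2
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(BLOCK // 2, "big")
        out += xor(data[i:i + BLOCK], block_encrypt(key, counter_block))
    return bytes(out)


# Constructed sample inputs (not taken from any real system).
KEY = b"sixteen byte key"
IV = bytes(range(BLOCK))
NONCE = b"\x00\x00\x00\x01"
MESSAGE = b"ATTACK AT DAWN.." * 2   # 32 bytes: blocks 0,1 repeat as blocks 2,3


def demo():
    """Encrypt MESSAGE in each mode and report what each one reveals."""
    ecb = ecb_encrypt(KEY, MESSAGE)
    cfb = cfb_encrypt(KEY, IV, MESSAGE, s=1)
    ctr = ctr_crypt(KEY, NONCE, MESSAGE)
    return {
        "ecb_repeats": ecb[:8] == ecb[16:24] and ecb[8:16] == ecb[24:32],
        "cfb_repeats": cfb[:8] == cfb[16:24],
        "ctr_repeats": ctr[:8] == ctr[16:24],
        "cfb_roundtrip": cfb_decrypt(KEY, IV, cfb, s=1) == MESSAGE,
        "ctr_roundtrip": ctr_crypt(KEY, NONCE, ctr) == MESSAGE,
    }


if __name__ == "__main__":
    print(demo())   # ecb_repeats True, cfb/ctr_repeats False, roundtrips True
```

The repeated plaintext blocks survive into the ECB ciphertext and disappear under CFB and CTR, which is the practical content of the "deterministic" remark above; the same demo with a repeated nonce in CTR would show the two keystreams cancelling, which is why the counter-reuse rule matters.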
Diffusion means that the output bits should depend on the input bits in a very complex way. In
a cipher with good diffusion, if one bit of the plaintext is changed, then the ciphertext should
change completely, in an unpredictable or pseudorandom manner. In particular, for a
randomly chosen input, if one flips the i-th bit, then the probability that the j-th output bit will
change should be one half, for any i and j - this is termed the strict avalanche criterion. More
generally, one may require that flipping a fixed set of bits should change each output bit with
probability one half.
One aim of confusion is to make it very hard to find the key even if one has a large number of
plaintext-ciphertext pairs produced with the same key. Therefore, each bit of the ciphertext
should depend on the entire key, and in different ways on different bits of the key. In particular,
changing one bit of the key should change the ciphertext completely.
Feistel Cipher
Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many
different block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic
system based on Feistel cipher structure uses the same algorithm for both encryption and
decryption.
Encryption Process
The encryption process uses the Feistel structure consisting multiple rounds of processing of
the plaintext, each round consisting of a substitution step followed by a permutation step.
Feistel Structure is shown in the following illustration-
The input block to each round is divided into two halves that can be denoted as L
and R for the left half and the right half.
In each round, the right half of the block, R, goes through unchanged. But the left
half, L, goes through an operation that depends on R and the encryption key. First,
we apply an encrypting function f that takes two inputs, the round key K and R, and
produces the output f(R, K). Then we XOR the output of the
function with L.
In real implementation of the Feistel Cipher, such as DES, instead of using the
whole encryption key during each round, a round-dependent key (a subkey) is
derived from the encryption key. This means that each round uses a different key,
although all these subkeys are related to the original key.
The permutation step at the end of each round swaps the modified L and
unmodified R. Therefore, the L for the next round would be R of the current round.
And R for the next round be the output L of the current round.
Above substitution and permutation steps form a round. The number of rounds
are specified by the algorithm design.
Once the last round is completed then the two sub blocks, R and L are
concatenated in this order to form the ciphertext block.
The difficult part of designing a Feistel cipher is the selection of the round function f. For the
scheme to be secure, this function needs to have several important properties (in particular it must
be highly non-linear and depend strongly on every key bit) that are beyond the scope of our
discussion. Note that the structure never inverts f, so f itself need not be invertible.
Decryption Process
The process of decryption in a Feistel cipher is almost the same as encryption. Instead of starting
with a block of plaintext, the ciphertext block is fed into the start of the Feistel structure, and
the process thereafter is exactly the same as described in the illustration. The process is said to
be almost the same and not exactly the same because of one difference: the subkeys used in
encryption are applied in the reverse order. The final swapping (more precisely, the undoing of the
last swap) of L and R in the last step of the Feistel cipher is essential. If the halves were left
swapped, the resulting ciphertext could not be decrypted by feeding it back into the same algorithm.
Number of Rounds
The number of rounds used in a Feistel cipher depends on the security desired from the system.
More rounds give a more secure system, but at the same time more rounds make encryption and
decryption slower. The number of rounds in a system is thus chosen as an efficiency-security
tradeoff.
Since DES is based on the Feistel cipher, all that is required to specify DES is:
the round function,
the key schedule, and
any additional processing: the initial and final permutations.
Round Function
The heart of this cipher is the DES round function f. It applies a 48-bit round key to the
rightmost 32 bits (the R half) to produce a 32-bit output, in the four steps below.
Expansion Permutation Box. Since the right input is 32 bits and the round key is 48 bits, we
first need to expand the right input to 48 bits (16 of the input bits are duplicated). The
expansion logic is graphically depicted in the following illustration.
XOR (Whitener). After the expansion permutation, DES XORs the expanded right section with
the round key. The round key is used only in this operation.
Substitution Boxes. The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes,
each with a 6-bit input and a 4-bit output, as shown in the following illustration.
There is a total of eight S-box tables. The outputs of all eight S-boxes are then combined
into a 32-bit section.
Straight Permutation. The 32-bit output of the S-boxes is then subjected to the straight
permutation (the P-box) with the rule shown in the following illustration.
Key Generation
The round-key generator creates sixteen 48-bit round keys out of the 56-bit cipher key (the
64-bit key as supplied contains 8 parity bits, which are dropped). The process of key generation
is depicted in the following illustration.
The logic for the parity drop, the shifting, and the compression P-box is given in the DES description.
DES Analysis
DES satisfies both of the desired properties of a block cipher. These two properties make the
cipher strong.
Avalanche effect: a small change in the plaintext (or in the key) results in a very great change
in the ciphertext.
Completeness: each bit of the ciphertext depends on many bits of the plaintext.
Cryptanalysts have found some weaknesses in DES when the key selected is one of a handful of
weak or semi-weak keys (for a weak key the sixteen round keys are identical, so encryption is
its own inverse); these keys must be avoided. DES has proved to be a very well-designed block
cipher: differential and linear cryptanalysis can in principle beat exhaustive search, but only
with enormous numbers of chosen or known plaintexts. Its practical weakness is the 56-bit key,
which was first brute-forced publicly in 1998 and is well within reach of modern hardware, which
is why DES is no longer approved for new use.
IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper (in the
cross-footed structure described below), and four are used before every round and after the
last round. It has eight rounds.
The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three operations are
used in IDEA to combine two 16-bit values into a 16-bit result: addition, XOR, and
multiplication. Addition is normal addition with carries, modulo 65,536. Multiplication, as used
in IDEA, requires some explanation.
Multiplication by zero always produces zero, and is not invertible. Multiplication modulo n is
also not invertible whenever it is by a number which is not relatively prime to n. The way
multiplication is used in IDEA, it is necessary that it be always invertible. This is true of
multiplication IDEA style.
The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257, is also
prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be trivially scaled up to
a 128-bit block size.) Thus, if one forms a multiplication table for the numbers from 1 through
65,536, each row and column will contain every number once only, forming a Latin square, and
providing an invertible operation. The numbers that 16 bits normally represent are from 0 to
65,535 (or, perhaps even more commonly, from -32,768 to 32,767). In IDEA, for purposes of
multiplication, a 16 bit word containing all zeroes is considered to represent the number
65,536; other numbers are represented in conventional unsigned notation, and multiplication
is modulo the prime number 65,537.
Description of IDEA
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys called K(1)
through K(52).
The intricacies of IDEA encryption are made somewhat clearer by the accompanying diagrams
(a detailed view of one round and an overview of the whole cipher).
Decryption
How can a round of IDEA be reversed, since all four quarters of the block are changed at the
same time, based on a function of all four of their old values? The trick is that A xor C
is not changed when both A and C are XORed with the same value: that value cancels out, no
matter what it is. The same applies to B xor D. Since the values used in the round are
functions of (A xor C) and (B xor D), they are still available after the round and can be
recomputed to undo it.
This cross-footed round, rather than a Feistel round, is the most striking distinguishing feature
of IDEA, although its use of multiplication, addition, and XOR (three mutually incompatible
group operations) in place of S-boxes is also important.
The decryption subkeys are derived from the encryption subkeys as follows. Subkeys that are
added in are replaced by their two's complement (their additive inverse modulo 65,536). Subkeys
that are multiplied in are replaced by their multiplicative inverse modulo 65,537, in IDEA
notation. This applies to the subkeys used to change the block quarters directly; the subkeys
used to calculate the cross-footed F-functions are not changed. Subkeys XORed in would not need
to be changed either, but there are no such subkeys in IDEA. Due to the placement of the swap of
the two inner quarters, the first four decryption keys are moved somewhat differently than the
other keys used for the same operation between rounds.
The following is repeated eight times, adding 6 to every decryption key's index and
subtracting 6 from every encryption key's index:
KD(5) = K(47)
KD(6) = K(48)
KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)
Subkey Generation
The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The next eight
subkeys are obtained the same way after a 25-bit circular left shift of the key, and this is
repeated until all 52 encryption subkeys are derived. This method of subkey generation is very
regular, and that regularity is a weakness: classes of weak keys that exploit it are known, and
there are academic attacks on the full cipher, though none of them is practical. IDEA is still
considered a strong cipher, and its 128-bit key puts it beyond exhaustive search.
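The description above (multiplication modulo 65,537 with the zero word standing for 65,536, the cross-footed round, the inverted subkeys for decryption, and the 25-bit key rotation) is enough to implement the cipher. Here it is in Python as an added example, not code from these notes; it follows the standard IDEA specification, with 0-based subkey indices so that K(1) of the text is `k[0]`. The key and plaintext in the demo are the published IDEA test vector.

```python
MASK16 = 0xFFFF
MOD_MUL = 0x10001                 # 2^16 + 1, a prime
ROUNDS = 8


def mul(a: int, b: int) -> int:
    """IDEA multiplication modulo 65537; the all-zero word represents 65536."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % MOD_MUL) & MASK16      # 65536 maps back to the zero word


def add(a: int, b: int) -> int:
    """Addition modulo 2^16."""
    return (a + b) & MASK16


def mul_inv(a: int) -> int:
    """Multiplicative inverse modulo 65537 (Fermat: a^(p-2)); inv(0) == 0."""
    a = a or 0x10000
    return pow(a, MOD_MUL - 2, MOD_MUL) & MASK16


def add_inv(a: int) -> int:
    """Two's-complement negation modulo 2^16."""
    return (-a) & MASK16


def encryption_subkeys(key: int) -> list:
    """52 subkeys: the 8 words of the 128-bit key, then 8 more after each
    25-bit circular left shift, until 52 have been taken."""
    assert 0 <= key < (1 << 128)
    keys = []
    while len(keys) < 52:
        keys.extend((key >> (112 - 16 * i)) & MASK16 for i in range(8))
        key = ((key << 25) | (key >> 103)) & ((1 << 128) - 1)
    return keys[:52]


def decryption_subkeys(k: list) -> list:
    """KD from K as in the text: inverses for the subkeys applied to the block
    quarters, MA-structure subkeys unchanged, and the two inner additive
    subkeys swapped for every round but the first."""
    d = [0] * 52
    d[0:6] = [mul_inv(k[48]), add_inv(k[49]), add_inv(k[50]), mul_inv(k[51]), k[46], k[47]]
    for r in range(1, ROUNDS):
        e = 48 - 6 * r                      # start of the encryption round being undone
        d[6 * r:6 * r + 6] = [mul_inv(k[e]), add_inv(k[e + 2]), add_inv(k[e + 1]),
                              mul_inv(k[e + 3]), k[e - 2], k[e - 1]]
    d[48:52] = [mul_inv(k[0]), add_inv(k[1]), add_inv(k[2]), mul_inv(k[3])]
    return d


def idea_block(block: int, keys: list) -> int:
    """Eight rounds plus the output transformation; decryption is the same
    function run with the decryption subkeys."""
    a, b, c, d = ((block >> s) & MASK16 for s in (48, 32, 16, 0))
    for r in range(ROUNDS):
        k1, k2, k3, k4, k5, k6 = keys[6 * r:6 * r + 6]
        a, b, c, d = mul(a, k1), add(b, k2), add(c, k3), mul(d, k4)
        e = mul(a ^ c, k5)                  # cross-footed MA structure: depends
        f = mul(add(b ^ d, e), k6)          # only on a^c and b^d
        e = add(e, f)
        a, d = a ^ f, d ^ e
        b, c = c ^ f, b ^ e                 # XOR in, then swap the inner quarters
    k1, k2, k3, k4 = keys[48:52]
    # Output transformation: the last swap is undone, then K(49..52) applied.
    a, b, c, d = mul(a, k1), add(c, k2), add(b, k3), mul(d, k4)
    return (a << 48) | (b << 32) | (c << 16) | d


def encrypt(block: int, key: int) -> int:
    return idea_block(block, encryption_subkeys(key))


def decrypt(block: int, key: int) -> int:
    return idea_block(block, decryption_subkeys(encryption_subkeys(key)))


if __name__ == "__main__":
    KEY = 0x00010002000300040005000600070008   # published IDEA test vector
    PT = 0x0000000100020003
    ct = encrypt(PT, KEY)
    print(f"{ct:016x}")                         # 11fbed2b01986de5
    assert decrypt(ct, KEY) == PT
```

Note how `decrypt` is nothing but `idea_block` with a different key list: the cross-footed round and the output transformation are self-inverting once the subkeys are replaced by their inverses.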
A replacement for DES was needed because its key size was too small: with increasing computing
power, it was vulnerable to exhaustive key search. Triple DES was designed to overcome this
drawback, but it is slow (three DES operations per block) and keeps the 64-bit block size.
Operation of AES
AES is an iterated cipher rather than a Feistel cipher. It is based on a substitution-permutation
network: it comprises a series of linked operations, some of which replace inputs by specific
outputs (substitutions) and others shuffle bytes around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats
the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and
four rows for processing as a matrix.
Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES
uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys.
Each of these rounds uses a different 128-bit round key, calculated from the original AES key by
the key expansion; one extra round key is XORed into the block before the first round.
Encryption Process
Here, we restrict ourselves to the description of a typical round of AES encryption. Each round
comprises four sub-processes: byte substitution (SubBytes, in which each byte is replaced through
a fixed S-box), ShiftRows, MixColumns and AddRoundKey. The first round is depicted below.
ShiftRows
Each of the four rows of the matrix is shifted cyclically to the left. Any entries that fall off
are re-inserted on the right side of the row. The shift is carried out as follows:
First row is not shifted.
Second row is shifted one (byte) position to the left.
Third row is shifted two positions to the left.
Fourth row is shifted three positions to the left.
The result is a new matrix consisting of the same 16 bytes but shifted with respect to
each other.
MixColumns
Each column of four bytes is now transformed using a special mathematical function (a fixed
matrix multiplication over the finite field GF(2^8)). This function takes as input the four
bytes of one column and outputs four completely new bytes, which replace the original column.
The result is another new matrix consisting of 16 new bytes. It should be noted that this step
is not performed in the last round.
Addroundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed with the 128 bits of
the round key. If this is the last round, then the output is the ciphertext. Otherwise, the
resulting 128 bits are interpreted as 16 bytes and we begin another similar round.
Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the
reverse order. Each round consists of the inverses of the four processes, conducted in the
reverse order:
Add round key (its own inverse)
Inverse mix columns
Inverse shift rows
Inverse byte substitution
Since the sub-processes in each round are applied in reverse and three of them have distinct
inverse operations, unlike for a Feistel cipher the encryption and decryption algorithms need to
be implemented separately, although they are very closely related.
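The ShiftRows, MixColumns and AddRoundKey steps described above, with their inverses, as an added example in Python (not code from these notes). The state layout follows FIPS 197 (the 16 bytes fill the 4x4 matrix column by column) and MixColumns is the fixed matrix multiplication over GF(2^8); SubBytes is left out because the S-box table is not reproduced here. The column `d4 bf 5d 30` in the check below is a commonly published worked example whose MixColumns output is `04 66 81 e5`.

```python
def to_state(block: bytes) -> list:
    """16 bytes -> 4x4 matrix, filled column by column (FIPS 197 layout)."""
    assert len(block) == 16
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state: list) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def xtime(b: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gmul(a: int, b: int) -> int:
    """General multiplication in GF(2^8) by shift-and-add."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p


def shift_rows(state: list) -> list:
    """Row r is rotated r bytes to the left (row 0 is not shifted)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state: list) -> list:
    return [row[-r:] + row[:-r] if r else list(row) for r, row in enumerate(state)]


MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))


def mix_columns(state: list, matrix=MIX) -> list:
    """Each column is multiplied by the fixed 4x4 matrix over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for i in range(4):
                acc ^= gmul(matrix[r][i], state[i][c])
            out[r][c] = acc
    return out


def inv_mix_columns(state: list) -> list:
    return mix_columns(state, INV_MIX)


def mix_column(col: list) -> list:
    """Convenience: MixColumns applied to a single column given as 4 bytes."""
    state = [[col[r], 0, 0, 0] for r in range(4)]
    return [row[0] for row in mix_columns(state)]


def add_round_key(state: list, round_key: bytes) -> list:
    k = to_state(round_key)
    return [[state[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]


def round_transform(block: bytes, round_key: bytes, last: bool = False) -> bytes:
    """ShiftRows, MixColumns (skipped in the last round), AddRoundKey."""
    s = shift_rows(to_state(block))
    if not last:
        s = mix_columns(s)
    return from_state(add_round_key(s, round_key))


def inverse_round_transform(block: bytes, round_key: bytes, last: bool = False) -> bytes:
    """The same steps undone in reverse order with the inverse operations."""
    s = add_round_key(to_state(block), round_key)
    if not last:
        s = inv_mix_columns(s)
    return from_state(inv_shift_rows(s))


if __name__ == "__main__":
    print([f"{b:02x}" for b in mix_column([0xD4, 0xBF, 0x5D, 0x30])])   # ['04', '66', '81', 'e5']
```

The inverse round is not the encryption round run backwards with different constants (as in a Feistel cipher) but a separate sequence of distinct inverse operations, which is why AES decryption has to be implemented on its own.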
AES Analysis
In present-day cryptography, AES is widely adopted and supported in both hardware and
software. To date, no practical cryptanalytic attack against AES has been discovered.
Additionally, AES has built-in flexibility of key length, which allows a degree of future-proofing
against progress in the ability to perform exhaustive key searches.
However, just as for DES, the security of AES is assured only if it is correctly implemented
(including a suitable mode of operation and resistance to side channels such as timing) and
good key management is employed.
There are three types of public-key encryption schemes. We discuss them in the following sections.
RSA Cryptosystem
This cryptosystem is one of the first public-key systems, and it remains the most widely employed
public-key cryptosystem even today. The system was invented by three scholars, Ron Rivest, Adi
Shamir and Len Adleman, and hence it is termed the RSA cryptosystem. We will see two aspects of
the RSA cryptosystem: firstly the generation of the key pair, and secondly the encryption and
decryption algorithms.
RSA Encryption
Suppose the sender wishes to send a text message to someone whose public
key is (n, e).
The sender then represents the plaintext as a series of numbers less than n.
To encrypt the first plaintext block P, which is a number modulo n, the encryption
process is a single mathematical step:
$C = P^e \bmod n$
RSA Decryption
The decryption process for RSA is also very straightforward. Suppose that the
owner of the key pair with public key (n, e) has received a ciphertext C.
The receiver raises C to the power of his private exponent d. The result modulo n is the
plaintext P:
$P = C^d \bmod n$
Returning again to our numerical example, the ciphertext C = 82 is
decrypted to the number 10 using the private key d = 29:
$P = 82^{29} \bmod 91 = 10$
RSA Analysis
The security of RSA depends on the strength of two separate functions. The RSA cryptosystem
is the most popular public-key cryptosystem, and its strength is based on the practical difficulty
of factoring very large numbers.
Encryption function: it is considered a one-way function for converting plaintext into
ciphertext, which can be reversed only with knowledge of the private key d.
Key generation: the difficulty of determining a private key from an RSA public key is
equivalent to factoring the modulus n. An attacker thus cannot use knowledge of an RSA public
key to determine the RSA private key unless he can factor n. This is also a one-way function:
going from the primes p and q to the modulus n is easy, but recovering p and q from n is
infeasible when they are large.
If either of these two functions is proved not to be one-way, then RSA is broken. In fact, if a
technique for factoring efficiently is developed, then RSA will no longer be safe.
The strength of RSA encryption drops drastically if p and q are not large primes, or if a small
public exponent e is used with unpadded messages (for instance, with e = 3 a short message whose
cube is less than n is recovered by simply taking an integer cube root of the ciphertext). In
practice RSA is used only with a randomized padding scheme such as OAEP and with moduli of at
least 2048 bits.
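Key generation, encryption and decryption as described above, worked through in Python as an added example (not code from these notes) on the notes' own numbers (n = 91, d = 29, C = 82, P = 10; the matching public exponent is e = 5, since 5 x 29 = 145 = 2 x 72 + 1), plus the two caveats of the last paragraph: a modulus that can be factored gives up d, and a small e with an unpadded short message gives up the message by an integer root. The primes 999983 and 65537 in the second demo are constructed test values and are still far too small for real use.

```python
from math import gcd, isqrt


def keygen(p: int, q: int, e: int):
    """Textbook RSA: n = pq, d = e^-1 mod phi(n). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "a plaintext block must be a number less than n"
    return pow(m, e, n)                       # C = P^e mod n


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)                       # P = C^d mod n


def factor_by_trial_division(n: int):
    """Feasible only for toy moduli: this is exactly what a large n prevents."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


def private_key_from_factors(pub, p: int, q: int):
    """Knowing p and q makes recovering d from the public key immediate."""
    n, e = pub
    assert p * q == n
    return n, pow(e, -1, (p - 1) * (q - 1))


def iroot(x: int, k: int) -> int:
    """Exact integer floor of the k-th root, by binary search."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_e_attack(pub, c: int):
    """If m^e < n then no modular reduction took place, so C is m^e over the
    integers and an e-th root recovers m without the private key.
    Returns None when the root is not exact (the message was large enough)."""
    n, e = pub
    m = iroot(c, e)
    return m if pow(m, e) == c else None


if __name__ == "__main__":
    pub, priv = keygen(7, 13, 5)              # the notes' example: n = 91
    print(pub, priv, encrypt(pub, 10), decrypt(priv, 82))
    p, q = factor_by_trial_division(pub[0])
    print("recovered d:", private_key_from_factors(pub, p, q)[1])
```

Both attacks are defeated by the same rule of thumb: primes of 1024 bits or more so that factoring is out of reach, and a padding scheme that makes every message block close to n in size so that the cube-root shortcut never applies.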
As you can see, any positive integer modulo 10 is just the last digit in base 10: 1537%10 is 7,
etc. You can think of "modulo 10" for positive integers as meaning "ignore all decimal digits
except the last one".
Doing "modular arithmetic" with "modulus" 10 means doing addition, subtraction, and
multiplication (including powers) where you only care about the remainder modulo 10. You can
use some other modulus m instead of 10, as long as it's the same through the whole problem.
It works very smoothly.
The "as often as you want" principle: if you are doing modular arithmetic to find the answer
modulo m, you can take the remainder modulo m as often as you want during the calculations,
without changing the answer.
Example 1. To find 1537 x 4248 modulo 10, you could multiply out and take the last digit, but a
better way would be to replace 1537 by 7 and 4248 by 8 to start, find 7 x 8 = 56, and then take
56 mod 10 to get 6 as the answer.
A handy standard notation is to write $a \equiv b \pmod{m}$ if a and b have the same remainder modulo
m. This is read "a is congruent to b modulo m". In this notation the example just mentioned
looks like this: $1537 \times 4248 \equiv 7 \times 8 = 56 \equiv 6 \pmod{10}$.
Example 2. Find $2^8$ modulo 11.
One solution. $2^8 = 256$; 11 goes into 256 with quotient 23 and remainder 3.
Another solution. Find $2^2$, $2^4$, $2^8$ by squaring repeatedly, but take remainders mod 11 at each
chance you get: $2^2 = 4$, $2^4 = 4^2 = 16 \equiv 5$, $2^8 \equiv 5^2 = 25 \equiv 3 \pmod{11}$.
Notice that the powers of 2 run through all possible remainders modulo 11, except 0. We say
2 is a "generator" modulo 11. There is a theorem that if you take a prime modulus, then there
is always some generator, and in fact 2 often works. If 2 doesn't, maybe 3 will (though modulo 11
it does not: the powers of 3 only reach 3, 9, 5, 4 and 1).
Steps:
1. Alice and Bob, using insecure communication, agree on a huge prime p and a generator
g. They don't care if someone listens in.
2. Alice chooses some large random integer $x_A < p$ and keeps it secret. Likewise, Bob
chooses $x_B < p$ and keeps it secret. These are their "private keys".
3. Alice computes her "public key" $y_A \equiv g^{x_A} \pmod{p}$ and sends it to Bob using insecure
communication. Bob computes his public key $y_B \equiv g^{x_B} \pmod{p}$ and sends it to Alice.
Here $0 < y_A < p$, $0 < y_B < p$.
As already mentioned, sending these public keys over insecure communication is safe
because it would be too hard for someone to compute $x_A$ from $y_A$ or $x_B$ from $y_B$ (the
discrete logarithm problem), just as with the powers of 2 above, provided p is huge; for a
small p such as 11 an eavesdropper simply tries every exponent.
4. Alice computes $z_A \equiv y_B^{x_A} \pmod{p}$ and Bob computes $z_B \equiv y_A^{x_B} \pmod{p}$.
Here $z_A < p$, $z_B < p$.
But $z_A = z_B$, since $z_A \equiv y_B^{x_A} \equiv (g^{x_B})^{x_A} = g^{x_A x_B} \pmod{p}$ and similarly
$z_B \equiv (g^{x_A})^{x_B} = g^{x_A x_B} \pmod{p}$. So this value is their shared secret key. They can use
it to encrypt and decrypt the rest of their communication by some faster (symmetric) method.
In this calculation, notice that the step $y_B^{x_A} \equiv (g^{x_B})^{x_A}$ involved replacing $g^{x_B}$ by its
remainder $y_B$ (in the reverse direction), so we were really using the "as often as you
want" principle.
Note that nothing in these steps authenticates Alice and Bob to each other: an active attacker
who replaces $y_A$ and $y_B$ in transit with his own values establishes a separate secret with each
side (a man-in-the-middle attack). In practice the public values are therefore signed or
otherwise authenticated.
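The exchange in steps 1 to 4, together with the square-and-multiply method of computing powers modulo p (the repeated squaring of Example 2) and the generator check, as an added Python example that is not part of these notes. The parameters p = 11 and g = 2 are this section's toy values, and the private exponents 4 and 7 are constructed for the demo. The last two functions are the eavesdropper's attack that such toy values permit: trying every exponent. With a 2048-bit prime that loop is the discrete logarithm problem, and real deployments use a standardized group of that size.

```python
def mod_pow(base: int, exp: int, m: int) -> int:
    """Square-and-multiply, reducing mod m after every step ('as often as you want')."""
    result, base = 1, base % m
    while exp > 0:
        if exp & 1:
            result = result * base % m
        base = base * base % m
        exp >>= 1
    return result


def is_generator(g: int, p: int) -> bool:
    """g generates the non-zero residues mod prime p iff its first p-1 powers
    hit every one of them (toy check; real parameters use a known safe prime)."""
    seen, x = set(), 1
    for _ in range(p - 1):
        x = x * g % p
        seen.add(x)
    return len(seen) == p - 1


def dh_exchange(p: int, g: int, x_a: int, x_b: int):
    """Both sides of the exchange; returns the public values and each side's secret."""
    y_a = mod_pow(g, x_a, p)          # Alice -> Bob
    y_b = mod_pow(g, x_b, p)          # Bob -> Alice
    z_a = mod_pow(y_b, x_a, p)        # Alice: (g^xB)^xA
    z_b = mod_pow(y_a, x_b, p)        # Bob:   (g^xA)^xB
    return y_a, y_b, z_a, z_b


def brute_force_dlog(y: int, g: int, p: int):
    """Eavesdropper recovers x from y = g^x mod p by trying every exponent:
    feasible for p = 11, hopeless for a 2048-bit p."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * g % p
    return None


def eavesdrop(p: int, g: int, y_a: int, y_b: int):
    """Eve sees p, g, y_a, y_b; with a small p she recovers the shared secret."""
    x_a = brute_force_dlog(y_a, g, p)
    return None if x_a is None else mod_pow(y_b, x_a, p)


if __name__ == "__main__":
    p, g = 11, 2                      # the notes' toy parameters
    y_a, y_b, z_a, z_b = dh_exchange(p, g, 4, 7)      # constructed private exponents
    print("public:", y_a, y_b, "shared:", z_a, z_b)   # public: 5 7 shared: 3 3
    print("Eve recovers:", eavesdrop(p, g, y_a, y_b)) # Eve recovers: 3
```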
The authentication process is based on a measure of risk. High risk systems, applications and
information require different forms of authentication that more accurately confirm the user's
digital identity as being who they claim to be than would a low risk application, where the
confirmation of the digital identity is not as important from a risk perspective. This is commonly
referred to as "stronger authentication".
Authentication technology provides the basis for access control in computer systems. If the
identity of a user can be correctly verified, legitimate users can be granted access to system
resources. Conversely, those attempting to gain access without proper authorization can be
denied. As used in this bulletin, authentication is defined as the act of verifying the identity of
a user. Once a user's identity is verified, access control techniques may be used to mediate the
user's access to data. Authentication processes are dependent upon identity verification and
registration processes.
Authentication
A variety of methods are available for performing user authentication.
The traditional method for authenticating users has been to provide them with a secret
password, which they must use when requesting access to a particular system. Password
systems can be effective if managed properly (Federal Information Processing Standard [FIPS]
112), but they seldom are. Authentication which relies solely on passwords has often failed to
provide adequate protection for computer systems for a number of reasons. If users are
allowed to make up their own passwords, they tend to choose ones that are easy to remember
and therefore easy to guess. If passwords are generated from a random combination of
characters, users often write them down because they are difficult to remember.
Password Authentication
In most enterprises, the use of passwords is the primary means of authenticating a user.
Unfortunately, it is also the weakest form of authentication. The ways to bypass this form of
security are well known and cheap. While many enterprises focus on strengthening password
policy, those efforts are of limited value against the tools available to attackers, which make it
easy to capture, intercept or crack most passwords.
The first attack tool against password authentication is a hardware keyboard logger. Legally
available online for around $40, these devices plug into the connection between the keyboard and
the computer. They record every keystroke, and some models time- and date-stamp the data. A
hardware keyboard logger looks like a small connector, takes only a few seconds to install and,
because it sits outside the host, cannot be detected by software running on the computer;
physical inspection is the only reliable control.
The use of password authentication is further weakened by software attacks. Thousands of new
password-stealing malware programs are created every year. Some are very sophisticated and can
be bought over the Internet, tailored to particular targets. Such password-logging software is
typically delivered through email, activated by clicking on a link or attachment, or by
visiting a fake site that mimics a legitimate commercial site (a phishing attack).
Some of the attacks on password authentication are so sophisticated that they embed
themselves in the operating system kernel (rootkits). Rootkits are acknowledged by Microsoft to
be so insidious that the only reliable way to remove them is to re-image every infected computer
on the enterprise network.
This does not mean passwords must be abandoned: they can be used in a layered identity defense
strategy. What this means is that your enterprise allows a user id and password to gain general
access to low-risk enterprise applications and information, e.g. the enterprise portal. However,
when the user tries to access applications or information that are higher risk, the enterprise
single sign-on system requires stronger authentication. This may include the use of security
tokens, digital certificates, biometrics, smartcards or combinations thereof in addition to the
password.
LDAP Authentication
Lightweight Directory Access Protocol (LDAP) directories and LDAP authentication have
become one of the enterprise user infrastructure cornerstones. As the enterprise has digitized
and opened itself up to customer, business partner, vendor and wide-spread employee access
to pieces of most enterprise applications, the need to know who the user is has significantly
increased from a security perspective. Who is the user trying to access an application? What is
the strength of authentication by which the application can trust the user trying to access the
application? What are the user's authorization privileges?
The frequency with which a user has to be authenticated has also increased. Thus in a medium to
large enterprise it is not uncommon to have several thousand to several hundred thousand
identity look-ups per second.
The above are the reasons why LDAP directories and authentication have taken on such a
dominant role in enterprise authentication. LDAP directories offer the following features:
a. They are very quick for identity reads compared to traditional databases.
b. They are low cost; in fact some LDAP directories are available for free.
c. Virtual LDAP directories enable quick linkage between multiple databases and
multiple LDAP directories.
d. LDAP directories are excellent for rapid LDAP authentication for any digitized
authentication.
e. LDAP directories use a standard protocol, enabling quick interaction and
exchange of identity information between enterprises.
f. LDAP directories can be easily partitioned to place the directory close to the
end user, thus improving performance and reducing network load.
Unique Enterprise ID
Next it's important that in cases where multiple data sources have the same identity
information that a universal identity id be deployed. For example, if a user named John Jones
is in the HRMS as J Jones, in the payroll system as John Jones, in the shipping system as JJONES
etc, then it becomes important to know at the enterprise level a common id for John Jones.
This usually means creation of a unique alphanumeric id for each user. Without this, the
enterprise LDAP authentication won't work since John Jones won't know which id to use in
authentication. Further, the handoff to the applications after LDAP authentication won't work
since the LDAP directory has to communicate with the application that John Jones has
successfully authenticated.
form, or simply have an entry point for the id and password. This information is then sent to the
LDAP directory (make sure it is sent over an encrypted channel, LDAPS or StartTLS, and never in the
clear). The directory compares the submitted credentials with the entry stored for that id; the
directory should hold a salted hash of the password rather than the password itself, so the
comparison is made by hashing the submitted password. If they match, the LDAP authentication is
successful. In network operating systems, the network then takes over, proceeds with user
authorization and allows the user to use the network.
Authentication - Biometrics
Biometrics used for authentication is currently in fashion in the authentication industry. The
UK and US governments are rapidly deploying them in their visas, passports and personal
identification cards. Many other industries are adopting biometrics as authentication
mechanisms for accessing bank machines, doorway access control and time card reporting and
general computer desktop access. Authentication is the process of determining if a user or
identity is who they claim to be. The authentication process is based on risk. Higher risk
situations require more identity verification certainty. Biometrics can play a useful role in
verifying the identity along with other factors.
the chances increase that the identity presenting the biometric may not be the person who
was registered with it. Therefore, biometrics are combined with other factors in multi-factor
authentication.
The use of biometrics as a deterrent against identity theft is being much touted at the moment.
However, the use of biometrics alone will not likely deter criminals from finding ways around
the use of biometrics. Remember that what is being presented are a set of computer bits that
represent the biometric to the authentication server. Therefore, it is extremely likely that
criminals will adjust their attack vectors and try to capture the biometric from the person, and
then replay these on the enterprise.
The user wishes to send an email to a business associate. The user digitally signs the email with
their private key, and the email is sent to the business associate. The business associate uses the
sending user's public key to verify the signature. The use of digital certificates in this example
provides message integrity and user authentication (and non-repudiation) without having to
exchange secrets in advance. It does not by itself provide confidentiality; for that the message
would additionally be encrypted with the recipient's public key.
PKI was oversold on its capabilities when it was originally introduced several years ago. There
were serious problems with browser incompatibilities, costs associated with issuing and
managing digital certificates and a business environment that had not yet widely adopted the
internet to rethink business processes between enterprises.
One-Time Passwords
One-time password security tokens, like SecurID by RSA, are one way of significantly reducing
the risk of using passwords. Unlike passwords, which are changed every 60-90 days or longer,
a SecurID token works differently. On the small screen of the key fob the user carries is a
number that changes every 60 seconds. The numbers displayed appear random to the end user;
they are generated by an algorithm from the current time and a secret seed that is known only
to the token and the enterprise security server.
The user logs on to the enterprise network. During the logon sequence the user is asked to
enter their id and then the number displayed on the screen. This information is sent over an
encrypted connection to the enterprise security server. If the number matches the one the server
computes for that token and time window, the user is authenticated.
The devices are tamper-resistant. They are pre-programmed at the factory and ready for
immediate use. By combining a secret that the user knows (a PIN; the user id itself is not a
secret) with something the user has (the token that produces the one-time password), the
authentication is much stronger than that of a traditional password.
The microchip and memory of a smart card enable the card to encrypt any identity information
it contains, as well as to encrypt the RF connection between a contactless smart card and the
card reader.
Selection of the access control cards should be done in context of the enterprise access control
and identity management systems. For example, will the cards and readers integrate with the
enterprise Lightweight Directory Access Protocol (LDAP)? Can the access control provisioning
system create, modify or terminate an identity on the access control card identity server?
What is the strength of authentication required for the access control card? Is it easy to tamper
with?
Authentication - Wireless
Most modern wireless networks authenticate users using the Remote Authentication Dial-In
User Service (RADIUS) protocol. RADIUS handles the overall authentication of the user's session
on the wireless device, as well as authorization and accounting.
Typically, when you log on to your ISP or corporate network using a wireless device, you are
required to provide authentication information. Often this uses the Extensible Authentication
Protocol (EAP). The type of authentication you use is determined by the EAP method. There are
many different EAP methods, ranging from an id and password (weak unless carried inside a TLS
tunnel), to digital certificates, security tokens and even biometrics.
The RADIUS server takes the EAP method, challenges the user with the appropriate
authentication method, receives the authentication response and then verifies it, often against
an enterprise LDAP directory. If the authentication is successful, the RADIUS server then
authorizes IP addresses, the tunneling protocol used to create virtual private networks, etc.
Further, the RADIUS server keeps track of when a user session begins and ends.
For senior executives, who do require fairly open access to applications and information
systems via their wireless devices, issue them with a one-time password generator such as RSA's
SecurID and require them to enter its code in order to authenticate their wireless device to the
network. This reduces the risk that the person at the end of the wireless device is not the
identity to whom you issued the id and password.
Digital Signatures
In many instances, it is not necessary to authenticate the communicating parties; for instance,
when downloading application updates or patches from the Internet. From a security point of
view, the server does not need to screen who is downloading the software, and the user
downloading the software does not necessarily care which particular server it is downloading
from. However, the user does want to be assured that the downloaded data is genuine and not a
Trojan horse or other malicious or invalid content. In this instance, a digital signature best
serves to authenticate the downloaded data.
A digital signature is produced from a digest of the signed document (computed with a one-way
hash function), which is then signed with the signer's private key (for RSA this is the
private-key operation, often described as "encrypting with the private key"). The client verifies
the signature with the server's public key, recovering the digest, and compares it to the digest
it computes from the message received. The signature can also be used by the server to verify
data the client is sending, if the client has its own key pair.
As with symmetric encryption the main security worry is how the secret key is shared.
A hash function is therefore something that takes an input (which can be any data - numbers,
files, etc) and outputs a hash. A hash is usually displayed as a hexadecimal number.
This is the hash function md5, which from any input data creates a 32-character hexadecimal
output. Hash functions are generally irreversible (one-way), which means you cant figure out
the input if you only know the output unless you try every possible input (which is called a
brute-force attack).
Hash functions are often used for proving that something is the same as something else,
without revealing the information beforehand. Heres an example.
Lets say Alice is bragging to Bob that she knows the answer to the challenge question in their
Math class. Bob wants her to prove that she knows the answer, without her telling him what it
is. So, Alice hashes her answer (lets say the answer was 42) to produce this hash:
Alice gives this hash to Bob. Bob cannot find out what the answer is from this hash but when
he finds the answer himself, he can hash his answer and if he gets the same result, then he
knows that Alice did indeed have the answer. Hashes are often used in this context of verifying
information without revealing it to the party that is verifying.
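The Alice/Bob exchange above, written out as an added example (this code is not part of the lecture notes). It shows the literal form from the text, a bare hash of the answer, and the brute-force problem the text mentions: when the answer comes from a small space such as a number, anyone can hash every candidate. The hardened form adds a random nonce that Alice reveals together with the answer. SHA-256 is used for the commitment; the md5 helper only reproduces the 32-character output the text describes.

```python
# Added example (not from the lecture notes): the Alice/Bob exchange above
# as a hash commitment, with the brute-force caveat the text raises.
import hashlib
import secrets
from typing import Iterable, Optional, Tuple


def md5_hex(data: bytes) -> str:
    """The md5 function mentioned in the text: any input -> 32 hex characters."""
    return hashlib.md5(data).hexdigest()


def bare_commit(answer: str) -> str:
    """What the text describes literally: Alice publishes H(answer)."""
    return hashlib.sha256(answer.encode()).hexdigest()


def recover_by_brute_force(commitment: str, candidates: Iterable[str]) -> Optional[str]:
    """The attack the text names: with a small answer space (a number, a
    short word) a bare hash is reversed simply by hashing every candidate."""
    for candidate in candidates:
        if bare_commit(candidate) == commitment:
            return candidate
    return None


def commit(answer: str, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Hardened form: Alice hashes a random 128-bit nonce together with the
    answer and publishes only the hash. Bob cannot brute-force the answer
    because he does not know the nonce until Alice opens the commitment."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    digest = hashlib.sha256(nonce + b"|" + answer.encode()).hexdigest()
    return digest, nonce


def verify(commitment: str, nonce: bytes, answer: str) -> bool:
    """Bob's check once Alice reveals nonce and answer: recompute and compare."""
    expected = hashlib.sha256(nonce + b"|" + answer.encode()).hexdigest()
    return secrets.compare_digest(expected, commitment)
```

Bob keeps only the digest until Alice opens the commitment; at that point he recomputes the hash over the revealed nonce and answer, and any change to either value makes `verify` fail.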
government agencies to provide better online security standards for organizations and the
public.
Within the family of secure hash algorithms, there are several instances of these tools that
were set up to facilitate better digital security. The first one, SHA-0, was developed in 1993.
Like its successor, SHA-1, SHA-0 features 16-bit hashing.
The next secure hash algorithm, SHA-2, involves a set of two functions with 256-bit and 512-
bit outputs, respectively. There is also a top-level secure hash algorithm known as SHA-3
or "Keccak", which came out of a crowd-sourcing contest to see who could design another
new algorithm for cybersecurity.
All of these secure hash algorithms are part of new encryption standards to keep sensitive data
safe and prevent different types of attacks. Although some of these were developed by
agencies like the National Security Agency, and some by independent developers, all of them
are related to the general functions of hash encryption that shields data in certain database
and network scenarios, helping to evolve cybersecurity in the digital age.
The CAS protocol involves at least three parties: a client web browser, the web application
requesting authentication, and the CAS server. It may also involve a back-end service, such as
a database server, that does not have its own HTTP interface but communicates with a web
application.
When the client visits an application desiring to authenticate to it, the application redirects it
to CAS. CAS validates the client's authenticity, usually by checking a username and password
against a database (such as Kerberos, LDAP or Active Directory).
If the authentication succeeds, CAS returns the client to the application, passing along a service
ticket. The application then validates the ticket by contacting CAS over a secure connection and
providing its own service identifier and the ticket. CAS then gives the application trusted
information about whether a particular user has successfully authenticated.
CAS allows multi-tier authentication via a proxy address. A cooperating back-end service, such as
a database or mail server, can participate in CAS, validating the authenticity of users via
information it receives from web applications. Thus, a webmail client and a webmail server can
both implement CAS.
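The service-ticket flow described above, as an added example that is not part of the notes and not the CAS project's own code. It models the CAS server issuing a service ticket after login and the application validating that ticket with its own service identifier. The checks in `validate` are the ones that matter for security: a ticket is single-use (a replayed ticket fails), it expires, and it is bound to the service it was issued for, so a ticket obtained for one application cannot be presented to another. The user store, service URLs and lifetime are constructed for the example; a real CAS deployment checks credentials against Kerberos, LDAP or Active Directory as the text says.

```python
# Added example (not from the notes and not the CAS project's code): a
# minimal model of the service-ticket flow above, showing the checks the
# CAS server applies when an application validates a ticket.
import secrets
import time
from typing import Callable, Dict, Optional


class CASServer:
    def __init__(self, users: Dict[str, str], ticket_ttl: float = 10.0,
                 clock: Callable[[], float] = time.time):
        # A dict stands in for the Kerberos/LDAP/AD credential check.
        self._users = users
        self._tickets: Dict[str, tuple] = {}   # ticket -> (service, user, issued_at)
        self._ttl = ticket_ttl
        self._clock = clock

    def login(self, service: str, username: str, password: str) -> Optional[str]:
        """The client, redirected here by the application, authenticates.
        On success CAS sends it back to `service` carrying a service ticket."""
        if self._users.get(username) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, username, self._clock())
        return ticket

    def validate(self, service: str, ticket: str) -> Optional[str]:
        """The application presents its own service identifier and the
        ticket over a secure connection. CAS returns the authenticated
        user only if the ticket exists, has not been used before, has not
        expired, and was issued for exactly this service."""
        entry = self._tickets.pop(ticket, None)   # single use: a replay fails
        if entry is None:
            return None
        bound_service, user, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return None
        if bound_service != service:              # issued for a different service
            return None
        return user


def application_request(cas: CASServer, service: str, ticket: Optional[str]) -> str:
    """What the web application does on each request: no ticket means
    'redirect to CAS'; a ticket is validated before a session is opened."""
    if ticket is None:
        return "redirect:" + service
    user = cas.validate(service, ticket)
    return "session-for:" + user if user else "reject"
```

The `clock` parameter exists so that ticket expiry can be exercised without waiting; in production the default `time.time` is used.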
Types of Attack
Without security measures and controls in place, your data might be subjected to an attack.
Some attacks are passive, meaning information is monitored; others are active, meaning the
information is altered with intent to corrupt or destroy the data or the network itself.
Your networks and data are vulnerable to any of the following types of attacks if you do not
have a security plan in place.
1. Eavesdropping
In general, the majority of network communications occur in an unsecured or
"cleartext" format, which allows an attacker who has gained access to data paths in
your network to "listen in" or interpret (read) the traffic. When an attacker is
eavesdropping on your communications, it is referred to as sniffing or snooping. The
ability of an eavesdropper to monitor the network is generally the biggest security
problem that administrators face in an enterprise. Without strong encryption services
that are based on cryptography, your data can be read by others as it traverses the
network.
2. Data Modification
After an attacker has read your data, the next logical step is to alter it. An attacker can
modify the data in the packet without the knowledge of the sender or receiver. Even if
you do not require confidentiality for all communications, you do not want any of your
messages to be modified in transit. For example, if you are exchanging purchase
requisitions, you do not want the items, amounts, or billing information to be modified.
After gaining access to the network with a valid IP address, the attacker can modify,
reroute, or delete your data. The attacker can also conduct other types of attacks, as
described in the following sections.
4. Password-Based Attacks
A common denominator of most operating system and network security plans is
password-based access control. This means your access rights to a computer and
network resources are determined by who you are, that is, your user name and your
password.
When an attacker finds a valid user account, the attacker has the same rights as the
real user. Therefore, if the user has administrator-level rights, the attacker also can
create accounts for subsequent access at a later time.
After gaining access to your network with a valid account, an attacker can do any of
the following:
- Obtain lists of valid user and computer names and network information.
- Modify server and network configurations, including access controls and
routing tables.
- Modify, reroute, or delete your data.
5. Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack prevents normal use of
your computer or network by valid users.
After gaining access to your network, the attacker can do any of the following:
- Randomize the attention of your internal Information Systems staff so that
they do not see the intrusion immediately, which allows the attacker to make
more attacks during the diversion.
- Send invalid data to applications or network services, which causes abnormal
termination or behavior of the applications or services.
- Flood a computer or the entire network with traffic until a shutdown occurs
because of the overload.
- Block traffic, which results in a loss of access to network resources by
authorized users.
6. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you
and the person with whom you are communicating is actively monitoring, capturing,
and controlling your communication transparently. For example, the attacker can
reroute a data exchange. When computers are communicating at low levels of the
network layer, the computers might not be able to determine with whom they are
exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to read
your message. The person on the other end might believe it is you because the attacker
might be actively replying as you to keep the exchange going and gain more
information. This attack is capable of the same damage as an application-layer attack,
described later in this section.
7. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although
obtaining a key is a difficult and resource-intensive process for an attacker, it is
possible. After an attacker obtains a key, that key is referred to as a compromised key.
8. Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network data
exchanges and read network packets. If the packets are not encrypted, a sniffer
provides a full view of the data inside the packet. Even encapsulated (tunneled) packets
can be broken open and read unless they are encrypted and the attacker does not have
access to the key.
9. Application-Layer Attack
An application-layer attack targets an application server by deliberately causing a fault in
the server's operating system or applications. This results in the attacker gaining the
ability to bypass normal access controls. The attacker takes advantage of this situation,
gaining control of your application, system, or network, and can do any of the
following:
- Read, add, delete, or modify your data or operating system.
- Introduce a virus program that uses your computers and software applications
to copy viruses throughout your network.
- Introduce a sniffer program to analyze your network and gain information that
can eventually be used to crash or to corrupt your systems and network.
- Abnormally terminate your data applications or operating systems.
- Disable other security controls to enable future attacks.
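The data-modification and man-in-the-middle entries above both come down to a message being altered or replayed between sender and receiver without either side noticing. As an added example (not from the notes), the code below shows the standard countermeasure: a keyed hash (HMAC-SHA256) over each message plus a sequence number, so that the receiver rejects a frame whose contents were changed in transit and a frame that is simply captured and sent again. The shared key and the purchase-requisition payload are constructed. This gives integrity only; the encryption the eavesdropping entry calls for is still needed to keep the contents secret.

```python
# Added example (not from the notes): detecting in-transit modification and
# replay with HMAC-SHA256 over "seq || payload". Key and payloads are
# constructed for the example.
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32   # HMAC-SHA256 output length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq (4 bytes) || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Returns the payload, or None when the tag does not match (the
        frame was altered) or the sequence number does not advance (replay)."""
        if len(frame) < 4 + TAG_LEN:
            return None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None
        seq = struct.unpack(">I", header)[0]
        if seq <= self._last_seq:
            return None
        self._last_seq = seq
        return payload


def modified_in_transit(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Models an edit of the requisition by someone on the path (same
    length, so the frame still parses); used to show the receiver rejects it."""
    return frame.replace(old, new, 1)
```

Without the key, nobody on the path can produce a valid tag for altered contents, and the sequence check turns a captured duplicate into a rejected frame rather than a second accepted order.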
Pretty Good Privacy uses a variation of the public key system. In this system, each user has an
encryption key that is publicly known and a private key that is known only to that user. You
encrypt a message you send to someone else using their public key. When they receive it, they
decrypt it using their private key. Since encrypting an entire message can be time-consuming,
PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to
encrypt the shorter key that was used to encrypt the entire message. Both the encrypted
message and the short key are sent to the receiver who first uses the receiver's private key to
decrypt the short key and then uses that key to decrypt the message.
PGP comes in two public key versions -- Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The
RSA version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate
a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version
uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman
algorithm to encrypt the short key.
When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a
mathematical summary) from the user's name and other signature information. This hash code
is then encrypted with the sender's private key. The receiver uses the sender's public key to
decrypt the hash code. If it matches the hash code sent as the digital signature for the message,
the receiver is sure that the message has arrived securely from the stated sender. PGP's RSA
version uses the MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version uses
the SHA-1 algorithm to generate the hash code.
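The two mechanisms described above, the hash-then-sign digital signature from the earlier passage and PGP's hybrid encryption (a fast symmetric cipher for the message, the public key only for the short session key), as one added example. This is not code from the notes or from PGP: the RSA operation is the unpadded textbook one (real PGP adds padding to both the signature and the wrapped key), the keys are generated from a seeded PRNG so runs are reproducible, the key size is chosen here, and a SHA-256 counter keystream stands in for IDEA/CAST/AES, which the Python standard library does not provide.

```python
# Added example (not from the notes and not PGP's code): hash-then-sign
# with RSA, and PGP-style hybrid encryption with a wrapped session key.
import hashlib
import random
import secrets
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin test, after trial division by a few small primes."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 1024, seed: int = 2024) -> Tuple[Key, Key]:
    """Returns (public, private); the seed makes the example reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private_key: Key, message: bytes) -> int:
    """Digest the message, then 'encrypt' the digest with the private key."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key: Key, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key; compare with a fresh digest."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(public_key: Key, message: bytes) -> Tuple[int, bytes]:
    """The PGP pattern: a random 256-bit session key encrypts the message,
    and only that short key goes through the slow public-key operation."""
    n, e = public_key
    session_key = secrets.token_bytes(32)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, _xor_stream(session_key, message)


def hybrid_decrypt(private_key: Key, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Receiver: unwrap the session key with the private key, then decrypt."""
    n, d = private_key
    session_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return _xor_stream(session_key, ciphertext)
```

A one-bit change to the message or to the signature makes `verify` return False, which is the check a client performs on a downloaded file before trusting it; and because the session key is 256 bits and the modulus 1024, the wrapped key decrypts back to exactly the bytes the sender drew.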
IPSec
IPSec, which works at the network layer, is a framework of protocols and algorithms for
protecting data that crosses an untrusted network such as the Internet. IPSec provides data
security in various ways, such as encrypting and authenticating data and protecting against
masquerading and manipulation. IPSec is a complex framework consisting of many settings,
which is why it provides a powerful and flexible set of security features.
IPSec is a collection of different protocols and algorithms. IPSec traffic can be configured using
over 30 different settings. IPSec is used to secure traffic from site to site or from a site to a mobile
user. As technology constantly changes and grows, IPSec suits this well because it is a
framework, which allows you to add new and better algorithms as they come out.
When two IPSec gateways want to make a VPN connection between them, they negotiate on
various settings and parameters and must make an agreement on the parameters used. For
example, what type of authentication and encryption will be used within the VPN tunnel. This
is generally called VPN negotiation.
IPSec does not use RSA for data encryption; it uses DES, 3DES, or AES. IPSec uses RSA within IKE
(Internet Key Exchange) during the peer authentication phase, to ensure that the other side is
authentic and is who it claims to be.
5 phases of IPSec
1. Define interesting traffic
2. IKE phase 1: key exchange
3. IKE phase 2: IPSec policy and transform sets are processed
4. Transfer data: after the tunnels are established, you transfer the data
5. Tear down the tunnel
IPSec uses two different protocols to encapsulate the data over a VPN tunnel:
- Encapsulating Security Payload (ESP): IP protocol 50
- Authentication Header (AH): IP protocol 51
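The two encapsulations above are distinguishable on the wire by the IP protocol number alone, and each has a small fixed header in front of the protected data. As an added example (not from the notes), the parser below classifies constructed IPv4 packets as ESP, AH or neither, and reads the Security Parameters Index (SPI) and sequence number from the ESP header (RFC 4303) or the AH header (RFC 4302). This is what a defender checks when confirming that tunnel traffic really is IPsec and which security association it belongs to. Addresses, SPIs and payload bytes are made up; the IPv4 header checksum is left at zero since nothing is sent.

```python
# Added example (not from the notes): classify constructed IPv4 packets by
# IPsec encapsulation and read SPI / sequence number from ESP or AH headers.
import ipaddress
import struct
from typing import Dict

ESP, AH, TCP = 50, 51, 6


def parse_ipv4(packet: bytes) -> Dict:
    """Minimal IPv4 header parse: version/IHL, protocol, addresses, payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    return {
        "proto": packet[9],
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "payload": packet[ihl:],
    }


def parse_ipsec(packet: bytes) -> Dict:
    """Adds 'ipsec' (ESP, AH or None) plus SPI and sequence number."""
    ip = parse_ipv4(packet)
    body = ip["payload"]
    if ip["proto"] == ESP and len(body) >= 8:
        spi, seq = struct.unpack(">II", body[:8])          # ESP: SPI, Sequence Number
        return {**ip, "ipsec": "ESP", "spi": spi, "seq": seq}
    if ip["proto"] == AH and len(body) >= 12:
        next_header, payload_len, _reserved, spi, seq = struct.unpack(">BBHII", body[:12])
        return {**ip, "ipsec": "AH", "spi": spi, "seq": seq,
                "next_header": next_header, "ah_len": (payload_len + 2) * 4}
    return {**ip, "ipsec": None}


def build_ipv4(proto: int, src: str, dst: str, body: bytes) -> bytes:
    """Constructs a test packet (header checksum left at zero; fine offline)."""
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + body


def sample_esp_packet() -> bytes:
    """ESP header (SPI 0x1234, seq 7) followed by opaque encrypted payload."""
    return build_ipv4(ESP, "198.51.100.1", "203.0.113.9",
                      struct.pack(">II", 0x1234, 7) + b"\xaa" * 24)


def sample_ah_packet() -> bytes:
    """AH header: next header TCP, payload len 4 (a 24-byte AH is (4+2)*4),
    reserved, SPI 0x5678, seq 3, then a 12-byte ICV and the TCP segment."""
    ah = struct.pack(">BBHII", TCP, 4, 0, 0x5678, 3) + b"\x11" * 12
    return build_ipv4(AH, "198.51.100.1", "203.0.113.9", ah + b"\x00" * 20)


def sample_plain_packet() -> bytes:
    """Ordinary TCP packet: not IPsec at all."""
    return build_ipv4(TCP, "198.51.100.1", "203.0.113.9", b"\x00" * 20)
```

The AH payload length field counts 32-bit words minus two, which is why the 24-byte header in the sample carries the value 4; ESP has no length field because everything after the 8-byte header is ciphertext.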
SSL allows sensitive information such as credit card numbers, social security numbers, and login
credentials to be transmitted securely. Normally, data sent between browsers and web servers
is sent in plain text, leaving you vulnerable to eavesdropping. If an attacker is able to intercept
all data being sent between a browser and a web server, they can see and use that information.
More specifically, SSL is a security protocol. Protocols describe how algorithms should be used.
In this case, the SSL protocol determines variables of the encryption for both the link and the
data being transmitted.
All browsers have the capability to interact with secured web servers using the SSL protocol.
However, the browser and the server need what is called an SSL Certificate to be able to
establish a secure connection.
SSL secures millions of people's data on the Internet every day, especially during online
transactions or when transmitting confidential information. Internet users have come to
associate their online security with the lock icon that comes with an SSL-secured website or the
green address bar that comes with an Extended Validation SSL-secured website. SSL-secured
websites also begin with https rather than http.
Essentially, three keys are used to set up the SSL connection: the public, private, and session
keys. Anything encrypted with the public key can only be decrypted with the private key, and
vice versa.
Because encrypting and decrypting with the private and public keys takes a lot of processing power,
they are only used during the SSL handshake to create a symmetric session key. After the
secure connection is made, the session key is used to encrypt all transmitted data.
1. Browser connects to a web server (website) secured with SSL (https). Browser requests
that the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server's public key.
3. Browser checks the certificate root against a list of trusted CAs and that the certificate
is unexpired, unrevoked, and that its common name is valid for the website that it is
connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back
a symmetric session key using the server's public key.
4. Server decrypts the symmetric session key using its private key and sends back an
acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key.
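Step 3 is where most handshake failures and most real-world mistakes live, so here it is as an added example (not from the notes and not any browser's code), applied to constructed certificate records instead of real X.509 data. The function returns every reason the browser would refuse the certificate: root not in the trust list, outside the validity period, serial on the revocation list, or no name (common name or subject alternative name) matching the host. The hostname matcher follows the usual browser rule that a wildcard covers exactly one left-most label. Trust list, revocation list, dates and certificate fields are made up for the example.

```python
# Added example (not from the notes, not browser code): the certificate
# checks of handshake step 3 over constructed certificate records.
from datetime import datetime
from typing import Dict, List, Set


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most label
    (so *.example.com covers www.example.com but not a.b.example.com,
    nor example.com itself)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_labels, pattern_labels = hostname.split("."), pattern.split(".")
        return (len(host_labels) == len(pattern_labels)
                and host_labels[0] != ""
                and host_labels[1:] == pattern_labels[1:])
    return False


def check_certificate(cert: Dict, hostname: str, trusted_roots: Set[str],
                      revoked_serials: Set[str], now: str) -> List[str]:
    """Returns the reasons the browser would refuse the certificate; an
    empty list means every check passed. `now` and the cert dates are
    ISO-8601 strings."""
    problems = []
    if cert["root"] not in trusted_roots:
        problems.append("root not in trusted CA list")
    now_dt = datetime.fromisoformat(now)
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not (not_before <= now_dt <= not_after):
        problems.append("outside validity period")
    if cert["serial"] in revoked_serials:
        problems.append("revoked")
    names = [cert["common_name"]] + cert.get("san", [])
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("name does not match " + hostname)
    return problems


TRUSTED_ROOTS = {"Example Root CA"}          # constructed trust store
REVOKED = {"0x2a"}                           # constructed revocation list

SAMPLE_CERT = {                              # constructed server certificate
    "root": "Example Root CA",
    "serial": "0x1f",
    "not_before": "2024-01-01",
    "not_after": "2025-01-01",
    "common_name": "www.example.com",
    "san": ["*.example.com"],
}
```

Only when the returned list is empty does the browser go on to encrypt the session key with the public key it found in the certificate; a non-empty list is exactly the situation the certificate warning page reports.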
SET allowed parties to identify themselves to each other and exchange information securely.
Binding of identities was based on X.509 certificates with several extensions. SET used a
cryptographic blinding algorithm that, in effect, would have let merchants substitute a
certificate for a user's credit-card number. If SET were used, the merchant itself would never
have had to know the credit-card numbers being sent from the buyer, which would have
provided verified good payment but protected customers and credit companies from fraud.
SET was intended to become the de facto standard payment method on the Internet between
the merchants, the buyers, and the credit-card companies.
Kerberos
Kerberos authentication was developed at the Massachusetts Institute of Technology (MIT).
There are two main components: a ticket, which is used for user authentication and securing
data, and an authenticator that is used to verify that the user is the same user to whom the
ticket was initially granted. When a user logs into a system, the system connects to the Kerberos
server, where it retrieves a session key to be used between the user and the ticket-granting
service (TGS). This is encrypted with a key based on the user's password. If the user provides
the right password, the end system is able to decrypt the session key. After this is done, the user
password is erased from memory to avoid being compromised. The ticket (ticket-granting ticket,
TGT) expires after a set amount of time.
When a user wants to connect to a service to which he does not already have a ticket, the user
connects to the TGS and gets a ticket that can only be used to access the particular service the
ticket was granted for. The user can now connect through an encrypted channel to the server.
After the ticket expires, the user must request a new one from the TGS.
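The two exchanges described above, modelled as an added example (not from the notes and not MIT Kerberos code). The KDC stores only a long-term key per user, derived from the password (PBKDF2 stands in here for the Kerberos string-to-key function); the first exchange returns the TGS session key sealed under that key plus a ticket-granting ticket, so no password crosses the wire and a wrong password simply fails to open the reply; the second exchange checks the TGT's lifetime and the client's authenticator (same user, fresh timestamp) before issuing a ticket for one specific service. `seal` is a SHA-256 keystream with an HMAC, standing in for the Kerberos encryption types. Realm, principal names and lifetimes are chosen for the example.

```python
# Added example (not from the notes and not MIT Kerberos code): AS and TGS
# exchanges with a password-derived user key, a TGT and an authenticator.
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional

REALM = "EXAMPLE.ORG"


def password_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password; the only per-user secret the KDC stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, fields: Dict) -> bytes:
    """Encrypt a record and append an HMAC, so a wrong key is detected."""
    body = _xor_stream(key, json.dumps(fields).encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[Dict]:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None      # wrong password, wrong key, or tampered record
    return json.loads(_xor_stream(key, body))


class KDC:
    """Authentication server plus ticket-granting service (TGS)."""

    def __init__(self, users: Dict[str, str], services: list,
                 clock: Callable[[], float] = time.time, tgt_life: float = 8 * 3600):
        self.clock, self.tgt_life = clock, tgt_life
        self.user_keys = {u: password_key(pw, u) for u, pw in users.items()}
        self.service_keys = {s: secrets.token_bytes(32) for s in services}
        self._tgs_key = secrets.token_bytes(32)

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP: session key sealed under the user's key, plus a TGT
        sealed under the TGS key, which the client cannot read."""
        if user not in self.user_keys:
            return None
        session_key = secrets.token_bytes(32)
        tgt = seal(self._tgs_key, {"user": user, "key": session_key.hex(),
                                   "expires": self.clock() + self.tgt_life})
        return seal(self.user_keys[user], {"tgs_session_key": session_key.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: the TGT must open under the TGS key and be unexpired;
        the authenticator must open under the TGT's session key, name the same
        user and be fresh (5-minute clock skew allowed)."""
        now = self.clock()
        t = unseal(self._tgs_key, tgt)
        if t is None or t["expires"] < now or service not in self.service_keys:
            return None
        session_key = bytes.fromhex(t["key"])
        auth = unseal(session_key, authenticator)
        if auth is None or auth["user"] != t["user"] or abs(now - auth["timestamp"]) > 300:
            return None
        service_key = secrets.token_bytes(32)
        ticket = seal(self.service_keys[service],
                      {"user": t["user"], "key": service_key.hex(), "expires": now + 3600})
        return seal(session_key, {"service_session_key": service_key.hex()}), ticket


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side of both exchanges; returns (sealed reply, service ticket) or None."""
    reply = kdc.as_exchange(user)
    if reply is None:
        return None
    enc_part, tgt = reply
    part = unseal(password_key(password, user), enc_part)
    password = ""   # as the notes say: the password is discarded once the session key is recovered
    if part is None:
        return None                      # wrong password: the reply does not open
    session_key = bytes.fromhex(part["tgs_session_key"])
    authenticator = seal(session_key, {"user": user, "timestamp": kdc.clock()})
    return kdc.tgs_exchange(tgt, authenticator, service)
```

The service ticket is sealed under the service's own key, so the service can open it and learn the user and session key without ever contacting the KDC, which is the scaling property the notes describe; the cost, as the next paragraph says, is that the KDC must hold a key for every user and every service.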
The major issue with Kerberos is its scalability. The Kerberos server must store secret keys for
each of the users and each of the TGSs. Kerberos can get very complex in enterprise
implementations where trust relationships need to be in place between multiple organizations.