
Cryptographic Rotor Machines

Electric rotor machines were electro-mechanical devices that made it possible to use encryption algorithms far more complex than the ciphers that had previously been applied by hand.

They were developed in the middle of the second decade of the 20th century.

They became one of the most important cryptographic solutions in the world for the following decades.

Usage
The concept of using rotor machines in cryptography occurred to a number of inventors independently.
At present, two Dutch naval officers, Theo A. van Hengel (1875 – 1939) and R. P. C. Spengler (1875 – 1955), are credited with inventing the first rotor cipher machine in 1915.
Four more people created (more or less independently) their own cryptographic rotor machines shortly afterwards: Edward Hebern, Arvid Damm, Hugo Koch and Arthur Scherbius.
Electro-mechanical machines fitted with movable rotors were able to produce long keystreams that appeared random, which made it possible to encrypt messages with complex polyalphabetic substitution ciphers.

Description
The main idea that lies behind rotor machines is relatively simple.

One can imagine a simple device, similar to a typewriter, with a number of keys used to input text.

The number of keys may differ, but usually there are 26 to 32 characters.

Simple substitution cipher

Each keystroke produces an output character, depending on the internal construction of the machine.

In the simplest case, if only wires are used (without any rotors), each input key will be mapped to one
specific output character.

For example, if someone pressed K on the keyboard, the machine would always produce C.
As a result, the machine would encrypt messages using a simple substitution cipher.
Adding a rotor
Having a simple substitution machine, one can imagine adding an additional internal rotor with an internal
wiring.

A gear advances the rotor by one position after every keystroke.

As a result, pressing the same letter twice produces two different output letters, because the internal wiring presented to the signal has changed.

For example, if someone pressed KK on the keyboard, the machine would produce CB (because the wiring changed after the first keystroke, due to the rotor movement).
The internal wiring of the rotor should be kept secret; however, we may expect that over time the enemy will discover its design.

That makes it easier for them to break the cipher, but it does not compromise the security altogether, since the starting position of the rotor is still unknown to them.

To decode a ciphertext, the receiver needs a machine with the same rotor.
Adding the rotor turned the encryption into a stronger polyalphabetic substitution cipher.
Make it difficult
To improve the security, one could add more rotors.

The output of one rotor would be connected to the input of the second rotor.

Similarly, the second rotor output would be connected to the third one, and so on.

The strength of the encryption depends on several factors:

- the number of rotors inside the machine;
- the size of each rotor;
- the number of rotor types (with different internal wirings).
Each rotor would contain a different internal wiring.

The substitution performed by each rotor should be unknown to the enemy.

To make cryptanalysis more difficult and to ensure that the wiring inside each rotor changes with different
frequency, the discs should rotate with different speeds.

Additionally, depending on the design of the machine, further features may be added to make the produced substitution as random as possible (for example, an additional fixed substitution that does not depend on the rotors).

Some rotor machines were designed to be symmetric: encrypting the ciphertext a second time with the same settings produces the original message.
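The machine described above, as an added example in Python (not code from the original notes): several rotors in series, each stepping at a different speed, with the rotor wirings playing the role of the machine design that may eventually be discovered and the starting positions playing the role of the secret key. The odometer stepping rule and the class itself are assumptions of this example, and the three wirings are the historical Enigma I, II and III permutations, used here only as valid 26-contact permutations.

```python
import string

ALPHABET = string.ascii_uppercase


class RotorMachine:
    """Constructed model of a multi-rotor machine. Each rotor is a permutation of
    the 26 contacts. Rotor 0 advances after every keystroke and rotor i advances
    once each time rotor i-1 completes a full turn, so the rotors turn at
    different speeds, as the notes require."""

    def __init__(self, wirings, positions=None):
        for w in wirings:
            if sorted(w) != list(ALPHABET):
                raise ValueError("a rotor wiring must be a permutation of A-Z")
        # forward[i][k]: contact k entering rotor i leaves at contact forward[i][k]
        self.forward = [[ALPHABET.index(ch) for ch in w] for w in wirings]
        # backward is the inverse permutation, used when decrypting
        self.backward = [[fw.index(k) for k in range(26)] for fw in self.forward]
        self.positions = list(positions or [0] * len(wirings))  # the secret key

    def _step(self):
        """Odometer stepping: carry into the next rotor only on a full turn."""
        for i in range(len(self.positions)):
            self.positions[i] = (self.positions[i] + 1) % 26
            if self.positions[i] != 0:
                break

    @staticmethod
    def _through(idx, wiring, pos):
        """Signal at contact idx passes a rotor rotated by pos positions."""
        return (wiring[(idx + pos) % 26] - pos) % 26

    def encrypt(self, text):
        out = []
        for ch in text.upper():
            idx = ALPHABET.index(ch)
            for wiring, pos in zip(self.forward, self.positions):
                idx = self._through(idx, wiring, pos)
            out.append(ALPHABET[idx])
            self._step()  # the rotors move after the keystroke, as in the text
        return "".join(out)

    def decrypt(self, text):
        """Send the signal back through the rotors in reverse order, inverse wirings."""
        out = []
        for ch in text.upper():
            idx = ALPHABET.index(ch)
            for wiring, pos in zip(reversed(self.backward), reversed(self.positions)):
                idx = self._through(idx, wiring, pos)
            out.append(ALPHABET[idx])
            self._step()
        return "".join(out)


# Historical Enigma I, II and III wirings, used only as example permutations.
WIRINGS = ["EKMFLGDQVZNTOWYHXUSPAIBRCJ",
           "AJDKSIRUXBLHWTMCQGZNPYFVOE",
           "BDFHJLCPRTXVZNYEIWGAKMUSQO"]
```

With a single rotor, pressing K twice gives two different letters because the rotor has moved between the keystrokes; with three rotors and a chosen starting position, a receiver who builds the machine with the same wirings and positions recovers the plaintext.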
Steganography
Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection; the secret data is then extracted at its destination.

The use of steganography can be combined with encryption as an extra step for hiding or protecting data.

The word steganography is derived from the Greek word steganos (meaning hidden or covered) and the Greek root graph (meaning to write).

Steganography can be used to conceal almost any type of digital content, including text, image, video or audio content; the data to be hidden can be hidden inside almost any other type of digital content.

The content to be concealed through steganography -- called the hidden text -- is often encrypted before being incorporated into the innocuous-seeming cover text file or data stream.

If not encrypted, the hidden text is commonly processed in some way in order
to increase the difficulty of detecting the secret content.

A basic steganographic model can be described as follows.

Both the cover file (X) and the secret message (M) are fed into the steganographic encoder as input.
The steganographic encoder function f(X, M, K) embeds the secret message into the cover file using a key K. The resulting stego object looks very similar to the cover file, with no visible changes.

This completes encoding. To retrieve the secret message, the stego object is fed into the steganographic decoder.

How is it different from cryptography?

Cryptography and steganography are both methods used to hide or protect secret data.

However, they differ in that cryptography makes the data unreadable, or hides the meaning of the data, while steganography hides the existence of the data.

Cryptography is similar to writing a letter in a secret language: people can read it, but won't understand what it means.

However, the existence of a (probably secret) message would be obvious to anyone who sees the letter, and if someone either knows or figures out your secret language, then your message can easily be read.

If you were to use steganography in the same situation, you would hide the letter
inside a pair of socks that you would be gifting the intended recipient of the letter.

To those who don’t know about the message, it would look like there was nothing
more to your gift than the socks.

But the intended recipient knows what to look for, and finds the message hidden in
them. 

Similarly, if two users exchanged media files over the internet, it would be more
difficult to determine whether these files contain hidden messages than if they were
communicating using cryptography. 
Steganography Techniques:
Depending on the nature of the cover object (the actual object in which the secret data is embedded), steganography can be divided into five types:

1. Text Steganography
2. Image Steganography
3. Video Steganography
4. Audio Steganography
5. Network Steganography

Text Steganography

Text steganography is hiding information inside text files.

It involves things like changing the format of existing text, changing words within a
text, generating random character sequences or using context-free grammars to
generate readable texts.

Image Steganography

Hiding data by using an image as the cover object is known as image steganography. In digital steganography, images are a widely used cover source, and there are many ways to hide information inside an image.
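One of the simplest image steganography methods, as an added example that is not part of the original notes: least-significant-bit (LSB) embedding, written to match the encoder/decoder model f(X, M, K) above. The cover is a constructed array of 8-bit samples standing in for a small grayscale image, and the key K is assumed to select the (pseudo-random) order in which samples are used; the length header and capacity rule are conventions of this example.

```python
import random


def _sample_order(cover_len, key):
    """Key-dependent order in which cover samples carry message bits: the K in f(X, M, K)."""
    order = list(range(cover_len))
    random.Random(key).shuffle(order)  # deterministic for a given key
    return order


def lsb_embed(cover, message, key):
    """f(X, M, K): hide message bits in the least significant bits of the cover samples.
    A 4-byte big-endian length header precedes the message so the decoder knows where to stop."""
    data = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    stego = bytearray(cover)
    for pos, bit in zip(_sample_order(len(cover), key), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # replace only the lowest bit
    return bytes(stego)


def lsb_extract(stego, key):
    """Decoder: read the LSBs back in the same key-dependent order.
    Returns None when the recovered header is implausible (e.g. wrong key)."""
    order = _sample_order(len(stego), key)

    def read(offset, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[order[offset + b * 8 + i]] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + 8 * length > len(stego):
        return None
    return read(32, length)


def capacity_bytes(cover):
    """Payload bytes a cover can hold: one bit per sample, minus the 4-byte header.
    This is the overhead the notes mention: eight cover bytes per hidden byte."""
    return len(cover) // 8 - 4


def max_sample_change(cover, stego):
    """Largest change to any sample; LSB embedding alters each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 2048 8-bit samples standing in for a small grayscale image.
COVER = bytes((i * 37 + 11) % 256 for i in range(2048))
```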

Audio Steganography

In audio steganography, the secret message is embedded into an audio signal, which alters the binary sequence of the corresponding audio file.

Hiding secret messages in digital sound is a much more difficult process when compared to others, such as image steganography.

Video Steganography

In video steganography you can hide any kind of data inside a digital video format.

The advantage of this type is that a large amount of data can be hidden inside, and the fact that it is a moving stream of images and sounds.

You can think of this as the combination of image steganography and audio steganography.

Drawbacks:

Steganography has a number of drawbacks when compared to encryption. It requires a lot of overhead to hide a relatively few bits of information.

Also, once the system is discovered, it becomes virtually worthless.

Electronic Code Book (ECB) –

- ECB stands for Electronic Codebook mode. It is one of the simplest modes of operation. In this mode, the plaintext is divided into blocks of 64 bits each, and each block is encrypted separately. The same key is used for the encryption of all blocks: each block is encrypted with the key and produces one block of ciphertext.
- At the receiver side, the data is divided into blocks of 64 bits each. The same key that was used for encryption is used for decryption: it takes each 64-bit ciphertext block and, using the key, converts it back into plaintext.
- Because the same key is used to encrypt every block, if a plaintext block is repeated in the original message, the corresponding ciphertext block will also repeat. To avoid such repetition, ECB mode is used only for short messages, where repeated plaintext blocks are unlikely.

Analysis of ECB Mode

In reality, application data usually contains partial information which can be guessed. For example, the range of a salary can be guessed. A ciphertext from ECB can allow an attacker to guess the plaintext by trial and error if the plaintext message lies within a predictable range.
For example, if a ciphertext from ECB mode is known to encrypt a salary figure, then a small number of trials will allow an attacker to recover the figure. In general, we do not wish to use a deterministic cipher, and hence ECB mode should not be used in most applications.

Pros:

1. Simple mode of the block cipher.
2. Ideal for a short amount of data, e.g. secure transfer of an AES or DES key.
3. Independent: any block can be encrypted on its own.
4. Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.

Cons:

1. Not secure for lengthy messages.
2. A cryptanalyst can exploit the regularities of the message.
3. A typical example of the weakness of encryption using ECB mode is encoding a bitmap image (for example a .bmp file). Even a strong encryption algorithm used in ECB mode cannot effectively hide the structure of the plaintext.

Cipher Block Chaining

- CBC stands for Cipher Block Chaining mode. At the sender side, the plaintext is divided into blocks. In this mode an IV (Initialization Vector) is used, which can be a random block of text. The IV is used to make the ciphertext of each block unique.
- The first block of plaintext and the IV are combined using the XOR operation, and the result is then encrypted with the key to form the first block of ciphertext. The first block of ciphertext is used as the IV for the second block of plaintext. The same procedure is followed for all blocks of plaintext.
- At the receiver side, the ciphertext is divided into blocks. The first ciphertext block is decrypted using the same key that was used for encryption. The decrypted result is XORed with the IV to form the first block of plaintext. The second block of ciphertext is also decrypted using the same key, and the result of the decryption is XORed with the first block of ciphertext to form the second block of plaintext. The same procedure is used for all the blocks.
- CBC mode ensures that if a block of plaintext is repeated in the original message, it will produce a different ciphertext block for each occurrence.
Note that the key used in CBC mode is the same for all blocks; only the IV is different, and it is initialized at the starting point.

Analysis of CBC Mode
In CBC mode, the current plaintext block is added (XORed) to the previous ciphertext block, and the result is then encrypted with the key.
Decryption is thus the reverse process, which involves decrypting the current ciphertext block and then adding (XORing) the previous ciphertext block to the result.

Advantages of CBC –
- CBC works well for input greater than b bits.
- CBC is a good authentication + confidentiality mechanism.
- Better resistance to cryptanalysis than ECB.

Disadvantages of CBC –
- Parallel encryption is not possible, since every encryption requires the previous ciphertext block.
- Cannot encrypt an arbitrary block on its own, since we need the ciphertext of the previous block.
- The initialization vector must be known to both sender and receiver.

Cipher Feedback Mode (CFB) –

In this mode, each ciphertext block gets 'fed back' into the encryption process in order to encrypt the next plaintext block.

CFB stands for Cipher Feedback mode. In this mode, the data is encrypted in the form of units where each unit is 8 bits.

As in cipher block chaining mode, an IV is initialized. The IV is kept in a shift register and is encrypted using the key; the output is used to form the ciphertext.

In this mode the ciphertext is given as feedback to the next block of encryption with some new specifications: first, an initial vector IV is used for the first encryption, and the output bits are divided into a set of s bits and a set of b-s bits.

The left-hand s bits are selected and XORed with the plaintext bits.

The result is given as input to a shift register, which holds the previous b-s bits on the left and the new s bits on the right, and the process continues.

The encryption and decryption processes are analogous; both of them use the encryption algorithm of the block cipher.

Analysis of CFB Mode
CFB mode differs significantly from ECB mode: the ciphertext corresponding to a given plaintext block depends not just on that plaintext block and the key, but also on the previous ciphertext block.
In other words, a ciphertext block depends on the preceding message.
CFB has a very unusual feature.
In this mode, the user decrypts the ciphertext using only the encryption process of the block cipher.
The decryption algorithm of the underlying block cipher is never used.
In effect, CFB mode converts a block cipher into a type of stream cipher.
The encryption algorithm is used as a key-stream generator to produce a key stream that is placed in the bottom register.
This key stream is then XORed with the plaintext, as in a stream cipher.

Pros:
1. Can operate in real time.
2. The need for padding is eliminated.
3. The encryption function performs decryption as well.
4. Length of PT = Length of CT.

Cons:
1. Chance of wasting transmission capacity.
2. Not a typical stream cipher.

Output Feedback Mode –

- OFB stands for Output Feedback mode. OFB mode is similar to CFB mode; the only difference is that in CFB the ciphertext is used for the next stage of the encryption process, whereas in OFB the output of the IV encryption is used for the next stage of the encryption process.
- The IV is encrypted using the key to form the encrypted IV. The plaintext and the leftmost 8 bits of the encrypted IV are combined using XOR to produce the ciphertext.
- In this output feedback mode, all bits of the block are sent instead of sending only selected s bits.

Pros:

1. In the case of CFB, a single bit error in a block is propagated to all subsequent blocks. This problem is solved by OFB, as it is free from bit errors in the plaintext block.
2. Bit errors in transmission do not propagate.
3. Same PT, same key – different CT.
4. The PT length can be chosen freely.

Cons:

1. Sender and receiver must remain synchronized.
2. More vulnerable to modification attacks.
3. Not parallelizable.
4. IV and keys must be regenerated every time.

Counter Mode –

- CTR stands for Counter mode. As the name suggests, it uses a sequence of numbers (counter values) as input to the algorithm. When a block has been encrypted, the next counter value is used to fill the next register.
Note: the counter value is incremented by 1.
- For encryption, the first counter value is encrypted using the key, and then the plaintext is XORed with the encrypted result to form the ciphertext.
- The counter is incremented by 1 for the next stage, and the same procedure is followed for all blocks. For decryption, the same sequence is used: to convert ciphertext into plaintext, each ciphertext block is XORed with the encrypted counter. For the next stage the counter is incremented, and the same is repeated for all ciphertext blocks.
- CTR mode is independent of feedback and thus can be implemented in parallel.

Analysis of Counter Mode

It has no message dependency, and hence a ciphertext block does not depend on the previous plaintext blocks.

Advantages of Counter –
- Since there is a different counter value for each block, a direct plaintext-to-ciphertext relationship is avoided. This means that the same plaintext can map to different ciphertexts.
- Parallel execution of encryption is possible, as outputs from previous stages are not chained as in the case of CBC.
- Hardware efficiency.
- Software efficiency.
- Preprocessing.
- Random access.
- Provable security.
- Simplicity.

Disadvantages:
The serious disadvantage of CTR mode is that it requires a synchronized counter at sender and receiver. Loss of synchronization leads to incorrect recovery of plaintext.
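The five modes described above (ECB, CBC, CFB, OFB and CTR), as an added example in Python that is not part of the original notes. Because the point is how the modes chain blocks rather than the block cipher itself, a constructed 64-bit Feistel network built from SHA-256 stands in for DES/AES (an assumption of this example, not a real cipher); CFB is shown in its full-block form (s = b), and the IV/counter arguments are assumed to be 8 bytes.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the block size the notes use for ECB and CBC


def xor(a, b):
    """Byte-wise XOR; truncates to the shorter input (handles a short final block)."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Constructed stand-in for DES/AES: a 4-round Feistel network whose round function
    is SHA-256 over (key, round number, right half). It is a keyed permutation on
    8-byte blocks, which is all the modes below need. It is NOT a real cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left  # undo the last swap so decryption runs the same network backwards


def toy_block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: each block is encrypted on its own with the same key, so equal plaintext
# blocks give equal ciphertext blocks (the repetition the notes warn about).
def ecb_encrypt(key, pt):
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(toy_block_decrypt(key, b) for b in blocks(ct))


# CBC: XOR each plaintext block with the previous ciphertext block (the IV for the
# first one) before encrypting; decryption decrypts first, then XORs.
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = toy_block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(toy_block_decrypt(key, b), prev))
        prev = b
    return b"".join(out)


# CFB (full-block variant, s = b): encrypt the previous ciphertext block and XOR
# it with the plaintext. Only the forward cipher is used, even when decrypting.
def cfb_encrypt(key, iv, pt):
    out, feedback = [], iv
    for b in blocks(pt):
        feedback = xor(b, toy_block_encrypt(key, feedback))
        out.append(feedback)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, feedback = [], iv
    for b in blocks(ct):
        out.append(xor(b, toy_block_encrypt(key, feedback)))
        feedback = b
    return b"".join(out)


# OFB: the cipher output is fed back, so the keystream never depends on the data
# and one function both encrypts and decrypts.
def ofb_crypt(key, iv, data):
    out, ks = [], iv
    for b in blocks(data):
        ks = toy_block_encrypt(key, ks)
        out.append(xor(b, ks))
    return b"".join(out)


# CTR: keystream block i = E_K(counter + i). No chaining, so blocks can be
# processed in parallel or at random, and the same function decrypts.
def ctr_crypt(key, counter, data):
    out, start = [], int.from_bytes(counter, "big")
    for i, b in enumerate(blocks(data)):
        ks = toy_block_encrypt(key, ((start + i) % (1 << 64)).to_bytes(BLOCK, "big"))
        out.append(xor(b, ks))
    return b"".join(out)


def repeated_blocks(ct):
    """Ciphertext blocks that duplicate an earlier one; non-zero means ECB-style leakage."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))
```

Encrypting a plaintext made of four identical 8-byte blocks shows the difference directly: ECB produces three repeated ciphertext blocks, while CBC and CTR produce none, and the stream-like modes (CFB, OFB, CTR) handle a 17-byte input without padding.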
AES Structure
AES Introduction:
The most popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES).
It is found to be at least six times faster than triple DES.
A replacement for DES was needed as its key size was too small.
With increasing computing power, it was considered vulnerable against exhaustive key search attacks.
Triple DES was designed to overcome this drawback, but it was found to be slow.

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

- AES is a block cipher.
- The key size can be 128/192/256 bits.
- It encrypts data in blocks of 128 bits each.
That means it takes 128 bits as input and outputs 128 bits of encrypted ciphertext.

Working of the cipher:

AES performs operations on bytes of data rather than on bits. Since the block size is 128 bits, the cipher processes 128 bits (or 16 bytes) of the input data at a time.
The number of rounds depends on the key length as follows:
- 128-bit key – 10 rounds
- 192-bit key – 12 rounds
- 256-bit key – 14 rounds
The features of AES are as follows:

- Symmetric key, symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- Stronger and faster than Triple-DES
- Full specification and design details provided
- Software implementable in C and Java
The AES algorithm is a symmetric block cipher algorithm that takes plaintext in blocks of 128 bits and converts them to ciphertext using keys of 128, 192, or 256 bits.

AES Structure
The overall structure of the AES encryption process is as follows.
The cipher takes a plaintext block size of 128 bits, or 16 bytes.
The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits).
The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.
The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.
The first N - 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.
The final round contains only three transformations, and there is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0.
Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output.
The output of each round is a 4 x 4 matrix, with the output of the final round being the ciphertext.
Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix.
Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
AES Parameters:

Parameter              AES-128   AES-192   AES-256
Key size (bits)        128       192       256
Plaintext size (bits)  128       128       128
Number of rounds       10        12        14
Round key size (bits)  128       128       128

In all the variants the input size and output size remain the same, i.e. the plaintext size and the ciphertext size are equal.
Detailed Structure

- AES operates on a 128-bit plaintext block as a single 4 x 4 matrix, which has a total size of 16 bytes. Every 4 bytes represent a word.
- The 128-bit key is expanded to form an array containing 44 32-bit words, and in each round of AES 4 distinct words from the expanded key are supplied to the round key process.
- A round has four functions, of which one is a permutation and three are substitutions: Substitute Bytes, Mix Columns and Add Round Key are substitution functions, whereas Shift Rows is a permutation function.
- Sub Bytes: uses the S-box to perform a byte-by-byte substitution of the entire block (matrix).
- Shift Rows: the rows of the matrix are shifted.
- Mix Columns: the columns of the matrix are mixed (shuffled).
- Add Round Key: the XOR of the current block and the expanded key is performed.
- Both the encryption and decryption processes start with the Add Round Key function, which is followed by nine rounds that use all four substitution and permutation functions; the last (tenth) round has only three functions.
- Only the Add Round Key function makes use of the key.
- During decryption, the inverse functions of Substitute Bytes, Mix Columns and Shift Rows are used, and the inverse of Add Round Key is carried out by XORing the same round key as in encryption with the cipher block.
- During decryption the sequence of keys used during encryption is reversed.
- In both encryption and decryption, the last round always has only three functions; Mix Columns is omitted in the last round of AES.
- Every intermediate result is stored in the 4 x 4 state matrix.

Advanced Encryption Standard (AES) Encryption and Decryption
The following describes the encryption and decryption of AES.
AES encryption:

Step 1: Initially the 16-byte key, or 4-word key, is expanded to an array of 44 words, where each word is 4 bytes.

Step 2: At the very start of the encryption process the 16-byte plaintext block, or 4-word plaintext block, is XORed with the 4-word key, i.e. W0, W1, W2, W3. The result of this XOR is provided to the 1st round.
Step 3: In the first round, the result of the XOR is processed by the Substitute Bytes, Shift Rows, Mix Columns and Add Round Key functions, in that sequence.

The Add Round Key function is provided with the next 4 words from the expanded key, W4, W5, W6, W7. The result of the first round is provided to the second round.

Step 4: All rounds up to round nine perform the same functions, and in each round a distinct key is provided from the expanded key. In round ten only three functions are performed on the input provided by round 9: Substitute Bytes, Shift Rows and Add Round Key.
The result of round 10 is the ciphertext block of the corresponding plaintext block.

Advanced Encryption Standard (AES) Decryption

The AES decryption process mirrors the encryption process and also starts with the Add Round Key function. The 16-byte ciphertext, in the form of a 4 x 4 state matrix, is XORed with the unique 4-word key.

The key sequence used in encryption is reversed during decryption, and all the other round functions are also inverted in the decryption process to retrieve the original 16-byte plaintext block.

Round Functions
Each round has four stages, or four functions, which are as follows:

Substitute Bytes

The input to Substitute Bytes is a 4 x 4 state matrix of 16 bytes, where each element of the matrix is 1 byte. AES defines a 16 x 16 matrix, the S-box, which contains a permutation of all 256 8-bit values.

The Substitute Bytes function maps each byte element of the state matrix to a new value using the following procedure.
Step 1: A byte element in the state matrix has 8 bits. The leftmost 4 bits are used as the row index of the S-box and the rightmost 4 bits are used as the column index of the S-box.

Step 2: This row value and column value act as an index to get the new value from the S-box.

Let us suppose a byte element S2,2 has the value 25, whose binary representation is 00011001. So the leftmost 4 bits, 0001, represent '1' and the rightmost 4 bits, 1001, represent '9'. The value at the intersection of row 1 and column 9 in the S-box is 'D4'. In this way, the value 25 is mapped to the new value D4.

The Substitute Bytes function maps each element of the 4 x 4 state matrix to a new value and forwards the newly formed 4 x 4 state matrix to the Shift Rows function.

Shift Rows

The input to the Shift Rows function is the 4 x 4 state matrix forwarded from the Substitute Bytes function. Shift Rows performs a circular left shift on the rows of the matrix. On the first row, the circular left shift is performed by 0 bytes.
On the second row, a circular left shift is performed by 1 byte. On the third row, the circular left shift is performed by 2 bytes. On the fourth row of the input state matrix, the circular left shift is performed by 3 bytes. The resulting 4 x 4 state matrix of the Shift Rows function is forwarded to the Mix Columns function.

Mix Columns

The input 4 x 4 state matrix is multiplied by a constant, predefined matrix.

Each byte element of the resulting matrix of the Mix Columns function is the sum of the products of one row of the defined matrix and one column of the state matrix. The product matrix of the Mix Columns function is forwarded to the last function of a round, i.e. Add Round Key.

Add Round Key

In the Add Round Key function, the input state matrix is XORed with the unique 4-word key. In each round the key used to XOR with the state matrix is distinct.

Add Round Key is a column-wise function: a 4-byte column of the state matrix is XORed with a 4-byte word of the key. It can also be viewed as a byte-level function.
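The round structure described above, as an added example in Python (not code from the original notes): AES-128 encryption with SubBytes, ShiftRows, MixColumns, AddRoundKey and the key expansion as separate functions. The S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine transform) rather than typed in, the state is stored as four 4-byte columns, and only the encryption direction is shown; decryption applies the inverse functions in reverse order as the text describes.

```python
def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def gmul(a, b):
    """Multiply two bytes in GF(2^8); used by MixColumns and by the S-box construction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox():
    """S-box entry = affine transform of the multiplicative inverse (FIPS-197 section 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def key_expansion(key):
    """Expand the 16-byte key into 44 four-byte words; round r uses words 4r..4r+3."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]       # RotWord
            temp = [SBOX[b] for b in temp]   # SubWord
            temp[0] ^= RCON[i // 4 - 1]      # round constant
        w.append([w[i - 4][j] ^ temp[j] for j in range(4)])
    return w


# The state is kept as 4 columns of 4 bytes: state[c][r] holds input byte 4c + r.
def sub_bytes(state):
    """Byte-by-byte substitution through the S-box (row = high nibble, column = low nibble)."""
    return [[SBOX[b] for b in col] for col in state]


def shift_rows(state):
    """Row r is rotated left by r positions: new s[r][c] = old s[r][(c + r) % 4]."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def mix_columns(state):
    """Each column is multiplied by the fixed circulant matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = []
    for a in state:
        out.append([
            gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3),
            gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2),
        ])
    return out


def add_round_key(state, w, rnd):
    """Column c of the state is XORed with expanded-key word 4*rnd + c."""
    return [[state[c][r] ^ w[4 * rnd + c][r] for r in range(4)] for c in range(4)]


def aes128_encrypt_block(key, block):
    """Round 0: AddRoundKey only. Rounds 1-9: all four functions. Round 10: no MixColumns."""
    w = key_expansion(key)
    state = [list(block[4 * c:4 * c + 4]) for c in range(4)]
    state = add_round_key(state, w, 0)
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), w, rnd)
    state = add_round_key(shift_rows(sub_bytes(state)), w, 10)
    return bytes(b for col in state for b in col)
```

The generated S-box reproduces the lookup worked above (0x19, i.e. 25, maps to 0xD4), and the full cipher reproduces the FIPS-197 known-answer vectors.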

Advantages and Disadvantages of AES

Advantages

1. AES can be implemented in both hardware and software.
2. AES has three key lengths: 128 bits, 192 bits and 256 bits.
3. AES is implemented in a wide range of applications, as it is defined as the standard by NIST.

Disadvantages

If the key used in AES is not employed properly, it can open the way to a cryptanalytic attack. Therefore, key scheduling should be done carefully.
Pseudo Random Number Generator (PRNG)
A Pseudo Random Number Generator (PRNG) is an algorithm that uses mathematical formulas to produce sequences of random-looking numbers.
PRNGs generate a sequence of numbers approximating the properties of random numbers.
A PRNG starts from an arbitrary starting state, given by a seed.
Many numbers can be generated in a short time, and the sequence can also be reproduced later if the starting point in the sequence is known.
Hence, the numbers are deterministic and efficient.

Why do we need PRNGs?
With the advent of computers, programmers recognized the need for a means of introducing randomness into a computer program.
However, surprising as it may seem, it is difficult to get a computer to do something by chance, as a computer follows the given instructions blindly and is therefore completely predictable.
It is not possible to generate truly random numbers from a deterministic machine like a computer, so PRNGs are a technique developed to generate random-looking numbers using a computer.

How does a PRNG work?
The Linear Congruential Generator is the most common and oldest algorithm for generating pseudo-random numbers.
We generate the next random integer from the previous random integer, integer constants, and an integer modulus.
To get started, the algorithm requires an initial seed, which must be provided by some means.
The appearance of randomness is provided by performing modular arithmetic.

Characteristics of PRNGs
- Efficient: a PRNG can produce many numbers in a short time, which is advantageous for applications that need many numbers.
- Deterministic: a given sequence of numbers can be reproduced at a later date if the starting point in the sequence is known. Determinism is handy if you need to replay the same sequence of numbers again at a later stage.
- Periodic: PRNGs are periodic, which means that the sequence will eventually repeat itself. While periodicity is hardly ever a desirable characteristic, modern PRNGs have a period that is so long that it can be ignored for most practical purposes.

Applications of PRNGs
PRNGs are suitable for applications where many random numbers are required and where it is useful that the same sequence can be replayed easily.
Popular examples of such applications are simulation and modeling applications.
PRNGs are not suitable for applications where it is important that the numbers are really unpredictable, such as data encryption and gambling.
Widely used PRNG algorithms: Lagged Fibonacci generators, linear feedback shift registers, Blum Blum Shub.
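The Linear Congruential Generator described above, as an added example in Python that is not part of the original notes. It shows the three characteristics listed (efficiency, determinism, periodicity) and why the notes say PRNG output must not be used where unpredictability matters: with a known prime modulus, three consecutive outputs are enough to solve for the constants and predict every later value. The parameter values are constructed for illustration.

```python
def lcg(seed, a, c, m):
    """Generator for X_{n+1} = (a * X_n + c) mod m, the recurrence described above."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def first_n(seed, a, c, m, n):
    """The first n outputs for a seed. The same seed always gives the same list (determinism)."""
    gen = lcg(seed, a, c, m)
    return [next(gen) for _ in range(n)]


def states_before_repeat(seed, a, c, m):
    """Number of distinct values visited before the sequence repeats; at most m (full period).
    Hull and Dobell's conditions (c coprime to m, a-1 divisible by every prime factor of m,
    and by 4 if m is) guarantee the full period m for every seed."""
    seen, x = set(), seed
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % m
    return len(seen)


def recover_parameters(x0, x1, x2, m):
    """Given three consecutive outputs and a prime modulus m, solve for (a, c):
    x2 - x1 = a * (x1 - x0) (mod m), then c = x1 - a * x0 (mod m).
    Once (a, c) are known every future output is predictable, which is why an LCG
    must never supply keys or other secrets."""
    a = (x2 - x1) * pow(x1 - x0, -1, m) % m   # pow(.., -1, m) needs Python 3.8+
    c = (x1 - a * x0) % m
    return a, c


def predict_next(x, a, c, m):
    return (a * x + c) % m
```

With m = 16, a = 5, c = 3 (constructed values that satisfy the full-period conditions) every residue appears before the sequence repeats, whereas a = 4 with the same m and c collapses onto a fixed point after a few steps.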

Public Key Cryptography

Public key cryptography is a cryptographic technique that involves 'two distinct keys' for encryption and decryption.

That is why it is also known as asymmetric-key cryptography.

Public key cryptography is entirely based on 'invertible mathematical' functions, which makes it different from conventional symmetric key cryptography.

It is not that the symmetric key cryptosystem is less efficient than public key, or that the public key cryptosystem is superior.

The security of any cryptosystem depends only on the length of the key and the computation required to crack the encrypted ciphertext.

Principles of Public Key Cryptosystems

There are two basic principles of any cryptosystem, i.e. confidentiality and authenticity. We have seen that the symmetric cryptosystem has problems associated with these two principles.

In symmetric cryptography, the problem associated with confidentiality is this: we all know that in symmetric cryptography a secret key is used to encrypt as well as decrypt the message.

So this key must be shared by both communicating parties by some means, or they must rely on a third party for the distribution of the key, i.e. a key distribution centre.
But relying on a third party again risks the secrecy of the secret key.

Symmetric key cryptography also had an issue with authentication.

To become widespread, there was a need for digital signatures that assure all parties that a particular message has been sent by a particular person.

The public key cryptosystem is successful in achieving both of these principles, i.e. confidentiality and authenticity.

We begin by encrypting the message using the sender's private key. Since the message is encrypted using the sender's private key, it is confirmed that the message has been prepared by the sender.

This performs the function of a digital signature.

E(PRS, M)

Nobody is able to modify the message without having the sender's private key. So the public key cryptosystem has achieved authentication in both senses: data integrity and source.

Now, the message that was first encrypted with the sender's private key is encrypted again using the intended receiver's public key.

M' = E(PUR, E(PRS, M))

The final ciphertext can only be decrypted with the intended receiver's private key, which is known only to him. In this way, public key cryptography achieves confidentiality.

The decryption of the final ciphertext is:

M = D(PUS, D(PRR, M'))

There is a drawback to this approach. We all know that the public key cryptosystem is based on mathematical functions and involves a great deal of computation, which makes it complex. To achieve both confidentiality and authenticity, the public key algorithm has to be applied four times.
Public Key Cryptosystem
Any public key cryptographic algorithm has six elements, as follows:

1. Plain Text
This is a readable message which is given as input to the algorithm. In a public key algorithm, the plaintext is encrypted in blocks.

2. Encryption Algorithm
The encryption algorithm is applied to the plaintext and performs several transformations on it.

3. Public and Private Keys
These are a pair of keys of which, if one is used for encryption, the other is used for decryption. The transformation of the plaintext by the encryption algorithm depends on the key chosen from the pair to encrypt the plaintext.

4. Cipher Text
This is the output of the encryption algorithm. The generated ciphertext depends entirely on the key selected from the pair of public and private keys. Each of these keys, applied in turn to the same plaintext, produces a different ciphertext.

5. Decryption Algorithm
This accepts the output of the encryption algorithm, i.e. the ciphertext, and applies the related key to produce the original plaintext.

Now let us discuss the steps in public key cryptography.

Step 1. Each user has to generate two keys, one of which will be used for
encryption and the other for decryption of messages.

Step 2. Each user has a pair of keys, of which one has to be made public
and the other has to be kept secret.

Step 3. If a user has to send a message to a particular receiver, the sender
must encrypt the message using the intended receiver's public key and then
send the encrypted message to the receiver.

Step 4. On receiving the message, the receiver has to decrypt the message
using his private key.

In public key cryptography, there is no need for key distribution as we have
seen in symmetric key cryptography. As long as the private key is kept secret,
no one can read the message. In future, the user can change its private key
and publish the related public key in order to replace the old public key.

Public Key Cryptography Requirements

Public key cryptography must satisfy the following requirements:

• The computation of the pair of keys, i.e. the private key and the public
key, must be easy.
• Knowing the encryption algorithm and the public key of the intended
receiver, computation of the cipher text must be easy.
• For the receiver of the message, it should be computationally easy to
decrypt the obtained cipher text using his private key.
• Any opponent in the network who knows the public key should be unable to
determine the corresponding private key.
• Having the cipher text and the public key, an opponent should be unable to
determine the original message.
• The two keys, i.e. the public and the private key, can be applied in either
order:
D[PU, E(PR, M)] = D[PR, E(PU, M)]

Public Key Cryptosystem Applications


In public key cryptography, every user has to generate a pair of keys, of
which one is kept secret and known as the private key and the other is made
public and hence called the public key. Whether the sender's private key or
the receiver's public key is used to encrypt the original message depends
entirely on the application.

We can classify the applications of the public key cryptosystem as below:

a. Encryption/Decryption

If the purpose of an application is to encrypt and decrypt messages, the
sender encrypts the message using the intended receiver's public key and the
receiver decrypts the message using his own private key.

b. Digital Signature

If the purpose of the application is to authenticate the user, the message is
signed, i.e. encrypted, using the sender's private key. As only the sender has
its private key, this assures all parties that the message was sent by that
particular person.

c. Key Exchange

The two communicating parties exchange a secret key (maybe a private key)
for symmetric encryption to secure a particular transaction. This secret key is
valid for a short period.

Some algorithms support all three applications and some support only one or
two of them. The image below shows which algorithms provide which of these
applications.

Public Key Cryptanalysis


To prevent a brute force attack the key size must be kept large enough that
it is impractical for an adversary to try all keys. But the key size should
not be so large that encryption and decryption themselves become impractical
to compute.

Another type of attack on public key cryptography is for the adversary to
try to compute the private key from the known public key.

One more type of attack is the probable message attack.

Suppose an adversary knows that the encrypted message from a particular
sender is a 56-bit key. Then he would simply encrypt all possible 56-bit keys
using the public key, as the public key is known to all, and match each
result against the cipher text. This type of attack can be prevented by
appending some random bits to the original message.

• A public key cryptosystem is one which involves two separate keys for
encryption and decryption.
• Each user participating in the communication has to generate two keys,
one to be kept secret (private key) and one to be made public (public
key).
• A public key cryptosystem can achieve both confidentiality and
authenticity.
• The public key cryptosystem is based on invertible mathematical functions
and therefore involves heavy computation.
• A large key size reduces the probability of a brute force attack on a
public key cryptosystem.
• Examples of public key cryptosystems are RSA, Diffie-Hellman, DSS and
Elliptic Curve.

So, this is all about the public key cryptosystem. 

RSA Algorithm
RSA is a public key cryptographic algorithm in which two different keys are
used to encrypt and decrypt the message. That’s why it is also called
an asymmetric key algorithm.

But what was the need for asymmetric key cryptography? Why did it evolve?
Let us discuss the reason. Asymmetric key cryptography evolved because of
two problems of symmetric key cryptography.

The first problem with symmetric key cryptography is key distribution. The
two communicating parties may already share a key that has been distributed
to them by some means, or the key must be shared with the help of a key
distribution centre. But using a key distribution centre can compromise the
secrecy of the key, which hampers the confidentiality of the message.

The second problem with symmetric key cryptography is digital signatures.
That is, there was a requirement for digital signatures which would assure all
parties that a message had been sent by a particular individual. So, there
was a lack of authentication.

Both of these problems of symmetric key cryptography led to the evolution
of asymmetric key cryptography. In the year 1978 three inventors at MIT,
Rivest, Shamir and Adleman, introduced the RSA public key algorithm, which
follows the essential steps below:

• In RSA public key cryptography each user has to generate two keys,
a private key and a public key.
• The public key is circulated or published to all and hence others are
aware of it, whereas the private key is kept secret by the user only.
• A sender has to encrypt the message using the intended receiver's public
key.
• Only the intended receiver can decrypt the message. In between, no one
can compromise the confidentiality of the message, as the message can only
be decrypted by the intended receiver's private key, which is known only to
that receiver.

M' = E(PUr, M) ……….. Encryption

M = D(PRr, M') ……….. Decryption

M is the original message
M' is the encrypted message
E is the encryption algorithm
D is the decryption algorithm
PUr is the receiver's public key
PRr is the receiver's private key
PUs is the sender's public key
PRs is the sender's private key

The two problems of symmetric key cryptography, i.e. confidentiality and
authentication, can be overcome by the double use of public key cryptography.

1. First, encrypt the message with the sender's private key; this can be
decrypted with the sender's public key (known to all). This provides a digital
signature on the sender's message and thus authentication is achieved.

E(PRs, M)

2. In the next step, encrypt again with the receiver's public key. This allows
only the intended receiver to decrypt the message, which provides
confidentiality.

M' = E(PUr, E(PRs, M))

The decryption is shown by the following expression:

M = D(PUs, D(PRr, M'))

Key Generation
Till now we have seen that every sender or a receiver must have two
keys a public key and a private key. In this section, we will discuss the steps to
derive a public and a private key.

In RSA, the encryption and decryption expressions are in exponential form:

M' = M^e mod n  …………. Encryption, Public key (e, n)

M = M'^d mod n  …………. Decryption, Private key (d, n)

Steps to generate the public key (e, n) and the private key (d, n)

1. First, select two prime numbers p = 7 and q = 11.

2. Now calculate n = p × q = 7 × 11
n = 77

3. Calculate φ(n) = φ(p × q)
= φ(p) × φ(q)
= (p-1) × (q-1) ……. φ(a) = (a-1) if a is a prime number.
= (7-1) × (11-1)
= 6 × 10
φ(n) = 60

4. Select e such that 1 ≤ e < φ(n) and e is coprime to φ(n).
So, I select e = 7.
Our public key for this particular example is (7, 77).

5. Now we will determine the value of d. Since e and φ(n) are coprime, d is
the multiplicative inverse of e modulo φ(n). To calculate the value of d, use
the formula below:

In the equation above we know the values of φ(n) and e; the value of i is
unknown. First, we put i = 1.

If the result is not an integer, we compute the equation again, this time
incrementing i by 1, i.e. with i = 2. Keep incrementing i until the equation
yields an integer.

So, by trial and error, for i = 5 we get the result d = 43.

Now we have generated both the private and the public key.

Private Key (43, 77)
Public Key (7, 77)

RSA Encryption
Now, after generating the private and public key, we will encrypt the
message. In RSA the plain text is always encrypted in blocks, and the binary
value of each plain text block must be < n. Encryption is done with the
intended receiver's public key. The expression to calculate the cipher text is
as follows:

M' = M^e mod n

In our example, e = 7 and n = 77, i.e. the public key is (7, 77), and we have
to take a value of M such that M < n. We take M = 15. So, the expression
becomes

M' = 15^7 mod 77

M' = [(15^4 mod 77) × (15^2 mod 77) × (15^1 mod 77)] mod 77

M' = [36 × 71 × 15] mod 77

M' = 71 ……… Cipher Text

RSA Decryption
Done with the encryption, now it is time to decrypt the message. For
decryption in RSA, we require the cipher text and the private key
corresponding to the public key used in encryption.

In our example the cipher text is M' = 71 and the private key is (43, 77).
The expression to calculate the plain text is as follows:

M = M'^d mod n

M = 71^43 mod 77

M = 15

So, this is the method to encrypt and decrypt a message in RSA. It is very
important to remember that in RSA we have to encrypt the message using the
intended receiver's public key, so that the message can only be decrypted by
the intended receiver's private key. This provides confidentiality to our
message.
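As an added example (not code from these notes), the following Python reproduces the key generation, encryption and decryption above with the notes' numbers, and also the sign-then-encrypt double use M' = E(PUr, E(PRs, M)) from the earlier section. The trial-and-error search for d is assumed to be d = (1 + i·φ(n))/e for i = 1, 2, …, which gives the notes' i = 5, d = 43; the second key pair (p = 13, q = 17, e = 5) is a constructed value, and all function names are the author's own.

```python
# Added example (not code from these notes): textbook RSA with the notes'
# numbers p = 7, q = 11, e = 7, M = 15, plus the sign-then-encrypt double use
# M' = E(PUr, E(PRs, M)). The trial-and-error search for d is assumed to be
# d = (1 + i*phi(n)) / e for i = 1, 2, ..., which reproduces the notes'
# result i = 5 -> d = 43. No padding is applied, so this is the deterministic
# textbook scheme the notes describe, for study only.
from math import gcd


def totient_of_primes(p, q):
    """phi(n) = (p-1)(q-1) for n = p*q with p and q prime."""
    return (p - 1) * (q - 1)


def find_d_by_trial(e, phi, max_i=10_000):
    """Search i = 1, 2, ... until 1 + i*phi is divisible by e; return (i, d).

    Assumed reconstruction of the notes' trial-and-error step.
    """
    for i in range(1, max_i + 1):
        if (1 + i * phi) % e == 0:
            return i, (1 + i * phi) // e
    raise ValueError("no inverse found; is e coprime to phi(n)?")


def generate_keys(p, q, e):
    """Return ((e, n), (d, n)) following steps 1-5 of the notes."""
    n = p * q
    phi = totient_of_primes(p, q)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must lie in (1, phi(n)) and be coprime to phi(n)")
    _, d = find_d_by_trial(e, phi)
    assert d == pow(e, -1, phi)  # cross-check against the extended-Euclid inverse
    return (e, n), (d, n)


def encrypt(m, public_key):
    """M' = M^e mod n; each plaintext block must be smaller than n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(m, e, n)


def decrypt(c, private_key):
    """M = M'^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def sign_then_encrypt(m, sender_private, receiver_public):
    """M' = E(PUr, E(PRs, M)): sign with the sender's private key, then
    encrypt with the receiver's public key.

    The inner result becomes a block for the outer modulus, so the
    receiver's modulus must be larger than the sender's.
    """
    d_s, n_s = sender_private
    e_r, n_r = receiver_public
    if n_s >= n_r:
        raise ValueError("receiver modulus must exceed sender modulus")
    return pow(pow(m, d_s, n_s), e_r, n_r)


def decrypt_then_verify(c, receiver_private, sender_public):
    """M = D(PUs, D(PRr, M')): strip the outer layer with the receiver's
    private key, then the signature layer with the sender's public key."""
    d_r, n_r = receiver_private
    e_s, n_s = sender_public
    return pow(pow(c, d_r, n_r), e_s, n_s)


if __name__ == "__main__":
    sender_pub, sender_priv = generate_keys(7, 11, 7)        # notes' key pair
    receiver_pub, receiver_priv = generate_keys(13, 17, 5)   # constructed second pair
    print(sender_pub, sender_priv)                            # (7, 77) (43, 77)
    c = encrypt(15, sender_pub)
    print(c, decrypt(c, sender_priv))                         # 71 15
    c2 = sign_then_encrypt(15, sender_priv, receiver_pub)
    print(decrypt_then_verify(c2, receiver_priv, sender_pub)) # 15
```

The `assert` in `generate_keys` checks the trial-and-error result against Python's built-in modular inverse, so a wrong reconstruction of the notes' formula would be caught immediately rather than silently producing a key pair that fails to round-trip.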

Advantages and Disadvantages

Advantages

1. RSA is stronger than any other symmetric key algorithm.

2. RSA has overcome the weaknesses of symmetric algorithms, i.e. it provides
authenticity and confidentiality.

Disadvantages

1. RSA is computationally expensive.

The Security of RSA: Five possible approaches to attacking the RSA
algorithm are

• Brute force: This involves trying all possible private keys.

• Mathematical attacks: There are several approaches, all equivalent in
effort to factoring the product of two primes.

• Timing attacks: These depend on the running time of the decryption
algorithm.

• Hardware fault-based attack: This involves inducing hardware faults
in the processor that is generating digital signatures.

• Chosen ciphertext attacks: This type of attack exploits properties of
the RSA algorithm.

We provide an overview of mathematical and timing attacks.

The Factoring Problem: We can identify three approaches to attacking
RSA mathematically.

1. Factor n into its two prime factors.

2. Determine φ(n) directly, without first determining p and q.

3. Determine d directly, without first determining φ(n).

Timing Attacks:
A timing attack is a security exploit that enables an attacker to extract
potentially sensitive or secret information from a local or remote system by
observing the system's response time to various inputs.

A timing attack belongs to a broader class of attacks called side-channel
attacks.

Timing attacks exploit the timing variations in cryptographic operations.

Although the timing attack is a serious threat, there are simple
countermeasures that can be used, including the following:

• Constant exponentiation time: Ensure that all exponentiations take the
same amount of time before returning a result.

• Random delay: Better performance could be achieved by adding a
random delay to the exponentiation algorithm to confuse the timing
attack.

• Blinding: Multiply the ciphertext by a random number before
performing exponentiation. This process prevents the attacker from
knowing what ciphertext bits are being processed inside the computer
and therefore prevents the bit-by-bit analysis essential to the timing
attack.
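The blinding countermeasure, as an added example (not code from these notes) applied to the notes' key pair e = 7, d = 43, n = 77: the value actually raised to the private exponent is c·r^e mod n for a fresh random r, so its bit pattern is unrelated to the real ciphertext, and the factor r is divided out afterwards. The function names and the `r` parameter are the author's own.

```python
# Added example (not code from these notes): the blinding countermeasure
# applied to the notes' key pair (e = 7, d = 43, n = 77).
import secrets
from math import gcd

E, N, D = 7, 77, 43   # public exponent, modulus and private exponent from the notes


def random_blinding_factor(n):
    """Pick r in [2, n-1] with gcd(r, n) = 1 so that r has an inverse mod n."""
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if gcd(r, n) == 1:
            return r


def blinded_decrypt(c, d, e, n, r=None):
    """Return c^d mod n without ever exponentiating c itself.

    r may be supplied for testing; in real use it must be fresh and random
    on every call, otherwise the blinding gives no protection.
    """
    if r is None:
        r = random_blinding_factor(n)
    c_blind = (c * pow(r, e, n)) % n       # blind: multiply by r^e
    m_blind = pow(c_blind, d, n)           # (c * r^e)^d = c^d * r  (mod n)
    return (m_blind * pow(r, -1, n)) % n   # unblind: divide by r


def plain_decrypt(c, d, n):
    """The unblinded computation, for comparison."""
    return pow(c, d, n)


if __name__ == "__main__":
    print(blinded_decrypt(71, D, E, N))   # 15, same as plain_decrypt(71, D, N)
```

Both functions return the same plaintext for every ciphertext, which is the point: blinding changes what the private-key exponentiation operates on, not what the decryption produces.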
Fault-Based Attack:

The attack algorithm involves inducing single-bit errors and observing the
results.

This attack, while worthy of consideration, does not appear to be a serious
threat to RSA.

Chosen Ciphertext Attack and Optimal Asymmetric Encryption Padding:

The basic RSA algorithm is vulnerable to a chosen ciphertext attack (CCA). A
CCA is defined as an attack in which the adversary chooses a number of
ciphertexts and is then given the corresponding plaintexts, decrypted with the
target's private key. Thus, the adversary could select a plaintext, encrypt it
with the target's public key, and then get the plaintext back by having it
decrypted with the private key.

To counter such attacks, RSA recommends modifying the plaintext using a
procedure known as optimal asymmetric encryption padding (OAEP).

Diffie-Hellman Key Exchange:

Whitfield Diffie and Martin Hellman developed the Diffie-Hellman key exchange
algorithm in 1976 to overcome the problem of key agreement and exchange.

The purpose of the algorithm is to enable two users to securely exchange a key
that can then be used for subsequent symmetric encryption of messages.

The algorithm itself is limited to the exchange of secret values.

The Diffie-Hellman algorithm depends for its effectiveness on the difficulty
of computing discrete logarithms.

The Algorithm: Figure 10.1 summarizes the Diffie-Hellman key exchange
algorithm.

For this scheme, there are two publicly known numbers: a prime number q and an
integer a that is a primitive root of q.

Suppose the users A and B wish to create a shared key.

User A selects a random integer XA < q and computes its public value YA.

Similarly, user B independently selects a random integer XB < q and computes
its public value YB.

Each side keeps the X value private and makes the Y value available publicly
to the other side.

Thus, XA is A's private key and YA is A's corresponding public key, and
similarly for B.

User A computes the key from YB and its own XA, and user B computes the key
from YA and its own XB.

These two calculations produce identical results.

The security of the Diffie-Hellman key exchange lies in the fact that, while
it is relatively easy to calculate exponentials modulo a prime, it is very
difficult to calculate discrete logarithms.

For large primes, the latter task is considered infeasible.


Example

1. Alice and Bob both use the public numbers P = 23, G = 5.

2. Alice selects the private key a = 4, and Bob selects b = 3 as his private
key.

3. Both Alice and Bob now calculate the values x and y as follows:

Alice: x = (5^4 mod 23) = 4

Bob: y = (5^3 mod 23) = 10

4. Now Alice and Bob exchange the public numbers x and y with each other.

5. Alice and Bob now calculate the symmetric key:

Alice: ka = y^a mod p = 10^4 mod 23 = 18

Bob: kb = x^b mod p = 4^3 mod 23 = 18

6. 18 is the shared secret key.
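The same exchange in Python, as an added example (not code from these notes), with the notes' numbers P = 23, G = 5, a = 4, b = 3. Each side computes only from the public parameters, its own private value and the one value it receives; the function names are the author's own.

```python
# Added example (not code from these notes): Diffie-Hellman with P = 23,
# G = 5, a = 4, b = 3 from the notes' worked example.

def is_primitive_root(g, p):
    """True if g generates every non-zero residue mod p (brute force; toy sizes only)."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def public_value(g, private, p):
    """Y = G^X mod P: the value that is sent over the insecure channel."""
    if not 1 <= private < p:
        raise ValueError("private value must satisfy 1 <= X < P")
    return pow(g, private, p)


def shared_key(peer_public, private, p):
    """K = Y_peer^X mod P, computed independently by each side."""
    return pow(peer_public, private, p)


def dh_exchange(p, g, a, b):
    """Run both sides; return (x, y, key). Raises if the two keys differ."""
    if not is_primitive_root(g, p):
        raise ValueError("G must be a primitive root of P")
    x = public_value(g, a, p)   # Alice -> Bob
    y = public_value(g, b, p)   # Bob -> Alice
    ka = shared_key(y, a, p)    # Alice: y^a mod p
    kb = shared_key(x, b, p)    # Bob:   x^b mod p
    if ka != kb:
        raise AssertionError("keys differ; exchange is broken")
    return x, y, ka


if __name__ == "__main__":
    print(dh_exchange(23, 5, 4, 3))   # (4, 10, 18)
```

The primitive-root check is there because the notes require G to be a primitive root of P; with a toy prime a brute-force check is enough, whereas for real parameters one uses standardised groups rather than testing at runtime.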

Uses of the Diffie-Hellman Algorithm

Aside from using the algorithm for generating public keys, there are some other
places where the DH algorithm can be used:

• Encryption: The Diffie-Hellman key exchange algorithm can be used to
encrypt.
• Password-authenticated key agreement: When two parties share a password, a
password-authenticated key agreement can be used to prevent a
man-in-the-middle attack. This key agreement can be in the form of
Diffie-Hellman; the Secure Remote Password protocol is a good example based
on this technique.
• Forward secrecy: Protocols that provide forward secrecy more often than not
use the Diffie-Hellman key exchange.

Advantages of the Diffie-Hellman Algorithm

• The sender and receiver don't need any prior knowledge of each other.
• Once the keys are exchanged, the communication of data can be done
through an insecure channel.
• The sharing of the secret key is safe.

Disadvantages of the Diffie-Hellman Algorithm

• The algorithm cannot be used for any asymmetric key exchange.
• Similarly, it cannot be used for signing digital signatures.
• Since it doesn't authenticate any party in the transmission, the
Diffie-Hellman key exchange is susceptible to a man-in-the-middle attack.

At this point, Bob and Alice think that they share a secret key, but instead
Bob and Darth share secret key K1 and Alice and Darth share secret key K2.
All future communication between Bob and Alice is compromised in the
following way.

1. Alice sends an encrypted message M: E(K2, M).

2. Darth intercepts the encrypted message and decrypts it to recover M.

3. Darth sends Bob E(K1, M) or E(K1, M′), where M′ is any message.

The key exchange protocol is vulnerable to such an attack because it does
not authenticate the participants.

This vulnerability can be overcome with the use of digital signatures and
public-key certificates.

Cryptographic Hash Functions:

• A hash function H accepts a variable-length block of data M as input and
produces a fixed-size hash value h = H(M).

• A “good” hash function has the property that the results of applying the
function to a large set of inputs will produce outputs that are evenly
distributed and apparently random.

In general terms, the principal object of a hash function is data integrity. A
change to any bit or bits in M results, with high probability, in a change to
the hash value.

• The kind of hash function needed for security applications is referred to as
a cryptographic hash function.

Cryptographic hash functions add security features to typical hash functions,
making it more difficult to determine the contents of a message or information
about recipients and senders.

In particular, cryptographic hash functions exhibit these three properties:

• They are “collision-free.” This means that no two inputs should map to the
same output hash.
• They are “hiding.” It should be difficult to guess the input value of a
hash function from its output.
• They are “puzzle-friendly.” It should be difficult to select an input that
produces a pre-defined output. Thus, the input should be selected from a
distribution that is as wide as possible.

Applications of Cryptographic Hash Functions:

The most versatile cryptographic algorithm is the cryptographic hash function.

It is used in a wide variety of security applications and Internet protocols.

The following are various applications where it is employed.

Message Authentication:
• Message authentication is a mechanism or service used to verify the
integrity of a message.

• Message authentication assures that data received are exactly as sent (i.e.,
there is no modification, insertion, deletion, or replay).

• When a hash function is used to provide message authentication, the hash
function value is often referred to as a message digest.

• The essence of the use of a hash function for message integrity is as
follows.
o The sender computes a hash value as a function of the bits in the message
and transmits both the hash value and the message.
o The receiver performs the same hash calculation on the message bits and
compares this value with the incoming hash value.
o If there is a mismatch, the receiver knows that the message (or possibly the
hash value) has been altered (Figure a).
o The hash value must be transmitted in a secure fashion. That is, the hash
value must be protected so that if an adversary alters or replaces the
message, it is not feasible for the adversary to also alter the hash value to
fool the receiver. This type of attack is shown in Figure b.

(diagram i,ii,v,vi are examples of mac in cw)

More commonly, message authentication is achieved using a message
authentication code (MAC), also known as a keyed hash function.

• Typically, MACs are used between two parties that share a secret key to
authenticate information exchanged between those parties.

• A MAC function takes as input a secret key and a data block and produces a
hash value, referred to as the MAC, which is associated with the protected
message.

• If the integrity of the message needs to be checked, the MAC function can be
applied to the message and the result compared with the associated MAC value.

• An attacker who alters the message will be unable to alter the associated MAC
value without knowledge of the secret key.

Digital Signatures:

• Another important application, which is similar to the message
authentication application, is the digital signature.

• The operation of the digital signature is similar to that of the MAC.

• In the case of the digital signature, the hash value of a message is
encrypted with a user's private key.

• Anyone who knows the user's public key can verify the integrity of the
message that is associated with the digital signature.

• In this case, an attacker who wishes to alter the message would need to know
the user's private key.

The following figures illustrate, in a simplified fashion, how a hash code is
used to provide a digital signature.

a. The hash code is encrypted, using public-key encryption with the sender's
private key. As with Figure b, this provides authentication. It also provides a
digital signature, because only the sender could have produced the encrypted
hash code. In fact, this is the essence of the digital signature technique.

(refer diagram iii in cw)

b. If confidentiality as well as a digital signature is desired, then the
message plus the private-key-encrypted hash code can be encrypted using a
symmetric secret key. This is a common technique.

(refer diagram iv in cw)

Other Applications:

• Hash functions are commonly used to create a one-way password file.

• Hash functions can be used for intrusion detection and virus detection.

• A cryptographic hash function can be used to construct a pseudorandom
function (PRF) or a pseudorandom number generator (PRNG).

Two Simple Hash Functions:

• To understand the security considerations involved in cryptographic hash
functions, we present two simple, insecure hash functions in this section.
• All hash functions operate using the following general principles.
o The input (message, file, etc.) is viewed as a sequence of n-bit blocks.
o The input is processed one block at a time in an iterative fashion to
produce an n-bit hash value.
• One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of
every block. This can be expressed as:
Ci = bi1 ⊕ bi2 ⊕ … ⊕ bim
where Ci = i-th bit of the hash code, 1 ≤ i ≤ n
m = number of n-bit blocks in the input
bij = i-th bit in the j-th block
⊕ = XOR operation
A simple way to improve matters is to perform a one-bit circular shift, or
rotation, on the hash value after each block is processed.
The procedure can be summarized as follows.
1. Initially set the n-bit hash value to zero.
2. Process each successive n-bit block of data as follows:
a. Rotate the current hash value to the left by one bit.
b. XOR the block into the hash value.
• This has the effect of “randomizing” the input more completely and
overcoming any regularities that appear in the input.
• Although the second procedure provides a good measure of data integrity, it
is virtually useless for data security when an encrypted hash code is used
with a plaintext message.
• Although a simple XOR or rotated XOR (RXOR) is insufficient if only the hash
code is encrypted, you may still feel that such a simple function could be
useful when the message together with the hash code is encrypted.
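Both simple hash functions in Python, as an added example (not code from these notes), on n = 8-bit blocks, together with the two checks that show why the notes call them insecure: the plain XOR hash does not change when blocks are reordered, and for RXOR a single appended block can be solved for directly to force any chosen hash value, which is why an encrypted hash code sent beside a plaintext message protects nothing. Block size, messages and function names are the author's own choices.

```python
# Added example (not code from these notes): block-wise XOR and rotated XOR
# (RXOR) hashes on n = 8-bit blocks, plus checks of their weaknesses.
N_BITS = 8
MASK = (1 << N_BITS) - 1


def blocks(data):
    """View the input as a sequence of n-bit blocks (one byte each here)."""
    return list(data)


def xor_hash(data):
    """C = b_1 xor b_2 xor ... xor b_m, bit by bit across all blocks."""
    h = 0
    for b in blocks(data):
        h ^= b
    return h


def rotl(x):
    """One-bit circular left shift of an n-bit value."""
    return ((x << 1) | (x >> (N_BITS - 1))) & MASK


def rxor_hash(data):
    """Step 1: hash = 0; step 2: for each block, rotate left, then XOR it in."""
    h = 0
    for b in blocks(data):
        h = rotl(h) ^ b
    return h


def forcing_block_for_rxor(data, target):
    """Return data plus one block chosen so that rxor_hash(result) == target.

    Demonstrates the missing preimage resistance: because the last step is
    rotl(h) ^ block, the block is obtained by one XOR, with no search.
    """
    needed = rotl(rxor_hash(data)) ^ target
    return data + bytes([needed])


if __name__ == "__main__":
    msg, reordered = b"pay 10", b"01 yap"      # constructed sample inputs
    print(hex(xor_hash(msg)), hex(xor_hash(reordered)))    # identical
    print(hex(rxor_hash(msg)), hex(rxor_hash(reordered)))  # differ: 0x1 vs 0x43
    print(hex(rxor_hash(forcing_block_for_rxor(msg, 0x5A))))  # 0x5a
```

The rotation fixes the reordering problem but not the forging one: any function whose last step is a cheap, invertible combination of the running value and the final block lets the final block be chosen to hit a target, and that is exactly what a cryptographic hash must prevent.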

Message Authentication Requirements:

In the context of communications across a network, the following attacks can
be identified.
1. Disclosure: Release of message contents to any person or process not
possessing the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties.
In a connection-oriented application, the frequency and duration of
connections could be determined.
In either a connection-oriented or connectionless environment, the number and
length of messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent
source. This includes the creation of messages by an opponent that are
purported to come from an authorized entity.
Also included are fraudulent acknowledgments of message receipt or nonreceipt
by someone other than the message recipient.
4. Content modification: Changes to the contents of a message, including
insertion, deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages.
In a connection-oriented application, an entire session or sequence of
messages could be a replay of some previous valid session, or individual
messages in the sequence could be delayed or replayed.
In a connectionless application, an individual message (e.g., datagram) could
be delayed or replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.
• Measures to deal with the first two attacks are in the realm of message
confidentiality and are dealt with under encryption techniques.
• Measures to deal with items (3) through (6) in the foregoing list are
generally regarded as message authentication.
• Mechanisms for dealing specifically with item (7) come under the heading of
digital signatures.
• Generally, a digital signature technique will also counter some or all of
the attacks listed under items (3) through (6).
• Dealing with item (8) may require a combination of the use of digital
signatures and a protocol designed to counter this attack.
• In summary, message authentication is a procedure to verify that received
messages come from the alleged source and have not been altered.
• Message authentication may also verify sequencing and timeliness.
• A digital signature is an authentication technique that also includes
measures to counter repudiation by the source.
Message Authentication Functions:
• Any message authentication or digital signature mechanism has two levels of
functionality.
• At the lower level, there must be some sort of function that produces an
authenticator: a value to be used to authenticate a message.
• This lower-level function is then used as a primitive in a higher-level
authentication protocol that enables a receiver to verify the authenticity of
a message.
• We are concerned with the types of functions that may be used to produce an
authenticator. These may be grouped into three classes.
o Hash function: A function that maps a message of any length into a
fixed-length hash value, which serves as the authenticator.
o Message encryption: The ciphertext of the entire message serves as its
authenticator.
o Message authentication code (MAC): A function of the message and a secret
key that produces a fixed-length value that serves as the authenticator.
Message Encryption:
Message encryption by itself can provide a measure of authentication.
The analysis differs for symmetric and public-key encryption schemes.
Symmetric Encryption: Consider the straightforward use of symmetric
encryption (Figure a).
• A message M transmitted from source A to destination B is encrypted using a
secret key K shared by A and B.
• If no other party knows the key, then confidentiality is provided: no other
party can recover the plaintext of the message.

Public-Key Encryption:
• The straightforward use of public-key encryption (Figure b) provides
confidentiality but not authentication.
• The source (A) uses the public key PUb of the destination (B) to encrypt M.
Because only B has the corresponding private key PRb, only B can decrypt the
message.
• This scheme provides no authentication, because any opponent could also use
B's public key to encrypt a message and claim to be A.
• To provide authentication, A uses its private key to encrypt the message,
and B uses A's public key to decrypt (Figure c).
• This provides authentication using the same type of reasoning as in the
symmetric encryption case: the message must have come from A because A is the
only party that possesses PRa and therefore the only party with the
information necessary to construct ciphertext that can be decrypted with PUa.
• There must be some internal structure to the plaintext so that the receiver
can distinguish between well-formed plaintext and random bits.
• Assuming there is such structure, then the scheme of Figure c does provide
authentication. It also provides what is known as a digital signature.
• To provide both confidentiality and authentication, A can encrypt M first
using its private key, which provides the digital signature, and then using
B's public key, which provides confidentiality (Figure d).
• The disadvantage of this approach is that the public-key algorithm is
complex.
Message Authentication Code:
• An alternative authentication technique involves the use of a secret key to
generate a small fixed-size block of data, known as a cryptographic checksum
or MAC, that is appended to the message.
• This technique assumes that two communicating parties, say A and B, share a
common secret key K.
• When A has a message to send to B, it calculates the MAC as a function of
the message and the key:
MAC = C(K, M)
where M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
• The message plus MAC are transmitted to the intended recipient.
• The recipient performs the same calculation on the received message, using
the same secret key, to generate a new MAC.
• The received MAC is compared to the calculated MAC (Figure a).
• A MAC function is similar to encryption. One difference is that the MAC
algorithm need not be reversible, as it must be for decryption.
• In general, the MAC function is a many-to-one function.
(refer cw for diagrams)

Requirements for Message Authentication Codes:

MACs Based on Hash Functions:

HMAC Design Objectives:

RFC 2104 lists the following design objectives for HMAC.
• To use, without modifications, available hash functions. In particular, to
use hash functions that perform well in software and for which code is freely
and widely available.
• To allow for easy replaceability of the embedded hash function in case
faster or more secure hash functions are found or required.
• To preserve the original performance of the hash function without incurring
a significant degradation.
• To use and handle keys in a simple way.
• To have a well understood cryptographic analysis of the strength of the
authentication mechanism based on reasonable assumptions about the embedded
hash function.
HMAC Algorithm
H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-160)
IV = initial value input to hash function
M = message input to HMAC (including the padding specified in the embedded
hash function)
Yi = i-th block of M, 0 ≤ i ≤ (L – 1)
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key; recommended length is ≥ n; if key length is greater than b, the key
is input to the hash function to produce an n-bit key
K+ = K padded with zeros on the left so that the result is b bits in length
ipad = 00110110 (36 in hexadecimal) repeated b/8 times
opad = 01011100 (5C in hexadecimal) repeated b/8 times

HMAC can be expressed as:


HMAC(K, M) = H[(K+ ⊕ opad) || H[(K+ ⊕ ipad) || M]]
The algorithm is as follows:
1. Append zeros to the left end of K to create a b-bit string K+ (e.g., if K is of length
160 bits and , then will be appended with 44 zeroes).
2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
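The MAC computation and receiver-side comparison from the MAC section above (Figure a) and the seven HMAC steps, written out in Python as an added example; this is not code from the notes. `hmac_manual`, `hmac_reference` and `verify_mac` are names chosen here, and the standard library's `hmac` module is used as the reference implementation. One caveat on step 1: RFC 2104, and therefore the `hmac` module, forms K+ by appending zero bytes after the key, so the example pads on that side; keys longer than b bits are first hashed down to n bits, as the definitions above state.

```python
import hashlib
import hmac

IPAD_BYTE = 0x36   # 00110110, repeated b/8 times to form ipad
OPAD_BYTE = 0x5C   # 01011100, repeated b/8 times to form opad


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> str:
    """HMAC(K, M) = H[(K+ xor opad) || H[(K+ xor ipad) || M]], step by step."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b_bytes = hashlib.new(hash_name).block_size   # b/8: 64 for MD5, SHA-1, SHA-256

    # A key longer than b bits is first hashed to an n-bit key.
    if len(key) > b_bytes:
        key = H(key)
    # Step 1: K+ = K extended with zero bytes to b bits (RFC 2104 appends them
    # after the key; that is the convention the hmac module checks against).
    k_plus = key + bytes(b_bytes - len(key))
    s_i = bytes(k ^ IPAD_BYTE for k in k_plus)    # step 2: K+ xor ipad
    inner = H(s_i + message)                       # steps 3-4: H(Si || M)
    s_o = bytes(k ^ OPAD_BYTE for k in k_plus)    # step 5: K+ xor opad
    return H(s_o + inner).hex()                    # steps 6-7: H(So || inner)


def hmac_reference(key: bytes, message: bytes, hash_name: str = "sha256") -> str:
    """The standard library's HMAC, used as the oracle for checking hmac_manual."""
    return hmac.new(key, message, hash_name).hexdigest()


def verify_mac(key: bytes, message: bytes, received_tag: str,
               hash_name: str = "sha256") -> bool:
    """Receiver side of Figure a: recompute C(K, M) and compare it with the
    received MAC. compare_digest runs in constant time, so a plain == is not
    used (its early exit leaks how many leading bytes of the tag matched)."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), received_tag)
```

With a 20-byte key of 0x0b bytes and the message "Hi There" (RFC 4231 test case 1), `hmac_manual` returns the published HMAC-SHA-256 value, and any hash name accepted by `hashlib.new` can be swapped in, which is the replaceability objective listed above.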
Security of HMAC:
The security of a MAC function is generally expressed in terms of the probability
of successful forgery with a given amount of time spent by the forger and a given
number of message-tag pairs created with the same key.
In essence, it is proved that for a given level of effort (time, message–tag pairs) on
messages generated by a legitimate user and seen by the attacker, the probability
of successful attack on HMAC is equivalent to one of the following attacks on the
embedded hash function.
1. The attacker is able to compute an output of the compression function even
with an IV that is random, secret, and unknown to the attacker.
2. The attacker finds collisions in the hash function even when the IV is random
and secret.
However, when attacking HMAC, the attacker cannot generate message/code
pairs offline because the attacker does not know K.
Therefore, the attacker must observe a sequence of messages generated by
HMAC under the same key and perform the attack on these known messages.
For a hash code length of 128 bits, this requires 2^64 observed blocks (2^72 bits)
generated using the same key.
Thus, if speed is a concern, it is fully acceptable to use MD5 rather than SHA-1 as
the embedded hash function for HMAC.
Advantages
• HMACs are ideal for high-performance systems like routers due to the
use of hash functions, which are calculated and verified quickly, unlike
public key systems.
• Digital signatures are larger than HMACs, yet HMACs provide
comparably high security.
• HMACs are used in administrations where public key systems are
prohibited.
Disadvantages
• HMACs use a shared key, which may lead to non-repudiation issues. If either
the sender’s or receiver’s key is compromised, then it will be easy for
attackers to create unauthorized messages.

MAC’s based on block ciphers:


DAA
CMAC:
MD5:
The MD5 message-digest algorithm is the fifth version of the Message-Digest Algorithm
developed by Ron Rivest; it produces a 128-bit message digest.
MD5 is quite fast compared with the other versions of the message digest. It takes the
plaintext in 512-bit blocks, each of which is further divided into 16 words of 32 bits, and
produces a 128-bit message digest consisting of four words of 32 bits each.
MD5 produces the message digest through five steps: padding, appending the length,
dividing the input into 512-bit blocks, initialising the chaining variables, and processing
the blocks in 4 rounds, using a different constant in each iteration.

MD5 (Message Digest Method 5) is a cryptographic hash algorithm used to
generate a 128-bit digest from a string of any length.

It represents the digests as 32-digit hexadecimal numbers.

The digest size is always 128 bits.

A minor change in the input string generates a drastically different digest.
This is essential to prevent, as far as possible, two different inputs producing
the same hash, which is known as a hash collision.

Steps in MD5 Algorithm

There are four major sections of the algorithm:

Padding Bits

When you receive the input string, you have to make sure its size is 64 bits short of a
multiple of 512. When padding the bits, you must first append a single 1 bit, followed
by zero bits to round out the remaining length.
Padding Length

You need to add a few more bits to make your final string a multiple of 512. To
do so, take the length of the original input and express it as a 64-bit value. On
combining the two, the final string is ready to be hashed.

Initialize MD Buffer

The entire string is converted into multiple blocks of 512 bits each. You also need to
initialize four different buffers, namely A, B, C, and D. These buffers are 32 bits each and
are initialized as follows:
Process Each Block

MD5 uses four auxiliary functions, each of which takes three 32-bit words as input and
produces a 32-bit output. These functions use the logical operators AND, OR, XOR and NOT:

F(X, Y, Z) = XY v not(X)Z

G(X, Y, Z) = XZ v Y not(Z)

H(X, Y, Z) = X xor Y xor Z

I(X, Y, Z) = Y xor (X v not(Z))

The contents of the four buffers are mixed with the input using these auxiliary
functions, and 16 rounds are performed using 16 basic operations.
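The four sections above (padding bits, padding length, buffer initialisation and block processing, with the functions F, G, H and I) carried through as a complete MD5 in Python, added here as an example and not code from the notes. The initial buffer values, per-operation rotation amounts and sine-derived constants are those of RFC 1321; `md5`, `md5_pad`, `matches_stdlib` and `digest_bit_difference` are names chosen for this example, and `hashlib` serves as the reference. `digest_bit_difference` also puts a number on the avalanche claim made earlier: a one-character change flips roughly half of the 128 digest bits.

```python
import hashlib
import math
import struct

_MASK = 0xFFFFFFFF

# Initialize MD Buffer: the four 32-bit chaining variables A, B, C, D (RFC 1321).
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

# Left-rotation amounts, four rounds of 16 operations each.
_SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
           + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)

# Additive constants T[i] = floor(2^32 * |sin(i + 1)|), a different one per operation.
_T = [int(abs(math.sin(i + 1)) * 2 ** 32) & _MASK for i in range(64)]


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md5_pad(message: bytes) -> bytes:
    """Padding Bits and Padding Length: append a single 1 bit, then zero bits
    until the length is 64 bits short of a multiple of 512, then the original
    length in bits as a 64-bit little-endian integer."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = bytearray(message)
    padded.append(0x80)                      # 1000 0000: the 1 bit plus 7 zero bits
    while len(padded) % 64 != 56:            # 56 bytes = 448 bits = 512 - 64
        padded.append(0x00)
    padded += struct.pack("<Q", bit_len)
    return bytes(padded)


def md5(message: bytes) -> str:
    """Return the MD5 digest of message as 32 hexadecimal digits."""
    padded = md5_pad(message)
    a0, b0, c0, d0 = _INIT

    # Process Each Block: each 512-bit block is sixteen 32-bit little-endian words.
    for off in range(0, len(padded), 64):
        m = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:                       # F(X, Y, Z) = XY v not(X)Z
                f, g = (b & c) | (~b & d), i
            elif i < 32:                     # G(X, Y, Z) = XZ v Y not(Z)
                f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
            elif i < 48:                     # H(X, Y, Z) = X xor Y xor Z
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:                            # I(X, Y, Z) = Y xor (X v not(Z))
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _T[i] + m[g]) & _MASK
            a, d, c, b = d, c, b, (b + _rotl(f, _SHIFTS[i])) & _MASK
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)

    # The digest is A || B || C || D, each word serialised little-endian.
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_stdlib(message: bytes) -> bool:
    """Cross-check this implementation against hashlib for a given input."""
    return md5(message) == hashlib.md5(message).hexdigest()


def digest_bit_difference(m1: bytes, m2: bytes) -> int:
    """Number of digest bits that differ between md5(m1) and md5(m2)."""
    return bin(int(md5(m1), 16) ^ int(md5(m2), 16)).count("1")
```

The lengths 55, 56 and 64 bytes are the ones worth checking by hand: 55 bytes fits in one block with the length field, 56 bytes forces a second block, and 64 bytes is exactly one block before padding.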

Example:
Input: This is an article about the cryptography algorithm

Output: e4d909c290dfb1ca068ffaddd22cbb0

MD5 Block Diagram:

Advantages and Disadvantages of MD5 Algorithm

Below are the advantages and disadvantages explained:
Advantages:

• MD5 algorithms are useful because it is easier to compare and store these
smaller hashes than to store a large variable-length text.
• It is a widely used algorithm for one-way hashes, used to verify a value without
necessarily giving the original value.
• MD5 algorithms are widely used to check the integrity of files.
• Moreover, it is very easy to generate a message digest of the original message
using this algorithm.

Disadvantages:

• For many years, MD5 has been prone to a hash collision weakness, i.e. it is
possible to create the same hash for two different inputs.
• MD5 provides no security against these collision attacks.
• Moreover, it is quite slow compared with the optimized SHA algorithms.
• SHA is much more secure than the MD5 algorithm.

Digital Signature
• A digital signature is a mathematical technique used to validate the
authenticity and integrity of a message, software, or digital document.
The figure below shows a generic model of the process of making and using digital
signatures.

Bob can sign a message using a digital signature generation algorithm.

The inputs to the algorithm are the message and Bob’s private key.

Any other user, say Alice, can verify the signature using a verification algorithm,
whose inputs are the message, the signature, and Bob’s public key.
Properties:

Message authentication protects two parties who exchange messages from any
third party.

However, it does not protect the two parties against each other.

Several forms of dispute between the two are possible.

For example, suppose that John sends an authenticated message to Mary.
Consider the following disputes that could arise.

1. Mary may forge a different message and claim that it came from John. Mary
would simply have to create a message and append an authentication code using
the key that John and Mary share.
2. John can deny sending the message.

Both scenarios are of legal concern.

In situations where there is not complete trust between sender and receiver,
something more than authentication is needed.

The most attractive solution to this problem is the digital signature.

The digital signature must have the following properties:

• It must verify the author and the date and time of the signature.

• It must authenticate the contents at the time of the signature.

• It must be verifiable by third parties, to resolve disputes. Thus, the digital
signature function includes the authentication function.

Attacks and Forgeries:

The following are the types of attacks, in order of increasing severity.
Here A denotes the user whose signature method is being attacked,
and C denotes the attacker.

• Key-only attack: C only knows A’s public key.

• Known message attack: C is given access to a set of messages and
their signatures.

• Generic chosen message attack: C chooses a list of messages before
attempting to break A’s signature scheme, independent of A’s public
key. C then obtains from A valid signatures for the chosen messages.
The attack is generic, because it does not depend on A’s public key; the
same attack is used against everyone.

• Directed chosen message attack: Similar to the generic attack, except
that the list of messages to be signed is chosen after C knows A’s public
key but before any signatures are seen.

• Adaptive chosen message attack: C is allowed to use A as an “oracle.”
This means that C may request from A signatures of messages that
depend on previously obtained message-signature pairs.

The following forgeries define success at breaking a signature scheme
as an outcome in which C can do any of the following with a non-
negligible probability:

• Total break: C determines A’s private key.

• Universal forgery: C finds an efficient signing algorithm that provides
an equivalent way of constructing signatures on arbitrary messages.

• Selective forgery: C forges a signature for a particular message
chosen by C.

• Existential forgery: C forges a signature for at least one message. C
has no control over the message. Consequently, this forgery may only
be a minor nuisance to A.

Digital Signature Requirements:

On the basis of the properties and attacks just discussed, we can
formulate the following requirements for a digital signature.

• The signature must be a bit pattern that depends on the message
being signed.

• The signature must use some information unique to the sender to
prevent both forgery and denial.

• It must be relatively easy to produce the digital signature.

• It must be relatively easy to recognize and verify the digital signature.

• It must be computationally infeasible to forge a digital signature,
either by constructing a new message for an existing digital signature or
by constructing a fraudulent digital signature for a given message.

• It must be practical to retain a copy of the digital signature in storage.

Direct Digital Signature:

The term direct digital signature refers to a digital signature scheme that involves
only the communicating parties (source, destination).

Confidentiality can be provided by encrypting the entire message plus signature
with a shared secret key (symmetric encryption).

It is important to perform the signature function first and then an outer
confidentiality function.

If the signature is calculated on an encrypted message, then the third party also
needs access to the decryption key to read the original message.

However, if the signature is the inner operation, then the recipient can store the
plaintext message and its signature for later use in dispute resolution.

If a sender later wishes to deny sending a particular message, the sender can
claim that the private key was lost or stolen and that someone else forged his or
her signature.

One countermeasure is to require every signed message to include a timestamp (date
and time).

Another threat is that some private key might actually be stolen from X at time T.

The opponent can then send a message signed with X’s signature and stamped
with a time before or equal to T.

The universally accepted technique for dealing with these threats is the use of a
digital certificate and certificate authorities.
