Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Chapter 3: Cryptography and Public Key Infrastructure

1. INTRODUCTION OF CRYPTOGRAPHY
An original message is known as the plaintext, while the coded message is called the ciphertext. The process
of converting from plaintext to ciphertext is known as enciphering or encryption; restoring the plaintext
from the ciphertext is deciphering or decryption. The many schemes used for encryption constitute the
area of study known as cryptography. Such a scheme is known as a cryptographic system or a cipher.
Techniques used for deciphering a message without any knowledge of the enciphering details fall into the
area of cryptanalysis. Cryptanalysis is what the layperson calls “breaking the code.” The areas of
cryptography and cryptanalysis together are called cryptology.
There are five primary functions of cryptography today:
1. Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver.
2. Authentication: The process of proving one's identity.
3. Integrity: Assuring the receiver that the received message has not been altered in any way from the
original.
4. Non-repudiation: A mechanism to prove that the sender really sent this message.
5. Key exchange: The method by which crypto keys are shared between sender and receiver.
In cryptography, we start with the unencrypted data, referred to as plaintext. Plaintext is encrypted
into ciphertext, which will in turn (usually) be decrypted into usable plaintext. The encryption and
decryption is based upon the type of cryptography scheme being employed and some form of key. For those
who like formulas, this process is sometimes written as:
C = Ek(P)
P = Dk(C)
where P = plaintext, C = ciphertext, E = the encryption method, D = the decryption method, and k = the
key.

2. TYPES OF CRYPTOGRAPHIC ALGORITHMS

Cryptographic algorithms can be categorized based on the number of keys that are employed for encryption
and decryption. These are:
 Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption; also
called symmetric encryption. Primarily used for privacy and confidentiality.
 Public Key Cryptography (PKC): Uses one key for encryption and another for decryption; also
called asymmetric encryption. Primarily used for authentication, non-repudiation, and key
exchange.
 Hash Functions: Uses a mathematical transformation to irreversibly "encrypt" information,
providing a digital fingerprint. Primarily used for message integrity.
pg. 1
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Figure 1: Three types of cryptography: secret key, public key, and hash function.

3. SECRET KEY CRYPTOGRAPHY (SYMMETRIC ENCRYPTION)

Secret key cryptography methods employ a single key for both encryption and decryption. The sender uses
the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key
to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret
key cryptography is also called symmetric encryption.
A symmetric encryption scheme has five ingredients as shown in figure 2:
 Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
 Encryption algorithm: The encryption algorithm performs various substitutions and transformations
on the plaintext.
 Secret key: The secret key is also input to the encryption algorithm. The key is a value independent
of the plaintext and of the algorithm. The algorithm will produce a different output depending on
the specific key being used at the time. The exact substitutions and transformations performed by
the algorithm depend on the key.
 Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the
secret key. For a given message, two different keys will produce two different ciphertexts. The
ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
 Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the
ciphertext and the secret key and produces the original plaintext.

pg. 2
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Figure 2: Simplified Model of Symmetric Encryption

A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers
or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit
patterns with ciphertext bit patterns. Different types of encryption techniques are listed and described
below.
A. Caesar’s Cipher
B. Playfair Cipher
C. Keyword Cipher
D. Vigenere (Polyalphabetic) Cipher,
E. One Time Pad (Vermin Cipher)

A. Caesar’s Cipher
The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further
down the alphabet. For example,
plain: meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB

The alphabet is wrapped around, so that the letter following Z is A. We can define the transformation by
listing all possibilities, as follows:

Let us assign a numerical equivalent to each letter:

pg. 3
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Then the algorithm can be expressed as follows.

To do the encryption, for each plaintext letter p, substitute the ciphertext letter C:
C = E(3, p) = (p + 3) mod 26
Example: for plaintext letter M number is 12
C=(12+3) mod 26 = 15 so, for number 15 alphabet is “P”

To do the decryption, for each plaintext letter C, substitute the ciphertext letter p:
p = D(3, C) = (C - 3) mod 26

Example: for cipher text “P” number is 15

P=(15-3) mod 26= 12 so, for number 12 alphabet is “M”.

A shift may be of any amount, so that the general Caesar algorithm is

C = E(k, p) = (p + k) mod 26
Where k takes on a value in the range 1 to 25.The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
If we use any value k then it is known as shift cipher.

B. Playfair Cipher
The Playfair cipher encrypts pairs of letters (digraphs), instead of single letters. The Playfair cipher uses a 5
by 5 table containing a key word or phrase. To generate the table, one would first fill in the spaces of the
table with the letters of the keyword (dropping any duplicate letters), then fill the remaining spaces with
the rest of the letters of the alphabet in order (to reduce the alphabet to fit WE can either omit "Q" or use
I and J together). In the example to the right, the keyword is "keyword".

K E Y W O
R D A B C
F G H I J
L M N P S
T U V X Z
To encrypt a message, one would break the message into groups of 2 letters. If there is a dangling letter at
the end, we add an X.
pg. 4
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

For example. "Secret Message" becomes "SE CR ET ME SS AG EX".

We now take each group and find them out on the table. Noticing the location of the two letters in the
table, we apply the following rules, in order.
1 If both letters are the same, add an X between them. Encrypt the new pair, re-pair the remaining
letters and continue.
2 If the letters appear on the same row of table, replace them with the letters to their immediate right
respectively, wrapping around to the left side of the row if necessary. For example, using the table
above, the letter pair GJ would be encoded as HF.
3 If the letters appear on the same column of your table, replace them with the letters immediately
below, wrapping around to the top if necessary. For example, using the table above, the letter pair
MD would be encoded as UG.
4 If the letters are on different rows and columns, replace them with the letters on the same row
respectively but at the other pair of corners of the rectangle defined by the original pair. The order
is important - the first letter of the pair should be replaced first. For example, using the table above,
the letter pair EB would be encoded as WD.
To decipher, ignore rule 1. In rules 2 and 3 shift up and left instead of down and right. Rule 4 remains the
same. Once it is done, drop any extra Xs that don't make sense in the final message and locate any missing
Qs or any Is and Js as required.

C. Keyword Cipher
The Keyword cipher is identical to the Caesar Cipher with the exception that the substitution alphabet used
can be represented with a keyword. To create a substitution alphabet from a keyword, we first write down
the alphabet. Below this we write down the keyword (omitting duplicate letters) followed by the remaining
unused letters of the alphabet.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
KEYWORDABCFGHIJLMNPQSTUVXZ
To encipher a plaintext message, we convert all letters from the top row to their corresponding letter on
the bottom row (A to K, B to E, etc).

D. Vigenere Cipher
The Vigenere cipher consists of using several Caesar ciphers in sequence with different shift values. To
encipher, a table of alphabets can be used, termed as a Vigenere table. It consists of the alphabet written
out 26 times in different rows, each alphabet shifted cyclically to the left compared to the previous alphabet,
corresponding to the 26 possible Caesar ciphers. At different points in the encryption process, the cipher
uses a different alphabet from one of the rows. The alphabet used at each point depends on a repeating
keyword.

pg. 5
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

For example, suppose that the plaintext to be encrypted is:

ATTACKATDAWN
The person sending the message chooses a keyword and repeats it until it matches the length of the
plaintext, for example, the keyword "LEMON":
LEMONLEMONLE
Each letter is encoded by finding the intersection in the grid between the plaintext letter and keyword letter.
For example, the first letter of the plaintext, A, is enciphered using the alphabet in row L, which is the first
letter of the key. This is done by looking at the letter in row L and column A of the Vigenere square, namely
L. Similarly, for the second letter of the plaintext, the second letter of the key is used; the letter at row E
and column T is X. The rest of the plaintext is enciphered in a similar fashion:

Plaintext: A T T A C K A T D A W N
Key: L E M O N L E M O N L E
Ciphertext: L X F O P V E F R N H R

Decryption is performed by finding the position of the ciphertext letter in a row of the table, and then taking
the label of the column in which it appears as the plaintext. For example, in row L, the ciphertext L appears
in column A, which taken as the first plaintext letter. The second letter is decrypted by looking up X in row
E of the table; it appears in column T, which is taken as the plaintext letter.

pg. 6
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Another example:
Encryption:
Step 1: write plaintext and expand key upto the length of plaintext as shown below. Plaintext (Today is
Friday) & Key (DAY)

Step 2: consider plaintext letter as a column and key letter as a row and make a straight line from both of
it, whenever they intersect that letter will be used as a ciphertext for them. For plaintext “T” and key “D”
ciphertext will be “W”. Likewise for others OBDYGVFPLDYB

Decryption:
Step 1: write ciphertext and expand key upto the length of the ciphertext as shown below.

Step 2: consider plaintext letter as a column and key letter as a row and make a straight line from both of
it, whenever they intersect that letter will be used as a ciphertext for them. For ciphertext “W” and key “D”
plaintext will be “T ”. Likewise for others ODAYISFRIDAY
Vigenère can also be viewed algebraically. If the letters A–Z are taken to be the numbers 0–25, and addition
is performed modulo 26, then Vigenère encryption E using the key K can be written,

here i= letter position in the plaintext.

For example: consider previous example plaintext “Today is Friday” and key “Day”, In this example at 0 th
position plaintext for “T” number is 19 and “D” number is 3. By using above method
Ci = Ek(Mi) = ( T + D ) mod 26 = (19+3) mod 26 = 22 = W
and decryption D using the key K ,

here i= letter position in the plaintext.

For example: consider previous example plaintext “Today is Friday” and key “Day”, In this example at 0 th
position plaintext for “T” number is 19 and “D” number is 3. By using above method

Mi = Dk(Mi) = ( W - D) mod 26 = (22-3) mod 26 = 19 = T

E. One time pad(vermin Cipher):

It is also known a vermin cipher. In cryptography, a one-time pad (OTP) is an encryption technique that
cannot be cracked if used correctly. In this technique, a plaintext is paired with random, secret key (or pad).
pg. 7
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or
character from the pad using modular addition. If the key is truly random, and at least as long as the
plaintext, and never reused in whole or in part, and kept completely secret, then the resulting ciphertext
twill be impossible to decrypt or break. It has also been proven that any cipher with the perfect secrecy
property must use keys with effectively the same requirements as OTP keys. However, practical problems
have prevented one-time pads from being widely used.
Plaintext : Hello
Random key: XMCKL
Encryption:
Step 1: write your plaintext and replace each alphabet by its according number (A=0, B=1…….Z=25).
H E L L O
7 4 11 11 14

Step 2: generate random key as size of the plaintext replace each alphabet by its according number (A=0,
B=1…….Z=25).
X M C K L
23 12 2 10 11

Step 3: add plaintext letter number to its respective key letter number.
7 4 11 11 14
23 12 2 10 11
After Addition of above two rows
30 16 13 21 25

Step 4: if it is greater than 26 then take module 26.

30 16 13 21 25
Greater than 26 then take
Module 26
4 16 13 21 25

Step 5: replace each number by its according letter (A=0, B=1,…..Z=25)

4 16 13 21 25
E Q N V Z

Decryption:
Step 1: write ciphertext and replace each letter by its according number (A=0, B=1…….Z=25).
E Q N V Z
4 16 13 21 25

Step 2: use sender side generated random key and replace each letter by its according number (A=0,
B=1…….Z=25).
X M C K L
23 12 2 10 11

Step 3: subtract plaintext letter number from its respective key letter number.
pg. 8
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

4 16 13 21 25
23 12 2 10 11
After Subtraction of above two
rows
-19 4 11 11 14

Step 4: if it is less than 0 then add 26 to it.

-19 4 11 11 14
Less than 0 then add 26
7 4 11 11 14

Step 5: replace each number by its according letter (A=0, B=1,…..Z=25).

7 4 11 11 14
H E L L O

4. PUBLIC KEY CRYPTOGRAPHY (ASYMMETRIC ENCRYPTION)

This method employs two keys that are mathematically related although knowledge of one key does not
allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other
key is used to decrypt the ciphertext. The important point here is that it does not matter which key is applied
first, but that both keys are required for the process to work. Because a pair of keys are required, this
approach is also called asymmetric cryptography.
In this, one of the keys is designated the public key and may be advertised as widely as the owner wants.
The other key is designated the private key and is never revealed to another party. It is straight forward to
send messages under this scheme. Suppose Alice wants to send Bob a message. Alice encrypts some
information using Bob's public key; Bob decrypts the ciphertext using his private key.

Digital Signature and Verification

Digital signature is a mechanism by which a message is authenticated i.e. proving that a message is
effectively coming from a given sender, much like a signature on a paper document. A digital signature is a
technique that binds a person/entity to the digital data. This binding can be independently verified by
receiver as well as any third party. Digital signature is a cryptographic value that is calculated from the data
and a secret key known only by the signer.
For instance, suppose that Alice wants to digitally sign a message to Bob. To do so, she uses her private-key
to encrypt the message; she then sends the message along with her public-key (typically, the public key is
attached to the signed message). Since Alice’s public-key is the only key that can decrypt that message, a
successful decryption constitutes a Digital Signature Verification, meaning that there is no doubt that it is
Alice’s private key that encrypted the message.

pg. 9
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Figure 3: Digital Signature/Verification principles

Model of Digital Signature

The digital signature scheme is based on public key cryptography. The model of digital signature scheme is
depicted in the following illustration –

Figure 4: Digital Signature Model

The following points explain the entire process in detail −

 Each person adopting this scheme has a public-private key pair.
 Generally, the key pairs used for encryption/decryption and signing/verifying are different. The
private key used for signing is referred to as the signature key and the public key as the verification
key.
 Signer feeds data to the hash function and generates hash of data.
 Hash value and signature key are then fed to the signature algorithm which produces the digital
signature on given hash. Signature is appended to the data and then both are sent to the verifier.
 Verifier feeds the digital signature and the verification key into the verification algorithm. The
verification algorithm gives some value as output.
 Verifier also runs same hash function on received data to generate hash value.
 For verification, this hash value and output of verification algorithm are compared. Based on the
comparison result, verifier decides whether the digital signature is valid.

pg. 10
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

 Since digital signature is created by ‘private’ key of signer and no one else can have this key; the
signer cannot repudiate signing the data in future.

Importance of Digital Signature

Out of all cryptographic primitives, the digital signature using public key cryptography is considered as very
important and useful tool to achieve information security.
Apart from ability to provide non-repudiation (identifying the sender authentication) of message, the digital
signature also provides message authentication and data integrity. Let us briefly see how this is achieved
by the digital signature −
 Message authentication − When the verifier validates the digital signature using public key of a
sender, he is assured that signature has been created only by sender who possess the
corresponding secret private key and no one else.
 Data Integrity − In case an attacker has access to the data and modifies it, the digital signature
verification at receiver end fails. The hash of modified data and the output provided by the
verification algorithm will not match. Hence, receiver can safely deny the message assuming that
data integrity has been breached.
 Non-repudiation − Since it is assumed that only the signer has the knowledge of the signature key,
he can only create unique signature on a given data. Thus the receiver can present data and the
digital signature to a third party as evidence if any dispute arises in the future.
By adding public-key encryption to digital signature scheme, we can create a cryptosystem that can provide
the four essential elements of security namely − Privacy, Authentication, Integrity, and Non-repudiation.

Encryption with Digital Signature

In many digital communications, it is desirable to exchange an encrypted messages than plaintext to
achieve confidentiality. In public key encryption scheme, a public (encryption) key of sender is available in
open domain, and hence anyone can spoof his identity and send any encrypted message to the receiver.
This makes it essential for users employing public key cryptography for encryption to seek digital signatures
along with encrypted data to be assured of message authentication and non-repudiation.
This can archived by combining digital signatures with encryption scheme. Let us briefly discuss how to
achieve this requirement. There are two possibilities, sign-then-encrypt and encrypt-then-sign.
However, the crypto system based on sign-then-encrypt can be exploited by receiver to spoof identity of
sender and sent that data to third party. Hence, this method is not preferred. The process of encrypt-then-
sign is more reliable and widely adopted. This is depicted in the following illustration –

pg. 11
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

Figure 5: encrypt-then-sign based digital signature

The receiver after receiving the encrypted data and signature on it, first verifies the signature using sender’s
public key. After ensuring the validity of the signature, he then retrieves the data through decryption using
his private key.

5. PUBLIC KEY INFRASTRUCTURE

The most distinct feature of Public Key Infrastructure is that it uses a pair of keys to achieve the underlying
security service. The key pair comprises of private key and public key.
Since the public keys are in open domain, they are likely to be abused. It is, thus, necessary to establish
and maintain some kind of trusted infrastructure to manage these keys.

Key Management
There are some important aspects of key management which are as
follows −
 Cryptographic keys are nothing but special pieces of data. Key
management refers to the secure administration of
cryptographic keys.
 Key management deals with entire key lifecycle as depicted in
the following illustration −

 There are two specific requirements of key management for public key cryptography.
o Secrecy of private keys. Throughout the key lifecycle, secret keys must remain secret from
all parties except those who are owner and are authorized to use them.
o Assurance of public keys. In public key
Figure 6: key lifecycle
cryptography, the public keys are in open
domain and seen as public pieces of data. By default there are no assurances of whether a
public key is correct, with whom it can be associated, or what it can be used for. Thus key
pg. 12
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

management of public keys needs to focus much more explicitly on assurance of purpose of
public keys.

The most crucial requirement of ‘assurance of public key’ can be achieved through the public-key
infrastructure (PKI), a key management systems for supporting public-key cryptography.

5.1 Public Key Infrastructure (PKI)

PKI provides assurance of public key. It provides the identification of public keys and their distribution. An
anatomy of PKI comprises of the following components.
 Public Key Certificate, commonly referred to as ‘digital certificate’.
 Private Key tokens.
 Certification Authority.
 Registration Authority.
 Certificate Management System.

5.1.1 Digital Certificate

For analogy, a certificate can be
considered as the ID card issued to the
person. People use ID cards such as a
driver's license, passport to prove their
identity. A digital certificate does the
same basic thing in the electronic world,
but with one difference.
Digital Certificates are not only issued to
people but they can be issued to
computers, software packages or
anything else that need to prove the
identity in the electronic world.
The process of obtaining Digital Certificate by a person/entity is depicted in the following illustration.

As shown in the illustration, the Certifying Authority (CA) accepts the application from a client to certify his
public key. The CA, after duly verifying identity of client, issues a digital certificate to that client.

5.1.2 Certifying Authority (CA)

The CA issues certificate to a client and
Figure 7: process of obtaining Digital Certificate by a person/entity
assist other users to verify the certificate.
The CA takes responsibility for identifying correctly the identity of the client asking for a certificate to be
issued, and ensures that the information contained within the certificate is correct and digitally signs it.
pg. 13
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

The key functions of a CA are as follows −

 Generating key pairs − The CA may generate a key pair independently or jointly with the client.
 Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport agency −
the CA issues a certificate after client provides the credentials to confirm his identity. The CA then
signs the certificate to prevent modification of the details contained in the certificate.
 Publishing Certificates − The CA need to publish certificates so that users can find them. There are
two ways of achieving this. One is to publish certificates in the equivalent of an electronic telephone
directory. The other is to send your certificate out to those people you think might need it by one
means or another.
 Verifying Certificates − The CA makes its public key available in environment to assist verification of
his signature on clients’ digital certificate.
 Revocation of Certificates − At times, CA revokes the certificate issued due to some reason such as
compromise of private key by user or loss of trust in the client. After revocation, CA maintains the
list of all revoked certificate that is available to the environment.
There are four typical classes of certificate −
 Class 1 − These certificates can be easily acquired by supplying an email address.
 Class 2 − These certificates require additional personal information to be supplied.
 Class 3 − These certificates can only be purchased after checks have been made about the
requestor’s identity.
 Class 4 − They may be used by governments and financial organizations needing very high levels of
trust.

5.1.3 Registration Authority (RA)

CA may use a third-party Registration Authority (RA) to perform the necessary checks on the person or
company requesting the certificate to confirm their identity. The RA may appear to the client as a CA, but
they do not actually sign the certificate that is issued.

5.1.4 Certificate Management System (CMS)

It is the management system through which certificates are published, temporarily or permanently
suspended, renewed, or revoked. Certificate management systems do not normally delete certificates
because it may be necessary to prove their status at a point in time, perhaps for legal reasons. A CA along
with associated RA runs certificate management systems to be able to track their responsibilities and
liabilities.

5.1.5 Private Key Tokens

While the public key of a client is stored on the certificate, the associated secret private key can be stored
on the key owner’s computer. This method is generally not adopted. If an attacker gains access to the

pg. 14
Computer Network Security Chapter 3: Cryptography and Public key Infrastructure

computer, he can easily gain access to private key. For this reason, a private key is stored on secure
removable storage token access to which is protected through a password.
Different vendors often use different and sometimes proprietary storage formats for storing keys. For
example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore use the
standard .p12 format.

pg. 15