
Data & Network Security

Chapter – Cryptography
Outline
2.1 Introduction
2.2 Basic Cryptography Terminology covering:
2.2.1 Notions pertaining to the different (communication) partners.
2.2.2 Secure/unsecure channel
2.2.3 Attackers and their capabilities
2.2.4 Encryption
2.2.5 Decryption
2.2.6 Keys and their characteristics, signatures.
2.3 Cipher types (e.g., Caesar cipher, affine cipher)
2.4 Cryptographic Algorithms.
2.5 Cryptographic Tools and their challenges
Learning Outcome
At the end of this chapter, students should be able to:
• Define cryptography.
• Explain the terminology used in cryptography.
• Apply some cryptography techniques/approaches.
• Understand the concept of Public Key Infrastructure.
• Understand the challenges of Public Key Infrastructure.
Introduction – Cryptography
• Originates from the Greek words “kryptos” (secret) and “graphia” (writing).
• Cryptography is defined as secret writing.
• In technical terms, cryptography is a mapping of readable text to a format that cannot be read (unreadable).
• e.g. ‘ME’ to ‘NB’
• In the early days, cryptography was performed using manual techniques.
Introduction – Cryptography
• In the 5th century BC, the Spartans encrypted messages using a strip of paper made from lontar palm leaf (‘daun lontar’) attached to a piece of wood.
• The information to be hidden was then written on the palm-leaf strip.
• When the strip was removed from the wood, the written words were scattered and hard to understand.
• To get back the original message, the strip had to be attached to the same piece of wood again.
• In this case, the strip and the wood used are the key to the system. This encryption method is called the Scytale.
Introduction – Cryptography
• Julius Caesar (around 2000 years ago) used a substitution cryptography system that he created himself.
• In this method, each letter in the text is moved 2 places forward in the alphabet.
• e.g. the letter A is substituted with C, B with D and so on.
• This method is called the Caesar cipher.
• However, this method was broken through analysis of the cipher text. The Arabs were the first people to analyse substitution ciphers.
• Qalqashandi created a technique to solve the code by collecting all the cipher characters and counting how frequently each character is used.
• Based on this frequency table, the cipher text could be decrypted to get back the original text.
Simple Message Transmission
[Figure: Sender → Transmission → Recipient, with an Outsider (Intruder) who can block, intercept, modify or fabricate the message]

• Consider the steps involved in sending a message from a sender to a recipient. If the sender entrusts the message to T (transmission), who then delivers it to the recipient, T becomes the transmission medium. If an outsider wants to access the message (to read, change or even destroy it), we call the outsider the intruder.
Why Use Cryptography?
• Confidentiality – prevents the message from being disclosed to unauthorized users or parties. The message is disclosed only to the authorized and intended parties who have rights to it.
• Integrity – ascertains that the received message has not been modified. This ensures that the message was not modified on its way from sender to receiver.
Cont…
• Authentication – permits the message receiver to verify the original message being sent. This makes sure that the message can be verified with confidence and prevents disguise.
• Non-repudiation – the sender cannot later deny that he/she has sent the message.
Terminology
• Human language takes the form of plain text or clear text.
• A message in plain text can be understood by anybody who knows the language.
• Notably, we use plain text during electronic conversations.
• e.g. sending an email to someone.
• Clear text or plain text signifies a message that can be understood by the sender, the recipient and also by anyone else who gets access to that message.
Cont…
• In normal life, we do not bother about the fact that
someone could be overhearing us.
• However, there are situations where we are
concerned about the secrecy of our conversations.
• e.g. knowing bank account’s balance, secret message
from military officer, secret email, children or
primary school students hide their conversation
through code language.
Cont…
• Suppose P (plain text) is to be transferred through a communication channel as a secret message.
• First, P must be converted to another form. The conversion process is called encryption.
• When this plain text message is codified using a suitable scheme, the resulting message is called cipher text (denoted C).
• Cipher means a code or a secret message.
Cont…
• A cryptographic algorithm is a technique or rule for encryption that determines how easy or complex the encryption process is.
• The transformation of the original text, P, into cipher text, C, depends on an additional parameter, K, called the key.
• The cipher text, C, must undergo the inverse process to get back the plain text, P. This process can be done using a second key, K’.
• This inverse process is called decryption.
Cont…
• The study of encryption and decryption is called cryptography.
• The process of getting the original text from the cipher text without the key is called cryptanalysis.
• The discipline that combines the 2 divisions (cryptography and cryptanalysis) is called cryptology.
[Figure: Plain text P → Encryption by the sender (Key = K) → Cipher text C → Decryption by the recipient (Key = K’) → Original text P]
Using Key in Cryptography

• The cryptosystem involves a set of rules for how to encrypt the plaintext and how to decrypt the cipher text. The encryption and decryption rules, called algorithms, often use a device called a key, denoted by K.
Symmetric Cryptosystem
P = D (K, E(K,P))
[Figure: Original plaintext → Encryption → Ciphertext → Decryption → Plaintext, with the same KEY used for both steps]

• The keys used to encrypt and decrypt are the same, and decryption is the mirror image of encryption.
Simplified Model of Symmetric Encryption
Asymmetric Cryptosystem

P = D (KD, E(KE,P))
[Figure: Original plaintext → Encryption (Encryption Key 1) → Ciphertext → Decryption (Encryption Key 2) → Plaintext]

• The process of converting the encrypted message back to the original text involves a series of steps and a key that are different from those of the encryption process.
Cryptanalysis
• Recognize patterns in encrypted message, to be able
to break subsequent ones by applying a
straightforward decryption algorithm.
• Find weakness in the implementation or
environment of use of encryption.
• Find general weaknesses in an encryption algorithm,
without necessarily having intercepted any
messages.
Cipher types
• Cipher methods can be divided into two types
– Bit stream
• Each bit in the plaintext is transformed into a cipher bit, one bit at a time.
– Block cipher
• The message is divided into blocks and each block of plaintext bits is transformed into an encrypted block of cipher bits using an algorithm and a key.
• Example: 8, 16, 32, 64 bit blocks.
Classical Cryptography - Cipher
• In classical cryptography, there are 2 basic components: substitution and transposition.
• A substitution cipher substitutes a bit, a character or a block of characters (e.g. one character is substituted with another character: C is substituted with F).
• A transposition cipher (also called a permutation cipher) rearranges or transposes the bits or characters of the original text.
Classical Cryptography
• Examples of substitution ciphers are Easy substitution, Homophonic substitution, Polyalphabetic substitution and Polygram substitution.
• Examples of transposition ciphers are Columnar transposition, Rail fence and Vernam cipher.
• Elements of substitution and transposition are also used in modern cryptography algorithms.
Substitution Cipher
• There are 4 kinds of substitution cipher: Mono-alphabetic, Homophonic, Poly-alphabetic and Polygram.
• Caesar Cipher – proposed by Julius Caesar.
• Each letter in a message is replaced by the letter 3 places down the line.
• A very weak scheme for hiding plain text messages – to break it, reverse the Caesar Cipher process using the letter that is 3 places up the line.
• e.g. A with X, B with Y, C with Z, D with A and so on.
Caesar Cipher
Cipher text  L V W X G B F U B S W R
Plain text   I S T U D Y C R Y P T O
• Good in theory but not so good in practice.
• How can the cipher be made more difficult and complicated?
• The cipher text letters corresponding to the original plain text letters need not be 3 places down the order; instead, they can be any number of places down the order.
Caesar Cipher
• We then have the Caesar cipher as:
– c = E(k, p) = (p + k) mod 26
– p = D(k, c) = (c – k) mod 26
• there are only 26 possible ciphers
• A maps to A, B, ... Z
• a brute-force search: given the ciphertext, just try all shifts of letters
• e.g. break the ciphertext “VHFXULWB”
Mono-Alphabetic Cipher
• The major weakness of the Caesar Cipher is its predictability.
• Rather than using a uniform scheme, use random substitution. This means that in a given plain text message, each A can be replaced by any other letter (B through Z), each B can also be replaced by any other random letter (A or C through Z) and so on.
• The crucial difference is that there is no relation between the replacement of B and the replacement of A. That is, if we decide to replace A with D, we need not replace each B with E; B can be replaced with any other character.
Mono-Alphabetic Cipher
• now have a total of 26! = 4 x 10^26 keys
• This is extremely hard to crack. It might actually take years to try out this many combinations, even with the most modern computers.
• There is only one hitch. The cryptanalyst can try different attacks based on her knowledge of the English language.
Language Redundancy and Cryptanalysis
• human languages are redundant
eg "th lrd s m shphrd shll nt wnt"
• letters are not equally commonly used
• other letters like Z,J,K,Q,X are fairly rare
• have tables of single, double & triple letter
frequencies for various languages
• in English E is by far the most common letter
– followed by T,R,N,I,O,A,S
English Letter Frequencies
Use in Cryptanalysis
• key concept – mono alphabetic substitution ciphers
do not change relative letter frequencies
• discovered by Arabian scientists in 9th century
• calculate letter frequencies for ciphertext
• compare counts/plots against known values
• for mono-alphabetic must identify each letter
– tables of common double/triple letters help
Example Cryptanalysis
• given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• count relative letter frequencies (see text)
• guess ‘P & Z’ are ‘e’ and ‘t’
• guess ‘ZW’ is ‘th’ and hence ZWP is ‘the’
• proceeding with trial and error finally get:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in moscow
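The first steps of this cryptanalysis, written out as an added Python example (not part of the original slides). The ciphertext and plaintext are the ones shown above; the function names are assumptions made for the illustration.

```python
from collections import Counter

# Ciphertext and recovered plaintext exactly as given on the slide.
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)
PLAINTEXT = (
    "it was disclosed yesterday that several informal but "
    "direct contacts have been made with political "
    "representatives of the viet cong in moscow"
)


def letter_frequencies(text):
    """Return [(letter, count, percent)] sorted by descending count."""
    counts = Counter(ch for ch in text if ch.isalpha())
    total = sum(counts.values())
    return [(ch, n, round(100 * n / total, 2)) for ch, n in counts.most_common()]


def ngram_counts(text, n):
    """Count overlapping n-letter sequences (digrams for n=2, trigrams for n=3)."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def apply_partial_key(ciphertext, guesses):
    """Substitute the letters guessed so far; unknown letters are shown as '.'."""
    return "".join(guesses.get(ch, ".") for ch in ciphertext)


def derive_key(ciphertext, plaintext):
    """Build the cipher-to-plain table from a known pair.

    Raises ValueError if the pair is not a consistent mono-alphabetic
    substitution (one cipher letter for two plain letters, or the reverse).
    """
    plain = [ch for ch in plaintext if ch.isalpha()]
    if len(plain) != len(ciphertext):
        raise ValueError("ciphertext and plaintext lengths differ")
    key = {}
    for c, p in zip(ciphertext, plain):
        if key.setdefault(c, p) != p:
            raise ValueError(f"{c} maps to both {key[c]} and {p}")
    if len(set(key.values())) != len(key):
        raise ValueError("two cipher letters map to the same plain letter")
    return key


if __name__ == "__main__":
    # Step 1: single-letter counts. P and Z stand out, hence the 'e'/'t' guess.
    for letter, count, percent in letter_frequencies(CIPHERTEXT)[:5]:
        print(f"{letter}: {count:2d}  {percent:5.2f}%")
    # Step 2: the digram ZW repeats, hence the 'th' guess, and ZWP reads 'the'.
    print("ZW occurs", ngram_counts(CIPHERTEXT, 2)["ZW"], "times")
    # Step 3: apply the three guesses and look at what has become readable.
    print(apply_partial_key(CIPHERTEXT, {"P": "e", "Z": "t", "W": "h"}))
    # The finished table, recovered from the known plaintext.
    key = derive_key(CIPHERTEXT, PLAINTEXT)
    print("".join(key[c] for c in CIPHERTEXT))
```

The relative frequencies survive the substitution unchanged, which is why the first two guesses can be made from counts alone.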
Homophonic Substitution Cipher
• Very similar to the Mono-alphabetic Cipher.
• The difference between the 2 techniques is that the replacement alphabet set in the simple substitution technique is fixed (A with D..), whereas in the Homophonic case one plain text letter can map to more than one cipher text letter.
• e.g. A can be replaced by D, H, P, R; B can be replaced by E, I, Q, S….
• More difficult to analyse than mono-alphabetic because the frequencies do not show the real usage of each letter.
Polygram Substitution Cipher
• Rather than replacing one plain text letter with one cipher text letter at a time, a block of letters is replaced with another block.
• It is done by dividing the plain text into groups of letters. A group can be 2 letters or more.
• The Playfair Cipher and the Hill Cipher are examples of ciphers that use Polygram Substitution.
Playfair Cipher
• not even the large number of keys in a mono-
alphabetic cipher provides security
• one approach to improving security was to encrypt
multiple letters
• the Playfair Cipher is an example
• invented by Charles Wheatstone in 1854, but named
after his friend Baron Playfair
Playfair Cipher
• Playfair cipher algorithm based on 5 x 5 matrix and one
key. This matrix created using the key. There are 5 rules
to obey.
• e.g. given a key = LEDANG and plain text =
DATANETWORKSECURITY, what is the cipher text?

L E D A N
G B C F H
I/J K M O P
Q R S T U
V W X Y Z
Playfair Cipher
• plaintext is encrypted two letters at a time
• Below is the set of rules of the Playfair Cipher:
– divide the plain text into groups of 2 letters each: DA, TA, NE, TW, OR, KS, EC, UR, IT, Y. If a group lacks one letter, fill it with X, so Y becomes YX.
– if a pair is a repeated letter, insert a filler like 'X’
– if both letters fall in the same row, replace each with the letter to its right (wrapping back to the start from the end)
– if both letters fall in the same column, replace each with the letter below it (wrapping to the top from the bottom)
– otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair
Playfair Cipher
• DA, TA, NE, TW, OR, KS, EC, UR, IT, YX.
• DA – AN, TA – YF, NE – LD, TW – RY, OR – KT, KS – MR, EC – DB, UR – QS, IT – OQ, YX – ZY
• Cipher Text = ANYFLDRYKTMRDBQSOQZY
Poly-Alphabetic Substitution Cipher
• Leon Battista invented the Polyalphabetic Cipher in
1568. This cipher has been broken many times, and
yet it has been used extensively. The Vigenere Cipher
and Beaufort Cipher are the examples of it.
• The cipher uses multiple one-character keys. Each of
the keys encrypts one plain text character.
Poly-Alphabetic Substitution Cipher
• The first key encrypts the first plain text character,
the second key encrypts the second plain text
character and so on.
• After all the keys are used, they are recycled. Thus, if
we have 30 one-letter keys, every 30th character in
the plain text would be replaced with the same key.
Vigenere Cipher
• Created by Blaise de Vigenere in the 16th century. In this cipher scheme, a set of mono-alphabetic substitution rules built from the 26 Caesar ciphers, with shift values from 0 to 25, is used together with a key.
• Based on this key, the value of each cipher character is determined.
• e.g. DATANETWORKSECURITY with LEDANG as the key value.
Vigenere Cipher
• P: D A T A N E T W O R K S E C U R I T Y
• K: L E D A N G L E D A N G L E D A N G L
• C: O E W A A K E A R R X Y P G X R V Z J

• The first character of the plain text, D, is moved 11 steps (key letter L), and so on.
• With this encryption scheme, the letter ‘T’ is encrypted to several different letters, such as ‘W’, ‘E’ and ‘Z’. So, the peaks in the letter frequency table are reduced.
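The Caesar formulas from the earlier slides and the Vigenere example above, as an added Python example that is not part of the original slides. It reproduces both worked examples, runs the 26-shift brute force on “VHFXULWB”, and checks the claim about the letter ‘T’; the function names are assumptions made for the illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_letter(ch, k):
    """Move one letter k places through the alphabet, wrapping with mod 26."""
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def caesar_encrypt(plaintext, k):
    """c = E(k, p) = (p + k) mod 26; anything that is not A-Z passes through."""
    return "".join(shift_letter(ch, k) if ch in ALPHABET else ch
                   for ch in plaintext.upper())


def caesar_decrypt(ciphertext, k):
    """p = D(k, c) = (c - k) mod 26."""
    return caesar_encrypt(ciphertext, -k)


def caesar_brute_force(ciphertext):
    """All 26 candidate plaintexts; list index = the shift that was undone."""
    return [caesar_decrypt(ciphertext, k) for k in range(26)]


def vigenere(text, key, decrypt=False):
    """Each key letter selects one of the 26 Caesar ciphers (A = 0 ... Z = 25).

    The key is recycled once every key letter has been used; characters that
    are not letters pass through and do not consume a key letter.
    """
    shifts = [ALPHABET.index(ch) for ch in key.upper() if ch in ALPHABET]
    if not shifts:
        raise ValueError("the key must contain at least one letter")
    out, used = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = shifts[used % len(shifts)]
            out.append(shift_letter(ch, -k if decrypt else k))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def images_of(letter, plaintext, ciphertext):
    """Every cipher letter that one plain letter was turned into."""
    return sorted({c for p, c in zip(plaintext, ciphertext) if p == letter})


if __name__ == "__main__":
    # Caesar: only 26 keys, so the whole key space fits on one screen.
    for k, candidate in enumerate(caesar_brute_force("VHFXULWB")):
        print(f"{k:2d}  {candidate}")

    plain = "DATANETWORKSECURITY"
    cipher = vigenere(plain, "LEDANG")
    print(cipher)
    # Under Caesar a plain 'T' always becomes the same cipher letter ...
    print(images_of("T", plain, caesar_encrypt(plain, 3)))
    # ... under Vigenere it is spread over several, flattening the peaks.
    print(images_of("T", plain, cipher))
```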
Vernam Cipher
• Created by Gilbert Vernam, an AT&T engineer, in 1918.
• This invention marks the start of modern cryptography.
• It can be called a strong cipher that is immune to attack because of the characteristics of its key.
• The characteristics are:
– The key must be a random value, and
– The key must be as long as the plain text
Vernam Cipher
E.g.:
T          :  V  E  R  N  A  M  S  I  F  E  R
Char Value : 21  4 17 13  0 12 18  8  5  4 17
Random K   : 76 48 16 82 44  3 58 11 60  5 48
Add T + K  : 97 52 33 95 44 15 76 19 65  9 65
C          :  T  A  H  R  S  P  Y  T  N  J  N
One-Time Pads (OTP) Cipher
• The OTP Cipher is a new version of the Vernam Cipher, also from Gilbert Vernam, in 1917.
• OTP is the strongest cryptography system in terms of security and cannot be broken using the latest technology.
• This cipher is said to be a perfect encryption scheme. It is perfect because the cipher text produced is a random value that does not show any statistical correspondence with the plain text.
One-Time Pads (OTP) Cipher
• OTP characteristics:
– A key that is perfectly random
– A key that has no repetition and no meaning
– A key that is used one time only, for the encryption and decryption of one plain text
• In theory, this cipher cannot be broken, but till now there is no hard mathematical proof to explain the integrity of this system.
• However, this cipher cannot be used in practice because of the key requirement.
• It is hard to generate a key that is perfectly random and of large size.
Transposition Cipher
• Transposition techniques differ from substitution techniques in that they do not simply replace one letter with another.
• They also perform some permutation over the plain text letters.
• these hide the message by rearranging the letter order
• without altering the actual letters used
• these can be recognised since they have the same frequency distribution as the original text
Transposition Cipher
• Usually, the mapping is done with a geometric diagram or matrix.
• Transposition encryption is done in 2 steps:
– The plain text is arranged in the desired form. This is referred to as the writing process.
– The reading process. This is the method of transforming the plain text that has gone through the writing process to produce the cipher text.
[Figure: Plain text → (writing process) → Form → (reading process) → Cipher text]
Rail Fence Technique

• The Rail Fence is an example of transposition. It uses a simple geometric form as below:
• Encryption: write the message letters out diagonally over a number of rows
• then read off the cipher row by row
• e.g. encrypt the message “defend the east wall” with key 2

d f n t e a t a l
 e e d h e s w l
cipher text: dfnteataleedheswl
Rail Fence Technique
• The decryption process for the Rail Fence Cipher involves reconstructing the diagonal grid used to encrypt the message.
• Write the message, but leave a dash in place of the spaces yet to be occupied.
• Then, replace all the dashes with the corresponding letters, and read off the plaintext from the table.
• e.g. decrypt the message “dfnteataleedheswl” with key 2
d f n t e a t a l
 - - - - - - - -

d f n t e a t a l
 e e d h e s w l

Clear text: defend the east wall

Rail Fence Technique
• Quiz: write the following sentence using Rail fence
technique (the key here is 3)

– “ defend the east wall of the castle”


Symmetric Encryption
• the universal technique for providing confidentiality for transmitted or stored data
• also referred to as conventional encryption or single-key encryption
• two requirements for secure use:
– need a strong encryption algorithm
– sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure
Figure 2.1 Simplified Model of Symmetric Encryption
Attacking Symmetric Encryption
Cryptanalytic Attacks
– rely on:
• nature of the algorithm
• some knowledge of the general characteristics of the plaintext
• some sample plaintext-ciphertext pairs
– exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or the key being used
• if successful all future and past messages encrypted with that key are compromised
Brute-Force Attack
• try all possible keys on some ciphertext until an intelligible translation into plaintext is obtained
– on average half of all possible keys must be tried to achieve success
Table 2.1 Average Time Required for Exhaustive Key Search

Table 2.2 Comparison of Three Popular Symmetric Encryption Algorithms
Asymmetric Encryption
• Also called Public Key Cryptography; 2 different keys (which form a key pair) are used.
• One key is used for encryption and only the other corresponding key must be used for decryption.
• No other key can decrypt the message – not even the original (the first) key used for encryption!
• The beauty of this scheme is that every communicating party needs just a key pair.
Public-Key Encryption Structure
• publicly proposed by Diffie and Hellman in 1976
• based on mathematical functions
• asymmetric
– uses two separate keys
– public key and private key
– public key is made public for others to use
• some form of protocol is needed for distribution
Asymmetric Encryption
• One of the 2 keys is called as public key and the other is
the private key.
• The private key remains with you as a secret.
• The private key must not be disclosed to anybody.
• However, the public key is for the general public.
• It is disclosed to all parties that you want to
communicate with.
• In this scheme, in fact, each party publishes its public key.
Asymmetric Encryption
• Suppose A wants to send a message to B without having
to worry about its security.
• Then, A and B should each have a private key and a
public key.
– A should keep her private key secret
– B should keep her private key secret
– A should inform B about her public key
– B should inform A about her public key
• Thus, we have a matrix as shown next.
Asymmetric Encryption
Key details       A should know   B should know
A’s private key   Yes             No
A’s public key    Yes             Yes
B’s private key   No              Yes
B’s public key    Yes             Yes

• Asymmetric key cryptography works as follows:
– when A wants to send a message to B, A encrypts the message using B’s public key. This is possible because A knows B’s public key.
– A sends this message (which was encrypted with B’s public key) to B.
– B decrypts A’s message using B’s private key.
Asymmetric Encryption
– Note that only B knows about her private key.
– Also note that the message can be decrypted only by
B’s private key and nothing else!
– Thus, no one else can make any sense out of the
message even if one can manage to intercept the
message.
– This is because the intruder (ideally) does not know
about B’s private key. It is only B’s private key that can
decrypt the message.
– Similarly, when B wants to send a message to A,
exactly reverse steps take place.
[Figure: Sender (A) encrypts the plain text with B’s public key; Receiver (B) decrypts with B’s private key to get back the plain text]


A encrypts the message using B’s public key. Therefore only B can
decrypt the message back to its original form, using her private
key.
PUBLIC KEY CRYPTOSYSTEM
A public-key encryption scheme has six ingredients
• Plaintext: This is the readable message or data that is fed into the algorithm as input.
• Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
• Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the algorithm depend on the public or private key that is provided as input.
• Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
• Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.
PUBLIC KEY CRYPTOSYSTEM
The essential steps are the following.
1. Each user generates a pair of keys to be used for the encryption and decryption of messages.
2. Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private. As Figure 9.1a suggests, each user maintains a collection of public keys obtained from others.
3. If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice’s public key.
4. When Alice receives the message, she decrypts it using her private key. No other recipient can decrypt the message because only Alice knows Alice’s private key.
With this approach, all participants have access to public keys, and private keys are generated locally by each participant and therefore need never be distributed. As long as a user’s private key remains protected and secret, incoming communication is secure. At any time, a system can change its private key and publish the companion public key to replace its old public key.
RSA ALGORITHM
• A number of algorithms have been proposed for public-key cryptography. One
of the first successful responses to the challenge was developed in 1977 by Ron
Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978.
• The Rivest-Shamir-Adleman (RSA) scheme has since that time reigned supreme
as the most widely accepted and implemented general-purpose approach to
public-key encryption.
• The RSA scheme is a block cipher in which the plaintext and ciphertext are
integers between 0 and n - 1 for some n
RSA ALGORITHM -EXAMPLE
Real Life Implementation
• We can consider a practical situation that describes
asymmetric cryptography as used in real life.
• Suppose a bank accepts many requests for transaction
from its customers over an insecure network.
• The bank can have a private key-public key pair. The bank
can publish its public key to all its customers.
• The customers can use this public key of the bank for
encrypting messages before they send them to the bank.
The bank can decrypt all these encrypted messages with its private key, which remains with the bank itself.
Applications for Public-Key Cryptosystems
Requirements for Public-Key Cryptosystems
• computationally easy to create key pairs
• computationally easy for sender knowing public key to encrypt messages
• computationally easy for receiver knowing private key to decrypt ciphertext
• computationally infeasible for opponent to determine private key from public key
• computationally infeasible for opponent to otherwise recover original message
• useful if either key can be used for each role
• RSA (Rivest, Shamir, Adleman)
– developed in 1977
– most widely accepted and implemented approach to public-key encryption
– block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
• Diffie-Hellman key exchange algorithm
– enables two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages
– limited to the exchange of the keys
• Digital Signature Standard (DSS)
– provides only a digital signature function with SHA-1
– cannot be used for encryption or key exchange
• Elliptic curve cryptography (ECC)
– security like RSA, but with much smaller keys
Key Exchange/Distribution
• How nice to combine two cryptography mechanisms?
Problems before?
• Combination must meet following obj:
– Solution completely secure
– Encryption & decryption -> not take a long time
– Generated cipher text -> compact in size
– Solution scale to a large number of users
– Key distribution problem must be solved
• In practice, symmetric & asymmetric are combined ->
very efficient security solution
Key Exchange/Distribution
• Suppose you need to send a protected message to
someone you do not know and who does not know
you
• Eg. Online income tax return
• You want the information to be protected
• And you do not necessarily know the person who is
receiving the information
• Situation : being able to exchange encryption key -> nobody can intercept it
Diffie-Hellman Key
• Whitfield Diffie and Martin Hellman
– devised an amazing solution to the problem
– called the Diffie-Hellman Key Exchange/Agreement Algorithm.
• The beauty of this scheme – two parties who want to communicate securely can agree on a symmetric key using this technique.
• However, it must be noted that DHKE/AA can be used only for key agreement, not for encryption or decryption of messages.
Description and Mathematical Theory of the Algorithm
• Alice and Bob want to agree upon a key to be used for encrypting / decrypting messages that will be exchanged between them.
• 1. Firstly, Alice and Bob agree on one prime number, n, and one root number, g. These 2 integers need not be kept secret. Alice and Bob can use an insecure channel to agree on them.
Let n = 11, g = 7.
Diffie-Hellman Algorithm
Let n = 11, g = 7.
• 2. Alice chooses a private large random number x, and calculates A: A = g^x mod n
Let x = 3. Then we have, A = 7^3 mod 11 = 343 mod 11 = 2.
• 3. Alice sends the number A (public) to Bob.
Alice sends 2 to Bob.
• 4. Bob independently chooses another private large random number y and calculates B such that: B = g^y mod n
Let y = 6. Then we have, B = 7^6 mod 11 = 117649 mod 11 = 4.
Diffie-Hellman Algorithm
• 5. Bob sends the number B (public) to Alice
Bob sends 4 to Alice.
• 6. Alice now computes the secret key K1 as follows: K1 = B^x mod n
We have, K1 = 4^3 mod 11 = 64 mod 11 = 9.
• 7. Bob now computes the secret key K2 as follows: K2 = A^y mod n
We have, K2 = 2^6 mod 11 = 64 mod 11 = 9.
• Therefore in this case we have: K1 = K2 = K.
Using Diffie-Hellman
            Alice                               Bob
Shared   Secret   Calc               Shared   Secret   Calc
23, 5                                23, 5
         6        5^6 mod 23 = 8     8

1. Alice and Bob agree to use the same two numbers. For example, the base number g=5 and prime number p=23
2. Alice now chooses a secret number x=6.
3. Alice performs the DH algorithm: g^x modulo p = (5^6 modulo 23) = 8 (Y) and sends the new number 8 (Y) to Bob.
Using Diffie-Hellman
            Alice                               Bob
Shared   Secret   Calc               Shared   Secret   Calc
5, 23                                5, 23
         6        5^6 mod 23 = 8     8        15
19                                                     5^15 mod 23 = 19
                  19^6 mod 23 = 2                      8^15 mod 23 = 2

4. Meanwhile Bob has also chosen a secret number x=15, performed the DH algorithm: g^x modulo p = (5^15 modulo 23) = 19 (Y) and sent the new number 19 (Y) to Alice.
5. Alice now computes Y^x modulo p = (19^6 modulo 23) = 2.
6. Bob now computes Y^x modulo p = (8^15 modulo 23) = 2.
The result (2) is the same for both Alice and Bob. This number can now be used as a shared secret key by the encryption algorithm.
Diffie-Hellman Algorithm
• An obvious question now is: if Alice and Bob can both calculate K independently, so can an attacker! What prevents this?
• The fact is, Alice and Bob exchange n, g, A and B (public). Based on these values, x (Alice’s private key) and y (Bob’s private key) cannot be calculated easily.
• Rogue X knows: n, g, A and B
• Tries to calculate K = A^y mod n = 2^y mod 11 (A is Alice’s public value, y is Bob’s private key)
= B^x mod n = 4^x mod 11 (B is Bob’s public value, x is Alice’s private key)
• y (Bob’s private key) = 6, x (Alice’s private key) = 3
Diffie-Hellman Algorithm
• Mathematically, the calculations to find out x and y are extremely complicated if they are sufficiently large numbers.
• Consequently, an attacker cannot calculate x and y, and therefore cannot derive K.
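Both worked exchanges above, together with the search that Rogue X is left with, as an added Python example that is not part of the original slides. The function names are assumptions; the numbers are the ones on the slides.

```python
def dh_public(g, n, private):
    """Value sent over the insecure channel: g^private mod n."""
    return pow(g, private, n)


def dh_shared(their_public, my_private, n):
    """Key each side computes locally: (their public value)^(my private) mod n."""
    return pow(their_public, my_private, n)


def brute_force_private(g, n, public):
    """What an eavesdropper has to do with only n, g and a public value:
    try exponents 1, 2, 3, ... until g^e mod n matches.

    Returns (exponent, multiplications used), or None if nothing matches.
    The loop runs up to n - 1 times, so it only finishes for toy-sized n;
    for an n hundreds of digits long it never completes in practice.
    """
    value = 1
    for exponent in range(1, n):
        value = (value * g) % n
        if value == public:
            return exponent, exponent
    return None


def run_exchange(n, g, x, y):
    """Carry out steps 1-7 and return everything both sides and the wire see."""
    A = dh_public(g, n, x)      # Alice -> Bob
    B = dh_public(g, n, y)      # Bob -> Alice
    k1 = dh_shared(B, x, n)     # Alice's copy of the key
    k2 = dh_shared(A, y, n)     # Bob's copy of the key
    return {"A": A, "B": B, "K1": k1, "K2": k2}


def eavesdrop(n, g, A, B):
    """Recover K from the public values alone (feasible only for tiny n)."""
    found = brute_force_private(g, n, A)
    if found is None:
        raise ValueError("A is not a power of g modulo n")
    x, _steps = found
    return pow(B, x, n)


if __name__ == "__main__":
    first = run_exchange(n=11, g=7, x=3, y=6)
    print(first)                                   # A=2, B=4, K1=K2=9
    print(run_exchange(n=23, g=5, x=6, y=15))      # A=8, B=19, K1=K2=2
    # With n = 11 the eavesdropper needs at most 10 multiplications.
    print(brute_force_private(7, 11, first["A"]))
    print(eavesdrop(11, 7, first["A"], first["B"]))
```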
Data Encryption Standard (DES)

the most widely used encryption scheme
• FIPS PUB 46
• referred to as the Data Encryption Algorithm (DEA)
• uses 64 bit plaintext block and 56 bit key to produce a 64 bit ciphertext block

strength concerns:
• concerns about algorithm
• DES is the most studied encryption algorithm in existence
• use of 56-bit key
• Electronic Frontier Foundation (EFF) announced in July 1998 that it had broken a DES encryption
Triple DES (3DES)
• repeats basic DES algorithm three times using either two or three unique keys
• first standardized for use in financial applications in ANSI standard X9.17 in 1985
• attractions:
– 168-bit key length overcomes the vulnerability to brute-force attack of DES
– underlying encryption algorithm is the same as in DES
• drawbacks:
– algorithm is sluggish in software
– uses a 64-bit block size
Advanced Encryption Standard (AES)
• needed a replacement for 3DES
– 3DES was not reasonable for long term use
• NIST called for proposals for a new AES in 1997
– should have a security strength equal to or better than 3DES
– significantly improved efficiency
– symmetric block cipher
– 128 bit data and 128/192/256 bit keys
• selected Rijndael in November 2001
– published as FIPS 197
Practical Security Issues
• typically symmetric encryption is applied to a unit of data larger than a single 64-bit or 128-bit block
• electronic codebook (ECB) mode is the simplest approach to multiple-block encryption
– each block of plaintext is encrypted using the same key
– cryptanalysts may be able to exploit regularities in the plaintext
• modes of operation
– alternative techniques developed to increase the security of symmetric block encryption for large sequences
– overcomes the weaknesses of ECB
Block & Stream Ciphers
Block Cipher
• processes the input one block of elements at a time
• produces an output block for each input block
• can reuse keys
• more common

Stream Cipher
• processes the input elements continuously
• produces output one element at a time
• primary advantage is that they are almost always faster and use far less code
• encrypts plaintext one byte at a time
• pseudorandom stream is one that is unpredictable without knowledge of the input key
Block Cipher
Encryption

Stream
Encryption
Block Cipher Modes
[Figure: Electronic Codebook (ECB) and Cipher block chaining (CBC), each applied to a message of five 64-bit blocks with DES; the CBC panel adds an Initialization Vector]
Message Authentication
• protects against active attacks
• verifies received message is authentic
– contents have not been altered
– from authentic source
– timely and in correct sequence
• can use conventional encryption
– only sender & receiver share a key
Message Authentication Codes
Secure Hash Functions
Figure 2.6 Message Authentication Using a One-Way Hash Function
Security of Hash Functions
• there are two approaches to attacking a secure hash function:
– cryptanalysis
» exploit logical weaknesses in the algorithm
– brute-force attack
» strength of hash function depends solely on the length of the hash code produced by the algorithm
• SHA, MD5 and MD4 are the most widely used hash algorithms
• additional secure hash function applications:
– passwords
» hash of a password is stored by an operating system
– intrusion detection
» store H(F) for each file on a system and secure the hash values
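The intrusion-detection use above, "store H(F) for each file and secure the hash values", sketched as an added example that is not part of the original slides. It assumes SHA-256 for H and an HMAC over the stored baseline as the way of securing it; the key and sample files are constructed.

```python
import hashlib, hmac, json, os, tempfile

def file_hash(path):
    # H(F): SHA-256 over the file contents, read in chunks.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tag_for(blob, key):
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def build_baseline(paths, key):
    # Store H(F) for each file, then secure the stored values with a keyed MAC.
    blob = json.dumps({p: file_hash(p) for p in paths}, sort_keys=True).encode()
    return blob, tag_for(blob, key)

def changed_files(blob, tag, key):
    # Refuse to trust a baseline whose MAC does not verify.
    if not hmac.compare_digest(tag_for(blob, key), tag):
        raise ValueError("baseline failed authentication")
    return sorted(p for p, digest in json.loads(blob).items()
                  if not os.path.isfile(p) or file_hash(p) != digest)

def demo():
    key = b"constructed-baseline-key"  # constructed; keep the real key off the host
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("hosts", "sshd_config")]
        for p in paths:
            with open(p, "w") as f:
                f.write("original contents of " + os.path.basename(p) + "\n")
        blob, tag = build_baseline(paths, key)
        clean = changed_files(blob, tag, key)
        with open(paths[0], "a") as f:  # simulate an unauthorized modification
            f.write("modified\n")
        detected = [os.path.basename(p) for p in changed_files(blob, tag, key)]
        # A rewritten baseline carries the new hash but not a valid MAC.
        forged = json.loads(blob)
        forged[paths[0]] = file_hash(paths[0])
        forged_blob = json.dumps(forged, sort_keys=True).encode()
        try:
            changed_files(forged_blob, tag, key)
            forgery_caught = False
        except ValueError:
            forgery_caught = True
    return clean, detected, forgery_caught
```

An unkeyed list of hashes would detect the modified file but not a rewritten baseline; the MAC check is what covers the second case.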
Digital Signatures
• used for authenticating both source and data integrity
• created by encrypting hash code with private key
• does not provide confidentiality
– even in the case of complete encryption
– message is safe from alteration but not eavesdropping
Digital Envelopes
• protects a message without needing to first arrange for sender and receiver to have the same secret key
• equates to the same thing as a sealed envelope containing an unsigned letter
Public Key (Encrypt) + Private Key (Decrypt) = Confidentiality
1. Computer A acquires Computer B’s public key (“Can I get your Public Key please?” “Here is my Public Key.”)
2. Computer A uses Computer B’s public key to encrypt a message using an agreed-upon algorithm
3. Computer A transmits the encrypted message to Computer B
4. Computer B uses its private key to decrypt and reveal the message
[Figure labels: Computer A, Computer B, Bob’s Public Key, Bob’s Private Key, Encryption Algorithm, Encrypted Text]
Private Key (Encrypt) + Public Key (Decrypt) = Authentication
1. Alice encrypts a message with her private key
2. Alice transmits the encrypted message to Bob
3. Bob needs to verify that the message actually came from Alice. He requests and acquires Alice’s public key (“Can I get your Public Key please?” “Here is my Public Key”)
4. Bob uses the public key to successfully decrypt the message and authenticate that the message did, indeed, come from Alice.
[Figure labels: Computer A, Computer B, Alice’s Private Key, Alice’s Public Key, Encryption Algorithm, Encrypted Text]
The Digital Signature Process
1. The sending device creates a hash of the document
2. The sending device encrypts only the hash with the private key of the signer
3. The signature algorithm generates a digital signature and obtains the public key
4. The receiving device accepts the document with digital signature and obtains the public key
5. Signature is verified with the verification key
6. Validity of the digital signature is verified
[Figure labels: Data (“Confirm Order”), hash (0a77b3440…), Signature Key, Encrypted hash, Signature Algorithm, Signed Data, Verification Key, Signature Verified]
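The six steps above, worked through in code as an added example that is not part of the original slides. It assumes textbook RSA with toy keys built from known Mersenne primes and a SHA-256 hash reduced modulo n; real signatures use much larger keys and a padding scheme, and the names `SIGNER` and `OTHER` are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    # Returns (n, e, d): public modulus, public exponent, private exponent.
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # pow(e, -1, m): Python 3.8+

# Toy keys from known Mersenne primes (demo assumption; far too small for real use).
SIGNER = make_key(2**61 - 1, 2**89 - 1)
OTHER = make_key(2**107 - 1, 2**127 - 1)

def hash_to_int(message, n):
    # Step 1: hash the document; reduced mod n so the toy modulus can carry it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, key):
    # Steps 2-3: transform only the hash with the signer's private key.
    n, _, d = key
    return pow(hash_to_int(message, n), d, n)

def verify(message, signature, public):
    # Steps 4-6: recover the hash with the public key and compare it with a
    # fresh hash of the received document.
    n, e = public
    return pow(signature, e, n) == hash_to_int(message, n)

def demo():
    public = SIGNER[:2]
    document = b"Confirm Order"  # travels in the clear: no confidentiality
    signature = sign(document, SIGNER)
    return {
        "genuine": verify(document, signature, public),
        "altered": verify(b"Confirm Order x100", signature, public),
        "wrong_signer": verify(document, sign(document, OTHER), public),
    }
```

The document itself is never encrypted, which is why the signature gives integrity and source authentication but no protection against eavesdropping.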
13-3 SERVICES
We discussed several security services in Chapter 1 including message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.
Topics discussed in this section:
13.3.1 Message Authentication
13.3.2 Message Integrity
13.3.3 Nonrepudiation
13.3.4 Confidentiality
13.3.1 Message Authentication
A secure digital signature scheme, like a secure conventional signature, can provide message authentication.

Note
A digital signature provides message authentication.
13.3.2 Message Integrity
The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed.

Note
A digital signature provides message integrity.
13.3.3 Nonrepudiation
Figure 13.4 Using a trusted center for nonrepudiation

Note
Nonrepudiation can be provided using a trusted party (Digital Certification)
13.3.4 Confidentiality
Figure 13.5 Adding confidentiality to a digital signature scheme

Note
A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
Random Numbers
Uses include generation of:
– keys for public-key algorithms
– stream key for symmetric stream cipher
– symmetric key for use as a temporary session key or in creating a digital envelope
– handshaking to prevent replay attacks
– session key
Practical Application: Encryption of Stored Data
• common to encrypt transmitted data
• much less common for stored data
– there is often little protection beyond domain authentication and operating system access controls
– data are archived for indefinite periods
– even though erased, until disk sectors are reused data are recoverable
• approaches to encrypt stored data:
– use a commercially available encryption package
– back-end appliance
– library based tape encryption
– background laptop/PC data encryption
Summary
• symmetric encryption
– conventional or single-key only type used prior to public-key
– five parts: plaintext, encryption algorithm, secret key, ciphertext, and decryption algorithm
– two attacks: cryptanalysis and brute force
– most commonly used algorithms are block ciphers (DES, triple DES, AES)
• hash functions
– message authentication
– creation of digital signatures
• public-key encryption
– based on mathematical functions
– asymmetric
– six ingredients: plaintext, encryption algorithm, public and private key, ciphertext, and decryption algorithm
• digital signatures
– hash code is encrypted with private key
• digital envelopes
– protects a message without needing to first arrange for sender and receiver to have the same secret key
• random numbers
– requirements: randomness and unpredictability
– validation: uniform distribution, independence
– pseudorandom numbers