
Is Chep-5

This document discusses approaches to encryption placement for confidentiality, specifically link encryption versus end-to-end encryption. Link encryption encrypts each communication link, requiring keys for each link pair, but allows traffic analysis of packet headers. End-to-end encryption is performed only at the endpoints and secures only the payload, but leaves headers unencrypted allowing traffic analysis. The best approach is to use both link and end-to-end encryption to fully encrypt packets and prevent traffic analysis, requiring decryption only within network nodes.

Uploaded by

Dhruv Sojitra
Copyright
© © All Rights Reserved

INFORMATION SECURITY 1030106503

5TH SEM

INFORMATION SECURITY(1030106503)

THEORY NOTES

UNIT-V CONFIDENTIALITY USING SYMMETRIC ENCRYPTION

5.1 Placement of Encryption Function

If encryption is to be used to counter attacks on confidentiality, we need to decide what to
encrypt and where the encryption function should be located. To begin, this section examines the
potential locations of security attacks and then looks at the two major approaches to encryption
placement: link and end to end.

There are a large number of locations at which an attack can occur. Furthermore, for wide area
communications, many of these locations are not under the physical control of the end user. Even in
the case of local area networks, in which physical security measures are possible, there is always the
threat of the disgruntled employee.

Link versus End-to-End Encryption

The most powerful and most common approach to securing the points of vulnerability
highlighted in the preceding section is encryption. If encryption is to be used to counter these attacks,
then we need to decide what to encrypt and where the encryption gear should be located. There are
two fundamental alternatives: link encryption and end-to-end encryption.

Prepared By- Hiral Page



Basic Approaches
Link to Link Encryption:

With link encryption, each vulnerable communications link is equipped on both ends with an
encryption device. Thus, all traffic over all communications links is secured. One of its disadvantages
is that the message must be decrypted each time it enters a switch because the switch must read the
address (logical connection number) in the packet header in order to route the frame. Thus, the
message is vulnerable at each switch. If working with a public network, the user has no control over
the security of the nodes.

Several implications of link encryption should be noted. For this strategy to be effective, all the
potential links in a path from source to destination must use link encryption. Each pair of nodes that
share a link should share a unique key, with a different key used on each link. Thus, many keys must
be provided.

End-To-End Encryption

With end-to-end encryption, the encryption process is carried out at the two end systems. The
source host or terminal encrypts the data. The data in encrypted form are then transmitted unaltered
across the network to the destination terminal or host. The destination shares a key with the source
and so is able to decrypt the data. This plan seems to secure the transmission against attacks on the
network links or switches. Thus, end-to-end encryption relieves the end user of concerns about the
degree of security of networks and links that support the communication. There is, however, still a
weak spot.

Consider the following situation. A host connects to a frame relay or ATM network, sets up a
logical connection to another host, and is prepared to transfer data to that other host by using end-to-
end encryption. Data are transmitted over such a network in the form of packets that consist of a
header and some user data. What part of each packet will the host encrypt? Suppose that the host
encrypts the entire packet, including the header. This will not work because, remember, only the other
host can perform the decryption. The frame relay or ATM switch will receive an encrypted packet
and be unable to read the header. Therefore, it will not be able to route the packet. It follows that the
host may encrypt only the user data portion of the packet and must leave the header in the clear.

Thus, with end-to-end encryption, the user data are secure. However, the traffic pattern is not,
because packet headers are transmitted in the clear. On the other hand, end-to-end encryption does
provide a degree of authentication. If two end systems share an encryption key, then a recipient is
assured that any message that it receives comes from the alleged sender, because only that sender
shares the relevant key. Such authentication is not inherent in a link encryption scheme.

To achieve greater security, both link and end-to-end encryption are needed, as is shown in
Figure 7.2. When both forms of encryption are employed, the host encrypts the user data portion of a
packet using an end-to-end encryption key. The entire packet is then encrypted using a link
encryption key. As the packet traverses the network, each switch decrypts the packet, using a link
encryption key to read the header, and then encrypts the entire packet again for sending it out on
the next link. Now the entire packet is secure except for the time that the packet is actually in the
memory of a packet switch, at which time the packet header is in the clear.

| Link Encryption | End-to-End Encryption |
| --- | --- |
| Link encryption encrypts all the data along a specific communication path. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. | In end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed. |
| All data are encrypted, including headers, addresses, and routing information. | Headers, addresses, and routing information are not encrypted, and therefore not protected. |
| It works at a lower layer in the OSI model. | It works at Network layer. |
| All of the information is encrypted, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next. | The packets do not need to be decrypted and then encrypted again at each hop, because the headers and trailers are not encrypted. |

Characteristics of Link and End-to-End Encryption

Logical Placement of End-to-End Encryption Function

5.2 Traffic Confidentiality

The following types of information can be derived from a traffic analysis attack:

● Identities of partners
● How frequently the partners are communicating
● Message pattern, message length, or quantity of messages that suggest important information
is being exchanged
● The events that correlate with special conversations between particular partners

Another concern related to traffic is the use of traffic patterns to create a covert channel.
Typically, the channel is used to transfer information in a way that violates a security policy. For
example, an employee may wish to communicate information to an outsider in a way that is not
detected by management and that requires simple eavesdropping on the part of the outsider.

Link Encryption Approach

With the use of link encryption, network-layer headers (e.g., frame or cell header) are
encrypted, reducing the opportunity for traffic analysis. However, it is still possible in those
circumstances for an attacker to assess the amount of traffic on a network and to observe the amount
of traffic entering and leaving each end system. An effective countermeasure to this attack is traffic
padding, illustrated in Figure 7.6.
Traffic padding produces ciphertext output continuously, even in the absence of plaintext. A
continuous random data stream is generated. When plaintext is available, it is encrypted and
transmitted. When input plaintext is not present, random data are encrypted and transmitted. This
makes it impossible for an attacker to distinguish between true data flow and padding and therefore
impossible to deduce the amount of traffic.


End-to-End Encryption Approach

Traffic padding is essentially a link encryption function. If only end-to-end encryption is
employed, then the measures available to the defender are more limited. For example, if encryption is
implemented at the application layer, then an opponent can determine which transport entities are
engaged in dialogue.

One technique that might prove useful is to pad out data units to a uniform length at either the
transport or application level. In addition, null messages can be inserted randomly into the stream.
These tactics deny an opponent knowledge about the amount of data exchanged between end users and
obscure the underlying traffic pattern.
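
The uniform-length padding and null messages described above, as an added example that is not part of the original notes: messages are cut into fixed 64-byte data units and a null unit is sent whenever nothing is queued, so a busy sender and an idle one produce the same sequence of unit sizes. The unit size, header layout and one-unit-per-tick schedule are assumptions of this example, and each unit would be encrypted as a whole before transmission so that its header is not visible on the wire.

```python
import secrets
import struct
from collections import deque

# Assumed layout (not from the notes): every data unit is CELL_SIZE bytes and
# starts with a small header that is only readable after decryption.
CELL_SIZE = 64                      # uniform data-unit length in bytes
HEADER = struct.Struct("!BH")       # kind, number of real payload bytes
CAPACITY = CELL_SIZE - HEADER.size  # payload bytes available per unit
NULL, MORE, LAST = 0, 1, 2          # null message / fragment / final fragment


def make_cell(kind: int, chunk: bytes = b"") -> bytes:
    """Build one fixed-length unit, filling unused space with random bytes."""
    if len(chunk) > CAPACITY:
        raise ValueError("chunk does not fit in one cell")
    filler = secrets.token_bytes(CAPACITY - len(chunk))
    return HEADER.pack(kind, len(chunk)) + chunk + filler


def message_to_cells(message: bytes) -> list:
    """Cut a message into units; the final unit is marked LAST."""
    chunks = [message[i:i + CAPACITY]
              for i in range(0, len(message), CAPACITY)] or [b""]
    return [make_cell(LAST if i == len(chunks) - 1 else MORE, c)
            for i, c in enumerate(chunks)]


def send_schedule(outbox: dict, ticks: int) -> list:
    """Emit exactly one unit per tick: queued data if any, else a null unit.

    outbox maps a tick number to the message that becomes ready at that tick.
    """
    pending, wire = deque(), []
    for tick in range(ticks):
        if tick in outbox:
            pending.extend(message_to_cells(outbox[tick]))
        wire.append(pending.popleft() if pending else make_cell(NULL))
    if pending:
        raise ValueError("not enough ticks to drain the queue")
    return wire


def receive(wire: list) -> list:
    """Drop null units, strip the filler and reassemble the real messages."""
    messages, parts = [], []
    for cell in wire:
        if len(cell) != CELL_SIZE:
            raise ValueError("cell has the wrong length")
        kind, length = HEADER.unpack_from(cell)
        if kind == NULL:
            continue
        if kind not in (MORE, LAST) or length > CAPACITY:
            raise ValueError("malformed cell")
        parts.append(cell[HEADER.size:HEADER.size + length])
        if kind == LAST:
            messages.append(b"".join(parts))
            parts = []
    return messages


# Constructed sample traffic: a busy sender and a completely idle one.
BUSY = {0: b"hi", 5: b"A" * 150}
IDLE = {}

if __name__ == "__main__":
    busy_wire = send_schedule(BUSY, ticks=10)
    idle_wire = send_schedule(IDLE, ticks=10)
    # An observer sees ten 64-byte units in both cases.
    print([len(c) for c in busy_wire] == [len(c) for c in idle_wire])
    print(receive(busy_wire))
```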

5.3 Key Distribution

For symmetric encryption to work, the two parties to an exchange must share the same key,
and that key must be protected from access by others. Furthermore, frequent key changes are usually
desirable to limit the amount of data compromised if an attacker learns the key. Key distribution is
the term that refers to the means of delivering a key to two parties who wish to exchange data, without
allowing others to see the key. For two parties A and B, key distribution can be achieved in a number
of ways, as follows:

1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to
the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on
the encrypted links to A and B.

Physical delivery (1 & 2) is simplest, but it is only applicable when there is personal contact between
recipient and key issuer. This is fine for link encryption, where devices and keys occur in pairs, but it
does not scale as the number of parties who wish to communicate grows. Option 3 is mostly based on 1 or 2
occurring first.

A third party, whom all parties trust, can be used as a trusted intermediary to mediate the
establishment of secure communications between them (4). The parties must trust the intermediary not
to abuse its knowledge of all session keys. As the number of parties grows, some variant of 4 is the
only practical solution to the huge growth in the number of keys potentially needed.

Key distribution centre:

● The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum,
two levels of keys are used.
● Communication between end systems is encrypted using a temporary key, often referred to as
a session key.
● Typically, the session key is used for the duration of a logical connection and then discarded.
● A master key is shared by the key distribution center and an end system or user and is used to
encrypt the session key.

Key Distribution Scenario:

Let us assume that user A wishes to establish a logical connection with B and requires a one-
time session key to protect the data transmitted over the connection. A has a master key, Ka, known
only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps
occur:

1. A issues a request to the KDC for a session key to protect a logical connection to B. The message
includes the identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a
nonce. The nonce may be a timestamp, a counter, or a random number; the minimum requirement is that
it differs with each request. Also, to prevent masquerade, it should be difficult for an opponent to guess
the nonce. Thus, a random number is a good choice for a nonce.

2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully
read the message, and A knows that it originated at the KDC. The message includes two items
intended for A:

• The one-time session key, Ks, to be used for the session
• The original request message, including the nonce, to enable A to match this response
with the appropriate request

Thus, A can verify that its original request was not altered before reception by the KDC and,
because of the nonce, that this is not a replay of some previous request.

In addition, the message includes two items intended for B:

• The one-time session key, Ks, to be used for the session
• An identifier of A (e.g., its network address), IDA

These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to
be sent to B to establish the connection and prove A's identity.

3. A stores the session key for use in the upcoming session and forwards to B the information that
originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted
with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the
other party is A (from IDA), and knows that the information originated at the KDC (because it
is encrypted using Kb).

At this point, a session key has been securely delivered to A and B, and they may begin their
protected exchange. However, two additional steps are desirable:

4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.

5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on
N2 (e.g., adding one).


These steps assure B that the original message it received (step 3) was not a replay.

Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3,
perform an authentication function.
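
The five-step scenario above with both sides' messages, as an added example that is not part of the original notes. E and D are a stand-in authenticated cipher built from HMAC-SHA256 so the example runs with the standard library only (a real deployment would use a vetted cipher); the KDC class, field names and helper functions are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def _stream(key: bytes, iv: bytes, n: int) -> bytes:
    """Keystream for the stand-in cipher: HMAC-SHA256 in counter mode."""
    blocks = (hmac.new(key, b"enc" + iv + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def E(key: bytes, fields: dict) -> bytes:
    """Encrypt and authenticate a dict of fields under key."""
    plain = json.dumps(fields).encode()
    iv = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plain, _stream(key, iv, len(plain))))
    tag = hmac.new(key, b"mac" + iv + body, hashlib.sha256).digest()
    return iv + body + tag


def D(key: bytes, blob: bytes) -> dict:
    """Verify and decrypt; fails for a wrong key or a modified message."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or altered message")
    return json.loads(bytes(c ^ k for c, k in zip(body, _stream(key, iv, len(body)))))


class KDC:
    """Holds one master key per registered end system (Ka, Kb, ...)."""

    def __init__(self):
        self.master = {}

    def register(self, ident: str) -> bytes:
        self.master[ident] = secrets.token_bytes(32)
        return self.master[ident]

    def respond(self, id_a: str, id_b: str, n1: str) -> bytes:
        """Step 2: E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
        ks = secrets.token_hex(32)
        for_b = E(self.master[id_b], {"Ks": ks, "IDA": id_a})
        return E(self.master[id_a], {"Ks": ks, "IDA": id_a, "IDB": id_b,
                                     "N1": n1, "for_B": for_b.hex()})


def a_open_reply(ka: bytes, reply: bytes, id_a: str, id_b: str, n1: str):
    """A accepts the reply only if it echoes A's own request and nonce."""
    msg = D(ka, reply)
    if (msg["IDA"], msg["IDB"], msg["N1"]) != (id_a, id_b, n1):
        raise ValueError("reply does not match the outstanding request")
    return bytes.fromhex(msg["Ks"]), bytes.fromhex(msg["for_B"])


def b_open_ticket(kb: bytes, for_b: bytes):
    """Step 3 at B: recover Ks and learn that the peer is IDA."""
    ticket = D(kb, for_b)
    return bytes.fromhex(ticket["Ks"]), ticket["IDA"]


def run_exchange() -> dict:
    kdc = KDC()
    ka, kb = kdc.register("A"), kdc.register("B")
    n1 = secrets.token_hex(16)                           # step 1: request with N1
    reply = kdc.respond("A", "B", n1)                    # step 2: KDC reply under Ka
    ks_a, for_b = a_open_reply(ka, reply, "A", "B", n1)
    ks_b, peer = b_open_ticket(kb, for_b)                # step 3: A forwards E(Kb, ...)
    n2 = secrets.randbits(64)
    challenge = E(ks_b, {"N2": n2})                      # step 4: B sends N2 under Ks
    answer = E(ks_a, {"fN2": D(ks_a, challenge)["N2"] + 1})  # step 5: f(N2) = N2 + 1
    confirmed = D(ks_b, answer)["fN2"] == n2 + 1
    return {"ks_a": ks_a, "ks_b": ks_b, "peer": peer, "confirmed": confirmed,
            "ka": ka, "old_reply": reply}


def replay_is_rejected(result: dict) -> bool:
    """An old KDC reply fails A's nonce check against a new request."""
    new_n1 = secrets.token_hex(16)
    try:
        a_open_reply(result["ka"], result["old_reply"], "A", "B", new_n1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    outcome = run_exchange()
    print(outcome["ks_a"] == outcome["ks_b"], outcome["peer"], outcome["confirmed"])
    print(replay_is_rejected(outcome))
```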

Major Issues with KDC:

For very large networks, a hierarchy of KDCs can be established. For communication among
entities within the same local domain, the local KDC is responsible for key distribution. If two
entities in different domains desire a shared key, then the corresponding local KDCs can
communicate through a (hierarchy of) global KDC(s).

To balance security & effort, a new session key should be used for each new connection-
oriented session. For a connectionless protocol, a new session key is used for a certain fixed period
only or for a certain number of transactions.

An automated key distribution approach provides the flexibility and dynamic characteristics
needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange
data with each other, provided they trust the system to act on their behalf.

The use of a key distribution center imposes the requirement that the KDC be trusted and be
protected from subversion. This requirement can be avoided if key distribution is fully decentralized.

In addition to separating master keys from session keys, one may wish to define different types of
session keys on the basis of use.

5.4 Random Number Generation

Random numbers play an important role in the use of encryption for various network security applications.
Uses of random numbers in network security include:

• Generating session keys
• Public key generation
• Keystream for a one-time pad

In all the cases where random numbers are used, the requirements are:

• The numbers should be generated so that statistical randomness is maintained, with a uniform distribution
• The random numbers should be independent and unpredictable

● Usages of random numbers:
○ Reciprocal authentication.
○ Session key generation.
○ Generation of keys for the RSA public-key encryption algorithm.
● Requirements for a sequence of random numbers:
○ Randomness. Randomness criteria:
■ Uniform distribution: The distribution of numbers in the sequence should be uniform; that is,
the frequency of occurrence of each of the numbers should be approximately the same.
■ Independence: No one value in the sequence can be inferred from the others.
○ Unpredictability.

Pseudorandom numbers are sequences that will pass many reasonable tests of randomness.

5.5 PRINCIPLES OF PUBLIC KEY CRYPTOGRAPHY

There are two basic principles of any cryptosystem i.e. confidentiality and authenticity. We have seen that
the symmetric cryptosystem has a problem associated with these two principles.

In symmetric cryptography, the problem associated with confidentiality is that the same secret key is
used to encrypt as well as decrypt the message. So, this key must be shared by both the communicating
parties by some means, or they must rely on a third party for the distribution of the key, i.e. a key
distribution centre. But relying on a third party again risks the secrecy of the secret key.

Symmetric key also had an issue with authentication. To become widespread there was a need for digital
signatures that assure all parties that a particular message has been sent from a particular person.

The public key cryptosystem is successful in achieving both these principles i.e. confidentiality and
authenticity.

We begin by first encrypting the message using the sender’s private key. As the message is
encrypted using the sender’s private key, it is confirmed that the message has been prepared by the sender.
This does the function of the digital signature.
Nobody is able to modify the message without having the sender’s private key. So, the public key
cryptosystem has achieved authentication in terms of both data integrity and source.

Now, the message that was first encrypted with the sender’s private key is again encrypted using the
intended receiver’s public key.

M’ = E(PUR, E(PRS, M))

Here PRS is the sender’s private key and PUR is the receiver’s public key. The final cipher text can only
be decrypted by the intended receiver’s private key, which is only known to him. In this way, the public
key cryptography achieves confidentiality.

The decryption of the final cipher text is:

M = D(PUS, D(PRR, M’))

There is a drawback with this approach. The public key cryptosystem is based on mathematical
functions and is computationally expensive. To achieve both confidentiality and authenticity, the
public key algorithm has to be applied four times.

Public key Cryptosystem

Any public key cryptographic algorithm has six elements as follows:

1. Plain Text
This is a readable message which is given as input to the algorithm. In a public key algorithm, the
plain text is encrypted in blocks.
2. Encryption Algorithm
The encryption algorithm is implemented on the plain text which performs several transformations on
plain text.
3. Public and Private keys
These are the set of keys among which if one is used for encryption the other would be used for
decryption. The transformation of plain text by encryption algorithm depends on the key chosen from
the set to encrypt the plain text.
4. Cipher Text
This is the output of the encryption algorithm. The generated cipher text depends entirely on the key
selected from the set of the public and private key. Applied one at a time to the same plain text, the
two keys produce different cipher texts.
5. Decryption Algorithm
This would accept the output of the encryption algorithm i.e. the cipher text and will apply the related
key to produce the original plain text.

Now let us discuss the steps in public key cryptography.

Step 1. Each user has to generate two keys one of which will be used for encryption and other for
decryption of messages.

Step 2. Each user has a pair of keys, among which one has to be made public by each user. And the other has
to be kept secret.

Step 3. If a user has to send a message to a particular receiver then the sender must encrypt the message
using the intended receiver’s public key and then send the encrypted message to the receiver.

Step 4. On receiving the message, the receiver has to decrypt the message using his private key.


In public key cryptography, there is no need for key distribution as we have seen in symmetric key
cryptography. As long as this private key is kept secret no one can interpret the message. In future, the user
can change its private key and publish its related public key in order to replace the old public key.

Public Key Cryptography Requirements

Public key cryptography must satisfy the following requirements:

● The computation of the pair of keys i.e. private key and the public key must be easy.
● Knowing the encryption algorithm and public key of the intended receiver, computation of
cipher text must be easy.
● For a receiver of the message, it should be computationally easy to decrypt the obtained cipher
text using his private key.
● It is also required that any opponent in the network knowing the public key should be unable
to determine its corresponding private key.
● Having the cipher text and public key an opponent should be unable to determine the
original message.
● The two keys, i.e. public and private key, can be applied in either order:
D[PU, E(PR, M)] = D[PR, E(PU, M)]

Weakness of the Public Key Encryption:

● Public key encryption is vulnerable to brute-force attack.
● This algorithm also fails when the user loses his private key; then public key encryption
becomes the most vulnerable algorithm.
● Public key encryption is also weak against the man-in-the-middle attack. In this attack a third party
can disrupt the public key communication and then modify the public keys.
● If a user private key used for certificate creation higher in the PKI (Public Key Infrastructure) server
hierarchy is compromised or accidentally disclosed, then a “man-in-the-middle attack” is also
possible, making any subordinate certificate wholly insecure. This is also a weakness of public key
encryption.

Public Key Cryptosystem Applications

In public key cryptography, every user has to generate a pair of keys, of which one is kept secret and is
known as the private key, and the other is made public and hence called the public key. The decision of
whether the sender’s private key or the receiver’s public key will be used to encrypt the original message
depends totally on the application.

We can classify the applications of the public key cryptosystem as below:

a. Encryption/Decryption

If the purpose of an application is to encrypt and decrypt the message, then the sender has to encrypt the
message using the intended receiver’s public key, and the receiver can decrypt the message using his own
private key.

b. Digital Signature

If the purpose of the application is to authenticate the user, then the message is signed or encrypted
using the sender’s private key. As only the sender can have its private key, it assures all parties that
the message is sent by the particular person.

c. Key Exchange

The two communicating parties exchange a secret key (maybe a private key) for symmetric encryption to
secure a particular transaction. This secret key is valid for a short period.

Some algorithms implement all three applications, and some implement only one or two of them.
Below is the image showing the details of which algorithms support these applications.


Public Key Cryptanalysis

To prevent the brute force attack the key size must be kept large enough so that it would be impractical
for an adversary to calculate the encryption and decryption. But the key size should not be so large such
that it would become impractical to compute practical encryption and decryption.

Another type of attack in public key cryptography is that the adversary would try to compute private key
knowing the public key.

One more type of attack is the probable message attack. If an adversary knows that the encrypted message
from a particular sender is a 56-bit key, then he would simply encrypt all possible 56-bit keys using the
sender’s public key, as the public key is known to all, and then match all the encrypted messages with the
cipher text. This type of attack can be prevented by appending some random bits to the original message.

5.6 Key Management in Cryptography

In cryptography, it is a very tedious task to distribute the public and private keys between sender and
receiver. If the key is known to the third party (forger/eavesdropper) then the whole security mechanism
becomes worthless. So, there comes the need to secure the exchange of keys.
There are two aspects of key management:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secrets.

Distribution of Public Key:
The public key can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.
These are explained below:

1. Public Announcement: Here the public key is broadcast to everyone. The major weakness of this
method is forgery. Anyone can create a key claiming to be someone else and broadcast it. Until the forgery
is discovered, the forger can masquerade as the claimed user.

2. Publicly Available Directory: In this type, the public key is stored in a public directory. The
directory is trusted here, with properties like participant registration, access, and the ability to modify
values at any time; it contains entries like {name, public-key}. Directories can be accessed electronically
but are still vulnerable to forgery or tampering.
3. Public Key Authority: It is similar to the directory but improves security by tightening control over the
distribution of keys from the directory. It requires users to know the public key for the directory.
Whenever the keys are needed, real-time access to the directory is made by the user to obtain any desired
public key securely.
4. Public Certification: Here the authority provides a certificate (which binds an identity to the public key)
to allow key exchange without real-time access to the public authority each time. The certificate is
accompanied by some other information such as period of validity, rights of use, etc. All of this content is
signed by the private key of the certificate authority, and it can be verified by anyone possessing the
authority’s public key.
First, the sender and receiver both request a certificate from the CA, which contains a public key and other
information; they can then exchange these certificates and start communication.

5.7 Diffie Hellman Key Exchange Algorithm for Key Generation


The algorithm is based on Elliptic Curve Cryptography, a method of doing public-key cryptography based
on the algebraic structure of elliptic curves over finite fields. DH also uses a trapdoor function, just like
many other ways to do public-key cryptography. The simple idea behind the DH algorithm is
the following.

1. The first party picks two prime numbers, g and p, and tells them to the second party.

2. The second party then picks a secret number (let’s call it a), and then it computes g^a mod p and sends
the result back to the first party; let’s call the result A. Keep in mind that the secret number is not sent
to anyone, only the result is.

3. Then the first party does the same; it selects a secret number b and calculates the result B similar to
step 2. Then, this result is sent to the second party.

4. The second party takes the received number B and calculates B^a mod p.

5. The first party takes the received number A and calculates A^b mod p.

The answer in step 5 is the same as the answer in step 4. This means both parties will get the same answer
no matter the order of exponentiation.
(g^a mod p)^b mod p = g^(ab) mod p
(g^b mod p)^a mod p = g^(ba) mod p

The number we came up with in steps 4 and 5 will be taken as the shared secret key. This key can be used to
do any encryption of data that will be transmitted, such as Blowfish, AES, etc.

5.7 Diffie Hellman Algorithm


1. key = (YA)^XB mod q -> this is the same as calculated by B

2. Global Public Elements

● q: q is a prime number
● a: a < q and a is a primitive root of q

3. Key generation for user A

● Select a private key XA. Here, XA < q
● Now, calculation of public key YA: YA = a^XA mod q

4. Key generation for user B

● Select a private key XB. Here, XB < q
● Now, calculation of public key YB: YB = a^XB mod q

5. Calculation of Secret Key by A

● key = (YB)^XA mod q

6. Calculation of Secret Key by B

● key = (YA)^XB mod q

Example

1. Alice and Bob both use public numbers P = 23, G = 5

2. Alice selected private key a = 4, and Bob selected b = 3 as the private key

3. Both Alice and Bob now calculate the value of x and y as follows:

● Alice: x = (5^4 mod 23) = 4
● Bob: y = (5^3 mod 23) = 10

4. Now, both Alice and Bob exchange public numbers with each other.

5. Alice and Bob now calculate the symmetric keys

● Alice: ka = y^a mod p = 10^4 mod 23 = 18
● Bob: kb = x^b mod p = 4^3 mod 23 = 18

6. 18 is the shared secret key.
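
The exchange above in runnable form, as an added example that is not part of the original notes: it reproduces the worked numbers P = 23, G = 5, a = 4, b = 3 and adds two checks, that G is a primitive root of P and that a received public value lies in [2, P-2]. The function names are hypothetical and the range check is an addition of this example; a modulus this small is for following the arithmetic only.

```python
import secrets


def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (fine for classroom-sized n)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g: int, p: int) -> bool:
    """g generates all of 1..p-1 iff g^((p-1)/f) != 1 for every prime f | p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))


def keypair(g: int, p: int):
    """Pick a random private key and return (private, public).

    Retries if the public value would be 1 or p-1, because the peer's
    range check below rejects those values.
    """
    while True:
        private = 2 + secrets.randbelow(p - 3)      # uniform in [2, p-2]
        public = pow(g, private, p)
        if 2 <= public <= p - 2:
            return private, public


def shared_key(peer_public: int, own_private: int, p: int) -> int:
    """Compute (peer_public ^ own_private) mod p after validating the input.

    Values 0, 1 and p-1 would force the key into a set of at most two
    values regardless of the private key, so they are refused.
    """
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value outside [2, p-2]")
    return pow(peer_public, own_private, p)


def page_example():
    """The worked example from the notes: returns (x, y, ka, kb)."""
    p, g, a, b = 23, 5, 4, 3
    x = pow(g, a, p)                 # Alice's public number
    y = pow(g, b, p)                 # Bob's public number
    return x, y, shared_key(y, a, p), shared_key(x, b, p)


def fresh_exchange(p: int = 23, g: int = 5):
    """Same protocol with randomly chosen private keys; returns both keys."""
    if not is_primitive_root(g, p):
        raise ValueError("g is not a primitive root of p")
    a, big_a = keypair(g, p)
    b, big_b = keypair(g, p)
    return shared_key(big_b, a, p), shared_key(big_a, b, p)


if __name__ == "__main__":
    print(page_example())            # x, y, Alice's key, Bob's key
    print(is_primitive_root(5, 23), is_primitive_root(2, 23))
    key_a, key_b = fresh_exchange()
    print(key_a == key_b)
```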

Uses of Diffie Hellman Algorithm


Aside from using the algorithm for generating public keys, there are some other places where the DH
algorithm can be used:

● Encryption: The Diffie Hellman key exchange algorithm can be used to encrypt; one of the first
schemes to do so is ElGamal encryption. One modern example of it is called Integrated
Encryption Scheme, which provides security against chosen plain text and chosen ciphertext
attacks.
● Password Authenticated Agreement: When two parties share a password, a password-authenticated
key agreement can be used to prevent the man-in-the-middle attack. This key agreement can be in
the form of Diffie-Hellman. Secure Remote Password Protocol is a good example that is based on
this technique.
● Forward Secrecy: Forward secrecy-based protocols can generate new key pairs for each new
session, and they can automatically discard them when the session is finished. In these forward
secrecy protocols, more often than not, the Diffie Hellman key exchange is used.

Advantages of the Diffie Hellman Algorithm

● The sender and receiver don’t need any prior knowledge of each other.
● Once the keys are exchanged, the communication of data can be done through an insecure channel.

● The sharing of the secret key is safe.

Disadvantages of the Diffie Hellman Algorithm

● The algorithm cannot be used for any asymmetric key exchange.
● Similarly, it cannot be used for signing digital signatures.
● Since it doesn’t authenticate any party in the transmission, the Diffie Hellman key exchange
is susceptible to a man-in-the-middle attack.

Conclusion
The Diffie Hellman key Exchange has proved to be a useful key exchange system due to its advantages.
While it is really tough for someone snooping the network to decrypt the data and get the keys, it is still
possible if the numbers generated are not entirely random. Also, the key exchange system makes it possible
to do a man in the middle attack; to avoid it, both parties should be very careful at the beginning of the
exchange.

Recommended Article

This has been a guide to Diffie Hellman Key Exchange Algorithm. Here we discuss the uses, different
algorithms, advantages, and disadvantages. You can also go through our other suggested articles to learn
more

1. Machine Learning Algorithms


2. Encryption Algorithm
3. Classification Algorithms
4. Types of Algorithms

5.8 RSA

RSA algorithm is asymmetric cryptography algorithm. Asymmetric actually means that it works on two
different keys i.e. Public Key and Private Key. As the name describes that the Public Key is given to
everyone and Private key is kept private.
An example of asymmetric cryptography :
1. A client (for example browser) sends its public key to the server and requests for some data.
2. The server encrypts the data using client’s public key and sends the encrypted data.
3. Client receives this data and decrypts it.

Since this is asymmetric, nobody else except browser can decrypt the data even if a third party has public
key of browser.
The idea! The idea of RSA is based on the fact that it is difficult to factorize a large integer. The public key
consists of two numbers where one number is multiplication of two large prime numbers. And private key is
also derived from the same two prime numbers. So if somebody can factorize the large number, the private
key is compromised. Therefore encryption strength totally lies on the key size and if we double or triple the
key size, the strength of encryption increases exponentially. RSA keys can be typically 1024 or 2048 bits

Prepared By- Hiral Page


INFORMATION 10301065
long, but experts believe that 1024 bit keys could be broken in the near future. But till now it seems to be an
infeasible task.

RSA algorithm processes plaintext blocks, with each block having a binary value less than some number

step 1: Generate the RSA modulus


The initial procedure begins with selection of two prime numbers namely p and q, and then calculating their
product N, as shown −
N=p*q
Here, let N be the specified large number.
Step 2: Derived Number (e)
Consider number e as a derived number which should be greater than 1 and less than (p-1) and (q-1). The
primary condition will be that there should be no common factor of (p-1) and (q-1) except 1
Step 3: Public key
The specified pair of numbers n and e forms the RSA public key and it is made public.
Step 4: Private Key
Private Key d is calculated from the numbers p, q and e. The mathematical relationship between the numbers
is as follows −
ed = 1 mod (p-1) (q-1)
The above formula is the basic formula for Extended Euclidean Algorithm, which takes p and q as the input
parameters.
Encryption Formula
Consider a sender who sends the plain text message to someone whose public key is (n,e). To encrypt the
plain text message in the given scenario, use the following syntax −
C = Pe mod n
Decryption Formula
The decryption process is very straightforward and includes analytics for calculation in a systematic
approach. Considering receiver C has the private key d, the result modulus will be calculated as −
Plaintext = Cd mod n

Generating RSA keys


The following steps are involved in generating RSA keys −
● Create two large prime numbers namely p and q. The product of these numbers will be called
n, where n= p*q

Prepared By- Hiral Page


INFORMATION 10301065
● Generate a random number which is relatively prime with (p-1) and (q-1). Let the number be
called as e.
● Calculate the modular inverse of e. The calculated inverse will be called as d.

Generating Public Key :


● Select two prime no's. Suppose P = 53 and Q = 59.
● Now First part of the Public key : n = P*Q = 3127.

● We also need a small exponent say e :


● But e Must be

● An integer.
● Not be a factor of n.
● 1 < e < Φ(n) [Φ(n) is discussed below],
● Let us now consider it to be equal to 3.

● Our Public Key is made of n and

e>> Generating Private Key :


● We need to calculate Φ(n) :
● Such that Φ(n) = (P-1)(Q-1)
● so, Φ(n) = 3016

● Now calculate Private Key, d :


● d = (k*Φ(n) + 1) / e for some integer k
● For k = 2, value of d is 2011.
Now we are ready with our – Public Key ( n = 3127 and e = 3) and Private Key(d = 2011)
Now we will encrypt “HI” :
● Convert letters to numbers : H = 8 and I = 9

● Thus Encrypted Data c = 89e mod n.


● Thus our Encrypted Data comes out to be 1394

Now we will decrypt 1394 :

● Decrypted Data = cd mod n.


● Thus our Encrypted Data comes out to be 89

8 = H and I = 9 i.e. "HI"

Prepared By- Hiral Page


INFORMATION 10301065

Prepared By- Hiral Page


INFORMATION 10301065
These steps assure B that the original message it received (step 3) was not a replay.

Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3,
perform an authentication function.

Major Issues with KDC:

For very large networks, a hierarchy of KDCs can be established. For communication among
entities within the same local domain, the local KDC is responsible for key distribution. If two
entities in different domains desire a shared key, then the corresponding local KDCs can
communicate through a (hierarchy of) global KDC(s).

To balance security & effort, a new session key should be used for each new connection-
oriented session. For a connectionless protocol, a new session key is used for a certain fixed period
only or for a certain number of transactions.

An automated key distribution approach provides the flexibility and dynamic characteristics
needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange
data with each other, provided they trust the system to act on their behalf.

The use of a key distribution center imposes the requirement that the KDC be trusted and be
protected from subversion. This requirement can be avoided if key distribution is fully decentralized.

In addition to separating master keys from session keys, we may wish to define different types of
session keys on the basis of use.

5.4 Random Number Generation

Random numbers play an important role in the use of encryption for various network security applications.
In network security, random numbers are used for:

• Generating session keys

• Public key generation

• Keystream for a one-time pad

In all the cases where random numbers are used, the requirements are:

• The numbers should be generated such that statistical randomness is maintained with a uniform distribution
• The random numbers should be independent and unpredictable

● Usages of random numbers:
  ○ Reciprocal authentication.
  ○ Session key generation.
  ○ Generation of keys for the RSA public-key encryption algorithm.
● Requirements for a sequence of random numbers:
  ○ Randomness. The criteria are:
    ■ Uniform distribution: The distribution of numbers in the sequence should be uniform; that is, the frequency of occurrence of each of the numbers should be approximately the same.
    ■ Independence: No one value in the sequence can be inferred from the others.
  ○ Unpredictability.

Pseudorandom numbers are numbers produced by a deterministic algorithm whose resulting sequences will pass many reasonable tests of randomness.

5.5 PRINCIPLES OF PUBLIC KEY CRYPTOGRAPHY

There are two basic principles of any cryptosystem i.e. confidentiality and authenticity. We have seen that
the symmetric cryptosystem has a problem associated with these two principles.

In symmetric cryptography, the problem associated with confidentiality is that a single secret key is used
to encrypt as well as decrypt the message. So, this key must be shared by both the communicating parties
by some means, or they must rely on a third party, i.e. a key distribution centre, for the distribution of
the key. But relying on a third party again risks the secrecy of the secret key.

Symmetric key also had an issue with authentication. To become widespread there was a need for digital
signatures that assure all parties that a particular message has been sent from a particular person.

The public key cryptosystem is successful in achieving both these principles i.e. confidentiality and
authenticity.

We begin by first encrypting the message using the sender’s private key. As the message is
encrypted using the sender’s private key, it is confirmed that the message has been prepared by the sender.
This performs the function of a digital signature.
Nobody is able to modify the message without having the sender’s private key. So, the public key cryptosystem
has achieved authentication in terms of both data integrity and source.

Now, the message that was first encrypted with the sender’s private key is encrypted again using the
intended receiver’s public key.

M' = E(PU_R, E(PR_S, M))

The final cipher text can only be decrypted with the intended receiver’s private key, which is known only to
him. In this way, public key cryptography achieves confidentiality.

The decryption of the final cipher text is:

M = D(PU_S, D(PR_R, M'))

There is a drawback with this approach. The public key cryptosystem is based on mathematical functions
and requires a lot of computation, which makes it complex. To achieve
both confidentiality and authenticity the public key algorithm has to be applied four times.
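The two formulas above, carried through with toy RSA keys, as an added example that is not part of the original notes. The key values, the operation counter and all function names are constructed for illustration, and the modulus-ordering check is a detail the notes do not mention.

```python
# Added example: M' = E(PU_R, E(PR_S, M)) and M = D(PU_S, D(PR_R, M')).
# Keys are constructed toy values, far too small for real use.

# (n, exponent) pairs: public and private key of sender S and receiver R.
PU_S, PR_S = (3127, 3), (3127, 2011)   # n = 53 * 59
PU_R, PR_R = (4087, 7), (4087, 2263)   # n = 61 * 67

OPS = {"count": 0}  # counts how often the public-key algorithm is applied


def apply_key(key, value):
    """One application of the algorithm: value^exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("block must be smaller than the modulus")
    OPS["count"] += 1
    return pow(value, exponent, n)


def send(m, pr_sender, pu_receiver):
    """Sender side: private key first (authenticity), then the
    receiver's public key (confidentiality)."""
    inner = apply_key(pr_sender, m)        # E(PR_S, M)
    return apply_key(pu_receiver, inner)   # E(PU_R, E(PR_S, M))


def receive(m_prime, pr_receiver, pu_sender):
    """Receiver side: undo the two layers in the opposite order."""
    inner = apply_key(pr_receiver, m_prime)  # D(PR_R, M')
    return apply_key(pu_sender, inner)       # D(PU_S, D(PR_R, M'))


def first_unsendable(pr_sender, pu_receiver):
    """Smallest M whose inner block does not fit under the receiver's
    modulus, or None if every block can be sent."""
    for m in range(pr_sender[0]):
        try:
            send(m, pr_sender, pu_receiver)
        except ValueError:
            return m
    return None


if __name__ == "__main__":
    m_prime = send(89, PR_S, PU_R)
    print("M' =", m_prime, "-> M =", receive(m_prime, PR_R, PU_S))
    print("applications of the algorithm:", OPS["count"])
    # S -> R always works because n_S < n_R. In the other direction the
    # inner block can exceed n_S and has to be split or re-ordered.
    print("first block R cannot send to S:", first_unsendable(PR_R, PU_S))
```
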

Public key Cryptosystem

Any public key cryptographic algorithm has six elements as follows:

1. Plain Text
This is a readable message which is given as input to the algorithm. In a public key algorithm, the
plain text is encrypted in blocks.
2. Encryption Algorithm
The encryption algorithm is applied to the plain text and performs several transformations on it.
3. Public and Private keys
These are the set of keys among which if one is used for encryption the other would be used for
decryption. The transformation of plain text by the encryption algorithm depends on the key chosen from
the set to encrypt the plain text.
4. Cipher Text
This is the output of the encryption algorithm. The generated cipher text totally depends on the key
selected from the set of the public and private key. Each of these keys, used one at a time with the same plain
text, would produce a different cipher text.
5. Decryption Algorithm
This accepts the output of the encryption algorithm, i.e. the cipher text, and applies the related
key to produce the original plain text.

Now let us discuss the steps in public key cryptography.

Step 1. Each user has to generate two keys one of which will be used for encryption and other for
decryption of messages.

Step 2. Each user has a pair of keys, among which one has to be made public by each user. And the other has
to be kept secret.

Step 3. If a user has to send a message to a particular receiver, then the sender must encrypt the message
using the intended receiver’s public key and then send the encrypted message to the receiver.

Step 4. On receiving the message, the receiver has to decrypt the message using his private key.

In public key cryptography, there is no need for key distribution as we have seen in symmetric key
cryptography. As long as this private key is kept secret no one can interpret the message. In future, the user
can change its private key and publish its related public key in order to replace the old public key.

Public Key Cryptography Requirements

Public key cryptography has the following requirements:

● The computation of the pair of keys i.e. private key and the public key must be easy.
● Knowing the encryption algorithm and public key of the intended receiver, computation of
cipher text must be easy.
● For a receiver of the message, it should be computationally easy to decrypt the obtained cipher
text using his private key.
● It is also required that any opponent in the network knowing the public key should be unable
to determine its corresponding private key.
● Having the cipher text and public key an opponent should be unable to determine the
original message.
● The two keys, i.e. the public and private key, can be applied in either
order: D[PU, E(PR, M)] = D[PR, E(PU, M)]

Weakness of the Public Key Encryption:

● Public key encryption is vulnerable to brute-force attack.
● This algorithm also fails when the user loses his private key; then public key encryption
becomes the most vulnerable algorithm.
● Public key encryption is also weak against the man-in-the-middle attack. In this attack a third party
can disrupt the public key communication and then modify the public keys.
● If a user’s private key that is used for certificate creation higher in the PKI (Public Key Infrastructure) server
hierarchy is compromised or accidentally disclosed, then a “man-in-the-middle attack” is also
possible, making any subordinate certificate wholly insecure. This is also a weakness of public key
encryption.

Public Key Cryptosystem Applications

In public key cryptography, every user has to generate a pair of keys, one of which is kept secret and is known
as the private key, while the other is made public and is hence called the public key. The decision of whether the
sender’s private key or the receiver’s public key will be used to encrypt the original message depends totally on the
application.

We can classify the applications of the public key cryptosystem as below:

a. Encryption/Decryption

If the purpose of an application is to encrypt and decrypt the message, then the sender has to encrypt the
message using the intended receiver’s public key, and the receiver can decrypt the message using his own private
key.

b. Digital Signature

If the purpose of the application is to authenticate the user, then the message is signed or encrypted using the
sender’s private key. As only the sender can have its private key, it assures all parties that the message is
sent by the particular person.

c. Key Exchange

The two communicating parties exchange a secret key (maybe a private key) for symmetric encryption to
secure a particular transaction. This secret key is valid for a short period.

Some algorithms implement all three applications and some implement one or two among these
applications. Below is the image showing you the details of algorithm possessing these applications.

Public Key Cryptanalysis

To prevent the brute force attack, the key size must be kept large enough that it would be impractical
for an adversary to calculate the encryption and decryption. But the key size should not be so large
that it would become impractical to compute practical encryption and decryption.

Another type of attack in public key cryptography is that the adversary would try to compute the private key
knowing the public key.

One more type of attack is the probable message attack. If an adversary knows that the encrypted message from
a particular sender is a 56-bit key, then he would simply encrypt all possible 56-bit keys using the sender’s
public key, as the public key is known to all, and then match all the encrypted messages with the cipher
text. This type of attack can be prevented by appending some random bits to the original message.

5.6 Key Management in Cryptography

In cryptography, it is a very tedious task to distribute the public and private keys between sender and
receiver. If the key is known to the third party (forger/eavesdropper) then the whole security mechanism
becomes worthless. So, there comes the need to secure the exchange of keys.
There are two aspects of key management:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secrets.

Distribution of Public Key:
The public key can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.
These are explained below:

1. Public Announcement: Here the public key is broadcast to everyone. The major weakness of this
method is forgery. Anyone can create a key claiming to be someone else and broadcast it. Until the forgery
is discovered, the forger can masquerade as the claimed user.

2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories
are trusted here, with properties like participant registration, access, and allowing values to be modified at any
time; a directory contains entries like {name, public-key}. Directories can be accessed electronically but are still vulnerable
to forgery or tampering.

3. Public Key Authority: It is similar to the directory but improves security by tightening control over the
distribution of keys from the directory. It requires users to know the public key for the directory.
Whenever the keys are needed, real-time access to the directory is made by the user to obtain any desired
public key securely.

4. Public Certification: This time the authority provides a certificate (which binds an identity to the public key)
to allow key exchange without real-time access to the public authority each time. The certificate is
accompanied by some other info such as period of validity, rights of use, etc. All of this content is signed
by the private key of the certificate authority, and it can be verified by anyone possessing the authority’s
public key.
First the sender and receiver both request a certificate from the CA, which contains a public key and other information,
and then they can exchange these certificates and start communication.

5.7 Diffie Hellman Key Exchange Algorithm for Key Generation


The algorithm is based on Elliptic Curve Cryptography, a method of doing public-key cryptography based
on the algebraic structure of elliptic curves over finite fields. DH also uses a trapdoor function, just like
many other ways to do public-key cryptography. The basic idea of the DH algorithm is
the following.

1. The first party picks two prime numbers, g and p, and tells them to the second party.

2. The second party then picks a secret number (let’s call it a), computes g^a mod p and sends the
result back to the first party; let’s call the result A. Keep in mind that the secret number is not sent to
anyone, only the result is.

3. Then the first party does the same; it selects a secret number b and calculates the result B similar to
step 2. Then, this result is sent to the second party.

4. The second party takes the received number B and calculates B^a mod p.

5. The first party takes the received number A and calculates A^b mod p.

The answer in step 5 is the same as the answer in step 4. This means both parties will get the same answer no
matter the order of exponentiation.
(g^a mod p)^b mod p = g^(ab) mod p
(g^b mod p)^a mod p = g^(ba) mod p

The number we arrived at in steps 4 and 5 will be taken as the shared secret key. This key can be used to do
any encryption of data that will be transmitted, such as Blowfish, AES, etc.

Diffie Hellman Algorithm


1. Global Public Elements

● q: q is a prime number
● α: α < q and α is a primitive root of q

2. Key generation for user A

● Select a private key XA. Here, XA < q
● Now, calculation of public key YA: YA = α^XA mod q

3. Key generation for user B

● Select a private key XB. Here, XB < q
● Now, calculation of public key YB: YB = α^XB mod q

4. Calculation of Secret Key by A

● key = (YB)^XA mod q

5. Calculation of Secret Key by B

● key = (YA)^XB mod q

Both users arrive at the same key: the value (YB)^XA mod q calculated by A is the same as the value (YA)^XB mod q calculated by B.

Example

1. Alice and Bob both use public numbers P = 23, G = 5

2. Alice selected private key a = 4, and Bob selected b = 3 as the private key

3. Both Alice and Bob now calculate the value of x and y as follows:

● Alice: x = (5^4 mod 23) = 4
● Bob: y = (5^3 mod 23) = 10

4. Now, both Alice and Bob exchange public numbers with each other.

5. Alice and Bob now calculate the symmetric keys

● Alice: ka = y^a mod p = 10^4 mod 23 = 18
● Bob: kb = x^b mod p = 4^3 mod 23 = 18

6. 18 is the shared secret key.

Uses of Diffie Hellman Algorithm


Aside from using the algorithm for generating public keys, there are some other places where the DH Algorithm
can be used:

● Encryption: The Diffie Hellman key exchange algorithm can be used to encrypt; one of the first
schemes to do so is ElGamal encryption. One modern example of it is called the Integrated
Encryption Scheme, which provides security against chosen plaintext and chosen ciphertext
attacks.
● Password Authenticated Agreement: When two parties share a password, a password-authenticated
key agreement can be used to prevent the man-in-the-middle attack. This key agreement can be in
the form of Diffie-Hellman. The Secure Remote Password Protocol is a good example that is based on
this technique.
● Forward Secrecy: Forward secrecy-based protocols can generate new key pairs for each new
session, and they can automatically discard them when the session is finished. In these forward
secrecy protocols, more often than not, the Diffie Hellman key exchange is used.

Advantages of the Diffie Hellman Algorithm

● The sender and receiver don’t need any prior knowledge of each other.
● Once the keys are exchanged, the communication of data can be done through an insecure channel.
● The sharing of the secret key is safe.

Disadvantages of the Diffie Hellman Algorithm

● The algorithm cannot be used for any asymmetric key exchange.
● Similarly, it cannot be used for signing digital signatures.
● Since it doesn’t authenticate any party in the transmission, the Diffie Hellman key exchange
is susceptible to a man-in-the-middle attack.

Conclusion
The Diffie Hellman key Exchange has proved to be a useful key exchange system due to its advantages.
While it is really tough for someone snooping the network to decrypt the data and get the keys, it is still
possible if the numbers generated are not entirely random. Also, the key exchange system makes it possible
to do a man in the middle attack; to avoid it, both parties should be very careful at the beginning of the
exchange.
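The exchange from the worked example (q = 23, α = 5, private keys 4 and 3), as an added example that is not part of the original notes. It also shows why the missing authentication matters: when the public values are replaced in transit, the two users end up with different keys, which comparing a key fingerprint over a separate trusted channel reveals. The function names, the range checks and the fingerprint step are assumptions made for this illustration.

```python
# Added example: textbook Diffie-Hellman with the notes' toy numbers.
import hashlib


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(alpha, q):
    """True if alpha < q generates all of 1..q-1 modulo the prime q."""
    if not 1 < alpha < q:
        return False
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))


def public_value(alpha, q, private):
    """Y = alpha^X mod q. The notes require X < q; this sketch also
    excludes the trivial exponents (an added assumption)."""
    if not 1 < private < q - 1:
        raise ValueError("private key must satisfy 1 < X < q - 1")
    return pow(alpha, private, q)


def shared_key(peer_public, q, private):
    """K = Y_peer^X mod q. Values 0, 1 and q-1 are rejected because they
    force the key into a tiny set whatever X is."""
    if not 1 < peer_public < q - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, q)


def fingerprint(key):
    """Short hash of the key that both users can compare out of band."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:8]


def exchange(alpha, q, xa, xb, relay=None):
    """Run one exchange between A and B. `relay` models the insecure
    channel: it receives each public value and returns what is delivered."""
    ya, yb = public_value(alpha, q, xa), public_value(alpha, q, xb)
    ya_delivered = relay(ya) if relay else ya
    yb_delivered = relay(yb) if relay else yb
    ka = shared_key(yb_delivered, q, xa)
    kb = shared_key(ya_delivered, q, xb)
    return ya, yb, ka, kb


if __name__ == "__main__":
    q, alpha = 23, 5
    print("alpha is a primitive root of q:", is_primitive_root(alpha, q))
    print("honest channel:", exchange(alpha, q, 4, 3))  # (4, 10, 18, 18)

    # Channel that swaps in a value of its own (private exponent 6).
    swapped = public_value(alpha, q, 6)
    _, _, ka, kb = exchange(alpha, q, 4, 3, relay=lambda y: swapped)
    print("tampered channel keys:", ka, kb)
    print("fingerprints match:", fingerprint(ka) == fingerprint(kb))
```
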

5.8 RSA

The RSA algorithm is an asymmetric cryptography algorithm. Asymmetric means that it works on two
different keys, i.e. a Public Key and a Private Key. As the names suggest, the Public Key is given to
everyone and the Private Key is kept private.
An example of asymmetric cryptography:
1. A client (for example a browser) sends its public key to the server and requests some data.
2. The server encrypts the data using the client’s public key and sends the encrypted data.
3. The client receives this data and decrypts it.

Since this is asymmetric, nobody except the browser can decrypt the data, even if a third party has the public
key of the browser.
The idea! The idea of RSA is based on the fact that it is difficult to factorize a large integer. The public key
consists of two numbers, where one number is the product of two large prime numbers. The private key is
also derived from the same two prime numbers. So if somebody can factorize the large number, the private
key is compromised. Therefore encryption strength lies totally in the key size, and if we double or triple the
key size, the strength of encryption increases exponentially. RSA keys are typically 1024 or 2048 bits
long, but experts believe that 1024 bit keys could be broken in the near future. But till now it seems to be an
infeasible task.

RSA algorithm processes plaintext blocks, with each block having a binary value less than some number

Step 1: Generate the RSA modulus

The initial procedure begins with the selection of two prime numbers, namely p and q, and then calculating their
product N, as shown −
N = p * q
Here, let N be the specified large number (written n in the steps that follow).
Step 2: Derived Number (e)
Consider number e as a derived number which should be greater than 1 and less than (p-1)(q-1). The
primary condition is that e and (p-1)(q-1) should have no common factor except 1.
Step 3: Public key
The specified pair of numbers n and e forms the RSA public key and it is made public.
Step 4: Private Key
Private key d is calculated from the numbers p, q and e. The mathematical relationship between the numbers
is as follows −
ed = 1 mod (p-1)(q-1)
The above formula is the basic formula for the Extended Euclidean Algorithm, which takes p and q as the input
parameters.
Encryption Formula
Consider a sender who sends the plain text message to someone whose public key is (n, e). To encrypt the
plain text message in the given scenario, use the following formula −
C = P^e mod n
Decryption Formula
The decryption process is very straightforward. Considering that the receiver has the private key d, the
plaintext is calculated as −
Plaintext = C^d mod n

Generating RSA keys


The following steps are involved in generating RSA keys −
● Create two large prime numbers, namely p and q. The product of these numbers will be called
n, where n = p*q
● Generate a random number which is relatively prime with (p-1) and (q-1). Let the number be
called e.
● Calculate the modular inverse of e. The calculated inverse will be called d.

Generating Public Key:

● Select two prime numbers. Suppose P = 53 and Q = 59.
● Now the first part of the public key: n = P*Q = 3127.
● We also need a small exponent, say e. But e must be:
  ○ An integer.
  ○ Not be a factor of n.
  ○ 1 < e < Φ(n) [Φ(n) is discussed below].
● Let us now consider it to be equal to 3.
● Our public key is made of n and e.

Generating Private Key:

● We need to calculate Φ(n), such that Φ(n) = (P-1)(Q-1), so Φ(n) = 3016.
● Now calculate the private key d: d = (k*Φ(n) + 1) / e for some integer k.
● For k = 2, the value of d is 2011.

Now we are ready with our public key (n = 3127 and e = 3) and private key (d = 2011).

Now we will encrypt “HI”:

● Convert letters to numbers: H = 8 and I = 9.
● Thus encrypted data c = 89^e mod n.
● Thus our encrypted data comes out to be 1394.

Now we will decrypt 1394:

● Decrypted data = c^d mod n.
● Thus our decrypted data comes out to be 89.
● 8 = H and I = 9, i.e. "HI".
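The key generation and the "HI" example above in code, together with the probable message attack from the Public Key Cryptanalysis section and its fix of appending random bits. This is an added example, not part of the original notes; the function names and the 4-bit pad width are assumptions chosen so that the padded block still fits under n = 3127.

```python
# Added example: textbook RSA with the notes' numbers (P = 53, Q = 59, e = 3).
import secrets
from math import gcd


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = extended_gcd(b, a % b)
    return g, y, x - (a // b) * y


def make_keys(p, q, e):
    """Return ((n, e), (n, d)) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    # e = 13 is not a factor of n = 3127, yet it divides phi = 3016, so no
    # inverse d exists. The test that matters is gcd(e, phi) == 1.
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi and gcd(e, phi) == 1")
    _, x, _ = extended_gcd(e, phi)
    return (n, e), (n, x % phi)


def encrypt(m, public):
    """C = P^e mod n for a block P smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)


def decrypt(c, private):
    """Plaintext = C^d mod n."""
    n, d = private
    return pow(c, d, n)


def guess_plaintext(c, public, candidates):
    """Probable message check: textbook RSA is deterministic, so anyone
    with the public key can encrypt each candidate and compare."""
    for m in candidates:
        if encrypt(m, public) == c:
            return m
    return None


PAD_BITS = 4  # toy width; real systems use a padding scheme such as OAEP


def encrypt_randomized(m, public):
    """Append PAD_BITS random bits to the message before encrypting."""
    return encrypt((m << PAD_BITS) | secrets.randbits(PAD_BITS), public)


def decrypt_randomized(c, private):
    """Decrypt, then drop the random bits again."""
    return decrypt(c, private) >> PAD_BITS


if __name__ == "__main__":
    public, private = make_keys(53, 59, 3)
    print("public:", public, "private:", private)   # d = 2011
    c = encrypt(89, public)                          # "HI" -> 89
    print("ciphertext:", c, "decrypted:", decrypt(c, private))
    print("recovered by guessing:", guess_plaintext(c, public, range(100)))
    c2 = encrypt_randomized(89, public)
    print("with random bits:", guess_plaintext(c2, public, range(100)),
          "but receiver still reads", decrypt_randomized(c2, private))
```

With only 4 random bits a guesser needs just 16 times more work, so the width of the random part has to be large in practice.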
