Cns-Unit2 Material


UNIT –2

Symmetric Key Ciphers: Block Cipher Principles and Algorithms (DES, AES, and Blowfish), Differential and Linear Cryptanalysis, Block Cipher Modes of Operation, Stream Ciphers, RC4, Location and Placement of the Encryption Function, Key Distribution.
Asymmetric Key Ciphers: Principles of Public Key Cryptosystems, Algorithms (RSA, Diffie-Hellman, ECC), Key Distribution.

Conventional Encryption Principles


A conventional (symmetric) encryption scheme has five ingredients:

1. Plaintext: the original message or data that is fed into the algorithm as input.

2. Encryption algorithm: performs various substitutions and transformations on the plaintext.

3. Secret key: another input to the algorithm. The substitutions and transformations performed by the algorithm depend on the key.

4. Ciphertext: the scrambled (unreadable) message that is the output of the encryption algorithm. The ciphertext depends on both the plaintext and the secret key; for a given plaintext, two different keys produce two different ciphertexts.

5. Decryption algorithm: the reverse of the encryption algorithm. It takes the ciphertext and the secret key as inputs and outputs the plaintext.

The important point is that the security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm: it is not necessary to keep the algorithm secret, only the key. Because the algorithm need not be kept secret, it became feasible to use such ciphers widely, and manufacturers could develop low-cost chip implementations of data encryption algorithms. With a conventional algorithm, the principal security problem is maintaining the secrecy of the key.

Feistel Cipher Structure


The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and are then combined to produce the ciphertext block. Each round i has inputs Li-1 and Ri-1, derived from the previous round, as well as the subkey Ki, derived from the overall key K. In general, the subkeys Ki are different from K and from each other.
All rounds have the same structure. A substitution is performed on the left half of the data (as in S-DES). This is done by applying a round function F to the right half of the data and then taking the XOR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network. The exact realization of a Feistel network depends on the choice of the following parameters and design features:
 Block size - increasing the size improves security, but slows the cipher
 Key size - increasing the size improves security and makes exhaustive key search harder, but may slow the cipher
 Number of rounds - increasing the number improves security, but slows the cipher
 Subkey generation - greater complexity can make analysis harder, but slows the cipher
 Round function - greater complexity can make analysis harder, but slows the cipher
 Fast software encryption/decryption and ease of analysis - these are more recent concerns for practical use and testing

The process of decryption is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order, i.e., Kn in the first round, Kn-1 in the second round, and so on. For clarity, we use the notation LEi and REi for data traveling through the encryption algorithm and LDi and RDi for data traveling through the decryption algorithm. The diagram below indicates that, at each round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.

If the output of the ith encryption round is LEi || REi, then the output of the (16-i)th decryption round is LD16-i || RD16-i = REi || LEi, or equivalently RD16-i || LD16-i = LEi || REi.

After the last iteration of the encryption process, the two halves of the output are swapped, so that the ciphertext is RE16 || LE16. The output of that round is the ciphertext. Now take the ciphertext and use it as input to the same algorithm. The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process. Now we will see how the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process.

First consider the encryption process:

LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)

On the decryption side:

LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15

Therefore, LD1 = RE15 and RD1 = LE15. In general, for the ith iteration of the encryption algorithm,

LEi = REi-1
REi = LEi-1 ⊕ F(REi-1, Ki)

Finally, the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap recovers the original plaintext.
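The round-by-round relation derived above, checked in code. This is an added example, not code from the notes: a 16-round Feistel cipher on 64-bit blocks with a constructed (deliberately non-invertible) round function F and a constructed subkey schedule; it records LEi || REi for every encryption round and LDi || RDi for every decryption round and confirms LDi || RDi = RE16-i || LE16-i for all i, and that decryption with the subkeys reversed recovers the plaintext.

```python
"""16-round Feistel cipher (added example) checking the decryption identity
LDi || RDi == RE(16-i) || LE(16-i) round by round."""

ROUNDS = 16
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(r, k):
    """Constructed, deliberately non-invertible round function F(R, K).
    Feistel decryption never needs F^-1; any mapping of (32-bit R, 32-bit K)
    to 32 bits works, so a simple multiply/rotate mix is enough here."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32   # multiply-add mixing
    x ^= (x >> 15) | ((x << 17) & MASK32)        # rotate/xor diffusion
    return x & MASK32


def subkeys(key):
    """Subkeys K1..K16 derived from the 64-bit key K by rotation (a constructed
    schedule, not the DES one). The list is indexed 1..16; index 0 is unused."""
    key &= MASK64
    ks = [0]
    for i in range(1, ROUNDS + 1):
        rot = (3 * i) % 64                       # 3, 6, ..., 48: never zero
        rotated = ((key << rot) | (key >> (64 - rot))) & MASK64
        ks.append((rotated ^ (rotated >> 32)) & MASK32)
    return ks


def feistel(block, ks):
    """Run the network with subkeys ks[1..16]. Returns (output, trace) where
    trace[i] = (L_i, R_i) for i = 0..16 before the final swap, so trace[16]
    is (LE16, RE16) and the output is RE16 || LE16."""
    left, right = (block >> 32) & MASK32, block & MASK32
    trace = [(left, right)]
    for i in range(1, ROUNDS + 1):
        left, right = right, left ^ round_function(right, ks[i])
        trace.append((left, right))
    return (right << 32) | left, trace           # swap the halves on output


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    ks = subkeys(key)
    reversed_ks = [0] + ks[1:][::-1]             # K16 first, K1 last
    return feistel(block, reversed_ks)


def check_swap_identity(plaintext, key):
    """True if for every i the decryption state (LDi, RDi) equals the
    encryption state (RE16-i, LE16-i) and decryption recovers the plaintext."""
    ciphertext, enc_trace = encrypt(plaintext, key)
    recovered, dec_trace = decrypt(ciphertext, key)
    for i in range(ROUNDS + 1):
        le, re = enc_trace[ROUNDS - i]
        ld, rd = dec_trace[i]
        if (ld, rd) != (re, le):
            return False
    return recovered == plaintext


if __name__ == "__main__":
    K = 0x0123456789ABCDEF          # constructed sample key
    P = 0x4E6F772069732074          # constructed sample block
    C, _ = encrypt(P, K)
    print(f"ciphertext {C:016x}, swap identity holds: {check_swap_identity(P, K)}")
```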

Definitions
Encryption: converting a text into code or cipher; converting computer data and messages into something incomprehensible using a key, so that only a holder of the matching key can reconvert them.
Conventional, symmetric, secret-key or single-key encryption: uses the same key for encryption and decryption.
Public-key encryption: uses different keys for encryption and decryption.

Conventional Encryption Principles


An encryption scheme has five ingredients:

1. Plaintext - original message or data.
2. Encryption algorithm - performs substitutions and transformations on the plaintext.
3. Secret key - the exact substitutions and transformations depend on this.
4. Ciphertext - the output, i.e. the scrambled input.
5. Decryption algorithm - converts ciphertext back to plaintext.

Simplified Data Encryption Standard (S-DES)

The figure above illustrates the overall structure of the simplified DES. The S-DES
encryption algorithm takes an 8-bit block of plaintext (example: 10111101) and a 10-bit key
as input and produces an 8-bit block of cipher text as output. The S-DES decryption
algorithm takes an 8-bit block of cipher text and the same 10-bit key used to produce that
cipher text as input and produces the original 8-bit block of plaintext.

The encryption algorithm involves five functions:

 an initial permutation (IP)
 a complex function labeled fK, which involves both permutation and substitution operations and depends on a key input
 a simple permutation function that switches (SW) the two halves of the data
 the function fK again
 a permutation function that is the inverse of the initial permutation (IP-1)

The function fK takes as input not only the data passing through the encryption algorithm, but also an 8-bit key. Here a 10-bit key is used, from which two 8-bit subkeys are generated. The key is first subjected to a permutation (P10). Then a shift operation is performed. The output of the shift operation then passes through a permutation function that produces an 8-bit output (P8) for the first subkey (K1). The output of the shift operation also feeds into another shift and another instance of P8 to produce the second subkey (K2).
The encryption algorithm can be expressed as a composition of functions:
IP-1 ∘ fK2 ∘ SW ∘ fK1 ∘ IP
This can also be written as
Ciphertext = IP-1 (fK2 (SW (fK1 (IP (plaintext)))))
where
K1 = P8 (Shift (P10 (Key)))
K2 = P8 (Shift (Shift (P10 (Key))))
Decryption can be shown as
Plaintext = IP-1 (fK1 (SW (fK2 (IP (ciphertext)))))

S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm. First, permute the key in the following fashion. Let the 10-bit key be designated as (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:
P10 (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1, k9, k8, k6)
P10 can be concisely defined by the display:
P10
3 5 2 7 4 10 1 9 8 6

This table is read from left to right; each position in the table gives the identity of the input bit that produces the output bit in that position. So the first output bit is bit 3 of the input; the second output bit is bit 5 of the input, and so on. For example, the key (1010000010) is permuted to (10000 01100). Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and the second five bits. In our example, the result is (00001 11000). Next we apply P8, which picks out and permutes 8 of the 10 bits according to the following rule:
P8
6 3 7 4 8 5 10 9

The result is subkey 1 (K1). In our example, this yields (10100100). We then go back to the pair of 5-bit strings produced by the two LS-1 functions and perform a circular left shift of 2 bit positions on each string. In our example, the value (00001 11000) becomes (00100 00011). Finally, P8 is applied again to produce K2. In our example, the result is (01000011).
S-DES encryption
Encryption involves the sequential application of five functions.
Initial and Final Permutations: The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP function:
IP
2 6 3 1 4 8 5 7
This retains all 8 bits of the plaintext but mixes them up.
Consider the plaintext to be 11110011.
Permuted output = 10111101
At the end of the algorithm, the inverse permutation is used:
IP-1
4 1 3 5 7 2 8 6

The most complex component of S-DES is the function fK, which consists of a combination of permutation and substitution functions. The functions can be expressed as follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. Then we let
fK(L, R) = (L ⊕ F(R, SK), R)
where SK is a subkey and ⊕ is the bit-by-bit exclusive-OR function.
e.g., permuted output = 1011 1101 and suppose F(1101, SK) = 1110 for some key SK.
Then fK(1011 1101) = (1011 ⊕ 1110, 1101) = (0101, 1101) = 01011101
We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is an expansion/permutation operation:

E/P
4 1 2 3 2 3 4 1

R = 1101, E/P output = 11101011. It is clearer to depict the result in this fashion:

n4 n1 n2 n3
n2 n3 n4 n1

i.e., for R = 1101:

1 1 1 0
1 0 1 1

The 8-bit subkey K1 = (k11, k12, k13, k14, k15, k16, k17, k18) is added to this value using exclusive-OR:

n4 ⊕ k11  n1 ⊕ k12  n2 ⊕ k13  n3 ⊕ k14
n2 ⊕ k15  n3 ⊕ k16  n4 ⊕ k17  n1 ⊕ k18

Let us rename these 8 bits:

p0,0 p0,1 p0,2 p0,3
p1,0 p1,1 p1,2 p1,3

The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2-bit output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output. These two boxes are defined as follows:
The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number that specifies a row of the S-box, and the second and third input bits specify a column of the S-box. The entry in that row and column, in base 2, is the 2-bit output. For example, if (p0,0 p0,3) = (00) and (p0,1 p0,2) = (10), then the output is from row 0, column 2 of S0, which is 3, or (11) in binary. Similarly, (p1,0 p1,3) and (p1,1 p1,2) are used to index into a row and column of S1 to produce an additional 2 bits. Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows:
P4
2 4 3 1

The output of P4 is the output of the function F.


The Switch Function: The function fK only alters the leftmost 4 bits of the input. The switch function (SW) interchanges the left and right 4 bits so that the second instance of fK operates on a different 4 bits. In this second instance, the E/P, S0, S1, and P4 functions are the same. The key input is K2. Finally, apply the inverse permutation to get the ciphertext.

Data Encryption Standard (DES)


The main standard for encrypting data was a symmetric algorithm known as the Data Encryption Standard (DES). However, this has now been replaced by a new standard known as the Advanced Encryption Standard (AES), which we will look at later. DES is a 64-bit block cipher, which means that it encrypts data 64 bits at a time. This is contrasted with a stream cipher, in which only one bit at a time (or sometimes small groups of bits such as a byte) is encrypted. DES was the result of a research project set up by the International Business Machines (IBM) corporation in the late 1960s which resulted in a cipher known as LUCIFER. In the early 1970s it was decided to commercialize LUCIFER and a number of significant changes were introduced. IBM was not the only one involved in these changes, as they sought technical advice from the National Security Agency (NSA) (other outside consultants were involved, but it is likely that the NSA were the major contributors from a technical point of view). The altered version of LUCIFER was put forward as a proposal for the new national encryption standard requested by the National Bureau of Standards (NBS). It was finally adopted in 1977 as the Data Encryption Standard, DES (FIPS PUB 46). Some of the changes made to LUCIFER have been the subject of much controversy even to the present day. The most notable of these was the key size. LUCIFER used a key size of 128 bits; however, this was reduced to 56 bits for DES. Even though DES actually accepts a 64-bit key as input, the remaining eight bits are used for parity checking and have no effect on DES’s security. Outsiders were convinced that the 56-bit key was an easy target for a brute-force attack due to its extremely small size. The need for the parity checking scheme was also questioned without satisfying answers. Another controversial issue was that the S-boxes used were designed under classified conditions and no reasons for their particular design were ever given. This led people to assume that the NSA had introduced a “trapdoor” through which they could decrypt any data encrypted by DES even without knowledge of the key. One startling discovery was that the S-boxes appeared to be secure against an attack known as differential cryptanalysis, which was only publicly discovered by Biham and Shamir in 1990. This suggests that the NSA were aware of this attack in 1977, 13 years earlier! In fact the DES designers claimed that the reason they never made the design specifications for the S-boxes available was that they knew about a number of attacks that weren’t public knowledge at the time and they didn’t want them leaking; this is quite a plausible claim, as differential cryptanalysis has shown. However, despite all this controversy, in 1994 NIST reaffirmed DES for government use for a further five years for use in areas other than “classified”. DES of course isn’t the only symmetric cipher. There are many others, each with varying levels of complexity. Such ciphers include IDEA, RC4, RC5, RC6 and the new Advanced Encryption Standard (AES). AES is an important algorithm and was originally meant to replace DES (and its more secure variant, triple DES) as the standard algorithm for non-classified material. However, as of 2003, AES with key sizes of 192 and 256 bits has been found to be secure enough to protect information up to top secret. Since its creation, AES has undergone intense scrutiny, as one would expect for an algorithm that is to be used as the standard. To date it has withstood all attacks, but the search is still on and it remains to be seen whether or not this will last. We will look at AES later in the course.
DES
DES (and most of the other major symmetric ciphers) is based on a cipher known as the Feistel block cipher. It consists of a number of rounds where each round contains bit-shuffling, non-linear substitutions (S-boxes) and exclusive-OR operations. As with most encryption schemes, DES expects two inputs: the plaintext to be encrypted and the secret key. The manner in which the plaintext is accepted, and the key arrangement used for encryption and decryption, both determine the type of cipher it is. DES is therefore a symmetric, 64-bit block cipher, as it uses the same key for both encryption and decryption and only operates on 64-bit blocks of data at a time (be they plaintext or ciphertext). The key size used is 56 bits; however, a 64-bit (or eight-byte) key is actually input. The least significant bit of each byte is either used for parity (odd for DES) or set arbitrarily and does not increase the security in any way. All bits are numbered from left to right, which makes the eighth bit of each byte the parity bit.

Once a plaintext message is received to be encrypted, it is arranged into the 64-bit blocks required for input. If the number of bits in the message is not evenly divisible by 64, then the last block will be padded. Multiple permutations and substitutions are incorporated throughout in order to increase the difficulty of performing a cryptanalysis on the cipher.
Overall Structure
The figure below shows the sequence of events that occur during an encryption operation. DES performs an initial permutation on the entire 64-bit block of data. It is then split into two 32-bit sub-blocks, Li and Ri, which are then passed into what is known as a round (see figure 2.3), of which there are 16 (the subscript i in Li and Ri indicates the current round). Each of the rounds is identical, and the effect of increasing their number is twofold: the algorithm’s security is increased and its temporal efficiency decreased. Clearly these are two conflicting outcomes and a compromise must be made. For DES the number chosen was 16, probably to guarantee the elimination of any correlation between the ciphertext and either the plaintext or key. At the end of the 16th round, the 32-bit Li and Ri output quantities are swapped to create what is known as the pre-output. This [R16, L16] concatenation is permuted using a function which is the exact inverse of the initial permutation. The output of this final permutation is the 64-bit ciphertext.

So in total the processing of the plaintext proceeds in three phases, as can be seen from the left-hand side of the figure:

1. Initial permutation (IP, defined in table 2.1), rearranging the bits to form the “permuted input”.

2. Followed by 16 iterations of the same function (substitution and permutation). The output of the last iteration consists of 64 bits which are a function of the plaintext and key. The left and right halves are swapped to produce the pre-output.

3. Finally, the pre-output is passed through a permutation (IP−1, defined in table 2.1) which is simply the inverse of the initial permutation (IP). The output of IP−1 is the 64-bit ciphertext.

As the figure shows, the inputs to each round consist of the Li, Ri pair and a 48-bit subkey which is a shifted and contracted version of the original 56-bit key. The use of the key can be seen in the right-hand portion of figure 2.2:
• Initially the key is passed through a permutation function (PC1, defined in table 2.2).
• For each of the 16 iterations, a subkey (Ki) is produced by a combination of a left circular shift and a permutation (PC2, defined in table 2.2) which is the same for each iteration. However, the resulting subkey is different for each iteration because of the repeated shifts.

Details Of Individual Rounds

The main operations on the data are encompassed into what is referred to as the cipher function and is labeled F. This function accepts two different-length inputs, of 32 bits and 48 bits, and outputs a single 32-bit number. Both the data and key are operated on in parallel; however, the operations are quite different. The 56-bit key is split into two 28-bit halves, Ci and Di (C and D being chosen so as not to be confused with L and R). The value of the key used in any round is simply a left cyclic shift and a permuted contraction of that used in the previous round. Mathematically, this can be written as

Ci = LCSi(Ci−1), Di = LCSi(Di−1)

Ki = PC2(Ci, Di)

where LCSi is the left cyclic shift for round i, Ci and Di are the outputs after the shifts, PC2(.) is a function which permutes and compresses a 56-bit number into a 48-bit number, and Ki is the actual key used in round i. The number of shifts is either one or two and is determined by the round number i. For i = {1, 2, 9, 16} the number of shifts is one, and for every other round it is two.

S-Box Details

International Data Encryption Algorithm (IDEA)

The International Data Encryption Algorithm (IDEA) is a symmetric-key block cipher that was
first introduced in 1991. It was designed to provide secure encryption for digital data and is
used in a variety of applications, such as secure communications, financial transactions, and
electronic voting systems.
IDEA is a block cipher with a block size of 64 bits and a key size of 128 bits. It uses a series of mathematical operations, including modular arithmetic, bit shifting, and exclusive OR (XOR) operations, to transform the plaintext into ciphertext. The cipher is designed to be highly secure and resistant to various types of attacks, including differential and linear cryptanalysis.
One of the strengths of IDEA is its efficient implementation in software and hardware. The
algorithm is relatively fast and requires only a small amount of memory and processing power.
This makes it a popular choice for use in embedded systems and other applications where
resources are limited.
IDEA has been widely used in various encryption applications, although it has been largely
replaced by newer encryption algorithms such as AES (Advanced Encryption Standard) in
recent years. However, IDEA is still considered to be a highly secure and effective encryption
algorithm, and it continues to be used in some legacy systems and applications.
In cryptography, block ciphers are very important in the design of many cryptographic algorithms and are widely used to encrypt the bulk of data in chunks. By chunks, it is meant that the cipher takes a fixed size of the plaintext in the encryption process and generates a fixed-size ciphertext using a fixed-length key. An algorithm’s strength is determined by its key length.
The Simplified International Data Encryption Algorithm (IDEA) is a symmetric-key block cipher that:

 uses a fixed-length plaintext of 16 bits and
 encrypts it in 4 chunks of 4 bits each
 to produce a 16-bit ciphertext.
 The length of the key used is 32 bits.
 The key is also divided into 8 blocks of 4 bits each.

This algorithm involves a series of 4 identical complete rounds and 1 half-round. Each complete round involves a series of 14 steps that include operations like:

 Bitwise XOR
 Addition modulo 2^4
 Multiplication modulo 2^4 + 1

After 4 complete rounds, the final “half-round” consists of only the first 4 out of the 14 steps previously used in the full rounds. To perform these rounds, each binary value must be converted to its equivalent decimal value, the oper  ation performed, and the result converted back to binary for the final result of that particular step.
Key Schedule: 6 subkeys of 4 bits out of the 8 subkeys are used in each complete round, while 4 are used in the half-round. So, 4.5 rounds require 28 subkeys. The given key, ‘K’, directly gives the first 8 subkeys. By rotating the main key left by 6 bits between each group of 8, further groups of 8 subkeys are created, implying less than one rotation per round for the key (3 rotations).

          K1   K2    K3   K4    K5   K6
Round 1   1101 1100  0110 1111  0011 1111
Round 2   0101 1001* 0001 1011  1100 1111
Round 3   1101 0110  0111 0111* 1111 0011
Round 4   1111 0101  1001 1101  1100 0110*
Round 4.5 1111 1101  0110 0111

* denotes a shift of bits (the last subkey of a group of 8; the next subkey comes from the rotated key)


The 16-bit plaintext can be represented as X1 || X2 || X3 || X4, each of size 4 bits. The 32-bit key is broken into 8 subkeys denoted as K1 || K2 || K3 || K4 || K5 || K6 || K7 || K8, again of size 4 bits each. Each round of 14 steps uses the three algebraic operations: addition modulo 2^4, multiplication modulo 2^4 + 1 and bitwise XOR. The steps involved are as follows:

1. X1 * K1
2. X2 + K2
3. X3 + K3
4. X4 * K4
5. Step 1 ^ Step 3
6. Step 2 ^ Step 4
7. Step 5 * K5
8. Step 6 + Step 7
9. Step 8 * K6
10. Step 7 + Step 9
11. Step 1 ^ Step 9
12. Step 3 ^ Step 9
13. Step 2 ^ Step 10
14. Step 4 ^ Step 10

The input to the next round is Step 11 || Step 13 || Step 12 || Step 14, which becomes X1 || X2 || X3 || X4. This swap between 12 and 13 takes place after each complete round, except the last complete round (4th round), where the input to the final half-round is Step 11 || Step 12 || Step 13 || Step 14.

After the last complete round, the half-round is as follows:

1. X1 * K1
2. X2 + K2
3. X3 + K3
4. X4 * K4

The final output is obtained by concatenating the blocks.
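The simplified IDEA key schedule, the 14-step round and the half-round described above, as an added example (not code from the notes). The key is the one whose subkeys the table above lists (1101 1100 0110 1111 0011 1111 0101 1001), so the schedule can be checked against the table; the plaintext 1001 1100 1010 0110 is a constructed sample. One convention the text leaves open is assumed: in multiplication modulo 17 the 4-bit value 0000 stands for 16, as in Hoffman's simplified IDEA, since 16 itself does not fit in 4 bits.

```python
"""Simplified IDEA (16-bit block, 32-bit key, 4 full rounds + 1 half-round).
Added example following the text's key schedule and round steps.
Assumed convention: 0000 represents 16 in multiplication modulo 2^4 + 1 = 17."""

MASK4 = 0xF


def mul(a, b):
    """Multiplication modulo 17 on 4-bit values, with 0 standing for 16."""
    a = 16 if a == 0 else a
    b = 16 if b == 0 else b
    r = (a * b) % 17
    return 0 if r == 16 else r


def add(a, b):
    """Addition modulo 2^4."""
    return (a + b) & MASK4


def nibbles(value, count):
    """Split an integer into `count` 4-bit chunks, most significant first."""
    return [(value >> (4 * (count - 1 - i))) & MASK4 for i in range(count)]


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def key_schedule(key32):
    """28 subkeys: the key gives K1..K8 directly; each further group of 8 is
    read from the previous 32-bit value rotated left by 6 bits."""
    subkeys, k = [], key32
    while len(subkeys) < 28:
        subkeys.extend(nibbles(k, 8))
        k = rotl32(k, 6)
    return subkeys[:28]


def full_round(x, k):
    """The 14 steps of a complete round; x = [X1..X4], k = [K1..K6].
    Returns the blocks already in next-round order: step 11, 13, 12, 14."""
    s1 = mul(x[0], k[0])
    s2 = add(x[1], k[1])
    s3 = add(x[2], k[2])
    s4 = mul(x[3], k[3])
    s5 = s1 ^ s3
    s6 = s2 ^ s4
    s7 = mul(s5, k[4])
    s8 = add(s6, s7)
    s9 = mul(s8, k[5])
    s10 = add(s7, s9)
    s11, s12, s13, s14 = s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10
    return [s11, s13, s12, s14]


def half_round(x, k):
    """The final half-round: only the first four steps, with K1..K4."""
    return [mul(x[0], k[0]), add(x[1], k[1]), add(x[2], k[2]), mul(x[3], k[3])]


def encrypt(plain16, key32):
    ks = key_schedule(key32)
    x = nibbles(plain16, 4)
    for r in range(4):
        x = full_round(x, ks[6 * r:6 * r + 6])
    # no swap after the 4th round: undo the swap full_round applied
    x = [x[0], x[2], x[1], x[3]]
    x = half_round(x, ks[24:28])
    return (x[0] << 12) | (x[1] << 8) | (x[2] << 4) | x[3]


if __name__ == "__main__":
    KEY = 0xDC6F3F59    # 1101 1100 0110 1111 0011 1111 0101 1001 (the text's table)
    PLAIN = 0x9CA6      # constructed sample block 1001 1100 1010 0110
    ks = key_schedule(KEY)
    for r in range(4):
        print("round", r + 1, [format(v, "04b") for v in ks[6 * r:6 * r + 6]])
    print("round 4.5", [format(v, "04b") for v in ks[24:28]])
    print("ciphertext =", format(encrypt(PLAIN, KEY), "016b"))
```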
Blowfish Algorithm
A symmetric block cipher designed by Bruce Schneier in 1993/94.
Characteristics:
• fast implementation on 32-bit CPUs
• compact in use of memory
• simple structure for analysis/implementation
• variable security by varying the key size
• has been implemented in various products
Blowfish Key Schedule
• uses a 32- to 448-bit key, stored as 32-bit words in the K-array Kj, j from 1 to 14
• used to generate
• 18 32-bit subkeys stored in the P-array, P1 … P18
• four 8x32 S-boxes stored in Si,j, each with 256 32-bit entries

Subkey and S-box generation:

1. Initialize the P-array and then the 4 S-boxes in order using the fractional part of pi: P1 gets the leftmost 32 bits, and so on, through S4,255.
2. XOR the P-array with the key array (32-bit blocks), reusing the key words as needed: assuming we have key words up to K10, then P1 XOR K1, …, P10 XOR K10, P11 XOR K1, …, P18 XOR K8.
3. Encrypt a 64-bit block of zeros, and use the result to update P1 and P2.
4. Encrypt the output from the previous step using the current P and S and replace P3 and P4. Then encrypt the current output and use it to update successive pairs of P.
5. After updating all the P’s (last: P17, P18), start updating the S values using the encrypted output from the previous step.
 requires 521 encryptions, hence slow in re-keying
 not suitable for limited-memory applications
Blowfish Encryption
 uses two main operations: addition modulo 2^32, and XOR
 data is divided into two 32-bit halves L0 and R0

for i = 1 to 16 do
    Ri = Li-1 XOR Pi;
    Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;

• where F splits its 32-bit input into four bytes a, b, c, d (used as S-box indices) and
F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d
Block Cipher Modes of Operation
 Direct use of a block cipher is inadvisable
 The enemy can build up a “code book” of plaintext/ciphertext equivalents
 Beyond that, direct use only works on messages whose length is a multiple of the cipher block size
 Solution: five standard modes of operation: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR).

Electronic Code Book

 Direct use of the block cipher
 Used primarily to transmit encrypted keys
 Very weak if used for general-purpose encryption; never use it for a file or a message.
 Attacker can build a codebook; no semantic security
 We write {P}k → C to denote “encryption of plaintext P with key k to produce ciphertext C”

Cipher Block Chaining
 We would like the same plaintext blocks to produce different ciphertext blocks.
 Cipher Block Chaining (see figure) allows this by XORing each plaintext block with the ciphertext from the previous round (the first round using an Initialisation Vector (IV)).
 As before, the same key is used for each block.
 Decryption works as shown in the figure because of the properties of the XOR operation, i.e. IV ⊕ IV ⊕ P = P, where IV is the Initialisation Vector and P is the plaintext.
 Obviously the IV needs to be known by both sender and receiver, and it should be kept secret along with the key for maximum security.

Cipher Feedback (CFB) Mode

 The Cipher Feedback and Output Feedback modes allow a block cipher to be converted into a stream cipher.
 This eliminates the need to pad a message to an integral number of blocks. It also can operate in real time.
 The figure shows the CFB scheme.
 In this figure it is assumed that the unit of transmission is s bits; a common value is s = 8.

 As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext (which is split into s-bit segments).
 The input to the encryption function is a shift register equal in length to the block size of the algorithm (although the diagram shows 64 bits, which is the block size used by DES, this can be extended to other block sizes such as the 128 bits of AES).
 This is initially set to some Initialisation Vector (IV).

Output Feedback (OFB) Mode

 The Output Feedback mode is similar in structure to that of CFB, as seen in figure 13.
 As can be seen, it is the output of the encryption function that is fed back to the shift register in OFB, whereas in CFB the ciphertext unit is fed back to the shift register.
 One advantage of the OFB method is that bit errors in transmission do not propagate.
 For example, if a bit error occurs in C1, only the recovered value of P1 is affected; subsequent plaintext units are not corrupted.
 With CFB, C1 also serves as input to the shift register and therefore causes additional corruption downstream.
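The ECB codebook leak, CBC chaining, and the CFB/OFB error-propagation difference described above, as an added example (not code from the notes). A constructed keyed byte permutation stands in for the block cipher (block size 8 bits, unit size s = 8, so the CFB shift register is one unit long); the key, IV and message are constructed samples. The IV is assumed to travel with the ciphertext; for CBC it must be fresh and unpredictable per message.

```python
"""Block cipher modes over a toy 8-bit block cipher (added example).
The toy cipher is a key-derived permutation of byte values; it exists only so
that ECB, CBC, CFB and OFB can be compared on real input."""

import random


def make_cipher(key):
    """Constructed block cipher: a keyed permutation of 0..255 and its inverse."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return (lambda b: table[b]), (lambda b: inverse[b])


def ecb_encrypt(enc, plain):
    """Every identical plaintext block yields the identical ciphertext block."""
    return bytes(enc(p) for p in plain)


def cbc_encrypt(enc, iv, plain):
    out, prev = bytearray(), iv
    for p in plain:
        prev = enc(p ^ prev)          # chain: XOR with the previous ciphertext block
        out.append(prev)
    return bytes(out)


def cbc_decrypt(dec, iv, cipher):
    out, prev = bytearray(), iv
    for c in cipher:
        out.append(dec(c) ^ prev)     # IV xor IV xor P = P for the first block
        prev = c
    return bytes(out)


def cfb_encrypt(enc, iv, plain):
    out, reg = bytearray(), iv
    for p in plain:
        c = p ^ enc(reg)              # keystream = encryption of the shift register
        out.append(c)
        reg = c                       # the ciphertext unit is fed back
    return bytes(out)


def cfb_decrypt(enc, iv, cipher):
    out, reg = bytearray(), iv
    for c in cipher:
        out.append(c ^ enc(reg))      # decryption also uses the *encryption* function
        reg = c
    return bytes(out)


def ofb_crypt(enc, iv, data):
    """OFB is symmetric: the same routine encrypts and decrypts."""
    out, reg = bytearray(), iv
    for d in data:
        reg = enc(reg)                # the cipher output is fed back, not the ciphertext
        out.append(d ^ reg)
    return bytes(out)


def corrupted_positions(original, recovered):
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]


def error_propagation(key=0x2B, iv=0x5C, plain=b"ATTACK AT DAWN. ATTACK AT DAWN."):
    """Flip one bit in C1 of a CFB and of an OFB ciphertext; return the
    plaintext positions (0-based) that decrypt wrongly in each mode."""
    enc, _ = make_cipher(key)
    damaged = lambda ct: bytes([ct[0] ^ 0x08]) + ct[1:]     # transmission bit error in C1
    cfb_bad = cfb_decrypt(enc, iv, damaged(cfb_encrypt(enc, iv, plain)))
    ofb_bad = ofb_crypt(enc, iv, damaged(ofb_crypt(enc, iv, plain)))
    return corrupted_positions(plain, cfb_bad), corrupted_positions(plain, ofb_bad)


if __name__ == "__main__":
    enc, dec = make_cipher(0x2B)
    msg = b"ATTACK AT DAWN. ATTACK AT DAWN."    # constructed, deliberately repetitive
    print("ECB:", ecb_encrypt(enc, msg).hex())  # the two halves repeat: codebook leak
    print("CBC:", cbc_encrypt(enc, 0x5C, msg).hex())
    print("corrupted after a bit error in C1 (CFB, OFB):", error_propagation())
```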

Counter Mode

Public Key Cryptography


The development of public-key cryptography is the greatest and perhaps the only true revolution in the entire history of cryptography. It is asymmetric, involving the use of two separate keys, in contrast to symmetric encryption, which uses only one key. Public-key schemes are neither more nor less secure than private-key schemes (security depends on the key size for both). Public-key cryptography complements rather than replaces symmetric cryptography. Both also have issues with key distribution, requiring the use of some suitable protocol. The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption:
1.) key distribution - how to have secure communications in general without having to trust a KDC with your key
2.) digital signatures - how to verify that a message comes intact from the claimed sender
Public-key/two-key/asymmetric cryptography involves the use of two keys:
 a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
 a private key, known only to the recipient, used to decrypt messages and sign (create) signatures
 it is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-key algorithms rely on one key for encryption and a different but related key for decryption. These algorithms have the following important characteristics:
 it is computationally infeasible to find the decryption key knowing only the algorithm and the encryption key
 it is computationally easy to encrypt/decrypt messages when the relevant (encryption/decryption) key is known
 either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms, like RSA)

The following figure illustrates the public-key encryption process and shows that a public-key encryption scheme has six ingredients: plaintext, encryption algorithm, public and private keys, ciphertext and decryption algorithm.

The essential steps involved in a public-key encryption scheme are given below:
1.) Each user generates a pair of keys to be used for encryption and decryption.

2.) Each user places one of the two keys in a public register and the other key is kept private.

3.) If B wants to send a confidential message to A, B encrypts the message using A’s public
key.

4.) When A receives the message, she decrypts it using her private key. Nobody else can
decrypt the message because that can only be done using A’s private key (Deducing a private
key should be infeasible).

5.) If a user wishes to change his keys, he generates another pair of keys and publishes the
public one: no interaction with other users is needed.

Notations used in public-key cryptography:
 The public key of user A will be denoted KUA.
 The private key of user A will be denoted KRA.
 Encryption method will be a function E.
 Decryption method will be a function D.
 If B wishes to send a plain message X to A, then he sends the cryptotext
Y=E(KUA,X)
 The intended receiver A will decrypt the message: D(KRA,Y)=X

The first attack on public-key cryptography is the attack on authenticity. An attacker may
impersonate user B: he sends a message E(KUA,X) and claims in the message to be B; A has no
guarantee this is so. To overcome this, B will encrypt the message using his private key:
Y=E(KRB,X). The receiver decrypts using B's public key KUB: X=D(KUB,Y). This shows the
authenticity of the sender because (supposedly) he is the only one who knows the private key.
The entire encrypted message serves as a digital signature. This scheme is depicted in the
following figure:

But a drawback still exists. Anybody can decrypt the message using B's public key, so secrecy
or confidentiality is not provided. One can provide both authentication and confidentiality
by using the public-key scheme twice:

B encrypts X with his private key: Y=E(KRB,X)

B encrypts Y with A's public key: Z=E(KUA,Y)

A decrypts Z (and she is the only one capable of doing it): Y=D(KRA,Z)

A can now recover the plaintext and be sure that it comes from B (he is the only one who knows
his private key) by decrypting Y with B's public key: X=D(KUB,Y).

This costs two public-key operations per message on each side; in practice the signature is
applied to a hash of the message and confidentiality is obtained with a symmetric key (see
Digital Signatures below).
Applications For Public-Key Cryptosystems:
1.) Encryption/decryption: sender encrypts the message with the receiver’s public key.

2.) Digital signature: sender “signs” the message (or a representative part of the message)
using his private key

3.) Key exchange: two sides cooperate to exchange a secret key for later use in a secret-key
cryptosystem.

The main requirements of public-key cryptography are:

1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb).
2. Easy for sender A to generate ciphertext: C = E_KUb(M)
3. Easy for the receiver B to decrypt ciphertext using the private key: M = D_KRb(C) = D_KRb[E_KUb(M)]
4. Computationally infeasible to determine the private key (KRb) knowing the public key (KUb)
5. Computationally infeasible to recover the message M, knowing KUb and the ciphertext C
6. Either of the two keys can be used for encryption, with the other used for decryption:
M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]

Easy is defined to mean a problem that can be solved in polynomial time as a function of
input length. A problem is infeasible if the effort to solve it grows faster than polynomial time as
a function of input size. Public-key cryptosystems usually rely on hard mathematical functions rather
than the substitution-permutation (S-P) networks of classical cryptosystems. A one-way function is
one that is easy to calculate in one direction but infeasible to calculate in the other direction (i.e., the
inverse is infeasible to compute). A trap-door one-way function is a one-way function that becomes
easy to invert if some extra (trap-door) information is known. Our aim is to find a trap-door one-way
function, which is easy to calculate in one direction and infeasible to calculate in the other direction
unless certain additional information is known.
Security of public-key schemes:
 Like private-key schemes, a brute-force exhaustive search attack is always
theoretically possible. But the keys used are large (well over 512 bits; 2048-bit RSA is the
usual minimum today), so this is impractical.
 Security relies on a large enough difference in difficulty between the easy
(en/decrypt) and hard (cryptanalysis) problems. More generally the hard problem
is known; it is just made too hard to do in practice.
 Requires the use of very large numbers, hence is slow compared to private-key
schemes

RSA Algorithm
RSA is the best known, and by far the most widely used, general public-key encryption
algorithm, and was first published by Rivest, Shamir and Adleman of MIT in 1978 [RIVE78].
Since that time RSA has reigned supreme as the most widely accepted and implemented
general-purpose approach to public-key encryption. The RSA scheme is a block cipher in
which the plaintext and the ciphertext are integers between 0 and n-1 for some fixed n; a
typical size for n is 1024 bits (or 309 decimal digits), and 2048 bits is the accepted minimum
today. It is based on modular exponentiation over the integers modulo n, where n is the product
of two large primes (note that Z_n for composite n is a ring, not a field). Its security is
due to the cost of factoring large numbers. RSA involves a public key and a private key,
where the public key is known to all and is used to encrypt data or messages. Data or
messages which have been encrypted using a public key can only be decrypted by using the
corresponding private key. Each user generates a key pair, i.e. public and private key, using the
following steps:
 each user selects two large distinct primes at random: p, q
 compute their system modulus n=p.q
 calculate ø(n), where ø(n)=(p-1)(q-1)
 select at random the encryption key e, where 1<e<ø(n) and gcd(e,ø(n))=1
 solve the following equation to find the decryption key d: e.d ≡ 1 mod ø(n), with 0<d<ø(n)
 publish the public encryption key: KU={e,n}
 keep secret the private decryption key: KR={d,n}

Both the sender and receiver must know the values of n and e, and only the receiver knows
the value of d. Encryption and decryption are done using the following equations. To encrypt
a message M the sender:
– obtains the public key of the recipient KU={e,n}
– computes: C = M^e mod n, where 0≤M<n
To decrypt the ciphertext C the owner:
– uses their private key KR={d,n}
– computes: M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

For this algorithm to be satisfactory, the following requirements are to be met.
a) It is possible to find values of e, d, n such that M^(ed) ≡ M mod n for all M<n
b) It is relatively easy to calculate M^e mod n and C^d mod n for all values of M < n
c) It is computationally infeasible to determine d given e and n

The way RSA works is based on number theory. Fermat's little theorem: if p is
prime and a is a positive integer not divisible by p, then a^(p-1) ≡ 1 mod p. Corollary: for any
positive integer a and prime p, a^p ≡ a mod p.
Fermat's theorem, as useful as it will turn out to be, does not provide us with the integers d, e we
are looking for; Euler's theorem (a generalisation of Fermat's) does. Euler's totient function
associates to any positive integer n a number φ(n): the number of positive integers smaller than n
and relatively prime to n. For example, φ(37) = 36, i.e. φ(p) = p-1 for any prime p. For any two
distinct primes p, q, φ(pq) = (p-1)(q-1). Euler's theorem: for any relatively prime integers a, n we
have a^φ(n) ≡ 1 mod n. Corollary: let p, q be two distinct odd primes and n = pq. Then
φ(n) = (p-1)(q-1), and for any integer m with 0<m<n, m^((p-1)(q-1)+1) ≡ m mod n; more generally,
for any integers k, m with 0<m<n, m^(k(p-1)(q-1)+1) ≡ m mod n. (This holds even when m is not
relatively prime to n, because n is a product of distinct primes; for a general n the exponent form
of Euler's theorem requires gcd(m,n)=1.) Euler's theorem thus provides us the numbers d, e such
that M^(ed) ≡ M mod n: we have to choose d, e such that ed = kφ(n)+1, or equivalently
d ≡ e^(-1) mod φ(n).

An example of RSA can be given as,

Select primes: p=17 & q=11
Compute n = pq = 17×11 = 187
Compute ø(n) = (p–1)(q-1) = 16×10 = 160
Select e: gcd(e,160)=1; choose e=7
Determine d: de ≡ 1 mod 160 and d < 160. The value is d=23 since 23×7 = 161 = 1×160+1
Publish public key KU={7,187}
Keep secret private key KR={23,187}
Now, given message M = 88 (note 88<187)
encryption: C = 88^7 mod 187 = 11
decryption: M = 11^23 mod 187 = 88

Another example of RSA is given as,
Let p = 11, q = 13, e = 11, m = 7
n = pq, i.e. n = 11×13 = 143
ø(n) = (p-1)(q-1), i.e. (11-1)(13-1) = 120
e.d ≡ 1 mod ø(n), i.e. 11d mod 120 = 1; (11×11) mod 120 = 121 mod 120 = 1, so d = 11
public key: {11,143} and private key: {11,143} (e = d here only because the toy parameters
are tiny; a key pair in which the private exponent equals the public one is useless in practice)
C = M^e mod n, so ciphertext = 7^11 mod 143 = 1977326743 mod 143, i.e. C = 106
M = C^d mod n, so plaintext = 106^11 mod 143, i.e. M = 7

For RSA key generation, users of RSA must:
– determine two primes at random, p and q
– select either e or d and compute the other
– the primes p and q must be sufficiently large
– typically guess a candidate and use a probabilistic primality test (e.g. Miller-Rabin) to accept it

Security of RSA
The main approaches to attacking the RSA algorithm are:
Brute force key search (infeasible given the size of the numbers). As explained before, this involves
trying all possible private keys. The best defense is using large keys.
Mathematical attacks (based on the difficulty of computing ø(n) by factoring the modulus n).
There are several approaches, all equivalent in effect to factoring the product of two primes.
Some of them are given as:
– factor n=p.q, hence find ø(n) and then d
– determine ø(n) directly and find d
– find d directly

The possible defense is using large keys and also choosing p and q carefully: they should be
of similar length (differing by only a few digits) but not close in value, and both on the
order of magnitude 10^75 to 10^100 (larger still for the key sizes used today). Both (p-1) and
(q-1) should contain a large prime factor, and gcd(p-1, q-1) should be small.

Diffie-Hellman Key Exchange

Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that
have no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel. This key can then be used to encrypt subsequent communications
using a symmetric-key cipher. The D-H algorithm depends for its effectiveness on the
difficulty of computing discrete logarithms.

First, a primitive root of a prime number p can be defined as one whose powers generate all the
integers from 1 to p-1. If a is a primitive root of the prime number p, then the numbers a mod
p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p-1 in some
permutation.
For any integer b with 1 ≤ b ≤ p-1 and a primitive root a of prime number p, we can find a unique
exponent i such that b ≡ a^i (mod p), where 0 ≤ i ≤ p-1. The exponent i is referred to as the discrete
logarithm of b for the base a, mod p. We express this value as dlog_a,p(b). The algorithm is
summarized below:

For this scheme, there are two publicly known numbers: a prime number q and an integer α
that is a primitive root of q. Suppose the users A and B wish to exchange a key. User A
selects a random integer XA < q and computes YA = α^XA mod q. Similarly, user B
independently selects a random integer XB < q and computes YB = α^XB mod q. Each side
keeps the X value private and makes the Y value available publicly to the other side. User A
computes the key as K = (YB)^XA mod q and user B computes the key as K = (YA)^XB mod
q. These two calculations produce identical results, since
(YB)^XA = (α^XB)^XA = α^(XB·XA) = (α^XA)^XB = (YA)^XB (mod q).
Discrete Log Problem
The (discrete) exponentiation problem is as follows: given a base a, an exponent b and a
modulus p, calculate c such that a^b ≡ c (mod p) and 0 ≤ c < p. It turns out that this problem is
fairly easy and can be calculated "quickly" using fast exponentiation (square-and-multiply). The
discrete log problem is the inverse problem: given a base a, a result c (0 ≤ c < p) and a modulus p,
calculate the exponent b such that a^b ≡ c (mod p). It turns out that no one has found a
quick way to solve this problem. With the DLP, if p has 300 digits and Xa and Xb have more than
100 digits, it would take longer than the life of the universe to crack the method by brute force.
Examples for the D-H key distribution scheme:
1) Let p = 37 and g = 13.

Let Alice pick a = 10. Alice calculates 13^10 (mod 37), which is 4, and sends that to Bob. Let Bob
pick b = 7. Bob calculates 13^7 (mod 37), which is 32, and sends that to Alice. (Note: 10 and 7 are
secret to Alice and Bob, respectively, but both 4 and 32 are known by all.)
Alice computes 32^10 (mod 37), which is 30, the secret key.
Bob computes 4^7 (mod 37), which is 30, the same secret key.

2) Let p = 47 and g = 5. Let Alice pick a = 18. Alice calculates 5^18 (mod 47), which is 2, and
sends that to Bob. Let Bob pick b = 22. Bob calculates 5^22 (mod 47), which is 28, and sends
that to Alice.
Alice computes 28^18 (mod 47), which is 24, the secret key.
Bob computes 2^22 (mod 47), which is 24, the same secret key.

Man-in-the-Middle Attack on the D-H Protocol

Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack
proceeds as follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then
computing the corresponding public keys YD1 and YD2.

2. Alice transmits YA to Bob.

3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)^XD2 mod q.

4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.

5. Bob transmits YB to Alice.

6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = (YB)^XD1 mod q.

7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share secret key K1 and Alice and Darth share secret key K2. All future communication
between Bob and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).

2. Darth intercepts the encrypted message and decrypts it, to recover M.

3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth
simply wants to eavesdrop on the communication without altering it. In the second case,
Darth wants to modify the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate the
participants or the exchanged public values. This vulnerability can be overcome with the use of
digital signatures and public-key certificates (for example, by signing the exchanged Y values).
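As an added example (not part of the notes), the following Python runs the two numeric D-H exchanges above, shows the brute-force discrete logarithm that is feasible only because the moduli are toy-sized, and then simulates the man-in-the-middle attack just described, with Darth's keys XD1, XD2 chosen here for the demonstration. All parameters are the notes' values or labelled assumptions; nothing here is a real implementation (no large safe prime, no authentication).

```python
# Added example (not from the notes): Diffie-Hellman over Z_p* with the notes'
# toy parameters, the brute-force DLP, and a simulation of the MITM attack.

def dh_public(g, p, x):
    """Y = g^x mod p (the value each party sends in the clear)."""
    return pow(g, x, p)


def dh_shared(peer_public, x, p):
    """K = Y_peer^x mod p (computed privately by each side)."""
    return pow(peer_public, x, p)


def dh_exchange(p, g, a, b):
    """Honest exchange: returns (YA, YB, K as Alice computes it, K as Bob computes it)."""
    ya, yb = dh_public(g, p, a), dh_public(g, p, b)
    return ya, yb, dh_shared(yb, a, p), dh_shared(ya, b, p)


def discrete_log(g, c, p):
    """Brute-force dlog_{g,p}(c): the 'hard' direction, feasible only for toy p."""
    for b in range(p):
        if pow(g, b, p) == c:
            return b
    return None


def dh_mitm(p, g, a, b, xd1, xd2):
    """Darth sits between Alice (private a) and Bob (private b).

    He replaces YA with YD1 on the way to Bob and YB with YD2 on the way to
    Alice, so he shares K1 with Bob and K2 with Alice, who believe they share
    a key with each other.  xd1, xd2 are Darth's private keys (assumed here).
    """
    ya, yb = dh_public(g, p, a), dh_public(g, p, b)          # honest values
    yd1, yd2 = dh_public(g, p, xd1), dh_public(g, p, xd2)    # Darth's values
    k_bob = dh_shared(yd1, b, p)        # Bob received YD1 instead of YA
    k_alice = dh_shared(yd2, a, p)      # Alice received YD2 instead of YB
    k1_darth = dh_shared(yb, xd1, p)    # equals Bob's key
    k2_darth = dh_shared(ya, xd2, p)    # equals Alice's key
    return {"alice": k_alice, "bob": k_bob,
            "darth_k1": k1_darth, "darth_k2": k2_darth}


if __name__ == "__main__":
    print(dh_exchange(37, 13, 10, 7))    # (4, 32, 30, 30): example 1
    print(dh_exchange(47, 5, 18, 22))    # (2, 28, 24, 24): example 2
    print(discrete_log(13, 4, 37))       # 10: Alice's secret, recoverable only at toy size
    print(dh_mitm(37, 13, 10, 7, 5, 9))  # Alice and Bob hold different keys, Darth holds both
```

The MITM result shows the failure mode concretely: Alice's key equals Darth's K2 and Bob's key equals Darth's K1, while Alice and Bob no longer agree, yet neither of them can tell from the exchange alone. Signing YA and YB (or carrying them in certificates) is what prevents the substitution.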

Elliptic Curve Cryptography (ECC)

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the
algebraic structure of elliptic curves over finite fields. The use of elliptic curves in
cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985. The
principal attraction of ECC compared to RSA is that it appears to offer equal security for a far
smaller key size, thereby reducing the processing overhead.
Elliptic Curve over GF(p)
Let GF(p) be a finite field with p > 3, and let a, b ∈ GF(p) with 4a^3 + 27b^2 ≢ 0 (mod p). An
elliptic curve, E(a,b)(GF(p)), is defined as the set of points (x,y) ∈ GF(p) × GF(p) which satisfy
the equation y^2 ≡ x^3 + ax + b (mod p), together with a special point, O, called the point at
infinity. Let P and Q be two points on E(a,b)(GF(p)) and O be the point at infinity.
• P+O = O+P = P

• If P = (x1,y1) then -P = (x1,-y1) and P + (-P) = O.

• If P = (x1,y1) and Q = (x2,y2), P and Q are not O, and Q ≠ -P,

then P+Q = (x3,y3) where

x3 = λ^2 - x1 - x2
y3 = λ(x1 - x3) - y1 and
λ = (y2-y1)/(x2-x1) if P ≠ Q
λ = (3x1^2 + a)/(2y1) if P = Q
(division here means multiplication by the inverse modulo p).
An elliptic curve may be defined over any finite field GF(q). For GF(2^m), the curve has a
different form: y^2 + xy = x^3 + ax^2 + b, where b ≠ 0.
Cryptography with Elliptic Curves
The addition operation in ECC is the counterpart of modular multiplication in RSA, and repeated
addition (scalar multiplication) is the counterpart of modular exponentiation. To form a
cryptographic system using elliptic curves, some kind of hard problem such as discrete logarithm
or factorization is needed. Considering the equation Q=kP, where Q, P are points on an elliptic
curve, it is "easy" to compute Q given k, P, but "hard" to find k given Q, P. This is known as the
elliptic curve discrete logarithm problem. k can be so large as to make brute force fail.

ECC Key Exchange
Pick a prime number p ≈ 2^180 and elliptic curve parameters a and b for the equation
y^2 ≡ x^3 + ax + b (mod p), which defines the elliptic group of points Ep(a,b). Select a generator
point G=(x1,y1) in Ep(a,b) such that the smallest value n for which nG=O is a very large prime
number. Ep(a,b) and G are parameters of the cryptosystem known to all participants. The
following steps take place:
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA×G, PB=nB×G
• compute shared key: K=nA×PB, K=nB×PA {same since K=nA×nB×G}
ECC Encryption/Decryption
As with the key exchange system, an encryption/decryption system requires a point G and an
elliptic group Ep(a,b) as parameters. The first thing to be done is to encode the plaintext
message m to be sent as an x-y point Pm. Each user chooses a private key nA<n and computes
the public key PA=nA×G. To encrypt and send a message Pm to B, A chooses a random positive
integer k and produces the ciphertext Cm consisting of the pair of points Cm={kG, Pm+kPB}.
Here, A uses B's public key. To decrypt the ciphertext, B multiplies the first point in the pair
by B's secret key and subtracts the result from the second point:
Pm+kPB – nB(kG) = Pm+k(nBG) – nB(kG) = Pm. A has masked the message Pm by adding kPB
to it. Nobody but A knows the value of k, so even though PB is a public key, nobody can remove
the mask kPB. For an attacker to recover the message, he has to compute k given G and kG,
which is assumed hard. A fresh random k must be chosen for every message: if the same k is
used for two messages, anyone can subtract the two second components and obtain Pm1 - Pm2.
Security of ECC
To protect a 128-bit AES key it would take an RSA key size of 3072 bits,
whereas an ECC key size of 256 bits suffices.

Hence for similar security ECC offers significant computational advantages.
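As an added example (not part of the notes), the following Python implements the point addition and doubling formulas given above, double-and-add scalar multiplication, the ECC key exchange, and the encryption Cm={kG, Pm+kPB} with its decryption. The curve y^2 = x^3 + 2x + 2 (mod 17) with generator G=(5,1) is a toy curve chosen here because its values can be checked by hand (G has prime order 19); it is an assumption of this example, not a curve from the notes, and nothing below is suitable for real use. It requires Python 3.8+ for `pow(x, -1, p)`.

```python
# Added example (not from the notes): elliptic-curve arithmetic over GF(p), the
# ECDH exchange, and the ElGamal-style encryption Cm = {kG, Pm + kPb} from the
# notes, on a toy curve (assumed here) whose points can be checked by hand.
P, A, B = 17, 2, 2              # y^2 = x^3 + 2x + 2 (mod 17); 4a^3 + 27b^2 != 0 mod 17
G = (5, 1)                      # generator, order 19 (prime)
O = None                        # the point at infinity


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_neg(pt):
    """-P = (x, -y)."""
    return O if pt is O else (pt[0], (-pt[1]) % P)


def ec_add(p1, p2):
    """Chord-and-tangent addition with the lambda formulas from the notes."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:      # P + (-P) = O (also doubling when y = 0)
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Scalar multiplication kP by double-and-add (the 'easy' direction)."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Smallest n with nP = O, by repeated addition (feasible only on a toy curve)."""
    n, cur = 1, pt
    while cur is not O:
        cur = ec_add(cur, pt)
        n += 1
    return n


def ecdh(na, nb):
    """Both sides compute nA*(nB*G) = nB*(nA*G); returns (K at A, K at B)."""
    pa, pb = ec_mul(na, G), ec_mul(nb, G)
    return ec_mul(na, pb), ec_mul(nb, pa)


def ec_encrypt(pm, pb, k):
    """Cm = {kG, Pm + kPb}; k must be fresh and random for every message."""
    return ec_mul(k, G), ec_add(pm, ec_mul(k, pb))


def ec_decrypt(cm, nb):
    """Pm = (Pm + kPb) - nB(kG)."""
    c1, c2 = cm
    return ec_add(c2, ec_neg(ec_mul(nb, c1)))


if __name__ == "__main__":
    print(ec_add(G, G), ec_mul(3, G), point_order(G))   # (6, 3) (10, 6) 19
    print(ecdh(3, 7))                                    # both sides: 21G = 2G = (6, 3)
    pm = ec_mul(7, G)                                    # a message already encoded as a point
    cm = ec_encrypt(pm, ec_mul(5, G), 4)                 # B's private key is 5, sender picks k=4
    print(pm, ec_decrypt(cm, 5))                         # (0, 6) (0, 6)
```

Encoding an arbitrary plaintext as a curve point is left out (the message here is simply a multiple of G). On this 19-point group `point_order` and a brute-force search for k are instant, which is exactly what a 256-bit curve order rules out.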


Applications of ECC:
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption sessions
 Any application where security is needed but lacks the power, storage and
computational power that is necessary for our current cryptosystems

Key Management
One of the major roles of public-key encryption has been to address the problem of key
distribution. Two distinct aspects to the use of public-key encryption are present:
 The distribution of public keys.
 Use of public-key encryption to distribute secret keys.

Distribution of Public Keys
The most general schemes for distribution of public keys are given below.
Public Announcement Of Public Keys
Here any participant can send his or her public key to any other participant or broadcast the key to
the community at large. For example, many PGP users have adopted the practice of appending
their public key to messages that they send to public forums.

Though this approach seems convenient, it has a major drawback. Anyone can forge such a
public announcement. Some user could pretend to be user A and send a public key to another
participant or broadcast such a public key. Until the time when A discovers the forgery
and alerts other participants, the forger is able to read all encrypted messages intended for A
and can use the forged keys for authentication.

Publicly Available Directory

A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys. Maintenance and distribution of the public directory would have to
be the responsibility of some trusted entity or organization. It includes the following
elements:
1. The authority maintains a directory with a {name, public key} entry for each participant.
2. Each participant registers a public key with the directory authority. Registration would
have to be in person or by some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at any time, either because
of the desire to replace a public key that has already been used for a large amount of
data, or because the corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure,
authenticated communication from the authority to the participant is mandatory.
This scheme still has some vulnerability. If an adversary succeeds in
obtaining or computing the private key of the directory authority, the adversary could
authoritatively pass out counterfeit public keys and subsequently impersonate any participant
and eavesdrop on messages sent to any participant. Or else, the adversary may tamper
with the records kept by the authority.

Public-Key Authority
Stronger security for public-key distribution can be achieved by providing tighter
control over the distribution of public keys from the directory. This scenario assumes the
existence of a public authority (whoever that may be) that maintains a dynamic directory of
public keys of all users. The public authority has its own (private key, public key) pair that it
uses to communicate with users. Each participant reliably knows a public key for the authority,
with only the authority knowing the corresponding private key. For example, consider that
Alice and Bob wish to communicate with each other; the following steps take place and
are also shown in the figure below:

1.) Alice sends a timestamped message to the central authority with a request for Bob's
public key (the timestamp marks the moment of the request).

2.) The authority sends back a message encrypted with its private key (for authentication). The
message contains Bob's public key and the original message of Alice; this way Alice knows
this is not a reply to an old request.

3.) Alice starts the communication with Bob by sending him a message encrypted with Bob's
public key, containing her identity IDA and a nonce N1 (to identify this transaction uniquely).

4.) Bob requests Alice's public key in the same way (step 1).

5.) Bob acquires Alice's public key in the same way as Alice did (step 2).

6.) Bob replies to Alice by sending a message encrypted with Alice's public key containing N1
plus a newly generated nonce N2 (to identify the transaction uniquely).

7.) Alice replies once more, encrypting Bob's nonce N2 with Bob's public key, to assure Bob
that its correspondent is Alice.
Thus, a total of seven messages are required. However, the initial four messages need be used
only infrequently because both A and B can save the other's public key for future use, a
technique known as caching. Periodically, a user should request fresh copies of the public
keys of its correspondents to ensure currency.

Public-Key Certificates
The above technique looks attractive, but still has some drawbacks. For any
communication between any two users, the central authority must be consulted by both users
to get the newest public keys, i.e. the central authority must be online 24 hours a day. If the
central authority goes offline, all secure communications come to a halt. This clearly leads to an
undesirable bottleneck. A further improvement is to use certificates, which can be used to
exchange keys without contacting a public-key authority, in a way that is as reliable as if the
keys were obtained directly from a public-key authority. A certificate binds an identity to a
public key, with all contents signed by a trusted Public-Key or Certificate Authority (CA). A
user can present his or her public key to the authority in a secure manner and obtain a
certificate. The user can then publish the certificate. Anyone needing this user's public key can
obtain the certificate and verify that it is valid by way of the attached trusted signature. A
participant can also convey its key information to another by transmitting its certificate.
Other participants can verify that the certificate was created by the authority. This certificate
issuing scheme has the following requirements:
1. Any participant can read a certificate to determine the name and public key of the
certificate's owner.

2. Any participant can verify that the certificate originated from the certificate authority and is
not counterfeit.

3. Only the certificate authority can create and update certificates.

4. Any participant can verify the currency of the certificate.

Application must be in person or by some form of secure authenticated communication. For
participant A, the authority provides a certificate of the form
CA = E(PRauth, [T||IDA||PUa]), where PRauth is the private key used by the authority and T is
a timestamp. A may then pass this certificate on to any other participant, who reads and
verifies the certificate as follows: D(PUauth, CA) = D(PUauth, E(PRauth, [T||IDA||PUa])) =
(T||IDA||PUa). The recipient uses the authority's public key, PUauth, to decrypt the certificate.
Because the certificate is readable only using the authority's public key, this verifies that the
certificate came from the certificate authority. The elements IDA and PUa provide the
recipient with the name and public key of the certificate's holder. The timestamp T validates
the currency of the certificate. The timestamp counters the following scenario. A's private key
is learned by an adversary. A generates a new private/public key pair and applies to the
certificate authority for a new certificate. Meanwhile, the adversary replays the old certificate
to B. If B then encrypts messages using the compromised old public key, the adversary can read
those messages. In this context, the compromise of a private key is comparable to the loss
of a credit card. The owner cancels the credit card number but is at risk until all possible
communicants are aware that the old credit card is obsolete. Thus, the timestamp serves as
something like an expiration date. If a certificate is sufficiently old, it is assumed to be
expired. (A timestamp alone only bounds the exposure; a compromised key must also be revoked
explicitly, which is why X.509 adds certificate revocation lists and online status checking.)
One scheme has become universally accepted for formatting public-key certificates: the
X.509 standard. X.509 certificates are used in most network security applications, including IP
security, secure sockets layer (SSL)/TLS, secure electronic transactions (SET), and S/MIME.
Secret Key Distribution With Confidentiality And Authentication

It is assumed that A and B have exchanged public keys by one of the schemes described earlier.
Then the following steps occur:

1. A uses B's public key to encrypt a message to B containing an
identifier of A (IDA) and a nonce (N1), which is used to identify this
transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce
(N1) as well as a new nonce generated by B (N2). Because only B could
have decrypted message (1), the presence of N1 in message (2) assures
A that the correspondent is B.
3. A returns N2 encrypted using B's public key, to assure B that its correspondent is
A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B.
Encryption of this message with B's public key ensures that only B can
read it; encryption with A's private key ensures that only A could have
sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
The result is that this scheme ensures both confidentiality and
authentication in the exchange of a secret key.
Digital Signatures and Certificates:

Digital Signature
A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software, or digital document. A digital signature scheme consists of
three algorithms:

1. Key Generation Algorithm: produces the signer's key pair. The private key (signature key) is
kept by the signer and the public key (verification key) is published. A digital signature assures
that the message was sent by a particular sender. While performing digital transactions,
authenticity and integrity should be assured; otherwise, the data can be altered or someone
can act as if he were the sender and expect a reply.
2. Signing Algorithm: To create a digital signature, signing software (such as an email program)
first creates a one-way hash of the electronic data which is to be signed. The signing algorithm
then encrypts the hash value using the private key (signature key). This encrypted hash,
along with other information such as the hashing algorithm, is the digital signature. The
digital signature is appended to the data and sent to the verifier. The reason for
signing the hash instead of the entire message or document is that a hash function
converts any arbitrary input into a much shorter fixed-length value. This saves time, as
now instead of signing a long message a shorter hash value has to be signed, and moreover
hashing is much faster than signing.
3. Signature Verification Algorithm: The verifier receives the digital signature along with the
data. It then uses the verification algorithm to process the digital signature and the public key
(verification key) and generates some value. It also applies the same hash function on the
received data and generates a hash value. Then the hash value and the output of the
verification algorithm are compared. If they are equal, the digital signature is
valid; else it is invalid.

The steps followed in creating a digital signature are:

1. The message digest is computed by applying a hash function to the message, and then the
message digest is encrypted using the private key of the sender to form the digital signature
(digital signature = encryption(private key of sender, message digest) and message digest =
message digest algorithm(message)).
2. The digital signature is then transmitted with the message (message + digital signature is
transmitted).
3. The receiver decrypts the digital signature using the public key of the sender. (This assures
authenticity, as only the sender has his private key, so only the sender can encrypt using his
private key, which can thus be decrypted with the sender's public key.)
4. The receiver now has the message digest.
5. The receiver computes the message digest from the message (the actual message is sent
with the digital signature).
6. The message digest computed by the receiver and the message digest obtained by decrypting
the digital signature must be the same for integrity to be ensured.
The message digest is computed using a one-way hash function, i.e. a hash function for which
computing the hash value of a message is easy but computing a message from its hash
value is very difficult. It must also be infeasible to find two messages with the same hash
value; otherwise a signature on one of them would be valid for the other.
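As an added example (not part of the notes), the following Python puts together the two procedures described above: hash-then-sign with textbook RSA, a toy certificate authority issuing C_A = E(PR_auth, [T||ID_A||PU_a]) as in the Public-Key Certificates section, and the checks a relying party performs (authority signature, timestamp currency, then the holder's message signature). The two key pairs are hard-coded small textbook values assumed for the example; because their moduli are far smaller than a SHA-256 digest, the digest is signed one byte per RSA block, which is a demonstration device only. Real signatures use a 2048-bit key, PKCS#1 padding and X.509 certificates.

```python
# Added example (not from the notes): hash-then-sign with textbook RSA, a toy CA
# issuing C_A = E(PR_auth, [T||ID_A||PU_a]), and the relying party's checks.
# The key pairs below are hard-coded small textbook values (assumed here).
import hashlib

AUTH_PUB, AUTH_PRIV = (17, 3233), (2753, 3233)    # authority key pair, n = 61*53
ALICE_PUB, ALICE_PRIV = (5, 323), (173, 323)      # user A's key pair,  n = 17*19


def sign(priv, data):
    """Signature = one RSA block E(PR, h_i) per byte h_i of H(data).

    Per-byte blocks are only a way to fit a 256-bit digest under a toy modulus
    (each byte < 256 < n); real RSA signs one padded block under a large n.
    """
    d, n = priv
    return [pow(byte, d, n) for byte in hashlib.sha256(data).digest()]


def verify(pub, data, signature):
    """Recompute H(data) and compare it with D(PU, signature)."""
    e, n = pub
    recovered = [pow(block, e, n) for block in signature]
    return recovered == list(hashlib.sha256(data).digest())


def issue_certificate(authority_priv, timestamp, user_id, user_pub):
    """C_A = E(PR_auth, [T || ID_A || PU_a]); the body travels with its signature."""
    body = f"{timestamp}|{user_id}|{user_pub[0]},{user_pub[1]}".encode()
    return body, sign(authority_priv, body)


def verify_certificate(authority_pub, cert, now, max_age):
    """Return (ID_A, PU_a) if the authority's signature holds and T is current, else None."""
    body, sig = cert
    if not verify(authority_pub, body, sig):
        return None                         # counterfeit or altered certificate
    t, user_id, key = body.decode().split("|")
    if now - int(t) > max_age:
        return None                         # too old: treated as expired
    e, n = (int(v) for v in key.split(","))
    return user_id, (e, n)


def verify_signed_message(authority_pub, cert, now, max_age, message, signature):
    """Relying party: validate the certificate first, then the message signature."""
    res = verify_certificate(authority_pub, cert, now, max_age)
    if res is None:
        return False
    _, user_pub = res
    return verify(user_pub, message, signature)


if __name__ == "__main__":
    cert = issue_certificate(AUTH_PRIV, 1000, "alice", ALICE_PUB)   # T = 1000 (constructed)
    msg = b"transfer 100 to bob"                                    # constructed message
    sig = sign(ALICE_PRIV, msg)
    print(verify_signed_message(AUTH_PUB, cert, 1500, 3600, msg, sig))                    # True
    print(verify_signed_message(AUTH_PUB, cert, 1500, 3600, b"transfer 900 to bob", sig)) # False
    print(verify_signed_message(AUTH_PUB, cert, 9000, 3600, msg, sig))                    # False: expired
```

The three checks fail independently: a modified message no longer matches the recovered digest, a certificate body whose key field is altered no longer verifies under PU_auth, and a certificate older than `max_age` is rejected even though its signature is intact, which is the timestamp's role in the replay scenario described above.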

Benefits of Digital Signatures

 Legal documents and contracts: Digital signatures are legally binding in many jurisdictions.
This makes them ideal for any legal document that requires a signature authenticated by one or
more parties and guarantees that the record has not been altered.
 Sales contracts: Digital signing of contracts and sales contracts authenticates the
identity of the seller and the buyer, and both parties can be sure that the signatures are
legally binding and that the terms of the agreement have not been changed.
 Financial documents: Finance departments digitally sign invoices so customers can trust
that the payment request is from the right seller, not from a bad actor trying to trick the
buyer into sending payments to a fraudulent account.
 Health data: In the healthcare industry, privacy is paramount for both patient records
and research data. Digital signatures ensure that this confidential information was not
modified when it was transmitted between the consenting parties.
 Government: Federal, state, and local government agencies have stricter policies and
regulations than many private sector companies. From approving permits to stamping a
timesheet, digital signatures can optimize productivity by ensuring the right person is
involved with the proper approvals.
 Shipping documents: Digital signatures help manufacturers avoid costly shipping errors by
ensuring cargo manifests or bills of lading are always correct. Physical papers are
cumbersome, not always easily accessible during transport, and can be lost. By digitally
signing shipping documents, the sender and recipient can quickly access a file, check that
the signature is up to date, and ensure that no tampering has occurred.
Drawbacks of Digital Signatures
 Dependence on key management: Digital signatures rely on the secure management of
cryptographic keys. This means that the sender must keep their private key safe and secure
from unauthorized access, while the recipient must verify the sender's public key to ensure
its authenticity. Any failure in key management can compromise the security of the digital
signature.
 Complexity: Digital signatures require a complex process of key
generation, signing, and verification. This can make them difficult to implement and use for
non-technical users.
 Compatibility: Different digital signature algorithms and formats may not be compatible
with each other, making it difficult to exchange signed messages across different systems
and applications.
 Legal recognition: Although digital signatures have legal recognition in many countries,
their legal status may not be clear in all jurisdictions. This can limit their usefulness in legal
or regulatory contexts.
 Revocation: In case of key compromise or other security issues, the signer's key (and its
certificate) must be revoked to prevent misuse. However, the revocation process can be
complex and may not be effective in all cases.
 Cost: Digital signatures may involve additional costs for key
management, certificate issuance, and other related services, which can make them
expensive for some users or organizations.
 Limited scope: Digital signatures provide authentication and integrity protection for a
message, but they do not provide confidentiality or protection against other types of
attacks, such as denial-of-service attacks or malware.
Digital Certificate
A digital certificate is issued by a trusted third party and proves the sender's identity to the
receiver and the receiver's identity to the sender. A digital certificate is a certificate issued by a
Certificate Authority (CA) to verify the identity of the certificate holder. The CA issues a
digitally signed certificate containing the applicant's public key and a variety of other
identification information. A digital certificate is used to bind a public key to a particular
individual or entity.
A digital certificate contains:
1. Name of the certificate holder.
2. Serial number, which is used to uniquely identify the certificate and thus the individual or
entity identified by it.
3. Expiration dates (validity period).
4. Copy of the certificate holder's public key (used by others to encrypt messages to the holder
and to verify the holder's digital signatures).
5. Digital signature of the certificate-issuing authority.
The digital certificate is also sent along with the digital signature and the message.
