
UNIT-2

SYMMETRIC KEY CIPHERS


BLOCK CIPHER PRINCIPLES

Stream Ciphers and Block Ciphers

A stream cipher is one that encrypts a digital data stream one bit or one byte
at a time.

Examples of classical stream ciphers are the autokeyed Vigenère cipher and the
Vernam cipher.

In the ideal case, a one-time pad version of the Vernam cipher would be used, in
which the keystream (Ki) is as long as the plaintext bit stream (Pi). If the
cryptographic keystream is random, then this cipher is unbreakable by any
means other than acquiring the keystream.

The bit-stream generator is a key-controlled algorithm and must produce a bit
stream that is cryptographically strong.

A block cipher is one in which a block of plaintext is treated as a whole and used
to produce a ciphertext block of equal length. Typically, a block size of 64 or
128 bits is used. As with a stream cipher, the two users share a symmetric
encryption key.

V SAMBASIVA, Assistant Professor, Dept of CSE 1


Motivation for the Feistel Cipher Structure

A block cipher operates on a plaintext block of n bits to produce a ciphertext
block of n bits. There are 2^n possible different plaintext blocks and, for the
encryption to be reversible (i.e., for decryption to be possible), each must
produce a unique ciphertext block.

The logic of a general substitution cipher for a 4-bit input: each of the 16
possible input states is mapped by the substitution cipher into a unique one of
16 possible output states, each of which is represented by 4 ciphertext bits.

Block Cipher Principles

A block cipher is designed by considering three critical aspects, listed below:

1. Number of Rounds
2. Design of Function F
3. Key Schedule Algorithm

1. Number of Rounds

The number of rounds determines the strength of the block cipher algorithm: the
greater the number of rounds, the more difficult it is for cryptanalysis to
break the algorithm.

Even if the function F is relatively weak, a sufficient number of rounds makes
the algorithm tough to break.

2. Design of Function F

The function F of the block cipher must be designed so that it is infeasible
for cryptanalysis to unscramble the substitution. The criterion that
strengthens the function F is its non-linearity: the more nonlinear F is, the
more difficult it is to crack.

While designing the function F it should also be confirmed that it has a good
avalanche property, which states that a change in one bit of the input must
produce a change in many bits of the output.

The function F should further satisfy the bit independence criterion, which
states that the output bits must change independently of one another when any
input bit is changed.

3. Key Schedule Algorithm

It is suggested that the key schedule should also satisfy the strict avalanche
criterion and the bit independence criterion.
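The following Python program is an added example, not code from these notes and not DES: it builds a 16-round Feistel network around a constructed, deliberately non-invertible round function F and a constructed key schedule (neither is secure), to show the two design points above in running code. Decryption is the same network with the subkeys applied in reverse order, so the cipher is reversible even though F is not, and `avalanche_profile` measures the avalanche property by flipping one plaintext bit at a time and counting the ciphertext bits that change.

```python
"""Feistel structure and avalanche measurement on a constructed toy cipher.

Added example, not code from the notes and not DES. The round function F and
the key schedule are constructed (and NOT secure); they exist only to show
that a Feistel network is reversible even though F is not, because decryption
is the same network with the subkeys reversed, and how the avalanche property
is measured by flipping one plaintext bit and counting changed output bits.
"""

MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1
ROUNDS = 16


def subkeys(key: int) -> list:
    """Constructed key schedule: 16 32-bit subkeys from a 64-bit key."""
    ks = []
    for r in range(ROUNDS):
        rot = ((key << (3 * r)) | (key >> (64 - 3 * r))) & MASK64
        ks.append((rot ^ (0x9E3779B9 * (r + 1))) & MASK32)
    return ks


def F(right: int, k: int) -> int:
    """Constructed round function. Squaring mod 2^32 makes it many-to-one,
    so F has no inverse; the Feistel structure never needs one."""
    x = (right ^ k) & MASK32
    x = (x * x + 0x9E3779B9) & MASK32
    x ^= x >> 16
    return ((x << 7) | (x >> 25)) & MASK32


def feistel(block: int, ks: list) -> int:
    """Run the network with the given subkey order on a 64-bit block."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in ks:
        left, right = right, left ^ F(right, k)
    # Undo the last swap so the same procedure with reversed subkeys inverts it.
    return (right << 32) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, subkeys(key))


def decrypt(block: int, key: int) -> int:
    return feistel(block, list(reversed(subkeys(key))))


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def avalanche(block: int, key: int, bit: int) -> int:
    """Ciphertext bits that change when plaintext bit `bit` is flipped."""
    return hamming(encrypt(block, key), encrypt(block ^ (1 << bit), key))


def avalanche_profile(block: int, key: int) -> list:
    """Avalanche count for each of the 64 plaintext bit positions; for a good
    cipher every entry should sit near 32 (half of the output bits)."""
    return [avalanche(block, key, b) for b in range(64)]


if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, 0xFEDCBA9876543210
    ct = encrypt(pt, key)
    print(hex(ct), hex(decrypt(ct, key)), avalanche_profile(pt, key))
```

Because `encrypt` is a permutation of the 64-bit block space, flipping any plaintext bit always changes at least one ciphertext bit; the profile shows how far the toy is from the ideal of about 32 changed bits per flip, which is exactly the measurement one would make when evaluating a candidate F.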

DATA ENCRYPTION STANDARD

The Data Encryption Standard (DES) is a symmetric-key block cipher published
by the National Institute of Standards and Technology (NIST).

DES is an implementation of a Feistel cipher. It uses a 16-round Feistel
structure.

The block size is 64 bits. Though the key length is 64 bits, DES has an
effective key length of 56 bits, since 8 of the 64 bits of the key are not used
by the encryption algorithm (they function as check bits only). The general
structure of DES is depicted in the following illustration.

Since DES is based on the Feistel cipher, all that is required to specify DES is:

• Round function
• Key schedule
• Any additional processing: initial and final permutation

Initial and Final Permutation

The initial and final permutations are straight permutation boxes (P-boxes) that
are inverses of each other. They have no cryptographic significance in DES. The
initial and final permutations are shown as follows.



Round Function

The heart of this cipher is the DES function, f. The DES function applies a
48-bit round key to the rightmost 32 bits to produce a 32-bit output.

Expansion Permutation Box − Since the right input is 32 bits and the round key
is 48 bits, we first need to expand the right input to 48 bits. The permutation
logic is graphically depicted in the following illustration, and is generally
described as a table in the DES specification, illustrated as shown.



• XOR (Whitener) − After the expansion permutation, DES does an XOR operation
on the expanded right section and the round key. The round key is used only in
this operation.
• Substitution Boxes − The S-boxes carry out the real mixing (confusion). DES
uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer to the
following illustration.

The S-box rule is illustrated below. The output of all eight S-boxes is then
combined into a 32-bit section.



Straight Permutation − The 32-bit output of the S-boxes is then subjected to
the straight permutation with the rule shown in the following illustration:

Key Generation

The round-key generator creates sixteen 48-bit keys out of the 56-bit cipher
key. The process of key generation is depicted in the following illustration.

ADVANCED ENCRYPTION STANDARD

The Advanced Encryption Standard (AES) was published by the National Institute
of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher
that is intended to replace DES as the approved standard for a wide range of
applications.

AES is a block cipher intended to replace DES for commercial applications. It
uses a 128-bit block size and a key size of 128, 192, or 256 bits.

AES does not use a Feistel structure. Instead, each full round consists of four
separate functions: byte substitution, permutation, arithmetic operations over a
finite field, and XOR with a key.



General Structure

Figure shows the overall structure of the AES encryption process. The cipher
takes a plaintext block size of 128 bits, or 16 bytes. The key length can be 16,
24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as
AES-128, AES-192, or AES-256, depending on the key length.

AES is found to be at least six times faster than Triple DES. A replacement for
DES was needed because its key size was too small; with increasing computing
power, DES was considered vulnerable to exhaustive key search attacks. Triple
DES was designed to overcome this drawback but was found to be slow.

The features of AES are as follows:

• Symmetric-key, symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger and faster than Triple-DES
• Provides full specification and design details
• Software implementable in C and Java

Operation of AES

AES is an iterative rather than a Feistel cipher. It is based on a
'substitution–permutation network'. It comprises a series of linked operations,
some of which involve replacing inputs by specific outputs (substitutions) and
others involve shuffling bits around (permutations).

Interestingly, AES performs all its computations on bytes rather than bits.
Hence, AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes
are arranged in four columns and four rows for processing as a matrix −

Unlike DES, the number of rounds in AES is variable and depends on the length
of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and
14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit
round key, which is calculated from the original AES key.

The schematic of the AES structure is given in the following illustration.

Encryption Process

Here, we restrict ourselves to the description of a typical round of AES
encryption. Each round comprises four sub-processes. The first round process is
depicted below.



Byte Substitution (SubBytes)

The 16 input bytes are substituted by looking up a fixed table (S-box) given in
the design. The result is a matrix of four rows and four columns.

ShiftRows

Each of the four rows of the matrix is shifted to the left. Any entries that
'fall off' are re-inserted on the right side of the row. The shift is carried
out as follows:

• The first row is not shifted.
• The second row is shifted one (byte) position to the left.
• The third row is shifted two positions to the left.
• The fourth row is shifted three positions to the left.
• The result is a new matrix consisting of the same 16 bytes but shifted with
respect to each other.

[ b0  | b1  | b2  | b3  ]      [ b0  | b1  | b2  | b3  ]
| b4  | b5  | b6  | b7  |  ->  | b5  | b6  | b7  | b4  |
| b8  | b9  | b10 | b11 |      | b10 | b11 | b8  | b9  |
[ b12 | b13 | b14 | b15 ]      [ b15 | b12 | b13 | b14 ]

MixColumns

Each column of four bytes is now transformed using a special mathematical
function. This function takes as input the four bytes of one column and outputs
four completely new bytes, which replace the original column. The result is
another new matrix consisting of 16 new bytes. It should be noted that this
step is not performed in the last round.

[ c0 ]   [ 2 3 1 1 ] [ b0 ]
| c1 | = | 1 2 3 1 | | b1 |
| c2 |   | 1 1 2 3 | | b2 |
[ c3 ]   [ 3 1 1 2 ] [ b3 ]
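As an added example (not code from these notes), the Python below implements ShiftRows and MixColumns, together with their inverses, on a 4x4 byte matrix laid out as the diagrams above draw it (rows of four bytes, b0..b3 in the first row). The MixColumns matrix is the one printed above; the inverse matrix and the GF(2^8) arithmetic with the AES reduction polynomial are taken from FIPS 197, and the check column d4 bf 5d 30 -> 04 66 81 e5 is the standard worked example from that specification. Note that FIPS 197 fills the state column by column, so byte indices differ from the row-major drawing, but the row and column operations are identical.

```python
"""ShiftRows and MixColumns (with inverses) on a 4x4 byte matrix.

Added example, not code from the notes. The matrix is laid out as the notes
draw it: rows of four bytes, b0..b3 in row 0. The multiplication is in
GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B), as AES specifies.
"""


def xtime(b: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8); reduce by 0x1B on overflow."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """General GF(2^8) multiply by shift-and-add (repeated xtime)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


# Forward matrix from the notes; inverse matrix from FIPS 197 (InvMixColumns).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def shift_rows(state):
    """Row r is rotated left by r positions; bytes that fall off re-enter on the right."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state):
    """Row r is rotated right by r positions."""
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(state)]


def mix_column(col, matrix=MIX):
    """c = matrix * col, with products in GF(2^8) and sums as XOR."""
    return [gf_mul(matrix[r][0], col[0]) ^ gf_mul(matrix[r][1], col[1])
            ^ gf_mul(matrix[r][2], col[2]) ^ gf_mul(matrix[r][3], col[3])
            for r in range(4)]


def mix_columns(state, matrix=MIX):
    """Apply mix_column to each of the four columns of the 4x4 state."""
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)


def encrypt_round_linear_layer(state):
    """ShiftRows then MixColumns, as in every AES round except the last."""
    return mix_columns(shift_rows(state))


def decrypt_round_linear_layer(state):
    """Inverse steps in reverse order, as the decryption round applies them."""
    return inv_shift_rows(inv_mix_columns(state))


if __name__ == "__main__":
    print([hex(v) for v in mix_column([0xD4, 0xBF, 0x5D, 0x30])])
```

Because SubBytes and AddRoundKey are byte-wise, these two steps are the only place where bytes from different positions influence one another; that is why the last round omits MixColumns without weakening anything (a final linear layer would be cancelled by the attacker anyway) and why the diffusion of a single byte change across all 16 state bytes takes two rounds.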



AddRoundKey

The 16 bytes of the matrix are now considered as 128 bits and are XORed to
the 128 bits of the round key. If this is the last round then the output is the
ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and
we begin another similar round.

Decryption Process

The process of decryption of an AES ciphertext is similar to the encryption
process in the reverse order. Each round consists of the four processes
conducted in reverse order:

• Add round key
• Mix columns
• Shift rows
• Byte substitution

Since the sub-processes in each round are applied in reverse, unlike for a
Feistel cipher, the encryption and decryption algorithms need to be implemented
separately, although they are very closely related.

AES Analysis

In present-day cryptography, AES is widely adopted and supported in both
hardware and software. To date, no practical cryptanalytic attacks against AES
have been discovered. Additionally, AES has built-in flexibility of key length,
which allows a degree of 'future-proofing' against progress in the ability to
perform exhaustive key searches.

However, just as for DES, AES security is assured only if it is correctly
implemented and good key management is employed.

BLOWFISH ALGORITHM

Blowfish is an encryption technique designed by Bruce Schneier in 1993 as an
alternative to the DES encryption technique. It is significantly faster than
DES and provides a good encryption rate, with no effective cryptanalysis
technique found to date. It is one of the first secure block ciphers not
subject to any patents and hence freely available for anyone to use.



1. Block size: 64 bits
2. Key size: 32 bits to 448 bits (variable)
3. Number of subkeys: 18 (P-array)
4. Number of rounds: 16
5. Number of substitution boxes: 4 (each having 512 entries of 32 bits each)

Blowfish Encryption Algorithm

The entire encryption process can be elaborated as follows. Let us see each
step one by one:

Step 1: Generation of subkeys:

• 18 subkeys {P[0]…P[17]} are needed in both the encryption and the decryption
process, and the same subkeys are used for both processes.
• These 18 subkeys are stored in a P-array, with each array element being a
32-bit entry.
• It is initialized with the digits of π.
• The hexadecimal representation of each of the subkeys is given by:

Now each of the subkeys is changed with respect to the input key as:

P[0]  = P[0]  xor 1st 32 bits of input key
P[1]  = P[1]  xor 2nd 32 bits of input key
...
P[i]  = P[i]  xor (i+1)th 32 bits of input key
        (rolling over to the 1st 32 bits depending on the key length)
...
P[17] = P[17] xor 18th 32 bits of input key
        (rolling over to the 1st 32 bits depending on the key length)

The resultant P-array holds 18 subkeys that are used during the entire
encryption process.
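The key-rollover XOR described above, as an added Python example that is not code from these notes. `P_INIT` holds the 18 published initial P-array constants (the hexadecimal digits of π that Blowfish uses); `key_words` reads 32-bit words cyclically from a key of 4 to 56 bytes, so a key shorter than 72 bytes wraps around exactly as the notes describe. Only this first step is shown: the S-box initialisation and the repeated encryption of the zero block that complete the real Blowfish key schedule are not performed here.

```python
"""Blowfish step 1: XOR the 18 P-array words with the cyclically extended key.

Added example, not code from the notes. P_INIT holds the 18 initial P-array
constants published with Blowfish (hex digits of pi). The S-box initialisation
and the zero-block encryptions that finish the real key schedule are NOT done
here; only the key-rollover XOR the notes describe is shown.
"""

P_INIT = [
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
    0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B,
]


def key_words(key: bytes, count: int) -> list:
    """Return `count` 32-bit big-endian words read cyclically from `key`.

    Blowfish keys are 32..448 bits (4..56 bytes). Eighteen words need 72
    bytes, so the read position always rolls over to the start of the key
    at least once.
    """
    if not 4 <= len(key) <= 56:
        raise ValueError("Blowfish key must be 4..56 bytes (32..448 bits)")
    words, pos = [], 0
    for _ in range(count):
        word = 0
        for _ in range(4):
            word = (word << 8) | key[pos]
            pos = (pos + 1) % len(key)  # roll over to the 1st byte of the key
        words.append(word)
    return words


def xor_p_array(key: bytes) -> list:
    """P[i] = P_INIT[i] XOR the (i+1)-th 32-bit word of the extended key."""
    return [p ^ w for p, w in zip(P_INIT, key_words(key, len(P_INIT)))]


if __name__ == "__main__":
    # Constructed sample key; every word of the extended key is printed
    # so the rollover after byte 4 is visible.
    for i, w in enumerate(key_words(b"ABCDE", 18)):
        print(i, hex(w))
    print([hex(p) for p in xor_p_array(b"ABCDE")])
```

A consequence worth seeing in the output: an all-zero key leaves the P-array at its π constants, and a 4-byte key XORs the same word into every entry, which is why the later zero-block encryption step exists to spread key material through the whole P-array and S-boxes.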

Step 2: Initialise substitution boxes:

• 4 substitution boxes (S-boxes) are needed {S[0]…S[3]} in both the encryption
and the decryption process, with each S-box having 256 entries
{S[i][0]…S[i][255], 0 ≤ i ≤ 3}, where each entry is 32 bits.
• They are initialized with the digits of π after initializing the P-array.

Step 3: Encryption:

• The encryption function consists of two parts:

a. Rounds: The encryption consists of 16 rounds, with each round (Ri) taking as
inputs the plaintext (P.T.) from the previous round and the corresponding
subkey (Pi). The description of each round is as follows:

The description of the function F is as follows:

Here the function "add" is addition modulo 2^32.

b. Post-processing: The output after the 16 rounds is processed as follows:



DIFFERENTIAL AND LINEAR CRYPTANALYSIS

One of the most significant advances in cryptanalysis in recent years is
differential cryptanalysis.

Differential Cryptanalysis Attack

The differential cryptanalysis attack is complex; only its rationale is
described here. The rationale behind differential cryptanalysis is to observe
the behaviour of pairs of text blocks evolving along each round of the cipher,
instead of observing the evolution of a single text block.

Linear Cryptanalysis



This attack is based on finding linear approximations to describe the
transformations performed in DES. This method can find a DES key given 2^43
known plaintexts, as compared to 2^47 chosen plaintexts for differential
cryptanalysis. Although this is a minor improvement, because it may be easier
to acquire known plaintext rather than chosen plaintext, it still leaves linear
cryptanalysis infeasible as an attack on DES.

BLOCK CIPHER MODES OF OPERATION

A block cipher processes the data blocks of fixed size. Usually, the size of a
message is larger than the block size. Hence, the long message is divided into a
series of sequential message blocks, and the cipher operates on these blocks
one at a time.

Electronic Code Book (ECB) Mode

This mode is the most straightforward way of processing a series of
sequentially listed message blocks.

Operation

• The user takes the first block of plaintext and encrypts it with the key to
produce the first block of ciphertext.
• He then takes the second block of plaintext and follows the same process
with the same key, and so on.

ECB mode is deterministic, that is, if plaintext blocks P1, P2, …, Pm are
encrypted twice under the same key, the output ciphertext blocks will be the
same.



In fact, for a given key we could technically create a codebook of ciphertexts
for all possible plaintext blocks. Encryption would then entail only looking up
the required plaintext and selecting the corresponding ciphertext. Thus the
operation is analogous to the assignment of code words in a codebook, and hence
gets its official name, Electronic Codebook (ECB) mode of operation. It is
illustrated as follows.

Analysis of ECB Mode

In reality, application data usually contain partial information which can be
guessed. For example, the range of a salary can be guessed. A ciphertext from
ECB can allow an attacker to guess the plaintext by trial and error if the
plaintext message is predictable.

For example, if a ciphertext from ECB mode is known to encrypt a salary figure,
then a small number of trials will allow an attacker to recover the figure. In
general, we do not wish to use a deterministic cipher, and hence ECB mode
should not be used in most applications.

Cipher Block Chaining (CBC) Mode

CBC mode of operation provides message dependence for generating ciphertext
and makes the system non-deterministic.

Operation

The operation of CBC mode is depicted in the following illustration. The steps
are as follows:

• Load the n-bit Initialization Vector (IV) into the top register.
• XOR the n-bit plaintext block with the data value in the top register.
• Encrypt the result of the XOR operation with the underlying block cipher
under key K.
• Feed the ciphertext block into the top register and continue the operation
till all plaintext blocks are processed.
• For decryption, the IV is XORed with the first decrypted ciphertext block.
The first ciphertext block is also fed into the register, replacing the IV, for
decrypting the next ciphertext block.



Analysis of CBC Mode

In CBC mode, the current plaintext block is added (XORed) to the previous
ciphertext block, and then the result is encrypted with the key. Decryption is
thus the reverse process, which involves decrypting the current ciphertext and
then adding the previous ciphertext block to the result.

The advantage of CBC over ECB is that changing the IV results in different
ciphertext for an identical message. On the drawback side, an error in
transmission gets propagated to a few further blocks during decryption due to
the chaining effect.

It is worth mentioning that CBC mode forms the basis for a well-known data
origin authentication mechanism. Thus, it has an advantage for those
applications that require both symmetric encryption and data origin
authentication.

Cipher Feedback (CFB) Mode

In this mode, each ciphertext block gets 'fed back' into the encryption process
in order to encrypt the next plaintext block.

Operation

The operation of CFB mode is depicted in the following illustration. For
example, in the present system, a message block has a size of s bits where
1 < s < n. CFB mode requires an initialization vector (IV) as the initial random
n-bit input block. The IV need not be secret. The steps of operation are:

• Load the IV into the top register.
• Encrypt the data value in the top register with the underlying block cipher
under key K.
• Take only the s most significant bits (left bits) of the output of the
encryption process and XOR them with the s-bit plaintext message block to
generate the ciphertext block.
• Feed the ciphertext block into the top register by shifting the already
present data to the left, and continue the operation till all plaintext blocks
are processed.
• Essentially, the previous ciphertext block is encrypted with the key, and
then the result is XORed with the current plaintext block.
• Similar steps are followed for decryption. The pre-decided IV is initially
loaded at the start of decryption.

Analysis of CFB Mode

CFB mode differs significantly from ECB mode: the ciphertext corresponding to a
given plaintext block depends not just on that plaintext block and the key, but
also on the previous ciphertext block. In other words, the ciphertext block is
dependent on the message.

CFB has a very strange feature. In this mode, the user decrypts the ciphertext
using only the encryption process of the block cipher. The decryption algorithm
of the underlying block cipher is never used.

Apparently, CFB mode is converting a block cipher into a type of stream cipher.
The encryption algorithm is used as a key-stream generator to produce a key
stream that is placed in the bottom register. This key stream is then XORed
with the plaintext, as in the case of a stream cipher.

By converting a block cipher into a stream cipher, CFB mode provides some of
the advantageous properties of a stream cipher while retaining the
advantageous properties of a block cipher.

On the flip side, a transmission error gets propagated because of the chaining
of blocks.

Output Feedback (OFB) Mode

It involves feeding the successive output blocks from the underlying block
cipher back into it. These feedback blocks provide the string of bits that
feeds the encryption algorithm, which acts as the key-stream generator as in
the case of CFB mode.

The key stream generated is XORed with the plaintext blocks. OFB mode requires
an IV as the initial random n-bit input block. The IV need not be secret.

The operation is depicted in the following illustration.

Counter (CTR) Mode

It can be considered as a counter-based version of CFB mode without the
feedback. In this mode, both the sender and receiver need access to a reliable
counter, which computes a new shared value each time a ciphertext block is
exchanged. This shared counter is not necessarily a secret value, but the
challenge is that both sides must keep the counter synchronized.

Operation

Both encryption and decryption in CTR mode are depicted in the following
illustration. The steps in operation are:

• Load the initial counter value into the top register; it is the same for
both the sender and the receiver. It plays the same role as the IV in CFB (and
CBC) mode.
• Encrypt the contents of the counter with the key and place the result in
the bottom register.
• Take the first plaintext block P1 and XOR it with the contents of the bottom
register. The result of this is C1. Send C1 to the receiver and update the
counter. The counter update replaces the ciphertext feedback in CFB mode.
• Continue in this manner until the last plaintext block has been encrypted.
• Decryption is the reverse process. The ciphertext block is XORed with the
output of the encrypted contents of the counter value. After decryption of each
ciphertext block, the counter is updated as in the case of encryption.
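The four modes described above (ECB, CBC, CFB and CTR), as one added Python example that is not code from these notes. Because the standard library has no block cipher, `toy_encrypt_block` is a constructed 64-bit keyed permutation standing in for DES or Blowfish; it is not secure and exists only so the modes run offline. The sample record and key are constructed. The example makes the ECB weakness from the analysis section visible (`repeated_blocks` reports identical ciphertext blocks for identical plaintext blocks), shows that CBC with a fresh IV hides that repetition, and shows that CFB and CTR never call the decryption direction of the block cipher.

```python
"""ECB, CBC, CFB and CTR over a constructed 64-bit toy block cipher.

Added example, not code from the notes. toy_encrypt_block is a constructed
keyed permutation standing in for DES/AES/Blowfish; it is NOT secure and
exists only so the modes can run offline. KEY and RECORD are constructed.
"""
import os

BLOCK = 8                          # bytes per block (64-bit, like DES/Blowfish)
MASK64 = (1 << 64) - 1
_C = 0x9E3779B97F4A7C15


def _rotl(x, n): return ((x << n) | (x >> (64 - n))) & MASK64
def _rotr(x, n): return ((x >> n) | (x << (64 - n))) & MASK64


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round ARX permutation; stands in for a real block cipher."""
    k, x = int.from_bytes(key, "big"), int.from_bytes(block, "big")
    for r in range(4):
        x = (_rotl(x ^ k, 13) + _C * (r + 1)) & MASK64
    return x.to_bytes(BLOCK, "big")


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block; of the four modes only ECB and CBC need it."""
    k, x = int.from_bytes(key, "big"), int.from_bytes(block, "big")
    for r in reversed(range(4)):
        x = _rotr((x - _C * (r + 1)) & MASK64, 13) ^ k
    return x.to_bytes(BLOCK, "big")


def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    """Each block is encrypted on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, p) for p in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt_block(key, c) for c in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(p, prev))  # chain the previous ciphertext in
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    """Full-block CFB (s = n): the block cipher is only ever run forwards."""
    out, reg = [], iv
    for p in _blocks(pt):
        reg = _xor(p, toy_encrypt_block(key, reg))
        out.append(reg)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, reg = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, toy_encrypt_block(key, reg)))
        reg = c
    return b"".join(out)


def ctr_crypt(key, initial_counter: bytes, data):
    """CTR: keystream block i = E(counter + i); one function encrypts and decrypts."""
    ctr, out = int.from_bytes(initial_counter, "big"), []
    for i, d in enumerate(_blocks(data)):
        ks = toy_encrypt_block(key, ((ctr + i) & MASK64).to_bytes(BLOCK, "big"))
        out.append(_xor(d, ks))
    return b"".join(out)


def repeated_blocks(ct) -> bool:
    """True if two ciphertext blocks are identical: the tell-tale leak of ECB."""
    cb = _blocks(ct)
    return len(set(cb)) < len(cb)


# Constructed sample: a record containing the same 8-byte salary field twice.
KEY = b"k3y-d3m0"
RECORD = b"SAL=5000" + b"DEPT=CSE" + b"SAL=5000" + b"DEPT=CSE"


def demo(iv=None):
    iv = iv or os.urandom(BLOCK)   # a fresh IV / counter start per message
    return {
        "ecb_leaks": repeated_blocks(ecb_encrypt(KEY, RECORD)),
        "cbc_leaks": repeated_blocks(cbc_encrypt(KEY, iv, RECORD)),
        "cfb_roundtrip": cfb_decrypt(KEY, iv, cfb_encrypt(KEY, iv, RECORD)) == RECORD,
        "ctr_roundtrip": ctr_crypt(KEY, iv, ctr_crypt(KEY, iv, RECORD)) == RECORD,
    }


if __name__ == "__main__":
    print(demo())
```

Reusing the same counter start with the same key in CTR reproduces the same keystream, so `ctr_crypt` must be given a counter value that is never repeated under one key; that is the synchronisation requirement the CTR section mentions, seen from the security side rather than the bookkeeping side.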



STREAM CIPHERS

A typical stream cipher encrypts plaintext one byte at a time, although a stream
cipher may be designed to operate on one bit at a time or on units larger than a
byte at a time. A key is input to a pseudorandom bit generator that produces a
stream of 8-bit numbers that are apparently random. The output of the
generator, called a keystream, is combined one byte at a time with the plaintext
stream using the bitwise exclusive-OR (XOR) operation. For example, if the
next byte generated by the generator is 01101100 and the next plaintext byte
is 11001100, then the resulting ciphertext byte is 10100000.

Decryption requires the use of the same pseudorandom sequence.

RC4

RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a
variable-key-size stream cipher with byte-oriented operations. The algorithm is
based on the use of a random permutation. Analysis shows that the period of
the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen
machine operations are required per output byte, and the cipher can be
expected to run very quickly in software. RC4 is used in the Secure Sockets
Layer/Transport Layer Security (SSL/TLS) standards that have been defined
for communication between Web browsers and servers.

The RC4 algorithm is remarkably simple and quite easy to explain. A
variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to
initialize a 256-byte state vector S, with elements S[0], S[1], S[2], …, S[255].

Initialization of S

To begin, the entries of S are set equal to the values from 0 through 255 in
ascending order; that is, S[0] = 0, S[1] = 1, S[2] = 2, …, S[255] = 255.

A temporary vector, T, is also created. If the length of the key K is 256
bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes,
the first keylen elements of T are copied from K, and then K is repeated as
many times as necessary to fill out T. These preliminary operations can be
summarized as



Stream Generation

Once the S vector is initialized, the input key is no longer used. Stream
generation involves cycling through all the elements of S, and for each S[i],
swapping S[i] with another byte in S according to a scheme dictated by the
current configuration of S. After S[255] is reached, the process continues,
starting over again at S[0].

/* Stream Generation */
i, j = 0;
while (true) {
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap(S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];
}
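The complete RC4 procedure (initialisation of S from the key, then the stream generation loop above) as an added Python example, not code from these notes. It is checked against the widely published test vector key "Key", plaintext "Plaintext", ciphertext bbf316e8d940af0ad3. `keystream_reuse_leak` shows the stream-cipher failure mode that matters in practice: encrypting two messages under the same key makes the XOR of the ciphertexts equal the XOR of the plaintexts, because the keystream cancels. RC4 itself is broken and prohibited in TLS (RFC 7465); it is shown here for study of the structure only.

```python
"""RC4 key scheduling (KSA) and stream generation (PRGA).

Added example, not code from the notes. Test vector: key "Key", plaintext
"Plaintext" -> ciphertext bbf316e8d940af0ad3 (widely published). RC4 is
broken and prohibited in TLS (RFC 7465); use it only to study the structure.
"""


def ksa(key: bytes) -> list:
    """Build S = identity permutation, then permute it under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))                          # S[0]=0, S[1]=1, ..., S[255]=255
    T = [key[i % len(key)] for i in range(256)]   # key repeated to fill T
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list):
    """Generator yielding keystream bytes; the key is no longer needed here."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes for a key (useful for inspecting output)."""
    stream = prga(ksa(key))
    return bytes(next(stream) for _ in range(n))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    stream = prga(ksa(key))
    return bytes(b ^ next(stream) for b in data)


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Under one key, c1 XOR c2 == p1 XOR p2: the keystream cancels out,
    which is why a stream-cipher key (or key+nonce) must never be reused."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex(), rc4(b"Key", ct))
```

The byte-level XOR in the stream-cipher section (01101100 XOR 11001100 = 10100000) is exactly what `rc4` performs for each position, with `prga` supplying the keystream byte.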

LOCATION AND PLACEMENT OF ENCRYPTION FUNCTION

If encryption is to be used to counter attacks on confidentiality, we need to
decide what to encrypt and where the encryption function should be located. To
begin, this section examines the potential locations of security attacks and then
looks at the two major approaches to encryption placement: link and end to end.

Potential Locations for Confidentiality Attacks

As an example, consider a user workstation in a typical business organization.
Figure 7.1 suggests the types of communications facilities that might be
employed by such a workstation and therefore gives an indication of the points
of vulnerability.



Figure 7.1. Points of Vulnerability

In most organizations, workstations are attached to local area networks (LANs).
Typically, the user can reach other workstations, hosts, and servers directly on
the LAN or on other LANs in the same building that are interconnected with
bridges and routers. Here, then, is the first point of vulnerability. In this case,
the main concern is eavesdropping by another employee. Typically, a LAN is a
broadcast network: Transmission from any station to any other station is visible
on the LAN medium to all stations. Data are transmitted in the form of frames,
with each frame containing the source and destination address. An
eavesdropper can monitor the traffic on the LAN and capture any traffic
desired on the basis of source and destination addresses. If part or all of the
LAN is wireless, then the potential for eavesdropping is greater.

Link versus End-to-End Encryption

The most powerful and most common approach to securing the points of
vulnerability highlighted in the preceding section is encryption. If encryption is
to be used to counter these attacks, then we need to decide what to encrypt
and where the encryption gear should be located. As Figure indicates, there are
two fundamental alternatives: link encryption and end-to-end encryption.



Encryption Across a Packet-Switching Network

V SAMBASIVA, Assistant Professor, Dept of CSE 26


PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEMS

The concept of public-key cryptography evolved from an attempt to attack two
of the most difficult problems associated with symmetric encryption. The first
problem is that of key distribution.

The second problem that Diffie pondered, and one that was apparently
unrelated to the first, was that of digital signatures.

Public key cryptosystem − Asymmetric algorithms depend on one key for
encryption and a distinct but related key for decryption. These algorithms have
the following characteristics:

• It is computationally infeasible to determine the decryption key given only
knowledge of the cryptographic algorithm and the encryption key.
• There are two related keys, such that one can be used for encryption, with
the other used for decryption.

A public key encryption scheme has the following ingredients:

• Plaintext − This is the readable message or information that is fed into
the algorithm as input.
• Encryption algorithm − The encryption algorithm performs various
transformations on the plaintext.
• Public and private keys − This is a pair of keys that have been selected so
that if one is used for encryption, the other is used for decryption.
• Ciphertext − This is the scrambled message generated as output. It depends
on the plaintext and the key. For a given message, two different keys will
create two different ciphertexts.
• Decryption algorithm − This algorithm accepts the ciphertext and the
matching key and produces the original plaintext.

The essential steps are the following.

1. Each user generates a pair of keys to be used for the encryption and
decryption of messages.

2. Each user places one of the two keys in a public register or other accessible
file. This is the public key. The companion key is kept private. As the figure
suggests, each user maintains a collection of public keys obtained from others.

3. If Bob wishes to send a confidential message to Alice, Bob encrypts the
message using Alice's public key.

4. When Alice receives the message, she decrypts it using her private key. No
other recipient can decrypt the message because only Alice knows Alice's
private key.



Public Key Cryptography Requirements

To accomplish public key cryptography there are the following requirements, as
discussed below.

• The computation of the pair of keys, i.e. the private key and the public key,
must be easy.
• Knowing the encryption algorithm and the public key of the intended receiver,
computation of the ciphertext must be easy.
• For a receiver of the message, it should be computationally easy to decrypt
the obtained ciphertext using his private key.
• It is also required that any opponent in the network knowing the public key
should be unable to determine its corresponding private key.
• Having the ciphertext and the public key, an opponent should be unable to
determine the original message.
• The two keys, i.e. the public and private key, can be applied in either
order: D[PU, E(PR, M)] = D[PR, E(PU, M)]



RSA ALGORITHM

In this algorithm two keys are used: one is the private key and the other is
the public key.
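A toy RSA key pair as an added Python example (not code from these notes), using the textbook primes p = 61 and q = 53 so that every value can be checked by hand: n = 3233, e = 17, d = 2753, and message 65 encrypts to 2790. The same modular exponentiation serves as E or D depending on which key it is given, which is the "either order" property D[PU, E(PR, M)] = D[PR, E(PU, M)] from the requirements list above. `recover_private_key` factors the toy modulus by trial division to show why the requirement that an opponent cannot derive the private key from the public key rests entirely on the size of n; real deployments use 2048-bit or larger moduli, randomised padding (OAEP or PSS) and a vetted library, never raw exponentiation like this.

```python
"""Toy RSA: the two-key property M = D[PU, E(PR, M)] = D[PR, E(PU, M)].

Added example, not code from the notes. Textbook primes p=61, q=53 keep the
numbers hand-checkable. Raw RSA on tiny primes is NOT secure; real systems
use 2048-bit+ moduli, OAEP/PSS padding and a vetted library.
"""
from math import gcd, isqrt


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def keygen(p: int, q: int, e: int = 17):
    """Return (public key, private key) as (n, exponent) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, modinv(e, phi))


def apply(key, m: int) -> int:
    """Raw RSA: m^exp mod n. With PU it is E (encrypt / verify), with PR it is D (decrypt / sign)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exp, n)


def recover_private_key(public_key):
    """Trial-division factoring of n: feasible only because n is tiny.
    This is the attack the key-size requirement exists to rule out."""
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, modinv(e, (p - 1) * (q - 1)))
    raise ValueError("n is prime or 1; not an RSA modulus")


if __name__ == "__main__":
    pu, pr = keygen(61, 53)
    c = apply(pu, 65)                 # confidentiality: encrypt with PU
    s = apply(pr, 65)                 # signature: 'encrypt' with PR
    print(pu, pr, c, apply(pr, c), apply(pu, s))
```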



Diffie–Hellman Key Exchange/Agreement Algorithm

In this scheme the two parties who want to communicate securely can agree on
a symmetric key using this technique. This key can then be used for
encryption/decryption. However, we must note that the Diffie–Hellman key
exchange algorithm can be used only for key agreement, not for encryption or
decryption of messages. Once both parties agree on the key to be used, they
need to use other symmetric key encryption algorithms for the actual
encryption or decryption of messages.
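The agreement described above, as an added Python example that is not code from these notes. Both sides compute the same shared secret from their own private value and the other side's public value; the secret is then hashed into key bytes for a symmetric cipher, since (as the text says) Diffie–Hellman only agrees on a number and does not itself encrypt anything. The group parameters p = 23, g = 5 with private values 6 and 15 are the small textbook case (public values 8 and 19, shared secret 2); real deployments use a standardised group of 2048 bits or more (for example the RFC 7919 finite-field groups) or an elliptic-curve group, and must authenticate the exchanged public values, otherwise a man-in-the-middle can agree a separate key with each side.

```python
"""Diffie-Hellman key agreement, then a symmetric key derived from the secret.

Added example, not code from the notes. p=23, g=5 is a toy group for
hand-checkable arithmetic; real deployments use 2048-bit+ standard groups or
elliptic curves and authenticate the public values (unauthenticated DH is
open to a man-in-the-middle).
"""
import hashlib
import secrets


def random_private(p: int) -> int:
    """Private exponent in [2, p-2], from the OS CSPRNG."""
    return secrets.randbelow(p - 3) + 2


def public_value(p: int, g: int, private: int) -> int:
    """g^private mod p, the value sent to the peer in the clear."""
    return pow(g, private, p)


def shared_secret(p: int, peer_public: int, private: int) -> int:
    """peer_public^private mod p. Rejects 0, 1 and p-1, which would force
    the secret to a trivial value whatever the private exponent is."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_key(shared: int, length: int = 16) -> bytes:
    """DH agrees on a number, not a key: hash it into `length` key bytes."""
    raw = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(raw).digest()[:length]


def agree(p: int, g: int, a_private: int, b_private: int):
    """Run both sides; returns (A, B, key_at_A, key_at_B)."""
    A = public_value(p, g, a_private)
    B = public_value(p, g, b_private)
    key_a = derive_key(shared_secret(p, B, a_private))  # A uses B's public value
    key_b = derive_key(shared_secret(p, A, b_private))  # B uses A's public value
    return A, B, key_a, key_b


if __name__ == "__main__":
    A, B, ka, kb = agree(23, 5, 6, 15)
    print(A, B, ka.hex(), ka == kb)
    print(agree(23, 5, random_private(23), random_private(23))[2:])
```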



Description of the Algorithm

Diffie–Hellman key exchange algorithm



Example of the Algorithm

ELGAMAL CRYPTOGRAPHY (ECC)

In this ECC we have three phases:

1. Key generation
2. Encryption
3. Decryption



The ElGamal process is as follows:



KEY DISTRIBUTION
• Key distribution is the function that delivers a key to two parties who
wish to exchange secure encrypted data. Some sort of mechanism or
protocol is needed to provide for the secure distribution of keys.
• Key distribution often involves the use of master keys, which are
infrequently used and are long lasting, and session keys, which are
generated and distributed for temporary use between two parties.
• Public-key encryption schemes are secure only if the authenticity of the
public key is assured. A public-key certificate scheme provides the
necessary security.
• X.509 defines the format for public-key certificates. This format is
widely used in a variety of applications.
• A public-key infrastructure (PKI) is defined as the set of hardware,
software, people, policies, and procedures needed to create, manage,
store, distribute, and revoke digital certificates based on asymmetric
cryptography.
• Typically, PKI implementations make use of X.509 certificates.

A Key Distribution Scenario

User A wishes to establish a logical connection with B and requires a one-time
session key to protect the data transmitted over the connection. A has a master
key, Ka, known only to itself and the KDC; similarly, B shares the master key
Kb with the KDC.

Hierarchical Key Control

It is not necessary to limit the key distribution function to a single KDC.
Indeed, for very large networks, it may not be practical to do so. As an
alternative, a hierarchy of KDCs can be established. For example, there can be
local KDCs, each responsible for a small domain of the overall internetwork, such
as a single LAN or a single building.

A hierarchical scheme minimizes the effort involved in master key distribution,
because most master keys are those shared by a local KDC with its local
entities. Furthermore, such a scheme limits the damage of a faulty or subverted
KDC to its local area only.

Session Key Lifetime

The more frequently session keys are exchanged, the more secure they are,
because the opponent has less ciphertext to work with for any given session
key. On the other hand, the distribution of session keys delays the start of any
exchange and places a burden on network capacity. A security manager must try
to balance these competing considerations in determining the lifetime of a
particular session key.

Decentralized Key Control

The use of a key distribution center imposes the requirement that the KDC be
trusted and be protected from subversion. This requirement can be avoided if
key distribution is fully decentralized. Although full decentralization is not
practical for larger networks using symmetric encryption only, it may be useful
within a local context.

A decentralized approach requires that each end system be able to
communicate in a secure manner with all potential partner end systems for
purposes of session key distribution. Thus, there may need to be as many as
n(n-1)/2 master keys for a configuration with n end systems.

Distribution of Public Key:

The public key can be distributed in four ways:

1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.

These are explained as following below:

1. Public Announcement: Here the public key is broadcast to everyone. The
major weakness of this method is forgery: anyone can create a key, claim that it
belongs to someone else and broadcast it. Until the forgery is discovered, the
forger can masquerade as the claimed user.



2. Publicly Available Directory: In this type, the public key is stored in a public
directory. The directory is trusted: it handles participant registration, lets
participants access and modify their values at any time, and contains entries of
the form {name, public-key}. The directory can be accessed electronically, but it
is still vulnerable to forgery or tampering.

3. Public-Key Authority: It is similar to the directory, but improves security by
tightening control over the distribution of keys from the directory. It requires
users to know the public key of the authority. Whenever a key is needed, the
user makes real-time access to the authority to obtain the desired public key
securely.

4. Public-Key Certificates: Here a certificate authority provides a certificate
(which binds an identity to a public key) to allow key exchange without real-time
access to the public-key authority each time. The certificate also carries other
information such as its period of validity and rights of use. All of this content
is signed with the private key of the certificate authority, so it can be verified
by anyone possessing the authority's public key.
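An added example (not from the notes) of the binding described in item 4, which also serves the RSA section above: the CA signs the certificate fields with its private key, anyone with the CA's public key verifies them, and a certificate whose public key was swapped after issue fails verification. The CA key pair is textbook RSA on two constructed primes (104729 and 1299709), chosen small enough to read; the certificate field values are constructed as well.

```python
import hashlib
import json

# Constructed CA key pair using textbook RSA (no padding). The primes are far
# too small for real use; a real CA key is 2048 bits or more.
P_CA, Q_CA = 104729, 1299709
N_CA = P_CA * Q_CA
E_CA = 65537                                        # public exponent
D_CA = pow(E_CA, -1, (P_CA - 1) * (Q_CA - 1))       # private exponent (Python 3.8+)

def digest_mod_n(fields, n):
    """Canonical hash of the certificate contents, reduced into Z_n so that
    textbook RSA can sign it."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % n

def issue_certificate(fields):
    """The CA binds identity, public key and validity with its private key."""
    signature = pow(digest_mod_n(fields, N_CA), D_CA, N_CA)
    return {"tbs": fields, "signature": signature}

def verify_certificate(cert, e=E_CA, n=N_CA):
    """Anyone holding the CA's public key (e, n) can check the binding."""
    return pow(cert["signature"], e, n) == digest_mod_n(cert["tbs"], n)

def demo():
    """Genuine certificate verifies; one with a substituted key does not."""
    cert = issue_certificate({"subject": "bob",
                              "public_key": "bob-key-constructed",
                              "not_before": "2024-01-01",
                              "not_after": "2025-01-01"})
    substituted = {"tbs": dict(cert["tbs"], public_key="other-key-constructed"),
                   "signature": cert["signature"]}
    return {"genuine_ok": verify_certificate(cert),
            "substituted_ok": verify_certificate(substituted)}

if __name__ == "__main__":
    print(demo())
```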

