
21ECE72 - Coding and Cryp Module 5

The document discusses two main types of cryptography: private-key (symmetric) and public-key (asymmetric) cryptography. It explains the workings of public-key cryptography, including key generation, encryption, and decryption processes, as well as the RSA algorithm and Diffie-Hellman key exchange. The document emphasizes the importance of security in cryptographic systems and the mathematical principles underlying these methods.

Uploaded by

dnekaidbsj

Private-Key Cryptography

• traditional private/secret/single-key cryptography uses one key
• the key is shared by both sender and receiver
• if this key is disclosed, communications are compromised
• it is also symmetric: the parties are equal
• hence it does not protect the sender from the receiver forging a message and claiming it was sent by the sender

Public Key Cryptography

The development of public-key cryptography is the greatest and perhaps the only
true revolution in the entire history of cryptography. It is asymmetric, involving the use
of two separate keys, in contrast to symmetric encryption, which uses only one key. Public
key schemes are neither more nor less secure than private key (security depends on the
key size for both). Public-key cryptography complements rather than replaces symmetric
cryptography. Both also have issues with key distribution, requiring the use
of some suitable protocol. The concept of public-key cryptography evolved from an
attempt to attack two of the most difficult problems associated with symmetric
encryption:
1.) key distribution – how to have secure communications in general without having to
trust a KDC with your key
2.) digital signatures – how to verify a message comes intact from the claimed sender
Public-key/two-key/asymmetric cryptography involves the use of two keys:

• a public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
• a private key, known only to the recipient, used to decrypt messages and sign (create) signatures
• it is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-key algorithms rely on one key for encryption and a different but related key
for decryption. These algorithms have the following important characteristics:
• it is computationally infeasible to find the decryption key knowing only the algorithm and the encryption key
• it is computationally easy to encrypt/decrypt messages when the relevant (encryption/decryption) key is known
• either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms, like RSA)
The following figure illustrates the public-key encryption process and shows that a public-key
encryption scheme has six ingredients: plaintext, encryption algorithm, public and
private keys, ciphertext and decryption algorithm.
The essential steps involved in a public-key encryption scheme are given below:
1.) Each user generates a pair of keys to be used for encryption and decryption.
2.) Each user places one of the two keys in a public register and the other key is kept private.
3.) If B wants to send a confidential message to A, B encrypts the message using A’s public key.
4.) When A receives the message, she decrypts it using her private key. Nobody else can decrypt the message because that can only be done using A’s private key (deducing a private key should be infeasible).
5.) If a user wishes to change his keys, he generates another pair of keys and publishes the public one: no interaction with other users is needed.

Notations used in public-key cryptography:
• The public key of user A will be denoted KUA.
• The private key of user A will be denoted KRA.
• Encryption method will be a function E.
• Decryption method will be a function D.
• If B wishes to send a plain message X to A, then he sends the cryptotext Y=E(KUA,X)
• The intended receiver A will decrypt the message: D(KRA,Y)=X

The first attack on public-key cryptography is the attack on authenticity. An attacker
may impersonate user B: he sends a message E(KUA,X) and claims in the message to be
B; A has no guarantee this is so. To overcome this, B will encrypt the message using his
private key: Y=E(KRB,X). The receiver decrypts using B’s public key KUB. This shows the
authenticity of the sender because (supposedly) he is the only one who knows the private
key. The entire encrypted message serves as a digital signature. This scheme is depicted
in the following figure:
But a drawback still exists. Anybody can decrypt the message using B’s public key, so
secrecy or confidentiality is compromised. One can provide both authentication and
confidentiality by using the public-key scheme twice:

• B encrypts X with his private key: Y=E(KRB,X)
• B encrypts Y with A’s public key: Z=E(KUA,Y)
• A will decrypt Z (and she is the only one capable of doing it): Y=D(KRA,Z)
• A can now get the plaintext and ensure that it comes from B (he is the only one who knows his private key) by decrypting Y using B’s public key: X=E(KUB,Y).
Applications For Public-Key Cryptosystems:
1.) Encryption/decryption: sender encrypts the message with the receiver’s public key.

2.) Digital signature: sender “signs” the message (or a representative part of the
message) using his private key
3.) Key exchange: two sides cooperate to exchange a secret key for later use in a
secret-key cryptosystem.

The main requirements of public-key cryptography are:

1. Computationally easy for a party B to generate a pair (public key KUb, private key KRb).
2. Easy for sender A to generate cipher text:
3. Easy for the receiver B to decrypt cipher text using private key:
4. Computationally infeasible to determine private key (KRb) knowing public key (KUb)
5. Computationally infeasible to recover message M, knowing KUb and cipher text C
6. Either of the two keys can be used for encryption, with the other used for decryption:
M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]

Easy is defined to mean a problem that can be solved in polynomial time as a function of
input length. A problem is infeasible if the effort to solve it grows faster than
polynomial time as a function of input size. Public-key cryptosystems usually rely on
difficult math functions rather than S-P networks as classical cryptosystems do. A one-way
function is one that is easy to calculate in one direction and infeasible to calculate in the other
direction (i.e., the inverse is infeasible to compute). A trap-door function is a difficult
function that becomes easy if some extra information is known. Our aim is to find a trap-door
one-way function, which is easy to calculate in one direction and infeasible to
calculate in the other direction unless certain additional information is known.
Security of Public-key schemes:
• Like private-key schemes, a brute-force exhaustive search attack is always theoretically possible. But the keys used are too large (>512 bits).
• Security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalysis) problems. More generally the hard problem is known, it’s just made too hard to do in practice.
• Requires the use of very large numbers, hence is slow compared to private-key schemes.
RSA Algorithm

RSA is the best known, and by far the most widely used, general public-key
encryption algorithm, and was first published by Rivest, Shamir & Adleman of MIT in 1978
[RIVE78]. Since that time RSA has reigned supreme as the most widely accepted and
implemented general-purpose approach to public-key encryption. The RSA scheme is a
block cipher in which the plaintext and the ciphertext are integers between 0 and n-1 for
some fixed n; a typical size for n is 1024 bits (or 309 decimal digits). It is based on
exponentiation in a finite (Galois) field over integers modulo a prime, using large integers
(e.g. 1024 bits). Its security is due to the cost of factoring large numbers. RSA involves a
public key and a private key, where the public key is known to all and is used to encrypt
data or a message. The data or message which has been encrypted using a public key can
only be decrypted by using its corresponding private key. Each user generates a key pair,
i.e. a public and a private key, using the following steps:
• each user selects two large primes at random: p, q
• compute their system modulus n=p.q
• calculate ø(n), where ø(n)=(p-1)(q-1)
• select at random the encryption key e, where 1<e<ø(n) and gcd(e,ø(n))=1
• solve the following equation to find the decryption key d: e.d=1 mod ø(n) and 0≤d≤n
• publish their public encryption key: KU={e,n}
• keep secret the private decryption key: KR={d,n}

Both the sender and receiver must know the values of n and e, and only the receiver
knows the value of d. Encryption and decryption are done using the following equations.
To encrypt a message M the sender:
– obtains the public key of the recipient KU={e,n}
– computes: C=M^e mod n, where 0≤M<n
To decrypt the ciphertext C the owner:
– uses their private key KR={d,n}
– computes: M=C^d mod n = (M^e)^d mod n = M^(ed) mod n
For this algorithm to be satisfactory, the following requirements are to be met.
a) It is possible to find values of e, d, n such that M^(ed) = M mod n for all M<n
b) It is relatively easy to calculate M^e and C^d for all values of M < n.
c) It is computationally infeasible to determine d given e and n

The way RSA works is based on number theory. Fermat’s little theorem: if p is
prime and a is a positive integer not divisible by p, then a^(p-1) ≡ 1 mod p. Corollary: for
any positive integer a and prime p, a^p ≡ a mod p.
Fermat’s theorem, as useful as it will turn out to be, does not provide us with the integers
d, e we are looking for; Euler’s theorem (a refinement of Fermat’s) does. Euler’s function
associates to any positive integer n a number φ(n): the number of positive integers
smaller than n and relatively prime to n. For example, φ(37) = 36, i.e. φ(p) = p-1 for any
prime p. For any two primes p, q, φ(pq)=(p-1)(q-1).
Euler’s theorem: for any relatively prime integers a, n we have a^φ(n) ≡ 1 mod n.
Corollary: for any integers a, n we have a^(φ(n)+1) ≡ a mod n.
Corollary: let p, q be two odd primes and n=pq. Then:
• φ(n)=(p-1)(q-1)
• for any integer m with 0<m<n, m^((p-1)(q-1)+1) ≡ m mod n
• for any integers k, m with 0<m<n, m^(k(p-1)(q-1)+1) ≡ m mod n
Euler’s theorem provides us the numbers d, e such that M^(ed) = M mod n. We have to choose
d, e such that ed=kφ(n)+1, or equivalently, d ≡ e^(-1) mod φ(n).

An example of RSA can be given as:

Select primes: p=17 & q=11
Compute n = pq = 17×11 = 187
Compute ø(n) = (p–1)(q-1) = 16×10 = 160
Select e: gcd(e,160)=1; choose e=7
Determine d: de=1 mod 160 and d < 160. Value is d=23 since 23×7=161=1×160+1
Publish public key KU={7,187}
Keep secret private key KR={23,187}
Now, given message M = 88 (nb. 88<187)
encryption: C = 88^7 mod 187 = 11
decryption: M = 11^23 mod 187 = 88

Another example of RSA is given as:
Let p = 11, q = 13, e = 11, m = 7
n = pq, i.e. n = 11*13 = 143
ø(n) = (p-1)(q-1), i.e. (11-1)(13-1) = 120
e.d=1 mod ø(n), i.e. 11d mod 120 = 1, i.e. (11*11) mod 120 = 1; so d = 11
public key: {11,143} and private key: {11,143}
C=M^e mod n, so ciphertext = 7^11 mod 143 = 727833 mod 143; i.e. C = 106
M=C^d mod n, plaintext = 106^11 mod 143 = 1008 mod 143; i.e. M = 7
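
The key-generation steps and both worked examples above, carried through in code, together with the earlier scheme that applies the sender's private key and then the receiver's public key. This is an added example, not part of the original notes; the function names are chosen here, and it is unpadded textbook RSA on the notes' toy numbers.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def keygen(p, q, e):
    """The notes' steps: n = p*q, phi = (p-1)(q-1), d solves e*d = 1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = egcd(e, phi)[1] % phi
    return (e, n), (d, n)  # KU = {e, n}, KR = {d, n}


def modexp(base, exp, mod):
    """Square-and-multiply: why M^e mod n is 'easy' even for large exponents."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def apply_key(key, x):
    """E(K, X) and D(K, Y) are the same RSA operation: x^k mod n, 0 <= x < n."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("block must satisfy 0 <= x < n")
    return modexp(x, k, n)


def sign_then_encrypt(x, kr_sender, ku_receiver):
    """Y = E(KRB, X), then Z = E(KUA, Y)."""
    if kr_sender[1] > ku_receiver[1]:
        # Y is a residue mod the sender's n and may not fit under a smaller n.
        raise ValueError("sender modulus is larger than receiver modulus")
    return apply_key(ku_receiver, apply_key(kr_sender, x))


def decrypt_then_verify(z, kr_receiver, ku_sender):
    """Y = D(KRA, Z), then X = E(KUB, Y)."""
    return apply_key(ku_sender, apply_key(kr_receiver, z))


# A holds the first key pair from the notes, B the second one.
KU_A, KR_A = keygen(17, 11, 7)    # ({7, 187}, {23, 187})
KU_B, KR_B = keygen(11, 13, 11)   # ({11, 143}, {11, 143})

if __name__ == "__main__":
    c = apply_key(KU_A, 88)
    print("C =", c, " M =", apply_key(KR_A, c))
    z = sign_then_encrypt(7, KR_B, KU_A)
    print("Z =", z, " X =", decrypt_then_verify(z, KR_A, KU_B))
```

In the second key pair d equals e, so the "private" key is the published one; that pair illustrates the arithmetic only. The modulus check in sign_then_encrypt reflects that the double application only works when the intermediate value Y fits below the receiver's n.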

For RSA key generation, users of RSA must:
– determine two primes at random: p, q
– select either e or d and compute the other
– means must be sufficiently large
– typically guess and use probabilistic test

Security of RSA
There are three main approaches to attacking the RSA algorithm.
• Brute force key search (infeasible given the size of the numbers): as explained before, this involves trying all possible private keys. The best defense is using large keys.
• Mathematical attacks (based on the difficulty of computing ø(N), by factoring the modulus N): there are several approaches, all equivalent in effect to factoring the product of two primes. Some of them are given as:
– factor N=p.q, hence find ø(N) and then d
– determine ø(N) directly and find d
– find d directly

The possible defense would be using large keys and also choosing large numbers for p
and q, which should differ only by a few bits and are also on the order of magnitude 10^75
to 10^100. Also, gcd(p-1, q-1) should be small.
Diffie-Hellman Key Exchange

Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties
that have no prior knowledge of each other to jointly establish a shared secret key over
an insecure communications channel. This key can then be used to encrypt subsequent
communications using a symmetric key cipher. The D-H algorithm depends for its
effectiveness on the difficulty of computing discrete logarithms.

First, a primitive root of a prime number p can be defined as one whose powers generate
all the integers from 1 to p-1. If a is a primitive root of the prime number p, then the
numbers a mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from
1 through p-1 in some permutation.
For any integer b and a primitive root a of prime number p, we can find a unique exponent
i such that . The exponent i is referred to as the
discrete logarithm of b for the base a, mod p. We express this value as dlog_{a,p}(b).

The algorithm is summarized below:
For this scheme, there are two publicly known numbers: a prime number q and an integer
α that is a primitive root of q. Suppose the users A and B wish to exchange a key. User A
selects a random integer XA < q and computes YA = α^XA mod q. Similarly, user B
independently selects a random integer XB < q and computes YB = α^XB mod q. Each side
keeps the X value private and makes the Y value available publicly to the other side. User
A computes the key as K = (YB)^XA mod q and user B computes the key as K = (YA)^XB mod
q. These two calculations produce identical results.
Discrete Log Problem
The (discrete) exponentiation problem is as follows: given a base a, an exponent b and a
modulus p, calculate c such that a^b ≡ c (mod p) and 0 ≤ c < p. It turns out that this problem
is fairly easy and can be calculated "quickly" using fast exponentiation. The discrete log
problem is the inverse problem: given a base a, a result c (0 ≤ c < p) and a modulus p,
calculate the exponent b such that a^b ≡ c (mod p). It turns out that no one has found a
quick way to solve this problem. With DLP, if P had 300 digits, and Xa and Xb have more than
100 digits, it would take longer than the life of the universe to crack the method.
Examples for D-H key distribution scheme:
1) Let p = 37 and g = 13.
Let Alice pick a = 10. Alice calculates 13^10 (mod 37), which is 4, and sends that to Bob. Let
Bob pick b = 7. Bob calculates 13^7 (mod 37), which is 32, and sends that to Alice. (Note: 10
and 7 are secret to Alice and Bob, respectively, but both 4 and 32 are known by all.)
Alice calculates 32^10 (mod 37), which is 30, the secret key.
Bob calculates 4^7 (mod 37), which is 30, the same secret key.

2) Let p = 47 and g = 5. Let Alice pick a = 18. Alice calculates 5^18 (mod 47), which is 2, and
sends that to Bob. Let Bob pick b = 22. Bob calculates 5^22 (mod 47), which is 28, and sends
that to Alice.
Alice calculates 28^18 (mod 47), which is 24, the secret key.
Bob calculates 2^22 (mod 47), which is 24, the same secret key.

Man-in-the-Middle Attack on D-H Protocol


Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack
proceeds as follows:
1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)^XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
5. Bob transmits YB to Alice.
6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = (YB)^XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth
share secret key K1 and Alice and Darth share secret key K2. All future communication
between Bob and Alice is compromised in the following way:
1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply wants to eavesdrop on the communication without altering it. In the second case, Darth wants to modify the message going to Bob.
The key exchange protocol is vulnerable to such an attack because it does not authenticate
the participants. This vulnerability can be overcome with the use of digital signatures and
public-key certificates.
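
The exchange and the substitution described above, run with the toy parameters of example 1 (q = 37, α = 13, XA = 10, XB = 7), once without authentication and once with each side signing its public value. This is an added example, not part of the original notes. Assumptions: XD1 = 5 and XD2 = 3 are constructed values, Alice's signing key is the first RSA key pair from the notes, Bob's signing key (p = 11, q = 13, e = 7, d = 103) is constructed, and the signature is unpadded textbook RSA on the raw value, used only to show where the check sits.

```python
Q, ALPHA = 37, 13            # public prime q and primitive root (example 1)

# Long-term signing keys, toy textbook RSA. Alice's pair is the first RSA
# example from the notes; Bob's pair is constructed for this example.
KU_A, KR_A = (7, 187), (23, 187)
KU_B, KR_B = (7, 143), (103, 143)


def dh_public(x):
    """Y = alpha^X mod q."""
    return pow(ALPHA, x, Q)


def dh_shared(peer_y, x):
    """K = (peer's Y)^X mod q."""
    return pow(peer_y, x, Q)


def rsa_sign(value, kr):
    d, n = kr
    return pow(value, d, n)


def rsa_verify(value, sig, ku):
    e, n = ku
    return pow(sig, e, n) == value


def exchange(xa, xb, xd1=None, xd2=None, signed=False):
    """Run one exchange and return (key at Alice, key at Bob).

    xd1/xd2 model Darth: when given, YD1 replaces YA on the way to Bob and
    YD2 replaces YB on the way to Alice. With signed=True each side signs
    its Y, and a receiver yields None instead of a key when the signature
    does not match the value that arrived.
    """
    ya, yb = dh_public(xa), dh_public(xb)
    sig_a, sig_b = rsa_sign(ya, KR_A), rsa_sign(yb, KR_B)
    # Darth can swap the value in transit but cannot compute the sender's
    # signature on it, so the original signature travels with the new value.
    to_bob = ya if xd1 is None else dh_public(xd1)
    to_alice = yb if xd2 is None else dh_public(xd2)
    ok_at_alice = not signed or rsa_verify(to_alice, sig_b, KU_B)
    ok_at_bob = not signed or rsa_verify(to_bob, sig_a, KU_A)
    key_alice = dh_shared(to_alice, xa) if ok_at_alice else None
    key_bob = dh_shared(to_bob, xb) if ok_at_bob else None
    return key_alice, key_bob


def darth_keys(ya, yb, xd1, xd2):
    """What Darth derives: K2 = (YA)^XD2 with Alice, K1 = (YB)^XD1 with Bob."""
    return dh_shared(ya, xd2), dh_shared(yb, xd1)


if __name__ == "__main__":
    print("honest:        ", exchange(10, 7))
    print("intercepted:   ", exchange(10, 7, xd1=5, xd2=3))
    print("Darth derives: ", darth_keys(dh_public(10), dh_public(7), 5, 3))
    print("signed, honest:", exchange(10, 7, signed=True))
    print("signed, swap:  ", exchange(10, 7, xd1=5, xd2=3, signed=True))
```

The signed variant only helps if each side already holds an authentic copy of the other's verification key, which is the role of the public-key certificates mentioned above.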
Authentication Requirements
In the context of communications across a network, the following eight attacks can be identified:
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Source repudiation
8. Destination repudiation

1-2: message confidentiality
3-6: message authentication (here we are not directly worried about confidentiality; the message may be seen by others)
7: digital signature
8: combination of digital signature and protocol
P.S.: DoS attack is not listed here as it is not directly related to a message, but affects system availability as a whole.

Message Authentication

Message authentication is a procedure to verify that received messages come from
the alleged source and have not been altered. Message authentication may also verify
sequencing and timeliness. It is intended against attacks like content modification,
sequence modification, timing modification and repudiation. For repudiation, the concept of
digital signatures is used to counter it. There are three classes of functions that may be
used to produce an authenticator. They are:
• Message encryption: the ciphertext serves as authenticator.
• Message authentication code (MAC): a public function of the message and a secret key producing a fixed-length value to serve as authenticator. This does not provide a digital signature because A and B share the same key.
• Hash function: a public function mapping an arbitrary-length message into a fixed-length hash value to serve as authenticator. This does not provide a digital signature because there is no key.

MESSAGE ENCRYPTION:
Message encryption by itself can provide a measure of authentication. The analysis differs
for conventional and public-key encryption schemes. The message must have come from
the sender itself, because the ciphertext can be decrypted using his (secret or public) key.
Also, none of the bits in the message have been altered because an opponent does not
know how to manipulate the bits of the ciphertext to induce meaningful changes to the
plaintext. Often one needs alternative authentication schemes rather than just encrypting the
message.
• Sometimes one needs to avoid encryption of full messages due to legal requirements.
• Encryption and authentication may be separated in the system architecture.

The different ways in which message encryption can provide authentication and
confidentiality in both symmetric and asymmetric encryption techniques are explained
with the table below:

MESSAGE AUTHENTICATION CODE

An alternative authentication technique involves the use of a secret key to
generate a small fixed-size block of data, known as a cryptographic checksum or MAC,
which is appended to the message. This technique assumes that both the communicating
parties, say A and B, share a common secret key K. When A has a message to send to B, it
calculates the MAC as a function C of key and message, given as: MAC = C_K(M). The message
and the MAC are transmitted to the intended recipient, who upon receiving performs the
same calculation on the received message, using the same secret key to generate a new
MAC. The received MAC is compared to the calculated MAC and only if they match, then:
1. The receiver is assured that the message has not been altered: if any alterations have been made, the MACs do not match.
2. The receiver is assured that the message is from the alleged sender: no one except the sender has the secret key and could prepare a message with a proper MAC.
3. If the message includes a sequence number, then the receiver is assured of proper sequence, as an attacker cannot successfully alter the sequence number.
Basic uses of Message Authentication Code (MAC) are shown in the figure:

There are three different situations where use of a MAC is desirable:
• If a message is broadcast to several destinations in a network (such as a military control center), then it is cheaper and more reliable to have just one node responsible for evaluating the authenticity; the message will be sent in plain with an attached authenticator.
• If one side has a heavy load, it cannot afford to decrypt all messages; it will just check the authenticity of some randomly selected messages.
• Authentication of computer programs in plaintext is a very attractive service, as they need not be decrypted every time, which would waste processor resources. Integrity of the program can always be checked by MAC.

MESSAGE AUTHENTICATION CODE BASED ON DES

The Data Authentication Algorithm, based on DES, has been one of the most widely used
MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB 113) and
an ANSI standard (X9.17). But security weaknesses in this algorithm have been
discovered and it is being replaced by newer and stronger algorithms. The algorithm can
be defined as using the cipher block chaining (CBC) mode of operation of DES shown
below with an initialization vector of zero.

The data (e.g., message, record, file, or program) to be authenticated are grouped into
contiguous 64-bit blocks: D1, D2, ..., DN. If necessary, the final block is padded on the right
with zeroes to form a full 64-bit block. Using the DES encryption algorithm, E, and a secret
key, K, a data authentication code (DAC) is calculated as follows:
The DAC consists of either the entire block O_N or the leftmost M bits of the block, with
16 ≤ M ≤ 64.
Use of a MAC needs a shared secret key between the communicating parties, and a MAC
does not provide a digital signature. The following table summarizes the confidentiality
and authentication implications of the approaches shown above.
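
The chaining described above (zero initialization vector, zero padding of the final block, DAC taken as the leftmost M bits of the last output block), together with the receiver's recompute-and-compare check from the MAC section. This is an added example, not part of the original notes. Assumptions: the Python standard library has no DES, so E here is a stand-in keyed 64-bit function cut from HMAC-SHA256; the key and messages are constructed; M is limited to whole bytes.

```python
import hashlib
import hmac

BLOCK = 8  # bytes: the 64-bit block size of DES


def E(key, block):
    """Stand-in for DES encryption E(K, block). Assumption for this example:
    a keyed 64-bit function cut from HMAC-SHA256. It is not DES and not
    invertible; the chaining below only needs the forward direction."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def split_blocks(data):
    """D1..DN: contiguous 64-bit blocks, final block zero-padded on the right."""
    pad = BLOCK if not data else -len(data) % BLOCK
    data += bytes(pad)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def dac(key, data, m_bits=32):
    """CBC chaining with a zero IV: O_i = E(K, D_i XOR O_(i-1)).
    Returns the leftmost M bits of O_N, 16 <= M <= 64 (whole bytes only)."""
    if not 16 <= m_bits <= 64 or m_bits % 8:
        raise ValueError("M must be a multiple of 8 between 16 and 64")
    o = bytes(BLOCK)  # initialization vector of zero
    for d in split_blocks(data):
        o = E(key, bytes(x ^ y for x, y in zip(d, o)))
    return o[:m_bits // 8]


def verify(key, data, tag):
    """Receiver side: recompute the code and compare in constant time."""
    if not 2 <= len(tag) <= BLOCK:
        return False
    return hmac.compare_digest(dac(key, data, 8 * len(tag)), tag)


KEY = b"constructed-shared-key"     # constructed sample key
MSG = b"seq=7;pay=100"              # constructed message with a sequence number

if __name__ == "__main__":
    tag = dac(KEY, MSG, 64)
    print("tag:", tag.hex())
    print("unaltered:       ", verify(KEY, MSG, tag))
    print("sequence changed:", verify(KEY, b"seq=8;pay=100", tag))
    print("wrong key:       ", verify(b"other-key", MSG, tag))
    # Zero padding does not encode the length: a trailing zero byte is invisible.
    print("same as MSG+00:  ", dac(KEY, MSG + b"\x00", 64) == tag)
```

The last line shows a consequence of the zero padding: two messages that differ only in trailing zero bytes inside the final block receive the same code, so the message length has to be fixed or carried in the authenticated data.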

HASH FUNCTION

A variation on the message authentication code is the one-way hash function. As
with the message authentication code, the hash function accepts a variable-size message
M as input and produces a fixed-size hash code H(M), sometimes called a message digest,
as output. The hash code is a function of all bits of the message and provides an
error-detection capability: a change to any bit or bits in the message results in a change to the
hash code. A variety of ways in which a hash code can be used to provide message
authentication is shown below and explained stepwise in the table.
In cases where confidentiality is not required, methods b and c have an advantage
over those that encrypt the entire message in that less computation is required. The growing
interest in techniques that avoid encryption is due to reasons such as: encryption software
is quite slow and may be covered by patents; encryption hardware costs are not
negligible; and the algorithms are subject to U.S. export control. A fixed-length hash value
h is generated by a function H that takes as input a message of arbitrary length: h=H(M).
• A sends M and H(M)
• B authenticates the message by computing H(M) and checking the match

Requirements for a hash function: the purpose of a hash function is to produce a
“fingerprint” of a file, message, or other block of data. To be used for message
authentication, the hash function H must have the following properties:
• H can be applied to a message of any size
• H produces fixed-length output
• Computationally easy to compute H(M) for any given M
• Computationally infeasible to find M such that H(M)=h, for a given h, referred to as the one-way property
• Computationally infeasible to find M’ such that H(M’)=H(M), for a given M, referred to as weak collision resistance
• Computationally infeasible to find M, M’ with H(M)=H(M’) (to resist birthday attacks), referred to as strong collision resistance
Examples of simple hash functions are:
• Bit-by-bit XOR of plaintext blocks: h = D1⊕D2⊕…⊕DN
• Rotated XOR: before each addition the hash value is rotated to the left by 1 bit
• Cipher block chaining technique without a secret key.
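
The first two simple hash functions listed above, checked against the weak collision resistance requirement. This is an added example, not part of the original notes; the 64-bit block size, function names and sample messages are constructed for the illustration.

```python
import hashlib

BLOCK = 8  # bytes per block D_i (64-bit blocks, an assumption of this example)
MASK = (1 << (8 * BLOCK)) - 1


def blocks(msg):
    """Split into 64-bit integers D1..DN, zero-padding the last block."""
    msg += bytes(-len(msg) % BLOCK)
    return [int.from_bytes(msg[i:i + BLOCK], "big")
            for i in range(0, len(msg), BLOCK)]


def rotl1(h):
    """Rotate a 64-bit value left by one bit."""
    return ((h << 1) | (h >> (8 * BLOCK - 1))) & MASK


def xor_hash(msg):
    """h = D1 xor D2 xor ... xor DN."""
    h = 0
    for d in blocks(msg):
        h ^= d
    return h


def rotated_xor_hash(msg):
    """Rotate the running value left one bit before folding in each block."""
    h = 0
    for d in blocks(msg):
        h = rotl1(h) ^ d
    return h


def matching_message(hash_fn, other, target):
    """Pad `other` and append one block so that hash_fn(result) == target.
    Possible for both simple hashes because every step is linear and keyless."""
    padded = other + bytes(-len(other) % BLOCK)
    h = hash_fn(padded)
    if hash_fn is rotated_xor_hash:
        h = rotl1(h)  # the running value is rotated before the last block
    return padded + (h ^ target).to_bytes(BLOCK, "big")


def sha256_hex(msg):
    """A hash designed to meet the listed requirements, for comparison."""
    return hashlib.sha256(msg).hexdigest()


ORIGINAL = b"transfer 100 to account 17"   # constructed sample messages
OTHER = b"transfer 900 to account 42"

if __name__ == "__main__":
    a, b = b"AAAAAAAA", b"BBBBBBBB"
    print("XOR ignores block order:", xor_hash(a + b) == xor_hash(b + a))
    print("rotated XOR does not:   ",
          rotated_xor_hash(a + b) != rotated_xor_hash(b + a))
    for fn in (xor_hash, rotated_xor_hash):
        m2 = matching_message(fn, OTHER, fn(ORIGINAL))
        print(fn.__name__, "same hash:", fn(m2) == fn(ORIGINAL),
              "| SHA-256 differs:", sha256_hex(m2) != sha256_hex(ORIGINAL))
```

Both simple functions satisfy the first three properties (any input size, fixed output, easy to compute) and fail weak collision resistance, which is why they are suitable for error detection only.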

Digital signature:
➢ It is an authentication mechanism that allows the sender to attach an electronic code
with the message. This electronic code acts as the signature of the sender and hence, is
named digital signature.
➢ It is done to ensure its authenticity and integrity.
➢ Digital signature uses the public-key cryptography technique. The sender uses his or
her private key and a signing algorithm to create a digital signature, and the signed
document can be made public. The receiver uses the public key of the
sender and a verifying algorithm to verify the digital signature.
➢ A normal message authentication scheme protects the two communicating parties
against attacks from a third party (intruder). However, a secure digital signature
scheme protects the two parties against each other also.
➢ Suppose A wants to send a signed message (message with A's digital signature) to B
through a network. For this, A encrypts the message using his or her private key, which
results in a signed message. The signed message is then sent through the network to B.
➢ Now, B attempts to decrypt the received message using A's public key in order to
verify that the received message has really come from A.
➢ If the message gets decrypted, B can believe that the message is from A. However, if
the message or the digital signature has been modified during transmission, it cannot be
decrypted using A's public key. From this, B can conclude that either
the message transmission has been tampered with, or that the message has not been
generated by A.
Message integrity:
➢ Digital signatures also provide message integrity.
➢ If a message has a digital signature, then any change in the message after the
signature is attached will invalidate the signature.
➢ That is, it is not possible to get the same signature if the message is changed.
Moreover, there is no efficient way to modify a message and its signature such that a
new message with a valid signature is produced.
Non-repudiation:
➢ Digital signatures also ensure non-repudiation.
➢ For example, if A has sent a signed message to B, then in future A cannot deny
sending the message. B can keep a copy of the message along with A's signature.
➢ In case A denies, B can use A’s public key to generate the original message. If the
newly created message is the same as that initially sent by A, it is proved that the
message has been sent by A only.
In the same way, B can never create a forged message bearing A's digital signature,
because only A can create his or her digital signatures with the help of that private key.
Message confidentiality:
➢ Digital signatures do not provide message confidentiality, because anyone knowing
the sender's public key can decrypt the message.

Digital signature process:


The digital signature process is shown in the figure. Suppose user A wants to send a signed
message to B through a network. To achieve this communication, these steps are
followed:
➢ A uses his private key (EA), applied to a signing algorithm, to sign the message (M).
➢ The message (M) along with A's digital signature (S) is sent to B.
➢ On receiving the message (M) and the signature (S), B uses A's public key
(DA), applied to the verifying algorithm, to verify the authenticity of the message. If the
message is authentic, B accepts the message; otherwise it is rejected.
