An introduction to cryptography
By-Aditya Raina
aditya.raina@lucideus.com
I have given history short shrift in my attempt to get to modern cryptography as
quickly as possible. Any mistakes in this document are mine. Please notify me of any
that you find at the above e-mail address.

Table of contents
Part I: Introduction
1 Vocabulary
2 Concepts
3 History
4 Crash Course in Number Theory
Part II: Cryptography
5. Simple Cryptosystems
6. Symmetric key cryptography
7. Cryptography Algorithms
7.1 Symmetric key Algorithms
1. Block Ciphers
1. A RIJNDAEL
1. B CAMELLIA
2. Stream Ciphers
2. A RABBIT
8. Finite Fields
9. Modern Stream Ciphers
9.1 RC4
9.2 One-Time Pads
10. Modern Block Ciphers
10.1 Modes of Operation of a Block Cipher
10.2 The Block Cipher DES
10.3 The Block Cipher AES
11. Public Key Cryptography
11.1 Public Key Algorithms
11.1.1. RSA
11.2. Key Management
11.2.1 Finite Field Discrete Logarithm Problem
11.2.2. Diffie-Hellman Key Agreement
11.3. Elliptic Curve Cryptography
12. Hash functions and Message Authentication Codes
12. a SHA-0, SHA-1
12. b The MD5 hash function
12. c WHIRLPOOL
12. d RIPEMD
12. e SHACAL
12.1 Security of Hash Functions
12.2 MAC
13 Signatures and Authentication
13.1 Public Key digital signatures
Part III: Applications of Cryptography
14.1 E-mail Security
14.2 IP-Security
14.3 Web Security
15 Time-stamping
16 KERBEROS
17 Key Management and Salting
18 Quantum Cryptography
Part IV: Introduction to System Security
19. Intruders
19.1 Intrusion Detection
20. Password Management
20.1 Password Protection
21. Firewalls
21.1 Firewall Characteristics
22. Cryptography Failures
Part V: Cryptanalysis
23 Basic Concepts of Cryptanalysis
23.1 Cryptanalytic Attacks
Introduction To “Cryptography: A Black Art”
Cryptography is a fundamental building block for building information systems, and as
we enter the so-called "information age" of global networks, ubiquitous computing
devices, and electronic commerce, we can expect that cryptography will become
more and more important with time. It is used to hide information. It is not only used by
spies but for phone, fax and e-mail communication, bank transactions, bank account
security, PINs, passwords and credit card transactions on the web. It is also used for
a variety of other information security issues including electronic signatures, which
are used to prove who sent a message.
The main goal of cryptography is to adequately address the following four areas in
both theory and practice:
a) Confidentiality is a service used to keep the content of information from all but
those authorized to have it. Secrecy is a term synonymous with confidentiality and
privacy. There are numerous approaches to providing confidentiality, ranging from
physical protection to mathematical algorithms which render data unintelligible.
b) Data integrity is a service which addresses the unauthorized alteration of data. To
assure data integrity, one must have the ability to detect data manipulation by
unauthorized parties. Data manipulation includes such things as insertion, deletion,
and substitution.
c) Authentication is a service related to identification. This function applies to both
entities and information itself. Two parties entering into a communication should
identify each other. Information delivered over a channel should be authenticated as
to origin, date of origin, data content, time sent, etc. For these reasons this aspect of
cryptography is usually subdivided into two major classes: entity authentication and
data origin authentication. Data origin authentication implicitly provides data integrity
(for if a message is modified, the source has changed).
d) Non-repudiation is a service which prevents an entity from denying previous
commitments or actions. When disputes arise due to an entity denying that certain
actions were taken, a means to resolve the situation is necessary. For example, one
entity may authorize the purchase of property by another entity and later deny such
authorization was granted. A procedure involving a trusted third party is needed to
resolve the dispute.

1 Vocabulary
A plaintext message, or simply a plaintext, is a message to be communicated. A
disguised version of a plaintext message is a ciphertext message or simply a
ciphertext. The process of creating a ciphertext from a plaintext is called encryption.
The process of turning a ciphertext back into a plaintext is called decryption. The
verbs encipher and decipher are synonymous with the verbs encrypt and decrypt. In
England, cryptology is the study of encryption and decryption and cryptography is
the application of them. In the U.S., the terms are synonymous, and the latter term is
used more commonly. In non-technical English, the term encode is often used as a
synonym for encrypt. To encode a plaintext changes the plaintext into a series of bits
(usually) or numbers (traditionally). A bit is simply a 0 or a 1. There is nothing secret
about encoding. A simple encoding of the alphabet would be A → 0, ..., Z → 25. Using this,
we could encode the message HELLO as 7 4 11 11 14. The most common method
of encoding a message nowadays is to replace it by its ASCII equivalent, which is an
8 bit representation for each symbol. Decoding turns bits or numbers back into
plaintext.
Figure 1-1. Encryption and decryption: plaintext → encryption → ciphertext → decryption → plaintext

A stream cipher operates on a message symbol-by-symbol, or nowadays bit-by-bit.
A block cipher operates on blocks of symbols. A digraph is a pair of letters and a
trigraph is a triple of letters. These are blocks that were used historically in
cryptography.
The Advanced Encryption Standard (AES) operates on 128 bit strings. So when
AES is used to encrypt a text message, it encrypts blocks of 128/8 = 16 symbols. A
transposition cipher rearranges the letters, symbols or bits in a plaintext. A
substitution cipher replaces letters, symbols or bits in a plaintext with others without
changing the order. A product cipher alternates transposition and substitution. The
concept of stream versus block cipher really only applies to substitution and
product ciphers, not transposition ciphers. An algorithm is a series of steps performed
by a computer (nowadays) or a person (traditionally) to perform some task.

2. Cryptosystem:
In this meaning, the term Cryptosystem is used as shorthand for "cryptographic
system". A cryptographic system is any computer system that involves cryptography.
Such systems include, for instance, a system for secure electronic mail which might
include methods for digital signatures, cryptographic hash functions, key
management techniques, and so on. Cryptographic systems are made up of
cryptographic primitives, and are usually rather complex. Because of this, breaking a
cryptosystem is not restricted to breaking the underlying cryptographic algorithms;
usually it is far easier to break the system as a whole, e.g., through the not
uncommon misconceptions of users with respect to the cryptosystem. The way the
ciphertext is systematically arranged can also affect the security.
Meaning in the context of cryptography:
In this meaning, a Cryptosystem refers to a suite of algorithms needed to implement
a particular form of encryption and decryption. Typically, a cryptosystem consists of
three algorithms:
1. for key generation,
2. for encryption, and
3. for decryption.
The term cipher (sometimes cypher) is often used to refer to a pair of algorithms, one
for encryption and one for decryption. Therefore, the term "cryptosystem" is most
often used when the key generation algorithm is important. For this reason, the term
"cryptosystem" is commonly used to refer to public key techniques; however both
"cipher" and "cryptosystem" are used for symmetric key techniques.
CRYPTOSYSTEMS AND KEYS
By definition, a cryptosystem is the combination of three elements: an
encryption engine, keying information, and operational procedures for their
secure use.
In order to cryptographically secure high-value data on a hard disk (or on back-up
media), it is necessary to employ a high-grade cryptosystem: one which even an
attacker possessing both a copy of your encryption engine and knowledge of your
operating procedures cannot break without your keying information.

Cryptanalysis is the process by which the enemy tries to turn ciphertext into
plaintext. It can also mean the study of this.
Cryptosystems come in 3 kinds:
1. Those that have been broken (most).
2. Those that have not yet been analysed (because they are new and not yet widely
used).
3. Those that have been analysed but not broken (RSA, discrete log cryptosystems,
Triple-DES, AES).
Three most common ways for the enemy to turn ciphertext into plaintext:
1. Steal/purchase/bribe to get the key.
2. Exploit sloppy implementation/protocol problems (hacking). Examples: someone
used a spouse's name as the key, someone sent the key along with the message.
3. Cryptanalysis.
Alice is the sender of an encrypted message. Bob is the recipient. Eve is the
eavesdropper who tries to read the encrypted message.

3 History
400 BC Spartan scytale cipher (sounds like Italy). Example of transposition cipher.
Letters were written on a long thin strip of leather wrapped around a cylinder. The
diameter of the cylinder was the key.
[Figure: the strip wrapped around the cylinder reads THIS IS / HOW IT / WOULD, one
row per turn.]
Julius Caesar's substitution cipher. Shift all letters three to the right. In our alphabet
that would send A → D, B → E, ..., Z → C.
Cryptography has a long and fascinating history. The predominant practitioners of
the art were those associated with the military, the diplomatic service and
government in general. Cryptography was used as a tool to protect national secrets
and strategies. The proliferation of computers & communications systems in the
1960s brought with it a demand from the private sector for means to protect
information in digital form and to provide security services. Beginning with the work
of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a
U.S. Federal Information Processing Standard for encrypting unclassified
information, DES, the Data Encryption Standard, is the most well-known
cryptographic mechanism in history. It remains the standard means for securing
electronic commerce for many financial institutions around the world. The most
striking development in the history of cryptography came in 1976 when Diffie and
Hellman published "New Directions in Cryptography". This paper introduced the
revolutionary concept of public-key cryptography and also provided a new and
ingenious method for key exchange, the security of which is based on the
intractability of the discrete logarithm problem. Although the authors had no practical
realization of a public-key encryption scheme at the time, the idea was clear and it
generated extensive interest and activity in the cryptographic community. In 1978
Rivest, Shamir, and Adleman discovered the first practical public-key encryption and
signature scheme, now referred to as RSA. The RSA scheme is based on another
hard mathematical problem, the intractability of factoring large integers. This
application of a hard mathematical problem to cryptography revitalized efforts to find
more efficient methods to factor.
The 1980s saw major advances in this area but none which rendered the RSA
system insecure. Another class of powerful and practical public-key schemes was
found by ElGamal in 1985. These are also based on the discrete logarithm problem.
One of the most significant contributions provided by public-key cryptography is the
digital signature. In 1991 the first international standard for digital signatures
(ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the
U.S. Government adopted the Digital Signature Standard, a mechanism based on
the ElGamal public key scheme.
The search for new public-key schemes, improvements to existing cryptographic
mechanisms, and proofs of security continues at a rapid pace. Various standards
and infrastructures involving cryptography are being put in place. Security products
are being developed to address the security needs of an information intensive
society.

4 Crash course in Number Theory
Let Z denote the integers . . . , −2, −1, 0, 1, 2, . . . . The symbol ∈ means "is an element
of". If a, b ∈ Z we say a divides b if b = na for some n ∈ Z and write a|b. "a divides b" is
just another way of saying b is a multiple of a. So 3|12 since 12 = 4 · 3, 3|3 since 3 =
1 · 3, 5|−5 since −5 = −1 · 5, 6|0 since 0 = 0 · 6. If x|1, what is x? (Answer: ±1.)
Properties:
If a, b, c ∈ Z and a|b then a|bc. I.e., since 3|12 then 3|60.
If a|b and b|c then a|c.
If a|b and a|c then a|b ± c.
If a|b and a ∤ c (a does not divide c) then a ∤ b ± c.
The primes are 2, 3, 5, 7, 11, 13, . . . .
The Fundamental Theorem of Arithmetic: Any n ∈ Z, n > 1, can be written uniquely as
a product of powers of distinct primes. For example 90 = 2^1 · 3^2 · 5^1.
Given a, b ∈ Z≥0 (the non-negative integers), not both 0, the greatest common divisor
of a and b is the largest integer d dividing both a and b. It is denoted gcd(a, b) or just
(a, b). As examples: gcd(12, 18) = 6, gcd(12, 19) = 1.
To get the fraction 12/18 into lowest terms, cancel the 6's. The fraction 12/19 is
already in lowest terms.
If you have the factorization of a and b written out, then take the product of the
primes to the minimum of the two exponents, for each prime, to get the
gcd. 2520 = 2^3 · 3^2 · 5^1 · 7^1
and 2700 = 2^2 · 3^3 · 5^2 · 7^0 so gcd(2520, 2700) = 2^2 · 3^2 · 5^1 · 7^0 = 180.
Note 2520/180 = 14, 2700/180 = 15 and gcd(14, 15) = 1. We say that two numbers
with gcd equal to 1 are relatively prime.
Factoring is slow with large numbers. The Euclidean algorithm for gcd'ing is very fast
with large numbers. Find gcd(329, 119). Recall long division. When dividing 119 into
329 you get 2 with remainder of 91. At each step, the previous divisor and remainder
become the new dividend and divisor.
329 = 2 · 119 + 91
119 = 1 · 91 + 28
91 = 3 · 28 + 7
28 = 4 · 7 + 0
The number above the 0 is the gcd. So gcd(329, 119) = 7.
Part II -Cryptography
In this section we shall introduce the major methods of encryption, hashing and
signatures.

5 Simple Cryptosystems
Let P be the set of possible plaintext messages. For example it might be the set {A,
B, . . . , Z} of size 26 or the set {AA, AB, . . . , ZZ} of size 26^2. Let C be the set of
possible ciphertext messages.
An enciphering transformation f is a map from P to C. f shouldn't send different
plaintext messages to the same ciphertext message (so f should be one-to-one or
injective).
We'll start with a cryptosystem based on single letters. You can replace letters by
other letters. Having a weird permutation is slow, like A → F, B → Q, C → N, . . . . There's
less storage if you have a mathematical rule to govern encryption and decryption.
Shift transformation: P is the plaintext letter/number, A = 0, B = 1, . . . , Z = 25. The Caesar
cipher is an example: encryption is given by C ≡ P + 3 (mod 26) and so decryption is
given by P ≡ C − 3 (mod 26). If you have an N letter alphabet, a shift enciphering
transformation is C ≡ P + b (mod N) where b is the encrypting key and −b is the
decrypting key.

6. Symmetric key cryptography
In a symmetric key cryptosystem, Alice and Bob must agree on a secret, shared key
ahead of time. We will consider stream ciphers and block ciphers.
7. CRYPTOGRAPHY ALGORITHMS
7.1 SYMMETRIC KEY ALGORITHMS
I. BLOCK CIPHERS
Symmetric (secret key) encryption schemes use the same key for encryption and
decryption and usually have predefined key lengths. They provide a high security
and a high performance, but suffer from the key exchange problem. A group of n
entities needs to exchange n*(n−1)/2 different keys over secure channels. The
current state of the art in symmetric encryption is surely given by the five finalists of
the AES selection process. In the AES competition, the winner, Rijndael, got 86
votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes, RC6
23 votes and MARS 13 votes (Nechvatal et al.).

A. RIJNDAEL
Rijndael, is a block cipher adopted as an encryption standard by the US government.
It is expected to be used worldwide and analysed extensively, as was the case with
its predecessor, the Data Encryption Standard (DES). AES was adopted by National
Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November
2001 after a 5-year standardization process.
The cipher was developed by two Belgian cryptographers, Joan Daemen and
Vincent Rijmen, and submitted to the AES selection process under the name
"Rijndael", a combination of the names of the inventors. Strictly speaking, AES is not
precisely Rijndael (although in practice they are used interchangeably) as Rijndael
supports a larger range of block and key sizes; AES has a fixed block size of 128
bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with
key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a
maximum of 256 bits. The key is expanded using Rijndael's key schedule. Most of
AES calculations are done in a special finite field. AES operates on a 4×4 array of
bytes, termed the state; versions of Rijndael with a larger block size have additional
columns in the state.
For encryption, each round of AES, except the last round consists of four stages:
- AddRoundKey: each byte of the state is combined with the round key; each
round key is derived from the cipher key using a key schedule.
- SubBytes: a non-linear substitution step where each byte is replaced with
another according to a lookup table.
- ShiftRows: a transposition step where each row of the state is shifted cyclically
a certain number of steps.
- MixColumns: a mixing operation which operates on the columns of the state,
combining the four bytes in each column using a linear transformation.
The final round replaces the MixColumns stage with another instance of AddRoundKey.
SECURITY
As of 2006, the only successful attacks against AES have been side channel attacks.
The National Security Agency (NSA) reviewed all the AES finalists, including
Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced [9] that AES may be
used for classified information:
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and
256) are sufficient to protect classified information up to the SECRET level. TOP
SECRET information will require use of either the 192 or 256 key lengths. The
implementation of AES in products intended to protect national security systems
and/or information must be reviewed and certified by NSA prior to
their acquisition and use."
This marks the first time that the public has had access to a cipher approved by NSA
for TOP SECRET information. It is interesting to note that many public products use
128-bit secret keys by default; it is possible that NSA suspects a fundamental
weakness in keys this short, or they may simply prefer a safety margin for top secret
documents (which may require security decades into the future). The most common
way to attack block ciphers is to try various attacks on versions of the cipher with a
reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192bit keys, and 14 rounds for 256-bit keys. As of 2006, the best known attacks are on 7
rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.
Some cryptographers worry about the security of AES. They feel that the margin
between the number of rounds specified in the cipher and the best known attacks is
too small for comfort. The risk is that some way to improve these attacks might be
found and that, if so, the cipher could be broken. In this meaning, a cryptographic
"break" is anything faster than an exhaustive search, so an attack against 128-bit
key AES requiring 'only' 2^120 operations would be considered a break even though it
would be, now, quite unfeasible. In practical application, any break of AES which is
only this 'good' would be irrelevant. For the moment, such concerns can be ignored.
The largest publicly-known brute-force attack has been against a 64 bit RC5 key by
distributed.net (finishing in 2002; Moore's Law implies that this is roughly equivalent
to an attack on a 66-bit key today). Another concern is the mathematical structure of
AES. Unlike most other block ciphers, AES has a very neat mathematical description.
This has not yet led to any attacks, but some researchers are worried that future
attacks may find a way to exploit this structure. In 2002, a theoretical attack, termed
the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, showing a
potential weakness in the AES algorithm. Several cryptography experts have found
problems in the underlying mathematics of the proposed attack, suggesting that the
authors may have made a mistake in their estimates. Whether this line of attack can
be made to work against AES remains an open question. For the moment, the XSL
attack against AES appears speculative; it is unlikely that
anyone could carry out the current attack in practice.
B. CAMELLIA
The cipher was developed jointly by Mitsubishi and NTT in 2000 , and has similar
design elements to earlier block ciphers (E2 and MISTY1) from these companies.
Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys —
the same interface as the Advanced Encryption Standard. It is a Feistel cipher with
either 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits).
Every six rounds, a logical transformation layer is applied: the so-called "FL-function"
or its inverse. The cipher also uses input and output key whitening.
We will focus on the use of the Camellia block cipher algorithm in Cipher Block
Chaining Mode, with an explicit Initialization Vector, as a confidentiality mechanism
within the context of the IPsec Encapsulating Security Payload (ESP). Camellia was
selected as a recommended cryptographic primitive by the EU NESSIE (New
European Schemes for Signatures, Integrity and Encryption) project and was
included in the list of cryptographic techniques for Japanese e-Government systems
that was selected by the Japan CRYPTREC (Cryptography Research, Evaluation
Committees). Camellia has been submitted to several other standardization bodies,
such as ISO (ISO/IEC 18033) and the IETF S/MIME Mail Security Working Group.
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the
same interface specifications as the Advanced Encryption Standard (AES). Camellia
is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT
and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known
cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic
experts. Camellia is suitable for implementation in software and hardware, offering
encryption speed in software and hardware implementations that is comparable to
AES.
Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key
size is 128 bits, and all implementations must support this key size. Implementations
may also support key sizes of 192 bits and 256 bits. Camellia uses a different
number of rounds for each of the defined key sizes. When a 128-bit key is used,
implementations must use 18 rounds. When a 192-bit key is used, implementations
must use 24 rounds. When a 256-bit key is used, implementations must use 24
rounds. At the time of writing this document, there are no known weak keys for
Camellia.
SECURITY
Implementations are encouraged to use the largest key sizes they can, taking into
account performance considerations for their particular hardware and software
configuration. Note that encryption necessarily affects both sides of a secure
channel, so such consideration must take into account not only the client side, but
also the server.
However, a key size of 128 bits is considered secure for the foreseeable future. No
security problem has been found on Camellia [CRYPTREC]. Although patented,
Camellia is available under a royalty-free license.
II. STREAM CIPHERS
A. RABBIT
Rabbit is a high-speed stream cipher first presented in February 2003 at the 10th
FSE workshop by Martin Boesgaard, Mette Vesterager, Thomas Christensen and
Erik Zenner. In May 2005, it was submitted to the eSTREAM. Cryptico has patented
the algorithm and requires a license fee for commercial use of the cipher. The
license fee is waived for non-commercial uses.
The internal state of the stream cipher consists of 513 bits. 512 bits are divided
between eight 32-bit state variables x_{j,i} and eight 32-bit counter variables c_{j,i}, where
x_{j,i} is the state variable of subsystem j at iteration i, and c_{j,i} denotes the corresponding
counter variable. There is one counter carry bit, φ_{7,i}, which needs to be stored
between iterations. This counter carry bit is initialized to zero. The eight state
variables and the eight counters are derived from the key at initialization.
The algorithm is initialized by expanding the 128-bit key into both the eight state
variables and the eight counters such that there is a one-to-one correspondence
between the key and the initial state variables, x_{j,0}, and the initial counters, c_{j,0}.
The key, K[127..0], is divided into eight subkeys: k0 = K[15..0], k1 = K[31..16], ..., k7
= K[127..112].

The state and counter variables are initialized from the subkeys as follows:
The system is iterated four times, according to the next-state function defined below,
to diminish correlations between bits in the key and bits in the internal state
variables. Finally, the counter values are re-initialized according to:
c_{j,4} = c_{j,4} XOR x_{(j+4 mod 8),4}
to prevent recovery of the key by inversion of the counter system. The core of the
Rabbit algorithm is the iteration of the system defined by the following equations:
x_{0,i+1} = g_{0,i} + (g_{7,i} <<< 16) + (g_{6,i} <<< 16)
x_{1,i+1} = g_{1,i} + (g_{0,i} <<< 8) + g_{7,i}
x_{2,i+1} = g_{2,i} + (g_{1,i} <<< 16) + (g_{0,i} <<< 16)
x_{3,i+1} = g_{3,i} + (g_{2,i} <<< 8) + g_{1,i}
x_{4,i+1} = g_{4,i} + (g_{3,i} <<< 16) + (g_{2,i} <<< 16)
x_{5,i+1} = g_{5,i} + (g_{4,i} <<< 8) + g_{3,i}
x_{6,i+1} = g_{6,i} + (g_{5,i} <<< 16) + (g_{4,i} <<< 16)
x_{7,i+1} = g_{7,i} + (g_{6,i} <<< 8) + g_{5,i}
g_{j,i} = ((x_{j,i} + c_{j,i})^2 XOR ((x_{j,i} + c_{j,i})^2 >> 32)) mod 2^32
where all additions are modulo 2^32 and <<< denotes a 32-bit left rotation.
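The g-function, the next-state update and the counter re-initialization above, written out as an added Python example (this is neither the notes' own code nor the reference Rabbit implementation). The key expansion and the counter update are not given on this page, so the counters are taken as plain input, and the state values used at the bottom are constructed for illustration.

```python
# Added example: Rabbit's next-state function from the equations in the text.
# Everything is 32-bit arithmetic; Python ints are masked to emulate that.
MASK32 = 0xFFFFFFFF


def rotl32(v, n):
    """32-bit left rotation, written <<< in the equations."""
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32


def g(x, c):
    """g = ((x + c)^2 XOR ((x + c)^2 >> 32)) mod 2^32.

    x + c is reduced mod 2^32 first (all additions are modulo 2^32), so the
    square is at most 64 bits; the result is its low half XOR its high half."""
    u = (x + c) & MASK32
    sq = u * u
    return (sq ^ (sq >> 32)) & MASK32


def next_state(x, c):
    """One iteration: state x[0..7] and counters c[0..7] at step i -> state at i+1."""
    assert len(x) == 8 and len(c) == 8
    gv = [g(x[j], c[j]) for j in range(8)]
    return [
        (gv[0] + rotl32(gv[7], 16) + rotl32(gv[6], 16)) & MASK32,
        (gv[1] + rotl32(gv[0], 8) + gv[7]) & MASK32,
        (gv[2] + rotl32(gv[1], 16) + rotl32(gv[0], 16)) & MASK32,
        (gv[3] + rotl32(gv[2], 8) + gv[1]) & MASK32,
        (gv[4] + rotl32(gv[3], 16) + rotl32(gv[2], 16)) & MASK32,
        (gv[5] + rotl32(gv[4], 8) + gv[3]) & MASK32,
        (gv[6] + rotl32(gv[5], 16) + rotl32(gv[4], 16)) & MASK32,
        (gv[7] + rotl32(gv[6], 8) + gv[5]) & MASK32,
    ]


def reinit_counters(x, c):
    """c[j] = c[j] XOR x[(j+4) mod 8]: the step applied after the four key-setup
    iterations so the key cannot be recovered by inverting the counter system."""
    return [c[j] ^ x[(j + 4) % 8] for j in range(8)]


if __name__ == "__main__":
    # Constructed state: only x[0] is non-zero, counters all zero, so the
    # propagation of g(x[0]) into x[1] (rotated 8) and x[2] (rotated 16) is visible.
    x0 = [1, 0, 0, 0, 0, 0, 0, 0]
    c0 = [0] * 8
    print([hex(v) for v in next_state(x0, c0)])
    print(reinit_counters(list(range(8)), c0))
```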
SECURITY
As of March 2006, no cryptographic weaknesses are known.
PERFORMANCE
Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed
with high performance in software in mind, where fully optimized implementations
achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7
cycles per byte on an ARM7. However, the cipher also turns out to be very fast and
compact in hardware. The core component of the cipher is a bitstream generator
which encrypts 128 message bits per iteration. The cipher's strength rests on strong
mixing of its inner state between two consecutive iterations. The mixing function is
entirely based on arithmetical operations that are available on a modern processor,
i.e., no S-boxes or lookup tables are required to implement the cipher.

8 Finite fields
If p is a prime we rename Z/pZ = F_p, the field with p elements = {0, 1, . . . , p − 1} with
+, −, ×. Note all elements α other than 0 have gcd(α, p) = 1 so we can find α^−1 (mod p).
So we can divide by any non-0 element. So it's like other fields like the rationals,
reals and complex numbers. F_p^* is {1, . . . , p − 1}; here we do ×, ÷. Note F_p^* has φ(p −
1) generators g (also called primitive roots of p). The sets {g, g^2, g^3, . . . , g^(p−1)} and
{1, 2, . . . , p−1} are the same (though the elements will be in different orders).
Example, F_5^*, g = 2: 2^1 = 2, 2^2 = 4, 2^3 = 3, 2^4 = 1. Also g = 3: 3^1 = 3, 3^2 = 4, 3^3 = 2,
3^4 = 1. For F_7^*, 2^1 = 2, 2^2 = 4, 2^3 = 1, 2^4 = 2, 2^5 = 4, 2^6 = 1, so 2 is not a generator. g =
3: 3^1 = 3, 3^2 = 2, 3^3 = 6, 3^4 = 4, 3^5 = 5, 3^6 = 1.
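The Euclidean algorithm of section 4 and the inverses and primitive roots of F_p just discussed, as one added Python example (not part of the original notes). It reproduces the long-division table for gcd(329, 119), computes α^−1 (mod p) with the extended Euclidean algorithm, and checks which g are generators of F_5^* and F_7^*; all numbers used are the notes' own.

```python
# Added example: gcd, modular inverse and primitive roots (standard library only).

def gcd_steps(a, b):
    """Return (gcd, steps); each step is (dividend, quotient, divisor, remainder),
    i.e. one line 'a = q * b + r' of the long-division table in the notes."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r          # previous divisor and remainder become new dividend and divisor
    return a, steps          # the number above the final 0 is the gcd


def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b (Bezout coefficients)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(alpha, p):
    """alpha^-1 mod p.  It exists exactly when gcd(alpha, p) = 1, which holds for
    every non-zero alpha when p is prime: that is why we can divide in F_p."""
    g, s, _ = extended_gcd(alpha % p, p)
    if g != 1:
        raise ValueError(f"{alpha} has no inverse mod {p} (gcd = {g})")
    return s % p


def powers_mod(g, p):
    """[g^1, g^2, ..., g^(p-1)] mod p, the list compared with {1, ..., p-1}."""
    return [pow(g, k, p) for k in range(1, p)]


def is_generator(g, p):
    """g is a primitive root of p iff its powers run through all of F_p^*."""
    return sorted(powers_mod(g, p)) == list(range(1, p))


def generators(p):
    return [g for g in range(1, p) if is_generator(g, p)]


def euler_phi(n):
    """phi(n) = number of 1 <= k <= n with gcd(k, n) = 1; the notes state that
    F_p^* has phi(p - 1) generators."""
    return sum(1 for k in range(1, n + 1) if gcd_steps(k, n)[0] == 1)


if __name__ == "__main__":
    g, steps = gcd_steps(329, 119)
    for a, q, b, r in steps:
        print(f"{a} = {q} * {b} + {r}")
    print("gcd(329, 119) =", g)
    print("gcd(2520, 2700) =", gcd_steps(2520, 2700)[0])
    print("3^-1 mod 7 =", mod_inverse(3, 7))
    for p in (5, 7):
        print(f"generators of F_{p}^*: {generators(p)}, phi({p - 1}) = {euler_phi(p - 1)}")
```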

9 Modern stream ciphers
Modern stream ciphers are symmetric key cryptosystems. So Alice and Bob must
agree on a key beforehand. The plaintext is turned into ASCII. So the plaintext Go
would be encoded as 0100011101101111. There's a given (pseudo)random bit
generator. Alice and Bob agree on a seed, which acts as the symmetric/shared
/secret key. They both generate the same random bit stream like
0111110110001101, which we call the keystream. Alice gets the ciphertext by bit-by-bit
XOR'ing, i.e. bit-by-bit addition mod 2: 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0.
We could sequentially use the letters of a key word as key letters for monoalphabetic
substitution of sequential plaintext letters from separate substitution alphabets, equal
in number to the number of letters in the key. This polyalphabetic substitution cipher
blurs the statistics of the letter frequencies to an almost flat probability distribution.
Its modern version is the byte-by-byte addition of a key-stream to the plaintext - a
Vernam cipher. For all its apparent complexity, however, if you sample its cipher-text
at letter intervals equal to the length of the key, the old statistics jump out at you.
Friedman's brilliant index of coincidence statistic will betray that key length.
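The shift cipher of section 5 extended to the repeating-key polyalphabetic cipher described above, together with Friedman's index of coincidence used to recover the key length from ciphertext alone, as an added Python example (not from the original notes). The sample English text and the keyword are constructed for the demonstration; letters are encoded A = 0, ..., Z = 25 as in section 1.

```python
# Added example: shift / polyalphabetic substitution and the index of coincidence.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)                    # 26-letter alphabet


def encode(text):
    """Non-secret encoding: letters -> 0..25, non-letters dropped."""
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def decode(nums):
    return "".join(ALPHABET[n % N] for n in nums)


def shift_encrypt(plain, b):
    """C = P + b (mod N); b = 3 is the Caesar cipher."""
    return decode(p + b for p in encode(plain))


def shift_decrypt(cipher, b):
    """P = C - b (mod N); -b is the decrypting key."""
    return decode(c - b for c in encode(cipher))


def polyalphabetic_encrypt(plain, keyword):
    """Key letter i (cycled) is the shift for plaintext letter i: one
    substitution alphabet per key letter."""
    key = encode(keyword)
    return decode(p + key[i % len(key)] for i, p in enumerate(encode(plain)))


def polyalphabetic_decrypt(cipher, keyword):
    key = encode(keyword)
    return decode(c - key[i % len(key)] for i, c in enumerate(encode(cipher)))


def index_of_coincidence(nums):
    """Probability that two letters drawn from the sample are equal: about 0.065
    for English text, about 1/26 = 0.038 for a flat letter distribution.  A
    single shift permutes the letters but leaves this statistic unchanged."""
    n = len(nums)
    if n < 2:
        return 0.0
    counts = Counter(nums)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def ioc_by_period(cipher, max_period=20):
    """Average IoC of the columns obtained by sampling every k-th letter.  At the
    true key length every column is a plain shift cipher, so the English
    statistics 'jump out' and the IoC rises back toward 0.065."""
    nums = encode(cipher)
    scores = {}
    for k in range(1, max_period + 1):
        cols = [nums[i::k] for i in range(k)]
        scores[k] = sum(index_of_coincidence(c) for c in cols) / k
    return scores


def guess_key_length(cipher, max_period=20):
    """Smallest period whose column IoC comes close to the best one (multiples
    of the true period score high too, so prefer the smallest)."""
    scores = ioc_by_period(cipher, max_period)
    best = max(scores.values())
    return min(k for k, s in scores.items() if s >= 0.9 * best)


# Constructed sample plaintext (not from the notes).
SAMPLE_PLAINTEXT = (
    "THE MAIN GOAL OF CRYPTOGRAPHY IS TO KEEP THE CONTENT OF A MESSAGE FROM "
    "EVERYONE EXCEPT THOSE WHO ARE AUTHORIZED TO READ IT. A SHIFT CIPHER REPLACES "
    "EACH LETTER BY THE LETTER A FIXED NUMBER OF PLACES FURTHER ALONG THE ALPHABET, "
    "AND BECAUSE THE SAME SUBSTITUTION IS APPLIED EVERYWHERE THE FREQUENCIES OF THE "
    "PLAINTEXT LETTERS SURVIVE UNCHANGED IN THE CIPHERTEXT. A POLYALPHABETIC CIPHER "
    "USES SEVERAL SHIFTS IN TURN AND SO FLATTENS THE FREQUENCIES, BUT IF THE KEY "
    "REPEATS THEN SAMPLING THE CIPHERTEXT AT INTERVALS EQUAL TO THE KEY LENGTH "
    "RECOVERS THE OLD STATISTICS, AND THE INDEX OF COINCIDENCE MEASURES EXACTLY THAT."
)

if __name__ == "__main__":
    ct = polyalphabetic_encrypt(SAMPLE_PLAINTEXT, "LEMON")   # constructed 5-letter key
    for k, s in ioc_by_period(ct, 8).items():
        print(f"period {k}: IoC {s:.4f}")
    print("guessed key length:", guess_key_length(ct, 8))
```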
NOTE: An excellent source for understanding how many ways have been devised to
break apparently clever ciphers is US Army Field Manual FM-34-40-2, Basic
Cryptanalysis, the successor to TM 32-220. It will quickly show you why professional
creation of ciphers is restricted to those with proven experience in breaking the
codes and ciphers of others.
To counter this attack, we must have a secret key-stream as long as the message. If
it is used twice on messages of the same length, adding the two cipher-text streams
will cancel it out, leaving non-uniformly distributed letters for statistical cryptanalysis.
To be unbreakable, the key-stream must come from a onetime pad of length equal to
that of all the data bytes encrypted. All this keying material must be kept secret.
This horrendous keying materials management problem for the only proven
unbreakable cipher has led to searches for keying material generators which can
substitute. However, all such schemes are based on algorithms, and must therefore
leave patterns in the key streams for statistical analyses that can break them.
Their cryptographic strength is therefore a matter of degree (the cryptanalyst's work
factor), not an absolute. However, that strength can still be formidable.
One technique for achieving it is the use of Feistel networks, that generate blocks of
key stream from blocks of the message itself, through multiple rounds of groups of
permutations and substitutions, each dependent on transformations of a key. If they
are specifically structured to thwart all the known statistical cryptanalysis methods,
their cryptanalytic work factor can be made as large as that for exhaustive key
search.

9.1 RC4
RC4 is the most widely used stream cipher. It was invented by Ron Rivest (the R of RSA) in
1987. The RC stands for Ron's code. The pseudo-random bit generator was kept
secret. The source code was published anonymously on the Cypherpunks mailing list in
1994.

9.2 One-time pads
If the key (not the key stream) for a stream cipher is random and as long as the
plaintext then this is called a one-time-pad. The key must never be used again.
Cryptanalysis is provably impossible. This was used by Russians during the cold war
and by the phone linking the White House and the Kremlin. It is very impractical.

10 Modern Block Ciphers
Most encryption now is done using block ciphers. The two most important historically
have been the Data Encryption Standard (DES) and the Advanced Encryption
Standard (AES). DES has a 56 bit key and 64 bit plaintext and ciphertext blocks.
AES has a 128 bit key, and 128 bit plaintext and ciphertext blocks.

10.1 Modes of Operation of a Block Cipher
NIST has defined five modes of operation:
CBC (Cipher Block Chaining),
ECB (Electronic Codebook),
CFB (Cipher Feedback),
OFB (Output Feedback), and
CTR (Counter).
The CBC mode is well defined and well understood for symmetric ciphers, and it is
currently required for all other ESP (IPsec Encapsulating Security Payload) ciphers.

ECB: The simplest of the encryption modes is the electronic codebook (ECB) mode,
in which the message is split into blocks and each is encrypted separately. The
disadvantage of this method is that identical plaintext blocks are encrypted to
identical ciphertext blocks; thus, it does not hide data patterns well. In some senses
it doesn't provide message confidentiality at all, and it is not recommended for
cryptographic protocols.
CBC: In the cipher-block chaining (CBC) mode, each block of plaintext is XOR-ed
with the previous ciphertext block before being encrypted. This way, each cipher text
block is dependent on all plaintext blocks up to that point. Also, to make each
message unique, an initialization vector is used in the first block.

CFB: The cipher feedback (CFB) mode, a close relative of CBC, makes a block
cipher into a self-synchronizing stream cipher. The operation is very similar; in
particular, CFB decryption is almost identical to CBC decryption performed
in reverse.

OFB: The output feedback (OFB) mode makes a block cipher into a synchronous
stream cipher: it generates keystream blocks, which are then XORed with the
plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit
in the ciphertext produces a flipped bit in the plaintext at the same location. This
property allows many error correcting codes to function normally even if applied
before encryption. Because of the symmetry of the XOR operation, encryption and
decryption are exactly the same.

CTR: Like OFB, counter mode turns a block cipher into a stream cipher. It
generates the next keystream block by encrypting successive values of a "counter".
The counter can be any simple function which produces a sequence which is
guaranteed not to repeat for a long time, although an actual counter is the simplest
and most popular. CTR mode has very similar characteristics to OFB, but also allows
a random access property for decryption and is provably secure if the block cipher is
strong. CTR mode is also known as Segmented Integer Counter (SIC) mode.
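To make the Feistel structure and the mode differences concrete, here is an added example (not code from the original text): a toy 64-bit Feistel cipher whose round function is SHA-256 keyed by a subkey, run in ECB, CBC and CTR. The key, IV, nonce and plaintext are constructed; the cipher is for illustration only and has none of the analysis that DES or AES received.

```python
import hashlib

BLOCK = 8      # 64-bit blocks: two 32-bit halves, as in DES
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, round_no: int, half: bytes) -> bytes:
    # Key-dependent scrambling of one half; it need not be invertible, which
    # is exactly why the Feistel structure is used.
    return hashlib.sha256(key + bytes([round_no]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round_function(key, r, R))
    return R + L                    # undo the last swap


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Same rounds with the subkeys in reverse order: each round undoes the other.
    R, L = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _round_function(key, r, L)), L
    return L + R


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need whole blocks (no padding in this example)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in _blocks(plaintext))


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = encrypt_block(key, _xor(b, prev))   # chain in the previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_keystream_block(key, nonce, counter):
    # Keystream block i = E_k(nonce || i); the nonce must never repeat under one key.
    return encrypt_block(key, nonce + counter.to_bytes(4, "big"))


def ctr_crypt(key, nonce, data):
    # XOR with keystream: encryption and decryption are the same call; no padding needed.
    out = []
    for i in range(0, len(data), BLOCK):
        out.append(_xor(data[i:i + BLOCK], ctr_keystream_block(key, nonce, i // BLOCK)))
    return b"".join(out)


def ctr_decrypt_block_at(key, nonce, ciphertext, index):
    # Random access: block `index` is recovered without touching earlier blocks.
    chunk = ciphertext[index * BLOCK:(index + 1) * BLOCK]
    return _xor(chunk, ctr_keystream_block(key, nonce, index))


def duplicate_block_count(ciphertext):
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def flip_bit(data, bit_index):
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


# Constructed sample: the plaintext repeats one 16-byte line twice, so blocks
# 0 and 2 are equal, as are blocks 1 and 3.
KEY = b"constructed-key!"
IV = bytes(range(8))
NONCE = b"\x00\x01\x02\x03"
PLAINTEXT = b"ATTACK AT DAWN!!" * 2

if __name__ == "__main__":
    print("ECB duplicate blocks:", duplicate_block_count(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC duplicate blocks:", duplicate_block_count(cbc_encrypt(KEY, IV, PLAINTEXT)))
    ct = ctr_crypt(KEY, NONCE, PLAINTEXT)
    print("flipping a ciphertext bit in CTR flips the same plaintext bit:",
          ctr_crypt(KEY, NONCE, flip_bit(ct, 5)) == flip_bit(PLAINTEXT, 5))
```

The ECB output repeats blocks where the plaintext does, CBC hides that, and the CTR bit-flip shows the malleability described above, which is why a stream-mode ciphertext needs an integrity check alongside it.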

10.2 The Block Cipher DES
The DES cipher was reviewed for NIST (then the National Bureau of Standards) by
the NSA, in its COMSEC role (as opposed to its code-breaking COMINT role). The
values of the constants in the DES S-box substitution tables were specifically chosen
to resist cryptanalytic attacks then known to the NSA, including the then highly
classified concept of differential cryptanalysis. Its key size was chosen to be secure
for at least a decade, while allowing implementations in 1970s integrated circuit
technology.
This 64-bit block cipher has successfully withstood public cryptanalysis for more than
20 years, a record matched by no other. In that time, however, the cost of special-purpose
key-search machines capable of brute-force attacks on its 56-bit key space
has dropped below levels feasible for most governments (and some corporations).
NOTE: A thousand cooperating million-DES-encryptions-per-second machines, an
array affordable by many governments and corporations, could perform the 2^55
trial encryptions required to search half the 56-bit key space of DES (the
amount necessary, on average) in a year. Ten thousand of them could do such an
exhaustive key search in little more than a month. With the speed-per-dollar of such
machines doubling every year or so, DES can hardly be considered secure for long-term
use. Over two decades of unsuccessful cryptanalysis have shown the DES
cipher's cryptographic strength to be, in practical terms, equivalent to the size of its
key. Thus, an obvious place to look for its replacement is a version with a larger key.
TRIPLE-DES CIPHER
Unlike the available alternative block ciphers, the DES cipher has been proven
mathematically to not be an algebraic Group. Consequently, unlike those
alternatives, three-pass encryption with DES yields a product cipher with a key
space dimension equivalent to the sum of the sizes of the independent keys used in
those passes. (Two-pass use of any block cipher is vulnerable to meet-in-the-middle
attacks.) Each additional key-bit doubles the size of the key space. This is a crude,
but extremely effective approach to defeating exhaustive key-search attacks through
many years of increased computing power evolution.
NOTE: This type of product cipher can be attacked by two different types of key-search methods:
(1) the obvious one of searching a 168-bit (3 x 56 bits) key space, requiring an
average of 2^167 triple-DES encryptions to crack the key used for a
particular ciphertext (half the key space); or
(2) pre-computing 2^56 DES decryptions and checking the stored
table of results against an average of 2^111 double-DES encryptions.
The former attack requires a thousand million-DES-encryptions-per-second
machines to run for 10^31 millennia; the latter "only" requires them to
run for 64 million-million millennia, if all one thousand machines can access the
lookup table (which requires 500 million gigabytes of storage). Neither attack is taken
very seriously by professionals, who would attack the key (and all your other keys at
the same time) by exploiting cryptosystem implementation weaknesses or operator
mistakes.
EXPORT CONTROLS
The financial services and banking industry uses the DES cipher to secure trillions of
dollars of transactions. It has been moving toward standardizing on 112-bit (2-key)
triple-DES as its successor for the next century. (In 2-key triple-DES, the same key is
used for the first and third encryptions, requiring less keying material generation.)
However, the US Government has thus far refused to provide the required export
approvals, instead suggesting the use of its Escrowed Encryption Standard (FIPS
PUB 185). This mandates use of the now-declassified Skipjack cipher with an 80-bit
key (16 million times the size of the 56-bit DES key space), and a Law Enforcement
Access Field (LEAF) permitting key recovery without the user's cooperation.
NOTE: The Skipjack cipher is used in the Fortezza and Fortezza Plus encryption
engines for all SBU information in NSA's Multi-level Information System Security
Initiative (MISSI) system. NSA apparently considers this 64-bit block, 32-round,
Feistel network's 80-bit key size to be adequate for fulfilling its SBU INFOSEC
mission for the next decade or two.
Our software cryptosystems employ a full 168-bit (3-key) triple-DES algorithm in
cipher block chaining (CBC) mode. They incorporate neither a LEAF mechanism nor
covert channels for key recovery. (The Professional versions do, however, provide
you with the ability to generate secure split key shares that enable you to offer
emergency access to your encrypted data by multiple trusted parties acting in
concert.)

10.3 The Block Cipher AES
However, DES was not designed with Triple-DES in mind. Undoubtedly there would
be a more efficient algorithm with the same level of safety as Triple-DES. So in 1997,
the National Institute of Standards and Technology (NIST) solicited proposals for
replacements of DES. In 2001, NIST chose 128-bit block Rijndael with a 128-bit key
to become the Advanced Encryption Standard (AES). (If you don't speak Dutch,
Flemish or Afrikaans, then the closest approximation to the pronunciation is
"Rine-doll".) Rijndael is a symmetric-key block cipher designed by Joan Daemen and
Vincent Rijmen.
The Rijndael proposal for AES defined a cipher in which the block length and the key
length can be independently specified to be 128, 192, or 256 bits. The AES
specification uses the same three key size alternatives but limits the block length to
128 bits. A number of AES parameters depend on the key length (Table 1.1). In the
description of this section, we assume a key length of 128 bits, which is likely to be
the one most commonly implemented.

Table 1.1 AES Parameters
Key size (words/bytes/bits)               4/16/128    6/24/192    8/32/256
Plaintext block size (words/bytes/bits)   4/16/128    4/16/128    4/16/128
Number of rounds                          10          12          14
Round key size (words/bytes/bits)         4/16/128    4/16/128    4/16/128
Expanded key size (words/bytes)           44/176      52/208      60/240

Rijndael was designed to have the following characteristics:
Resistance against all known attacks
Speed and code compactness on a wide range of platforms
Design simplicity

About AES Structure:
1. The key that is provided as input is expanded into an array of forty-four 32-bit words.
Four distinct words (128 bits) serve as a round key for each round.
2. Four different stages are used, one of permutation and three of substitution:
o Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the
block
o ShiftRows: A simple permutation
o MixColumns: A substitution that makes use of arithmetic over GF(2^8)
o AddRoundKey: A simple bitwise XOR of the current block with a portion of
the expanded key.
The Finite Field:
Both the key expansion and encryption algorithms of simplified AES depend on an
S-box that itself depends on the finite field with 16 elements.
Let F16 = F2[x]/(x^4 + x + 1). The word nibble refers to a four-bit string, like 1011. We
will frequently associate an element b0·x^3 + b1·x^2 + b2·x + b3 of F16 with the nibble
b0b1b2b3.
The S-box: The S-box is a map from nibbles to nibbles. It can be inverted. (For those
in the know, it is one-to-one and onto, or bijective.)
The Simplified AES Algorithm:
The simplified AES algorithm operates on 16-bit plaintexts and generates 16-bit
ciphertexts, using the expanded key k0 ... k47. The encryption algorithm consists of
the composition of 8 functions applied to the plaintext. Each function operates on a
state. A state consists of 4 nibbles.
The Function AKi: The abbreviation AK stands for add key. The function AKi consists
of XORing Ki with the state so that the subscripts of the bits in the state and the key
bits agree modulo 16.
The Function NS: The abbreviation NS stands for nibble substitution. The function NS
replaces each nibble Ni in a state by S-box(Ni) without changing the order of the
nibbles. So it sends the state.
The Function SR: The abbreviation SR stands for shift row. The function SR takes
the state.
The Function MC: The abbreviation MC stands for mix column. A column [Ni, Nj]
of the state is considered to be the element Ni·z + Nj of F16[z]/(z^2 + 1).
The function MC multiplies each column by the polynomial c(z) = x^2·z + 1.
The simplest way to explain MC is to note that MC sends a column.
The Rounds: The composition of functions AKi ∘ MC ∘ SR ∘ NS is considered to be the
i-th round. So this simplified algorithm has two rounds. There is an extra AK before
the first round and the last round does not have an MC.
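The field arithmetic behind the S-box and the MC step, as an added example (not the text's own code): multiplication in F16 = F2[x]/(x^4 + x + 1), inversion of a nibble, and MixColumns with c(z) = x^2·z + 1 in F16[z]/(z^2 + 1), together with the inverse map found by exhaustive search. The S-box table itself is not given in the text, so only the field and the MC/inverse-MC maps are implemented.

```python
IRREDUCIBLE = 0b10011   # x^4 + x + 1, the modulus of F16 = F2[x]/(x^4 + x + 1)


def gf16_mul(a: int, b: int) -> int:
    """Multiply two nibbles as polynomials over F2, reducing by x^4 + x + 1."""
    result = 0
    for _ in range(4):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:            # degree reached 4: subtract (XOR) the modulus
            a ^= IRREDUCIBLE
    return result & 0xF


def gf16_inv(a: int) -> int:
    """Multiplicative inverse in F16 (the kind of map an AES-style S-box builds on)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F16")
    return next(b for b in range(1, 16) if gf16_mul(a, b) == 1)


def poly_mul_mod_z2_plus_1(p, q):
    """Multiply p = p1*z + p0 and q = q1*z + q0 in F16[z]/(z^2 + 1), where z^2 = 1."""
    p1, p0 = p
    q1, q0 = q
    z_coeff = gf16_mul(p1, q0) ^ gf16_mul(p0, q1)
    const = gf16_mul(p1, q1) ^ gf16_mul(p0, q0)
    return (z_coeff, const)


C = (0b0100, 0b0001)       # c(z) = x^2*z + 1, with x^2 written as the nibble 0100


def mix_column(column, c=C):
    """MC on one column [Ni, Nj], read as the element Ni*z + Nj."""
    return poly_mul_mod_z2_plus_1(c, column)


def inverse_of_c(c=C):
    """Find d with c*d = 1 in F16[z]/(z^2 + 1) by trying all 256 candidates."""
    for d1 in range(16):
        for d0 in range(16):
            if poly_mul_mod_z2_plus_1(c, (d1, d0)) == (0, 1):
                return (d1, d0)
    raise ValueError("c(z) is not invertible")


def inverse_mix_column(column):
    return mix_column(column, inverse_of_c())


def mix_columns_state(state):
    """A state is 4 nibbles [N0, N1, N2, N3]: columns [N0, N1] and [N2, N3]."""
    c0 = mix_column((state[0], state[1]))
    c1 = mix_column((state[2], state[3]))
    return [c0[0], c0[1], c1[0], c1[1]]
```

Because x^4 = x + 1 in this field, x^{-1} = x^3 + 1 (nibble 1001), and the inverse of c(z) works out to x·z + (x^3 + 1), i.e. the nibble pair (0010, 1001), which decryption uses in place of c(z).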
Security
As an encryption standard, AES needs to be resistant to all known cryptanalytic
attacks. Thus, AES was designed to be resistant against these attacks, especially
differential and linear cryptanalysis. To ensure such security, block ciphers in general
must have diffusion and non-linearity.
Efficiency
AES is expected to be used on many machines and devices of various sizes and
processing powers. For this reason, it was designed to be versatile. Versatility
means that the algorithm works efficiently on many platforms, ranging from desktop
computers to embedded devices such as cable boxes.

11 Public Key Cryptography
In a symmetric key cryptosystem, if you know the encrypting key you can quickly
determine the decrypting key (C ≡ aP + b (mod N)), or the two are the same (modern
stream ciphers, AES). In public key cryptography, everyone has a public key and a
private key. There is no known way of quickly determining the private key from the
public key.
Main uses of public-key cryptography:
1) Agree on a key for a symmetric cryptosystem.
2) Digital signatures.
Public-key cryptography is rarely used for message exchange since it is slower than
symmetric key cryptosystems.
11.1 PUBLIC KEY ALGORITHMS
A. RIVEST SHAMIR & ADELMAN (RSA)
RSA involves two keys: public key and private key (a key is a constant number later
used in the encryption formula.) The public key can be known to everyone and is
used to encrypt messages. These messages can only be decrypted by use of the
private key. In other words, anybody can encrypt a message, but only the holder of a
private key can actually decrypt the message and read it. Intuitive example:
Bob wants to send Alice a secret message that only she canread. To do this, Alice
sends Bob a box with an open lock, for which only Alice has the key. Bob receives
the box, he writes the message in plain English, puts it in the box and locks it with
Alice's lock (now Bob can no longer read the message.) Bob sends the box to Alice
and she opens it with her key. In this example, the box with the lock is Alice's public
key, and the key to the lock is her private key.
Key generation
Suppose Alice and Bob are communicating over an insecure (open) channel, and
Alice wants Bob to send her a private (or secure) message. Using RSA, Alice will
take the following steps to generate a public key and a private key:
1. Choose two large prime numbers p and q such that p ≠ q, randomly and
independently of each other.
2. Compute n = p·q.
3. Compute the totient function: φ(n) = (p−1)(q−1).
4. Choose an integer e such that 1 < e < φ(n) which is coprime to φ(n).
5. Compute d such that d·e ≡ 1 (mod φ(n)).
• The prime numbers can be probabilistically tested for primality.
• A popular choice for the public exponent is e = 2^16 + 1 = 65537. Some applications
choose smaller values such as e = 3, 5, or 35 instead. This is done in order to make
implementations on small devices (e.g. smart cards) easier, i.e. encryption and
signature verification are faster. But choosing small public exponents may lead to
greater security risks.
• Steps 4 and 5 can be performed with the extended Euclidean algorithm; see
modular arithmetic.
• Step 3 changed in PKCS#1 v2.0 to λ = lcm(p−1, q−1) instead of φ = (p−1)(q−1).
The public key consists of
• n, the modulus, and
• e, the public exponent (sometimes encryption exponent).
The private key consists of
• n, the modulus, which is public and appears in the public key, and
• d, the private exponent (sometimes decryption exponent), which must be kept
secret.
For reasons of efficiency sometimes a different form of the private key (including
CRT parameters) is stored:
• p and q, the primes from the key generation,
• d mod (p-1) and d mod (q-1) (often known as dmp1 and dmq1)
• (1/q) mod p (often known as iqmp)
Though this form allows faster decryption and signing using the Chinese Remainder
Theorem (CRT), it considerably lowers the security. In this form, all of the parts of
the private key must be kept secret. Yet it is a bad idea to use it, since it enables
side-channel attacks, in particular if implemented on smart cards, which would
most benefit from the efficiency win. (Start with y = x^e mod n and let the card decrypt
that. So it computes y^d (mod p) or y^d (mod q), whose results give some value z. Now
induce an error in one of the computations. Then gcd(z − x, n) will reveal p or q.)
Alice transmits the public key to Bob, and keeps the private key secret. p and q are
sensitive since they are the factors of n, and allow computation of d given e. If p and
q are not stored in the CRT form of the private key, they are securely deleted along
with the other intermediate values from the key generation.
1) Encrypting messages
Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n,
using some previously agreed-upon reversible protocol known as a padding
scheme. Bob now has m, and knows n and e, which Alice has announced. He then
computes the ciphertext c corresponding to m:
c = m^e mod n
This can be done quickly using the method of exponentiation by squaring. Bob then
transmits c to Alice.
2) Decrypting messages
Alice receives c from Bob, and knows her private key d. She can recover m from c
by the following procedure:
m = c^d mod n
Given m, she can recover the original message M. The decryption procedure works
because
c^d ≡ (m^e)^d ≡ m^(ed) (mod n)
Now, since ed ≡ 1 (mod p−1) and ed ≡ 1 (mod q−1),
Fermat's little theorem yields
m^(ed) ≡ m (mod p) and m^(ed) ≡ m (mod q)
Since p and q are distinct prime numbers, applying the Chinese remainder theorem
to these two congruences yields
m^(ed) ≡ m (mod pq). Thus, c^d ≡ m (mod n).
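The key generation, encryption and decryption steps above carried out in code, as an added example (not the text's own): Miller-Rabin primality testing for step 1, λ = lcm(p−1, q−1) for step 3, the CRT form of the private key (dmp1, dmq1, iqmp), and a re-encryption check that refuses to release a CRT result inconsistent with the public key, which is the defence against the induced-error attack described above. Textbook RSA with no padding scheme and demonstration-size keys; the message value is constructed.

```python
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test: the 'probabilistic' primality check of step 1."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2           # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512, e: int = 65537):
    """Steps 1-5, using λ = lcm(p-1, q-1) (PKCS#1 v2.0) in place of (p-1)(q-1)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        lam = math.lcm(p - 1, q - 1)
        if p != q and math.gcd(e, lam) == 1:
            break
    n = p * q
    d = pow(e, -1, lam)                         # step 5: modular inverse (extended Euclid)
    public = (n, e)
    private = {"n": n, "e": e, "d": d, "p": p, "q": q,
               "dmp1": d % (p - 1), "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}
    return public, private


def encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must already be encoded as an integer below n")
    return pow(m, e, n)                         # c = m^e mod n by square-and-multiply


def decrypt(private, c: int) -> int:
    return pow(c, private["d"], private["n"])   # m = c^d mod n


def decrypt_crt(private, c: int, inject_fault: bool = False) -> int:
    """CRT decryption: two half-size exponentiations recombined with iqmp.
    The result is re-encrypted under the public key before it is released, so a
    faulty half-computation produces an error instead of a leaking output."""
    p, q = private["p"], private["q"]
    m_p = pow(c, private["dmp1"], p)
    m_q = pow(c, private["dmq1"], q)
    if inject_fault:
        m_q ^= 1                                 # simulated computation error (constructed)
    h = (private["iqmp"] * (m_p - m_q)) % p
    m = m_q + h * q                              # Garner's recombination
    if pow(m, private["e"], private["n"]) != c:
        raise ValueError("CRT result fails re-encryption check; result withheld")
    return m


def fault_is_detected(private, c: int) -> bool:
    try:
        decrypt_crt(private, c, inject_fault=True)
    except ValueError:
        return True
    return False
```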
PERFORMANCE
RSA is much slower than DES and other symmetric cryptosystems. In practice, Bob
typically encrypts a secret message with a symmetric algorithm, encrypts the
(comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice.
This procedure raises additional security issues. For instance, it is of utmost
importance to use a strong random number generator for the symmetric key,
because otherwise Eve (an eavesdropper wanting to see what was sent) could
bypass RSA by guessing the symmetric key.
SECURITY
Public key algorithms have complex mathematics and need very long keys. Because of
this, public key cryptography is very much slower than secret key cryptography and
needs times which are some orders of magnitude over those of Rijndael.
Because of this, public key encryption is normally only used in hybrid encryption systems,
in which the entities use the public key system to exchange a secret key. This
exchanged key is then used to encrypt the actual message with a symmetric
encryption system. Unlike symmetric systems, the encryption performance of
asymmetric systems may differ significantly from their decryption performance. The
first invented public key encryption system, RSA, is still the most used one. It is
based on the factorization problem. According to Lenstra, RSA currently needs a
modulus size somewhere between 2790 and 3390 bits to meet the security of a
128-bit Rijndael encryption. Rijndael-192 security is reached by a modulus size
somewhere between 7160 and 8200 bits. Rijndael-256 security implies an RSA
modulus between 14200 and 15800 bits. ECRYPT [16] estimates that RSA keys with
lengths of 3072, 7680 and 15360 bits offer security equivalent to Rijndael 128, 192 and
256. The most prominent alternative to RSA is elliptic curve cryptography (ECC). It is
based on the discrete logarithm problem and is faster than RSA because it manages
with shorter keys. According to the table of Lenstra and Verheul, the security of 1024-bit
RSA is met by an ECC key between 138 and 147 bits. ECRYPT estimates a 160-bit
ECC key provides RSA-1024 security. All widely used public key cryptosystems are
broken by efficient algorithms for sufficiently large quantum computers. There is
some research on quantum-safe public key cryptosystems in order to meet this
threat.
11.2 Key Management
As the entire operation is dependent upon the security of the keys, it is sometimes
appropriate to devise a fairly complex mechanism to manage them.
Where a single individual is involved, often direct input of a value or string will
suffice. The 'memorised' value will then be re-input to retrieve the data, similar to
password usage. Sometimes, many individuals are involved, with a requirement for
unique keys to be sent to each for retrieval/decryption of transmitted data. In this
case, the keys themselves may be encrypted. A number of comprehensive and
proven key management systems are available for these situations.

CRYPTOGRAPHY KEY BASICS
The two components required to encrypt data are an algorithm and a key. The
algorithm is generally known and the key is kept secret. The key is a very large
number that should be impossible to guess, and of a size that makes exhaustive
search impractical.
In a symmetric cryptosystem, the 'same key is used for encryption and decryption'.
In an asymmetric cryptosystem, the 'key used for decryption is different from the key
used for encryption'.
THE KEY PAIR:
In an asymmetric system the encryption and decryption keys are different but
related. The encryption key is known as the public key and the decryption key is
known as the private key. The public and private keys are known as a key pair.
Where a certification authority is used, remember that it is the public key that is
certified and not the private key.
KEY COMPONENT:
Keys should whenever possible be distributed by electronic means, enciphered
under previously established higher-level keys. There comes a point, of course when
no higher-level key exists and it is necessary to establish the key manually. A
common way of doing this is to split the key into several parts (components) and
entrust the parts to a number of key management personnel. The idea is that none of
the key parts should contain enough information to reveal anything about the key
itself. Usually, the key is combined by means of the exclusive-OR operation within a
secure environment.
In the case of DES keys, there should be an odd number of components, each
component having odd parity. Odd parity is preserved when all the components are
combined. Further, each component should be accompanied by a key check value to
guard against keying errors when the component is entered into the system.
A key check value for the combined components should also be available as a final
check when the last component is entered. A problem that occurs with depressing
regularity in the real world is when it is necessary to re-enter a key from its
components. This is always an emergency situation, and it is usually found that one
or more of the key component holders cannot be found. For this reason it is prudent
to arrange matters so that the components are distributed among the key holders in
such a way that not all of them need to be present.
For example, if there are three components (C1, C2, and C3) and three key holders
(H1, H2, H3) then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could
have (C1, C2). In this arrangement any two out of the three key holders would be
sufficient.
In more sophisticated systems the components may be held on smart cards.
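The component scheme just described, as an added example (not the text's own code): an odd number of odd-parity components whose XOR is the key, a key check value (KCV) for each component and for the combined key, and the 2-of-3 distribution H1:(C2,C3), H2:(C1,C3), H3:(C1,C2). The KCV here is a truncated SHA-256 of the key, a constructed stand-in for the usual "encrypt a zero block" check, since the standard library has no DES.

```python
import hashlib
import secrets

KEY_LEN = 8   # single-length DES key: 8 bytes, 56 key bits plus 8 parity bits


def set_odd_parity(key: bytes) -> bytes:
    """Force each byte to an odd number of 1 bits, using the low bit as DES does."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 == 1 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def key_check_value(key: bytes) -> str:
    """Short value an operator can read back to catch keying errors (stand-in KCV)."""
    return hashlib.sha256(key).hexdigest()[:6]


def xor_all(parts):
    acc = bytes(KEY_LEN)
    for p in parts:
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_key(key: bytes, n_components: int = 3):
    """n odd-parity components whose XOR is `key`. With n odd, XORing odd-parity
    components again gives odd parity, so the last component needs no fix-up."""
    if n_components % 2 == 0:
        raise ValueError("use an odd number of components")
    if not has_odd_parity(key):
        raise ValueError("key must have odd parity")
    components = [set_odd_parity(secrets.token_bytes(KEY_LEN))
                  for _ in range(n_components - 1)]
    components.append(bytes(k ^ c for k, c in zip(key, xor_all(components))))
    return components


def combine(entered, expected_kcvs, final_kcv):
    """Enter components one by one, checking each against its KCV, then check the
    combined key against the final KCV before accepting it."""
    for comp, kcv in zip(entered, expected_kcvs):
        if key_check_value(comp) != kcv:
            raise ValueError("component KCV mismatch: keying error")
    key = xor_all(entered)
    if not has_odd_parity(key) or key_check_value(key) != final_kcv:
        raise ValueError("combined key KCV mismatch")
    return key


def distribute_two_of_three(components):
    """H1 holds (C2, C3), H2 holds (C1, C3), H3 holds (C1, C2)."""
    c1, c2, c3 = components
    return {"H1": (c2, c3), "H2": (c1, c3), "H3": (c1, c2)}


def reconstruct_from_holders(holders, present):
    """Any two of the three holders together have all three components."""
    available = set()
    for name in present:
        available.update(holders[name])
    if len(available) < 3:
        raise ValueError("not enough holders present to recover all components")
    return xor_all(sorted(available))
```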

11.2.1 Finite Field Discrete Logarithm Problem
Let F_q be a finite field. Let g generate F_q^* (the multiplicative group of F_q). Let b ∈ F_q^*. Then g^i = b for some positive
integer i ≤ q − 1. Determining i given F_q, g and b is the finite field discrete logarithm
problem (FFDLP), which is (to our current knowledge) as hard as factoring.
Example. 2 generates F_101^*. So we know 2^i = 3 (i.e. 2^i ≡ 3 (mod 101)) has a solution.
It is i = 69. Similarly, we know 2^i = 5 has a solution; it is i = 24. How could you solve
such problems faster than brute force? In Sections 30.1 and 30.3.3 we present
solutions faster than brute force. But they are nonetheless not fast. End example.
For cryptographic purposes we take 10^300 < q < 10^600, where q is a (large) prime or of
the form 2^d. Notation: if g^i = b then we write log_g(b) = i. Recall the logarithms you
have already learned: log_10(1000) = 3 since 10^3 = 1000, and ln(e^2) = log_e(e^2) = 2. In
the above example, for q = 101 we have log_2(3) = 69 (since 2^69 ≡ 3 (mod 101)).
The best known algorithms for solving the FFDLP take as long as those for factoring,
and so are sub-exponential.

11.2.3 Diffie-Hellman key agreement
Diffie-Hellman key agreement over a finite field (FFDH) is commonly used. For a
group of users A, B, C, etc. we fix q and g (a generator of F_q^*). The numbers q and g
are used for the whole system. Each user has a private key a (a_A, a_B, a_C, ...) with 1
< a < q−1 and a public key, which is the reduction of g^a in the field F_q. Each user
publishes (the reductions of) g^(a_A), g^(a_B), ... in a directory or on their websites.
Note, often you create a new a_A, g^(a_A) for each transaction. Alice would then need to
send g^(a_A) to Bob at the beginning and vice versa.
If Alice and Bob want to agree on a key for AES, they use the reduction of g^(a_A·a_B). Alice
can compute this since she looks up g^(a_B) and raises it to a_A. Bob can compute this
since he looks up g^(a_A) and raises it to a_B. Eve has q, g, g^(a_A), g^(a_B) but cannot seem to find
g^(a_A·a_B) without solving the FFDLP. This often seems amazing. She can find g^(a_A)·g^(a_B) = g^(a_A + a_B), but that's useless. To get g^(a_A·a_B), she needs to raise g^(a_A), for example, to a_B. To
get a_B she could try to use g and g^(a_B). But determining a_B from g and g^(a_B) is the FFDLP,
for which there is no known fast solution.
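The FFDLP example (q = 101, g = 2) and the Diffie-Hellman exchange above, as an added example (not the text's own code). The brute-force search is the method the text mentions; the baby-step giant-step routine is one generic method that is faster than brute force, included here to show why q must be enormous: with the toy parameters Eve recovers a_B and the shared key in a few steps.

```python
import math


def brute_force_dlog(g: int, b: int, q: int):
    """Smallest i >= 0 with g^i ≡ b (mod q), trying every exponent in turn."""
    acc = 1
    for i in range(q - 1):
        if acc == b:
            return i
        acc = acc * g % q
    return None


def bsgs_dlog(g: int, b: int, q: int):
    """Baby-step giant-step: about 2*sqrt(q) multiplications and sqrt(q) table entries."""
    m = math.isqrt(q) + 1
    baby = {}
    acc = 1
    for j in range(m):                  # baby steps: remember g^j
        baby.setdefault(acc, j)
        acc = acc * g % q
    giant = pow(g, -m, q)               # g^(-m)
    gamma = b % q
    for i in range(m):                  # giant steps: b * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]  # b = g^(i*m + j)
        gamma = gamma * giant % q
    return None


def dh_public(q: int, g: int, private: int) -> int:
    return pow(g, private, q)           # reduction of g^a in F_q


def dh_shared(q: int, peer_public: int, private: int) -> int:
    return pow(peer_public, private, q) # (g^b)^a = g^(ab)


def eve_recovers_shared(q: int, g: int, pub_a: int, pub_b: int) -> int:
    """Feasible only because q is tiny: solve the FFDLP for a_B, then raise g^(a_A) to it."""
    a_b = bsgs_dlog(g, pub_b, q)
    return pow(pub_a, a_b, q)


Q, G = 101, 2   # the text's example: 2 generates F_101^*

if __name__ == "__main__":
    a_alice, a_bob = 24, 69             # constructed private keys
    pub_alice, pub_bob = dh_public(Q, G, a_alice), dh_public(Q, G, a_bob)
    print("public values:", pub_alice, pub_bob)
    print("shared key (both sides):", dh_shared(Q, pub_bob, a_alice), dh_shared(Q, pub_alice, a_bob))
    print("g^(aA+aB), useless to Eve:", pub_alice * pub_bob % Q)
    print("Eve via small-q discrete log:", eve_recovers_shared(Q, G, pub_alice, pub_bob))
```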

11.2.4 Elliptic curve cryptography
Elliptic curves
An elliptic curve is a curve described by an equation of the form y^2 + a1·xy + a3·y = x^3 +
a2·x^2 + a4·x + a6, together with an extra point, the 0-point (the point at infinity).

12 Hash Functions and Message Authentication Codes
Hash Functions take a block of data as input, and produce a hash or message digest
as output. The usual intent is that the hash can act as a signature for the original
data, without revealing its contents. Therefore, it's important that the hash function
be irreversible - not only should it be nearly impossible to retrieve the original data, it
must also be unfeasible to construct a data block that matches some given hash
value. Randomness, however, has no place in a hash function, which should be
completely deterministic.
Given the exact same input twice, the hash function should always produce the
same output. Even a single bit changed in the input, though, should produce a
different hash value. The hash value should be small enough to be manageable in
further manipulations, yet large enough to prevent an attacker from randomly finding
a block of data that produces the same hash. In cryptography, a cryptographic
hash function is a hash function with certain additional security properties to make it
suitable for use as a primitive in various information security applications, such as
authentication and message integrity. A hash function takes a string (or
message) of any length as input and produces a fixed-length string as output,
sometimes termed a message digest or a digital fingerprint.
A typical use of a cryptographic hash would be as follows: Alice poses to Bob a
tough math problem and claims she has solved it. Bob would like to try it himself, but
would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her
solution, appends a random nonce, computes its hash and tells Bob the hash value
(whilst keeping the solution secret). This way, when Bob comes up with the solution
himself a few days later; Alice can verify his solution but still be able to prove that
she had the solution earlier. In actual practice, Alice and Bob will often be computer
programs, and the secret would be something less easily spoofed than a claimed
puzzle solution. The above application is called a commitment scheme. Another
important application of secure hashes is verification of message integrity.
Determination of whether or not any changes have been made to a message (or a
file), for example, can be accomplished by comparing message digests calculated
before, and after, transmission (or any other event) (for example, see Tripwire , a
system using this property as a defence against malware and malfeasance). A
message digest can also serve as a means of reliably identifying a file. A related
application is password verification. Passwords are usually not stored in clear text,
for obvious reasons, but instead in digest form. To authenticate a user, the password
presented by the user is hashed and compared with the stored hash. Hashes are
also used to identify files on peer-to-peer file sharing networks. For example, in an
ed2k link the hash is combined with the file size, providing sufficient information for
locating file sources, downloading the file and verifying its contents. Magnet links are
another example. Such file hashes are often the top hash of a hash list or a hash
tree which allows for additional benefits. For both security and performance reasons,
most digital signature algorithms specify that only the digest of the message be
"signed", not the entire message. Hash functions can also be used in the generation
of pseudorandom bits.
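Two of the applications just described, as an added example (not the text's own code): the commitment scheme (solution plus a random nonce, hashed; the hash is published, the solution revealed later) and a hash list whose top hash identifies a file and lets each chunk be verified on arrival. SHA-256 from hashlib is used; the fixed nonce length and 4-byte chunk size are this example's own choices, and the file contents are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # fixed length, so solution and nonce split unambiguously


def commit(solution: bytes):
    """Alice: hash solution || nonce and publish the digest; keep solution and nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(solution + nonce).digest(), nonce


def open_commitment(commitment: bytes, solution: bytes, nonce: bytes) -> bool:
    """Bob: recompute the digest from the revealed values; constant-time compare."""
    if len(nonce) != NONCE_LEN:
        return False
    return hmac.compare_digest(hashlib.sha256(solution + nonce).digest(), commitment)


CHUNK = 4        # tiny chunk size so the example stays small


def hash_list(data: bytes):
    """Per-chunk digests plus the 'top hash' (digest of their concatenation)."""
    chunk_hashes = [hashlib.sha256(data[i:i + CHUNK]).digest()
                    for i in range(0, len(data), CHUNK)]
    top = hashlib.sha256(b"".join(chunk_hashes)).digest()
    return top, chunk_hashes


def verify_hash_list(top: bytes, chunk_hashes) -> bool:
    """The list itself is trusted only if it matches the top hash from the link."""
    return hmac.compare_digest(hashlib.sha256(b"".join(chunk_hashes)).digest(), top)


def verify_chunk(chunk_hashes, index: int, chunk: bytes) -> bool:
    """Check one downloaded chunk before accepting it, without the whole file."""
    return hmac.compare_digest(hashlib.sha256(chunk).digest(), chunk_hashes[index])
```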
The most widely used hash functions (and their modifications) are:
• MD5 of R. Rivest (RFC 1321)
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 of NIST (FIPS PUB 180-1)
• RIPEMD, RIPEMD-128, RIPEMD-160 of H. Dobbertin, A. Bosselaers, B. Preneel
• WHIRLPOOL-0, WHIRLPOOL-T, WHIRLPOOL of P. Barreto, V. Rijmen (NESSIE
project, ISO/IEC 10118-3:2004)
SHA-1, MD5, and RIPEMD-160 are among the most commonly-used message
digest algorithms as of 2005. In August 2004, researchers found weaknesses in a
number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into
question the long-term security of later algorithms which are derived from these hash
functions, in particular SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and
RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD
is widely used since they were replaced by their strengthened versions.
A. SHA-0, SHA-1
SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of
2^64 bits, and are based on principles similar to those used by Professor Ronald L.
Rivest of MIT in the design of the MD4 and MD5 message digest algorithms. The
original specification of the algorithm was published in 1993 as the Secure Hash
Standard, FIPS PUB 180, by US government standards agency NIST (National
Institute of Standards and Technology). This version is now often referred to as
"SHA-0". It was withdrawn by the NSA shortly after publication and was superseded
by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred
to as "SHA-1". SHA-1 differs from SHA-0 only by a single bitwise rotation in the
message schedule of its compression function. This was done, according to the
NSA, to correct a flaw in the original algorithm which reduced its cryptographic
security. This function takes as input a 160-bit state and a 512-bit data word and
outputs a new 160-bit state. The hash function works by repeatedly calling this
compression function with successive 512-bit data blocks and each time updating
the state accordingly. This compression function is easily invertible if the data block
is known,- given the data block on which it acted and the output of the compression
function, one can compute that state that went in. Weaknesses have subsequently
been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater
resistance to attacks, supporting the NSA's assertion that the change increased the
security. In February 2005, an attack on SHA-1 was reported, finding collisions in
about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash
function. In August 2005, another attack on SHA-1 was reported, finding collisions in
2^63 operations.
B. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function
with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been
employed in a wide variety of security applications, and is also commonly used to
check the integrity of files.
MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function,
MD4. In 1996, a flaw was found with the design of MD5; while it was not a clearly
fatal weakness, cryptographers began to recommend using other algorithms, such
as SHA-1 (recent claims suggest that SHA-1 has been broken, however). In 2004,
more serious flaws were discovered making further use of the algorithm for security
purposes questionable.
MD5 processes a variable-length message into a fixed-length output of 128 bits. The
input message is broken up into chunks of 512-bit blocks; the message is padded so
that its length is divisible by 512. The padding works as follows: first a single bit, 1, is
appended to the end of the message. This is followed by as many zeros as are
required to bring the length of the message up to 64 bits less than a multiple of 512.
The remaining bits are filled up with a 64-bit integer representing the length of the
original message.
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words,
denoted A, B, C and D.
These are initialized to certain fixed constants. The main algorithm then operates on
each 512-bit message block in turn, each block modifying the state. The processing
of a message block consists of four similar stages, termed rounds; each round is
composed of 16 similar operations based on a non-linear function F, modular
addition, and left rotation. There are four possible functions F; a different one
is used in each round: denote the XOR, AND, OR and NOT operations respectively.
C. WHIRLPOOL
WHIRLPOOL is a cryptographic hash function designed by Vincent Rijmen and
Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE project. It
has also been adopted by the International Organization for Standardization (ISO)
and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC
10118-3 international standard.
WHIRLPOOL is a hash designed after the Square block cipher. WHIRLPOOL is a
Miyaguchi-Preneel construction based on a substantially modified Advanced
Encryption Standard (AES). Given a message less than 2^256 bits in length, it returns
a 512-bit message digest. The authors have declared that "WHIRLPOOL is not (and
will never be) patented. It may be used free of charge for any purpose. The reference
implementations are in the public domain."
D. RIPEMD
RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit
message digest algorithm (and cryptographic hash function) developed in Europe by
Hans Dobbertin, Antoon Bosselaers and Bart Preneel, and first published in 1996. It
is an improved version of RIPEMD, which in turn was based upon the design
principles used in MD4, and is similar in performance to the more popular
SHA-1. There also exist 128, 256 and 320-bit versions of this algorithm, called
RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. The 128-bit version
was intended only as a drop-in replacement for the original RIPEMD, which was also
128-bit, and which had been found to have questionable security. The 256 and 320-bit
versions diminish only the chance of accidental collision, and don't have higher
levels of security as compared to, respectively, RIPEMD-128 and RIPEMD-160.
RIPEMD-160 was designed in the open academic community, in contrast to the
NSA-designed algorithm, SHA-1. On the other hand, RIPEMD-160 is a less popular
and correspondingly less well-studied design. RIPEMD-160 is not constrained by
any patents.
E. SHACAL
SHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash functions
from the SHA family. They were designed by Helena Handschuh and David Naccache,
both cryptographers from the smart card manufacturer Gemplus. SHACAL-1 is a
160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit.
SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256.
SHACAL turns the SHA-1 compression function into a block cipher by using the
state input as the data block and using the data input as the key input. In other
words, SHACAL views the SHA-1 compression function as a 160-bit block cipher
with a 512-bit key. Keys shorter than 512 bits are supported by padding them with
zeros up to 512. SHACAL is not intended to be used with keys shorter than 128 bits.
In 2003, SHACAL-2 was selected by the NESSIE project as one of their 17
recommended algorithms.
SECURITY OF HASH FUNCTIONS
In order to attack a hash function, the intruder must replace the original message
with a message of his own that produces the same output from the hash function.
Two different messages with the same hash are called a collision, and one is very
difficult to find.
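The 2^80 figure quoted above for SHA-1 and the remark that a collision is very difficult to find both follow from the birthday bound: a collision in an n-bit hash is expected after roughly 2^(n/2) evaluations, so the digest must be long for that to be out of reach. The following added example (not from the original document) makes the bound concrete by searching for a collision in SHA-256 deliberately truncated to a small width; the truncation width and the constructed candidate messages are the example's own choices.

```python
# Added example: birthday search against a deliberately truncated digest,
# to show the square-root collision cost that the 2^80 figure for SHA-1 reflects.
import hashlib
import math


def truncated_hash(message: bytes, n_bits: int) -> int:
    """SHA-256 cut down to its first n_bits, as an integer (a toy short hash)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, max_trials: int = 1 << 22):
    """Return two distinct messages with equal truncated hashes and the number
    of hash evaluations used, or None if max_trials is exhausted."""
    seen = {}  # truncated hash -> the message that produced it
    for i in range(max_trials):
        msg = b"msg-" + str(i).encode()   # constructed candidate messages
        h = truncated_hash(msg, n_bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def expected_trials(n_bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2^n) evaluations to the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        m1, m2, trials = find_collision(bits)
        print(f"{bits}-bit: collision after {trials} hashes "
              f"(birthday estimate {expected_trials(bits):.0f}): {m1!r} vs {m2!r}")
```

Each doubling of the truncation width doubles the attacker's cost only by a factor of about 1.4 per bit, which is why the generic collision resistance of a 160-bit digest is 2^80 rather than 2^160, and why dedicated attacks that lower it to 2^63 matter.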

13. Signatures and authentication
Making sure that a message came from the proper sender is called
authentication. The solution is signatures and certificates. Signatures connect a
message with a public key. Certificates connect a public key with an entity. You can
use public-key cryptography for signatures.
Authentication, nonrepudiation, and integrity checks can be supported with a digital
signature. A digital signature is similar to a written signature; however, it is stronger.
For example, any attempt to change the message content or to forge the signature
will be detected. We note that a Message Authentication Code (MAC), as
defined in ANSI X9.9, provides integrity protection against alteration, but does not
provide nonrepudiation because of the sharing of the conventional secret DES key.
(Another term for a MAC is a manipulation detection code, or MDC.) A digital
signature must be a function of the entire document. Changing even a single bit
should produce a different signature. A signed message cannot be changed without
detection.
Public key digital signatures: The use of public key digital signatures
and supporting hash functions can provide both authentication and verification
of message integrity. Hash functions, which have been briefly introduced,
will be discussed further. They can also serve as cryptographic checksums used for
validating the contents of a message. Public key schemes supporting authentication
permit generation of digital signatures algorithmically from the same key repeatedly,
although the actual signatures are different. Digital signatures are a function of the
message and a long-term key. Therefore, key material can be reused many times
before replacement. Hash functions also reduce the impact of the computationally
intensive nature of public key algorithms.
Public key digital signatures are generally preferred for electronic commerce
because:
1. Private keys can be used repeatedly for generating digital signatures
algorithmically, and
2. Nonrepudiation of the sender (Alice) is inherently a part of the system design.
Therefore, public key implementation of digital signatures is effective and versatile.
Nonrepudiation: Nonrepudiation is the system capability that prevents a sender
(Alice) from denying that she has sent a message. The integrity of nonrepudiation is
a function of the degree of security maintained for the sender's (Alice's) private key
(DA). For example, Alice could repudiate or deny sending a message if DA is
compromised. Depending on the applicable legislation, Alice may still be held liable
for messages signed before the compromise was reported to a central authority.
Certain administrative approaches have been proposed for incorporation into
protocols. Most of these involve use of some form of arbitrator. However, certain
disputes may require litigation, because nonrepudiation is a critical business issue.
One method of supporting nonrepudiation is to use a central authority. For example,
the receiver of a message (Bob) sends a copy to the central authority. The central
authority can verify the sender's (Alice's) signature. This verification provides
assurance that there is no report that Alice's private key (DA) was compromised at
the time of sending. In this case, Alice would have to rapidly report the compromise
of her private key. We must also consider the impact of the increased workload of the
central authority on the throughput of the network. An alternate approach is to use
time stamps. Although a network of automated arbitrators may still be required, the
system overhead is modest because the arbitrators only have to time-stamp
messages.
A receiver (Bob) may check the validity of the sender's (Alice's) private key by
checking with a central authority. Bob has a degree of assurance of nonrepudiation if
the received message is time stamped before the validity check. He still has to
determine if a compromise is discovered and reported later. Legal requirements for
nonrepudiation may include a requirement that the sender (Alice) is responsible for
signing until a compromise of her private key is reported to the central authority.
Implementation of this approach could require an on-line central authority and
real-time validity checks and time stamps. In addition to peak load concentrations that
may occur at the central authority, certain requirements for a network-wide clock
should be considered. A network-wide clock has other security vulnerabilities, such
as vulnerability to forgery of time stamps. If users, such as Alice, are permitted to
change their private keys, a central authority should archive past keys to assist in
resolving disputes. Each industry should have a set of legal and administrative
safeguards to maintain continuity of operations in the event of a compromise or
change of keys. For example, credit card systems have effective legal and
administrative provisions for cases of lost or stolen credit cards.
Figure: Simple digital signatures. The original text is signed with the private key
to give the signed text; the signed text is verified with the public key to give the
verified text.

Message Authentication Code (MAC): Standard ANSI X9.9-1982,
1986. The Message Authentication Code (MAC) (ANSI X9.9), not to be confused
with Mandatory Access Control (MAC), is a cryptographic checksum appended to a
message. It seals the message against modification. All fields such as time, date,
sources, and so on included in the checksum are rendered unalterable. Either the
entire message or selected fields are processed through the algorithm using the
Cipher Block Chaining Mode (CBC). As mentioned, the last block is the only output
of the process that is used in the MAC. MAC requires a key management protocol,
such as ANSI Standard X9.17.
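An added example (not from the original document) of the keyed cryptographic checksum idea: HMAC-SHA256 from Python's standard library computed over a message's fields, showing that any altered field is detected and, because the receiver holds the same key and can compute the same tag, why a MAC alone cannot give nonrepudiation. ANSI X9.9 specifies a DES-CBC construction rather than HMAC; the field names, the key and the sample message are constructed for this example.

```python
# Added example: a MAC over message fields with a shared key. Demonstrates
# integrity protection and the absence of nonrepudiation described in the text.
import hmac
import hashlib


def encode_fields(fields: dict) -> bytes:
    """Canonical, unambiguous encoding of the fields covered by the MAC.
    Names and values are length-prefixed so two different field sets can never
    produce the same byte string."""
    out = b""
    for name in sorted(fields):
        value = str(fields[name]).encode()
        out += len(name).to_bytes(2, "big") + name.encode()
        out += len(value).to_bytes(4, "big") + value
    return out


def compute_mac(key: bytes, fields: dict) -> bytes:
    return hmac.new(key, encode_fields(fields), hashlib.sha256).digest()


def verify_mac(key: bytes, fields: dict, tag: bytes) -> bool:
    # compare_digest runs in constant time so the tag cannot be guessed
    # byte by byte from timing differences.
    return hmac.compare_digest(compute_mac(key, fields), tag)


# Constructed sample: a payment-style message whose fields are "sealed".
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MESSAGE = {"date": "2024-01-15", "source": "alice", "amount": "100.00"}


def demo() -> dict:
    tag = compute_mac(SHARED_KEY, MESSAGE)
    tampered = dict(MESSAGE, amount="1000.00")
    # The receiver holds the same key, so it can produce a valid tag for any
    # message of its choosing: a MAC does not bind a message to one sender.
    invented = dict(MESSAGE, amount="5.00")
    receiver_tag = compute_mac(SHARED_KEY, invented)
    return {
        "genuine_verifies": verify_mac(SHARED_KEY, MESSAGE, tag),
        "tampered_verifies": verify_mac(SHARED_KEY, tampered, tag),
        "wrong_key_verifies": verify_mac(b"some other key", MESSAGE, tag),
        "receiver_can_forge": verify_mac(SHARED_KEY, invented, receiver_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The canonical encoding matters as much as the MAC itself: if fields were simply concatenated, the pair ("ab", "c") and ("a", "bc") would yield the same bytes and therefore the same tag.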

14. Applications of Cryptography in Network Security:
1. E-mail Security
2. IP Security
3. Web security
E-mail Security:
14.1. Pretty Good Privacy:
PGP is a remarkable phenomenon. PGP started as a free secure e-mail program. Largely the
effort of a single person, Phil Zimmermann, PGP provides a confidentiality and
authentication service that can be used for electronic mail and file storage applications. In
essence, Zimmermann has done the following:
1. Selected the best available cryptographic algorithms as building blocks
2. Integrated these algorithms into a general-purpose application that is independent of
operating system and processor and that is based on a small set of easy-to-use
commands
3. Made the package and its documentation, including the source code, freely available
via the Internet, bulletin boards, and commercial networks such as AOL (America On
Line)
4. Entered into an agreement with a company (Viacrypt, now Network Associates) to
provide a fully compatible, low-cost commercial version of PGP
PGP has grown explosively and is now widely used. A number of reasons can be cited for
this growth:
1. It is available free worldwide in versions that run on a variety of platforms, including
Windows, UNIX, Macintosh, and many more. In addition, the commercial version
satisfies users who want a product that comes with vendor support.
2. It is based on algorithms that have survived extensive public review and are
considered extremely secure. Specifically, the package includes RSA, DSS, and
Diffie-Hellman for public-key encryption; CAST-128, IDEA, and 3DES for
symmetric encryption; and SHA-1 for hash coding.
3. It has a wide range of applicability, from corporations that wish to select and enforce
a standardized scheme for encrypting files and messages to individuals who wish to
communicate securely with others worldwide over the Internet and other networks.
4. It was not developed by, nor is it controlled by, any governmental or standards
organization. For those with an instinctive distrust of "the establishment," this makes
PGP attractive.
5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an
aura of an anti-establishment endeavour.

How PGP works:
PGP combines some of the best features of both conventional and public key cryptography.
PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first
compresses the plaintext. Data compression saves modem transmission time and disk
space and, more importantly, strengthens cryptographic security. Most cryptanalytic
techniques exploit patterns found in the plaintext; compression reduces these patterns,
thereby greatly enhancing resistance to cryptanalysis. PGP
then creates a session key, which is a one-time-only secret key. This key is a random
number generated from the random movements of your mouse and the keystrokes you type.
This session key works with a very secure, fast conventional encryption algorithm to encrypt
the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then
encrypted to the recipient's public key. This public key-encrypted session key is transmitted
along with the ciphertext to the recipient.
Figure 1-1: How PGP encryption works. The plaintext is encrypted with the session
key; the session key is encrypted with the recipient's public key; the ciphertext and
the encrypted session key are sent together.

Decryption works in reverse. The recipient's copy of PGP uses his or her private
key to recover the temporary session key, which PGP then uses to decrypt the
conventionally encrypted ciphertext.

Figure 1-2: How PGP decryption works. The encrypted message consists of the
encrypted session key and the ciphertext; the recipient's private key is used to
decrypt the session key, and the session key is used to decrypt the ciphertext,
giving the original plaintext.

14.2. S/MIME:
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to
the MIME Internet e-mail format standard, based on technology from RSA Data
Security. Although both PGP and S/MIME are on an IETF standards track, it appears
likely that S/MIME will emerge as the industry standard for commercial and
organizational use, while PGP will remain the choice for personal e-mail security for
many users. S/MIME is defined in a number of documents, most importantly RFCs
3369, 3370, 3850 and 3851.
IP Security:
Internet Protocol Security (IPsec) is a competitor of TLS. It works at a different level
than TLS, which gives it more flexibility. I do not understand different levels on a
computer - it is a concept from computer engineering. IPsec is, however, less
efficient than TLS. Its primary use is in Virtual Private Networks (VPN). A VPN is a
private communications network. That means it is used within one company or
among a small network of companies. TLS is used by everyone on the Internet.
IPsec encompasses three functional areas: “authentication, confidentiality, and key
management”.
Authentication makes use of the HMAC message authentication code. Authentication
can be applied to the entire original IP packet (tunnel mode) or to the entire packet
except for the IP header (transport mode).
Confidentiality is provided by an encryption format known as encapsulating security
payload. Both tunnel and transport modes can be accommodated.
IPsec defines a number of techniques for key management.

Web Security:
14.3. Web Security Considerations
The World Wide Web is fundamentally a client/server application running over the Internet
and TCP/IP intranets. But, the Web presents new challenges not generally appreciated in the
context of computer and network security:
The Internet is two way. Unlike traditional publishing environments, even electronic
publishing systems involving teletext, voice response, or fax-back, the Web is
vulnerable to attacks on the Web servers over the Internet.
The Web is increasingly serving as a highly visible outlet for corporate and product
information and as the platform for business transactions. Reputations can be
damaged and money can be lost if the Web servers are subverted.
Although Web browsers are very easy to use, Web servers are relatively easy to
configure and manage, and Web content is increasingly easy to develop, the
underlying software is extraordinarily complex. This complex software may hide
many potential security flaws. The short history of the Web is filled with examples of
new and upgraded systems, properly installed, that are vulnerable to a variety of
security attacks.
A Web server can be exploited as a launching pad into the corporation's or agency's
entire computer complex. Once the Web server is subverted, an attacker may be able
to gain access to data and systems not part of the Web itself but connected to the
server at the local site.
Casual and untrained (in security matters) users are common clients for Web-based
services. Such users are not necessarily aware of the security risks that exist and do
not have the tools or knowledge to take effective countermeasures.
Web Security Threats

This table provides a summary of the types of security threats faced in using the Web. One
way to group these threats is in terms of passive and active attacks. Passive attacks include
eavesdropping on network traffic between browser and server and gaining access to
information on a Web site that is supposed to be restricted. Active attacks include
impersonating another user, altering messages in transit between client and server, and
altering information on a Web site.
A Comparison of Threats on the Web

Integrity
  Threats: modification of user data; Trojan horse browser; modification of
  memory; modification of message traffic in transit
  Consequences: loss of information; compromise of machine; vulnerability to all
  other threats
  Countermeasures: cryptographic checksums

Confidentiality
  Threats: eavesdropping on the Net; theft of info from server; theft of data from
  client; info about network configuration; info about which client talks to server
  Consequences: loss of information; loss of privacy
  Countermeasures: encryption, web proxies

Denial of Service
  Threats: killing of user threads; flooding machine with bogus requests; filling up
  disk or memory; isolating machine by DNS attacks
  Consequences: disruptive; annoying; prevent user from getting work done
  Countermeasures: difficult to prevent

Authentication
  Threats: impersonation of legitimate users; data forgery
  Consequences: misrepresentation of user; belief that false information is valid
  Countermeasures: cryptographic techniques
15. Timestamping
If you have a printed document and want to prove that it existed on a certain date,
you can get it notarized. This is important for copyrighting a document to prove you
originated it. This is more difficult with digital data. If there is a date on it, then the
date can be easily replaced by another. The solution is a time stamping service.
Here is a second scenario. If Alice signs a message, and later decides that she does
not want that message to be signed (this is a kind of cheating), then she can
anonymously publish her private key and say that anyone could have done the
signing. This is called repudiation. So if someone receives a signature from Alice, he
or she can demand that Alice use a digital timestamping service. That lessens Alice's
ability to repudiate the signature.

16. KERBEROS
A protocol is a sequence of steps involving at least two parties that accomplishes a
task. KERBEROS is a third-party authentication protocol for insecure, closed
systems. Between systems people use firewalls. Note that most problems come from
people within a system. KERBEROS is used to prove someone's identity
(authentication) in a secure manner without using public key cryptography. At SCU,
KERBEROS is probably used for access to e-campus, OSCAR, People-soft, Novell,
etc. It was developed by MIT and can be obtained free. KERBEROS requires a
trusted third party. It enables a person to use a password to gain access to some
service. Let C be the client, KDC be the key distribution centre, S be the service that
C wants access to and TGS be S's ticket granting service.
Summary:
i) KDC authenticates C's identity to TGS.
ii) TGS gives permission to C to use S.

17. Key Management and Salting
A common hacker attack is exploiting sloppy key management. Often the attacker
will bribe or steal to get a key.
Scenario 1. Web: You pick your own password, usually. The site uses SSL/TLS, so RSA
is used to agree on an AES key, which is used to encrypt the password (on the first
and later visits). They store passwords in a (hopefully hidden) file with userids. Your
password is not hashed.
Scenario 2. Non-web systems. The system has a file (may or may not be public) with
pairs: userid, hash(password). The system administrator has access to this file.
Maybe someday, the password cracker can get access to this file. He cannot use the
hashed passwords to get access to your account because access requires entering
a password and then having it hashed.
In Scenario 2, from the hashes, the cracker may be able to determine the original
password. Most people's passwords are not random. As another example, it would
take about 11 seconds on a single computer using brute force to determine
someone's key if you knew it consisted of 7 lowercase letters (that is 7 bytes). But if
it consisted of 7 bytes from a pseudo-random number generator, then it would take
11 thousand years to brute force it. (This is basically like brute-forcing DES since
DES has a 7 byte key and running a hash is like running DES. In fact, DES used to
be used as a hash where the key was the 0 string and the password was used as
the plaintext.) But most people have trouble remembering a password like 8 _ &u!M}
and so don't want to use it. They could write it down and put it in their wallet/purse,
but that can get stolen. So instead, most passwords are easy to remember. So the
attacker can do a dictionary attack: the attacker hashes all entries of a dictionary.
Online we can find dictionaries containing all common English words, common proper
names, and then all of the above entries with i's and l's replaced by 1's and o's
replaced by 0's, etc. The attacker can even brute force all alphanumeric strings up to a
certain length. Then the attacker looks in the password file and finds many matches.
This has been used to get tens of thousands of different passwords. The Password
Recovery Toolkit can test 200000 passwords per second.
In 1998, there was an incident in which 186000 account names and hashed
passwords were collected. Using a dictionary attack, 1/4 of the passwords were
discovered.
Salt is a string that is concatenated to a password. It should be different for each
user-id. It is public for non-SSL/TLS applications like KERBEROS and UNIX. It might
seem like the salt should be hidden. But then the user would need to know the salt
and keep it secret, and then the salt may as well just be appended to the password. If
the salt were stored on the user's machine instead (so it's secret and the user would
not need to memorize it) then the user could not log in from a different machine.
For KERBEROS and UNIX, the system administrator usually gives you your
password off-line in a secure way. The system creates your salt.
Scenario 3. (Old UNIX) This is the same as Scenario 2, but the public password file
has records: username, user-id, expiration of password, location information, salt,
hash(salt, password). The salt is a random string in plaintext, unique for this user-id.
Now the dictionary attack won't get lots of passwords at once. But we can attack a
single user as in Scenario 2.
Scenario 4. UNIX. For reasons of backward compatibility, new Unix-like operating
systems need a non-encrypted password file. It has to be similar to the old password
file or certain utilities don't work. For example, several utilities need the username to
userid map available and look in the password file for it. In the password file, where
there was once the salt and the hash of a salted password, there is now a *. Unix
has a second hidden file called the shadow password file. It is encrypted using a
password only known to the system administrator. The shadow file contains user-id,
salt, hash(salt, password). The user doesn't need to look up the salt. If the user
connects to UNIX with SSH (Secure Shell), then the password goes, un-hashed,
through SSH's encryption. The server decrypts the password, appends the salt,
hashes and checks against hash(salt, password) in the shadow file.
Scenario 5. KERBEROS uses a non-secret salt which is related to the user-id and
domain names. If two people have the same password, they won't have the same
hash, and if one person has two accounts with the same password, they won't have
the same hash. The authentication server (for KERBEROS this is called the key
distribution centre) keeps the hash secret, protected by a password known only to
the authentication server.
A single key or password should not be used forever. The longer it is used, the more
documents there are encrypted with it and so the more damage is done if it is
compromised. The longer it is used, the more tempting it is to break it and the more
time an attacker has to break it. A good way to generate a key is to make it easy to
remember but hard to crack.
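As an added example (not from the original document), a small password file built both ways, as in Scenarios 2 and 3: hash(password) alone, and (salt, hash(salt, password)) with a random per-user salt. It shows that the unsalted file reveals which users share a password and is cracked by a single precomputed table of dictionary hashes, while the salted file defeats that table and forces per-user work. SHA-256 stands in for the DES-based crypt of old UNIX; the user names, passwords and the five-word dictionary are constructed for the example.

```python
# Added example: per-user salting versus an unsalted password file, and why a
# precomputed dictionary table works only against the unsalted one.
import hashlib
import hmac
import secrets

# Constructed accounts; two users happen to share the same weak password.
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "tr0ub4dor&3"}
# Constructed stand-in for the dictionaries an attacker precomputes hashes for.
DICTIONARY = ["password", "sunshine", "letmein", "qwerty", "dragon"]


def unsalted_entry(password: str) -> str:
    """Scenario 2: the file stores hash(password) only."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_entry(password: str, salt=None):
    """Scenario 3: the file stores (salt, hash(salt || password)) with a random
    salt created by the system, unique to this user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def verify_salted(password: str, entry) -> bool:
    """Login check: re-hash the offered password with the stored salt."""
    salt, stored = entry
    _, candidate = salted_entry(password, salt)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


def precomputed_matches(password_file: dict) -> dict:
    """Accounts a single precomputed table of hash(word) cracks at once.
    Against salted entries the table is useless: every word would have to be
    re-hashed separately for every user's salt."""
    table = {unsalted_entry(word): word for word in DICTIONARY}
    return {user: table[h] for user, h in password_file.items() if h in table}


def build_files():
    """Return the unsalted and the salted versions of the same password file."""
    unsalted = {user: unsalted_entry(pw) for user, pw in ACCOUNTS.items()}
    salted = {user: salted_entry(pw) for user, pw in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_files()
    print("alice and bob share a hash (unsalted):", unsalted["alice"] == unsalted["bob"])
    print("alice and bob share a hash (salted):  ", salted["alice"][1] == salted["bob"][1])
    print("cracked by one precomputed table:", precomputed_matches(unsalted))
    print("cracked with salts:", precomputed_matches({u: h for u, (s, h) in salted.items()}))
    print("alice logs in:", verify_salted("sunshine", salted["alice"]))
```

A real system would also use a deliberately slow, iterated function (the text's 25 rounds of DES is an early form of this) so that even a per-user attack is expensive; the salt's job is only to make precomputation and cross-user matching useless.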
18. Quantum Cryptography
There are two ways of agreeing on a symmetric key that do not involve co-presence.
The first is public key cryptography, which is based on mathematics. The second is
quantum cryptography. It currently (2008) works up to 100 miles and is on the
market but is not widely used.
A photon has a polarization. A polarization is like a direction. The polarization can be
measured on any basis in two-space: rectilinear (horizontal and vertical), diagonal
(slope 1 and slope -1), etc. If you measure a photon in the wrong basis then you get
a random result and you disturb all future measurements.
Here is how it works. Alice and Bob need to agree on a symmetric key. Alice sends
Bob a stream of photons. Each photon is randomly assigned a polarization in one of
the four directions: |, −, \, /. We will have | = 1, − = 0, \ = 1, / = 0. Let's say that Alice
sends: \ / | | / \ | − − \ − | /.
Bob has a polarization detector. For each photon, he randomly chooses a basis:
rectilinear (+) or diagonal (×). Say his choices are × + + × × + + + × × × + +. Each time
he chooses the right basis, he measures the polarization correctly. If he measures it
wrong, then he will get a random measurement. His detector might output the
following (a ~ marks each photon for which Bob's basis matched Alice's):
Alice sends  \ / | | / \ | − − \ − | /
Bob sets     × + + × × + + + × × × + +
Correct      ~   ~   ~   ~ ~   ~   ~
Bob gets     \ − | \ / − | − / \ \ | |
Notice that when Bob correctly sets the basis, Alice and Bob have the same
polarization, which can be turned into a 0 or 1. Looking at the second and last
photons, we see an example of the randomness of Bob's measurement if the basis
is chosen incorrectly. Now Bob contacts Alice, in the clear, and tells her the basis
settings he made. Alice tells him which were correct. The others are thrown out.
Alice sends  \ | / | − \ |
Bob gets     \ | / | − \ |
Those are turned into 0's and 1's:
Alice sends  1 1 0 1 0 1 1
Bob gets     1 1 0 1 0 1 1
On average, if Alice sends Bob 2n bits, they will end up with n bits after throwing out
those from the wrong basis settings. So to agree on a 128 bit key, on average Alice
must send 256 bits.
What if Eve measures the photons along the way? We will focus on the photons for
which Bob correctly guessed the basis. For half of those, Eve will guess the wrong
basis. Whenever Eve measures in the wrong basis, she makes Bob's measurement
random, instead of accurate.
Alice sends  \ | / | − \ |
Eve sets     × × × × + + +
Bob sets     × + × + + × +
Bob gets     \ − / | − / |
Alice sends  1 1 0 1 0 1 1
Bob gets     1 0 0 1 0 0 1
Note that for the second and fourth photons, since Eve set the basis incorrectly, Bob
gets a random (and half the time wrong) bit. So if Eve is eavesdropping then we
expect her to get the wrong basis sometimes, and some of those times Bob will get
the wrong polarization.
To detect eavesdropping, Alice and Bob agree to check on some of the bits, which
are randomly chosen by Alice. For example, in the above, they could both agree to
tell, in the clear, what the first three bits are. Alice would say 110 and Bob would say
100, and they would know that they had been tampered with. They would then have
to start the whole process again and try to prevent Eve from eavesdropping
somehow. ((Ed, what if Eve gets in between and just reflects back the answer to
each one? There are identity issues.)) If those check-bits agreed, then they would
use the remaining four bits for their key. Of course there is a possibility that Alice and
Bob would get the same three bits even though Eve was eavesdropping. So in real
life, Alice and Bob would tell each other a lot more bits to detect eavesdropping. The
probability that a lot of bits would all agree, given that Eve was eavesdropping, would
then be very small. If they disagreed, then they would know there was
eavesdropping. If those all agreed, then with very high probability, there was no
eavesdropping. So they would throw the check-bits away and use as many bits as
necessary for the key. Notice that Alice needs to be sure that it is actually Bob with
whom she is communicating. In 2007, quantum cryptography had been made to
work over 150 kilometers. Quantum cryptography is considered safer than public
key cryptography and has built-in eavesdropping detection. However, it is difficult
to transmit a lot of information this way, which is why it would be used for agreeing
on a symmetric key (like for AES). At the moment, physics implementation
issues have been discovered that make the current implementations of quantum
cryptography insecure.
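The exchange above, as an added simulation (not from the original document): bb84 carries out Alice's sending, optional interception by Eve, Bob's measurement and the sifting step, and document_example reproduces the 13-photon run; a longer seeded run shows the roughly one-quarter mismatch that an intercept-and-resend eavesdropper causes among the sifted bits, which is what the check-bit comparison detects. Polarizations are written as in the text (| and − rectilinear, \ and / diagonal, with | = \ = 1 and − = / = 0) and bases as + and x; the random number generator and its seed are the example's own choices.

```python
# Added example: simulation of the photon-polarization key agreement described
# above, including sifting, an eavesdropper, and the check-bit comparison.
import random

BIT = {"|": 1, "\\": 1, "-": 0, "/": 0}
BASIS_OF = {"|": "+", "-": "+", "\\": "x", "/": "x"}
SYMBOLS = {("+", 0): "-", ("+", 1): "|", ("x", 0): "/", ("x", 1): "\\"}


def measure(photon: str, basis: str, rng: random.Random) -> str:
    """Right basis: the polarization is read exactly. Wrong basis: a random
    polarization in the measuring basis, which the photon now carries onward."""
    if BASIS_OF[photon] == basis:
        return photon
    return SYMBOLS[(basis, rng.randrange(2))]


def bb84(alice_photons, bob_bases, rng, eve_bases=None):
    """Return (kept positions, Alice's bits, Bob's bits) after discarding the
    photons where Bob's basis was wrong. If eve_bases is given, Eve measures
    each photon first and forwards what she observed."""
    bob_results = []
    for i, photon in enumerate(alice_photons):
        if eve_bases is not None:
            photon = measure(photon, eve_bases[i], rng)
        bob_results.append(measure(photon, bob_bases[i], rng))
    kept = [i for i in range(len(alice_photons))
            if BASIS_OF[alice_photons[i]] == bob_bases[i]]
    return (kept, [BIT[alice_photons[i]] for i in kept],
            [BIT[bob_results[i]] for i in kept])


def check_bits_disagree(alice_bits, bob_bits, n_check: int) -> bool:
    """Alice and Bob compare the first n_check sifted bits in the clear."""
    return alice_bits[:n_check] != bob_bits[:n_check]


# The document's 13-photon run: Alice's polarizations and Bob's basis choices.
ALICE = list("\\/||/\\|--\\-|/")
BOB = list("x++xx+++xxx++")


def document_example():
    """Sifting applied to the document's run; no Eve, so Bob's bits match Alice's."""
    return bb84(ALICE, BOB, random.Random(0))


def mismatch_rate_with_eve(n_photons: int, seed: int = 1) -> float:
    """Fraction of sifted bits that intercept-and-resend corrupts (about 1/4:
    Eve picks the wrong basis half the time, and then Bob is wrong half the time)."""
    rng = random.Random(seed)
    photons = [SYMBOLS[(rng.choice("+x"), rng.randrange(2))] for _ in range(n_photons)]
    bob = [rng.choice("+x") for _ in range(n_photons)]
    eve = [rng.choice("+x") for _ in range(n_photons)]
    _, a, b = bb84(photons, bob, rng, eve)
    return sum(x != y for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    kept, a, b = document_example()
    print("kept positions:", kept, "Alice:", a, "Bob:", b)
    print("mismatch rate with Eve:", mismatch_rate_with_eve(4000))
```

With a few hundred check bits the chance that an eavesdropper leaves every one of them untouched is (3/4)^k, which is negligible, so a clean comparison is strong evidence that the remaining sifted bits are private.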

19. Exposures to System Security:
19.1 Intruders: One of the two most publicized threats to security is the intruder (the
other is viruses), generally referred to as a hacker or cracker. In an important early
study of intrusion, Anderson identified three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate user's account
Misfeasor: A legitimate user who accesses data, programs, or resources for which
such access is not authorized, or who is authorized for such access but misuses his or
her privileges
Clandestine user: An individual who seizes supervisory control of the system and uses
this control to evade auditing and access controls or to suppress audit collection
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the
clandestine user can be either an outsider or an insider.

19.2 Intrusion Detection
Inevitably, the best intrusion prevention system will fail. A system's second line of defence is
intrusion detection. This interest is motivated by a number of considerations, including the
following:
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected
from the system before any damage is done or any data are compromised. Even if the
detection is not sufficiently timely to pre-empt the intruder, the sooner that the
intrusion is detected, the less the amount of damage and the more quickly that
recovery can be achieved.
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent
intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques
that can be used to strengthen the intrusion prevention facility.
20. Password Management:
Password Protection:
The front line of defence against intruders is the password system. Virtually all
multiuser systems require that a user provide not only a name or identifier (ID) but
also a password. The password serves to authenticate the ID of the individual
logging on to the system. In turn, the ID provides security in the following ways:
The ID determines whether the user is authorized to gain access to a system. In some
systems, only those who already have an ID filed on the system are allowed to gain
access.
The ID determines the privileges accorded to the user. A few users may have
supervisory or "super user" status that enables them to read files and perform
functions that are especially protected by the operating system. Some systems have
guest or anonymous accounts, and users of these accounts have more limited
privileges than others.
The ID is used in what is referred to as discretionary access control. For example, by
listing the IDs of the other users, a user may grant permission to them to read files
owned by that user.
The Vulnerability of Passwords:
To understand the nature of the threat to password-based systems, let us consider a scheme
that is widely used on UNIX, in which passwords are never stored in the clear. Rather, the
following procedure is employed. Each user selects a password of up to eight printable
characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as
the key input to an encryption routine. The encryption routine, known as crypt, is based on
DES. The DES algorithm is modified using a 12-bit "salt" value. Typically, this value is
related to the time at which the password is assigned to the user. The modified DES
algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of
the algorithm then serves as input for a second encryption. This process is repeated for a total
of 25 encryptions. The resulting 64-bit output is then translated into an 11-character
sequence. The hashed password is then stored, together with a plaintext copy of the salt, in
the password file for the corresponding user ID. This method has been shown to be secure
against a variety of cryptanalytic attacks.
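The scheme just described, modelled in code as an added example (not part of the original document): the 7-bit ASCII to 56-bit key conversion, the 12-bit salt, the 25 chained encryptions of a zero block, the 11-character output encoding, and the stored record of plaintext salt plus hash. The DES core itself is replaced by a labelled stand-in (HMAC-SHA256 truncated to 64 bits) to keep the block self-contained, so this is a teaching model of the structure, not a drop-in crypt(3); the salt bit-to-character mapping is also an assumption.

```python
"""Model of the classic UNIX crypt(3) password storage structure.

Added example. What follows the page: 8-char/7-bit key, 12-bit salt
stored in the clear, 25 chained encryptions of a 64-bit zero block,
11-character output. What is a stand-in (assumption): the cipher itself,
which here is HMAC-SHA256 truncated to 64 bits instead of salt-modified DES.
"""
import hashlib
import hmac
import secrets

# crypt(3)'s 64-symbol output alphabet: 6 bits per character.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 25          # the page: "repeated for a total of 25 encryptions"
SALT_BITS = 12       # the page: 12-bit salt


def password_to_key(password: str) -> bytes:
    """Up to eight printable 7-bit ASCII characters -> 56-bit key (7 bytes).
    Characters beyond the eighth are silently dropped, as in classic crypt,
    which is why two passwords sharing their first 8 characters collide."""
    chars = password[:8].ljust(8, "\0")
    if any(ord(c) > 0x7F for c in chars):
        raise ValueError("crypt keys are 7-bit ASCII")
    bits = "".join(format(ord(c), "07b") for c in chars)   # 8 * 7 = 56 bits
    return int(bits, 2).to_bytes(7, "big")


def encode_salt(salt: int) -> str:
    """12-bit salt -> two alphabet characters (assumed mapping: high 6 bits first)."""
    if not 0 <= salt < (1 << SALT_BITS):
        raise ValueError("salt must be a 12-bit value")
    return ALPHABET[salt >> 6] + ALPHABET[salt & 0x3F]


def decode_salt(two_chars: str) -> int:
    return (ALPHABET.index(two_chars[0]) << 6) | ALPHABET.index(two_chars[1])


def cipher_stand_in(key: bytes, salt: int, block: bytes) -> bytes:
    """Stand-in for 'DES modified by the salt' (assumption, not crypt's DES):
    a keyed PRF over the block, with the salt folded into the key, truncated
    to one 64-bit block so the chaining below mirrors the real scheme."""
    mac = hmac.new(key + salt.to_bytes(2, "big"), block, hashlib.sha256)
    return mac.digest()[:8]


def encode_output(block: bytes) -> str:
    """64-bit result -> 11 characters of 6 bits each (66 bits, 2 zero bits of padding)."""
    bits = format(int.from_bytes(block, "big"), "064b") + "00"
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, 66, 6))


def crypt_model(password: str, salt: int) -> str:
    """13-character record: 2 salt characters followed by the 11-character hash."""
    key = password_to_key(password)
    block = bytes(8)                     # data input: a 64-bit block of zeros
    for _ in range(ROUNDS):              # output of one encryption feeds the next
        block = cipher_stand_in(key, salt, block)
    return encode_salt(salt) + encode_output(block)


def new_password_entry(password: str) -> str:
    """What is written to the password file when a password is assigned:
    a fresh random salt (in the clear) plus the hashed password."""
    return crypt_model(password, secrets.randbelow(1 << SALT_BITS))


def verify(password: str, stored: str) -> bool:
    """Login check: read the plaintext salt from the record, recompute, compare.
    The password itself is never stored and never recovered."""
    if len(stored) != 13:
        return False
    salt = decode_salt(stored[:2])
    return hmac.compare_digest(crypt_model(password, salt), stored)


def precomputation_cost_factor() -> int:
    """Why the salt matters: an attacker precomputing hashes of a candidate
    password list must do it once per salt value, i.e. 4096 times over."""
    return 1 << SALT_BITS


if __name__ == "__main__":
    entry = new_password_entry("hunter2")           # constructed sample password
    print(entry, verify("hunter2", entry), verify("hunter3", entry))
```
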

21. Firewalls :
Firewall characteristics:
The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the
protected network, prohibits potentially vulnerable services from entering or leaving
the network, and provides protection from various kinds of IP spoofing and routing
attacks. The use of a single choke point simplifies security management because
security capabilities are consolidated on a single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and
alarms can be implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not security
related. These include a network address translator, which maps local addresses to
Internet addresses, and a network management function that audits or logs Internet
usage.
4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability
described in, the firewall can be used to implement virtual private networks.
Firewalls have their limitations, including the following:
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems
may have dial-out capability to connect to an ISP. An internal LAN may support a
modem pool that provides dial-in capability for traveling employees and
telecommuters.
2. The firewall does not protect against internal threats, such as a disgruntled employee
or an employee who unwittingly cooperates with an external attacker.
3. The firewall cannot protect against the transfer of virus-infected programs or files.
Because of the variety of operating systems and applications supported inside the
perimeter, it would be impractical and perhaps impossible for the firewall to scan all
incoming files, e-mail, and messages for viruses.

22. Cryptography Failures:
Designers of cryptographic systems have suffered from a lack of information about
how their products fail in practice, as opposed to how they might fail in theory. This
lack of feedback has led to a false threat model being accepted. Designers focussed
on what could possibly go wrong, rather than on what was likely to; and many of their
products are so complex and tricky to use that they are rarely used properly. As a
result, most security failures are due to implementation and management errors.
One special consequence has been a spate of ATM fraud, which has not just caused
financial losses, but has also caused at least one miscarriage of justice and has
eroded confidence in the UK banking system. There has also been a military cost;
the details remain classified, but its existence has at last been admitted.
Part V: Cryptanalysis
23 Basic Concepts of Cryptanalysis
Cryptosystems come in 3 kinds:
1. Those that have been broken (most).
2. Those that have not yet been analysed (because they are new and not yet widely
used).
3. Those that have been analysed but not broken. (RSA, Discrete log cryptosystems,
AES).
Three most common ways to turn ciphertext into plaintext:
1. Steal/purchase/bribe to get the key
2. Exploit sloppy implementation/protocol problems (hacking/cracking). Examples:
someone used a spouse's name as the key, someone sent the key along with the message
3. Cryptanalysis
Cryptography- "A Black Art"

Mais conteúdo relacionado

Mais procurados

Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
Introduction to Cryptography and the Public Key Infrastructure
Introduction to Cryptography and the Public Key InfrastructureIntroduction to Cryptography and the Public Key Infrastructure
Introduction to Cryptography and the Public Key InfrastructureMike Gates
 
Cryptography Fundamentals
Cryptography FundamentalsCryptography Fundamentals
Cryptography FundamentalsDuy Do Phan
 
Cryptography-Known plain text attack
Cryptography-Known plain text attack Cryptography-Known plain text attack
Cryptography-Known plain text attack amiteshg
 
Information and network security 31 public key cryptography
Information and network security 31 public key cryptographyInformation and network security 31 public key cryptography
Information and network security 31 public key cryptographyVaibhav Khanna
 
Cryptanalysis and Attacks
Cryptanalysis and AttacksCryptanalysis and Attacks
Cryptanalysis and AttacksShahbaz Anjam
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & CryptographyArun ACE
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free downloadTwinkal Harsora
 
Cryptography by manisha jha
Cryptography by manisha jhaCryptography by manisha jha
Cryptography by manisha jhaManishaJha43
 
Cryptography & Steganography
Cryptography & SteganographyCryptography & Steganography
Cryptography & SteganographyAnimesh Shaw
 

Mais procurados (20)

Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And Decryption
 
Overview of cryptography
Overview of cryptographyOverview of cryptography
Overview of cryptography
 
Cryptography cse,ru
Cryptography cse,ruCryptography cse,ru
Cryptography cse,ru
 
Cryptography
CryptographyCryptography
Cryptography
 
Introduction to Cryptography and the Public Key Infrastructure
Introduction to Cryptography and the Public Key InfrastructureIntroduction to Cryptography and the Public Key Infrastructure
Introduction to Cryptography and the Public Key Infrastructure
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography Fundamentals
Cryptography FundamentalsCryptography Fundamentals
Cryptography Fundamentals
 
Cryptography-Known plain text attack
Cryptography-Known plain text attack Cryptography-Known plain text attack
Cryptography-Known plain text attack
 
Criptography
CriptographyCriptography
Criptography
 
Cryptography
CryptographyCryptography
Cryptography
 
Information and network security 31 public key cryptography
Information and network security 31 public key cryptographyInformation and network security 31 public key cryptography
Information and network security 31 public key cryptography
 
Cryptanalysis and Attacks
Cryptanalysis and AttacksCryptanalysis and Attacks
Cryptanalysis and Attacks
 
Cryptography
CryptographyCryptography
Cryptography
 
Information Security & Cryptography
Information Security & CryptographyInformation Security & Cryptography
Information Security & Cryptography
 
cryptography ppt free download
cryptography ppt free downloadcryptography ppt free download
cryptography ppt free download
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography by manisha jha
Cryptography by manisha jhaCryptography by manisha jha
Cryptography by manisha jha
 
Cryptography & Steganography
Cryptography & SteganographyCryptography & Steganography
Cryptography & Steganography
 

Semelhante a Cryptography- "A Black Art"

Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxSecret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxjibonjibon5
 
Cryptography - An Overview
Cryptography - An OverviewCryptography - An Overview
Cryptography - An Overviewppd1961
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYAdityaShukla141
 
A Survey on Cryptographic Techniques for Network Security.pdf
A Survey on Cryptographic Techniques for Network Security.pdfA Survey on Cryptographic Techniques for Network Security.pdf
A Survey on Cryptographic Techniques for Network Security.pdfYasmine Anino
 
Evolution of Cryptography and Cryptographic techniques
Evolution of Cryptography and Cryptographic techniquesEvolution of Cryptography and Cryptographic techniques
Evolution of Cryptography and Cryptographic techniquesMona Rajput
 
Cryptography by Durlab Kumbhakar
Cryptography by Durlab KumbhakarCryptography by Durlab Kumbhakar
Cryptography by Durlab KumbhakarDurlove Kumbhakar
 
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxSecret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxukd789555
 
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUESA REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUESValerie Felton
 
Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...IJCNCJournal
 
MAJOR PROJECT FORMAT--2013(new 1)
MAJOR PROJECT FORMAT--2013(new 1)MAJOR PROJECT FORMAT--2013(new 1)
MAJOR PROJECT FORMAT--2013(new 1)Neelabja Manna
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
A Survey on Generation and Evolution of Various Cryptographic Techniques
A Survey on Generation and Evolution of Various Cryptographic TechniquesA Survey on Generation and Evolution of Various Cryptographic Techniques
A Survey on Generation and Evolution of Various Cryptographic TechniquesIRJET Journal
 
Pertemuan 4 information hiding (cryptography)
Pertemuan 4 information hiding (cryptography)Pertemuan 4 information hiding (cryptography)
Pertemuan 4 information hiding (cryptography)newbie2019
 
Introduction to Cryptography Week4 Part1-ISrevisionSu.docx
Introduction to Cryptography  Week4 Part1-ISrevisionSu.docxIntroduction to Cryptography  Week4 Part1-ISrevisionSu.docx
Introduction to Cryptography Week4 Part1-ISrevisionSu.docxmariuse18nolet
 
Overview on Symmetric Key Encryption Algorithms
Overview on Symmetric Key Encryption AlgorithmsOverview on Symmetric Key Encryption Algorithms
Overview on Symmetric Key Encryption AlgorithmsIJERA Editor
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 

Semelhante a Cryptography- "A Black Art" (20)

Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxSecret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
 
Cryptography - An Overview
Cryptography - An OverviewCryptography - An Overview
Cryptography - An Overview
 
Unit 1 QB.docx
Unit 1 QB.docxUnit 1 QB.docx
Unit 1 QB.docx
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
A Survey on Cryptographic Techniques for Network Security.pdf
A Survey on Cryptographic Techniques for Network Security.pdfA Survey on Cryptographic Techniques for Network Security.pdf
A Survey on Cryptographic Techniques for Network Security.pdf
 
Evolution of Cryptography and Cryptographic techniques
Evolution of Cryptography and Cryptographic techniquesEvolution of Cryptography and Cryptographic techniques
Evolution of Cryptography and Cryptographic techniques
 
Cryptography by Durlab Kumbhakar
Cryptography by Durlab KumbhakarCryptography by Durlab Kumbhakar
Cryptography by Durlab Kumbhakar
 
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptxSecret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
Secret-Key-Cryptography-ppt-by-alljobs.co_.in_.pptx
 
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUESA REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
A REVIEW STUDY OF CRYPTOGRAPHY TECHNIQUES
 
Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...
 
Data encryption
Data encryptionData encryption
Data encryption
 
groupWork.pptx
groupWork.pptxgroupWork.pptx
groupWork.pptx
 
MAJOR PROJECT FORMAT--2013(new 1)
MAJOR PROJECT FORMAT--2013(new 1)MAJOR PROJECT FORMAT--2013(new 1)
MAJOR PROJECT FORMAT--2013(new 1)
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
A Survey on Generation and Evolution of Various Cryptographic Techniques
A Survey on Generation and Evolution of Various Cryptographic TechniquesA Survey on Generation and Evolution of Various Cryptographic Techniques
A Survey on Generation and Evolution of Various Cryptographic Techniques
 
Pertemuan 4 information hiding (cryptography)
Pertemuan 4 information hiding (cryptography)Pertemuan 4 information hiding (cryptography)
Pertemuan 4 information hiding (cryptography)
 
Introduction to Cryptography Week4 Part1-ISrevisionSu.docx
Introduction to Cryptography  Week4 Part1-ISrevisionSu.docxIntroduction to Cryptography  Week4 Part1-ISrevisionSu.docx
Introduction to Cryptography Week4 Part1-ISrevisionSu.docx
 
Overview on Symmetric Key Encryption Algorithms
Overview on Symmetric Key Encryption AlgorithmsOverview on Symmetric Key Encryption Algorithms
Overview on Symmetric Key Encryption Algorithms
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 

Último

Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsManeerUddin
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 

Último (20)

Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture hons
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 

Cryptography- "A Black Art"

  • 1. An introduction to cryptography By-Aditya Raina aditya.raina@lucideus.com I have given history short-shrift in my attempt to get to modern cryptography as quickly as possible.Any mistakes in this document are mine. Please notify me of any that you find at the above e-mail address. Table of contents Part I: Introduction 1 Vocabulary 2 Concepts 3 History 4 Crash Course in Number Theory Part II: Cryptography 5. Simple Cryptosystems 6. Symmetric key cryptography 7. Cryptography Algorithms 7.1 Symmetric key Algorithms 1. Block Ciphers 1. A RIJNDAEL 1. B CAMELLIA 2. Stream Ciphers 2. A RABBIT 8.Finite Fields 9. Modern Stream Ciphers 9.1 RC4 9.2 One-Time Pads 10. Modern Block Ciphers 10.1 Modes of Operation of a Block Cipher 10.2 The Block Cipher DES 10.3 The Block Cipher AES 11. Public Key Cryptography 11.1 Public Key Algorithms 11.1.1. RSA 11.2. Key Management 11.2 .1 Finite Field Discrete Logarithm Problem 11.2.2. Diffie-Hellman Key Agreement 11.3. Elliptic Curve Cryptography 12. Hash functions and Message Authentication Codes 12. a SHA-0, SHA-1 12. b The MD5 hash function 12. c WHIRLPOOL 12. d RIPEMD 12. e SHACAL 12.1 Security of Hash Functions 12.2 MAC 13 Signatures and Authentication 13.1 Public Key digital signatures
  • 2. Part III: Applications of Cryptography 14.1 E-mail Security 14.2 IP-Security 14.3 Web Security 15 Time-stamping 16 KERBEROS 17 Key Management and Salting 18 Quantum Cryptography Part IV: Introduction to System Security 19. Intruders 19.1 Intrusion Detection 20. Password Management 20.1 Password Protection 21. Firewalls 21.1 Firewall Characteristics 22. Cryptography Failures Part V: Cryptanalysis 23 Basic Concepts of Cryptanalysis 23.1 Cryptanalytic Attacks
  • 3. Introduction To “Cryptography: A Black Art” Cryptography is a fundamental building block for buildinginformation systems, and as we enter the so-called "information age" of global networks, ubiquitous computing devices, and electronic commerce, we can expect that the cryptography will become more and more important with time.It is used to hide information. It is not only use by spies but for phone, fax and e-mail communication, bank transactions, bank account security, PINs, passwords and credit card transactions on the web. It is also used for a variety of other information security issues including electronic signatures, which are used to prove who sent a message. The main goal of cryptography is to adequately address the following four areas in both theory and practice: a)Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecyis a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible. b)Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorizedparties. Data manipulation includes such things as insertion, deletion, and substitution. 3)Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed). 
4)Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute. 1 Vocabulary A plaintext message, or simply a plaintext, is a message to be communicated. A misguided version of a plaintext message is a ciphertext message or simply a ciphertext. The process of creating a ciphertext from a plaintext is called encryption. The process of turning a ciphertext back into a plaintext is called decryption. The verbs encipher and decipher are synonymous with the verbs encrypt and decrypt. In England, cryptology is the study of encryption and decryption and cryptography is the application of them. In the U.S., the terms are synonymous, and the latter term is used more commonly. In non-technical English, the term encode is often used as a synonym for encrypt. To encode a plaintext changes the plaintext into a series of bits (Usually) or numbers (traditionally). A bit is simply a 0 or a 1. There is nothing secret about encoding. A simple encoding of the alphabet would be A! 0,Z! 25. Using this, we could encode the message HELLO as 7 4 11 11 14. The most common method of encoding a message nowadays is to replace it by its ASCII equivalent, which is an 8 bit representation for each symbol. Decoding turns bits or numbers back into plaintext.
  • 4. Plaintext encryption cipher text decryptionplaintext Figure1-1. Encryption and decryption A stream cipher operates on a message symbol-by-symbol, or nowadays bit-by-bit. A block cipher operates on blocks of symbols. A digraph is a pair of letters and a trigraph is a triple of letters. These are blocks that were used historically in cryptography. The Advanced EncryptionStandard (AES) operates on 128 bit strings. So when AES is used to encrypt a text message, it encrypts blocks of 128/8 = 16 symbols. A transposition cipher rearranges the letters, symbols or bits in a plaintext. A substitution cipher replaces letters, symbols or bits in a plaintext with others without changing the order. A product cipher alternates transposition and substitution. The concept of stream versus block cipher really only applies to substitution and productciphers, not transposition ciphers. An algorithm is a series of steps performed by a computer (nowadays) or a person (traditionally) to perform some task. 2. Cryptosystem: In this meaning, the term Cryptosystem is used as shorthand for "cryptographic system". A cryptographic system is any computer system that involves cryptography. Such systems include for instance, a system for secure electronic mail which might include methods for digital signatures, cryptographic hash functions, key management techniques, and so on. Cryptographic systems are made up of cryptographic primitives, and are usually rather complex. Because of this, breaking a cryptosystem is not restricted to breaking the underlying cryptographic algorithms usually it is far easier to break the system as a whole, e.g., through the not uncommon misconceptions of users in respect to the cryptosystem. The systematic arrangement of cypher text can abide the security. Meaning in the context of cryptography: In this meaning, a Cryptosystem refers to a suite of algorithms needed to implement a particular form of encryption and decryption. 
Typically, a cryptosystem consists of three algorithms: 1. for key generation, 2. for encryption, and 3. for decryption. The term cipher (sometimes cypher) is often used to refer to a pair of algorithms, one for encryption and one for decryption. Therefore, the term "cryptosystem" is most often used when the key generation algorithm is important. For this reason, the term "cryptosystem" is commonly used to refer to public key techniques; however both "cipher" and "cryptosystem" are used for symmetric key techniques. CRYPTOSYSTEMS AND KEYS By definition, a cryptosystem is the combination of three elements: an encryptionengine, keying information, and operational procedures for their secure use.
  • 5. In order to cryptographically secure high-value data on a hard disk (or on back-up media), it is necessary to employ a high-grade cryptosystem: one which even an attacker possessing both a copy of your encryption engine and knowledge of your operating procedures cannot break without your keying information. Cryptanalysis is the process by which the enemy tries to turn Cipher text into Plaintext. It can also mean the study of this. Cryptosystems come in 3 kinds: 1. Those that have been broken (most). 2. Those that have not yet been analysed (because they are new and not yet widely used). 3. Those that have been analysed but not broken. (RSA, Discrete log cryptosystems, Triple-DES, AES). # Three most common ways for the enemy to turn ciphertext into plaintext: 1. Steal/purchase/bribe to get key 2. Exploit sloppy implementation/protocol problems (hacking). Examples: someone usedspouse‘s name as key, someone sent key along with message 3. Cryptanalysis Alice is the sender of an encrypted message. Bob is the recipient. Eve is the eavesdropper who tries to read the encrypted message. 3 History 400 BC Spartan sky tale cipher (sounds like Italy). Example of transposition cipher. Letters were written on a long thin strip of leather wrapped around a cylinder. The diameter of the cylinder was the key. _____________________________ /T/H/I/S/I/S/_/ / / /H/O/W/I/T/ || / /W/O/U/L/D/ / -----------------------------------------------Julius Caesar‘s substitution cipher. Shift all letters three to the right. In our alphabet that would send A! D, B! E, Z! C. Cryptography has a long and fascinating history. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies. 
The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with its adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world.

The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published "New Directions in Cryptography". This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and
signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem.

One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the ElGamal public key scheme. The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

4 Crash course in Number Theory

Let Z denote the integers ..., −2, −1, 0, 1, 2, .... The symbol ∈ means "is an element of". If a, b ∈ Z we say a divides b if b = na for some n ∈ Z, and write a|b. "a divides b" is just another way of saying b is a multiple of a. So 3|12 since 12 = 4 · 3, 3|3 since 3 = 1 · 3, 5|−5 since −5 = −1 · 5, 6|0 since 0 = 0 · 6. If x|1, what is x? (Answer: ±1.)

Properties: If a, b, c ∈ Z and a|b then a|bc. I.e., since 3|12 then 3|60. If a|b and b|c then a|c. If a|b and a|c then a|b ± c. If a|b and a ∤ c (a does not divide c) then a ∤ b ± c.

The primes are 2, 3, 5, 7, 11, 13, .... The Fundamental Theorem of Arithmetic: Any n ∈ Z, n > 1, can be written uniquely as a product of powers of distinct primes. For example 90 = 2^1 · 3^2 · 5^1.
Given a, b ∈ Z≥0 (the non-negative integers), not both 0, the greatest common divisor of a and b is the largest integer d dividing both a and b. It is denoted gcd(a, b) or just (a, b). As examples: gcd(12, 18) = 6, gcd(12, 19) = 1. To get the fraction 12/18 into lowest terms, cancel the 6's. The fraction 12/19 is already in lowest terms.

If you have the factorization of a and b written out, then take the product of the primes to the minimum of the two exponents, for each prime, to get the gcd. 2520 = 2^3 · 3^2 · 5^1 · 7^1 and 2700 = 2^2 · 3^3 · 5^2 · 7^0, so gcd(2520, 2700) = 2^2 · 3^2 · 5^1 · 7^0 = 180. Note 2520/180 = 14, 2700/180 = 15 and gcd(14, 15) = 1. We say that two numbers with gcd equal to 1 are relatively prime.

Factoring is slow with large numbers. The Euclidean algorithm for gcd'ing is very fast with large numbers. Find gcd(329, 119). Recall long division. When dividing 119 into 329 you get 2 with a remainder of 91. At each step, the previous divisor and remainder become the new dividend and divisor.

329 = 2 · 119 + 91
119 = 1 · 91 + 28
91 = 3 · 28 + 7
28 = 4 · 7 + 0

The number above the 0 is the gcd. So gcd(329, 119) = 7.
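The Euclidean algorithm above, as an added example in Python (not code from the original notes): the division chain traced step by step, the extended form that also returns the Bezout coefficients, and the modular inverse built from it, which later sections need for division in F_p and for the RSA private exponent d with d·e ≡ 1 (mod φ(n)).

```python
# Added example: Euclid's algorithm as the division chain in the notes,
# its extended form, and the modular inverse it yields.


def euclid_trace(a, b):
    """Return (gcd, steps); each step is (dividend, quotient, divisor, remainder).

    Each step records the long division a = q * b + r.  The previous divisor
    and remainder become the next dividend and divisor, and the last non-zero
    remainder (the number "above the 0") is the gcd.
    """
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return a, steps


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (Bezout's identity).

    Same division chain as euclid_trace, but the coefficients x, y are carried
    along so the gcd is expressed as a combination of the inputs.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, m):
    """Return a^-1 mod m, or None when gcd(a, m) != 1 (then no inverse exists).

    If a*x + m*y = 1 then a*x = 1 (mod m), so x mod m is the inverse.  This is
    how one divides in F_p (m = p prime) and how RSA gets d from e and phi(n).
    """
    g, x, _ = extended_gcd(a % m, m)
    if g != 1:
        return None
    return x % m


if __name__ == "__main__":
    g, steps = euclid_trace(329, 119)
    for dividend, q, divisor, r in steps:
        print(f"{dividend} = {q} * {divisor} + {r}")
    print("gcd(329, 119) =", g)
    print("gcd(2520, 2700) =", euclid_trace(2520, 2700)[0])
    print("3^-1 mod 7 =", mod_inverse(3, 7))
```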
Part II - Cryptography

In this section we shall introduce the major methods of encryption, hashing and signatures.

5 Simple Cryptosystems

Let P be the set of possible plaintext messages. For example it might be the set {A, B, ..., Z} of size 26 or the set {AA, AB, ..., ZZ} of size 26^2. Let C be the set of possible ciphertext messages. An enciphering transformation f is a map from P to C. f shouldn't send different plaintext messages to the same ciphertext message (so f should be one-to-one or injective).

We'll start with a cryptosystem based on single letters. You can replace letters by other letters. Having a weird permutation is slow, like A → F, B → Q, C → N, .... There's less storage if you have a mathematical rule to govern encryption and decryption.

Shift transformation: P is the plaintext letter/number, A = 0, B = 1, ..., Z = 25. The Caesar cipher is an example: encryption is given by C ≡ P + 3 (mod 26) and so decryption is given by P ≡ C − 3 (mod 26). If you have an N-letter alphabet, a shift enciphering transformation is C ≡ P + b (mod N) where b is the encrypting key and −b is the decrypting key.

6. Symmetric key cryptography

In a symmetric key cryptosystem, Alice and Bob must agree on a secret, shared key ahead of time. We will consider stream ciphers and block ciphers.

7. CRYPTOGRAPHY ALGORITHMS

7.1 SYMMETRIC KEY ALGORITHMS

I. BLOCK CIPHERS

Symmetric (secret key) encryption schemes use the same key for encryption and decryption and usually have predefined key lengths. They provide high security and high performance, but suffer from the key exchange problem: a group of n entities needs to exchange n·(n−1)/2 different keys over secure channels. The current state of the art in symmetric encryption is surely given by the five finalists of the AES selection process. In the AES competition, the winner, Rijndael, got 86 votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes (Nechvatal et al.).
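The shift enciphering transformation C ≡ P + b (mod N) from section 5, as an added example in Python (not code from the original notes): encryption with key b over an N-letter alphabet, the decrypting key −b mod N, and the Caesar cipher as the case b = 3, N = 26. Passing non-alphabet characters through unchanged is an assumption made so that the example runs on ordinary text.

```python
# Added example: the shift cipher of section 5 over an arbitrary alphabet.
import string

ALPHABET = string.ascii_uppercase  # A = 0, B = 1, ..., Z = 25, so N = 26


def shift_encrypt(plaintext, b, alphabet=ALPHABET):
    """Encrypt with key b: every letter P becomes (P + b) mod N.

    Characters not in the alphabet are passed through unchanged (assumption for
    readability; the notes work on letters only).
    """
    n = len(alphabet)
    index = {ch: i for i, ch in enumerate(alphabet)}
    out = []
    for ch in plaintext.upper():
        out.append(alphabet[(index[ch] + b) % n] if ch in index else ch)
    return "".join(out)


def decrypting_key(b, n=len(ALPHABET)):
    """The decrypting key is -b mod N: shifting by it undoes the shift by b."""
    return (-b) % n


def shift_decrypt(ciphertext, b, alphabet=ALPHABET):
    """Decrypt by encrypting with the decrypting key -b mod N."""
    return shift_encrypt(ciphertext, decrypting_key(b, len(alphabet)), alphabet)


def caesar_encrypt(plaintext):
    """Caesar's cipher: the shift transformation with b = 3 over 26 letters."""
    return shift_encrypt(plaintext, 3)


def key_space_size(alphabet=ALPHABET):
    """Only N distinct shifts exist (b = 0 is the identity), one reason the
    notes move on from single-letter shift ciphers to real cryptosystems."""
    return len(alphabet)


if __name__ == "__main__":
    c = caesar_encrypt("HELLO WORLD")
    print(c, "->", shift_decrypt(c, 3))   # KHOOR ZRUOG -> HELLO WORLD
    print("decrypting key for b=3:", decrypting_key(3))   # 23
```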
A. RIJNDAEL

Rijndael is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", a combination of the names of the inventors. Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael
supports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. The key is expanded using Rijndael's key schedule. Most AES calculations are done in a special finite field. AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). For encryption, each round of AES, except the last round, consists of four stages:

- AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
- SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
- ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
- MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation.

The final round replaces the MixColumns stage with another instance of AddRoundKey.

SECURITY

As of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced [9] that AES may be used for classified information: "The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."
This marks the first time that the public has had access to a cipher approved by NSA for TOP SECRET information. It is interesting to note that many public products use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future).

The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. As of 2006, the best known attacks are on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.

Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this sense, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2^120 operations would be considered a break even though it would be, now, quite infeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64-bit RC5 key by distributed.net (finishing in 2002; Moore's Law implies that this is roughly equivalent to an attack on a 66-bit key today).

Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description.
This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, showing a potential weakness in the AES algorithm. Several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors may have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. For the moment, the XSL attack against AES appears speculative; it is unlikely that anyone could carry out the current attack in practice.

B. CAMELLIA

The cipher was developed jointly by Mitsubishi and NTT in 2000, and has similar design elements to earlier block ciphers (E2 and MISTY1) from these companies. Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys, the same interface as the Advanced Encryption Standard. It is a Feistel cipher with either 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. The cipher also uses input and output key whitening.

We will focus on the use of the Camellia block cipher algorithm in Cipher Block Chaining mode, with an explicit Initialization Vector, as a confidentiality mechanism within the context of the IPsec Encapsulating Security Payload (ESP). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by the Japan CRYPTREC (Cryptography Research and Evaluation Committees).
Camellia has been submitted to several other standardization bodies, such as ISO (ISO/IEC 18033) and the IETF S/MIME Mail Security Working Group. Camellia supports a 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the Advanced Encryption Standard (AES). Camellia is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to AES.

Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations must support this key size. Implementations may also support key sizes of 192 bits and 256 bits. Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used, implementations must use 18 rounds. When a 192-bit key is used, implementations must use 24 rounds. When a 256-bit key is used, implementations must use 24 rounds. At the time of writing this document, there are no known weak keys for Camellia.

SECURITY

Implementations are encouraged to use the largest key sizes they can, taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily affects both sides of a secure channel, so such consideration must take into account not only the client side, but also the server.
However, a key size of 128 bits is considered secure for the foreseeable future. No security problem has been found in Camellia [CRYPTREC]. Although patented, Camellia is available under a royalty-free license.

II. STREAM CIPHERS

A. RABBIT

Rabbit is a high-speed stream cipher first presented in February 2003 at the 10th FSE workshop by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. In May 2005, it was submitted to eSTREAM. Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses.

The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables x_j,i and eight 32-bit counter variables c_j,i, where x_j,i is the state variable of subsystem j at iteration i, and c_j,i denotes the corresponding counter variable. There is one counter carry bit, φ_7,i, which needs to be stored between iterations. This counter carry bit is initialized to zero. The eight state variables and the eight counters are derived from the key at initialization.

The algorithm is initialized by expanding the 128-bit key into both the eight state variables and the eight counters such that there is a one-to-one correspondence between the key and the initial state variables, x_j,0, and the initial counters, c_j,0. The key, K[127..0], is divided into eight subkeys: k0 = K[15..0], k1 = K[31..16], ..., k7 = K[127..112]. The state and counter variables are initialized from the subkeys as follows: The system is iterated four times, according to the next-state function defined below, to diminish correlations between bits in the key and bits in the internal state variables. Finally, the counter values are re-initialized according to c_j,4 = c_j,4 XOR x_(j+4 mod 8),4 to prevent recovery of the key by inversion of the counter system.
The core of the Rabbit algorithm is the iteration of the system defined by the following equations:

x_0,i+1 = g_0,i + (g_7,i <<< 16) + (g_6,i <<< 16)
x_1,i+1 = g_1,i + (g_0,i <<< 8) + g_7,i
x_2,i+1 = g_2,i + (g_1,i <<< 16) + (g_0,i <<< 16)
x_3,i+1 = g_3,i + (g_2,i <<< 8) + g_1,i
x_4,i+1 = g_4,i + (g_3,i <<< 16) + (g_2,i <<< 16)
x_5,i+1 = g_5,i + (g_4,i <<< 8) + g_3,i
x_6,i+1 = g_6,i + (g_5,i <<< 16) + (g_4,i <<< 16)
x_7,i+1 = g_7,i + (g_6,i <<< 8) + g_5,i
g_j,i = ((x_j,i + c_j,i)^2 XOR ((x_j,i + c_j,i)^2 >> 32)) mod 2^32

where all additions are modulo 2^32.

SECURITY

As of March 2006, no cryptographic weaknesses are known.

PERFORMANCE

Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware. The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on strong
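The next-state function printed above (g_j,i and the eight x_j,i+1 equations) as an added example in Python; it is not code from the original notes or from the Rabbit designers. The page does not print how the counters c_j,i advance or how the key fills x and c, so this function takes the current counters as an input and leaves them alone: it is the state-update core only, not a complete Rabbit.

```python
# Added example: the Rabbit next-state function, equation by equation.
MASK32 = 0xFFFFFFFF


def rotl32(v, r):
    """32-bit left rotation, the <<< operator in the equations."""
    return ((v << r) | (v >> (32 - r))) & MASK32


def g(x, c):
    """g_j,i = ((x + c)^2 XOR ((x + c)^2 >> 32)) mod 2^32.

    The sum x + c is taken modulo 2^32 first (all additions are mod 2^32); the
    square is a 64-bit value whose high and low halves are then XORed.
    """
    s = (x + c) & MASK32
    sq = s * s                      # up to 64 bits; Python ints do not overflow
    return (sq ^ (sq >> 32)) & MASK32


def next_state(x, c):
    """Return x_{i+1}, the eight 32-bit words, from x_i and the counters c_i.

    The counter update (how c_{i+1} is formed) is not shown on this page and is
    not performed here; c is only read.
    """
    gv = [g(x[j], c[j]) for j in range(8)]
    return [
        (gv[0] + rotl32(gv[7], 16) + rotl32(gv[6], 16)) & MASK32,
        (gv[1] + rotl32(gv[0], 8) + gv[7]) & MASK32,
        (gv[2] + rotl32(gv[1], 16) + rotl32(gv[0], 16)) & MASK32,
        (gv[3] + rotl32(gv[2], 8) + gv[1]) & MASK32,
        (gv[4] + rotl32(gv[3], 16) + rotl32(gv[2], 16)) & MASK32,
        (gv[5] + rotl32(gv[4], 8) + gv[3]) & MASK32,
        (gv[6] + rotl32(gv[5], 16) + rotl32(gv[4], 16)) & MASK32,
        (gv[7] + rotl32(gv[6], 8) + gv[5]) & MASK32,
    ]


if __name__ == "__main__":
    # Constructed sample: a single set bit in x_0, zero counters, one iteration.
    x = [1] + [0] * 7
    print([hex(w) for w in next_state(x, [0] * 8)])
```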
mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher.

8 Finite fields

If p is a prime we rename Z/pZ = F_p, the field with p elements {0, 1, ..., p − 1} with +, −, ×. Note all elements α other than 0 have gcd(α, p) = 1, so we can find α^−1 (mod p). So we can divide by any non-0 element. So it's like other fields like the rationals, reals and complex numbers. F_p^* is {1, ..., p − 1}; here we do ×, ÷. Note F_p^* has φ(p − 1) generators g (also called primitive roots of p). The sets {g, g^2, g^3, ..., g^(p−1)} and {1, 2, ..., p − 1} are the same (though the elements will be in different orders). Example, F_5^*, g = 2: 2^1 = 2, 2^2 = 4, 2^3 = 3, 2^4 = 1. Also g = 3: 3^1 = 3, 3^2 = 4, 3^3 = 2, 3^4 = 1. For F_7^*, 2^1 = 2, 2^2 = 4, 2^3 = 1, 2^4 = 2, 2^5 = 4, 2^6 = 1, so 2 is not a generator. g = 3: 3^1 = 3, 3^2 = 2, 3^3 = 6, 3^4 = 4, 3^5 = 5, 3^6 = 1.

9 Modern stream ciphers

Modern stream ciphers are symmetric key cryptosystems. So Alice and Bob must agree on a key beforehand. The plaintext is turned into ASCII. So the plaintext Go would be encoded as 0100011101101111. There's a given (pseudo)random bit generator. Alice and Bob agree on a seed, which acts as the symmetric/shared/secret key. They both generate the same random bit stream like 0111110110001101, which we call the keystream. Alice gets the ciphertext by bit-by-bit XOR'ing, i.e. bit-by-bit addition mod 2: 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0.

We could sequentially use the letters of a key word as key letters for monoalphabetic substitution of sequential plaintext letters from separate substitution alphabets, equal in number to the number of letters in the key. This polyalphabetic substitution cipher blurs the statistics of the letter frequencies to an almost flat probability distribution.
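The generators of F_p^* from section 8, as an added example in Python (not code from the original notes): the power tables for F_5^* and F_7^* written out above are recomputed, generators are found by checking that {g, g^2, ..., g^(p−1)} = {1, ..., p−1}, and their number is compared with φ(p − 1). It goes slightly beyond the text by listing every generator, not just the two examples.

```python
# Added example: powers, generators (primitive roots) and inverses in F_p^*.
from math import gcd


def powers_mod(g, p):
    """[g^1, g^2, ..., g^(p-1)] reduced mod p, the list the notes write out."""
    return [pow(g, k, p) for k in range(1, p)]


def is_generator(g, p):
    """g generates F_p^* exactly when its powers run through all of {1, ..., p-1}."""
    return set(powers_mod(g, p)) == set(range(1, p))


def generators(p):
    """All primitive roots of the prime p, by brute force (fine for small p)."""
    return [g for g in range(1, p) if is_generator(g, p)]


def euler_phi(n):
    """Euler's totient: how many 1 <= k <= n are relatively prime to n."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def inverse_mod_p(a, p):
    """a^-1 in F_p for a != 0, via Fermat: a^(p-1) = 1, so a^(p-2) * a = 1."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse in F_p")
    return pow(a, p - 2, p)


if __name__ == "__main__":
    for p in (5, 7):
        for g in range(2, p):
            print(f"F_{p}^*, g = {g}: {powers_mod(g, p)}"
                  f" {'(generator)' if is_generator(g, p) else ''}")
        print(f"{len(generators(p))} generators, phi({p - 1}) = {euler_phi(p - 1)}")
```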
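The bit-by-bit XOR of plaintext and keystream from section 9, as an added example in Python (not code from the original notes): it reproduces the "Go" example, generates a one-time-pad key as long as the message, and shows the keystream-reuse property the next section describes, that XORing two ciphertexts made under the same keystream cancels the key and leaves p1 XOR p2. The sample messages are constructed for the example.

```python
# Added example: XOR keystream encryption, one-time-pad keys, and why a
# keystream must never be used twice.
import secrets


def bits_to_bytes(bits):
    """'0100011101101111' -> b'Go' (eight bits per byte, as in the ASCII encoding)."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bytes_to_bits(data):
    return "".join(f"{byte:08b}" for byte in data)


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("keystream must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(plaintext, keystream):
    """Ciphertext = plaintext XOR keystream; decryption is the same call."""
    return xor_bytes(plaintext, keystream)


def one_time_pad_key(length):
    """A fresh, uniformly random key as long as the plaintext (module secrets, not random)."""
    return secrets.token_bytes(length)


def keystream_reuse_leak(c1, c2):
    """If one keystream k encrypted both messages, c1 XOR c2 = p1 XOR p2: the key
    cancels, which is what makes reuse fatal and why a pad is used once."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    keystream = bits_to_bytes("0111110110001101")      # keystream from the notes
    c = stream_encrypt(b"Go", keystream)
    print(bytes_to_bits(c), "->", stream_encrypt(c, keystream))   # 0011101011100010 -> b'Go'
    p1, p2 = b"meet at noon", b"see you soon"           # constructed messages
    pad = one_time_pad_key(len(p1))
    leak = keystream_reuse_leak(stream_encrypt(p1, pad), stream_encrypt(p2, pad))
    print(leak == xor_bytes(p1, p2))                    # True: the pad cancelled out
```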
Its modern version is the byte-by-byte addition of a key-stream to the plaintext: a Vernam cipher. For all its apparent complexity, however, if you sample its cipher-text at letter intervals equal to the length of the key, the old statistics jump out at you. Friedman's brilliant index of coincidence statistic will betray that key length.

NOTE: An excellent source for understanding how many ways have been devised to break apparently clever ciphers is US Army Field Manual FM-34-40-2, Basic Cryptanalysis, the successor to TM 32-220. It will quickly show you why professional creation of ciphers is restricted to those with proven experience in breaking the codes and ciphers of others.

To counter this attack, we must have a secret key-stream as long as the message. If it is used twice on messages of the same length, adding the two cipher-text streams will cancel it out, leaving non-uniformly distributed letters for statistical cryptanalysis. To be unbreakable, the key-stream must come from a one-time pad of length equal to that of all the data bytes encrypted. All this keying material must be kept secret. This horrendous keying materials management problem for the only proven unbreakable cipher has led to searches for keying material generators which can
substitute. However, all such schemes are based on algorithms, and must therefore leave patterns in the key streams for statistical analyses that can break them. Their cryptographic strength is therefore a matter of degree (the cryptanalyst's work factor), not an absolute. However, that strength can still be formidable. One technique for achieving it is the use of Feistel networks, that generate blocks of key stream from blocks of the message itself, through multiple rounds of groups of permutations and substitutions, each dependent on transformations of a key. If they are specifically structured to thwart all the known statistical cryptanalysis methods, their cryptanalytic work factor can be made as large as that for exhaustive key search.

9.1 RC4

RC4 is the most widely used stream cipher. It was invented by Ron Rivest (the R of RSA) in 1987. The RC stands for Ron's Code. The pseudo-random bit generator was kept secret. The source code was published anonymously on the Cypherpunks mailing list in 1994.

9.2 One-time pads

If the key (not the key stream) for a stream cipher is random and as long as the plaintext then this is called a one-time pad. The key must never be used again. Cryptanalysis is provably impossible. This was used by the Russians during the cold war and by the phone linking the White House and the Kremlin. It is very impractical.

10 Modern Block Ciphers

Most encryption now is done using block ciphers. The two most important historically have been the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). DES has a 56-bit key and 64-bit plaintext and ciphertext blocks. AES has a 128-bit key, and 128-bit plaintext and ciphertext blocks.

10.1 Modes of Operation of a Block Cipher

NIST has defined five modes of operation: CBC (Cipher Block Chaining), ECB (Electronic Codebook), CFB (Cipher Feedback), OFB (Output Feedback), and CTR (Counter).
The CBC mode is well defined and well understood for symmetric ciphers, and it is currently required for all other ESP ciphers.

ECB: The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the message is split into blocks and each is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks; thus, it does not hide data patterns well. In some senses it doesn't provide message confidentiality at all, and it is not recommended for cryptographic protocols.
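ECB as just described, together with the CBC and CTR modes of section 10.1, as an added example in Python (not code from the original notes): the same message is encrypted in each mode so the repeated-block leak of ECB, the chaining with an IV in CBC, and the random-access decryption of CTR can be observed. The 64-bit block cipher underneath is an assumed four-round Feistel network with a SHA-256 round function, written only so the example runs without a crypto library; it is a teaching toy, not any cipher the notes name.

```python
# Added example: ECB / CBC / CTR on top of a toy 64-bit Feistel block cipher.
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size


def _round_keys(key):
    """Toy key schedule: four round keys derived from the cipher key."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(4)]


def _round_fn(half, round_key):
    """Feistel round function F(K_i, R). It need not be invertible: the Feistel
    structure undoes each round by recomputing F on the half that was kept."""
    digest = hashlib.sha256(round_key + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def toy_encrypt_block(block, key):
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rk in _round_keys(key):
        left, right = right, left ^ _round_fn(right, rk)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")  # final swap undone


def toy_decrypt_block(block, key):
    right = int.from_bytes(block[:4], "big")
    left = int.from_bytes(block[4:], "big")
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _round_fn(left, rk), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def pad(data):
    """PKCS#7-style padding so the message splits into whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(pt, key):
    """ECB: every block encrypted on its own, so equal blocks give equal output."""
    return b"".join(toy_encrypt_block(b, key) for b in blocks(pad(pt)))


def ecb_decrypt(ct, key):
    return unpad(b"".join(toy_decrypt_block(b, key) for b in blocks(ct)))


def cbc_encrypt(pt, key, iv):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first) before encryption."""
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = toy_encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(toy_decrypt_block(b, key), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(data, key, nonce, start=0):
    """CTR: keystream block i = E_k(nonce || counter start+i), XORed with the data.
    No padding is needed, decryption is the same call, and `start` gives the
    random-access property: any block can be processed alone."""
    out = []
    for i, b in enumerate(blocks(data)):
        counter_block = nonce + (start + i).to_bytes(4, "big")
        out.append(xor(b, toy_encrypt_block(counter_block, key)))
    return b"".join(out)


def ecb_leaks_patterns(pt, key):
    """True when repeated plaintext blocks show up as repeated ciphertext blocks."""
    cblocks = blocks(ecb_encrypt(pt, key))
    return len(set(cblocks)) < len(cblocks)
```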
CBC: In the cipher-block chaining (CBC) mode, each block of plaintext is XOR-ed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks up to that point. Also, to make each message unique, an initialization vector is used in the first block.

CFB: The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. The operation is very similar; in particular, CFB decryption is almost identical to CBC decryption performed in reverse.

OFB: The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XOR-ed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even if applied before encryption. Because of the symmetry of the XOR operation, encryption and decryption are exactly the same.

CTR: Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has very similar characteristics to OFB, but also allows a random access property for decryption and is probably secure if the block cipher is strong. CTR mode is also known as Segmented Integer Counter (SIC) mode.

10.2 The Block Cipher DES

The DES cipher was reviewed for NIST (then the National Bureau of Standards) by the NSA, in its COMSEC role (as opposed to its code-breaking COMINT role).
The values of the constants in the DES S-box substitution tables were specifically chosen to resist then-known-by-NSA cryptanalytic attacks, including the then-highly-classified concept of differential cryptanalysis. Its key size was chosen to be secure for at least a decade, while allowing implementations in 1970s integrated circuit technology. This 64-bit block cipher has successfully withstood public cryptanalysis for more than 20 years, a record matched by no other. In that time, however, the cost of special-purpose key-search machines capable of brute force attacks on its 56-bit key space has dropped below levels feasible for most governments (and some corporations).

NOTE: A thousand cooperating million-DES-encryptions-per-second machines, an array affordable by many governments and corporations, could perform the 2-to-the-55th-power trial encryptions required to search half the 56-bit key space of DES (the amount necessary, on average) in a year. Ten thousand of them could do such an exhaustive key search in little more than a month. With the speed-per-dollar of such machines doubling every year or so, DES can hardly be considered secure for long-term use.

Over two decades of unsuccessful cryptanalysis have shown the DES cipher's cryptographic strength to be, in practical terms, equivalent to the size of its key. Thus, an obvious place to look for its replacement is a version with a larger key.
TRIPLE-DES CIPHER

Unlike the available alternative block ciphers, the DES cipher has been proven mathematically not to be an algebraic group. Consequently, unlike those alternatives, three-pass encryption with DES yields a product cipher with a key space dimension equivalent to the sum of the sizes of the independent keys used in those passes. (Two-pass use of any block cipher is vulnerable to meet-in-the-middle attacks.) Each additional key-bit doubles the size of the key space. This is a crude, but extremely effective approach to defeating exhaustive key-search attacks through many years of increased computing power evolution.

NOTE: This type of product cipher can be attacked by two different types of key-search methods: (1) the obvious one of searching a 168-bit (3x56 bits) key-space, requiring an average of 2-to-the-167th-power triple-DES encryptions to crack the key used for a particular cipher-text (half the key space); or (2) pre-computing 2-to-the-56th-power DES decryptions and checking the stored table of results against an average of 2-to-the-111th-power double-DES encryptions. The former attack requires a thousand million-DES-encryptions-per-second machines to run for 10-to-the-31st-power millennia; the latter "only" requires them to run for 64 million-million millennia, if all one thousand machines can access the lookup table (which requires 500 million gigabytes of storage). Neither attack is taken very seriously by professionals, who would attack the key (and all your other keys at the same time) by exploiting cryptosystem implementation weaknesses or operator mistakes.

EXPORT CONTROLS

The financial services and banking industry uses the DES cipher to secure trillions of dollars of transactions. It has been moving toward standardizing on 112-bit (2-key) triple-DES as its successor for the next century. (In 2-key triple-DES, the same key is used for the first and third encryptions, requiring less keying material generation.)
However, the US Government has thus far refused to provide the required export approvals, instead suggesting the use of its Escrowed Encryption Standard (FIPS PUB 185). This mandates use of the now-declassified Skipjack cipher with an 80-bit key (16 million times the size of the 56-bit DES key space), and a Law Enforcement Access Field (LEAF) permitting key recovery without the user's cooperation.

NOTE: The Skipjack cipher is used in the Fortezza and Fortezza Plus encryption engines for all SBU information in NSA's Multi-level Information System Security Initiative (MISSI) system. NSA apparently considers this 64-bit block, 32-round Feistel network's 80-bit key size to be adequate for fulfilling its SBU INFOSEC mission for the next decade or two.

Our software cryptosystems employ a full 168-bit (3-key) triple-DES algorithm in cipher block chaining (CBC) mode. They incorporate neither a LEAF mechanism nor covert channels for key recovery. (The Professional versions do, however, provide you with the ability to generate secure split key shares that enable you to offer emergency access to your encrypted data by multiple trusted parties acting in concert.)

10.3 The Block Cipher AES

However, DES was not designed with Triple-DES in mind. Undoubtedly there would be a more efficient algorithm with the same level of safety as Triple-DES. So in 1997, the National Institute of Standards and Technology (NIST) solicited proposals for replacements of DES. In 2001, NIST chose 128-bit block Rijndael with a 128-bit key
to become the Advanced Encryption Standard (AES). (If you don't speak Dutch, Flemish or Afrikaans, then the closest approximation to the pronunciation is Rinedoll.) Rijndael is a symmetric-key block cipher designed by Joan Daemen and Vincent Rijmen. The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. A number of AES parameters depend on the key length (Table 1.1). In the description of this section, we assume a key length of 128 bits, which is likely to be the one most commonly implemented.

Table 1.1 AES Parameters

Key size (words/bytes/bits)               4/16/128   6/24/192   8/32/256
Plaintext block size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of rounds                          10         12         14
Round key size (words/bytes/bits)         4/16/128   4/16/128   4/16/128
Expanded key size (words/bytes)           44/176     52/208     60/240

Rijndael was designed to have the following characteristics:
- Resistance against all known attacks
- Speed and code compactness on a wide range of platforms
- Design simplicity

About AES Structure:
1. The key that is provided as input is expanded into an array of forty-four 32-bit words. Four distinct words (128 bits) serve as a round key for each round.
2. Four different stages are used, one of permutation and three of substitution:
   o Substitute bytes: uses an S-box to perform a byte-by-byte substitution of the block
   o ShiftRows: a simple permutation
   o MixColumns: a substitution that makes use of arithmetic over GF(2^8)
   o AddRoundKey: a simple bitwise XOR of the current block with a portion of the expanded key.
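The four AES stages listed above, in the miniature form the next paragraphs describe as simplified AES (16-bit blocks, F16 = F2[x]/(x^4 + x + 1), rounds AK_i ∘ MC ∘ SR ∘ NS with an extra AK before the first round and no MC in the last), written out in Python as an added example; it is not code from the original notes. The S-box table, the key expansion (RotNib, SubNib and the round constants x^3 and x^4) and the nibble layout of the state are not printed on this page; they are assumptions taken from the simplified AES of Musa, Schaefer and Wedig, and the round trip plus the known S-AES example (plaintext 0x6F6B, key 0xA73B, ciphertext 0x0738) check them.

```python
# Added example: two-round simplified AES (S-AES) on 16-bit blocks.
SBOX = [0x9, 0x4, 0xA, 0xB, 0xD, 0x1, 0x8, 0x5,
        0x6, 0x2, 0x0, 0x3, 0xC, 0xE, 0xF, 0x7]   # S-AES S-box (assumed, see lead-in)
INV_SBOX = [SBOX.index(v) for v in range(16)]


def gf16_mul(a, b):
    """Multiply two nibbles as elements of F16 = F2[x]/(x^4 + x + 1)."""
    result = 0
    for _ in range(4):
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x10:
            a ^= 0x13              # subtract x^4 + x + 1 (binary 10011)
        b >>= 1
    return result & 0xF


def to_state(word):
    """16-bit word -> nibbles [N0, N1, N2, N3]; columns are [N0, N1] and [N2, N3]
    (assumed layout: a 2x2 nibble matrix filled column by column)."""
    return [(word >> 12) & 0xF, (word >> 8) & 0xF, (word >> 4) & 0xF, word & 0xF]


def from_state(s):
    return (s[0] << 12) | (s[1] << 8) | (s[2] << 4) | s[3]


def add_key(s, round_key):
    """AK_i: XOR the 16 state bits with the 16 round-key bits."""
    return to_state(from_state(s) ^ round_key)


def nibble_sub(s, box=SBOX):
    """NS: replace every nibble by S-box(nibble), order unchanged."""
    return [box[n] for n in s]


def shift_row(s):
    """SR: cyclically shift the second row, i.e. swap the second nibble of each column."""
    return [s[0], s[3], s[2], s[1]]


def mix_columns(s, a=0x4, b=0x1):
    """MC: a column [Ni, Nj] is Ni*z + Nj in F16[z]/(z^2 + 1); multiply by a*z + b.
    Since z^2 = 1 there, Ni' = b*Ni + a*Nj and Nj' = a*Ni + b*Nj.
    Encryption uses c(z) = x^2*z + 1 (a=0x4, b=0x1); its inverse is x*z + x^3 + 1
    (a=0x2, b=0x9), because (0x4*z + 1)(0x2*z + 0x9) = 1 in that ring."""
    out = []
    for ni, nj in ((s[0], s[1]), (s[2], s[3])):
        out += [gf16_mul(b, ni) ^ gf16_mul(a, nj), gf16_mul(a, ni) ^ gf16_mul(b, nj)]
    return out


def expand_key(key):
    """16-bit key -> round keys K0, K1, K2 (the 48 expanded key bits k0..k47).
    Assumed S-AES schedule: w2 = w0 ^ RCON1 ^ SubNib(RotNib(w1)), w3 = w2 ^ w1,
    w4 = w2 ^ RCON2 ^ SubNib(RotNib(w3)), w5 = w4 ^ w3; RCON = x^3, x^4 = x + 1."""
    w = [(key >> 8) & 0xFF, key & 0xFF]
    for rcon in (0x80, 0x30):
        t = w[-1]
        t = ((t & 0xF) << 4) | (t >> 4)             # RotNib: swap the two nibbles
        t = (SBOX[t >> 4] << 4) | SBOX[t & 0xF]     # SubNib: S-box each nibble
        w.append(w[-2] ^ rcon ^ t)
        w.append(w[-1] ^ w[-2])
    return [(w[0] << 8) | w[1], (w[2] << 8) | w[3], (w[4] << 8) | w[5]]


def encrypt(plaintext, key):
    k0, k1, k2 = expand_key(key)
    s = add_key(to_state(plaintext), k0)                      # extra AK before round 1
    s = add_key(mix_columns(shift_row(nibble_sub(s))), k1)    # round 1: AK1 o MC o SR o NS
    s = add_key(shift_row(nibble_sub(s)), k2)                 # round 2: no MC
    return from_state(s)


def decrypt(ciphertext, key):
    """Undo the steps in reverse: AK and SR are self-inverse, NS uses the inverse
    S-box, MC is multiplied by the inverse polynomial."""
    k0, k1, k2 = expand_key(key)
    s = nibble_sub(shift_row(add_key(to_state(ciphertext), k2)), INV_SBOX)
    s = nibble_sub(shift_row(mix_columns(add_key(s, k1), 0x2, 0x9)), INV_SBOX)
    return from_state(add_key(s, k0))


if __name__ == "__main__":
    ct = encrypt(0x6F6B, 0xA73B)
    print(f"ciphertext {ct:04X}, decrypts to {decrypt(ct, 0xA73B):04X}")  # 0738, 6F6B
```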
The Finite Field: Both the key expansion and encryption algorithms of simplified AES depend on an S-box that itself depends on the finite field with 16 elements. Let F16 = F2[x]/(x^4 + x + 1). The word nibble refers to a four-bit string, like 1011. We will frequently associate an element b0·x^3 + b1·x^2 + b2·x + b3 of F16 with the nibble b0b1b2b3.

The S-box: The S-box is a map from nibbles to nibbles. It can be inverted. (For those in the know, it is one-to-one and onto, or bijective.)

The Simplified AES Algorithm: The simplified AES algorithm operates on 16-bit plaintexts and generates 16-bit ciphertexts, using the expanded key k0 ... k47. The encryption algorithm consists of the composition of 8 functions applied to the plaintext. Each function operates on a state. A state consists of 4 nibbles.

The Function AK_i: The abbreviation AK stands for add key. The function AK_i consists of XORing K_i with the state so that the subscripts of the bits in the state and the key bits agree modulo 16.

The Function NS: The abbreviation NS stands for nibble substitution. The function NS replaces each nibble N_i in a state by S-box(N_i) without changing the order of the nibbles. So it sends the state.

The Function SR: The abbreviation SR stands for shift row. The function SR takes the state.

The Function MC: The abbreviation MC stands for mix column. A column [N_i, N_j] of the state is considered to be the element N_i·z + N_j of F16[z]/(z^2 + 1). The function MC multiplies each column by the polynomial c(z) = x^2·z + 1. The simplest way to explain MC is to note that MC sends a column.

The Rounds: The composition of functions AK_i ∘ MC ∘ SR ∘ NS is considered to be the i-th round. So this simplified algorithm has two rounds. There is an extra AK before the first round and the last round does not have an MC.

Security

As an encryption standard, AES needs to be resistant to all known cryptanalytic attacks.
Thus, AES was designed to be resistant against these attacks, especially differential and linear cryptanalysis. To ensure such security, block ciphers in general must have diffusion and non-linearity.

Efficiency: AES is expected to be used on many machines and devices of various sizes and processing powers. For this reason, it was designed to be versatile. Versatility means that the algorithm works efficiently on many platforms, ranging from desktop computers to embedded devices such as cable boxes.

11 Public Key Cryptography

In a symmetric key cryptosystem, if you know the encrypting key you can quickly determine the decrypting key (C ≡ aP + b (mod N)), or they are the same (modern stream cipher, AES). In public key cryptography, everyone has a public key and a private key. There is no known way of quickly determining the private key from the public key.
Main uses of public-key cryptography:
1) Agree on a key for a symmetric cryptosystem.
2) Digital signatures.
Public-key cryptography is rarely used for message exchange since it is slower than symmetric key cryptosystems.

11.1 PUBLIC KEY ALGORITHMS

A. RIVEST, SHAMIR & ADLEMAN (RSA)

RSA involves two keys: a public key and a private key (a key is a constant number later used in the encryption formula). The public key can be known to everyone and is used to encrypt messages. These messages can only be decrypted by use of the private key. In other words, anybody can encrypt a message, but only the holder of the private key can actually decrypt the message and read it.

Intuitive example: Bob wants to send Alice a secret message that only she can read. To do this, Alice sends Bob a box with an open lock, for which only Alice has the key. Bob receives the box, writes the message in plain English, puts it in the box and locks it with Alice's lock (now Bob can no longer read the message). Bob sends the box to Alice and she opens it with her key. In this example, the box with the lock is Alice's public key, and the key to the lock is her private key.

Key generation

Suppose Alice and Bob are communicating over an insecure (open) channel, and Alice wants Bob to send her a private (or secure) message. Using RSA, Alice will take the following steps to generate a public key and a private key:
1. Choose two large prime numbers p and q such that p ≠ q, randomly and independently of each other.
2. Compute n = p·q.
3. Compute the totient function: φ(n) = (p−1)(q−1).
4. Choose an integer e such that 1 < e < φ(n) which is coprime to φ(n).
5. Compute d such that d·e ≡ 1 (mod φ(n)).

• The prime numbers can be probabilistically tested for primality.
• A popular choice for the public exponent is e = 2^16 + 1 = 65537. Some applications choose smaller values such as e = 3, 5, or 35 instead. This is done in order to make implementations on small devices (e.g. smart cards) easier, i.e.
encryption and signature verification is faster. But choosing small public exponents may lead to greater security risks.
• Steps 4 and 5 can be performed with the extended Euclidean algorithm; see modular arithmetic.
• Step 3 changed in PKCS#1 v2.0 to λ(n) = LCM(p−1, q−1) instead of φ(n) = (p−1)(q−1).

The public key consists of
• n, the modulus, and
• e, the public exponent (sometimes encryption exponent).

The private key consists of
• n, the modulus, which is public and appears in the public key, and
• d, the private exponent (sometimes decryption exponent), which must be kept secret.

For reasons of efficiency sometimes a different form of the private key (including CRT parameters) is stored:
• p and q, the primes from the key generation,
• d mod (p−1) and d mod (q−1) (often known as dmp1 and dmq1),
• q^(−1) mod p (often known as iqmp).

Though this form allows faster decryption and signing using the Chinese Remainder Theorem (CRT), it considerably lowers the security. In this form, all of the parts of the private key must be kept secret. Yet, it is a bad idea to use it, since it enables side channel attacks, in particular if implemented on smart cards, which would most benefit from the efficiency win. (Start with y = x^e mod n and let the card decrypt that. So it computes y^d (mod p) or y^d (mod q), whose results give some value z. Now, induce an error in one of the computations. Then gcd(z − x, n) will reveal p or q.)

Alice transmits the public key to Bob, and keeps the private key secret. p and q are sensitive since they are the factors of n, and allow computation of d given e. If p and q are not stored in the CRT form of the private key, they are securely deleted along with the other intermediate values from the key generation.

1) Encrypting messages

Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n, using some previously agreed-upon reversible protocol known as a padding scheme. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m:

c = m^e mod n

This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.

2) Decrypting messages

Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:

m = c^d mod n

Given m, she can recover the original message M. The decryption procedure works because

c^d ≡ (m^e)^d ≡ m^(ed) (mod n).

Now, since ed ≡ 1 (mod p−1) and ed ≡ 1 (mod q−1), Fermat's little theorem yields

m^(ed) ≡ m (mod p) and m^(ed) ≡ m (mod q).

Since p and q are distinct prime numbers, applying the Chinese remainder theorem to these two congruences yields m^(ed) ≡ m (mod pq). Thus, c^d ≡ m (mod n).

PERFORMANCE

RSA is much slower than DES and other symmetric cryptosystems.
In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice. This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve (an eavesdropper wanting to see what was sent) could bypass RSA by guessing the symmetric key.
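The RSA key generation, encryption and decryption steps above carried through in Python, as an added example (not the document's code), with toy primes p = 61, q = 53 and e = 17 so that every value can be checked by hand; it includes the CRT form of the private key (dmp1, dmq1, iqmp) and the PKCS#1 v2.0 LCM variant of step 3. The re-encryption check in decrypt_crt_checked is a standard countermeasure to the fault attack sketched above and is added here; the text does not prescribe it.

```python
"""Toy RSA: key generation (steps 1-5 of the text), encryption, decryption, and
decryption with the CRT parameters. The primes are deliberately tiny; real keys use
primes of hundreds of digits. Requires Python 3.8+ for pow(e, -1, m).
"""
from math import gcd
from typing import NamedTuple


class PublicKey(NamedTuple):
    n: int          # the modulus
    e: int          # the public (encryption) exponent


class PrivateKey(NamedTuple):
    n: int
    d: int          # the private (decryption) exponent
    p: int          # CRT form: the primes ...
    q: int
    dmp1: int       # ... d mod (p-1)
    dmq1: int       # ... d mod (q-1)
    iqmp: int       # ... q^-1 mod p


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def generate_keys(p: int, q: int, e: int, use_lcm: bool = False):
    """use_lcm=True uses lambda(n) = LCM(p-1, q-1) (PKCS#1 v2.0) instead of
    phi(n) = (p-1)(q-1) in step 3; either way d*e = 1 modulo the chosen value."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                                               # step 2
    m = lcm(p - 1, q - 1) if use_lcm else (p - 1) * (q - 1)  # step 3
    if not (1 < e < m and gcd(e, m) == 1):                  # step 4
        raise ValueError("e must be coprime to the totient and smaller than it")
    d = pow(e, -1, m)                                       # step 5 (extended Euclid)
    priv = PrivateKey(n, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return PublicKey(n, e), priv


def encrypt(pub: PublicKey, m: int) -> int:
    """c = m^e mod n; Python's pow uses exponentiation by squaring."""
    if not 0 <= m < pub.n:
        raise ValueError("the padding scheme must produce a number m < n")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """m = c^d mod n."""
    return pow(c, priv.d, priv.n)


def decrypt_crt(priv: PrivateKey, c: int) -> int:
    """Same result from the CRT parameters: two half-size exponentiations modulo p
    and q, then Garner's recombination using iqmp."""
    m1 = pow(c, priv.dmp1, priv.p)          # c^d mod p
    m2 = pow(c, priv.dmq1, priv.q)          # c^d mod q
    h = (priv.iqmp * (m1 - m2)) % priv.p
    return m2 + h * priv.q


def decrypt_crt_checked(pub: PublicKey, priv: PrivateKey, c: int) -> int:
    """Standard countermeasure (added here, not from the text) to the fault attack on
    CRT decryption: never release a result that does not re-encrypt to c."""
    m = decrypt_crt(priv, c)
    if pow(m, pub.e, pub.n) != c:
        raise RuntimeError("CRT result failed the re-encryption check; not released")
    return m


def demo():
    """Alice generates keys; Bob encrypts m = 65; Alice decrypts both ways."""
    pub, priv = generate_keys(61, 53, 17)
    c = encrypt(pub, 65)
    return pub, priv, c, decrypt(priv, c), decrypt_crt_checked(pub, priv, c)
```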
SECURITY

Public key algorithms have complex mathematics and need very long keys. Because of this, public key cryptography is very much slower than secret key cryptography and needs times which are some orders of magnitude over those of Rijndael. Hence public key encryption is normally only used in hybrid encryption systems: the entities use the public key system to exchange a secret key, and this exchanged key is then used to encrypt the actual message with a symmetric encryption system. In contrast to symmetric systems, the encryption performance of asymmetric systems may differ significantly from their decryption performance.

The first invented public key encryption system, RSA, is still the most used one. It is based on the factorization problem. According to Lenstra, RSA currently needs a modulus size somewhere between 2790 bit and 3390 bit to meet the security of a 128 bit Rijndael encryption. Rijndael-192 security is reached by a modulus size somewhere between 7160 bit and 8200 bit. Rijndael-256 security implies an RSA modulus between 14200 bit and 15800 bit. ECRYPT [16] estimates that RSA keys with lengths of 3072, 7680 and 15360 bits offer equivalent security to Rijndael 128, 192 and 256.

The most prominent alternative to RSA is elliptic curve cryptography (ECC). It is based on the discrete logarithm problem and is faster than RSA because it manages with shorter keys. According to the table of Lenstra and Verheul, the security of 1024 bit RSA is met by an ECC key between 138 bit and 147 bit. ECRYPT estimates that a 160 bit ECC key provides RSA-1024 security.

All widely used public key cryptosystems are broken by efficient algorithms for sufficiently large quantum computers. There is some research on quantum-safe public key cryptosystems in order to meet this threat.

11.2 Key Management

As the entire operation is dependent upon the security of the keys, it is sometimes appropriate to devise a fairly complex mechanism to manage them.
Where a single individual is involved, often direct input of a value or string will suffice. The 'memorised' value will then be re-input to retrieve the data, similar to password usage. Sometimes, many individuals are involved, with a requirement for unique keys to be sent to each for retrieval/decryption of transmitted data. In this case, the keys themselves may be encrypted. A number of comprehensive and proven key management systems are available for these situations.

CRYPTOGRAPHY KEY BASICS

The two components required to encrypt data are an algorithm and a key. The algorithm is generally known and the key is kept secret. The key is a very large number that should be impossible to guess, and of a size that makes exhaustive search impractical. In a symmetric cryptosystem, the same key is used for encryption and decryption. In an asymmetric cryptosystem, the key used for decryption is different from the key used for encryption.

THE KEY PAIR: In an asymmetric system the encryption and decryption keys are different but related. The encryption key is known as the public key and the decryption key is known as the private key. The public and private keys are known as a key pair. Where a certification authority is used, remember that it is the public key that is certified and not the private key.
KEY COMPONENT: Keys should whenever possible be distributed by electronic means, enciphered under previously established higher-level keys. There comes a point, of course, when no higher-level key exists and it is necessary to establish the key manually. A common way of doing this is to split the key into several parts (components) and entrust the parts to a number of key management personnel. The idea is that none of the key parts should contain enough information to reveal anything about the key itself. Usually, the key is combined by means of the exclusive-OR operation within a secure environment. In the case of DES keys, there should be an odd number of components, each component having odd parity. Odd parity is preserved when all the components are combined. Further, each component should be accompanied by a key check value to guard against keying errors when the component is entered into the system. A key check value for the combined components should also be available as a final check when the last component is entered.

A problem that occurs with depressing regularity in the real world is when it is necessary to re-enter a key from its components. This is always an emergency situation, and it is usually found that one or more of the key component holders cannot be found. For this reason it is prudent to arrange matters so that the components are distributed among the key holders in such a way that not all of them need to be present. For example, if there are three components (C1, C2, and C3) and three key holders (H1, H2, H3) then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could have (C1, C2). In this arrangement any two out of the three key holders would be sufficient. In more sophisticated systems the components may be held on smart cards.

11.2.1 Finite Field Discrete Logarithm Problem

Let F_q be a finite field. Let g generate F_q^*. Let b ∈ F_q^*. Then g^i = b for some positive integer i ≤ q − 1.
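Before the discrete logarithm discussion continues, the key component scheme described above (odd number of XOR components, odd parity per byte, a key check value per component, and the three-holder distribution where any two holders suffice) as an added example; this is not code from the document. Assumption: DES is not in the Python standard library, so the key check value here is the first three bytes of SHA-256 over the component, standing in for the conventional KCV (leading bytes of the encryption of an all-zero block under the key).

```python
"""Manual key establishment from XOR components, following the text's scheme."""
import hashlib
import secrets


def has_odd_parity(data: bytes) -> bool:
    """True if every byte has an odd number of 1 bits (the DES key convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in data)


def set_odd_parity(data: bytes) -> bytes:
    """Flip the low bit of each byte that has even parity."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in data)


def xor_all(parts) -> bytes:
    result = bytes(len(parts[0]))
    for part in parts:
        result = bytes(x ^ y for x, y in zip(result, part))
    return result


def key_check_value(data: bytes) -> str:
    """Stand-in KCV (assumption: SHA-256 instead of a DES encryption of zeros)."""
    return hashlib.sha256(data).hexdigest()[:6]


def check_component(component: bytes, kcv: str) -> bool:
    """Guard against keying errors when a component is typed into the system."""
    return key_check_value(component) == kcv


def split_key(key: bytes, n_components: int = 3):
    """Split an odd-parity key into n_components odd-parity components whose XOR is the key.

    The XOR of an even number of odd-parity bytes has even parity, so the last component
    (key XOR the random ones) comes out with odd parity by itself when n is odd.
    Returns a list of (component, kcv) pairs.
    """
    if n_components % 2 == 0:
        raise ValueError("use an odd number of components so parity is preserved")
    if not has_odd_parity(key):
        raise ValueError("DES keys must have odd parity")
    random_parts = [set_odd_parity(secrets.token_bytes(len(key)))
                    for _ in range(n_components - 1)]
    last = xor_all([key] + random_parts)
    if not has_odd_parity(last):
        raise AssertionError("parity invariant violated")
    return [(c, key_check_value(c)) for c in random_parts + [last]]


def combine(components) -> bytes:
    """Re-enter the components, checking each KCV, then XOR them together."""
    parts = []
    for component, kcv in components:
        if not check_component(component, kcv):
            raise ValueError("keying error: component does not match its check value")
        parts.append(component)
    key = xor_all(parts)
    if not has_odd_parity(key):              # final check on the combined key
        raise ValueError("combined key has wrong parity")
    return key


def distribute(components, holders=("H1", "H2", "H3")):
    """Holder i gets every component except the i-th, so any two holders hold all three."""
    if len(holders) != len(components):
        raise ValueError("one holder per component")
    return {h: {j: components[j] for j in range(len(components)) if j != i}
            for i, h in enumerate(holders)}


def reconstruct(distribution, present) -> bytes:
    """Combine what the present holders bring; fail if any component index is missing."""
    pooled = {}
    for holder in present:
        pooled.update(distribution[holder])
    n = len(next(iter(distribution.values()))) + 1
    if set(pooled) != set(range(n)):
        raise ValueError("not enough holders present to reconstruct the key")
    return combine([pooled[j] for j in range(n)])


def can_reconstruct(distribution, present) -> bool:
    try:
        reconstruct(distribution, present)
        return True
    except ValueError:
        return False
```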
Determining i given F_q, g and b is the finite field discrete logarithm problem (FFDLP), which is (to our current knowledge) as hard as factoring.

Example. 2 generates F_101^*. So we know 2^i = 3 (i.e. 2^i ≡ 3 (mod 101)) has a solution. It is i = 69. Similarly, we know 2^i = 5 has a solution; it is i = 24. How could you solve such problems faster than brute force? In Sections 30.1 and 30.3.3 we present solutions faster than brute force. But they are nonetheless not fast. End example.

For cryptographic purposes we take 10^300 < q < 10^600 where q is a (large) prime or of the form 2^d. Notation: if g^i = b then we write log_g(b) = i. Recall the logarithms you have already learned: log_10(1000) = 3 since 10^3 = 1000, and ln(e^2) = log_e(e^2) = 2. In the above example, for q = 101 we have log_2(3) = 69 (since 2^69 ≡ 3 (mod 101)). The best known algorithms for solving the FFDLP take as long as those for factoring, and so are sub-exponential.

11.2.3 Diffie-Hellman key agreement

Diffie-Hellman key agreement over a finite field (FFDH) is commonly used. For a bunch of users A, B, C, etc. we fix q and g (a generator of F_q^*). The numbers q and g are used for the whole system. Each user has a private key a (a_A, a_B, a_C, ...) with 1 < a < q−1 and a public key, which is the reduction of g^a in the field F_q. Each user publishes (the reductions of) g^(a_A), g^(a_B), ... in a directory or on their websites. Note, often you create a new a_A, g^(a_A) for each transaction. Alice would then need to send g^(a_A) to Bob at the beginning and vice versa.
If Alice and Bob want to agree on a key for AES, they use the reduction of g^(a_A a_B). Alice can compute this since she looks up g^(a_B) and raises it to a_A. Bob can compute this since he looks up g^(a_A) and raises it to a_B. Eve has q, g, g^(a_A), g^(a_B) but cannot seem to find g^(a_A a_B) without solving the FFDLP. This often seems amazing. She can find g^(a_A) · g^(a_B) = g^(a_A + a_B), but that's useless. To get g^(a_A a_B), she needs to raise g^(a_A), for example, to a_B. To get a_B she could try to use g and g^(a_B). But determining a_B from g and g^(a_B) is the FFDLP, for which there is no known fast solution.

11.2.4 Elliptic curve cryptography

Elliptic curves: An elliptic curve is a curve described by an equation of the form y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 and an extra 0-point.

12 Hash Functions and Message Authentication Codes

Hash functions take a block of data as input, and produce a hash or message digest as output. The usual intent is that the hash can act as a signature for the original data, without revealing its contents. Therefore, it's important that the hash function be irreversible: not only should it be nearly impossible to retrieve the original data, it must also be unfeasible to construct a data block that matches some given hash value. Randomness, however, has no place in a hash function, which should be completely deterministic. Given the exact same input twice, the hash function should always produce the same output. Even a single bit changed in the input, though, should produce a different hash value. The hash value should be small enough to be manageable in further manipulations, yet large enough to prevent an attacker from randomly finding a block of data that produces the same hash. In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity.
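Returning to 11.2.1 and 11.2.3: the FFDLP example in F_101 with generator 2 and the Diffie-Hellman exchange between Alice and Bob, as an added example (not code from the document). The private exponents 69 and 24 used in the demo are chosen arbitrarily; the brute-force search is only feasible because q is tiny.

```python
"""Discrete logarithms in F_q^* and Diffie-Hellman key agreement over the text's toy
field q = 101, g = 2. Real systems use q of hundreds of digits."""
import secrets


def is_generator(g: int, q: int) -> bool:
    """g generates F_q^* iff its powers g^1 .. g^(q-1) hit every nonzero element."""
    x, seen = 1, set()
    for _ in range(q - 1):
        x = x * g % q
        seen.add(x)
    return len(seen) == q - 1


def dlog_bruteforce(g: int, b: int, q: int) -> int:
    """Solve g^i = b in F_q for 1 <= i <= q-1 by trying every exponent: O(q) work."""
    x = 1
    for i in range(1, q):
        x = x * g % q
        if x == b:
            return i
    raise ValueError("b is not a power of g")


def dh_keypair(g: int, q: int, private: int = None):
    """Private key a with 1 < a < q-1 and public key g^a reduced in F_q."""
    if private is None:
        private = 2 + secrets.randbelow(q - 3)      # uniform in 2 .. q-2
    if not 1 < private < q - 1:
        raise ValueError("private key out of range")
    return private, pow(g, private, q)


def dh_shared_key(their_public: int, my_private: int, q: int) -> int:
    """g^(a_A a_B): raise the other party's published g^a to my own exponent."""
    return pow(their_public, my_private, q)


def eavesdropper_product(pub_a: int, pub_b: int, q: int) -> int:
    """What is computable from the public values alone: g^(a_A) * g^(a_B) = g^(a_A + a_B),
    which is not the shared key."""
    return pub_a * pub_b % q


def demo():
    """Alice and Bob agree on a key; the eavesdropper's product is shown for contrast."""
    q, g = 101, 2
    a_alice, pub_alice = dh_keypair(g, q, private=69)   # made-up private exponents
    a_bob, pub_bob = dh_keypair(g, q, private=24)
    k_alice = dh_shared_key(pub_bob, a_alice, q)        # (g^a_B)^a_A
    k_bob = dh_shared_key(pub_alice, a_bob, q)          # (g^a_A)^a_B
    return pub_alice, pub_bob, k_alice, k_bob, eavesdropper_product(pub_alice, pub_bob, q)
```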
A hash function takes a long string (or message) of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

A typical use of a cryptographic hash would be as follows: Alice poses to Bob a tough math problem and claims she has solved it. Bob would like to try it himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random nonce, computes its hash and tells Bob the hash value (whilst keeping the solution secret). This way, when Bob comes up with the solution himself a few days later, Alice can verify his solution but still be able to prove that she had the solution earlier. In actual practice, Alice and Bob will often be computer programs, and the secret would be something less easily spoofed than a claimed puzzle solution. The above application is called a commitment scheme.

Another important application of secure hashes is verification of message integrity. Determination of whether or not any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event) (for example, see Tripwire, a system using this property as a defence against malware and malfeasance). A message digest can also serve as a means of reliably identifying a file.

A related application is password verification. Passwords are usually not stored in clear text,
for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. Hashes are also used to identify files on peer-to-peer file sharing networks. For example, in an ed2k link the hash is combined with the file size, providing sufficient information for locating file sources, downloading the file and verifying its contents. Magnet links are another example. Such file hashes are often the top hash of a hash list or a hash tree, which allows for additional benefits. For both security and performance reasons, most digital signature algorithms specify that only the digest of the message be "signed", not the entire message. Hash functions can also be used in the generation of pseudorandom bits.

The most widely used hash functions (and their modifications) are:
• MD5 of R. Rivest (RFC 1321)
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 of NIST (FIPS PUB 180-1)
• RIPEMD, RIPEMD-128, RIPEMD-160 of H. Dobbertin, A. Bosselaers, B. Preneel
• WHIRLPOOL-0, WHIRLPOOL-T, WHIRLPOOL of P. Barreto, V. Rijmen (NESSIE project, ISO/IEC 10118-3:2004)

SHA-1, MD5, and RIPEMD-160 are among the most commonly-used message digest algorithms as of 2005. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of later algorithms which are derived from these hash functions, in particular SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since they were replaced by their strengthened versions.

A. SHA-0, SHA-1

SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of 2^64 bits, and are based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.
The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by the US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as "SHA-0". It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as "SHA-1". SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function. This was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security.

The compression function takes as input a 160-bit state and a 512-bit data word and outputs a new 160-bit state. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. This compression function is easily invertible if the data block is known: given the data block on which it acted and the output of the compression function, one can compute the state that went in.

Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security. In February 2005, an attack on SHA-1 was reported, finding collisions in about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function. In August 2005, another attack on SHA-1 was reported, finding collisions in 2^63 operations.
B. MD5

MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1 (recent claims suggest that SHA-1 has been broken, however). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable.

MD5 processes a variable length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. There are four possible functions F; a different one is used in each round: denote the XOR, AND, OR and NOT operations respectively.

C. WHIRLPOOL

WHIRLPOOL is a cryptographic hash function designed by Vincent Rijmen and Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE project.
It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard. WHIRLPOOL is a hash designed after the Square block cipher. WHIRLPOOL is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES). Given a message less than 2^256 bits in length, it returns a 512-bit message digest. The authors have declared that "WHIRLPOOL is not (and will never be) patented. It may be used free of charge for any purpose. The reference implementations are in the public domain."

D. RIPEMD

RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit message digest algorithm (and cryptographic hash function) developed in Europe by Hans Dobbertin, Antoon Bosselaers and Bart Preneel, and first published in 1996. It is an improved version of RIPEMD, which in turn was based upon the design principles used in MD4, and is similar in performance to the more popular SHA-1. There also exist 128, 256 and 320-bit versions of this algorithm, called RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. The 128-bit version was intended only as a drop-in replacement for the original RIPEMD, which was also 128-bit, and which had been found to have questionable security. The 256 and 320-bit versions diminish only the chance of accidental collision, and don't have higher levels of security as compared to, respectively, RIPEMD-128 and RIPEMD-160.
RIPEMD-160 was designed in the open academic community, in contrast to the NSA-designed algorithm, SHA-1. On the other hand, RIPEMD-160 is a less popular and correspondingly less well-studied design. RIPEMD-160 is not constrained by any patents.

E. SHACAL

SHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash functions from the SHA family. They were designed by Helena Handschuh and David Naccache, both cryptographers from the smart card manufacturer Gemplus. SHACAL-1 is a 160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256. SHACAL turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words, SHACAL views the SHA-1 compression function as a 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zeros up to 512. SHACAL is not intended to be used with keys shorter than 128 bits. In 2003, SHACAL-2 was selected by the NESSIE project as one of their 17 recommended algorithms.

SECURITY OF HASH FUNCTIONS

In order to attack a hash function, the intruder must replace the initial message with his own message in such a way as to produce the same output of the hash function. This is called a collision, and it is very difficult to achieve.

13 Signatures and authentication

Making oneself sure that a message came from the proper sender is called authentication. The solution is signatures and certificates. Signatures connect a message with a public key. Certificates connect a public key with an entity. You can use public-key cryptography for signatures. Authentication, nonrepudiation, and integrity checks can be supported with a digital signature. A digital signature is similar to a written signature; however, it is stronger.
For example, detection will result from any attempt to change the message content or to forge the signature. We note that a Message Authentication Code (MAC), as defined in ANSI X9.9, provides integrity protection against alteration, but does not provide nonrepudiation because of the sharing of the conventional secret DES key. (Another term for a MAC is a manipulation detection code, or MDC.) A digital signature must be a function of the entire document. Changing even a single bit should produce a different signature. A signed message cannot be changed without detection.

Public key digital signatures: The use of public key digital signatures and supporting hash functions can provide both authentication and verification of message integrity. Hash functions, which have been briefly introduced, will be discussed further. They can also serve as cryptographic checksums used for validating the contents of a message. Public key schemes supporting authentication permit generation of digital signatures algorithmically from the same key repeatedly, although the actual signatures are different. Digital signatures are a function of the message and a long-term key. Therefore, key material can be reused many times before replacement. Hash functions also reduce the impact of the computationally intensive nature of public key algorithms.
Public key digital signatures are generally preferred for electronic commerce because:
1. Private keys can be used repeatedly for generating digital signatures algorithmically, and
2. Nonrepudiation of the sender (Alice) is inherently a part of the system design.
Therefore, public key implementation of digital signatures is effective and versatile.

Nonrepudiation: Nonrepudiation is the system capability that prevents a sender (Alice) from denying that she has sent a message. The integrity of nonrepudiation is a function of the degree of security maintained for the sender's (Alice's) private key (D_A). For example, Alice could repudiate or deny sending a message if D_A is compromised. Depending on the applicable legislation, Alice may still be held liable for messages signed before the compromise was reported to a central authority. Certain administrative approaches have been proposed for incorporation into protocols. Most of these involve use of some form of arbitrator. However, certain disputes may require litigation, because nonrepudiation is a critical business issue.

One method of supporting nonrepudiation is to use a central authority. For example, the receiver of a message (Bob) sends a copy to the central authority. The central authority can verify the sender's (Alice's) signature. This verification provides assurance that there is no report that Alice's private key (D_A) was compromised at the time of sending. In this case, Alice would have to rapidly report the compromise of her private key. We must also consider the impact of the increased workload of the central authority on the throughput of the network.

An alternate approach is to use time stamps. Although a network of automated arbitrators may still be required, the system overhead is modest because the arbitrators only have to time stamp messages. A receiver (Bob) may check the validity of the sender's (Alice's) private key by checking with a central authority.
Bob has a degree of assurance of nonrepudiation if the received message is time stamped before the validity check. He still has to determine if a compromise is discovered and reported later. Legal requirements for nonrepudiation may include a requirement that the sender (Alice) is responsible for signing until a compromise of her private key is reported to the central authority. Implementation of this approach could require an on-line central authority and real-time validity checks and time stamps. In addition to peak load concentrations that may occur at the central authority, certain requirements for a network-wide clock should be considered. A network-wide clock has other security vulnerabilities, such as vulnerability to forgery of time stamps. If users, such as Alice, are permitted to change their private keys, a central authority should archive past keys to assist in resolving disputes. Each industry should have a set of legal and administrative safeguards to maintain continuity of operations in the event of a compromise or change of keys. For example, credit card systems have effective legal and administrative provisions for cases of lost or stolen credit cards.
Figure: Simple digital signatures. The original text is signed with the private key to give the signed text; the signed text is verified with the public key to give the verified text.

Message Authentication Code (MAC): Standard ANSI X9.9-1982, 1986.

The Message Authentication Code (MAC) (ANSI X9.9), not to be confused with Mandatory Access Control (MAC), is a cryptographic checksum appended to a message. It seals the message against modification. All fields such as time, date, sources, and so on included in the checksum are rendered unalterable. Either the entire message or selected fields are processed through the algorithm using the Cipher Block Chaining Mode (CBC). As mentioned, the last block is the only output of the process that is used in the MAC. MAC requires a key management protocol, such as ANSI Standard X9.17.

14. Applications of Cryptography in Network Security:
1. E-mail Security
2. IP Security
3. Web security
E-mail Security

14.1. Pretty Good Privacy

PGP is a remarkable phenomenon. PGP started as a free secure e-mail program. Largely the effort of a single person, Phil Zimmermann, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. In essence, Zimmermann has done the following:
1. Selected the best available cryptographic algorithms as building blocks
2. Integrated these algorithms into a general-purpose application that is independent of operating system and processor and that is based on a small set of easy-to-use commands
3. Made the package and its documentation, including the source code, freely available via the Internet, bulletin boards, and commercial networks such as AOL (America Online)
4. Entered into an agreement with a company (ViaCrypt, now Network Associates) to provide a fully compatible, low-cost commercial version of PGP

PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:
1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with vendor support.
2. It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding.
3. It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks.
4. It was not developed by, nor is it controlled by, any governmental or standards organization. For those with an instinctive distrust of "the establishment," this makes PGP attractive.
5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an aura of an anti-establishment endeavour.

How PGP works: PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Compression reduces patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.
• 28. Figure 1-1: How PGP encryption works. The plaintext is encrypted with the session key; the session key is encrypted with the recipient's public key; the ciphertext and the encrypted session key are sent together.

Decryption works in reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally encrypted ciphertext.

Figure 1-2: How PGP decryption works. From the encrypted message (encrypted session key plus ciphertext), the recipient's private key is used to decrypt the session key, and the session key is used to decrypt the ciphertext, giving the original plaintext.

14.2. S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users. S/MIME is defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851.
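As an added example, not taken from the slides or from PGP itself, here is the hybrid scheme of Figures 1-1 and 1-2 in Python: compress, generate a one-time session key, encrypt the data with a conventional (symmetric) cipher, and wrap the session key with the recipient's public key. Two stand-ins are assumptions of this example: a keystream derived from SHA-256 plays the role of the conventional cipher (PGP uses CAST-128, IDEA or 3DES), and textbook RSA over two fixed, small primes plays the role of the public-key step (a real implementation pads the session key before RSA and uses far larger keys). The session key comes from os.urandom rather than mouse movements, and the sample message is constructed.

```python
import hashlib
import os
import zlib

# --- public-key part: textbook RSA over two fixed primes (toy sizes, assumption) ---
P, Q = 1_000_000_007, 998_244_353   # both prime; n = P*Q is just under 2^60
E = 65537


def rsa_keygen():
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)             # modular inverse (Python 3.8+)
    return (n, E), (n, d)           # (public key, private key)


def rsa_wrap(session_key: bytes, pub) -> int:
    """Encrypt the session key to the recipient's public key (no padding: toy)."""
    n, e = pub
    m = int.from_bytes(session_key, "big")
    assert m < n, "toy modulus is too small for this session key"
    return pow(m, e, n)


def rsa_unwrap(wrapped: int, priv, key_len: int) -> bytes:
    """Recover the session key with the private key."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(key_len, "big")


# --- conventional part: stream cipher with a SHA-256 keystream (stand-in, assumption) ---
def keystream(session_key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_crypt(session_key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


KEY_LEN = 7   # 56-bit session key so its integer value fits under the toy modulus


def pgp_encrypt(plaintext: bytes, recipient_pub):
    """Figure 1-1: compress, make a session key, encrypt data, wrap the key."""
    compressed = zlib.compress(plaintext)                # 1. compress first
    session_key = os.urandom(KEY_LEN)                    # 2. one-time session key
    ciphertext = sym_crypt(session_key, compressed)      # 3. conventional encryption
    wrapped_key = rsa_wrap(session_key, recipient_pub)   # 4. key to recipient's public key
    return wrapped_key, ciphertext


def pgp_decrypt(wrapped_key: int, ciphertext: bytes, recipient_priv) -> bytes:
    """Figure 1-2: unwrap the session key, decrypt, then decompress."""
    session_key = rsa_unwrap(wrapped_key, recipient_priv, KEY_LEN)
    return zlib.decompress(sym_crypt(session_key, ciphertext))


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"meeting moved to 10:00 " * 20              # constructed sample message
    wrapped, ct = pgp_encrypt(msg, pub)
    print(len(msg), len(ct), pgp_decrypt(wrapped, ct, priv) == msg)
```

Note that the public-key operation is applied only to the short session key; the bulk data goes through the fast symmetric cipher, which is the point of the hybrid design.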
• 29. IP Security: Internet Protocol Security (IPsec) is a competitor of TLS. It works at a different level than TLS, which gives it more flexibility. I do not understand different levels on a computer; it is a concept from computer engineering. IPsec is, however, less efficient than TLS. Its primary use is in Virtual Private Networks (VPN). A VPN is a private communications network: it is used within one company or among a small network of companies. TLS is used by everyone on the Internet.

IPsec encompasses three functional areas: "authentication, confidentiality, and key management". Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to the entire packet except for the IP header (transport mode). Confidentiality is provided by an encryption format known as Encapsulating Security Payload. Both tunnel and transport modes can be accommodated. IPsec defines a number of techniques for key management.

Web Security:

14.1. Web Security Considerations: The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets. But the Web presents new challenges not generally appreciated in the context of computer and network security:

The Internet is two-way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web servers over the Internet.

The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.

Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the Web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks.

A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site.

Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.

Web Security Threats: The following table summarizes the types of security threats faced in using the Web. One way to group these threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted. Active attacks include
• 30. impersonating another user, altering messages in transit between client and server, and altering information on a Web site.

A Comparison of Threats on the Web

Integrity
  Threats: modification of user data; Trojan horse browser; modification of memory; modification of message traffic in transit.
  Consequences: loss of information; compromise of machine; vulnerability to all other threats.
  Countermeasures: cryptographic checksums.

Confidentiality
  Threats: eavesdropping on the Net; theft of info from server; theft of data from client; info about network configuration; info about which client talks to server.
  Consequences: loss of information; loss of privacy.
  Countermeasures: encryption, web proxies.

Denial of Service
  Threats: killing of user threads; flooding machine with bogus requests; filling up disk or memory; isolating machine by DNS attacks.
  Consequences: disruptive; annoying; prevents user from getting work done.
  Countermeasures: difficult to prevent.

Authentication
  Threats: impersonation of legitimate users; data forgery.
  Consequences: misrepresentation of user; belief that false information is valid.
  Countermeasures: cryptographic techniques.
• 31. 15. Timestamping: If you have a printed document and want to prove that it existed on a certain date, you can get it notarized. This is important for copyrighting a document, to prove you originated it. This is more difficult with digital data: if there is a date on it, the date can easily be replaced by another. The solution is a timestamping service.

Here is a second scenario. If Alice signs a message and later decides that she does not want that message to be signed (this is a kind of cheating), then she can anonymously publish her private key and say that anyone could have done the signing. This is called repudiation. So if someone receives a signature from Alice, he or she can demand that Alice use a digital timestamping service. That lessens Alice's ability to repudiate the signature.

16. KERBEROS: A protocol is a sequence of steps involving at least two parties that accomplishes a task. KERBEROS is a third-party authentication protocol for insecure, closed systems. Between systems people use firewalls. Note that most problems come from people within a system. KERBEROS is used to prove someone's identity (authentication) in a secure manner without using public key cryptography. At SCU, KERBEROS is probably used for access to e-campus, OSCAR, PeopleSoft, Novell, etc. It was developed by MIT and can be obtained free. KERBEROS requires a trusted third party. It enables a person to use a password to gain access to some service. Let C be the client, KDC the key distribution centre, S the service that C wants access to, and TGS S's ticket granting service. Summary:
i) KDC authenticates C's identity to TGS.
ii) TGS gives permission to C to use S.

17. Key Management and Salting: A common hacker attack is exploiting sloppy key management; attackers often bribe or steal to get a key.

Scenario 1. Web: You usually pick your own password. The site uses SSL/TLS, so RSA is used to agree on an AES key, which is used to encrypt the password (on the first and later visits). They store the passwords, with user-ids, in a (hopefully hidden) file. Your password is not hashed.

Scenario 2. Non-web systems: The system has a file (which may or may not be public) with pairs: user-id, hash(password). The system administrator has access to this file. Maybe someday a password cracker can get access to this file. He cannot use the hashed passwords directly to get access to your account, because access requires entering a password which is then hashed. But in Scenario 2, from the hashes, the cracker may be able to determine the original password, because most people's passwords are not random.

As another example, it would take about 11 seconds on a single computer using brute force to determine someone's key if you knew it consisted of 7 lowercase letters (that is 7 bytes). But if it consisted of 7 bytes from a pseudo-random number generator, then it would take 11 thousand years to brute force it. (This is basically like brute-forcing DES, since DES has a 7-byte key and running a hash is like running DES. In fact, DES used to be used as a hash, where the key was the 0 string and the password was used as the plaintext.) But most people have trouble remembering a password like 8 _ &u!M}
• 32. and so don't want to use it. They could write it down and put it in their wallet/purse, but that can get stolen. So instead, most passwords are easy to remember, and an attacker can do a dictionary attack. The attacker can hash all entries of a dictionary. Online we can find dictionaries containing all common English words and common proper names, and then all of the above entries with i's and l's replaced by 1's and o's replaced by 0's, etc. The attacker can even brute force all alphanumeric strings up to a certain length. Then the attacker looks in the password file and finds many matches. This has been used to get tens of thousands of different passwords. The Password Recovery Toolkit can test 200000 passwords per second. In 1998, there was an incident in which 186000 account names and hashed passwords were collected; 1/4 of them were discovered using a dictionary attack.

Salt is a string that is concatenated to a password. It should be different for each user-id. It is public for non-SSL/TLS applications like KERBEROS and UNIX. It might seem that the salt should be hidden, but then the user would need to know the salt and keep it secret, and then the salt may as well just be appended to the password. If the salt were stored on the user's machine instead (so it is secret and the user would not need to memorize it), then the user could not log in from a different machine. For KERBEROS and UNIX, the system administrator usually gives you your password off-line in a secure way. The system creates your salt.

Scenario 3. (Old UNIX): This is the same as Scenario 2, but the public password file has records: username, user-id, expiration of password, location information, salt, hash(salt, password). The salt is a random string in plaintext, unique for this user-id. Now the dictionary attack won't get lots of passwords at once, but an attacker can still attack a single user as in Scenario 2.

Scenario 4. UNIX: For reasons of backward compatibility, new Unix-like operating systems need a non-encrypted password file. It has to be similar to the old password file or certain utilities don't work; for example, several utilities need the username-to-user-id map and look in the password file for it. In the password file, where there was once the salt and the hash of the salted password, there is now a *. Unix has a second, hidden file called the shadow password file. It is encrypted using a password known only to the system administrator. The shadow file contains user-id, salt, hash(salt, password). The user doesn't need to look up the salt. If the user connects to UNIX with SSH (Secure Shell), then the password goes, un-hashed, through SSH's encryption. The server decrypts the password, appends the salt, hashes, and checks against hash(salt, password) in the shadow file.

Scenario 5. KERBEROS uses a non-secret salt which is related to the user-id and domain names. If two people have the same password, they won't have the same hash, and if one person has two accounts with the same password, they won't have the same hash. The authentication server (for KERBEROS this is called the key distribution centre) keeps the hash secret, protected by a password known only to the authentication server.

A single key or password should not be used forever. The longer it is used, the more documents there are encrypted with it, and so the more damage is done if it is compromised. The longer it is used, the more tempting it is to break it and the more time an attacker has to break it. A good way to generate a key is one that is easy to remember but hard to crack.
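The following Python is an added example (not from the slides) of Scenarios 2, 3 and 5: the same three accounts stored with an unsalted hash, with a random per-user salt kept in plaintext beside the hash, and with a KERBEROS-style public salt built from the realm and user-id. It uses PBKDF2 from the standard library as the iterated hash(salt, password); the iteration count, realm name, sample passwords and word list are constructed for the example. The audit function at the end shows the point of the section: one table of hashed dictionary words matches every weak password in the unsalted file at once, while against the salted files it matches nothing, because each user's hash would have to be recomputed with that user's salt.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000          # assumed work factor for the example
REALM = "EXAMPLE.EDU"        # constructed KERBEROS realm name


def hash_unsalted(password: str) -> bytes:
    """Scenario 2: hash(password) with no salt."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """Scenarios 3 to 5: hash(salt, password), iterated to slow down guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def kerberos_salt(user: str) -> bytes:
    """Scenario 5: a public salt derived from realm and user-id, so equal
    passwords in different accounts still hash differently."""
    return (REALM + user).encode()


def build_file(accounts: dict, scheme: str) -> dict:
    """Return {user-id: (salt, hash)}; the salt is b'' for the unsalted scheme."""
    records = {}
    for user, pw in accounts.items():
        if scheme == "unsalted":
            records[user] = (b"", hash_unsalted(pw))
        elif scheme == "random":          # Scenario 3/4: random salt stored in plaintext
            salt = os.urandom(16)
            records[user] = (salt, hash_salted(pw, salt))
        elif scheme == "kerberos":        # Scenario 5: salt from realm + user-id
            salt = kerberos_salt(user)
            records[user] = (salt, hash_salted(pw, salt))
        else:
            raise ValueError(scheme)
    return records


def verify(records: dict, user: str, password: str) -> bool:
    """Login check: re-hash the offered password with the stored salt and compare."""
    if user not in records:
        return False
    salt, stored = records[user]
    candidate = hash_unsalted(password) if salt == b"" else hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored)


def matched_by_one_table(records: dict, wordlist) -> set:
    """Audit: which records are hit by a single precomputed table of
    unsalted word hashes (the dictionary attack described in the text)."""
    table = {hash_unsalted(w): w for w in wordlist}
    return {user for user, (salt, h) in records.items() if h in table}


if __name__ == "__main__":
    accounts = {"alice": "hunter2", "bob": "hunter2", "carol": "x9!Qm#pL2@w"}  # constructed
    words = ["password", "hunter2", "letmein"]                                  # constructed
    for scheme in ("unsalted", "random", "kerberos"):
        f = build_file(accounts, scheme)
        print(scheme, "same hash for alice/bob:", f["alice"][1] == f["bob"][1],
              "hit by one table:", sorted(matched_by_one_table(f, words)))
```

With the unsalted file, alice and bob share a hash and both fall to one table; with either salted scheme the hashes differ and the table finds nothing, so an attacker is pushed back to attacking one user at a time, exactly as Scenario 3 says.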
• 33. 18. Quantum Cryptography: There are two ways of agreeing on a symmetric key that do not involve co-presence. The first is public key cryptography, which is based on mathematics. The second is quantum cryptography. It currently (2008) works up to 100 miles and is on the market, but is not widely used.

A photon has a polarization. A polarization is like a direction. The polarization can be measured on any basis in two-space: rectilinear (horizontal and vertical), diagonal (slope 1 and slope -1), etc. If you measure a photon in the wrong basis then you get a random result and you disturb all future measurements.

Here is how it works. Alice and Bob need to agree on a symmetric key. Alice sends Bob a stream of photons. Each photon is randomly assigned a polarization in one of the four directions: |, −, \, /. We will have | = 1, − = 0, \ = 1, / = 0. Let's say that Alice sends:
/ | | / | − − − | /
Bob has a polarization detector. For each photon, he randomly chooses a basis: rectilinear (+) or diagonal (×). Say his choices are
× + + × × + + + × × × + +
Each time he chooses the right basis, he measures the polarization correctly. If he measures it wrong, then he will get a random measurement. His detector might output
− | / / | − / | |
Putting these together:
Alice sends  / | | / | − − − | /
Bob sets     × + + × × + + + × × × + +
Correct      ~ ~ ~ ~ ~ ~ ~
Bob gets     − | / − | − / | |
Notice that when Bob correctly sets the basis, Alice and Bob have the same polarization, which can be turned into a 0 or 1. Looking at the second and last photons, we see an example of the randomness of Bob's measurement if the basis is chosen incorrectly. Now Bob contacts Alice, in the clear, and tells her the basis settings he made. Alice tells him which were correct. The others are thrown out.
Alice sends  | / | − |
Bob gets     | / | − |
Those are turned into 0's and 1's:
Alice sends  1 1 0 1 0 1 1
Bob gets     1 1 0 1 0 1 1
On average, if Alice sends Bob 2n bits, they will end up with n bits after throwing out those from the wrong basis settings. So to agree on a 128-bit key, on average Alice must send 256 bits.

What if Eve measures the photons along the way? We will focus on the photons for which Bob correctly guessed the basis. For half of those, Eve will guess the wrong basis. Whenever Eve measures in the wrong basis, she makes Bob's measurement random instead of accurate.
Alice sends  | / | − |
Eve sets     × × × × + + +
Bob sets     × + × + + × +
Bob gets     − / | − / |
Alice sends  1 1 0 1 0 1 1
Bob gets     1 0 0 1 0 0 1
Note that for the second and fourth photon, since Eve set the basis incorrectly, Bob gets a random (and half the time wrong) bit. So if Eve is eavesdropping then we expect her to get the wrong basis sometimes, and some of those times Bob will get the wrong polarization. To detect eavesdropping, Alice and Bob agree to check some of the bits, which are randomly chosen by Alice. For example, in the above, they could both agree to tell, in the clear, what the first three bits are. Alice would say 110 and Bob would say 100, and they would know that they had been tampered with. They would then have
• 34. to start the whole process again and try to prevent Eve from eavesdropping somehow. ((Ed, what if Eve gets in between and just reflects back the answer to each one? There are identity issues.)) If those check-bits agreed, then they would use the remaining four bits for their key. Of course there is a possibility that Alice and Bob would get the same three bits even though Eve was eavesdropping. So in real life, Alice and Bob would tell each other a lot more bits to detect eavesdropping. The probability that a lot of bits would all agree, given that Eve was eavesdropping, would then be very small. If they disagreed, then they would know there was eavesdropping. If those all agreed, then with very high probability there was no eavesdropping. So they would throw the check-bits away and use as many bits as necessary for the key. Notice that Alice needs to be sure that it is actually Bob with whom she is communicating.

In 2007, quantum cryptography had been made to work over 150 kilometers. Quantum cryptography is considered safer than public key cryptography and has built-in eavesdropping detection. However, it is difficult to transmit a lot of information this way, which is why it would be used for agreeing on a symmetric key (for example, for AES). At the moment, physics implementation issues have been discovered that make the current implementation of quantum cryptography insecure.

19. Exposures to System Security:

19.1 Intruders: One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. In an important early study of intrusion, Anderson identified three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

19.2 Intrusion Detection: Inevitably, the best intrusion prevention system will fail. A system's second line of defence is intrusion detection. Interest in intrusion detection is motivated by a number of considerations, including the following:
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to pre-empt the intruder, the sooner the intrusion is detected, the less damage is done and the more quickly recovery can be achieved.
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
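Returning to the quantum key agreement of section 18: the following Python is an added example, not from the slides, that simulates the photon exchange end to end. Alice prepares photons in random bases, Bob measures in random bases, the two sift by comparing bases in the clear, and a sample of the sifted bits is revealed to detect an eavesdropper. A photon is modelled as (basis, bit) using the page's symbols (| = 1 and − = 0 in the rectilinear basis, \ = 1 and / = 0 in the diagonal basis). Measuring in the wrong basis yields a random bit and leaves the photon re-prepared in the measuring basis, which is what makes Eve's intercept-and-resend visible to Bob. A seeded random generator replaces physical randomness; the photon count and the number of check bits are chosen for the example.

```python
import random

RECT, DIAG = "+", "x"   # the two basis settings, written + and x as on the slide
SYMBOL = {(RECT, 1): "|", (RECT, 0): "-", (DIAG, 1): "\\", (DIAG, 0): "/"}


def prepare(rng, n):
    """Alice: n photons, each with a random basis and a random bit."""
    return [(rng.choice((RECT, DIAG)), rng.randrange(2)) for _ in range(n)]


def photon_symbols(photons):
    """Render photons with the page's polarization symbols."""
    return " ".join(SYMBOL[p] for p in photons)


def measure(rng, photon, basis):
    """Right basis: the encoded bit. Wrong basis: a random bit, and the photon
    is now polarized in the measuring basis. Returns (bit, photon after measurement)."""
    pbasis, bit = photon
    result = bit if basis == pbasis else rng.randrange(2)
    return result, (basis, result)


def intercept_resend(rng, photons):
    """Eve measures every photon in a random basis and forwards what she got."""
    forwarded = []
    for ph in photons:
        _, new_ph = measure(rng, ph, rng.choice((RECT, DIAG)))
        forwarded.append(new_ph)
    return forwarded


def bb84(rng, n, eve=False):
    """Return (alice_sifted_bits, bob_sifted_bits) after the public basis comparison."""
    photons = prepare(rng, n)
    in_transit = intercept_resend(rng, photons) if eve else photons
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    bob_bits = [measure(rng, ph, b)[0] for ph, b in zip(in_transit, bob_bases)]
    # Sifting: Bob announces his bases (not his bits); Alice says which were right.
    keep = [i for i in range(n) if bob_bases[i] == photons[i][0]]
    return [photons[i][1] for i in keep], [bob_bits[i] for i in keep]


def check_and_extract(rng, alice_bits, bob_bits, n_check):
    """Alice picks n_check positions; both reveal those bits in the clear.
    Returns (number of disagreements, remaining key bits); revealed bits are discarded."""
    idx = set(rng.sample(range(len(alice_bits)), n_check))
    mismatches = sum(alice_bits[i] != bob_bits[i] for i in idx)
    key = [alice_bits[i] for i in range(len(alice_bits)) if i not in idx]
    return mismatches, key


def simulate(seed, n, eve=False, n_check=0):
    """One full run with a seeded generator: (alice_bits, bob_bits, mismatches, key)."""
    rng = random.Random(seed)
    alice, bob = bb84(rng, n, eve)
    mismatches, key = check_and_extract(rng, alice, bob, n_check)
    return alice, bob, mismatches, key


if __name__ == "__main__":
    rng = random.Random(2024)
    photons = prepare(rng, 10)
    print("Alice sends", photon_symbols(photons))
    a, b, err, key = simulate(2024, 4000, eve=False, n_check=400)
    print("no Eve: disagreements in 400 check bits =", err, "key bits =", len(key))
    a, b, err, key = simulate(2024, 4000, eve=True, n_check=400)
    print("Eve:    disagreements in 400 check bits =", err)
```

Without Eve the sifted strings agree exactly and roughly half the photons survive sifting, matching the 2n-to-n rule in the text; with Eve intercepting every photon, about a quarter of the sifted bits disagree, so a few hundred check bits expose her with near certainty.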
• 35. 20. Password Management:

Password Protection: The front line of defence against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:
The ID determines whether the user is authorized to gain access to a system. In some systems, only those who already have an ID filed on the system are allowed to gain access.
The ID determines the privileges accorded to the user. A few users may have supervisory or "super user" status that enables them to read files and perform functions that are especially protected by the operating system. Some systems have guest or anonymous accounts, and users of these accounts have more limited privileges than others.
The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of the other users, a user may grant permission to them to read files owned by that user.

The Vulnerability of Passwords: To understand the nature of the threat to password-based systems, let us consider a scheme that is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following procedure is employed. Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the key input to an encryption routine. The encryption routine, known as crypt, is based on DES. The DES algorithm is modified using a 12-bit "salt" value. Typically, this value is related to the time at which the password is assigned to the user. The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The resulting 64-bit output is then translated into an 11-character sequence. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. This method has been shown to be secure against a variety of cryptanalytic attacks.

21. Firewalls:

Firewall characteristics: The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.
2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
• 36. 3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.
4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability described in the IP Security section, the firewall can be used to implement virtual private networks.

Firewalls have their limitations, including the following:
1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
2. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
3. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses.

22. Cryptography Failures: Designers of cryptographic systems have suffered from a lack of information about how their products fail in practice, as opposed to how they might fail in theory. This lack of feedback has led to a false threat model being accepted. Designers focused on what could possibly go wrong, rather than on what was likely to; and many of their products are so complex and tricky to use that they are rarely used properly. As a result, most security failures are due to implementation and management errors. One special consequence has been a spate of ATM fraud, which has not just caused financial losses, but has also caused at least one miscarriage of justice and has eroded confidence in the UK banking system. There has also been a military cost; the details remain classified, but its existence has at last been admitted.

Part IV: Cryptanalysis

23. Basic Concepts of Cryptanalysis: Cryptosystems come in three kinds:
1. Those that have been broken (most).
2. Those that have not yet been analysed (because they are new and not yet widely used).
3. Those that have been analysed but not broken (RSA, discrete log cryptosystems, AES).

The three most common ways to turn ciphertext into plaintext:
1. Steal/purchase/bribe to get the key.
2. Exploit sloppy implementation/protocol problems (hacking/cracking). Examples: someone used their spouse's name as the key; someone sent the key along with the message.
3. Cryptanalysis.