Dept.

of Information
Technology

Cryptography & Network Security

Model
Paper 1

MODEL PAPER (SOLVED)

Q1 a) Differentiate between the following:
(i)
Block Cipher and Stream Cipher
(ii)
Authentication and Authorization
(iii)
Active Attack and Passive Attack
Ans.
(i) Block Cipher: A block of input bits are encrypted at the same time. Key used for encryption
for all blocks remains the same. However, different modes of encryption (like ECB, CBC, CFB,
OFB) can be applied to a number of blocks.
Stream Cipher: Encryption takes place bit by bit or a very small number of bits are encrypted at
a time. Key used for encryption will vary for each bit or sets of bits encrypted at same time. Key
is discarded after encryption / decryption by the sender / receiver.
(ii) Authentication means confirming that sender or receiver of message is same entity as
claimed in the message and that the message has not been altered on the way.
Authorization means whether permission can be granted for acquiring a particular service (or
getting access to a file or its record or permission to write or delete or modify or execute etc. ).
(iii) In Active Attack, data transmitted is either manipulated (in the form of addition of more
bits, or modification of some bits or deletion of some bits) or it may be replayed at a later time or
sender may deny later on having sent that message or receiver may deny having received the
message. Modifying some of the bits of original data will include spoofing attacks.
In Passive attacks, no change of data takes place, nor data is replayed at a later time. But the
eavesdropper continues to listen to the data and then may analyze it in off-line mode, or may
perform the traffic analysis (as to pair of communicating nodes, the frequency of sending
messages, the size of packets exchanged and so on).
Q1 b) . Justify whether following statement are true or false in context of DES cipher.
a. Is it possible that a plaintext P encrypted with key K1 can be decrypted with a
different key K2, (K2 K1)
b. If key K1 is complement of key K2 then ciphertext produced with K1 will be
complement of ciphertext produced with K2.
Ans.
a. If a plaintext is encrypted with key K1, then it can be decrypted with key K1 only.
Encryption is a mapping of given 64-bit plaintext to another 64-bit value by a key K1. If
this ciphertext is decrypted with same key K1, then the same plaintext is obtained.
However, decrypting ciphertext C, which was obtained by encrypting a plaintext with key
K1, with another key K2, will map to another value of plaintext, which will not be a
meaningful message.
b. If a plaintext P, encrypted with key K1 produces a ciphertext C1, then encrypting same
plaintext with K2 will not yield a ciphertext which is a complement of C1. This is so
because after performing XOR with key, the intermediate result is fed to S-boxes, which
are non-linear in nature. In other words, if inputs to S-Boxes are complemented, then the
output of any of eight S-boxes is not complement of the original output. It is the nonRaju RanjanPage 1

Dept. of Information
Technology

Model
Paper 1

Cryptography & Network Security

linear function of S-boxes which ensures that if 64-bit data or 56-bit key are
complemented, then the output is not complement of the output obtained with uncomplemented data or key.
Q1 c) Show that DES decryption is the inverse of DES encryption.
Ans. During encryption phase, a 64-bit plaintext is divided into two equal parts of 32-bit
and denoted as Li and Ri. After XOR operation with key of that round followed by eight Sboxes and further followed by a P-box, we obtain Li+1 and Ri+1 as output of round i.
During decryption phase, inputs are Li+1 and Ri+1, and we are required to produce Li and
Ri with the same key Ki of that round. Operation is shown below:
Since the non-linear S-boxes and bit shuffling P-boxes remain the same along with the key of
that round, we require the same mangler (also known as non-linear or F) function for
decryption which was used while encrypting the message.
Thus DES decryption is inverse of DES encryption except that same key has to used in a
round.
c.
d.

64-bit Input

32-bit Ln

64-bit output

32-bit Rn

32-bit Ln

32-bit Rn

Kn

Kn

Mangler
Function

32-bit Ln+1

32-bit Rn+1

64-bit Output

Mangler
Function

32-bit Ln+1

32-bit Rn+1
64-bit Input

While decryption mangler function (F-function) used is the same as mangle function used
during encryption. Since it is not required to compute inverse of mangler function for
decryption, this is why decryption of DES is called as the same as that of encryption. The key
used for encryption during any round is the key to be used for decryption in that round.
Raju RanjanPage 2

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Q1 d) Answer whether the following statement is true or not?

DES produces ciphertext C for plaintext block M using key K. If complement of M is given
as input plaintext and complement of K is used as key then DES will produce complement of
C as ciphertext
Ans.
If K is a 56-bit key and M is a 64-bit plaintext, then let us say a value 48-bit value Y is
produced and fed to 8 S-boxes in round 1. If both K and M are complemented, then 48-bit
value Y is still the same. For example, result of XOR operation for two 4-bit numbers, and
result of XOR operation on the complement of same 4-bit numbers remains the same as
shown below:
Normal Complemented
Value
Value
Number A0011
1100 (Complement of A)
Number B
0101
1010 (Complement of B)
XOR (A, B) 0110
0110 {XOR (A, B)}
We find that by complementing both numbers, the result after XOR operation does not
change.
The 48-bit value Y is obtained after some permutation(s) will yield a complemented value if
either key or plaintext M is complemented, and will be same if both key and M are
complemented. Since the value input to non-linear S-boxes is the output of XOR operation,
which does not change if K and M are normal or both are complemented, therefore, output of
S-boxes will not change if both K and M are complemented.
Thus if both K and M are complemented then the ciphertext produced is not complement of
ciphertext C.
Q1 e) Describe various approaches which can be used for distributing secret symmetric keys
between two communicating parties.
Ans.
For proper authentication of nodes who wish to communicate with each other, a central
authority known as Key Distribution Center is used. Key Distribution Center can
communicate with each node independently with the help of a symmetric key. (Symmetric
key means same key is used for encryption and decryption). There is a separate (symmetric)
key for communication between KDC and every node, and these keys are not known to other
nodes. Since separate key is used for every node, so KDC can interact with any node (say
node A) and none of other nodes can decipher the message.
Whenever node A wants to communicate with node B in the form of encrypted messages, A
will have to ensure that the messages are deciphered only by node B only and no other node.
Raju RanjanPage 3

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Different symmetric key is used for every session between A and B. This symmetric key is
provided by KDC on request made by a node.
Let us assume that a node A wishes to communicate with node B. Node A will make a
request to KDC with following information: (i) identification of node A, (ii) the node B with
which it wants to communicate, (iii) along with a random number for verification of the
request.
KDC replies back to node A by using the secret (symmetric) key between KDC and A. This
encrypted data contains (i) session key to be used between A and B, (ii) request made by A,
(iii) random number sent by A to KDC, (iv) session key being issued by KDC along with the
identification of node A encrypted with secret key between B and KDC. Since all the four
elements of the data sent by KDC to node A are encrypted with the master key between KDC
and A, so only node A will be in a position to decipher it, and any other node posing as node
A will not be able to decipher this communication (unless the master key between KDC and
A has been broken or stolen). Since KDC provides the session key.
Q1. f) Encrypt HARERAMA by using Playfair ciper with key CIPHER.
Ans.
With key CIPHER, Playfair table becomes
C I P H E
R A B D F
G K L MN
O Q S T U
V WX YZ
Encryption of HARERAMA takes place by finding substitution for two alphabets at a time.
HA are replaced by ID respectively. (It is forming a rectangle, so move in the row of H till
we reach the column of A, and the alphabet in the row of H and column of A is I.
Similarly move in the row of A till the column of H is reached, and replace it by the
alphabet D). Next two alphabets RE are replaced by FC respectively. (It is forming a
rectangle, so move in the row of R till we reach the column of E). Next two alphabets
RA are in the same row. These are substituted by the next alphabet on their right side
respactively. Thus R of plaintext is substituted by A, and A of plaintext is substituted
by B. Next two alphabets of plaintext MA are substituted by KD as these two
alphabets form a rectangle.
Thus HARERAMA is encrypted as IDFCABKD in Playfair by using key CIPHER.
Q2. a) Why random numbers are required? Describe Lehmers Method.
Ans.
A random number generator must be having following properties:
1. Uniform Distribution: Frequency of occurrence of numbers in the sequence of random
numbers must be same for all numbers. In other words, all numbers appearing in random
numbers sequence must be repeated equal number of times.
2. Independence: No value in the sequence should be inferred from others.
Raju RanjanPage 4

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Linear Congruential Method (Lehmers Method)

Random numbers in this method are generated by the following linear equation
Xn+1 = (a Xn + c) mod m
Where m = the modulus
a = the multiplier
c = the increment
X0 = the starting value (seed)
For example, if X0 = 1, a = 6, c = 0, m = 13 then the sequence of random number generated by
the above formula are:
First number is the seed = X0 = 1
Second number of the sequence is (a = 6 * X0 = 1) mod 13 = 6 = X1.
Third number of the sequence is (a = 6 * X1 = 6) mod 13 = 36 mod 13 = 10 = X2.
Fourth number of the sequence is (a = 6 * X2 = 10) mod 13 = 60 mod 13 = 8 = X3.
Fifth number of the sequence is (a = 6 * X3 = 8) mod 13 = 48 mod 13 = 9 = X4.
Sixth number of the sequence is (a = 6 * X4 = 9) mod 13 = 54 mod 13 = 2 = X5.
Seventh number of the sequence is (a = 6 * X5 = 2) mod 12 = 12 mod 13 = 12 = X6.
Eighth number of the sequence is (a = 6 * X6 = 12) mod 13 = 72 mod 13 = 7 = X7.
Ninth number of the sequence is (a = 6 * X7 = 7) mod 13 = 42 mod 13 = 3 = X8.
Tenth number of the sequence is (a = 6 * X8 = 3) mod 13 = 18 mod 13 = 5 = X9.
Eleventh number of the sequence is (a = 6 * X9 = 5) mod 13 = 30 mod 13 = 4 = X10.
Twelveth number of the sequence is (a = 6 * X10 = 4) mod 13 = 24 mod 13 = 11 = X11.
In the above example, sequence generated is having all values between 1 and 12 (both inclusive).
In the example given below all values between 1 and (m-1) are not part of the sequence. Such a
sequence is suitable.
Let X0 = 1, m = 14, a = 5, c = 0
First number is the seed = X0 = 1
Second number of the sequence is (a = 5 * X0 = 1) mod 14 = 5 = X1.
Third number of the sequence is (a = 5 * X1 = 5) mod 14 = 25 mod 14 = 11 = X2.
Fourth number of the sequence is (a = 5 * X2 = 11) mod 14 = 55 mod 14 = 13 = X3.
Fifth number of the sequence is (a = 5 * X3 = 13) mod 14 = 65 mod 14 = 9 = X4.
Sixth number of the sequence is (a = 5 * X4 = 9) mod 14 = 45 mod 14 = 3 = X5.
Seventh number of the sequence is (a = 5 * X5 = 3) mod 14 = 15 mod 14 = 1 = X0.
and the sequence repeats itself after the sixth number.
Here values 2, 4, 6, 7, 8, 10, 12 are not part of the sequence of numbers generated, and only
numbers 1, 5, 11, 13, 9, 3 are repeated.
Q2. B) Determine gcd(1970, 1066)
Ans.
Gcd(1970, 1066) can be computed as
1970 = 1 * 1066 + 904
gcd(1066,904)
1066 = 1 * 904 + 162
gcd(904,162)
904 = 5 * 162 + 94
gcd(162,94)
162 = 1 * 94 + 68
gcd(94, 68)
94 = 1 * 68 + 26
gcd(68,26)
Raju RanjanPage 5

Dept. of Information
Technology

Cryptography & Network Security

68 = 2 * 26 + 16
26 = 1 * 16 + 10
16 = 1 * 10 + 6
10 = 1 * 6 + 4
6=1* 4 + 2
4= 2* 2 + 0
Hence, gcd(1970, 1066) = 2

gcd(26,16)
gcd(16,10)
gcd(10,6)
gcd(6,4)
gcd(4,2)
gcd(2,0)

EXTENDED EUCLID(m, b)
Algorithm
1. (A1, A2, A3) (1, 0, m); (B1, B2, B3) (0, 1, b)
2. If B3 = 0
return A3 = gcd(m ,b); no inverse
3. If B3 = 1
return B3 = gcd(m, b); B2 = b-1 mod m
4. Q = int(A3/B3)
5. (T1, T2, T3) (A1 Q B1, A2 QB2, A3 QB3)
6. (A1, A2, A3) (B1, B2, B3)
7. (B1, B2, B3) (T1, T2, T3)
8. goto step 2
Q2. C) Find the multiplicative inverse of 16 mod 83.
Ans. Steps for finding multiplicative inverse of 16 mod 83 are
Q
5
5

A1
1
0
1

A2
0
1
-5

A3
83
16
3

B1
0
1
-5

B2
1
-5
26

B3
16
3
1

Thus multiplicative inverse of 16 mod 83 is 26.

Q2. D) Find the multiplicative inverse of 15 mod 79.
Ans. Steps for finding multiplicative inverse of 16 mod 83 are
Q
5
3
1
3

A1
1
0
1
-3
4

A2
0
1
-5
16
-21

A3
79
15
4
3
1

B1
0
1
-3
4
-15

B2
1
-5
16
-21
79

B3
15
4
3
1
0

The computations were continued at line number 4 where B3 was 1, but B2 was negative.
In the next step, since B3 is zero, so multiplicative inverse of 15 mod 79 does not exist.

Raju RanjanPage 6

Model
Paper 1

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Q2. e) Prove Fermats Little Theorem.

Ans. If p is prime and a is a positive integer not divisible by p, then
ap-1 1 mod p
For example, if a = 7, p = 13, then a12 mod 13 = 712 mod 13
For computing (712 mod 13), we need to compute (74 mod 13) & (78 mod 13)
72 mod 13 = 49 mod 13 = 10
74 mod 13 = (72 mod 13) * (72 mod 13) mod 13 = 10 * 10 mod 13 = 9
78 mod 13 = (74 mod 13) * (74 mod 13) mod 13 = 9 * 9 mod 13 = 3
712 mod 13 = (74 mod 13) * (78 mod 13) mod 13 = 3 * 9 mod 13 = 1
Proof: If each number from 1 to (p 1) is multiplied by a, then we obtain numbers
a mod p, 2a mod p, 3a mod p, . (p 1)a mod p.
{ Numbers 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 are mod 11.
If we multiply each number by 3 mod 11, we get 3, 6, 9, 1, 4, 7, 10, 2, 5, 8.
If we multiply each number by 4 mod 11, we get 4, 8, 1, 5, 9, 2, 6, 10, 3, 7.
If we multiply each number by 5 mod 11, we get 5, 10, 4, 9, 3, 8, 2, 7, 1, 6.
We can observe that in all three cases only the sequence of numbers has changed, but all
numbers between 1 and 10 (both inclusive) are there.}
Therefore, numbers {a mod p, 2a mod p, 3a mod p, 4a mod p . (p-1)a mod p} are still {1, 2, 3,
4, (p 1)} except their order has changed.
Multiplying all these numbers, we get
{a * 2a * 3a * 4a * .(p 1)a} (a mod p) * (2a mod p) * a(p 1) mod p
Left hand side is a * 2a * 3a * 4a * (p 1)a = (p 1)! a(p 1)
Right hand side is (a mod p) * (2a mod p) * a(p 1) mod p
= { 1 * 2 * 3 * (p 1)} mod p
= (p 1)! mod p
(p 1)
(p 1)! a
(p 1)! mod p
a(p 1) 1 mod p

Q3 a) What types of attacks are addressed by message authentication?

Ans. Message Authentication checks attacks like (1) masquerading (sending message in the
name of some other person, or replaying a message at a later date/time which was earlier
sent by a genuine sender to a receiver), and (2) modification of data which comprises of (a)
insertion of information, (b) replacing existing data completely or in parts with some other
value, (c) deleting a part of data, (d) reordering the data.
Thus the types of attacks addresses are
(1) IP address spoofing, that is sending the messages in the form that it should like that
message has come from some other persons IP address and not from our own IP address.
In other words, the source IP address specified in the packet (at network layer) is changed
to the IP address of some other person.
Raju RanjanPage 7

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

(2) Change of sequence number of TCP segment, which amounts to reordering the message.
(A message may be fitted in more than one TCP segments. Changing the order of these
segments by changing the sequence numbers of more than one segment, may give a new
meaning to the message reaching the recipient.)
(3) Delay or replay of messages is also addressed to by message authentication. For
connectionless applications, an individual message (that is datagram) can be replayed or
delayed. For connection-oriented applications, a valid sequence of messages, or a part of
such messages, which were exchanged in an earlier session could be replayed.
(4) Modification of data field of the segment, which includes addition, deletion or replacing
existing contents with some other value. However, addition of some bytes or deletion of
some bytes from TCP data field would involve modifying the TCP header as well, as the
length of TCP segment (which depends upon the number of bytes in data field of a TCP
segment) is specified in a field of TCP header.
Approaches to message authentication can be classified in two ways:
First, by the pattern of generating a value used by receiver to authenticate a message. There
are three different of generating a value for authentication. (1) Message encryption, either (a)
by symmetric key encryption used between a pair of parties, or (b) by encrypting using
private key of the sender while using public key encryption (2) Hash function, that is
mapping a message of any length to a fixed length hash value, (3) message authentication
code.
Second, the type of relationship that exists between a sender and a receiver, in the form of
direct authentication or brokered authentication.
When both the client and server participate in a trust relationship that allows them to
exchange and validate credentials including passwords, direct authentication can be
performed.
Another form trust relationship can be through a mutual trusted third party, which will
authenticate both sender and receiver.

Raju RanjanPage 8

Dept. of Information
Technology

Model
Paper 1

Cryptography & Network Security

Q3 b) Describe various ways of achieving message authentication by using encryption only.

Ans.

EK(M)

K
K
Symmetric Encryption: Confidentiality & authentication

EKUb(M)

Public-Key Encryption: Confidentiality

M

EKRa(M)

KRa
KUa
Public-Key Encryption: Authentication and Signature

EKRa(M)

EKUb[EKRa(M)]

EKRa(M)

Public-Key Encryption: Confidentiality, Authentication and Signature

A Message Authentication Code (MAC), also called keyed hashes, is a piece of information,
which is used to authenticate a message by the recipient of message. A MAC algorithm accepts
as input a message of arbitrary length and a secret key between the sender and the receiver, and
produces a MAC as output. A sender generates MAC for the message and transmittes MAC
along with the message. If an attacker does not have the secret key, and is able to modify the
message, he cannot produce the matching MAC. The recipient of message generates the MAC at
his end and compares the MAC sent by sender with its own generated MAC; if any difference is
Raju RanjanPage 9

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

found between these two MACs, then it is assumed that message has been altered over the
network.
MAC value protects both a message's integrity as well as its authenticity (as secret keyis between
sender and receiver only, and hence person sending the message must be the one who has the
key).
MACs do not provide any secrecy, message can still be read by anyone unless encrypted with
another key (different from secret key for MAC). For providing secrecy of message, the message
must be encrypted.
Though MAC is encrypted with the help of a secret key, it does not require decryption (as
required by DES, IDEA, BLOWFISH and many other encryption/decryption algorithms).
MAC function is a many-to-one function. The domain of the function consists of messages of
any length, whereas range consists of all possible MACs (determined by the number of bits in
MAC code) and all possible keys (depends on the number of bits in key used for MAC). See the
example given below in requirements of MAC Function.
MACs differ from digital signatures, as MAC values are both generated and verified using the
same secret key. This implies that the sender and receiver of a message must agree on keys
before initiating communications, as is the case with symmetric encryption. For the same reason,
MACs do not provide the property of non-repudiation offered by signatures: any user who can
verify a MAC is also capable of generating MACs for other messages.
Q3 c) Differentiate between following:
(A) Hash code and Message authentication code (MAC).
(B) Weak collision resistance and strong collision resistance.
Ans.
(A) Difference between a Hash code and MAC.
Parameters
MAC Function
Key
MAC code is a function of
input message and the
secret key used between a
pair of sender and receiver.
Security aspects
A MAC function must resist
existential forgery under
chosen-plaintext attacks.
This means attacker will not
be able to find any two
messages M and M which
produce the same MAC
Raju RanjanPage 10

HASH Function
No secret key is required,
and hash code only depends
on the input message.

Dept. of Information
Technology

Similarity
Signatures

to

Cryptography & Network Security

under some unknown secret

key, even when the attacker
has access to an oracle
which possess the secret
key and generates MACs
for messages of attackers
choosing.
A MAC may be considered
secure even if the keyholder can efficiently find
collisions.
MAC is not Public
Digital MAC values are both
generated and verified using
the same secret key, but for
Digital Signatures different
set of keys are used for
signature generation and
verification.

Hash Function is Public

Hash values are generated
and verified at the receiving
end for Digital signatures.
But Digital Signatures make
use of keys as well which
are not used in hash
functions.

B) Collision-resistant property. This property is used against birthday attacks.

Strong Collision Resistance
It should not be feasible to
compute set of two messages
m1 & m2 having same hash code.
(It may be possible to find a pair
of messages by coincidence, but it
should not be possible to compute
a pair of messages having same
hash code.)

Raju RanjanPage 11

Weak Collision Resistance

It should not be feasible to
compute another message(m2) which
has the same hash code as that of
a given message (m1). That is, gievn m1
message, then it is not possible to
compute m2 having the same hash code.

Model
Paper 1

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Q4 a) List the various services supported by PGP. Explain how PGP supports these services.
What is the purpose of owner trust field and key legitimacy field in Public Key Ring. How the
value of these fields decided?
Ans.
PGP is a free ware electronic mail security program, designed by Philip Zimmermann. It
performs encryption and integrity protection on files.
Services supported by PGP are:
1.Authentication
2.Confidentiality
3.Compression
4.E-mail compatibility
5.Segmentation.
A brief description of how these services are provided by PGP is given in the table below:
Function
Algorithm
Description
1. Authentication (Digital 1. DSS (Digital Signature Hash code encrypted with
Signature, if required)
Standard) & SHA (Secure private key of sender is
Hash Algorithm)
included in the message.
OR
2. RSA & SHA
2. Confidentiality (Message 1. CAST-128 OR IDEA OR Message is encrypted with
Encryption)
3-key Triple DES algorithm session key generated by
for symmetric encryption
sender and session key in
2. Diffie-Hellman OR RSA encrypted form (with public
for asymmetric encryption
key of receiver) is sent to
receiver.
3. Compression
ZIP algorithm
Zipped message is used for
transmission and storage.
4. E-mail compatibility
Radix 64 conversion
Radix 64 algorithm converts
input to Radix 64 format
even for ASCII data.
5. Segmentation
When data size is more than
the limitations imposed by
internet facilities, then it
automatically
forms
segments of the entire data
and
assembles
these
segments at receiving end
without letting the user
know about it.
Raju RanjanPage 12

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

A PGP message has the three major parts as shown in figure 4.4.1. These parts are (i)Session Key
Component, (ii)Signature (authentication), and (iii) Message.

{
{
Session Key{
Component {
{
{
{
{
{
{
{
{
{
{
Signature {
{
{
{
{
{
{
{
{
{
{
{
Message {
{
{

(i) Key ID of recipients

public key (KUb)
(ii) Encrypted session key
with public key of receiver,
whose ID is given just
above
(i) Timestamp2, when
signatures have been affixed
Key ID of senders public
key (KUa) with which Hash
code has been encrypted
(iii) Leading two bytes (16bits) of 160 bit message
digest (hash code)
(iv) Encrypted message
digest (hash code) with
private key of sender. This
private key of sender is
paired with public key
whose ID is given above
(i) File Name
(ii) Timestamp1, when
message was created
(iii) Data

^
||
||
||
||
||
||
||
ZIP
&
EncryPtion
||
||
||
||
||
||
||
||
||
V

^
||
||
||
||
||
||
||
||
||
||
||
R
A
D
I
X
6
4
||
||
||
||
||
||
||
||
||
||
V

Message contents of PGP

Two parts, namely signature and message, of the information sent by PGP are compressed and
then encrypted. Both these parts after compression and encryption are combined with first part,
namely session key component, and converted to Radix 64 format for compatibility with other email messages.
Raju RanjanPage 13

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Message part contains three sub-parts: (i) Filename, (ii)Timestamp1, which is date and time
when the data was created, and (iii) Data.
Signature part has four fields: (i) Timestamp2, that is date and time when the signatures are
affixed on the document, (ii) Hash code for the data is encrypted with private key of the sender.
Since every sender may have more than one set of public key and private keys, so a number is
given to every public/private key pair. This number has been referred to as (public) Key ID. Hash
code is encrypted with a private key of the sender, which can be decrypted at the receiving end
by the matching public key of the sender (available with receiver); public key number by which
hash code has to be decrypted is mentioned in this field. Thus, this field contains the public key
number and not the actual public key (of the sender), which is to be used for decryption by
receiver. It is assumed that the various public keys used by a sender are known in advance. (iii)
First two bytes, that is, first 16 bits of the hash code (of the data) are placed without encryption
in this field. Hash is computed by the receiver as well at its end and this hash is compared with
the hash sent by the sender. Since the hash sent by sender is in encrypted form, so it has to
decrypted first by specified public key of sender, and then compared with the has generated by
receiver. In order to be sure that right public key (of the sender) has been used for decryption,
first 16 bits of hash code are not encrypted and are available in this field. (iv) This field contains
the encrypted hash code as sent by the sender. Encryption with private key of the sender ensures
that mail was sent by the sender only (for non-repudiation feature).
Q4 b) What is the structure of the public key ring and private key ring of PGP? Why is the value
of owner trust field of a public key not enough to permit PGP to use the public key?
Ans.
As mentioned above, every user may have more than one public/private key pairs. These keys
are maintained by PGP in the form of key rings described below:

Key ring: A key ring for a user has two parts

Public key ring

Private key ring

Format of private key ring

Time Stamp: Date/time when this key pair was generated
Key ID: 64 bit number for the public/private key pair. A user may be using many pairs
of public (& private) keys. It remains a problem that which key should be used for
sending the session key after encryption with public key of receiver. So every
public/private key pair is given an identification number, which is 64-Bit long.
Public key: for the said private key
Private key: Private key is not stored in open. Instead it is encrypted by a key
generated out of hash code of pass phrase, a password, given by user. In other words,
hash code (160 bit long) of pass phrase supplied by user, is computed. Out of 160-bit
hash code, 128 bits are used as symmetric key for Cast-128 for encrypting private key.
User id: It is user e-mail address or a name given by user.
Raju RanjanPage 14

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Format of public key ring

Time stamp: Date/ time when entry was made.
Key ID: 64 bit number for the public/private key pair. A user may be using many pairs
of public (& private) keys. It remains a problem that which key should be used for
sending the session key after encryption with public key of receiver. So every
public/private key pair is given an identification number, which is 64-Bit long.
Public key:
User id: Identifies users of the key. Multiple user ids may be associated with one
public key.

Owner trust
Key legitimacy:
Signature trust:
Signatures:

Session Key Generation

Session key is computed for every message and used once only. It is used for encrypting &
decrypting the compressed PGP message.
Random numbers are generated (say by CAST-128 symmetric encryption algorithm). The 128bit random numbers can be generated by using cipher text feedback mode CFB. The 128-bit
random number generated above is encrypted (by CAST-128) to give session key as its output.
Specification of algorithm for generating random numbers is given in ANSI X 12.17.

Segmentation & Reassembly

If message after 4 operations, namely signature, Compression, confidentiality and conversion to
Radix 64, is longer than the limit posed on Internet or other facilities, then PGP splits up the
message to suitable size (on the sending end) segments.
At receiving end, these segments are reassembled.
Thus the session key and signature components of the message appear once only.

TRUST

Raju RanjanPage 15

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

PGP allows every user to keep different values of trust for different people. There are three level
of trust: None
Partial
Complete
PGP computes trust that should be placed on certificates and public key in your ring based on the
info you asserted on the people.
Owner trust field: It is the degree to which this public key is trusted to sign other public key
certificates.
Signature trust field: Trust shown by the user to certification given by others.
Key legitimacy key: Computed by PGP.
Q4 c) What is Kerberos? Discuss Kerberos version 4 in detail.
Ans.
Kerberos is an authentication service developed as part of Project Athena at MIT, U.S.A. In a
distributed environment where many servers giving same or different services are physically
placed apart and may be working under different operating systems, any user may ask for some
service. In such a situation any of following undesirable events can take place:
1. A user may impersonate another user operating from a workstation.
2. A user may manipulate the address of the workstation.
3. A user may eavesdrop and try to gain entrance to a server or disrupt operations/services.
Requirements of Kerberos:
(1) Secure: An eavesdropper must not be able to get necessary information to impersonate a
user.
(2) Reliable: In a distributed architecture, services should be available inspite of a failure of
a particular server.
(3) Transparent: Working of entire authentication system should not be known to the user
except that the user has to type in his login and necessary password(s) for the same.
(4) Scalable: A system is said to be scalable if it is possible to add more users and/or servers
to the system without disturbing the existing structure of the system.
Scheme of operation: User keys in his/her login and password for logging on to the system (see
message 1 of figure 4.1.1 below), and the same are verified by the Authentication Server (AS).
Once login and password are found to be correct, AS issues a ticket (t1) to the user (message 2 in
figure 4.1.1) so that by producing this ticket the user can contact a Ticket Granting Server (TGS)
for grant of a valid ticket for the desired server. A ticket is an encrypted message with the secret
key between AS and TGS. More details of the ticket and messages exchanged between User and
Kerberos system are given below in figure 4.1.2. It must be noted that there is only one
Authentication Server (AS) in the system for one realm.
A TGS after getting the ticket from user along with a request specifying the server for which
services are required (message 3 in figure 4.1.1), verifies its contents, and if found correct, issues
Raju RanjanPage 16

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

another ticket (t2) to user so that user can contact the desired server for its services (message 4 in
figure 4.1.1). It must be noted that there can be more than one ticket granting servers (TGS)
whereas there is only one AS.
Client after getting ticket2 from a ticket granting server sends it to the desired server for its
services. This ticket is encrypted with the secret key between ticket granting server and the
desired server. Every server which is providing some service is having a different secret key with
a ticket granting server. Thus the contents of ticket2 provided by ticket granting server to a client
can be seen and properly interpreted by the desired server only.
The ticket2 contains the ID and network address of the client. This ensures that the services are
available to the right client only.
(1) Request

User

(2) Ticket 1
(3) Request
(4) Ticket 2 + Session Keys

Authentication
Server (AS)

Ticket Granting
Server (TGS)

(5) Request Server +

Ticket2
(6) Client/server Exchange

Server 1

Secret Keys

Server i

Server n

Messages exchanged in Kerberos System

Raju RanjanPage 17

Databas
e

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Q5 a) What is SSL and SET? What is the difference between SSL connection and SSL session?
Discuss SSL protocol architecture. How does SET work? Describe dual signature for SET and its
purpose.
Ans.
SSL Connection:
These are peer-to-peer relationships that provide a suitable service.
SSL connections are transient.
Every connection is associated with one session.
SSL Session:
It defines a set of cryptographic security parameters, which may be shared among multiple
connections. These are created by SSL Handshake protocol.
SSL Architecture

Client Hello

Raju RanjanPage 18

Phase I
1. Protocol Version,
2. Security capabilities
3. Session ID
4. Compression method
5. Random numbers
6. Cipher

Dept. of Information
Technology

Cryptography & Network Security

SECURE ELECTRONIC TRANSACTIONS

Cookie of A + List of Crypto Algos

Parameter
Negotiation

Cookie of B + Selected Crypto Algo

Xa = g^a mod p
A

Ya = g^b mod p

g^(ab) mod p + IDA + relevant secret

g^(ab) mod p + IDB

Messages of Main Mode

Raju RanjanPage 19

DiffieHellman
Exchanges

Send IDs and

authenticate

Model
Paper 1

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Crypto Algo proposal + IDA + g^a mod p

Crypto Algo Choice + IDB + g^b mod p

Proof of IDA
Messages of Aggressive Mode

Q5 b) Justify whether following statement are true or false in context of DES cipher.
a. Is it possible that a plaintext P encrypted with key K1 can be decrypted with a
different key K2, (K2 K1)
b. If key K1 is complement of key K2 then ciphertext produced with K1 will be
complement of ciphertext produced with K2.
Ans.
a. If a plaintext is encrypted with key K1, then it can be decrypted with key K1 only.
Encryption is a mapping of given 64-bit plaintext to another 64-bit value by a key K1. If
this ciphertext is decrypted with same key K1, then the same plaintext is obtained.
However, decrypting ciphertext C, which was obtained by encrypting a plaintext with key
K1, with another key K2, will map to another value of plaintext, which will not be a
meaningful message.
b. If a plaintext P, encrypted with key K1 produces a ciphertext C1, then encrypting same
plaintext with K2 will not yield a ciphertext which is a complement of C1. This is so
because after performing XOR with key, the intermediate result is fed to S-boxes, which
are non-linear in nature. In other words, if inputs to S-Boxes are complemented, then the
output of any of eight S-boxes is not complement of the original output. It is the nonlinear function of S-boxes which ensures that if 64-bit data or 56-bit key are
complemented, then the output is not complement of the output obtained with uncomplemented data or key.

Raju RanjanPage 20

Dept. of Information
Technology

Cryptography & Network Security

Model
Paper 1

Q5 c) Describe in brief idea encryption and decryption.

The cipher named IDEA (International Data Encryption Algorithm) encrypts 64-bit
plaintext to 64-bit ciphertext blocks, using a 128-bit input key K. Based in part on a novel
generalization of the Feistel structure, it consists of 8 computationally identical rounds followed
by an output transformation (see Figure below). Round r uses six 16-bit sub keys K(r).
1- To transform a 64-bit input X into an output of four 16-bit blocks, which are input to the
next round. The round 8 output enters the output transformation, employing four
additional sub keys K(9)
2- To produce the final ciphertext Y = (Y1; Y2; Y3; Y4). All sub keys are derived from K. A
dominant design concept in IDEA is mixing operations from three different algebraic
groups of 2n elements.
The corresponding group operations on sub-blocks a and b of bit length n = 16 are bitwise
XOR: a_b; additionmod 2n: (a+b) AND 0xFFFF, denoted a_b; and (modified) multiplication
mod 2n+1.

Raju RanjanPage 21

Dept. of Information
Technology

Raju RanjanPage 22

Cryptography & Network Security

Model
Paper 1