INS Module 2 Theory
CRYPTOGRAPHY
Cryptography is a technique of securing information and communications through the use of codes
so that only those persons for whom the information is intended can understand and process it, thus
preventing unauthorized access to information. The prefix “crypt” means “hidden” and the suffix
“graphy” means “writing”. In cryptography, the techniques used to protect information are
obtained from mathematical concepts and a set of rule-based calculations known as algorithms, which
convert messages in ways that make them hard to decode. These algorithms are used for
cryptographic key generation, digital signing, and verification to protect data privacy, web browsing
on the internet, and confidential transactions such as credit card and debit card
transactions.
Features Of Cryptography
• Confidentiality: Information can only be accessed by the person for whom it is intended;
no other person can access it.
• Authentication: The identities of the sender and receiver are confirmed, as well as the
destination/origin of the information.
Types Of Cryptography
1. Symmetric Key Cryptography
It is an encryption system where the sender and receiver of a message use a single common key to
encrypt and decrypt messages. Symmetric key cryptography is faster and simpler, but the problem
is that the sender and receiver have to somehow exchange keys securely. The most popular
symmetric key cryptography systems are the Data Encryption Standard (DES) and the Advanced
Encryption Standard (AES).
Symmetric Key Cryptography
• Amount of secrecy required determines the amount of labor appropriate for the encryption
and decryption.
• The size of the enciphered text should be no larger than the text of the original message.
Confusion | Diffusion
In confusion, if one bit within the secret is modified, most or all bits within the cipher text will also be modified. | In diffusion, if one symbol within the plain text is modified, many or all symbols within the cipher text will also be modified.
The relation between the cipher text and the key is masked by confusion. | The relation between the cipher text and the plain text is masked by diffusion.
Encryption | Decryption
Encryption is the process that takes place at the sender’s end. | While decryption is the process that takes place at the receiver’s end.
Its major task is to convert the plain text into cipher text. | While its main task is to convert the cipher text into plain text.
Encryption is used to protect the confidentiality of data by converting it into an unreadable form that can only be read by authorized parties. | Decryption is used to reverse the encryption process and convert the ciphertext back into plaintext.
NON REPUDIATION
Non-repudiation is the assurance that someone cannot deny the validity of something, such as an
electronic message or transaction. It is a legal concept that’s mostly used in information security and
refers to a service which provides proof of the origin and integrity of data. In other words,
non-repudiation makes it very difficult to successfully deny who/where a message came from, as well as
the authenticity and integrity of that message.
It authenticates both the sender and the recipient of the information. It is irrefutable for both parties
that this was how the communication took place. This security feature is essential to preserving
dependability and confidence throughout a range of procedures.
STREAM CIPHER
In a stream cipher, one byte is encrypted at a time, while in a block cipher ~128 bits are encrypted at a
time. Initially, a key (k) is supplied as input to a pseudorandom bit generator, which then produces
a random 8-bit output that is treated as the keystream. The resulting keystream is 1 byte in size,
i.e., 8 bits. Stream ciphers are fast because they encrypt data bit by bit or byte by byte, which makes
them efficient for encrypting large amounts of data quickly. Stream ciphers work well for real-time
communication, such as video streaming or online gaming, because they can encrypt and decrypt
data as it’s being transmitted.
3. Making the key longer also makes it safe against brute force attacks.
4. The longer the key, the stronger the security achieved, preventing any attack.
5. The keystream can be designed more efficiently by including a larger number of 1s and 0s,
making cryptanalysis more difficult.
6. A considerable benefit of a stream cipher is that it requires fewer lines of code compared to a block
cipher.
Encryption
For Encryption,
• Plain Text and Keystream produce Cipher Text (the same keystream will be used for decryption).
• The Plaintext undergoes an XOR operation with the keystream bit-by-bit to produce the Cipher
Text.
Decryption
For Decryption,
• Cipher Text and Keystream give the original Plain Text (the same keystream that was used for
encryption).
• The Ciphertext undergoes an XOR operation with the keystream bit-by-bit to produce the actual
Plain Text.
• Decryption is just the reverse process of Encryption i.e. performing XOR with Cipher Text.
RC4
RC4 stands for Rivest Cipher 4; it was invented by Ron Rivest in 1987 for RSA Security. It is a stream cipher.
Stream ciphers operate on a stream of data byte by byte. RC4 is one of the most
widely used stream ciphers because of its simplicity and speed of operation. It is a variable key-size
stream cipher with byte-oriented operations. It uses either 64-bit or 128-bit key sizes.
Algorithm
The algorithm operates on a user-selected variable-length key (K) of 1 to 256 bytes (8 to 2048 bits),
typically between 5 and 16 bytes. The master key is used to generate a 256-byte state vector S.
The first step is the array initialization. S is a character array of size 256, i.e. S[256]. For
every element of the array, we initialize S[i] to i.
The KSA (Key-Scheduling Algorithm) uses the secret key to scramble this array. KSA is a simple loop with
two variables, i and j, which are used to rearrange the array. The rearrangement is
driven by the secret key.
Once the KSA has scrambled the array, S[256] is used by the PRGA (Pseudo Random Generation
Algorithm) to generate the actual keystream.
Working of RC4
Encryption Procedure
2. The encryption engine then generates the keystream by using the KSA and PRGA algorithms.
3. This keystream is then XORed with the plain text, byte by byte, to produce
the encrypted text.
4. The encrypted text is then sent to the intended receiver, who will then
decrypt the text and, after decryption, get the original plain text.
Decryption Procedure
Decryption is achieved by doing the same byte-wise X-OR operation on the Ciphertext.
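The KSA, PRGA and byte-wise XOR described above, written out as an added example (not part of the original notes); the function names and the sample key and message are this example's own.

```python
def ksa(key):
    """Key-Scheduling Algorithm: initialise S[i] = i, then scramble S with the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes long")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]          # swap driven by the secret key
    return s


def prga(s):
    """Pseudo Random Generation Algorithm: yield keystream bytes from the scrambled S."""
    s = list(s)                          # work on a copy of the state
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]


def keystream_bytes(key, n):
    """First n keystream bytes for a key."""
    ks = prga(ksa(key))
    return bytes(next(ks) for _ in range(n))


def rc4(key, data):
    """XOR data with the keystream byte by byte; the same call encrypts and decrypts."""
    keystream = prga(ksa(key))
    return bytes(byte ^ next(keystream) for byte in data)


if __name__ == "__main__":
    key = b"Secret"                      # constructed sample key
    ciphertext = rc4(key, b"Attack at dawn")
    print(ciphertext.hex())
    print(rc4(key, ciphertext))          # XOR with the same keystream restores the text
```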
A5/1
The A5/1 cipher is a stream cipher used for encrypting voice and data in GSM mobile
communications. It was designed to provide confidentiality for conversations and data transmitted
over cellular networks. Here's a brief overview of how it works:
2. Key Length: It uses a 64-bit secret key for encryption, which is combined with the frame
number to initialize the cipher.
3. Three LFSRs: A5/1 relies on three Linear Feedback Shift Registers (LFSRs) of lengths 19, 22,
and 23 bits. The LFSRs shift based on a "majority rule" clocking mechanism.
4. Clocking Mechanism: Only two of the three LFSRs are clocked during each iteration, based
on the majority value of a certain bit in each LFSR. This irregular clocking introduces non-
linearity into the cipher.
5. Initialization:
o A frame number (22-bit) is also used as input to vary the keystream across different
frames.
o After initialization, the LFSRs are clocked multiple times to create a new keystream
for each frame.
6. Keystream Generation: Once the initialization process is complete, the LFSRs are used to
generate a stream of bits, which are then XORed with the plaintext bits (voice or data) to
encrypt them.
BLOCK CIPHERS
Block Size
Though any size of block is acceptable, following aspects are borne in mind while selecting a size of a
block.
• Avoid very small block size − Say a block size is m bits. Then the number of possible plaintext bit
combinations is 2^m. If the attacker discovers the plain text blocks corresponding to
some previously sent ciphertext blocks, then the attacker can launch a type of ‘dictionary
attack’ by building up a dictionary of plaintext/ciphertext pairs sent using that encryption
key. A larger block size makes attack harder as the dictionary needs to be larger.
• Do not have very large block size − With very large block size, the cipher becomes inefficient
to operate. Such plaintexts will need to be padded before being encrypted.
Block ciphers process blocks of fixed sizes (say 64 bits). The length of plaintexts is mostly not a
multiple of the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each with
a third block of the remaining 22 bits. The last block of bits needs to be padded with redundant
information so that the length of the final block equals the block size of the scheme. In our example,
the remaining 22 bits need to have an additional 42 redundant bits added to provide a complete block.
The process of adding bits to the last block is referred to as padding.
FEISTEL STRUCTURE
The Feistel Cipher model is a structure or a design used to develop many block ciphers such as DES.
A Feistel cipher may have invertible, non-invertible and self-invertible components in its design. The same
algorithm is used for encryption as well as decryption. A separate key is used for each round. However,
the same round keys are used for encryption as well as decryption.
• Convert the Plain Text to ASCII and then to 8-bit binary format.
• Divide the binary Plain Text string into two halves: left half (L1) and right half (R1).
• Generate random binary keys (K1 and K2) of length equal to half the length of the Plain
Text for the two rounds.
• b. Now the new left half(L2) and right half(R2) after round 1 are as follows:
L2=R1
• b. Now the new left half(L3) and right half(R3) after round 2 are as follows:
L3=R2
• Same algorithm is used for decryption to retrieve the Plain Text from the Cipher Text.
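A two-round Feistel network following the steps above, as an added example that is not part of the original notes. The round function (truncated SHA-256 of key and right half) is an assumption chosen to be non-invertible, and decryption runs the same routine with the round keys in reverse order.

```python
import hashlib
import secrets


def round_f(right, key):
    """Round function f(R, K); non-invertible on purpose (assumption of this example)."""
    return hashlib.sha256(key + right).digest()[:len(right)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, round_keys):
    """Run the Feistel rounds over one block and swap the halves at the end."""
    if len(block) % 2 or not 2 <= len(block) <= 64:
        raise ValueError("block must have an even length of 2 to 64 bytes")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for key in round_keys:
        # L(i+1) = R(i);  R(i+1) = L(i) XOR f(R(i), K(i))
        left, right = right, xor_bytes(left, round_f(right, key))
    return right + left                  # final swap lets the same routine decrypt


def encrypt(block, round_keys):
    return feistel(block, round_keys)


def decrypt(block, round_keys):
    # Same algorithm, same round keys, applied in reverse order.
    return feistel(block, list(reversed(round_keys)))


if __name__ == "__main__":
    plain = b"Feistel!"                                  # constructed sample block
    keys = [secrets.token_bytes(len(plain) // 2) for _ in range(2)]   # K1, K2
    cipher = encrypt(plain, keys)
    print(cipher.hex(), decrypt(cipher, keys))
```

Because f is only ever XORed into the other half, it never has to be inverted, which is why a non-invertible component is acceptable in this design.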
DES
DES is an implementation of a Feistel Cipher. It uses 16 round Feistel structure. The block size is 64-
bit. Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of the 64 bits of
the key are not used by the encryption algorithm (function as check bits only). General Structure of
DES is depicted in the following illustration −
Since DES is based on the Feistel Cipher, all that is required to specify DES is −
• Round function
• Key schedule
The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of each
other. They have no cryptographic significance in DES. The initial and final permutations are shown as
follows −
Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost
32 bits to produce a 32-bit output.
• Expansion Permutation Box − Since right input is 32-bit and round key is a 48-bit, we first
need to expand right input to 48 bits. Permutation logic is graphically depicted in the
following illustration −
• The graphically depicted permutation logic is generally described as table in DES specification
illustrated as shown −
• XOR (Whitener). − After the expansion permutation, DES does XOR operation on the
expanded right section and the round key. The round key is used only in this operation.
• Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes,
each with a 6-bit input and a 4-bit output. Refer the following illustration −
• The S-box rule is illustrated below −
• There are a total of eight S-box tables. The output of all eight s-boxes is then combined in to
32 bit section.
• Straight Permutation − The 32 bit output of S-boxes is then subjected to the straight
permutation with rule shown in the following illustration:
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key
generation is depicted in the following illustration −
AES
Advanced Encryption Standard (AES) is a highly trusted encryption algorithm used to secure data by
converting it into an unreadable format without the proper key. Developed by the National Institute
of Standards and Technology (NIST), AES encryption uses various key lengths (128, 192, or 256 bits)
to provide strong protection against unauthorized access. This data security measure is efficient and
widely implemented in securing internet communication, protecting sensitive data, and encrypting
files. AES, a cornerstone of modern cryptography, is recognized globally for its ability to keep
information safe from cyber threats.
Points to Remember
That means it takes 128 bits as input and outputs 128 bits of encrypted cipher text. AES relies on the
substitution-permutation network principle, which is performed using a series of linked operations
that involve replacing and shuffling the input data.
A Key Schedule algorithm calculates all the round keys from the key. So the initial key is used to
create many different round keys which will be used in the corresponding round of the encryption.
Encryption
AES considers each block as a 16-byte (4 byte x 4 byte = 128 ) grid in a column-major arrangement.
[ b0 | b4 | b8 | b12 |
| b1 | b5 | b9 | b13 |
| b2 | b6 | b10| b14 |
| b3 | b7 | b11| b15 ]
• SubBytes
• ShiftRows
• MixColumns
Sub Bytes
In this step, each byte is substituted by another byte. It is performed using a lookup table also called
the S-box. This substitution is done in such a way that a byte is never substituted by itself and also not
substituted by another byte which is a complement of the current byte. The result of this step is a
16-byte (4 x 4) matrix like before.
Shift Rows
This step is just as it sounds. Each row is shifted a particular number of times.
[ b0 | b1 | b2 | b3 ] [ b0 | b1 | b2 | b3 ]
| b4 | b5 | b6 | b7 | -> | b5 | b6 | b7 | b4 |
| b8 | b9 | b10 | b11 | | b10 | b11 | b8 | b9 |
[ b12 | b13 | b14 | b15 ] [ b15 | b12 | b13 | b14 ]
Mix Columns
This step is a matrix multiplication. Each column is multiplied with a specific matrix and thus the
position of each byte in the column is changed as a result.
[ c0 ] [ 2 3 1 1 ] [ b0 ]
| c1 | = | 1 2 3 1 | | b1 |
| c2 | | 1 1 2 3 | | b2 |
[ c3 ] [ 3 1 1 2 ] [ b3 ]
Now the resultant output of the previous stage is XOR-ed with the corresponding round key. Here,
the 16 bytes are not considered as a grid but just as 128 bits of data.
Added Round Keys (AES)
After all these rounds 128 bits of encrypted data are given back as output. This process is repeated
until all the data to be encrypted undergoes this process.
Decryption
The stages in the rounds can be easily undone, as each stage has an opposite which, when
performed, reverts the changes. Each 128-bit block goes through 10, 12 or 14 rounds depending on
the key size.
• Inverse MixColumns
• ShiftRows
• Inverse SubByte
The decryption process is the encryption process done in reverse so I will explain the steps with
notable differences.
Inverse MixColumns
This step is similar to the Mix Columns step in encryption but differs in the matrix used to carry out
the operation.
Matrix multiplication is used. The output of this step is the matrix multiplication of the old values and
a constant matrix.
[ b0 ]   [ 14 11 13  9 ] [ c0 ]
| b1 | = |  9 14 11 13 | | c1 |
| b2 |   | 13  9 14 11 | | c2 |
[ b3 ]   [ 11 13  9 14 ] [ c3 ]
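The "matrix multiplication" in MixColumns and Inverse MixColumns is carried out in the finite field GF(2^8), not with ordinary integer arithmetic. The following added example (not part of the original notes; function names are its own) implements that multiplication with the two matrices shown above, plus ShiftRows on the column-major state.

```python
def xtime(a):
    """Multiply a byte by 2 in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add; addition is XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mul_column(matrix, column):
    """Multiply one 4-byte column by a constant matrix over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def to_state(block):
    """16 bytes -> four columns (column-major): column c holds b[4c] .. b[4c+3]."""
    if len(block) != 16:
        raise ValueError("AES block must be 16 bytes")
    return [list(block[4 * c:4 * c + 4]) for c in range(4)]


def shift_rows(state):
    """Rotate row r left by r positions; state[c][r] is column c, row r."""
    return [[state[(c + r) % 4][r] for r in range(4)] for c in range(4)]


def mix_columns(state):
    return [mul_column(MIX, column) for column in state]


def inv_mix_columns(state):
    return [mul_column(INV_MIX, column) for column in state]


if __name__ == "__main__":
    state = to_state(bytes(range(16)))           # constructed sample block
    mixed = mix_columns(shift_rows(state))
    print(mixed, inv_mix_columns(mixed) == shift_rows(state))
```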
Inverse SubBytes
Inverse S-box is used as a lookup table and using which the bytes are substituted during decryption.
Function Substitute performs a byte substitution on each byte of the input word. For this purpose,
it uses an S-box.
Symmetric Key Encryption | Asymmetric Key Encryption
It only requires a single key for both encryption and decryption. | It requires two keys, a public key and a private key, one to encrypt and the other to decrypt.
The size of ciphertext is the same or smaller than the original plaintext. | The size of ciphertext is the same or larger than the original plaintext.
The length of key used is 128 or 256 bits | The length of key used is 2048 or higher
Security is lower as only one key is used for both encryption and decryption purposes. | Security is higher as two keys are used, one for encryption and the other for decryption.
The Diffie-Hellman algorithm is used to establish a shared secret that can be used for
secret communications while exchanging data over a public network, using the elliptic curve to
generate points and get the secret key using the parameters.
• For the sake of simplicity and practical implementation of the algorithm, we will consider
only 4 variables: one prime P, G (a primitive root of P) and two private values a and b.
• P and G are both publicly available numbers. Users (say Alice and Bob) pick private values a
and b, and each generates a key and exchanges it publicly. The other person receives the key
and generates a secret key from it, after which they have the same secret key to encrypt.
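The exchange between Alice and Bob with the four variables P, G, a and b, as an added example that is not part of the original notes. The toy values P = 23 and G = 5, the range check on the received value and the SHA-256 key derivation are assumptions of this example.

```python
import hashlib
import secrets


def public_value(p, g, private):
    """Value sent over the public network: G^private mod P."""
    return pow(g, private, p)


def shared_secret(p, peer_public, private):
    """Combine the peer's public value with our private value."""
    # Values outside 2..P-2 (0, 1, P-1) force a predictable secret, so reject them.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_key(secret, p):
    """Hash the shared secret into a fixed-size symmetric key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def keypair(p, g):
    """Pick a random private value whose public value passes the range check."""
    while True:
        private = secrets.randbelow(p - 3) + 2        # 2 .. P-2
        public = public_value(p, g, private)
        if 2 <= public <= p - 2:
            return private, public


def exchange(p, g):
    """Run both sides of the exchange and return the key each side derives."""
    a, alice_pub = keypair(p, g)                      # Alice keeps a, sends alice_pub
    b, bob_pub = keypair(p, g)                        # Bob keeps b, sends bob_pub
    alice_key = derive_key(shared_secret(p, bob_pub, a), p)
    bob_key = derive_key(shared_secret(p, alice_pub, b), p)
    return alice_key, bob_key


if __name__ == "__main__":
    P, G = 23, 5          # toy public parameters; real groups use primes of 2048 bits or more
    alice_key, bob_key = exchange(P, G)
    print(alice_key == bob_key)
```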
The RSA (Rivest–Shamir–Adleman) algorithm is a widely used public-key cryptographic system that
allows secure data transmission. It is based on the mathematical difficulty of factoring the product of
two large prime numbers. Here's an overview of how the RSA algorithm works:
Key Components:
1. Key Generation:
DIGITAL SIGNATURE
A digital signature is a mathematical technique used to validate the authenticity and integrity of a
message, software, or digital document.
1. Key Generation Algorithms: Digital signatures are electronic signatures, which assure that the
message was sent by a particular sender. While performing digital transactions, authenticity
and integrity should be assured; otherwise, the data can be altered or someone can also act
as if he was the sender and expect a reply.
2. Signing Algorithms: To create a digital signature, signing algorithms like email programs
create a one-way hash of the electronic data which is to be signed. The signing algorithm
then encrypts the hash value using the private key (signature key). This encrypted hash along
with other information like the hashing algorithm is the digital signature. This digital
signature is appended with the data and sent to the verifier. The reason for encrypting the
hash instead of the entire message or document is that a hash function converts any
arbitrary input into a much shorter fixed-length value. This saves time as now instead of
signing a long message a shorter hash value has to be signed and moreover hashing is much
faster than signing.
3. Signature Verification Algorithms: The verifier receives the digital signature along with the data. It
then uses the verification algorithm to process the digital signature and the public key
(verification key) and generates some value. It also applies the same hash function to the
received data and generates a hash value. If they both are equal, then the digital signature is
valid; otherwise it is invalid.
1. Message digest is computed by applying hash function on the message and then message
digest is encrypted using private key of sender to form the digital signature. (digital signature
= encryption (private key of sender, message digest) and message digest = message digest
algorithm(message)).
3. Receiver decrypts the digital signature using the public key of sender. (This assures
authenticity, as only sender has his private key so only sender can encrypt using his private
key which can thus be decrypted by sender’s public key.)
5. The receiver can compute the message digest from the message (actual message is sent with
the digital signature).
6. The message digest computed by receiver and the message digest (got by decryption on
digital signature) need to be same for ensuring integrity.
Message digest is computed using one-way hash function, i.e. a hash function in which computation
of hash value of a message is easy but computation of the message from hash value of the message
is very difficult.
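The hash-then-sign flow above (digest, private-key operation, public-key check, digest comparison), as an added example that is not part of the original notes. It uses textbook RSA with a constructed toy key built from two small Mersenne primes and no signature padding, which are assumptions made to keep the arithmetic visible.

```python
import hashlib

# Constructed toy key: far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public (verification) exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private (signing) exponent


def message_digest(message):
    """One-way hash of the message, reduced to an integer below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message):
    """Sender: digital signature = private-key operation on the message digest."""
    return pow(message_digest(message), D, N)


def verify(message, signature):
    """Receiver: recover the digest with the public key, compare with a fresh hash."""
    if not 0 <= signature < N:
        return False
    recovered = pow(signature, E, N)       # "decrypt" the signature
    return recovered == message_digest(message)


if __name__ == "__main__":
    message = b"Transfer 100 to Bob"       # constructed sample message
    signature = sign(message)
    print(verify(message, signature))                   # unchanged message
    print(verify(b"Transfer 900 to Bob", signature))    # altered message fails
```

Only the short digest goes through the slow private-key operation, which is the time saving the signing step describes.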
CRYPTOGRAPHIC HASH FUNCTION
A cryptographic hash function (CHF) is an equation that is widely used to verify the validity of data. It
has many applications, particularly in information security (e.g. user authentication). A CHF translates
data of various lengths (the message) into a fixed-size numerical string, the hash. A cryptographic
hash function is a one-way function, making it extremely difficult to reverse to recreate the
information used to make it.
• The hash function accepts data of a fixed length. The data block size varies between
algorithms.
• If the blocks are too small, padding may be used to fill the space. However, regardless of the
kind of hashing used, the output, or hash value, always has the same set length.
• The hash function is then applied as many times as the number of data blocks.
A hash function in cryptography takes a plaintext input and produces a hashed value output of a
particular size that cannot be reversed. However, from a high-level viewpoint, they do more.
• Secure against unauthorized alterations: Even minor changes to a message
will result in the generation of a whole new hash value, which helps you detect them.
• Protect passwords and operate at various speeds: Many websites allow you to save your
passwords so that you don’t have to remember them each time you log in. However, keeping
plaintext passwords on a public-facing server is risky since it exposes the information to
thieves. Websites commonly hash passwords to create hash values, which they then
store.
AVALANCHE EFFECT
The avalanche effect means that a small change in the input of a cryptographic system causes a big
and unpredictable change in the output. For example, changing one bit in a message makes the
whole encrypted message look very different. This helps keep the data secure because it makes it
hard for anyone to figure out the original message or key.
MD5
MD5 is a cryptographic hash function algorithm that takes the message as input of any length and
changes it into a fixed-length message of 16 bytes. MD5 algorithm stands for the message-digest
algorithm. The output of MD5 (Digest size) is always 128 bits.
1. Append Padding Bits: In the first step, we add padding bits in the original message in such a way
that the total length of the message is 64 bits less than the exact multiple of 512.
Suppose we are given a message of 1000 bits. Now we have to add padding bits to the original
message. Here we will add 472 padding bits to the original message. After adding the padding bits
the size of the original message/output of the first step will be 1472 i.e. 64 bits less than an exact
multiple of 512 (i.e. 512*3 = 1536).
2. Append Length Bits: In this step, we add the length bit in the output of the first step in such a way
that the total number of the bits is the perfect multiple of 512. Simply, here we add the 64-bit as a
length bit in the output of the first step.
i.e. output of first step = 512 * n – 64
length bits = 64.
After adding both we will get 512 * n i.e. the exact multiple of 512.
3. Initialize MD buffer: Here, we use the 4 buffers i.e. A, B, C, and D. The size of each buffer is 32
bits.
- A = 0x67425301
- B = 0xEDFCBA45
- C = 0x98CBADFE
- D = 0x13DCE476
F,G,H and I functions
4. Process Each 512-bit Block: This is the most important step of the MD5 algorithm. Here, a total of
64 operations are performed in 4 rounds. In the 1st round, 16 operations will be performed, 2nd
round 16 operations will be performed, 3rd round 16 operations will be performed, and in the 4th
round, 16 operations will be performed. We apply a different function on each round i.e. for the 1st
round we apply the F function, for the 2nd G function, 3rd for the H function, and 4th for the I
function.
We perform OR, AND, XOR, and NOT (basically these are logic gates) for calculating functions. We use
3 buffers for each function i.e. B, C, D.
Process P Operation
After applying the function now we perform an operation on each block. For performing operations
we need
Now take input as initialize MD buffer i.e. A, B, C, D. Output of B will be fed in C, C will be fed into D,
and D will be fed into J. After doing this now we perform some operations to find the output for A.
• In the first step, outputs of B, C, and D are taken and then the function F is applied to them.
We will add the output of this to A, modulo 2^32.
• In the second step, we add the M[i] bit message with the output of the first step.
• Then add 32 bits constant i.e. K[i] to the output of the second step.
• At last, we do left shift operation by n (can be any value of n) and addition modulo 2^32.
After all steps, the result of A will be fed into B. Now same steps will be used for all functions G, H,
and I. After performing all 64 operations we will get our message digest.
Output:
After all rounds have been performed, the buffers A, B, C, and D contain the MD5 output, starting
with the lower bits in A and ending with the higher bits in D.
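Steps 1 and 2 (padding bits and length bits) and the split into the 32-bit message words M[i] used in step 4, as an added example that is not part of the original notes. The function names are its own, and it covers only message preparation, not the 64 round operations.

```python
import struct


def padding_bits(message_bits):
    """Padding bits added in step 1: always between 1 and 512."""
    return (447 - message_bits) % 512 + 1


def md5_pad(message):
    """Append a 1 bit, zero bits up to 448 mod 512, then the 64-bit length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"                         # single 1 bit, then seven 0 bits
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_length % 2**64)    # length bits, little-endian
    return padded


def message_words(message):
    """Split the padded message into 512-bit blocks of sixteen 32-bit words M[0..15]."""
    padded = md5_pad(message)
    return [list(struct.unpack("<16I", padded[i:i + 64]))
            for i in range(0, len(padded), 64)]


if __name__ == "__main__":
    sample = bytes(125)                    # constructed 1000-bit message (125 bytes)
    print(padding_bits(1000))              # padding bits for the 1000-bit case
    print(len(md5_pad(sample)) * 8)        # total bits after steps 1 and 2
    print(len(message_words(sample)))      # number of 512-bit blocks
```

A message that is already 448 bits long still receives padding: a full 512 bits, which pushes it into a second block.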
SHA-1
SHA-1 or Secure Hash Algorithm 1 is a cryptographic algorithm that takes an input and produces a
160-bit (20-byte) hash value. This hash value is known as a message digest. This message digest is
usually then rendered as a hexadecimal number which is 40 digits long.
1. Message (M):
2. Message Padding:
• The initial step where the message is padded to ensure its length is congruent to 448
modulo 512. This step prepares the message for processing in 512-bit blocks.
• After padding, the message is divided into blocks of 512 bits, and each block is
further divided into 16 words of 32 bits. These words are then expanded into 80 32-
bit words, which are used in the subsequent rounds.
• Initialization of five working variables (A, B, C, D, and E) with specific constant values.
These variables are used to compute the hash value iteratively.
• SHA-1 uses four constant values (K1, K2, K3, K4), each
applied in a specific range of rounds:
6. Rounds (0-79):
• The main computation loop of SHA-1, divided into four stages (each corresponding
to one of the constants K1 to K4). In each round, a combination of
logical functions and operations is performed on the working variables (A, B, C, D,
and E) using the words generated in the previous step.
• After all 80 rounds, the resulting values of A, B, C, D, and E are added to the original
hash values to produce the final hash.
8. MPX (Multiplexing):
• Combines the results from the final round addition to form the final message digest.
MAC
MAC stands for Message Authentication Code. Here in MAC, sender and receiver share same key
where sender generates a fixed size output called Cryptographic checksum or Message
Authentication code and appends it to the original message. On receiver’s side, receiver also
generates the code and compares it with what he/she received thus ensuring the originality of the
message. These are components:
• Message
• Key
• MAC algorithm
• MAC value
There are different models of Message Authentication Code (MAC), as follows:
M' = MAC(M, k)
4. c = E(M, k')
M' = MAC(c, k)
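Two of the models listed above, M' = MAC(M, k) on the plain message and c = E(M, k') followed by M' = MAC(c, k), as an added example that is not part of the original notes. HMAC-SHA256 stands in for the MAC algorithm, and E is a constructed toy keystream cipher included only so the example runs with the standard library.

```python
import hashlib
import hmac


def mac(data, k):
    """MAC algorithm: HMAC-SHA256 over the data with the shared key k."""
    return hmac.new(k, data, hashlib.sha256).digest()


def toy_cipher(data, k_enc):
    """Constructed toy E(M, k'): XOR with a SHA-256 counter keystream (not for real use)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(k_enc + (offset // 32).to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[offset:offset + 32], block))
    return bytes(out)


def send_authenticated(message, k):
    """Model without confidentiality: send M together with M' = MAC(M, k)."""
    return message, mac(message, k)


def receive_authenticated(message, tag, k):
    """Receiver recomputes the code and compares in constant time."""
    return hmac.compare_digest(tag, mac(message, k))


def send_encrypted(message, k, k_enc):
    """c = E(M, k'), then M' = MAC(c, k) over the ciphertext."""
    c = toy_cipher(message, k_enc)
    return c, mac(c, k)


def receive_encrypted(c, tag, k, k_enc):
    """Check the MAC first; decrypt only if the ciphertext is authentic."""
    if not hmac.compare_digest(tag, mac(c, k)):
        return None
    return toy_cipher(c, k_enc)


if __name__ == "__main__":
    k, k_enc = b"constructed-mac-key", b"constructed-enc-key"
    c, tag = send_encrypted(b"meter reading 4711", k, k_enc)
    print(receive_encrypted(c, tag, k, k_enc))
    tampered = bytes([c[0] ^ 1]) + c[1:]
    print(receive_encrypted(tampered, tag, k, k_enc))   # rejected before decryption
```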