Cnscomplete 3 Units

The document is a comprehensive compendium on Cryptography and Network Security, detailing various concepts, techniques, and security mechanisms. It covers topics such as types of security attacks, encryption methods, and principles of security, structured over several weeks of study. Additionally, it includes definitions, models for network security, and practical exercises to reinforce learning.

KESHAV MEMORIAL INSTITUTE OF

TECHNOLOGY
NARAYANAGUDA, HYDERABAD

A Compendium
of
Cryptography and Network Security

Name:-----------------------------------------------------

Roll No:-------------------Year:-----------------------

Branch:-----------------------Sec:-----------------------

Department
of
Computer Science And
Engineering

INDEX

Unit-1
Week-1  1. Introduction
        2. The need for security
        3. Principles of security
        4. Types of security attacks
        5. Security services
        6. Security mechanisms
        7. A model for network security
Week-2  1. Introduction to plain text and cipher text
        2. Substitution techniques: Caesar cipher, Hill cipher, Playfair cipher
Week-3  1. Transposition techniques: Rail-fence technique, Simple columnar technique (cont.),
           One-time pad (Vernam cipher)
Week-4  1. Introduction to symmetric cryptography
        2. Feistel cipher
        3. DES
        4. Blowfish
Week-5  1. AES
        2. Modes of operation

Unit-2
Week-6  1. RC4
        2. RC5
        3. IDEA
Week-7  1. RSA
        2. Diffie-Hellman
        3. Knapsack problem

Unit-3
Week-8  1. Message authentication
        2. SHA
Week-9  1. Authentication requirements
        2. HMAC
        3. CMAC
Week-10 1. Kerberos v4
        2. Kerberos v5
        3. X.509
        4. Public key infrastructure
Unit-I Week-1

Basic terminology

Security attacks
An assault on system security that derives from an intelligent threat; that is, an intelligent act that
is a deliberate attempt (especially in the sense of a method or technique) to evade security
services and violate the security policy of a system.

Security mechanisms
It is a feature designed to detect, prevent, or recover from a security attack.

Security services
A processing or communication service that enhances the security of the data processing systems
and the information transfers of an organization. The services are intended to counter security
attacks, and they make use of one or more security mechanisms to provide the service.

Vulnerability
It is a weakness which can be exploited by an attacker, to perform unauthorized actions within a
system.

Threats
A potential for violation of security, which exists when there is a circumstance, capability, action,
or event that could breach security and cause harm. That is, a threat is a possible danger that
might exploit a vulnerability.

Cipher - Algorithm for transforming plaintext to cipher text

Key – Information used in cipher known only to sender/receiver

Cryptography - study of encryption principles/methods

Cryptanalysis (Code breaking) - study of principles/ methods of deciphering cipher text without
knowing key

Encipher (encryption) - converting plaintext to cipher text.

Decipher (decryption) - converting cipher text to plaintext.

Plain text – the original message.

Cipher text – the coded message.

Secret key – a key shared by the two communicating parties.

Symmetric key cryptography


In this type of cryptography the sender and recipient share a common key.
It is also called conventional / private-key / single-key cryptography. All classical encryption
algorithms are private-key algorithms.

Asymmetric key cryptography


It uses different keys for encryption and decryption. It is also called public key cryptography.

Public Key - the key in the pair that can be shared with everyone.
Private Key - the other key in the pair, which is kept secret.

Stream cipher – encrypts the plain text one byte at a time.

Block cipher – encrypts one block of plain text at a time.

Substitution technique – replaces the letters of the plain text with other letters, numbers or
symbols.

Transposition technique – does not replace the letters; instead it changes the position of the
letters/symbols.

Steganography
It is an alternative to encryption: it hides the existence of the message.
– Using only a subset of letters/words in a longer message, marked in some way
– Using invisible ink
– Hiding the message in the least significant bits (LSB) of a graphic image or sound file.

Digital Signature
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient
of the data unit to prove the source and integrity of the data unit and protect against
forgery (e.g., by the recipient).
UNIT-1
1. INTRODUCTION

• Information Security requirements have changed in the last several decades

• Traditionally provided by physical and administrative mechanisms

• Computer use requires automated tools to protect files and other stored information

• Use of networks and communications links require measures to protect data during
transmission

Definitions:
Computer Security – Generic name for the collection of tools designed to protect data and to
thwart hackers.

Network Security – Measures to protect data during their transmission

Internet Security - Measures to protect data during their transmission over a collection of
interconnected networks

2. NEED FOR SECURITY

• Information relating to the internal affairs of an organization may be leaked which may
cause severe damage to the organization

• Such information may include decision to implement a new type of cost cutting system,
financial information of an organization, research and development information, places
where weapons are stored etc.

• All these kinds of information must be protected

3. SECURITY APPROACHES
Security Model

• No security
– Simplest case
• Security through obscurity
• Host security
– Security for each host is enforced
– Cannot scale well
• Network security
– Control network access to the various hosts and their services
– Very efficient and scalable
Security Management Practices
• A good security policy in place
• Key aspects of good security policy
– Affordability
– Functionality
– Cultural issues
– Legality
• Once a security policy is in place, following points should be ensured
– Explanation of the policy to all concerned.
– Outline everybody's responsibilities
– Use simple language in all communications
– Accountability should be maintained
– Provide for expectations and periodic reviews

4. PRINCIPLES OF SECURITY

• Data Confidentiality – protection of data from unauthorized disclosure.
• Data Integrity – assurance that data received is as sent by an authorized entity.
• Authentication – assurance that the communicating entity is the one claimed
– covers both peer-entity and data-origin authentication
• Access Control – prevention of the unauthorized use of a resource
• Non-Repudiation – protection against denial by one of the parties in a communication

5. SECURITY ATTACKS

Two types, based on the nature of the attack:

• Passive attacks
• Active attacks

Passive attacks: attempt to learn or make use of information from the system but do not affect
the system. They are in the nature of eavesdropping on, or monitoring of, transmissions. Two types:
• Release of message contents: the opponent reads the contents of the message
• Traffic analysis: the opponent cannot understand the message, so observes the traffic pattern

Active attacks: try to alter system resources or affect their operation, by modification of data or
creation of false data.
• Four categories
– Masquerade
– Replay
– Modification of messages
– Denial of service: preventing normal use
• May target a specific entity or the entire network
• Difficult to prevent
– The goal is to detect and recover

6. SECURITY SERVICES
• Enhance security of data processing systems and information transfers of an
organization

• X.800: “a service provided by a protocol layer of communicating open systems, which
ensures adequate security of the systems or of data transfers”

Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimed
– have both peer-entity & data origin authentication
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality – protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a
communication

AUTHENTICATION: The assurance that the communicating entity is the one that it claims
to be:
– Peer Entity Authentication: Used in association with a logical connection to
provide confidence in the identity of the entities connected.
– Data-Origin Authentication: In a connectionless transfer, provides assurance
that the source of received data is as claimed.

ACCESS CONTROL: The prevention of unauthorized use of a resource.

DATA CONFIDENTIALITY: The protection of data from unauthorized disclosure.


– Connection Confidentiality: The protection of all user data on a connection.
– Connectionless Confidentiality: The protection of all user data in a single data
block.
– Selective-Field Confidentiality: The confidentiality of selected fields within the
user data on a connection or in a single data block.
– Traffic-Flow Confidentiality: The protection of the information that might be
derived from observation of traffic flows.

DATA INTEGRITY: The assurance that data received are exactly as sent by an
authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Connection Integrity with Recovery
Provides for the integrity of all user data on a connection and detects any modification,
insertion, deletion, or replay of any data within an entire data sequence, with recovery
attempted.

Connection Integrity without Recovery


As above, but provides only detection without recovery.
Selective-Field Connection Integrity
Provides for the integrity of selected fields within the user data of a data block transferred
over a connection and takes the form of determination of whether the selected fields
have been modified, inserted, deleted, or replayed.
Connectionless Integrity
Provides for the integrity of a single connectionless data block and may take the form of
detection of data modification. Additionally, a limited form of replay detection may be
provided.
Selective-Field Connectionless Integrity
Provides for the integrity of selected fields within a single connectionless data block; takes
the form of determination of whether the selected fields have been modified.

NONREPUDIATION
Provides protection against denial by one of the entities involved in a communication of
having participated in all or part of the communication.
Nonrepudiation, Origin - Proof that the message was sent by the specified party.
Nonrepudiation, Destination - Proof that the message was received by the specified party.
7. SECURITY MECHANISMS:
• Designed to detect, prevent, or recover from a security attack.
• No single mechanism that will support all services required.
• However one particular element underlies many of the security mechanisms in use:
– cryptographic techniques
• specific security mechanisms:
– Encipherment, digital signatures, access controls, data integrity, authentication
exchange, traffic padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event detection, security audit trails,
security recovery

Specific security mechanisms: May be incorporated into the appropriate protocol
layer in order to provide some of the OSI security services.

• Encipherment - The use of mathematical algorithms to transform data into a form that
is not readily intelligible.
- The transformation and subsequent recovery of the data depend on an
algorithm and zero or more encryption keys.
• Access Control - A variety of mechanisms that enforce access rights to resources.
• Digital Signature - Data appended to, or a cryptographic transformation of, a data
unit that allows a recipient of the data unit to prove the source and integrity of the
data unit and protect against forgery (e.g., by the recipient).
• Data Integrity -A variety of mechanisms used to assure the integrity of a data unit or
stream of data units.
• Authentication Exchange A mechanism intended to ensure the identity of an entity by
means of information exchange.
• Traffic Padding - The insertion of bits into gaps in a data stream to frustrate traffic
analysis attempts.
• Routing Control -Enables selection of particular physically secure routes for certain
data and allows routing changes, especially when a breach of security is suspected.
• Notarization -The use of a trusted third party to assure certain properties of a data
exchange.

Pervasive security mechanisms: Mechanisms that are not specific to any particular OSI
security service or protocol layer.

• Trusted Functionality - That which is perceived to be correct with respect to some
criteria (e.g., as established by a security policy).
• Security Label -The marking bound to a resource (which may be a data unit) that
names or designates the security attributes of that resource.
• Event Detection - Detection of security-relevant events.
• Security Audit Trail - Data collected and potentially used to facilitate a security audit,
which is an independent review and examination of system records and activities.
• Security Recovery- Deals with requests from mechanisms, such as event handling and
management functions, and takes recovery actions.

8. A MODEL FOR NETWORK SECURITY

• A message is transmitted through the internet from one party to another by establishing a
route.
• Providing security is desirable to protect the information from an opponent.
• A trusted third party may be needed to securely distribute a key to both parties.
Week-1 Assignment

1. Draw the diagram to show an asset of the system is destroyed or becomes unavailable or
unusable.

2. Draw the diagram to show an unauthorized party inserts a counterfeit object into the system.

3. Draw the diagram to represent Replay attack


Multiple Choice Questions

1. A cryptanalyst is a person who [Interview]


a) Devises cryptography solutions
b) Attempts to break cryptography solutions
c) None of these
d) Both of these
Answer:

2. __________ monitors user activity on the internet and transmits that information in the
background to someone else [Interview]
a) Malware
b) Spyware
c) Adware
d) None of these
Answer:

3.___________ could breach security and cause harm [interview]


a) Security Service
b) Security Attack
c) Security Mechanism
d) All
Answer:

4. The attack that focuses on capturing small packets from the network transmitted by
other computers and reading the data content in search of any type of information is
____[Interview]
a) Phishing
b) Eavesdropping
c) Scams
d) DOS
Answer:

5. Which security measures are needed to protect data during their transmission?
[Interview]
a) Computer
b) Network
c) Internet
d) All
Answer:
Answer the following questions

1) Discuss in detail the various types of security attacks with neat diagrams. [May 2017/May 2016]

2) Explain the network security model with a neat diagram. [Oct 2016/May 2016/May 2017]
Lab Exercise

1. Write a C program that contains a string (char pointer) with the value “Hello World”. The
program should XOR each character in this string with 0 and display the result.
2. Write a C program that contains a string (char pointer) with the value “Hello World”. The
program should AND, OR and XOR each character in this string with 127 and display the
result.
Week-2

CLASSICAL ENCRYPTION TECHNIQUES


There are two basic building blocks of all encryption techniques: substitution and transposition.
Substitution techniques
A substitution technique is one in which the letters of plaintext are replaced by other letters or by
numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with cipher text bit patterns.

Caesar cipher (or) shift cipher

The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The
Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places
further down the alphabet.
e.g., Plain text: pay more money
Cipher text: SDB PRUH PRQHB

Note that the alphabet is wrapped around, so that the letter following "z" is "a".
For each plaintext letter p, substitute the cipher text letter C such that
C = E(p) = (p + 3) mod 26
A shift may be any amount, so the general Caesar algorithm is
C = E(p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(C) = (C - k) mod 26

Monoalphabetic Cipher
Rather than just shifting the alphabet, we could shuffle (jumble) the letters arbitrarily, so that each
plaintext letter maps to a different random cipher text letter.
Plain text: abcdefghijklmnopqrstuvwxyz
Cipher text: DKVQFIBJWPESCXHTMYAUOLRGZN
Plain text: ifwewishtoreplaceletters
Cipher text: WIRFRWAJUHYFTSDVFSFUUFYA
We now have a total of 26! ≈ 4 × 10^26 keys. With so many keys one might think the cipher is
secure, but that would be WRONG! The problem is language characteristics.

Playfair cipher
The best known multiple-letter encryption cipher is the Playfair, which treats digrams in the
plaintext as single units and translates these units into cipher text digrams. The Playfair algorithm
is based on the use of a 5x5 matrix of letters constructed using a keyword. Let the keyword be
"monarchy".

The matrix is constructed by filling in the letters of the keyword (minus duplicates) from
left to right and from top to bottom, and then filling in the remainder of the matrix with the
remaining letters in alphabetical order.

The letters "i" and "j" count as one letter. Plaintext is encrypted two letters at a time
according to the following rules:
• Repeating plaintext letters that would fall in the same pair are separated with a filler letter
such as "x" or "z".
• Plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row following the last.
• Plaintext letters that fall in the same column are each replaced by the letter beneath, with the
top element of the column following the last.
• Otherwise, each plaintext letter is replaced by the letter that lies in its own row
and the column occupied by the other plaintext letter.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext = meet me at the school house

Splitting into two-letter units => me et me at th es ch ox ol ho us ex
Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU
Strength of the Playfair cipher
The Playfair cipher is a great advance over simple monoalphabetic ciphers.
Since there are 26 letters, 26x26 = 676 digrams are possible, so identification of an individual
digram is more difficult.

Polyalphabetic ciphers
• Another way to improve on the simple monoalphabetic technique is to use different
monoalphabetic substitutions as one proceeds through the plaintext message.
• The general name for this approach is polyalphabetic cipher.
• All the techniques have the following features in common:
– A set of related monoalphabetic substitution rules is used.
– A key determines which particular rule is chosen for a given transformation.

Monoalphabetic Cipher

In this technique, rather than just shifting the alphabet, we shuffle (jumble) the letters
arbitrarily.

Each plaintext letter maps to a different random cipher text letter, hence the key is 26 letters long.

Since any permutation of the alphabet can be used as a key, there are 26! ≈ 4 × 10^26 keys.

In this method, one letter is substituted for another, hence the name monoalphabetic cipher.

For example, the key table represented as below,

Plain: abcdefghijklmnopqrstuvwxyz

Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN

By using above key table we converted the plain text to cipher text as below,
Plaintext: ifwewishtoreplaceletters

Cipher text: WIRFRWAJUHYFTSDVFSFUUFYA

Breaking the Monoalphabetic Cipher

We break a monoalphabetic cipher using frequency analysis.

For example, given the ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ

VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX

EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

• Not all English letters are equally commonly used. In English, E is by far the most common
letter, followed by T, R, N, I, O, A, S. Other letters like Z, J, K, Q, X are fairly rare.

• Tables of single, double and triple letter frequencies exist for various languages.

The relative frequencies of each letter are given below.

• Key concept - monoalphabetic substitution ciphers do not change relative letter
frequencies

• Discovered by Arabian scientists in the 9th century

• Calculate the letter frequencies of the ciphertext

• Compare counts/plots against the known values

• For a monoalphabetic cipher each letter must be identified

• Tables of common double/triple letters help

For the ciphertext given above:

• Count the relative letter frequencies of the cipher text as below.

• From the cipher text letter frequency table, P and Z have the highest values, so we replace
these letters with the letters of highest value in the English frequency table, i.e. e and t, and so on.

• Do the same for double and triple letters; for example, ZW is “th” and hence ZWP is “the”.
Two-letter combinations are known as digrams and three-letter combinations as trigrams.

• Proceeding by trial and error, we finally get the plain text:

it was disclosed yesterday that several informal but direct contacts have been made with
political representatives of the viet cong in moscow
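The frequency-analysis attack described above, as an added Python example that is not part of the original compendium; it uses the key table and the ciphertext printed in the text, and the function names are my own.

```python
"""Monoalphabetic substitution and the frequency-analysis attack described above.

Added example, not part of the original compendium; the key table and the
ciphertext are the ones printed in the text, the function names are my own.
"""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase
# Key table from the text: plaintext a..z maps to these ciphertext letters.
KEY = "DKVQFIBJWPESCXHTMYAUOLRGZN"
# Most common English letters in the order the text lists them.
ENGLISH_ORDER = "etrnioas"
# The ciphertext the text analyses (its three printed lines joined).
CIPHERTEXT = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
              "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
              "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")


def mono_encrypt(plaintext: str, key: str = KEY) -> str:
    """Replace each letter by its key-table letter; other characters pass through."""
    return plaintext.lower().translate(str.maketrans(ALPHABET, key))


def mono_decrypt(ciphertext: str, key: str = KEY) -> str:
    return ciphertext.upper().translate(str.maketrans(key, ALPHABET))


def letter_counts(text: str) -> list:
    """(letter, count) pairs, most frequent first; letters only."""
    return Counter(c for c in text.upper() if c.isalpha()).most_common()


def digram_counts(text: str) -> Counter:
    """Counts of adjacent letter pairs (digrams), e.g. how often ZW occurs."""
    letters = [c for c in text.upper() if c.isalpha()]
    return Counter(a + b for a, b in zip(letters, letters[1:]))


def guess_mapping(ciphertext: str, n: int = 2) -> dict:
    """First step of the attack: pair the n most frequent ciphertext letters
    with the n most frequent English letters (P -> e, Z -> t in the text)."""
    ranked = [letter for letter, _ in letter_counts(ciphertext)]
    return dict(zip(ranked[:n], ENGLISH_ORDER[:n]))


def apply_guess(ciphertext: str, mapping: dict) -> str:
    """Partial decryption; letters not yet guessed are shown as '_'."""
    return "".join(mapping.get(c, "_") if c.isalpha() else c
                   for c in ciphertext.upper())


def frequencies_preserved(plaintext: str, key: str = KEY) -> bool:
    """The key concept of the text: the cipher only renames letters, so the
    multiset of letter counts is the same before and after encryption."""
    before = sorted(n for _, n in letter_counts(plaintext))
    after = sorted(n for _, n in letter_counts(mono_encrypt(plaintext, key)))
    return before == after
```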
Caesar cipher Example:
Problem: Plain text message: attackatdawn. Encrypt the message to generate the
cipher text with key = 3.

Solution: To do encryption

1. Write down the alphabet a to z and number it from 0 to 25 as shown below

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

2. Encryption is represented as C = E(P) = (P + K) mod 26, where C is the cipher text, P the
plain text and K the key.

3. Take the values of the characters from the table.

3.1 Add the key to each character of the plain text and replace the character with the one
associated with the resulting value in the table to get the cipher text as follows:
4. Plain text: "attack at dawn", key: 3
P + k     value         cipher text
a + 3 =   0 + 3 = 3     = d
t + 3 =   19 + 3 = 22   = w
t + 3 =   19 + 3 = 22   = w
a + 3 =   0 + 3 = 3     = d
c + 3 =   2 + 3 = 5     = f
k + 3 =   10 + 3 = 13   = n
a + 3 =   0 + 3 = 3     = d
t + 3 =   19 + 3 = 22   = w
d + 3 =   3 + 3 = 6     = g
a + 3 =   0 + 3 = 3     = d
w + 3 =   22 + 3 = 25   = z
n + 3 =   13 + 3 = 16   = q

cipher text: "dwwdfndwgdzq"

Perform the mod operation only when the value reaches 26 or more.

Solution: To decrypt the cipher text to generate the plain text

Cipher text: "dwwdfndwgdzq"

1. Build the same table as above.

2. The formula to perform decryption is P = D(C) = (C - K) mod 26, where P is the plain text,
C the cipher text and K the key.

3.1 Subtract the key from each character of the cipher text and replace the character with the
one associated with the resulting value in the table to get the plain text as follows:

C - k     value         plain text
d - 3 =   3 - 3 = 0     = a
w - 3 =   22 - 3 = 19   = t
w - 3 =   22 - 3 = 19   = t
d - 3 =   3 - 3 = 0     = a
f - 3 =   5 - 3 = 2     = c
n - 3 =   13 - 3 = 10   = k
d - 3 =   3 - 3 = 0     = a
w - 3 =   22 - 3 = 19   = t
g - 3 =   6 - 3 = 3     = d
d - 3 =   3 - 3 = 0     = a
z - 3 =   25 - 3 = 22   = w
q - 3 =   16 - 3 = 13   = n

Plain text: "attackatdawn"

Check whether the value is positive or negative:

if the value is negative, subtract its magnitude from 26.

Example: if the cipher text value is 7 and the key is 11, then 7 - 11 = -4 (do 26 - 4 = 22, i.e. for 22 the plain text letter is w).

Breaking the shift cipher

Example: Let us say we have a cipher text "KRZ DUH BRX" generated by a shift cipher.

Solution: We carry out the brute force attack (try each key value k from 0 to 25) as follows:

For k=0:
Cipher text: K R Z D U H B R X
Plain text: k r z d u h b r x

For k=1:
Cipher text: K R Z D U H B R X
Plain text: j q y c t g a q w

For k=2:
Cipher text: K R Z D U H B R X
Plain text: i p x b s f z p v

For k=3:
Cipher text: K R Z D U H B R X
Plain text: h o w a r e y o u

For k=3 we obtain a meaningful plain text, namely "how are you", and hence we are done.
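The encryption, decryption and brute-force steps worked above, as an added Python example that is not part of the original compendium; the function names and the English letter-frequency table used to rank the 26 candidates are my own additions.

```python
"""Caesar (shift) cipher: encryption, decryption and the brute-force attack.

Added example, not part of the original compendium; function names and the
English letter-frequency table (percentages) are my own additions.
"""
import string

ALPHABET = string.ascii_lowercase

# Relative frequency (%) of each letter a..z in English text; used only to
# rank brute-force candidates so the analyst does not read all 26 by eye.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
    0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
    2.758, 0.978, 2.360, 0.150, 1.974, 0.074]))


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = (p + k) mod 26 for each letter; cipher text in capitals as in the text."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)            # spaces and punctuation pass through
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """P = (C - k) mod 26. Python's % maps a negative value such as
    7 - 11 = -4 to 22, the same "add 26" correction the text describes."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Sum of the letter frequencies: English-looking text scores higher."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.lower())


def brute_force(ciphertext: str) -> list:
    """Try every key k = 0..25, as in the "KRZ DUH BRX" example; the tiny
    key space is the weakness of the shift cipher."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]


def rank_candidates(ciphertext: str) -> list:
    """The 26 candidates sorted best first by English letter frequency."""
    return sorted(brute_force(ciphertext),
                  key=lambda kp: english_score(kp[1]), reverse=True)
```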
Hill Cipher Encryption

1. Assign each letter in the alphabet a number between 0 and 25.
2. Change the message into 2 x 1 letter vectors and then numeric vectors.
3. Multiply each numeric vector by the encryption matrix.
4. Convert the product vectors to letters.
5. In general terms the Hill cipher can be expressed as:
C = E(K, P) = P * K mod 26
P = D(K, C) = C * K^-1 mod 26

Problem: Encrypt the plaintext message "HELLO WORLD" with the keyword bcde, given as the 2 x 2 matrix

2 1
3 4

Solution:

• Letter to number substitution table

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• Message to encrypt = HELLO WORLD

• Change the message into 2 x 1 letter vectors and numeric vectors.

• Multiply each numeric vector by the key matrix.

• Reduce the result mod 26.

• Convert the result (numbers) to letters.

• Final step: HELLO WORLD has been encrypted to SLHZY ATGZT

Hill cipher Decryption:
• First calculate the inverse of the key
• Change the cipher text message into 2 x 1 letter vectors
• Change each vector into a 2 x 1 numeric vector
• Multiply each numeric vector by the decryption matrix
• Convert the new vectors to letters

• First calculate the inverse of the key

2 1
3 4

• Change the cipher text to vectors

• Message to decrypt = SLHZYATGZT
• Multiply the vectors with the inverse key matrix

• Reduce the result mod 26

• Convert the new vectors to letters

Final step: SLHZYATGZT has been decrypted to HELLO WORLD
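The Hill encryption and decryption steps above, as an added Python example that is not the compendium's own code; function names are mine, and it adds the invertibility check (gcd(det, 26) = 1) that a key matrix must pass before it can be used.

```python
"""Hill cipher with a 2x2 key: encryption, the modular inverse of the key,
and the invertibility check a key must pass.

Added example, not part of the original compendium; function names are my own.
"""
from math import gcd

MOD = 26


def letters_to_numbers(text: str) -> list:
    """A=0 .. Z=25, ignoring spaces and punctuation."""
    return [ord(c) - ord("A") for c in text.upper() if c.isalpha()]


def numbers_to_letters(nums: list) -> str:
    return "".join(chr(n % MOD + ord("A")) for n in nums)


def key_from_word(word: str) -> list:
    """Four letters -> 2x2 matrix filled row by row (e.g. the key "hill")."""
    a, b, c, d = letters_to_numbers(word)
    return [[a, b], [c, d]]


def mod_inverse(a: int) -> int:
    """Smallest x with a*x = 1 (mod 26); a has one only if gcd(a, 26) == 1."""
    for x in range(1, MOD):
        if (a * x) % MOD == 1:
            return x
    raise ValueError("%d has no inverse mod %d" % (a, MOD))


def inverse_key(k: list) -> list:
    """K^-1 = det^-1 * adj(K) mod 26, the matrix used for decryption."""
    det = (k[0][0] * k[1][1] - k[0][1] * k[1][0]) % MOD
    if gcd(det, MOD) != 1:
        raise ValueError("key matrix not invertible mod 26 (det = %d)" % det)
    det_inv = mod_inverse(det)
    adj = [[k[1][1], -k[0][1]], [-k[1][0], k[0][0]]]
    return [[(det_inv * x) % MOD for x in row] for row in adj]


def _apply(k: list, text: str, pad: str = "X") -> str:
    """Multiply every 2x1 column vector of the text by k, reduce mod 26."""
    nums = letters_to_numbers(text)
    if len(nums) % 2:
        nums.append(ord(pad) - ord("A"))  # odd length: pad the last vector
    out = []
    for i in range(0, len(nums), 2):
        p0, p1 = nums[i], nums[i + 1]
        out.append(k[0][0] * p0 + k[0][1] * p1)
        out.append(k[1][0] * p0 + k[1][1] * p1)
    return numbers_to_letters(out)


def hill_encrypt(plaintext: str, k: list) -> str:
    inverse_key(k)          # refuse a key that could never be decrypted
    return _apply(k, plaintext)


def hill_decrypt(ciphertext: str, k: list) -> str:
    return _apply(inverse_key(k), ciphertext)
```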

Playfair Cipher

• In the Playfair cipher, initially a 5x5 table is created.

• First fill the table with the given key (without any repeating characters); the remaining
cells are filled with the remaining letters of the alphabet in sequence, excluding the characters of the
keyword. I/J must be filled in the same cell.

• The plain text message is split into pairs of two letters (digraphs). If there is an odd number of
letters, Z is added to the last letter.

• The rules of encryption are

1) If both the letters are in the same column, take the letter below each one (going back
to the top if at the bottom)

2) If both letters are in the same row, take the letter to the right of each one (going back
to the left if at the farthest right)

3) If neither of the preceding two rules applies, form a rectangle with the two letters and
take the letters on the horizontal opposite corners of the rectangle.
Example

Problem: encrypt the message hide money with key tutorials

Solution:

Step 1:

First fill the table with the key:

T U O R I
A L S B C
D E F G H
K M N P Q
V W X Y Z

Step 2:
• Next, the plaintext message is split into pairs of two letters (digraphs). If there is an odd
number of letters, a Z is added to the last letter. Let us say we want to encrypt the
message “hide money”. It will be written as −

HI DE MO NE YZ

• If both the letters are in the same column, take the letter below each one (going back to
the top if at the bottom). ‘H’ and ‘I’ are in the same column, hence take the letters below them to
replace. HI → QC

• If both letters are in the same row, take the letter to the right of each one (going back to
the left if at the farthest right). ‘D’ and ‘E’ are in the same row, hence take the letters to the right of
them to replace. DE → EF

• If neither of the preceding two rules applies, form a rectangle with the two letters and
take the letters on the horizontal opposite corners of the rectangle.

Using these rules, the result of the encryption of ‘hide money’ with the key of ‘tutorials’ would
be − QC EF NU MF ZV
Decrypting the Playfair cipher

It is as simple as doing the same process in reverse. The receiver has the same key and can create the
same key table, and then decrypt any messages made using that key.

T U O R I
A L S B C
D E F G H
K M N P Q
V W X Y Z

Step 1: Given cipher text is QC EF NU MF ZV

If both the letters are in the same column, take the letter above each one (going back to the bottom if
at the top). ‘Q’ and ‘C’ are in the same column, hence take the letters above them to replace. QC → HI

Step 2:

‘E’ and ‘F’ are in the same row, hence take the letters to the left of them to replace. EF → DE

Step 3:

‘N’ and ‘U’ are neither in the same row nor in the same column, hence form a rectangle
and replace with the opposite corner letters. N → M and U → O

Using these rules, the result of the decryption of ‘QC EF NU MF ZV’ with the key of ‘tutorials’
would be – hide money
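The Playfair key square, digraph preparation and the three substitution rules, covering both worked examples (keyword monarchy above, and hide money with key tutorials here), as an added Python example that is not part of the original compendium; function names are my own.

```python
"""Playfair cipher: key-square construction, digraph preparation and the
three substitution rules, run forwards for encryption and backwards for
decryption.

Added example, not part of the original compendium; function names are my own.
"""


def build_square(keyword: str) -> list:
    """5x5 square: keyword letters (no repeats) then the rest of the alphabet,
    with I and J sharing one cell (J is written as I)."""
    seen = []
    for ch in (keyword + "abcdefghiklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return ["".join(seen[r * 5:(r + 1) * 5]).upper() for r in range(5)]


def _positions(square: list) -> dict:
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def prepare_digraphs(plaintext: str, filler: str = "X") -> list:
    """Split into pairs; a repeated letter inside one pair gets the filler
    between, and an odd trailing letter is padded with the filler."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:                 # e.g. "oo" in "school" -> "OX", then "OL"
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _shift_pair(pair: str, square: list, direction: int) -> str:
    """direction=+1 encrypts, -1 decrypts (the same rules run in reverse)."""
    pos = _positions(square)
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                   # same row: move right (or left), wrapping
        return square[r1][(c1 + direction) % 5] + square[r2][(c2 + direction) % 5]
    if c1 == c2:                   # same column: move down (or up), wrapping
        return square[(r1 + direction) % 5][c1] + square[(r2 + direction) % 5][c2]
    return square[r1][c2] + square[r2][c1]   # rectangle: swap the columns


def playfair_encrypt(plaintext: str, keyword: str, filler: str = "X") -> str:
    square = build_square(keyword)
    return "".join(_shift_pair(p, square, +1)
                   for p in prepare_digraphs(plaintext, filler))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Returns the letters including any filler; the reader drops the padding."""
    square = build_square(keyword)
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    pairs = [letters[i:i + 2] for i in range(0, len(letters), 2)]
    return "".join(_shift_pair(p, square, -1) for p in pairs)
```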

Week-2 Assignment

Solve the following using the Caesar cipher

1. Encrypt the following plain text using key k = 7.

Plain Text : Welcome to the toga party

2. Given a cipher text, find out the corresponding plain text using a brute force attack.
Cipher text : HAAHJR HA KHDU
3. Generate the cipher text using the Hill cipher for the plaintext FAIR with key hill.
4. Decrypt the cipher text SLHZY ATGZT with the Hill cipher by using the key
2 1
3 4
5. Draw the 5*5 matrix of the Playfair cipher with keyword hello world.

6. Using the Playfair cipher with key monarchy decrypt the cipher text YIEAESVKEZ
Multiple Choice Questions

1. Monoalphabetic and Polyalphabetic are two broad categories of [NPTEL]

(A) Substitution cipher (B) Transposition cipher (C) Stream cipher (D) Block cipher

ANS:

2. Consider the Playfair cipher which has “playfair example” as key. The cipher
corresponding to the plain text “Hide the gold i” will be [NPTEL]
(A) BMOIZBXDNABX (B) BNODZBXDNABE (C) BHODZRXDNABE (D) BMODZBXDNABE

ANS:

3. The matrix theory is used in the ______ technique [self]


a) Hill Cipher
b) Monoalphabetic cipher
c) Playfair cipher
d) Vigenere Cipher

Answer:

4. In a substitution cipher the following happens [self]

a) Characters are replaced by other characters


b) Rows are replaced by columns
c) Columns are replaced by rows
d) None

Answer:

5. Shift cipher is sometimes referred to as the [self]


a) Caesar cipher
b) Play fair cipher
c) Hill cipher
d) Vigenere Cipher

Answer:

Answer the following questions

1) Explain various substitution techniques with suitable examples. [May 2017]

2) Consider the following
Plaintext: “PROTOCOL”
Secret key : “NETWORK”
What is the corresponding cipher text using the Playfair cipher method? [May 2016]
Lab Exercise

1. Write a Java program to perform encryption and decryption by using the Caesar cipher
algorithm
2. Write a Java program to perform encryption and decryption by using the substitution cipher
algorithm
3. Write a Java program to perform encryption and decryption by using the Hill cipher algorithm
Week-3

Transposition Techniques:

A very different kind of mapping is achieved by performing some sort of permutation on the
plaintext letters. This technique is referred to as a transposition cipher. The following are the
transposition techniques.

1.Rail Fence

2.Simple Columnar

3.Vernam Cipher/ One time Pad

1. Rail Fence Transposition Technique

It uses a simple technique:

• Write the plaintext message down as a sequence of diagonals (over the given number of rails).

• Read off the text written in the above step row-wise.
Example :
Let’s say we take the example of “INCLUDEHELP IS AWESOME” with 2 rails.

• So the Cipher-text is ICUEEPSWSMNLDHLIAEOW.


Decryption:
Steps :

1. Divide the cipher text into parts based on the number of rails.

2. Write down the parts row-wise.

Example :

Given cipher text is “ICUEEPSWSMNLDHLIAEOW”.

No. of rails = 2

1. ICUEEPSWSM NLDHLIAEOW
row 1 row 2

Obtained plain text is : INCLUDEHELP IS AWESOME

2. Simple Columnar Transposition Technique

In a columnar transposition, the message is written out in rows of a fixed length, and then read out
again column by column, with the columns taken in some scrambled order (based on the key).
Both the width of the rows and the permutation of the columns are usually defined by a keyword.

Plain text REPEAT ATTACK TONIGHT


Keyword HACK. The length of key is 4.
Alphabetical order of keyword= 3 1 2 4

Let’s Encrypt
1. Write the string in grid with 4 columns(keyword length)
H A C K
3 1 2 4
R E P E
A T A T
T A C K
T O N I
G H T
2. Pad them with letter ‘x’ in the empty space
3 1 2 4
R E P E
A T A T
T A C K
T O N I
G H T X
3. Read the columns in the alphabetical order of the keyword letters (1, 2, 3, 4) and concatenate them to get the cipher text
ETAOHPACNTRATTGETKIX
Let’s Decrypt,
Cipher text = ETAOHPACNTRATTGETKIX

Key = HACK
1. Identify key length and the row length
HACK=length is 4
Encrypted string length=20
20/4=5 it must be 5 rows
Grid is having 5 rows and 4 columns.

2. Arrange the string into the grid, filling it column-wise with the columns taken in the
alphabetical order of the keyword letters

3 1 2 4
R E P E
A T A T
T A C K
T O N I
G H T X
3. Read row wise omit extra padding
Plain text=REPEAT ATTACK TONIGHT
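The columnar transposition worked above, as an added example in Python (not code from the compendium): the keyword HACK gives the column order 3 1 2 4, padding is done with X, and decryption rebuilds the 5 x 4 grid column by column.

```python
# Added example (not from the compendium): columnar transposition with a
# keyword, following the worked example (key HACK, plaintext REPEAT ATTACK
# TONIGHT). Padding letter X is the one used in the text.
from math import ceil


def key_order(keyword):
    """Rank of each keyword letter in alphabetical order, e.g. HACK -> [3, 1, 2, 4].
    Repeated letters are ranked left to right."""
    ranked = sorted(range(len(keyword)), key=lambda i: (keyword[i], i))
    order = [0] * len(keyword)
    for rank, col in enumerate(ranked, start=1):
        order[col] = rank
    return order


def columnar_encrypt(plaintext, keyword, pad="X"):
    text = plaintext.replace(" ", "").upper()
    ncols = len(keyword)
    nrows = ceil(len(text) / ncols)
    text = text.ljust(nrows * ncols, pad)            # step 2: pad the last row
    rows = [text[r * ncols:(r + 1) * ncols] for r in range(nrows)]
    order = key_order(keyword)
    # step 3: read the columns in the alphabetical order of the keyword letters
    out = []
    for rank in range(1, ncols + 1):
        col = order.index(rank)
        out.append("".join(row[col] for row in rows))
    return "".join(out)


def columnar_decrypt(ciphertext, keyword, pad="X"):
    ncols = len(keyword)
    if len(ciphertext) % ncols:
        raise ValueError("ciphertext length must be a multiple of the key length")
    nrows = len(ciphertext) // ncols                  # 20 / 4 = 5 rows
    order = key_order(keyword)
    cols = [""] * ncols
    # fill the grid column-wise, columns taken in keyword alphabetical order
    for rank in range(1, ncols + 1):
        col = order.index(rank)
        cols[col] = ciphertext[(rank - 1) * nrows: rank * nrows]
    rows = ["".join(cols[c][r] for c in range(ncols)) for r in range(nrows)]
    # strip the padding; a genuine trailing X would be lost too, which is why
    # real systems carry the message length separately
    return "".join(rows).rstrip(pad)
```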
One Time Pad(Vernam Cipher)

The One Time Pad encryption method is a binary additive stream cipher, where a stream of truly
random keys is generated and then combined with the plain text for encryption or with the
ciphertext for decryption by an ‘exclusive OR’ (XOR) addition. It is possible to prove that a stream
cipher encryption scheme is unbreakable if the following preconditions are met.

OTP Rules:

1.The key must be as long as the plain text.

2. The key must be truly random.

3.The key must only be used once.

How does it work?

One Time Pad keys are used in pairs.

One copy of the key is kept by each user and the keys are distributed securely prior to encryption.

The encryption process

To encrypt plain text data, the sender uses a key string equal in length to the plain text.

The key is used by mixing (XOR-ing) bit by bit: each bit of the key with the corresponding bit of the plain text to
create a bit of cipher text.

This cipher text is then sent to the recipient.

At the recipient’s end, the encoded message is mixed (XOR-ed) with the duplicate copy of the One
Time Key and the plain text is restored.

Both sender’s and recipient’s keys are automatically destroyed after use, to ensure re-application
of the same key is not possible.
Encryption is defined as : ci = pi XOR ki

decryption is defined as : pi = ci XOR ki

XOR TABLE
Decryption :

1. Write the relative numbers for the given cipher text and keyword.
2. Convert those numbers to the binary format of each character in the cipher text and the
keyword.
3. Perform the XOR operation on the binary values of both the cipher text and the keyword to generate the
binary values of the plain text.
4. Convert the binary format to decimal and then represent each decimal as a character in the
plain text.
5. Decryption is defined as : pi = ci XOR ki

• Given cipher text is : “RKGGEFE” and keyword is : “HONESTY”
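A byte-level one-time pad as an added Python example (not code from the compendium): encryption and decryption are the same XOR, the key must match the data length, and the third rule is illustrated by what happens when a key is reused. The sample messages are constructed.

```python
# Added example (not from the compendium): a binary one-time pad with
# c_i = p_i XOR k_i, with the three OTP rules enforced or illustrated in code.
import os


def otp_keygen(length):
    """Rules 1 and 2: a truly random key exactly as long as the plaintext,
    taken from the operating system's random source."""
    return os.urandom(length)


def otp_xor(data, key):
    """Encryption and decryption are the same bit-by-bit XOR."""
    if len(key) != len(data):
        raise ValueError("the one-time pad key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def key_reuse_check(c1, c2):
    """Rule 3 illustrated: if one key encrypts two messages, c1 XOR c2 equals
    p1 XOR p2, i.e. the key has cancelled out and the two plaintexts are no
    longer hidden from each other. Returns that XOR so the property can be
    verified against the plaintexts."""
    return otp_xor(c1, c2)


if __name__ == "__main__":
    msg = b"meet at noon"                  # constructed sample message
    key = otp_keygen(len(msg))
    ct = otp_xor(msg, key)
    assert otp_xor(ct, key) == msg
    print(ct.hex(), "->", otp_xor(ct, key))
```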


Week - 3

Multiple Choice Questions

1. In Cryptography, original message, before being transformed, is called [self]

a) Simple Text
b) Plain Text
c) Empty Text
d) Filled Text
Ans:

2. In which cryptosystem, the order of the letters in a message is rearranged

(A) Transposition Cipher (B) Substitution Cipher (C) Both (A) and (B) (D) None of the
mentioned

Ans:

3. The process of writing the text as diagonals and reading it as a sequence of rows is called [self]

a) Rail fence
b) Caesar cipher
c) Mono-alphabetic cipher
d) Homophonic substitution cipher

Ans:

4. Vernam cipher is also called [self]

a) Rail fence technique


b) One-time pad
c) Book cipher
d) Running-key cipher

Ans:

Week-3 Assignment

1. What would be the transformation of the message “happy birthday to you” using the rail fence
technique?
2. The following message was received by Bob: ttnaaptmtsuoaodwcoixknlypetz, if the message was
encrypted using the simple transposition method with the key 4312567.

3. Encrypt the plain text “how are you” using the XOR operation to generate the cipher text.
Answer the following Questions

1) What is Steganography? Explain its features.


[May 2016 / Nov 2016]
2) Compare symmetric and asymmetric key cryptography.
[Nov 2016 / Dec 2017]
Unit-II Week-4
Feistel Cipher structure:
Feistel Cipher is not a specific scheme of block cipher. It is a design model from which
many different block ciphers are derived. DES is just one example of a Feistel Cipher. A
cryptographic system based on Feistel cipher structure uses the same algorithm for both
encryption and decryption.

Encryption Process: The encryption process uses the Feistel structure, consisting of multiple
rounds of processing of the plaintext, each round consisting of a “substitution” step followed by a
permutation step.

Feistel Structure is shown in the following illustration −

● The input block to each round is divided into two halves that can be denoted as L and R, for
the left half and the right half.
● In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes
through an operation that depends on R and the encryption key. First, we apply an encrypting
function ‘f’ that takes two inputs: the key K and R. The function produces the output f(R,K).
Then, we XOR the output of the function with L.
● In real implementations of the Feistel Cipher, such as DES, instead of using the whole
encryption key during each round, a round-dependent key (a subkey) is derived from the
encryption key. This means that each round uses a different key, although all these subkeys
are related to the original key.
● The permutation step at the end of each round swaps the modified L and the unmodified R.
Therefore, the L for the next round is the R of the current round, and the R for the next round
is the output L of the current round.
● The above substitution and permutation steps form a ‘round’. The number of rounds is
specified by the algorithm design.
● Once the last round is completed, the two sub-blocks ‘R’ and ‘L’ are concatenated in this order
to form the ciphertext block.

The difficult part of designing a Feistel Cipher is the selection of the round function ‘f’. In order to be
an unbreakable scheme,

Decryption Process:

The process of decryption in a Feistel cipher is almost the same. Instead of starting with a block
of plaintext, the ciphertext block is fed into the start of the Feistel structure and then the
process thereafter is exactly the same as described in the given illustration.

The process is said to be almost the same and not exactly the same. In the case of decryption, the
only difference is that the subkeys used in encryption are used in the reverse order.

The final swapping of ‘L’ and ‘R’ in last step of the Feistel Cipher is essential. If these are not
swapped then the resulting ciphertext could not be decrypted using the same algorithm.

Number of Rounds:
The number of rounds used in a Feistel Cipher depends on the security desired from the system.
More rounds provide a more secure system, but at the same time more rounds mean slower
encryption and decryption. The number of rounds in a system thus depends upon the
efficiency–security tradeoff.

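The Feistel structure described above, as an added Python example (not code from the compendium): a 64-bit block, a hypothetical round function f (any function of R and K works), one routine that encrypts with K1..Kn and decrypts with the same subkeys reversed, and a switch that shows why the final swap is essential.

```python
# Added example (not from the compendium): a Feistel network on a 64-bit block
# with a HYPOTHETICAL round function f. The same routine encrypts with subkeys
# K1..Kn and decrypts with them in reverse order.
MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def f(right, subkey):
    """Hypothetical round function f(R, K). It need not be invertible: the
    structure only ever recomputes f, it never inverts it."""
    return rotl32((right + subkey) & MASK32, 3) ^ subkey


def feistel(block, subkeys, final_swap=True):
    """One pass over the structure; key order decides encrypt vs decrypt."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, left ^ f(right, k)
    if final_swap:
        left, right = right, left          # swap after the last round
    return (left << 32) | right


def feistel_encrypt(block, subkeys):
    return feistel(block, subkeys)


def feistel_decrypt(block, subkeys):
    """Same algorithm, subkeys in reverse order (K_n first, K_1 last)."""
    return feistel(block, list(reversed(subkeys)))


if __name__ == "__main__":
    keys = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(16)]   # constructed
    pt = 0x0123456789ABCDEF
    ct = feistel_encrypt(pt, keys)
    assert feistel_decrypt(ct, keys) == pt
    # without the final swap the same routine does NOT undo the encryption
    bad = feistel(feistel(pt, keys, False), keys[::-1], False)
    print(f"{pt:016x} -> {ct:016x}; decrypt without final swap recovers plaintext: {bad == pt}")
```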
DATA ENCRYPTION ALGORITHM

DES ENCRYPTION:

● Plaintext is broken into blocks of length 64 bits. Encryption is blockwise.
● A message block first goes through an initial permutation IP, then is divided into two parts
L0 and R0, where L0 is the left 32 bits and R0 is the right 32 bits.
● Round i has input Li-1, Ri-1 and output Li, Ri:

Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki)

where Ki is the subkey for the i-th round and 1 ≤ i ≤ 16:
L1 = R0, R1 = L0 ⊕ f(R0, K1)
L2 = R1, R2 = L1 ⊕ f(R1, K2)
................ ..........................
L16 = R15, R16 = L15 ⊕ f(R15, K16)
● After round 16, L16 and R16 are swapped, so that the decryption algorithm has the same
structure as the encryption algorithm.
● Finally, the block goes through the inverse permutation IP-1 and is then output.
● One round of DES in a very simple way during encryption:

DES DECRYPTION:

● Observation: In encryption, we have

Li = Ri-1, Ri = Li-1 ⊕ f(Ri-1, Ki) ...... (1)

● where Ki is the subkey for the i-th round. Hence

Ri-1 = Li, Li-1 = Ri ⊕ f(Li, Ki) for each i

● Due to the swap operation after the 16th round of encryption, the output of encryption is
IP-1(R16, L16).
● Rewriting equation (1) round by round, from the last round to the first:

R15 = L16, L15 = R16 ⊕ f(L16, K16)

R14 = L15, L14 = R15 ⊕ f(L15, K15)

................ ..........................
R1 = L2, L1 = R2 ⊕ f(L2, K2)

● If we give IP-1(R16, L16) as the input to the same algorithm with round
subkeys (K16, K15, ......, K1), then the output is IP-1(L0, R0), the original message block.
● Decryption is performed using the same algorithm, except that K16 is used in the first
round, K15 in the second, and so on, with K1 used in the 16th round.
● One round of DES in a very simple way during decryption:

Initial permutations

● DES has an initial permutation before the 16 rounds and a final permutation after them.
● These permutations are inverses of each other and operate on 64 bits.
● They have no cryptographic significance.

● The initial permutation looks like this:

(X1, X2, ......, X64) -------> (XIP(1), XIP(2), ......, XIP(64))

● The final permutation looks like this:

(X1, X2, ......, X64) -------> (XIP-1(1), XIP-1(2), ......, XIP-1(64))

One round of the DES:

DES Expansion

● Input 32 bits
● Output 48 bits

DES S-Box(substitution box):

● 8 "substitution boxes" or S-boxes
● Each S-box maps 6 bits to 4 bits

S-Box(1)

● Row index: the combination of the first and last bit gives the row number
● Column index: the remaining 4 bits give the column number
● What is the output if the input is 101000?

Row = 10 = 2, Column = 0100 = 4

● We have to look at row 2 and column 4 (counting from 0); the output is 13.
● Here you can see the importance of the S-box: it takes 6 bits as input and gives 4 bits as
output.

Properties of the S-box

- The outputs are a non-linear combination of the inputs
- Change one bit of the input, and half of the output bits change (Avalanche Effect)
- Each output bit is dependent on all the input bits

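The S-box lookup and the avalanche property above, as an added Python example (not code from the compendium): DES S-box 1 from FIPS 46, the outer-bits/inner-bits indexing, and a check over all 64 inputs of how many output bits change when one input bit is flipped.

```python
# Added example (not from the compendium): DES S-box 1 lookup with the
# row/column indexing described above, plus an avalanche measurement.
# S1 is the first DES S-box as published in FIPS 46.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(box, six_bits):
    """6-bit input -> 4-bit output. Row = first and last bit (b5 b0),
    column = the middle four bits (b4 b3 b2 b1)."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def avalanche_stats(box):
    """For every input and every single input-bit flip, count how many of the
    4 output bits change. Returns {changed_bits: occurrences}; a good S-box
    never leaves the output unchanged and changes about half the bits on average."""
    counts = {}
    for x in range(64):
        for bit in range(6):
            diff = sbox_lookup(box, x) ^ sbox_lookup(box, x ^ (1 << bit))
            changed = bin(diff).count("1")
            counts[changed] = counts.get(changed, 0) + 1
    return counts


def average_changed_bits(box):
    stats = avalanche_stats(box)
    return sum(k * v for k, v in stats.items()) / sum(stats.values())


if __name__ == "__main__":
    print("S1(101000) =", sbox_lookup(S1, 0b101000))      # worked example above
    print("avalanche histogram:", avalanche_stats(S1))
    print("average output bits changed per input-bit flip:", average_changed_bits(S1))
```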
The Function f(x,k):

● This is called the Feistel function or round function
● Function f is nothing but a mixing of X and K

DES p-box(Permutation Box):

● Input 32 bits
● Output 32 bits
● The output bits are just a transposition of the input bits
DES subkey:

● Input key size: 64 bits, of which 8 are parity bits
● 56-bit DES key, bits 0, 1, 2, ........, 55

Permuted choice 1:
PC-1: The permutation PC-1 (permuted choice 1) discards the parity bits and transposes
the remaining 56 bits as below:
Key Permutation PC-1:

● without positions 8, 16, 24, 32, 40, 48, 56, 64, marked with "F"
● Simply put, PC-1 is a permutation of {1, 2, 3, ......, 64} − {8, 16, 24, 32, 40, 48, 56, 64}

Left shift operation

LSi: Each LSi is a circular shift by some number of positions. The number of shifted positions is given below:
● For rounds 1, 2, 9 and 16 the shift is 1, and for all the remaining rounds the shift is 2
● PC-2: Permuted choice 2 selects 48 bits from the 56-bit input

PC-2

● The 48 bits obtained after permuted choice 2 form the round key

BlowFish :
Block cipher: 64-bit block
Variable key length: 32 bits to 448 bits
Designed by Bruce Schneier
Much faster than DES and IDEA
Unpatented and royalty-free
No license required

Blowfish is a symmetric encryption algorithm developed by Bruce Schneier to replace the Data
Encryption Standard (DES). Blowfish is in the public domain, making it freely available for
anyone to use.

Blowfish is a 16-round Feistel cipher. Its block size is 64 bits and key sizes range from 32 to 448
bits.

Encryption with Blowfish has two main stages: sixteen iterations of the round function and an
output operation.
Blowfish round function:
The round function in Blowfish encryption has four stages (see diagram above):

1.Key whitening of the left side of the input with the rth round key
2.Application of the S-Boxes and combination of their results
3.Exclusive-or of the right side of the input with the output of the F function (key whitening, S-
Boxes and combination of S-Box output)
4.Swapping the sides of the output

In the key-whitening stage, the left side of the input is exclusive-ored with the round key for the
given round.

The S-Boxes perform an 8-bit to 32-bit mapping. The S-Boxes are set as part of the key generation
algorithm. The output of an S-Box for an input of n is the nth value in the S-Box.

The outputs of the S-Boxes are combined through a mixture of addition and exclusive-or. The
outputs of the first two S-Boxes are added together modulo 2^32. The result is exclusive-ored
with the output of the third S-Box, and the result of that is added modulo 2^32 to the output of the
fourth S-Box. More formally, the result, R, of applying this sequence to input, I, is reached
through the following equations (where a[0:5] refers to the first 5 bits of a):

A = S0(I[0:8]) + S1(I[8:16]) mod 2**32
B = A ^ S2(I[16:24])
R = B + S3(I[24:32]) mod 2**32
Like other Feistel functions, the output of this is exclusive-ored with the other side of the input
(the right side in this case) and the two sides of the input are swapped before entering the
next round.

Blowfish output function:


The final stage of the Blowfish cipher involves two steps: reversing the final swap and performing
output whitening. In output whitening, the right side of the output (after being swapped) is
exclusive-ored with the seventeenth round key and the left side is exclusive-ored with the
eighteenth round key. The result of this is the Blowfish ciphertext.

Blowfish Key Schedule (and S-box generation):

Generating Round Keys and S-box:


Generation of the round key is performed in rounds where each round generates two round key
values. The process is as follows:

1. Initialize P and S-Boxes as described above


2. Exclusive-or P1 with the first 32 key bits, P2 with the next 32 bits and so on until all of
the key has been exclusive-ored (since the key is shorter than P, parts of it will be used
multiple times to cover all of P)
3. Set the initial input to zero
4. Encrypt the input using the current version of P as the round keys
5. Set the first two unreplaced values of P to the value of the ciphertext from step 4
6. Set the input to the ciphertext from step 4
7. Repeat steps 4 through 6 until all of P has been replaced
8. Use the resulting value of P as the round keys in encryption
9. Repeat steps 4 through 6, replacing values of the S-Boxes two at a time until all S-Box
values have been replaced.
Since P contains 18 words and the S-Boxes each contain 256 words, there is a total of 18 + 4*256
= 1042 values to replace, which will take 521 iterations of steps 4 through 6 of the above
algorithm to complete.

The Blowfish key schedule: The encryption operation is same as the one described in the
previous section. Output splitting and entering into two boxes indicates updating the next two
values of P or the relevant S-Box. Lines that loop back and join with a previous line indicate
that on the next iteration, the updated value is used.

Since the S-Box values are used in all rounds of encryption and are set last, it is necessary to
complete the key schedule before performing encryption

Decryption with Blowfish:


Because Blowfish is a Feistel cipher, the same structure can be used for encryption and
decryption as long as the round keys are used in reverse order.

Advantages of Blowfish:
1. Blowfish is in the public domain, allowing it to be freely used for any purpose.
2. After the key schedule has completed, Blowfish is a relatively fast block cipher due to the small
number of rounds (sixteen) and the simplicity of the round operation (a few modular
additions and exclusive-ors).

Disadvantages of Blowfish:
1. The key schedule in Blowfish is rather time-consuming (equivalent to encryption of about 4 KB
of data). However, this can be an advantage in some circumstances as protection against
brute-force attacks.
2. The small block size of Blowfish (64 bits) is more vulnerable to birthday attacks than the 128
bits used by AES.
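The Blowfish structure described above (F function, 16 rounds with P-array whitening, output whitening, and the key schedule that replaces 1042 values in 521 encryptions), as an added Python example that is not the compendium's code and is not real Blowfish: the initial P and S values are constructed fillers standing in for the pi-derived constants, so its outputs will not match a real Blowfish implementation.

```python
# Added example (not from the compendium and not real Blowfish): the cipher
# structure from the text with CONSTRUCTED initial P and S values in place of
# the real pi-derived constants.
MASK32 = 0xFFFFFFFF


def initial_constants():
    """Constructed filler values; the real cipher initialises P and the four
    S-boxes from the hexadecimal digits of pi."""
    P = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(18)]
    S = [[(0x01000193 * (j * 256 + i + 1)) & MASK32 for i in range(256)]
         for j in range(4)]
    return P, S


def F(x, S):
    """A = S0[I[0:8]] + S1[I[8:16]] mod 2^32;  B = A ^ S2[I[16:24]];
    R = B + S3[I[24:32]] mod 2^32   (I[0:8] is the most significant byte)."""
    a = (S[0][x >> 24] + S[1][(x >> 16) & 0xFF]) & MASK32
    b = a ^ S[2][(x >> 8) & 0xFF]
    return (b + S[3][x & 0xFF]) & MASK32


def encrypt_block(L, R, P, S):
    for r in range(16):
        L ^= P[r]          # 1. key whitening of the left side with round key r
        R ^= F(L, S)       # 2-3. S-boxes and combination, XOR into the right side
        L, R = R, L        # 4. swap the sides
    L, R = R, L            # output stage: reverse the final swap
    R ^= P[16]             # output whitening with the 17th round key
    L ^= P[17]             # and the 18th round key
    return L, R


def decrypt_block(L, R, P, S):
    """Feistel property: the same routine with the round keys in reverse order."""
    return encrypt_block(L, R, P[::-1], S)


def key_schedule(key):
    """Steps 1-9 of the text. Returns P, S and the number of block
    encryptions performed (18 + 4*256 = 1042 values, two per encryption)."""
    if not 4 <= len(key) <= 56:
        raise ValueError("Blowfish keys are 32 to 448 bits")
    P, S = initial_constants()                       # step 1
    pos = 0
    for i in range(18):                              # step 2: P XOR key, cycling
        word = 0
        for _ in range(4):
            word = (word << 8) | key[pos % len(key)]
            pos += 1
        P[i] ^= word
    L = R = 0                                        # step 3
    encryptions = 0
    for i in range(0, 18, 2):                        # steps 4-8: replace P
        L, R = encrypt_block(L, R, P, S)
        encryptions += 1
        P[i], P[i + 1] = L, R
    for j in range(4):                               # step 9: replace the S-boxes
        for i in range(0, 256, 2):
            L, R = encrypt_block(L, R, P, S)
            encryptions += 1
            S[j][i], S[j][i + 1] = L, R
    return P, S, encryptions
```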
Multiple choice questions

1. Which operation is used in the Feistel cipher? [nptel]

(A) AND (B) OR (C) XOR (D) NOR

ANS:

2. Which cipher is commonly used in network-based symmetric cryptographic applications? [nptel]

(A) Linear cipher (B) Block cipher (C) Permutation cipher (D) Stream cipher

ANS:

3. How many rounds does a Data Encryption Standard (DES) system have, with an initial
and final permutation block? [nptel]

(A) 14 rounds (B) 15 rounds (C) 16 rounds (D) none of these

ANS:
Answer the following Questions

Questions:

1. Explain the strength of DES.

2. Explain one round function in DES.

3. Write about the Blowfish algorithm in detail.


Lab Exercise
1.Write a program to implement DES
2. Write a program to implement Blowfish
Week-5

The AES Cipher – Rijndael

• Designed by Rijmen and Daemen in Belgium
• It has 128/192/256-bit keys, 128-bit data
• It is an iterative rather than a Feistel cipher
– processes data as a block of 4 columns of 4 bytes
– operates on the entire data block in every round
• Designed to be:
– resistant against known attacks
– fast and compact in code on many CPUs
– simple in design

AES Encryption Process

AES Structure
• The data block of 4 columns of 4 bytes is the state
• The key is expanded to an array of words
• It has 9/11/13 rounds in which the state undergoes:
  • byte substitution (1 S-box used on every byte)
  • shift rows (permute bytes between groups/columns)
  • mix columns (substitution using matrix multiplication of groups)
  • add round key (XOR state with key material)
  • viewed as alternating XOR of key and scrambling of data bytes
• Initial XOR of key material and an incomplete last round
• With fast XOR and table lookup implementation

AES Structure
AES Round

Substitute Bytes

• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
• e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}
• S-box constructed using a defined transformation of values in GF(2^8)
• designed to be resistant to all known attacks
Substitute Bytes Example

Shift Rows

• a circular byte shift in each row
• 1st row is unchanged
• 2nd row does a 1-byte circular shift to the left
• 3rd row does a 2-byte circular shift to the left
• 4th row does a 3-byte circular shift to the left
• decrypt inverts using shifts to the right
• since the state is processed by columns, this step permutes bytes between the columns

Mix Columns

• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1

AES Arithmetic

• uses arithmetic in the finite field GF(2^8)
• with irreducible polynomial
m(x) = x^8 + x^4 + x^3 + x + 1
which is (1 0001 1011) or {11b}
• e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)
Add Round Key
• XOR state with 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption identical, since XOR is its own inverse, with reversed keys
• designed to be as simple as possible
• a form of Vernam cipher on the expanded key
• requires other stages for complexity / security

AES Key Expansion


Answer the following Questions
1. Explain AES Encryption Process with help of a neat diagram
2. Convert Plaintext “ Two One Nine Two” into Hex (hint: 16 ASCII characters, 1 byte each)
Lab Exercise

1.Write a C/JAVA program to implement the Rijndael algorithm logic


Week-6

RC4

• A symmetric key encryption algorithm invented by Ron Rivest.
• Normally uses 64-bit and 128-bit key sizes.
• Its most popular implementations are in WEP for 802.11 wireless networks and in SSL.
RC4 Block Diagram
• RC4 consists of 2 parts:
  • Key Scheduling Algorithm (KSA)
  • Pseudo-Random Generation Algorithm (PRGA)
• KSA
  • Generate the state array
• PRGA on the KSA output
  • Generate the key stream
  • XOR the key stream with the data to generate the encrypted stream
Encryption using RC4
• Choose a secret key.
• Run the KSA and PRGA using the key to generate a keystream.
• XOR the key stream with the data to generate the encrypted stream.
• Transmit the encrypted stream.
Decryption using RC4
• Use the same secret key as during the encryption phase.
• Generate the key stream by running the KSA and PRGA.
• XOR the key stream with the encrypted text to generate the plain text.
• The logic is simple:
(A xor B) xor B = A

A = Plain Text or Data

B = Key Stream
The KSA
The PRGA

RC4 Encryption working model


Overall Encryption Operation of RC4
RC4 Example problem

Let’s consider the stream cipher RC4, but instead of the full 256 bytes, we will use 8 x 3-bits. That is, the
state vector S is 8 x 3-bits. We will operate on 3-bits of plaintext at a time since S can take the values 0 to
7, which can be represented as 3 bits.

Assume we use a 4 x 3-bit key of K = [1 2 3 6]. And a plaintext P = [1 2 2 2]

Encryption

The first step is to generate the stream.


Initialize the state vector S and temporary vector T.
S is initialized so the S[i] = i, and T is initialized so it is the key K (repeated as necessary).
S = [0 1 2 3 4 5 6 7] ---state vector
T = [1 2 3 6 1 2 3 6] ---temporary array

Now perform the initial permutation on S.


j = 0;

for i = 0 to 7 do

j = (j + S[i] + T[i]) mod 8

Swap(S[i],S[j]);

End

For i = 0:

j = (0 + 0 + 1) mod 8

=1

Swap(S[0],S[1]);

S = [1 0 2 3 4 5 6 7]

For i = 1:

j=3

Swap(S[1],S[3])

S = [1 3 2 0 4 5 6 7];
For i = 2:

j=0

Swap(S[2],S[0]);

S = [2 3 1 0 4 5 6 7];

For i = 3:

j = 6;

Swap(S[3],S[6])

S = [2 3 1 6 4 5 0 7];

For i = 4:

j = 3

Swap(S[4],S[3])

S = [2 3 1 4 6 5 0 7];

For i = 5:

j=2

Swap(S[5],S[2]);

S = [2 3 5 4 6 1 0 7];

For i = 6:

j = 5;

Swap(S[6],S[4])

S = [2 3 5 4 0 1 6 7];

For i = 7:

j = 2;

Swap(S[7],S[2])

S = [2 3 7 4 0 1 6 5];

Hence, our initial permutation of S = [2 3 7 4 0 1 6 5];


Now we generate 3-bits at a time, k, that we XOR with each 3-bits of plaintext to produce the cipher text.

The 3-bits k is generated by:

i, j = 0;

while (true) {

i = (i + 1) mod 8;

j = (j + S[i]) mod 8;

Swap (S[i], S[j]);

t = (S[i] + S[j]) mod 8;

k = S[t]; }

The first iteration:

S = [2 3 7 4 0 1 6 5]

i = (0 + 1) mod 8

=1

j = (0 + S[1]) mod 8

=3

Swap(S[1],S[3])

S = [2 4 7 3 0 1 6 5]

t = (S[1] + S[3]) mod 8

=7

k = S[7] = 5

Remember, P = [1 2 2 2]

So our first 3-bits of cipher text is obtained by: k XOR P

5 XOR 1 = 101 XOR 001 = 100 = 4

The second iteration:

S = [2 4 7 3 0 1 6 5]
i = (1 + 1 ) mod 8

=2

j = (2 + S[2]) mod 8

=1

Swap(S[2],S[1])

S = [2 7 4 3 0 1 6 5]

t = (S[2] + S[1]) mod 8

=3

k = S[3] = 3

Second 3-bits of cipher text are:

3 XOR 2 = 011 XOR 010 = 001 = 1

The third iteration:

S = [2 7 4 3 0 1 6 5]

i = (2 + 1 ) mod 8

=3

j = (1 + S[3]) mod 8

= 4

Swap(S[3],S[4])

S = [2 7 4 0 3 1 6 5]

t = (S[3] + S[4]) mod 8

=3

k = S[3] = 0

Third 3-bits of cipher text are:

0 XOR 2 = 000 XOR 010 = 010 = 2

The final iteration:

S = [2 7 4 0 3 1 6 5]
i = (1 + 3 ) mod 8

=4

j = (4 + S[4]) mod 8

=7

Swap(S[4],S[7])

S = [2 7 4 0 5 1 6 3]

t = (S[4] + S[7]) mod 8 = 0

k = S[0] = 2

Last 3-bits of cipher text are:

2 XOR 2 = 010 XOR 010 = 000 = 0

So to encrypt the plaintext stream P = [1 2 2 2] with key K = [1 2 3 6] using our simplified RC4 stream cipher
we get C = [4 1 2 0].

(or in binary: P = 001010010010, K = 001010011110 and C = 100001010000)

Decryption

From the formula given above,

(P XOR K) XOR K=P

P XOR K = (001010010010 XOR 001010011110)

= 000000001100

(P XOR K) XOR K= 000000001100 XOR 001010011110

=001010010010
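The KSA and PRGA above as an added Python example (not code from the compendium), parameterised by the state size n so that the same code runs the 8-entry, 3-bit version of the worked problem (n = 8) and real RC4 (n = 256) on bytes. Note that the hand trace at i = 6 computes j = 5 but then swaps S[6] with S[4]; this code always swaps S[i] with S[j] as the KSA pseudocode states, so from that step on its state differs from the trace, and for K = [1 2 3 6], P = [1 2 2 2] it gives C = [4 3 2 3].

```python
# Added example (not from the compendium): RC4's KSA and PRGA with a
# configurable state size n (8 for the 3-bit example above, 256 for real RC4).
def ksa(key, n=256):
    """Key Scheduling Algorithm: S[i] = i, T = key repeated to length n,
    then n swaps driven by S and T."""
    S = list(range(n))
    T = [key[i % len(key)] for i in range(n)]
    j = 0
    for i in range(n):
        j = (j + S[i] + T[i]) % n
        S[i], S[j] = S[j], S[i]            # always swap S[i] with S[j]
    return S


def prga(S, count):
    """Pseudo-Random Generation Algorithm: one keystream unit per step."""
    n = len(S)
    i = j = 0
    stream = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + S[i]) % n
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % n
        stream.append(S[t])
    return stream


def rc4_xor(key, data, n=256):
    """Encrypt or decrypt: XOR each data unit with the next keystream unit.
    The same call with the same key reverses itself."""
    stream = prga(ksa(key, n), len(data))
    return [d ^ k for d, k in zip(data, stream)]


def rc4_bytes(key, data):
    """Real RC4 on byte strings (n = 256)."""
    return bytes(rc4_xor(list(key), list(data)))


if __name__ == "__main__":
    print("3-bit RC4, K=[1 2 3 6], P=[1 2 2 2]:", rc4_xor([1, 2, 3, 6], [1, 2, 2, 2], 8))
    print("RC4('Key', 'Plaintext') =", rc4_bytes(b"Key", b"Plaintext").hex())
```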
RC5:
• In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald
Rivest in 1994.
• RC5 has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to
255).
• The original suggested choices of parameters were a block size of 64 bits, a 128-bit key and 12 rounds.
PRINCIPLE:

• The plain text block size can be 32, 64 or 128 bits
• The key length can be 0 to 2040 bits
• The output resulting from RC5 is the cipher text, which has the same size as the input plain text.
• RC5 is represented by three parameters as
RC5 – w / r / b

where w = word size in bits,

r = number of rounds,
b = number of 8-bit bytes in the key.

Eg: RC5 – 32 /12/16

RC5 WORKING:

The following figure shows the RC5 working procedure:


DETAILED EXPLANATION OF ROUNDS:
Step 1: Initial one-time operation. Here the input plain text is divided into 2 equal-sized blocks A and B;
the first subkey S[0] is added to A and the subkey S[1] is added to B (giving C and D).

Step 2: XOR C and D

Step 3: Circular-left shift E; E is circular left shifted by D positions as shown in the figure:

Step 4: Add E and the next subkey

Step 5: XOR D and F

Step 6: Circular-left shift G

Step 7: Add G and the next subkey

Step 8: Miscellaneous tasks: check whether all rounds are completed or not

Mathematical Representation of RC5 Encryption:

Mathematical Representation of RC5 Decryption:
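RC5-w/r/b as an added Python example (not code from the compendium), run here as RC5-32/12/16 with the round steps labelled as in the text. The key-expansion constants P32 and Q32 and the mixing loop come from Rivest's RC5 specification, which the text does not reproduce; the all-zero key in the test is the specification's first test vector.

```python
# Added example (not from the compendium): RC5-w/r/b with the round structure
# described above. P32/Q32 and the key expansion follow Rivest's specification.
P32, Q32 = 0xB7E15163, 0x9E3779B9


class RC5:
    def __init__(self, key, w=32, r=12):
        self.w, self.r = w, r
        self.mask = (1 << w) - 1
        self.S = self._expand_key(key)          # t = 2(r + 1) subkeys

    def _rotl(self, x, n):
        n %= self.w                              # rotation amount mod word size
        return ((x << n) | (x >> (self.w - n))) & self.mask

    def _rotr(self, x, n):
        n %= self.w
        return ((x >> n) | (x << (self.w - n))) & self.mask

    def _expand_key(self, key):
        w, r = self.w, self.r
        u = w // 8                               # bytes per word
        b = len(key)
        c = max(1, (b + u - 1) // u)             # key words
        t = 2 * (r + 1)                          # subkeys S[0 .. 2r+1]
        L = [0] * c
        for i in range(b - 1, -1, -1):           # key bytes, little-endian words
            L[i // u] = ((L[i // u] << 8) + key[i]) & self.mask
        S = [(P32 + i * Q32) & self.mask for i in range(t)]
        i = j = A = B = 0
        for _ in range(3 * max(t, c)):           # mix the key into S
            A = S[i] = self._rotl((S[i] + A + B) & self.mask, 3)
            B = L[j] = self._rotl((L[j] + A + B) & self.mask, A + B)
            i, j = (i + 1) % t, (j + 1) % c
        return S

    def encrypt(self, A, B):
        """Two w-bit words in, two out."""
        S, m = self.S, self.mask
        A = (A + S[0]) & m                       # step 1: A + S[0] -> C
        B = (B + S[1]) & m                       #         B + S[1] -> D
        for i in range(1, self.r + 1):
            # steps 2-4: E = C xor D, rotate E left by D, add the next subkey -> F
            A = (self._rotl(A ^ B, B) + S[2 * i]) & m
            # steps 5-7: G = D xor F, rotate G left by F, add the next subkey
            B = (self._rotl(B ^ A, A) + S[2 * i + 1]) & m
        return A, B

    def decrypt(self, A, B):
        """Undo the rounds in reverse: subtract, rotate right, XOR."""
        S, m = self.S, self.mask
        for i in range(self.r, 0, -1):
            B = self._rotr((B - S[2 * i + 1]) & m, A) ^ A
            A = self._rotr((A - S[2 * i]) & m, B) ^ B
        return (A - S[0]) & m, (B - S[1]) & m


if __name__ == "__main__":
    c = RC5(bytes(16))                           # RC5-32/12/16, all-zero key
    print("RC5-32/12/16 enc(0, 0) =", [hex(x) for x in c.encrypt(0, 0)])
```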

INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

International Data Encryption Algorithm is one of the strongest cryptographic algorithms.


Although it is quite strong, IDEA is not as popular as DES for two primary reasons:

1) It is patented, unlike DES, and therefore must be licensed before it can be used in
commercial applications.
2) DES has a long history as compared to IDEA.

One popular e-mail privacy technology known as pretty good privacy (PGP) is based on IDEA.

PRINCIPLE:

Technically, IDEA is a block cipher. Like DES, it also works on 64-bit plain text blocks. The key is
longer and consists of 128 bits. IDEA is reversible like DES, that is, the same algorithm is used for
encryption and decryption. IDEA uses both diffusion and confusion for encryption.

WORKING:

• The 64-bit input plaintext block P is divided into 4 portions, each of 16 bits, i.e. (P1 to P4).
• Thus, P1 to P4 are the inputs to the first round of the algorithm. There are eight such rounds.
• The key consists of 128 bits.
• In each round, six sub-keys are generated from the original key. Each of the sub-keys is of 16
bits.
• These six sub-keys are applied to the four input blocks P1 to P4.
• Thus for the first round we will have the six keys K1 to K6. Similarly for the eighth round we
will have keys K43 to K48.
• The final step consists of an output transformation, which uses just four sub-keys (K49 to
K52).
• The final output produced is the output of the output transformation step, which
is four blocks of cipher text named C1 to C4 (each of 16 bits). These are combined to form
the final 64-bit cipher text block.
 The general working is shown in Figure 1:
Figure 1: Broad level steps in IDEA encryption
Detailed Explanation of ROUNDS:

• There are eight rounds in IDEA and each round involves a series of operations on the four data
blocks using six keys.
• There are several steps, as shown below, which include multiplication, addition and XOR
operations:

Step-1: Multiply* P1 and K1.
Step-2: Add* P2 and K2.
Step-3: Add* P3 and K3.
Step-4: Multiply* P4 and K4.
Step-5: XOR the results of step-1 and step-3.
Step-6: XOR the results of step-2 and step-4.
Step-7: Multiply* the result of step-5 with K5.
Step-8: Add* the results of step-6 and step-7.
Step-9: Multiply* the result of step-8 with K6.
Step-10: Add* the results of step-7 and step-9.
Step-11: XOR the results of step-1 and step-9.
Step-12: XOR the results of step-3 and step-9.
Step-13: XOR the results of step-2 and step-10.
Step-14: XOR the results of step-4 and step-10.

The asterisk (*) sign in the above steps indicates that the addition and multiplication are not
simple addition and multiplication but addition modulo 2^16 (i.e. addition modulo 65536) and
multiplication modulo 2^16 + 1 (i.e. multiplication modulo 65537).

(Example: 5 mod 2 is 1 because the remainder of 5/2 is 1)

Modulo arithmetic is required in IDEA because it ensures that even if the result of the addition or
multiplication of two 16-bit numbers contains more than 16 bits, it is brought back to 16 bits.
Figure 2 shows the details of one round in a symbolic fashion:

Figure 2: Single round of IDEA

The input block are shown as P1 to P4, the sub keys are denoted by K1 to K6 and the output of
this step is denoted by R1 to R4 (and not C1 to C4, because this is not the final cipher text but it
is an intermediate output, which will be processed in further rounds as well as in output
transformation).
Sub key generation for a round:

As mentioned earlier, each of the eight rounds makes use of six sub-keys (so 8*6 = 48 sub-keys
are required for the rounds) and the final output transformation uses four sub-keys (making a
total of 48 + 4 = 52 sub-keys overall). These 52 sub-keys are generated from an input key of 128
bits. The explanation below is based on the sub-key generation process for the
first two rounds, whereas the sub-key generation for all the rounds is tabulated later:

First round:

• The initial key consists of 128 bits, from which 6 sub-keys K1 to K6 are generated for the first
round.
• Since K1 to K6 consist of 16 bits each, out of the original 128 bits, the first 96 bits are used for the
first round.
• Thus at the end of the first round, bits 97-128 of the original key are unused.

Second round:

• In the second round, firstly, the 32 unused bits (i.e. bits 97-128) of the first round are used.
• Each round requires 6 sub-keys K1 to K6, each of 16 bits, making a total of 96 bits.
• Thus, for the second round we still require (96-32 = 64) more bits.
• However, all the 128 bits of the original key are exhausted.
• For the remaining 64 bits IDEA employs the technique of key shifting.
• At this stage, the original key is shifted left circularly by 25 bits.
• That is, the 26th bit of the original key moves to the first position, and the first 25 bits move to
the end of the key after the shift.
• The whole process is shown in Figure 4:
Figure 4: Circular-left shift and its use in sub-key generation for round 2

Thus the same process goes on up to the last (8th) round. At the end of the last round, we have
no unused bits. They are used in the output transformation.
Output Transformation:

The Output Transformation is a one-time operation. It takes place at the end of the 8th round.

Step-1: Multiply* R1 and K1.

Step-2: Add* R2 and K2.

Step-3: Add* R3 and K3.

Step-4: Multiply* R4 and K4.

Figure 5: Details of the output transformation


As shown in Figure 6, a 64-bit value is divided into four sub-blocks (R1 to R4 each of 16 bits).
Also, four sub-keys are applied here instead of six. Assume that these four 16 bits sub-keys (K1
to K4) are available to output transformation. The output of this process is the final 64-bit
cipher text, which is the combination of the four cipher text blocks C1 to C4.

Sub-Key Generation for the Output Transformation:

The process of sub-key generation for the output transformation is exactly the same as the sub-
key generation process for the eight rounds. At the end of the eighth round, the key was
exhausted. Hence, the key is again shifted by 25 bits. After this shift operation, the first 64 bits of
the key are taken and called sub-keys K1 to K4 for the final output transformation.
Sample Example for IDEA Encryption :

Input Plain Text: 1001110010101100

Key: 1101110001101111
IDEA Decryption:

The decryption process is exactly the same as the encryption process. There are some alterations
in the generation and pattern of sub-keys. The decryption sub-keys are actually the inverses of the
encryption sub-keys.

Sample Example for IDEA Decryption:

Input Plain Text: 1011101101001011

Key: 1000001110100101
MCQs

1. IDEA stands for ___________________________________________________________

2. One Popular Email Technology is based on IDEA algorithm [ ]

(a) MIME (b) PGP (c) SSL (d) SET

3. The Input plain text is divided in to 4 portions in __________________ algorithm [ ]


(a) Blowfish (b) RC4 (c)RC5 (d) IDEA

4. The key size of IDEA is _______ [ ]

(a)128 bytes (b) 128 bits (c) 256 bits (d) 256 bytes

5. RC5 is represented as 3 Parameters denoted as : [ ]

(a) RC5 – w/r/b (b) RC5 –r/a/c

(c)RC5-e/l/r (d) RC5 – r/l/b

6. RC5 Block Cipher is also called as ______Mode. [ ]

(a) ECB (b)RC5-CBC (c)RC5-CBC-Pad (d)RC5-CTS

7. The input Plain text is divided in to 2 blocks of plain text in _______algorithm. [ ]

8. In IDEA for Output Transformation, how many keys are generated? [ ]

(a) 4 (b)6 (c)8 (d) 2

Exercise problems:

1) Consider plain text array P=[1 2 2 2], use 2-bit key array K=[1 3] and state vector array S=[1 2
3 4]; find the cipher text using the RC4 algorithm.
2) Explain one round of the IDEA algorithm for the following input
Input : 0111101110001001
Key : 0101100100011011
3) Draw the diagram of the RC5 working step by step procedure.


Lab Exercise

1. Write the RC4 logic in Java. Using Java cryptography, encrypt the text “Hello world” using Blowfish.
Create your own key using the Java keytool.
Week-7

Public Key Cryptography:

Here, each communicating party uses two keys that form a key pair: one key (the private key) remains with the
party and the other (the public key) is shared with everybody.

The public key is used for encryption and is known to the public; the private key is used for decryption.

Suppose A wants to communicate with B; then A and B should each have a private and a public key.

1. A should keep his private key secret.

2. A should inform B about his public key.

3. B should keep his private key secret.

4. B should inform A about his public key.

Diagram of Public Key Cryptography:

Working:

1.When A wants to send a message to B, A encrypts the message using B’s public key. This is because A
knows B’s public key.

2.A sends the encrypted message to B.

3.B decrypts A’s message using B’s private key.

Similarly, when B wants to send a message to A, exactly the reverse steps take place.

The RSA Algorithm:

• It was developed by Ron Rivest, Adi Shamir and Len Adleman at MIT in 1977.
• The algorithm is based on the fact that finding the factors of a large composite number is difficult:
when the factors are prime numbers, the problem is called prime factorization.
• It is also a key pair (public and private key) generator.
• Encryption strength depends entirely on the key size; if we double or triple the key size, the strength
of encryption increases exponentially.
• RSA keys are typically 1024 or 2048 bits long, but experts believe that 1024-bit keys could be
broken in the near future.
Steps:

Step 1: Choose two large prime numbers P and Q.


Step 2: Calculate N= P x Q. Here N is the size of the block.

Step 3: Calculate φ(N)=(P-1)(Q-1).

Step 4: Select the public key, i.e. the encryption key E, such that it is not a factor of φ(N).

Step 5: Select the private key, i.e. the decryption key D, such that

(D x E) mod φ(N) = 1.

Step 6: For encryption, calculate the cipher text C from plain text M as

C = M^E mod N

Step 7: Send the cipher text C to the receiver.

Step 8: For decryption, calculate the plain text M from the cipher text C as

M = C^D mod N

Example:
1. Choose two large prime numbers P and Q .

Let P=5 and Q=11

2. Calculate N = P x Q i.e N = 5 x 11 =55.

3. Calculate φ(N)=(P-1)(Q-1) =4 x 10 = 40.

4. Select the public key E such that it is not a factor of φ(N).

Factors of 40 are 2 and 5.

Let us choose E as 3

5. Select the private key D such that (DxE) mod φ(N)=1.

We have,

(Dx3) mod 40 =1

Let us choose D as 27 because, (27x3) mod 40 =1. i.e 81 mod 40 =1

6. For encryption, C = M^E mod N; let M = 5

C = 5^3 mod 55, i.e. 125 mod 55 = 15

7. Send cipher text 15 to the receiver.

8. For decryption, M = C^D mod N

M = 15^27 mod 55 = 5
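The eight RSA steps run on the compendium's numbers (P = 5, Q = 11, E = 3, M = 5), as an added example that is not part of the original notes. The check on E is written as gcd(E, φ(N)) = 1, which is the standard form of the Step 4 condition; the trial-division routine at the end shows why a toy-sized N gives no security at all (attack approach 2 in the next section).

```python
# Added example (not from the compendium): RSA key generation, encryption and
# decryption following Steps 1-8, plus a factoring demo for the toy modulus.
from math import gcd


def rsa_keygen(p, q, e):
    n = p * q                        # Step 2: N = P x Q
    phi = (p - 1) * (q - 1)          # Step 3: phi(N) = (P-1)(Q-1)
    # Step 4: E must be coprime to phi(N) so that D exists
    if gcd(e, phi) != 1:
        raise ValueError("E must be coprime to phi(N)")
    d = pow(e, -1, phi)              # Step 5: D with (D x E) mod phi(N) = 1
    return (e, n), (d, n)            # (public key, private key)


def rsa_encrypt(public, m):
    e, n = public
    assert 0 <= m < n, "a block must be smaller than N"
    return pow(m, e, n)              # Step 6: C = M^E mod N


def rsa_decrypt(private, c):
    d, n = private
    return pow(c, d, n)              # Step 8: M = C^D mod N


def factor_by_trial_division(n):
    """Smallest prime factor search; instant for N = 55, hopeless for a 2048-bit N."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None


def private_key_from_factors(e, n):
    """Given only the public key, recover D once N has been factored (why key size matters)."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 11, 3)
    c = rsa_encrypt(pub, 5)
    print(pub, priv, c, rsa_decrypt(priv, c))   # (3, 55) (27, 55) 15 5
    print(private_key_from_factors(*pub))       # (27, 55): toy N = 55 is factored at once
```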

Security of RSA:

Four possible approaches to attacking the RSA algorithm are as follows:

1. Brute force: This involves trying all possible private keys

2. Mathematical Methods: There are several approaches, which are equivalent in effort to factoring the
product of two primes.

3. Timing attacks: They depend upon the running time of the decryption algorithm.

4. Chosen cipher text attacks: This attack exploits properties of RSA algorithm.

Diffie-Hellman Key Exchange Algorithm:


It was the first published public key algorithm; it appeared in the seminal paper by Diffie and Hellman that
defined public key cryptography, and it is generally referred to as Diffie-Hellman Key Exchange.

The purpose of this algorithm is to enable two users to securely exchange a key that can be used for
subsequent symmetric encryption of messages.

The Diffie-Hellman algorithm depends on discrete logarithms.

Discrete Logarithms:

 A primitive root of a prime number p is one whose powers modulo p generate all the integers
from 1 to p-1.
 That is, if a is a primitive root of the prime number p, then the numbers
a mod p, a^2 mod p, ..., a^(p-1) mod p
are distinct and consist of the integers from 1 through p-1 in some permutation.
 For any integer b and a primitive root a of the prime number p, we can find a unique exponent i such
that
b ≡ a^i (mod p) where 0 ≤ i ≤ (p-1)
 The exponent i is referred to as the discrete logarithm of b for the base a, mod p.
 We express this value as
dlog_a,p(b)

Diffie-Hellman Algorithm:

Example:

Step 1: Alice and Bob get public numbers P = 23, G = 9


Step 2: Alice selected a private key a = 4 and
Bob selected a private key b = 3
Step 3: Alice and Bob compute public values
Alice: x =(9^4 mod 23) = (6561 mod 23) = 6
Bob: y = (9^3 mod 23) = (729 mod 23) = 16
Step 4: Alice and Bob exchange public numbers
Step 5: Alice receives public key y =16 and
Bob receives public key x = 6
Step 6: Alice and Bob compute symmetric keys
Alice: ka = y^a mod p = 65536 mod 23 = 9
Bob: kb = x^b mod p = 216 mod 23 = 9
Step 7: 9 is the shared secret.
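The primitive-root and discrete-logarithm definitions above together with the worked exchange (P = 23, G = 9, a = 4, b = 3), as an added example that is not part of the original notes. The primitive-root check also reveals a caveat of the textbook numbers: G = 9 is not a primitive root of 23 (it generates only 11 of the 22 residues), so the exchange works but runs in a subgroup.

```python
# Added example (not from the compendium): discrete-log definitions and both
# sides of the Diffie-Hellman exchange with the notes' numbers.


def is_primitive_root(a, p):
    """a is a primitive root of prime p iff a^1..a^(p-1) mod p are all distinct,
    i.e. a permutation of 1..p-1."""
    powers = {pow(a, i, p) for i in range(1, p)}
    return len(powers) == p - 1


def dlog(a, p, b):
    """Discrete logarithm dlog_{a,p}(b): the exponent i with a^i = b (mod p).
    Exhaustive search, fine for p = 23; infeasible for the sizes used in practice."""
    for i in range(p - 1):
        if pow(a, i, p) == b % p:
            return i
    raise ValueError("b is not in the subgroup generated by a")


def dh_exchange(p, g, a, b):
    """Run both sides: returns (Alice's public x, Bob's public y, shared key)."""
    x = pow(g, a, p)            # Step 3, Alice: x = G^a mod P, sent to Bob
    y = pow(g, b, p)            # Step 3, Bob:   y = G^b mod P, sent to Alice
    ka = pow(y, a, p)           # Step 6, Alice: y^a mod P
    kb = pow(x, b, p)           # Step 6, Bob:   x^b mod P
    assert ka == kb, "(G^b)^a and (G^a)^b must agree"
    return x, y, ka


if __name__ == "__main__":
    print(dh_exchange(23, 9, 4, 3))                       # (6, 16, 9)
    print(is_primitive_root(9, 23), is_primitive_root(5, 23))   # False True
    # an eavesdropper who could take discrete logs of x = 6 would recover Alice's a = 4
    print(dlog(9, 23, 6))
```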

Knapsack algorithm:

This algorithm was developed by Merkle and Hellman for public key cryptography.

Given n items of different values vi and weights wi, find the most valuable subset of the items while the
overall weight does not exceed a given capacity W.

The knapsack problem defines a problem where we have a number of weights and then must pack our
knapsack with the minimum number of weights that will make it a given weight. In general the problem
is:

 Given a set of numbers A and a number b.


 Find a subset of A which sums to b (or gets nearest to it).

The subset sum problem is stated as follows: given a set of positive integers (a1, a2, ..., an) and a positive
integer S, decide whether there is a subset of the ai's that sums to S. This is equivalent to determining whether
there are variables (x1, ..., xn) such that
S = a1x1 + a2x2 + ... + anxn, with xi ∈ {0,1}, 1 ≤ i ≤ n.

Key generation
Here, keys are two knapsacks.
The public key is a 'hard' knapsack A, and the private key is an 'easy', or super increasing, knapsack B,
combined with two additional numbers, a multiplier and a modulus. The multiplier and modulus can be
used to convert the super increasing knapsack into the hard knapsack. These same numbers are used to
transform the sum of the subset of the hard knapsack into the sum of the subset of the easy knapsack,
which is a problem that is solvable in polynomial time.
Encryption
To encrypt a message, a subset of the hard knapsack A is chosen by comparing it with a set of bits (the
plaintext) equal in length to the key. Each term in the public key that corresponds to a 1 in the plaintext
is an element of the subset A_m, while terms corresponding to 0 in the plaintext are ignored when
constructing A_m – they are not elements of the key. The elements of this subset are added together
and the resulting sum is the cipher text.
Decryption
Decryption is possible because the multiplier and modulus used to transform the easy knapsack into the
public key can also be used to transform the number representing the cipher text into the sum of the
corresponding elements of the super increasing knapsack.

Knapsack example problem

Problem: Given set of weights as {1, 2, 4, 9, 20, 38} and maximum weight knapsack can hold the weight
54.solve this problem using knapsack public key cryptography.
Solution:
Step-1: select the objects which satisfy the basic knapsack constraint.
If the current element fits into the remaining capacity of the knapsack, we mark it as “1”,
otherwise “0”, as follows:
Check 54 for 38? Yes (smaller than 54). [1] We now have a balance of 16.
Check 16 for 20? No. [0].
Check 16 for 9? Yes. [1]. We now have a balance of 5.
Check 5 for 4? Yes. [1]. We now have a balance of 1.
Check 1 for 2? No. [0].
Check 1 for 1? Yes [1].
Our result is 101101
Step-2: find out the super-increasing sequence.
Step-3: making the public key
Take our super-increasing sequence, such as {1,2,4,10,20,40}, multiply each value by a number
n, and reduce modulo a value m which is greater than the total (such as m = 120).
For n we make sure that there are no common factors with any of the numbers.
Let's select an n value of 53, so we get:
1×53 mod(120) = 53
2×53 mod(120) = 106
4×53 mod(120) = 92
10×53 mod(120) = 50
20×53 mod(120) = 100
40×53 mod(120) = 80
So the public key is: {53,106,92,50,100,80} and the private key is {1, 2, 4, 10, 20,40}. The public key will
be difficult to factor while the private key will be easy.
Step-4: Encryption
Let's try to send a message that is in binary code:
111010 101101 111001
We have six weights so we split into three groups of six weights:
111010 = 53 + 106 + 92 + 100 = 351
101101 = 53+ 92 + 50 + 80 = 275
111001 = 53 + 106 + 92 + 80 = 331
Our cipher text is thus 351 275 331.

Step-5: Decryption
The two numbers known by the receiver are thus 120 (m, the modulus) and 53 (n, the multiplier).
We need n^-1, the multiplicative inverse of n mod m, i.e. n × n^-1 ≡ 1 (mod m). For this we find the
inverse of n:

n^-1 = 53^-1 mod 120, i.e. (53 × n^-1) mod 120 = 1

So we try values of n^-1 in (53 × n^-1) mod 120 in order to get a result of 1:

n^-1   Result
1      53
2      106
3      39
...
75     15
76     68
77     1
So the inverse is 77.
The coded message is 351 275 331 and is now easy to calculate the plain text:

351×77 mod(120) = 27 = 111010 (1+2+4+20)

275×77 mod(120) = 55 = 101101


331×77 mod(120) = 47 = 111001

The decoded message is thus:

111010 101101 111001

which is the same as our original message:


111010 101101 111001
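The whole Merkle-Hellman example above (private knapsack {1,2,4,10,20,40}, n = 53, m = 120, message 111010 101101 111001) run end to end, as an added example that is not code from the compendium. Decryption uses the greedy largest-first decomposition that is unique for a super-increasing sequence, which is the "easy" side of the trapdoor.

```python
# Added example (not from the compendium): Merkle-Hellman knapsack key
# generation, encryption and decryption with the notes' parameters.
from math import gcd


def make_public_key(private, n, m):
    """Hard knapsack = each easy weight times n, reduced mod m."""
    assert all(private[i] > sum(private[:i]) for i in range(len(private))), "not super-increasing"
    assert m > sum(private) and gcd(n, m) == 1, "m must exceed the total and be coprime to n"
    return [(w * n) % m for w in private]


def knapsack_encrypt(public, bits):
    """bits: '0'/'1' string, one block per len(public) bits; returns one sum per block."""
    size = len(public)
    assert len(bits) % size == 0, "message must be a whole number of blocks"
    sums = []
    for i in range(0, len(bits), size):
        block = bits[i:i + size]
        sums.append(sum(w for w, b in zip(public, block) if b == "1"))
    return sums


def solve_superincreasing(private, target):
    """Greedy from the largest weight down; the decomposition is unique for super-increasing sets."""
    bits = ["0"] * len(private)
    for i in range(len(private) - 1, -1, -1):
        if private[i] <= target:
            bits[i] = "1"
            target -= private[i]
    if target != 0:
        raise ValueError("value is not a subset sum of the private knapsack")
    return "".join(bits)


def knapsack_decrypt(private, n, m, cipher):
    n_inv = pow(n, -1, m)            # 77 for n = 53, m = 120
    return "".join(solve_superincreasing(private, (c * n_inv) % m) for c in cipher)


if __name__ == "__main__":
    priv = [1, 2, 4, 10, 20, 40]
    pub = make_public_key(priv, 53, 120)
    ct = knapsack_encrypt(pub, "111010101101111001")
    print(pub, ct, knapsack_decrypt(priv, 53, 120, ct))
```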

The ElGamal Public Key Encryption Algorithm

The ElGamal Algorithm provides an alternative to the RSA for public key encryption.

Security of RSA depends on the (presumed) difficulty of factoring large integers.

Security of the ElGamal algorithm depends on the (presumed) difficulty of computing discrete logs in a
large prime modulus.

ElGamal has the disadvantage that the ciphertext is twice as long as the plaintext.

It has the advantage that the same plaintext gives a different ciphertext (with near
certainty) each time it is encrypted.

Alice chooses

i) A large prime pA (say 200 to 300 digits),

ii) A primitive element αA modulo pA,

iii) A (possibly random) integer dA with 2 ≤ dA ≤ pA – 2.

ElGamal Cryptography
Each user (e.g. A) generates their key: chooses a secret key (number) 1 < xA < q - 1 and computes their
public key yA = a^xA mod q.

ElGamal Message Exchange


Bob encrypts a message to send to Alice

– Bob represents the message M in the range 0 <= M <= q - 1

• longer messages must be sent as blocks

– Bob chooses a random integer k with 1 <= k <= q – 1

– Bob computes the one-time key K = (yA)^k mod q

– Bob encrypts M as a pair of integers (C1, C2) where

• C1 = a^k mod q ;

C2 = K M mod q

• Alice then recovers the message by – recovering the key K as K = C1^xA mod q

– computing M as M = C2 K^-1 mod q

• a unique secret k must be used each time – otherwise the result is insecure
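The message exchange above carried out by both sides, as an added example that is not code from the compendium. The key q = 19, a = 10, xA = 16 (so yA = 4) is borrowed from the signature example later in this week's notes; k = 5 and M = 14 are chosen here. The last function shows the failure mode of the final bullet: with a reused k, anyone who knows one plaintext recovers the other.

```python
# Added example (not from the compendium): ElGamal encryption/decryption and
# the consequence of reusing the per-message secret k.


def elgamal_keygen(q, a, x):
    assert 1 < x < q - 1
    return pow(a, x, q)                      # yA = a^xA mod q


def elgamal_encrypt(q, a, y, m, k):
    """Bob's side: returns the pair (C1, C2)."""
    assert 0 <= m <= q - 1 and 1 <= k <= q - 1
    key = pow(y, k, q)                       # one-time key K = yA^k mod q
    c1 = pow(a, k, q)                        # C1 = a^k mod q
    c2 = (key * m) % q                       # C2 = K M mod q
    return c1, c2


def elgamal_decrypt(q, x, c1, c2):
    """Alice's side: recover K from C1 with the private key, then M = C2 K^-1."""
    key = pow(c1, x, q)                      # K = C1^xA mod q
    return (c2 * pow(key, -1, q)) % q        # M = C2 K^-1 mod q


def reused_k_leaks(q, c2_known, m_known, c2_unknown):
    """Why k must be unique: two messages encrypted with the same k share the same K,
    so C2'/C2 = M'/M (mod q) and one known plaintext gives the other."""
    return (c2_unknown * pow(c2_known, -1, q) * m_known) % q


if __name__ == "__main__":
    q, a, x = 19, 10, 16
    y = elgamal_keygen(q, a, x)              # 4
    c1, c2 = elgamal_encrypt(q, a, y, 14, 5)
    print(y, (c1, c2), elgamal_decrypt(q, x, c1, c2))   # 4 (3, 10) 14
    # same M, different k: a different ciphertext (the property noted above)
    print(elgamal_encrypt(q, a, y, 14, 7))               # (15, 8)
```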

Exercise problem:
Problems

1. Apply RSA algorithm for encryption and decryption for the values p=7, q=5 and m= 3. Calculate n, φ (n),
e, d, c and m.

2. In a public key system using RSA, you intercept the cipher text c=10 sent to a user whose public key is
e=5, n=35. What is the plain text M?

3. Given the set of weights {1, 6, 8, 15, 24} and a knapsack that can hold a maximum weight of 30, solve this
problem using knapsack public key cryptography.
Lab Program:

1. Write a Java program to implement RSA algorithm.


2. Implement the Diffie-Hellman key exchange mechanism using HTML and JavaScript.
Unit-III Week-8

Message Authentication:

Message authentication is a procedure to verify that received messages come from the alleged
source and have not been altered. Message authentication may also verify sequencing and timeliness. It
is intended to counter attacks such as content modification, sequence modification, timing modification and
repudiation; to counter repudiation, the concept of digital signatures is used.
The functions that may be used to produce an authenticator fall into three classes. They are:
Message encryption–the ciphertext serves as authenticator

Message authentication code (MAC)–a public function of the message and a secret key producing a fixed-
length value to serve as authenticator. This does not provide a digital signature because A and B share
the same key.

Hash function–a public function mapping an arbitrary length message into a fixed-length hash value to
serve as authenticator. This does not provide a digital signature because there is no key.
Message Encryption:

Message encryption by itself can provide a measure of authentication. The analysis differs for
conventional and public-key encryption schemes. The message must have come from the sender itself,
because the ciphertext can be decrypted using his (secret or public) key. Also, none of the bits in the
message have been altered, because an opponent does not know how to manipulate the bits of the
ciphertext to induce meaningful changes to the plaintext. Often one needs authentication
schemes other than just encrypting the message:
1. Sometimes one needs to avoid encryption of full messages due to legal requirements.

2. Encryption and authentication may be separated in the system architecture.


The different ways in which message encryption can provide authentication, confidentiality in both
symmetric and asymmetric encryption techniques is explained with the table below:

Message Authentication Code :


An alternative authentication technique involves the use of a secret key to generate a small fixed-size
block of data, known as a cryptographic checksum or MAC, which is appended to the message. This
technique assumes that both the communicating parties, say A and B, share a common secret key K. When
A has a message to send to B, it calculates the MAC as a function C of the key and the message, given as: MAC = CK(M).
The message and the MAC are transmitted to the intended recipient, who upon receiving performs the
same calculation on the received message, using the same secret key, to generate a new MAC. The
received MAC is compared to the calculated MAC, and only if they match, then:
1. The receiver is assured that the message has not been altered: had any alteration been made, the MACs
would not match.

2. The receiver is assured that the message is from the alleged sender: no one except the sender has the
secret key and could prepare a message with a proper MAC.
3. If the message includes a sequence number, then the receiver is assured of proper sequence, as an attacker
cannot successfully alter the sequence number.
Basic uses of Message Authentication Code (MAC) are shown in the figure:

There are three different situations where use of a MAC is desirable:


1. If a message is broadcast to several destinations in a network (such as a military control center), then it
is cheaper and more reliable to have just one node responsible for evaluating the authenticity – the message will
be sent in plain with an attached authenticator.
2. If one side has a heavy load, it cannot afford to decrypt all messages – it will just check the authenticity
of some randomly selected messages.
3. Authentication of computer programs in plaintext is a very attractive service, as they need not be
decrypted every time, which would waste processor resources. The integrity of the program can always be checked by
a MAC.
SHA :

The secure hash algorithm (SHA) was developed by the National Institute of Standards and Technology
(NIST). SHA-1 is the best established of the existing SHA hash functions, and is employed in several widely
used security applications and protocols. The algorithm takes as input a message with a maximum length
of less than 2^64 bits and produces as output a 160-bit message digest.

The input is processed in 512-bit blocks. The overall processing of a message follows the structure of
MD5 with block length of 512 bits and a hash length and chaining variable length of 160 bits. The
processing consists of following steps:

1.) Append Padding Bits: The message is padded so that its length is congruent to 448 modulo 512; padding is
always added – one 1 bit followed by the necessary number of 0 bits.

2.) Append Length: a block of 64 bits containing the length of the original message is added.

3.) Initialize MD buffer: A 160-bit buffer is used to hold intermediate and final results of the hash
function. This is formed by 32-bit registers A, B, C, D, E. Initial values: A=0x67452301, B=0xEFCDAB89,
C=0x98BADCFE, D=0x10325476, E=0xC3D2E1F0. Values are stored in big-endian format, i.e. the most significant bit in the
low address.
4.) Process the message in 512-bit (16-word) blocks: The processing of a single 512-bit block is shown
above. It consists of four rounds of processing of 20 steps each. These four rounds have a similar structure,
but each uses a different primitive logical function, which we refer to as f1, f2, f3 and f4. Each round takes as
input the current 512-bit block being processed and the 160-bit buffer value ABCDE, and updates the
contents of the buffer. Each round also makes use of one of four distinct additive constants Kt. The output of the
fourth round, i.e. the eightieth step, is added to the input to the first round to produce CVq+1.

5.) Output: After all L 512-bit blocks have been processed, the output from the Lth stage is the 160-bit
message digest.

The behavior of SHA-1 is as follows:
CV0 = IV
CVq+1 = SUM32(CVq, ABCDEq)
MD = CVL
where
IV = initial value of the ABCDE buffer
ABCDEq = output of the last round of processing of the qth message block
L = number of blocks in the message
SUM32 = addition modulo 2^32
MD = final message digest value.

SHA-1 Compression Function:

Each round has 20 steps, each of which replaces the 5 buffer words. The logic of each of the 80
steps is
(A, B, C, D, E) <- (E + f(t,B,C,D) + S^5(A) + Wt + Kt), A, S^30(B), C, D
where
A, B, C, D, E = the five words of the buffer
t = step number, 0 <= t <= 79
f(t,B,C,D) = primitive logical function for step t
S^k = circular left shift of the 32-bit argument by k bits
Wt = a 32-bit word derived from the current 512-bit input block
Kt = an additive constant; four distinct values are used
+ = addition modulo 2^32

SHA shares much in common with MD4/5, but with 20 instead of 16 steps in each of the 4 rounds. Note
the 4 constants are based on sqrt(2,3,5,10). Note also that instead of just splitting the input block into 32-
bit words and using them directly, SHA-1 shuffles and mixes them using rotates & XORs to form a more
complex input, which greatly increases the difficulty of finding collisions. A sequence of logical functions f0,
f1, ..., f79 is used in SHA-1. Each ft, 0 <= t <= 79, operates on three 32-bit words B, C, D and produces a
32-bit word as output. ft(B,C,D) is defined as follows: for words B, C, D,
ft(B,C,D) = (B AND C) OR ((NOT B) AND D)          (0 <= t <= 19)
ft(B,C,D) = B XOR C XOR D                          (20 <= t <= 39)
ft(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)    (40 <= t <= 59)
ft(B,C,D) = B XOR C XOR D                          (60 <= t <= 79)
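The five processing steps, the step function and the four ft definitions above implemented from scratch, as an added example that is not code from the compendium; the result is checked against Python's hashlib so any slip in padding, scheduling or the ft/Kt selection shows up immediately.

```python
# Added example (not from the compendium): SHA-1 built from the steps in the
# notes, verified against the standard library implementation.
import hashlib
import struct

MASK32 = 0xFFFFFFFF
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]   # Kt: one constant per round of 20 steps


def rotl(x, k):                    # S^k: circular left shift of a 32-bit word by k bits
    return ((x << k) | (x >> (32 - k))) & MASK32


def f(t, b, c, d):                 # primitive logical function ft for step t
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def sha1(message):
    # Steps 1-2: append 1 bit, zero bits up to 448 mod 512, then the 64-bit big-endian length
    bit_len = 8 * len(message)
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack(">Q", bit_len)
    # Step 3: initialise the 160-bit buffer A,B,C,D,E (CV0 = IV)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Step 4: process each 512-bit block through 80 steps
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16L", msg[off:off + 64]))
        for t in range(16, 80):    # Wt for t >= 16: rotate and XOR of earlier words
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            # (A,B,C,D,E) <- (E + f(t,B,C,D) + S^5(A) + Wt + Kt), A, S^30(B), C, D
            tmp = (e + f(t, b, c, d) + rotl(a, 5) + w[t] + K[t // 20]) & MASK32
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        # CVq+1 = SUM32(CVq, ABCDEq)
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    # Step 5: the 160-bit digest is the final chaining value
    return struct.pack(">5L", *h)


def matches_hashlib(message):
    """Cross-check against the standard library for the same input."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1(b"abc").hex())      # a9993e364706816aba3e25717850c26c9cd0d89d
    print(matches_hashlib(b"x" * 1000))
```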

Authentication requirements:

In the context of communications across a network, the following attacks can be identified:

Disclosure
 Release of message contents to any person or process not possessing the appropriate
cryptographic key

Traffic analysis
 Discovery of the pattern of traffic between parties.
 In a connection-oriented application, the frequency and duration of connections could be
determined.
 The number and length of messages between parties could be determined on both environments

Masquerade
 Insertion of messages into the network from a fraudulent source.
 Includes the creation of messages by an opponent that are purported to come from an authorized
entity.
 Also included are fraudulent acknowledgments of message receipt or no receipt by someone else

Content modification
 Changes to the contents of a message, including insertion, deletion, transposition, and
modification

Sequence modification
 Any modification to a sequence of messages between parties, including insertion, deletion, and
reordering

Timing modification
 Delay or replay of messages.
 In a connection-oriented application, an entire session or sequence of messages could be a replay
of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a
connectionless application, an individual message (e.g., datagram) could be delayed or replayed.

Source repudiation
 Denial of transmission of message by source.

Destination repudiation
 Denial of receipt of message by destination

HMAC

HMAC stands for Hashed or Hash-based Message Authentication Code. It is the result of work
done on deriving a MAC from cryptographic hash functions. HMAC is highly resistant to
cryptanalysis attacks, as it applies the hashing concept twice. HMAC combines the benefits of hashing and a
MAC, and is thus more secure than other authentication codes. HMAC is specified in RFC 2104, and
HMAC has been made compulsory to implement in IP security. The NIST standard FIPS 198 has also issued
HMAC.

Objectives –
 Like a hash function, HMAC is also intended to be one-way, i.e. easy to generate the output from the input
but hard the other way round.
 It aims at being less affected by collisions than the hash functions.
 HMAC reuses algorithms like MD5 and SHA-1, and allows the embedded hash function to be replaced
with a more secure hash function if one is found.
 HMAC tries to handle the keys in a simpler manner.
HMAC algorithm –
The working of HMAC starts with taking a message M consisting of blocks of length b bits. An input
signature is prepended to the message and the whole is given as input to a hash function, which
gives us a temporary message digest MD’. MD’ is in turn appended to an output signature and the whole is
hashed again; the result is our final message digest MD.
Here is a simple structure of HMAC:

Here,
H stands for Hashing function,
M is original message
Si and So are input and output signatures respectively,
Yi is the ith block in original message M, where i ranges from [1, L)
L = the count of blocks in M
K is the secret key used for hashing
IV is an initial vector (some constant)
The figure also shows the generation of the input and output signatures Si and So.
Compared with a normal hash function, HMAC adds one extra compression instance to the processing. This structural
implementation is efficient even for short MAC values.
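The two-pass structure above (inner hash over Si || M, outer hash over So || MD') built by hand and checked against Python's hmac module, as an added example that is not code from the compendium. The key and message are constructed; SHA-1 with b = 512 bits (64 bytes) is assumed as the embedded hash, and the key padding to b bits follows RFC 2104.

```python
# Added example (not from the compendium): HMAC-SHA1 assembled from its two
# hash passes, plus a constant-time verification helper.
import hashlib
import hmac

BLOCK_SIZE = 64        # b = 512 bits for SHA-1 (and MD5)
IPAD = 0x36            # byte repeated to form the inner pad
OPAD = 0x5C            # byte repeated to form the outer pad


def hmac_sha1(key, message):
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()             # keys longer than b bits are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")             # K+ : key zero-padded to b bits
    s_i = bytes(k ^ IPAD for k in key)               # input signature  Si = K+ XOR ipad
    s_o = bytes(k ^ OPAD for k in key)               # output signature So = K+ XOR opad
    inner = hashlib.sha1(s_i + message).digest()     # MD' = H(Si || M)   (first hash pass)
    return hashlib.sha1(s_o + inner).digest()        # MD  = H(So || MD') (second hash pass)


def matches_stdlib(key, message):
    """Cross-check the hand-built construction against hmac.new for the same inputs."""
    expected = hmac.new(key, message, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1(key, message), expected)


def verify_tag(key, message, tag):
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(hmac_sha1(key, message), tag)


if __name__ == "__main__":
    k, m = b"Jefe", b"what do ya want for nothing?"   # RFC 2202 test case 2
    tag = hmac_sha1(k, m)
    print(tag.hex(), matches_stdlib(k, m), verify_tag(k, m, tag))
```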

CMAC
In cryptography, CMAC (Cipher-based Message Authentication Code) is a block cipher-based message
authentication code algorithm. It may be used to provide assurance of the authenticity and, hence, the
integrity of binary data. This mode of operation fixes security deficiencies of CBC-MAC (CBC-MAC is
secure only for fixed-length messages). The core of the CMAC algorithm is a variation of CBC-MAC that
Black and Rogaway proposed and analyzed under the name XCBC and submitted to NIST. The XCBC
algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys. Iwata and
Kurosawa proposed an improvement of XCBC and named the resulting algorithm One-Key CBC-MAC
(OMAC) in their papers. They later submitted OMAC1, a refinement of OMAC, and additional security
analysis. The OMAC algorithm reduces the amount of key material required for XCBC. CMAC is equivalent
to OMAC1.
To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one
first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to
multiplication by x and x^2 in a finite field GF(2^b)).

Let ≪ denote the standard left-shift operator and ⊕ denote exclusive or:

1. Calculate a temporary value k0 = Ek(0).

2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that depends
only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible
degree-b binary polynomial with the minimal number of ones.)

3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.

4. Return keys (k1, k2) for the MAC generation process.

As a small example, suppose b = 4, C = 0011₂, and k0 = Ek(0) = 0101₂. Then k1 = 1010₂ and k2 = 0100 ⊕
0011 = 0111₂.

The CMAC tag generation process is as follows:

1. Divide the message into b-bit blocks m = m1 ∥ ... ∥ mn−1 ∥ mn where m1, ..., mn−1 are complete
blocks. (The empty message is treated as 1 incomplete block.)

2. If mn is a complete block then mn′ = k1 ⊕ mn else mn′ = k2 ⊕ (mn ∥ 10...0₂).

3. Let c0 = 00…0₂.

4. For i = 1, ..., n−1, calculate ci = Ek(ci−1 ⊕ mi).

5. cn = Ek(cn−1 ⊕ mn′)

6. Output t = msbℓ(cn).

The verification process is as follows:

1. Use the above algorithm to generate the tag.
2. Check that the generated tag is equal to the received tag.
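The sub-key derivation and the six-step tag generation above, parameterised by a b-bit block cipher E, as an added example that is not code from the compendium. The 4-bit "cipher" is a constructed permutation chosen only so that E(0) = 0101₂ and the text's b = 4, C = 0011₂ example can be reproduced; it has no security and stands in for AES purely to exercise the structure.

```python
# Added example (not from the compendium): CMAC sub-keys and tag generation
# with a pluggable block cipher; the toy 4-bit E below is constructed.


def cmac_subkeys(k0, b, c):
    """k1, k2 from k0 = E_k(0): doubling in GF(2^b), i.e. shift left and XOR C when a bit falls off."""
    mask = (1 << b) - 1
    msb = 1 << (b - 1)
    k1 = ((k0 << 1) & mask) ^ (c if k0 & msb else 0)    # step 2
    k2 = ((k1 << 1) & mask) ^ (c if k1 & msb else 0)    # step 3
    return k1, k2


def cmac_tag(E, b, c, message_bits, tag_len):
    """E: b-bit block cipher under the fixed key (int -> int). message_bits: '0'/'1' string."""
    k1, k2 = cmac_subkeys(E(0), b, c)
    # step 1: split into b-bit blocks; the empty message counts as one incomplete block
    blocks = [message_bits[i:i + b] for i in range(0, len(message_bits), b)] or [""]
    last = blocks[-1]
    # step 2: complete last block -> XOR k1; incomplete -> pad with 10..0 and XOR k2
    if len(last) == b:
        last_val = int(last, 2) ^ k1
    else:
        last_val = int((last + "1").ljust(b, "0"), 2) ^ k2
    # steps 3-5: CBC chain starting from c0 = 0
    ci = 0
    for blk in blocks[:-1]:
        ci = E(ci ^ int(blk, 2))
    cn = E(ci ^ last_val)
    # step 6: the leftmost tag_len bits of cn
    return cn >> (b - tag_len)


def cmac_verify(E, b, c, message_bits, tag_len, received_tag):
    """Recompute the tag and compare (use a constant-time compare for real tags)."""
    return cmac_tag(E, b, c, message_bits, tag_len) == received_tag


# Constructed toy 4-bit "block cipher": a fixed permutation of 0..15 with E(0) = 0101 = 5
TOY_SBOX = [0x5, 0xC, 0x1, 0xA, 0x7, 0x0, 0xE, 0x3, 0x9, 0x6, 0xB, 0x4, 0xF, 0x2, 0x8, 0xD]


def toy_E(x):
    return TOY_SBOX[x & 0xF]


if __name__ == "__main__":
    print(cmac_subkeys(0b0101, 4, 0b0011))               # (10, 7): k1 = 1010, k2 = 0111
    print(cmac_tag(toy_E, 4, 0b0011, "10110", 4))        # incomplete last block path
    print(cmac_tag(toy_E, 4, 0b0011, "1011", 4))         # complete last block path
```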
MCQs:

1. Authentication means ______________________ [NPTEL]


A)Verification of user's identification B) Verification of the data C) Both (A) or (B)

D) None of the above

ANSWER: (A)

2. To authenticate the data origin, one needs a _________[NPTEL]


A) Message Detection Code (MDC) B) Message Authentication Code (MAC)
C) Both (A) or (B) D) Neither (A) nor (B)

ANSWER: (B)
Hints: In a MAC, the receiver validates the code using the secret key shared between them
(sender and receiver). In an MDC, no such shared secret key is used.

3. Hash function is a function which usually takes an arbitrary size of data and ____[NPTEL]
A) creates a small flexible size of data. B) creates a small, fixed size of data.

C) creates a permutation on input data. D) none of the mentioned

ANSWER: (B)

Hints: See the definition of Hash function

4. MACs are also called ________[self]


A) Test word B) Check word C) Test bits D)Tags or Checksum

ANSWER: (B)

5. When a hash function is used to provide message authentication, the hash function value is
referred to as _________[self]
A) Message Field B) Message Digest C) Message Score D) Message Leap

ANSWER: (B)

6. SHA-1 produces a hash value of _________[self]


A) 256 bits B) 180 bits C) 160 bits D) 128 bits

ANSWER: (C)

Assignment: answer any three of the following questions

1. Explain the HMAC algorithm. May-2016(R13)

2. Discuss HMAC and CMAC. May-2017(R13)
3. What are the requirements of authentication? October/November-2016(R13)
4. Define Message Authentication Code. List three approaches to message authentication.
5. What are the requirements of authentication?
6. Give a neat sketch to explain the concept of the Secure Hash Algorithm (SHA).
Week-9

DIGITAL SIGNATURE
A digital signature is a digital code (generated and authenticated by public key encryption) which is
attached to an electronically transmitted document to verify its contents and the sender's identity.

 The figure above represents the generic model of the digital signature process.
 Bob can sign a message using a digital signature generation algorithm.
 The inputs to the algorithm are the message and Bob’s private key.
 Any other user, say Alice, can verify the signature using a verification algorithm, whose inputs are
the message, the signature, and Bob’s public key.
In simplified terms, the essence of the digital signature mechanism is shown in Figure,

Properties

Message authentication protects two parties who exchange messages from any third party. However, it
does not protect the two parties against each other.

The digital signature must have the following properties:

• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

Thus, the digital signature function includes the authentication function.


Attacks and Forgeries

Following are the types of attacks, here A denotes the user whose signature method is being attacked,
and C denotes the attacker.

• Key-only attack: C only knows A’s public key.


• Known message attack: C is given access to a set of messages and their signatures.
• Generic chosen message attack: C chooses a list of messages before attempting to break A’s
signature scheme, independent of A’s public key. C then obtains from A valid signatures for the
chosen messages. The attack is generic, because it does not depend on A’s public key; the same
attack is used against everyone.
• Directed chosen message attack: Similar to the generic attack, except that the list of messages to
be signed is chosen after C knows A’s public key but before any signatures are seen.
• Adaptive chosen message attack: C is allowed to use A as an “oracle.” This means that C may
request from A signatures of messages that depend on previously obtained message-signature
pairs.
Success at breaking a signature scheme is then defined as an outcome in which C can do any
of the following with a non-negligible probability:
• Total break: C determines A’s private key.
• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of
constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a particular message chosen by C.
• Existential forgery: C forges a signature for at least one message. C has no control over the
message. Consequently, this forgery may only be a minor nuisance to A.

Digital Signature Requirements


Following are the requirements for a digital signature.
• The signature must use some information unique to the sender to prevent both forgery and
denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new
message for an existing digital signature or by constructing a fraudulent digital signature for a
given message.
• It must be practical to retain a copy.
• Be practical to save digital signature in storage
• A secure hash function, embedded in a scheme, provides a basis for satisfying these
requirements. However, care must be taken in the design of the details of the scheme.

Direct Digital Signature

• involves only sender and receiver


• assumed receiver has sender’s public-key
• digital signature made by sender signing entire message or hash with private-key
• can encrypt using the receiver’s public-key
• important to sign first, then encrypt the message and signature
• security depends on sender’s private-key

Digital Signature Characteristics

• A public-key scheme with two key pairs:
– a durable (long-term, permanent) private/public key pair
– a disposable (nonce-like, one-time, per-message) private/public key pair
• Both key pairs are generated by the SENDER.
• The signature is two numbers, depending on the message hash and the secret information.
• A verification calculation succeeds iff the two numbers correctly depend on the secret information.
• The disposable private/public key pair makes the collection of a sender's signatures uncorrelated, so they are hard to break, analytically or statistically.

ELGAMAL DIGITAL SIGNATURE SCHEME

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1984.

 uses the private key for encryption (signing)
 uses the public key for decryption (verification)
 each user generates their own keys; for example, user A generates a key pair as follows:
 chooses a secret key (number) xA with 1 < xA < q-1
 computes the public key: yA = a^xA mod q
 Alice signs a message M to Bob by computing the hash m = H(M), 0 <= m <= (q-1)
 chooses a random integer K with 1 <= K <= (q-1) and gcd(K, q-1) = 1
 computes the temporary key: S1 = a^K mod q
 computes K^-1, the inverse of K mod (q-1)
 computes the value: S2 = K^-1 (m - xA S1) mod (q-1)
 the signature is (S1, S2)

 any user B can verify the signature by computing

 V1 = a^m mod q

 V2 = (yA)^S1 (S1)^S2 mod q

 the signature is valid if V1 = V2

 Example problem:
For example, let us start with the prime field GF(19); that is, q = 19.

It has primitive roots {2, 3, 10, 13, 14, 15}, as shown in the table.

We choose a = 10.

Alice generates a key pair as follows:

1. Alice chooses XA = 16.

2. Then YA = a^XA mod q = 10^16 mod 19 = 4.

3. Alice's private key is 16; Alice's public key is {q, a, YA} = {19, 10, 4}.

Suppose Alice wants to sign a message with hash value m = 14.

1. Alice chooses K = 5, which is relatively prime to q - 1 = 18.

2. S1 = a^K mod q = 10^5 mod 19 = 3 (see Table).

3. K^-1 mod (q - 1) = 5^-1 mod 18 = 11.

4. S2 = K^-1 (m - XA S1) mod (q - 1) = 11 (14 - (16)(3)) mod 18 = -374 mod 18 = 4.

Bob can verify the signature as follows.

1. V1 = a^m mod q = 10^14 mod 19 = 16.

2. V2 = (YA)^S1 (S1)^S2 mod q = (4^3)(3^4) mod 19 = 5184 mod 19 = 16.

Since V1 = V2, the signature is valid.
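The signing and verification steps above, carried through in code with the same parameters (q = 19, a = 10, XA = 16, K = 5, m = 14). This is an added example, not part of the compendium; the function names are chosen here, and the random-K path is an assumption about how K would be drawn in practice.

```python
# Added example (not from the compendium): ElGamal signing and verification,
# written to reproduce the worked numbers q = 19, a = 10, xA = 16, K = 5, m = 14.
from math import gcd
import random

def elgamal_keygen(q, a, x_a):
    """Public key yA = a^xA mod q for a chosen private key xA (1 < xA < q-1)."""
    assert 1 < x_a < q - 1
    return pow(a, x_a, q)

def elgamal_sign(q, a, x_a, m, k=None):
    """Return the signature (S1, S2) on hash value m using per-message secret K."""
    assert 0 <= m <= q - 1
    if k is None:
        # K must be invertible mod q-1, so draw until gcd(K, q-1) == 1.
        while True:
            k = random.randrange(1, q - 1)
            if gcd(k, q - 1) == 1:
                break
    assert gcd(k, q - 1) == 1
    s1 = pow(a, k, q)                        # temporary key S1 = a^K mod q
    k_inv = pow(k, -1, q - 1)                # K^-1 mod (q-1) (Python 3.8+)
    s2 = (k_inv * (m - x_a * s1)) % (q - 1)  # S2 = K^-1 (m - xA S1) mod (q-1)
    return s1, s2

def elgamal_verify(q, a, y_a, m, sig):
    """Valid iff V1 = a^m mod q equals V2 = yA^S1 * S1^S2 mod q."""
    s1, s2 = sig
    if not (1 <= s1 < q):                    # reject an out-of-range S1 outright
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y_a, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2

def worked_example():
    """The page's numbers: expect yA = 4, signature (3, 4), valid for m = 14."""
    q, a, x_a = 19, 10, 16
    y_a = elgamal_keygen(q, a, x_a)
    sig = elgamal_sign(q, a, x_a, 14, k=5)
    ok = elgamal_verify(q, a, y_a, 14, sig)
    # The same signature presented with a different hash value must be rejected.
    tampered = elgamal_verify(q, a, y_a, 15, sig)
    return y_a, sig, ok, tampered

if __name__ == "__main__":
    print(worked_example())   # (4, (3, 4), True, False)
```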


DIGITAL SIGNATURE ALGORITHM (DSA)

DSA (Digital Signature Algorithm) consists of two parts:

Generation of a pair of public key and private key;

Generation and verification of digital signature.

DSA

 creates a 320 bit signature with 512-1024 bit security

 smaller and faster than RSA

 a digital signature scheme only

 security depends on difficulty of computing discrete logarithms

 variant of ElGamal & Schnorr schemes

Generation of a pair of public key and private key


Generation and verification of digital signature

Key management and Distribution

Symmetric Key Distribution Using Symmetric Encryption

For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. The term key distribution technique refers to the means of delivering a key to two parties who wish to exchange data, without allowing others to see the key. For two parties A and B, key distribution can be achieved in a number of ways, as follows:

1. A can select a key and physically deliver it to B.


2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to
the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the
encrypted links to A and B.

Physical delivery (1 & 2) is simplest, but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption, where devices and keys occur in pairs, but does not scale as the number of parties who wish to communicate grows. Option 3 relies on option 1 or 2 having occurred first.

A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). All parties must trust the intermediary not to abuse its knowledge of all session keys. As the number of parties grows, some variant of 4 is the only practical solution to the huge growth in the number of keys potentially needed.
Key distribution centre:

 The use of a key distribution center is based on the use of a hierarchy of keys. At a minimum,
two levels of keys are used.
 Communication between end systems is encrypted using a temporary key, often referred to as
a Session key.
 Typically, the session key is used for the duration of a logical connection and then discarded
 Master key is shared by the key distribution center and an end system or user and used to
encrypt the session key.

Key Distribution Scenario:

Let us assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the connection. A has a master key, Ka, known only to itself and the KDC; similarly, B shares the master key Kb with the KDC. The following steps occur:

1. A issues a request to the KDC for a session key to protect a logical connection to B. The message includes the identity of A and B and a unique identifier, N1, for this transaction, which we refer to as a nonce. The nonce may be a timestamp, a counter, or a random number; the minimum requirement is that it differs with each request. Also, to prevent masquerade, it should be difficult for an opponent to guess the nonce. Thus, a random number is a good choice for a nonce.

2. The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC. The message includes two items intended for A:

 The one-time session key, Ks, to be used for the session
 The original request message, including the nonce, to enable A to match this response with the appropriate request

Thus, A can verify that its original request was not altered before reception by the KDC and, because of the nonce, that this is not a replay of some previous request. In addition, the message includes two items intended for B:

 The one-time session key, Ks, to be used for the session
 An identifier of A (e.g., its network address), IDA

These last two items are encrypted with Kb (the master key that the KDC shares with B). They are to be sent to B to establish the connection and prove A's identity.

3. A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). At this point, a session key has been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable:

4. Using the newly minted session key for encryption, B sends a nonce, N2, to A.

5. Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one).

These steps assure B that the original message it received (step 3) was not a replay.

Note that the actual key distribution involves only steps 1 through 3 but that steps 4 and 5, as well as 3, perform an authentication function.
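The five-step scenario above, simulated end to end with both sides' messages. This is an added example, not from the compendium: Ka and Kb are constructed master keys, the cipher is a toy authenticated construction built from hashlib/hmac (SHA-256 keystream plus an HMAC tag) so that the script runs offline, and f(N2) is taken as "add one" as the text suggests; a real KDC would use a standard authenticated cipher such as AES-GCM.

```python
# Added example (not from the compendium): the KDC session-key scenario,
# steps 1-5, with a toy authenticated cipher standing in for E()/D().
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (for illustration only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj) -> bytes:
    """E(key, obj): nonce || ciphertext || HMAC tag over nonce+ciphertext."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """D(key, blob); raises ValueError if the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def f(n: str) -> str:
    """Step 5 transformation on N2 (here: add one)."""
    return str(int(n) + 1)

def kdc_respond(master_keys: dict, request: dict) -> bytes:
    """Step 2: KDC -> A : E(Ka, [Ks || request || E(Kb, [Ks || IDA])])."""
    ka, kb = master_keys[request["IDA"]], master_keys[request["IDB"]]
    ks = os.urandom(16).hex()                      # one-time session key
    for_b = encrypt(kb, {"Ks": ks, "IDA": request["IDA"]})
    return encrypt(ka, {"Ks": ks, "request": request, "for_B": for_b.hex()})

def run_scenario(master_keys: dict):
    """Returns (A and B hold the same Ks, who B believes it talks to, step 4/5 ok)."""
    ka, kb = master_keys["A"], master_keys["B"]
    # Step 1: A -> KDC : IDA || IDB || N1 (the nonce is a fresh random value)
    request = {"IDA": "A", "IDB": "B", "N1": os.urandom(8).hex()}
    # Step 2: A opens the KDC reply and checks its own request (and N1) is echoed
    reply = decrypt(ka, kdc_respond(master_keys, request))
    if reply["request"] != request:
        raise ValueError("KDC reply does not match A's request (altered or replayed)")
    ks_a = bytes.fromhex(reply["Ks"])
    # Step 3: A -> B : E(Kb, [Ks || IDA]); A forwards it unchanged, it cannot read it
    ticket = decrypt(kb, bytes.fromhex(reply["for_B"]))
    ks_b, peer = bytes.fromhex(ticket["Ks"]), ticket["IDA"]
    # Step 4: B -> A : E(Ks, N2)
    n2 = str(int.from_bytes(os.urandom(4), "big"))
    n2_at_a = decrypt(ks_a, encrypt(ks_b, {"N2": n2}))["N2"]
    # Step 5: A -> B : E(Ks, f(N2)); B checks the answer under the same Ks
    answer = decrypt(ks_b, encrypt(ks_a, {"fN2": f(n2_at_a)}))["fN2"]
    return ks_a == ks_b, peer, answer == f(n2)

def replay_is_rejected(master_keys: dict) -> bool:
    """An old KDC reply replayed to A carries a stale N1 and fails the step-2 check."""
    old = kdc_respond(master_keys, {"IDA": "A", "IDB": "B", "N1": "stale"})
    fresh = {"IDA": "A", "IDB": "B", "N1": os.urandom(8).hex()}
    return decrypt(master_keys["A"], old)["request"] != fresh

if __name__ == "__main__":
    keys = {"A": os.urandom(16), "B": os.urandom(16)}   # constructed master keys
    print(run_scenario(keys), replay_is_rejected(keys))  # (True, 'A', True) True
```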

Major Issues with KDC:

Hierarchical Key Control

 It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established.
 For example, there can be local KDCs, each responsible for a small domain of the overall
internetwork, such as a single LAN or a single building.
 If two entities in different domains desire a shared key, then the corresponding local
KDCs can communicate through a global KDC.
 The hierarchical concept can be extended to three or even more layers, depending on the size
of the user population and the geographic scope of the internetwork.
 A hierarchical scheme minimizes the effort involved in master key distribution, because most
master keys are those shared by a local KDC with its local entities.

Session Key Lifetime

 The distribution of session keys delays the start of any exchange and places a burden on
network capacity. A security manager must try to balance these competing considerations in
determining the lifetime of a particular session key.
 For connection-oriented protocols, one obvious choice is to use the same session key for the
length of time that the connection is open, using a new session key for each new session.
 If a logical connection has a very long lifetime, then it would be prudent to change the
session key periodically, perhaps every time the PDU (protocol data unit) sequence number
cycles.
 For a connectionless protocol, such as a transaction-oriented protocol, there is no explicit
connection initiation or termination.
 Thus, it is not obvious how often one needs to change the session key. The most secure
approach is to use a new session key for each exchange.
 A better strategy is to use a given session key for a certain fixed period only or for a certain
number of transactions.

A Transparent Key Control Scheme

 The approach suggested in Figure 14.3 is useful for providing end-to-end encryption at a network or transport level in a way that is transparent to the end users.
 The approach assumes that communication makes use of a connection-oriented end-to-end protocol, such as TCP.
 The noteworthy element of this approach is a session security module (SSM), which may consist of functionality at one protocol layer, that performs end-to-end encryption and obtains session keys on behalf of its host or terminal.

The steps involved in establishing a connection are shown in Figure 14.4.

1. When one host wishes to set up a connection to another host, it transmits a connection-request packet.
2. The SSM saves that packet and applies to the KDC for permission to establish the connection.
3. The communication between the SSM and the KDC is encrypted using a master key shared only by this SSM and the KDC. If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate SSMs, using a unique permanent key for each SSM.
4. The requesting SSM can now release the connection request packet, and a connection is set up between the two end systems.
5. All user data exchanged between the two end systems are encrypted by their respective SSMs using the one-time session key.

 The automated key distribution approach provides the flexibility and dynamic
characteristics needed to allow a number of terminal users to access a number of hosts and
for the hosts to exchange data with each other.

Decentralized Key Control

 The use of a key distribution center imposes the requirement that the KDC be trusted and be protected from subversion. This requirement can be avoided if key distribution is fully decentralized.
 Although full decentralization is not practical for larger networks using symmetric encryption only, it may be useful within a local context.
 A decentralized approach requires that each end system be able to communicate in a secure manner with all potential partner end systems for purposes of session key distribution.
 Thus, there may need to be as many as n(n − 1)/2 master keys for a configuration with n end systems.
 A session key may be established with the following sequence of steps (Figure 14.5).
1. A issues a request to B for a session key and includes a nonce, N1.
2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N1), and another nonce, N2.
3. Using the new session key, A returns f(N2) to B.

Controlling Key Usage

The concept of a key hierarchy and the use of automated key distribution techniques greatly
reduce the number of keys that must be manually managed and distributed. It also may be
desirable to impose some control on the way in which automatically distributed keys are used. For
example, in addition to separating master keys from session keys, we may wish to define different
types of session keys on the basis of use, such as
 Data-encrypting key, for general communication across a network
 PIN-encrypting key, for personal identification numbers (PINs) used in
electronic funds transfer and point-of-sale applications
 File-encrypting key, for encrypting files stored in publicly accessible locations

To illustrate the value of separating keys by type, consider the risk that a master key is
imported as a data-encrypting key into a device. Normally, the master key is physically secured
within the cryptographic hardware of the key distribution center and of the end systems. Session
keys encrypted with this master key are available to application programs, as are the data encrypted
with such session keys.

However, if a master key is treated as a session key, it may be possible for an unauthorized
application to obtain plaintext of session keys encrypted with that master key.

The proposed technique is for use with DES and makes use of the extra 8 bits in each 64-bit
DES key. That is, the eight non-key bits ordinarily reserved for parity checking form the key tag. The
bits have the following interpretation:

• One bit indicates whether the key is a session key or a master key.
• One bit indicates whether the key can be used for encryption.
• One bit indicates whether the key can be used for decryption.
• The remaining bits are spares for future use.

Because the tag is embedded in the key, it is encrypted along with the key when that key is
distributed, thus providing protection. The drawbacks of this scheme are

1. The tag length is limited to 8 bits, limiting its flexibility and functionality.
2. Because the tag is not transmitted in clear form, it can be used only at the
point of decryption, limiting the ways in which key use can be controlled.

A more flexible scheme, referred to as the control vector, is described here. In this scheme,
each session key has an associated control vector consisting of a number of fields
that specify the uses and restrictions for that session key. The length of the control vector may
vary.The control vector is cryptographically coupled with the key at the time of key generation at
the KDC.

As a first step, the control vector is passed through a hash function that produces a value whose length is equal to the encryption key length. In essence, a hash function maps values from a larger range into a smaller range with a reasonably uniform spread. Thus, for example, if numbers in the range 1 to 100 are hashed into numbers in the range 1 to 10, approximately 10% of the source values should map into each of the target values. The hash value is then XORed with the master key to produce an output that is used as the key input for encrypting the session key. Thus,

Hash value = H = h(CV)

Key input = Km ⊕ H

Ciphertext = E([Km ⊕ H], Ks)

where Km is the master key and Ks is the session key. The session key is recovered in plaintext by the reverse operation:

D([Km ⊕ H], E([Km ⊕ H], Ks))


When a session key is delivered to a user from the KDC, it is accompanied by the
control vector in clear form. The session key can be recovered only by using both the
master key that the user shares with the KDC and the control vector. Thus, the linkage
between the session key and its control vector is maintained.

Use of the control vector has two advantages over use of an 8-bit tag. First, there is
no restriction on length of the control vector, which enables arbitrarily complex controls to
be imposed on key use. Second, the control vector is available in clear form at all stages of
operation. Thus, control of key use can be exercised in multiple locations.
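The control-vector coupling above, worked in code: the KDC wraps Ks under Km ⊕ h(CV), and a user can only unwrap it with the same CV. This is an added example, not from the compendium; the master key, session key and control vector are constructed values, h is SHA-256 truncated to the key length, and E/D is a toy keyed XOR cipher used only so the script runs offline (a real KDC would use a block cipher such as DES or AES here).

```python
# Added example (not from the compendium): control vector cryptographically
# coupled with a session key: Key input = Km XOR h(CV), Ciphertext = E(Key input, Ks).
import hashlib
import json

KEY_LEN = 16  # bytes; constructed key length for the toy

def h(control_vector: dict) -> bytes:
    """Hash the (arbitrary-length) control vector down to the key length."""
    encoded = json.dumps(control_vector, sort_keys=True).encode()
    return hashlib.sha256(encoded).digest()[:KEY_LEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy E(key, block): XOR with a key-derived keystream. Illustration only."""
    return xor(block, hashlib.sha256(b"E" + key).digest()[:len(block)])

toy_decrypt = toy_encrypt   # XOR-based, so D is the same operation as E

def wrap_session_key(km: bytes, ks: bytes, cv: dict) -> bytes:
    """KDC side: Ciphertext = E([Km XOR h(CV)], Ks). CV itself travels in clear."""
    return toy_encrypt(xor(km, h(cv)), ks)

def unwrap_session_key(km: bytes, ciphertext: bytes, cv: dict) -> bytes:
    """User side: Ks = D([Km XOR h(CV)], Ciphertext) using the CV received in clear."""
    return toy_decrypt(xor(km, h(cv)), ciphertext)

def demo():
    """Returns (recovered with the right CV, recovered with an altered CV)."""
    km = bytes(range(KEY_LEN))                                   # constructed master key
    ks = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed session key
    cv = {"type": "data-encrypting", "encrypt": True, "decrypt": True}
    wrapped = wrap_session_key(km, ks, cv)
    recovered = unwrap_session_key(km, wrapped, cv)
    # An application that alters the CV (e.g. to present a PIN-encrypting key as a
    # data-encrypting key) derives a different key input and gets garbage, not Ks.
    altered = dict(cv, type="PIN-encrypting")
    wrong = unwrap_session_key(km, wrapped, altered)
    return recovered == ks, wrong == ks

if __name__ == "__main__":
    print(demo())   # (True, False)
```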

SYMMETRIC KEY DISTRIBUTION USING ASYMMETRIC ENCRYPTION

 Once public keys have been distributed or have become accessible, secure
communication that thwarts eavesdropping, tampering, or both, is possible.
 Public-key encryption provides for the distribution of secret keys to be used for
conventional encryption.
Simple Secret Key Distribution

 A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
 B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
 A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
 A discards PUa and PRa and B discards PUa.

Here a third party can intercept messages and then either relay the intercepted message or substitute another message. Such an attack is known as a man-in-the-middle attack.

Secret Key Distribution with Confidentiality and Authentication:

 A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
 B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
 A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
 A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
 B computes D(PUa, D(PRb, M)) to recover the secret key.
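The four-message exchange above, simulated so that both nonce checks and the sign-then-encrypt nesting E(PUb, E(PRa, Ks)) can be followed step by step. This is an added example, not from the compendium: it uses textbook RSA (no padding) over small constructed primes, so E(PU, x) and E(PR, x) are literally modular exponentiation, and the nonces, identifier and bit-packing of [IDA || N1] and [N1 || N2] are constructed for the toy; real systems use padded RSA or hybrid encryption.

```python
# Added example (not from the compendium): secret key distribution with
# confidentiality and authentication, messages (1)-(4), over textbook RSA.

ID_A = 0x41                  # constructed numeric identifier of A
NONCE_BITS = 16              # constructed nonce width for the toy packing

def rsa_keypair(p, q, e=65537):
    """Textbook RSA: PU = (e, n), PR = (d, n). p and q are constructed primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, x):
    """E(PU, x) or E(PR, x): x^k mod n, the same operation for either half."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("message too large for this modulus")
    return pow(x, k, n)

def run_exchange(pu_a, pr_a, pu_b, pr_b, ks, n1, n2):
    """Returns (A is sure the peer is B, B is sure the peer is A, Ks as recovered by B)."""
    mask = (1 << NONCE_BITS) - 1
    # (1) A -> B : E(PUb, [IDA || N1]); only B can open it
    msg1 = rsa_apply(pu_b, (ID_A << NONCE_BITS) | n1)
    n1_at_b = rsa_apply(pr_b, msg1) & mask
    # (2) B -> A : E(PUa, [N1 || N2]); B can only know N1 by having decrypted (1)
    msg2 = rsa_apply(pu_a, (n1_at_b << NONCE_BITS) | n2)
    body = rsa_apply(pr_a, msg2)
    n1_echo, n2_at_a = body >> NONCE_BITS, body & mask
    a_trusts_b = (n1_echo == n1)
    # (3) A -> B : E(PUb, N2); only A could have read N2 from (2)
    msg3 = rsa_apply(pu_b, n2_at_a)
    b_trusts_a = (rsa_apply(pr_b, msg3) == n2)
    # (4) A -> B : M = E(PUb, E(PRa, Ks)): sign with PRa first, then encrypt with PUb
    msg4 = rsa_apply(pu_b, rsa_apply(pr_a, ks))
    ks_at_b = rsa_apply(pu_a, rsa_apply(pr_b, msg4))   # D(PUa, D(PRb, M))
    return a_trusts_b, b_trusts_a, ks_at_b

def demo():
    # Constructed primes; n_a < n_b so that E(PRa, Ks) always fits under B's modulus.
    pu_a, pr_a = rsa_keypair(1000003, 1000033)
    pu_b, pr_b = rsa_keypair(1000037, 1000039)
    ks, n1, n2 = 0xC0FFEE, 0x1234, 0xBEEF          # constructed key and nonces
    return run_exchange(pu_a, pr_a, pu_b, pr_b, ks, n1, n2)

if __name__ == "__main__":
    print(demo())   # (True, True, 12648430)
```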

A Hybrid Scheme:
Yet another way to use public-key encryption to distribute secret keys is a hybrid approach.

 This scheme retains the use of a key distribution center (KDC) that shares a secret
master key with each user and distributes secret session keys encrypted with the
master key.
 A public key scheme is used to distribute the master keys.
 The addition of a public-key layer provides a secure, efficient means of distributing
master keys.
Distribution of Public Keys:

Several techniques have been proposed for the distribution of public keys, which can mostly be
grouped into the categories shown.

 Public announcement
 Publicly available directory
 Public-key authority
 Public-key certificates

Public Announcement of Public Keys

The point of public-key encryption is that the public key is public; hence any participant can send his or her public key to any other participant, or broadcast the key to the community at large, e.g., by appending PGP keys to email messages or posting them to newsgroups or email lists.

Its major weakness is forgery: anyone could pretend to be user A and send a public key to another participant or broadcast such a public key. Until the forgery is discovered, they can masquerade as the claimed user.
Publicly Available Directory

 greater security can be obtained by registering keys with a public directory
 the directory must be trusted and have the following properties:

 The authority maintains a directory with a {name, public key} entry for each participant.
 Each participant registers a public key with the directory authority.
 A participant may replace the existing key with a new one at any time because the corresponding private key has been compromised in some way.
 Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.

This scheme is clearly more secure than individual public announcements but still has
vulnerabilities.
If an adversary succeeds in obtaining or computing the private key of the directory
authority, the adversary could authoritatively pass out counterfeit public keys and subsequently
impersonate any participant and eavesdrop on messages sent to any participant. Another way to
achieve the same end is for the adversary to tamper with the records kept by the authority.

Public-Key Authority:

 Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory.
 It requires users to know the public key for the directory, and that they interact with the directory in real time to obtain any desired public key securely.
 A total of seven messages are required.
1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.

2. The authority responds with a message that is encrypted using the authority's private key,
PRauth Thus, A is able to decrypt the message using the authority's public key. Therefore, A is
assured that the message originated with the authority. The message includes the following:

 B's public key, PUb which A can use to encrypt messages destined for B

 The original request, to enable A to match this response with the corresponding earlier
request and to verify that the original request was not altered before reception by the
authority.
 The original timestamp, so A can determine that this is not an old message from the
authority containing a key other than B's current public key.

3. A stores B's public key and also uses it to encrypt a message to B containing an identifier
of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.

4. B retrieves A's public key from the authority in the same manner as A retrieved B's
public key.
5. At this point, public keys have been securely delivered to A and B, and they may begin
their protected exchange. However, two additional steps are desirable:

6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B.

7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Public-Key Certificates

 With a public-key authority, a user must appeal to the authority for a public key for every other user that it wishes to contact, and the authority is vulnerable to tampering too.
 Public-key certificates can be used to exchange keys without contacting a public-key authority.
 A certificate binds an identity to a public key, with all contents signed by a trusted Public-Key or Certificate Authority (CA).
 This can be verified by anyone who knows the public-key authority's public key.

A participant can also convey its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority.
We can place the following requirements on this scheme:

1. Any participant can read a certificate to determine the name and public key
of the certificate's owner.
2. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.

4. Any participant can verify the currency of the certificate.

One scheme has become universally accepted for formatting public-key certificates: the X.509 standard. X.509 certificates are used in most network security applications, including IP security, secure sockets layer (SSL), secure electronic transactions (SET), and S/MIME.
Multiple choice questions

1. Key distribution center plays a role [NPTEL]

A) to distribute ciphertexts among users. B) to reduce the risk in exchanging keys.

C) Both A) and B) D) none of the above

ANSWER:

2. Authentication means ______________________ [NPTEL]

A) Verification of user's identification B) Verification of the data

C) Both (A) or (B) D) None of the above

ANSWER:

1. Digital signature is applicable for which cryptosystem?

A) Symmetric-key B) Asymmetric-key C) Both (A) or (B) D) Neither (A) nor (B)

ANSWER:

2. Digital signature provides

A) Authentication B) Non repudiation C) Both (A) and (B) D) Neither (A) nor (B)

ANSWER:

3. Authentication means ______________________

A) Verification of user's identification B) Verification of the data

C) Both (A) or (B) D) None of the above

ANSWER:
4. Certification authority issues the digital certificate which must include

A) The signer’s private key and identity B) The signer’s public key and identity

C) The certificate authority’s private key D) A certificate revocation list

ANSWER:
Exercise problem

Suppose that the message to be signed is numerically encoded so that m = 15. Alice chooses the prime p = 71 with primitive root α = 7. Her secret integer is z = 16. Verify whether the signature is valid or not using the ElGamal digital signature scheme.
Previous JNTU Questions

Short answer questions

1) What are the properties that a digital signature should have?


2) Write short note on Elgamal encryption.

Long answer questions

1) Write down the steps involved in Elgamal Digital Signature Scheme used for authenticating a
person.
2) Differentiate digital signature from digital certificate.
3) Describe the attacks on digital signatures.
4) Write short notes on DSA.
5) Write short notes on key distribution. [R15-Dec 2018]
Week-10

Kerberos

 Kerberos is a network authentication protocol from MIT.

 It is designed to provide strong authentication for client/server applications

 provides centralised third-party authentication in a distributed network

 allows users access to services distributed through network

 without needing to trust all workstations

 rather all trust a central authentication server

 two versions in use: 4 & 5

How does Kerberos work?

• Instead of client sending password to application server:

– Request Ticket from authentication server

– Ticket and encrypted request sent to application server

• How to request tickets without repeatedly sending credentials?

– Ticket granting ticket (TGT)

To accomplish secure authentication, Kerberos uses a trusted third party known as a key
distribution center (KDC).

Kerberos v4 Overview

 a basic third-party authentication scheme

 have an Authentication Server (AS)

 users initially negotiate with AS to identify self

 AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)

 have a Ticket Granting Server (TGS)

 users subsequently request access to other services from TGS on the basis of their TGT

 using a complex protocol using DES

Kerberos Advantages

The Kerberos protocol is designed to be secure even when performed over an insecure
network.
• Since each transmission is encrypted using an appropriate secret key, an attacker cannot
forge a valid ticket to gain unauthorized access to a service without compromising an
encryption key or breaking the underlying encryption algorithm, which is assumed to be secure.

• Kerberos is also designed to protect against replay attacks, where an attacker eavesdrops
legitimate Kerberos communications and retransmits messages from an authenticated party to
perform unauthorized actions.

– The inclusion of time stamps in Kerberos messages restricts the window in which an attacker
can retransmit messages.

– Tickets may contain the IP addresses associated with the authenticated party to prevent
replaying messages from a different IP address.

– Kerberized services make use of a “replay cache,” which stores previous authentication
tokens and detects their reuse.

• Kerberos makes use of symmetric encryption instead of public-key encryption, which makes
Kerberos computationally efficient

• The availability of an open-source implementation has facilitated the adoption of Kerberos.

Kerberos Disadvantages

• Kerberos has a single point of failure: if the Key Distribution Center becomes unavailable, the
authentication scheme for an entire network may cease to function.

– Larger networks sometimes prevent such a scenario by having multiple KDCs, or having
backup KDCs available in case of emergency.

• If an attacker compromises the KDC, the authentication information of every client and server
on the network would be revealed.

• Kerberos requires that all participating parties have synchronized clocks, since time stamps
are used.
Kerberos v4 Dialogue

Kerberos Realms

• a Kerberos environment consists of:

– a Kerberos server

– a number of clients, all registered with server

– application servers, sharing keys with server

• this is termed a realm

– typically a single administrative domain

• if have multiple realms, their Kerberos servers must share keys and trust
• Kerberos version 5 supports inter realm authentication
Kerberos version 5

Version 4 was really intended to be used in a somewhat closed environment. Several environmental improvements are introduced in version 5 to make Kerberos a general-purpose authentication service. Also, several technical deficiencies are corrected.

Environmental shortcomings:

Encryption system: Version 4 required the use of DES, in version 5 any encryption algorithm
can be used.

Internet protocol dependence: Version 4 required the use of Internet Protocol, in version 5 any
type of networking can be used.

Authentication forwarding: in version 5 a server can access other servers on behalf of the user
by forwarding tickets.

Inter-realm authentication: In version 4, interoperability between N realms requires N^2 Kerberos-to-Kerberos relationships. Version 5 supports a mechanism to reduce this number.

An important feature of Kerberos 5 is the use of ticket flags that are used to control many new
supported features of version 5.

Double encryption: in version 4 there is double encryption on the ticket provided to the client, first with the server's secret key and subsequently with a key known to the client. This is unnecessary and computationally wasteful, and so Kerberos version 5 eliminates it.

Ticket lifetime: The 8-bit encoding of lifetime values in Kerberos IV, in units of 5 minutes, allows a lifetime of a little over 21 hours [7]. This fixed lifetime may be inadequate for some applications (e.g., a long-running simulation that requires valid Kerberos credentials throughout execution). The fixed lifetime in Kerberos IV also makes it vulnerable to brute-force and replay attacks, since a user has enough time to guess passwords. In version 5, tickets include an explicit start time and end time, allowing tickets with arbitrary lifetimes.

Session keys: In version IV, tickets are issued with a session key used for the encryption of the authenticator by the client. This session key could be used subsequently by both the client and server for message protection. This, however, poses a replay-type security risk, especially with a long lifetime of 21 hours. Kerberos version 5 offers a modification to this by providing for a subsession key negotiated by the client and server for only a single connection, with a new one for any subsequent connection.
1. Draw architecture of Kerberos v4

2. Write Kerberos v4 Dialogue

3. For a client-server authentication, the client requests from the KDC a ________ for access to
a specific asset.
a) ticket

b) local

c) token

d) user

ANS:

4. Which version of Kerberos uses Data Encryption Standard? (nptel)

a) 1

b)2

c) 4

d) 5

Ans :

5. Kerberos provides ___________ service

a) Encipherment

B) Decipherment

c) Authentication

d)All

Ans:

6. TGT is given to the user by

a) Authentication Server

b) Ticket Granting Server

c) Both

d) None

X.509 Authentication Service


• X.509 is part of the X.500 series of recommendations that define a directory service, i.e., a distributed set of servers that maintains a database about users.
• The information includes a mapping from user name to network address, together with a certificate.
• These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user.
• The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates.
• Each certificate contains the public key of a user and is signed with the private key of a CA.
• It is used in S/MIME, IP Security, SSL/TLS and SET.
• The use of RSA is recommended.

X.509 Formats:

 Certificates are digital documents that are used for secure authentication of
communicating parties.
 A certificate binds identity information about an entity to the entity's public
key for a certain validity period.
 A certificate is digitally signed by a trusted third party (TTP) who has verified
that the key pair actually belongs to the entity.
 Certificates can be thought of as analogous to passports, which guarantee the
identity of their bearers.
 Authorities: The trusted party who issues certificates to the identified end
entities is called a Certification Authority (CA).
 Certification authorities can be thought of as being analogous to governments
issuing passports for their citizens.
 Certification authorities can be managed by an external certification service
provider, or the CA can belong to the same organization as the end entities.
 CAs can also issue certificates to other (sub) CAs. This leads to a tree-like
certification hierarchy.
 The highest trusted CA in the tree is called a root CA.
The general format of a certificate is shown above, which includes the following elements:

 Version: Differentiates among the successive versions of the certificate format (1, 2, or 3);
refer to the diagram for the differences between versions.

 Serial number: An integer value, unique within the issuing CA, that is unambiguously
associated with this certificate.

 Signature algorithm identifier: The algorithm used to sign the certificate, together with any
associated parameters. This information is repeated in the Signature field at the end of the
certificate.

 Issuer name: X.500 name of the CA that created and signed this certificate.

 Period of validity: Consists of two dates: the first and last on which the certificate is
valid.

 Subject name: The name of the user to whom the certificate refers, i.e., the X.500 name
of the owner of the key.

 Subject public-key info: The public key of the subject plus an identifier of the algorithm
for which this key is to be used, together with any associated parameters.

 Issuer unique identifier: An optional bit string field used to identify uniquely the issuing
CA in the event that the X.500 name has been reused for different entities.

 Subject unique identifier: An optional bit string field used to identify uniquely the
subject in the event that the X.500 name has been reused for different entities.

 Extension fields: A set of one or more extension fields. Extensions were added in
version 3.

 Signature: Covers all the other fields of the certificate. It contains the hash code of the
other fields encrypted with the CA's private key, together with the signature algorithm
identifier.

The standard uses the following notation to define a certificate:

CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}

where

Y <<X>> = the certificate of user X issued by certification authority Y

Y {I} = the signing of I by Y. It consists of I with an encrypted hash code appended.

Revocation of Certificates

Typically, a new certificate is issued just before the expiration of the old one. In addition, it may
be desirable on occasion to revoke a certificate before it expires, for one of the following
reasons:

 The user's private key is assumed to be compromised.

 The user is no longer certified by this CA.

 The CA's certificate is assumed to be compromised.


Each CA must maintain a list consisting of all revoked but not expired certificates issued by that
CA, including both those issued to users and to other CAs. These lists should also be posted on
the directory.

Each certificate revocation list (CRL) posted to the directory is signed by the issuer and includes
the issuer's name, the date the list was created, the date the next CRL is scheduled to be issued,
and an entry for each revoked certificate. Each entry consists of the serial number of a
certificate and revocation date for that certificate. Because serial numbers are unique within a
CA, the serial number is sufficient to identify the certificate.

Authentication Procedures:

X.509 also includes three alternative authentication procedures that are intended for use
across a variety of applications. All these procedures make use of public-key signatures. It is
assumed that the two parties know each other's public key, either by obtaining each other's
certificates from the directory or because the certificate is included in the initial message from
each side.

1. One-Way Authentication: One-way authentication involves a single transfer of information
from one user (A) to another (B), and establishes the details shown above. Note that only the
identity of the initiating entity is verified in this process, not that of the responding entity. At a
minimum, the message includes a timestamp, a nonce, and the identity of B, and is signed with
A's private key. The message may also include information to be conveyed, such as a session
key for B.

2. Two-Way Authentication: Two-way authentication permits both parties in a communication
to verify the identity of the other, thus additionally establishing the above details. The reply
message includes the nonce from A, to validate the reply. It also includes a timestamp and a
nonce generated by B, and possibly additional information for A.

3. Three-Way Authentication: Three-way authentication includes a final message from A to B,
which contains a signed copy of the nonce, so that timestamps need not be checked. It is used
when synchronized clocks are not available.
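The certificate notation CA<<A>> = CA {V, SN, AI, CA, TA, A, Ap}, the CRL check described under Revocation of Certificates, and the three-way authentication procedure above, worked through as one added Python example. This is constructed for these notes; it is not code from the X.509 standard or from any certificate library. Assumptions: textbook RSA over SHA-256 with small, well-known primes stands in for the signature algorithm, canonical JSON stands in for the ASN.1/DER encoding, dates and timestamps are plain integers, and the dictionary keys V, SN, AI, CA, TA, A, Ap mirror the notation above.

```python
import hashlib
import json
import secrets

# Constructed RSA parameters: known small primes, far too small for real use.
def make_keypair(p=104729, q=1299709, e=65537):
    """Return (public, private) textbook RSA keys as dicts."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}

def _hash(fields):
    """Hash the canonical JSON encoding of the fields (stand-in for DER) to an int."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, fields):
    """Y{I}: the hash code of I encrypted with Y's private key."""
    return pow(_hash(fields) % priv["n"], priv["d"], priv["n"])

def verify(pub, fields, sig):
    return pow(sig, pub["e"], pub["n"]) == _hash(fields) % pub["n"]

def issue_certificate(ca_name, ca_priv, serial, subject, subject_pub, not_before, not_after):
    """CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}: the CA signs every other field."""
    body = {"V": 3, "SN": serial, "AI": "demo-rsa-sha256", "CA": ca_name,
            "TA": [not_before, not_after], "A": subject, "Ap": subject_pub}
    return {"body": body, "signature": sign(ca_priv, body)}

def make_crl(ca_name, ca_priv, this_update, next_update, revoked):
    """Signed CRL: issuer, issue dates, and (serial, revocation date) entries."""
    body = {"issuer": ca_name, "thisUpdate": this_update, "nextUpdate": next_update,
            "revoked": [{"SN": sn, "date": date} for sn, date in revoked]}
    return {"body": body, "signature": sign(ca_priv, body)}

def validate_certificate(cert, ca_name, ca_pub, crl, now):
    """Return None if the certificate is acceptable at time `now`, else the reason."""
    body = cert["body"]
    if body["CA"] != ca_name or not verify(ca_pub, body, cert["signature"]):
        return "bad signature or unexpected issuer"
    if not body["TA"][0] <= now <= body["TA"][1]:
        return "outside validity period"
    if crl["body"]["issuer"] != ca_name or not verify(ca_pub, crl["body"], crl["signature"]):
        return "CRL not signed by the CA"
    if crl["body"]["nextUpdate"] < now:
        return "CRL is stale"
    if any(entry["SN"] == body["SN"] for entry in crl["body"]["revoked"]):
        return "certificate revoked"
    return None

class Party:
    """One side of the exchange; remembers nonces it has accepted to refuse replays."""
    def __init__(self, name, priv):
        self.name, self.priv, self.seen = name, priv, set()

    def signed(self, msg):
        return {"msg": msg, "sig": sign(self.priv, msg)}

    def accept(self, signed, peer_pub, expect=None):
        """Check the signature, that the message is addressed to us, and expected nonces."""
        msg = signed["msg"]
        if not verify(peer_pub, msg, signed["sig"]) or msg.get("to") != self.name:
            return False
        return all(msg.get(k) == v for k, v in (expect or {}).items())

def three_way(a, b, a_pub, b_pub, ra=None):
    """X.509 three-way authentication. Each party already knows the other's public
    key (from a validated certificate). Timestamps tA and tB are carried but not
    checked: returning the peer's nonce proves freshness instead."""
    ra = ra or secrets.token_hex(8)
    m1 = a.signed({"from": a.name, "to": b.name, "tA": 0, "rA": ra})          # A -> B
    if not b.accept(m1, a_pub) or m1["msg"]["rA"] in b.seen:
        return False                                            # bad signature or replayed nonce
    b.seen.add(m1["msg"]["rA"])
    rb = secrets.token_hex(8)
    m2 = b.signed({"from": b.name, "to": a.name, "tB": 0, "rB": rb, "rA": ra})  # B -> A
    if not a.accept(m2, b_pub, {"rA": ra}):
        return False                                            # reply does not carry A's nonce
    m3 = a.signed({"from": a.name, "to": b.name, "rB": rb})                   # A -> B
    return b.accept(m3, a_pub, {"rB": rb})

if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair()
    a_pub, a_priv = make_keypair(1299709, 15485863)
    b_pub, b_priv = make_keypair(104729, 15485863)
    cert_a = issue_certificate("DemoCA", ca_priv, 1001, "A", a_pub, 100, 200)
    crl = make_crl("DemoCA", ca_priv, 120, 180, [(7, 110)])
    print(validate_certificate(cert_a, "DemoCA", ca_pub, crl, now=150))    # None: acceptable
    print(three_way(Party("A", a_priv), Party("B", b_priv), a_pub, b_pub))  # True
```

Each party validates the peer's certificate against the CA's public key and a fresh CRL before the exchange; inside the exchange, every message is signed and addressed to its recipient, and each side proves freshness by returning the other's nonce, which is why the three-way variant can leave the timestamps unchecked. A first message whose nonce B has already accepted is rejected as a replay.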

X.509 Version 3

The X.509 version 2 format does not convey all of the information that recent design and
implementation experience has shown to be needed.

 The Subject field is inadequate to convey the identity of a key owner to a public-key
user. X.509 names may be relatively short and lacking in obvious identification details
that may be needed by the user.

 The Subject field is also inadequate for many applications, which typically recognize
entities by an Internet e-mail address, a URL, or some other Internet-related
identification.

 There is a need to indicate security policy information. This enables a security
application or function, such as IPSec, to relate an X.509 certificate to a given policy.

 There is a need to limit the damage that can result from a faulty or malicious CA by
setting constraints on the applicability of a particular certificate.

 It is important to be able to identify different keys used by the same owner at different
times. This feature supports key life cycle management, in particular the ability to update key
pairs for users and CAs on a regular basis or under exceptional circumstances.

Rather than continue to add fields to a fixed format, standards developers felt that a more
flexible approach was needed. X.509 version 3 includes a number of optional extensions that
may be added to the version 2 format. Each extension consists of an extension identifier, a
criticality indicator, and an extension value. The criticality indicator indicates whether an
extension can be safely ignored or not: a certificate user that does not recognize a critical
extension must reject the certificate, whereas an unrecognized non-critical extension may be
ignored.
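An added example, constructed for these notes and not taken from the standard or any library, of how a certificate user processes version 3 extensions. Each extension is an (identifier, criticality indicator, value) triple: an unrecognized critical extension causes rejection, an unrecognized non-critical one is ignored, and the recognized ones are applied as constraints. The names keyUsage, subjectAltName, basicConstraints and certificatePolicies are real RFC 5280 extension names, but the value encodings, the acceptance policy and the sample extension list are assumptions; the policy identifier 2.999.1 lies in the OID arc reserved for examples.

```python
# Extensions this verifier understands; anything else is "unrecognized".
KNOWN_EXTENSIONS = {"keyUsage", "subjectAltName", "basicConstraints", "certificatePolicies"}

def _dns_match(pattern, host):
    """Match a dNSName entry; a leading '*' covers exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return all(x == y or (i == 0 and x == "*") for i, (x, y) in enumerate(zip(p, h)))

def evaluate_extensions(extensions, *, host=None, usage=None, as_ca=False,
                        chain_depth=0, policy=None):
    """Return (accepted, notes) for a list of (name, critical, value) extensions."""
    notes, seen = [], {}
    for name, critical, value in extensions:
        if name in seen:
            return False, notes + [f"duplicate extension {name}"]
        if name not in KNOWN_EXTENSIONS:
            if critical:                       # must not be silently ignored
                return False, notes + [f"unrecognized critical extension {name}"]
            notes.append(f"ignored non-critical extension {name}")
            continue
        seen[name] = value
    # basicConstraints limits the damage a mis-issued certificate can do: only a
    # subject marked as a CA may issue, and only pathLen more levels below it.
    bc = seen.get("basicConstraints", {"cA": False})
    if as_ca:
        if not bc.get("cA"):
            return False, notes + ["subject is not a CA (basicConstraints)"]
        if "pathLen" in bc and chain_depth > bc["pathLen"]:
            return False, notes + ["certification path exceeds pathLenConstraint"]
    # Absent keyUsage is treated as "no restriction" (assumed policy).
    if usage and usage not in seen.get("keyUsage", [usage]):
        return False, notes + [f"keyUsage does not permit {usage}"]
    # Internet identities live in subjectAltName, not in the X.500 subject name.
    if host:
        names = [v for kind, v in seen.get("subjectAltName", []) if kind == "dNSName"]
        if not names:
            return False, notes + ["no dNSName in subjectAltName to match host against"]
        if not any(_dns_match(n, host) for n in names):
            return False, notes + [f"{host} does not match subjectAltName"]
    if policy and policy not in seen.get("certificatePolicies", []):
        return False, notes + [f"certificate not issued under policy {policy}"]
    return True, notes

# Constructed sample: the extensions of a v3 end-entity certificate.
SAMPLE_EXTENSIONS = [
    ("keyUsage", True, ["digitalSignature", "keyEncipherment"]),
    ("subjectAltName", False, [("dNSName", "www.example.com"),
                               ("dNSName", "*.api.example.com"),
                               ("rfc822Name", "admin@example.com")]),
    ("certificatePolicies", False, ["2.999.1"]),   # example-arc policy OID
    ("x-vendor-telemetry", False, "opaque"),        # private, non-critical: ignored
]

if __name__ == "__main__":
    print(evaluate_extensions(SAMPLE_EXTENSIONS, host="v1.api.example.com",
                              usage="digitalSignature"))
```

The same function serves both an end-entity check (host and key usage) and a CA check (as_ca with the chain depth), so the constraints in the bullet list above are all enforced from the one extension list.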

Public Key Infrastructure (PKI)

 RFC 2822 (Internet Security Glossary) defines a Public Key Infrastructure (PKI).

 Public Key Infrastructure (PKI) is a system of facilities, policies, and services that
supports the use of public key cryptography for authenticating the parties involved in a
transaction.
 There is no single standard that defines the components of a Public Key Infrastructure,
but a PKI typically comprises certification authorities (CAs) and registration authorities
(RAs).
 CAs provide the following services:

 Issuing digital certificates
 Validating digital certificates
 Revoking digital certificates
 Distributing public keys

 The X.509 standards provide the basis for the industry-standard Public Key
Infrastructure.

PKIX Architecture Model:


 End entity: A generic term used to denote end users, devices (e.g., servers, routers), or
any other entity that can be identified in the subject field of a public-key certificate. End
entities typically consume and/or support PKI-related services.
 Certification authority (CA): The issuer of certificates and (usually) certificate revocation
lists (CRLs). It may also support a variety of administrative functions, although these are
often delegated to one or more Registration Authorities.
 Registration authority (RA): An optional component that can assume a number of
administrative functions from the CA. The RA is often associated with the end entity
registration process.
 CRL issuer: An optional component that a CA can delegate to publish CRLs.
 Repository: A generic term used to denote any method for storing certificates and CRLs
so that they can be retrieved by end entities.

PKIX Management Functions:


PKIX identifies a number of management functions that potentially need to be supported
by management protocols. These are indicated in Figure 14.17 and include the following:

 Registration: This is the process whereby a user first makes itself known to a CA
(directly or through an RA), prior to that CA issuing a certificate or certificates for that
user. Registration begins the process of enrolling in a PKI. Registration usually involves
some offline or online procedure for mutual authentication. Typically, the end entity is
issued one or more shared secret keys used for subsequent authentication.
 Initialization: Before a client system can operate securely, it is necessary to install key
materials that have the appropriate relationship with keys stored elsewhere in the
infrastructure. For example, the client needs to be securely initialized with the public
key and other assured information of the trusted CA(s), to be used in validating
certificate paths.
 Certification: This is the process in which a CA issues a certificate for a user’s public key,
returns that certificate to the user’s client system, and/or posts that certificate in a
repository.
 Key pair recovery: Key pairs can be used to support digital signature creation and
verification, encryption and decryption, or both. When a key pair is used for
encryption/decryption, it is important to provide a mechanism to recover the necessary
decryption keys when normal access to the keying material is no longer possible,
otherwise it will not be possible to recover the encrypted data. Loss of access to the
decryption key can result from forgotten passwords/ PINs, corrupted disk drives,
damage to hardware tokens, and so on. Key pair recovery allows end entities to restore
their encryption/decryption key pair from an authorized key backup facility (typically,
the CA that issued the end entity’s certificate)
 Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new
key pair) and new certificates issued. Update is required when the certificate lifetime
expires and as a result of certificate revocation.
 Revocation request: An authorized person advises a CA of an abnormal situation
requiring certificate revocation. Reasons for revocation include private-key compromise,
change in affiliation, and name change.
 Cross certification: Two CAs exchange information used in establishing a cross-
certificate. A cross-certificate is a certificate issued by one CA to another CA that
contains a CA signature key used for issuing certificates.
MCQs
1. The subject unique identifier of the X.509 certificates was added in which version? [GATE]

a) 1
b) 2
c) 3
d) 4 [ ]

2. Which of the following is not an element/field of the X.509 certificates? [GATE]

a) Issuer Name
b) Serial Modifier
c) Issuer unique Identifier
d) Signature [ ]

3. Certificates generated by X that are the certificates of other CAs are Reverse Certificates.
[GATE]

a) True
b) False [ ]

4. It is desirable to revoke a certificate before it expires because [GATE]

a) the user is no longer certified by this CA


b) the CA’s certificate is assumed to be compromised
c) the user’s private key is assumed to be compromised
d) all of the mentioned [ ]

5. CRL stands for

a) Cipher Reusable List


b) Certificate Revocation Language
c) Certificate Revocation List
d) Certificate Resolution Language [ ]
6. “Conveys any desired X.500 directory attribute values for the subject of this certificate.”
[GATE]
Which Extension among the following does this refer to?

a) Subject alternative name


b) Issuer Alternative name
c) Subject directory attributes
d) None of the mentioned [ ]

7. In public key infrastructure, the end entity is used to denote _________________________.

8. __________________ defines a Public Key Infrastructure (PKI) as a system of facilities,
policies, and services.

Diagrams

1) Draw the diagram for the X.509 authentication protocol.

2) Draw the architecture for PKIX.
Previous JNTU Questions

1. Explain Kerberos v4 in detail.

2. Explain X.509 in detail.
