Vtu network security(10 ec832) unit 3 notes.

NETWORK SECURITY (10EC832)
8th SEM E&C
JAYANTHDWIJESH H P M.tech (DECS)
Assistant Professor – Dept of E&CE
B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T)
B.G Nagara, Nagamangala Tq, Mandya District- 571448

NETWORK SECURITY 10EC832
Dept. of ECE, BGSIT, BG Nagara, Mandya Page 1
UNIT - 3
Principles of Public-Key Cryptosystems, The RSA algorithm, Key Management, Diffie -
Hellman Key Exchange, Elliptic Curve Arithmetic, Authentication functions, Hash
Functions.
1 PRINCIPLES OF PUBLIC KEY CRYPTOSYSTEM
1.1 Public-Key Cryptosystems
 Public key cryptography is a cryptographic system that uses two separate keys, one of
which is secret and the other one is public.
Figure1 Public-Key Cryptography

 The algorithms used for public key cryptography are based on mathematical functions.
 A public-key encryption scheme has six parts: Public Key Cryptography
 Plaintext: This is the readable message or data that is fed into the algorithm as input.
 Encryption algorithm: The encryption algorithm performs various transformations
on the plaintext.
 Public and private keys: This is a pair of keys that have been selected so that if one
is used for encryption, the other is used for decryption.
 Cipher text: This is the scrambled message produced as output. It depends on the
plaintext and the key
 Decryption algorithm: This algorithm accepts the cipher text and the matching key
and produces the original plaintext.
 Any cryptosystem is designed to meet the following goal
1. Secrecy (Encryption)
2. Authentication
1.2 Public Key Cryptosystem: Secrecy: Public Key Cryptography
Figure 2 Public-Key Cryptosystem: Secrecy

 The essential steps are the following: Public Key Cryptography
 Each user generates a pair of keys to be used for the encryption and decryption of
messages.
 Each user places one of the two keys in a public register or other accessible files. This
is the public key. The other key is kept private.
 If A wishes to send a confidential message to B, A encrypts the message using B’s
public key.
 When B receives the message, it decrypts it using the private key. No other recipient
can decrypt the message because only B knows B’s private key.
 As long as a user’s private key remains protected and secret, the incoming
communication is secure.
 At any time, a system can change its private key and publish the companion public
key to replace its old public key.
 Suppose there is some source A that produces a message in plaintext, X = [X1, X2, . . . ,
XM] and sends it to
 B generates a related pair of keys: a public key, PUb, and a private key, PRb. PUb is
publicly available and therefore accessible by A.
 With the message X and the encryption key PUb as input, A forms the cipher text Y = [Y1,
Y2…. YN]:
Y = E (PUb, X)
 The intended receiver, having the matching private key, is able to decrypt the message:
X = D (PRb, Y)
 An adversary, observing Y and having access to Pub only, may attempt to recover X
and/or PRb. If the adversary interested only in this particular message, then the focus of
effort is to recover X by generating a plaintext estimate.
 Whereas if the adversary interested in being able to read future messages as well, then he
attempts to recover PRb by generating an estimate.

1.3 Public Key Cryptosystem: Authentication: Public Key Cryptography
Figure 3 Public-Key Cryptosystem: Authentication
 However, the above scheme does not provide authentication of the sender as anyone
having access to the public key can encrypt the message.
 Public-key encryption can use to provide authentication in the following manner:
 When A wishes to send a message to B where confidentiality not needed but
authentication required, A encrypts the message using PRa.
 Anyone having access to PUa can decrypt the message. However, one thing is sure
that the message originated from A since no one except A could have encrypted the
message using PRa.
 A prepares a message to B and encrypts it using A’s private key before transmitting it.
Y = E (PRa, X)
 B can decrypt the message using A’s public key.
X = D (PUa, Y)
 Because the message encrypted using A’s private key, only A could have prepared the
message. Therefore, the entire encrypted message serves as a digital signature.

 In addition, it impossible to alter the message without access to A’s private key, so the
message authenticated both in terms of source and in terms of data integrity.
 However, the entire message needs to store to bring up in case of dispute.
 A more efficient way of achieving the same results is to encrypt a small block of bits that
is a function of the document.
 Such a block called an authenticator.
 It must have the property that it is infeasible to change the document without changing
the authenticator.
 If the authenticator encrypted with the sender’s private key, it serves as a signature.
1.4 Conventional and Public-Key Encryption [DEC-2010(5M)], [DEC-2014/JAN-2015(5M)]
Table1: Conventional and Public-Key Encryption
1.5 Public-Key Cryptosystem: Authentication and Secrecy:
It is possible to provide both the authentication function and confidentiality by a double use
of the public-key scheme (Figure 4):

In this case, we begin as before by encrypting a message, using the sender’s private key. This
provides the digital signature. Next, we encrypt again, using the receiver’s public key. The
final cipher text can be decrypted only by the intended receiver, who alone has the matching
private key. Thus, confidentiality is provided. The disadvantage of this approach is that the
public-key algorithm, which is complex, must be exercised four times rather than two in each
communication.
Figure 4 Public-Key Cryptosystem: Authentication and Secrecy
1.6 Applications for Public-Key Cryptosystems
Before proceeding, we need to clarify one aspect of public-key cryptosystems that is
otherwise likely to lead to confusion. Public-key systems are characterized by the use of a
cryptographic algorithm with two keys, one held private and one available publicly.
Depending on the application, the sender uses either the sender’s private key or the receiver’s
public key, or both, to perform some type of cryptographic function. In broad terms, we can
classify the use of public-key cryptosystems into three categories
 Encryption/decryption: The sender encrypts a message with the recipient’s public key.
 Digital signature: The sender “signs” a message with its private key. Signing is achieved
by a cryptographic algorithm applied to the message or to a small block of data that is a
function of the message.
 Key exchange: Two sides cooperate to exchange a session key. Several different
approaches are possible, involving the private key(s) of one or both parties.

2 THE RSA ALGORITHM DEC-2011[8M], DEC-2012[6M], DEC 2013/JAN 2014[10M], DEC-
2014/JAN-2015[4M], JUNE/JULY 2011[8M], MAY/JUNE 2010[4M].
 RSA algorithm processes plaintext blocks, with each block having a binary value less
than some number n.
 The block size must be less than or equal to log2 (n) + 1.
 Steps for RSA:
Select two large prime numbers p and q
 Calculate n = pq.
 Calculate (n) = (p – 1) (q – 1).
 Select e such that e is relatively prime to ϕ (n).
 Compute d such that d*e ≡ 1 (mod ϕ (n)).
 Moreover, RSA is a public key algorithm with public key PU = {e, n} and private key PR
= {d, n}.
 Encryption and decryption are of the following form, for some plaintext block M and
cipher text block C:
C = Me
mod n
M = Cd
mod n
M= (Me
) d
mod n
 For the above equation to be true, d must be an inverse of e.
 D can be calculated from e using extended Euclid’s algorithm.
 Both sender and receiver must know the value of n.
 The sender knows the value of e, and only the receiver knows the value of d.
 RSA can also be subjected to various attacks like brute-force attack, various mathematical
attacks, timing attacks and chosen cipher text attacks.
 Some of these attacks exploit the mathematical characteristics of RSA.
RSA Example
1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate f(n) = (p - 1)(q - 1) = 16 * 10 = 160.
4. Select e such that e is relatively prime to f(n) = 160 and less than f(n); we
5. Choose e = 7.
6. d = e-1
mod 160 = 23 (can be calculated by extended Euclid’s algorithm).

7. Now, PU = { 7, 187 } and PR = { 23, 187 }
8. If M = 88, then by RSA
Encryption: RSA Algorithm
C = 887
mod 187
= [88 X 882
X 884
] mod 187
= 11
Decryption: RSA Algorithm
Here, C = 11. M = 1123
mod 187
= [11 X 112
X 114
X 118
X 118
] mod 187 = 88
Computational Aspects of RSA
Exponentiation in Modular Arithmetic
 Both encryption and decryption in RSA involve calculating huge exponents, mod n.
 If the exponentiation is done over the integers and then reduced modulo n, the
intermediate values would be extremely large.
 However, the following property of modular arithmetic makes the calculation practical:
[(a mod n) x (b mod n)] mod n = (a x b) mod n]
The efficiency of exponentiation:
 Moreover, RSA deals with very large exponents.
 But this operation can implement efficiently.
 Consider x16
. A straightforward approach requires multiplying x 16 times.
 But, the same can be achieved by only four multiplications – x2
,( x2
)2
= x4
,
 And (x4)2
= x8
, (x8)2
=x16
.
Efficient operation using the public key:
 To speed up the operation of the RSA algorithm using the public key, a specific choice of
“e” usually made.
 The most common choice is 65537 (216
+ 1) two other popular choices are 3 and 17.
The Security of RSA
Five possible approaches to attacking the RSA algorithm are
 Brute force: This involves trying all possible private keys.

 Mathematical attacks: There are several approaches, all equivalent in effort to Factoring
the product of two primes.
 Timing attacks: These depend on the running time of the decryption algorithm.
 Hardware fault-based attack: This involves inducing hardware faults in the Processor
that is generating digital signatures.
 Chosen cipher text attacks: This type of attack exploits properties of the RSA
Algorithm.
The Factoring Problem
We can identify three approaches to attacking RSA mathematically.
1. Factor n into its two prime factors. This enables calculation of (n) = (p - 1) x (q - 1),
which in turn enables determination of d  𝑒−1
(mod (n)).
2. Determine (n) directly, without first determining p and q. Again, this enables
Determination of d  𝑒−1
(mod (n)).
3. Determine d directly, without first determining (n).
3 DIFFIE-HELLMAN KEY EXCHANGE. DEC-2012[10M], JUNE/JULY-2013, DEC -
2014/JAN-2015, DEC-2012[6M], JAN-2016[10], JUNE/JULY 2017[5M], JUNE 2012[8M]
 The Diffie-Hellman algorithm depends for its effectiveness on the difficulty of computing
discrete logarithms.
 a primitive root of a prime number p is one whose powers modulo p generate all the
integers from 1 to p - 1. That is, if a is a primitive root of the prime number p, then the
numbers
are distinct and consist of the integers from 1 through p - 1 in some permutation.
 For any integer b and a primitive root a of prime number p, we can find a unique
exponent i such that
 The exponent i is referred to as the discrete logarithm of b for the base a, mod p. We
express this value as d log 𝑎. 𝑝(b).

Table 2: the Diffie Hellman key exchange algorithm
The Algorithm
 Figure 5 summarizes the Diffie-Hellman key exchange algorithm. For this scheme,
there are two publicly known numbers: a prime number q and an integer a that is a
primitive root of q. Suppose the users A and B wish to create a shared key.

 Similarly, user B independently selects a random integer 𝑋 𝐵 < q and computes
 Each side keeps the X value private and makes the Y value available publicly to the
other side. Thus, 𝑋𝐴 is A’s private key and 𝑌𝐴 is A’s corresponding public key, and
similarly for B.
 User A computes the key as K = 𝑌𝐴
𝑋𝐴
mod q and user B computes the key as K =
𝑌𝐴
𝑋𝐵
mod q. These two calculations produce identical results:

 The result is that the two sides have exchanged a secret value. Typically, this secret
value is used as shared symmetric secret key.
Fig (a)

Fig (b)
Figure 5(a &b) the Diffie-Hellman Key Exchange
 Now consider an adversary who can observe the key exchange and wishes to
determine the secret key K. Because 𝑋𝐴 and 𝑋 𝐵 are private, an adversary only has
the following ingredients to work with: q, , 𝑌𝐴 and 𝑌𝐵. Thus, the adversary is forced
to take a discrete logarithm to determine the key. For example, to determine the
private key of user B, an adversary must compute
 The adversary can then calculate the key K in the same manner as user B calculates it.
That is, the adversary can calculate K as
 The security of the Diffie-Hellman key exchange lies in the fact that, while it is
relatively easy to calculate exponentials modulo a prime, it is very difficult to
calculate discrete logarithms. For large primes, the latter task is considered infeasible.

In this simple example, it would be possible by brute force to determine the secret key 160. In
particular, an attacker E can determine the common key by discovering a solution to the
equation 3 𝑎
mod 353 = 40 or the equation 3 𝑏
mod 353 = 248. The brute-force approach is to
calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The
desired answer is reached with the exponent value of 97, which provides 397
mod 353 = 40.
With larger numbers, the problem becomes impractical.
4 ELLIPTICAL CURVES ARITHMETIC
 The principal attraction of ECC, compared to RSA, is that it appears to offer equal
security for a far smaller key size, thereby reducing processing overhead.
 ECC is fundamentally more difficult to explain than either RSA or Diffie- Hellman.
Elliptic Curves over Real Numbers
Elliptic curves are not ellipses. They are so named because they are described by cubic
equations, similar to those used for calculating the circumference of an ellipse. In general,
cubic equations for elliptic curves take the following form, known as a Weierstrass
equation:
where a, b, c, d, e are real numbers and x and y take on values in the real numbers. For our
purpose, it is sufficient to limit ourselves to equations of the form
- - - - - (1)
Such equations are said to be cubic, or of degree 3, because the highest Exponent they
contain is a 3. Also included in the definition of an elliptic curve is a single element denoted
O and called the point at infinity or the zero point, which we discuss subsequently. To plot
such a curve, we need to compute
For given values of a and b, the plot consists of positive and negative values of y for each
value of x. Thus, each curve is symmetric about y = 0. Figure 6 shows two examples of
elliptic curves. As you can see, the formula sometimes produces weird looking curves.
Now, consider the set of points E (a, b) consisting of all of the points (x, y) that satisfy
Equation (1) together with the element O. Using a different value of the pair (a, b) results in a

different set E (a, b). Using this terminology, the two curves in Figure 6 depict the sets E (-1,
0) and E (1, 1), respectively.
Geometric Description of Addition
It can be shown that a group can be defined based on the set E (a, b) for specific values of a
and b in Equation (1) provided the following condition is met:
- - - - - - - - - (2)
To define the group, we must define an operation, called addition and denoted by +, for the
set E (a, b), where a and b satisfy Equation (2). In geometric terms, the rules for addition can
be stated as follows: If three points on an elliptic curve lie on a straight line, their sum is O.
From this definition, we can define the rules of addition over an elliptic curve.
1. O serves as the additive identity. Thus O = -O; for any point P on the elliptic curve, P
+ O = P. In what follows, we assume P ≠ O and Q ≠ O.
2. The negative of a point P is the point with the same x coordinate but the negative of
the y coordinate; that is, if P = (x, y), then -P = (x, -y). Note that these two points can
be joined by a vertical line. Note that P + (-P) = P - P = O.
3. To add two points P and Q with different x coordinates, draw a straight line between
them and find the third point of intersection R. It is easily seen that there is a unique
point R that is the point of intersection (unless the line is tangent to the curve at either
P or Q, in which case we take R = P or R = Q, respectively). To form a group
structure, we need to define addition on these three points: P + Q = -R. That is, we
define P + Q to be the mirror image (with respect to the x axis) of the third point of
intersection. Figure 6 illustrates this construction.
4. The geometric interpretation of the preceding item also applies to two points, P and -
P, with the same x coordinate. The points are joined by a vertical line, which can be
viewed as also intersecting the curve at the infinity point. We therefore have P + (-P)
= O, which is consistent with item (2).
5. To double a point Q, draw the tangent line and find the other point of intersection S.
Then Q + Q = 2Q = -S.

Figure 6 Examples of Elliptic Curves
Algebraic description of addition:
 In this subsection, we present some results that enable calculation of additions over
elliptic curves.
 For two distinct points, P = (𝑥 𝑝, 𝑦 𝑄) and Q = (𝑥 𝑄, 𝑦 𝑄), that are not negatives of each
other, the slope of the line l that joins them is Δ = (𝑦 𝑄 - 𝑦𝑝) /(𝑥 𝑞 - 𝑥 𝑝 ) .
 There is exactly one other point where l intersects the elliptic curve, and that is the
negative of the sum of P and Q. After some algebraic manipulation, we can express
the sum R = P + Q as

We also need to be able to add a point to itself: P + P = 2P = R. When 𝑦𝑝≠ 0, the expressions
are
5 MESSAGE AUTHENTICATIONS JUNE/JULY-2011[6M]
Message Authentication is a mechanism or service used to verify the integrity of a
message. Message authentication assures that data received are exactly as sent by (i.e.,
contain no modification, insertion, deletion, or replay) and that the purported identity of the
sender is valid.
5.1 MESSAGE AUTHENTICATION REQUIREMENTS OR NEED FOR MESSAGE
AUTHENTICATION
In the context of communications across a network, the following attacks can be identified.
1. Disclosure: Release of message contents to any person or process not possessing the
appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. Traffic analysis
reveals information like the frequency and length of messages between parties and the
communicating parties could determine.
3. Masquerade: Impersonating other person and sending messages.
4. Content modification: Changes to the contents of a message, including insertion,
deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

5.2 MESSAGE AUTHENTICATION FUNCTIONS
Any message authentication or digital signature mechanism has two levels of functionality.
At the lower level, there must be some sort of function that produces an authenticator: a value
to be used to authenticate a message. This lower-level function is then used as a primitive in a
higher-level authentication protocol that enables a receiver to verify the authenticity of a
message.
This section is concerned with the types of functions that may be used to produce an
authenticator. These may be grouped into three classes.
1. Hash function: A function that maps a message of any length into a fixed length hash
value, which serves as the authenticator
2. Message encryption: The cipher text of the entire message serves as its authenticator
3. Message authentication code (MAC): A function of the message and a secret key
that produces a fixed-length value that serves as the authenticator.
5.2.1 Message Encryption:-
Message encryption by itself can provide a measure of authentication. The analysis differs for
symmetric and public-key encryption schemes.
A. Symmetric Encryption
Fig 7(a)
 Consider the straightforward use of symmetric encryption (Figure 7(a)). A message M
transmitted from source A to destination B is encrypted using a secret key K shared
by A and B. If no other party knows the key, then confidentiality is provided: No
other party can recover the plaintext of the message.
Figure8 (a) and Figure8 (b)
 The plaintext to have some structure that is easily recognized but that cannot be
replicated without recourse to the encryption function. We could, for example, append
an error-detecting code, also known as a frame check sequence (FCS) or checksum, to
each message before encryption, as illustrated in Figure8(a). A prepares a plaintext
message M and then provides this as input to a function F that produces an FCS. The
FCS is appended to M and the entire block is then encrypted. At the destination, B
decrypts the incoming block and treats the results as a message with an appended
FCS. B applies the same function F to attempt to reproduce the FCS. If the calculated
FCS is equal to the incoming FCS, then the message is considered authentic. It is
unlikely that any random sequence of bits would exhibit the desired relationship.

 The sequence illustrated in Figure 8(a) is referred to in [DIFF79] as Internal error
control, which the authors contrast with external error control Figure 8(b).
Figure 7 Basic Uses of Message Encryption

Table 3 Confidentiality and authentication implications of message encryption (see
figure 7)
Figure 8 Internal and External Error Control

Public-Key Encryption
Figure 7(b)
The straightforward use of public-key encryption (Figure 7 b) provides confidentiality but not
authentication. The source (A) uses the public key K𝑈𝑏of the destination (B) to encrypt M.
Because only B has the corresponding private key K𝑅 𝑏, only B can decrypt the message. This
scheme provides no authentication, because any opponent could also use B’s public key to
encrypt a message and claim to be A.
Figure7(c)
To provide authentication, A uses its private key to encrypt the message, and B uses A’s
public key to decrypt (Figure7(c)). This provides authentication using the same type of
reasoning as in the symmetric encryption case: The message must have come from A because
A is the only party that possesses K𝑅 𝑎 and therefore the only party with the information
necessary to construct cipher text that can be decrypted with K𝑈𝑎.
Figure (d)
To provide both confidentiality and authentication, A can encrypt M first using its private
key, which provides the digital signature, and then using B’s public key, which provides
confidentiality (Figure 7(d)). The disadvantage of this approach is that the public-key
algorithm, which is complex, must be exercised four Times rather than two in each
communication.
5.3 MESSAGE AUTHENTICATION CODE JUNE/JULY -2015[8M]
An alternative authentication technique involves the use of a secret key to generate a small
fixed-size block of data known as cryptographic checksum or MAC that is appended to the
message.
This technique assumes that two communicating parties, say A and B share a common secret
key K. When A has a message to send to B, it calculates the MAC as a function of the
message and the key: MAC = 𝐶 𝐾(M)
Where
M= input message
C = MAC function
K = shared secrete key
MAC = message authentication code.


Figure 9 Basic uses of message authentication (MAC)
Table 4: Basic user of message authentication code C (see figure9)

6. HASH FUNCTION DEC-2010[10M], DEC-2014/JAN-2015[6M], DEC-2012[8M], MAY/JUNE-
2010[6M]
 A variation on the message authentication code is the one way hash function. As with the
message authentication code, a hash function accepts a variable size message M as input
and produces a fixed size output, referred to as a hash code H (M).
 Unlike a MAC, a hash code does not use a key but is a function only of the input
message.
 The hash code is also referred to as a message digest or hash value.
 The hash code is a function of all the bits of message and provides an error detection
capability.
Below figure 10 illustrate a variety of ways in which a hash code can be used to provide
message authentication, as follows:
a. The message plus concatenated hash code is encrypted using symmetric encryption. This
is identical in structure to the internal error control strategy shown in figure 8(a) the same
line of reasoning applies: because A and B share the secret key, the message must have
come from A and hash not been altered. The hash code provides the structure or
redundancy required to achieve authentication. Because encryption is applied to the entire
message plus hash code. Confidentiality is also provided.
b. Only the hash code is encrypted, using symmetric encryption. This reduces the processing
burden for those applications that do not require confidentiality. Note that the
combination of hashing and encryption result in an overall function that is , in fact, a
MAC (figure 9 a). that is 𝐸𝑘 [H(M)] is a function of a variable length message M and a
secret key K, and it produces a fixed size output that is secure against an opponent who
does not know the secret key.
c. Only the hash code is encrypted, using public key encryption and using the senders
private key. As with (b), this provides authentication. It also provides a digital signature,
because only the sender could have produced the encrypted hash code. In fact, this is the
essence of the digital signature technique.
d. If confidentiality as well as a digital signature is desired, then the message plus the public
key encrypted hash code can be encrypted using a symmetric secret key. This is a
common technique.
e. This technique uses a hash function but no encryption for message authentication. The
technique assumes that the two communicating parties share a common of M and S and

appends the resulting hash value to M. Because the secret value it self is not sent, an
opponent cannot modify an intercepted message and cannot generate d false message.
f. Confidentiality can be added to the approach of (e) by encrypting the entire message plus
the hash code.
When confidentiality is not required methods (b) and (c) have an advantage over those
that encrypt the entire message in that less computation is required. Nevertheless, there has
been growing interest in techniques that avoid encryption figure (10 e).
Table 5 basic uses of Hash function H ( see figures below)

Figure 10 Basic uses of hash function

6.1 REQUIREMENTS FOR A HASH FUNCTION JUNE/JULY-2011[6M], JUNE/JULY-
2017[5M]
 Purpose of the HASH function is to produce a “fingerprint.
 Properties of a HASH function H :
1. H can be applied to a block of data at any size.
2. H produces a fixed length output.
3. H(x) is easy to compute for any given x. making both hardware and software
implementations’ practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h.
this is sometimes referred to in the literature as the one way property.
5. For any given block x, it is computationally infeasible to find with H(y) = H(x). This
is sometimes referred to as weak collision resistance.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is
sometimes referred to as strong collision resistance.
7 KEY MANAGEMENT
One of the major roles of public-key encryption has been to address the problem of
key distribution. There are actually two distinct aspects to the use of public-key cryptography
in this regard:
 The distribution of public keys
 The use of public-key encryption to distribute secret keys
We examine each of these areas in turn.
7.1 Distribution of Public Keys DEC-2011[8M], JUNE/JULY-2014[8M]
Several techniques have been proposed for the distribution of public keys. Virtually
all these proposals can be grouped into the following general schemes:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates

7.1.1 Public Announcement of Public Keys
 On the face of it, the point of public-key encryption is that the public key is public.
 Thus, if there is some broadly accepted public-key algorithm, such as RSA, any
participant can send his or her public key to any other participant or broadcast the key
to the community at large (Figure 10.1).
 For example, Because of the growing popularity of PGP (pretty good privacy) which
makes use of RSA, many PGP users have adopted the practice of appending their
public key to messages that they send to public forums, such as USENET newsgroups
and Internet mailing lists.
Figure 11. Uncontrolled Public-Key Distribution
 Although this approach is convenient, it has a major weakness.
 Anyone can forge such a public announcement. That is, some user could pretend to
be user A and send a public key to another participant or broadcast such a public key.
 Until such time as user A discovers the forgery and alerts other participants, the forger
is able to read all encrypted messages intended for A and can use the forged keys for
authentication.
7.1.2 Publicly Available Directory
 A greater degree of security can be achieved by maintaining a publicly available dynamic
directory of public keys.

 Maintenance and distribution of the public directory would have to be the responsibility
of some trusted entity or organization (Figure 12). Such a scheme would include the
following elements:
1. The authority maintains a directory with a {name, public key} entry for each
participant.
2. Each participant registers a public key with the directory authority. Registration
would have to be in person or by some form of secure authenticated communication.
3. A participant may replace the existing key with a new one at any time, either because
of the desire to replace a public key that has already been used for a large amount of
data, or because the corresponding private key has been compromised in some way.
4. Participants could also access the directory electronically. For this purpose, secure,
authenticated communication from the authority to the participant is mandatory.
Figure 12. Public-Key Publication
 This scheme is clearly more secure than individual public announcements but still has
vulnerabilities.
 If an adversary succeeds in obtaining or computing the private key of the directory
authority, the adversary could authoritatively pass out counterfeit public keys and
subsequently impersonate any participant and eavesdrop on messages sent to any
participant.

 Another way to achieve the same end is for the adversary to tamper with the records kept
by the authority.
7.1.3 Public-Key Authority DEC-2012[6M]
 Stronger security for public-key distribution can be achieved by providing tighter control
over the distribution of public keys from the directory.
 A typical scenario is illustrated in Figure 13, which is based on a figure in [POPE79].
 As before, the scenario assumes that a central authority maintains a dynamic directory of
public keys of all participants.
 In addition, each participant reliably knows a public key for the authority, with only the
authority knowing the corresponding private key.
 The following steps (matched by number to Figure 13) occur:
1. A sends a time stamped message to the public-key authority containing a request for
the current public key of B.
2. The authority responds with a message that is encrypted using the authority's private
key, KRauth Thus, A is able to decrypt the message using the authority's public key.
Therefore, A is assured that the message originated with the authority. The message
includes the following:
 B's public key, KUb which A can use to encrypt messages destined for B.
 The original request, to enable A to match this response with the corresponding
earlier request and to verify that the original request was not altered before reception
by the authority.
 The original timestamp, so A can determine that this is not an old message from the
authority containing a key other than B's current public key.
3. A stores B's public key and also uses it to encrypt a message to B containing an
identifier of A (I𝐷𝐴) and a nonce (N1), which is used to identify this transaction
uniquely.
4&5. B retrieves A's public key from the authority in the same manner as A retrieved B's
public key.
At this point, public keys have been securely delivered to A and B, and they may begin
their protected exchange. However, two additional steps are desirable:

6. B sends a message to A encrypted with KUa and containing A's nonce (N1) as well as a
new nonce generated by B (N2) Because only B could have decrypted message (3), the
presence of N1 in message (6) assures A that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
Figure 13. Public-Key Distribution Scenario
Thus, a total of seven messages are required. However, the initial four messages need
be used only infrequently because both A and B can save the other's public key for future use,
a technique known as caching.
7.1.4 Public-Key Certificates
 The scenario of figure 13 is attractive, yet it has some drawbacks.
 The public-key authority could be somewhat of a bottleneck in the system, for a user
must appeal to the authority for a public key for every other user that it wishes to
contact.
 As before, the directory of names and public keys maintained by the authority is
vulnerable to tampering.
 An alternative approach, first suggested by Kohnfelder [KOHN78], is to use
certificates that can be used by participants to exchange keys without contacting a

public-key authority, in a way that is as reliable as if the keys were obtained directly
from a public-key authority.
 In essence, a certificate consists of a public key plus an identifier of the key owner,
with the whole block signed by a trusted third party.
 Typically, the third party is a certificate authority, such as a government agency or a
financial institution, that is trusted by the user community.
 A user can present his or her public key to the authority in a secure manner, and
obtain a certificate.
 The user can then publish the certificate. Anyone needed this user's public key can
obtain the certificate and verify that it is valid by way of the attached trusted
signature.
 A participant can also convey its key information to another by transmitting its
certificate. Other participants can verify that the certificate was created by the
authority.
 We can place the following requirements on this scheme:
1. Any participant can read a certificate to determine the name and public key of the
certificate's owner.
2. Any participant can verify that the certificate originated from the certificate
authority and is not counterfeit.
3. Only the certificate authority can create and update certificates.
These requirements are satisfied by the original proposal in [KOHN78]. Denning [DENN83]
added the following additional requirement:
4. Any participant can verify the currency of the certificate.
 A certificate scheme is illustrated in Figure 14. Each participant applies to the certificate
authority, supplying a public key and requesting a certificate.
 Application must be in person or by some form of secure authenticated communication.
For participant A, the authority provides a certificate of the form
𝐶𝐴 = 𝐸 𝐾𝑅 𝑎𝑢𝑡 ℎ
[T, I𝐷𝐴,𝐾𝑈𝑎 ]
 Where 𝐾𝑅 𝑎𝑢𝑡 ℎis the private key used by the authority and T is a timestamp. A may then
pass this certificate on to any other participant, who reads and verifies the certificate as
follows:
DKU auth
[CA] = DKU auth
[EKRauth
[ T, IDA,KUa]] = (T, IDA , KUa )

Figure 14. Exchange of Public-Key Certificates
 The recipient uses the authority's public key, KUauth to decrypt the certificate.
 Because the certificate is readable only using the authority's public key, this verifies
that the certificate came from the certificate authority.
 The elements IDA and KUa provide the recipient with the name and public key of the
certificate's holder.
 The timestamp T validates the currency of the certificate.
7.2 Public – key distribution of secret keys OR Distribution of Secret Keys Using Public-
Key Cryptography
 Once public keys have been distributed or have become accessible, secure
communication that thwarts eavesdropping, tampering, or both is possible.
 However, few users will wish to make exclusive use of public-key encryption for
communication because of the relatively slow data rates that can be achieved.
 Accordingly, public-key encryption provides for the distribution of secret keys to be
used for conventional encryption.

7.2.1 Simple Secret Key Distribution
 An extremely simple scheme was put forward by Merkle [MERK79], as illustrated in
Figure 15.
 If A wishes to communicate with B, the following procedure is employed:
1. A generates a public/private key pair {KUa, KRa} and transmits a message to B
consisting of KUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
3. A computes DKRa
[EKU a
[ KS]] to recover the secret key. Because only A can
decrypt the message, only A and B will know the identity of Ks.
4. A discards KUa and KRa and B discards KUa.
Figure 15. Simple Use of Public-Key Encryption to Establish a Session Key
 A and B can now securely communicate using conventional encryption and the
session key Ks. At the completion of the exchange, both A and B discard Ks.
 No keys exist before the start of the communication and none exist after the
completion of communication. Thus, the risk of compromise of the keys is minimal.
At the same time, the communication is secure from eavesdropping.
 The protocol depicted in Figure 15 is insecure against an adversary who can intercept
messages and then either relay the intercepted message or substitute another message.
Such an attack is known as a man-in-the-middle attack [RIVE84].
 In this case, if an adversary, E, has control of the intervening communication channel,
then E can compromise the communication in the following fashion without being
detected:
1. A generates a public/private key pair {KUa, KRa} and transmits a message intended for B
consisting of KUa and an identifier of A, IDA.
2. E intercepts the message, creates its own public/private key pair {KUe, KRe} and
transmits KUe || IDA to B.
3. B generates a secret key, Ks, and transmits EKU e
(Ks).

4. E intercepts the message, and learns Ks by computing DKRe
[EKU e
[Ks]).
5. E transmits EKU a
[ Ks] to A.
 The result is that both A and B know Ks and are unaware that Ks has also been
revealed to E.
 A and B can now exchange messages using Ks E no longer actively interferes with the
communications channel but simply eavesdrops. Knowing Ks, E can decrypt all
messages, and both A and B are unaware of the problem.
7.2.2 Secret Key Distribution with Confidentiality and Authentication
 Figure 16, based on an approach suggested in [NEED78], provides protection against
both active and passive attacks.
 We begin at a point when it is assumed that A and B have exchanged public keys by one
of the schemes described earlier in this section. Then the following steps occur:
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA)
and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with KUa and containing A's nonce (N1) as well as
a new nonce generated by B (N2) Because only B could have decrypted message (1), the
presence ofN1 in message (2) assures A that the correspondent is B.
Figure 16. Public-Key Distribution of Secret Keys
3. A returns N2encrypted using B's public key, to assure B that its correspondent is A.

4. A selects a secret key Ks and sends M = EKUb
[EKRa
[Ks]).to B. Encryption of this
message with B's public key ensures that only B can read it; encryption with A's private
key ensures that only A could have sent it.
5. B computes DKU a
[DKRb
[M]).to recover the secret key.
7.2.3 A Hybrid Scheme
 Yet another way to use public-key encryption to distribute secret keys is a hybrid
approach in use on IBM mainframes [LE93].
 This scheme retains the use of a key distribution center (KDC) that shares a secret
master key with each user and distributes secret session keys encrypted with the
master key.
 A public key scheme is used to distribute the master keys. The following rationale is
provided for using this three-level approach:
 Performance: There are many applications, especially transaction-oriented
applications, in which the session keys change frequently. Distribution of session keys
by public-key encryption could degrade overall system performance because of the
relatively high computational load of public-key encryption and decryption. With a
three-level hierarchy, public-key encryption is used only occasionally to update the
master key between a user and the KDC.
 Backward compatibility: The hybrid scheme is easily overlaid on an existing KDC
scheme, with minimal disruption or software changes.
 The addition of a public-key layer provides a secure, efficient means of distributing
master keys. This is an advantage in a configuration in which a single KDC serves a
widely distributed set of users.

QUESTION BANK –NETWORK SECURITY
UNIT-3
DEC-2010
1. Distinguish b/w conventional and public key encryption methods. [05]
2. In a public key system using RSA, the cipher text received is C=10. With a public key
{e=5, n=35}, deduce the plain text. Verify the answer by encryption process.[10M]
3. With the help of a block diagram, explain the process of public key exchange with the
help of certificate authority.[5M]
4. What is a hash function? What are the basic uses of a hash function? [10M]
DEC-2011
1. Describe RSA algorithm and discuss the security of RSA.[8M]
2. Explain the different techniques proposed for distribution of public keys.[8M]
3. In RSA system it is given p=7, q=11, e=17, m=8. Find the cipher text C. Also find M
from decryption. [4M]
DEC-2012
1. Explain any three communication methods, using Hash function with neat diagram.[8M]
2. Explain Diffie – Hellman key exchange algorithm.[6M]
3. Compare RSA and DSS approach.[6M]
JUNE/JULY-2013
1. Explain Diffie – Hellman key exchange algorithm.[10M]
2. Perform encryption and decryption using RSA algorithm for n=3, q=11, e=07 and m=5.
[10M]
DEC 2013/JAN 2014
1. Explain RSA algorithm. In a public key system using RSA, intercept the cipher text C=
10 sent to user, whose public key is e=5, n=35. What is the plain text M? [10M]
2. Explain the mechanism proposed for distribution of public keys. [10M]
DEC-2014/JAN-2015
1. Distinguish b/w conventional and public key encryption methods.[04M]
2. Write RSA algorithm.[06M]
3. Explain Diffie – Hellman key exchange algorithm. [04M]

4. With neat diagram, describe any three communication methods using hash function.
[06M]
DEC-2012
1. Explain any three communication methods using Hash function with neat diagram. [08M]
2. Explain Diffie – Hellman key exchange algorithm. [06M]
3. Illustrate how key are distributed b/w the user. Using public key authority service. [06M]
JAN-2016
1. Write a short note on hash function. [5M]
2. In a RSA algorithm system, the cipher text received is C=10 with a public key pu= {5,
35}, deduce the plain text. Verify the answer by encryption process. [10M]
3. Explain Diffie-Hellman key exchange algorithm. Also calculate the YA, YB and secret
key (k) for q=23, alpha = 07, X a = 3 and X b =6. [10M]
JUNE/JULY 2011
1) Explain the RSA algorithm in detail. [8M]
2) Define the classes of message authentication functions. [6M]
3) Describe the requirement for a Hash function. [6M]
JUNE/JULY 2017
1) Describe the requirement for a hash function. [5M]
2) Explain Diffie Hellman key exchange algorithm with example. [5M]
3) Explain the RSA algorithm. In a RSA algorithm system it is given that p=7, q=11, c=17
and M=8. Find the cipher text “c” and decrypt “c” to set plain text M.[10M]
MAY/JUNE 2010
1. Write the RSA algorithm. [4M]
2. Define the elliptic curve over Zp. Also write the corresponding addition formula.[4M]
3. In Diffie – Hellman key exchange, q=71, its primitive root alpha=7. A’s private key is 5,
B’s private key is 12. Find 1) A’s public key 2) B’s public key 3) Shared secret key.[6M]
4. With neat diagrams. Describe any three ways in which hash functions can be used.[6M]
JUNE 2012
1) Discuss Deffie Hellman key exchange algorithm. Explain how deffie – Hellman algorithm
is used to exchange secret key. [10M]

Vtu network security(10 ec832) unit 3 notes.

Vtu network security(10 ec832) unit 3 notes.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Vtu network security(10 ec832) unit 3 notes.

Similar to Vtu network security(10 ec832) unit 3 notes. (20)

More from Jayanth Dwijesh H P

More from Jayanth Dwijesh H P (16)

Recently uploaded

Recently uploaded (20)

Vtu network security(10 ec832) unit 3 notes.