
1152CS101 - Cryptography and Network Security

The document discusses symmetric and asymmetric key cryptography. It begins with an introduction to number theory, including definitions of prime numbers, prime factors, Fermat's theorem, and Euler's theorem. It then explains Euler's totient function, which counts the number of positive integers less than n that are relatively prime to n. Finally, it provides examples to illustrate Fermat's theorem and Euler's theorem.

Uploaded by

tonykarthi17

SCHOOL OF COMPUTING

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

Academic Year 2020-21 : Summer Semester

1152CS101 – Cryptography and Network Security

Pre-requisites

Sl. No    Course Code    Course Name
1         1151CS111      Computer Networks

Mr. A. Arul Prasath, Assistant Professor, Department of CSE. Slot: S3
Course Outcomes

CO Nos.   Course Outcomes   Level of learning domain (Based on revised Bloom’s)

CO1 Explain various Cryptographic Techniques. K3

CO2 Apply various public key cryptography techniques. K3

CO3 Implement Hashing and Digital Signature techniques. K3

CO4 Explain various Security Applications. K2

CO5 Implement system level security applications. K3

K2-Understand, K3-Apply

06/01/21 Mr.A.Arul Prasath, AP/CSE, Vel Tech 2


Correlation of COs with POs and PSOs

COs PO1 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 PO12 PSO 1 PSO 2 PSO 3

CO1 H M L L

CO2 M L L H L

CO3 M M M L M M M

CO4 M M M L H M H

CO5 M L M L L L M

H – High; M – Medium; L - Low

Syllabus Content
Unit – I Foundations of Cryptography and Block Cipher
Techniques
OSI Security Architecture - Security Attacks and Services. Mathematical
Tools for Cryptography: Substitutions and Permutations, Design Principle of
Block ciphers: DES and Triple DES- AES- RC5.
Unit – II Symmetric & Asymmetric Key Cryptography
Introduction to Number Theory : Prime numbers- Chinese remainder theorem-
Fermat and Euler’s theorem - RSA- Public Key Management - Diffie-Hellman
key Exchange- Elliptic curve Cryptography.
Unit – III Authentication and Hash Function
Authentication requirements - Authentication functions - Message
Authentication Codes - Hash Functions - MD5 message Digest algorithm -
Secure Hash Algorithm -SHA 512 – HMAC- Digital Signatures -
Authentication Protocols - Digital Signature Standard.

Syllabus Content & Learning Resources
Unit – IV Network Security
Authentication Applications: Kerberos - X.509 Authentication Service -
Electronic Mail Security - PGP - S/MIME - IP Security - Web Security.
Unit – V System Level Security
Intrusion detection - password management - Viruses and related Threats -
Firewall Design Principles - Trusted Systems.
Learning Resources
i)Text Books
1. Wade Trappe, Lawrence C Washington, “ Introduction to Cryptography
with coding theory”, 2nd ed, Pearson, 2007.
2. William Stallings, “Cryptography and Network security Principles and
Practices”, Pearson/PHI, 4th ed, 2006.
3. Atul Kahate, “Cryptography and Network Security”, McGraw Hill, 3rd ed,
2003

Learning Resources
ii) Reference Books
1.W. Mao, “Modern Cryptography – Theory and Practice”, Pearson
Education, Second Edition, 2007.
2.Charles P. Pfleeger, Shari Lawrence Pfleeger – Security in computing Third
Edition -Prentice Hall of India, 2006.
iii) Online Resources
1. williamstallings.com/Extras/Security-Notes/
2. www.cs.bilkent.edu.tr/~selcuk/teaching/cs519/
3. http://freevideolectures.com/Course/3027/Cryptography-and-Network-Security
4. http://cs.brown.edu/courses/csci1510/2013_lectures.html

Unit – II
Symmetric & Asymmetric Key Cryptography

1.Introduction to Number Theory
Prime Numbers
 A prime number has only 1 and itself as divisors; it cannot be written as a product of other numbers.
 An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.
 Note: 1 is prime, but is generally not of interest.
 E.g. 2, 3, 5, 7 are prime; 4, 6, 8, 9, 10 are not.
 Prime numbers are central to number theory.
 The prime numbers less than 200 are:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97
101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179
181 191 193 197 199

Prime Numbers
 Any integer a > 1 can be factored in a unique way as
 where $p_1 < p_2 < \dots < p_t$ are prime numbers and where each is a positive integer.
 This is known as the fundamental theorem of arithmetic; a proof can be found in any text on number theory.

 If P is the set of all prime numbers, then any positive integer a can be written uniquely in the following form.

 The right-hand side is the product over all possible prime numbers p; for any particular value of a, most of the exponents $a_p$ will be 0.


Prime Factors
 Multiplication of two numbers is equivalent to adding the corresponding exponents.
 Define k = ab. The integer k can be expressed as the product of powers of primes.
 It follows that $k_p = a_p + b_p$ for all
 In terms of the prime factors of a and b, what does it mean to say that a divides b? Any integer of the form can be divided only by an integer that is of a lesser or equal power of the same prime number, $p^j$ with $j \le n$.


Prime Factors

 It is easy to determine the greatest common divisor of two positive integers if we express each integer as the product of primes.
 If k = gcd(a, b), then $k_p = \min(a_p, b_p)$ for all p.


2.Fermat’s Theorem
 If p is a prime and a is a positive integer with $p \nmid a$, then $a^{p-1} \equiv 1 \pmod{p}$.
 Consider the set of positive integers less than p: {1, 2, ..., p-1}, and multiply each element by a, modulo p, to get the set X = {a mod p, 2a mod p, ..., (p-1)a mod p}.
 None of the elements of X is equal to zero because p does not divide a.
 No two of the integers in X are equal.
 Assume that $ja \equiv ka \pmod{p}$ where $1 \le j < k \le p-1$. Because a is relatively prime to p, we can eliminate a from both sides of the equation, resulting in $j \equiv k \pmod{p}$.
 This last equality is impossible because j and k are both positive integers less than p.
 We know that the (p-1) elements of X are all positive integers, with no two elements equal.


Example for Fermat’s Theorem
 We can conclude that X consists of the set of integers {1, 2, ..., p-1} in some order.
 Multiplying the numbers in both sets and taking the result mod p yields
$a \times 2a \times \dots \times (p-1)a \equiv [1 \times 2 \times \dots \times (p-1)] \pmod{p}$
$a^{p-1}(p-1)! \equiv (p-1)! \pmod{p}$
$a^{p-1} \equiv 1 \pmod{p}$


Fermat’s Little Theorem
 An alternative form of Fermat's theorem is also useful: if p is prime and a is a positive integer, then $a^p \equiv a \pmod{p}$.
 Note that the first form of the theorem requires that a be relatively prime to p, but this form does not.


3.Euler’s Theorem & Euler’s Totient Function
 Euler's totient function, written $\phi(n)$, is defined as the number of positive integers less than n and relatively prime to n. By convention, $\phi(1) = 1$.


Euler’s Totient Function
 It should be clear that for a prime number p, $\phi(p) = p-1$.
 Now suppose that we have two prime numbers p and q, with p not equal to q. Then we can show that for n = pq,

 Consider that the set of positive integers less than n is the set {1, ..., (pq-1)}.
 The integers in this set that are not relatively prime to n are the set {p, 2p, ..., (q-1)p} and the set {q, 2q, ..., (p-1)q}.
$\phi(n) = (pq-1) - [(q-1) + (p-1)]$
$= pq - (p+q) + 1$
$= (p-1)(q-1)$


Euler’s Theorem
 Euler's theorem states that for every a and n that are relatively prime

 Consider the set of such integers, labeled as follows:


 Each element $x_i$ of R is a unique positive integer less than n with $\gcd(x_i, n) = 1$.
 Multiply each element by a, modulo n.
 The set S is a permutation of R, by the following line of reasoning:
 Since a is relatively prime to n and $x_i$ is relatively prime to n, $a x_i$ must also be relatively prime to n.
 Thus, all the members of S are integers that are less than n and that are relatively prime to n. There are no duplicates in S.


Euler’s Theorem
 If $a x_i \bmod n = a x_j \bmod n$, then $x_i = x_j$.
 This is the same line of reasoning applied to the proof of Fermat's theorem.
 As is the case for Fermat's theorem, an alternative form of the theorem is also useful.
 The first form of Euler's theorem requires that a be relatively prime to n, but this form does not.
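
The permutation argument above can be checked numerically. The following is an added example, not part of the original slides: it builds R, multiplies every element by a to get S, and confirms that S is a permutation of R and that $a^{\phi(n)} \bmod n = 1$. The function names are chosen here, and φ(n) is found by direct counting, which only suits small n.

```python
from math import gcd


def reduced_residues(n):
    """R = [x : 1 <= x < n, gcd(x, n) = 1]; by convention phi(1) = 1."""
    if n == 1:
        return [1]
    return [x for x in range(1, n) if gcd(x, n) == 1]


def phi(n):
    """Euler's totient, computed by direct counting (small n only)."""
    return len(reduced_residues(n))


def multiply_residues(a, n):
    """S = [a * x_i mod n for x_i in R]; requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be relatively prime to n")
    return [(a * x) % n for x in reduced_residues(n)]


def check_euler(a, n):
    """Return (S is a permutation of R, a^phi(n) mod n)."""
    R = reduced_residues(n)
    S = multiply_residues(a, n)
    return sorted(S) == R, pow(a, phi(n), n)


if __name__ == "__main__":
    # n = 187 = 17 * 11, so phi(n) should equal (17 - 1) * (11 - 1) = 160.
    print("phi(187) =", phi(187))
    print("S permutes R, a^phi(n) mod n:", check_euler(7, 187))
    # Fermat's theorem is the special case n = p prime, phi(p) = p - 1.
    print("2^16 mod 17 =", pow(2, 16, 17))
```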

4.Testing for Primality
 Used to test a large number for primality.
 Any positive odd integer $n \ge 3$ can be expressed as follows: $n-1 = 2^k q$ with k > 0, q odd.
 n-1 is an even integer. Divide (n-1) by 2 until the result is an odd number q, for a total of k divisions.
 If n is expressed as a binary number, then the result is achieved by shifting the number to the right until the rightmost digit is a 1, for a total of k shifts.
Two Properties of Prime Numbers
- If p is prime and a is a positive integer less than p, then $a^2 \bmod p = 1$ if and only if either $a \bmod p = 1$ or $a \bmod p = -1 \bmod p = p-1$.
- Let p be a prime number greater than 2. We can then write $p-1 = 2^k q$, with k > 0, q odd. Let a be any integer in the range 1 < a < p-1.


Miller Rabin
 If n is prime, we have $p-1 = 2^k q$. Thus, we know that $a^{p-1} \bmod p = a^{2^k q} \bmod p = 1$.

Simple algorithm based on Miller Rabin to check for prime number
 Step:1 Perform the n-1 computation: $n-1 = m \cdot 2^k$
 Step:2a If k <= 1, compute $T = a^m \bmod n$ and check the value of T.
- If T == ±1, then n is prime, else composite/non-prime.
 Step:2b If k > 1, compute $T = T^2 \bmod n$ and check the value of T.
If T == 1, then n is composite/non-prime.
If T == -1, then n is prime.
Else, n is composite/non-prime.


Miller Rabin - Example
 Apply the Miller-Rabin test to check whether the given number n = 27, with a = 2, is prime.
Step:1 $n-1 = 27-1 = m \cdot 2^k$
$26 = 13 \cdot 2^1$
Step:2a k <= 1, so this step must be done.
Compute $T = a^m \bmod n$
$= 2^{13} \bmod 27$
$= 2^5 \cdot 2^5 \cdot 2^3 \bmod 27$
$= 5 \cdot 5 \cdot 8 \bmod 27$
$= 200 \bmod 27$
T = 11
 Since T is not equal to ±1, we can say that n is composite / non-prime.
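
The test as a full routine, added here as an example and not part of the original slides. It goes beyond the single-base walkthrough: it repeats the squaring step up to k-1 times and runs several bases, because one base can be fooled (2047 = 23 × 89 passes with a = 2). The fixed base list is an illustrative choice; the function names are chosen here.

```python
def decompose(n):
    """Write n - 1 = 2**k * q with q odd; return (k, q)."""
    k, q = 0, n - 1
    while q % 2 == 0:
        q //= 2
        k += 1
    return k, q


def passes_round(n, a):
    """One Miller-Rabin round for odd n >= 5 and base 1 < a < n - 1.

    True  -> n may be prime (a is not a witness of compositeness)
    False -> n is certainly composite
    """
    k, q = decompose(n)
    t = pow(a, q, n)                  # T = a^q mod n
    if t == 1 or t == n - 1:          # T == +1 or T == -1 (mod n)
        return True
    for _ in range(k - 1):            # T = T^2 mod n, at most k-1 times
        t = pow(t, 2, n)
        if t == n - 1:                # reached -1: consistent with a prime
            return True
        if t == 1:                    # square root of 1 other than +-1
            return False
    return False


def is_probable_prime(n, bases=(2, 3, 5, 7)):
    """Run one round per base; any failing round proves n composite."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return all(passes_round(n, a) for a in bases if 1 < a < n - 1)


if __name__ == "__main__":
    print("27 - 1 = 2^k * q, (k, q) =", decompose(27))
    print("T = 2^13 mod 27 =", pow(2, 13, 27))
    print("27 passes base 2:", passes_round(27, 2))
    print("2047 passes base 2:", passes_round(2047, 2))
    print("2047 probable prime over several bases:", is_probable_prime(2047))
    print("primes below 200:", [n for n in range(200) if is_probable_prime(n)])
```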

4.The Chinese Remainder Theorem
 It is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli.
Example
 The 10 integers in $Z_{10}$, that is the integers 0 through 9, can be reconstructed from their two residues modulo 3 and 5 (the relatively prime factors of 10).
x ≡ 2 mod 3
x ≡ 3 mod 5
 The known residues of a decimal digit x are $r_3 = 2$ and $r_5 = 3$; that is, x mod 3 = 2 and x mod 5 = 3.
 x is an even integer in $Z_{10}$ whose remainder, on division by 5, is 3.
 The unique solution is x = 8.


The CRT - Example-1
 For a given sequence of different linear equations:
$x \equiv a_1 \bmod m_1$
$x \equiv a_2 \bmod m_2$
$x \equiv a_3 \bmod m_3$
...
$x \equiv a_n \bmod m_n$

 The solution can be obtained by applying this equation:

$x = (a_1 M_1 M_1^{-1} + a_2 M_2 M_2^{-1} + \dots + a_n M_n M_n^{-1}) \bmod M$

 With the condition that $m_1, m_2, m_3, \dots, m_n$ should be relatively prime.


The CRT - Example-1
1. Solve the following congruences using the Chinese Remainder Theorem:
x ≡ 2 mod 3
x ≡ 3 mod 5
x ≡ 2 mod 7
Step:1 Check whether $m_1, m_2, m_3$ are relatively prime. If so, proceed. Else stop.
Step:2 Construct the table below from the given data and find the missing values.

a1 = 2    M1 = ?
a2 = 3    M2 = ?
a3 = 2    M3 = ?
m1 = 3    M1^-1 = ?
m2 = 5    M2^-1 = ?
m3 = 7    M3^-1 = ?

Step:3 Compute M using the formula $M = m_1 \cdot m_2 \cdot m_3$
M = 3 * 5 * 7 = 105
Step:4 Compute $M_1, M_2, M_3$ using the obtained M value and the formula $M_n = M / m_n$.
M1 = M / m1 = 105 / 3 = 35
M2 = M / m2 = 105 / 5 = 21
M3 = M / m3 = 105 / 7 = 15
Updating these values in the table, we get:

a1 = 2    M1 = 35
a2 = 3    M2 = 21
a3 = 2    M3 = 15
m1 = 3    M1^-1 = ?
m2 = 5    M2^-1 = ?
m3 = 7    M3^-1 = ?

Step:5 Find the respective multiplicative inverses for the values $M_1, M_2, M_3$.
We know that $M_n \cdot M_n^{-1} \equiv 1 \bmod m_n$
By applying this we compute:
$M_1^{-1}$: $M_1 \cdot M_1^{-1} \equiv 1 \bmod m_1$
$M_2^{-1}$: $M_2 \cdot M_2^{-1} \equiv 1 \bmod m_2$
$M_3^{-1}$: $M_3 \cdot M_3^{-1} \equiv 1 \bmod m_3$

$M_1^{-1}$: 35 * 2 ≡ 1 mod 3 => 2
$M_2^{-1}$: 21 * 1 ≡ 1 mod 5 => 1
$M_3^{-1}$: 15 * 1 ≡ 1 mod 7 => 1

Final updated table is:

a1 = 2    M1 = 35
a2 = 3    M2 = 21
a3 = 2    M3 = 15
m1 = 3    M1^-1 = 2
m2 = 5    M2^-1 = 1
m3 = 7    M3^-1 = 1

$x = (a_1 M_1 M_1^{-1} + a_2 M_2 M_2^{-1} + a_3 M_3 M_3^{-1}) \bmod M$
Substituting the appropriate values in the equation for x, we get:
x = (2*35*2 + 3*21*1 + 2*15*1) mod 105
= (140 + 63 + 30) mod 105
= 233 mod 105
x = 23

Now check the obtained result against the given congruence equations:
23 ≡ 2 mod 3
23 ≡ 3 mod 5
23 ≡ 2 mod 7
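
Steps 1 to 5 generalised to any number of congruences, as an added example that is not part of the original slides. `crt_table` reproduces the rows of the worked table, `crt` combines them, and `residues_of` is the reverse mapping used to confirm that every integer below M is recovered from its residues; all three names are chosen here.

```python
from math import gcd, prod


def crt_table(residues, moduli):
    """Rows (a_i, m_i, M_i, M_i^-1) of the worked table for x = a_i mod m_i."""
    if len(residues) != len(moduli) or not moduli:
        raise ValueError("need exactly one residue per modulus")
    if any(m < 2 for m in moduli):
        raise ValueError("every modulus must be at least 2")
    # Step 1: the moduli must be pairwise relatively prime.
    for i, m_i in enumerate(moduli):
        for m_j in moduli[i + 1:]:
            if gcd(m_i, m_j) != 1:
                raise ValueError(f"moduli {m_i} and {m_j} share a factor")
    M = prod(moduli)                       # Step 3: M = m_1 * m_2 * ... * m_n
    rows = []
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i                     # Step 4: M_i = M / m_i
        inv = pow(M_i, -1, m_i)            # Step 5: M_i * inv = 1 (mod m_i)
        rows.append((a_i, m_i, M_i, inv))
    return rows


def crt(residues, moduli):
    """x = (sum of a_i * M_i * M_i^-1) mod M."""
    rows = crt_table(residues, moduli)
    M = prod(moduli)
    return sum(a_i * M_i * inv for a_i, _, M_i, inv in rows) % M


def residues_of(x, moduli):
    """Forward direction: the residues of x modulo each m_i."""
    return [x % m for m in moduli]


if __name__ == "__main__":
    for row in crt_table([2, 3, 2], [3, 5, 7]):
        print("a=%d m=%d M_i=%d M_i^-1=%d" % row)
    print("x =", crt([2, 3, 2], [3, 5, 7]))
    print("x =", crt([2, 3], [3, 5]))
    ok = all(crt(residues_of(x, [3, 5, 7]), [3, 5, 7]) == x for x in range(105))
    print("every x in 0..104 reconstructed:", ok)
```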

5.Public Key Cryptography
 Most significant advance in the 3000 year history of cryptography.
 Uses two keys – a public & a private key.
 Asymmetric since parties are not equal.
 Uses clever application of number theoretic concepts to function.
 Complements rather than replaces private key cryptography.
Developed to address two key issues:
 Key Distribution – how to have secure communications in general
without having to trust a KDC with your key.
 Digital Signatures – how to verify a message comes intact from the
claimed sender.
 Public invention due to Whitfield Diffie & Martin Hellman at Stanford
University in 1976.

Public Key Cryptography
 Public-key / two-key / asymmetric cryptography involves the use of
two keys:
- A public-key, which may be known by anybody, and can be used
to encrypt messages, and verify signatures.
- A private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures.
 Asymmetric - those who encrypt messages or verify signatures
cannot decrypt messages or create signatures.

Characteristics of Public Key Cryptography
 Computationally infeasible to find decryption key knowing only
algorithm & encryption key.
 Computationally easy to en/decrypt messages when the relevant
(en/decrypt) key is known.
 Either of the two related keys can be used for encryption, with the
other used for decryption (for some algorithms).

Public Key Applications & Security
 Encryption / Decryption (provide secrecy)
 Digital Signatures (provide authentication)
 Key Exchange (of session keys)
 Some algorithms are suitable for all uses, others are specific to one.
Security
 Brute force exhaustive search attack is always theoretically possible.
 If the keys used are large (>512 bits), it becomes difficult.
 Security relies on a large enough difference in difficulty between the easy (en/decrypt) and hard (cryptanalyse) problems.
 The hard problem is known, but is made hard enough to be impractical to break.
 Requires the use of very large numbers, hence is slow compared to private-key schemes.


RSA Introduction
 Rivest, Shamir & Adleman of MIT in 1977.
 Best known & widely used public-key scheme.
 Based on exponentiation in a finite (Galois) field over integers modulo a prime.
- N.B. exponentiation takes $O((\log n)^3)$ operations (easy).
 Uses large integers (e.g. 1024 bits).
 Security due to cost of factoring large numbers.
- N.B. factorization takes $O(e^{\log n \log\log n})$ operations (hard).


The RSA Public Key Cryptosystem

RSA Key Setup & Working

RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de =1 mod 160 and d < 160
Value is d=23 since 23x7=161= 1x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
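
The key setup above as runnable code, an added example rather than part of the original slides. It derives d with the extended Euclidean algorithm, rejects an e that is not relatively prime to ø(n), and round-trips every message below n. The message M = 88 and the function names are chosen here; primes this small are for illustration only.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        quot = a // b
        a, b = b, a - quot * b
        s0, s1 = s1, s0 - quot * s1
        t0, t1 = t1, t0 - quot * t1
    return a, s0, t0


def rsa_keypair(p, q, e):
    """Steps 2-7: return (PU, PR) = ((e, n), (d, n)) for distinct primes p, q."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                              # step 2
    phi_n = (p - 1) * (q - 1)              # step 3
    g, s, _ = egcd(e, phi_n)               # step 4: need gcd(e, phi(n)) = 1
    if not 1 < e < phi_n or g != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = s % phi_n                          # step 5: d*e = 1 (mod phi(n)), d < phi(n)
    return (e, n), (d, n)


def rsa_apply(key, value):
    """Textbook RSA: value^exponent mod n (no padding, illustration only)."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0 .. n-1")
    return pow(value, exponent, n)


def all_messages_round_trip(public, private):
    """Check that decrypt(encrypt(M)) == M for every M below n."""
    n = public[1]
    return all(rsa_apply(private, rsa_apply(public, m)) == m for m in range(n))


if __name__ == "__main__":
    PU, PR = rsa_keypair(17, 11, 7)
    print("PU =", PU, "PR =", PR)
    C = rsa_apply(PU, 88)                  # sample message M = 88
    print("C =", C, "-> M =", rsa_apply(PR, C))
    print("all messages round-trip:", all_messages_round_trip(PU, PR))
```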

RSA Security
Possible approaches to attacking RSA are:
 Brute force key search (infeasible given size of numbers)
 Mathematical attacks (based on difficulty of computing ø(n), by
factoring modulus n)
 Timing attacks (on running of decryption)
 Chosen ciphertext attacks (given properties of RSA)

Factoring Problem
Mathematical approach takes 3 forms:
 Factor n=p.q, hence compute ø(n) and then d.
 Determine ø(n) directly and compute d.
 Find d directly.
We currently believe all are equivalent to factoring.
 Have seen slow improvements over the years
- as of May-05 best is 200 decimal digits (663 bits) with LS
 Biggest improvement comes from improved algorithm.
 Currently assume 1024-2048 bit RSA is secure.
- ensure p, q of similar size and matching other constraints

Timing Attacks
Developed by Paul Kocher in mid-1990’s
 Exploit timing variations in operations
- eg. multiplying by small vs large number
- IF's varying which instructions executed
 Infer operand size based on time taken
Against RSA, the attack exploits the time taken in exponentiation; countermeasures include:
 Use constant exponentiation time.
 Add random delays.
 Blind values used in calculations.

Chosen Ciphertext Attacks
 RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
 The attacker chooses ciphertexts & gets the decrypted plaintext back.
 Ciphertexts are chosen to exploit properties of RSA to provide info to help cryptanalysis.
 Can counter with random pad of plaintext or use Optimal Asymmetric Encryption Padding (OAEP).


6.Key Management & Distribution
Key Management
 Public-key encryption helps address key distribution problems.
Have two aspects of this:
I. Distribution of public keys.
II. Use of public-key encryption to distribute secret keys.
I. Distribution of public keys
Can be considered as using one of the following approaches:
 Public announcement
 Publicly available directory
 Public-key authority
 Public-key certificates

6.a.Public Announcement
 Users distribute public keys to recipients or broadcast to community
at large.
- eg. append PGP keys to email messages or post to news groups or
email list.
 Major weakness is forgery.
 Anyone can create a key claiming to be someone else and broadcast
it.
 Until forgery is discovered anyone with forged key can masquerade
as claimed user.

6.b.Publicly Available Directory
 Can obtain greater security by registering public keys with a
publicly available dynamic directory.
Directory must be trusted with properties:
 Contains {name, public-key} entries.
 Participants register securely with directory authority.
 Participants can replace key at any time.
 Directory is periodically published.
 Directory can be accessed electronically.
 Still vulnerable to tampering or forgery.

6.c.Public Key Authority
 Improves security by tightening control over distribution of keys
from directory.
 Has properties of directory.
 Requires users to know public key for the directory.
 Users interact with directory to obtain any desired public key
securely.
 Require real-time access to directory when keys are needed.



6.d.Public Key Certificates
 Certificates allow key exchange without real-time access to public-
key authority.
 A certificate binds identity to public key.
 With information such as period of validity, rights of use etc.
 With all contents signed by a trusted Public-Key or Certificate
Authority (CA).
 Can be verified by anyone who knows the public-key authority's public key.


II.Public-Key Distribution of Secret Keys
 Use previous methods to obtain public-key.
 Can use for secrecy or authentication.
 Public-key algorithms are slow.
 So usually want to use private-key encryption to protect message
contents.
 Need a session key.
 Have several alternatives for negotiating a suitable session.

Simple Secret Key Distribution
 Proposed by Merkle in 1979.
 A generates a new temporary public key pair.
 A sends B the public key and their identity.
 B generates a session key K and sends it to A encrypted using the supplied public key.
 A decrypts the session key and both use it.
 Problem is that an opponent can intercept and impersonate both halves of protocol.


Public-Key Distribution of Secret Keys

Hybrid Key Distribution
 Retain use of private-key KDC
 Shares secret master key with each user
 Distributes session key using master key
 Public-key used to distribute master keys especially useful with
widely distributed users
 Rationale - performance, backward compatibility

6.e.Diffie-Hellman Key Exchange
 First public-key type scheme, proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts.
 It is now known that Williamson (UK CESG) secretly proposed the concept in 1970.
 Is a practical method for public exchange of a secret key.
 Used in a number of commercial products.


Diffie-Hellman Key Exchange
 A public-key distribution scheme.
 Cannot be used to exchange an arbitrary message.
 Rather it can establish a common key known only to the two
participants.
 Value of key depends on the participants (and their private and
public key information)
 Based on exponentiation in a finite (Galois) field (modulo a prime
or a polynomial) – easy.
 Security relies on the difficulty of computing discrete logarithms
(similar to factoring) – hard.

Diffie-Hellman Setup

 All users agree on global parameters:
 Large prime integer or polynomial q.
 α being a primitive root of q.
 Each user (e.g. A) generates their keys (private & public).
 Chooses a secret key (number): $x_A < q$
 Computes their public key: $y_A = \alpha^{x_A} \bmod q$
 Each user makes public that key $y_A$


Diffie-Hellman Key Exchange

 Shared session key for users A & B is $K_{AB}$:
 $K_{AB} = \alpha^{x_A x_B} \bmod q$
 $= y_A^{x_B} \bmod q$ (which B can compute)
 $= y_B^{x_A} \bmod q$ (which A can compute)
 $K_{AB}$ is used as session key in private-key encryption scheme between Alice and Bob.
 If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys.
 Attacker needs an x, must solve discrete log.


Diffie-Hellman Example
 Given q = 7, choose α such that it is a primitive root of q and α < q. Therefore α = 2.

User A Key Generation
i) $X_A = 3$, $X_A < 7$
ii) $Y_A = \alpha^{X_A} \bmod q$
= $2^3 \bmod 7$
= 8 mod 7
$Y_A = 1$

User B Key Generation
i) $X_B = 4$, $X_B < 7$
ii) $Y_B = \alpha^{X_B} \bmod q$
= $2^4 \bmod 7$
= 16 mod 7
$Y_B = 2$

Secret Key Generation by A
$K_A = (Y_B)^{X_A} \bmod q$
= $2^3 \bmod 7$
= 8 mod 7
$K_A = 1$

Secret Key Generation by B
$K_B = (Y_A)^{X_B} \bmod q$
= $1^4 \bmod 7$
= 1 mod 7
$K_B = 1$

Both values $K_A$ and $K_B$ are equal.
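
The exchange with the parameter checks an implementation would run first, as an added example that is not part of the original slides. Applied to the numbers above it reports that 2 has order 3 modulo 7, so the only possible public values are {1, 2, 4} and the shared key comes out as 1. The second parameter set (q = 353, α = 3, private keys 97 and 233) is a sample chosen here, as are the function names.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(alpha, q):
    """For prime q: alpha is a primitive root iff alpha^((q-1)/r) != 1 (mod q)
    for every prime r dividing q - 1."""
    if not 1 < alpha < q:
        return False
    return all(pow(alpha, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def subgroup(alpha, q):
    """Every value alpha^x mod q can take, i.e. every possible public key."""
    if alpha % q == 0:
        raise ValueError("alpha must not be a multiple of q")
    values, y = set(), 1
    while True:
        y = (y * alpha) % q
        values.add(y)
        if y == 1:
            return values


def exchange(q, alpha, x_a, x_b, validate=True):
    """Run both sides of the exchange; return (y_a, y_b, k_a, k_b).

    With validate=True, reject a generator that is not a primitive root
    and public values of 1 or q - 1, which make the key trivially guessable.
    """
    if validate and not is_primitive_root(alpha, q):
        raise ValueError("alpha is not a primitive root of q")
    y_a, y_b = pow(alpha, x_a, q), pow(alpha, x_b, q)
    if validate and not all(1 < y < q - 1 for y in (y_a, y_b)):
        raise ValueError("degenerate public value")
    return y_a, y_b, pow(y_b, x_a, q), pow(y_a, x_b, q)


if __name__ == "__main__":
    print("slide values (Y_A, Y_B, K_A, K_B):", exchange(7, 2, 3, 4, validate=False))
    print("2 is a primitive root of 7:", is_primitive_root(2, 7))
    print("values generated by 2 mod 7:", sorted(subgroup(2, 7)))
    y_a, y_b, k_a, k_b = exchange(353, 3, 97, 233)   # sample parameters
    print("q=353, alpha=3: keys agree:", k_a == k_b)
```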

Key Exchange Protocol
 Users could create random private/public D-H keys each time they communicate.
 Users could create a known private/public D-H key and publish it in a directory, which is then consulted and used to securely communicate with them.
 Both of these are vulnerable to a meet in the Middle Attack.
 Authentication of the keys is needed.


Elliptic Curve Cryptography
 Majority of public-key crypto (RSA, D-H) use either integer or
polynomial arithmetic with very large numbers / polynomials.
 Imposes a significant load in storing and processing keys and
messages.
 An alternative is to use elliptic curves.
 Offers same security with smaller bit sizes.
 Newer, but not as well analysed.

Real Elliptic Curves
 An elliptic curve is defined by an equation in two variables x & y,
with coefficients.
 Consider a cubic elliptic curve of the form $y^2 = x^3 + ax + b$, where x, y, a, b are all real numbers; also define a zero point O.
 Have addition operation for elliptic curve.
 Geometrically, the sum P+Q is the reflection of the intersection –(P+Q).


Finite Elliptic Curves
 Elliptic curve cryptography uses curves whose variables &
coefficients are finite.
 Have two families commonly used:
 Prime curves $E_p(a,b)$ defined over $Z_p$
- use integers modulo a prime.
- best in software.
 Binary curves $E_{2^m}(a,b)$ defined over $GF(2^n)$
- use polynomials with binary coefficients.
- best in hardware.


Elliptic Curve Cryptography
 ECC addition is the analog of modulo multiplication.
 ECC repeated addition is the analog of modulo exponentiation.
 Need a “hard” problem equivalent to discrete log (trapdoor function):
- Q = kP, where Q, P belong to a prime curve.
- It is “easy” to compute Q given k, P.
- But “hard” to find k given Q, P.
- Known as the elliptic curve logarithm problem.
 Certicom example: $E_{23}(9,17)$


ECC Diffie-Hellman
 Can do key exchange analogous to D-H.
 Users select a suitable curve $E_p(a,b)$.
 Select base point $G = (x_1, y_1)$
- with large order n such that nG = O.
 A & B select private keys $n_A < n$, $n_B < n$.
 Compute public keys: $P_A = n_A G$, $P_B = n_B G$.
 Compute shared key: $K_A = n_A P_B$, $K_B = n_B P_A$.
 Same since $K = n_A n_B G$.


ECC Diffie-Hellman Key Exchange

ECC Encryption & Decryption
 Several alternatives; will consider the simplest.
 Must first encode any message M as a point on the elliptic curve, $P_m$.
 Select suitable curve & point G as in D-H.
 Each user chooses private key $n_A < n$.
 Computes public key $P_A = n_A G$.
 To encrypt $P_m$, compute $C_m = \{kG, P_m + kP_b\}$, k a random number.
 To decrypt $C_m$, compute:
$P_m + kP_b - n_B(kG) = P_m + k(n_B G) - n_B(kG) = P_m$.

ECC Security
 Relies on elliptic curve logarithm problem.
 Fastest method is “Pollard rho method”.
 Compared to factoring, can use much smaller key sizes than with
RSA etc.
 For equivalent key lengths, computations are roughly equivalent.
 Hence, for similar security, ECC offers significant computational advantages.

