It is very important as the volume of data on Internet is fast increasing.

The four aspects are:

1.

2.

3.

Privacy: The sender & receiver expect confidentiality. The transmitted message should make sense to the INTENDED recipient ONLY. To others, the message should be illegible. Authentication: The receiver is sure of senders identity. He knows an imposter has not sent the message. Integrity: The data must arrive exactly as it was sent. Message must not change because of accidental or malicious transmission. As more & more monetary transactions take place over the Internet, it is of prime importance.

4.

Non-repudiation: Receiver must be able to prove that a message has come from a specific sender. A sender may not be able to deny later a message that he has really sent. The burden of proof falls on the receiver. For ex: If a customer sends a message to a bank for transfer of money from one account to other, the bank must have the proof that the customer actually requested the transaction.

To carry sensitive information (military/financial), a system MUST assure PRIVACY. How to prevent unauthorized access is a major question. A practical way is to alter data so that only the intended recipient understands it; others dont. Encryption means the sender transforms the original information to some other form & ends the resulting unintelligible message out over the network. Decryption reverses the encryption process to transform the changed information to the original one.

Encryp

Decryption Algo

sender

tion Algo networ k

Receiver

There are two methods of encryption & decryption. 1. Conventional or secret/private key method. 2. Public key method Conventional Method. The encryption key & decryption key are same & secret. Two types: A) Character level encryption (CLE): Encryption is done at the character level. It is of two types substitutional & transpositional. Substitutional: Simplest form of CLE. (i) Mono-alphabetic (ii) Poly-alphabetic

In mono alphabetic substitution also called Caesar Cipher, each character is replaced by another single character of the set. It simply adds a number to the ASCII code of the character; the decryption algo simply deducts that number from the ASCII code. Ke & Kd are the same & defined the added/subtracted value. If Ke = 3, it means each character will be replaced by a character that is 3 ahead- D replaced G, E by K & so on. If the substituted character is beyond the last character in the set, it is wrapped around. Mono alphabetic substitution is very simple but can be broken by snoopers very easily. This is because each character used in a language has certain natural frequencies which can be detected by intruders. They can crack the code. In English, the letters E, T, O & A are most frequently used. (ii)Poly-alphabetic substitution: Each occurrence of a character can have different substitutes. One of the techniques is to find the position of the character in the text & to use that value as key. In this technique it is bit difficult to break the code but still the Ciphertext is not very secure.

B)

Transpositional: It is more secure method. The characters retain their plain text form but change their positions to create the cipher text. The characters are transposed /reordered. If a key = 4, complete message can be divided to set of 4 character groups. Msg : This is a lovely day (Plain text). 4key s o y y

1 2 3 t h i i s a l v e l d a Ciphertext: t-av-hi-edisllas-oyy.

Bit Level Encryption (BLE). In this technique, data as text, graphics, audio /video are first divided to blocks of bits, then altered by encoding/decoding, permutation, substitution, XOR, rotation & so on. 1. Encoding/decoding: A decoder changes an input of n bits to 2n bits.

The output should have only one single 1 at the output located at the position determined by the input. An encoder has 2n inputs & n outputs. The output should have a single 1. Fig. below shows a 2-bit decoder/encoder.
Input 0001 0010 0100 1000 Output 00 01 10 11 Input
4X2 Encoder

Input 00 01 10 11 Input

Output 0001 0010 0100 1000

2X4 decoder

output

output

Permutation: Transposition at bit level. In straight permutation, number of bits at input & output level are preserved, in compressed permutation, number of bits at output are reduced by dropping out some bits & in expanded permutation, some bits are added at the output. A permutation circuit can be made easily as a hardware circuit with internal wiring. These are called P-Boxes.

Straight permutation

1 1

0 0

1 1

0 0

compressed permutation

expanded permutation

Substitution: Substitution of n bits by another n bits can be achieved using a combination of Pboxes, encoders & decoders. Fig. below shows 2-bit S-Box that replaces every 00 by 01, 01 by 00, 10 by 11 & 11 by 10. The decoder changes 2-bits to 4 bits. P-box changes the position of the 1. The encoder then changes the 4 bits to 2 bit pattern.

2X4 Decoder P Box

4X2 Encoder

Fig: S-Box

Product: P & S boxes can be combined & called Product. Exclusive OR: The result of XOR on 2 bit is 0 if the 2 bits are same, otherwise, it is 1. The input & the key are XOR-ed to create the output. This operation is reciprocal as the same key can be used with the Ciphertext at the receiver to recreate the original plaintext. Sender: 01100111 8 bit Plaintext 11011001 Key 10111110 8 bit Ciphertext | V Receiver: 10111110 8 bit cipher-text 11011001 Key 01100111 8 bit plaintext Rotation: Another way to encrypt a bit pattern is to rotate the bits to right or left. The key is the number of bits to be rotated. Plaintext: 01100011 Before rotation (key=3) 10110001 After one rotation 11011000 After two rotations Ciphertext 01101100 After three rotations

It is example of BIT LEVEL encryption (Private Key algorithm). 2. It is designed by IBM. 3. Algorithm encrypts a 64 bit plaintext using 56 bit key. 4. The text is put thru 19 different & complex procedures to create 64 bit Ciphertext. 5. It is a BLOCK CIPHER i.e. it works on fixed size blocks of data.
1.

Key (56 bit) Sub-key generator (each s.k. 48 bits) K1

T R A N S P O S I T I O N

K2

K16 T R A N S P O S I T I O N 19

Plain text

C O M P L E X

C O M P L E X

C O M P L E X

S W A P P I N G

CI P H E R T E X T

17

18

Sub key generation in DES. 56 bits Divide 28 bits Rotate 28 bits Combine 56 bits Compressed permutation 48 bit sub-key 28 bits Rotate 28 bits

The Schematic diagram shows that 1. Step 1 & 19 are relatively simple. 2. Steps 2 thru 17 are complex, each requiring sub-steps that are combinations of transposition, substitution, swapping, XOR, rotation. 3. Steps 2 thru 17 are same BUT EACH STEP USES A DIFFERENT KEY (48-bit sub-key derived from the original key). 4. Additional complexity is achieved by having each step use the output of the previous step as input.

From previous step 64-bit data Divide 32 bits

32 bits Exp. permutation 48-bit XOR 48-bit compressed permutation 32-bit

Sub-key Kn

Permutation 32-bit XOR

32-bit combine
32-bit

64-bit

To next step

Fig: One of the 16 steps in DES IDEA (International Algorithm)

1.

data

Encryption

It is a BLOCK CIPHER method similar to DES. 2. It operates on 64 bit blocks of plaintext. It needs 128-bit Key & sophisticated processing during each phase of encryption operation. 3. Each 64-bit block of plaintext passes through a series of eight iterations followed by a final transposition. 4. At each of eight iterations, each of 64 output bits is a function of all 64 input bits. 5. The 128 bit key is first used to generate 52 sub-keys each 16 bit. 6. Six sub-keys are used at each iteration & remaining 4 sub-keys are used in final transposition stage. 7. Decryption uses same algo but with modified set of keys. 8. Each 64 bit is first divided to 4 numbers16 bit words each & then goes thru a series of multiplication, addition, XOR operations. (All lines in the figure are 16 bits & all multiplication operations involve first the 32 bit product of the two 16 bit inputs being computed & then divided by (216+1). The

output is then 16-bit remained. In case of addition, two 16 bit inputs are added together & any carry generated is ignored. s
64 bit plain text 128 bit key Iteration 1
KEY GENE RATOR

K1-K6

Iteration 2

K7-K12

Iteration 8

K43-K48

52 subkeys each 16 bit

Transformation

K49-K52

Encryption Schematic of IDEA.

Public key methods In conventional methods, the decryption algo is always the inverse of encryption algo & uses the same key. So, it is also called Symmetric encryption algo. Anyone who knows the encryption algo & key can deduce the decryption algo. Security can be assured only if the entire process is kept secret. It has the advantage of (1) Being very efficient, (2) taking less time to encrypt a message & hence used to encrypt long messages. It has two major disadvantages. (1) Each pair of users must have a secret key. So, N people in the world need N(N-1)/2 secret keys which is very huge to create & maintain. (2) The distribution of the keys are very difficult. SECRET KEY ALGOS ARE USEFUL IF USED ONCE.

The solution of the problem is public key encryption. Every user has the same encryption key & algo. The decryption key is kept secret. The decryption key is not the inverse of encryption key. The encryption & decryption algo use different functions & knowing one does not enable the user to know the other. In addition, the keys are different. Public keys are encryption algo & key are publicly announced. The decryption algo & key are kept secret & used only by the bank. Advantages: 1. Removes the restriction of shared key between TWO entities. The key shared by two parties cannot be shared with a third party, if one of them wants to communicate with another party. In public key, this is possible. Each entity can create a pair of keys & is independent, keep the private key & distribute the public key. 2. The number of keys is reduced drastically. For N users, 2N keys & not N(N-1) as in secret key is needed.

Disadvantage : Very complex algorithm. For the method tobe effective, large numbers are needed. Calculating Ciphertext from plaintext using long keys take long time. PUBLIC KEY ALGOS ARE USEFUL IF USED ONCE. Public key encryption.
Customer 1 Public key

Customer 2

Public key

Private key

Bank

Customer n

Public key

RSA Encryption. It is public key encryption. Rivest, Shamir, Adleman created this key. One party say bank customer uses public key Kp. The other party uses secret key. Ks. Both use a number N. The encryption algo uses the following steps: 1. Encode the data to be encrypted as a no. to create the plaintext P. K 2. Calculate the Ciphertext C as C = P p modulo N (modulo means divide PKp by N & keep only the remainder). 3. Send C as Ciphertext. The decryption algo follows these steps: 1. Receive Cs the Ciphertext K 2. Calculate plain text P = C smodulo N. 3. Decode P to the original data.

customer Kp & N P Plaintext Encryption Decryption C = PKp modulo N C=Ciphertext C Ks & N P modulo N

Bank

P = CKs

Plaintext

Example with Kp= 5, Ks= 77 & N=119. The whole idea behind RSA is the way in which Kp, Ks & N are chosen using number theory.
1.

2. 3.

Choose 2 prime nos. p & q. (We choose 7 & 17). Calculate N = p X q (N = 7X17 =119). Select Kp such that it is not a factor of (p-1) X (q-1) = 96. The factors of 96 are 2,

2, 2, 2, 2, 3.We choose 5, not a factor of 96. 4. Select Ks such that (KpXKs) modulo (p-1) X (q-1) = 1. We choose 77. If checked, 5X77 = 385 & 385 = 4X96 +1.

Security of RSA: Pair of nos. Kp & N are publicly announced. The bank keeps Ks as the secret key. If a bank can calculate Ks why not a snooper? The answer lies in the complexity of the process. The bank starts with two prime numbers p & q to calculate N, Kp, Ks. The snooper does not know p or q. He uses N first to calculate p & q & then GUESS Ks. If p & q are chosen to eb few hundred digits long, it is extremely difficult to factorize it to its prime numbers. Reciprocity of RSA: RSA algo is reciprocal. The bank can use the same secret key Ks to send a reply to the customer & the customer can decrypt the message using his own private key.

Authentication
It means verifying the identity of the sender; i.e. message is coming from an authentic sender & not an imposter. Among several methods, we shall discuss Digital Signature method based on encryption/decryption.

Concept is same as signing physically documents in a business transaction for example say signing documents in a bank. The bank gives a form to be signed by customer & keeps the signed form on record when the customer needs to withdraw large amount of money from the bank. If the customer later denies withdrawal of money, the bank may show the signature to prove that bank have given money to the person with valid signature. The EQUIVALENT SIGNATURE is created in electronic media called digital signature. DIGITAL SIGNATURE Security has four aspects: Privacy, Authentication, Integrity, & Non-repudiation. Privacy has been discussed. The other three can be achieved using digital signature. In signing of a document, the roles of the public & private key are different. The sender uses private key to encrypt (sign) the message just as one uses her signature (which is private & difficult to forge) to sign a paper document. The receiver uses public key of

sender to decrypt the message just as one verifies from memory other peoples signature. Fig: Signing the whole document.

As public key

As private key

A
P L A I N T E X T

encryption

Net wor k Ciphertext

decryption

P L A I N T E X T

Ciphertext

Digital signature can provide integrity, authentication, and non-repudiation. It does not provide privacy. If the latter is required, another layer of encryption/ decryption is required. Digital Signature CANNOT be achieved using secret key encryption. How digital signature provides integrity, authentication, and non-repudiation? Integrity: The integrity of the message is preserved because if an intruder intercepts it, and partially changes it, the decrypted message would be illegible. Authentication: If an intruder say X sends a message pretending that it has come from someone else, say G, she must use her own private key (private X) for encryption. The message is then decrypted Non-repudiation: If the sender denies sending a message, her private key corresponding to her public key can be tested on the original plaintext. If the result of decryption matches the original

message, then we know that the sender has sent the message. Signing the digest Public encryption is efficient if the message is short. Using public key to sign the whole document is inefficient. So, the sender creates a miniature of the document called the digest & signs on the digest. The receiver checks the signature on the miniature. To create the digest, a hash function is used which creates fixed size digest from a variable length message. Fig: Creating a digest.
Variable length message Hash function Fixed length message digest

Two most common hash functions are MD5 (Message Digest 5) & SHA-1 (Secure Hash Algorithm1). Two properties of hash function are needed to guarantee success. 1. Hashing is one way. The digest can be created from a message not vice versa.

2.

It is a one-to-one function. There is little probability that two messages will create the same digest.

After the digest is created, it is encrypted (signed) using the senders private key. The encrypted digest is attached to the original message & sent to the receiver. Fig: Sender site.
A Message

Message Message + signed digest

To B

Hash As private key Digest Encrypt

Signed Digest

The receiver receives the original message and the encrypted digest & separates the two. The receiver applies the same hash function the message to create a second digest. The receiver also decrypts the received digest using public key of the sender. If the two digests are

same, all preserved.

three

aspects

of

security

are

B
From A
Message

As public key

Decrypt

Hash

Digest

Digest

Compare

Fig: Receiver site.