Cryptography SLM-Copy-Final


SYMBIOSIS INTERNATIONAL

(DEEMED UNIVERSITY)

Cryptography
Dr. Niket P. Tajne

Ms. Sonal Kulkarni

Dr. Priti Kulkarni

978-81-968345-0-0

Gurukrupa Mudranalaya, Pune 411011


CONTENT

MODULE 1 CRYPTOGRAPHY AND INFORMATION SECURITY

MODULE 2 DES – THE DATA ENCRYPTION STANDARD

MODULE 3 INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

MODULE 4 BLOWFISH/AES

MODULE 5 MESSAGE DIGEST

MODULE 6 DIGITAL SIGNATURES AND CERTIFICATES

MODULE 7 RSA

MODULE 8 SSL

MODULE 9 SET

MODULE 10 KERBEROS

MODULE 11 AUTHENTICATION TECHNIQUES

MODULE 12 EMAIL SECURITY

MODULE 13 FIREWALLS

MODULE 14 VPN

MODULE 15 JAVA CRYPTOGRAPHY


MODULE - 1
CRYPTOGRAPHY AND INFORMATION SECURITY

TABLE OF CONTENTS
1.1 Learning Objectives
1.2 Origin of Cryptography
1.3 What Is Cryptography?
1.4 Core principles of Cryptography
1.5 Terminologies
1.5.1 Plain Text, Cipher Text, Encryption, Decryption
1.5.2 Caesar Cipher
1.6 Types Of Cryptography
1.7 Summary
1.8 Key terms
1.9 Self-assessment questions
1.10 References

1.1. LEARNING OBJECTIVES


After completing this module, the learner will be able to
1. Understand the need of cryptography and its use.
2. Distinguish between core principles of cryptography.
3. Understand the various terms involved in the process of cryptography.
4. Acquire an overview of the types of cryptography.
5. Distinguish between Symmetric Key Cryptography and Asymmetric Key Cryptography.

1.2 ORIGIN OF CRYPTOGRAPHY


To communicate is a basic need of every human being. We communicate to exchange
information. This information may be intended for only one person or for more than one
person. If information is intended for only one person, then obviously we want to keep it secret
from all others. So the information to be communicated is sent in some coded form instead of
in its original form. This is the concept of ‘cryptography’. The Greek words
‘Krypto’, meaning hidden, and ‘graphene’, meaning writing, form the word ‘cryptography’.
(History of Cryptography, 2022)

1.3 WHAT IS CRYPTOGRAPHY?
In history, in the Roman and Egyptian civilizations, kings sent letters written in a special
language known only to the sender and the receiver.
Definition: Cryptography is a method of protecting information and communications through
the use of codes, so that only those for whom the information is intended can read and process
it. [2]
In simple words, “Cryptography is the art and science of making "secret codes".” [6]
There are two more terms that are associated with cryptography: Cryptanalysis and Cryptology.
Let us see their simple definitions here.
“Cryptanalysis is the art and science of breaking "secret codes".” [6]
From the above definitions we can state,
Cryptology = Cryptography + Cryptanalysis.
So “Cryptology is the art and science of making and breaking "secret codes".” [6]

1.4 CORE PRINCIPLES OF CRYPTOGRAPHY


To maintain secrecy, some other dimensions related to it have to be studied. This is because
when we consider today’s world, we, humans, communicate information in many ways.
Data Confidentiality, Data Integrity, Non-repudiation and Authentication are the core
principles of modern-day cryptography. Let us see what they mean.
1. Confidentiality: Information can only be accessed by the intended receiver and not by
any other person. It is kept secret from all others.
2. Integrity: Information cannot be modified in storage or in transit between sender and
intended receiver without the modification being detected.
3. Non-repudiation: The sender of information cannot deny later that he had sent it.
4. Authentication: Checking the sender’s and receiver’s identity to confirm the source and
destination of information.

1.5 TERMINOLOGIES
1.5.1 Plain Text, Cipher Text, Encryption, Decryption
1. Plaintext: The information to be communicated in its original form. It is an unencrypted
message.
2. Cipher text: The communicated information in its coded form. It is an encrypted form
of message.

3. Encryption: It is the process of transforming plain text into cipher text in order to
ensure secrecy using an algorithm.
4. Decryption: It is the process of transforming back cipher text into plain text using an
algorithm.

1.5.2 Caesar Cipher


The encryption method or algorithm is based on mathematical concepts and a set of rule-based
calculations. Let us study an early Roman method of cryptography called the “Caesar Cipher”. It
is the simplest substitution cipher; that is, this algorithm creates cipher text by
substitution. It is also known as the “Caesar Shift Cipher”, as here the ciphertext is
generated by shifting the letters in the plaintext message by a certain number of positions (3
was a common choice, as was used by King Julius Caesar), known as the “shift” or “key”. To
convert this ciphertext back to plaintext, the receiver shifts the letters back by the same number of
positions. [5] Notice that after ‘z’ (the last letter), the alphabet circularly starts
from ‘a’ (the first letter) again.
The following figure describes the whole process of encryption and decryption for the “Caesar cipher”
with key=3 (shift 3 characters left) to encrypt the message and (shift 3 characters to the right)
to decrypt the message at the receiver.

Figure 1.1: Cryptography model illustrating Caesar cipher an example of substitution cipher

Looking at the broad picture, the Caesar cipher is one example of “Substitution ciphers”.
Different methods have been devised based on substitution. The other type of ciphers are
“Transposition ciphers”. Transposition ciphers involve changing the positions of the
characters.
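The shift-and-wrap rule described above, written out as an added example (not part of the original module). It assumes encryption replaces each letter with the one `key` positions later in the alphabet (a becomes d for key 3); the sample message and function names are constructed here. It also shows why the scheme gives no real confidentiality: there are only 25 usable keys, so every one of them can be tried.

```python
import string

ALPHABET = string.ascii_lowercase  # 26 letters; the shift wraps from 'z' back to 'a'


def caesar(text, key):
    """Shift every ASCII letter `key` positions forward; other characters pass through."""
    out = []
    for ch in text:
        if ch.lower() in ALPHABET:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)  # spaces, digits and punctuation are not enciphered
    return "".join(out)


def encrypt(plaintext, key):
    return caesar(plaintext, key)


def decrypt(ciphertext, key):
    # Decryption is the same substitution with the shift reversed.
    return caesar(ciphertext, -key)


def exhaustive_search(ciphertext, known_word):
    """Try all 25 non-trivial keys and keep the ones whose output contains known_word."""
    hits = []
    for key in range(1, 26):
        candidate = decrypt(ciphertext, key)
        if known_word in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    message = "Meet at the zoo, gate 3"      # constructed sample plaintext
    secret = encrypt(message, 3)
    print(secret)
    print(decrypt(secret, 3))
    print(exhaustive_search(secret, "gate"))  # the key falls out after at most 25 tries
```
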

1.6 TYPES OF CRYPTOGRAPHY:
There are mainly three ways in which we can apply an encryption algorithm with a key
to the message to be sent and decrypt it at the receiving side. These can be
elaborated as follows:
1. Symmetric Key Cryptography: The sender and the receiver use the same key to lock
and unlock; this is called symmetric key operation. In the context of cryptography, this
operation is called symmetric key cryptography. Thus, we observe
that the key distribution problem is inherently linked with the symmetric key operation
(Kahate, 2013, 54). This key is also referred to as the secret key.
The advantage of this method is that it is faster. So when we have a large amount of data to transfer
to the receiver, we can use this method. The ciphertext generated after applying the
encryption algorithm has a size the same as or less than the size of the plaintext. The disadvantage of
this method is the question of how this single common key will be exchanged between sender and
receiver if they are physically far apart from each other. Out of the core principles of
modern-day cryptography, this method only provides confidentiality.
E.g. Caesar cipher, Data Encryption Standard (DES) and Advanced Encryption
Standard (AES).
2. Hash Functions: As the name describes, no key is used; instead a function is used. This
function is applied to the plain text, resulting in a hash value of fixed length. Thus, the
contents of the plain text are hidden.
E.g.: Many operating systems use hash functions to encrypt passwords. (When you use
online net banking, the password set by you, associated with your user-id, is hidden in this
way.)
3. Asymmetric Key Cryptography: Unlike symmetric key operation, the encryption (locking)
key need not be guarded secretly by the sender. The other key is meant for
decrypting (unlocking), and is strictly held secret/private. Therefore, we shall call it the
private key or secret key (Kahate, 2013, 63). In this encryption system, a pair of keys,
a public key and a private key, is used to encrypt and decrypt information respectively or vice
versa.
Sender: Sender’s public key and Sender’s private key.
Receiver: Receiver’s private key and Receiver’s public key.
That is, both sender and receiver have their own pair of public key and private key (both
different). The common implementation of Asymmetric Key Cryptography can be
explained as follows (see Figure 2).

If Bob wants to send a message to Alice, Bob (sender) encrypts the message with the
receiver's (Alice’s) public key (which is known to all).
When this cipher text is received, the receiver (Alice) decrypts it with her own (Alice’s) private
key (secret and known only to the owner).
Remember, the decryption or decoding of the message can be done only with the receiver’s
private key, because the algorithm is devised accordingly. Mathematically this can be
represented as,
P = D(Kd, E(Ke, P)) where Ke is the encryption key and Kd is the decryption key.

Figure 2: Use of public key and private key pair in Asymmetric Key Cryptography

This is also referred to as “Public-key cryptography”. This method is slower but more
secure, so when we have a small amount of data to transfer, this can be used. The ciphertext
generated after applying the encryption algorithm has a size the same as or less than the size of the
plaintext. This is used not only to encrypt the message but also, in some
algorithms (e.g. the Diffie-Hellman key exchange algorithm), to secretly exchange the single
common key (secret key) used in Symmetric Key Cryptography. Email communication can
be the simplest example to understand this process better.
E.g.: RSA algorithm.

1.7 SUMMARY

To keep communication secret, the technique of cryptography has been implemented since
historical times. Its meaning is “hidden writing”. Kings like Julius Caesar used to send secret
messages to other kings using a scribe known to them only. “Cryptography is the art and
science of making "secret codes".” “Cryptanalysis is the art and science of breaking "secret
codes".”
Cryptology = Cryptography + Cryptanalysis.
“Cryptology is the art and science of making and breaking "secret codes".” Confidentiality,
Integrity, Non-repudiation and Authentication are the core principles of cryptography.
A cryptosystem has the components: plaintext, ciphertext, encryption algorithm, key used and
decryption algorithm. The “Caesar cipher” with key=n (n=3 as used by King Caesar) shifts 3
characters left to encrypt the message and shifts 3 characters to the right to decrypt the message
at the receiver.
Ciphertext can be created using methods of substitution ciphers or transposition ciphers. The types
of cryptography are Symmetric Key Cryptography, Hash Functions and Asymmetric Key
Cryptography. Each has its unique way to maintain security.

1.8 KEYWORDS
1. Plaintext: Message in original form. As the name says, “plain”.
2. Cipher text: Encrypted form of message.
3. Encryption: Transforming plain text into cipher text to ensure secrecy using an
algorithm.
4. Decryption: Transforming cipher text back into plain text using an algorithm.
5. Caesar cipher: Ancient example of Cryptography.
6. Public-key cryptography: Asymmetric Key Cryptography.

1.9 SELF-ASSESSMENT QUESTIONS
I. Long questions:
1. Explain the need of cryptography.
2. Discuss the relationship between Cryptology, Cryptography and Cryptanalysis.
3. Elaborate on the core principles of cryptography.
4. Distinguish between Symmetric Key Cryptography and Asymmetric Key Cryptography.
5. Explain the Hash Functions.

II. Short questions:


1. What do you mean by Cryptanalysis?
2. Write the definition of Cryptology.
3. Distinguish between plaintext and ciphertext.
4. What is authentication?
5. Distinguish between encryption and decryption.
6. What is Caesar cipher? Explain with one example.
7. Convert the plaintext: TRANSFER MONEY TODAY into ciphertext using Caesar
cipher.
8. Convert the plaintext: TRANSFER MONEY TODAY into ciphertext using Caesar
cipher with key=5.

III. True and False:


1. Cryptanalysis is the art and science of breaking "secret codes”.
2. Authentication means checking sender and receiver’s identity for confirming source and
destination of information.
3. Cryptology is the art and science of only breaking "secret codes”.
4. Encryption is the process of transforming plain text into cipher text in order to
ensure secrecy using an algorithm.
5. In Symmetric Key Cryptography, single common key is used by sender and receiver of
message for encryption & decryption respectively.
Ans: 1. True, 2. True, 3. False, 4. True, 5. True

IV. Multiple choice question
1. Caesar cipher is one of the examples of “________”.
a. Transposition ciphers
b. Substitution ciphers
c. The modern ciphers
d. Transition ciphers
2. Symmetric Key Cryptography is ________ as compared to Asymmetric Key
Cryptography
a. slower
b. zero in speed
c. faster
d. very slow
3. The Greek words, ‘Krypto’ meaning hidden and ‘graphene’ meaning writing form the
word ________
a. Void
b. cryptography
c. Cryptology
d. Cryptanalysis
4. Cryptology is the art and science of ________________ "secret codes".
a. only making of
b. making and breaking
c. only breaking of
d. Distinguishing
5. ____________ means the communicated information in its coded form. It is an encrypted
form of message.
a. Executive
b. Cipher text
c. Judiciary
d. plaintext
6. P = D(Kd, E (Ke,P)) represents _____________Key Cryptography.
a. Symmetric
b. Asymmetric
c. Precedents
d. Ratio decidendi.

Ans: 1. b, 2. c, 3. b, 4. b, 5. b, 6. b

1.10 REFERENCES
1. Caesar Cipher in Cryptography. (2023, May 11). GeeksforGeeks. Retrieved June 4,
2023, from https://www.geeksforgeeks.org/caesar-cipher-in-cryptography/
2. History of Cryptography. (2022, October 6). GeeksforGeeks. Retrieved June 4, 2023,
from https://www.geeksforgeeks.org/history-of-cryptography/
3. Introduction to Crypto-terminologies. (2023, March 22). GeeksforGeeks. Retrieved
June 4, 2023, from https://www.geeksforgeeks.org/introduction-to-crypto-terminologies/
4. Kahn, D. (n.d.). Chapter 5: Cryptography. Department of Computer Science. Retrieved
June 4, 2023, from
http://www.cs.sjsu.edu/~stamp/CS265/SecurityEngineering/chapter5_SE/chapter5.html
5. Richards, K. (n.d.). What is Cryptography? Definition from SearchSecurity.
TechTarget. Retrieved June 4, 2023, from
https://www.techtarget.com/searchsecurity/definition/cryptography

Additional Reading:
1. Atul Kahate. (2013). Cryptography and network security. Mcgraw
Hill Education, C.
2. Shannon, C. E. (October 1949). "Communication Theory of Secrecy Systems*". Bell
System Technical Journal. 28 (4): 656–715. doi:10.1002/j.1538-7305.1949.tb00928.x
3. Stallings, W. (2011). Cryptography and network security : principles and practice.
Prentice Hall.

MODULE - 2
DES – THE DATA ENCRYPTION STANDARD

TABLE OF CONTENTS

2.1 Learning Objectives


2.2 Stream Ciphers And Block Ciphers
2.3 History of Data Encryption Standard(DES)
2.4 Terminologies
2.4.1 confusion and diffusion
2.5 DES Working
2.6 DES Decryption
2.7 Summary
2.8 Key terms
2.9 Self-assessment questions
2.10 References

2.1. LEARNING OBJECTIVES


After completing this module, the learner will be able to
1. Distinguish between the basics of Stream Ciphers and Block Ciphers.
2. Understand the background of Data Encryption Standard (DES).
3. Understand the various terms involved in the process of generating ciphertext.
4. Acquire an overview of the steps of Data Encryption Standard (DES).
5. Distinguish between Symmetric Key Cryptography and Asymmetric Key Cryptography.

2.2 STREAM CIPHERS AND BLOCK CIPHERS


How the plaintext data is given as input to the encryption algorithm may vary. This
variation is important for us to study because the ciphertext is generated accordingly.
For that, let us learn two commonly used kinds of cipher: Stream Ciphers and Block Ciphers.
A Stream Cipher: Performs encryption of a data stream one bit or one byte at a time.
A Block Cipher: Performs encryption of a block (of size 64 or 128 bits) of
plaintext and produces a ciphertext block of equal length.

2.3 HISTORY OF DATA ENCRYPTION STANDARD (DES)

The Data Encryption Standard, or DES, was developed in the 1970s at IBM. DES is a block
cipher. It was adopted to keep sensitive, unclassified electronic government data safe. In
1976 it was made a Federal Information Processing Standard (FIPS) for the US (its algorithm
is referred to as the DEA, Data Encryption Algorithm) (Stallings, W., 2011). It was used widely
at that time. But with time, after scrutiny, cryptanalysis made it clear that, as the key size
was short, it was easy to break this cipher. This led to its more secure form, Triple DES (which
is widely used today). Later the Advanced Encryption Standard (AES) took its place.
If it is so, why are we learning DES? Why not the recent algorithms? The answer is that the DES
algorithm is a landmark in cryptographic algorithms. (Atul Kahate, 2013)

2.4 TERMINOLOGIES
2.4.1 Confusion and diffusion
Shannon, C. E. (October 1949) states that in a strongly ideal cipher, all statistics of the
ciphertext are independent of the particular key used. Otherwise, for example if some repeating
patterns are observed in the ciphertext, cryptanalysis will be easy. Hence the concepts of confusion and
diffusion are implemented in DES.
1. Confusion: Confusion means each binary digit (bit) of the ciphertext should depend
on several parts of the key, obscuring the connections between the two. This is done in
order to make the statistical relationship between the ciphertext and the key as complex
as possible. (Stallings, W., 2011)
DES uses substitution as confusion.
2. Diffusion: Diffusion means if we change a single bit of the plaintext, then about half
of the bits in the ciphertext should change, and vice versa. This is done in order to make
complex the statistical relationship between the plaintext and ciphertext that could lead to figuring
out the key. (Stallings, W., 2011)
DES uses transposition as diffusion.

2.5 DES WORKING


The DES (Data Encryption Standard) algorithm is a symmetric-key block cipher. Stallings,
W. (2011) says that the DES algorithm encrypts data in blocks of size 64 bits each. It
transforms one whole block of 64-bit input data (plaintext) into a block of 64-bit output using
a key of 56 bits. DES consists of 16 rounds to encrypt one block of data. Each round performs
the steps of substitution and transposition.
Now we are ready to see the main steps in DES. Atul Kahate (2013) sums up the steps as
follows:
1. The Initial Permutation (IP) is performed on the 64-bit plain text using the Initial Permutation
(IP) function.
2. The Initial Permutation (IP) produces two halves, the Left and Right parts of the permuted block.
3. The Left part and the Right part are encrypted through 16 rounds.
4. After this, the Left and Right parts of the permuted block are combined and a Final
Permutation (FP) is performed.
5. This leads to the 64-bit cipher text.
All these steps are shown in the form of a block diagram in Figure 2.1. The plaintext
is divided into block 1, block 2, …, block n, all of size 64 bits each. Similarly, the keys that
are applied for encryption are also shown.

Figure 2.1:Main steps of DES

Let us understand the steps in detail:
Step 1. Initial Permutation (IP): Initial Permutation (IP) is performed only once, before the first
round. Transposition is done here.
That is, IP replaces the contents of one bit position with those of another. How this is done is shown in
the diagram.
E.g.: Contents of bit position 1 are overwritten by bit position 58.
Contents of bit position 40 are overwritten by bit position 1.
Let us see this in the form of Table 2.1 and Table 2.2:
Table 2.1: Initially 64 bits in a block before Initial Permutation (IP)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

Table 2.2: After Initial Permutation (IP) 64 bits in a block new positions
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

Step 2. Left and right halves: Initial Permutation (IP) produces two separate halves, the Left and
Right parts, each of 32 bits, and both are treated as separate 32-bit quantities (Stallings, W., 2011).
Step 3. 16 Rounds: The author, Atul Kahate, states in a simplified way that each round
performs a) Key transformation b) Expansion permutation c) S-box substitution d) P-box
permutation e) XOR and Swap.
a) Key transformation: First the original 64 bit key is transformed into the 56 bit key by
discarding every 8,16,24,32,64th bit. This 56-bit key is available for each round.
Now, as shown in Figure 2.1, the resulting 56 bit key is divided into 2 equal parts, each of 28
bits. The parts are circularly shifted left by 1 or 2 positions (permutation), depending on the
round number, and at the end reduced (compression) to a 48-bit sub-key. E.g., for round number 1, 2,
9 or 16, the circular shift is by only 1 position (for other rounds, the circular shift is by 2 positions).

Figure 2.2: 64 bit key is transformed into a 56 bit key

b) Expansion permutation:
As we know, Initial Permutation (IP) produces two separate halves, the Left and Right parts, each
of 32 bits, and both are treated as separate 32-bit quantities (Stallings, W., 2011).
The left part (32 bit) of plaintext: Kept as it is.
The right part (32 bit) of plaintext: It is divided into 8
blocks (4 bits each), and each block is then expanded to a corresponding 6-bit block by adding 2 more
bits. These 2 bits are actually the repeated first and the fourth bits of the 4-bit block. The
second and the third bits are written down as they were in the input (permutation).
This is called expansion permutation because first it performs expansion by increasing the
bit size from 32 to 48, which is then permuted. Expansion permutation of the right part (32
bit) of plaintext is shown in Figure 2.3.

So now this right part of the plaintext is of 48 bits.

48 bit sub-key
XOR
48 bit right part of the plaintext
------------------------------------
48 bit output is given to S-box Substitution.

Remember XOR logic: If the bits are the same, the result is 0. If the bits are different, the
result is 1.

Figure 2.3: Expansion permutation of right part (32 bit) of plaintext
(Ref:https://www.c-sharpcorner.com/article/cryptography-data-encryption-standard-des/)

c) S-box substitution: Takes the 48-bit input and produces a 32-bit output. The process
is carried out as follows: the 48-bit input block is divided into 8 sub-blocks (each of 6
bits).
S-box substitution: 6-bit block -> S-box -> select only 4 of the 6 bits.
Eight S-boxes perform substitution. Each S-box is a table of 4 rows (0 to 3) and 16
columns (numbered 0 to 15).
Bit position 1,2,3,4 = input to the 1st S-box, bit position 5,6,7,8 = input to the 2nd S-
box … bit position 45,46,47,48 = input to the 8th S-box.
E.g.: Bit position 5,6,7,8 = input to the 2nd S-box, containing the value 101101 in binary.
Then (b1, b6) = 11 in binary = 3 in decimal, and (b2, b3, b4, b5) = 0110 in binary = 6
in decimal. So output = value in S-box 2 at [row number 3][column number 6].
In this way, the S-box selects only 4 of the 6 bits and, from the 48-bit input, produces a 32-
bit output which is given to the P-box permutation.
d) P-box permutation: It takes the 32-bit output from the S-box. This P-box permutation
replaces a bit with another bit.
e) XOR and Swap:
Left part (32 bit) of plaintext
XOR
32-bit output from P-box permutation
------------------------------------
New right part (32 bit) of plaintext

Swapping: Old right part (32 bit) of plaintext = Old left part
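
The expansion permutation and the S-box lookup described above, as an added example (not part of the original module). The table `E` and the S-box 2 values are taken from the DES standard (FIPS 46-3), not from this page; the function names are made up for illustration. It shows where the two extra bits of each 6-bit block come from and reproduces the page's 101101 lookup.

```python
# Expansion table E from FIPS 46-3: output bit j is input bit E[j] (positions are 1-based).
E = [32,  1,  2,  3,  4,  5,   4,  5,  6,  7,  8,  9,
      8,  9, 10, 11, 12, 13,  12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21,  20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29,  28, 29, 30, 31, 32,  1]

# S-box 2 from FIPS 46-3: 4 rows (0 to 3) by 16 columns (0 to 15).
S2 = [[15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10],
      [ 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5],
      [ 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15],
      [13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9]]


def expand_by_rule(right32):
    """Expand 32 items to 48: each 4-bit block is flanked by its neighbours' edge bits."""
    out = []
    for blk in range(8):
        start = 4 * blk
        out.append(right32[(start - 1) % 32])   # last bit of the previous block (wraps)
        out.extend(right32[start:start + 4])    # the block's own four bits, unchanged
        out.append(right32[(start + 4) % 32])   # first bit of the next block (wraps)
    return out


def expand_by_table(right32):
    """The same expansion driven by the standard's table."""
    return [right32[pos - 1] for pos in E]


def positions_used_twice():
    """Input positions that appear twice in the 48-bit output."""
    return [pos for pos in range(1, 33) if E.count(pos) == 2]


def sbox_input_chunks(expanded48, subkey48):
    """XOR the expanded half with the 48-bit sub-key and split into eight 6-bit chunks."""
    mixed = [a ^ b for a, b in zip(expanded48, subkey48)]
    return [mixed[i:i + 6] for i in range(0, 48, 6)]


def sbox_lookup(sbox, six_bits):
    """Row comes from (b1, b6), column from (b2, b3, b4, b5); returns (row, column, value)."""
    b1, b2, b3, b4, b5, b6 = six_bits
    row = (b1 << 1) | b6
    col = (b2 << 3) | (b3 << 2) | (b4 << 1) | b5
    return row, col, sbox[row][col]


if __name__ == "__main__":
    labels = list(range(1, 33))            # position labels instead of bit values
    print(expand_by_rule(labels)[:12])     # first two 6-bit blocks
    print(positions_used_twice())          # the first and fourth bit of every 4-bit block
    print(sbox_lookup(S2, [1, 0, 1, 1, 0, 1]))
```
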

Step 4. Final Permutation (FP): After 16 rounds are performed, the Final Permutation is done,
which is a simple transposition. This means the 40th input bit takes the position of the 1st
output bit and so on. This produces the 64-bit ciphertext after encryption.

2.6 DES DECRYPTION


The same algorithm that is used for encryption is used to decrypt the ciphertext, with the key
portions reversed, i.e. if the original key K was divided into K1, K2, K3, ..., K16 for the 16 encryption
rounds, then for decryption, the key should be used as K16, K15, K14, ..., K1.
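
The overall structure from Sections 2.5 and 2.6, as an added example (not part of the original module): Table 2.2 as the initial permutation, the final permutation derived as its inverse, 16 XOR-and-swap rounds, and decryption by running the same routine with the sub-keys reversed. The round function `toy_f` and the 48-bit selection in `subkeys` are stand-ins invented here, not the DES expansion/S-box/P-box or compression permutation, so this is not DES and its output will not match DES.

```python
import hashlib

# Table 2.2 from this module: output position j of IP takes input bit IP[j] (1-based).
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17,  9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
# The final permutation undoes IP, so it can be computed instead of typed in.
FP = [IP.index(pos) + 1 for pos in range(1, 65)]
# Left circular shift per round: 1 position for rounds 1, 2, 9 and 16, otherwise 2.
SHIFTS = [1 if rnd in (1, 2, 9, 16) else 2 for rnd in range(1, 17)]
MASK28 = (1 << 28) - 1


def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def permute(bits, table):
    return [bits[pos - 1] for pos in table]


def subkeys(key56):
    """Sixteen 48-bit sub-keys from a 56-bit key: rotate both 28-bit halves each round."""
    c, d = (key56 >> 28) & MASK28, key56 & MASK28
    keys = []
    for shift in SHIFTS:
        c = ((c << shift) | (c >> (28 - shift))) & MASK28
        d = ((d << shift) | (d >> (28 - shift))) & MASK28
        # Stand-in for the compression permutation: keep the low 24 bits of each half.
        keys.append(((c & 0xFFFFFF) << 24) | (d & 0xFFFFFF))
    return keys


def toy_f(right32, key48):
    """Stand-in round function; a Feistel network is invertible whatever f is."""
    digest = hashlib.sha256(right32.to_bytes(4, "big") + key48.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block64, round_keys):
    bits = permute(to_bits(block64, 64), IP)
    left, right = from_bits(bits[:32]), from_bits(bits[32:])
    for key in round_keys:
        # New left is the old right; new right is old left XOR f(old right, sub-key).
        left, right = right, left ^ toy_f(right, key)
    # The halves are exchanged once more before the final permutation.
    return from_bits(permute(to_bits(right, 32) + to_bits(left, 32), FP))


def encrypt(block64, key56):
    return feistel(block64, subkeys(key56))


def decrypt(block64, key56):
    return feistel(block64, subkeys(key56)[::-1])   # K16, K15, ..., K1


if __name__ == "__main__":
    key, block = 0x133457799BBCDF, 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(block, key)
    print(hex(ct), hex(decrypt(ct, key)))
```
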

2.7 SUMMARY

The DES (Data Encryption Standard) algorithm is a symmetric-key block cipher. The DES
algorithm encrypts data in blocks of size 64 bits each. It transforms one whole block of 64-bit
input data (plaintext) into a block of 64-bit output using a key of 56 bits. DES performs 16
rounds to encrypt one block of data. Each round performs the steps of substitution and
transposition through the following steps: key transformation, expansion permutation, S-box
substitution, P-box permutation, XOR and swap. DES decryption uses the same encryption
algorithm with the key portions reversed.

2.8 KEYWORDS

1. DES: Data Encryption Standard, a symmetric-key block cipher.
2. Confusion: Each binary digit (bit) of the ciphertext should depend on several parts
of the key, obscuring the connections between the two.
3. Diffusion: If we change a single bit of the plaintext, then about half of the bits in the
ciphertext should change, and vice versa.

2.9 SELF-ASSESSMENT QUESTIONS
I. Long questions:
1. Explain what is stream cipher and Block Cipher.
2. Discuss the terms Confusion and Diffusion.
3. Elaborate on the Initial Permutation (IP) in DES.
4. Elaborate on the S-box substitution in DES.
5. Write the main steps in DES.
6. Describe the process of Expansion permutation in DES.
7. Explain the following processes: a) P-box Permutation b) XOR and Swap.

II. Short questions:


1. What do you mean by confusion in DES?
2. Write in brief what is DES decryption.
3. What is expansion permutation of the right part (32bit) of the plaintext?
4. What is Final Permutation (FP) in DES?
5. What is Key transformation in DES ?
6. In each round of DES which steps are performed?

III. True and False:


1. Initial Permutation (IP) is performed only once before the first round.
2. DES Decryption uses the same encryption algorithm with reversing the key portions.
3. In DES, first the original 64 bit key is transformed into the 56 bit key by discarding every
8,16,24,32,64th bit.
4. Initial Permutation (IP) produces two separate halves Left & Right part each of 100-bit
in Data Encryption Standard.
5. In 1976 DES was made a Federal Information Processing Standard (FIPS) for the US.
Ans: 1. True, 2. True, 3. True, 4. False, 5. True

IV. Multiple choice question


1. DES means ________ ________ ________.
a. Data Encryption Standard
b. Data Encryption Substitution
c. Deemed Encryption Standard
d. Data Enlargement Standard

2. Cryptanalysis made it clear that in DES the key size was ________.
a. big
b. lengthy
c. short
d. very slow

3. DES was easy to break due to its short key. This led to its more secure form of ________
a. Tristar DES
b. Triple DES
c. Penta DES
d. Quartz DES
4. In DES, after ____ rounds are performed, Final Permutation is done which is simple.
a. 16
b. 11
c. 21
d. 31
5. DES Decryption uses the same encryption algorithm with _____________ the key
portions.
a. reversing
b. adding
c. subtracting
d. multiplying
6. DES produces _____________ of 64-bit after encryption.
a. ciphertext
b. plaintext
c. Precedents
d. Ratio decidendi.
Ans: 1. a, 2. c, 3. b, 4. b, 5. a, 6. a

2.10 REFERENCES
1. Atul Kahate. (2013). Cryptography and network security. Mcgraw Hill Education, C.
2. Shannon, C. E. (October 1949). "Communication Theory of Secrecy Systems*". Bell
System Technical Journal. 28 (4): 656–715. doi:10.1002/j.1538-7305.1949.tb00928.x
3. Stallings, W. (2011). Cryptography and network security : principles and practice.
Prentice Hall.
4. Ref: https://www.c-sharpcorner.com/article/cryptography-data-encryption-standard-des/

MODULE - 3
INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)

TABLE OF CONTENTS

3.1 Learning Objectives
3.2 History of International Data Encryption Algorithm (IDEA)
3.3 Basic similarities and differences between Data Encryption Algorithm (IDEA) and Data
Encryption Standard (DES)
3.4 IDEA Working
3.5 IDEA Decryption
3.6 Summary
3.7 Key terms
3.8 Self-assessment questions
3.9 References

3.1. LEARNING OBJECTIVES


After completing this module, the learner will be able to
1. Acquire an overview of the steps of International Data Encryption Algorithm
(IDEA).
2. Understand the decryption of International Data Encryption Algorithm (IDEA).
3. Distinguish between basic similarities and differences between Data Encryption
Algorithm (IDEA) and Data Encryption Standard (DES).

3.2 HISTORY OF INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)


Launched in 1990, the International Data Encryption Algorithm (IDEA) is quite a strong
encryption algorithm. Compared to the earlier DES, IDEA was not popular. Then you must
be wondering where it is actually used. Pretty Good Privacy (PGP) in email security is based
on IDEA.

3.3 BASIC SIMILARITIES AND DIFFERENCES BETWEEN DATA ENCRYPTION ALGORITHM (IDEA) AND DATA ENCRYPTION STANDARD (DES)

Let us see some fundamental principles of IDEA. Table 3.2 describes basic similarities and
differences between Data Encryption Algorithm (IDEA) and Data Encryption Standard
(DES).
Table 3.2: Basic similarities and differences between Data Encryption Algorithm (IDEA) and Data Encryption
Standard (DES)

No. | International Data Encryption Algorithm (IDEA) | Data Encryption Standard (DES)
1 | IDEA is a block cipher. | DES is a block cipher.
2 | IDEA works on 64-bit plain-text blocks. | DES works on 64-bit plain-text blocks.
3 | IDEA is reversible like DES, that is, the same algorithm is used for encryption and decryption. | DES is reversible, that is, the same algorithm is used for encryption and decryption.
4 | IDEA uses both diffusion and confusion for encryption. | DES uses both diffusion and confusion for encryption.
5 | IDEA uses a 128 bit key, which is longer than DES. | DES uses a 64 bit key.

3.4 WORKING OF INTERNATIONAL DATA ENCRYPTION ALGORITHM (IDEA)


IDEA uses the mathematical operations addition modulo $2^{16}$ (i.e. addition modulo 65536) and
multiplication modulo $2^{16} + 1$ (i.e. multiplication modulo 65537), respectively (a mod b is
the remainder of the division a/b).
Let us see the meaning of these two operations: Addition modulo m of a and b is defined as
the least non-negative remainder ‘r’ when the sum a+b is divided by m (that is, (a+b) / m).
Multiplication modulo m of a and b is defined as the least non-negative remainder ‘r’ when the
product ab is divided by m (that is, (ab) / m).
The International Data Encryption Algorithm (IDEA) consists of the following main steps:
1. The input plaintext of 64 bits is divided into 4 portions of 16 bits, say, Portion 1= P1 to P4,
Portion 2= P2 to P8, Portion 3= P9 to P12, Portion 4= P13 to P16.
2. The original key consists of 128 bits. In each round, six subkeys are generated from the original
key. Each of the subkeys consists of 16 bits.
3. Input (Portion1, Portion2, Portion3, Portion4) to the 1st round of the algorithm. There are 8 such
rounds in IDEA. Each round performs operations on the four data blocks using six keys.
(Portion1, Portion2, Portion3, Portion4)

|
(Round 1) <---- subkeys (K1-K6)
|
|
|
(Round 8) <---- subkeys (K43-K48)
Operations performed in each round are shown stepwise. Table 3.1 shows which operation
each operator used in the steps indicates.

Table 3.1 Operator used in the step indicates which operation

Operator Indicates operation

* Multiplication modulo 65537

+ Addition modulo 65536

^ XOR

Step 1: P1 * K1.
Step 2: P2 + K2.
Step 3: P3 + K3.
Step 4: P4 * K4.
Step 5: Results of Step 1 ^ Step 3.
Step 6: Results of Step 2 ^ Step 4.
Step 7: Results of Step 5 * K5.
Step 8: Results of Step 6 + Step 7.
Step 9: Results of Step 8 * K6.
Step 10: Results of Step 7 + Step 9.
Step 11: Results of Step 1 ^ Step 9.
Step 12: Results of Step 3 ^ Step 9.
Step 13: Results of Step 2 ^ Step 10.
Step 14: Results of Step 4 ^ Step 10.

4. Subkey generation: Out of the original 128 bits, the first 96 bits (6 subkeys x 16 bits per
subkey) are used for the first round. Thus, at the end of the first round, bits 97–128 of the
original key are unused.
For the next rounds, IDEA performs key shifting to generate the subkeys. That is, the original key
is shifted left circularly by 25 bits.
5. The output of round 8 (a 64-bit value) is divided into four sub-blocks and is given as input to a
step called “Output transformation”. At the end of the eighth and final round, the key is
exhausted and shifted. So, the first 64 bits make up subkeys K1 to K4, which are used as the
four subkeys for this round.
Output: The output transformation produces the 64-bit cipher text, which is a combination of the four
cipher-text sub-blocks C1 to C4.

3.5 IDEA DECRYPTION
In IDEA, the decryption process is similar to the encryption process; only the subkeys differ, being
an inverse of the encryption subkeys. IDEA uses a 128-bit key, which is double the key
size of DES, and so it is harder to break.
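
The round steps, subkey generation, output transformation and inverse-subkey decryption of sections 3.4 and 3.5, as an added Python example that is not part of the original module. Function names are illustrative; two details come from the published IDEA design rather than from the text above: a 16-bit value of 0 stands for 65536 in the multiplication, and the output transformation reads the two middle words in swapped order. The key and plaintext are a widely published IDEA test vector.

```python
MASK16 = 0xFFFF

def mul(a, b):
    """'*' in Table 3.1: multiplication modulo 65537; the 16-bit value 0 stands for 65536."""
    return ((a or 0x10000) * (b or 0x10000) % 0x10001) & MASK16

def add(a, b):
    """'+' in Table 3.1: addition modulo 65536."""
    return (a + b) & MASK16

def mul_inv(a):
    """Inverse for mul(); 65537 is prime, so a^(65537 - 2) is the inverse."""
    return pow(a or 0x10000, 0x10001 - 2, 0x10001) & MASK16

def expand_key(key):
    """52 subkeys: read eight 16-bit words, rotate the 128-bit key left by 25 bits, repeat."""
    if len(key) != 16:
        raise ValueError("IDEA needs a 128-bit key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]

def idea_round(x, k):
    """Steps 1-14 of one round: x holds the four 16-bit portions, k the six subkeys."""
    s1, s2 = mul(x[0], k[0]), add(x[1], k[1])
    s3, s4 = add(x[2], k[2]), mul(x[3], k[3])
    s5, s6 = s1 ^ s3, s2 ^ s4
    s7 = mul(s5, k[4])
    s8 = add(s6, s7)
    s9 = mul(s8, k[5])
    s10 = add(s7, s9)
    return (s1 ^ s9, s3 ^ s9, s2 ^ s10, s4 ^ s10)      # steps 11, 12, 13, 14

def crypt_block(block, subkeys):
    """Eight rounds plus the output transformation; the subkeys decide encrypt or decrypt."""
    if len(block) != 8 or len(subkeys) != 52:
        raise ValueError("need a 64-bit block and 52 subkeys")
    x = tuple(int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        x = idea_round(x, subkeys[6 * r:6 * r + 6])
    k = subkeys[48:]
    # Output transformation: the middle words are taken in swapped order (IDEA design detail).
    y = (mul(x[0], k[0]), add(x[2], k[1]), add(x[1], k[2]), mul(x[3], k[3]))
    return b"".join(v.to_bytes(2, "big") for v in y)

def invert_subkeys(ek):
    """Decryption subkeys: encryption subkeys in reverse round order, each one inverted."""
    dk = []
    for r in range(9):                                 # r = 8 is the output transformation
        base = 48 - 6 * r
        a, b, c, d = ek[base:base + 4]
        if 0 < r < 8:
            b, c = c, b                                # middle additive keys swap in inner rounds
        dk += [mul_inv(a), (-b) & MASK16, (-c) & MASK16, mul_inv(d)]
        if r < 8:
            dk += ek[base - 2:base]                    # K5, K6 of the preceding encryption round
    return dk

if __name__ == "__main__":
    key = bytes.fromhex("00010002000300040005000600070008")
    plaintext = bytes.fromhex("0000000100020003")
    ek = expand_key(key)
    ciphertext = crypt_block(plaintext, ek)
    print("ciphertext:", ciphertext.hex())
    print("decrypted :", crypt_block(ciphertext, invert_subkeys(ek)).hex())
```

The same `crypt_block` routine serves both directions, which is the point of section 3.5: only the subkey list changes.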

3.6 SUMMARY

IDEA is a block cipher. IDEA takes 64-bit plain-text blocks as input. IDEA performs the
mathematical operations in 8 rounds. These operations are addition modulo 2^16 (i.e. addition
modulo 65536), multiplication modulo 2^16 + 1 and XOR.
IDEA uses a 128-bit key, which is double the key size of DES, and so it is harder to
break. After the first round, subkey generation through circular left shift (of the original key bits) is
performed. Once the 6 subkeys per round have been applied up to the 8th round, the output transformation
produces the ciphertext sub-blocks C1 to C4.

3.7 KEYWORDS

1. Confusion: Each binary digit (bit) of the ciphertext should depend on several parts
of the key, obscuring the connections between the two.
2. Diffusion: If we change a single bit of the plaintext, then about half of the bits in the
ciphertext should change, and vice-versa.
3. International Data Encryption Algorithm (IDEA): A symmetric key encryption
algorithm.

3.8 SELF-ASSESSMENT QUESTIONS
I. Long questions:
1. Explain the International Data Encryption Algorithm (IDEA).
2. Write the basic similarities and differences between the International Data Encryption
Algorithm (IDEA) and the Data Encryption Standard (DES).
3. Elaborate on the Subkey generation and output transformation in International Data
Encryption Algorithm (IDEA).

II. Short questions:


1. What do you mean by Subkey generation in International Data Encryption Algorithm
(IDEA)?
2. How many rounds are performed in the International Data Encryption Algorithm
(IDEA)?
3. What is output transformation in International Data Encryption Algorithm (IDEA)?
4. Pretty Good Privacy (PGP) in email security is based on which algorithm?
5. Explain IDEA decryption.

III. True and False:


1. IDEA uses a 552 bit key.
2. IDEA is reversible like DES, that is, the same algorithm is used for encryption and
decryption.
3. In IDEA, decryption process is similar to the encryption process.
4. IDEA performs key shifting to generate the subkeys.
Ans: 1. False, 2. True, 3. True, 4. True

IV. Multiple choice question


1. IDEA is a______ cipher.
a. block
b. stream
c. delta
d. Transitio
2. ______________ in email security is based on IDEA.
a. Post Good Privacy (PGP)
b. Pretty Good Piracy (PGP)

c. Pretty Good Privacy (PGP)
d. Print Good Privacy (PGP)

3. IDEA uses a ___________ bit key, which is longer than DES.


a. 128
b. 122
c. 143
d. 144
4. In IDEA, the decryption process is similar to the encryption process; only subkeys are
actually ____________of the encryption subkeys.
a. same
b. an inverse
c. induced
d. positive
Ans 1.a, 2.c, 3.a,4. b

3.9 REFERENCES
1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.
2. https://www.c-sharpcorner.com/article/cryptography-data-encryption-standard-des

MODULE - 4
BLOWFISH / AES

TABLE OF CONTENTS
4.1 Learning Objectives
4.2 Blowfish
4.3 Advanced Encryption Standard (AES)
4.3.1 Features of AES algorithm
4.3.2 Operation of AES algorithm
4.4 Comparison of Blowfish and AES
4.7 Summary
4.8 Key terms
4.9 Self-assessment questions
4.10 References

4.1. LEARNING OBJECTIVES


After completing this module, the learner will be able to
1. Understand the need for a replacement of the DES algorithm.
2. Distinguish between Blowfish and AES.
3. Understand the various terms involved in the process of Blowfish and AES.

4.2 BLOWFISH
Blowfish is a symmetric block cipher algorithm. It was designed in 1993 by Bruce
Schneier. It is significantly faster than DES (Data Encryption Standard) and provides a good
encryption rate. Blowfish encrypts 64-bit blocks with a variable-length key of up to a maximum
of 448 bits, making it both flexible and secure. The following points summarize Blowfish:
● blockSize: 64-bits
● keySize: 32-bits to 448-bits variable size
● number of subkeys: 18 [P-array]
● number of rounds: 16
● number of substitution boxes: 4 [each having 512 entries of 32-bits each]. (Blowfish
Algorithm With Examples, 2021)

Step 1: Subkeys Generation:

The Blowfish cryptographic algorithm generates subkeys before encryption and decryption
occur. The P-arrays and S-boxes are called subkeys.

● 18 subkeys {P[0]…P[17]} are needed in both the encryption and the decryption
process, and the same subkeys are used for both processes.
● These 18 subkeys are stored in a P-array, with each array element being a 32-bit
entry.
● It is initialized with bits of the fractional part (in hexadecimal form) of the constant
pi (P[0] = "243f6a88", P[1] = "85a308d3", ..., P[17] = "8979fb1b").
● Each of the subkeys is changed with respect to the input key as:

P[0] = P[0] xor 1st 32-bits of input key


P[1] = P[1] xor 2nd 32-bits of input key
.
.
.
P[i] = P[i] xor (i+1)th 32-bits of input key
(roll over to 1st 32-bits depending on the key length)
.
.
.
P[17] = P[17] xor 18th 32-bits of input key
(roll over to 1st 32-bits depending on key length)

The resultant P-array holds 18 subkeys that are used during the entire encryption process.
(Blowfish Algorithm With Examples, 2021)

Step 2: Initialise Substitution Boxes:

● 4 substitution boxes (S-boxes) {S[0]…S[4]} are needed in both the encryption and the
decryption process, with each S-box having 256 entries {S[i][0]…S[i][255]}, where each
entry is 32 bits.
● They are initialized with the bits of the fractional part (in hexadecimal form) of the constant
pi, after initializing the P-array. (Blowfish Algorithm With Examples, 2021)

● eg: S4,254 = 578FDFE3, S4,255 = 3AC372E6

Step 3: Data Encryption:

Blowfish is a Feistel network of 16 rounds. Each round consists of a key-dependent
permutation and a key- and data-dependent substitution. The operations in the algorithm
are XORs or additions on 32-bit words. (What Are the Operations of Blowfish Algorithm, 2022)

1. The input is a 64-bit data element, x.
2. Divide x into two 32-bit halves: xL, xR.
3. Then, for i = 1 to 16:
   xL = xL XOR Pi
   xR = F(xL) XOR xR
   Swap xL and xR
   next i
4. After the 16th round, swap xL and xR again to undo the last swap.
5. Then, xR = xR XOR P17 and xL = xL XOR P18.
6. Finally, recombine xL and xR to get the ciphertext (the concatenation of xL and xR). (What Are
the Operations of Blowfish Algorithm, 2022)
Where the function F is as follows:
(a) Divide the 32-bit XL block into four 8-bit sub-blocks, named a, b, c, and d.
(b) Compute F [a, b, c, d] = ((S1,a + S2,b) XOR S3,c) + S4,d

Decryption in Blowfish is the same as encryption, except that P1, P2, ..., P18 are used in
the reverse order.
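
The three Blowfish steps above as an added Python example, not code from the module or from the sources it cites. The P-array and S-box constants are computed from the hexadecimal digits of pi instead of being pasted in, and class and function names are illustrative. It goes one step beyond the text: after the key is XORed into the P-array, Schneier's specification replaces every P and S entry by repeatedly encrypting a running block that starts as all zeros, and that step is included here.

```python
M32 = 0xFFFFFFFF

def pi_fraction_words(count):
    """First `count` 32-bit words of the fractional part of pi (Machin's formula, integers only)."""
    guard = 64                                   # spare low bits absorb rounding error
    one = 1 << (32 * count + guard)

    def arctan_inv(x):                           # arctan(1/x) scaled by `one`
        total = term = one // x
        x2, n, sign = x * x, 3, -1
        while term:
            term //= x2
            total += sign * (term // n)
            sign, n = -sign, n + 2
        return total

    pi_scaled = 16 * arctan_inv(5) - 4 * arctan_inv(239)
    frac = (pi_scaled - 3 * one) >> guard
    return [(frac >> (32 * (count - 1 - j))) & M32 for j in range(count)]

PI_WORDS = pi_fraction_words(18 + 4 * 256)       # 18 P entries, then four 256-entry S-boxes

class Blowfish:
    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("key must be 32 to 448 bits long")
        self.P = PI_WORDS[:18]
        self.S = [PI_WORDS[18 + 256 * i:18 + 256 * (i + 1)] for i in range(4)]
        # Step 1: XOR P[i] with successive 32-bit key words, rolling over the key.
        for i in range(18):
            word = bytes(key[(4 * i + j) % len(key)] for j in range(4))
            self.P[i] ^= int.from_bytes(word, "big")
        # Remaining key-schedule step from Schneier's specification (not in the text above):
        # replace P, then the S-boxes, with successive encryptions of a running block.
        left = right = 0
        for i in range(0, 18, 2):
            left, right = self._crypt(left, right, self.P)
            self.P[i], self.P[i + 1] = left, right
        for box in self.S:
            for i in range(0, 256, 2):
                left, right = self._crypt(left, right, self.P)
                box[i], box[i + 1] = left, right

    def _f(self, x):
        """F = ((S1[a] + S2[b]) XOR S3[c]) + S4[d], additions modulo 2^32."""
        a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
        s = self.S
        return ((((s[0][a] + s[1][b]) & M32) ^ s[2][c]) + s[3][d]) & M32

    def _crypt(self, xl, xr, p):
        for i in range(16):
            xl ^= p[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl                      # swap inside every round
        xl, xr = xr, xl                          # undo the last swap
        xr ^= p[16]
        xl ^= p[17]
        return xl, xr

    def _block(self, block, p):
        if len(block) != 8:
            raise ValueError("Blowfish works on 64-bit blocks")
        xl, xr = self._crypt(int.from_bytes(block[:4], "big"),
                             int.from_bytes(block[4:], "big"), p)
        return xl.to_bytes(4, "big") + xr.to_bytes(4, "big")

    def encrypt_block(self, block):
        return self._block(block, self.P)

    def decrypt_block(self, block):
        return self._block(block, self.P[::-1])  # same algorithm, P-array reversed

if __name__ == "__main__":
    cipher = Blowfish(bytes(8))                  # constructed all-zero 64-bit key
    ct = cipher.encrypt_block(bytes(8))
    print(ct.hex(), cipher.decrypt_block(ct).hex())
```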

4.3 ADVANCED ENCRYPTION STANDARD (AES)


The drawback of DES was that its key size was too small (56-bit key). With increasing computing
power, it was considered vulnerable to exhaustive key search attacks. Triple DES was
designed to overcome this drawback, but it was found to be slow. So, AES was a good replacement
for DES. AES is a more popular and widely adopted symmetric encryption algorithm
nowadays.

4.3.1 Features of AES algorithm
a) Faster than Triple DES, with a longer key (128-bit blocks, with 128-bit or longer
keys).
b) Adapted to modern processors, suited to smart cards.
4.3.2 Operation of AES algorithm
Here, we restrict ourselves to a description of a typical round of AES encryption. AES is based on a
‘substitution–permutation network’. This means it involves a series of linked operations,
some of which involve replacing inputs by specific outputs (substitutions) and others
involve shuffling bits around (permutations).

A point to note is that, instead of bits, AES performs all its computations on bytes. That is,
AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four
columns and four rows for processing as a matrix. (Advanced Encryption Standard,
n.d.)

Unlike DES, the number of rounds in AES is variable and depends on the length of the
key. Figure 4.1 shows the structure of AES and the number of rounds with respect to the
length of the key. (Advanced Encryption Standard, n.d.)

How is encryption carried out?

A typical round of AES encryption has four sub-processes. The first round can be shown
as in Figure 4.2.
Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given
in the design. The result is a matrix of four rows and four columns.

Figure 4.1:Structure of AES and number of rounds with respect to the length of the key
Ref:https://www.tutorialspoint.com/cryptography/advanced_encryption_standard.htm
Shiftrows
Every row of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted
on the right side of the row. Shift is performed as follows:
First row is not shifted.
Second row is shifted one (byte) position to the left.
Third row is shifted two positions to the left.
Fourth row is shifted three positions to the left.
Output is a new matrix of the same 16 bytes but shifted.
MixColumns
Each column of four bytes is transformed using a special mathematical function to produce four
completely new bytes, which replace the original column. The output is another new
matrix consisting of 16 new bytes. Remember, this step is not performed in the last
round.
Addroundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128
bits of the round key. If this is the last round then the output is the ciphertext. Otherwise,
the resulting 128 bits are interpreted as 16 bytes and we begin another similar round.

Decryption Process

Decryption of an AES ciphertext is the same as “encryption in the reverse order”. The four
processes carried out in each round need to be conducted in the reverse order:

a) Add round key

b) Mix columns

c) Shift rows

d) Byte substitution

Figure 4.2 :Cryptography model illustrating Caesar cipher an example of substitution cipher
Ref:https://www.tutorialspoint.com/cryptography/advanced_encryption_standard.htm

4.4 COMPARISON OF BLOWFISH AND AES

Table 4.1 shows comparison of Blowfish and AES:

Table 4.1 Comparison Of BLOWFISH AND AES

Point                    BLOWFISH                          Advanced Encryption Standard (AES)

1) About algorithm       symmetric encryption algorithm    symmetric encryption algorithm

2) Block size in bits    64                                128

3) Key length in bits    32-448                            128, 192, 256

4) Number of rounds      16                                10, 12 or 14 rounds depending on key size

4.7 SUMMARY

Blowfish is a symmetric block cipher algorithm. Blowfish encrypts 64-bit blocks with
a variable-length key. Subkey generation and data encryption are the two main parts
of this algorithm.

Subkey generation transforms the key, up to 448 bits long, into subkeys adding up to 4168
bits. The data encryption process iterates the network 16 times. Each round
consists of a key-dependent permutation and a key- and data-dependent
substitution.

AES is more secure than DES. AES is a more popular and widely adopted symmetric
encryption algorithm nowadays.
AES is easy to implement due to its features. These include a symmetric
structure, being faster than Triple DES with a longer key (128-bit blocks, with 128-bit or longer
keys), being adapted to modern processors and being suited to smart cards.
A typical round of AES encryption involves a series of linked operations, some of
which involve replacing inputs by specific outputs (substitutions) and others involve
shuffling bits around (permutations).

4.8 KEYWORDS
1. AES: Advanced Encryption Standard, symmetric encryption algorithm
2. Blowfish: Blowfish is a symmetric block cipher algorithm. Blowfish encrypts 64-bit
blocks with a variable-length key.
3. DES: Data Encryption Standard, a symmetric-key block cipher.

4.9 Self-assessment questions

I. Long questions:
1. Explain the advantages of Advanced Encryption Standard(AES) over Data Encryption
Standard (DES).
2. Discuss in brief the structure of AES and number of rounds with respect to the length of
the key.
3. Elaborate on the Subkey Generation in the blowfish algorithm.
4. Distinguish between Advanced Encryption Standard(AES) and Data Encryption Standard
(DES).
II. Short questions:
1. Blowfish algorithm uses what size of variable keys?
2. Write features of Advanced Encryption Standard (AES).
3. Explain the Decryption Process of Advanced Encryption
Standard (AES).
4. What is the Shiftrows process in Advanced Encryption Standard (AES)?
5. What is the MixColumns process in Advanced Encryption Standard (AES)?
6. Which is the faster algorithm, Blowfish or DES (Data Encryption Standard)?
III. True and False:
1. In 1993 blowfish was designed by Bruce Schneier.
2. Blowfish is significantly faster than DES (Data Encryption Standard)
3. The Blowfish cryptographic algorithm generates sub keys after encryption and decryption
occurs.
4. AES algorithm is faster than Triple DES.
5. AES is based on the ‘substitution–permutation network’.
Ans: 1. True, 2. True, 3. False, 4. True, 5. True

IV. Multiple choice question
1. AES performs all its computations on ________.
a. bytes
b. nibbles
c. modern ciphers
d. Transition
2. __________of an AES ciphertext is the same as “encryption in the reverse order”.
a. Decryption
b. Cipher
c. Bibtex
d. Plaintext

3. A typical round of AES encryption has four sub-processes performed in following
sequence ________, ________, ________, ________.
a. Add round key, Mix columns, Shift rows, Byte substitution
b. Add round key, Mix columns, Shift rows, Byte substitution
c. Byte substitution, Shift rows, Mix columns, Add round key
d. Byte substitution, Shift rows, Add round key, Mix columns

4. Unlike DES, the number of rounds in AES is variable and depends on the length of
the__________.
a. key
b. transition
c. transposition
d. data
5. AES algorithm is faster than Triple _______with longer key, adapted to modern
processors and suited to Smart Cards.
a. AES
b. DES
c. Triple SHA
d. MD5
Ans 1. a, 2. a, 3. c, 4. a, 5. b

4.10 REFERENCES

1. Advanced Encryption Standard. (n.d.). Tutorialspoint. Retrieved June 3, 2023, from
https://www.tutorialspoint.com/cryptography/advanced_encryption_standard.htm
2. Blowfish Algorithm with Examples. (2021, September 30). GeeksforGeeks. Retrieved
June 4, 2023, from https://www.geeksforgeeks.org/blowfish-algorithm-with-examples/
3. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.
4. What are the operations of Blowfish Algorithm. (2022, March 15). Tutorialspoint.
Retrieved June 3, 2023, from https://www.tutorialspoint.com/what-are-the-operations-of-blowfish-algorithm

MODULE - 5
MESSAGE DIGEST

TABLE OF CONTENTS

5.1 Learning Objectives


5.2 What Is Message Digest?
5.3 What Are The Requirements Of A Message Digest?
5.4 Message-Digest Algorithms

5.4.1 MD5
5.4.2 Working of The MD5 Algorithm
5.5 Secure Hash Algorithm (SHA)
5.5.1 About SHA
5.5.2 Summarized steps of working of SHA
5.6 Comparison Of MD5 And SHA
5.7 Summary
5.8 Key terms
5.9 Self-assessment questions
5.10 References
5.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the need of message digest.
2. Distinguish between MD5 and SHA algorithms.
3. Understand the nature of requirements for a message digest.
4. Acquire an overview of the message-digest algorithms.

5.2 WHAT IS A MESSAGE DIGEST?


A message digest is a fingerprint of a message. Do you remember the concept of the
Cyclic Redundancy Check (CRC)? We use CRC to detect the errors which may occur during
data transmission from sender to receiver. A message digest has the same objective. Author
Kahate states, “suppose that we have a number 4000 and we divide it by 4 to get 1000. Thus,
4 becomes a fingerprint of the number 4000. Dividing 4000 by 4 will always yield 1000. If
we change either 4000 or 4, the result will not be 1000”.
Now you may wonder: how is a message digest calculated? Let us take a simple example.
Suppose the original number is 8472632. Now we perform some operations on this number
to calculate its message digest.
Step 1: Multiply 8 by 4 = 32, discard 3, answer = 2
Step 2: Multiply 2 by 7 = 14, discard 1, answer = 4
Step 3: Multiply 4 by 2 = 8, answer = 8
Step 4: Multiply 8 by 6 = 48, discard 4, answer = 8
Step 5: Multiply 8 by 3 = 24, discard 2, answer = 4
Step 6: Multiply 4 by 2 = 8, answer = 8
Our message digest is 8.

A hashing operation is performed on the given original message. ‘Hashing operation’ means
the message-digest algorithm. Its output is the “hash” or “message digest” (which is smaller
in size than the original message).
(original message) 01001110 11101101 00100100 … -> Hashing operation -> 1111 01010
… (message digest). Message digests are of 128 or more bits.

5.3 WHAT ARE THE REQUIREMENTS OF A MESSAGE DIGEST?

About the requirements of a message digest, the author Atul Kahate states in simple words, “(a)
Finding message digest for a given message should be easy. And the message digest must
always remain the same for a given message. (b) Given a message digest, it should be very
difficult to find the original message for which the digest was created. (c) Given any two
messages, if we calculate their message digests, the two message digests must be different.”

Out of the above points, the first two points are very obvious. But what about the third one?
Let us see an example.
Consider the following messages and their corresponding message digests.

(original message) please do you r study today -> Hashing operation ->
(message digest) d5ffe1a72352f834e14a203f6a1ca137

(original message) please do your study tomorrow -> Hashing operation ->
(message digest) e604f1141655e6a8d460e96fa470f42e

That is, even if the message has slight changes, it will generate a different message digest. If
we think carefully, we can conclude that the possibility of any two message digests being the
same (referred to as a “collision”) is very rare in practice, but in theory it is statistically possible. With
respect to this possibility, a security attack called the birthday attack is used to detect collisions in
message-digest algorithms.

Now we know what a message digest is. We will now learn the message-digest algorithms
(hashing operations) MD5 and SHA.

5.4 MESSAGE-DIGEST ALGORITHMS


5.4.1 MD5
MD5 is a message-digest algorithm developed by Ron Rivest. MD5 outputs a message
digest of 128 bits. It is fast, but it later came to light that this algorithm may create
collisions. Let us see how this Message Digest algorithm 5 works.
5.4.2 Working of The MD5 Algorithm
Following are the summarized steps of the MD5 algorithm:
Step 1. Append Padding Bits: Some extra bits are added as padding at the end of the original
message, in such a way that the total length of the message is 64 bits less than an exact multiple
of 512. This means,
Length(original message + padding bits) = 512 * i – 64 where i = 1, 2, 3, . . .
(What Is the MD5 Algorithm?, 2022)
E.g.: Suppose the original message is 1000 bits; then the padding bits can be 448 bits or 960 bits
or 1472 bits etc. Any one of these can be used.
Remember that even if the message length is already 64 bits less than a multiple of 512, padding
is a must.

Step 2. Append Length Bits: The length of the original message (without padding bits) is
calculated and written in 64 bits. To the end of the padded message, we add these 64 bits as length
bits, so that the total number of bits is an exact multiple of 512. That is, output of first
step + length of original message in 64 bits.
The message created after the above two steps is the message on which we will apply the algorithm
to produce a message digest.

Step 3: Divide the Input into 512-bit Blocks.

Step 4: Initialize 4 Chaining Variables (Buffer) to the initial hexadecimal values A, B, C and D.
Each is a 32-bit number. Copy the four chaining variables into four corresponding variables a,
b, c and d, that is, a = A, b = B, c = C and d = D. That is, abcd = 4 x 32 = 128 bits; abcd is treated
as a single 128-bit register that holds intermediate and final results.

Step 5: Process each 512-bit Block: Divide the 512-bit block into 16 sub-blocks (of 32 bits each) and
give them as input. Perform four rounds. In each round, we have 16 input sub-blocks,
named M[0], M[1], ..., M[15], or in general, M[i], where i varies from 1 to 15. T is an array of
constants. It contains 64 elements. Mathematically, a single MD5 operation can be expressed
as:

a = b + ((a + Process P (b, c, d) + M[i] + T[k]) <<< s)

where,
a, b, c, d = Chaining variables,
Process P = Process P in each round performs basic Boolean operations on b, c and d as shown
in Table 4.1.
Table 4.1 Process P in each round

Round    Process P

1        (b AND c) OR ((NOT b) AND (d))

2        (b AND d) OR (c AND (NOT d))

3        b XOR c XOR d

4        c XOR (b OR (NOT d))

M[i] = 32-bit message sub-block (the 512-bit block is divided into 16 input sub-blocks, named M[0], M[1], ...,
M[15], or in general, M[i], where i varies from 1 to 15),
T[k] = Array of constants, <<< s = Circular-left shift by s bits (Kahate, 2013, 171,172)
Output: The output of the algorithm is a set of four 32-bit blocks, which make up the 128-bit
message digest.

5.5 SECURE HASH ALGORITHM (SHA)
5.5.1 About SHA
SHA is a modified version of MD4. It was developed by the National Institute of Standards and
Technology (NIST) along with the NSA, and was later named SHA-1. The design of SHA is close to
that of MD5, so the initial steps of the working of SHA are the same as in MD5.
5.5.2. Summarized steps of working of SHA

Step 1. Append Padding Bits: Some extra bits are added as padding at the end of the original
message, in such a way that the total length of the message is 64 bits less than an exact multiple
of 512.

Step 2. Append Length Bits: The length of the original message (without padding bits) is
calculated and written in 64 bits (at the end of the padded message).

Step 3: Divide the Input into 512-bit Blocks.

Step 4: Initialize 5 Chaining Variables (Buffer) to the initial hexadecimal values A, B, C, D and
E. Each is a 32-bit number (5 x 32 = 160 bits). As SHA outputs a message digest of length 160
bits, abcde is treated as a single 160-bit register that holds intermediate and final results.

Step 5: Process each 512-bit Block: Divide the 512-bit block into 16 sub-blocks (of 32 bits each) and
give them as input. SHA has four rounds, each round consisting of 20 steps. (Kahate, 2013,
177,178)

The four rounds are structurally the same as one another, the only difference being that each
round needs a different Boolean function. In MD5, ‘t’ was an array of 4 constants but SHA
has only 4 constants defined for K[t] (where 0 ≤ t ≤ 79), one used in each of the four
rounds, chosen according to the step under consideration.

If we compare the mathematical expressions of MD5 and SHA, SHA has some variations
which are introduced to make SHA more complicated than MD5.

Output − The final output of the algorithm is a 160-bit message digest.
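
The summarized steps of sections 5.4.2 and 5.5.2 side by side, as an added Python example that is not part of the original module: one shared padding routine, then MD5 (four chaining variables, 64 operations) and SHA-1 (five chaining variables, 80 steps). The initial chaining values, shift amounts and round constants are those of the published MD5 and SHA-1 specifications, which the text above does not list; function names are illustrative and the sample message is constructed.

```python
import math
import struct

M32 = 0xFFFFFFFF

def rotl(x, s):
    """Circular left shift of a 32-bit word by s bits."""
    return ((x << s) | (x >> (32 - s))) & M32

def pad(message, length_byteorder):
    """Steps 1 and 2: a 1 bit, then zeros up to 64 bits short of a multiple of 512,
    then the original bit length in 64 bits (little-endian for MD5, big-endian for SHA-1)."""
    bit_length = 8 * len(message)
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + (bit_length % 2**64).to_bytes(8, length_byteorder)

# MD5: T[k] = floor(2^32 * |sin(k + 1)|), and the per-operation shift amounts s.
MD5_T = [int(abs(math.sin(k + 1)) * 2**32) & M32 for k in range(64)]
MD5_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

def md5(message):
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476      # step 4
    data = pad(message, "little")
    for off in range(0, len(data), 64):                              # step 3
        M = struct.unpack("<16I", data[off:off + 64])                # step 5: 16 sub-blocks
        a, b, c, d = A, B, C, D
        for k in range(64):                                          # four rounds of 16
            if k < 16:
                p, i = (b & c) | (~b & d), k
            elif k < 32:
                p, i = (b & d) | (c & ~d), (5 * k + 1) % 16
            elif k < 48:
                p, i = b ^ c ^ d, (3 * k + 5) % 16
            else:
                p, i = c ^ (b | (~d & M32)), (7 * k) % 16
            # a = b + ((a + Process P(b, c, d) + M[i] + T[k]) <<< s), then rotate the registers
            new_b = (b + rotl((a + p + M[i] + MD5_T[k]) & M32, MD5_S[k])) & M32
            a, b, c, d = d, new_b, b, c
        A, B, C, D = (A + a) & M32, (B + b) & M32, (C + c) & M32, (D + d) & M32
    return struct.pack("<4I", A, B, C, D).hex()

def sha1(message):
    H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]  # step 4
    data = pad(message, "big")
    for off in range(0, len(data), 64):
        W = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):                                       # expand 16 words to 80
            W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
        a, b, c, d, e = H
        for t in range(80):                                           # four rounds of 20 steps
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (rotl(a, 5) + f + e + k + W[t]) & M32, a, rotl(b, 30), c, d
        H = [(h + v) & M32 for h, v in zip(H, (a, b, c, d, e))]
    return struct.pack(">5I", *H).hex()

if __name__ == "__main__":
    sample = b"constructed sample message"
    print("padded length in bits:", 8 * len(pad(sample, "little")))
    print("MD5  :", md5(sample))
    print("SHA-1:", sha1(sample))
```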

5.6 COMPARISON OF MD5 AND SHA

Even though, both MD5 and SHA are simple algorithms for software implementation and
therefore does not need any large programs or complex tables there are

Table 4.2 Comparison Of MD5 and SHA

Point                                       MD5                                SHA

1) About algorithm speed                    Faster as there are 64             Slower as there are 80
                                            iterations, and 128-bit buffer     iterations, and 160-bit buffer

2) Outputs message digest of length in      128                                160
   bits

3) Collision: Attack to try and find two    Requires 2^64 operations to        Requires 2^80 operations
   messages producing the same message      break in                           to break in
   digest

4) Attack to try and find the original      Requires 2^128 operations to       Requires 2^160 operations
   message given a message digest           break in                           to break in. So, more
                                                                               secure

HMAC: Similar to a message digest, HMAC also involves encryption

5.7 SUMMARY

A message digest is a fingerprint of a message. That is, using a message digest we can
check whether the message sent by the sender has been received intact and exactly as
the sender sent it.
MD5 is a message-digest algorithm developed by Ron Rivest. MD5 outputs a message
digest of 128 bits. It is faster, but collisions may occur.
The Secure Hash Algorithm (SHA) produces a 160-bit message digest. MD5 is less
secure when compared to the SHA algorithm since MD5 is more vulnerable to
collision attacks.

5.8 KEYWORDS
1. Message digest: Fingerprint of a message; identifies a message uniquely
2. MD5: Message digest algorithm, now seems vulnerable to attacks
3. SHA: Digest algorithm, now preferred as the standard algorithm of choice.
4. NSA: US National Security Agency (NSA)
5.9 Self-assessment questions
I. Long questions:
1. Explain the working of MD5 message digest algorithm.
2. Elaborate on the requirements of a Message Digest.
3. Distinguish between MD5 and SHA message digest algorithms.
4. Explain the working of SHA message digest algorithm.
II. Short questions:
1. What do you mean by Message digest?
2. Write definition of collision with respect to Message digest algorithm.
3. Distinguish between the chaining variables used in MD5 and SHA
message digest algorithms.
4. What is the long form of SHA, which is a message digest algorithm?
5. Which is more secure, MD5 or SHA message digest algorithm?
III. True and False:
1. Message digest is a fingerprint of a message.
2. Message digest has the same objective as CRC code has.
3. Given any two messages, if we calculate their message digests, the two message digests
must be the same.
4. Given a message digest, it should be very difficult to find the original message for which
the digest was created.
5. Even if the original message has slight changes, it will generate a different message digest.
Ans: 1. True, 2. True, 3. False, 4. True, 5. True

IV. Multiple choice question


1. The possibility of any two message digests being the same is referred as “________”.
a. collision
b. Substitution
c. modern ciphers
d. Transition

2. Given any two messages, if we calculate their message digests, the two message digests
must be ________.
a. same
b. zero
c. different
d. delta

3. Collision, that is, an attack to try and find two messages producing the same message digest, in
MD5 requires ____ operations to break in.
a. 2^64
b. 2^6
c. 2^4
d. 2^84
4. MD5 produces message digest of ____________ length in bits.
a. 128
b. 122
c. 222
d. 622
5. SHA produces message digest of ____________ length in bits.
a. 128
b. 160
c. 222
d. 622

Ans 1.a, 2.a, 3.a,4. b, 5. b

5.10 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.
2. What is the MD5 Algorithm? (2022, December 13). GeeksforGeeks. Retrieved May 31, 2023,
from https://www.geeksforgeeks.org/what-is-the-md5-algorithm/

MODULE - 6
DIGITAL SIGNATURES AND CERTIFICATES

TABLE OF CONTENTS

6.1 Learning Objectives


6.2 Digital Signatures
6.2.1 What is a Digital Signature?
6.2.2 Digital Signatures can be used in
6.2.3 Drawbacks of Digital Signatures
6.3 Digital Certificates

6.3.1 What is a digital certificate?


6.3.2 Certification Authority (CA)

6.3.2 Technical details of the contents of a digital certificate

6.3.3 Digital certificate creation

6.4 Summary
6.5 Key terms
6.6 Self-assessment questions
6.7 References
6.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the need of digital signature.
2. Understand the various steps involved in the implementation of Digital Signatures.
3. Acquire an overview of the steps to create a digital signature, its uses and drawbacks.
4. Understand where digital certificates can help.

5. Acquire an overview of contents and creation of a digital certificate.

6.2 DIGITAL SIGNATURES


6.2.1 What is a Digital Signature?

A digital signature is a mathematical technique used to validate the authenticity
and integrity of a message, software or digital document, and to provide
non-repudiation. However, a digital signature is not intended to achieve confidentiality.
Let us see the basics of digital signatures. Consider the following scenario, in which
A is the sender of a message and B is the receiver.
Sender: A encrypts the message with A’s private key and sends the encrypted message
to B.
Receiver: B can use A’s public key to decrypt it, to get the plain text.
If the decryption is successful, it assures B that this message was indeed sent by A,
because a message that decrypts with A’s public key can only have been encrypted with
A’s private key, and only A knows her private key. Thus the sender A’s authenticity is
checked. This also ensures that the message was not changed during transmission and
that, in future, A cannot deny having sent this message.
The implementation of digital signatures has three main steps:
(a) Key Generation Algorithms
(b) Signing Algorithms
(c) Signature Verification Algorithms

Figure 6.1: Implementation of Digital Signatures

Figure 6.1 shows the implementation of Digital Signatures (Digital Signatures and
Certificates, 2023).

E.g.: To create a digital signature, signing software such as an email program creates a
one-way hash of the electronic data which is to be signed. The signing algorithm then
encrypts the hash value using the private key (signature key). This encrypted hash,
along with other information like the hashing algorithm, is the digital signature. This
digital signature is appended to the original data and sent to the verifier.
The hash of the original message or document is encrypted instead of the entire
original message or document because a hash function converts any arbitrary input
into a much shorter fixed-length value. This saves time, as instead of signing a
long message only a shorter hash value has to be signed; moreover, hashing is much
faster than signing.
The verifier receives the digital signature along with the data. It then uses a verification
algorithm to process the digital signature and the public key (verification key) and
generates some value. It also applies the same hash function to the received data and
generates a hash value. Then the hash value and the output of the verification
algorithm are compared. If they are equal, the digital signature is valid; otherwise
it is invalid. (Digital Signatures and Certificates, 2023)
To create a digital signature, the following steps are carried out:
1. The message digest is computed by applying a hash function to the original message,
and then the message digest is encrypted using the private key of the sender to form
the digital signature (digital signature = encryption(private key of sender,
message digest) and message digest = message digest algorithm(original
message)).
2. The digital signature is then transmitted with the original message (message + digital
signature is transmitted), along with other information like the hashing algorithm.
3. The receiver decrypts the digital signature using the public key of the sender. (This
ensures authenticity: only the sender has his private key, so only the sender can
encrypt using his private key, and the result can be decrypted only by the sender’s public
key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (the original
message is sent with the digital signature) using the hashing algorithm sent with
the message.
6. If the message digest calculated by the receiver and the message digest obtained by
decrypting the digital signature appear the same, this assures integrity and non-
repudiation. (Digital Signatures and Certificates, 2023)

6.2.2 Digital Signatures can be used in:

1. Legal documents and contracts
2. Shipping documents
3. Patient records and research data (health data)
4. Financial documents
5. Sales contracts

6.2.3 Drawbacks of Digital Signatures

1. Dependence on Key Management: Senders must keep their private key safe and
secure from unauthorized access. Any failure in key management can
compromise the security of the digital signature.
2. Complexity: Digital signatures require a complex process of key generation,
signing, and verification, so they are difficult for non-technical users to
implement and use.
3. Compatibility: Different digital signature algorithms and formats may not be
compatible with each other, which makes interoperation difficult for different
systems and applications.
4. Legal Recognition: Their legal status may not be clear in all jurisdictions.
5. Revocation: In case of key compromise or other security issues, digital
signatures must be revoked to prevent their misuse. However, the revocation
process can be complex and may not be effective in all cases.
6. Cost: Digital signatures may involve additional costs for key management,
certificate issuance, and other related services, which can make them expensive
for some users or organizations.
7. Limited Scope: Digital signatures do not provide confidentiality, and so remain
vulnerable to attacks such as denial-of-service attacks or malware. (Digital
Signatures and Certificates, 2023)

6.3 DIGITAL CERTIFICATES

6.3.1 What is a digital certificate?

Digital certificates help to resolve the problem of key exchange or key agreement. A digital
certificate can be compared to a driving license, which helps in establishing our identity
(e.g. name, place and date of birth, photo, signature, etc.).

A digital certificate is nothing but a small computer file, issued by some trusted entity
officially approving the association between the holder of the certificate(user) and this
particular public key.

6.3.2 Certification Authority (CA)

A Certification Authority (CA) is a trusted agency that can issue digital certificates to
individuals and organizations, to use these certificates in asymmetric-key cryptographic
applications.

6.3.2 Technical details of the contents of a digital certificate

A standard called X.509 defines the structure of a digital certificate. The contents of a digital
certificate are: Version, Certificate serial number, Signature algorithm identifier, Issuer
name, Validity (Date/Time values), Subject name (user or organization), and Subject's public
key information.

6.3.3 Digital certificate creation

Three parties are involved in creating a digital certificate: (a) End user, (b) Registration
Authority (RA), and (c) Certificate Authority (CA) (Digital Certificate Creation, 2020).

Figure 6.2 indicates the process of digital certificate creation. The Registration Authority (RA)
acts as an interface between the end user and the Certification Authority (CA). The Registration
Authority (RA) can serve for:

1. Accepting and verifying the details of a new user’s registration.
2. User key generation.
3. Backups and recovery of keys.
4. Certificate cancellation (Digital Certificate Creation, 2020).

Figure 6.2: Digital certificate creation

Steps in the process of Digital certificate creation can be summarized as follows:

Step-1: Key generation is done by either end user or Registration Authority (RA). The public
key which is generated is sent to the Registration Authority(RA) and the private key is kept
secret by the end user.

Step-2: Registration Authority registers the user.

Step-3: The Registration Authority (RA) verifies the user’s credentials, that is, that the evidence
provided (e.g. for an organization, its business records, etc.) is correct and acceptable.

Secondly, the RA ensures that the user who is requesting the certificate does indeed have the
private key corresponding to the public key that is sent as a part of the certificate request to the
RA. (Kahate, 2013, 212)

Step-4: The Registration Authority (RA) sends the details to the Certificate Authority (CA), which
creates the digital certificate, gives it to the user, and also keeps a copy for itself. (Digital
Certificate Creation, 2020)

6.4 SUMMARY

A digital signature is a mathematical technique used to validate the authenticity and integrity
of a message, and non-repudiation of software, or digital document.
A digital signature is not intended to achieve confidentiality.
Digital signatures can be used in legal documents and contracts, shipping documents, patient
records and research data (health data), financial documents, and sales contracts.

A digital certificate solves the problem of key exchange in an ingenious way.

A digital certificate is nothing but a small computer file, issued by some trusted entity officially
approving the association between the holder of the certificate (user) and this particular public
key.

Three parties are involved in creating a digital certificate: (a) End user, (b) Registration
Authority (RA), and (c) Certificate Authority (CA).

6.5 KEYWORDS
1. RA: Registration Authority (RA).
2. CA: Certificate Authority(CA).
3. Digital Signature: It is a mathematical technique used to validate the authenticity and
integrity of a message, and non-repudiation of software, or digital document.
4. Digital Certificate: It is a small computer file, issued by some trusted entity officially
approving the association between the holder of the certificate(user) and this particular
public key.

6.6 Self-assessment questions
I. Long questions:
1. Explain the basic concept of Digital Signature.
2. Discuss the steps to create a digital signature with a neat diagram.
3. Elaborate on where Digital Signatures can be used.
4. Discuss the drawbacks of Digital Signatures.
5. Explain the steps in the process of Digital certificate creation.
II. Short questions:
1. What do you mean by a Digital Signature?
2. Write the definition of a Digital Certificate.
3. What is a Certificate Authority (CA)?
4. Explain the services provided by the Registration Authority (RA) in Digital Certificate creation.
5. What are the contents of a digital certificate?
III. True and False:
1. Digital signatures may involve additional costs for key management, certificate issuance,
and other related services, which can make them expensive for some users or
organizations.
2. Authentication means checking sender and receiver’s identity for confirming source and
destination of information.
3. A Certification Authority (CA) is an untrusted agency that can issue digital certificates to
individuals and organizations.
4. In case of key compromise or other security issues, digital signatures must be revoked to
prevent their misuse.
5. Different digital signature algorithms and formats may not be compatible with each other,
which makes interoperation difficult for different systems and applications.
Ans: 1. True, 2. True, 3. False, 4. True, 5. True

IV. Multiple choice question

1. A standard called ________ defines the structure of a digital certificate.
a. X.509
b. X.009
c. X.500
d. X.900
2. Registration Authority (RA) can serve for ______________.
a. Accepting and verifying the details of new user’s registration.
b. User key generation
c. Backups and recovery of key.
d. All of the above
3. Digital signatures require a complex process of key generation, signing, and ______.
a. verification
b. Backups
c. recovery
d. Distinguishing
4. Digital signatures do not provide ____________.
a. confidentiality
b. integrity
c. authentication
d. Non-repudiation
5. The contents of a digital certificate are ______________ (Date/Time values), Subject
name (user or organization), subject's public key information.
a. Version, Validity
b. Certificate serial number
c. Signature algorithm identifier, issuer name
d. All of the above

Ans: 1. a, 2. d, 3. a, 4. a, 5. d

6.7 REFERENCES

1. Digital Certificate Creation. (2020, January 23). GeeksforGeeks. Retrieved June 4, 2023, from
https://www.geeksforgeeks.org/digital-certificate-creation/
2. Digital Signatures and Certificates. (2023, May 17). GeeksforGeeks. Retrieved June 4, 2023,
from https://www.geeksforgeeks.org/digital-signatures-certificates/
3. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.

MODULE - 7 RSA

TABLE OF CONTENTS

7.1 Learning Objectives
7.2 RSA
7.2.1 What is RSA?
7.2.2 RSA algorithm steps
7.2.3 Solving Examples using RSA algorithm
7.3 Summary
7.4 Key terms
7.5 Self-assessment questions
7.6 References
7.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the procedure of asymmetric-key cryptography.
2. Distinguish between private and public keys.
3. Understand the logic of using prime numbers in the process of cryptography.
7.2 RSA
7.2.1 What is RSA?
The RSA algorithm is the most popular and proven asymmetric-key
cryptographic algorithm. It is named RSA after Rivest, Shamir, and Adleman, who
invented it. The RSA algorithm is based on the mathematical fact that it is easy to
find and multiply large prime numbers together, but it is extremely difficult to
factor their product. This fact is used to generate the private and public keys in
RSA. The private and public keys of RSA are based on very large (made up of 100 or
more digits) prime numbers. The algorithm itself is quite simple, unlike the
symmetric-key cryptographic algorithms. But selection and generation of the public
and private keys is the real challenge in RSA. (Kahate, 2013, 152)
Figure 7.1 shows encryption and decryption and generation of the public and private
keys in RSA (RSA Encryption Algorithm, n.d.).

Figure 7.1: Encryption and decryption and generation of the public and private keys in RSA

7.2.2 RSA algorithm steps:

1. Select two large prime numbers P and Q.
2. Calculate N = P x Q.
3. Select the public key (i.e. the encryption key) E such that it is not a factor
of (P-1) x (Q-1).
4. Select the private key (i.e. the decryption key) D such that the following
equation is true: (D x E) mod ((P-1) x (Q-1)) = 1.
5. For encryption, calculate the ciphertext from the plain text as
follows: (ciphertext) = (plain text)^E mod N.
6. Send the ciphertext to the receiver.
7. For decryption, calculate the plain text from the ciphertext as
follows: (plain text) = (ciphertext)^D mod N.

E = public key (i.e. the encryption key)
D = private key (i.e. the decryption key)
We can also use lowercase letters such as e, d, n, p, q, etc. while solving examples.
7.2.3 Solving Examples using RSA algorithm
Let us solve an example using RSA algorithm steps:
1. Select two large prime numbers P and Q.
Let P = 7, Q = 17.
2. Calculate N = P x Q.
N = 7 x 17
N = 119
3. Select the public key (i.e. the encryption key) E such that it is not a factor
of (P-1) x (Q-1).
(P-1) x (Q-1) = (7-1) x (17-1)
= 6 x 16
= 96
The prime factors of 96 are 2, 2, 2, 2, 2, and 3.
So E must not have 2 or 3 as a factor. For example, we cannot choose E as 4 (it has 2
as a factor) or 6 (it has both 2 and 3 as factors).
Let us choose E as 5 (we could choose any other number that does not have 2 or 3 as
a factor).
So we have chosen E = 5.
4. Select the private key (i.e. the decryption key) D such that the following
equation is true: (D x E) mod ((P-1) x (Q-1)) = 1.
That is, (D x 5) mod ((7-1) x (17-1)) = 1
(D x 5) mod 96 = 1
After trying different values, let D = 77, which satisfies (D x 5) mod 96 = 1
(77 x 5 = 385 = 4 x 96 + 1). So D = 77.
5. For encryption, calculate the ciphertext from the plain text as follows:
(ciphertext) = (plain text)^E mod N
Let us assume that we want to encrypt plain text = 10. Then we have
(ciphertext) = 10^5 mod 119
(ciphertext) = 40
Send the ciphertext to the receiver.
6. For decryption, the receiver can calculate the plain text from the ciphertext as
(plain text) = (ciphertext)^D mod N
(plain text) = 40^77 mod 119
(plain text) = 10, which is exactly the value of the plain text.
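
The steps above, together with the hash-then-sign procedure of Module 6 (section 6.2), as an added Python example that is not part of the original module. It is textbook RSA without padding; the function names, the SHA-256 digest reduced mod N, and the second key built from the Mersenne primes 2^61-1 and 2^89-1 are assumptions made for the illustration.

```python
import hashlib


def modular_inverse(e, phi):
    """Step 4: find D with (D x E) mod phi == 1 (extended Euclidean algorithm)."""
    old_r, r = e, phi
    old_s, s = 1, 0          # invariant: old_s * e == old_r (mod phi)
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        # E = 9 is not a factor of 96, yet it shares the factor 3 with 96,
        # so no D exists: E must have no common factor with (P-1) x (Q-1).
        raise ValueError("E shares a factor with (P-1) x (Q-1); no D exists")
    return old_s % phi


def make_keys(p, q, e):
    """Steps 1-4: return (public key, private key) as (E, N) and (D, N)."""
    n = p * q
    d = modular_inverse(e, (p - 1) * (q - 1))
    return (e, n), (d, n)


def encrypt(plain, public_key):
    """Step 5: ciphertext = plain^E mod N."""
    e, n = public_key
    if not 0 <= plain < n:
        raise ValueError("plain text must be a number smaller than N")
    return pow(plain, e, n)


def decrypt(cipher, private_key):
    """Step 7: plain = cipher^D mod N."""
    d, n = private_key
    return pow(cipher, d, n)


def digest_number(message, n):
    """Message digest of the message, as a number below N (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Module 6, step 1: signature = encryption(private key, message digest)."""
    d, n = private_key
    return pow(digest_number(message, n), d, n)


def verify(message, signature, public_key):
    """Module 6, steps 3-6: decrypt the signature and compare the two digests."""
    e, n = public_key
    return pow(signature, e, n) == digest_number(message, n)


# The module's worked example: P = 7, Q = 17, E = 5.
PUBLIC, PRIVATE = make_keys(7, 17, 5)

# Constructed key for the signature demo. N = 119 would leave only 119 possible
# digests, so two different messages could collide by chance.
SIGN_PUBLIC, SIGN_PRIVATE = make_keys(2**61 - 1, 2**89 - 1, 65537)

if __name__ == "__main__":
    print("public", PUBLIC, "private", PRIVATE)
    cipher = encrypt(10, PUBLIC)
    print("ciphertext", cipher, "decrypted", decrypt(cipher, PRIVATE))
    order = b"pay 100 to the merchant"          # constructed sample message
    signature = sign(order, SIGN_PRIVATE)
    print("valid:", verify(order, signature, SIGN_PUBLIC))
    print("altered message accepted:",
          verify(b"pay 900 to the merchant", signature, SIGN_PUBLIC))
```

Real deployments use keys of 2048 bits or more and a padding scheme on top of these formulas; the unpadded form shown here is only suitable for following the arithmetic.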

7.3 SUMMARY

The RSA algorithm is the most popular and proven asymmetric-key cryptographic
algorithm. It is named RSA after Rivest, Shamir, and Adleman, who invented it.
The RSA algorithm is based on the mathematical fact that it is easy to find and
multiply large prime numbers together, but it is extremely difficult to factor their
product. This fact is used to generate the private and public keys in RSA.

7.4 KEYWORDS
1. RSA: Asymmetric-key cryptographic algorithm named after Rivest, Shamir, and
Adleman, who invented it.
2. Symmetric key cryptography: Uses the same key for encryption and decryption.
3. Asymmetric key cryptography: Uses one key for encryption, and another, different
key for decryption.

7.5 SELF-ASSESSMENT QUESTIONS

I. Long questions:
1. Explain the basic concept of the RSA algorithm.
2. Discuss the steps of the RSA algorithm with a neat diagram.
3. Elaborate with one example, how to generate ciphertext using RSA.
4. Use the RSA algorithm to encrypt plaintext A encoded as 7.
5. Explain the RSA algorithm to encrypt plaintext F encoded as 6.
II. Short questions:
1. Is RSA an example of symmetric key cryptography or asymmetric key
cryptography?
2. What is the role of the public key in RSA?
3. What is the procedure to generate plaintext back from ciphertext using the RSA algorithm?
III. True and False:
1. The private and public keys of RSA are based on very large (made up of 100 or more
digits) prime numbers.
2. The RSA algorithm is based on the mathematical fact that it is easy to find and multiply
large prime numbers together, but it is extremely difficult to factor their product.
3. For decryption in RSA, calculate the plain text from the ciphertext as
follows: (plain text) = (ciphertext)^D mod D, where D is the private key.
4. In RSA, the public key is kept private by the sender.
5. In RSA, the private key is shared with all.
Ans: 1. True, 2. True, 3. False, 4. False, 5. False

IV. Multiple choice question

1. RSA is ____________ cryptographic algorithm.
a. Asymmetric-key
b. Symmetric-key
c. X.500KEY
d. X.900 key
2. In RSA for encryption, the ciphertext is calculated from the plain text as _________ where
N = P x Q (P, Q are any 2 prime numbers) and E is the public key (i.e. the encryption key).
a. (ciphertext) = (plain text)^E mod N
b. (ciphertext) = (plain text) mod E
c. (ciphertext) = (plain text)^N mod E
d. (ciphertext) = (plain text)^E mod E
3. In the RSA algorithm we select the public key (i.e. the encryption key) ‘E’ such that it is
not a factor of ________ where (P, Q are any 2 prime numbers).
a. (P-1) x (Q-1)
b. (PXQ)
c. ((PXQ)+P)
d. ((PXQ)+P) mod P
4. Selection and generation of the _______ key and private key is the real challenge in RSA.
a. public
b. integrity
c. face
d. Non-repudiation
5. The RSA algorithm is based on the mathematical fact that it is easy to find and multiply
large prime numbers together, but it is extremely difficult to _____ their product.
a. decrypt
b. factor
c. Sign
d. encrypt

Ans: 1. a, 2. a, 3. a, 4. a, 5. b

7.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.
2. RSA Encryption Algorithm. (n.d.). Javatpoint. Retrieved June 4, 2023, from
https://www.javatpoint.com/rsa-encryption-algorithm

MODULE - 8 SSL

TABLE OF CONTENTS

8.1 Learning Objectives
8.2 SSL
8.2.1 What is SSL?
8.2.2 Working of SSL
8.2.3 Closing SSL Connections
8.3 Summary
8.4 Key terms
8.5 Self-assessment questions
8.6 References
8.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the procedure of handshake protocol in SSL.
2. Acquire an overview of the alerts in case of error in SSL communication.
3. Understand the process of SSL communication between a Web browser and a Web server.
8.2 SSL
8.2.1 What is SSL?
The Secure Socket Layer (SSL) is an Internet protocol created by Netscape
Corporation in 1994. SSL is used to send and receive information on the Web in a
secure manner. Let us understand this by an example. Suppose we are shopping
online. This means we are actually communicating between a Web browser and a
Web server. SSL makes this communication safe by providing authentication and
confidentiality. SSL is widely used worldwide for providing this safety mechanism
for information sent and received via a Web browser and a Web server. SSL is
supported by every major web browser.

Table 8.1: SSL layer in between the application layer and the transport layer

Application Layer (HTTP, FTP, ...)
SSL Layer
Transport Layer (TCP)
Internet Layer (IP)

Figure 8.1: SSL layer in between the application layer and the transport layer & its sub-protocols

Any communication of data or information over the internet is governed by the
TCP/IP protocol suite. In the TCP/IP protocol suite, the SSL layer is placed between
the application layer and the transport layer. That is, application layer data is now
sent to the SSL layer. The SSL layer encrypts this data, attaches an SSL Header (SH)
to it and then passes this data plus header to the transport layer. This header
contains encryption information. From the transport layer, it is transmitted to the
next layers like a normal TCP/IP data transfer. Let us see what happens at the
receiver’s side. At the receiver, when this data arrives from the transport layer, the
SSL Header (SH) is read and its information is used to decrypt the encrypted data.
After decryption, the original data is sent to the application layer of the receiving
computer.
8.2.2 Working of SSL
As shown in Figure 8.1, SSL has three sub-protocols:
a) Handshake Protocol,
b) Record Protocol, and
c) Alert Protocol.
a) The handshake protocol: The operation of the handshake protocol is shown in Figure
8.2 (Secure Socket Layer (SSL), 2023). It exchanges a sequence of messages, with
associated parameters, between the client and server (that is, a web browser and a web
server). Each handshake message has three fields: Type (message type), Length, and
Content (parameters associated with the message, if required by the type of the
message).
It has four phases:
i) Establish security capabilities: This phase starts a logical connection and establishes
the security capabilities associated with the connection using two messages. These
messages and their parameters are given below.
“client hello” message:
Version: The highest SSL version that the client can support.
Random: Useful for the actual communication between the client and server. It has two
subfields: the current system date-time on the client computer, and a 28-byte random
number generated by the software of the client computer.
Session id: A variable-length session identifier for the connection between the client and
the server.
Cipher suite: Contains a list of the cryptographic algorithms that the client can support
(e.g. RSA, Diffie-Hellman, etc.).
Compression method: Contains a list of the compression algorithms that the client can
support. (Kahate, 2013, 274)
“server hello” message:
Version: The lower of the SSL versions suggested by the client and the highest
supported by the server.
Random: Same as in the client hello message. Remember that the random number
generated by the software of the client computer is independent of the random number
generated by the software of the server.
Session id: The server creates a new session id and puts it here if the session id sent by
the client is zero; otherwise it uses the same value of session id.
Cipher suite: Contains the single cipher suite that the server selects from the list sent by
the client.
Compression method: Contains a compression algorithm that the server selects from
the list sent by the client. (Kahate, 2013, 275)
ii) Server authentication and key exchange: This phase is initiated by the server. The server
is the sole sender of all the messages and the client is the sole recipient of all these messages.
This phase has four steps: Certificate, Server key exchange, Certificate request, and Server
hello done.
Author Atul Kahate describes the first step as, “Certificate: The server sends its digital
certificate and the entire chain leading up to root CA to the client. This will help the client to
authenticate the server using the server’s public key from the server’s certificate. The server’s
certificate is mandatory in all situations, except if the key is being agreed upon by using Diffie-
Hellman.”
The second step, Server key exchange, is optional and is used only if the server fails to
provide the client its (the server’s) digital certificate in step 1.
In the third step, Certificate request, the server may request the digital certificate of the
client. Although SSL allows for optional client authentication, the server may not
always require it, so this step is optional.
In the last step, Server hello done, the server indicates to the client that it can now
(optionally) verify the certificates sent by the server and ensure that all the parameters sent by
the server are acceptable. After this message, the server waits for the client’s response.
(Kahate, 2013, 275)

Figure 8.2:SSL handshake protocol

iii) Client authentication and key exchange: In this phase, the client is the sole sender of
all the messages and the server is the sole recipient of all these messages. It involves three
steps: Certificate, Client key exchange, and Certificate verify.
The first step, Certificate, is optional and is performed only if the server had requested
the client’s digital certificate. Depending on the response sent by the client, the server decides
whether it still wants to continue with the client.
About the second step, author Atul Kahate states, “this second step (client key
exchange) allows the client to send information to the server, but in the opposite direction. This
information is related to the symmetric key that both the parties will use in this session. Here,
the client creates a 48-byte pre-master secret, and encrypts it with the server’s public key and
sends this encrypted pre-master secret to the server”.
The third step, Certificate verify, is necessary only if the server has demanded client
authentication. The client must additionally assure the server that it is the rightful owner of the
private key associated with the certificate. To prove this, the client combines the pre-master
secret with the random numbers (exchanged by the client and the server earlier in phase 1,
“Establish security capabilities”) after hashing them together using MD5 and SHA-1, and signs
the result with its private key (Kahate, 2013, 276).
iv) Finish: This phase is initiated by the client and ended by the server. From the
pre-master secret (created and sent by the client in the Client key exchange message), both the
client and the server create a “master secret”. What is this “master secret”? It is a 48-byte value
known only to the client and server. It is calculated after computing message digests of the
pre-master secret, client random and server random, as shown in Figure 8.3.

Figure 8.3: Master secret calculation

In the end, the symmetric keys that will be used by the client and the server are
generated. This concept of symmetric key generation is shown in Figure 8.4.

Figure 8.4: Symmetric key generation
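
The client hello and server hello fields listed under phase i, as an added Python example that is not part of the original module: it builds and parses a client hello with bounds checks and then fills in the server hello by the rules given above. The field widths and cipher suite codes are those of SSL 3.0; the function names, the server's preference order and the sample values are assumptions.

```python
import os
import struct
import time

CLIENT_HELLO = 1  # handshake Type value of "client hello" in SSL 3.0


def build_client_hello(version, session_id, cipher_suites, compression_methods):
    """Serialise a client hello as Type (1 byte) | Length (3 bytes) | Content."""
    random = struct.pack(">I", int(time.time())) + os.urandom(28)
    content = bytes(version) + random
    content += bytes([len(session_id)]) + session_id
    content += struct.pack(">H", 2 * len(cipher_suites))
    content += b"".join(struct.pack(">H", suite) for suite in cipher_suites)
    content += bytes([len(compression_methods)]) + bytes(compression_methods)
    return bytes([CLIENT_HELLO]) + len(content).to_bytes(3, "big") + content


def parse_client_hello(message):
    """Parse and bounds-check a client hello; raise ValueError if malformed."""
    if len(message) < 4 or message[0] != CLIENT_HELLO:
        raise ValueError("not a client hello handshake message")
    content = message[4:]
    if int.from_bytes(message[1:4], "big") != len(content):
        raise ValueError("Length field does not match the Content size")
    position = 0

    def take(count):
        # Read exactly `count` bytes, refusing to run past the end of Content.
        nonlocal position
        if position + count > len(content):
            raise ValueError("field runs past the end of the message")
        chunk = content[position:position + count]
        position += count
        return chunk

    version = tuple(take(2))
    timestamp = struct.unpack(">I", take(4))[0]   # date-time subfield of Random
    random_bytes = take(28)                       # 28-byte random subfield
    session_id_length = take(1)[0]
    if session_id_length > 32:
        raise ValueError("session id longer than 32 bytes")
    session_id = take(session_id_length)
    suites = take(struct.unpack(">H", take(2))[0])
    if len(suites) == 0 or len(suites) % 2:
        raise ValueError("cipher suite list must hold 2-byte entries")
    compression = take(take(1)[0])
    return {
        "version": version,
        "timestamp": timestamp,
        "random": random_bytes,
        "session_id": session_id,
        "cipher_suites": [struct.unpack(">H", suites[i:i + 2])[0]
                          for i in range(0, len(suites), 2)],
        "compression_methods": list(compression),
    }


def choose_server_hello(hello, server_max_version, server_suites, server_compression):
    """Fill the server hello fields the way the module describes them."""
    # Assumption: the server picks the first entry of its own preference list
    # that the client also offered.
    suite = next((s for s in server_suites if s in hello["cipher_suites"]), None)
    method = next((m for m in server_compression
                   if m in hello["compression_methods"]), None)
    if suite is None or method is None:
        raise ValueError("no algorithm in common: the handshake cannot continue")
    return {
        # Lower of the client's version and the highest the server supports.
        "version": min(hello["version"], server_max_version),
        # The server's Random is generated independently of the client's.
        "random": struct.pack(">I", int(time.time())) + os.urandom(28),
        # New session id if the client sent none, otherwise the same value.
        "session_id": hello["session_id"] or os.urandom(32),
        "cipher_suite": suite,
        "compression_method": method,
    }


if __name__ == "__main__":
    # Constructed sample: a client offering SSL_RSA_WITH_RC4_128_MD5 (0x0004),
    # SSL_RSA_WITH_RC4_128_SHA (0x0005) and SSL_RSA_WITH_3DES_EDE_CBC_SHA (0x000A).
    message = build_client_hello((3, 0), b"", [0x0004, 0x0005, 0x000A], [0])
    hello = parse_client_hello(message)
    print(hello)
    print(choose_server_hello(hello, (3, 0), [0x000A, 0x0005], [0]))
```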

b) Record Protocol:
Completion of a successful handshake means the client and the server have optionally
authenticated each other and decided the algorithms to implement for secure information
exchange. After that, the SSL record protocol comes into the picture. The SSL record protocol
provides two services to an SSL logical connection:
i) Confidentiality: Confidentiality is achieved by using a secret key that is defined by
the handshake protocol.
ii) Message Integrity: This is achieved by using a shared secret key (MAC) that is
defined by the handshake protocol.
Operation of the SSL record protocol:
Application layer data is input to the SSL record protocol. This data is first fragmented into
smaller blocks. The protocol optionally compresses each block, adds a MAC, encrypts it, adds a
header and gives it to the transport layer. There, it is handled by the TCP protocol just like any
other TCP block. At the receiver’s side, the header of each block is detached; the block is
decrypted, verified, decompressed, and reassembled into application messages (Kahate, 2013,
300). The operation of the record protocol of SSL is shown in Figure 8.4.
Change-cipher Spec Protocol:

The Change-cipher Spec protocol uses the SSL record protocol. The SSL record output will be
in a pending state until the handshake protocol is completed. Once the handshake protocol
completes, the pending state is changed into the current state.
The Change-cipher Spec protocol has a single 1-byte message. It can have only one value. The
sole purpose of this protocol is to cause the pending state to be copied into the current state.

c) Alert Protocol: Whenever an error is detected (either by the client or the server), the detecting
party sends an alert message to the other party. An alert protocol message is a 2-byte message
in which the first byte indicates the severity and the second byte indicates the cause. If the error
is fatal, both the parties immediately close the SSL connection (that is, both sides terminate the
transmission). Both the parties also destroy the session identifiers, secrets and keys associated
with this connection before it is terminated. Examples of fatal alerts (errors) are handshake
failure, illegal parameters, etc. (Kahate, 2013, 302) For other errors, which are not so severe,
the error is handled and the connection continues instead of being terminated. Examples of
non-fatal alerts are certificate unknown, bad certificate, etc.

Figure 8.4:The operation of the record protocol of SSL

8.2.3 Closing SSL Connections:

A “Close notify” alert needs to be sent to the other party, by either the client or the server,
before ending their communication. When a party gets this alert, it has to
immediately stop whatever it is doing, send its own “Close notify” alert and end the connection
from its side as well. If an SSL connection ends without a Close notify from either party, it
cannot be resumed.
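
How a receiving party could act on the 2-byte alert message and on “Close notify”, as an added Python example that is not part of the original module. The severity and cause byte values are those of SSL 3.0; the Connection class, its attribute names and the sample session values are assumptions.

```python
WARNING, FATAL = 1, 2  # severity byte values in SSL 3.0

# Cause byte values defined by SSL 3.0 (only the ones this module mentions,
# plus two further fatal causes).
CAUSES = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
}


class Connection:
    """State one side keeps for an SSL connection (hypothetical model)."""

    def __init__(self, session_id, master_secret, keys):
        self.session_id = session_id
        self.master_secret = master_secret
        self.keys = keys
        self.is_open = True
        self.resumable = True
        self.outbox = []  # alerts this side sends in response

    def _close(self, destroy_secrets):
        if destroy_secrets:
            # Fatal error: session identifiers, secrets and keys are destroyed
            # before the connection is terminated.
            self.session_id = self.master_secret = self.keys = None
            self.resumable = False
        self.is_open = False

    def receive_alert(self, data):
        """Act on one alert message; return 'continue', 'closed' or 'aborted'."""
        if not self.is_open:
            raise ValueError("connection is already closed")
        if len(data) != 2:
            raise ValueError("an alert message is exactly 2 bytes")
        severity, cause = data[0], CAUSES.get(data[1], "unknown")
        if cause == "close_notify":
            # Stop, answer with our own Close notify, end the connection.
            self.outbox.append(bytes([WARNING, 0]))
            self._close(destroy_secrets=False)
            return "closed"
        if severity != WARNING:
            # Fatal, or a severity byte that is not defined: terminate.
            self._close(destroy_secrets=True)
            return "aborted"
        return "continue"

    def transport_lost(self):
        """The connection ended without a Close notify from either party."""
        if self.is_open:
            self.is_open = False
            self.resumable = False


def new_connection():
    # Constructed sample values standing in for a negotiated session.
    return Connection(b"\x01" * 32, b"\x02" * 48, {"client_write": b"\x03" * 16})


if __name__ == "__main__":
    conn = new_connection()
    print(conn.receive_alert(bytes([WARNING, 46])))  # certificate unknown
    print(conn.receive_alert(bytes([FATAL, 40])))    # handshake failure
    print("resumable after fatal alert:", conn.resumable)
```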

8.3 SUMMARY

The Secure Socket Layer is an Internet protocol to transfer data in a secure way between a
Web browser and a Web server.
SSL has three sub-protocols: a) Handshake Protocol, b) Record Protocol, and c) Alert Protocol.
SSL encrypts the connection between client and server. It provides encryption and message
integrity services.
The SSL handshake establishes the required trust between the client and the server. After the
handshake protocol, the record protocol follows in SSL.
The alert protocol is used in SSL if one of the parties detects an error. An error can be fatal or
non-fatal.

8.4 KEYWORDS
1. MAC: Message Authentication Code. Similar to a message digest, MAC also involves
encryption.
2. SSL: Secure Socket Layer is an Internet protocol to transfer data in a secure way between
a Web browser and a Web server.

8.5 SELF-ASSESSMENT QUESTIONS

I. Long questions:
1. Explain the Server authentication and key exchange in SSL handshake protocol.
2. Discuss the steps of the Client authentication and key exchange in SSL handshake
protocol.
3. Elaborate with a neat diagram, phases of SSL handshake protocol.
4. What is a master secret? Explain in brief the concept of Master secret calculation with a
diagram.
5. Explain in brief the operation of the SSL record protocol.
II. Short questions:
1. What is the use of Change-cipher Spec Protocol?
2. In case of fatal error either by the client or the server what actions are taken in SSL alert
protocol?
3. What is an alert message?
4. Write any one example of Non-fatal error in SSL alert protocol.
5. Write any two examples of fatal errors in SSL alert protocol.
III. True and False:
1. If an SSL connection ends without a Close notify from either party, it cannot be resumed.
2. Change-cipher Spec protocol uses the SSL record protocol.
3. “Master secret” is required to generate shared secret information known only to them. This
value is used to generate keys and secrets for encryption and Message Authentication Code
(MAC) computations.
4. In SSL, Client authentication and key exchange, client is the sole sender of all the
messages and server is the sole recipient of all these messages.
5. In SSL, server key exchange is mandatory and is used only if the server fails to provide
the client its (server’s) digital certificate.
Ans: 1. True, 2. True, 3. True, 4. False, 5. False

IV. Multiple choice question

1. For ________, both the parties quickly close the SSL connection.
a. fatal error
b. Symmetric-error
c. KEY ERROR
d. X.900 key
2. Change-cipher Spec Protocol is to cause the _______________.
a. pending state to be copied into the current state.
b. current state to be copied into the pending state.
c. Halting state to be copied into the current state.
d. pending state to be copied into the halting state.
3. If the error is fatal in SSL communication, both the parties immediately ___________.
a. close the SSL connection
b. initiate the SSL connection
c. distinguish the SSL connection
d. establish the SSL connection
4. Completion of successful ______ means the client and the server have optionally
authenticated each other and decided the algorithms to implement for secure information
exchange.
a. handshake
b. derivative
c. face
d. fatal record
5. SSL works between ______ and ______.
a. Web browser, Web server
b. Web browser, application server
c. Web server, application server
d. application server, database server
6. SSL layer is located between ______ and ______.
a. transport layer, network layer
b. application layer, transport layer
c. data-link layer, physical layer
d. network layer, data-link layer
Ans: 1. a, 2. a, 3. a, 4. a, 5. a, 6. b

8.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.
2. Secure Socket Layer (SSL). (2023, February 26). GeeksforGeeks. Retrieved June 13,
2023, from https://www.geeksforgeeks.org/secure-socket-layer-ssl/

MODULE - 9 SET

TABLE OF CONTENTS

9.1 Learning Objectives

9.2 SET
9.2.1 What is SET?
9.2.2 Participants in the SET system
9.2.3 Process of SET
9.3 Summary
9.4 Key terms
9.5 Self-assessment questions
9.6 References
9.1 LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the Security of payment transactions over the Internet.
2. Acquire an overview of the steps in Secure Electronic Transaction.
3. Understand the summary of services provided by SET.
9.2 SET
9.2.1 What is SET?
SET stands for Secure Electronic Transaction. Security of payment transactions is
crucial for the success of electronic commerce, and SET is designed for this
purpose. Atul Kahate defines SET as, “The Secure Electronic Transaction (SET) is an
open encryption and security specification that is designed for protecting credit-card
transactions on the Internet.”
SET is not a payment system. In fact, it is a set of security protocols and formats
that enable the users to use the existing credit-card payment infrastructure on the
Internet in a secure manner. In short, SET services can be stated as follows (Kahate,
2013, 283):
1. It provides a secure communication channel among all the parties involved
in an e-commerce transaction.
2. It provides authentication by the use of digital certificates.
3. It ensures confidentiality, because the information is only available to the
parties involved in a transaction, and that too only when and where necessary.
9.2.2 Participants in the SET system

(a) Cardholder : A Customer.Authorized holder of a payment card like Master-


Card or Visa that has been issued by an issuer.
(b) Merchant: Person or an organization wishing to sell goods or services to
cardholders. A merchant must have a relationship with an acquirer for accepting
payments on the Internet (Kahate, 2013, 284).
(c) Issuer: Financial institution (like a bank) providing a payment card to a
cardholder and is ultimately responsible for the payment of the cardholder’s debt.
(d) Acquirer: A financial institution having a relationship with merchants for
processing payment-card authorizations and payments.An acquirer assures the
merchant (with the help of the issuer) that a particular cardholder account is active and
the purchase amount does not exceed the credit limits, etc. The acquirer also provides
electronic funds transfer to the merchant account. Later, the issuer reimburses the
acquirer using some payment network. (Secure Electronic Transaction (SET) Protocol,
2023)
(e) Payment Gateway: Processes the payment messages on behalf of the
merchant. It acts as an interface between SET and the existing card-payment networks
for payment authorizations. The merchant exchanges SET messages with the payment
gateway over the Internet. The payment gateway, in turn, connects to the acquirer’s
systems using a dedicated network line. (Secure Electronic Transaction (SET) Protocol,
2023)
(f) Certification Authority (CA): A trusted authority that provides public key
certificates to cardholders, merchants and payment gateways.
9.2.3 Process of SET
1. The Customer Opens an Account
The customer opens a credit-card account (like MasterCard or Visa) with a bank
(issuer) supporting both the electronic payment mechanisms and the SET protocol.
2. The Customer Receives a Certificate

First, identity verification of the customer (using passport, business documents, etc.) is
performed. After verification, the customer gets a digital certificate from a CA containing
details such as the customer’s public key and its expiration date.
3. The Merchant Receives a Certificate
4. The Customer Places an Order
After scrolling through the catalog, the customer places the order. The merchant then
sends details such as the list of items selected, their quantities, prices, total bill,
etc., back to the customer for his record, with the help of an order form.
5. The Merchant is Verified
The merchant also sends its digital certificate to the customer which guarantees the
customer that he/she is dealing with a valid merchant.
6. The Order and Payment Details are Sent
The order and payment details are sent by the customer to the merchant along with the
customer’s digital certificate. The order confirms the purchase transaction with
reference to the items mentioned in the order form. The payment contains credit-card
details. This payment information is encrypted so that the merchant cannot read it.
The customer’s certificate assures the merchant of the customer’s identity.
7. The Merchant Requests Payment Authorization
The merchant sends these payment details to the payment gateway via the acquirer (or
to the acquirer if the acquirer also acts as the payment gateway). The merchant requests the
payment gateway to authorize the payment (i.e. ensure that the credit card is valid and
that the credit limits are not breached) (Kahate, 2013, 285).
8. The Payment Gateway Authorizes the Payment
The payment gateway verifies the details of the customer’s credit card with the help of the
issuer, and either authorizes or rejects the payment.
9. The Merchant Confirms the Order
Assuming that the payment gateway authorizes the payment, the merchant sends a
confirmation of the order to the customer.
10. The Merchant Provides Goods or Services
The merchant now ships the goods or provides the services as per the customer’s order
(Kahate, 2013, 285).
11. The Merchant Requests Payment
The payment gateway receives a request from the merchant for making the payment.
The payment gateway interacts with the various financial institutions such as the issuer,

acquirer, and the clearing house to effect the payment from the customer’s account to
the merchant’s account (Kahate, 2013, 286).
9.3 SUMMARY

SET is Secure Electronic Transaction. Security of payment transactions is very much crucial
for the success of electronic commerce.
SET is an open encryption and security specification that is designed for protecting credit-card
transactions on the Internet.
It is a set of security protocols and formats that enable the users to use the existing credit-card
payment infrastructure on the Internet in a secure manner.
Participants in the SET system are: Cardholder, Merchant, Issuer, Acquirer, Payment
Gateway, Certification Authority (CA).

9.4 KEYWORDS
1. SET: Secure Electronic Transaction. Protocol developed jointly by MasterCard, Visa and
many other companies for secure credit card payments on the Internet.
2. CA: Certification Authority. Authority that can issue digital certificates to users after proper
authentication checks.

9.5 SELF-ASSESSMENT QUESTIONS


I. Long questions:
1. Explain the process of Secure Electronic Transaction (SET).
2. Write a note on participants in the Secure Electronic Transaction (SET) system.
3. Elaborate on services provided by Secure Electronic Transaction (SET).

II. Short questions:
1. What is the Secure Electronic Transaction (SET)?
2. List the participants in the Secure Electronic Transaction (SET) system.
3. What is an Acquirer in the Secure Electronic Transaction (SET)?
4. What is a Payment Gateway?
5. Write the role of Certification Authority (CA) in the Secure Electronic Transaction (SET).
III. True and False:
1. Merchant in Secure Electronic Transaction (SET) is a person or an organization wishing
to sell goods or services to cardholders.
2. Secure Electronic Transaction (SET) provides authentication by the use of digital
certificates.
3. Secure Electronic Transaction (SET) ensures confidentiality, because the information is
only available to the parties involved in a transaction, and that too only when and where
necessary.
4. Issuer in Secure Electronic Transaction (SET) does not mean a financial institution (like
a bank).
5. The payment gateway receives a request from the merchant for making the payment.
Ans: 1. True, 2. True, 3. True, 4. False, 5. True

IV. Multiple choice question


1. The main purpose of SET is related to______.
(a) secure communication between browser and server
(b) digital signatures
(c) message digests
(d) secure credit card payments on the Internet
2. Payment Gateway acts as an interface between _______________for payment
authorizations.
a. SET and the existing card-payment networks
b. current state and the existing card-payment networks
c. Halting state and the existing card-payment networks
d. SGL and the existing card-payment networks
3. The payment gateway interacts with the various financial institutions such as
the______,______ and the clearing house to effect the payment from the customer’s account
to the merchant’s account
a. issuer, acquirer
b. initiator, SSL connection
c. distinguisher, SGL connection
d. establisher, acquirer
4. ____________is an authorized holder of a payment card like Master-Card or Visa that has
been issued by an issuer.
a. Cardholder
b. derivative

c. waiver
d. recorder
5. An _______assures the merchant (with the help of the issuer) that a particular cardholder
account is active and the purchase amount does not exceed the credit limits, etc.
a. Web browser
b. acquirer
c. Web server
d. database server
Ans: 1. d, 2. a, 3. a, 4. a, 5. b
9.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.


2. Secure Socket Layer (SSL). (2023, February 26). GeeksforGeeks. Retrieved June 13,
2023, from https://www.geeksforgeeks.org/secure-socket-layer-ssl/

MODULE - 10 KERBEROS

TABLE OF CONTENTS

10.1 Learning Objectives

10.2 Kerberos
10.2.1 Introduction
10.2.2 Working of Kerberos
10.3 Summary
10.4 Key terms
10.5 Self-assessment questions
10.6 References
10.1 LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the Security of payment transactions over the Internet.
2. Acquire an overview of the steps in Secure Electronic Transaction.
3. Understand the summary of services provided by SET.
10.2 KERBEROS
10.2.1 Introduction
Kerberos is an authentication protocol used in many real-life systems. It was designed at
MIT. The main objective of Kerberos is to let workstations allow network resources in
a secure manner.
10.2.2 Working of Kerberos
Version 4 of Kerberos is explained here to understand its working.
There are four parties involved in the Kerberos protocol (Kahate, 2013, 374):
a) Alice: The client workstation.
b) Authentication Server (AS): Verifies (authenticates) the user during login. It shares
a unique secret password with every user.
c) Ticket Granting Server (TGS): Issues tickets to certify proof of identity. Its function
is to certify to the servers in the network that a user is really who he/she claims to be. A
ticket allows entry into a server just as a ticket allows entry to a music concert.
d) Bob: The server offering services such as network printing, file sharing or an
application program.

Primary steps in the Kerberos protocol are:


Step 1: Login: User Alice enters her name at an arbitrary public workstation. The
workstation sends her name in plain text to the AS. The AS creates a package containing a
randomly generated session key (KS) and the user name (Alice). This package is encrypted
with the symmetric key that the AS shares with the Ticket Granting Server (TGS) to
produce the “Ticket Granting Ticket (TGT)”. This means that the TGT can be opened only by
the TGS, because only the TGS has the corresponding symmetric key for decryption. The AS
then combines the TGT and the session key (KS) and encrypts them together using a
symmetric key (KA) derived from Alice’s password. This means that the final output can
be opened only by Alice (Kahate, 2013, 375).
After this message is received, Alice’s workstation asks her for the password. Once
Alice enters the password, the workstation generates the symmetric key (KA) derived
from the password (like AS would have done earlier) and uses that key to extract the
session key (KS) and the Ticket Granting Ticket (TGT). The workstation destroys
Alice's password from its memory immediately so that the attacker cannot steal it
(Kahate, 2013, 375).
Step 2: Obtaining a Service Granting Ticket (SGT)
After a successful login, suppose Alice wants to make use of the email server, which
we refer to as Bob here, for some email communication. Alice first informs her
workstation that she needs to contact Bob and so needs a ticket. Alice’s
workstation creates a message intended for the Ticket Granting Server (TGS),
containing the TGT, the id of the server (Bob), and the current timestamp encrypted with
the same session key (KS). The TGT is encrypted with the secret key of the Ticket Granting
Server (TGS), so only the TGS can open it, which proves to the TGS that Alice is indeed
the sender of the message. The TGS creates a session key KAB for Alice to have secure
communication with Bob. The TGS sends it twice to Alice: once combined with Bob’s id
(Bob) and encrypted with the session key (KS), and a second time combined with
Alice’s id (Alice) and encrypted with Bob’s secret key (KB) (Kahate, 2013, 376).
Step 3: User Contacts Bob for Accessing the Server
Alice can now send KAB to Bob to enter into a session with him. The steps are shown in
Figure 10.1.
Figure 10.1: Alice sends KAB securely to Bob
For security, Alice can simply forward KAB encrypted with Bob’s secret key to Bob. Alice
also sends the timestamp, encrypted with KAB, to Bob. Bob first uses his secret key to
open the information (Alice + KAB) and obtain the key KAB, and then decrypts the
timestamp value. Now Alice and Bob can communicate securely with each other
(Kahate, 2013, 378).
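The three steps above, run end to end, as an added example that is not part of the original module or of any Kerberos implementation. The SHA-256 keystream with an HMAC tag is a toy stand-in for the symmetric cipher of Kerberos version 4, and the function names, the sample password and the 300-second timestamp window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds a timestamp may differ from "now" (assumed value)


def xor_keystream(key, nonce, data):
    # SHA-256 in counter mode as a keystream: a toy cipher, not for real use.
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, fields):
    """Encrypt a dict under `key` and append a MAC so a wrong key is detected."""
    nonce = secrets.token_bytes(16)
    body = xor_keystream(key, nonce, json.dumps(fields).encode())
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return json.loads(xor_keystream(key, nonce, body))


def password_key(password):
    """KA: the symmetric key derived from the user's password."""
    return hashlib.sha256(password.encode()).digest()


# Long-term secrets, constructed for this example.
AS_PASSWORDS = {"Alice": "correct horse battery"}  # shared by each user and the AS
K_TGS = secrets.token_bytes(32)                    # shared by the AS and the TGS
K_B = secrets.token_bytes(32)                      # shared by the TGS and Bob


def as_reply(user):
    """Step 1 (AS): TGT = E_Ktgs(user, KS); reply = E_KA(KS, TGT)."""
    ks = secrets.token_bytes(32)
    tgt = seal(K_TGS, {"user": user, "ks": ks.hex()})
    return seal(password_key(AS_PASSWORDS[user]), {"ks": ks.hex(), "tgt": tgt.hex()})


def workstation_open(reply, typed_password):
    """Step 1 (workstation): derive KA from the typed password, extract KS and TGT."""
    fields = unseal(password_key(typed_password), reply)
    return bytes.fromhex(fields["ks"]), bytes.fromhex(fields["tgt"])


def check_fresh(key, sealed_timestamp, now):
    if abs(now - unseal(key, sealed_timestamp)["ts"]) > MAX_SKEW:
        raise ValueError("stale timestamp")


def tgs_grant(tgt, server_id, sealed_timestamp, now):
    """Step 2 (TGS): open the TGT, check the timestamp, issue KAB twice."""
    ticket = unseal(K_TGS, tgt)              # only the TGS holds K_TGS
    ks = bytes.fromhex(ticket["ks"])
    check_fresh(ks, sealed_timestamp, now)   # timestamp was encrypted with KS
    kab = secrets.token_bytes(32).hex()
    for_alice = seal(ks, {"server": server_id, "kab": kab})
    for_bob = seal(K_B, {"user": ticket["user"], "kab": kab})
    return for_alice, for_bob


def bob_accept(for_bob, sealed_timestamp, now):
    """Step 3 (Bob): recover (Alice + KAB) with KB, then check the timestamp."""
    ticket = unseal(K_B, for_bob)
    kab = bytes.fromhex(ticket["kab"])
    check_fresh(kab, sealed_timestamp, now)
    return ticket["user"], kab


def run_exchange(typed_password, now=None):
    """Run all three steps; return (user Bob accepted, both sides hold the same KAB)."""
    now = time.time() if now is None else now
    ks, tgt = workstation_open(as_reply("Alice"), typed_password)
    for_alice, for_bob = tgs_grant(tgt, "Bob", seal(ks, {"ts": now}), now)
    kab = bytes.fromhex(unseal(ks, for_alice)["kab"])
    user, kab_at_bob = bob_accept(for_bob, seal(kab, {"ts": now}), now)
    return user, kab == kab_at_bob


if __name__ == "__main__":
    print(run_exchange("correct horse battery"))
```

A wrong password fails at the workstation because KA cannot open the AS reply, and a timestamp outside the window is rejected by the TGS or by Bob.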
10.3 SUMMARY

Kerberos is a widely used authentication protocol.


Kerberos allocates the job of authenticating users to a central server, and the job of allowing
users access to various systems/servers to a different server.
Kerberos uses the concept of tickets.

10.4 KEYWORDS
1. Authentication Server (AS): Verifies (authenticates) the user during login.
2. Ticket Granting Server (TGS): Issues tickets to certify proof of identity.
10.5 SELF-ASSESSMENT QUESTIONS
I. Long questions:
1. Explain the process of obtaining a Service Granting Ticket (SGT).
2. Write a note on generating Ticket Granting Ticket (TGT) in Kerberos.
3. Elaborate on primary steps in the Kerberos protocol.
II. Short questions:
1. What is Kerberos?
2. List the parties involved in the Kerberos protocol.
3. Does Kerberos use the concept of tickets?
4. What is the function of Authentication Server in the Kerberos protocol?
5. What is the function of Ticket Granting Server (TGS) in the Kerberos protocol?

III. True and False:


1. Authentication Server (AS) verifies (authenticates) the user during login in the Kerberos
protocol.
2. Ticket Granting Server (TGS) issues tickets to certify proof of identity in the Kerberos
protocol.
3. Kerberos is an authentication protocol.
4. Kerberos does not allocate the job of authenticating users to a central server, and the job
of allowing users access to various systems/servers to a different server.
5. Kerberos uses the concept of tickets.
Ans: 1. True, 2. True, 3. True, 4. False, 5. True

IV. Multiple choice question


1. Kerberos is an ________ protocol used in many real-life systems.
(a) authentication
(b) credit card
(c) message digest
(d) authorisation
2. The main objective of Kerberos is to let workstations allow _________in a secure manner.
a. network resources
b. current state
c. Halting state
d. initiator

3. Kerberos uses the concept of _____.

a. tickets
b. rotor
c. distinguisher
d. jitter
4. Kerberos allocates the job of ___________users to a central server.
a. authenticating
b. jitter
c. waiver
d. recorder
5. In the Kerberos protocol, ____________issues tickets to certify proof of identity.
a. Web browser
b. Ticket Granting Server
c. Web server
d. database server
Ans: 1. a, 2. a, 3. a, 4. a, 5. b
10.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.

MODULE - 11 AUTHENTICATION TECHNIQUES

TABLE OF CONTENTS
11.1 Learning Objectives
11.2 Authentication techniques
11.2.1 Introduction to Authentication
11.2.2 Types of authentication
11.2.3 Passwords
11.2.3.1 Clear-Text Password
11.2.3.2 Something Derived from Passwords
11.2.3.3 Adding Randomness
11.2.4 Authentication token

11.2.5 Certificate-based authentication


11.2.6 Use of Smart Cards
11.2.7 Biometric authentication
11.2.7.1 Physiological biometric authentication techniques
11.2.7.2 Behavioral biometric authentication techniques
11.3 Summary
11.4 Key terms
11.5 Self-assessment questions
11.6 References
11.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the concept of Authentication in cryptography in Internet
security.
2. Acquire an overview of different types of authentication techniques.
3. Understand the biometric authentication techniques.

11.2 AUTHENTICATION TECHNIQUES


11.2.1 Introduction to Authentication

Authentication is the most important aspect of cryptography in Internet security that
helps to establish trust by identifying the particular user/system.

Author Atul Kahate defines authentication as, “Determining an identity to the required
level of assurance.” Authentication is the first step in any cryptographic solution as it
ensures that the claimant is really who he/she claims to be (Kahate, 2013, 342).

E.g.: Our college or company identity card has our details on it. Hence, we are required
to wear our identity cards and show them whenever demanded. Another example
is the process of verifying the identity of a user when that user logs in to a computer
system.

11.2.2 Types of authentication:


1. Single-factor authentication: An example is a password. A password is 1-factor
authentication, or single-factor authentication, because it is only something that you know.
2. Two-factor authentication: An example is authentication tokens. You must have
something (the authentication token itself) and you must also know something (the PIN
used to protect it). Authentication needs both of them; knowing only the PIN or having
only the token cannot complete the process (Kahate, 2013, 357).
3. Multi-factor authentication: An example is an authentication token that is generally
protected by a password or a 4-digit PIN. Only when this PIN is entered can a one-time
password be generated. Following are the three most common factors:

● Something you know, e.g. a password or PIN

● Something you have/possess, e.g. a passport, a credit card or an identity card

● Something you are, e.g. your voice or fingerprint (Kahate, 2013, 357).

11.2.3 Passwords

A password is a string, made up of alphabets, numbers and special characters, which is
supposed to be known only to the entity (usually a person) that is being authenticated.
Even if it seems to be the simplest technique without the need of any special hardware
or software support, it is not so.

11.2.3.1 Clear-Text Password

Generally, every user in the system is assigned a user id and an initial password. The
user changes the password periodically for security reasons. The password is stored in
clear text in the user database against the user id on the server. When the user wants to
log in to any application, the user is prompted to enter a valid password. When the user
enters it, the user id and password travel in clear text to the server. The server matches
them against the database and sends the result accordingly. In this authentication process,
the storage and transmission of the password in clear text make it easy prey for attackers.
Storing the password in encrypted form can be a solution.

11.2.3.2 Something Derived from Passwords

We can apply some algorithm to the password and store the result of this algorithm
as the (derived) password in the database. When the user wants to be authenticated, the
user enters the password, the user’s computer performs the same algorithm locally, and
sends the derived password to the server, where it is verified (Kahate, 2013, 346).

Applying algorithms like MD5 or SHA-1 to the password to create a message digest of the
password can be one of the solutions.

One weakness of this solution is that it involves the transmission of the user id and
the message digest of the password from the user’s computer to the server. So the
attacker can listen to the communication and may commit a replay attack. So better
schemes are required.

11.2.3.3 Adding Randomness

This is devised to foil the replay attack. The server now creates a random challenge (a
random number, generated using a pseudo-random number generation technique), and
sends it back to the user. The random challenge can travel as plain text from the server
to the user’s computer. The message digest of the password is now used to encrypt the
random challenge received from the server. The output is sent to the server. The server also
performs the identical operation to complete authentication. The drawback here is storing
the user’s password in the user database. So password encryption can be implemented,
where SSL will carry out the necessary encryption operations.
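An added sketch, not from the original module, contrasting sections 11.2.3.2 and 11.2.3.3: a captured derived password is accepted again when replayed, while a captured challenge response is not. SHA-256 stands in for MD5/SHA-1 and HMAC stands in for encrypting the challenge with the digest; the class names, user id and sample password are assumptions.

```python
import hashlib
import hmac
import secrets


def derived_password(password):
    """Section 11.2.3.2: the message digest stored and sent instead of the password."""
    return hashlib.sha256(password.encode()).digest()


class DigestServer:
    """Scheme of 11.2.3.2: the client sends the digest itself on every login."""

    def __init__(self):
        self.users = {}

    def register(self, user_id, password):
        self.users[user_id] = derived_password(password)

    def login(self, user_id, sent_digest):
        stored = self.users.get(user_id)
        return stored is not None and hmac.compare_digest(stored, sent_digest)


class ChallengeServer:
    """Scheme of 11.2.3.3: a fresh random challenge for every login attempt."""

    def __init__(self):
        self.users = {}
        self.pending = {}

    def register(self, user_id, password):
        self.users[user_id] = derived_password(password)

    def start_login(self, user_id):
        self.pending[user_id] = secrets.token_bytes(16)
        return self.pending[user_id]  # the challenge may travel as plain text

    def finish_login(self, user_id, response):
        challenge = self.pending.pop(user_id, None)  # each challenge is used once
        stored = self.users.get(user_id)
        if challenge is None or stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, challenge):
    """Client side: key the challenge with the digest of the typed password."""
    return hmac.new(derived_password(password), challenge, hashlib.sha256).digest()


def replay_outcomes():
    """Log in once under each scheme, then resend the bytes seen on the wire."""
    password = "Tr1cky#pass"  # constructed sample value
    outcomes = {}

    digest_server = DigestServer()
    digest_server.register("alice", password)
    on_the_wire = derived_password(password)          # what a listener captures
    outcomes["digest_login"] = digest_server.login("alice", on_the_wire)
    outcomes["digest_replay"] = digest_server.login("alice", on_the_wire)

    challenge_server = ChallengeServer()
    challenge_server.register("alice", password)
    challenge = challenge_server.start_login("alice")
    on_the_wire = client_response(password, challenge)
    outcomes["challenge_login"] = challenge_server.finish_login("alice", on_the_wire)
    challenge_server.start_login("alice")             # next attempt, new challenge
    outcomes["challenge_replay"] = challenge_server.finish_login("alice", on_the_wire)
    return outcomes


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:16} accepted={accepted}")
```

Both servers still keep a password-equivalent digest in the user database, which is the drawback the paragraph above points out.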

Some Password policies commonly specified by organizations are:

a. Length of the password must be at least 8 characters.

b. It must not contain any blanks.

c. There must be at least one lower-case alphabet, one upper-case alphabet, one digit
and one special character in the password.

d. The password must begin with an alphabet (Kahate, 2013, 355).

11.2.4 Authentication token

A token is a computer-generated code that acts as a digitally encoded signature of a
user. Tokens are used to authenticate the identity of a user to access any website or
application network. E.g.: an OTP (One Time Password) used to verify the user identity to
get network entry. This OTP is valid for 30-60 seconds. During the session time, the
token gets stored in the organization’s database and vanishes when the session expires
(How Does the Token-Based Authentication Work ?, 2023).

11.2.5 Certificate-based authentication

Here the user is expected to have something (certificate) and not know something
(password). So it is stronger than the password authentication technique. For login, the user
is requested to send his/her certificate to the server, over the network. A copy of the
certificate exists on the server, which can be used to verify that the certificate is really
valid (Kahate, 2013, 367).

11.2.6 Use of Smart Cards

It is related to certificate-based authentication as smart cards allow the generation of
private-public key pairs within the card. They also support the storage of digital
certificates within the card. The private key always remains inside the card in a secure,
tamper-free fashion. The public key and the certificate can be exported outside. They
can carry out cryptographic functions such as encryption, decryption, message digest
creation and signing within the card (Kahate, 2013, 370).

11.2.7 Biometric authentication

It includes capturing a sample of some human characteristic, such as fingerprint,
voice, or pattern of lines in the iris of the eye. For authentication, the user has to provide
another sample of the user’s biometric characteristics. If a match of both is found, the user
is valid, else not. Instead of an exact match of the sample, an approximate match can be
acceptable.

Subtypes of biometric authentication techniques are: physiological and behavioral.

11.2.7.1 Physiological biometric authentication techniques

a) Face: Various facial features such as eyes, nose, and mouth.

b) Voice: Human voice characteristics like pitch and tone.

c) Fingerprint: Fingerprint-based authentication uses minutiae-based (graph-based)
and image-based authentication.

d) Iris: Unique pattern inside the iris.

e) Retina: Retina scanning.

11.2.7.2 Behavioral biometric authentication techniques

These include keystroke, signature, etc.

11.3 SUMMARY

Authentication is the most important aspect of cryptography in Internet security that
helps to establish trust by identifying the particular user/system.
Authentication is determining an identity to the required level of assurance.
Authentication is the first step in any cryptographic solution as it ensures that the
claimant is really who he/she claims to be.
Single-factor authentication, two-factor authentication and multi-factor
authentication are the types of authentication.
Passwords, authentication tokens, certificate-based authentication, use of smart
cards and biometric authentication are commonly used authentication techniques.
11.4 KEYWORDS
1. MD5: Message digest algorithm.
2. SHA-1: Message digest algorithm.
3. PIN: Personal Identification Number

11.5 SELF-ASSESSMENT QUESTIONS


I. Long questions:
1. Explain Use of Smart Cards for Authentication in brief.
2. Discuss Authentication token in brief.
3. Elaborate Certificate-based authentication.
4. What is Biometric authentication?
5. Write a note on types of authentication techniques.
II. Short questions:
1. What do you mean by Authentication?
2. List the Password policies commonly specified by organizations.
3. List the physiological biometric authentication techniques
4. List the Behavioral biometric authentication techniques
5. Write a note on types of authentication techniques.
III. True and False:
1. Various facial features such as eyes, nose, and mouth can be used in physiological
biometric authentication techniques.
2. Authentication is the most important aspect of cryptography in Internet security that helps
to establish trust by identifying the particular user/system.
3. A token is a computer-generated code that acts as a digitally encoded signature of a user.
4. Retina scanning checks human voice characteristics like pitch and tone for authentication.
5. Subtypes of biometric authentication techniques are: physiological and behavioral.
Ans: 1. True, 2. True, 3. True, 4. False, 5. True
IV. Multiple choice question
1. Behavioral biometric authentication techniques include ______, _____.
(a) keystroke, Signature
(b) JCA, JCB
(c) public , private keys
(d) JCE, JCF

2. OTP means ____________, used to verify the user identity to get network entry.
(a) One Time password
(b) Only This password
(c) On This password
(d) One test password

3. ___________ is related to certificate-based authentication as it allows the generation of
private-public key pairs within it. They also support the storage of digital certificates within
it.

a. Smart card
b. SSL browsers
c. SGL biometric
d. behavioral biometric
4. A ____________is a computer-generated code that acts as a digitally encoded signature
of a user. They are used to authenticate the identity of a user to access any website or
application network.
a. interface
b. Token
c. integrated fatal record
d. fatal record
5. The fingerprint-based authentication uses minutiae-based (graph-based)
and ___________ authentication.
a. message-based
b. paragraph based
c. facial features based
d. image-based
Ans: 1. a, 2. a, 3. a, 4. b, 5. d
11.6 REFERENCES

1. How does Token-Based Authentication work ? (2023, March 13). GeeksforGeeks.
Retrieved June 15, 2023, from https://www.geeksforgeeks.org/how-does-the-token-based-authentication-work/
2. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.

MODULE - 12 EMAIL SECURITY

TABLE OF CONTENTS

12.1 Learning Objectives


12.2 Email security
12.2.1 Pretty Good Privacy (PGP)
12.2.1.1 Introduction of Pretty Good Privacy (PGP)
12.2.1.2 Working of PGP
12.2.2 Secure Multipurpose Internet Mail Extensions (S/MIME)
12.3 Summary
12.4 Key terms
12.5 Self-assessment questions
12.6 References
12.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the communication in the VPN Architecture.
2. Acquire an overview why VPN is advantageous.
3. Understand the VPN protocols.

12.2 EMAIL SECURITY


In email security we will study two main protocols: Pretty Good Privacy (PGP) and Secure
Multipurpose Internet Mail Extensions (S/MIME).
12.2.1 Pretty Good Privacy (PGP)
Let us examine what a PGP offers in email security.
12.2.1.1 Introduction of Pretty Good Privacy (PGP)
In email security, Pretty Good Privacy (PGP) was designed to provide all four aspects
of security, i.e., confidentiality, integrity, authentication, and non-repudiation. How is this
achieved? Let us see. PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation. PGP uses symmetric
block encryption to provide confidentiality (PGP - Pretty Good Privacy - Javatpoint, n.d.).
12.2.1.2 Working of PGP

Let us understand the working of PGP stepwise. The working of PGP at the Sender site
(A) is shown in Figure 12.1. Remember that the receiver performs these four steps in the
reverse direction to retrieve the original plain text email message (Kahate, 2012, 307).

Step 1: Digital Signature: The e-mail message is hashed by using a hashing function to create
a message digest. The resulting message digest is then encrypted with the sender’s private key.
The result is the sender’s digital signature.

Step 2: Compression: This is an additional step in PGP where the input message and the digital
signature are compressed together.

Step 3: Encryption: The compressed output of step 2 (i.e. the compressed form of the original
email and the digital signature together) is encrypted with a symmetric key.

Step 4: Digital Enveloping: The symmetric key (used for encryption in step 3) is now encrypted
with the receiver’s public key. The output of step 3 and step 4 together form a digital envelope.

The output of step 4 is Base-64 encoded to produce the final result.

Figure 12.1 Working of PGP at the Sender site (A)
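The four sender steps plus Base-64 encoding, and the receiver's reverse path, as an added example that is neither PGP's real message format nor the module's own code. Textbook RSA over small Mersenne primes and a SHA-256 keystream are toy stand-ins for PGP's public-key and symmetric algorithms; all names, the 32-byte field width and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import secrets
import zlib

E = 65537
FIELD = 32  # fixed byte width used for the signature and for the wrapped key


def toy_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# Constructed demo keys built from Mersenne primes: far too small for real use.
SENDER_PUB, SENDER_PRIV = toy_keypair(2**89 - 1, 2**107 - 1)
RECEIVER_PUB, RECEIVER_PRIV = toy_keypair(2**61 - 1, 2**127 - 1)


def xor_stream(key, data):
    # Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def digest_int(message, n):
    """Message digest as an integer below the modulus n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def pgp_send(message, sender_priv, receiver_pub):
    n_s, d_s = sender_priv
    n_r, e_r = receiver_pub
    # Step 1: digital signature = digest encrypted with the sender's private key.
    signature = pow(digest_int(message, n_s), d_s, n_s).to_bytes(FIELD, "big")
    # Step 2: compress the signature and the message together.
    compressed = zlib.compress(signature + message)
    # Step 3: encrypt the compressed data with a one-time symmetric key.
    session_key = secrets.token_bytes(16)
    ciphertext = xor_stream(session_key, compressed)
    # Step 4: digital envelope = symmetric key encrypted with the receiver's public key.
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r).to_bytes(FIELD, "big")
    # Final result: Base-64 encoding of the envelope and the ciphertext.
    return base64.b64encode(wrapped + ciphertext)


def pgp_receive(armored, receiver_priv, sender_pub):
    """The receiver performs the same steps in the reverse direction."""
    n_r, d_r = receiver_priv
    n_s, e_s = sender_pub
    raw = base64.b64decode(armored)
    wrapped, ciphertext = raw[:FIELD], raw[FIELD:]
    key_int = pow(int.from_bytes(wrapped, "big"), d_r, n_r)
    if key_int.bit_length() > 128:
        raise ValueError("envelope was not made for this private key")
    try:
        blob = zlib.decompress(xor_stream(key_int.to_bytes(16, "big"), ciphertext))
    except zlib.error as exc:
        raise ValueError("ciphertext corrupted") from exc
    signature, message = blob[:FIELD], blob[FIELD:]
    if pow(int.from_bytes(signature, "big"), e_s, n_s) != digest_int(message, n_s):
        raise ValueError("signature does not match the sender's public key")
    return message


if __name__ == "__main__":
    mail = b"Subject: Q3 figures\r\n\r\nThe report is attached."  # constructed sample
    armored = pgp_send(mail, SENDER_PRIV, RECEIVER_PUB)
    print(armored.decode())
    print(pgp_receive(armored, RECEIVER_PRIV, SENDER_PUB))
```

The signature is checked only after decryption and decompression, so a message checked against the wrong sender key, or altered in transit, is rejected rather than returned.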


Key Management: In PGP, session keys and passphrase-based keys are generated on the go,
used once and discarded. Public and private keys are persistent and need to be preserved and
managed. Recall that a user can have multiple public/private key pairs. Each PGP user must
manage his own private keys and the public keys of others. These are stored on separate key
rings. Private keys are protected by encryption; public keys are stored with certificates attesting
to their trustworthiness. Keys can be revoked (University of Texas at Austin, n.d.).

PGP supports either digital certificates or key rings to establish trust between users. PGP has
interesting mechanisms to create trust relationships, namely introducer trust, certificate
trust, and key legitimacy.
12.2.2 Secure Multipurpose Internet Mail Extensions (S/MIME)

SMTP transfers email messages as characters represented in 7-bit ASCII format. But 7-bit
ASCII cannot represent special characters above the ASCII value of 127. Another drawback
of SMTP is that it cannot send binary data. Text in languages that 7-bit ASCII cannot
represent, such as French, German, Russian, Chinese and Japanese, cannot be
transmitted using SMTP. So, in order to make SMTP broader, MIME can be used.

How is this achieved? About MIME, author Atul Kahate states, “A MIME email message
contains a normal Internet text message along with some special headers and formatted sections
of text. Each such section can hold an ASCII-encoded portion of data. Each section starts with
an explanation as to how the data that follows should be interpreted/decoded at the recipient’s
end. The recipient’s email system uses this explanation to decode the data”.

MIME header in an email message is shown in Figure 12.1 with the meaning of each field.

Figure 12.1: MIME header in an email message

Figure 12.2: MIME content types

The Content-Transfer-Encoding field in the MIME header specifies the method used to encode
the messages into zeroes and ones. This is shown in Table 12.1.
Table 12.1 Content-transfer-encoding values

Type              Description
7-bit             NVT ASCII characters and short lines
8-bit             Non-ASCII characters and short lines
Binary            Non-ASCII characters with unlimited-length lines
Base-64           6-bit blocks of data encoded into 8-bit ASCII characters
Quoted-Printable  Non-ASCII characters encoded as an equal to sign, followed by an ASCII code

Similar to PGP, S/MIME provides for digital signatures and encryption of email messages.

S/MIME Messages
The general procedure for preparing an S/MIME message is as follows. S/MIME secures a MIME
entity (entire message, or a sub-part of the whole message) with a signature, encryption, or
both. The MIME entity is prepared as per the usual MIME rules. It is then processed by S/MIME,
along with security-related data, such as identifiers of algorithms and digital certificates. This
process produces a “Public Key Cryptography Standard (PKCS)” object, which is now considered
as message content and is wrapped inside MIME, with the addition of appropriate MIME headers
(Kahate, 2013, 317).

12.3 SUMMARY

Pretty Good Privacy (PGP) is an email security protocol.
PGP supports either digital certificates or key rings to establish trust between users.
PGP has interesting mechanisms to create trust relationships, namely introducer trust,
certificate trust, and key legitimacy.
Working of PGP involves Digital Signature, Compression, Encryption, Digital Enveloping and
encoding.
S/MIME is an email security protocol called Multipurpose Internet Mail Extension (MIME).
MIME allows non-text data to be sent via email.
S/MIME secures MIME contents in the form of encryption, message digests, and digital
signatures.
S/MIME is very useful for modern communication as it is very common to send multimedia
and binary data using email.
12.4 KEYWORDS
1. PGP: Pretty Good Privacy is an email security protocol.
2. S/MIME: An email security protocol called Multipurpose Internet Mail Extension
(MIME).

12.5 SELF-ASSESSMENT QUESTIONS


I. Long questions:
1. Explain how the Digital Signature of an e-mail message is generated in PGP.
2. Discuss what Key Management is in PGP.
3. Elaborate, with a neat diagram, the working of PGP at the Sender site.
4. Write a note on Digital Enveloping in PGP.
5. What are the drawbacks of SMTP?
6. Explain the MIME header in an email message.

II. Short questions:


1. What is PGP in email security?
2. Explain how compression is performed in PGP.
3. Explain how Encryption is performed in PGP.
4. What is PGP in email security?
5. Explain MIME content types.
6. Explain the Content-Transfer-Encoding field in the MIME header.

III. True and False:


1. VPN uses IPSec internally.
2. Pretty Good Privacy (PGP) is an email security protocol.
3. S/MIME means Secure Multipurpose Internet Mail Extensions.
4. General procedure for preparing an S/MIME message: S/MIME secures a MIME entity
(entire message, or a sub-part of the whole message) with a signature, encryption, or both.
5. 7-bit ASCII can represent special characters above the ASCII value of 127.

Ans: 1. True, 2. True, 3. True, 4. True, 5. False


IV. Multiple choice question
1. PGP _______________ is an email security protocol.
(a) Pretty Good Privacy

(b) Pretty Good Privacy
(c) Programming Good Privacy
(d) Privacy Good programming
2. In email security, Pretty Good Privacy (PGP) was designed to provide all four aspects of
security, i.e., confidentiality, integrity, __________, and non-repudiation.
(a) permanent
(b) authentication
(c) zooming
(d) piracy
3. ____________ is an additional step in PGP where input message and the digital signature
are compressed together.

a. Intermixing
b. jitter
c. Compression
d. SGL buffer
4. PGP supports either ____________ or key rings to establish trust between users.
a. digital certificates
b. private signature
c. internal certificates
d. mail certificates
5. SMTP transfers the email message of characters represented in _________ format.

a. 7-bit ASCII

b. private ASCII
c. certificates 7-bit
d. 4-bit ASCII
6. ______________ field in the MIME header specifies the method used to encode the messages
into zeroes and ones.
a. Content-Transfer-Encoding

b. PrivateTransfer-Encoding
c. certificates-Encoding
d. 4-bit certificates-Encoding

Ans: 1. a, 2. b, 3. c, 4. a, 5. a, 6. a
12.6 REFERENCES
1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill
Education.
2. PGP - Pretty Good Privacy - javatpoint. (n.d.). Javatpoint. Retrieved June 15,
2023, from https://www.javatpoint.com/computer-network-pgp
3. University of Texas at Austin. (n.d.). Foundations of Computer Security -
Lecture 70: PGP Key Management II. UT Computer Science. Retrieved June
15, 2023, from https://www.cs.utexas.edu/~byoung/cs361/lecture70.pdf

MODULE - 13 FIREWALLS

TABLE OF CONTENTS

13.1 Learning Objectives


13.2 Firewalls
13.2.1 Introduction to Firewalls
13.2.2 Types of Firewalls
13.2.3 Firewall Configurations
13.2.4 Demilitarized Zone (DMZ).
13.2.5 Limitations of Firewall

13.3 Summary
13.4 Key terms
13.5 Self-assessment questions
13.6 References
13.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the need of Firewalls
2. Acquire an overview of types of Firewalls.
3. Understand the different Firewall Configurations.

13.2 FIREWALLS
13.2.1 Introduction To Firewalls
Firewalls are widely used by organizations to protect their internal networks from outside attacks. A
firewall keeps good bits in and bad bits out of an internal network. Figure 13.1 shows a simple firewall.

Figure 13.1: Firewall

13.2.2 Types of Firewalls


There are two main types of firewalls: (a) Packet Filters and (b) Application Gateways.
(a) Packet Filters
A packet filter applies a set of rules to each packet and, depending on the outcome,
decides to either forward or discard the packet. It is also called a “screening router” or
“screening filter”.
The filtering rules are based on a number of fields in the IP and TCP/UDP headers, such as
source and destination IP addresses, the IP protocol field (which identifies whether the protocol
in the upper transport layer is TCP or UDP), and TCP/UDP port numbers. Figure 13.2 shows a
sample screenshot of the set of rules implementation in a packet filter. The filtering is applied in
both directions, i.e. to outgoing data packets from the internal network and to incoming data
packets to the internal network.
A packet filter performs the following functions.
(a) Receive each packet as it arrives.
(b) Pass the packet through a set of rules, based on the contents of the IP and transport header
fields of the packet. If there is a match with one of the set rules, decide whether to pass or drop
or log the packet based on that rule. For example, a rule could specify: drop all incoming traffic
from an IP address, say 157.29.19.16, or drop all traffic that uses UDP as the higher (transport)
layer protocol.
(c) If there is no match with any rule, take the default action (either discard all packets or accept
all packets).
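The rule evaluation described in steps (a) to (c), as an added example that is not part of the original text: rules are checked in order, the first match decides, and unmatched packets get the default action. The `Packet` and `Rule` records, the rule table and every address other than 157.29.19.16 are constructed for illustration; records need Java 16 or later.

```java
import java.util.List;

public class PacketFilterDemo {
    enum Action { PASS, DROP, LOG }
    enum Direction { IN, OUT }

    // Header fields a packet filter inspects (constructed model, not a real packet parser).
    record Packet(Direction dir, String srcIp, String dstIp, String proto, int dstPort) {}

    // A null field (or port -1) is a wildcard that matches any value.
    record Rule(Direction dir, String srcIp, String dstIp, String proto, int dstPort, Action action) {
        boolean matches(Packet p) {
            return (dir == null || dir == p.dir())
                && (srcIp == null || srcIp.equals(p.srcIp()))
                && (dstIp == null || dstIp.equals(p.dstIp()))
                && (proto == null || proto.equals(p.proto()))
                && (dstPort == -1 || dstPort == p.dstPort());
        }
    }

    // Step (b): rules are checked in order and the first match decides.
    // Step (c): if nothing matches, the default action applies.
    static Action decide(List<Rule> rules, Packet p, Action defaultAction) {
        for (Rule r : rules) {
            if (r.matches(p)) {
                return r.action();
            }
        }
        return defaultAction;
    }

    public static void main(String[] args) {
        List<Rule> rules = List.of(
            // Drop all incoming traffic from 157.29.19.16 (the rule given in the text).
            new Rule(Direction.IN, "157.29.19.16", null, null, -1, Action.DROP),
            // Drop all traffic that uses UDP, in either direction (also from the text).
            new Rule(null, null, null, "UDP", -1, Action.DROP),
            // Log inbound TELNET attempts to the internal server (constructed rule).
            new Rule(Direction.IN, null, "192.0.2.10", "TCP", 23, Action.LOG),
            // Pass inbound web traffic to the internal server (constructed rule).
            new Rule(Direction.IN, null, "192.0.2.10", "TCP", 80, Action.PASS),
            // Pass outbound TCP from the internal network (constructed rule).
            new Rule(Direction.OUT, null, null, "TCP", -1, Action.PASS));

        // Constructed sample packets.
        List<Packet> packets = List.of(
            new Packet(Direction.IN, "157.29.19.16", "192.0.2.10", "TCP", 80),
            new Packet(Direction.IN, "198.51.100.7", "192.0.2.10", "TCP", 80),
            new Packet(Direction.OUT, "192.0.2.25", "198.51.100.7", "UDP", 53),
            new Packet(Direction.IN, "198.51.100.7", "192.0.2.10", "TCP", 23),
            new Packet(Direction.IN, "198.51.100.7", "192.0.2.10", "ICMP", 0));

        // Default action: discard anything no rule mentions.
        for (Packet p : packets) {
            System.out.println(p + " -> " + decide(rules, p, Action.DROP));
        }
    }
}
```

The first packet is dropped even though the later web rule would pass it, because rule order decides. The ICMP packet matches no rule and falls through to the default action.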

Figure 13.2: Set of rules implementation in packet filter

(b) Application Gateways


An application gateway is also called a “proxy server” because it acts like a proxy (i.e. deputy
or substitute) and decides about the flow of application level traffic.
An application gateway works as follows.
(a) An internal user contacts the application gateway using a TCP/IP application, such as HTTP
or TELNET.
(b) The application gateway asks the user about the remote host with which the user wants to
set up a connection for actual communication (i.e. its domain name or IP address, etc.). The
application gateway also asks for the user id and the password required to access the services of
the application gateway.
(c) The user provides this information to the application gateway.
(d) The application gateway now accesses the remote host on behalf of the user and passes the
packets of the user to the remote host (Kahate, 2013, 430).
13.2.3 Firewall Configurations

1. Screened Host Firewall, Single-Homed Bastion: In the screened host firewall, single-homed
bastion configuration, a firewall setup consists of two parts: a packet-filtering router and an
application gateway. The application gateway here performs authentication and proxy functions.
2. Screened Host Firewall, Dual-Homed Bastion: Here, direct connections between the internal
hosts and the packet filter are avoided. Instead, the packet filter connects only to the application
gateway, which, in turn, has a separate connection with the internal hosts.
3. Screened Subnet Firewall: Here, two packet filters are used, one between the Internet and the
application gateway, and another one between the application gateway and the internal
network.
13.2.4 Demilitarized Zone (DMZ).
Firewalls can be arranged to form a Demilitarized Zone (DMZ). DMZ is needed only if an
organization has servers that it needs to make available to the outside world like Web servers
or FTP servers. For this, a firewall has at least three network interfaces.
1) One interface connects to the internal private network.
2) The second connects to the external public network (i.e. the Internet).
3) The third connects to the public servers (which form the DMZ network).
The internal private network is in no way directly connected to the DMZ. The benefit of this is
that access to any service on the DMZ can be restricted. Even if the DMZ is hacked, the internal
private network remains safe as it is completely separate from the DMZ.
13.2.5 Limitations of Firewall

(a) Insider’s Intrusion: There are chances that an inside user attacks the internal network, which
a firewall is not able to prevent.

(b) Direct Internet Traffic: If a firewall is not configured carefully it may cause problems. In case
a firewall is one of the entry-exit points of an organization’s network, a user can bypass the
firewall and exchange information with the Internet via the other entry-exit points. A
firewall is not able to prevent this.

(c) Virus Attacks: A firewall cannot protect the internal network from virus threats.

13.3 SUMMARY

Firewalls are widely used by organizations to protect their internal networks from outside attacks. A
firewall keeps good bits in and bad bits out of an internal network.
There are two main types of firewalls: (a) Packet Filters and (b) Application Gateways.
Firewall Configurations are: Screened Host Firewall, Single-Homed Bastion; Screened Host Firewall,
Dual-Homed Bastion; and Screened Subnet Firewall.
Firewalls can be arranged to form a Demilitarized Zone (DMZ). DMZ is needed only if an organization
has servers that it needs to make available to the outside world like Web servers or FTP servers.
Limitations of Firewall are Insider’s Intrusion, Direct Internet Traffic, Virus Attacks.

13.4 KEYWORDS
1. DMZ: Demilitarized Zone. DMZ is needed only if an organization has servers that it needs to
make available to the outside world like Web servers or FTP servers.
2. HTTP: The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet
protocol suite model for distributed, collaborative, hypermedia information systems.
3. FTP: File transfer protocol, a standard for the exchange of program and data files across a network.

13.5 SELF-ASSESSMENT QUESTIONS


I. Long questions:
1. Explain the function of Packet Filters.
2. Discuss Application Gateways in brief.
3. Elaborate on different Firewall Configurations.
4. Write a note on Demilitarized Zone (DMZ).
II. Short questions:
1. What is the use of a firewall?
2. List the types of Firewalls.
3. List the different Firewall Configurations.
4. What are the Limitations of Firewall?

III. True and False:


1. Firewalls can be arranged to form a Demilitarized Zone (DMZ).
2. One of the Limitations of Firewall is Insider’s Intrusion.
3. Laying a leased line is quite costly when two branch networks are to be connected.
4. A firewall can protect the internal network from virus threats.
5. If a firewall is not configured carefully it may cause problems. In case a firewall is one of the
entry-exit points of an organization’s network,
Ans: 1. True, 2. True, 3. True, 4. False, 5. True

IV. Multiple choice question
1. Demilitarized Zone i.e. DMZ is needed only if an organization has servers that it needs to make
available to the outside world like __________
(a) Web servers or FTP servers
(b) licensing servers, SST servers
(c) licensing servers, SGL servers
(d) SGL servers, SST servers
2. A firewall cannot protect the internal network from ______threats.
(a) temporary
(b) virus
(c) zooming
(d) physical
3. Firewalls are widely used by organizations to protect their _______ from outside attacks.
a. internal networks
b. jitter networks
c. buffer networks
d. SGL buffer networks
4. There are two main Types of Firewalls (a) _____________ (b) Application Gateways.
a. Packet Filters
b. private Filters
c. extranet Filters
d. small Filters
Ans: 1. a, 2. b, 3. a, 4. a
13.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.


2. Virtual Private Network (VPN) | An Introduction. (2022, September 29).
GeeksforGeeks. Retrieved June 15, 2023, from
https://www.geeksforgeeks.org/virtual-private-network-vpn-introduction/

MODULE - 14 VPN

TABLE OF CONTENTS

14.1 Learning Objectives


14.2 VPN
14.2.1 Introduction to VPN
14.2.2 Communication in the VPN Architecture
14.2.3 VPN protocols
14.3 Summary
14.4 Key terms
14.5 Self-assessment questions
14.6 References
14.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand the communication in the VPN Architecture.
2. Acquire an overview of why VPN is advantageous.
3. Understand the VPN protocols.

14.2 VPN
14.2.1 Introduction To VPN
About Virtual Private Networks (VPN), author Atul Kahate states, “A VPN is a
mechanism of employing encryption, authentication and integrity protection so that we can use
a public network (such as the Internet) as if it is a private network (such as a physical network
created and controlled by you).” Here, virtual means that it depends on the use of virtual
connections which are temporary.
14.2.2 Communication in the VPN Architecture

To understand communication in the VPN Architecture, let us take an example of a
company having one branch in Pune and the other in Delhi. If the branch networks of these two
branches need to connect with each other, the company can use either the Internet or a leased
line between them. Laying a leased line is quite costly. Using the Internet to connect these branch
networks raises security concerns, as the Internet is a public network. VPN combines the
advantages of a public network (cheap and easily available) with those of a private network
(secure and reliable) (Kahate, 2013, 458). Here, two firewalls are set up in order to carry out
encryption and decryption. Figure 14.1 shows the simplest form of the VPN Architecture.

Figure 14.1: VPN Architecture


A data packet is transmitted from host X on Network 1 to host Y on Network 2 in the
following steps.
1. Host X creates the packet. It inserts source address = its own IP address and
destination address = the IP address of host Y.
2. Firewall 1 now adds new headers to the packet. It inserts source address = IP
address of Firewall 1 and destination address = IP address of Firewall 2. Firewall 1
then carries out packet encryption and authentication, depending on the settings, and
sends the modified packet over the Internet.
3. When this packet reaches Firewall 2 from the Internet, via routers, Firewall 2 detaches
the outer header and carries out decryption and other cryptographic functions as necessary.
This produces the original packet.
4. From the plain text contents of the packet, Firewall 2 reads the destination address, sees
that the packet is intended for host Y, and sends it to Y.
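The encapsulation and decapsulation steps above, as an added example that is not part of the original text: Firewall 1 wraps and protects the inner packet, Firewall 2 unwraps it and rejects anything modified in transit. AES-GCM stands in for the unspecified "encryption and authentication" settings; the `Packet` and `TunnelPacket` records, the addresses and the pre-shared key are constructed assumptions, and records need Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class VpnTunnelDemo {
    // Simplified models (constructed): real IP headers carry many more fields.
    record Packet(String src, String dst, String payload) {}
    record TunnelPacket(String outerSrc, String outerDst, byte[] nonce, byte[] sealed) {}

    static final SecureRandom RNG = new SecureRandom();

    // Firewall 1: encrypt the whole inner packet, inner addresses included,
    // and put a new outer header (Firewall 1 -> Firewall 2) in front of it.
    static TunnelPacket encapsulate(Packet inner, String fw1, String fw2, SecretKey key)
            throws Exception {
        byte[] nonce = new byte[12];          // fresh nonce for every packet
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        // The outer header travels in clear but is covered by the authentication tag.
        c.updateAAD((fw1 + ">" + fw2).getBytes(StandardCharsets.UTF_8));
        byte[] plain = String.join("\n", inner.src(), inner.dst(), inner.payload())
                .getBytes(StandardCharsets.UTF_8);
        return new TunnelPacket(fw1, fw2, nonce, c.doFinal(plain));
    }

    // Firewall 2: detach the outer header, verify and decrypt, recover the original packet.
    static Packet decapsulate(TunnelPacket t, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, t.nonce()));
        c.updateAAD((t.outerSrc() + ">" + t.outerDst()).getBytes(StandardCharsets.UTF_8));
        byte[] plain = c.doFinal(t.sealed()); // throws AEADBadTagException if modified
        String[] parts = new String(plain, StandardCharsets.UTF_8).split("\n", 3);
        return new Packet(parts[0], parts[1], parts[2]);
    }

    public static void main(String[] args) throws Exception {
        // Key shared by the two firewalls (generated here; key exchange is out of scope).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey shared = kg.generateKey();

        // Host X (Network 1) sends to host Y (Network 2); addresses are constructed.
        Packet fromX = new Packet("10.1.0.5", "10.2.0.9", "quarterly report");
        TunnelPacket onInternet = encapsulate(fromX, "203.0.113.1", "203.0.113.2", shared);
        System.out.println("Seen on the Internet: " + onInternet.outerSrc() + " -> "
                + onInternet.outerDst() + ", " + onInternet.sealed().length + " opaque bytes");

        Packet atFirewall2 = decapsulate(onInternet, shared);
        System.out.println("Forwarded inside Network 2: " + atFirewall2);

        // Flip one bit in transit: Firewall 2 must refuse the packet.
        onInternet.sealed()[0] ^= 0x01;
        try {
            decapsulate(onInternet, shared);
            System.out.println("Modified packet accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("Firewall 2 rejected the modified packet");
        }
    }
}
```

An observer on the Internet sees only the two firewall addresses; the addresses of hosts X and Y are inside the encrypted part.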

14.2.3 VPN protocols

The Point to Point Tunneling Protocol (PPTP) supports VPN connectivity between a
single user and a LAN.
Layer 2 Tunneling Protocol (L2TP) is an improvement over PPTP.
L2TP is considered as the secure open standard for VPN connections. It works for both
combinations: user-to-LAN and LAN-to-LAN. It can include the IPSec functionality as well.
Finally, IPSec can be used in isolation (Kahate, 2013, 461).

14.3 SUMMARY

A Virtual Private Network (VPN) is both virtual (it does not exist physically as a single-wired
network) and private (provides features that make it look like a private network, although it
runs on the open Internet).
Remember the following key points about VPN stated by author Atul Kahate:
● VPN is a very good facility for traveling staff, connecting offices in different cities/countries,
and linking up with other companies in an inexpensive fashion.
● VPN uses IPSec internally.
● VPN can be implemented as a Point to Point Tunneling Protocol (PPTP) on Windows or as
a Layer 2 Tunneling Protocol (L2TP) as an open standard.

Applications:
● VPN assures the security of data by providing an encrypted tunnel between
client and VPN server.
● VPN can be used to bypass many blocked sites.
● VPN has the facility to do anonymous browsing by hiding the owner’s IP address (Virtual
Private Network (VPN) | An Introduction, 2022).

14.4 KEYWORDS
1. Virtual Private Networks (VPN): Mechanism of employing encryption, authentication
and integrity protection so that we can use the Internet as if it is a private network.
2. Point to Point Tunneling Protocol (PPTP): It supports the VPN connectivity between
a single user and a LAN.
3. Local Area Network (LAN): A network of devices in a small area, like a home or
office, that can share data and resources.

14.5 SELF-ASSESSMENT QUESTIONS
I. Long questions:
1. Explain how VPN uses the Internet.
2. Discuss what a VPN is.
3. Elaborate, with a neat diagram, communication in VPN.
4. Write a note on VPN protocols.
II. Short questions:
1. What are applications of VPN?
2. Can we use VPN to bypass many blocked sites?
3. Define VPN.
III. True and False:
1. VPN uses IPSec internally.
2. VPN can be implemented as a Point to Point Tunneling Protocol (PPTP) on Windows or
as a Layer 2 Tunneling Protocol (L2TP) as an open standard.
3. Laying a leased line is quite costly when two branch networks are to be connected.
4. Using the Internet to connect these branch networks can question the security as the
Internet is a private network.
5. Virtual in VPN means that it depends on the use of virtual connections which are
temporary.

Ans: 1. True, 2. True, 3. True, 4. False, 5. True


IV. Multiple choice question
1. A VPN is a mechanism of employing _________, ________ and integrity protection.
(a) encryption, authentication
(b) licensing, authentication
(c) licensing, programming
(d) computing, programming
2. Virtual in VPN means that it depends on the use of virtual connections which
are ____________.
(a) temporary
(b) permanent
(c) zooming
(d) physical

3. To connect two distant branch networks, the company can use either ______ or a leased
line between them.
a. Internet
b. jitter
c. buffer
d. SGL buffer
4. The Internet is a _________ network.
a. public
b. private
c. internal
d. small
Ans: 1. a, 2. b, 3. a, 4. a
14.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.


2. Virtual Private Network (VPN) | An Introduction. (2022, September 29).
GeeksforGeeks. Retrieved June 15, 2023, from
https://www.geeksforgeeks.org/virtual-private-network-vpn-introduction/

MODULE - 15 JAVA CRYPTOGRAPHY

TABLE OF CONTENTS

15.1 Learning Objectives


15.2 Java cryptography
15.2.1 Introduction to Java cryptography
15.2.2 Java Cryptography Architecture (JCA)
15.2.3 Java Cryptography Extension (JCE)
15.2.4. Key Management in JCA
15.2.5. Java code to create a message digest using the SHA-1 algorithm
15.3 Summary
15.4 Key terms
15.5 Self-assessment questions
15.6 References
15.1. LEARNING OBJECTIVES
After completing this module, the learner will be able to
1. Understand how Java cryptography works.
2. Acquire an overview of the Java cryptographic framework.
3. Understand the Key Management in JCA.

15.2 JAVA CRYPTOGRAPHY


15.2.1 Introduction to Java cryptography
In modern computing, Java programming language is seen on the Web browsers, Web
servers, application servers. It also has the Remote Method Invocation (RMI), Java
Messaging Service (JMS), Java Database Connectivity (JDBC), etc. In addition, Java
also provides cryptographic services.

Broadly seen, we can consider the Java cryptographic framework as consisting of two
main technologies, Java Cryptography Architecture (JCA) and Java Cryptography
Extension (JCE). This is shown in Figure 15.1. Let us understand these two one by one.

15.2.2 Java Cryptography Architecture (JCA): JCA is a set of classes that provide
cryptographic capabilities to Java programs. Why is JCA commonly known as
provider architecture? The answer lies in the design. The primary goal in the design of JCA is
to separate the cryptographic concepts, meaning the interfaces, from their actual algorithmic
implementations. An interface is a set of functions or methods that present what that interface
can do but it hides the implementation details (i.e. how it is done). The JCA package contains
a number of classes, called engine classes. An engine class is a logical representation of a
cryptographic functionality (Kahate, 2013, 402).
A cryptographic functionality can be anything integrating the security in the application
such as access control, permissions, key pairs, message digests, and digital signatures.
Let us understand this with the example of one cryptographic functionality,
“digital signatures”. There are many algorithms available to create digital signatures,
and their implementations may differ greatly from one another. But in the end, all
provide the same abstracted functionality of a digital signature. An application
programmer just has to make appropriate calls to the engine classes. The association
between the engine classes and the provider classes is established through parameter
files, which need not be considered while developing an application using JCA. We
specify the provider classes in a properties file that has a predetermined name and
location. When the Java Virtual Machine (JVM) starts execution, it consults this
property file and loads the appropriate provider classes in the memory (Kahate,
2013, 403).
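Engine classes in use for the digital signature case discussed above, as an added example that is not part of the original text: the application names only an algorithm, and the JVM selects a provider class to do the work. The class and method names (`EngineClassDemo`, `sign`, `verify`, `demo`) and the sample message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class EngineClassDemo {
    // Signature is an engine class: the caller asks for an algorithm by name
    // and never refers to the provider class that implements it.
    static byte[] sign(String algorithm, KeyPair kp, byte[] msg) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initSign(kp.getPrivate());
        s.update(msg);
        System.out.println(algorithm + " is served by provider " + s.getProvider().getName());
        return s.sign();
    }

    static boolean verify(String algorithm, KeyPair kp, byte[] msg, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initVerify(kp.getPublic());
        s.update(msg);
        return s.verify(sig);
    }

    // Same calls for every algorithm: sign, then check a genuine and an altered message.
    static void demo(String algorithm, KeyPair kp, byte[] msg) throws Exception {
        byte[] sig = sign(algorithm, kp, msg);
        byte[] altered = msg.clone();
        altered[0] ^= 0x01; // change one bit of the message
        System.out.println("  genuine message verifies: " + verify(algorithm, kp, msg, sig));
        System.out.println("  altered message verifies: " + verify(algorithm, kp, altered, sig));
    }

    public static void main(String[] args) throws Exception {
        // Providers the JVM loaded at start-up, in preference order.
        System.out.println("Installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }

        byte[] msg = "pay 100 to account 42".getBytes(StandardCharsets.UTF_8); // constructed

        // Two different signature algorithms behind one engine-class interface.
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        demo("SHA256withRSA", rsa.generateKeyPair(), msg);

        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(256);
        demo("SHA256withECDSA", ec.generateKeyPair(), msg);
    }
}
```

Only the algorithm name passed to `getInstance()` changes between the RSA and ECDSA runs; the signing and verification calls are identical.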

Figure 15.1: Java cryptographic framework

15.2.3 Java Cryptography Extension (JCE): Encryption of data falls in the category of Java
Cryptography Extension (JCE). Unlike JCA, JCE is not a part of the core Java, but an
additional piece of software that requires special licensing. The architecture of JCE follows the
same pattern as that of JCA. It is also based on the concept of the engine classes and the
provider classes.

15.2.4. Key Management in JCA
Java 2 has a utility called “Keytool”. Keytool stores the public and private keys
separately, and keeps them safe with passwords. Where are these keys kept? In a “Keystore”.
Keystore is the database used by the keytool to store the keys. Usually, the keystore is a simple
computer file with a .keystore extension, in the user’s home directory.
Some of the services provided by keytool:
● Creation of key pairs and self-signed certificates
● Issue Certificate Signing Requests (CSR) to be sent to a Certification Authority (CA)
for requesting a certificate
● Import other people’s certificates for signature verification
● Export certificate (Kahate, 2013, 404)
15.2.5. Java code to create a message digest using the SHA-1 algorithm
Let us now look at an example of creating a message digest using the SHA-1
algorithm (SHA-1 Hash, 2023).
// Java program to calculate SHA-1 hash value

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class GFG {

    // Despite its name, this method hashes the input; a digest cannot be decrypted.
    public static String encryptThisString(String input)
    {
        try {
            // getInstance() method is called with algorithm SHA-1
            MessageDigest md = MessageDigest.getInstance("SHA-1");

            // digest() method is called to calculate the message digest
            // of the input string, returned as an array of bytes.
            // UTF-8 is named explicitly so the result is the same on every platform.
            byte[] messageDigest = md.digest(input.getBytes(StandardCharsets.UTF_8));

            // Convert byte array into signum representation
            BigInteger no = new BigInteger(1, messageDigest);

            // Convert message digest into hex value
            String hashtext = no.toString(16);

            // Add preceding 0s to make it 40 hex digits (SHA-1 output is 160 bits)
            while (hashtext.length() < 40) {
                hashtext = "0" + hashtext;
            }

            // return the HashText
            return hashtext;
        }

        // For specifying wrong message digest algorithms
        catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    // Driver code
    public static void main(String args[]) throws NoSuchAlgorithmException
    {
        System.out.println("HashCode Generated by SHA-1 for: ");

        String s1 = "Learning message digest";
        System.out.println("\n" + s1 + " : " + encryptThisString(s1));

        String s2 = "hello world";
        System.out.println("\n" + s2 + " : " + encryptThisString(s2));
    }
}

Output of above code:

HashCode Generated by SHA-1 for:

Learning message digest : fdab6d7b0b30cdfc3d9dde160a7295572c02a45d

hello world : 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed

15.3 SUMMARY

Java cryptographic framework consists of two main technologies, Java Cryptography
Architecture (JCA) and Java Cryptography Extension (JCE).

JCA is a set of classes that provide cryptographic capabilities to Java programs. JCA is
commonly known as provider architecture.
The JCA package contains a number of classes, called engine classes. An engine class is a
logical representation of a cryptographic functionality.

Encryption of data falls in the category of Java Cryptography Extension (JCE). Unlike JCA,
JCE is not a part of the core Java, but an additional piece of software that requires special
licensing.

15.4 KEYWORDS
1. Engine classes: An engine class is a logical representation of a cryptographic
functionality.
2. Java Cryptography Architecture (JCA): JCA is a set of classes that provide
cryptographic capabilities to Java programs.
3. Java Cryptography Extension (JCE): Unlike JCA, JCE is not a part of the core Java,
but an additional piece of software that requires special licensing and is used for
Cryptographic functionality of Encryption of data.

15.5 SELF-ASSESSMENT QUESTIONS


I. Long questions:
1. Explain JCA in Java Cryptography in brief.
2. Discuss JCE in Java Cryptography in brief.

3. Elaborate with a neat diagram, phases of SSL handshake protocol.
4. What is the meaning of the term “provider architecture” in JCA?
II. Short questions:
1. What are engine classes in JCA?
2. For which Cryptographic functionality Java Cryptography Extension (JCE) is used?
3. What is Keytool?
4. What is a Keystore?
5. Write a note on Key Management in JCA of Java Cryptography.
III. True and False:
1. When the Java Virtual Machine (JVM) starts execution, it consults the property file and
loads the appropriate provider classes in the memory.
2. JCA is commonly known as provider architecture.
3. The primary goal in the design of JCA is to separate the cryptographic concepts, meaning
the interfaces, from their actual algorithmic implementations.
4. Keytool stores the public and private keys together.
5. Creation of key pairs and self-signed certificates is one of the services provided by keytool.

Ans: 1. True, 2. True, 3. True, 4. False, 5. True


IV. Multiple choice question
1. Java cryptography mechanisms are in the form of ______ and ______.
(a) JCP, JCA
(b) JCA, JCB
(c) JCA, JCE
(d) JCE, JCF
2. Out of JCA and JCE, ______ need(s) licensing.
(a) only JCA
(b) only JCE
(c) both JCA and JCE
(d) neither JCA nor JCE

3. In modern computing, Java programming language is seen on the ___________, Web
servers, application servers.
a. Web browsers

b. SSL browsers
c. SGL connection
d. SGL servers
4. An ___________is a set of functions or methods that present what that interface can do
but it hides the implementation details (i.e. how it is done).
a. interface
b. derivative
c. integrated fatal record
d. fatal record
5. Which of the following are cryptographic functionalities?
a. only access control
b. only message digests
c. only digital signatures
d. All of the above
Ans: 1. c, 2. b, 3. a, 4. a, 5. d
15.6 REFERENCES

1. Kahate, A. (2013). Cryptography and Network Security. McGraw Hill Education.
