nisClassNotes

The document is a comprehensive guide on cryptography and security, covering various algorithms and systems such as RSA, ElGamal, and Diffie-Hellman. It includes detailed sections on key management, distribution, hash functions, and message authentication codes. Additionally, it addresses security concerns and applications related to these cryptographic methods.

Uploaded by shyammm53

Cryptography and Security

A Comprehensive Guide

March 2025
Contents

1 RSA Algorithm 9
1.1 Introduction to RSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1.1 Key Setup in RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1.2 Encryption and Decryption Process . . . . . . . . . . . . . . . . . . . 9
1.1.3 RSA Example - Key Generation and Usage . . . . . . . . . . . . . . . 10
1.1.4 Mathematical Foundation of RSA . . . . . . . . . . . . . . . . . . . . 10
1.2 Introduction to ElGamal Cryptosystem . . . . . . . . . . . . . . . . . . . . . 11
1.2.1 Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.2 Encryption Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.3 Decryption Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.4 Why ElGamal Works . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.2.5 Example of ElGamal Cryptosystem . . . . . . . . . . . . . . . . . . . 12
1.2.6 Security of ElGamal Cryptosystem . . . . . . . . . . . . . . . . . . . 13
1.2.7 Restating the ElGamal Process . . . . . . . . . . . . . . . . . . . . . 13
1.3 Introduction to Key Management and Distribution . . . . . . . . . . . . . . 13
1.3.1 Key Management in Symmetric and Public-Key Cryptography . . . . 13
1.4 Key Distribution in Symmetric Cryptography . . . . . . . . . . . . . . . . . 14
1.4.1 Key Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.5 Key Distribution Scenario Using KDC . . . . . . . . . . . . . . . . . . . . . 14
1.6 Key Distribution Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.7 Distribution of Public Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.7.1 Public Announcement . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.7.2 Publicly Available Directory . . . . . . . . . . . . . . . . . . . . . . . 15
1.7.3 Public-Key Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.7.4 Public-Key Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.8 Security of Public-Key Certificates . . . . . . . . . . . . . . . . . . . . . . . 16
1.9 Introduction to Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . 16
1.9.1 Key Features of Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . 16
1.10 Overview of Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . 16
1.11 Example of Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . 17
1.12 Security of Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . 17
1.12.1 Vulnerabilities and Mitigation . . . . . . . . . . . . . . . . . . . . . . 17
1.13 Applications of Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . 18
1.14 Mathematical Explanation of Shared Key Computation . . . . . . . . . . . . 18

1.15 Key Exchange Protocol Variants . . . . . . . . . . . . . . . . . . . . . . . . . 18


1.16 Introduction to Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.16.1 Key Features of Hash Functions . . . . . . . . . . . . . . . . . . . . . 19
1.17 Cryptographic Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.17.1 Requirements for Cryptographic Hash Functions . . . . . . . . . . . . 19
1.18 Internals of a Hash Function . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.18.1 Merkle-Damgård Construction . . . . . . . . . . . . . . . . . . . . . . 20
1.19 Uses of Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.20 Hash Functions and Message Authentication . . . . . . . . . . . . . . . . . . 20
1.21 Digital Signatures Using Hash Functions . . . . . . . . . . . . . . . . . . . . 21
1.22 Other Applications of Hash Functions . . . . . . . . . . . . . . . . . . . . . . 21
1.23 Performance Comparisons of Hash Algorithms . . . . . . . . . . . . . . . . . 21
1.24 Conclusion on Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.25 Introduction to Secure Hash Algorithm . . . . . . . . . . . . . . . . . . . . . 22
1.25.1 Evolution of SHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.26 Overview of SHA-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.26.1 Key Features of SHA-2 . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.27 Overview of SHA-512 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.27.1 Steps in SHA-512 Algorithm . . . . . . . . . . . . . . . . . . . . . . . 23
1.27.2 Structure of SHA-512 Compression Function . . . . . . . . . . . . . . 23
1.28 Security Concerns with SHA Algorithms . . . . . . . . . . . . . . . . . . . . 24
1.29 Applications of Secure Hash Algorithms . . . . . . . . . . . . . . . . . . . . 24
1.30 Conclusion on Secure Hash Algorithms . . . . . . . . . . . . . . . . . . . . . 24
1.31 Introduction to Message Authentication Codes . . . . . . . . . . . . . . . . . 25
1.31.1 Key Features of MACs . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.32 How MAC Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1.33 Types of MAC Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.34 Applications of MACs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
1.35 Security Requirements for MACs . . . . . . . . . . . . . . . . . . . . . . . . 26
1.36 HMAC Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.36.1 HMAC Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.36.2 HMAC Security Properties . . . . . . . . . . . . . . . . . . . . . . . . 27
1.37 Conclusion on Message Authentication Codes . . . . . . . . . . . . . . . . . 27
1.38 Data Authentication Algorithm (DAA) . . . . . . . . . . . . . . . . . . . . . 27
1.38.1 Working of DAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.38.2 Limitations of DAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.39 Cipher-Based Message Authentication Code (CMAC) . . . . . . . . . . . . . 28
1.39.1 Working of CMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
1.39.2 Advantages of CMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1.40 Introduction to Key Wrapping . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1.40.1 Purpose of Key Wrapping . . . . . . . . . . . . . . . . . . . . . . . . 29
1.41 Key Wrapping Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1.41.1 Key Wrapping for 256-Bit Keys . . . . . . . . . . . . . . . . . . . . . 29
1.42 Introduction to PRNGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.42.1 Essential Elements of PRNGs . . . . . . . . . . . . . . . . . . . . . . 30


1.43 Data Authentication Algorithm (DAA) . . . . . . . . . . . . . . . . . . . . . 30


1.43.1 Working of DAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.43.2 Limitations of DAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.44 Cipher-Based Message Authentication Code (CMAC) . . . . . . . . . . . . . 31
1.44.1 Working of CMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.44.2 Advantages of CMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.45 Introduction to Key Wrapping . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.45.1 Purpose of Key Wrapping . . . . . . . . . . . . . . . . . . . . . . . . 32
1.46 Key Wrapping Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
1.47 Introduction to PRNGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
1.47.1 Essential Elements of PRNGs . . . . . . . . . . . . . . . . . . . . . . 32
1.47.2 Security of Hash-Based PRNGs . . . . . . . . . . . . . . . . . . . . . 33
1.47.3 Working of MAC-Based PRNGs . . . . . . . . . . . . . . . . . . . . . 33
1.47.4 Advantages of MAC-Based PRNGs . . . . . . . . . . . . . . . . . . . 34
1.48 Applications of PRNGs in Cryptography . . . . . . . . . . . . . . . . . . . . 34
1.49 Conclusion on Pseudorandom Number Generation . . . . . . . . . . . . . . . 34

2 Digital Signature Algorithm (DSA) 35


2.1 Introduction to Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . 35
2.2 Digital Signature Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3 Attacks and Forgeries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.4 Requirements for Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . 36
2.5 Direct Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.6 Digital Signature Standard (DSS) . . . . . . . . . . . . . . . . . . . . . . . . 37
2.7 Comparison: DSS vs RSA Signatures . . . . . . . . . . . . . . . . . . . . . . 37
2.8 Digital Signature Algorithm (DSA) . . . . . . . . . . . . . . . . . . . . . . . 37
2.8.1 DSA Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.8.2 DSA Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.8.3 DSA Signature Creation . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.8.4 DSA Signature Verification . . . . . . . . . . . . . . . . . . . . . . . . 39
2.8.5 DSA Signature Verification . . . . . . . . . . . . . . . . . . . . . . . . 39
2.9 DSA Example Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.10 DSA Example Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.10.1 Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.10.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.10.3 Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.10.4 Signature Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.10.5 Signature Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.11 Comparison: DSA vs RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.12 Conclusion on DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Index

1. Public Key Cryptosystems

(a) Symmetric vs Public-Key Cryptosystems


(b) Public-Key Applications
i. Encryption/Decryption (Secrecy)
ii. Digital Signatures (Authentication)
iii. Key Exchange (Session Keys)
(c) Suitability of Algorithms for Specific Uses

2. RSA Algorithm

(a) Key Setup


(b) Encryption/Decryption Process
(c) Examples of RSA Key Generation and Usage
(d) Mathematical Foundation of RSA

3. El Gamal Cryptographic System

4. Elliptic Curve Cryptography (ECC)

5. Public Key Distribution and Management

6. Diffie-Hellman Key Exchange

7. Cryptographic Hash Functions

(a) Applications of Cryptographic Hash Functions


(b) Security Requirements for Hash Functions
(c) Hash Functions Based on Cipher Block Chaining
(d) Secure Hash Algorithm (SHA) – SHA3

8. MAC and Digital Signatures

(a) Message Authentication Requirements


(b) Security of MACs


(c) MACs Based on Hash Functions: HMAC


(d) MACs Based on Block Ciphers: DAA and CMAC
(e) Authenticated Encryption: Key Wrapping
(f) Pseudorandom Number Generation using Hash Functions and MACs
(g) Digital Signatures

Chapter 1

RSA Algorithm

1.1 Introduction to RSA Algorithm


The RSA algorithm, developed by Rivest, Shamir, and Adleman in 1977, is one of the most
widely used public-key cryptosystems. It is based on exponentiation in a finite field over
integers modulo a prime. The security of RSA relies on the computational difficulty of
factoring large integers.

1.1.1 Key Setup in RSA


Each user generates a public/private key pair as follows:

1. Select two large random prime numbers p and q.

2. Compute the system modulus n = p · q and ϕ(n) = (p − 1)(q − 1).

3. Choose an encryption key e such that 1 < e < ϕ(n) and gcd(e, ϕ(n)) = 1.

4. Compute the decryption key d, which satisfies:

$e \cdot d \equiv 1 \pmod{\phi(n)}$ and $0 < d < n$.

5. Publish the public key KU = (e, n).

6. Keep the private key secret: KR = (d, p, q).

1.1.2 Encryption and Decryption Process


The RSA encryption and decryption process involves:

1. **Encryption**: To encrypt a message M < n, compute:

$C = M^e \pmod n$.

The sender uses the recipient’s public key KU = (e, n).

2. **Decryption**: To decrypt ciphertext C < n, compute:

$M = C^d \pmod n$.

The recipient uses their private key KR = (d, p, q).

1.1.3 RSA Example - Key Generation and Usage


Here are two examples to illustrate RSA:

1. **Example 1**: Choose primes p = 17, q = 11.

$n = p \cdot q = 17 \times 11 = 187.$
$\phi(n) = (p - 1)(q - 1) = 16 \times 10 = 160.$
Choose $e = 7$ (satisfies $\gcd(e, \phi(n)) = 1$).
Compute $d$ from $e \cdot d \equiv 1 \pmod{\phi(n)}$: $d = 23$.
Public key $KU = (7, 187)$.
Private key $KR = (23, 17, 11)$.
Encryption: given message $M = 88$ ($< 187$), $C = M^e \pmod n = 88^{7} \pmod{187} = 11$.
Decryption: given ciphertext $C = 11$, $M = C^d \pmod n = 11^{23} \pmod{187} = 88$.

2. **Example 2**: Choose primes p = 3, q = 11.

$n = p \cdot q = 3 \times 11 = 33.$
$\phi(n) = (p - 1)(q - 1) = 2 \times 10 = 20.$
Choose $e = 7$ (satisfies $\gcd(e, \phi(n)) = 1$).
Compute $d$ from $e \cdot d \equiv 1 \pmod{\phi(n)}$: $d = 3$.
Public key $KU = (7, 33)$.
Private key $KR = (3, 33)$.
Encryption: given message $M = 2$ ($< 33$), $C = M^e \pmod n = 2^{7} \pmod{33} = 29$.
Decryption: given ciphertext $C = 29$, $M = C^d \pmod n = 29^{3} \pmod{33} = 2$.
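The two examples can be checked mechanically. The script below is an added example written for these notes, not code from the original document: it derives d from (p, q, e), encrypts and decrypts with modular exponentiation, and reproduces both textbook runs. The function names (rsa_keygen, rsa_encrypt, rsa_decrypt, worked_examples) are chosen here; the modular inverse uses Python's built-in pow(e, -1, m), which needs Python 3.8 or later.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Derive an RSA key pair from primes p, q and a chosen public exponent e.

    Returns (KU, KR) = ((e, n), (d, p, q)) in the notation of the notes.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    # Key-setup step 3: e must lie strictly between 1 and phi(n) and be coprime to it.
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    # Key-setup step 4: d is the inverse of e modulo phi(n), so e*d = 1 + k*phi(n).
    d = pow(e, -1, phi)
    return (e, n), (d, p, q)


def rsa_encrypt(public_key, m: int) -> int:
    """C = M^e mod n, using the recipient's public key (e, n)."""
    e, n = public_key
    if not (0 <= m < n):
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """M = C^d mod n, using the recipient's private key (d, p, q)."""
    d, p, q = private_key
    return pow(c, d, p * q)


def worked_examples():
    """Reproduce the two examples: label -> (KU, d, ciphertext C, recovered M)."""
    results = {}
    for label, p, q, e, m in (("example1", 17, 11, 7, 88), ("example2", 3, 11, 7, 2)):
        ku, kr = rsa_keygen(p, q, e)
        c = rsa_encrypt(ku, m)
        results[label] = (ku, kr[0], c, rsa_decrypt(kr, c))
    return results


if __name__ == "__main__":
    for label, (ku, d, c, m) in worked_examples().items():
        print(f"{label}: KU={ku} d={d} C={c} M={m}")
```

Textbook RSA on bare integers, as shown here, is deterministic and unpadded; deployed systems apply a padding scheme (OAEP for encryption) before exponentiation and use primes of hundreds of digits rather than the two-digit primes that keep this arithmetic checkable by hand.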

1.1.4 Mathematical Foundation of RSA


The RSA algorithm is based on fundamental principles of number theory:

• **Euler’s Theorem**: If a and n are coprime, then:

$a^{\phi(n)} \equiv 1 \pmod n$.

• **Fermat’s Little Theorem**: If p is prime and a is not divisible by p, then:

$a^{p-1} \equiv 1 \pmod p$.

• Carefully chosen values of e and d ensure that:

$e \cdot d = 1 + k \cdot \phi(n), \quad k > 0$.

Using these properties, RSA guarantees that:

$C^d = (M^e)^d = M^{1 + k \cdot \phi(n)} = M^{1} \, (M^{\phi(n)})^{k}$.

Since $M^{\phi(n)} \equiv 1 \pmod n$, RSA ensures $C^d \equiv M \pmod n$. (This step uses Euler's theorem and so assumes gcd(M, n) = 1; the remaining case, where M shares a factor with n, follows from Fermat's theorem applied modulo p and modulo q separately together with the Chinese remainder theorem.)

1.2 Introduction to ElGamal Cryptosystem


The ElGamal cryptosystem, proposed by Taher ElGamal in 1985, is a public-key encryption
algorithm based on the Diffie–Hellman key exchange. It provides secure communication by
leveraging the difficulty of solving the discrete logarithm problem. The scheme consists of
three main steps: key generation, encryption, and decryption.

1.2.1 Key Generation


The key generation process involves the following steps:

1. Select a large prime number q and a primitive root g modulo q.
2. Choose a private key x, where x ∈ {1, 2, . . . , q − 1}.
3. Compute the public key component $h = g^{x} \pmod q$.
4. The public key is (q, g, h), and the private key is x.

1.2.2 Encryption Process


To encrypt a plaintext message M, the sender performs the following steps:

1. Choose a random integer k, where k ∈ {1, 2, . . . , q − 1}.
2. Compute the ciphertext components:

$C_1 = g^{k} \pmod q, \quad C_2 = M \cdot h^{k} \pmod q$.

3. The ciphertext is $(C_1, C_2)$.

1.2.3 Decryption Process


To decrypt the ciphertext $(C_1, C_2)$, the receiver uses their private key x as follows:

1. Compute the shared secret:

$K = C_1^{\,x} \pmod q$.

2. Recover the plaintext message:

$M = C_2 \cdot K^{-1} \pmod q$,

where $K^{-1}$ is the modular inverse of K modulo q.


1.2.4 Why ElGamal Works


The ElGamal cryptosystem works because of modular arithmetic and the properties of discrete logarithms:

• During encryption, the sender computes $h^{k} = (g^{x})^{k} = g^{xk} \pmod q$, which is used to mask the plaintext.

• During decryption, the receiver computes $K = C_1^{\,x} = (g^{k})^{x} = g^{xk} \pmod q$, the same masking value, and removes it from $C_2$ by modular inversion to recover the plaintext.

1.2.5 Example of ElGamal Cryptosystem


Here is an example to illustrate how ElGamal works:

1. **Key Generation**: Let q = 11, g = 2, x = 5.

$h = g^{x} \pmod q = 2^{5} \pmod{11} = 32 \pmod{11} = 10.$
Public key: (11, 2, 10).
Private key: x = 5.

2. **Encryption**: Let the plaintext message M = 7. Choose a random k = 3.

(a) Compute $C_1 = g^{k} \pmod q = 2^{3} \pmod{11} = 8$.

(b) Compute $C_2 = M \cdot h^{k} \pmod q = 7 \cdot 10^{3} \pmod{11} = 7 \cdot 1000 \pmod{11} = 7 \cdot 10 \pmod{11} = 70 \pmod{11} = 4$.

The ciphertext is $(C_1, C_2) = (8, 4)$.

3. **Decryption**: To decrypt the ciphertext $(C_1, C_2) = (8, 4)$, the receiver computes:

(a) The shared secret $K = C_1^{\,x} \pmod q = 8^{5} \pmod{11} = 32768 \pmod{11} = 10$.

(b) The modular inverse of K modulo q: $K^{-1} = 10^{-1} \pmod{11} = 10$ (since $10 \cdot 10 = 100 \equiv 1 \pmod{11}$).

(c) The plaintext:

$M = C_2 \cdot K^{-1} \pmod q = 4 \cdot 10 \pmod{11} = 40 \pmod{11} = 7.$

The recovered plaintext is M = 7.


1.2.6 Security of ElGamal Cryptosystem


The security of the ElGamal cryptosystem is based on the computational difficulty of solving
discrete logarithm problems. Specifically:
• To recover the private key x, an adversary would need to compute the discrete loga-
rithm of h = g x (mod q), which is computationally infeasible for large values of q.
• To recover the one-time key K = g xk (mod q), an adversary would need to determine
the random number k, which also requires solving a discrete logarithm problem.
For strong security, it is recommended that:
• The prime number q should be at least 300 decimal digits long.
• The primitive root g should be chosen carefully to ensure it has a large order modulo
q.

1.2.7 Restating the ElGamal Process


The ElGamal encryption and decryption process can be summarized as follows:

1. **Encryption**: Given public key (q, g, h), plaintext message M < q, and random integer k < q, compute:

$C_1 = g^{k} \pmod q, \quad C_2 = M \cdot h^{k} \pmod q$.

Ciphertext: $(C_1, C_2)$.

2. **Decryption**: Given ciphertext $(C_1, C_2)$ and private key x < q, compute:

$K = C_1^{\,x} \pmod q, \quad M = C_2 / K \pmod q$ (that is, $M = C_2 \cdot K^{-1} \pmod q$).
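The worked example of section 1.2.5 and the summary just given are implemented below as an added example for these notes (not code from the original document). The names elgamal_keygen, elgamal_encrypt, elgamal_decrypt and worked_example are chosen here. The per-message value k is drawn with the secrets module when not supplied; passing k explicitly is allowed only so that the notes' example (q = 11, g = 2, x = 5, M = 7, k = 3) can be reproduced.

```python
import secrets


def elgamal_keygen(q: int, g: int, x: int):
    """Public key (q, g, h) with h = g^x mod q; the private key is x."""
    if not (1 <= x <= q - 1):
        raise ValueError("private key x must lie in {1, ..., q-1}")
    return (q, g, pow(g, x, q)), x


def elgamal_encrypt(public_key, m: int, k=None):
    """Return (C1, C2) = (g^k mod q, M * h^k mod q).

    k must be fresh and unpredictable for every message; it is generated here
    unless the caller supplies one to reproduce a worked example.
    """
    q, g, h = public_key
    if not (1 <= m <= q - 1):
        raise ValueError("plaintext must be an integer in {1, ..., q-1}")
    if k is None:
        k = secrets.randbelow(q - 1) + 1      # uniform in {1, ..., q-1}
    c1 = pow(g, k, q)
    c2 = (m * pow(h, k, q)) % q
    return c1, c2


def elgamal_decrypt(private_key: int, q: int, ciphertext) -> int:
    """Recover M = C2 * K^-1 mod q, where K = C1^x mod q is the masking value."""
    c1, c2 = ciphertext
    shared = pow(c1, private_key, q)          # K = g^(xk) mod q
    k_inv = pow(shared, -1, q)                # modular inverse (Python 3.8+)
    return (c2 * k_inv) % q


def worked_example():
    """The notes' example: returns (h, C1, C2, K, recovered M)."""
    public, x = elgamal_keygen(11, 2, 5)
    c1, c2 = elgamal_encrypt(public, 7, k=3)
    shared = pow(c1, x, 11)
    return public[2], c1, c2, shared, elgamal_decrypt(x, 11, (c1, c2))


if __name__ == "__main__":
    print(worked_example())   # the notes give h = 10, (C1, C2) = (8, 4), K = 10, M = 7
```

Because k is random, the same plaintext encrypts to a different (C1, C2) each time, and the ciphertext is twice the size of the plaintext; both are inherent to the scheme. The tiny modulus keeps the arithmetic readable; the notes' recommendation of a prime of at least 300 decimal digits is what makes the discrete logarithm infeasible in practice.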

1.3 Introduction to Key Management and Distribution


Key management and distribution are critical aspects of cryptographic systems. They involve
generating, distributing, storing, and managing cryptographic keys securely to ensure the
confidentiality, integrity, and authenticity of data. The complexity arises from the need to
address cryptographic, protocol, and management issues.

1.3.1 Key Management in Symmetric and Public-Key Cryptography

• **Symmetric Key Cryptography**: Requires both parties to share a common secret key. The challenge lies in securely distributing this key without exposing it to unauthorized parties.

• **Public-Key Cryptography**: Requires parties to acquire valid public keys. This involves verifying the authenticity of public keys and preventing forgery.


1.4 Key Distribution in Symmetric Cryptography


Key distribution is a process of securely delivering cryptographic keys to parties who wish
to exchange encrypted data. For symmetric encryption, both parties must share a common
secret key. Key distribution can be achieved in several ways:

1. One party selects the key and physically delivers it to the other party.

2. A trusted third party selects the key and delivers it securely to both parties.

3. If the parties have previously communicated, they can use an old key to encrypt a new
key.

4. If both parties have secure communication with a trusted third party (e.g., a Key
Distribution Center or KDC), the third party can relay the key between them.

1.4.1 Key Hierarchy


Cryptographic systems often use a hierarchy of keys for better security:

• **Session Key**: A temporary key used for encrypting data during a single session.
It is discarded after the session ends.

• **Master Key**: A long-term key shared between a user and a KDC. It is used to
encrypt session keys for secure distribution.

1.5 Key Distribution Scenario Using KDC


A typical key distribution scenario using a Key Distribution Center (KDC) involves the
following steps:

1. User A requests a session key from the KDC to establish a connection with user B. The request includes A’s identity, B’s identity, and a unique nonce N1.

2. The KDC generates a one-time session key Ks and responds with:

• Ks, encrypted with A’s master key Ka.

• Information for B, including Ks and A’s identity, encrypted with B’s master key Kb.

3. User A stores Ks for use during the session and forwards the information for B to user B.

4. Using Ks, user B sends a nonce N2 to user A.

5. User A responds with a function of N2, such as f(N2) = N2 + 1, encrypted with Ks. This step ensures that the original message was not replayed.
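The five-step exchange above, played out in code with both sides' messages, as an added example for these notes (not code from the original document). Two assumptions are made: the KDC echoes the nonce N1 inside the part encrypted for A so that A can tie the reply to its own request, and, because the Python standard library has no block cipher, E(K, ·) is modelled by a small encrypt-then-MAC construction built from HMAC-SHA256 (seal/unseal), a stand-in for an AEAD such as AES-GCM. The names KDC, seal, unseal, run_exchange and demo are chosen here.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """E(key, plaintext): random nonce || ciphertext || HMAC tag over both."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; rejects anything whose tag does not verify under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds every principal's master key and issues one-time session keys (step 2)."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def issue(self, id_a: str, id_b: str, n1: str) -> bytes:
        ks = secrets.token_bytes(32)
        # Part for B: Ks and A's identity under Kb; A relays it but cannot read or alter it.
        ticket = seal(self.master_keys[id_b], json.dumps({"ks": ks.hex(), "peer": id_a}).encode())
        # Part for A: Ks, B's identity, the echoed nonce N1 and the ticket, all under Ka.
        body = {"ks": ks.hex(), "peer": id_b, "n1": n1, "ticket": ticket.hex()}
        return seal(self.master_keys[id_a], json.dumps(body).encode())


def run_exchange(kdc: KDC, ka: bytes, kb: bytes):
    """Steps 1-5 between A and B; returns (handshake ok, peer identity B sees, both hold same Ks)."""
    # Step 1: A -> KDC: ID_A, ID_B, N1 (sent in the clear).
    n1 = secrets.token_hex(8)
    reply = kdc.issue("A", "B", n1)
    # Step 2: A opens the reply with Ka and checks it answers this request, not an old one.
    msg = json.loads(unseal(ka, reply))
    if msg["n1"] != n1 or msg["peer"] != "B":
        raise ValueError("stale or mismatched KDC reply")
    ks_a = bytes.fromhex(msg["ks"])
    # Step 3: A -> B: the ticket E(Kb, [Ks, ID_A]); only B can open it.
    info = json.loads(unseal(kb, bytes.fromhex(msg["ticket"])))
    ks_b, peer = bytes.fromhex(info["ks"]), info["peer"]
    # Step 4: B -> A: E(Ks, N2).
    n2 = secrets.randbelow(2**32)
    challenge = seal(ks_b, n2.to_bytes(8, "big"))
    # Step 5: A -> B: E(Ks, f(N2)) with f(N2) = N2 + 1; B checks the answer.
    n2_seen = int.from_bytes(unseal(ks_a, challenge), "big")
    response = seal(ks_a, (n2_seen + 1).to_bytes(8, "big"))
    ok = int.from_bytes(unseal(ks_b, response), "big") == n2 + 1
    return ok, peer, ks_a == ks_b


def demo():
    """Constructed master keys for A and B; the KDC is the only other holder of them."""
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)
    return run_exchange(KDC({"A": ka, "B": kb}), ka, kb)


if __name__ == "__main__":
    print(demo())   # expected: (True, 'A', True)
```

The two checks worth noticing are in steps 2 and 5: A refuses a reply whose N1 or peer identity does not match its request, and B accepts the session only after A proves it can use Ks on a fresh N2. Both are replay defences, which is why the nonces are per-run values rather than constants.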


1.6 Key Distribution Issues


Key distribution involves several challenges:

• Hierarchies of KDCs are required for large networks but must trust each other.

• Session keys should have limited lifetimes for enhanced security.

• Automated key distribution requires trust in the system managing it.

• Decentralized key distribution avoids reliance on central authorities but can be chal-
lenging to implement.

• Controlling key usage is critical to prevent misuse or unauthorized access.

1.7 Distribution of Public Keys


Public-key cryptography requires secure distribution of public keys. Several methods are
used:

1.7.1 Public Announcement


Users broadcast their public keys or append them to messages (e.g., PGP keys). However,
this method is vulnerable to forgery since anyone can claim another’s identity.

1.7.2 Publicly Available Directory


A trusted directory registers users’ public keys along with their identities. The directory
must be secure against tampering or forgery.

1.7.3 Public-Key Authority


A public-key authority improves security by requiring users to interact with it in real-time
to obtain desired public keys securely. However, real-time access may be inconvenient or
vulnerable to tampering.

1.7.4 Public-Key Certificates


Certificates bind an identity to a public key and are signed by a trusted Certificate Authority
(CA). Certificates include additional information such as validity periods and usage rights.
They allow secure key exchange without real-time access to an authority.


1.8 Security of Public-Key Certificates


The security of public-key certificates relies on:

1. The CA’s ability to verify identities before issuing certificates.

2. The integrity of certificates through digital signatures signed by the CA’s private key.

3. Users’ ability to validate certificates using the CA’s public key.

Public-key certificates help prevent man-in-the-middle attacks: because a certificate binds an identity to a public key, a sender who encrypts with the certified public key can be sure that only the legitimate holder of the corresponding private key can decrypt the message.

1.9 Introduction to Diffie-Hellman Key Exchange


The Diffie-Hellman (DH) key exchange, proposed by Whitfield Diffie and Martin Hellman
in 1976, was the first practical public-key cryptographic protocol. It allows two parties
to securely establish a shared secret key over an insecure communication channel without
transmitting the key directly. The shared key can then be used for symmetric encryption to
secure further communication.

1.9.1 Key Features of Diffie-Hellman


• **Public-Key Distribution Scheme**: Diffie-Hellman is not used for exchanging arbitrary messages but for establishing a common secret key.

• **Mathematical Basis**: The protocol relies on exponentiation in a finite field (modulo a prime) and the difficulty of solving discrete logarithms.

• **Applications**: Widely used in protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), and Internet Protocol Security (IPSec).

1.10 Overview of Diffie-Hellman Key Exchange


The Diffie-Hellman key exchange involves the following steps:

1. Agree on global parameters:

• A large prime number q.

• A primitive root g modulo q, which serves as the base.

2. Each user generates their keys:

• Choose a private key x, where x < q.

• Compute the public key $y = g^{x} \pmod q$.

3. Exchange public keys: Each user shares their public key with the other party.

4. Compute the shared secret key: Using their private key and the other party’s public key, each user computes:

$K = y_{\text{other}}^{\,x_{\text{self}}} \pmod q$.

Both users arrive at the same shared secret $K = g^{x_A x_B} \pmod q$.

1.11 Example of Diffie-Hellman Key Exchange


Let us consider an example where Alice and Bob wish to establish a shared secret key:

1. **Global Parameters**: Alice and Bob agree on q = 353, g = 3.

2. **Private Keys**: Alice chooses her private key $x_A = 97$, and Bob chooses his private key $x_B = 233$.

3. **Public Keys**: Alice computes her public key $y_A = g^{x_A} \pmod q = 3^{97} \pmod{353} = 40$. Bob computes his public key $y_B = g^{x_B} \pmod q = 3^{233} \pmod{353} = 248$.

4. **Shared Secret Key**: After exchanging public keys, both compute the shared secret key. Alice computes $K = y_B^{\,x_A} \pmod q = 248^{97} \pmod{353} = 160$. Bob computes $K = y_A^{\,x_B} \pmod q = 40^{233} \pmod{353} = 160$.

Thus, both arrive at the same shared secret K = 160.
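The Alice/Bob run above, plus the ephemeral variant discussed later in this chapter, as an added example for these notes (not code from the original document). The names dh_public, dh_shared, worked_example, ephemeral_keypair and ephemeral_exchange are chosen here. One check has been added that the notes do not spell out: before exponentiating, a receiver rejects a peer value of 0, 1 or q − 1, since any of those would fix the shared secret to 0, 1 or ±1 regardless of the private key (this is the range test from public-key validation in NIST SP 800-56A). Nothing here authenticates the exchanged values; that is the job of the signatures or certificates discussed in section 1.12.1.

```python
import secrets


def dh_public(q: int, g: int, x: int) -> int:
    """Public value y = g^x mod q for private key x."""
    return pow(g, x, q)


def dh_shared(q: int, peer_public: int, x: int) -> int:
    """Shared secret K = y_other^x_self mod q, after validating the peer's value.

    A received value of 0, 1 or q-1 would pin K to 0, 1 or +/-1 whatever x is,
    so anything outside [2, q-2] is refused before the exponentiation.
    """
    if not (2 <= peer_public <= q - 2):
        raise ValueError("peer public value outside [2, q-2]")
    return pow(peer_public, x, q)


def worked_example():
    """The notes' run: returns (y_A, y_B, K computed by Alice, K computed by Bob)."""
    q, g, x_a, x_b = 353, 3, 97, 233
    y_a, y_b = dh_public(q, g, x_a), dh_public(q, g, x_b)
    return y_a, y_b, dh_shared(q, y_b, x_a), dh_shared(q, y_a, x_b)


def ephemeral_keypair(q: int, g: int):
    """Fresh (x, y) for one session; redrawn if y would fail the peer's range check."""
    while True:
        x = secrets.randbelow(q - 2) + 1       # uniform in {1, ..., q-2}
        y = dh_public(q, g, x)
        if 2 <= y <= q - 2:
            return x, y


def ephemeral_exchange(q: int, g: int):
    """Both sides draw fresh keys; returns the secret each side derives (they must agree)."""
    x_a, y_a = ephemeral_keypair(q, g)
    x_b, y_b = ephemeral_keypair(q, g)
    return dh_shared(q, y_b, x_a), dh_shared(q, y_a, x_b)


if __name__ == "__main__":
    print(worked_example())          # the notes give (40, 248, 160, 160)
    print(ephemeral_exchange(353, 3))
```

With q = 353 the secret can be found by trying every exponent, which is exactly why real parameters use a prime of thousands of bits (or an elliptic-curve group); the structure of the exchange is unchanged.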

1.12 Security of Diffie-Hellman Key Exchange


The security of the Diffie-Hellman protocol is based on the difficulty of solving discrete
logarithm problems. An attacker attempting to derive the shared secret would need to
compute either xA or xB from their corresponding public keys, which is computationally
infeasible for large primes.

1.12.1 Vulnerabilities and Mitigation


• **Man-in-the-Middle Attack**: Without authentication, an attacker can intercept
public keys and impersonate both parties. This can be mitigated by using digital
signatures or certificates to authenticate keys.
• **Ephemeral Keys**: Using ephemeral (temporary) keys for each session provides
forward secrecy, ensuring that past communications remain secure even if long-term
keys are compromised.


1.13 Applications of Diffie-Hellman Key Exchange


Diffie-Hellman is widely used in various cryptographic protocols and systems, including:

• **Secure Sockets Layer (SSL)/Transport Layer Security (TLS)**: For establishing secure connections over the internet.

• **Secure Shell (SSH)**: For secure remote login and file transfer.

• **Internet Protocol Security (IPSec)**: For encrypting network traffic in VPNs.

• **Public Key Infrastructure (PKI)**: For secure distribution of cryptographic keys.

1.14 Mathematical Explanation of Shared Key Computation

The shared secret key $K_{AB} = g^{x_A x_B} \pmod q$ is derived as follows. Alice computes:

$K_{AB} = y_B^{\,x_A} \pmod q = (g^{x_B})^{x_A} \pmod q = g^{x_A x_B} \pmod q$.

Similarly, Bob computes:

$K_{AB} = y_A^{\,x_B} \pmod q = (g^{x_A})^{x_B} \pmod q = g^{x_A x_B} \pmod q$.

Thus, both parties independently compute the same shared secret using modular arithmetic.

1.15 Key Exchange Protocol Variants


There are two common approaches to using Diffie-Hellman in practice:

1. **Ephemeral Keys**: Generate new private-public key pairs for every session to ensure forward secrecy.

2. **Static Keys**: Use long-term private-public key pairs published in directories. While convenient, this method is more vulnerable to attacks unless combined with authentication mechanisms.

Authentication mechanisms are essential to prevent man-in-the-middle attacks during the exchange process.


1.16 Introduction to Hash Functions


Hashing is a cryptographic method that transforms data of any size or type into a fixed-length string called a hash value or message digest, which serves as a practically unique fingerprint of the input. Hash functions play a crucial role in ensuring data integrity, authentication, and security in various applications.

1.16.1 Key Features of Hash Functions


• **Fixed Output Size**: Regardless of the input size, the output of a hash function is
always of fixed length.
• **Collision Resistance**: It is computationally infeasible to find two different inputs
that produce the same hash value.
• **One-Way Property**: It is computationally infeasible to reverse-engineer the input
from its hash value.
• **Change Detection**: Any alteration in the input data results in a significantly
different hash value.

1.17 Cryptographic Hash Functions


Cryptographic hash functions are enhanced versions of typical hash functions, designed to
meet stringent security requirements. These functions are widely used in cryptography for
purposes such as password storage, digital signatures, and message authentication.

1.17.1 Requirements for Cryptographic Hash Functions


A cryptographic hash function must satisfy the following properties:
1. **Preimage Resistance**: It should be infeasible to find an input that maps to a given
hash value.
2. **Second Preimage Resistance**: It should be infeasible to find another input that
produces the same hash as a given input.
3. **Collision Resistance**: It should be infeasible to find any two distinct inputs that
produce the same hash value.
4. **Deterministic Output**: For the same input, the function must always produce the
same hash value.

1.18 Internals of a Hash Function


Many cryptographic hash functions use the Merkle-Damgård construction. This construction extends a fixed-input-length compression function to inputs of arbitrary length by applying it iteratively to blocks of the input, and it inherits the collision resistance of the compression function: a collision in the overall hash implies a collision in the compression function.


1.18.1 Merkle-Damgård Construction


The Merkle-Damgård paradigm operates as follows:

1. **Padding**: The input message is padded to ensure its length is a multiple of the
block size. Padding involves appending a ’1’ bit followed by ’0’ bits and then appending
the length of the original message.

2. **Initialization**: A predefined initial value (IV) serves as the starting point for hash
computation.

3. **Processing Blocks**: The padded message is divided into fixed-size blocks. Each
block is processed iteratively using a compression function. The output of one iteration
becomes the input for the next iteration.

4. **Finalization**: After all blocks are processed, the final output is the hash value.
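The four steps above, as an added example for these notes (not code from the original document). It uses SHA-256-style parameters (64-byte blocks, a 64-bit big-endian length field) for the padding, and a stand-in compression function: SHA-256 applied to (chaining value || block). That stand-in is chosen only so the example runs with the standard library; a real design has its own compression function. The names BLOCK, IV, md_pad, compress and md_hash are chosen here.

```python
import hashlib
import struct

BLOCK = 64          # block size in bytes (512 bits, as in SHA-256)
IV = bytes(32)      # predefined initial value for the chaining variable (all-zero here)


def md_pad(message: bytes) -> bytes:
    """Step 1: append a '1' bit (0x80), then '0' bits, then the 64-bit message length.

    The zero run is sized so that the padded message is a multiple of BLOCK bytes
    once the 8-byte length field is appended.
    """
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded)) % BLOCK)
    padded += struct.pack(">Q", bit_length)
    assert len(padded) % BLOCK == 0
    return padded


def compress(chaining: bytes, block: bytes) -> bytes:
    """Stand-in compression function f(h, m) -> 32-byte h'. Not a real design."""
    return hashlib.sha256(chaining + block).digest()


def md_hash(message: bytes) -> bytes:
    """Steps 2-4: start from IV, chain the compression function over every block."""
    h = IV
    padded = md_pad(message)
    for offset in range(0, len(padded), BLOCK):
        h = compress(h, padded[offset:offset + BLOCK])
    return h            # step 4: the final chaining value is the digest


if __name__ == "__main__":
    for n in (0, 55, 56, 64):
        print(n, "byte message pads to", len(md_pad(b"a" * n)), "bytes")
    print(md_hash(b"abc").hex())
```

The length field is what keeps messages with different lengths from padding to the same block sequence (Merkle-Damgård strengthening); the boundary cases in the usage, 55 and 56 bytes, show the padding spilling into a second block as soon as there is no room for the 8-byte length.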

1.19 Uses of Hash Functions


Hash functions are employed in various cryptographic applications:

1. **Message Integrity Check (MIC)**:

• Send only the hash (digest) of a message for integrity verification.

• The MIC can be encrypted while optionally encrypting the message itself.

2. **Message Authentication Code (MAC)**:

• Send a keyed hash of the message for authentication.

• A MAC ensures authenticity even if confidentiality is not required.

3. **Digital Signatures**:

• Encrypt the hash with a private key to create a digital signature.

• Verify authenticity using the sender’s public key.

1.20 Hash Functions and Message Authentication


Hash functions are integral to message authentication mechanisms:

1. **Unkeyed Hash with Symmetric Encryption**: Encrypt both the message and its
concatenated hash code using symmetric encryption. This ensures both authenticity
and confidentiality.

2. **Unkeyed Hash without Message Encryption**: Encrypt only the hash code using
symmetric encryption. This reduces processing overhead when confidentiality is not
required.


3. **Keyed Hash with Symmetric Encryption**: Share a secret key between parties and
compute hashes over concatenated messages and keys. Confidentiality can be added
by encrypting both message and hash code.

1.21 Digital Signatures Using Hash Functions


Digital signatures combine hashing with public-key cryptography:
1. Compute the hash value of the message.
2. Encrypt this hash with the sender’s private key to create a digital signature.
3. Recipients verify authenticity using the sender’s public key. This ensures both authentication and non-repudiation.

For additional confidentiality, encrypt both the message and its private-key-encrypted hash using symmetric encryption.

1.22 Other Applications of Hash Functions


Hash functions have versatile applications beyond authentication:
1. **Password Storage**: Store hashed passwords instead of plaintext passwords. Use
techniques like salting to deter precomputation attacks (e.g., rainbow tables).
2. **Intrusion Detection and Virus Detection**: Maintain hashes of system files and
periodically verify their integrity (e.g., Tripwire).
3. **Pseudorandom Function (PRF) and Pseudorandom Number Generator (PRNG)**:
Construct PRFs or PRNGs using cryptographic hashes for generating session keys,
nonces, or random numbers securely.
4. **One-Way Password Files**: Create secure password files by hashing passwords with
salt values (e.g., Unix systems).

1.23 Performance Comparisons of Hash Algorithms


The speed performance of popular cryptographic hash algorithms is as follows:

| Algorithm   | Speed (MiByte/s) |
|-------------|------------------|
| AES-128/CTR | 198              |
| MD5         | 335              |
| SHA-1       | 192              |
| SHA-256     | 139              |
| SHA-3       | SHA-256          |

NIST anticipates SHA-2 to remain widely used for years, with SHA-3 serving as its companion algorithm.


1.24 Conclusion on Hash Functions


Hash functions are indispensable tools in cryptography for ensuring data integrity, authentication, confidentiality, and non-repudiation. Their versatility extends across password storage, intrusion detection, pseudorandom number generation, digital signatures, and more.

1.25 Introduction to Secure Hash Algorithm


The Secure Hash Algorithm (SHA) family is a set of cryptographic hash functions designed
to ensure data integrity, authentication, and security. Developed by the National Institute of
Standards and Technology (NIST) and the National Security Agency (NSA), SHA algorithms
are widely used in digital signatures, certificates, and secure communication protocols.

1.25.1 Evolution of SHA


• **SHA-0**: Introduced in 1993 but quickly withdrawn due to undisclosed flaws.

• **SHA-1**: Released in 1995 as an improvement over SHA-0, producing a 160-bit hash value. However, vulnerabilities to collision attacks led to its deprecation for most cryptographic uses by 2010.

• **SHA-2**: Published in 2001, SHA-2 includes multiple variants (SHA-224, SHA-256, SHA-384, and SHA-512) offering enhanced security through longer hash lengths.

• **SHA-3**: Standardized in 2015 as a next-generation hash function based on the Keccak algorithm. It complements SHA-2 with a different internal structure for added security.

1.26 Overview of SHA-2


SHA-2 is a family of cryptographic hash functions designed for superior security compared
to its predecessor, SHA-1. It includes six variants:

• **SHA-224**: Produces a 224-bit hash, suitable for constrained environments.

• **SHA-256**: Generates a 256-bit hash and is widely used for secure applications.

• **SHA-384**: Produces a 384-bit hash for high-security use cases.

• **SHA-512**: Generates a 512-bit hash for applications requiring robust security.

• **SHA-512/224** and **SHA-512/256**: Truncated versions of SHA-512 with different initial values.


1.26.1 Key Features of SHA-2


1. **Collision Resistance**: Minimizes the risk of two inputs producing the same hash value.

2. **Preimage Resistance**: Makes it computationally infeasible to reverse-engineer the original input from its hash value.

3. **Fixed Output Size**: Ensures uniformity regardless of input size.

4. **Wide Compatibility**: Supported across modern systems and applications like SSL/TLS encryption and digital certificates.

1.27 Overview of SHA-512


SHA-512 is one of the most robust variants in the SHA-2 family. It generates a 512-bit hash
value and processes data in 1024-bit blocks using advanced techniques like modular addition,
bitwise operations, and rotations.

1.27.1 Steps in SHA-512 Algorithm


The SHA-512 algorithm follows these steps:

1. **Padding**: Append a single ’1’ bit followed by ’0’ bits until the message length is congruent to 896 modulo 1024. Append the length of the original message as a 128-bit integer.

2. **Initialization**: Use predefined constants derived from the fractional parts of the square roots of prime numbers to initialize eight 64-bit registers ($a, b, c, d, e, f, g, h$).

3. **Processing Blocks**: Divide the padded message into 1024-bit blocks. Each block undergoes:

(a) Compression using logical functions such as AND, XOR, and rotation.

(b) Updating of intermediate values using round constants $K_t$ derived from the cube roots of prime numbers.

4. **Finalization**: After processing all blocks, output the final state value as the resulting hash.

1.27.2 Structure of SHA-512 Compression Function


The compression function processes each block in 80 rounds:

1. Each round updates an intermediate buffer using:

• Majority function $\mathrm{Maj}(a, b, c) = (a \wedge b) \oplus (a \wedge c) \oplus (b \wedge c)$.

• Conditional function $\mathrm{Ch}(e, f, g) = (e \wedge f) \oplus (\neg e \wedge g)$.

• Rotation function $\mathrm{ROTR}(x, n) = x \ggg n$ (circular right shift of the 64-bit word $x$ by $n$ bits).

2. Round constants $K_t$ are based on the cube roots of prime numbers.

3. Intermediate values are shuffled using logical operations to ensure the avalanche effect and completeness properties.

1.28 Security Concerns with SHA Algorithms


While SHA algorithms are considered secure:

1. **SHA-1 Vulnerabilities**: Collision attacks make it unsuitable for modern cryptographic applications. Researchers demonstrated practical collisions in 2017 (the "SHAttered" attack).

2. **SHA-2 Strengths**: Resistant to collision attacks due to longer hash lengths and improved mathematical structure.

3. **Future-Proofing with SHA-3**: Designed to resist quantum computing attacks using the sponge construction and the Keccak algorithm.

1.29 Applications of Secure Hash Algorithms


Secure Hash Algorithms are widely used in various domains:

1. **Digital Signatures**: Ensure authenticity and non-repudiation by hashing messages before signing them with private keys.

2. **Data Integrity Checks**: Verify that data has not been tampered with during transmission or storage.

3. **Blockchain Technology**: Maintain immutability and integrity in distributed ledgers by hashing transaction data.

4. **Cryptographic Protocols**: Enhance secure communication through integration with SSL/TLS encryption standards.

1.30 Conclusion on Secure Hash Algorithms


Secure Hash Algorithms are indispensable tools for ensuring data integrity, authentication, and security. The evolution from vulnerable algorithms like SHA-1 to robust ones like SHA-2 and quantum-resistant ones like SHA-3 demonstrates ongoing efforts to address emerging threats.


Table 1.1: Comparison of SHA Variants

| Algorithm | Output Size (bits) | Block Size (bits) | Rounds   | Security Level    |
|-----------|--------------------|-------------------|----------|-------------------|
| SHA-1     | 160                | 512               | 80       | Vulnerable        |
| SHA-256   | 256                | 512               | 64       | Strong            |
| SHA-384   | 384                | 1024              | 80       | Strong            |
| SHA-512   | 512                | 1024              | 80       | Very Strong       |
| SHA-3     | Variable           | Variable          | Variable | Quantum Resistant |

1.31 Introduction to Message Authentication Codes


A Message Authentication Code (MAC) is a cryptographic technique used to ensure both the integrity and authenticity of a message. It combines a secret key and the message to generate a small fixed-size block of data, often referred to as a "tag" or "checksum". The MAC is appended to the message and verified by the recipient using the same secret key.

1.31.1 Key Features of MACs


• **Data Integrity**: Ensures that the message has not been altered during transmission.

• **Authentication**: Confirms that the message originated from the stated sender.

• **Efficiency**: Generates a fixed-size output regardless of the input size.

• **Symmetry**: Both sender and receiver use the same secret key.

1.32 How MAC Works


The process of generating and verifying a MAC involves:

1. **Message Input**: The sender inputs the message $M$ and a shared secret key $K$ into a MAC algorithm.

2. **MAC Generation**: The algorithm produces a fixed-size tag $C(K, M)$, which is appended to the message.

3. **Message Transmission**: The message and MAC are sent to the recipient over an unsecured channel.

4. **MAC Verification**: The recipient computes the MAC using $M$ and $K$. If it matches the received MAC, the message is authenticated.


1.33 Types of MAC Algorithms


Several types of MAC algorithms exist, including:

1. **Hash-Based Message Authentication Code (HMAC)**:
• Uses a cryptographic hash function (e.g., SHA-256) combined with a secret key.
• Defined as
$\mathrm{HMAC}(K, M) = H((K^+ \oplus \text{opad}) \,\|\, H((K^+ \oplus \text{ipad}) \,\|\, M))$,
where $K^+$ is the padded key, and $\text{opad}$, $\text{ipad}$ are constants.
• Widely used in SSL/TLS, IPsec, and JSON Web Tokens.

2. **Cipher-Based Message Authentication Code (CMAC)**:
• Based on symmetric block ciphers like AES.
• Suitable for messages of any length.

3. **Keccak Message Authentication Code (KMAC)**:
• Based on the Keccak algorithm (used in SHA-3).
• Offers variable-length output sizes (e.g., KMAC128, KMAC256).

1.34 Applications of MACs


MACs are widely used in various scenarios:
1. **Message Integrity**: Ensures that messages are not tampered with during transmission.
2. **Authentication Protocols**: Verifies that messages originate from authorized senders.
3. **Encrypted Communications**: Used alongside encryption for authenticated encryption schemes like AES-GCM or ChaCha20-Poly1305.
4. **Password Management**: Generates secure hashes for storing passwords or session tokens.

1.35 Security Requirements for MACs


To ensure security, MACs must satisfy the following properties:
1. **Collision Resistance**: It should be infeasible to find two different messages with
the same MAC value.
2. **Key Security**: The secret key must remain confidential to prevent unauthorized
MAC generation or verification.
3. **Uniform Distribution**: The generated MAC values should be uniformly distributed
across all possible outputs.


1.36 HMAC Overview


HMAC (Hash-Based Message Authentication Code) is one of the most widely used MAC
algorithms. It provides enhanced security by combining a cryptographic hash function with
a secret key.

1.36.1 HMAC Construction


The HMAC construction involves two passes of hashing:

1. Derive two keys from $K^+ = K \,\|\, 0^n$, where $n = \text{blocksize} - |K|$:
• Inner key: $K_{in} = K^+ \oplus \text{ipad}$,
• Outer key: $K_{out} = K^+ \oplus \text{opad}$.

2. Compute:
$\mathrm{HMAC}(K, M) = H(K_{out} \,\|\, H(K_{in} \,\|\, M))$.

1.36.2 HMAC Security Properties


HMAC’s security relies on:
1. The cryptographic strength of the underlying hash function (e.g., SHA-256).
2. Resistance to extension attacks due to its two-pass construction.
3. Immunity to birthday attacks when using sufficiently long hash outputs (e.g., 256 bits).
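The two-pass formula of section 1.36.1 written out in Python, as an added example rather than the notes' own code, and cross-checked against the standard library's `hmac` module. It also handles the case that the definition $K^+ = K \,\|\, 0^n$ leaves implicit: a key longer than the hash block size is first replaced by its hash, as RFC 2104 specifies. Verification uses `hmac.compare_digest`, so a wrong tag is not rejected byte-by-byte with a measurable timing difference.

```python
import hashlib
import hmac

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H((K+ xor opad) || H((K+ xor ipad) || M)).
    K+ is K zero-padded to the hash block size. A key longer than the block
    size is first replaced by H(K) (RFC 2104), the case K+ = K || 0^n leaves out."""
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_size, b"\x00")
    k_in = bytes(b ^ IPAD_BYTE for b in k_plus)      # K_in  = K+ xor ipad
    k_out = bytes(b ^ OPAD_BYTE for b in k_plus)     # K_out = K+ xor opad
    inner = hashlib.new(hash_name, k_in + message).digest()
    return hashlib.new(hash_name, k_out + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute and compare in constant time; a plain == would stop at the
    first differing byte and leak how much of a wrong tag was right."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the textbook construction against the standard library."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())
```

The outer pass is what closes the extension property of the underlying Merkle-Damgård hash: the inner digest is never exposed, so knowing a tag gives no chaining value to continue from. In production code the standard library's `hmac.new` is the right call; the hand-written version is for understanding the formula.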

Table 1.2: Comparison of Common MAC Algorithms

| Algorithm | Underlying Function     | Strengths                           | Use Cases                   |
|-----------|-------------------------|-------------------------------------|-----------------------------|
| HMAC      | Hash functions (SHA-2)  | Strong security; widely supported   | TLS, IPsec, JSON Web Tokens |
| CMAC      | Symmetric block ciphers | Efficient for fixed-length messages | AES-based encryption pr…    |
| KMAC      | Keccak algorithm        | Flexible output sizes; secure       | SHA-3-based applications    |

1.37 Conclusion on Message Authentication Codes


Message Authentication Codes are essential tools for ensuring data integrity and authenticity
in modern cryptographic systems. Their versatility across various protocols and applications
makes them indispensable in securing digital communications.

1.38 Data Authentication Algorithm (DAA)


The Data Authentication Algorithm (DAA) is a Message Authentication Code (MAC) based
on the Cipher Block Chaining (CBC) mode of operation of the DES encryption algorithm.
Although widely used in the past, DAA is now considered obsolete due to its limitations.


1.38.1 Working of DAA


1. The data to be authenticated (e.g., message, file, or program) is divided into 64-bit blocks: $D_1, D_2, \ldots, D_N$.

2. If necessary, the final block is padded with zeroes to form a full 64-bit block.

3. Using DES encryption $E$ and a secret key $K$, a Data Authentication Code (DAC) is computed as
$\mathrm{DAC} = E_K(D_N)$,
where $D_N$ is the final block after CBC processing (the last block XORed with the preceding ciphertext block).

1.38.2 Limitations of DAA


• DAA can only handle fixed-length messages.

• Vulnerable to certain cryptographic attacks due to its reliance on DES.

• Replaced by more secure algorithms like CMAC.

1.39 Cipher-Based Message Authentication Code (CMAC)


CMAC (Cipher-Based Message Authentication Code) was introduced to overcome the limitations of DAA. It is based on block ciphers like AES or Triple DES and provides strong security for message authentication.

1.39.1 Working of CMAC


1. The message is divided into $n$-bit blocks $M_1, M_2, \ldots, M_n$. If necessary, the final block is padded.

2. Two subkeys $K_1$ and $K_2$ are derived from the main key $K$ using encryption of a zero block and multiplication in $GF(2^n)$.

3. The MAC value $T$ is computed as
$T = \mathrm{MSB}_{T_{len}}(E_K(M_n \oplus K_1))$,
where $\mathrm{MSB}_{T_{len}}(X)$ denotes the $T_{len}$ most significant bits of $X$.

4. Intermediate blocks are processed iteratively using XOR and encryption:
$C_i = E_K(M_i \oplus C_{i-1})$,
where $C_0 = 0^n$.


1.39.2 Advantages of CMAC


• Supports variable-length messages.
• Provides strong resistance against forgery attacks.
• Compatible with modern block ciphers like AES with key sizes of 128, 192, or 256 bits.
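The CMAC procedure of section 1.39.1 in Python, as an added example rather than the notes' own code: subkeys derived by doubling in $GF(2^{128})$, $K_1$ for a complete final block and $K_2$ for a padded one, CBC-style chaining, and $\mathrm{M SB}_{T_{len}}$ truncation. It goes one step beyond the formula for $T$ above in that the final block is XORed with $C_{n-1}$ as well as with the subkey, which is how the chaining reaches the tag. Because the standard library has no AES, $E_K$ is replaced by a SHA-256-derived stand-in (an assumption; CMAC only ever uses the forward direction of the cipher, so the structure is unchanged). The plain CBC chaining without the subkey tweak is the DAA core of section 1.38, included for contrast.

```python
import hashlib

BLOCK = 16          # 128-bit blocks, as with AES
R_B = 0x87          # reduction constant for doubling in GF(2^128)


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (assumption): real CMAC uses AES here. Only the forward
    direction of the cipher is ever needed, so a hash-derived stand-in keeps the
    structure intact while running with the standard library alone."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dbl(x: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left one bit; if the bit shifted out
    was 1, XOR the reduction constant into the low byte."""
    n = int.from_bytes(x, "big") << 1
    if n >> 128:
        n = (n ^ R_B) & ((1 << 128) - 1)
    return n.to_bytes(BLOCK, "big")


def subkeys(key: bytes):
    """K1 = dbl(L), K2 = dbl(K1), where L = E_K(0^n)."""
    l_block = block_cipher(key, bytes(BLOCK))
    k1 = dbl(l_block)
    return k1, dbl(k1)


def cmac(key: bytes, message: bytes, tlen: int = BLOCK) -> bytes:
    """T = MSB_Tlen(E_K(M_n' xor C_{n-1})) where M_n' is the final block XORed
    with K1 (complete) or padded with 10...0 and XORed with K2 (incomplete)."""
    k1, k2 = subkeys(key)
    n_blocks = max(1, (len(message) + BLOCK - 1) // BLOCK)   # empty message: one padded block
    last = message[(n_blocks - 1) * BLOCK:]
    if len(last) == BLOCK:
        last = xor(last, k1)
    else:
        last = xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), k2)
    c = bytes(BLOCK)                                         # C_0 = 0^n
    for i in range(n_blocks - 1):
        c = block_cipher(key, xor(message[i * BLOCK:(i + 1) * BLOCK], c))   # C_i = E_K(M_i xor C_{i-1})
    return block_cipher(key, xor(last, c))[:tlen]            # MSB_Tlen of the final encryption


def cbc_mac_fixed_length(key: bytes, message: bytes) -> bytes:
    """The DAA/CBC-MAC core of 1.38 without subkeys, for contrast: the same
    chaining, but only safe when every message has one agreed fixed length."""
    assert message and len(message) % BLOCK == 0
    c = bytes(BLOCK)
    for i in range(0, len(message), BLOCK):
        c = block_cipher(key, xor(message[i:i + BLOCK], c))
    return c
```

The two subkeys are what let CMAC accept variable-length input: a message that ends on a block boundary and a shorter one whose padding makes it end on the same boundary are distinguished by $K_1$ versus $K_2$, which plain CBC-MAC cannot do. The test below checks exactly that pair of inputs.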

1.40 Introduction to Key Wrapping


Key wrapping is a cryptographic technique used to securely encrypt one key using another key. It ensures both confidentiality and integrity during storage or transmission over untrusted channels.

1.40.1 Purpose of Key Wrapping


Key wrapping serves the following purposes:
• Securely exchange symmetric keys between parties using a shared symmetric key called
the Key Encryption Key (KEK).
• Protect cryptographic keys from unauthorized access in untrusted environments.
• Enable frequent rotation of lower-level keys while keeping higher-level keys secure.

1.41 Key Wrapping Algorithm


The key wrapping algorithm operates as follows:

1. Input consists of:
• A 64-bit constant Initialization Vector (IV).
• A plaintext key divided into 64-bit blocks.

2. Ciphertext output is one block longer than the plaintext to accommodate the IV.

3. During decryption (unwrapping), both the plaintext key and the IV are recovered. If the recovered IV differs from its original value (e.g., hexadecimal A6A6...A6A6), an error or alteration is detected.

1.41.1 Key Wrapping for 256-Bit Keys


For a 256-bit key ($n = 4$ blocks of 64 bits):

• Each encryption stage processes one block using AES or Triple DES.
• The output of each stage feeds into subsequent stages through a sliding buffer: after stage $t$, $R(t, 1) = R(t-1, 2)$, $R(t, 2) = R(t-1, 3)$, and so on up to $R(t, n)$.

Key wrapping provides both confidentiality and integrity for cryptographic keys.
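The wrap and unwrap procedure of section 1.41 in Python, as an added example rather than the notes' own code. It follows the index form of RFC 3394, which performs the same computation as the sliding-buffer description above (the buffer position $R(t, i)$ becomes the array slot `r[i]` updated in place). The 128-bit block cipher is a small hash-based Feistel network standing in for AES, an assumption made only because the standard library has no AES; it is invertible, which unwrapping requires. The IV comparison at the end of unwrapping is the integrity check the notes describe: any modified byte, or a wrong key-encryption key, changes the recovered IV.

```python
import hashlib

IV = bytes.fromhex("A6A6A6A6A6A6A6A6")   # RFC 3394 default 64-bit IV
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: 64 bits derived from key, round number and half-block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (assumption): a 4-round Feistel network."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, r, i))
    return l + r


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt: same rounds in reverse order."""
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def wrap(kek: bytes, plaintext_key: bytes) -> bytes:
    """Wrap a key of n 64-bit blocks; the output is n + 1 blocks (IV block first)."""
    if len(plaintext_key) % 8 or len(plaintext_key) < 16:
        raise ValueError("key must be a whole number of 64-bit blocks, at least two")
    n = len(plaintext_key) // 8
    a = IV
    r = [plaintext_key[i * 8:(i + 1) * 8] for i in range(n)]
    for j in range(6):                               # six passes over the buffer
        for i in range(n):
            b = toy_encrypt(kek, a + r[i])
            t = n * j + i + 1                        # step counter mixed into A
            a = xor(b[:8], t.to_bytes(8, "big"))
            r[i] = b[8:]
    return a + b"".join(r)


def unwrap(kek: bytes, wrapped: bytes) -> bytes:
    """Invert wrap and check the recovered IV; raise on any integrity failure."""
    if len(wrapped) % 8 or len(wrapped) < 24:
        raise ValueError("wrapped key must be a whole number of 64-bit blocks, at least three")
    n = len(wrapped) // 8 - 1
    a = wrapped[:8]
    r = [wrapped[(i + 1) * 8:(i + 2) * 8] for i in range(n)]
    for j in reversed(range(6)):
        for i in reversed(range(n)):
            t = n * j + i + 1
            b = toy_decrypt(kek, xor(a, t.to_bytes(8, "big")) + r[i])
            a = b[:8]
            r[i] = b[8:]
    if a != IV:
        raise ValueError("integrity check failed: recovered IV does not match")
    return b"".join(r)
```

A 256-bit key wraps to 40 bytes, one 64-bit block longer than the input, exactly as item 2 above states. Treat the `ValueError` from `unwrap` as a hard failure: the recovered bytes before the check are not a key, they are garbage that must not be used.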


1.42 Introduction to PRNGs


A Pseudorandom Number Generator (PRNG) produces sequences of numbers that approximate true randomness. In cryptography, PRNGs are essential for generating session keys, nonces, and other random values.

1.42.1 Essential Elements of PRNGs


PRNGs consist of:

1. **Seed Value**: A truly random initial value that determines the sequence.

2. **Deterministic Algorithm**: Generates pseudorandom bits based on the seed. The seed acts as a secret key in cryptographic applications.

**PRNG Using Hash Functions**. The hash-based PRNG works as follows:

(a) Start with an initial seed value $V_0$. Example: the SHA-256-based PRNG of ISO 18031 / NIST SP 800-90, which repeatedly hashes the seed combined with a counter.


(b) Compute the hash of the seed value:
$V_1 = H(V_0 + 1)$,
where $H$ is a cryptographic hash function (e.g., SHA-256).

(c) Extract $n$ bits from the hash output as the pseudorandom value:
$R = \mathrm{MSB}_n(V_1)$,
where $\mathrm{MSB}_n(X)$ denotes the most significant $n$ bits of $X$.

(d) Repeat the process to generate subsequent pseudorandom values:
$V_{i+1} = H(V_i + 1)$.

1.47.2 Security of Hash-Based PRNGs


Hash-based PRNGs are secure if:

• A strong cryptographic hash function is used (e.g., SHA-256 or SHA-512).
• The seed value remains secret and unpredictable.
• The hash function resists preimage and collision attacks.

**PRNG Using MACs**. MAC-based PRNGs generate pseudorandom values using a secret key and a deterministic algorithm. They are widely used in cryptographic protocols and standards like IEEE 802.11i, TLS, and NIST SP 800-90.

1.47.3 Working of MAC-Based PRNGs


(a) Start with an initial seed value $S_0$ and a secret key $K$.

(b) Compute the MAC of the seed value:
$S_1 = \mathrm{MAC}(K, S_0)$,
where $\mathrm{MAC}(K, M)$ is a keyed hash function (e.g., HMAC).

(c) Extract $n$ bits from the MAC output as the pseudorandom value:
$R = \mathrm{MSB}_n(S_1)$.

(d) Repeat the process to generate subsequent pseudorandom values:
$S_{i+1} = \mathrm{MAC}(K, S_i)$.


1.47.4 Advantages of MAC-Based PRNGs


• Provides strong security due to the use of a secret key.
• Resistant to attacks that target unkeyed hash-based PRNGs.
• Suitable for applications requiring high levels of randomness and security.
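Both generators, the hash-based one of section 1.47.1 and the MAC-based one of section 1.47.3, in Python as an added example (not the notes' code). The state update $V_{i+1} = H(V_i + 1)$ uses SHA-256 on the state held as a 256-bit integer, $S_{i+1} = \mathrm{MAC}(K, S_i)$ uses HMAC-SHA256, and each output is $\mathrm{MSB}_n$ of the new state. `fresh_seed` draws the seed from the operating system's entropy source, which is the "truly random initial value" the notes require; a seed from `random.random()` would make every subsequent output predictable.

```python
import hashlib
import hmac
import os

DIGEST_BITS = 256   # state size of SHA-256 and HMAC-SHA256


def fresh_seed() -> int:
    """A truly random 256-bit seed from the OS entropy source (never random.random())."""
    return int.from_bytes(os.urandom(DIGEST_BITS // 8), "big")


def hash_prng(seed: int, count: int, n_bits: int = 64) -> list:
    """Hash-based PRNG: V_{i+1} = H(V_i + 1), R_i = MSB_n(V_{i+1}), with H = SHA-256.
    The state V is a 256-bit integer; the seed must stay secret."""
    if not 0 < n_bits <= DIGEST_BITS:
        raise ValueError("n_bits must be between 1 and the digest size")
    v = seed % (1 << DIGEST_BITS)
    outputs = []
    for _ in range(count):
        counter_input = ((v + 1) % (1 << DIGEST_BITS)).to_bytes(DIGEST_BITS // 8, "big")
        v = int.from_bytes(hashlib.sha256(counter_input).digest(), "big")
        outputs.append(v >> (DIGEST_BITS - n_bits))    # most significant n bits
    return outputs


def mac_prng(key: bytes, seed: bytes, count: int, n_bits: int = 64) -> list:
    """MAC-based PRNG: S_{i+1} = MAC(K, S_i), R_i = MSB_n(S_{i+1}), with HMAC-SHA256.
    Without K, an observer of the outputs cannot run the generator forward."""
    if not 0 < n_bits <= DIGEST_BITS:
        raise ValueError("n_bits must be between 1 and the digest size")
    s = seed
    outputs = []
    for _ in range(count):
        s = hmac.new(key, s, "sha256").digest()
        outputs.append(int.from_bytes(s, "big") >> (DIGEST_BITS - n_bits))
    return outputs
```

Note that with $n = 256$ the hash-based generator hands out its entire state, so anyone who sees one output can compute all later ones; choosing $n$ well below the digest size, or using the keyed variant, is what keeps the sequence unpredictable from its outputs.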

1.48 Applications of PRNGs in Cryptography


PRNGs are essential for various cryptographic applications:

(a) **Session Key Generation**: Generate unique keys for secure communication sessions.
(b) **Nonce Generation**: Create random nonces for authentication protocols.
(c) **Password Derivation**: Derive secure passwords from user input or master keys.
(d) **Random Number Generation for Protocols**: Provide randomness in encryption schemes like RSA or ECC.

Comparison of PRNG Approaches

Table 1.3: Comparison of PRNG Approaches

| PRNG Type             | Algorithm Used                                  | Strengths                                      |
|-----------------------|-------------------------------------------------|------------------------------------------------|
| Hash-Based PRNG       | Cryptographic hash functions (SHA-256, SHA-512) | Secure if a strong hash function is used       |
| MAC-Based PRNG        | Keyed hash functions (HMAC)                     | Strong security due to the use of a secret key |
| Encryption-Based PRNG | Block ciphers (AES, Triple DES)                 | High performance; fl…                          |

1.49 Conclusion on Pseudorandom Number Generation

Pseudorandom Number Generators are vital components in cryptographic systems. By leveraging cryptographic hash functions, MACs, or encryption algorithms, PRNGs ensure secure generation of random values for various applications such as session keys, nonces, and password derivation.

Chapter 2

Digital Signature Algorithm (DSA)

2.1 Introduction to Digital Signatures


Digital signatures provide a mechanism for ensuring the authenticity, integrity, and non-repudiation of digital messages. They allow:

• Verification of the author, date, and time of the signature.
• Authentication of message contents.
• Resolution of disputes by enabling third-party verification.

Digital signatures combine authentication functions with additional capabilities to provide robust security in communication.

2.2 Digital Signature Model


The digital signature model involves:

(a) **Signing**: The sender signs with their private key, applied either to the message itself or to a hash of the message.
(b) **Verification**: The recipient verifies the signature using the sender’s public key.
(c) **Authentication**: Ensures that only the sender could have produced the signature.
(d) **Integrity**: Confirms that the message has not been altered during transmission.


2.3 Attacks and Forgeries


Digital signatures are vulnerable to various attacks:

• **Types of Attacks**:
(a) Key-only attack.
(b) Known message attack.
(c) Generic chosen message attack.
(d) Directed chosen message attack.
(e) Adaptive chosen message attack.

• **Break Success Levels**:
(a) Total break: recovering the private key.
(b) Selective forgery: creating a valid signature for a specific message.
(c) Existential forgery: creating a valid signature for some arbitrary message, without control over its content.

2.4 Requirements for Digital Signatures


A digital signature must satisfy the following requirements:

(a) Depend on the message being signed.
(b) Use information unique to the sender to prevent forgery and denial.
(c) Be relatively easy to produce and verify.
(d) Be computationally infeasible to forge, whether by creating a new message for an existing signature or by creating a fraudulent signature for a given message.
(e) Be practical for storage and retrieval.

2.5 Direct Digital Signatures


Direct digital signatures involve only the sender and receiver. Key features include:

(a) The receiver must have access to the sender’s public key.
(b) The sender signs either the entire message or its hash using their private key.
(c) For confidentiality, messages can be encrypted using the receiver’s public key after signing them. It is important to sign first and then encrypt both the message and the signature to ensure security.


2.6 Digital Signature Standard (DSS)

The Digital Signature Standard (DSS) is a U.S. government-approved standard for digital signatures. Key features include:

• Designed by NIST and NSA in the early 1990s; published as FIPS-186 in 1991 with revisions in 1993, 1996, and 2000.
• Uses SHA (Secure Hash Algorithm) as its hash function.
• DSS specifies DSA (Digital Signature Algorithm) as its core algorithm, which is used exclusively for digital signatures (unlike RSA).
• FIPS 186-2 includes alternative RSA and elliptic curve signature variants for flexibility in implementation.

2.7 Comparison: DSS vs RSA Signatures

The differences between DSS (DSA) and RSA are as follows:

| Feature       | DSS (DSA)                          | RSA                                     |
|---------------|------------------------------------|-----------------------------------------|
| Functionality | Signature-only algorithm           | Signature and encryption algorithm      |
| Performance   | Faster and simpler                 | Slower and more complex                 |
| Security      | More secure; resistant to attacks  | Vulnerable to chosen ciphertext attacks |
| Use Cases     | Message integrity; non-repudiation | Encryption; digital signatures          |

2.8 Digital Signature Algorithm (DSA)

DSA is a public-key cryptographic algorithm designed specifically for digital signatures. Key features include:

(a) Creates a 320-bit signature (two 160-bit values) with a modulus ranging from 512 to 1024 bits.
(b) Smaller and faster than RSA due to its optimized structure.
(c) Security depends on the difficulty of computing discrete logarithms in finite fields.


2.8.1 DSA Key Generation

Key generation involves shared global public values $p, q, g$:

i. Choose a 160-bit prime number $q$.
ii. Select a large prime $p$ such that $q$ divides $p - 1$, i.e. $p - 1 = kq$ for some integer $k$. The length of $p$ is between 512 and 1024 bits (a multiple of 64).
iii. Compute $g = h^{(p-1)/q} \bmod p$ for some $h$ with $1 < h < p - 1$, chosen so that $g > 1$.
iv. Each user chooses a random private key $x < q$ and computes the public key $y = g^x \bmod p$.

Note: Given the public key $y$, it is computationally infeasible to determine $x$, which is the discrete logarithm of $y$ to base $g$ modulo $p$.

2.8.3 DSA Signature Creation


To sign a message $M$, the sender performs the following steps:

i. Generate a random signature key $k < q$. $k$ must be generated randomly or pseudo-randomly and must be unique for each signing.
ii. Compute the signature pair:
$r = (g^k \bmod p) \bmod q$,
$s = [k^{-1}(H(M) + xr)] \bmod q$,
where $H(M)$ is the hash of the message and $k^{-1}$ is the inverse of $k$ modulo $q$.
iii. Send the signature pair $(r, s)$ along with the message $M$.

Additional information:

• The signature pair $(r, s)$ depends on the public key components $(p, q, g)$, the user’s private key $x$, and the hash code of the message $H(M)$.
• The integer $k$ must be destroyed after use and never reused. Calculations are performed first modulo $p$, then modulo $q$, to reduce the size of the result.


2.8.4 DSA Signature Verification

To verify a signature, the recipient performs the following steps:

A. Compute $w = s^{-1} \bmod q$, where $s^{-1}$ is the modular inverse of $s$.
B. Compute $u_1 = [H(M)\,w] \bmod q$, where $H(M)$ is the hash of the received message.
C. Compute $u_2 = (rw) \bmod q$, where $r$ is the first component of the signature.
D. Compute $v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$, where $g, p, q, y$ are public parameters and $y = g^x \bmod p$ is the sender’s public key.
E. Verify: if $v = r$, the signature is valid.


2.10 DSA Example Problem


Let us consider an example to illustrate DSA:


2.10.1 Global Parameters


The global public parameters are:

– $q = 11$: the prime divisor of $p - 1$ (a toy stand-in for the 160-bit prime used in practice).
– $p = 23$: a prime modulus such that $p - 1$ is divisible by $q$; here $(p - 1) \bmod q = 22 \bmod 11 = 0$.
– $g = 4$: computed as $g = h^{(p-1)/q} \bmod p$ with $1 < h < p - 1$ and $g > 1$ (here $(p-1)/q = 2$ and $h = 2$ gives $g = 2^2 = 4$). Verify that $g$ has order $q$: $g^q \bmod p = 4^{11} \bmod 23 = 1$.

2.10.2 Key Generation

The sender generates their private and public keys:

• **Private Key**: $x = 7$, where $x < q$.
• **Public Key**: $y = g^x \bmod p = 4^7 \bmod 23 = 16384 \bmod 23 = 8$.

The public key is $\{p, q, g, y\} = \{23, 11, 4, 8\}$, and the private key is $x = 7$.

2.10.4 Signature Creation


To sign a message with hash value $h = H(M) = 3$:

A. Choose a random signature key $k = 5$, where $k < q$.

B. Compute $r = (g^k \bmod p) \bmod q = (4^5 \bmod 23) \bmod 11$.
First, $g^k \bmod p = 4^5 \bmod 23 = 1024 \bmod 23 = 12$.
Then, $r = 12 \bmod 11 = 1$.

C. Compute $s = k^{-1}(h + xr) \bmod q$, where $k^{-1}$ is the modular inverse of $k$ modulo $q$.
First, find $i = k^{-1}$ such that $k \cdot i \bmod q = 1$. For $k = 5$, $q = 11$: $5 \cdot 9 \bmod 11 = 45 \bmod 11 = 1$, so $i = 9$.
Then, $s = 9(3 + 7 \cdot 1) \bmod 11 = 9 \cdot 10 \bmod 11 = 90 \bmod 11 = 2$.

D. The signature pair is $(r, s) = (1, 2)$.

The sender sends the message $M$ along with the signature $(r, s) = (1, 2)$.

2.10.5 Signature Verification


To verify the signature, the recipient performs the following steps:

A. Compute $w = s^{-1} \bmod q$. For $s = 2$, $q = 11$: $w = 6$, since $(2 \cdot 6) \bmod 11 = 1$.

B. Compute $u_1 = [H(M)\,w] \bmod q$. For $H(M) = 3$, $w = 6$, $q = 11$: $u_1 = (3 \cdot 6) \bmod 11 = 18 \bmod 11 = 7$.

C. Compute $u_2 = (rw) \bmod q$. For $r = 1$, $w = 6$, $q = 11$: $u_2 = (1 \cdot 6) \bmod 11 = 6$.

D. Compute $v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$. For $g = 4$, $y = 8$, $p = 23$, $q = 11$, $u_1 = 7$, $u_2 = 6$:
First compute $g^{u_1} \bmod p = 4^7 \bmod 23 = 16384 \bmod 23 = 8$.
Then compute $y^{u_2} \bmod p = 8^6 \bmod 23 = 262144 \bmod 23 = 13$.
Multiply and reduce modulo $p$: $(g^{u_1} y^{u_2}) \bmod p = (8 \cdot 13) \bmod 23 = 104 \bmod 23 = 12$.
Finally, reduce modulo $q$: $v = 12 \bmod 11 = 1$.

E. Verify: if $v = r$, the signature is valid. In this case $v = r = 1$, so the signature is verified successfully.
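The worked example above carried through in Python, as an added example rather than the notes' own code: the toy parameters $p = 23$, $q = 11$, $g = 4$, private key $x = 7$, hash value $3$ and nonce $k = 5$ reproduce $(r, s) = (1, 2)$ and verify with $v = 1$. The same functions work unchanged for real-sized parameters; `hash_to_int` truncates a SHA-256 digest to the bit length of $q$ as FIPS 186 prescribes. The nonce handling enforces the rule from section 2.8.3 that $k$ is fresh and in range; the last assertion in the test shows why toy sizes are only for illustration: with $q = 11$ a different hash value also passes verification by chance.

```python
import hashlib
import secrets


def dsa_check_params(p: int, q: int, g: int) -> bool:
    """q must divide p - 1 and g must have order q modulo p (g^q = 1, g > 1)."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1


def dsa_keygen(p: int, q: int, g: int, x=None):
    """Private key x in [1, q-1] (random unless supplied), public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(q - 1) + 1
    if not 0 < x < q:
        raise ValueError("private key must satisfy 0 < x < q")
    return x, pow(g, x, p)


def hash_to_int(message: bytes, q: int) -> int:
    """H(M) as an integer no longer than q: the leftmost bits of SHA-256 (FIPS 186)."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h >> max(0, 256 - q.bit_length())


def dsa_sign(p: int, q: int, g: int, x: int, h: int, k=None):
    """Return (r, s). k is the per-signature secret: fresh, in [1, q-1], never reused.
    If k is not supplied a new one is drawn until r and s are both non-zero."""
    while True:
        nonce = k if k is not None else secrets.randbelow(q - 1) + 1
        if not 0 < nonce < q:
            raise ValueError("k must satisfy 0 < k < q")
        r = pow(g, nonce, p) % q                       # first mod p, then mod q
        s = (pow(nonce, -1, q) * (h + x * r)) % q      # k^-1 is the inverse modulo q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("degenerate signature; choose a new k")


def dsa_verify(p: int, q: int, g: int, y: int, h: int, signature) -> bool:
    """v = [(g^u1 y^u2) mod p] mod q must equal r; out-of-range components are rejected first."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r
```

The range check in `dsa_verify` is not cosmetic: a signature with $r = 0$ or $s = 0$ must be rejected before any arithmetic, and `pow(s, -1, q)` would raise on $s = 0$ anyway. `pow(x, -1, q)` for the modular inverse needs Python 3.8 or later.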


2.11 Comparison: DSA vs RSA


The differences between DSA and RSA are summarized below:

Table 2.1: Comparison of DSA and RSA

| Feature       | DSA (Digital Signature Algorithm)                                   | RSA (Rivest-Shamir-Adleman)             |
|---------------|---------------------------------------------------------------------|-----------------------------------------|
| Functionality | Signature-only algorithm                                            | Signature and encryption algorithm      |
| Performance   | Faster and simpler                                                  | Slower and more complex                 |
| Security      | Resistant to discrete logarithm attacks; provides message integrity | Vulnerable to chosen ciphertext attacks |
| Key Size      | Smaller key sizes; efficient computation                            | Larger key sizes; h…                    |
| Use Cases     | Digital signatures; non-repudiation                                 | Encryption; digital signatures          |

2.12 Conclusion on DSA


The Digital Signature Algorithm (DSA) is a robust cryptographic algorithm designed specifically for digital signatures. It offers faster performance and smaller key sizes compared to RSA while maintaining strong security through its reliance on discrete logarithms. DSA ensures message integrity, authenticity, and non-repudiation, making it a preferred choice for secure communication.
