Date post: 14-Apr-2018
Category: Documents
Upload: jisha-shaji
7/30/2019 B.tech CS S8 Security in Computing Notes Module 3
Index
1. Cryptography
2. Feistel Networks
3. Data Encryption Standard
4. Modes of operation of DES
5. Public key Cryptography
6. RSA Algorithm
7. Diffie Hellman Key Exchange
8. MAC and HASH function
9. Digital Signature
10. Questions
1. Cryptography
1.1 Introduction
Definitions
Plaintext: "The original message before it is encoded."
Encoding/Encryption: "The process of disguising the plaintext."
Ciphertext: "The enciphered version of the plaintext."
Decoding/Decryption: "The process of reverting the cipher text back to the plaintext."
Cryptography: "The science of keeping messages secret and of ensuring authentication."
Cryptanalysis: "The science (and art) of deciphering encoded messages without the knowledge of the used key."
Cryptology: Greek: kryptós = hidden, lógos = science. "The combination of cryptography and cryptanalysis." "The science of hidden, disguised information."
1.2 Types of Cryptography
1.2.1 Conventional Encryption/Private-key Cryptography
In a "One-Key-Encryption" or "Conventional Encryption", the sender and the recipient
share the same key as their common secret
(source: www.PGPi.com):
At some earlier point in time the two correspondents, the sender and the recipient, must have agreed on that key. If they are in different locations, they must trust a courier or a
phone system to transmit the secret key in a secure manner. Surely, this is not very
practical, particularly when many (new) parties are involved.
However, the major problem is the total number of keys involved. 2 correspondents use 1 key, 3 use 3 keys, 4 use 6 keys, 5 use 10 keys, 100 use 4950 keys, 1000 use 499500 keys, etc. And each key must be stored in a secure manner. Key management is enough of a difficult task that a name was invented for it: The Key Distribution Problem. It is the reason why One-Key-Cryptography is not appropriate for today's secure electronic data transfers between many parties involved.
Every Cipher is made up of two ingredients: an encryption method (the "algorithm") and the set of all possible keys (the "key space"). The sender may now choose from the number of possible keys to encode his secret message. The security of the cryptosystem shall not be based on keeping the algorithm secret, but solely on keeping the key secret.
Private Key Cryptography means that the knowledge of the encoding key yields the decoding key. Such Ciphers are therefore also called "Symmetric Ciphers". If a Cipher only offers a small number of keys (e.g. the Caesar Cipher) it can be broken by simply testing the possible keys. A huge number of keys assures the security of a cipher.
Private Key Cryptography provides "high-security" ciphers; however, their usage is not practical because of the key distribution problem. It describes the difficulty of exchanging and handling a large number of keys. E.g. 1000 correspondents have to handle a total of 499500 keys. The number of keys increases with the square of the number of correspondents.
1.2.2 Two-key/Public-key Cryptography
The "Two-Key Cryptography" or "Public-Key Cryptography" was a major breakthrough in 1976. It makes the inconceivable reality: A Public Key is used to encode the plain text, its corresponding Private Key is used to decode the cipher text. The clue: Although the encoding key is available to the whole world, nobody is capable of figuring out the decoding key. The figure below shows how "Two-Key Cryptography" is performed.
(source: www.PGPi.com):
The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared.
1.2.3 Transposition and Substitution Ciphers
Substitution and Transposition Ciphers are two categories of ciphers used in classical cryptography. Substitution and Transposition differ in how chunks of the message are handled by the encryption process. Substitution ciphers encrypt plaintext by changing the plaintext one piece at a time.
The Caesar Cipher was an early substitution cipher. In the Caesar Cipher, each character is shifted three places up. Therefore, A becomes D and B becomes E, etc.
This table shows "VOYAGER" being encrypted with the Caesar substitution cipher:
Plaintext V O Y A G E R
Key +3 +3 +3 +3 +3 +3 +3
Ciphertext Y R B D J H U
Transposition ciphers encrypt plaintext by moving small pieces of the message around.
This table shows "VOYAGER" being encrypted with a primitive transposition cipher
where every two letters are switched with each other:
V O Y A G E R
O V A Y E G R
1.2.4 Stream and Block Ciphers
Block and Stream Ciphers are two categories of ciphers used in classical cryptography. Block and Stream Ciphers differ in how large a piece of the message is processed in each encryption operation. Block ciphers encrypt plaintext in chunks. Common block sizes are 64 and 128 bits. Stream ciphers encrypt plaintext one byte or one bit at a time. A stream cipher can be thought of as a block cipher with a really small block size. Generally speaking, block ciphers are more efficient for computers and stream ciphers are easier for humans to do by hand.
1.3 Caesar Substitution
The simplest of all substitution ciphers is the one in which the cipher letters result from shifting plain letters by the same distance. Among those, the best known is called "Caesar Cipher", used by Julius Caesar, in which each A is encrypted as D, B as E, C as F, etc. Here the key is 3.
Mathematically, the encryption and decryption functions can be described as follows:
The sender encodes each plain text letter P using the key b as follows:
C = (P + b) mod 26
The recipient decodes each cipher text letter C using the key b as follows:
P = (C - b) mod 26
1.4 Playfair Cipher
The best known substitution cipher that encrypts pairs of letters is the Playfair Cipher invented by Sir Charles Wheatstone but championed at the British Foreign Office by Lyon Playfair, the first Baron Playfair of St. Andrews, whose name the cipher bears.
Here, a 5 x 5-square matrix containing the 26 letters of the alphabet (I and J are treated as the same letter) is used to carry out the encryption. A key word, MONARCHY in this example, is filled in first, and the remaining unused letters of the alphabet are entered in their lexicographic order.
Pairs of plaintext letters are encrypted with the matrix by first locating the two plaintext letters in the matrix. They are
(1) in different rows and columns or
(2) in the same row or
(3) in the same column or
(4) alike.
The corresponding encryption (replacement) rules are the following:
1. If the pair of letters are in different rows and columns, each letter is replaced by the letter that is in the same row but in the other column; e.g., to encrypt WE, W is replaced by U and E by G.
2. If two letters are in the same row, simply shift both one position to the right. E.g. A and R are in the same row. A is encrypted as R and R (reading the row cyclically) as M.
3. Similarly, if two letters are in the same column, shift both one position down. E.g. I and S are in the same column. I is encrypted as S and S as X.
4. If a double letter occurs, a spurious symbol, say Q, is introduced so that the MM in SUMMER would encrypt into NL for MQ and CL for ME.
5. An X is appended to the end of the plaintext if necessary to cause the plaintext to have an even number of letters.
1.5 Monoalphabetic substitution
The Caesar Cipher, the Multiplication Cipher and the Linear Cipher have one property in common. They all fall in the category of Monoalphabetic Ciphers: "Same plain letters are encoded to the same cipher letter." E.g. in the Caesar Cipher each "a" turned into "d", each "b" turned into "e", etc.
The reason why such Ciphers can be broken is the following: Although letters are changed, the underlying letter frequencies are not! If the plain letter "a" occurs 10 times, its cipher letter will do so 10 times. Therefore, any monoalphabetic Cipher can be broken with the aid of letter frequency analysis.
1.6 Polyalphabetic Substitution
Polyalphabetic substitution cipher is simply a substitution cipher with an alphabet that changes. For example one could have two alphabets:
Plain Alphabet: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher Alphabet #1: B D F H J L N P R T V X Z A C E G I K M O Q S U W Y
Cipher Alphabet #2: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
Now to encrypt the message "The quick brown fox jumped over the lazy dog" we would alternate between the two cipher alphabets, using #1 for every first letter and #2 for every second, to get: "Msj joxfp dicda ucu tfzkjw ceji msj xzyb hln". Polyalphabetic substitution ciphers are useful because they cannot be broken using frequency analysis.
The number of letters encrypted before a polyalphabetic substitution cipher returns to its first cipher alphabet is called its period. The larger the period, the stronger the cipher.
Vigenere Cipher
The polyalphabetic substitution cipher involves the use of two or more cipher alphabets. Instead of there being a one-to-one relationship between each letter and its substitute, there is a one-to-many relationship between each letter and its substitutes.
The Vigenere Cipher, proposed by Blaise de Vigenere, is a polyalphabetic substitution based on the following tableau:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Note that each row of the table corresponds to a Caesar Cipher. The first row is a shift of
0; the second is a shift of 1; and the last is a shift of 25.
The Vigenere cipher uses this table together with a keyword to encipher a message. For
example, enciphering the plaintext message:
TO BE OR NOT TO BE THAT IS THE QUESTION
using the keyword RELATIONS. We begin by writing the keyword, repeated as many times as necessary, above the plaintext message. To derive the ciphertext using the tableau, for each letter in the plaintext, one finds the intersection of the row given by the corresponding keyword letter and the column given by the plaintext letter itself to pick out the ciphertext letter.
Keyword: RELAT IONSR ELATI ONSRE LATIO NSREL
Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION
Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
Decipherment of an encrypted message is equally straightforward. One writes the keyword repeatedly above the message:
Keyword: RELAT IONSR ELATI ONSRE LATIO NSREL
Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY
Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION
This time one uses the keyword letter to pick a column of the table and then traces down the column to the row containing the ciphertext letter. The index of that row is the plaintext letter.
The strength of the Vigenere cipher against frequency analysis can be seen by examining the above ciphertext. Note that there are 7 'T's in the plaintext message and that they have been encrypted by 'H,' 'L,' 'K,' 'M,' 'G,' 'X,' and 'L' respectively. This successfully masks the frequency characteristics of the English 'T.' One way of looking at this is to notice that each letter of our keyword RELATIONS picks out 1 of the 26 possible substitution alphabets given in the Vigenere tableau. Thus, any message encrypted by a Vigenere cipher is a collection of as many simple substitution ciphers as there are letters in the keyword.
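The RELATIONS example above, together with the frequency argument from section 1.5, as an added example that is not part of the original notes. It uses the arithmetic form of the tableau (row shift = keyword letter), and the helper names are chosen here.

```python
from collections import Counter

A = ord("A")

def normalize(text):
    """Keep letters only, upper-cased, as in the grouped example above."""
    return "".join(c for c in text.upper() if "A" <= c <= "Z")

def shift_text(text, shift):
    """Caesar shift of every letter: C = (P + b) mod 26 (negative b decrypts)."""
    return "".join(chr((ord(c) - A + shift) % 26 + A) for c in text)

def vigenere(text, keyword, decrypt=False):
    """Each keyword letter selects one row of the tableau, i.e. one Caesar shift."""
    out = []
    for i, c in enumerate(text):
        b = ord(keyword[i % len(keyword)]) - A
        out.append(shift_text(c, -b if decrypt else b))
    return "".join(out)

def cosets(text, period):
    """Letters that were encrypted with the same keyword letter."""
    return [text[j::period] for j in range(period)]

def profile(text):
    """Letter counts sorted high to low, ignoring which letter has which count."""
    return sorted(Counter(text).values(), reverse=True)

PLAIN = normalize("TO BE OR NOT TO BE THAT IS THE QUESTION")
KEY = "RELATIONS"

if __name__ == "__main__":
    ct = vigenere(PLAIN, KEY)
    print("ciphertext:", ct)
    print("round trip:", vigenere(ct, KEY, decrypt=True) == PLAIN)

    # Monoalphabetic: the count profile survives encryption unchanged.
    print("plaintext profile :", profile(PLAIN))
    print("Caesar +3 profile :", profile(shift_text(PLAIN, 3)))
    # Polyalphabetic: the profile is flattened.
    print("Vigenere profile  :", profile(ct))

    # Each coset of the ciphertext is one simple Caesar cipher.
    for j, (c_part, k) in enumerate(zip(cosets(ct, len(KEY)), KEY)):
        print(j, k, c_part, "->", shift_text(c_part, -(ord(k) - A)))
```

The last loop is why the period matters: once the keyword length is known, each coset is a monoalphabetic cipher with the weakness described in section 1.5.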
1.7 Cryptanalysis
Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves finding the secret key. In non-technical language, this is the practice of code breaking or cracking the code, although these phrases also have a specialized technical meaning.
Types of Cryptanalytic attacks
1. Brute force attacks: It is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out.
2. Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts or codetexts.
3. Known-plaintext: the attacker has a set of ciphertexts to which he knows the corresponding plaintext.
4. Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts (plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own choosing.
5. Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly, adaptive chosen-ciphertext attack.
6. Related-key attack: like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in one bit.
2. Feistel Networks
In cryptography, a Feistel cipher is a block cipher with a particular structure, named after IBM cryptographer Horst Feistel; it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the Data Encryption Standard (DES). The Feistel structure has the advantage that encryption and decryption operations are very similar, even identical in some cases, requiring only a reversal of the key schedule. Therefore the size of the code or circuitry required to implement such a cipher is nearly halved.
Feistel networks and similar constructions are product ciphers, and so combine multiple rounds of repeated operations, such as:
Bit-shuffling (often called permutation boxes or P-boxes)
Simple non-linear functions (often called substitution boxes or S-boxes)
Linear mixing (in the sense of modular algebra) using XOR
to produce a function with large amounts of what Claude Shannon described as "confusion and diffusion". Bit shuffling creates the diffusion effect, while substitution is used for confusion. In Shannon's original definitions, confusion refers to making the relationship between the key and the ciphertext as complex and involved as possible; diffusion refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext.
The basic operation is as follows:
Split the plaintext block into two equal pieces, (L_0, R_0)
For each round, compute
L_i = R_{i-1}
where f is the round function and K_i is the sub-key.
Then the ciphertext is (L_n, R_n).
Regardless of the function f, decryption is accomplished via
R_{i-1} = L_i
One advantage of this model is that the function used does not have to be invertible, and can be very complex. This diagram illustrates both encryption and decryption. Note the reversal of the subkey order for decryption; this is the only difference between encryption and decryption.
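A 64-bit Feistel network with a deliberately non-invertible round function, as an added example that is not part of the original notes. It uses the standard round step R_i = L_{i-1} XOR f(R_{i-1}, K_i), the same step as stage 6 of the DES core function in section 3.3. The truncated SHA-256 round function and the toy key schedule are assumptions made for the demonstration, not DES.

```python
import hashlib

HALF = 4  # bytes per half, so one block is 64 bits

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(right, subkey):
    """Toy round function (assumption): truncated hash, cannot be inverted."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def toy_subkeys(master, rounds=16):
    """Hypothetical key schedule for this demo only: K_i = SHA-256(master || i)[:6]."""
    return [hashlib.sha256(master + bytes([i])).digest()[:6]
            for i in range(1, rounds + 1)]

def _check(block):
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 8 bytes")

def encrypt(block, subkeys):
    _check(block)
    L, R = block[:HALF], block[HALF:]
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        L, R = R, xor(L, f(R, k))
    return L + R                      # ciphertext is (L_n, R_n)

def decrypt(block, subkeys):
    _check(block)
    L, R = block[:HALF], block[HALF:]
    for k in reversed(subkeys):
        # R_{i-1} = L_i;  L_{i-1} = R_i XOR f(L_i, K_i)   (f is only ever run forwards)
        L, R = xor(R, f(L, k)), L
    return L + R

def swap(block):
    return block[HALF:] + block[:HALF]

def decrypt_with_encrypt_circuit(block, subkeys):
    """Reuse encrypt() unchanged: swap halves, feed the subkeys in reverse, swap back."""
    return swap(encrypt(swap(block), list(reversed(subkeys))))

if __name__ == "__main__":
    keys = toy_subkeys(b"constructed demo key")   # constructed sample key
    pt = b"FEISTEL!"                              # constructed 8-byte sample block
    ct = encrypt(pt, keys)
    print("ciphertext           :", ct.hex())
    print("decrypt              :", decrypt(ct, keys))
    print("via encrypt circuit  :", decrypt_with_encrypt_circuit(ct, keys))
    print("subkeys in wrong order:", decrypt(ct, list(reversed(keys))).hex())
```

decrypt_with_encrypt_circuit is the "nearly halved" circuitry claim in code: the same round loop serves both directions and only the subkey order changes.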
3. Data Encryption Standard
DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the
effective key strength is only 56 bits, as explained below). It takes a 64-bit block of
plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on
blocks of equal size and it uses both permutations and substitutions in the algorithm, DES
is both a block cipher and a product cipher.
DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the
ciphertext. It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. So as the number of rounds increases, the security of the algorithm increases exponentially.
The block diagram of DES is depicted below.
3.1 Key Scheduling
Although the input key for DES is 64 bits long, the actual key used by DES is only 56 bits in length. The bits at positions of multiples of eight are ignored, thus resulting in a key length of 56 bits.
The first step is to pass the 64-bit key through a permutation called Permuted Choice 1,
or PC-1 for short. The table for this is given below. Note that in all subsequent
descriptions of bit numbers, 1 is the left-most bit in the number, and n is the rightmost bit.
PC-1: Permuted Choice 1
Bit 0 1 2 3 4 5 6
1 57 49 41 33 25 17 9
8 1 58 50 42 34 26 18
15 10 2 59 51 43 35 27
22 19 11 3 60 52 44 36
29 63 55 47 39 31 23 15
36 7 62 54 46 38 30 22
43 14 6 61 53 45 37 29
50 21 13 5 28 20 12 4
Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit subkeys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption and decryption. The procedure for generating the subkeys - known as key scheduling - is fairly simple:
1. Set the round number R to 1.
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R (the right-hand half).
3. Rotate L left by the number of bits specified in the table below, and rotate R left by the same number of bits as well.
4. Join L and R together to get the new K.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round number we are on.
6. Increment R by 1 and repeat the procedure until we have all 16 subkeys K[1]-K[16].
Here are the tables involved in these operations:
Subkey Rotation Table
Round Number:             1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of bits to rotate: 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
PC-2: Permuted Choice 2
Bit 0 1 2 3 4 5
1 14 17 11 24 1 5
7 3 28 15 6 21 10
13 23 19 12 4 26 8
19 16 7 27 20 13 2
25 41 52 31 37 47 55
31 30 40 51 45 33 48
37 44 49 39 56 34 53
43 46 42 50 36 29 32
3.2 Plaintext Preparation
Once the key scheduling has been performed, the next step is to prepare the plaintext for
the actual encryption. This is done by passing the plaintext through a permutation called
the Initial Permutation, or IP for short. This table also has an inverse, called the Inverse Initial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final Permutation.
Both of these tables are shown below.
IP: Initial Permutation
Bit 0 1 2 3 4 5 6 7
1 58 50 42 34 26 18 10 2
9 60 52 44 36 28 20 12 4
17 62 54 46 38 30 22 14 6
25 64 56 48 40 32 24 16 8
33 57 49 41 33 25 17 9 1
41 59 51 43 35 27 19 11 3
49 61 53 45 37 29 21 13 5
57 63 55 47 39 31 23 15 7
IP^(-1): Inverse Initial Permutation
Bit 0 1 2 3 4 5 6 7
1 40 8 48 16 56 24 64 32
9 39 7 47 15 55 23 63 31
17 38 6 46 14 54 22 62 30
25 37 5 45 13 53 21 61 29
33 36 4 44 12 52 20 60 28
41 35 3 43 11 51 19 59 27
49 34 2 42 10 50 18 58 26
57 33 1 41 9 49 17 57 25
These tables are used just like PC-1 and PC-2 were for the key scheduling. By looking at the tables it becomes apparent why one permutation is called the inverse of the other. For example, let's examine how bit 32 is transformed under IP. In the table, bit 32 is located at the intersection of the column labeled 4 and the row labeled 25. So this bit becomes bit 29 of the 64-bit block after the permutation. Now let's apply IP^(-1). In IP^(-1), bit 29 is located at the intersection of the column labeled 7 and the row labeled 25. So this bit becomes bit 32 after the permutation. And this is the bit position that we started with before the first permutation. So IP^(-1) really is the inverse of IP. It does the exact opposite of IP. If you run a block of plaintext through IP and then pass the resulting block through IP^(-1), you'll end up with the original block.
3.3 DES Core Function
Once the key scheduling and plaintext preparation have been completed, the actual encryption or decryption is performed by the main DES algorithm. The 64-bit block of input data is first split into two halves, L and R. L is the left-most 32 bits, and R is the right-most 32 bits. The following process is repeated 16 times, making up the 16 rounds of standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15].
1. R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit Selection Table, which is like a permutation, except that some of the bits are used more than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step.
2. The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] is not modified.
3. The result from the previous step is now split into 8 segments of 6 bits each. The left-most 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the index into the S-boxes, which are used in the next step. The Substitution boxes, known as S-boxes, are a set of 8 two-dimensional arrays, each with 4 rows and 16 columns. The numbers in the boxes are always 4 bits in length, so their values range from 0-15. The S-boxes are numbered S[1]-S[8].
4. Starting with B[1], the first and last bits of the 6-bit block are taken and used as an index into the row number of S[1], which can range from 0 to 3, and the middle four bits are used as an index into the column number, which can range from 0 to 15. The number from this position in the S-box is retrieved and stored away. This is repeated with B[2] and S[2], B[3] and S[3], and the others up to B[8] and S[8]. At this point, we now have 8 4-bit numbers, which when strung together one after the other in the order of retrieval, give a 32-bit result.
5. The result from the previous stage is now passed into the P Permutation.
6. This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into L[I].
7. At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core function until I = 17, which means that 16 rounds have been executed and keys K[1]-K[16] have all been used.
When L[16] and R[16] have been obtained, they are joined back together in the same fashion they were split apart (L[16] is the left-hand half, R[16] is the right-hand half), then the two halves are swapped, R[16] becomes the left-most 32 bits and L[16] becomes the right-most 32 bits of the pre-output block and the resultant 64-bit number is called the pre-output.
Tables used in the DES Core Function
E-Bit Selection Table
Bit 0 1 2 3 4 5
1 32 1 2 3 4 5
7 4 5 6 7 8 9
13 8 9 10 11 12 13
19 12 13 14 15 16 17
25 16 17 18 19 20 21
31 20 21 22 23 24 25
37 24 25 26 27 28 29
43 28 29 30 31 32 1
P Permutation
Bit 0 1 2 3
1 16 7 20 21
5 29 12 28 17
9 1 15 23 26
13 5 18 31 10
17 2 8 24 14
21 32 27 3 9
25 19 13 30 6
29 22 11 4 25
S-Box 1: Substitution Box 1
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S-Box 2: Substitution Box 2
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S-Box 3: Substitution Box 3
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S-Box 4: Substitution Box 4
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-Box 5: Substitution Box 5
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S-Box 6: Substitution Box 6
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-Box 7: Substitution Box 7
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S-Box 8: Substitution Box 8
Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
3.4 How to use the S-Boxes
The purpose of this example is to clarify how the S-boxes work. Suppose we have the following 48-bit binary number:
011101000101110101000111101000011100101101011101
In order to pass this through steps 3 and 4 of the Core Function as outlined above, the
number is split up into 8 6-bit blocks, labeled B[1] to B[8] from left to right:
011101 000101 110101 000111 101000 011100 101101 011101
Now, eight numbers are extracted from the S-boxes - one from each box:
B[1] = S[1](01, 1110) = S[1][1][14] = 3 = 0011
B[2] = S[2](01, 0010) = S[2][1][2 ] = 4 = 0100
B[3] = S[3](11, 1010) = S[3][3][10] = 14 = 1110
B[4] = S[4](01, 0011) = S[4][1][3 ] = 5 = 0101
B[5] = S[5](10, 0100) = S[5][2][4 ] = 10 = 1010
B[6] = S[6](00, 1110) = S[6][0][14] = 5 = 0101
B[7] = S[7](11, 0110) = S[7][3][6 ] = 10 = 1010
B[8] = S[8](01, 1110) = S[8][1][14] = 9 = 1001
In each case of S[n][row][column], the first and last bits of the current B[n] are used as
the row index, and the middle four bits as the column index.
The results are now joined together to form a 32-bit number which serves as the input to stage 5 of the Core Function (the P Permutation):
00110100111001011010010110101001
3.5 Ciphertext Preparation
The final step is to apply the permutation IP^(-1) to the pre-output. The result is the
completely encrypted ciphertext.
3.6 Encryption and Decryption
The same algorithm can be used for encryption or decryption. The method described
above will encrypt a block of plaintext and return a block of ciphertext. In order to
decrypt the ciphertext and get the original plaintext again, the procedure is simply repeated but the subkeys are applied in reverse order, from K[16]-K[1]. That is, stage 2 of the Core Function as outlined above changes from R[I-1] XOR K[I] to R[I-1] XOR K[17-I]. Other than that, decryption is performed exactly the same as encryption.
3.7 Strength of DES
1. With a key length of 56 bits, a brute force attack becomes impractical
2. Design algorithm of S-boxes is kept a secret
3. DES is also resistant to timing attacks
3.8 Comparison of modern symmetric key algorithms
Algorithm | Plaintext | Ciphertext | Key size | Rounds | Advantages
DES | 64 bits | 64 bits | 56 bits | 16 | Simple and fast; less mathematical calculations; cryptanalysis is difficult
3DES | 64 bits | 64 bits | 168 bits | 48 DES rounds | More reliable; easy to upgrade the software to 3DES; longer key length, difficult to cryptanalyse
AES | 128 bits | 128 bits | 128/192/256 bits | 10/12/14 resp. | Longer key lengths supported; more flexible
Blowfish | 64 bits | 64 bits | 32-448 bits | 16 | Fast and secure; compact
RC5 | 32/64/128 bits | 32/64/128 bits | 0-2040 bits | variable | Simple and fast; adaptable to processors of different word length; data dependent rotations
4 MODES OF OPERATION OF DES
4.1 ECB (Electronic Code Book)
This is the regular DES algorithm. Data is divided into 64-bit blocks and each block is encrypted one at a time. Separate encryptions with different blocks are totally independent of each other. This means that if data is transmitted over a network or phone line, transmission errors will only affect the block containing the error. It also means, however, that the blocks can be rearranged, thus scrambling a file beyond recognition, and this action would go undetected. ECB is the weakest of the various modes because no additional security measures are implemented besides the basic DES algorithm. However, ECB is the fastest and easiest to implement, making it the most common mode of DES.
4.2 CBC (Cipher Block Chaining).
In this mode of operation, each block of ECB encrypted ciphertext is XORed with the next plaintext block to be encrypted, thus making all the blocks dependent on all the previous blocks. This means that in order to find the plaintext of a particular block, you need to know the ciphertext, the key, and the ciphertext for the previous block. The first block to be encrypted has no previous ciphertext, so the plaintext is XORed with a 64-bit number called the Initialization Vector, or IV for short. So if data is transmitted over a network or phone line and there is a transmission error, the error will be carried forward to all subsequent blocks since each block is dependent upon the last. This mode of operation is more secure than ECB because the extra XOR step adds one more layer to the encryption process.
4.3 CFB (Cipher Feed Back)
In this mode, blocks of plaintext that are less than 64 bits long can be encrypted. Normally, special processing has to be used to handle files whose size is not a perfect multiple of 8 bytes, but this mode removes that necessity (Stealth handles this case by adding several dummy bytes to the end of a file before encrypting it). The plaintext itself is not actually passed through the DES algorithm, but merely XORed with an output block from it, in the following manner: A 64-bit block called the Shift Register is used as the input plaintext to DES. This is initially set to some arbitrary value, and encrypted with the DES algorithm. The ciphertext is then passed through an extra component called the M-box, which simply selects the left-most M bits of the ciphertext, where M is the number of bits in the block we wish to encrypt. This value is XORed with the real plaintext, and the output of that is the final ciphertext. Finally, the ciphertext is fed back into the Shift Register, and used as the plaintext seed for the next block to be encrypted. As with CBC mode, an error in one block affects all subsequent blocks during data transmission. This mode of operation is similar to CBC and is very secure, but it is slower than ECB due to the added complexity.
4.4 OFB (Output Feed Back)
This is similar to CFB mode, except that the ciphertext output of DES is
fed back into the Shift Register, rather than the actual final ciphertext. The Shift Register is set to an arbitrary initial value, and passed through the DES algorithm. The output from DES is passed through the M-box and then fed back into the
Shift Register to prepare for the next block. This value is then XORed with the
real plaintext (which may be less than 64 bits in length, like CFB mode), and the result is the final ciphertext. Note that unlike CFB and CBC, a transmission error
in one block will not affect subsequent blocks because once the recipient has the
initial Shift Register value, it will continue to generate new Shift Register
plaintext inputs without any further data input. However, this mode of operation is
less secure than CFB mode because only the real ciphertext and DES ciphertext output is needed to find the plaintext of the most recent block. Knowledge of the
key is not required.
4.5 CTR (Counter)
A counter equal in size to the plaintext block is used. The counter value must be
different for each plaintext block that is encrypted. The counter is initialized to some value and then incremented by 1 for each substitution. For encryption, the counter is
encrypted and then XORed with the plaintext block to produce the ciphertext block.
5. PUBLIC KEY CRYPTOGRAPHY
5.1 Comparison of Symmetric Key and Public Key Cryptography
With symmetric-key encryption, the encryption key can be calculated from the
decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure
Implementations of symmetric-key encryption can be highly efficient, so that users do
not experience any significant time delay as a result of the encryption and decryption. Symmetric-key encryption is effective only if the symmetric key is kept secret by the two
parties involved. If anyone else discovers the key, it affects both confidentiality and authentication. A person with an unauthorized symmetric key not only can decrypt
messages sent with that key, but can encrypt new messages and send them as if they
came from one of the two parties who were originally using the key.
Public-key encryption (also called asymmetric encryption) involves a pair of keys--a
public key and a private key--associated with an entity that needs to authenticate its
identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. Data encrypted with the public key can be
decrypted only with the private key. The figure shows a simplified view of the way public-key encryption works.
The scheme lets you freely distribute a public key, and only you will be able to read data
encrypted using this key. In general, to send encrypted data to someone, we encrypt the
data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key. Compared with symmetric-key encryption, public-key
encryption requires more computation and is therefore not always appropriate for
large amounts of data. However, it's possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data.
As it happens, the reverse of the scheme shown in Figure also works: data encrypted with your private key can be decrypted only with your public key. This would not be a
desirable way to encrypt sensitive data, however, because it means that anyone with your
public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign
data with your digital signature--an important requirement for electronic commerce and
other commercial applications of cryptography.
6. RSA Algorithm
The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at
MIT; the letters RSA are the initials of their surnames. This is the most commonly used algorithm in public key cryptography.
6.1 Key Generation
Suppose a user X wishes to allow Y to send a private message over an insecure
transmission medium. X takes the following steps to generate a public key and a private
key:
1. Choose two large prime numbers and such that , randomly and independently of each other.
2. Compute .
3. Compute the totient .
4. Choose an integer e such that which is coprime to .
5. Compute d such that
The public key consists of
n, the modulus, and
e, the public exponent (sometimes encryption exponent).
The private key consists of
n, the modulus, which is public and appears in the public key, and
d, the private exponent (sometimes decryption exponent), which must be kept secret.
6.2 Encrypting messages
Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n,
using some previously agreed-upon reversible protocol known as a padding scheme.
Bob now has m, and knows n and e, which Alice has announced. He then computes the
ciphertext c corresponding to m:
Bob then transmits c to Alice.
6.3 Decrypting messages
Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:
The proof is given in Appendix
6.4 A working example
Here is an example of RSA encryption and decryption. The parameters used here are
artificially small. We let
p = 61 - first prime number (to be kept secret or deleted securely)
q = 53 - second prime number (to be kept secret or deleted securely)
n = pq = 3233 - modulus (to be made public)
e = 17 - public exponent (to be made public)
d = 2753 - private exponent (to be kept secret)
The public key is (e, n). The private key is d. The encryption function is:
encrypt(m) = m^e mod n = m^17 mod 3233
where m is the plaintext. The decryption function is:
decrypt(c) = c^d mod n = c^2753 mod 3233
where c is the ciphertext.
To encrypt the plaintext value 123, we calculate
encrypt(123) = 123^17 mod 3233 = 855
To decrypt the ciphertext value 855, we calculate
decrypt(855) = 855^2753 mod 3233 = 123
6.5 Security of RSA
The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring very large numbers, and the RSA problem. Full decryption of an
RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them.
The RSA problem is defined as the task of taking eth roots modulo a composite n:
recovering a value m such that m^e = c mod n, where (e, n) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to
factor the modulus n. With the ability to recover prime factors, an attacker can compute
the secret exponent d from a public key (e, n), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p-1)(q-1)
which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists.
6.6 Practical Considerations
Speed
RSA is much slower than DES and other symmetric cryptosystems.
Key distribution
As with all ciphers, how RSA public keys are distributed is important to security. Key distribution must be secured against a man-in-the-middle attack. In principle, neither
sender nor receiver would be able to detect an outsider's presence. Defenses against such
attacks are often based on digital certificates.
Timing attacks
6.7 Comparison of RSA and DES
Feature                                      DES                               RSA
speed                                        high                              low
data block length                            64 bits                           minimum 512 bits
key length                                   56 bits                           minimum 512 bits
use of data space                            full, 64 bits (2^64), 8 bytes     variable, limited, not defined
ciphering & deciphering key                  same                              different
ciphering & deciphering algorithm            different                         same
algorithm contains only XOR and branching    no                                no
cryptanalysis method                         differential method               product factorization
7. Diffie Hellman Key Exchange
Diffie-Hellman key agreement was invented in 1976 during a collaboration between
Whitfield Diffie and Martin Hellman and was the first practical method for establishing a
shared secret over an unprotected communications channel.
7.1 Description
The simplest, and original, implementation of the protocol uses the multiplicative group
of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply
means that the integers between 1 and p - 1 are used with normal multiplication,
exponentiation and division, except that after each operation the result keeps only the remainder after dividing by p. Here is an example of the protocol:
1. Alice and Bob agree to use a prime number p=23 and base g=5.
2. Alice chooses a secret integer a=6, then sends Bob (g^a mod p)
o 5^6 mod 23 = 8.
3. Bob chooses a secret integer b=15, then sends Alice (g^b mod p)
o 5^15 mod 23 = 19.
4. Alice computes (g^b mod p)^a mod p
o 19^6 mod 23 = 2.
5. Bob computes (g^a mod p)^b mod p
o 8^15 mod 23 = 2.
Both Alice and Bob have arrived at the same value, because g^(ab) and g^(ba) are equal. Note
that only a, b, g^(ab) and g^(ba) are kept secret. All the other values are sent in the clear. Once
Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of
course, much larger values of a, b, and p would be needed to make this example secure, since it is easy to try all the possible values of g^(ab) mod 23 (there will be, at most, 22 such
values, even if a and b are large). If p was a prime of more than 300 digits, and a and b
were at least 100 digits long, then even the best known algorithms for finding a given
only g, p, and g^a mod p (known as the discrete logarithm problem) would take longer than the lifetime of the universe to run. g need not be large at all, and in practice is
usually either 2 or 5.
Here's a more general description of the protocol:
1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all
attackers.) We will write the group G multiplicatively.
2. Alice picks a random natural number a and sends g^a to Bob.
3. Bob picks a random natural number b and sends g^b to Alice.
4. Alice computes (g^b)^a.
5. Bob computes (g^a)^b. Both Alice and Bob are now in possession of the group
element g^(ab) which can serve as the shared secret key.
7.2 Security
The protocol is considered secure against eavesdroppers if G and g are chosen properly.
The eavesdropper must solve the Diffie-Hellman problem to obtain g^(ab). This is currently
considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the Diffie-Hellman problem, making this
protocol insecure.
The order of G should be prime or have a large prime factor to prevent obtaining a or b.
The secret integers a and b are discarded at the end of the session. Therefore, Diffie-Hellman key exchange by itself trivially achieves perfect forward secrecy because no
long-term private keying material exists to be disclosed.
7.3 Authentication
In the original description, the Diffie-Hellman exchange by itself does not provide
authentication of the parties, and is thus vulnerable to a man-in-the-middle attack. The man-in-the-middle may establish two distinct Diffie-Hellman keys, one with Alice and the
other with Bob, and then try to masquerade as Alice to Bob and/or vice-versa, perhaps by
decrypting and re-encrypting messages passed between them. Some method to authenticate these parties to each other is generally needed.
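The exchange of 7.1, the exhaustive search that makes p = 23 insecure, and the unauthenticated case of 7.3 are worked through below. This is an added example, not part of the original notes: the function names and the third party's secret m = 3 are constructed for the illustration, and the numbers p, g, a and b are those of the example above.

```python
def public_value(g, secret, p):
    return pow(g, secret, p)

def shared_secret(their_public, my_secret, p):
    return pow(their_public, my_secret, p)

def honest_exchange(p, g, a, b):
    """Return (A, B, Alice's key, Bob's key) for the exchange in 7.1."""
    A, B = public_value(g, a, p), public_value(g, b, p)
    return A, B, shared_secret(B, a, p), shared_secret(A, b, p)

def discrete_log(g, target, p):
    """Exhaustive search for x with g^x = target (mod p).
    Takes at most p - 1 steps, so it is only feasible for tiny p."""
    value = 1
    for x in range(1, p):
        value = value * g % p
        if value == target:
            return x
    raise ValueError("target is not a power of g modulo p")

def intercepted_exchange(p, g, a, b, m):
    """Unauthenticated exchange from 7.3: a party in the middle with secret m
    (constructed value) replaces both public values with its own."""
    A, B, M = (public_value(g, s, p) for s in (a, b, m))
    alice_key = shared_secret(M, a, p)   # Alice believes M came from Bob
    bob_key = shared_secret(M, b, p)     # Bob believes M came from Alice
    middle_keys = (shared_secret(A, m, p), shared_secret(B, m, p))
    return alice_key, bob_key, middle_keys

if __name__ == "__main__":
    p, g, a, b = 23, 5, 6, 15
    A, B, k_alice, k_bob = honest_exchange(p, g, a, b)
    print("A =", A, "B =", B, "shared =", k_alice, k_bob)
    # With p = 23 the secret exponent falls out of the public value at once.
    print("a recovered from A:", discrete_log(g, A, p))
    # Without authentication the two ends hold different keys and cannot tell.
    print("intercepted:", intercepted_exchange(p, g, a, b, 3))
```

In the intercepted run Alice and Bob end with different keys, each shared with the party in the middle rather than with each other, and nothing in the exchange itself reveals this; that is the gap authentication has to close.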
8. Message Authentication Code (MAC) and Hash Functions
Message authentication is concerned with
a) Protecting integrity of the message
b) Validating identity of the originator
c) Non-repudiation of origin
There are three different ways to achieve message authentication:
1 Message Encryption
2 MAC
3 Hash functions
Message encryption can be either symmetric key encryption or public key encryption. If symmetric key encryption is used, the receiver and sender must communicate the secret
key, which is a hazardous task. If public key encryption is used and the public key is used for
encryption, there is no confidence in the sender. However, if the sender uses the private key for
encryption, both confidentiality and authentication are provided. But we still need to recognize corrupted messages.
8.1 MAC
A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. A MAC algorithm accepts as input a secret key and an
arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a
tag). The MAC value protects both a message's integrity as well as its authenticity, by
allowing verifiers (who also possess the secret key) to detect any changes to the message content.
A MAC is a cryptographic checksum:
MAC = C_K(M)
A MAC is a many-to-one function: potentially many messages have the same MAC, but
finding them must be very difficult.
Requirements for MAC
1. Knowing a message and its MAC, it is infeasible to find another message with the
same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
8.2 HASH Functions
A hash function H is a transformation that takes a variable-size input m and returns a
fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with
just this property have a variety of general computational uses, but when employed in cryptography the hash functions are usually chosen to have some additional properties.
The basic requirements for a cryptographic hash function are:
o the input can be of any length,
o the output has a fixed length,
o H(x) is relatively easy to compute for any given x,
o H(x) is one-way,
o H(x) is collision-free.
A hash function H is said to be one-way if it is hard to invert, where "hard to invert"
means that given a hash value h, it is computationally infeasible to find some input x such
that H(x) = h.
If, given a message x, it is computationally infeasible to find a message y not equal to x
such that H(x) = H(y) then H is said to be a weakly collision-free hash function.
A strongly collision-free hash function H is one for which it is computationally infeasible
to find any two messages x and y such that H(x) = H(y).
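The difference between the keyed MAC of 8.1 and the unkeyed hash of 8.2 shows up as soon as a message is altered in transit. This is an added example, not part of the original notes: it instantiates C_K(M) with HMAC-SHA256 from the Python standard library (a choice made for the example), and the key, message and function names are constructed.

```python
import hashlib
import hmac

def unkeyed_digest(message):
    # h = H(m): fixed-size output, computable by anyone who sees the message.
    return hashlib.sha256(message).digest()

def mac(key, message):
    # MAC = C_K(M), here HMAC-SHA256: requires the shared secret key.
    return hmac.new(key, message, hashlib.sha256).digest()

def accept_with_digest(message, digest):
    return hmac.compare_digest(unkeyed_digest(message), digest)

def accept_with_mac(key, message, tag):
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(mac(key, message), tag)

def modify_in_transit(message):
    """Models a party on the channel who does not know the key: the message
    is changed and the only recomputable check value, the hash, is refreshed."""
    changed = message.replace(b"100", b"900")
    return changed, unkeyed_digest(changed)

KEY = b"constructed shared secret"       # constructed sample key
MSG = b"transfer 100 to account 42"      # constructed sample message

if __name__ == "__main__":
    changed, new_digest = modify_in_transit(MSG)
    print("hash check accepts altered message:",
          accept_with_digest(changed, new_digest))
    print("MAC check accepts altered message: ",
          accept_with_mac(KEY, changed, mac(KEY, MSG)))
    print("MAC check accepts original message:",
          accept_with_mac(KEY, MSG, mac(KEY, MSG)))
```

A bare hash travelling with the message detects accidental corruption only; the receiver rejects the altered message only when the check value depends on a key the channel does not know.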
9. Digital Signature
Digital signature (or public-key digital signature) is a type of method for authenticating
digital information analogous to ordinary physical signatures on paper, but implemented
using techniques from the field of public-key cryptography. A digital signature method generally defines two complementary algorithms, one for signing and the other for verification, and the output of the signing process is also called a digital signature. Digital
signature has also been used as a broader term encompassing both public-key digital
signature techniques and message authentication codes.
Instead of encrypting the data itself, the signing software creates a one-way hash of the
data, then uses the private key to encrypt the hash. The encrypted hash, along with other
information, such as the hashing algorithm, is known as a digital signature. The figure
shows a simplified view of the way a digital signature can be used to validate the integrity of signed data.
Using a digital signature to validate data integrity
The figure shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that
has been encrypted with the signer's private key. To validate the integrity of the data, the
receiving software first uses the signer's public key to decrypt the hash. It then uses the same hashing algorithm that generated the original hash to generate a new one-way hash
of the same data. (Information about the hashing algorithm used is sent with the digital
signature, although this isn't shown in the figure.) Finally, the receiving software compares the new hash against the original hash. If the two hashes match, the data has
not changed since it was signed. If they don't match, the data may have been tampered
with since it was signed, or the signature may have been created with a private key that doesn't correspond to the public key presented by the signer. If the two hashes match, the
recipient can be certain that the public key used to decrypt the digital signature
corresponds to the private key used to create the digital signature. Confirming the identity
of the signer, however, also requires some way of confirming that the public key really belongs to a particular person or other entity.
The significance of a digital signature is comparable to the significance of a handwritten
signature. Once you have signed some data, it is difficult to deny doing so later--assuming that the private key has not been compromised or out of the owner's control.
This quality of digital signatures provides a high degree of non-repudiation--that is,
digital signatures make it difficult for the signer to deny having signed the data. In some
situations, a digital signature may be as legally binding as a handwritten signature.
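The sign and validate steps described in this chapter, including the hash algorithm name that travels with the signature, look as follows in code. This is an added example, not part of the original notes: it is textbook RSA on a hash with no padding scheme, the two key pairs are built from small known Mersenne primes chosen for the illustration, the digest is reduced modulo n only because the modulus is so small, and the allow-list of hash names is an assumption about verifier policy.

```python
import hashlib

ALLOWED_HASHES = {"sha256", "sha512"}    # verifier policy (assumption)

def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}   # needs Python 3.8+

def public_part(key):
    return {"n": key["n"], "e": key["e"]}

def digest_int(alg, data, n):
    # One-way hash of the data as an integer below n (toy-sized modulus).
    return int.from_bytes(hashlib.new(alg, data).digest(), "big") % n

def sign(data, key, alg="sha256"):
    # "Encrypt the hash with the private key"; the algorithm name is sent along.
    h = digest_int(alg, data, key["n"])
    return {"alg": alg, "value": pow(h, key["d"], key["n"])}

def verify(data, signature, public):
    if signature["alg"] not in ALLOWED_HASHES:
        return False                     # never hash with whatever the sender names
    # "Decrypt the hash with the public key", then recompute and compare.
    recovered = pow(signature["value"], public["e"], public["n"])
    return recovered == digest_int(signature["alg"], data, public["n"])

# Constructed demo keys; 2**61 - 1, 2**89 - 1 and 2**107 - 1 are prime.
SIGNER = make_key(2**61 - 1, 2**89 - 1)
OTHER = make_key(2**61 - 1, 2**107 - 1)
DOC = b"I owe Bob 10 units."             # constructed sample data

if __name__ == "__main__":
    sig = sign(DOC, SIGNER)
    print("valid:        ", verify(DOC, sig, public_part(SIGNER)))
    print("data changed: ", verify(DOC + b"0", sig, public_part(SIGNER)))
    print("other key:    ", verify(DOC, sig, public_part(OTHER)))
    print("alg rewritten:", verify(DOC, dict(sig, alg="md5"), public_part(SIGNER)))
```

Only the first check succeeds: changed data, a public key that does not match the signing key, and a rewritten algorithm field are all rejected.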
QUESTIONS
1. What is cryptography?
2. What is a block cipher?
3. What is a Feistel cipher?
4. What are weak keys?
5. What is DES?
6. What is triple DES?
7. What are ECB and CBC modes?
8. What is Blowfish?
9. What is multiple encryption?
10. What is stream cipher?
11. What is public key cryptography?
12. What are the key management issues involved in public key cryptography?
13. What are certificates?
14. What are the advantages of public key cryptography over symmetric key cryptography?
15. What is a one-way function?
16. What is the significance of one way function in cryptography?
17. What is RSA?
18. What are the different types of attacks on RSA?
19. What is the RSA factoring challenge?
20. How is RSA used for authentication in practice?
21. What is Diffie Hellman key exchange?
22. What is the significance of factoring in cryptography?
23. What is the discrete logarithm problem?
24. What are MACs?
25. What is a hash function?