cns
TRANSCRIPT
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
SEMESTER -VI
LECTURE NOTES
CS1355 – CRYPTOGRAPHY AND NETWORK SECURITY
PREPARED BY
S.SUBHASINI
AP/CSE
CS1355 CRYPTOGRAPHY AND NETWORK SECURITY 3 1 0 100
UNIT I INTRODUCTION 10
OSI Security Architecture - Classical Encryption techniques – Cipher Principles – Data
Encryption Standard – Block Cipher Design Principles and Modes of Operation -
Evaluation criteria for AES – AES Cipher – Triple DES – Placement of Encryption
Function – Traffic Confidentiality
UNIT II PUBLIC KEY CRYPTOGRAPHY 10
Key Management - Diffie-Hellman key Exchange – Elliptic Curve Architecture and
Cryptography - Introduction to Number Theory – Confidentiality using Symmetric
Encryption – Public Key Cryptography and RSA.
UNIT III AUTHENTICATION AND HASH FUNCTION 9
Authentication requirements – Authentication functions – Message Authentication Codes
– Hash Functions – Security of Hash Functions and MACs – MD5 message Digest
algorithm - Secure Hash Algorithm – RIPEMD – HMAC Digital Signatures –
Authentication Protocols – Digital Signature Standard
UNIT IV NETWORK SECURITY 8
Authentication Applications: Kerberos – X.509 Authentication Service – Electronic Mail
Security – PGP – S/MIME - IP Security – Web Security.
UNIT V SYSTEM LEVEL SECURITY 8
Intrusion detection – password management – Viruses and related Threats – Virus
Counter measures – Firewall Design Principles – Trusted Systems.
TUTORIAL 15 TOTAL : 60
TEXT BOOK
1. William Stallings, “Cryptography And Network Security – Principles and
Practices”, Prentice Hall of India, Third Edition, 2003.
REFERENCES
1. Atul Kahate, “Cryptography and Network Security”, Tata McGraw-Hill, 2003.
2. Bruce Schneier, “Applied Cryptography”, John Wiley & Sons Inc, 2001.
3. Charles B. Pfleeger, Shari Lawrence Pfleeger, “Security in Computing”, Third
Edition, Pearson Education, 2003.
UNIT I
Introduction UNIT I INTRODUCTION 10
OSI Security Architecture - Classical Encryption techniques – Cipher Principles – Data
Encryption Standard – Block Cipher Design Principles and Modes of Operation -
Evaluation criteria for AES – AES Cipher – Triple DES – Placement of Encryption
Function – Traffic Confidentiality
1.1 OSI Security Architecture
1.2 Classical Encryption techniques
1.3 Cipher Principles
1.4 Data Encryption Standard
1.5 Block Cipher Design Principles and Modes of
Operation
1.6 Evaluation criteria for AES
1.7 AES Cipher
1.8 Triple DES
1.9 Placement of Encryption Function
1.10 Traffic Confidentiality
Introduction
• Information Security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored
information
• use of networks and communications links requires measures to protect data
during transmission
• Computer Security - generic name for the collection of tools designed to protect
data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a
collection of interconnected networks
• our focus is on Internet Security
• consists of measures to deter, prevent, detect, and correct security violations that
involve the transmission of information
• Services, Mechanisms, Attacks
• need systematic way to define requirements
• consider three aspects of information security:
• security attack
• security mechanism
• security service • consider in reverse order
• Security Service
• is something that enhances the security of the data processing systems and
the information transfers of an organization
• intended to counter security attacks
• make use of one or more security mechanisms to provide the service
• replicate functions normally associated with physical documents
• eg. have signatures, dates; need protection from disclosure, tampering, or
destruction; be notarized or witnessed; be recorded or licensed
• Security Mechanism
• a mechanism that is designed to detect, prevent, or recover from a security
attack
• no single mechanism that will support all functions required
• however one particular element underlies many of the security
mechanisms in use: cryptographic techniques
• hence our focus on this area
• Security Attack
• any action that compromises the security of information owned by an
organization
• information security is about how to prevent attacks, or failing that, to
detect attacks on information-based systems
• have a wide range of attacks
• can focus of generic types of attacks
• note: often threat & attack mean same
1.1 OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study
• Security Services
X.800 defines it as: a service provided by a protocol layer of communicating
open systems, which ensures adequate security of the systems or of data
transfers
RFC 2828 defines it as: a processing or communication service provided by a
system to give a specific kind of protection to system resources
X.800 defines it in 5 major categories
Authentication - assurance that the communicating entity is the one claimed
Access Control - prevention of the unauthorized use of a resource
Data Confidentiality –protection of data from unauthorized disclosure
Data Integrity - assurance that data received is as sent by an authorized entity
Non-Repudiation - protection against denial by one of the parties in a
communication
• Security Mechanisms
specific security mechanisms:
encipherment, digital signatures, access controls, data integrity,
authentication exchange, traffic padding, routing control, notarization
pervasive security mechanisms:
trusted functionality, security labels, event detection, security audit trails,
security recovery
• Classify Security Attacks as
passive attacks - eavesdropping on, or monitoring of, transmissions to:
obtain message contents, or
monitor traffic flows
active attacks – modification of data stream to:
masquerade of one entity as some other
replay previous messages
modify messages in transit
denial of service
• Model for Network Security
• using this model requires us to:
• design a suitable algorithm for the security transformation
• generate the secret information (keys) used by the algorithm
• develop methods to distribute and share the secret information
• specify a protocol enabling the principals to use the transformation and
secret information for a security service
• Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users
access designated information or resources
• trusted computer systems can be used to implement this model
1.2 Classical Encryption Techniques
1.2.1 Symmetric Cipher Model
1.2.2 Substitution Techniques
1.2.3 Transposition Techniques
1.2.4 Rotor Machines
1.2.5 Steganography
1.2.1 Symmetric Cipher Model
Symmetric Encryption
or conventional / private-key / single-key
sender and recipient share a common key
all classical encryption algorithms are private-key
was only type prior to invention of public-key in 1970‟s
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering ciphertext from plaintext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/ methods of deciphering
ciphertext without knowing key
cryptology - the field of both cryptography and cryptanalysis
Symmetric Cipher Model
Requirements
o two requirements for secure use of symmetric encryption:
o a strong encryption algorithm
o a secret key known only to sender / receiver
o Y = EK(X)
o X = DK(Y)
o assume encryption algorithm is known
o implies a secure channel to distribute key
Types of Cryptanalytic Attacks
o ciphertext only o only know algorithm / ciphertext, statistical, can identify plaintext
o known plaintext o know/suspect plaintext & ciphertext to attack cipher
o chosen plaintext o select plaintext and obtain ciphertext to attack cipher
o chosen ciphertext o select ciphertext and obtain plaintext to attack cipher
o chosen text o select either plaintext or ciphertext to en/decrypt to attack cipher
Brute Force Search
o always possible to simply try every key
o most basic attack, proportional to key size
o assume either know / recognise plaintext
unconditional security o no matter how much computer power is available, the cipher cannot be
broken since the ciphertext provides insufficient information to uniquely
determine the corresponding plaintext
computational security o given limited computing resources (eg time needed for calculations is
greater than age of universe), the cipher cannot be broken
1.2.2 Substitution Techniques
Caesar Cipher
Monoalphabetic Cipher
Playfair Cipher
Polyalphabetic Ciphers
Vigenère Cipher
Kasiski Method
Autokey Cipher
One-Time Pad
Classical Substitution Ciphers
o where letters of plaintext are replaced by other letters or by numbers or
symbols
o or if plaintext is viewed as a sequence of bits, then substitution involves
replacing plaintext bit patterns with ciphertext bit patterns
Caesar Cipher
o earliest known substitution cipher
o by Julius Caesar
o first attested use in military affairs
o replaces each letter by 3rd letter on
o example:
o meet me after the toga party
o PHHW PH DIWHU WKH WRJD SDUWB
o can define transformation as:
o a b c d e f g h i j k l m n o p q r s t u v w x y z
o D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
o mathematically give each letter a number
o a b c d e f g h i j k l m
o 0 1 2 3 4 5 6 7 8 9 10 11 12
o n o p q r s t u v w x y z
o 13 14 15 16 17 18 19 20 21 22 23 24 25
o then have Caesar cipher as:
C = E(p) = (p + k) mod (26)
p = D(C) = (C – k) mod (26)
Cryptanalysis of Caesar Cipher
o only have 26 possible ciphers
o A maps to A,B,..Z
o could simply try each in turn
o a brute force search
o given ciphertext, just try all shifts of letters
o do need to recognize when have plaintext
o eg. break ciphertext "GCUA VQ DTGCM"
Monoalphabetic Cipher
o rather than just shifting the alphabet
o could shuffle (jumble) the letters arbitrarily
o each plaintext letter maps to a different random ciphertext letter
o hence key is 26 letters long
o Plain: a b c d ef g h i j k l mn o pq r s t u vwx y z
o Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
o Plaintext: i fwew i s ht o r e pl a c e l e t t e r s
o Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
o now have a total of 26! = 4 x 1026 keys
o with so many keys, might think is secure
o but would be !!!WRONG!!!
o problem is language characteristics
Language Redundancy and Cryptanalysis
o human languages are redundant
o eg "th lrd s m shphrd shll nt wnt"
o letters are not equally commonly used
o in English e is by far the most common letter
o then T,R,N,I,O,A,S
o other letters are fairly rare
o cf. Z,J,K,Q,X
o have tables of single, double & triple letter frequencies
English Letter Frequencies
Use in Cryptanalysis
o key concept - monoalphabetic substitution ciphers do not change relative
letter frequencies
o discovered by Arabian scientists in 9th
century
o calculate letter frequencies for ciphertext
o compare counts/plots against known values
o if Caesar cipher look for common peaks/troughs
o peaks at: A-E-I triple, NO pair, RST triple
o troughs at: JK, X-Z
o for monoalphabetic must identify each letter
o tables of common double/triple letters help
Example Cryptanalysis
o given ciphertext:
o UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
o VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
o EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
o count relative letter frequencies (see text)
o guess P & Z are e and t
o guess ZW is th and hence ZWP is the
o proceeding with trial and error fially get:
it was disclosed yesterday that several informal but
direct contacts have been made with political
representatives of the viet cong in moscow
Playfair Cipher
o not even the large number of keys in a monoalphabetic cipher provides
security
o one approach to improving security was to encrypt multiple letters
o the Playfair Cipher is an example
o invented by Charles Wheatstone in 1854, but named after his friend Baron
Playfair
Playfair Key Matrix
o a 5X5 matrix of letters based on a keyword
o fill in letters of keyword (sans duplicates)
o fill rest of matrix with other letters
o eg. using the keyword MONARCHY
MONAR
CHYBD
EFGIK
LPQST
UVWXZ
Encrypting and Decrypting
o plaintext encrypted two letters at a time:
o 1. if a pair is a repeated letter, insert a filler like 'X',
eg. "balloon" encrypts as "ba lx lo on"
o 2. if both letters fall in the same row, replace each with letter to right
(wrapping back to start from end),
eg. “ar" encrypts as "RM"
o 3. if both letters fall in the same column, replace each with the letter below
it (again wrapping to top from bottom),
eg. “mu" encrypts to "CM"
o 4. otherwise each letter is replaced by the one in its row in the column of
the other letter of the pair, eg. “hs" encrypts to "BP", and “ea" to "IM" or
"JM" (as desired)
Security of the Playfair Cipher
o security much improved over monoalphabetic
o since have 26 x 26 = 676 digrams
o would need a 676 entry frequency table to analyse (verses 26 for a
monoalphabetic)
o and correspondingly more ciphertext
o was widely used for many years (eg. US & British military in WW1)
o it can be broken, given a few hundred letters
o since still has much of plaintext structure
Polyalphabetic Ciphers
o another approach to improving security is to use multiple cipher alphabets
o called polyalphabetic substitution ciphers
o makes cryptanalysis harder with more alphabets to guess and flatter
frequency distribution
o use a key to select which alphabet is used for each letter of the message
o use each alphabet in turn
o repeat from start after end of key is reached
Vigenère Cipher
o simplest polyalphabetic substitution cipher is the Vigenère Cipher
o effectively multiple caesar ciphers
o key is multiple letters long K = k1 k2 ... kd
o ith
letter specifies ith
alphabet to use
o use each alphabet in turn
o repeat from start after d letters in message
o decryption simply works in reverse
Example
o write the plaintext out
o write the keyword repeated above it
o use each key letter as a caesar cipher key
o encrypt the corresponding plaintext letter
o eg using keyword deceptive
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Aids
o simple aids can assist with en/decryption
o a Saint-Cyr Slide is a simple manual aid
o a slide with repeated alphabet
o line up plaintext 'A' with key letter, eg 'C'
o then read off any mapping for key letter
o can bend round into a cipher disk
o or expand into a Vigenère Tableau (see text Table 2.3)
Security of Vigenère Ciphers
o have multiple ciphertext letters for each plaintext letter
o hence letter frequencies are obscured
o but not totally lost
o start with letter frequencies
o see if look monoalphabetic or not
o if not, then need to determine number of alphabets, since then can attach
each
Kasiski Method
o method developed by Babbage / Kasiski
o repetitions in ciphertext give clues to period
o so find same plaintext an exact period apart
o which results in the same ciphertext
o of course, could also be random fluke
o eg repeated “VTW” in previous example
o suggests size of 3 or 9
o then attack each monoalphabetic cipher individually using same
techniques as before
Autokey Cipher
o ideally want a key as long as the message
o Vigenère proposed the autokey cipher
o with keyword is prefixed to message as key
o knowing keyword can recover the first few letters
o use these in turn on the rest of the message
o but still have frequency characteristics to attack
o eg. given key deceptive
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGKZEIIGASXSTSLVVWLA
One-Time Pad
o if a truly random key as long as the message is used, the cipher will be
secure
o called a One-Time pad
o is unbreakable since ciphertext bears no statistical relationship to the
plaintext
o since for any plaintext & any ciphertext there exists a key mapping one
to other
o can only use the key once though
o have problem of safe distribution of key
1.2.3 Transposition Techniques
Rail Fence cipher
Row Transposition Ciphers
Product Ciphers
now consider classical transposition or permutation ciphers
these hide the message by rearranging the letter order
without altering the actual letters used
can recognise these since have the same frequency distribution as the original text
Rail Fence cipher
o write message letters out diagonally over a number of rows
o then read off cipher row by row
o eg. write message out as:
m e m a t r h t g p r y
e t e f e t e o a a t
o giving ciphertext
MEMATRHTGPRYETEFETEOAAT
Row Transposition Ciphers
o a more complex scheme
o write letters of message out in rows over a specified number of columns
o then reorder the columns according to some key before reading off the
rows
o Key: 4 3 1 2 5 6 7
o Plaintext: a t t a c k p
o o s t p o n e
o d u n t i l t
o w o a m x y z
o Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
Product Ciphers
o ciphers using substitutions or transpositions are not secure because of
language characteristics
o hence consider using several ciphers in succession to make harder, but:
two substitutions make a more complex substitution
two transpositions make more complex transposition
but a substitution followed by a transposition makes a new much
harder cipher
o this is bridge from classical to modern ciphers
1.2.4 Rotor Machines
before modern ciphers, rotor machines were most common product cipher
were widely used in WW2
German Enigma, Allied Hagelin, Japanese Purple
implemented a very complex, varying substitution cipher
used a series of cylinders, each giving one substitution, which rotated and
changed after each letter was encrypted
with 3 cylinders have 263=17576 alphabets
1.2.5 Steganography
an alternative to encryption
hides existence of message
o using only a subset of letters/words in a longer message marked in some
way
o using invisible ink
o hiding in LSB in graphic image or sound file
has drawbacks
high overhead to hide relatively few info bits
Character marking – selected letters of printed or typewritten text are overwritten
in pencil. The marks are ordinarily not visible unless the paper is held at an angle
to bright light.
Invisible ink – a number of substances can be used for writing but leave no visible
trace until heat or some chemical is applied to the paper.
Pin punctures – small pin punctures on selected letters are ordinarily not visible
unless the paper is held up in front of a light.
Typewriter correction ribbon – used between lines typed with a black ribbon, the
results of typing with the correction tape are visible only under a strong light.
1.3 Cipher Principles
Modern Block Ciphers
o will now look at modern block ciphers
o one of the most widely used types of cryptographic algorithms
o provide secrecy and/or authentication services
o in particular will introduce DES (Data Encryption Standard)
Block vs Stream Ciphers
o block ciphers process messages in into blocks, each of which is then
en/decrypted
o like a substitution on very big characters
64-bits or more
o stream ciphers process messages a bit or byte at a time when en/decrypting
o many current ciphers are block ciphers
o hence are focus of course
Block Cipher Principles
o most symmetric block ciphers are based on a Feistel Cipher Structure
o needed since must be able to decrypt ciphertext to recover messages
efficiently
o block ciphers look like an extremely large substitution
o would need table of 264
entries for a 64-bit block
o instead create from smaller building blocks
o using idea of a product cipher
Claude Shannon and Substitution-Permutation Ciphers
o in 1949 Claude Shannon introduced idea of substitution-permutation (S-P)
networks
o modern substitution-transposition product cipher
o these form the basis of modern block ciphers
o S-P networks are based on the two primitive cryptographic operations we
have seen before:
o substitution (S-box)
o permutation (P-box)
o provide confusion and diffusion of message
Confusion and Diffusion
o cipher needs to completely obscure statistical properties of original
message
o a one-time pad does this
o more practically Shannon suggested combining elements to obtain:
o diffusion – dissipates statistical structure of plaintext over bulk of
ciphertext
o confusion – makes relationship between ciphertext and key as complex as
possible
Feistel Cipher Structure
o Horst Feistel devised the feistel cipher
o based on concept of invertible product cipher
o partitions input block into two halves
o process through multiple rounds which
o perform a substitution on left data half
o based on round function of right half & subkey
o then have permutation swapping halves
o implements Shannon‟s substitution-permutation network concept
Feistel Cipher Design Principles
block size o increasing size improves security, but slows cipher
key size o increasing size improves security, makes exhaustive key searching harder,
but may slow cipher
number of rounds o increasing number improves security, but slows cipher
subkey generation o greater complexity can make analysis harder, but slows cipher
round function o greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis o are more recent concerns for practical use and testing
Feistel Cipher Decryption
1.4 Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST)
as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
DES History
o IBM developed Lucifer cipher
o by team led by Feistel
o used 64-bit data blocks with 128-bit key
o then redeveloped as a commercial cipher with input from NSA and others
o in 1973 NBS issued request for proposals for a national cipher standard
o IBM submitted their revised Lucifer which was eventually accepted as the
DES
DES Design Controversy
o although DES standard is public
o was considerable controversy over design
o in choice of 56-bit key (vs Lucifer 128-bit)
o and because design criteria were classified
o subsequent events and public analysis show in fact design was appropriate
o DES has become widely used, especially in financial applications
DES Encryption
Initial Permutation IP
o first step of the data computation
o IP reorders the input data bits
o even bits to LH half, odd bits to RH half
o quite regular in structure (easy in h/w)
o see text Table 3.2
o example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
DES Round Structure
o uses two 32-bit L & R halves
o as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
o takes 32-bit R half and 48-bit subkey and:
expands R to 48-bits using perm E
adds to subkey
passes through 8 S-boxes to get 32-bit result
finally permutes this using 32-bit perm P
Substitution Boxes S
o have eight S-boxes which map 6 to 4 bits
o each S-box is actually 4 little 4 bit boxes
o outer bits 1 & 6 (row bits) select one rows
o inner bits 2-5 (col bits) are substituted
o result is 8 lots of 4 bits, or 32 bits
o row selection depends on both data & key
o feature known as autoclaving (autokeying)
o example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule
o forms subkeys used in each round
o consists of:
initial permutation of the key (PC1) which selects 56-bits in two
28-bit halves
16 stages consisting of:
selecting 24-bits from each half
permuting them by PC2 for use in function f,
rotating each half separately either 1 or 2 places depending
on the key rotation schedule K
DES Decryption
o decrypt must unwind steps of data computation
o with Feistel design, do encryption steps again
o using subkeys in reverse order (SK16 … SK1)
o note that IP undoes final FP step of encryption
o 1st round with SK16 undoes 16th encrypt round
o ….
o 16th round with SK1 undoes 1st encrypt round
o then final FP undoes initial encryption IP
o thus recovering original data value
Avalanche Effect
o key desirable property of encryption alg
o where a change of one input or key bit results in changing approx half
output bits
o making attempts to “home-in” by guessing keys impossible
o DES exhibits strong avalanche
Strength of DES – Key Size
o 56-bit keys have 256
= 7.2 x 1016
values
o brute force search looks hard
o recent advances have shown is possible
o in 1997 on Internet in a few months
o in 1998 on dedicated h/w (EFF) in a few days
o in 1999 above combined in 22hrs!
o still must be able to recognize plaintext
o now considering alternatives to DES
Strength of DES – Timing Attacks
o attacks actual implementation of cipher
o use knowledge of consequences of implementation to derive knowledge of
some/all subkey bits
o specifically use fact that calculations can take varying times depending on
the value of the inputs to it
o particularly problematic on smartcards
Strength of DES – Analytic Attacks
o now have several analytic attacks on DES
o these utilise some deep structure of the cipher
by gathering information about encryptions
can eventually recover some/all of the sub-key bits
if necessary then exhaustively search for the rest
o generally these are statistical attacks
o include
differential cryptanalysis
linear cryptanalysis
related key attacks
Differential Cryptanalysis
o one of the most significant recent (public) advances in cryptanalysis
o known by NSA in 70's cf DES design
o Murphy, Biham & Shamir published 1990
o powerful method to analyse block ciphers
o used to analyse most current block ciphers with varying degrees of success
o DES reasonably resistant to it, cf Lucifer
Differential Cryptanalysis Compares Pairs of Encryptions
o with a known difference in the input
o searching for a known difference in output
o when same subkeys are used
o have some input difference giving some output difference with probability
p
o if find instances of some higher probability input / output difference pairs
occurring
o can infer subkey that was used in round
o then must iterate process over many rounds (with decreasing probabilities)
o perform attack by repeatedly encrypting plaintext pairs with known input
XOR until obtain desired output XOR
o when found
o if intermediate rounds match required XOR have a right pair
o if not then have a wrong pair, relative ratio is S/N for attack
o can then deduce keys values for the rounds
o right pairs suggest same key bits
o wrong pairs give random values
o for large numbers of rounds, probability is so low that more pairs are required
than exist with 64-bit inputs
o Biham and Shamir have shown how a 13-round iterated characteristic can
break the full 16-round DES
Linear Cryptanalysis
o another recent development
o also a statistical method
o must be iterated over rounds, with decreasing probabilities
o developed by Matsui et al in early 90's
o based on finding linear approximations
o can attack DES with 247
known plaintexts, still in practise infeasible
o find linear approximations with prob p != ½
o P[i1,i2,...,ia](+)C[j1,j2,...,jb] = K[k1,k2,...,kc]
o where ia,jb,kc are bit locations in P,C,K
o gives linear equation for key bits
o get one key bit using max likelihood alg
o using a large number of trial encryptions
o effectiveness given by: |p–½|
1.5 Block Cipher Design Principles and Modes of Operation
basic principles still like Feistel in 1970‟s
number of rounds
o more is better, exhaustive search best attack
function f:
o provides “confusion”, is nonlinear, avalanche
key schedule
o complex subkey creation, key avalanche
Modes of Operation
o block ciphers encrypt fixed size blocks
o eg. DES encrypts 64-bit blocks, with 56-bit key
o need way to use in practise, given usually have arbitrary amount of
information to encrypt
o four were defined for DES in ANSI standard ANSI X3.106-1983 Modes
of Use
o subsequently now have 5 for DES and AES
o have block and stream modes
Electronic Codebook Book (ECB)
o message is broken into independent blocks which are encrypted
o each block is a value which is substituted, like a codebook, hence name
o each block is encoded independently of the other blocks
Ci = DESK1 (Pi)
o uses: secure transmission of single values
Advantages and Limitations of ECB
o repetitions in message may show in ciphertext
o if aligned with message block
o particularly with data such graphics
o or with messages that change very little, which become a code-book
analysis problem
o weakness due to encrypted message blocks being independent
o main use is sending a few blocks of data
Cipher Block Chaining (CBC)
o message is broken into blocks
o but these are linked together in the encryption operation
o each previous cipher blocks is chained with current plaintext block, hence
name
o use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
o uses: bulk data encryption, authentication
Advantages and Limitations of CBC
o each ciphertext block depends on all message blocks
o thus a change in the message affects all ciphertext blocks after the change
as well as the original block
o need Initial Value (IV) known to sender & receiver
however if IV is sent in the clear, an attacker can change bits of the
first block, and change IV to compensate
hence either IV must be a fixed value (as in EFTPOS) or it must be
sent encrypted in ECB mode before rest of message
o at end of message, handle possible last short block
by padding either with known non-data value (eg nulls)
or pad last block with count of pad size
eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes
pad+count
Cipher FeedBack (CFB)
o message is treated as a stream of bits
o added to the output of the block cipher
o result is feed back for next stage (hence name)
o standard allows any number of bit (1,8 or 64 or whatever) to be feed back
o denoted CFB-1, CFB-8, CFB-64 etc
o is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
o uses: stream data encryption, authentication
Advantages and Limitations of CFB
o appropriate when data arrives in bits/bytes
o most common stream mode
o limitation is need to stall while do block encryption after every n-bits
o note that the block cipher is used in encryption mode at both ends
o errors propagate for several blocks after the error
Output FeedBack (OFB)
o message is treated as a stream of bits
o output of cipher is added to message
o output is then feed back (hence name)
o feedback is independent of message
o can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
o uses: stream encryption over noisy channels
Advantages and Limitations of OFB
o used when error feedback a problem or where need to encryptions before
message is available
o superficially similar to CFB
o but feedback is from the output of cipher and is independent of message
o a variation of a Vernam cipher
o hence must never reuse the same sequence (key+IV)
o sender and receiver must remain in sync, and some recovery method is
needed to ensure this occurs
o originally specified with m-bit feedback in the standards
o subsequent research has shown that only OFB-64 should ever be used
Counter (CTR)
o a “new” mode, though proposed early on
o similar to OFB but encrypts counter value rather than any feedback value
o must have a different key & counter value for every plaintext block (never
reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
o uses: high-speed network encryptions
Advantages and Limitations of CTR
o efficiency
can do parallel encryptions
in advance of need
good for bursty high speed links
o random access to encrypted data blocks
o provable security (good as other modes)
o but must ensure never reuse key/counter values, otherwise could break (cf
OFB)
1.6 Advanced Encryption Standard (AES) Evaluation Criteria
AES Requirements
o private key symmetric block cipher
o 128-bit data, 128/192/256-bit keys
o stronger & faster than Triple-DES
o active life of 20-30 years (+ archival use)
o provide full specification & design details
o both C & Java implementations
o NIST have released all submissions & unclassified analyses
AES Evaluation Criteria
o initial criteria:
security – effort to practically cryptanalyse
cost – computational
algorithm & implementation characteristics
o final criteria
general security
software & hardware implementation ease
implementation attacks
flexibility (in en/decrypt, keying, other factors)
1.7 AES Cipher - Rijendael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
o treats data in 4 groups of 4 bytes
o operates an entire block in every round
designed to be:
o resistant against known attacks
o speed and code compactness on many CPUs
o design simplicity
processes data as 4 groups of 4 bytes (state)
has 9/11/13 rounds in which state undergoes:
o byte substitution (1 S-box used on every byte)
o shift rows (permute bytes between groups/columns)
o mix columns (subs using matrix multipy of groups)
o add round key (XOR state with key material)
initial XOR key material & incomplete last round
all operations can be combined into XOR and table lookups - hence very fast &
efficient
Byte Substitution
o a simple substitution of each byte
o uses one table of 16x16 bytes containing a permutation of all 256 8-bit
values
o each byte of state is replaced by byte in row (left 4-bits) & column (right
4-bits)
o eg. byte {95} is replaced by row 9 col 5 byte
o which is the value {2A}
o S-box is constructed using a defined transformation of the values in
GF(28)
o designed to be resistant to all known attacks
Shift Rows
o a circular byte shift in each
1st row is unchanged
2nd
row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
o decrypt does shifts to right
o since state is processed by columns, this step permutes bytes between the
columns
Mix Columns
o each column is processed separately
o each byte is replaced by a value dependent on all 4 bytes in the column
o effectively a matrix multiplication in GF(28) using prime poly m(x)
=x8+x
4+x
3+x+1
Add Round Key
o XOR state with 128-bits of the round key
o again processed by column (though effectively a series of byte operations)
o inverse for decryption is identical since XOR is own inverse, just with
correct round key
o designed to be as simple as possible
AES Round
AES Key Expansion
o takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit
words
o start by copying key into first 4 words
o then loop creating words that depend on values in previous & 4 places
back
in 3 of 4 cases just XOR these together
every 4th
has S-box + rotate + XOR constant of previous before
XOR together
o designed to resist known attacks
AES Decryption
o AES decryption is not identical to encryption since steps done in reverse
o but can define an equivalent inverse cipher with steps as for encryption
o but using inverses of each step
o with a different key schedule
o works since result is unchanged when
o swap byte substitution & shift rows
o swap mix columns & add (tweaked) round key
1.8 Triple DES
clear a replacement for DES was needed
theoretical attacks that can break it
demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple encryption with DES implementations
Triple-DES is the chosen form
Why Triple-DES?
o why not Double-DES?
NOT same as some other single-DES use, but have
o meet-in-the-middle attack
works whenever use a cipher twice
since X = EK1[P] = DK2[C]
attack by encrypting P with all keys and store
then decrypt C with keys and match X value
can show takes O(256
) steps
Triple-DES with Two-Keys
o hence must use 3 encryptions
would seem to need 3 distinct keys
o but can use 2 keys with E-D-E sequence
C = EK1[DK2[EK1[P]]]
nb encrypt & decrypt equivalent in security
if K1=K2 then can work with single DES
o standardized in ANSI X9.17 & ISO8732
o no current known practical attacks
Triple-DES with Three-Keys
o although are no practical attacks on two-key Triple-DES have some
indications
o can use Triple-DES with Three-Keys to avoid even these
C = EK3[DK2[EK1[P]]]
o has been adopted by some Internet applications, eg PGP, S/MIME
1.9 Placement of Encryption Function
can place encryption function at various layers in OSI Reference Model
o link encryption occurs at layers 1 or 2
o end-to-end can occur at layers 3, 4, 6, 7
o as move higher less information is encrypted but it is more secure though
more complex with more entities and keys
1.10 Traffic Confidentiality
is monitoring of communications flows between parties
o useful both in military & commercial spheres
o can also be used to create a covert channel
link encryption obscures header details
o but overall traffic volumes in networks and at end-points is still visible
traffic padding can further obscure flows
o but at cost of continuous traffic
Questions:
1. What is information security?
2. What is computer security?
3. What is network security?
4. What is internet security?
5. Why internetwork security is is both fascinating and complex?
6. What is a security service?
7. What is security mechanism?
8. What is security attack?
9. List any four attacks in network communication.
10. What are the three aspects of information security?
11. What is the difference between threat and attack?
12. What is authentication?
13. What is peer entity authentication?
14. What is data origin authentication?
15. What is access control?
16. What is data confidentiality?
17. What is data integrity?
18. What is nonrepudiation?
19. What is passive attack? Give example.
20. What is active attack? Give example.
21. How will you classify security attacks?
22. List some security mechanism.
23. What are the types of threats?
24. What is meant by information access threats?
25. What is meant by service threats?
26. What are plain text and cipher text?
27. What is enciphering or encryption?
28. What is deciphering or decryption?
29. What is cryptography?
30. What is crypt-analysis?
31. What is cryptology?
32. What is symmetric encryption or conventional encryption or single key
encryption?
33. What are the ingredients of symmetric encryption?
34. List the disadvantages of symmetric ciphers.
35. What are the two requirements for secure use of conventional encryption?
36. What are the characteristic of cryptographic systems?
37. What is a block cipher?
38. What is a stream cipher?
39. What are the two general approaches to attacking a conventional encryption
scheme?
40. What is Brute-force attack?
41. When an encryption scheme is said to be unconditionally secure?
42. When an encryption scheme is said to be computationally secure?
43. What are the criteria for an encryption scheme?
44. What are the various substitution techniques used for encryption?
45. What is Caesar cipher?
46. What is monoalphabetic cipher?
47. What is playfair cipher?
48. What is Hill cipher?
49. What is polyalphabetic cipher?
50. What is vigenere cipher?
51. What is one-time pad?
52. What are the difficulties of one-time pad?
53. What are the cryptanalysis of Caesar cipher?
54. What are the cryptoanalysis of monoalphabetic cipher?
55. What are the transposition techniques used for encryption?
56. What is steganography?
57. What are the various techniques used in steganography?
58. Define the term confusion.
59. Define the term diffusion.
60. What is avalanche effect?
61. What is timing attacks?
62. What is electronic codebook mode (ECB)?
63. What are the advantage and limitations of ECB?
64. What is cipher block chaining mode (CBC)?
65. What are the advantage and limitations of CBC?
66. What is cipher feedback mode (CFB)?
67. What are the advantage and limitations of CFB?
68. What is output feedback mode (OFB)?
69. What are the advantage and limitations of OFB?
70. What is counter mode (CTR)?
71. What are the advantage and limitations of CTR?
72. Compare DES and AES.
73. Compare simplified DES and DES.
74. What are the characteristic of AES?
75. What is GF(28)?
76. Write the pseudo code for AES key expansion algorithm.
77. Why triple DES? Why not double DES?
78. What are the disadvantages of double DES?
79. What is meet-in-the middle attack?
80. What are the two approaches to encryption placement?
81. What are the differences between link and end-to-end encryption?
82. What is eavesdropping?
83. What is point of vulnerability?
84. What is traffic confidentiality?
85. What are the types of information that can be derived from a traffic analysis
attack?
86. What is covert channel?
87. What is traffic padding?
Big Questions
88. Explain triple DES with two keys. (10 marks)
89. Explain triple DES with three keys. (6 marks)
90. Explain link and end-to-end encryption. (12 marks)
91. Compare link vs end-to-end encryption in detail. (10 marks)
92. Explain traffic confidentiality for link and end-to-end encryption approach? (8
marks)
93. Explain in detail about linear and differential cryptanalysis. (10 marks)
94. Explain the design principles of block cipher. (10 marks)
95. Explain the block cipher modes of operation. (16 marks)
96. Explain the strength of DES. (8 marks)
97. Describe the operation of AES with an example. (16 marks)
98. Explain the AES evaluation. (10 marks)
99. Explain DES in detail. (16 marks)
100. Explain simplified DES in detail with an example. (12 marks)
101. Explain block cipher principles in detail. (16 marks)
102. Explain Feistal cipher in detail. (16 marks)
103. Explain symmetric cipher model. (10 marks)
104. Explain various transposition ciphers in detail. (8 marks)
105. Explain the basic principles of rotor machine. (8 marks)
106. Explain steganography in detail. (6 marks)
107. Explain network security model. (8 marks)
108. Explain the OSI security architecture. (10 marks)
109. Explain in detail about various substitution techniques or classical
encryption techniques. (16 marks)
UNIT II
Public-key Cryptography Key Management - Diffie-Hellman key Exchange – Elliptic Curve Architecture and
Cryptography - Introduction to Number Theory – Confidentiality using Symmetric
Encryption – Public Key Cryptography and RSA.
2.1 Key Management
2.2 Diffie-Hellman key Exchange
2.3 Elliptic Curve Architecture and Cryptography
2.4 Introduction to Number Theory
2.5 Confidentiality using Symmetric Encryption
2.6 Public Key Cryptography and RSA
2.1 Key Management
2.1.1 Distribution of Public Keys
2.1.2 Public-Key Distribution of Secret keys
public-key encryption helps address key distribution problems
have two aspects of this:
distribution of public keys
use of public-key encryption to distribute secret keys
2.1.1 Distribution of Public Keys
o can be considered as using one of:
Public announcement
Publicly available directory
Public-key authority
Public-key certificates
o Public Announcement
users distribute public keys to recipients or broadcast to
community at large
eg. append PGP keys to email messages or post to news groups or
email list
major weakness is forgery
anyone can create a key claiming to be someone else and broadcast
it
until forgery is discovered can masquerade as claimed user
o Publicly Available Directory
can obtain greater security by registering keys with a public
directory
directory must be trusted with properties:
contains {name,public-key} entries
participants register securely with directory
participants can replace key at any time
directory is periodically published
directory can be accessed electronically
still vulnerable to tampering or forgery
o Public-Key Authority
improve security by tightening control over distribution of keys
from directory
has properties of directory
and requires users to know public key for the directory
then users interact with directory to obtain any desired public key
securely
does require real-time access to directory when keys are needed
o Public-Key Certificates
certificates allow key exchange without real-time access to
public-key authority
a certificate binds identity to public key
usually with other info such as period of validity, rights of use
etc
with all contents signed by a trusted Public-Key or Certificate
Authority (CA)
can be verified by anyone who knows the public-key
authorities public-key
2.1.2 Public-Key Distribution of Secret Keys
o use previous methods to obtain public-key
o can use for secrecy or authentication
o but public-key algorithms are slow
o so usually want to use private-key encryption to protect message
contents
o hence need a session key
o have several alternatives for negotiating a suitable session
o Simple Secret Key Distribution
proposed by Merkle in 1979
A generates a new temporary public key pair
A sends B the public key and their identity
B generates a session key K sends it to A encrypted using the
supplied public key
A decrypts the session key and both use
problem is that an opponent can intercept and impersonate both
halves of protocol
o if have securely exchanged public-keys:
2.2 Diffie-Hellman Key Exchange
o first public-key type scheme proposed
o by Diffie & Hellman in 1976 along with the exposition of public key
concepts
o note: now know that James Ellis (UK CESG) secretly proposed the
concept in 1970
o is a practical method for public exchange of a secret key
o used in a number of commercial products
o a public-key distribution scheme
o cannot be used to exchange an arbitrary message
o rather it can establish a common key
o known only to the two participants
o value of key depends on the participants (and their private and public key
information)
o based on exponentiation in a finite (Galois) field (modulo a prime or a
polynomial) - easy
o security relies on the difficulty of computing discrete logarithms (similar
to factoring) – hard
o Diffie-Hellman Setup
all users agree on global parameters:
large prime integer or polynomial q
α a primitive root mod q
each user (eg. A) generates their key
chooses a secret key (number): xA < q
compute their public key: yA = αxA
mod q
each user makes public that key yA
o shared session key for users A & B is KAB:
o KAB = αxA.xB
mod q
o = yAxB
mod q (which B can compute)
o = yBxA
mod q (which A can compute)
o KAB is used as session key in private-key encryption scheme between
Alice and Bob
o if Alice and Bob subsequently communicate, they will have the same key
as before, unless they choose new public-keys
o attacker needs an x, must solve discrete log
o Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
agree on prime q=353 and α=3
select random secret keys:
A chooses xA=97, B chooses xB=233
compute public keys:
yA=397
mod 353 = 40 (Alice)
yB=3233
mod 353 = 248 (Bob)
compute shared session key as:
KAB= yBxA
mod 353 = 24897
= 160 (Alice)
KAB= yAxB
mod 353 = 40233
= 160 (Bob)
2.3 Elliptic Curve Cryptography
majority of public-key crypto (RSA, D-H) use either integer or polynomial
arithmetic with very large numbers/polynomials
imposes a significant load in storing and processing keys and messages
an alternative is to use elliptic curves
offers same security with smaller bit sizes
Real Elliptic Curves
o an elliptic curve is defined by an equation in two variables x & y, with
coefficients
o consider a cubic elliptic curve of form
o y2 = x
3 + ax + b
o where x,y,a,b are all real numbers
o also define zero point O
o have addition operation for elliptic curve
o geometrically sum of Q+R is reflection of intersection R
Finite Elliptic Curves
o Elliptic curve cryptography uses curves whose variables & coefficients are
finite
o have two families commonly used:
o prime curves Ep(a,b) defined over Zp
o use integers modulo a prime
o best in software
o binary curves E2m(a,b) defined over GF(2n)
o use polynomials with binary coefficients
o best in hardware
Elliptic Curve Cryptography
o ECC addition is analog of modulo multiply
o ECC repeated addition is analog of modulo exponentiation
o need “hard” problem equiv to discrete log
o Q=kP, where Q,P belong to a prime curve
o is “easy” to compute Q given k,P
o but “hard” to find k given Q,P
o known as the elliptic curve logarithm problem
o Certicom example: E23(9,17)
ECC Diffie-Hellman
o can do key exchange analogous to D-H
o users select a suitable curve Ep(a,b)
o select base point G=(x1,y1) with large order n s.t. nG=O
o A & B select private keys nA<n, nB<n
o compute public keys: PA=nA×G, PB=nB×G
o compute shared key: K=nA×PB, K=nB×PA
o same since K=nA×nB×G
ECC Encryption/Decryption
o several alternatives, will consider simplest
o must first encode any message M as a point on the elliptic curve Pm
o select suitable curve & point G as in D-H
o each user chooses private key nA<n
o and computes public key PA=nA×G
o to encrypt Pm : Cm={kG, Pm+k Pb}, k random
o decrypt Cm compute:
o Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
ECC Security
o relies on elliptic curve logarithm problem
o fastest method is “Pollard rho method”
o compared to factoring, can use much smaller key sizes than with RSA etc
o for equivalent key lengths computations are roughly equivalent
o hence for similar security ECC offers significant computational
advantages
2.4 Introduction to Number Theory
Prime Numbers
o prime numbers only have divisors of 1 and self
o they cannot be written as a product of other numbers
o note: 1 is prime, but is generally not of interest
o eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
o prime numbers are central to number theory
o list of prime number less than 200 is:
o 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83
89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173
179 181 191 193 197 199
Prime Factorisation
o to factor a number n is to write it as a product of other numbers: n=a × b ×
c
o note that factoring a number is relatively hard compared to multiplying the
factors together to generate the number
o the prime factorisation of a number n is when its written as a product of
primes
o eg. 91=7×13 ; 3600=24×3
2×5
2
Relatively Prime Numbers & GCD
o two numbers a, b are relatively prime if have no common divisors apart
from 1
o eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are
1,3,5,15 and 1 is the only common factor
o conversely can determine the greatest common divisor by comparing their
prime factorizations and using least powers
o eg. 300=21×3
1×5
2 18=2
1×3
2 hence GCD(18,300)=2
1×3
1×5
0=6
Fermat's Theorem
o ap-1
mod p = 1
o where p is prime and gcd(a,p)=1
o also known as Fermat‟s Little Theorem
o useful in public key and primality testing
Euler Totient Function ø(n)
o when doing arithmetic modulo n
o complete set of residues is: 0..n-1
o reduced set of residues is those numbers (residues) which are relatively
prime to n
o eg for n=10,
o complete set of residues is {0,1,2,3,4,5,6,7,8,9}
o reduced set of residues is {1,3,7,9}
o number of elements in reduced set of residues is called the Euler Totient
Function ø(n)
o to compute ø(n) need to count number of elements to be excluded
o in general need prime factorization, but
o for p (p prime) ø(p) = p-1
o for p.q (p,q prime) ø(p.q) = (p-1)(q-1)
o eg.
o ø(37) = 36
o ø(21) = (3–1)×(7–1) = 2×6 = 12
Euler's Theorem
o a generalisation of Fermat's Theorem
o aø(n)
mod N = 1
o where gcd(a,N)=1
o eg.
o a=3;n=10; ø(10)=4;
o hence 34
= 81 = 1 mod 10
o a=2;n=11; ø(11)=10;
o hence 210
= 1024 = 1 mod 11
Primality Testing
o often need to find large prime numbers
o traditionally sieve using trial division
o ie. divide by all numbers (primes) in turn less than the square root of the
number
o only works for small numbers
o alternatively can use statistical primality tests based on properties of
primes
o for which all primes numbers satisfy property
o but some composite numbers, called pseudo-primes, also satisfy the
property
Miller Rabin Algorithm
o a test based on Fermat‟s Theorem
o algorithm is:
o TEST (n) is:
1. Find integers k, q, k > 0, q odd, so that (n–1)=2kq
2. Select a random integer a, 1<a<n–1
3. if aq mod n = 1 then return (“maybe prime");
4. for j = 0 to k – 1 do
5. if (a2jq
mod n = n-1)
then return(" maybe prime ")
6. return ("composite")
Probabilistic Considerations
o if Miller-Rabin returns “composite” the number is definitely not prime
o otherwise is a prime or a pseudo-prime
o chance it detects a pseudo-prime is < ¼
o hence if repeat test with different random a then chance n is prime after t
tests is:
o Pr(n prime after t tests) = 1-4-t
o eg. for t=10 this probability is > 0.99999
Prime Distribution
o prime number theorem states that primes occur roughly every (ln n)
integers
o since can immediately ignore evens and multiples of 5, in practice only
need test 0.4 ln(n) numbers of size n before locate a prime
o note this is only the “average” sometimes primes are close together, at
other times are quite far apart
Chinese Remainder Theorem
o used to speed up modulo computations
o working modulo a product of numbers
o eg. mod M = m1m2..mk
o Chinese Remainder theorem lets us work in each moduli mi separately
o since computational cost is proportional to size, this is faster than working
in the full modulus M
o can implement CRT in several ways
o to compute (A mod M) can firstly compute all (ai mod mi) separately and
then combine results to get answer using:
Primitive Roots
o from Euler‟s theorem have aø(n)
mod n=1
o consider am
mod n=1, GCD(a,n)=1
o must exist for m= ø(n) but may be smaller
o once powers reach m, cycle will repeat
o if smallest is m= ø(n) then a is called a primitive root
o if p is prime, then successive powers of a "generate" the group mod p
o these are useful but relatively hard to find
Discrete Logarithms or Indices
o the inverse problem to exponentiation is to find the discrete logarithm of a
number modulo p
o that is to find x where ax = b mod p
o written as x=loga b mod p or x=inda,p(b)
o if a is a primitive root then always exists, otherwise may not
o x = log3 4 mod 13 (x st 3x = 4 mod 13) has no answer
o x = log2 3 mod 13 = 4 by trying successive powers
o whilst exponentiation is relatively easy, finding discrete logarithms is
generally a hard problem
2.5 Confidentiality Using Symmetric Encryption
traditionally symmetric encryption is used to provide message confidentiality
consider typical scenario
o workstations on LANs access other workstations & servers on LAN
o LANs interconnected using switches/routers
o with external lines or radio/satellite links
consider attacks and placement in this scenario
o snooping from another workstation
o use dial-in to LAN or server to snoop
o use external router link to enter & snoop
monitor and/or modify traffic one external links
have two major placement alternatives
o link encryption encryption occurs independently on every link
implies must decrypt traffic between links
requires many devices, but paired keys
o end-to-end encryption encryption occurs between original source and final destination
need devices at each end with shared keys
Traffic Confidentiality
o when using end-to-end encryption must leave headers in clear
so network can correctly route information
o hence although contents protected, traffic pattern flows are not
o ideally want both at once
end-to-end protects data contents over entire path and provides
authentication
link protects traffic flows from monitoring
Placement of Encryption
o can place encryption function at various layers in OSI Reference Model
o link encryption occurs at layers 1 or 2
o end-to-end can occur at layers 3, 4, 6, 7
o as move higher less information is encrypted but it is more secure though
more complex with more entities and keys
Traffic Analysis
o is monitoring of communications flows between parties
o useful both in military & commercial spheres
o can also be used to create a covert channel
o link encryption obscures header details
o but overall traffic volumes in networks and at end-points is still visible
o traffic padding can further obscure flows
o but at cost of continuous traffic
Key Distribution
o symmetric schemes require both parties to share a common secret key
o issue is how to securely distribute this key
o often secure system failure due to a break in the key distribution scheme
o given parties A and B have various key distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can use previous key to
encrypt a new key
4. if A & B have secure communications with a third party C, C can
relay key between A & B
Key Distribution Scenario
Key Distribution Issues
o hierarchies of KDC‟s required for large networks, but must trust each
other
o session key lifetimes should be limited for greater security
o use of automatic key distribution on behalf of users, but must trust system
o use of decentralized key distribution
o controlling purposes keys are used for
Random Numbers
o many uses of random numbers in cryptography
nonces in authentication protocols to prevent replay
session keys
public key generation
keystream for a one-time pad
o in all cases its critical that these values be
statistically random
with uniform distribution, independent
unpredictable cannot infer future sequence on previous values
Natural Random Noise
o best source is natural randomness in real world
o find a regular but random event and monitor
o do generally need special h/w to do this
eg. radiation counters, radio noise, audio noise, thermal noise in
diodes, leaky capacitors, mercury discharge tubes etc
o starting to see such h/w in new CPU's
o problems of bias or uneven distribution in signal
have to compensate for this when sample and use
best to only use a few noisiest bits from each sample
Published Sources
o a few published collections of random numbers
o Rand Co, in 1955, published 1 million numbers
generated using an electronic roulette wheel
has been used in some cipher designs cf Khafre
o earlier Tippett in 1927 published a collection
o issues are that:
these are limited
too well-known for most uses
Pseudorandom Number Generators (PRNGs)
o algorithmic technique to create “random numbers”
o although not truly random
o can pass many tests of “randomness”
Linear Congruential Generator
o common iterative technique using:
Xn+1 = (aXn + c) mod m
o given suitable values of parameters can produce a long random-like
sequence
o suitable criteria to have are:
function generates a full-period
generated sequence should appear random
efficient implementation with 32-bit arithmetic
o note that an attacker can reconstruct sequence given a small number of
values
Using Block Ciphers as Stream Ciphers
o can use block cipher to generate numbers
o use Counter Mode
Xi = EKm[i]
o use Output Feedback Mode
Xi = EKm[Xi-1]
o ANSI X9.17 PRNG
uses date-time + seed inputs and 3 triple-DES encryptions to
generate new seed & random
Blum Blum Shub Generator
o based on public key algorithms
o use least significant bit from iterative equation:
xi+1 = xi2 mod n
where n=p.q, and primes p,q=3 mod 4
o unpredictable, passes next-bit test
o security rests on difficulty of factoring N
o is unpredictable given any run of bits
o slow, since very large numbers must be used
o too slow for cipher use, good for key generation
2.6 Public Key Cryptography and RSA
Private-Key Cryptography
o traditional private/secret/single key cryptography uses one key
o shared by both sender and receiver
o if this key is disclosed communications are compromised
o also is symmetric, parties are equal
o hence does not protect sender from receiver forging a message & claiming
is sent by sender
Public-Key Cryptography
o probably most significant advance in the 3000 year history of
cryptography
o uses two keys – a public & a private key
o asymmetric since parties are not equal
o uses clever application of number theoretic concepts to function
o complements rather than replaces private key crypto
o public-key/two-key/asymmetric cryptography involves the use of two
keys:
a public-key, which may be known by anybody, and can be used to
encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures
o is asymmetric because
those who encrypt messages or verify signatures cannot decrypt
messages or create signatures
Why Public-Key Cryptography?
o developed to address two key issues:
key distribution – how to have secure communications in general
without having to trust a KDC with your key
digital signatures – how to verify a message comes intact from the
claimed sender
o public invention due to Whitfield Diffie & Martin Hellman at Stanford
University in 1976
known earlier in classified community
Public-Key Characteristics
o Public-Key algorithms rely on two keys with the characteristics that it is:
computationally infeasible to find decryption key knowing only
algorithm & encryption key
computationally easy to en/decrypt messages when the relevant
(en/decrypt) key is known
either of the two related keys can be used for encryption, with the
other used for decryption (in some schemes)
Public-Key Cryptosystems
Public-Key Applications
o can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
o some algorithms are suitable for all uses, others are specific to one
Security of Public Key Schemes
o like private key schemes brute force exhaustive search attack is always
theoretically possible
o but keys used are too large (>512bits)
o security relies on a large enough difference in difficulty between easy
(en/decrypt) and hard (cryptanalyse) problems
o more generally the hard problem is known, its just made too hard to do in
practise
o requires the use of very large numbers
o hence is slow compared to private key schemes
RSA
o by Rivest, Shamir & Adleman of MIT in 1977
o best known & widely used public-key scheme
o based on exponentiation in a finite (Galois) field over integers modulo a
prime
nb. exponentiation takes O((log n)3) operations (easy)
o uses large integers (eg. 1024 bits)
o security due to cost of factoring large numbers
nb. factorization takes O(e log n log log n
) operations (hard)
RSA Key Setup
o each user generates a public/private key pair by:
o selecting two large primes at random - p, q
o computing their system modulus N=p.q
note ø(N)=(p-1)(q-1)
o selecting at random the encryption key e
where 1<e<ø(N), gcd(e,ø(N))=1
o solve following equation to find decryption key d
e.d=1 mod ø(N) and 0≤d≤N
o publish their public encryption key: KU={e,N}
o keep secret private decryption key: KR={d,p,q}
RSA Use
o to encrypt a message M the sender:
obtains public key of recipient KU={e,N}
computes: C=Me mod N, where 0≤M<N
o to decrypt the ciphertext C the owner:
uses their private key KR={d,p,q}
computes: M=Cd mod N
o note that the message M must be smaller than the modulus N (block if
needed)
How RSA Works?
o because of Euler's Theorem:
o aø(n)
mod N = 1
where gcd(a,N)=1
o in RSA have:
N=p.q
ø(N)=(p-1)(q-1)
carefully chosen e & d to be inverses mod ø(N)
hence e.d=1+k.ø(N) for some k
o hence :
Cd = (M
e)d
= M1+k.ø(N)
= M1.(M
ø(N))q = M
1.(1)
q = M
1 = M mod N
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17×11=187
3. Compute ø(n)=(p–1)(q-1)=16×10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23×7=161=
10×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
o sample RSA encryption/decryption is:
o given message M = 88 (nb. 88<187)
o encryption:
C = 887 mod 187 = 11
o decryption:
M = 1123
mod 187 = 88
Exponentiation
o can use the Square and Multiply Algorithm
o a fast, efficient algorithm for exponentiation
o concept is based on repeatedly squaring base
o and multiplying in the ones that are needed to compute the result
o look at binary representation of exponent
o only takes O(log2 n) multiples for number n
eg. 75 = 7
4.7
1 = 3.7 = 10 mod 11
eg. 3129
= 3128
.31 = 5.3 = 4 mod 11
RSA Key Generation
o users of RSA must:
determine two primes at random - p, q
select either e or d and compute the other
o primes p,q must not be easily derived from modulus N=p.q
means must be sufficiently large
typically guess and use probabilistic test
o exponents e, d are inverses, so use Inverse algorithm to compute the other
RSA Security
o three approaches to attacking RSA:
brute force key search (infeasible given size of numbers)
mathematical attacks (based on difficulty of computing ø(N), by
factoring modulus N)
timing attacks (on running of decryption)
Factoring Problem
o mathematical approach takes 3 forms:
factor N=p.q, hence find ø(N) and then d
determine ø(N) directly and find d
find d directly
o currently believe all equivalent to factoring
have seen slow improvements over the years
as of Aug-99 best is 130 decimal digits (512) bit with
GNFS
biggest improvement comes from improved algorithm
cf “Quadratic Sieve” to “Generalized Number Field Sieve”
barring dramatic breakthrough 1024+ bit RSA secure
ensure p, q of similar size and matching other constraints
Timing Attacks
o developed in mid-1990‟s
o exploit timing variations in operations
eg. multiplying by small vs large number
or IF's varying which instructions executed
o infer operand size based on time taken
o RSA exploits time taken in exponentiation
o countermeasures
use constant exponentiation time
add random delays
blind values used in calculations
Two Marks:
1. What are the two distinct aspects to the use of public-key cryptography related to
key distribution?
2. What are the techniques used for distribution of public keys?
3. What are the essential ingredients of a public key directory?
4. What is public announcement?
5. What is the weakness of public announcement?
6. What is publicly available directory?
7. What is public authority?
8. What is public key certificate?
9. What are the requirements for the use of a public-key certificate scheme?
10. What are the various scheme used for public-key distribution of secret keys?
11. What is an elliptic curve?
12. What is zero point of an elliptic curve?
13. Explain one method of key distribution.
14. State Fermat‟s theorem.
15. State Euler‟s theorem.
16. What is Euler‟s Totient function?
17. How will you test for primality?
18. State the Chinese remainder theorem.
19. Where the discrete logarithm is used?
20. How the miller-rabin test is used to test for primality?
21. What is primitive root of a number?
22. What is the difference between an index and discrete logarithms?
23. What are the two approaches to encryption placement?
24. What are the differences between link and end-to-end encryption?
25. What is eavesdropping?
26. What is point of vulnerability?
27. What is traffic confidentiality?
28. What are the types of information that can be derived from a traffic analysis
attack?
29. What is covert channel?
30. What is traffic padding?
31. What is a session key and a master key?
32. What is PRNGs?
33. What is pseudorandom number?
34. What is public key cryptography or asymmetric cryptography?
35. What are the misconceptions concerned with public-key encryption?
36. What are the problems of symmetric encryption?
37. Differentiate between symmetric encryption or conventional encryption and
asymmetric or public-key encryption.
38. What are the applications of public-key cryptosystems?
39. What are various public-key cryptanalysis?
40. What are three possible attacks for RSA?
41. What are the principle elements of a public-key cryptosystem?
42. What are roles of public key and private key?
43. What is one-way function?
Big Questions:
44. Explain the various techniques used for distribution of public keys. (12 marks)
45. Explain various scheme used to distribute secret keys. (10 marks)
46. Explain simple secret key distribution and secret key distribution with
confidentiality and authentication. (8 marks)
47. Explain in detail about diffie-hellman key exchange. (12 marks)
48. Explain elliptic curve arithmetic in detail. (12 marks)
49. Explain elliptic curve cryptography in detail. (12 marks)
50. Explain elliptic curve encryption/decryption. (10 marks)
51. State and prove Fermat‟s theorem. (8 marks)
52. State and prove Euler‟s theorem. (8 marks)
53. Explain the Chinese remainder theorem. (8 marks)
54. Explain discrete logarithms. (8 marks)
55. Explain link and end-to-end encryption. (12 marks)
56. Compare link vs end-to-end encryption in detail. (10 marks)
57. Explain traffic confidentiality for link and end-to-end encryption approach? (8
marks)
58. Explain the key distribution scenario with neat diagram. (8 marks)
59. Explain key distribution in detail. (16 marks)
60. Explain the various methods for generating random numbers. (12 marks)
61. Explain blum blum shub generator. (4 marks)
62. Explain the principles of public-key encryption. (16 marks)
63. Explain public-key cryptosystems. (12 marks)
64. Explain the requirements for public-key cryptography. (8 marks)
65. Explain the RSA algorithm in detail with an example. (12 marks)
66. Explain the security of RSA. (12 marks)
UNIT – III
Authentication and Hash Function
Authentication requirements – Authentication functions – Message Authentication Codes
– Hash Functions – Security of Hash Functions and MACs – MD5 message Digest
algorithm - Secure Hash Algorithm – RIPEMD – HMAC Digital Signatures –
Authentication Protocols – Digital Signature Standard
3.1 Authentication requirements
3.2 Authentication functions
3.3 Message Authentication Codes
3.4 Hash Functions
3.5 Security of Hash Functions and MACs
3.6 MD5 message Digest algorithm
3.7 Secure Hash Algorithm
3.8 RIPEMD
3.9 HMAC
3.10 Digital Signatures
3.11 Authentication Protocols
3.12 Digital Signature Standard
Message Authentication and Hash Functions
Message Authentication
o message authentication is concerned with:
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
o will consider the security requirements
o then three alternative functions used:
message encryption
message authentication code (MAC)
hash function
3.1 Authentication Requirements
Communication across the network, the following attacks can be identified.
o Disclosure – release of message contents to any person or process not
possessing the appropriate cryptographic key.
o Traffic analysis – discovery of the pattern of traffic between parties.
In a connection oriented application, the frequency and duration of
connections could be determined.
In either a connection oriented or connectionless environment, the
number and length of messages between parties could be
determined.
o Masquerade – insertion of messages into the network from fraudulent
acknowledgements of message receipt or nonreceipt by someone other
than the message recipient.
o Content modification – changes to the contents of a message, including
insertion, deletion, transposition, and modification.
o Sequence modification – any modification to a sequence of messages
between parties, including insertion, deletion, and reordering.
o Timing modification – delay or replay of messages.
In a connection oriented application, an entire session or sequence
of messages could be replay of some previous valid session, or
individual messages in the sequence could be delayed or replayed.
In a connectionless application, an individual message (e.g.,
datagram) could be delayed or replayed.
o Source repudiation – denial of transmission of message by source.
o Destination repudiation – denial of receipt of message by destination.
3.2 Authentication Function
Any message authentication or digital signature mechanism can be viewed as
having fundamentally two levels.
At the lower level, there must be some sort of function that produces an
authenticator: a value to be used to authenticate a message.
This low-level function is then used as primitive in a higher-level authentication
protocol that enables a receiver to verify the authenticity of a message.
The types of function that may be used to produce an authenticator are grouped
into three classes.
Message Encryption – the ciphertext of the entire message serves as its
authenticator.
Message Authentication Code (MAC) – a public function of the message and a
secret key that produces a fixed length value that serves as the authenticator.
Hash Function – a public function that maps a message of any length into a
fixed-length hash value, which serves as the authenticator.
Message Encryption
o message encryption by itself also provides a measure of authentication
o if symmetric encryption is used then:
receiver know sender must have created it
since only sender and receiver now key used
know content cannot of been altered
if message has suitable structure, redundancy or a checksum to
detect any changes
o if public-key encryption is used:
encryption provides no confidence of sender
since anyone potentially knows public-key
however if
sender signs message using their private-key
then encrypts with recipients public key
have both secrecy and authentication
again need to recognize corrupted messages
but at cost of two public-key uses on message
3.3 Message Authentication Code (MAC)
generated by an algorithm that creates a small fixed-sized block
depending on both message and some key
like encryption though need not be reversible
appended to message as a signature
receiver performs same computation on message and checks it matches the MAC
provides assurance that message is unaltered and comes from sender
as shown the MAC provides confidentiality
can also use encryption for secrecy
o generally use separate keys for each
o can compute MAC either before or after encryption
o is generally regarded as better done before
why use a MAC?
o sometimes only authentication is needed
o sometimes need authentication to persist longer than the encryption (eg.
archival use)
note that a MAC is not a digital signature
MAC Properties
o a MAC is a cryptographic checksum
MAC = CK(M)
condenses a variable-length message M
using a secret key K
to a fixed-sized authenticator
o is a many-to-one function
potentially many messages have same MAC
but finding these needs to be very difficult
Requirements for MACs
o taking into account the types of attacks
o need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible to find another message
with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the message
Using Symmetric Ciphers for MACs
o can use any block cipher chaining mode and use final block as a MAC
o Data Authentication Algorithm (DAA) is a widely used MAC based on
DES-CBC
using IV=0 and zero-pad of final block
encrypt message using DES in CBC mode
and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
o but final MAC is now too small for security
3.4 Hash Functions
condenses arbitrary message to fixed size
usually assume that the hash function is public and not keyed
o cf. MAC which is keyed
hash used to detect changes to message
can use in various ways with message
most often to create a digital signature
Hash Functions & Digital Signatures
Hash Function Properties
o a Hash Function produces a fingerprint of some file/message/data
h = H(M)
condenses a variable-length message M
to a fixed-sized fingerprint
o assumed to be public
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
one-way property
5. given x is infeasible to find y s.t. H(y)=H(x)
weak collision resistance
6. is infeasible to find any x,y s.t. H(y)=H(x)
strong collision resistance
Simple Hash Functions
o are several proposals for simple functions
o based on XOR of message blocks
o not secure since can manipulate any message and either not change hash
or change hash also
o need a stronger cryptographic function
Birthday Attacks
o might think a 64-bit hash is secure
o but by Birthday Paradox is not
o birthday attack works thus:
opponent generates 2m/2
variations of a valid message all with
essentially the same meaning
opponent also generates 2m/2
variations of a desired fraudulent
message
two sets of messages are compared to find pair with same hash
(probability > 0.5 by birthday paradox)
have user sign the valid message, then substitute the forgery which
will have a valid signature
o conclusion is that need to use larger MACs
Block Ciphers as Hash Functions
o can use block ciphers as hash functions
using H0=0 and zero-pad of final block
compute: Hi = EMi [Hi-1]
and use final block as the hash value
similar to CBC but without a key
o resulting hash is too small (64-bit)
both due to direct birthday attack
and to “meet-in-the-middle” attack
o other variants also susceptible to attack
3.5 Security of Hash Functions & MACs
like block ciphers have:
brute-force attacks exploiting
o strong collision resistance hash have cost 2m/2
have proposal for h/w MD5 cracker
128-bit hash looks vulnerable, 160-bits better
o MACs with known message-MAC pairs
can either attack keyspace (cf key search) or MAC
at least 128-bit MAC is needed for security
cryptanalytic attacks exploit structure
o like block ciphers want brute-force attacks to be the best alternative
have a number of analytic attacks on iterated hash functions
o CVi = f[CVi-1, Mi]; H(M)=CVN
o typically focus on collisions in function f
o like block ciphers is often composed of rounds
o attacks exploit properties of round functions
cryptanalytic attacks exploit structure
o like block ciphers want brute-force attacks to be the best alternative
have a number of analytic attacks on iterated hash functions
o CVi = f[CVi-1, Mi]; H(M)=CVN
o typically focus on collisions in function f
o like block ciphers is often composed of rounds
o attacks exploit properties of round functions.
3.6 MD5 message Digest algorithm
Hash Algorithms
o see similarities in the evolution of hash functions & block ciphers
increasing power of brute-force attacks
leading to evolution in algorithms
from DES to AES in block ciphers
from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms
o likewise tend to use common iterative structure as do block ciphers
MD5
o designed by Ronald Rivest (the R in RSA)
o latest in a series of MD2, MD4
o produces a 128-bit hash value
o until recently was the most widely used hash algorithm
in recent times have both brute-force & cryptanalytic concerns
o specified as Internet standard RFC1321
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
using 4 rounds of 16 bit operations on message block & buffer
add output to buffer input to form new buffer value
5. output hash value is the final buffer value
MD5 Compression Function
o each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
o a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
note this updates 1 word only of the buffer
after 16 steps each word is updated 4 times
o where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
o T[i] is a constant value derived from sin
MD4
o precursor to MD5
o also produces a 128-bit hash of message
o has 3 rounds of 16 steps vs 4 in MD5
o design goals:
collision resistant (hard to find collisions)
direct security (no dependence on "hard" problems)
fast, simple, compact
favours little-endian systems (eg PCs)
Strength of MD5
o MD5 hash is dependent on all message bits
o Rivest claims security is good as can be
o known attacks are:
Berson 92 attacked any 1 round using differential cryptanalysis
(but can‟t extend)
Boer & Bosselaers 93 found a pseudo collision (again unable to
extend)
Dobbertin 96 created collisions on MD compression function (but
initial constants prevent exploit)
o conclusion is that MD5 looks vulnerable soon
3.7 Secure Hash Algorithm (SHA-1)
SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
US standard for use with DSA signature scheme
o standard is FIPS 180-1 1995, also Internet RFC3174
o nb. the algorithm is SHA, the standard is SHS
produces 160-bit hash values
now the generally preferred hash algorithm
based on design of MD4 with key differences
SHA Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
expand 16 words into 80 words by mixing & shifting
use 4 rounds of 20 bit operations on message block & buffer
add output to input to form new buffer value
5. output hash value is the final buffer value
SHA-1 Compression Function
o each round has 20 steps which replaces the 5 buffer words thus:
(A,B,C,D,E) <-
(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D)
o a,b,c,d refer to the 4 words of the buffer
o t is the step number
o f(t,B,C,D) is nonlinear function for round
o Wt is derived from the message block
o Kt is a constant value derived from sin
SHA-1 verses MD5
o brute force attack is harder (160 vs 128 bits for MD5)
o not vulnerable to any known attacks (compared to MD4/5)
o a little slower than MD5 (80 vs 64 steps)
o both designed as simple and compact
o optimised for big endian CPU's (vs MD5 which is optimised for little
endian CPU‟s)
Revised Secure Hash Standard
o NIST have issued a revision FIPS 180-2
o adds 3 additional hash algorithms
o SHA-256, SHA-384, SHA-512
o designed for compatibility with increased security provided by the AES
cipher
o structure & detail is similar to SHA-1
o hence analysis should be similar
3.8 RIPEMD - 160
RIPEMD-160 was developed in Europe as part of RIPE project in 96
by researchers involved in attacks on MD4/5
initial proposal strengthen following analysis to become RIPEMD-160
somewhat similar to MD5/SHA
uses 2 parallel lines of 5 rounds of 16 steps
creates a 160-bit hash value
slower, but probably more secure, than SHA
RIPEMD-160 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4. process message in 16-word (512-bit) chunks:
use 10 rounds of 16 bit operations on message block & buffer – in
2 parallel lines of 5
add output to input to form new buffer value
5. output hash value is the final buffer value
RIPEMD-160 Compression Function
RIPEMD-160 Design Criteria
o use 2 parallel lines of 5 rounds for increased complexity
o for simplicity the 2 lines are very similar
o step operation very close to MD5
o permutation varies parts of message used
o circular shifts designed for best results
RIPEMD-160 verses MD5 & SHA-1
o brute force attack harder (160 like SHA-1 vs 128 bits for MD5)
o not vulnerable to known attacks, like SHA-1 though stronger (compared to
MD4/5)
o slower than MD5 (more steps)
o all designed as simple and compact
o SHA-1 optimised for big endian CPU's vs RIPEMD-160 & MD5
optimised for little endian CPU‟s
Keyed Hash Functions as MACs
o have desire to create a MAC using a hash function rather than a block
cipher
because hash functions are generally faster
not limited by export controls unlike block ciphers
o hash includes a key along with the message
o original proposal:
KeyedHash = Hash(Key|Message)
some weaknesses were found with this
o eventually led to development of HMAC
3.9 HMAC
specified as Internet standard RFC2104
uses hash function on the message:
HMACK = Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad)||M)]]
where K+ is the key padded out to size
and opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the message needs alone
any of MD5, SHA-1, RIPEMD-160 can be used
HMAC Overview
HMAC Security
o know that the security of HMAC relates to that of the underlying hash
algorithm
o attacking HMAC requires either:
brute force attack on key used
birthday attack (but since keyed would need to observe a very
large number of messages)
o choose hash function used based on speed verses security constraints
3.10 Digital Signatures
have looked at message authentication
o but does not address issues of lack of trust
digital signatures provide the ability to:
o verify author, date & time of signature
o authenticate message contents
o be verified by third parties to resolve disputes
hence include authentication function with additional capabilities
Digital Signature Properties
o must depend on the message signed
o must use information unique to sender
to prevent both forgery and denial
o must be relatively easy to produce
o must be relatively easy to recognize & verify
o be computationally infeasible to forge
with new message for existing digital signature
with fraudulent digital signature for given message
o be practical save digital signature in storage
Direct Digital Signatures
o involve only sender & receiver
o assumed receiver has sender‟s public-key
o digital signature made by sender signing entire message or hash with
private-key
o can encrypt using receivers public-key
o important that sign first then encrypt message & signature
o security depends on sender‟s private-key
Arbitrated Digital Signatures
o involves use of arbiter A
validates any signed message
then dated and sent to recipient
o requires suitable level of trust in arbiter
o can be implemented with either private or public-key algorithms
o arbiter may or may not see message
3.11 Authentication Protocols
used to convince parties of each others identity and to exchange session keys
may be one-way or mutual
key issues are
o confidentiality – to protect session keys
o timeliness – to prevent replay attacks
Replay Attacks
o where a valid signed message is copied and later resent
simple replay
repetition that can be logged
repetition that cannot be detected
backward replay without modification
o countermeasures include
use of sequence numbers (generally impractical)
timestamps (needs synchronized clocks)
challenge/response (using unique nonce)
Using Symmetric Encryption
o as discussed previously can use a two-level hierarchy of keys
o usually with a trusted Key Distribution Center (KDC)
each party shares own master key with KDC
KDC generates session keys used for connections between parties
master keys used to distribute these to them
Needham-Schroeder Protocol
o original third-party key distribution protocol
o for session between A B mediated by KDC
o protocol overview is:
1. A→KDC: IDA || IDB || N1
2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]
3. A→B: EKb[Ks||IDA]
4. B→A: EKs[N2]
5. A→B: EKs[f(N2)]
o used to securely distribute a new session key for communications between
A & B
o but is vulnerable to a replay attack if an old session key has been
compromised
then message 3 can be resent convincing B that is communicating
with A
o modifications to address this require:
timestamps (Denning 81)
using an extra nonce (Neuman 93)
Using Public-Key Encryption
o have a range of approaches based on the use of public-key encryption
o need to ensure have correct public keys for other parties
o using a central Authentication Server (AS)
o various protocols exist using timestamps or nonces
Denning AS Protocol
o Denning 81 presented the following:
1. A→AS: IDA || IDB
2. AS→A: EKRas[IDA||KUa||T] || EKRas[IDB||KUb||T]
3. A→B: EKRas[IDA||KUa||T] || EKRas[IDB||KUb||T] ||
EKUb[EKRas[Ks||T]]
o note session key is chosen by A, hence AS need not be trusted to protect it
o timestamps prevent replay but require synchronized clocks
One-Way Authentication
o required when sender & receiver are not in communications at same time
(eg. email)
o have header in clear so can be delivered by email system
o may want contents of body protected & sender authenticated
Using Symmetric Encryption
o can refine use of KDC but can‟t have final exchange of nonces, vis:
1. A→KDC: IDA || IDB || N1
2. KDC→A: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ]
3. A→B: EKb[Ks||IDA] || EKs[M]
o does not protect against replays
could rely on timestamp in message, though email delays make
this problematic
Public-Key Approaches
o have seen some public-key approaches
o if confidentiality is major concern, can use:
A→B: EKUb[Ks] || EKs[M]
has encrypted session key, encrypted message
o if authentication needed use a digital signature with a digital certificate:
A→B: M || EKRa[H(M)] || EKRas[T||IDA||KUa]
with message, signature, certificate
3.12 Digital Signature Standard (DSS)
US Govt approved signature scheme FIPS 186
uses the SHA hash algorithm
designed by NIST & NSA in early 90's
DSS is the standard, DSA is the algorithm
a variant on ElGamal and Schnorr schemes
creates a 320 bit signature, but with 512-1024 bit security
security depends on difficulty of computing discrete logarithms
DSA Key Generation
o have shared global public key values (p,q,g):
a large prime p = 2L
where L= 512 to 1024 bits and is a multiple of 64
choose q, a 160 bit prime factor of p-1
choose g = h(p-1)/q
where h<p-1, h(p-1)/q
(mod p) > 1
o users choose private & compute public key:
choose x<q
compute y = gx (mod p)
DSA Signature Creation
o to sign a message M the sender:
generates a random signature key k, k<q
nb. k must be random, be destroyed after use, and never be reused
o then computes signature pair:
r = (gk(mod p))(mod q)
s = (k-1
.SHA(M)+ x.r)(mod q)
o sends signature (r,s) with message M
DSA Signature Verification
o having received M & signature (r,s)
o to verify a signature, recipient computes:
w = s-1
(mod q)
u1= (SHA(M).w)(mod q)
u2= (r.w)(mod q)
v = (gu1
.yu2
(mod p)) (mod q)
o if v=r then signature is verified
o see book web site for details of proof why
Two Marks:
1. what are the attacks that can be identified across a network during
communication?
2. What do you mean by disclosure?
3. What is traffic analysis?
4. What is masquerade?
5. What is content modification?
6. What is sequence modification?
7. What is timing modification?
8. What is source repudiation?
9. What is destination repudiation?
10. What is repudiation?
11. What are the measures of authentication?
12. What are the measures of message authentication?
13. What is message authentication?
14. What is digital signature?
15. What are the various classes of authentication function?
16. What is message authentication code (MAC) or cryptographic checksum?
17. What is hash function?
18. Give the simple way to perform a one-it circular shift or rotation on the hash
value after each block is processed.
19. What is birthday attack?
20. What is meet-in-the-middle attack?
21. What are the properties of hash functions?
22. What is a role of compression function in a hash function?
23. What are the characteristics of secure hash fuctions?
24. Give the general structure of secure hash code.
25. What is MD5?
26. What are the goals of MD4?
27. What are the differences between MD4 and MD5?
28. What is SHA?
29. What are the properties of SHA?
30. Compare the properties of SHAs.
31. What is RIPEMD?
32. What is HMAC?
33. What are the design objectives of HMAC?
34. What is digital signature?
35. What are the requirements of digital signature?
36. What are the properties of digital signature?
37. What are the various approaches of digital signature function?
38. What is direct digital signature?
39. What is arbitrated digital signature?
40. What is mutual authentication protocols?
41. What are the two issues that central to the problem authenticated key exchange?
42. What are replays?
43. List the examples of replay attacs.
44. What is the difficulty of using repalay attack?
45. What is timestamps?
46. What is challenge/response?
47. What is KDC?
48. What is suppress-replay attacks?
49. What is DSS?
50. List two disputes that can arise in the context of message authentication.
51. What is the difference between direct and arbitrated digital signature?
52. In what order should the signature function and the confidentiality function be
applied to a message, and why?
53. What are some threats associated with a direct digital signature scheme?
54. List three general approaches to dealing with replay attacks.
55. Give the principle of operation behind MD5 algorithm.
Big Questions:
56. Explain in detail about the authentication functions. (16 marks)
57. Explain Message Encryption in detail. (10 marks)
58. Explain the measures of authentication for message encryption for symmetric and
public-key encryption schemes. (10 marks)
59. Explain message authentication code in detail. (10 marks)
60. What are the ways in which a hash code can be used to provide message
authentication? (4 marks)
61. Explain hash function. (10 marks)
62. Explain the requirements of MACs. (10 marks)
63. Explain the requirements of hash functions. (10 marks)
64. Explain the attacks that can be performed by hash function and MACs. (12 marks)
65. Explain the process of MD5 with neat sketch. (10 marks)
66. Explain MD5 compression function. (8 marks)
67. Explain the strength of MD5. (6 marks)
68. Explain SHA-1 logic with neat sketch. (10 marks)
69. Explain SHA-1 compression function. (8 marks)
70. Compare SHA-1 and MD5. (6 marks)
71. Explain RIPEMD logic with neat sketch. (10 marks)
72. Explain RIPEMD compression function. (8 marks)
73. Compare RIPEMD with MD5 and SHA-1. (6 marks)
74. Explain HMAC algorithm. (12 marks)
75. Explain the security of HMAC. (6 marks)
76. Explain the various approaches proposed for digital signature function. (12
marks)
77. Explain direct digital signature. (6 marks)
78. Explain arbitrated digital signature. (8 marks)
79. Explain authentication protocol in detail. (16 marks)
80. Explain mutual authentication as symmetric encryption approach and public-key
encryption approach. (12 marks)
81. Explain one-way authentication as symmetric encryption approach and public-key
encryption approach. (10 marks)
82. Explain the DSS approach. (12 marks)
83. Explain digital signature algorithm for signing and verifying. (12 marks)
84. What are authentication requirements? Explain. (6 marks)
UNIT – IV
Network Security
Authentication Applications: Kerberos – X.509 Authentication Service – Electronic Mail
Security – PGP – S/MIME - IP Security – Web Security.
4.1 Authentication Applications
4.2 Kerberos
4.3 X.509 Authentication Service
4.4 Electronic Mail Security
4.5 PGP
4.6 S/MIME
4.7 IP Security
4.8 Web Security
4.1 Authentication Applications
will consider authentication functions
developed to support application-level authentication & digital signatures
will consider Kerberos – a private-key authentication service
then X.509 directory authentication service
4.2 Kerberos
trusted key server system from MIT
provides centralised private-key third-party authentication in a distributed
network
o allows users access to services distributed through network
o without needing to trust all workstations
o rather all trust a central authentication server
two versions in use: 4 & 5
Kerberos Requirements
o first published report identified its requirements as:
security
reliability
transparency
scalability
o implemented using an authentication protocol based on Needham-
Schroeder
Kerberos 4 Overview
o a basic third-party authentication scheme
o have an Authentication Server (AS)
users initially negotiate with AS to identify self
AS provides a non-corruptible authentication credential (ticket
granting ticket TGT)
o have a Ticket Granting server (TGS)
users subsequently request access to other services from TGS on
basis of users TGT
Kerberos Realms
o a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with server
application servers, sharing keys with server
o this is termed a realm
typically a single administrative domain
o if have multiple realms, their Kerberos servers must share keys and trust
Kerberos Version 5
o developed in mid 1990‟s
o provides improvements over v4
addresses environmental shortcomings
encryption alg, network protocol, byte order, ticket
lifetime, authentication forwarding, interrealm auth
and technical deficiencies
double encryption, non-std mode of use, session keys,
password attacks
o specified as Internet standard RFC 1510
4.3 X.509 Authentication Service
part of CCITT X.500 directory service standards
o distributed servers maintaining some info database
defines framework for authentication services
o directory may store public-key certificates
o with public key of user
o signed by certification authority
also defines authentication protocols
uses public-key crypto & digital signatures
o algorithms not standardised, but RSA recommended
X.509 Certificates
o issued by a Certification Authority (CA), containing:
version (1, 2, or 3)
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of hash of all fields in certificate)
o notation CA<<A>> denotes certificate for A signed by CA
Obtaining a Certificate
o any user with access to CA can get any certificate from it
o only the CA can modify a certificate
o because cannot be forged, certificates can be placed in a public directory
CA Hierarchy
o if both users share a common CA then they are assumed to know its public
key
o otherwise CA's must form a hierarchy
o use certificates linking members of hierarchy to validate other CA's
each CA has certificates for clients (forward) and parent
(backward)
o each client trusts parents certificates
o enable verification of any certificate from one CA by users of all other
CAs in hierarchy
CA Hierarchy Use
Certificate Revocation
o certificates have a period of validity
o may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
o CA‟s maintain list of revoked certificates
the Certificate Revocation List (CRL)
o users should check certs with CA‟s CRL
Authentication Procedures
o X.509 includes three alternative authentication procedures:
o One-Way Authentication
o Two-Way Authentication
o Three-Way Authentication
o all use public-key signatures
One-Way Authentication
o 1 message ( A->B) used to establish
the identity of A and that message is from A
message was intended for B
integrity & originality of message
o message must include timestamp, nonce, B's identity and is signed by A
Two-Way Authentication
o 2 messages (A->B, B->A) which also establishes in addition:
the identity of B and that reply is from B
that reply is intended for A
integrity & originality of reply
o reply includes original nonce from A, also timestamp and nonce from B
Three-Way Authentication
o 3 messages (A->B, B->A, A->B) which enables above authentication
without synchronized clocks
o has reply from A back to B containing signed copy of nonce from B
o means that timestamps need not be checked or relied upon
X.509 Version 3
o has been recognised that additional information is needed in a certificate
email/URL, policy details, usage constraints
o rather than explicitly naming new fields defined a general extension
method
o extensions consist of:
extension identifier
criticality indicator
extension value
Certificate Extensions
o key and policy information
convey info about subject & issuer keys, plus indicators of
certificate policy
o certificate subject and issuer attributes
support alternative names, in alternative formats for certificate
subject and/or issuer
o certificate path constraints
allow constraints on use of certificates by other CA‟s
4.4 Electronic Mail Security
email is one of the most widely used and regarded network services
currently message contents are not secure
o may be inspected either in transit
o or by suitably privileged users on destination system
Email Security Enhancements
o confidentiality
protection from disclosure
o authentication
of sender of message
o message integrity
protection from modification
o non-repudiation of origin
protection from denial by sender
4.5 Pretty Good Privacy (PGP)
widely used de facto secure email
developed by Phil Zimmermann
selected best available crypto algorithms to use
integrated into a single program
available on Unix, PC, Macintosh and Amiga systems
originally free, now have commercial versions available also
PGP Operation – Authentication
1. sender creates a message
2. SHA-1 used to generate 160-bit hash code of message
3. hash code is encrypted with RSA using the sender's private key, and result
is attached to message
4. receiver uses RSA or DSS with sender's public key to decrypt and recover
hash code
5. receiver generates new hash code for message and compares with
decrypted hash code, if match, message is accepted as authentic
PGP Operation – Confidentiality
1. sender generates message and random 128-bit number to be used as
session key for this message only
2. message is encrypted, using CAST-128 / IDEA/3DES with session key
3. session key is encrypted using RSA with recipient's public key, then
attached to message
4. receiver uses RSA with its private key to decrypt and recover session key
5. session key is used to decrypt message
PGP Operation – Confidentiality & Authentication
o uses both services on same message
create signature & attach to message
encrypt both message & signature
attach RSA encrypted session key
PGP Operation – Compression
o by default PGP compresses message after signing but before encrypting
so can store uncompressed message & signature for later
verification
& because compression is non deterministic
o uses ZIP compression algorithm
PGP Operation – Email Compatibility
o when using PGP will have binary data to send (encrypted message etc)
o however email was designed only for text
o hence PGP must encode raw binary data into printable ASCII characters
o uses radix-64 algorithm
maps 3 bytes to 4 printable chars
also appends a CRC
o PGP also segments messages if too big
PGP Operation – Summary
PGP Session Keys
o need a session key for each message
of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit
Triple-DES
o generated using ANSI X12.17 mode
o uses random inputs taken from previous uses and from keystroke timing of
user
PGP Public & Private Keys
o since many public/private keys may be in use, need to identify which is
actually used to encrypt session key in a message
could send full public-key with every message
but this is inefficient
o rather use a key identifier based on key
is least significant 64-bits of the key
will very likely be unique
o also use key ID in signatures
PGP Key Rings
o each PGP user has a pair of keyrings:
public-key ring contains all the public-keys of other PGP users
known to this user, indexed by key ID
private-key ring contains the public/private key pair(s) for this
user, indexed by key ID & encrypted keyed from a hashed
passphrase
PGP Key Management
o rather than relying on certificate authorities
o in PGP every user is own CA
can sign keys for users they know directly
o forms a “web of trust”
trust keys have signed
can trust keys others have signed if have a chain of signatures to
them
o key ring includes trust indicators
o users can also revoke their keys
4.6 S/MIME (Secure/Multipurpose Internet Mail Extensions)
security enhancement to MIME email
original Internet RFC822 email was text only
MIME provided support for varying content types and multi-part messages
with encoding of binary data to textual form
S/MIME added security enhancements
have S/MIME support in various modern mail agents: MS Outlook, Netscape etc.,
S/MIME Functions
o enveloped data
encrypted content and associated keys
o signed data
encoded message + signed digest
o clear-signed data
cleartext message + encoded signed digest
o signed & enveloped data
nesting of signed & encrypted entities
S/MIME Cryptographic Algorithms
o hash functions: SHA-1 & MD5
o digital signatures: DSS & RSA
o session key encryption: ElGamal & RSA
o message encryption: Triple-DES, RC2/40 and others
o have a procedure to decide which algorithms to use
S/MIME Certificate Processing
o S/MIME uses X.509 v3 certificates
o managed using a hybrid of a strict X.509 CA hierarchy & PGP‟s web of
trust
o each client has a list of trusted CA‟s certificates
o and own public/private key pairs & certificates
o certificates must be signed by trusted CA‟s
Certificate Authorities
o have several well-known CA‟s
o Verisign one of most widely used
o Verisign issues several types of Digital IDs
o with increasing levels of checks & hence trust
o Class Identity Checks Usage
o 1 name/email check web browsing/email
o 2+ enroll/addr check email, subs, s/w validate
o 3+ ID documents e-banking/service access
4.7 IP Security
have considered some application specific security mechanisms
o eg. S/MIME, PGP, Kerberos, SSL/HTTPS
however there are security concerns that cut across protocol layers
would like security implemented by the network for all applications
general IP Security mechanisms
provides
o authentication
o confidentiality
o key management
applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Benefits of IPSec
o in a firewall/router provides strong security to all traffic crossing the
perimeter
o is resistant to bypass
o is below transport layer, hence transparent to applications
o can be transparent to end users
o can provide security for individual users if desired
IP Security Architecture
o specification is quite complex
o defined in numerous RFC‟s
incl. RFC 2401/2402/2406/2408
many others, grouped by category
o mandatory in IPv6, optional in IPv4
IPSec Services
o Access control
o Connectionless integrity
o Data origin authentication
o Rejection of replayed packets
a form of partial sequence integrity
o Confidentiality (encryption)
o Limited traffic flow confidentiality
Security Associations
o a one-way relationship between sender & receiver that affords security for
traffic flow
o defined by 3 parameters:
Security Parameters Index (SPI)
IP Destination Address
Security Protocol Identifier
o has a number of other parameters
seq no, AH & EH info, lifetime etc
o have a database of Security Associations
Authentication Header (AH)
o provides support for data integrity & authentication of IP packets
end system/router can authenticate user/app
prevents address spoofing attacks by tracking sequence numbers
o based on use of a MAC
HMAC-MD5-96 or HMAC-SHA-1-96
o parties must share a secret key
Transport & Tunnel Modes
Encapsulating Security Payload (ESP)
o provides message content confidentiality & limited traffic flow
confidentiality
o can optionally provide the same authentication services as AH
o supports range of ciphers, modes, padding
incl. DES, Triple-DES, RC5, IDEA, CAST etc
CBC most common
pad to meet blocksize, for traffic flow
Transport vs Tunnel Mode ESP
o transport mode is used to encrypt & optionally authenticate IP data
data protected but header left in clear
can do traffic analysis but is efficient
good for ESP host to host traffic
o tunnel mode encrypts entire IP packet
add new header for next hop
good for VPNs, gateway to gateway security
Combining Security Associations
o SA‟s can implement either AH or ESP
o to implement both need to combine SA‟s
form a security bundle
o have 4 cases
Key Management
o handles key generation & distribution
o typically need 2 pairs of keys
2 per direction for AH & ESP
o manual key management
sys admin manually configures every system
o automated key management
automated system for on demand creation of keys for SA‟s in large
systems
has Oakley & ISAKMP elements
Oakley
o a key exchange protocol
o based on Diffie-Hellman key exchange
o adds features to address weaknesses
cookies, groups (global params), nonces, DH key exchange with
authentication
o can use arithmetic in prime fields or elliptic curve fields
ISAKMP
o Internet Security Association and Key Management Protocol
o provides framework for key management
o defines procedures and packet formats to establish, negotiate, modify, &
delete SAs
o independent of key exchange protocol, encryption algorithm, &
authentication method
4.8 Web Security
Web now widely used by business, government, individuals
but Internet & Web are vulnerable
have a variety of threats
o integrity
o confidentiality
o denial of service
o authentication
need added security mechanisms
SSL (Secure Socket Layer)
o transport layer security service
o originally developed by Netscape
o version 3 designed with public input
o subsequently became Internet standard known as TLS (Transport Layer
Security)
o uses TCP to provide a reliable end-to-end service
o SSL has two layers of protocols
SSL Architecture
SSL session
o an association between client & server
o created by the Handshake Protocol
o define a set of cryptographic parameters
o may be shared by multiple SSL connections
SSL connection
o a transient, peer-to-peer, communications link
o associated with 1 SSL session
SSL Record Protocol
o confidentiality using symmetric encryption with a shared secret key defined by
Handshake Protocol
IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
message is compressed before encryption
o message integrity using a MAC with shared secret key
similar to HMAC but with different padding
SSL Change Cipher Spec Protocol
o one of 3 SSL specific protocols which use the SSL Record protocol
o a single message
o causes pending state to become current
o hence updating the cipher suite in use
SSL Alert Protocol
o conveys SSL-related alerts to peer entity
o severity
warning or fatal
o specific alert
unexpected message, bad record mac, decompression failure,
handshake
failure, illegal parameter
close notify, no certificate, bad certificate, unsupported certificate,
certificate revoked, certificate expired, certificate unknown
o compressed & encrypted like all SSL data
SSL Handshake Protocol
o allows server & client to:
authenticate each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used
o comprises a series of messages in phases
Establish Security Capabilities
Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish
TLS (Transport Layer Security)
o IETF standard RFC 2246 similar to SSLv3
o with minor differences
in record format version number
uses HMAC for MAC
a pseudo-random function expands secrets
has additional alert codes
some changes in supported ciphers
changes in certificate negotiations
changes in use of padding
Secure Electronic Transactions (SET)
o open encryption & security specification
o to protect Internet credit card transactions
o developed in 1996 by Mastercard, Visa etc
o not a payment system
o rather a set of security protocols & formats
secure communications amongst parties
trust from use of X.509v3 certificates
privacy by restricted info to those who need it
SET Components
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
Dual Signature
o customer creates dual messages
order information (OI) for merchant
payment information (PI) for bank
o neither party needs details of other
o but must know they are linked
o use a dual signature for this
signed concatenated hashes of OI & PI
Purchase Request – Customer
Purchase Request – Merchant
o verifies cardholder certificates using CA sigs
o verifies dual signature using customer's public signature key to ensure
order has not been tampered with in transit & that it was signed
using cardholder's private signature key
o processes order and forwards the payment information to the payment
gateway for authorization (described later)
o sends a purchase response to cardholder
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key
& then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key &
then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI
received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
Payment Capture
o merchant sends payment gateway a payment capture request
o gateway checks request
o then causes funds to be transferred to merchants account
o notifies merchant using capture response
Two Marks:
1. What is Kerberos?
2. What are the three security approaches to secure user authentication in a
distributed environment?
3. List the requirements of the Kerberos version 1.
4. What is an authentication server?
5. List some problems of authentication in an open network environment.
6. What are Kerberos realms?
7. What is nonce?
8. What is X.509 Authentication Service?
9. Draw the X.509 formats.
10. List the requirements that are not satisfied by the X.509 authentication service
version 2.
11. What problem was Kerberos designed to address?
12. What are the three threats associated with user authentication over a network or
internet?
13. What is the purpose of the X.509 standard?
14. What is a chain of certificates?
15. How is an X.509 certificate revoked?
16. What is PGP?
17. What are the reasons for the growth of PGP?
18. What are the services provided by the PGP?
19. What are the four types of keys used by PGP?
20. Give the general format of PGP message.
21. What is S/MIME?
22. Why does PGP generate a signature before applying compression?
23. Why is the segmentation and reassembly function in PGP needed?
24. How PGP does use the concept of trust?
25. What are the applications of IPSec?
26. What are the benefits of IPSec?
27. What is IPSec?
28. What are the services of IPSec?
29. What are the two protocols used to provide security for IPSec?
30. What is authentication header?
31. What is encapsulating security payload?
32. What is the difference between transport and tunnel mode?
33. What is replay attack?
34. Why does ESP include a padding field?
35. What are the two types of key management supported by IPSec architecture?
36. What are the features of Oakley?
37. What is ISAKMP?
38. Draw the ISAKMP header format.
39. What are the roles of the Oakley key determination protocol and ISAKMP in
IPSec?
40. List some threats on the web.
41. What is SSL designed for?
42. What are the three higher layer protocol defined as part of SSL?
43. What are the two important SSL concepts?
44. What is SSL connection?
45. What is SSL Session?
46. What are the parameters defined for SSL session?
47. What are the parameters defined for SSL connection?
48. What are the services provided by the SSL record protocol?
49. Draw the SSL record format.
50. What is transport layer security?
51. What is SET?
52. What are the three services provided by the Set?
53. What are the requirements of SET?
54. What are the key features of SET?
55. Who are the participants of SET?
56. What is the purpose of dual signature?
Big Questions:
57. Explain in detail about Kerberos Version 4. (16 Marks).
58. Differentiate between Kerberos Version 4 and Version 5 (10 Marks).
59. Explain in detail about Kerberos Version 5 (16 Marks).
60. Explain overview of Kerberos. (12 marks).
61. What are the environmental short comings and technical deficiencies of Kerberos
Version 4? (4/6 marks).
62. Explain in detail about X.509 authentication service. (16 Marks).
63. Explain Authentication procedures. (8 marks).
64. Explain Authentication procedures. (8 marks).
65. Explain X.509 version 3 (8 marks).
66. Explain PGP in detail. (16 marks).
67. Explain the operational description of PGP. (16 marks).
68. Explain S/MIME in detail. (16 marks).
69. Explain the overview of IPSec. (8 marks).
70. Explain in detail about the IPSec Architecture. (16 Marks).
71. Explain transport and tunnel modes (8 marks).
72. Explain in detail about authentication header. (16 marks).
73. Explain in detail about ESP. (16 marks).
74. Explain the cases of basic combinations of security association. (8 marks).
75. Explain Oakley key determination protocol. (10 marks)
76. Explain ISAKMP (10 marks).
77. Explain SSL record protocol. (8 marks)
78. Explain in detail about SSL architecture. (16 marks)
79. Explain in detail about SSL record format. (12 marks)
80. Explain handshake protocol in detail. (10 marks)
81. Explain in detail about TLS. (16 marks).
82. Explain SET in detail. (16 marks).
83. Explain Secure Electronics Commerce in detail. (10 marks)
84. Explain the payment processing in detail. (16 marks).
UNIT – V
System Level Security Intrusion detection – password management – Viruses and related Threats – Virus
Counter measures – Firewall Design Principles – Trusted Systems.
5.1 Intrusion detection
5.2 Password management
5.3 Viruses and related Threats
5.4 Virus Counter measures
5.5 Firewall Design Principles
5.6 Trusted Systems
5.1 Intrusion detection
Intruders
significant issue for networked systems is hostile or unwanted access
either via network or local
can identify classes of intruders:
masquerader
misfeasor
clandestine user
varying levels of competence
clearly a growing publicized problem
from “Wily Hacker” in 1986/87
to clearly escalating CERT stats
may seem benign, but still cost resources
may use compromised system to launch other attacks
Intrusion Techniques
aim to increase privileges on system
basic attack methodology
target acquisition and information gathering
initial access
privilege escalation
covering tracks
key goal often is to acquire passwords
so then exercise access rights of owner
Password Guessing
one of the most common attacks
attacker knows a login (from email/web page etc)
then attempts to guess password for it
try default passwords shipped with systems
try all short passwords
then try by searching dictionaries of common words
intelligent searches try passwords associated with the user (variations
on names, birthday, phone, common words/interests)
before exhaustively searching all possible passwords
check by login attempt or against stolen password file
success depends on password chosen by user
surveys show many users choose poorly
Password Capture
another attack involves password capture
watching over shoulder as password is entered
using a trojan horse program to collect
monitoring an insecure network login (eg. telnet, FTP, web, email)
extracting recorded info after successful login (web history/cache, last
number dialed etc)
using valid login/password can impersonate user
users need to be educated to use suitable precautions/countermeasures
Intrusion Detection
inevitably will have security failures
so need also to detect intrusions so can
block if detected quickly
act as deterrent
collect info to improve security
assume intruder will behave differently to a legitimate user
but will have imperfect distinction between
Approaches to Intrusion Detection
statistical anomaly detection
threshold
profile based
rule-based detection
anomaly
penetration identification
Audit Records
fundamental tool for intrusion detection
native audit records
part of all common multi-user O/S
already present for use
may not have info wanted in desired form
detection-specific audit records
created specifically to collect wanted info
at cost of additional overhead on system
Statistical Anomaly Detection
threshold detection
count occurrences of specific event over time
if exceed reasonable value assume intrusion
alone is a crude & ineffective detector
profile based
characterize past behavior of users
detect significant deviations from this
profile usually multi-parameter
Audit Record Analysis
foundation of statistical approaches
analyze records to get metrics over time
counter, gauge, interval timer, resource use
use various tests on these to determine if current behavior is acceptable
mean & standard deviation, multivariate, markov process, time series,
operational
key advantage is no prior knowledge used
Rule-Based Intrusion Detection
observe events on system & apply rules to decide if activity is suspicious or
not
rule-based anomaly detection
analyze historical audit records to identify usage patterns & auto-
generate rules for them
then observe current behavior & match against rules to see if conforms
like statistical anomaly detection does not require prior knowledge of
security flaws
rule-based penetration identification
uses expert systems technology
with rules identifying known penetration, weakness patterns, or
suspicious behavior
rules usually machine & O/S specific
rules are generated by experts who interview & codify knowledge of
security admins
quality depends on how well this is done
compare audit records or states against rules
Base-Rate Fallacy
practically an intrusion detection system needs to detect a substantial
percentage of intrusions with few false alarms
if too few intrusions detected -> false security
if too many false alarms -> ignore / waste time
this is very hard to do
existing systems seem not to have a good record
Distributed Intrusion Detection
traditional focus is on single systems
but typically have networked systems
more effective defense has these working together to detect intrusions
issues
dealing with varying audit record formats
integrity & confidentiality of networked data
centralized or decentralized architecture
Distributed Intrusion Detection – Architecture
Distributed Intrusion Detection – Agent Implementation
Honeypots
o decoy systems to lure attackers
away from accessing critical systems
to collect information of their activities
to encourage attacker to stay on system so administrator can
respond
o are filled with fabricated information
o instrumented to collect detailed information on attackers activities
o may be single or multiple networked systems
5.2 Password Management
front-line defense against intruders
users supply both:
o login – determines privileges of that user
o password – to identify them
passwords often stored encrypted
o Unix uses multiple DES (variant with salt)
o more recent systems use crypto hash function
Managing Passwords
o need policies and good user education
o ensure every account has a default password
o ensure users change the default passwords to something they can
remember
o protect password file from general access
o set technical policies to enforce good passwords
minimum length (>6)
require a mix of upper & lower case letters, numbers, punctuation
block know dictionary words
o may reactively run password guessing tools
note that good dictionaries exist for almost any language/interest
group
o may enforce periodic changing of passwords
o have system monitor failed login attempts, & lockout account if see too
many in a short period
o do need to educate users and get support
o balance requirements with user acceptance
o be aware of social engineering attacks
Proactive Password Checking
o most promising approach to improving password security
o allow users to select own password
o but have system verify it is acceptable
simple rule enforcement (see previous slide)
compare against dictionary of bad passwords
use algorithmic (markov model or bloom filter) to detect poor
choices
5.3 Viruses and related threats
Malicious Software
Viruses and Other Malicious Content
o computer viruses have got a lot of publicity
o one of a family of malicious software
o effects usually obvious
o have figured in news reports, fiction, movies (often exaggerated)
o getting more attention than deserve
o are a concern though
Trapdoors
o secret entry point into a program
o allows those who know access bypassing usual security procedures
o have been commonly used by developers
o a threat when left in production programs allowing exploited by attackers
o very hard to block in O/S
o requires good s/w development & update
Logic Bomb
o one of oldest types of malicious software
o code embedded in legitimate program
o activated when specified conditions met
eg presence/absence of some file
particular date/time
particular user
o when triggered typically damage system
modify/delete files/disks
Trojan Horse
o program with hidden side-effects
o which is usually superficially attractive
eg game, s/w upgrade etc
o when run performs some additional tasks
allows attacker to indirectly gain access they do not have directly
o often used to propagate a virus/worm or install a backdoor
o or simply to destroy data
Zombie
o program which secretly takes over another networked computer
o then uses it to indirectly launch attacks
o often used to launch distributed denial of service (DDoS) attacks
o exploits known flaws in network systems
Viruses
o a piece of self-replicating code attached to some other code
cf biological virus
o both propagates itself & carries a payload
carries code to make copies of itself
as well as code to perform some covert task
Virus Operation
o virus phases:
dormant – waiting on trigger event
propagation – replicating to programs/disks
triggering – by event to execute payload
execution – of payload
o details usually machine/OS specific
exploiting features/weaknesses
Virus Structure
program V :=
{goto main;
1234567;
subroutine infect-executable := {loop:
file := get-random-executable-file;
if (first-line-of-file = 1234567) then goto loop
else prepend V to file; }
subroutine do-damage := {whatever damage is to be done}
subroutine trigger-pulled := {return true if some condition holds}
main: main-program := {infect-executable;
if trigger-pulled then do-damage;
goto next;}
next:
}
Types of Viruses
o can classify on basis of how they attack
o parasitic virus
o memory-resident virus
o boot sector virus
o stealth
o polymorphic virus
o macro virus
Macro Virus
o macro code attached to some data file
o interpreted by program using file
eg Word/Excel macros
especially using auto command & command macros
o code is now platform independent
o is a major source of new viral infections
o blurs distinction between data and program files making task of detection
much harder
o classic trade-off: "ease of use" vs "security"
Email Virus
o spread using email with attachment containing a macro virus
cf Melissa
o triggered when user opens attachment
o or worse even when mail viewed by using scripting features in mail agent
o usually targeted at Microsoft Outlook mail agent & Word/Excel
documents
Worms
o replicating but not infecting program
o typically spreads over a network
cf Morris Internet Worm in 1988
led to creation of CERTs
o using users distributed privileges or by exploiting system vulnerabilities
o widely used by hackers to create zombie PC's, subsequently used for
further attacks, especially DoS
o major issue is lack of security of permanently connected systems,
especially PC's
Worm Operation
o worm phases like those of viruses:
dormant
propagation
search for other systems to infect
establish connection to target remote system
replicate self onto remote system
o triggering
o execution
Morris Worm
o best known classic worm
o released by Robert Morris in 1988
o targeted Unix systems
o using several propagation techniques
simple password cracking of local pw file
exploit bug in finger daemon
exploit debug trapdoor in sendmail daemon
o if any attack succeeds then replicated self
Recent Worm Attacks
o new spate of attacks from mid-2001
o Code Red exploited bug in MS IIS to penetrate & spread
probes random IPs for systems running IIS
had trigger time for denial-of-service attack
2nd
wave infected 360000 servers in 14 hours
o Code Red 2
had backdoor installed to allow remote control
o Nimda used multiple infection mechanisms
email, shares, web client, IIS, Code Red 2 backdoor
5.4 Virus Counter measures
viral attacks exploit lack of integrity control on systems
to defend need to add such controls
typically by one or more of:
o prevention - block virus infection mechanism
o detection - of viruses in infected system
o reaction - restoring system to clean state
Anti-Virus Software
o first-generation • scanner uses virus signature to identify virus
• or change in length of programs
o second-generation • uses heuristic rules to spot viral infection
• or uses program checksums to spot changes
o third-generation • memory-resident programs identify virus by actions
o fourth-generation • packages with a variety of antivirus techniques
• eg scanning & activity traps, access-controls
Advanced Anti-Virus Techniques
o generic decryption
• use CPU simulator to check program signature & behavior before
actually running it
o digital immune system (IBM)
• general purpose emulation & virus detection
• any virus entering org is captured, analyzed, detection/shielding
created for it, removed
Behavior-Blocking Software
o integrated with host O/S
o monitors program behavior in real-time
• eg file access, disk format, executable mods, system settings
changes, network access
o for possibly malicious actions
• if detected can block, terminate, or seek ok
o has advantage over scanners
o but malicious code runs before detection
5.5 Firewall Design Principles
Introduction
o seen evolution of information systems
o now everyone want to be on the Internet
o and to interconnect networks
o has persistent security concerns
o can‟t easily secure every system in org
o need "harm minimisation"
o a Firewall usually part of this
What is a Firewall?
o a choke point of control and monitoring
o interconnects networks with differing trust
o imposes restrictions on network services
only authorized traffic is allowed
o auditing and controlling access
can implement alarms for abnormal behavior
o is itself immune to penetration
o provides perimeter defence
Firewall Limitations
o cannot protect from attacks bypassing it
eg sneaker net, utility modems, trusted organisations, trusted
services (eg SSL/SSH)
o cannot protect against internal threats
eg disgruntled employee
o cannot protect against transfer of all virus infected programs or files
because of huge range of O/S & file types
Firewalls – Packet Filters
o simplest of components
o foundation of any firewall system
o examine each IP packet (no context) and permit or deny according to rules
o hence restrict access to services (ports)
o possible default policies
that not expressly permitted is prohibited
that not expressly prohibited is permitted
Attacks on Packet Filters
o IP address spoofing
fake source address to be trusted
add filters on router to block
o source routing attacks
attacker sets a route other than default
block source routed packets
o tiny fragment attacks
split header info over several tiny packets
either discard or reassemble before check
Firewalls – Stateful Packet Filters
o examine each IP packet in context
keeps tracks of client-server sessions
checks each packet validly belongs to one
o better able to detect bogus packets out of context
Firewalls - Application Level Gateway (or Proxy)
o use an application specific gateway / proxy
o has full access to protocol
user requests service from proxy
proxy validates request as legal
then actions request and returns result to user
o need separate proxies for each service
some services naturally support proxying
others are more problematic
custom services generally not supported
Firewalls - Circuit Level Gateway
o relays two TCP connections
o imposes security by limiting which such connections are allowed
o once created usually relays traffic without examining contents
o typically used when trust internal users by allowing general outbound
connections
o SOCKS commonly used for this
Bastion Host
o highly secure host system
o potentially exposed to "hostile" elements
o hence is secured to withstand this
o may support 2 or more net connections
o may be trusted to enforce trusted separation between network connections
o runs circuit / application level gateways
o or provides externally accessible services
Firewall Configurations
Access Control
o given system has identified a user
o determine what resources they can access
o general model is that of access matrix with
subject - active entity (user, process)
object - passive entity (file or resource)
access right – way object can be accessed
o can decompose by
columns as access control lists
rows as capability tickets
Access Control Matrix
5.6 Trusted Computer Systems
information security is increasingly important
have varying degrees of sensitivity of information
o cf military info classifications: confidential, secret etc
subjects (people or programs) have varying rights of access to objects
(information)
want to consider ways of increasing confidence in systems to enforce these rights
known as multilevel security
o subjects have maximum & current security level
o objects have a fixed security level classification
Bell LaPadula (BLP) Model
o one of the most famous security models
o implemented as mandatory policies on system
o has two key policies:
o no read up (simple security property)
a subject can only read/write an object if the current security level
of the subject dominates (>=) the classification of the object
o no write down (*-property)
a subject can only append/write to an object if the current security
level of the subject is dominated by (<=) the classification of the
object
Reference Monitor
Evaluated Computer Systems
o governments can evaluate IT systems
o against a range of standards:
TCSEC, IPSEC and now Common Criteria
o define a number of “levels” of evaluation with increasingly stringent
checking
o have published lists of evaluated products
though aimed at government/defense use
can be useful in industry also.
Two Marks
1. What is an intruder?
2. What are the three classes of intruders?
3. What is masquerader?
4. What is misfeasor?
5. What is clandestine user?
6. How password file is is protected?
7. What are the approaches to intrusion detection?
8. What is statistical anomaly detection?
9. What is rule based detection?
10. What are audit record and its types?
11. What is native audit record?
12. What is detection specific audit record?
13. What is threshold detection?
14. What is profile based statistical anomaly detection?
15. What is rule based anomaly detection?
16. What is penetration identification?
17. List some fields that contains in the audit record.
18. What are the metrics that are useful for profile based intrusion detection?
19. What are the various tests that can be performed to determine whether the current
activity fits within acceptable limits?
20. What is the base-rate fallacy?
21. What is a honey pot?
22. What is the purpose of „salt‟?
23. What is „salt‟ value?
24. What are the basic techniques used for password selection strategies?
25. What is the difference between reactive password checking and proactive
password checking?
26. What are the two categories that a software threats or malicious programs are
divided?
27. What is trapdoor?
28. What is logic bomb?
29. What is Trojan horse?
30. What is zombie?
31. What is virus?
32. What are the four phases of virus?
33. What are the types of virus?
34. What is micro virus?
35. What is E-mail virus?
36. What are worms?
37. What is the major difference between virus and worms?
38. What are the two approaches of antivirus?
39. What are the elements of generic decryption?
40. What is generic decryption?
41. What is behavior blocking software?
42. What is a firewall?
43. What are the characteristics of firewall?
44. List four general techniques that firewalls uses to control access and enforce the
sites security policy.
45. What are the capabilities of firewall?
46. What are the limitations of firewall?
47. What is the prime disadvantage of application level gateway?
48. What is the strength of application level gateway compare to packet filter?
49. What is bastion host?
50. What is a trusted system?
51. What are the basic elements of a access matrix?
52. What is simple security property?
53. What is *-property?
54. What is multilevel security?
55. What multilevel security ensure?
56. What is reference monitor?
57. What are the properties of reference monitor?
Big Questions:
58. Explain in detail about intrusion techniques. (8 marks)
59. Explain in detail about intrusion detection. (16 marks)
60. Explain in detail about statistical anomaly detection. (8 marks).
61. Explain rule-based intrusion detection. (8 marks).
62. Explain in detail about distributed intrusion detection. (8 marks).
63. Explain honey pots in detail. (8 marks)
64. Explain password management in detail. (16 marks).
65. Explain in detail about malicious program. (10 marks).
66. Explain virus in detail. (16 marks).
67. Explain in detail about worms. (10 marks).
68. Explain in detail about the generation of antivirus. (6 marks).
69. Explain in detail about advanced antivirus techniques. (12 marks).
70. Explain in detail about digital immune system. (8 marks).
71. Explain in detail about the types of firewall. (12 marks).
72. Explain packet filtering router in detail. (10 marks)
73. What are the attacks that can be made on packet filtering router? Give also its
counter measures (4 marks).
74. What are the characteristics of bastion host? (4/6 marks)
75. Explain firewall configuration. (8 marks).
76. Explain in detail about trusted system. (16 marks).
77. Explain data access control. (8 marks)
78. Explain the concepts of trusted systems. (8 marks)
79. Explain reference monitor in detail. (8 marks).
80. Explain Trojan horse defense. (8 marks).
B.E DEGREE EXAMINATION, MAY 2008
IT1352 – CRYPTOGRAPHY AND NETWORK SECURITY
Part – A 1. What is the advantage and disadvantage of one time pad encryption algorithm.
2. If a bit error occurs in plain text block p1 , how far does the error propagate in CBC
mode of DES
3. When do we say an integer a, less than n is a primitive root of n. state the conditions
for having at least one primitive root or n.
4.What for the miller-rabin algorithm is used.
5. Draw a simple public key encryption model that provides authentication alone.
6. Identify any two applications where one way authentication is necessary.
7. Why the leading two octets of message digest are stored in PGP message along with
the encrypted message digest.
8. State any tow advantages of Oakley key determination protocol over diffie hellman
key exchange protocol.
9. How are the passwords stored in password file in UNIX operating system.
10. What is meant by polymorphic viruses.
Part –B
11. A) i. Discuss any four substitution cipher encryption methods and list their merits and
demerits .
ii. how are diffusion and confusion achieved in DES.
OR
b) i. in AES, explain how the encryption key is expanded to produce keys for the 10
rounds.
ii. Explain the types of attacks on double DES and triple DES.
12. A) i. How are arithmetic operations on integers carried out from their residues
modulo a set of pair wise relatively prime moduli. Give the procedure to reconstruct the
integers form the residue.
ii. How is discrete logarithm evaluated for a number . what is the role of discrete
logarithms in the diffie hellman key exchange in exchanging the secret key among two
users.
OR
b) i. Identify the possible threats for RSA algorithm and list their counter measures.
ii. state the requirements for the design of an elliptic curve crypto system. Using that ,
explain how secret keys are exchanged and messages are encrypted.
13. A). i. Describe digital signature algorithm and show how signing and verification is
done using DSS.
ii. Consider any message M of length 4120 bits ending with ABCDEF in hexadecimal
form. Construct the last block of message to be given as input for the MD5.
OR
b) i. Explain the processing of a message block of 512 bits using SHA1.
ii. write about the symmetric encryption approach for digital signatures.
14. a) i.Describe the authentication dialogue used by Kerberos for obtaining services
from another realm.
ii. Explain with the help of an example how a user‟s certificate is obtained from another
certification authority in x509 scheme.
OR
b). i. what are the functions included in MIME in order to enchance security how are they
done..
ii. why does PGP maintain key rings with every users. Explain how the messages are
generated and received by pgp.
15). A) i. Explain any tow approached for intrusion detection.
ii. Suggest any three password selection strategies and identify their advantages and
disadvantages if any.
OR
b). i. Identify a few malicious programs that need a host program for their existence.
ii. Describe the familiar types of firewall configurations.
B.E DEGREE EXAMINATION, NOV 2007
IT1352 – CRYPTOGRAPHY AND NETWORK SECURITY
Part – A 1. What is avalanche effect.
2. What are the types of attacks on encrypted message.
3. Find gcd(56,86) using euclid‟s algorithm.
4. Why elliptic curve cryptography is considered to be better than RSA.
5. what is masquerading.
6. Define weak collision property of a hash function.
7. what is x.509 standard.
8. Give IPSEC ESP FORMAT.
9. What are honey pots.
10. List down the four phases of virus.
Part –B 11. A) Discuss in detail encryption and decryption process of AES.
OR
b) i. Briefly explain design principles of block cipher.
ii. Discuss in detail block cipher modes of operation.
12. A) i. Discuss in detail RSA algorithm , highlighting its computational aspect and
security.
ii. Perform decryption and encryption using RSA algorithm with p=3 q=11 e=7 and N=5.
OR
b) Briefly explain Deffie Hellman key exchange with an example.
13. A). i. Explain authentication functions in detail.
ii. What is meant by message digest give example.
OR
b) i. Briefly explain digital signature algorithm.
ii. Discuss clearly secure hash algorithm.
14. a) i. What is Kerberos . Explain how it provides authenticated service.
ii. Explain the architecture of IPSEC.
OR
b). i. Explain handshake protocol actions of SSL.
ii. Discuss in detail secure electronic transaction.
15). A) i. Explain firewalls and how they prevent intrusions.
ii.Explain the concept of reference monitor.
OR
b). i. Define intrusion detection and the different types of detection mechanisms, in detail.
ii. Comment on password selection strategies and their significance.