Cryptography and Network Security 1 Network Security Symmetric Encryption and Message Confidentiality WenZhan Song


Page 1: Cryptography and Network Security 1 Network Security Symmetric Encryption and Message Confidentiality WenZhan Song

Cryptography and Network Security 1

Network Security

Symmetric Encryption and Message Confidentiality

WenZhan Song

Page 2

Some Basic Terminology

Plaintext - original message
Ciphertext - coded message
Cipher - algorithm for transforming plaintext to ciphertext
Key - info used in cipher known only to sender/receiver
Encipher (encrypt) - converting plaintext to ciphertext
Decipher (decrypt) - recovering plaintext from ciphertext
Cryptography - study of encryption principles/methods
Cryptanalysis (code breaking) - study of principles/methods of deciphering ciphertext without knowing the key
Cryptology - field of both cryptography and cryptanalysis

Page 3

Page 4

Requirements

There are two requirements for secure use of symmetric encryption:
A strong encryption algorithm
Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure

The security of symmetric encryption depends on the secrecy of the key, not the secrecy of the algorithm
This makes it feasible for widespread use
Manufacturers can and have developed low-cost chip implementations of data encryption algorithms
These chips are widely available and incorporated into a number of products

Page 5

Cryptography

Page 6

Table 2.1 Types of Attacks on Encrypted Messages

Page 7

Cryptanalysis

An encryption scheme is computationally secure if the ciphertext generated by the scheme meets one or both of the following criteria:
The cost of breaking the cipher exceeds the value of the encrypted information
The time required to break the cipher exceeds the useful lifetime of the information

Page 8

Brute Force attack

Involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained

On average, half of all possible keys must be tried to achieve success

Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext

To supplement the brute-force approach:
Some degree of knowledge about the expected plaintext is needed
Some means of automatically distinguishing plaintext from garble is also needed

Page 9

Network Security

Two types of symmetric ciphers

Block ciphers: break the plaintext message into equal-size blocks; encrypt each block as a unit
Stream ciphers: encrypt one bit at a time

Page 10

Block Ciphers

Page 11

Block Ciphers

The message is broken into blocks, each of which is then encrypted (like a substitution on very big characters - 64 bits or more)

Page 12

Substitution and Permutation

In his 1949 paper Shannon also introduced the idea of substitution-permutation (S-P) networks, which now form the basis of modern block ciphers
An S-P network is the modern form of a substitution-transposition product cipher
S-P networks are based on the two primitive cryptographic operations we have seen before

Page 13

Substitution

A binary word is replaced by some other binary word

The whole substitution function forms the key

If we use n-bit words, the key space is (2^n)!

Can also think of this as a large lookup table, with n address lines (hence 2^n addresses), each entry n bits wide being the output value

Will call them s-boxes

Page 14

Cont.

Page 15

Permutation

A binary word has its bits reordered (permuted)

The re-ordering forms the key
If we use n-bit words, the key space is n! (less secure than substitution)
This is equivalent to a wire-crossing in practice (though it is much harder to do in software)

Will call these p-boxes

Page 16

Cont.

Page 17

Substitution-permutation Network

Shannon combined these two primitives; he called these mixing transformations
A special form of product cipher where:
S-boxes provide confusion of input bits
P-boxes provide diffusion across S-box inputs

Page 18

Confusion and Diffusion

Confusion: a technique that seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible. The cipher uses key and plaintext.

Diffusion: a technique that seeks to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext digit over many ciphertext digits.

Page 19

Desired Effect

Avalanche effect: a characteristic of an encryption algorithm in which a small change in the plaintext gives rise to a large change in the ciphertext
Best: changing one input bit results in changes of approx half the output bits

Completeness effect: each output bit is a complex function of all the input bits

Page 20

Practical Substitution-permutation Networks

In practice we need to be able to decrypt messages as well as to encrypt them, hence either:
Define inverses for each of our S- and P-boxes, but this doubles the code/hardware needed, or
Define a structure that is easy to reverse, so basically the same code or hardware can be used for both encryption and decryption

Page 21

Feistel Cipher

Invented by Horst Feistel, working at IBM Thomas J. Watson Research Labs in the early 70's

The idea is to partition the input block into two halves, l(i-1) and r(i-1), and use only r(i-1) in each round i (part) of the cipher

The function f incorporates one stage of the S-P network, controlled by part of the key k(i) known as the ith subkey

Page 22

Cont.

Page 23

Cont.

This can be described functionally as:
L(i) = R(i-1)
R(i) = L(i-1) ⊕ f(k(i), R(i-1))

This can easily be reversed as seen in the above diagram, working backwards through the rounds

In practice link a number of these stages together (typically 16 rounds) to form the full cipher

Page 24

Feistel Cipher Design Elements

Page 25

Data Encryption Standard

Adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology

Data are encrypted in 64-bit blocks using a 56-bit key

The same algorithm is used for decryption.

Subject to much controversy

Page 26

History

IBM LUCIFER, 60's: uses a 128-bit key
Proposal for NBS, 1973; adopted by NBS, 1977
Uses only a 56-bit key: possible brute force attack
Design of S-boxes was classified: hidden weak points in the S-boxes?
Wiener (93) claimed to be able to build a machine for $100,000 and break DES in 1.5 days

Page 27

DES

DES encrypts 64-bit blocks of data, using a 56-bit key

The basic process consists of:
an initial permutation (IP)
16 rounds of a complex key-dependent calculation f
a final permutation, being the inverse of IP

Function f can be described as:
L(i) = R(i-1)
R(i) = L(i-1) ⊕ P(S(E(R(i-1)) ⊕ K(i)))

Page 28

DES

Page 29

Initial and Final Permutations

Inverse Permutations

40 8 48 16 56 24 64 32

39 7 47 15 55 23 63 31

38 6 46 14 54 22 62 30

37 5 45 13 53 21 61 29

36 4 44 12 52 20 60 28

35 3 43 11 51 19 59 27

34 2 42 10 50 18 58 26

33 1 41 9 49 17 57 25

Page 30

Function f

Page 31

Expansion Table

Expands the 32-bit data to 48 bits: Result(i) = input(array(i))

32 1 2 3 4 5

4 5 6 7 8 9

8 9 10 11 12 13

12 13 14 15 16 17

16 17 18 19 20 21

20 21 22 23 24 25

24 25 26 27 28 29

28 29 30 31 32 1

Page 32

S-Boxes

An S-Box is a fixed 4 by 16 array. Given 6 bits B = b1 b2 b3 b4 b5 b6:
Row r = b1 b6
Column c = b2 b3 b4 b5
S(B) = S(r, c), written in binary of length 4

See examples at https://en.wikipedia.org/wiki/S-box

Page 33

Example

S-Box S1 (rows 0-3, columns 0-15):

14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Page 34

Permutation Table

The permutation after each round

16 7 20 21

29 12 28 17

1 15 23 26

5 18 31 10

2 8 24 14

32 27 3 9

19 13 30 6

22 11 4 25
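As an added example (not from the slides), the E table, the S1 row/column rule and the P table above are combined into the DES round function f(K, R) = P(S(E(R) ⊕ K)) and run through the Feistel structure L(i) = R(i-1), R(i) = L(i-1) ⊕ f(k(i), R(i-1)). Because the slides list only S1, the same S-box stands in for all eight positions, so this is a toy DES-like cipher, not DES; the round keys are constructed constants, not a key schedule.

```python
# Added example (not from the slides): a DES-style Feistel cipher built from the E, S1 and P
# tables. S1 is reused for all eight S-box positions (a TOY, real DES has eight S-boxes).

E = [32, 1, 2, 3, 4, 5,      4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13,   12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]

P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]


def permute(value, table, in_width):
    """DES-style table permutation: entries are 1-indexed bit positions, bit 1 = MSB."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (in_width - pos)) & 1)
    return out


def s1_lookup(six_bits):
    """Row = outer bits b1 b6, column = inner bits b2 b3 b4 b5 (the S-Boxes slide rule)."""
    row = ((six_bits >> 4) & 0b10) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row][col]


def f(right32, subkey48):
    """f(K, R) = P(S(E(R) XOR K)), with S1 standing in for every S-box (toy)."""
    x = permute(right32, E, 32) ^ subkey48
    s_out = 0
    for i in range(8):
        chunk = (x >> (42 - 6 * i)) & 0x3F      # eight 6-bit groups, leftmost first
        s_out = (s_out << 4) | s1_lookup(chunk)  # each yields 4 bits -> 32 bits total
    return permute(s_out, P, 32)


def feistel(block64, subkeys):
    """L(i) = R(i-1), R(i) = L(i-1) XOR f(k(i), R(i-1)); halves are swapped on output,
    which is what lets the same function decrypt when the subkeys are reversed."""
    left, right = block64 >> 32, block64 & 0xFFFFFFFF
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def encrypt(block64, subkeys):
    return feistel(block64, subkeys)


def decrypt(block64, subkeys):
    return feistel(block64, list(reversed(subkeys)))


def avalanche_bits(block64, subkeys, bit):
    """How many ciphertext bits change when one plaintext bit is flipped."""
    c1 = encrypt(block64, subkeys)
    c2 = encrypt(block64 ^ (1 << bit), subkeys)
    return bin(c1 ^ c2).count("1")


# Constructed 48-bit round keys for the demo (a real key schedule is a separate step).
DEMO_SUBKEYS = [(0x0123456789AB * (i + 1) + 0x5A5A) & 0xFFFFFFFFFFFF for i in range(16)]

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, DEMO_SUBKEYS)
    assert decrypt(ct, DEMO_SUBKEYS) == pt
    print(f"ciphertext {ct:016x}; flipping plaintext bit 0 changes "
          f"{avalanche_bits(pt, DEMO_SUBKEYS, 0)} of 64 ciphertext bits")
```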

Page 35

Subkey Generation

Given a 64-bit key (with parity-check bits):
Discard the parity-check bits
Permute the remaining bits using the fixed table P1; let C0 D0 be the result (total 56 bits)
Let Ci = Shift_i(Ci-1), Di = Shift_i(Di-1), and let Ki be another permutation P2 of Ci Di (selecting 48 of the 56 bits), where Shift_i is a cyclic shift of one position left if i = 1, 2, 9, 16 and of two positions left otherwise

Page 36

Permutation Tables

Permutation table P1 (64 -> 56 bits):

57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

Permutation table P2 (56 -> 48 bits):

14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

Page 37

DES in Practice

DEC (Digital Equipment Corp., 1992) built a chip with 50k transistors: encrypts at a rate of 1G/second, clock rate 250 MHz, cost about $300

Applications ATM transactions (encrypting PIN and so on)

Animation: http://kathrynneugent.com/animation.html

Page 38

DES Weak Keys

With many block ciphers there are some keys that should be avoided, because of reduced cipher complexity

These keys are such that the same sub-key is generated in more than one round, and they include:

Page 39

Cont.

Weak keys: the same sub-key is generated for every round; DES has 4 weak keys
Semi-weak keys: only two sub-keys are generated, on alternate rounds; DES has 12 of these (in 6 pairs)
Demi-semi weak keys: have four sub-keys generated

Page 40

Cont.

None of these causes a problem since they are a tiny fraction of all available keys

However they MUST be avoided by any key generation program

Page 41

DES Attacks

1998: The EFF's US$250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days. The photo shows a DES Cracker circuit board fitted with several Deep Crack chips.

Page 42

DES Attacks

The COPACOBANA machine, built for US$10,000 by the Universities of Bochum and Kiel, contains 120 low-cost FPGAs and can perform an exhaustive key search on DES in 9 days on average. The photo shows the backplane of the machine with the FPGAs

Page 43

Attack Faster than Brute Force

Differential cryptanalysis was discovered in the late 1980s by Eli Biham and Adi Shamir, although it was known earlier to both IBM and the NSA and kept secret. To break the full 16 rounds, differential cryptanalysis requires 2^47 chosen plaintexts. DES was designed to be resistant to DC.

Linear cryptanalysis was discovered by Mitsuru Matsui, and needs 2^43 known plaintexts (Matsui, 1993); the method was implemented (Matsui, 1994), and was the first experimental cryptanalysis of DES to be reported. There is no evidence that DES was tailored to be resistant to this type of attack.

Page 44

Possible Techniques for Improving DES

Multiple enciphering with DES
Extending DES to 128-bit data paths and 112-bit keys
Extending the key expansion calculation

Page 45

Double DES?

Using two encryption stages and two keys:
C = E_k2(E_k1(P))
P = D_k1(D_k2(C))

It is proved that there is no key k3 such that C = E_k2(E_k1(P)) = E_k3(P)

But: meet-in-the-middle attack

Page 46

Meet-in-the-Middle Attack

Assume C = E_k2(E_k1(P)). Given the plaintext P and ciphertext C:
Encrypt P using all possible keys k1
Decrypt C using all possible keys k2
Check each result against the list of encrypted plaintexts
If a match is found, test the found keys again on another plaintext and ciphertext pair
If it turns out correct, the keys have been found; otherwise keep decrypting C
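The procedure above, as an added example (not from the slides), run against a constructed toy 16-bit block cipher with 8-bit keys so it completes instantly: the forward table costs 2^8 encryptions and the backward pass 2^8 decryptions, instead of the 2^16 trials a naive search over both keys would need. This is the reason double encryption fails to double the effective key length; the toy cipher, keys and plaintexts are all constructed for the demo.

```python
# Added example (not from the slides): meet-in-the-middle against double encryption with a
# CONSTRUCTED toy cipher (16-bit block, 8-bit key). Work ~ 2 * 2^8 instead of 2^16.

BLOCK_MASK = 0xFFFF
KEY_BITS = 8


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & BLOCK_MASK


def _rotr16(x, n):
    return ((x >> n) | (x << (16 - n))) & BLOCK_MASK


def toy_encrypt(block, key):
    """Toy 4-round add-rotate-xor cipher; every step is invertible, so it is a bijection."""
    rk = (key << 8) | (key ^ 0xA5)          # spread the 8-bit key over 16 bits
    for r in range(4):
        block = (block + rk + r) & BLOCK_MASK
        block = _rotl16(block, 5)
        block ^= rk
    return block


def toy_decrypt(block, key):
    rk = (key << 8) | (key ^ 0xA5)
    for r in reversed(range(4)):
        block ^= rk
        block = _rotr16(block, 5)
        block = (block - rk - r) & BLOCK_MASK
    return block


def double_encrypt(block, k1, k2):
    """C = E_k2(E_k1(P))"""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (P, C) pairs: tabulate E_k1(P) for every k1, then look up
    D_k2(C) for every k2; each match is re-checked on the remaining pairs, as on the slide."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(toy_decrypt(c0, k2), []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


def demo():
    k1, k2 = 0x3C, 0xA7                       # secret keys, constructed for the demo
    plaintexts = [0x1234, 0xBEEF, 0x0042]     # known plaintexts, constructed
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("candidate (k1, k2) pairs:", [(hex(a), hex(b)) for a, b in demo()])
```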

Page 47

Triple DES

DES variant standardized in ANSI X9.17 & ISO 8732, and in PEM for key management
Proposed for general EFT standard by ANSI X9
Backwards compatible with many DES schemes
Uses 2 or 3 keys

Page 48

Page 49

3DES guidelines

FIPS 46-3 includes the following guidelines for 3DES:
3DES is the FIPS-approved symmetric encryption algorithm of choice
The original DES, which uses a single 56-bit key, is permitted under the standard for legacy systems only; new procurements should support 3DES

Government organizations with legacy DES systems are encouraged to transition to 3DES

It is anticipated that 3DES and the Advanced Encryption Standard (AES) will coexist as FIPS-approved algorithms, allowing for a gradual transition to AES

Page 50

Cont.

No known practical attacks
Brute force search impossible (very hard)
Meet-in-the-middle attacks need 2^56 plaintext-ciphertext pairs per key
Popular current alternative

Page 51

IDEA

Developed by James Massey & Xuejia Lai at ETH Zurich in 1990, then called IPES:
X. Lai, J. L. Massey, "A Proposal for a New Block Encryption Standard", in Advances in Cryptology - Eurocrypt '90, Lecture Notes in Computer Science, vol 473, pp 389-404
X. Lai, J. L. Massey, S. Murphy, "Markov Ciphers and Differential Cryptanalysis", in Advances in Cryptology - Eurocrypt '91, Lecture Notes in Computer Science, vol 547, pp 17-38
Name changed to IDEA in 1992

Page 52

Basic Features

Encrypts 64-bit blocks using a 128-bit key
Based on mixing operations from different (incompatible) algebraic groups: XOR, + mod 2^16, × mod (2^16 + 1), on 16-bit sub-blocks, with no permutations used
IDEA is patented in Europe & US; however, non-commercial use is freely permitted
Used in the public-domain PGP (with agreement)
Currently no attack against IDEA is known
Seems secure against differential cryptanalysis, brute force

Page 53

Operations

Operations: XOR, addition mod 2^16, multiplication mod 2^16 + 1

Why these special moduli for addition and multiplication? They do not satisfy the distributive law and the associative law (see http://www.mathsisfun.com/associative-commutative-distributive.html)

Page 54

MA: multiplication/addition

Multiplication/addition: the basic block to provide diffusion
Input of MA: two sub-blocks derived from the 4 input sub-blocks and 4 sub-keys, plus two other sub-keys
Output: two sub-blocks
Needs four operations; four operations are the minimum to provide full diffusion

Page 55

Overview

Page 56

Cont.

IDEA encryption works as follows: use 8 rounds; the 64-bit data is divided into X1, X2, X3, X4
Each round:
The sub-blocks are added (2, 3) or multiplied (1, 4) with sub-keys
The results are XORed, [1,3] and [2,4], into 2 sub-blocks
The XOR results are the input of the MA structure, which outputs two sub-blocks
The results are then XORed with sub-blocks 2,4 and 1,3 respectively
The second and third sub-blocks are swapped
Finally new sub-keys are combined with the sub-blocks

Page 57

Sub-Keys

Total need 52 = 6*8 + 4 sub-keys
The first 8 are taken directly from the key, in order; then a left shift of 25 bits gives the next 8 sub-keys, and so on
Each sub-key is a sub-block of the original key

Decryption: much more complicated; it needs the inverse of the encryption key for addition and multiplication

Page 58

Decryption

The process of decryption is essentially the same as encryption, but with a different selection of sub-keys

Basic operations:
K1.1^(-1) is the multiplicative inverse mod 2^16 + 1
-K1.2 is the additive inverse mod 2^16

The original operations are:
(+) bit-by-bit XOR
+ addition mod 2^16 of 16-bit integers
* multiplication mod 2^16 + 1 (where 0 means 2^16)

Page 59

Decryption Sub-Keys

Round   Encryption keys                  Decryption keys
1       K1.1 K1.2 K1.3 K1.4 K1.5 K1.6    K9.1^-1 -K9.2 -K9.3 K9.4^-1 K8.5 K8.6
2       K2.1 K2.2 K2.3 K2.4 K2.5 K2.6    K8.1^-1 -K8.3 -K8.2 K8.4^-1 K7.5 K7.6
3       K3.1 K3.2 K3.3 K3.4 K3.5 K3.6    K7.1^-1 -K7.3 -K7.2 K7.4^-1 K6.5 K6.6
4       K4.1 K4.2 K4.3 K4.4 K4.5 K4.6    K6.1^-1 -K6.3 -K6.2 K6.4^-1 K5.5 K5.6
5       K5.1 K5.2 K5.3 K5.4 K5.5 K5.6    K5.1^-1 -K5.3 -K5.2 K5.4^-1 K4.5 K4.6
6       K6.1 K6.2 K6.3 K6.4 K6.5 K6.6    K4.1^-1 -K4.3 -K4.2 K4.4^-1 K3.5 K3.6
7       K7.1 K7.2 K7.3 K7.4 K7.5 K7.6    K3.1^-1 -K3.3 -K3.2 K3.4^-1 K2.5 K2.6
8       K8.1 K8.2 K8.3 K8.4 K8.5 K8.6    K2.1^-1 -K2.3 -K2.2 K2.4^-1 K1.5 K1.6
Output  K9.1 K9.2 K9.3 K9.4              K1.1^-1 -K1.2 -K1.3 K1.4^-1

Page 60

Important Feature

The size of the sub-block: 2^16 + 1 needs to be a prime number, so that the inverse can be computed for each possible subkey

So sub-block size 8 is also possible: 2^8 + 1 = 257 is a prime number
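Pulling together the IDEA slides above (the three operations with the "0 means 2^16" convention, the MA structure, the 52-subkey schedule with 25-bit rotations, and the decryption sub-key table), as an added example that is not the slides' or IDEA's reference code. Decryption reuses the encryption round function unchanged and only swaps in the inverse sub-keys from the table, which is exactly the property the Decryption slide claims; the key and plaintext in the demo are constructed values.

```python
# Added example (not from the slides): IDEA operations, sub-key schedule, one round with the
# MA structure, and decryption by feeding the inverse-key table into the SAME round function.

MOD_ADD = 1 << 16          # addition mod 2^16
MOD_MUL = (1 << 16) + 1    # multiplication mod 2^16 + 1 (prime, so every value has an inverse)


def mul(a, b):
    """IDEA multiplication: a 16-bit zero stands for 2^16, and 2^16 in the result maps to 0."""
    a = a or MOD_ADD
    b = b or MOD_ADD
    return (a * b % MOD_MUL) & 0xFFFF


def add(a, b):
    return (a + b) & 0xFFFF


def mul_inv(a):
    """K^-1 in the decryption table: multiplicative inverse mod 2^16 + 1."""
    a = a or MOD_ADD
    return pow(a, -1, MOD_MUL) & 0xFFFF


def add_inv(a):
    """-K in the decryption table: additive inverse mod 2^16."""
    return (-a) & 0xFFFF


def subkeys(key128):
    """52 sub-keys: the eight 16-bit words of the key, then rotate left 25 bits and repeat."""
    ks, k = [], key128
    while len(ks) < 52:
        ks.extend((k >> (112 - 16 * i)) & 0xFFFF for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return ks[:52]


def ma(p, q, k5, k6):
    """MA structure: two sub-blocks and two sub-keys in, two sub-blocks out, four operations."""
    t = mul(p, k5)
    u = mul(add(t, q), k6)
    return u, add(t, u)


def idea_rounds(block64, ks):
    """8 rounds plus the output transformation, driven by any 52-entry key table."""
    x1, x2, x3, x4 = [(block64 >> s) & 0xFFFF for s in (48, 32, 16, 0)]
    for r in range(8):
        k = ks[6 * r: 6 * r + 6]
        y1, y2, y3, y4 = mul(x1, k[0]), add(x2, k[1]), add(x3, k[2]), mul(x4, k[3])
        u, v = ma(y1 ^ y3, y2 ^ y4, k[4], k[5])   # XOR of [1,3] and [2,4] feed the MA
        # u is XORed into sub-blocks 1,3 and v into 2,4; then the middle two are swapped
        x1, x2, x3, x4 = y1 ^ u, y3 ^ u, y2 ^ v, y4 ^ v
    k = ks[48:52]                                 # output transformation undoes the last swap
    y = (mul(x1, k[0]), add(x3, k[1]), add(x2, k[2]), mul(x4, k[3]))
    return (y[0] << 48) | (y[1] << 32) | (y[2] << 16) | y[3]


def decryption_subkeys(ks):
    """The Decryption Sub-Keys table; K(r).j is ks[6*(r-1) + j-1], K9.j the output keys."""
    def K(r, j):
        return ks[6 * (r - 1) + (j - 1)]
    dk = [mul_inv(K(9, 1)), add_inv(K(9, 2)), add_inv(K(9, 3)), mul_inv(K(9, 4)),
          K(8, 5), K(8, 6)]
    for r in range(2, 9):                         # rounds 2..8: the two additive keys swap
        s = 10 - r
        dk += [mul_inv(K(s, 1)), add_inv(K(s, 3)), add_inv(K(s, 2)), mul_inv(K(s, 4)),
               K(s - 1, 5), K(s - 1, 6)]
    dk += [mul_inv(K(1, 1)), add_inv(K(1, 2)), add_inv(K(1, 3)), mul_inv(K(1, 4))]
    return dk


def encrypt(block64, key128):
    return idea_rounds(block64, subkeys(key128))


def decrypt(block64, key128):
    return idea_rounds(block64, decryption_subkeys(subkeys(key128)))


if __name__ == "__main__":
    key = 0x00010002000300040005000600070008      # constructed demo key
    pt = 0x0000000100020003                        # constructed demo plaintext
    ct = encrypt(pt, key)
    print(f"ciphertext {ct:016x}, decrypts to {decrypt(ct, key):016x}")
```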

Page 61

CAST-128

By Carlisle Adams, Stafford Tavares; defined in RFC 2144
Uses key sizes varying from 40 to 128 bits
Structure of a Feistel network: 16 rounds on 64-bit data blocks
Four primitive operations: addition, subtraction (mod 2^32); bitwise exclusive-OR; left-circular rotation

Page 62

Skipjack and Clipper

Skipjack is used in the Clipper escrowed encryption scheme (US govt)
Skipjack is a block cipher: 64-bit data, hardware-only implementation, 80-bit key (escrowed in 2 halves), 32 rounds; all design details and descriptions are classified
There has been very considerable debate over its use; attack by Matt Blaze (AT&T) on the LEAF component of the Clipper protocol for secure phone communications

Page 63

Blowfish Scheme

Developed by Bruce Schneier
Fast, compact, simple and variably secure
Two basic operations: addition, XOR
Key ranges from 32 bits to 448 bits
Similar to the Feistel scheme
The sub-key and S-box generation is complicated, so not suitable when the key changes often
Function g is very simple, unlike DES

Page 64

RC5

Developed by R. Rivest
Suitable for hardware or software
Fast, simple, low memory, data-dependent rotations
Adaptable to processors of different word length
A family of algorithms determined by word length, number of rounds, size of secret key
Decryption and encryption are not the same, but differ only in small variations
Primitive operations: addition, XOR, left circular rotation

Page 65

Characteristics

Key features of advanced symmetric block ciphers:
Variable key length
Mixed operators
Data-dependent rotation
Key-dependent rotation
Key-dependent S-boxes
Lengthy key schedule algorithm
Variable function F
Variable number of rounds
Operation on both halves of the data each round

Page 66

AES

Advanced Encryption Standard (Rijndael): key size and block size may be chosen to be any of 128, 192, or 256 bits (later only the key; the block is fixed at 128)

Rijndael has a variable number of rounds. Not counting an extra round performed at the end of encipherment with one step omitted, the number of rounds in Rijndael is:
9 if both the block and the key are 128 bits long
11 if either the block or the key is 192 bits long, and neither of them is longer than that
13 if either the block or the key is 256 bits long

Three big blocks: first perform an Add Round Key step (XORing a subkey with the block) by itself, then the regular rounds noted above, then the final round with the Mix Column step omitted

Page 67

Advanced Encryption Standard

Page 68

Origins

Clear a replacement for DES was needed: there are theoretical attacks that can break it, and exhaustive key search attacks have been demonstrated
Can use Triple-DES, but it is slow and has small blocks
US NIST issued a call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
Issued as FIPS PUB 197 standard in Nov-2001

Page 69

The Finalists

MARS: IBM

RC6: RSA Laboratories

Rijndael: Joan Daemen (Proton World International) and Vincent Rijmen (Katholieke Universiteit Leuven)

Serpent: Ross Anderson (University of Cambridge), Eli Biham (Technion), and Lars Knudsen (University of California San Diego)

Twofish: Bruce Schneier, John Kelsey, and Niels Ferguson (Counterpane, Inc.), Doug Whiting (Hi/fn, Inc.), David Wagner (University of California Berkeley), and Chris Hall (Princeton University)

Wrote the book on crypto

Page 70

Evaluation Criteria (in order of importance)

Security: resistance to cryptanalysis, soundness of math, randomness of output, etc.

Cost: computational efficiency (speed), memory requirements

Algorithm / implementation characteristics: flexibility, hardware and software suitability, algorithm simplicity

Page 71

Results

Page 72

Results

Page 73

The AES Cipher - Rijndael

Designed by Rijmen and Daemen in Belgium
Has 128/192/256-bit keys, 128-bit data
An iterative rather than Feistel cipher
Processes data as a block of 4 columns of 4 bytes
Operates on the entire data block in every round
Designed to be: resistant against known attacks; fast and compact in code on many CPUs; simple in design

Page 74

AES Encryption Process

Page 75

AES Structure

The data block of 4 columns of 4 bytes is the state
The key is expanded to an array of words
Has 9/11/13 rounds in which the state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (substitution using matrix multiply of groups)
add round key (XOR state with key material)
View as alternating XOR key & scramble data bytes
Initial XOR of key material & incomplete last round
With fast XOR & table lookup implementation

Page 76

Convert to State Array

Input block: bytes 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

State array (the input bytes fill the 4x4 array column by column):

 0  4  8 12
 1  5  9 13
 2  6 10 14
 3  7 11 15

=

S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3

Page 77

AES Structure

Page 78: Cryptography and Network Security 1 Network Security Symmetric Encryption and Message Confidentiality WenZhan Song
Page 79:

SubBytes

Replace each byte in the state array with its corresponding value from the S-box; the byte's high nibble selects the row and its low nibble the column. For example, in the state

  00 44 88 CC
  11 55 99 DD
  22 66 AA EE
  33 77 BB FF

the byte 55 is replaced by S-box row 5, column 5, which is FC. The S-box is the multiplicative inverse in GF(2^8) followed by a fixed affine transform: the inverse makes it non-linear, and the affine constant 63 removes fixed points (S-box[00] = 63).

Page 80:

ShiftRows

The first row is unchanged; the last three rows are cyclically shifted left by 1, 2 and 3 bytes respectively:

  S0,0 S0,1 S0,2 S0,3      S0,0 S0,1 S0,2 S0,3
  S1,0 S1,1 S1,2 S1,3  ->  S1,1 S1,2 S1,3 S1,0
  S2,0 S2,1 S2,2 S2,3      S2,2 S2,3 S2,0 S2,1
  S3,0 S3,1 S3,2 S3,3      S3,3 S3,0 S3,1 S3,2

Since the state is filled column by column, this moves bytes between columns, which is what spreads each input byte across the whole block over successive rounds.

Page 81:

MixColumns

Apply the MixColumns transformation to each column independently: column c of the state S is replaced by column c of S', where each output byte is a linear combination of the four input bytes of that column, with multiplication ($\bullet$) and addition ($\oplus$, XOR) in GF(2^8) modulo $x^8 + x^4 + x^3 + x + 1$:

  S0,0 S0,1 S0,2 S0,3      S'0,0 S'0,1 S'0,2 S'0,3
  S1,0 S1,1 S1,2 S1,3  ->  S'1,0 S'1,1 S'1,2 S'1,3
  S2,0 S2,1 S2,2 S2,3      S'2,0 S'2,1 S'2,2 S'2,3
  S3,0 S3,1 S3,2 S3,3      S'3,0 S'3,1 S'3,2 S'3,3

MixColumns():
  $S'_{0,c} = (\{02\} \bullet S_{0,c}) \oplus (\{03\} \bullet S_{1,c}) \oplus S_{2,c} \oplus S_{3,c}$
  $S'_{1,c} = S_{0,c} \oplus (\{02\} \bullet S_{1,c}) \oplus (\{03\} \bullet S_{2,c}) \oplus S_{3,c}$
  $S'_{2,c} = S_{0,c} \oplus S_{1,c} \oplus (\{02\} \bullet S_{2,c}) \oplus (\{03\} \bullet S_{3,c})$
  $S'_{3,c} = (\{03\} \bullet S_{0,c}) \oplus S_{1,c} \oplus S_{2,c} \oplus (\{02\} \bullet S_{3,c})$

Multiplication by {02} is a left shift followed by a conditional XOR with {1b}; multiplication by {03} is ({02} $\bullet$ x) $\oplus$ x.

Page 82:

AddRoundKey

XOR each byte of the round key with its corresponding byte in the state array; column c of the round key for round r is the expanded-key word w[4r + c]:

  S0,0 S0,1 S0,2 S0,3       R0,0 R0,1 R0,2 R0,3       S'0,0 S'0,1 S'0,2 S'0,3
  S1,0 S1,1 S1,2 S1,3  XOR  R1,0 R1,1 R1,2 R1,3   =   S'1,0 S'1,1 S'1,2 S'1,3
  S2,0 S2,1 S2,2 S2,3       R2,0 R2,1 R2,2 R2,3       S'2,0 S'2,1 S'2,2 S'2,3
  S3,0 S3,1 S3,2 S3,3       R3,0 R3,1 R3,2 R3,3       S'3,0 S'3,1 S'3,2 S'3,3

i.e. $S'_{r,c} = S_{r,c} \oplus R_{r,c}$. AddRoundKey is its own inverse, and it is the only step that involves the key.

Page 83:

Table 2.2 Average Time Required for Exhaustive Key Search

Page 84:

Stream Ciphers

Page 85:

Stream ciphers

The most famous stream cipher is the Vernam cipher, invented by Gilbert Vernam at AT&T in 1917
It processes the message bit by bit (as a stream), simply XORing the message bits with key bits
It differs from the one-time pad, although some use the names interchangeably: the Vernam cipher is a one-time pad only when the key is truly random, as long as the message, and never reused

Examples: a well-known stream cipher is RC4; others include A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE (several of these, notably RC4, A5/1 and A5/2, have since been broken or deprecated)

Usage: stream ciphers are used in applications where plaintext arrives in quantities of unknowable length, for example a secure wireless connection

Page 86:

Simplest Stream Cipher

Page 87:

Pros and Cons

Drawback: the one-time pad needs as many key bits as message bits, which is difficult in practice (the key has to be distributed out of band, e.g. on a magnetic tape or CD-ROM, and each part used only once)
Strength: it is unconditionally secure (perfect secrecy) provided the key is truly random, kept secret and never reused; reusing key material lets an attacker XOR two ciphertexts to obtain the XOR of the two plaintexts

Page 88:

Stream cipher design considerations

The encryption sequence should have a large period: the longer the period before the keystream repeats, the more difficult cryptanalysis will be
The keystream should approximate the properties of a true random number stream as closely as possible: the more random-appearing the keystream is, the more randomized the ciphertext is, making cryptanalysis more difficult
The pseudorandom number generator is conditioned on the value of the input key; to guard against brute-force attacks, the key needs to be sufficiently long: with current technology, a key length of at least 128 bits is desirable

Page 89:

Key Generation

Why not generate the keystream from a smaller (base) key, using some pseudo-random function? Although this looks very attractive, it proves very difficult in practice to find a pseudo-random function that is cryptographically strong; the stream cipher is then only as secure as that generator
This is still an area of much research

Page 90:

Transposition Methods

Permutation of the plaintext (the letters are reordered, not replaced)
Example: write the message into a rectangle row by row, then read it out column by column in the order specified by the key
Enhancement: double or triple transposition, i.e. reapply the encryption to the ciphertext; a single columnar transposition preserves letter frequencies and is easily broken by anagramming

Page 91:

Stream Cipher Structure

Page 92:

Stream Cipher Properties

Some design considerations are:
  long period with no repetitions
  statistically random keystream
  security that depends on a large enough key
  large linear complexity (no short linear feedback shift register reproduces the keystream)
Properly designed, a stream cipher can be as secure as a block cipher with the same size key, but it is usually simpler and faster

Page 93:

RC4

Originally a proprietary cipher owned by RSA Data Security Inc. (the design leaked in 1994 and is now public)
Another Ron Rivest design: simple but effective
Variable key size, byte-oriented stream cipher
Widely used (web SSL/TLS, wireless WEP/WPA), though now deprecated (see Page 97)
The key is used to form a random permutation of all 8-bit values; that permutation is then used to scramble the input
Information is processed a byte at a time

Page 94:

RC4 Key Schedule

Starts with an array S of the numbers 0..255; the key is used to "well and truly" shuffle S, and S then forms the internal state of the cipher:

  for i = 0 to 255 do
      S[i] = i
      T[i] = K[i mod keylen]
  j = 0
  for i = 0 to 255 do
      j = (j + S[i] + T[i]) mod 256
      swap(S[i], S[j])

Page 95:

RC4 Encryption

Encryption continues shuffling the array values; the sum of the swapped pair selects the "stream key" byte from the permutation, which is XORed with the next byte of the message to encrypt or decrypt:

  i = j = 0
  for each message byte M_i:
      i = (i + 1) mod 256
      j = (j + S[i]) mod 256
      swap(S[i], S[j])
      t = (S[i] + S[j]) mod 256
      C_i = M_i XOR S[t]

Page 96:

RC4 Overview

Page 97:

RC4 Security

Originally claimed secure against known attacks: early analyses found biases but no practical break
The result is very non-linear
Since RC4 is a stream cipher, a key must never be reused: two messages under the same key give C1 XOR C2 = M1 XOR M2
The well-known WEP break was due to key handling (a 24-bit IV concatenated with the key, exposing the Fluhrer-Mantin-Shamir key-schedule weakness) rather than to the RC4 keystream generator itself
Since then, statistical biases in the first bytes of the keystream have been turned into practical attacks on TLS; RC4 is prohibited in TLS by RFC 7465 (2015) and should not be used in new designs
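The key schedule and keystream loop of Pages 94 and 95, together with the key-reuse warning on this page, as an added runnable example (not code from the slides). It reproduces the published RC4 test vector for key "Key" and plaintext "Plaintext", and then shows, on two constructed messages, that an attacker who knows one plaintext recovers the other from the two ciphertexts without ever learning the key. The function names are this example's own; RC4 is included for study only.

```python
# Added example (not from the slides): RC4 key schedule and keystream generator
# as pseudocoded on Pages 94-95, plus a demonstration of why a key must never be
# reused for two messages. RC4 is obsolete (RFC 7465); this is for study only.

def rc4_ksa(key):
    """Key-scheduling algorithm: use the key to shuffle S = [0..255]."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256   # T[i] = K[i mod keylen] inlined
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, n):
    """Pseudo-random generation algorithm: the first n keystream bytes for key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])        # t = S[i] + S[j]; emit S[t]
    return bytes(out)

def rc4_crypt(key, data):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(key, m1, m2):
    """Two messages under one key: C1 xor C2 == M1 xor M2, with no key needed.
    Returns M2 recovered from the ciphertexts plus knowledge of M1."""
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return xor_bytes(xor_bytes(c1, c2), m1)

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext"
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    # Constructed messages: an attacker who knows m1 recovers m2 without the key
    print(keystream_reuse_leak(b"Key", b"attack at dawn", b"retreat at 6am"))
```

The same leak applies to any stream cipher or stream-style mode (CTR, OFB): the fix is never the cipher, it is unique key/nonce material per message.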

Page 98:

Cipher Block Modes of Operation

Page 99:

Electronic Codebook Mode (ECB)

Plaintext is handled b bits at a time and each block of plaintext is encrypted independently using the same key
The term "codebook" is used because, for a given key, there is a unique ciphertext for every b-bit block of plaintext: one can imagine a gigantic codebook in which there is an entry for every possible b-bit plaintext pattern showing its corresponding ciphertext
With ECB, if the same b-bit block of plaintext appears more than once in the message, it always produces the same ciphertext; because of this, for lengthy messages the ECB mode may not be secure
If the message is highly structured, a cryptanalyst may exploit these regularities; an attacker who can also edit the ciphertext can delete, duplicate or reorder blocks without detection

Page 100:

Page 101:

Page 102:

Page 103:

Advantages of CTR mode

Hardware efficiency: encryption/decryption can be done in parallel on multiple blocks of plaintext or ciphertext; throughput is limited only by the amount of parallelism achieved
Software efficiency: because of the opportunities for parallel execution, processors that support parallel features (pipelining, SIMD, multiple cores) can be utilized effectively
Preprocessing: the execution of the underlying encryption algorithm does not depend on the plaintext or ciphertext, so the keystream blocks can be computed ahead of time; when the input is presented, the only computation is a series of XORs, greatly enhancing throughput
Random access: the i-th block of plaintext or ciphertext can be processed in random-access fashion, since its keystream block depends only on the counter value i
Provable security: it can be shown that CTR is at least as secure as the other modes discussed in this section, provided that no counter block is ever used twice under the same key
Simplicity: requires only the implementation of the encryption algorithm, not the decryption algorithm
Caveat: CTR gives confidentiality only; a repeated nonce/counter leaks the XOR of two plaintexts, and the ciphertext is malleable bit by bit, so in practice it is paired with a MAC (as in GCM)
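The ECB weakness of Page 99 and the CTR properties listed above, as an added example that is not code from the slides. The standard library has no AES, so the block cipher is replaced by a keyed SHA-256 stand-in `block_encrypt` (an assumption of this example: CTR only ever uses the forward direction, so any pseudo-random function shows the mode's behaviour; ECB is shown with the same function, which is enough to see the leak even though this stand-in cannot be inverted). The demonstration counts repeated ciphertext blocks under ECB versus CTR, decrypts by re-encrypting, and decrypts the third record alone via random access. All names are this example's own.

```python
# Added example (not from the slides): ECB versus CTR behaviour on a block-wise
# plaintext. block_encrypt is a keyed SHA-256 stand-in for the block cipher
# (assumption: the mode is the point, and CTR only uses the forward direction),
# so the example runs on the standard library alone. Block size is 16 bytes.
import hashlib
import secrets

BLOCK = 16

def block_encrypt(key, block):
    """Stand-in block function: 16 bytes in, 16 bytes out, keyed by `key`."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB needs padded input (multiple of 16 bytes)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    """Each block independently: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in split_blocks(plaintext))

def counter_block(nonce, i):
    """Nonce (8 bytes) || 64-bit big-endian block counter i; must never repeat under a key."""
    return nonce + i.to_bytes(8, "big")

def ctr_crypt(key, nonce, data, first_block=0):
    """CTR encryption and decryption are the same operation. `first_block` lets a
    caller start at block i (random access) without touching blocks 0..i-1."""
    out = bytearray()
    for idx, start in enumerate(range(0, len(data), BLOCK), first_block):
        ks = block_encrypt(key, counter_block(nonce, idx))   # precomputable, parallel
        chunk = data[start:start + BLOCK]                     # last chunk may be short
        out += bytes(d ^ k for d, k in zip(chunk, ks))       # only XORs at data time
    return bytes(out)

def repeated_blocks(ciphertext):
    """Number of distinct ciphertext blocks occurring more than once (>0 = ECB-style leak)."""
    blocks = split_blocks(ciphertext)
    return sum(1 for b in set(blocks) if blocks.count(b) > 1)

if __name__ == "__main__":
    key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(8)            # fresh per message; never reuse with this key
    # Constructed, highly structured plaintext: the same 16-byte record three times
    msg = b"ACCOUNT=0001;OK;" * 3
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))   # 1
    ct = ctr_crypt(key, nonce, msg)
    print("CTR repeated blocks:", repeated_blocks(ct))                      # 0
    print(ctr_crypt(key, nonce, ct[32:], first_block=2))                    # third record only
```

Note that `ctr_crypt` never calls a decryption routine (the "simplicity" point), that decrypting `ct[32:]` with `first_block=2` needs none of the earlier ciphertext (random access), and that the nonce is generated fresh per message: reusing `(key, nonce)` would make two ciphertexts XOR to the XOR of their plaintexts.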

Page 104:

Pseudo-random Number

Page 105:

Random Numbers

Many uses of random numbers in cryptography:
  nonces in authentication protocols to prevent replay
  session keys
  public key generation
  keystream for a one-time pad or stream cipher
In all cases it is critical that these values be statistically random (uniform distribution, independent) and unpredictable (future values cannot be predicted from previous values)
True random numbers provide this; care is needed with generated (pseudo-)random numbers

Page 106:

Random & Pseudorandom Number Generators

Page 107:

Pseudorandom Number Generators (PRNGs)

Often use deterministic algorithmic techniques to create "random numbers"
Although not truly random, their output can pass many tests of "randomness"
Such numbers are known as "pseudorandom numbers", created by "Pseudorandom Number Generators (PRNGs)"

Page 108:

Randomness Definition

Chaitin-Kolmogorov randomness (also called algorithmic randomness): a string of bits is random if and only if no computer program shorter than the string itself can produce it; this basically means that random strings are those that cannot be compressed
Statistical randomness: a numeric sequence is said to be statistically random when it contains no recognizable patterns or regularities; sequences such as the results of an ideal die roll, or the digits of pi (as far as we can tell), exhibit statistical randomness
Statistical randomness is not enough for cryptography: the digits of pi are statistically random yet completely predictable (see Page 117)

Page 109:

Inherent non-randomness

Because any PRNG run on a deterministic computer (contrast a quantum random source) is deterministic, its output will inevitably have certain properties that a true random sequence would not exhibit:
  guaranteed periodicity: if the generator uses only a fixed amount of memory then, given a sufficient number of iterations, it will revisit the same internal state twice, after which it repeats forever; a generator that is not periodic can be designed, but its memory requirements would grow as it runs
  reproducibility: a PRNG can be started from an arbitrary starting point, or seed state, and will always produce the identical sequence from that point on

Page 110:

cont

In practice, many PRNGs exhibit artifacts which cause them to fail statistically significant tests. These include, but are certainly not limited to:
  shorter than expected periods for some seed states (not full period)
  poor dimensional distribution
  successive values that are not independent
  some bits being "more random" than others
  lack of uniformity

Page 111:

Pseudo-random Bit Generator

Several applications: key generation; some encryption algorithms; the one-time pad

Let $l > k$ be integers and let $f : \mathbb{Z}_2^k \to \mathbb{Z}_2^l$ be a function computable in polynomial time
Then $f$ is called a $(k, l)$-pseudo-random bit generator
The input $s_0 \in \mathbb{Z}_2^k$ is called the seed
The output $f(s_0)$ is called the pseudo-random string

Page 112:

Desired Properties

Three important properties:
Unbiased (uniform distribution): all values, for whatever sample size is collected, are equiprobable
Unpredictable (independence): it is impossible to predict what the next output will be, given all the previous outputs but not the internal "hidden" state
Irreproducible: two of the same generators, given the same starting conditions, will produce different outputs (this requires a true source of entropy; a purely deterministic PRNG cannot have it)

Page 113:

Desired Properties

Usually when a person says:
  a "good" pseudo-random number generator, they mean it is unbiased
  a "true" PRNG, they usually mean it is irreproducible
  a "cryptographically strong" PRNG, they mean it is unpredictable
Very rarely do they mean all three

Page 114:

More Properties

Long period: the generator should have a long period
Fast computation: the generator should be reasonably fast
Security: the generator should be secure; but what is the security level of a PRNG?

Page 115:

Security

A PRNG suitable for cryptographic applications is called a cryptographically secure PRNG (CSPRNG). Its output should not only pass all statistical tests for randomness but also satisfy some additional cryptographic requirements.
Many aspects of cryptography require random numbers, for example:
  key generation
  nonces
  the per-signature random values in certain signature schemes: the nonce k in ECDSA and the salt in RSASSA-PSS (a repeated or biased ECDSA nonce leaks the private key)
  one-time pads

Page 116:

CSPRNG

CSPRNG requirements fall into two groups:
  their statistical properties are good (they pass tests of randomness)
  they hold up well under attack, even when (part of) their secrets are revealed
A CSPRNG should satisfy the "next-bit test": given the first $l$ bits of a random sequence, there is no polynomial-time algorithm that can predict the next bit with probability of success significantly higher than 1/2. It has been proven (Yao) that a generator passing the next-bit test will pass all other polynomial-time statistical tests for randomness.
A CSPRNG should withstand state compromise extensions. That is, in the unfortunate case that part or all of the state has been revealed (or guessed correctly), it should be impossible to reconstruct the stream of random numbers prior to the incident (backtracking resistance). Also, if there is an input of entropy, it should be infeasible to use knowledge of the state to predict future states (prediction resistance after reseeding).

Page 117:

Example

Suppose the CSPRNG being considered produces its output by computing some function of the successive digits of pi (i.e. 3.1415...). The output may well look random, as pi appears to be a statistically random sequence.
However, this does not satisfy the next-bit test, and thus is not cryptographically secure: there exists an algorithm (computing the next digit of pi) that will predict the next bit.

Page 118:

Design

Designs of CSPRNGs divide into classes: those based on cryptographic primitives such as block ciphers and hash functions; those based upon hard mathematical problems; and special-purpose designs.

Page 119:

Designs based on cryptographic primitives

A secure block cipher can be converted into a CSPRNG by running it in counter mode: choose an arbitrary (secret) key and encrypt a zero, then encrypt a 1, then encrypt a 2, etc. The counter can also be started at an arbitrary number other than zero. Obviously, the period will be $2^n$ for an $n$-bit block cipher; equally obviously, the initial values (i.e. key and "plaintext" counter) must not become known to an attacker, lest, however good this CSPRNG construction might be otherwise, all security be lost.
A cryptographically secure hash of a counter might also act as a good CSPRNG in some cases; it is necessary that the initial value of this counter is random and secret.
If the counter is a bignum, then the CSPRNG could have an infinite period.
Neither construction by itself resists state compromise: whoever learns the key and counter can recompute every past and future output, which is why standardized generators also update their state with a one-way function and reseed from an entropy source.
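The counter-based construction described here, tested against the state-compromise requirement of Page 116, as an added example (not code from the slides). SHA-256 of key || counter stands in for the block cipher (an assumption of this example; a block cipher in counter mode behaves the same way for this purpose). A plain counter generator and one that ratchets its key with a one-way hash after every output are run side by side; an attacker who captures the state after three outputs can recompute those outputs in the first case but not in the second. The class and function names are this example's own.

```python
# Added example (not from the slides): a counter-mode generator built on
# SHA-256 as the PRF (stand-in for the block cipher), and the "state compromise"
# requirement from Page 116 tested against it with and without a key ratchet.
import hashlib

class CounterGen:
    """output_i = PRF(key, counter_i). The key and the initial counter must stay
    secret; with ratchet=True the key is replaced by a one-way hash of itself
    after every output (backtracking resistance)."""
    def __init__(self, key, counter=0, ratchet=False):
        self.key, self.counter, self.ratchet = key, counter, ratchet

    def next_block(self):
        out = hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        if self.ratchet:
            # one-way key update: the previous key cannot be recovered from the new one
            self.key = hashlib.sha256(b"ratchet" + self.key).digest()
        return out

    def snapshot(self):
        """What an attacker learns if the process memory is read right now."""
        return (self.key, self.counter)

def attacker_recovers_past(snapshot, n_past):
    """Given a captured (key, counter), recompute the n_past outputs that preceded
    the capture by running the construction backwards over the counter."""
    key, counter = snapshot
    return [hashlib.sha256(key + i.to_bytes(8, "big")).digest()
            for i in range(counter - n_past, counter)]

def past_outputs_exposed(ratchet):
    """True if an attacker who grabs the state after 3 outputs reproduces them."""
    g = CounterGen(key=b"\x01" * 16, ratchet=ratchet)   # constructed secret key
    past = [g.next_block() for _ in range(3)]
    return attacker_recovers_past(g.snapshot(), 3) == past

if __name__ == "__main__":
    print("plain counter, past outputs exposed:", past_outputs_exposed(False))   # True
    print("ratcheted key, past outputs exposed:", past_outputs_exposed(True))    # False
```

The ratchet protects only the past: anyone holding the current key still predicts every future output until fresh entropy is mixed in, which is the second half of the Page 116 requirement (prediction resistance) and the reason real generators reseed.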

Page 120:

DES Based Generator

ANSI X9.17 PRNG (used by PGP, among others)
Inputs: two pseudo-random inputs, one a 64-bit representation of the date and time, the other a 64-bit seed value
Keys: three two-key triple-DES (EDE) encryptions, all using the same key pair
Output: a 64-bit pseudorandom number and a 64-bit seed value for next-round use

Page 121:

ANSI X9.17

Inputs: the date/time value $DT_i$ and the seed $S_i$; key: a two-key 3DES pair $(K_1, K_2)$ used in all three EDE operations:

  $R_i = EDE_{K_1,K_2}\big(S_i \oplus EDE_{K_1,K_2}(DT_i)\big)$
  $S_{i+1} = EDE_{K_1,K_2}\big(R_i \oplus EDE_{K_1,K_2}(DT_i)\big)$

$R_i$ is the 64-bit output and $S_{i+1}$ the seed for the next round.

Page 122:

Linear Congruential Generator

Protocol: let $M$ be an integer and $a, b < M$; let $k$ be the number of bits of $M$; the integer $l$ (number of output bits) is between $k+1$ and $M-1$; let $s_0 < M$ be the seed
Define $s_i = a s_{i-1} + b \bmod M$
Then the $i$-th random bit is $s_i \bmod 2$
It is not secure: the recurrence is linear, so an observer who sees a few consecutive outputs can solve for $a$ and $b$ and predict all later values; it is suitable for simulation, not for keys or nonces

Page 123:

Parameter Setting

Not all $a, b$ are good, and $m$ should be large; for example, $m$ a large prime
For fast computation, usually $m = 2^{31} - 1$, and $b$ is often set to 0
For this $m$, there are fewer than 100 integers $a$ that generate all numbers less than $m$ (full period) and whose sequences appear random
One such value is $a = 7^5 = 16807$, used in the IBM 360 family of computers
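Why the LCG of Pages 122 and 123 must not be used for anything secret, as an added example (not code from the slides): with the modulus known ($m = 2^{31}-1$ as above) and $a$, $b$ and the seed secret, three consecutive outputs are enough to solve the two linear congruences for $a$ and $b$ and predict every later value. The function names and the sample parameters are this example's own.

```python
# Added example (not from the slides): recovering the parameters of a linear
# congruential generator from three consecutive outputs, modulus known.
M = 2**31 - 1   # prime (Page 123), so every nonzero residue has an inverse mod M

def lcg(seed, a, b, m=M):
    """Infinite generator s_i = a*s_{i-1} + b mod m; yields the full state each step."""
    s = seed
    while True:
        s = (a * s + b) % m
        yield s

def recover_params(s1, s2, s3, m=M):
    """From s2 = a*s1 + b and s3 = a*s2 + b (mod m), subtract to eliminate b:
    a = (s3 - s2) * (s2 - s1)^-1, then b = s2 - a*s1. Needs s2 != s1 (mod m)."""
    if (s2 - s1) % m == 0:
        raise ValueError("need two distinct consecutive outputs to solve for a")
    a = (s3 - s2) * pow(s2 - s1, -1, m) % m   # modular inverse exists since m is prime
    b = (s2 - a * s1) % m
    return a, b

def predict_next(s_last, a, b, m=M):
    return (a * s_last + b) % m

def attacker_predicts():
    """True if the attacker's prediction matches the generator's actual next output."""
    secret_seed, secret_a, secret_b = 123456789, 7**5, 0   # Page 123's multiplier
    g = lcg(secret_seed, secret_a, secret_b)
    s1, s2, s3 = next(g), next(g), next(g)   # e.g. three leaked session identifiers
    a, b = recover_params(s1, s2, s3)
    return (a, b) == (secret_a, secret_b) and predict_next(s3, a, b) == next(g)

if __name__ == "__main__":
    print("LCG predicted from 3 outputs:", attacker_predicts())   # True
```

With an unknown modulus a few more outputs suffice (differences of outputs are multiples of $m$), and truncating the state to its low bits only slows the attack down; none of this applies to the generators on the following pages, whose unpredictability rests on a hard problem rather than on secrecy of $a$ and $b$.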

Page 124:

RSA Generator

Protocol: let $p, q$ be two $k/2$-bit primes and define $n = pq$; choose an integer $b$ with $\gcd(b, \phi(n)) = 1$; public: $n, b$; private: $p, q$; a seed $s_0$ with $k$ bits
Sequence: $s_{i+1} = s_i^b \bmod n$
Then the $i$-th random bit is $s_i \bmod 2$
It is proved to be secure under the RSA assumption (the least-significant bit of RSA is a hard-core bit), but it costs one modular exponentiation per output bit, so it is far too slow for general use

Page 125:

BBS Generator

Blum-Blum-Shub Generator: let $p, q$ be two $k/2$-bit primes and define $n = pq$, with $p \equiv q \equiv 3 \pmod 4$
  this guarantees that each quadratic residue has exactly one square root which is also a quadratic residue, so squaring is a permutation on QR(n)
$\gcd(\phi(p-1), \phi(q-1))$ should be small; this makes the cycle length large
Let QR(n) be the set of quadratic residues modulo $n$; public: $n$; private: $p, q$; a seed $s_0$ with $k$ bits from QR(n) (obtained as $x^2 \bmod n$ for a random $x$ coprime to $n$)
Sequence: $s_{i+1} = s_i^2 \bmod n$
Then the $i$-th random bit is $s_i \bmod 2$

Page 126:

Cont on BBS

Provably "secure": when the primes are chosen appropriately, and $O(\log \log n)$ bits of each $s_i$ are output, then in the limit as $n$ grows large, distinguishing the output bits from random will be at least as difficult as factoring $n$.
However, it is theoretically possible that a fast algorithm for factoring will someday be found, so BBS is not unconditionally secure; it is also slow compared with block-cipher based generators, since each output costs a modular squaring of a $k$-bit number.
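The BBS construction of Pages 125 and 126, with the parameter checks the slides list, as an added example (not code from the slides). It runs on the small constructed primes $p = 383$, $q = 503$ and seed $x = 101355$ purely to show the mechanics: real use needs primes of cryptographic size, generated and stored with the same care as an RSA key. The function names are this example's own.

```python
# Added example (not from the slides): the Blum-Blum-Shub generator with the
# parameter checks from Page 125, on small constructed primes for illustration.
from math import gcd

def is_prime(n):
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))   # trial division: toy sizes only

def bbs_setup(p, q):
    """Validate that p and q are distinct primes with p = q = 3 (mod 4); return n = p*q."""
    for x in (p, q):
        if not is_prime(x) or x % 4 != 3:
            raise ValueError(f"{x} is not a prime congruent to 3 mod 4")
    if p == q:
        raise ValueError("p and q must differ")
    return p * q

def bbs_bits(n, x, count):
    """s_0 = x^2 mod n (so s_0 is in QR(n)), s_{i+1} = s_i^2 mod n, output lsb(s_i).
    Returns the states and the bits so the mechanics can be inspected."""
    if gcd(x, n) != 1:
        raise ValueError("x must be coprime to n")
    s = x * x % n
    states, bits = [], []
    for _ in range(count):
        s = s * s % n
        states.append(s)
        bits.append(s & 1)
    return states, bits

def cycle_length_hint(p, q):
    """gcd(phi(p-1), phi(q-1)) for the special case p-1 = 2p', q-1 = 2q' with p', q' prime,
    where phi(p-1) = p'-1 and phi(q-1) = q'-1; the slide wants this small."""
    return gcd((p - 1) // 2 - 1, (q - 1) // 2 - 1)

if __name__ == "__main__":
    n = bbs_setup(383, 503)                     # n = 192649
    states, bits = bbs_bits(n, 101355, 8)
    print(states)      # starts 143135, 177671, 97048, ...
    print(bits)        # starts 1, 1, 0, ...
    print("gcd hint:", cycle_length_hint(383, 503))
```

Taking only the least-significant bit of each state is what the Page 126 result covers; emitting whole states would let an attacker recover $n$'s structure from consecutive squares.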

Page 127:

Discrete Logarithm Generator

Protocol: let $p$ be a $k$-bit prime and let $\alpha$ be a primitive element modulo $p$; a seed $s_0$ is any non-zero integer less than $p$
Define $s_{i+1} = \alpha^{s_i} \bmod p$
Then the $i$-th random bit is 1 if $s_i$ is larger than $p/2$ and 0 if $s_i$ is less than $p/2$
(This is the Blum-Micali generator; predicting its bits is as hard as computing discrete logarithms modulo $p$)

Page 128:

Standards

A number of CSPRNG designs have been standardized. They can be found in:
  FIPS 186-2
  ANSI X9.17-1985 Appendix C
  ANSI X9.31-1998 Appendix A.2.4
  ANSI X9.62-1998 Annex A.4
These are now historical: the X9.17/X9.31 and FIPS 186-2 generators have been withdrawn, and current designs (Hash_DRBG, HMAC_DRBG, CTR_DRBG) are specified in NIST SP 800-90A.