Network Security
By: B A Patel, Narmada College Of Computer Application, Zadeshwar, Bharuch
Posted 30-Dec-2015 (PowerPoint presentation transcript)


  • Outline
    - Cryptography
    - Symmetric-Key Algorithms
    - Public-Key Algorithms
    - Digital Signatures

  • Why have a computer network?
    - For communication
    - For resource sharing

  • The OSI model

  • Why have security?

  • The world before computers was in some ways much simpler
    - Signing or legalizing a paper would authenticate it
    - Photocopying was easily detected
    - Erasing, inserting or modifying words on a paper document was easily detectable
    - Secure transmission of a document: seal it and use a reasonable mail carrier (hoping the mail train does not get robbed)
    - One can recognize each other's face, voice, hand signature, etc.

  • Electronic world: the ability to copy and alter information has changed dramatically
    - No difference between an original file and copies of it
    - Removing a word from a file or inserting others is undetectable
    - Adding a signature to the end of a file/email: one can impersonate it, add it to other files as well, modify it, etc.
    - Electronic traffic can be (and is!) monitored and altered, often without anyone noticing
    - How to authenticate the person electronically communicating with you?

  • Some people who cause security problems, and why
    - Student: to have fun snooping on other people's email
    - Cracker: to test out someone's security system, to steal data
    - Businessman: to discover a competitor's strategic marketing plan
    - Ex-employee: to get revenge for being fired
    - Accountant: to embezzle money from a company
    - Stockbroker: to deny a promise made to a customer by email
    - Convict: to steal credit card numbers for sale
    - Spy: to learn an enemy's military or industrial secrets
    - Terrorist: to steal germ warfare secrets

    Point to make: making a network or a communication secure involves more than just keeping it free of programming errors. It involves outsmarting intelligent, dedicated and often well-funded adversaries.

  • Security issues: some practical situations
    - A sends a file to B; E intercepts it and reads it. How to send a file that looks like garbage to all but the intended receiver?
    - A sends a file to B; E intercepts it, modifies it, and then forwards it to B. How to make sure that the document has been received in exactly the form in which it was sent?
    - E sends a file to B pretending it is from A. How to make sure your communication partner is really who (s)he claims to be?

  • Security issues: some practical situations
    - A sends a message to B; E is able to delay the message for a while. How to detect old messages?
    - A sends a message to B. Later A (or B) denies having sent (received) the message. How to deal with electronic contracts?
    - E learns which user accesses which information, although the information itself remains secure.
    - E prevents communication between A and B: B will reject any message from A because they look inauthentic.

  • Security Attacks
    Generic types of attacks: passive, active

  • Passive Attacks

  • Active Attacks

  • Classes of network security problems
    - Secrecy (or confidentiality): keep the information out of the hands of unauthorized users, even if it has to travel over insecure links
    - Authentication: determine whom you are talking to before revealing sensitive information

  • Classes of network security problems
    - Non-repudiation (or signatures): prove that the order was to buy X liters of alcohol at the price before the taxes fell and not the price after. Prove also that the order indeed existed.
    - Data integrity (or message authentication): make sure that the message received was exactly the message you sent (not necessarily interested here in the confidentiality of the document)

  • Cryptography

  • Cryptography
    Cryptography comes from the Greek words for "secret writing". Cryptography is the study of secret (crypto) writing (graphy), concerned with developing algorithms which may be used to:
    - conceal the content of some message from all except the sender and recipient (privacy or secrecy), and/or
    - verify the correctness of a message to the recipient (authentication)
    These algorithms form the basis of many technological solutions to computer and communications security problems.

  • History
    - Cryptography was already used in ancient times, essentially in three kinds of contexts: private communications; art and religion; military and diplomatic use
    - Cryptology could be considered one of humanity's oldest professions. It has a history of at least 4000 years.
    - Ancient Egyptians enciphered some of their hieroglyphic writing on monuments.

  • Steganography
    Methods of concealing text:
    - Character marking: selected letters of text are overwritten in pencil. The marks are not visible unless the paper is held at an angle to bright light.
    - Invisible ink: substances can be used that leave no visible trace until heat or some chemical is applied.
    - Pin punctures: small pin punctures on selected letters are not ordinarily visible unless the paper is held in front of a light.

  • Some Basic Terminology
    - Cryptography: the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form
    - plaintext: the original message
    - ciphertext: the coded/transformed message
    - cipher: an algorithm for transforming an intelligible (plain) message into one that is unintelligible (ciphertext) by transposition and/or substitution methods
    - key: some information used in the cipher, known only to sender/receiver

  • Some Basic Terminology
    - encipher (encrypt): the process of converting plaintext to ciphertext using a cipher and a key
    - decipher (decrypt): the process of converting ciphertext to plaintext using a cipher and a key
    - cryptanalysis (codebreaking): the study of principles and methods of transforming (deciphering) a ciphertext back into plaintext without knowing the key
    - cryptology: the field of both cryptography and cryptanalysis

  • Some Basic Terminology
    - code: an algorithm for transforming an intelligible message into an unintelligible one using a code-book
    - keyspace: total number of possible values of keys in a crypto algorithm
    - cryptosystem: the combination of algorithm, key, and key management functions used to perform cryptographic operations

  • Symmetric Cipher Model

  • Requirements
    Two requirements for secure use of symmetric encryption:
    - a strong encryption algorithm
    - a secret key known only to sender/receiver
    Mathematically we have: Y = E_K(X), X = D_K(Y), so D_K(E_K(X)) = X.
    We assume the encryption algorithm is known; this implies a secure channel to distribute the key.

  • The encryption model (for a symmetric-key cipher).

  • A fundamental rule of cryptography is that one must assume that the cryptanalyst knows the methods used for encryption and decryption. The idea that the cryptanalyst knows the algorithms and that the secrecy lies exclusively in the keys is called Kerckhoffs's principle.
    Kerckhoffs's principle: all algorithms must be public; only the keys are secret.

  • Types of Cryptanalytic Attacks
    - ciphertext only: only know the algorithm and ciphertext; statistical methods can identify plaintext
    - known plaintext: know/suspect plaintext and corresponding ciphertext; use them to attack the cipher
    - chosen plaintext: select plaintext and obtain its ciphertext to attack the cipher
    - chosen ciphertext: select ciphertext and obtain its plaintext to attack the cipher
    - chosen text: select either plaintext or ciphertext to en/decrypt to attack the cipher

  • Cryptographic systems can be characterized by:
    - the type of encryption operations used: substitution / transposition / product
    - the number of keys used: single-key or private / two-key or public
    - the way in which plaintext is processed: block / stream

  • Types of Cryptography
    - Stream-based ciphers: "one at a time, please"; mixes plaintext with a key stream; good for real-time services
    - Block ciphers: "amusement park ride"; substitution and transposition

  • Encryption Systems
    - Substitution cipher: convert one letter to another (Cryptoquip)
    - Transposition cipher: change the position of letters in the text (Word Jumble)
    - Monoalphabetic cipher: Caesar

  • Encryption Systems
    - Polyalphabetic cipher: Vigenère; modular mathematics
    - Running key cipher
    - One-time pads: randomly generated keys

  • Steganography
    - Hiding a message within another medium, such as an image
    - No key is required
    - Example: modify the color map of a JPEG image

  • Cryptographic Methods
    - Symmetric: same key for encryption and decryption; key distribution problem
    - Asymmetric: mathematically related key pairs for encryption and decryption; public and private keys

  • Cryptographic Methods
    - Hybrid: combines the strengths of both methods
      - Asymmetric distributes the symmetric key, also known as a session key
      - Symmetric provides bulk encryption
    - Example: SSL negotiates a hybrid method

  • A little knowledge is a dangerous thing. Very true in cryptography.

  • Classical Substitution Ciphers
    - letters of plaintext are replaced by other letters or by numbers or symbols
    - or, if plaintext is viewed as a sequence of bits, substitution involves replacing plaintext bit patterns with ciphertext bit patterns

  • Secrecy
    Scenario: Alice wants to send a message (plaintext p) to Bob. The communication channel is insecure and can be eavesdropped on by Trudy. If Alice and Bob have previously agreed on an encryption scheme (cipher), the message can be sent encrypted (ciphertext c).
    Issues:
    - What is a good cipher?
    - What is the complexity of encrypting/decrypting?
    - What is the size of the ciphertext, relative to the plaintext?
    - If Alice and Bob have never interacted before, how can they agree on a cipher?

  • Traditional Cryptography
    Ciphers were already studied in ancient times. Caesar's cipher: replace a with d, replace b with e, ..., replace z with c. A more general monoalphabetic substitution cipher maps each letter to some other letter.

  • Caesar Cipher
    - earliest known substitution cipher
    - by Julius Caesar; first attested use in military affairs
    - replaces each letter by the 3rd letter on
    - example:
        meet me after the party
        PHHW PH DIWHU WKH SDUWB

  • Caesar Cipher, more formally:
    Encrypt(Letter, Key) = (Letter + Key) mod 26
    Decrypt(Letter, Key) = (Letter - Key) mod 26
    Encrypt(NIKITA, 3) = QLNLWD
    Decrypt(QLNLWD, 3) = NIKITA

  • Cryptanalysis of Caesar Cipher
    - only 26 possible ciphers: A maps to A, B, ..., Z
    - could simply try each in turn: a brute force search
    - given ciphertext, just try all shifts of letters
    - do need to recognize when we have plaintext
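The brute-force search with plaintext recognition described on this slide, as an added example that is not part of the slides: it tries all 26 shifts on the slide's ciphertext and scores each candidate against an approximate English letter-frequency table (the table is this example's assumption), which is the recogniser the slide says is needed.

```python
"""Brute-force a Caesar cipher and recognise the plaintext automatically.

Added example; ENGLISH_FREQ is an approximate letter-frequency table for
English text, not something taken from the slides."""
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of A..Z in English text.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def caesar_shift(text: str, key: int) -> str:
    """Encrypt(Letter, Key) = (Letter + Key) mod 26; non-letters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, key: int) -> str:
    """Decrypt(Letter, Key) = (Letter - Key) mod 26."""
    return caesar_shift(text, -key)


def english_score(text: str) -> float:
    """Chi-squared distance between the letter counts of `text` and English.
    Lower is more English-like; this is the 'recognise the plaintext' step."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        observed = letters.count(letter)
        expected = n * ENGLISH_FREQ[i] / 100.0
        score += (observed - expected) ** 2 / expected
    return score


def brute_force_caesar(ciphertext: str) -> List[Tuple[int, str, float]]:
    """Try all 26 shifts; return (key, candidate plaintext, score), best first."""
    candidates = [(key, caesar_decrypt(ciphertext, key)) for key in range(26)]
    scored = [(key, pt, english_score(pt)) for key, pt in candidates]
    return sorted(scored, key=lambda item: item[2])


def break_caesar(ciphertext: str) -> Tuple[int, str]:
    """Return the most English-looking (key, plaintext) pair."""
    key, plaintext, _ = brute_force_caesar(ciphertext)[0]
    return key, plaintext


if __name__ == "__main__":
    # The slide's example: "meet me after the party" shifted by 3.
    ct = caesar_shift("meet me after the party", 3)
    print(ct)                # PHHW PH DIWHU WKH SDUWB
    print(break_caesar(ct))  # (3, 'MEET ME AFTER THE PARTY')
```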

  • Breaking Traditional Cryptography
    Armed with simple statistical knowledge, Trudy can easily break a monoalphabetic substitution cipher:
    - most frequent letters in English: e, t, o, a, n, i, ...
    - most frequent digrams: th, in, er, re, an, ...
    - most frequent trigrams: the, ing, and, ion, ...
    The first description of the frequency analysis attack appears in a book written in the 9th century by the Arab philosopher al-Kindi.

  • Ciphertext
    PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: 'DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?' OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK

    Any guesses?

  • Frequency Analysis
    Identifying common letters, digrams and trigrams in the ciphertext above...
    First guess: LBO is THE

  • Frequency Analysis
    Assuming LBO represents THE, we replace L with T, B with H, and O with E and get:
    PCQ VMJYPD THYK TYSE KHXHJXWXV HXV ZCJPE EYPD KHXHJYUXJ THJEE KCPK. CP THE THCMKXPV XPV IYJKT PYDHT, QHEP KHO HXV EPVEV THE LXRE CI SX'XJMI, KHE JCKE XPV EYKKOV THE DJCMPV ZEICJE HYS, KXUYPD: 'DJEXT EYPD, ICJ X LHCMKXPV XPV CPE PYDHLK Y HXNE ZEEP JEACMPTYPD TC UCM THE IXZREK CI FXKL XDEK XPV THE REDEPVK CI XPAYEPT EYPDK. SXU Y SXEE KC ZCRV XK TC AJXNE X IXNCMJ CI UCMJ SXGEKTU?' EFYRCDME, TXREK IJCS THE LHCMKXPV XPV CPE PYDBTK
    More guesses?

  • Code
    Plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    Ciphertext: X Z A V O I D B Y G E R S P C F H J K L M N Q T U W

    Plaintext: Now during this time Shahrazad had borne King Shahriyar three sons. On the thousand and first night, when she had ended the tale of Ma'aruf, she rose and kissed the ground before him, saying: 'Great King, for a thousand and one nights I have been recounting to you the fables of past ages and the legends of ancient kings. May I make so bold as to crave a favour of your majesty?' Epilogue, Tales from the Thousand and One Nights
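The frequency-analysis attack worked through above, as an added example that is not part of the slides: it counts letters and trigrams in the slide's ciphertext, applies the partial guess LBO = THE, and decrypts with the full Code table from the last slide.

```python
"""Frequency analysis of the slides' monoalphabetic substitution ciphertext.
Added example; the ciphertext and the Code table are copied from the slides."""
import string
from collections import Counter
from typing import Dict, List, Tuple

ALPHABET = string.ascii_uppercase

# Cipher alphabet from the "Code" slide: plaintext A..Z -> the letter in the same position.
CIPHER_ALPHABET = "XZAVOIDBYGERSPCFHJKLMNQTUW"

# The ciphertext from the slides (Tales from the Thousand and One Nights).
CIPHERTEXT = (
    "PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. "
    "CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, "
    "KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: 'DJOXL EYPD, ICJ X "
    "LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL "
    "XDOK XPV LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X "
    "IXNCMJ CI UCMJ SXGOKLU?' OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK"
)


def letter_frequencies(text: str) -> List[Tuple[str, int]]:
    """Most common letters first (compare with English e, t, o, a, n, i, ...)."""
    return Counter(c for c in text.upper() if c in ALPHABET).most_common()


def top_ngrams(text: str, n: int, k: int) -> List[Tuple[str, int]]:
    """The k most common n-grams, counted inside words only."""
    counts: Counter = Counter()
    words = "".join(c if c in ALPHABET else " " for c in text.upper()).split()
    for word in words:
        for i in range(len(word) - n + 1):
            counts[word[i:i + n]] += 1
    return counts.most_common(k)


def apply_mapping(ciphertext: str, mapping: Dict[str, str]) -> str:
    """Substitute the ciphertext letters guessed so far; the rest stay as they are."""
    return "".join(mapping.get(c, c) for c in ciphertext.upper())


def key_from_cipher_alphabet(cipher_alphabet: str) -> Dict[str, str]:
    """Invert the Code table into a ciphertext-letter -> plaintext-letter mapping."""
    return {c: p for p, c in zip(ALPHABET, cipher_alphabet)}


def decrypt(ciphertext: str) -> str:
    """Full decryption with the Code table."""
    return apply_mapping(ciphertext, key_from_cipher_alphabet(CIPHER_ALPHABET))


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:6])   # O (= e) and X (= a) lead
    print(top_ngrams(CIPHERTEXT, 3, 5))         # LBO ("the") is among the top trigrams
    print(apply_mapping(CIPHERTEXT, {"L": "T", "B": "H", "O": "E"})[:40])
    print(decrypt(CIPHERTEXT))
```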

  • Substitution cipher
    - Each letter gets mapped to another letter, e.g. A -> E, B -> R, C -> Q, ...
    - What's the key space? 26!
    - Cryptogram puzzles in newspapers: how do you solve them?

  • Polyalphabetic Ciphers
    - another approach to improving security is to use multiple cipher alphabets, called polyalphabetic substitution ciphers
    - makes cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution
    - use a key to select which alphabet is used for each letter of the message
    - use each alphabet in turn; repeat from the start after the end of the key is reached

  • Vigenère Cipher
    - simplest polyalphabetic substitution cipher; effectively multiple Caesar ciphers
    - key is multiple letters long: K = k1 k2 ... kd
    - the ith letter specifies the ith alphabet to use
    - use each alphabet in turn; repeat from the start after d letters in the message
    - decryption simply works in reverse

  • Example of Vigenère Cipher
    - write the plaintext out
    - write the keyword repeated above it
    - use each key letter as a Caesar cipher key
    - encrypt the corresponding plaintext letter
    - e.g. using keyword deceptive:
        key:        deceptivedeceptivedeceptive
        plaintext:  wearediscoveredsaveyourself
        ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

  • Transposition Ciphers
    - now consider classical transposition or permutation ciphers
    - these hide the message by rearranging the letter order, without altering the actual letters used
    - can recognise these since they have the same frequency distribution as the original text

  • Permutation Cipher
    Rearrange letters instead of substituting them. E.g. plaintext = HELLO WORLD, written in two columns and read off row by row:
        H W
        E O
        L R
        L L
        O D
    Ciphertext = HWEOLRLLOD

  • Row Transposition Ciphers
    - a more complex scheme
    - write letters of the message out in rows over a specified number of columns
    - then reorder the columns according to some key before reading off the rows
        Key:        3 4 2 1 5 6 7
        Plaintext:  a t t a c k p
                    o s t p o n e
                    d u n t i l t
                    w o a m x y z
        Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

  • Transposition Ciphers: a transposition cipher.

  • Product Ciphers
    - ciphers using only substitutions or only transpositions are not secure, because of language characteristics
    - hence consider using several ciphers in succession to make the cipher harder to break, but:
      - two substitutions make a more complex substitution
      - two transpositions make a more complex transposition
      - a substitution followed by a transposition makes a new, much harder cipher
    - this is the bridge from classical to modern ciphers

  • One-Time Pad
    - if a truly random key as long as the message is used, the cipher will be secure; this is called a one-time pad
    - it is unbreakable, since the ciphertext bears no statistical relationship to the plaintext
    - for any plaintext and any ciphertext there exists a key mapping one to the other
    - can only use the key once, though
    - have the problem of safe distribution of the key

  • One-Time Pads: the use of a one-time pad for encryption, and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad.
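Added example (not from the slides) for the two properties just stated: that some other pad decrypts a given ciphertext to any chosen message of the same length, and that reusing a pad leaks p1 XOR p2. Using secrets.token_bytes as the source of the pad is this example's choice.

```python
"""One-time pad: why it is unbreakable, and what breaks it (added example)."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Truly random key as long as the message (secrets uses the OS CSPRNG)."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)


def pad_that_decrypts_to(ciphertext: bytes, wanted_plaintext: bytes) -> bytes:
    """For any ciphertext and any plaintext of the same length there is a pad
    mapping one to the other, so the ciphertext alone says nothing about
    which message was sent."""
    return xor_bytes(ciphertext, wanted_plaintext)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad encrypts two messages, XORing the ciphertexts cancels the pad
    and leaves p1 XOR p2: this is why a pad may be used only once."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    p1 = b"ATTACK AT DAWN"           # constructed sample message
    pad = new_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    print(otp_decrypt(c1, pad))                                   # b'ATTACK AT DAWN'
    other = pad_that_decrypts_to(c1, b"ATTACK AT NOON")
    print(otp_decrypt(c1, other))                                 # b'ATTACK AT NOON'
    c2 = otp_encrypt(b"HOLD POSITIONS", pad)                      # pad reused
    print(pad_reuse_leak(c1, c2) == xor_bytes(p1, b"HOLD POSITIONS"))  # True
```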

  • Quantum Cryptography
    Quantum cryptography is based on the fact that light comes in little packets called photons. Light can be polarized by being passed through a polarizing filter. If a beam of light (photons) is passed through a polarizing filter, all the photons emerging from it will be polarized in the direction of the filter's axis (e.g., vertical). If the beam is now passed through a second polarizing filter, the intensity of the light emerging from the second filter is proportional to the square of the cosine of the angle between the axes.

  • Quantum Cryptography
    If the two axes are perpendicular, no photons get through. The absolute orientation of the two filters does not matter; only the angle between their axes counts. To generate a one-time pad, one needs two sets of polarizing filters. Set one consists of a vertical filter and a horizontal filter. This choice is called a rectilinear basis. The second set of filters is the same, except rotated 45 degrees, so one filter runs from the lower left to the upper right and the other filter runs from the upper left to the lower right. This choice is called a diagonal basis.

  • Cryptography

  • Secret-Key Ciphers
    A secret-key cipher uses a key to encrypt and decrypt. Caesar's generalized cipher uses modular addition of each character (viewed as an integer) with the key:
        c_i = (p_i + k) mod m
        p_i = (c_i - k) mod m
    A more secure scheme is to use modular exponentiation to encrypt blocks of characters (viewed as integers):
        c[i,j] = p[i,j]^k mod m
    where m is a large prime.

  • Secret-Key Ciphers made more secure
    Unlike modular addition, modular exponentiation is considered computationally infeasible (exponential) to invert. Thus, even if Trudy guesses a pair (c[i,j], p[i,j]) (for example, she knows the plaintext starts with the words "Dear Bob"), she still cannot compute the key k.

    Alice and Bob need to share only the key k. Bob decrypts using Euler's Theorem from number theory:
        p[i,j] = c[i,j]^d mod m
    where d can be easily computed from k and m using Euclid's gcd algorithm.

  • How to Establish a Shared Key?
    What if Alice and Bob have never met and did not agree on a key? The Diffie-Hellman key exchange protocol (1976) allows strangers to establish a secret shared key while communicating over an insecure channel.

  • The Diffie-Hellman key exchange
    - Alice picks her secret half-key x (a large integer) and two large primes m and g. She sends to Bob: (m, g, g^x mod m)
    - Even if Trudy intercepts (m, g, g^x mod m), she cannot figure out x because modular logarithms are hard to compute.
    - Bob picks his secret half-key y and sends to Alice: (g^y mod m). Again, Trudy cannot figure out y.
    - The shared key is g^(xy) mod m. Bob computes it as (g^x mod m)^y mod m; Alice computes it as (g^y mod m)^x mod m.
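Added example, not the slides' code, for the modular-exponentiation secret-key cipher and the Diffie-Hellman exchange above, in the slides' notation: d is computed from k and m with the extended Euclidean algorithm, and both parties' computations of g^(xy) mod m are checked to agree. The prime M, key K, generator and block size are toy values chosen for this example and are far too small for real use.

```python
"""Modular exponentiation cipher (c = p^k mod m, p = c^d mod m) and Diffie-Hellman.
Added example with toy parameters; nothing here is sized for real use."""
from typing import List, Tuple

M = 2_147_483_647    # a prime (2^31 - 1); plaintext blocks must be < M
K = 65_537           # secret key k; must be coprime with M - 1
BLOCK_BYTES = 3      # 3 ASCII bytes < 2^24 < M fit in one block


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Euclid's algorithm extended to return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = extended_gcd(b, a % b)
    return g, t, s - (a // b) * t


def decryption_exponent(k: int, m: int) -> int:
    """d = k^-1 mod (m - 1).  For prime m, Euler/Fermat gives p^(m-1) = 1 mod m,
    so (p^k)^d = p^(1 + t(m-1)) = p mod m."""
    g, s, _ = extended_gcd(k, m - 1)
    if g != 1:
        raise ValueError("k must be coprime with m - 1")
    return s % (m - 1)


def exp_encrypt(plaintext: bytes, k: int = K, m: int = M) -> List[int]:
    """Encrypt each block of characters, viewed as an integer: c = p^k mod m."""
    blocks = [plaintext[i:i + BLOCK_BYTES] for i in range(0, len(plaintext), BLOCK_BYTES)]
    return [pow(int.from_bytes(b, "big"), k, m) for b in blocks]


def exp_decrypt(ciphertext: List[int], k: int = K, m: int = M) -> bytes:
    """Decrypt with the exponent d derived from k and m: p = c^d mod m.
    Assumes printable ASCII (no block starts with a zero byte)."""
    d = decryption_exponent(k, m)
    out = b""
    for c in ciphertext:
        p = pow(c, d, m)
        out += p.to_bytes((p.bit_length() + 7) // 8, "big")
    return out


def dh_public(secret: int, g: int, m: int) -> int:
    """What each party sends over the insecure channel: g^x mod m or g^y mod m."""
    return pow(g, secret, m)


def dh_shared(received: int, secret: int, m: int) -> int:
    """(g^y mod m)^x mod m == (g^x mod m)^y mod m == g^(xy) mod m."""
    return pow(received, secret, m)


if __name__ == "__main__":
    ct = exp_encrypt(b"Dear Bob")
    print(ct, exp_decrypt(ct))                      # [...] b'Dear Bob'
    g, x, y = 7, 123_456_789, 987_654_321           # toy half-keys
    alice_sends, bob_sends = dh_public(x, g, M), dh_public(y, g, M)   # seen by Trudy
    print(dh_shared(bob_sends, x, M) == dh_shared(alice_sends, y, M))  # True
```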

  • Two Fundamental Cryptographic Principles: Redundancy
    The first principle is that all encrypted messages must contain some redundancy, that is, information not needed to understand the message.
    Cryptographic principle 1: messages must contain some redundancy.
    In other words, upon decrypting a message, the recipient must be able to tell whether it is valid by simply inspecting it and perhaps performing a simple computation. This redundancy is needed to prevent active intruders from sending garbage and tricking the receiver into decrypting the garbage and acting on the "plaintext".

  • Two Fundamental Cryptographic Principles: Freshness
    The second cryptographic principle is that some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently. This measure is needed to prevent active intruders from playing back old messages.
    Cryptographic principle 2: some method is needed to foil replay attacks.
    One such measure is including in every message a timestamp valid only for, say, 10 seconds. The receiver can then just keep messages around for 10 seconds, to compare newly arrived messages to previous ones to filter out duplicates. Messages older than 10 seconds can be thrown out, since any replays sent more than 10 seconds later will be rejected as too old.
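A receiver-side implementation of both principles, added here and not part of the slides: a CRC32 serves as the inspectable redundancy that lets the receiver reject garbage, and a 10-second window with a duplicate cache implements the freshness check exactly as described. The frame layout, and the extra rejection of future-dated timestamps to cope with clock skew, are this example's assumptions.

```python
"""Redundancy and freshness checks on received messages (added example)."""
import struct
import zlib
from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 10.0   # the slides' "valid only for, say, 10 seconds"


def frame_message(body: bytes, timestamp: float) -> bytes:
    """Sender: prepend the timestamp, append a CRC32 as the redundancy.
    A CRC is enough to reject garbage; it is not a MAC, so in a real protocol
    the whole frame would travel inside the encrypted/authenticated envelope."""
    header = struct.pack("!d", timestamp) + body
    return header + struct.pack("!I", zlib.crc32(header) & 0xFFFFFFFF)


def parse_message(frame: bytes) -> Optional[Tuple[float, bytes]]:
    """Principle 1: inspect the redundancy; None means garbage."""
    if len(frame) < 12:
        return None
    header, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(header) & 0xFFFFFFFF != crc:
        return None
    (timestamp,) = struct.unpack("!d", header[:8])
    return timestamp, header[8:]


class FreshnessFilter:
    """Principle 2: reject messages older than the window and duplicates seen
    within it.  Remembering only the last WINDOW_SECONDS of messages suffices,
    because anything older is rejected by the age test alone."""

    def __init__(self, window: float = WINDOW_SECONDS) -> None:
        self.window = window
        self.seen: Dict[bytes, float] = {}   # frame -> its timestamp

    def accept(self, frame: bytes, now: float) -> Tuple[bool, str]:
        parsed = parse_message(frame)
        if parsed is None:
            return False, "garbage (redundancy check failed)"
        timestamp, _body = parsed
        # forget frames that can no longer be replayed successfully
        self.seen = {f: t for f, t in self.seen.items() if now - t <= self.window}
        if now - timestamp > self.window:
            return False, "too old"
        if timestamp - now > self.window:    # clock skew guard (this example's choice)
            return False, "from the future"
        if frame in self.seen:
            return False, "duplicate (replay)"
        self.seen[frame] = timestamp
        return True, "fresh"


if __name__ == "__main__":
    f = FreshnessFilter()
    msg = frame_message(b"transfer 100", timestamp=1000.0)   # constructed sample
    print(f.accept(msg, now=1001.0))   # (True, 'fresh')
    print(f.accept(msg, now=1005.0))   # (False, 'duplicate (replay)')
    print(f.accept(msg, now=1011.0))   # (False, 'too old')
```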

  • Symmetric-Key Algorithms
    - DES: The Data Encryption Standard
    - AES: The Advanced Encryption Standard
    - Cipher Modes
    - Other Ciphers
    - Cryptanalysis

  • Symmetric & Public Key Algorithms

    Symmetric Key Algorithms
    - Encryption and decryption keys are known to both communicating parties (Alice and Bob). They are usually related and it is easy to derive the decryption key once one knows the encryption key. In most cases, they are identical.
    - All of the classical (pre-1970) cryptosystems are symmetric.
    - Examples: DES and AES (Rijndael)
    - A secret should be shared (or agreed) between the communicating parties.

  • Cryptographic algorithms can be implemented either in hardware (for speed) or in software (for flexibility). Transpositions and substitutions can be implemented with simple electrical circuits.
    Basic elements of product ciphers. (a) P-box. (b) S-box. (c) Product.

  • If the 8 bits are designated from top to bottom as 01234567, the output of this particular P-box is 36071245.
    Substitutions are performed by S-boxes. A 3-bit plaintext is entered and a 3-bit ciphertext is output. The 3-bit input selects one of the eight lines exiting from the first stage and sets it to 1; all the other lines are 0. The second stage is a P-box. The third stage encodes the selected input line in binary again.
    We cascade a whole series of boxes to form a product cipher. Theoretically, it would be possible to have the second stage be an S-box that mapped a 12-bit number onto another 12-bit number. However, such a device would need 2^12 = 4096 crossed wires in its middle stage.

  • Instead, the input is broken up into four groups of 3 bits, each of which is substituted independently of the others. Product ciphers that operate on k-bit inputs to produce k-bit outputs are very common. Typically, k is 64 to 256.

  • DES History
    - IBM developed the Lucifer cipher, by a team led by Feistel in the late 60s; it used 64-bit data blocks with a 128-bit key
    - then redeveloped as a commercial cipher with input from NSA and others
    - in 1973 NBS issued a request for proposals for a national cipher standard
    - IBM submitted their revised Lucifer, which was eventually accepted as the DES

  • DES Design Controversy
    - although the DES standard is public, there was considerable controversy over the design: in the choice of a 56-bit key (vs Lucifer's 128-bit), and because the design criteria were classified
    - subsequent events and public analysis show that in fact the design was appropriate
    - use of DES has flourished, especially in financial applications
    - still standardised for legacy application use

  • DES Encryption Overview

  • DES: The Data Encryption Standard
    DES encryption scheme:
    - The plaintext (64 bits) passes through an initial permutation IP (on 64 bits)
    - Then follow 16 identical rounds; in each round a different subkey is used, each subkey being generated from the key
    - After round 16, swap the left half with the right half
    - Apply the inverse of the initial permutation, IP^-1 (on 64 bits)

  • Details of a single round of DES
    - Consider L the left half of the input to the round and R its right half; each of them has 32 bits
    - As in any Feistel cipher, the overall processing is L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)
    - The round subkey K_i has 48 bits
    - R is expanded from 32 to 48 bits using an expansion permutation E; this is a table that defines a permutation, duplicating at the same time 16 of the bits in R
    - These 48 bits are XORed with the subkey K_i
    - The 48-bit result passes through a substitution function that produces a 32-bit output
    - Then apply a permutation P

  • Details of a single round of DES

  • The substitutions in the DES rounds: S-boxes
    - There are 8 S-boxes, each accepting a 6-bit input and producing a 4-bit output
    - The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows:
      - The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are numbered 0 to 3)
      - The middle four bits select the column of the S-box (columns are numbered 0 to 15)
      - The decimal value in the selected entry of the S-box is converted to its 4-bit binary representation to produce the output

  • Definition of S-boxes
    Example: consider the input 011001 to S-box S1.
    - The row is given by the outer bits of 011001: 01 (i.e. 1)
    - The column is given by the middle bits of 011001: 1100 (i.e. 12)
    - The value in the selected cell is 9
    - Output is 1001
    Note that each row of each S-box is in fact an invertible substitution on 4 bits (a permutation of the numbers from 0 to 15). Note also that the output of the S-box is immediately permuted in DES, so that it spreads in the ciphertext.
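Added example (not from the slides) for the P-box with output order 36071245, the decoder/P-box/encoder construction of a 3-bit S-box, and the DES row/column lookup rule. The S1 table is the one published in the DES standard (FIPS 46); the 3-bit S-box is built from the slides' own P-box, not from any DES table.

```python
"""P-boxes and S-boxes: the slides' 8-bit P-box, a 3-bit S-box built from it,
and the DES S-box lookup rule (added example)."""
from typing import List, Sequence

# The slides' P-box: input bits numbered 0..7 top to bottom come out as 36071245.
PBOX_ORDER = [3, 6, 0, 7, 1, 2, 4, 5]

# DES S-box S1 (FIPS 46): 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def pbox(bits: Sequence[int], order: Sequence[int] = PBOX_ORDER) -> List[int]:
    """Transposition by wiring: output position j carries input bit order[j]."""
    if len(bits) != len(order):
        raise ValueError("P-box width mismatch")
    return [bits[i] for i in order]


def sbox_from_pbox(x: int, order: Sequence[int] = PBOX_ORDER) -> int:
    """The 3-bit S-box of the slides: a decoder sets line x to 1, the eight lines
    pass through a P-box, and an encoder turns the single set line back into a number."""
    lines = [1 if i == x else 0 for i in range(8)]    # stage 1: decoder
    permuted = pbox(lines, order)                      # stage 2: P-box
    return permuted.index(1)                           # stage 3: encoder


def des_sbox(box: List[List[int]], six_bits: str) -> str:
    """DES rule: outer two bits select the row, middle four the column;
    the table value is returned as 4 output bits."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("input must be 6 bits")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(box[row][col], "04b")


def rows_are_permutations(box: List[List[int]]) -> bool:
    """Each row is an invertible substitution on 4 bits."""
    return all(sorted(row) == list(range(16)) for row in box)


if __name__ == "__main__":
    print(pbox([0, 1, 2, 3, 4, 5, 6, 7]))               # [3, 6, 0, 7, 1, 2, 4, 5]
    print([sbox_from_pbox(x) for x in range(8)])        # the 3-bit substitution table
    print(des_sbox(S1, "011001"))                       # 1001  (row 1, column 12 -> 9)
    print(rows_are_permutations(S1))                    # True
```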

  • Data Encryption StandardThe data encryption standard. (a) General outline. (b) Detail of one iteration. The circled + means exclusive OR.

  • Triple DES
    As early as 1979, IBM realized that the DES key length was too short and devised a way to effectively increase it, using triple encryption. In the method chosen, two keys and three stages are used. In the first stage, the plaintext is encrypted using DES in the usual way with K1. In the second stage, DES is run in decryption mode, using K2 as the key. Finally, another DES encryption is done with K1.
    (a) Triple encryption using DES. (b) Decryption.

  • Analysis of DES
    Avalanche effect: this is a desirable property of any encryption algorithm.
    - A small change (even 1 bit) in the plaintext should produce a significant change in the ciphertext. Example: consider two blocks of 64 zeros and in the second block write 1 in the first position. Encrypt them both with DES: depending on the key, the result may have 34 different bits!
    - A small change (even 1 bit) in the key should produce a significant change in the ciphertext. Example: a change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext.

  • Strength of DES
    Two main concerns with DES: the length of the key, and the nature of the algorithm.
    - The key is rather short: 56 bits, so there are 2^56 possible keys, around 7.2 x 10^16
    - On average, only half of the keys have to be tried to break the system
    - In principle it should take a long time to break the system
    - Things are quicker with dedicated hardware: in 1998 a special machine was built for less than $250,000 that broke DES in less than 3 days; 2006 estimates are that hardware costing around $20,000 may break DES within a day

  • Strength of DES
    - DES has no export restrictions from NSA!
    - A 40-bit RC4 key is also insecure
    - 128-bit keys seem to be secure
    - Important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system, i.e. we have to recognize the plaintext when we find it. This is not trivial if the file is binary, compressed, etc. Automated procedures to do that are needed (and indeed some exist).

  • AES: The Advanced Encryption Standard
    Rules for AES proposals:
    - The algorithm must be a symmetric block cipher.
    - The full design must be public.
    - Key lengths of 128, 192, and 256 bits must be supported.
    - Both software and hardware implementations are required.
    - The algorithm must be public or licensed on nondiscriminatory terms.

  • AES Evaluation Criteria
    Initial criteria:
    - security: effort to practically cryptanalyze
    - cost: computational efficiency, so as to be used in high-speed applications, such as broadband links
    - algorithm and implementation characteristics: should be suitable for a variety of software/hardware implementations, simple enough to make analysis straightforward
    Final criteria:
    - general security: this was conducted by the public (academic) cryptographic community; people published various attacks and weaknesses of the candidates

  • AES Evaluation Criteria
    Final criteria (continued):
    - software and hardware implementation ease: execution speed, performance on various platforms, variation of speed with key size
    - attacks on implementation: timing attacks and power analysis (multiplication consumes more power and takes more time than addition; writing 1s consumes more power and takes more time than writing 0s)
    - flexibility (in encryption/decryption, key change, other factors)

  • AES Shortlist
    After testing and evaluation, the shortlist in Aug-99:
    - MARS (IBM): complex, fast, high security margin
    - RC6 (USA): very simple, very fast, low security margin
    - Rijndael (Belgium): clean, fast, good security margin
    - Serpent (Euro): slow, clean, very high security margin
    - Twofish (USA): complex, very fast, high security margin
    Then subject to further analysis and comment. Analysed the contrast between algorithms with few complex rounds vs. many simple rounds, and between those which refined existing ciphers vs. new proposals.

  • The AES Cipher: Rijndael
    - Designed by Rijmen and Daemen in Belgium
    - 128/192/256-bit keys, 128-bit data
    - Does not have the structure of a classical Feistel cipher: treats data in 4 groups of 4 bytes and operates on the entire block in every round
    - Designed to be: resistant against known attacks; fast and compact in code on many platforms; simple in design
    - Decryption algorithm is different from the encryption

  • Rijndael
    - Processes data as 4 groups of 4 bytes (a 128-bit block)
    - Input block copied into the State array, modified at each stage of encryption or decryption and copied to the output matrix after the final round
    - Has 9/11/13 rounds (depending on which variant is used) in which the State undergoes:
      - byte substitution (one S-box used on every byte)
      - shift rows: a simple permutation
      - mix columns: substitution using arithmetic in GF(2^8)
      - add round key (XOR the State with the round key)

  • Rijndael
    - initial XOR of the plaintext with a round key
    - there is an incomplete last round (the 10th/12th/14th)
    - Note: all operations can be combined into XOR and table lookups, hence very fast and efficient

  • AES (2): An outline of Rijndael.

  • AES (3): Creation of the state and rk arrays.

  • Cipher Modes
    Despite all this complexity, AES (or DES or any block cipher) is basically a monoalphabetic substitution cipher using big characters (128-bit characters for AES and 64-bit characters for DES). Whenever the same plaintext block goes in the front end, the same ciphertext block comes out the back end. If you encrypt the plaintext abcdefgh 100 times with the same DES key, you get the same ciphertext 100 times. An intruder can exploit this property to help subvert the cipher.

  • Electronic Code Book Mode
    To see how this monoalphabetic substitution cipher property can be used to partially defeat the cipher, we will use (triple) DES because it is easier to depict 64-bit blocks than 128-bit blocks, but AES has exactly the same problem. The straightforward way to use DES to encrypt a long piece of plaintext is to break it up into consecutive 8-byte (64-bit) blocks and encrypt them one after another with the same key. The last piece of plaintext is padded out to 64 bits, if need be. This technique is known as ECB mode (Electronic Code Book mode), in analogy with old-fashioned code books where each plaintext word was listed, followed by its ciphertext (usually a five-digit decimal number).

  • Electronic Code Book Mode: the plaintext of a file encrypted as 16 DES blocks.

  • Cipher Block Chaining Mode
    Each plaintext block is XORed with the previous ciphertext block before being encrypted. Consequently, the same plaintext block no longer maps onto the same ciphertext block, and the encryption is no longer a big monoalphabetic substitution cipher. The first block is XORed with a randomly chosen IV (Initialization Vector), which is transmitted (in plaintext) along with the ciphertext.

  • Cipher Block Chaining Mode: cipher block chaining. (a) Encryption. (b) Decryption.

  • Cipher Feedback Mode
    Cipher block chaining has the disadvantage of requiring an entire 64-bit block to arrive before decryption can begin. For byte-by-byte encryption, cipher feedback mode, using (triple) DES, is used, as shown in Fig. 8-13. For AES the idea is exactly the same, only a 128-bit shift register is used. In this figure, the state of the encryption machine is shown after bytes 0 through 9 have been encrypted and sent. When plaintext byte 10 arrives, as illustrated in Fig. 8-13(a), the DES algorithm operates on the 64-bit shift register to generate a 64-bit ciphertext. The leftmost byte of that ciphertext is extracted and XORed with P10. That byte is transmitted on the transmission line. In addition, the shift register is shifted left 8 bits, causing C2 to fall off the left end, and C10 is inserted in the position just vacated at the right end by C9.

  • Cipher Feedback Mode: (a) Encryption. (b) Decryption.

  • Stream Cipher Mode: Nevertheless, applications exist in which having a 1-bit transmission error mess up 64 bits of plaintext is too large an effect. Stream cipher mode works by encrypting an initialization vector, using a key, to get an output block. The output block is then encrypted, using the key, to get a second output block. This block is then encrypted to get a third block, and so on. The (arbitrarily large) sequence of output blocks, called the keystream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext, as shown in the figure.


  • Stream Cipher Mode: A stream cipher. (a) Encryption. (b) Decryption.

  • Stream Cipher Mode: Decryption occurs by generating the same keystream at the receiving side. Since the keystream depends only on the IV and the key, it is not affected by transmission errors in the ciphertext. Thus, a 1-bit error in the transmitted ciphertext generates only a 1-bit error in the decrypted plaintext.


  • Counter Mode: One problem that all the modes except electronic code book mode have is that random access to encrypted data is impossible. For example, suppose a file is transmitted over a network and then stored on disk in encrypted form. This might be a reasonable way to operate if the receiving computer is a notebook computer that might be stolen. Storing all critical files in encrypted form greatly reduces the damage due to secret information leaking out in the event that the computer falls into the wrong hands.

  • Counter Mode: However, disk files are often accessed in nonsequential order, especially files in databases. With a file encrypted using cipher block chaining, accessing a random block requires first decrypting all the blocks ahead of it, an expensive proposition. For this reason, yet another mode has been invented, counter mode, as illustrated in Fig. 8-15. Here the plaintext is not encrypted directly. Instead, the initialization vector plus a constant is encrypted, and the resulting ciphertext XORed with the plaintext. By stepping the initialization vector by 1 for each new block, it is easy to decrypt a block anywhere in the file without first having to decrypt all of its predecessors.


  • Counter Mode: Encryption using counter mode.

  • Suppose that the same key, K, is used again in the future (with a different plaintext but the same IV) and an attacker acquires all the ciphertext from both runs. The keystreams are the same in both cases, exposing the cipher to a keystream reuse attack of the same kind we saw with stream ciphers. All the cryptanalyst has to do is to XOR the two ciphertexts together to eliminate all the cryptographic protection and just get the XOR of the plaintexts. This weakness does not mean counter mode is a bad idea. It just means that both keys and initialization vectors should be chosen independently and at random. Even if the same key is accidentally used twice, if the IV is different each time, the plaintext is safe.
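The modes described above, as an added example that is not part of the lecture: a toy 64-bit Feistel network (an assumption of this example; invertible, but in no way a secure cipher) stands in for (triple) DES, and ECB, CBC and CTR are built on top of it to show the repeated-block leak of ECB, how CBC hides it, random access to a single block in CTR, and why reusing an IV under the same key gives away the XOR of the two plaintexts. The key, IV and plaintexts are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as with (triple) DES in the text

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    # Toy 8-round Feistel network standing in for DES: invertible but NOT secure.
    # Its hash-based round function is an assumption of this example, not DES's.
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left  # final swap: decryption is the same walk with rounds reversed
def block_encrypt(block, key): return _feistel(block, key, range(8))
def block_decrypt(block, key): return _feistel(block, key, range(7, -1, -1))
def blocks(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    # ECB: each block encrypted independently with the same key (a big substitution)
    return b"".join(block_encrypt(b, key) for b in blocks(pt))

def cbc_encrypt(pt, key, iv):
    # CBC: XOR each plaintext block with the previous ciphertext block (IV first)
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(block_decrypt(c, key), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(data, key, iv, start_block=0):
    # CTR: encrypt IV+i and XOR the result with block i. The same call decrypts, and
    # start_block lets a caller decrypt any block without touching its predecessors.
    out = bytearray()
    for i, b in enumerate(blocks(data), start=start_block):
        counter = (int.from_bytes(iv, "big") + i) % (1 << 64)
        out += xor(b, block_encrypt(counter.to_bytes(BLOCK, "big"), key))
    return bytes(out)

# Constructed sample inputs (not from the page); blocks 0 and 2 of PT are identical.
KEY = b"constructed-demo-key"
IV = bytes(range(8))
PT = b"ATTACK AT DAWN! ATTACK AT DAWN! "   # 32 bytes = 4 blocks
PT2 = b"RETREAT AT DUSK!RETREAT AT DUSK!"  # 32 bytes, same key and IV reused below

def ecb_leaks_repeat(pt=PT, key=KEY):
    c = blocks(ecb_encrypt(pt, key))
    return c[0] == c[2]  # True: equal plaintext blocks give equal ciphertext blocks
def cbc_hides_repeat(pt=PT, key=KEY, iv=IV):
    c = blocks(cbc_encrypt(pt, key, iv))
    return c[0] != c[2]  # True: chaining removes the visible pattern
def ctr_random_access(pt=PT, key=KEY, iv=IV):
    ct = ctr_crypt(pt, key, iv)
    return ctr_crypt(ct[16:24], key, iv, start_block=2)  # decrypt block 2 by itself
def ctr_iv_reuse_leaks(key=KEY, iv=IV):
    # Reusing (key, IV) repeats the keystream, so C1 XOR C2 equals P1 XOR P2
    return xor(ctr_crypt(PT, key, iv), ctr_crypt(PT2, key, iv)) == xor(PT, PT2)
```

The last function is the check behind the slide's rule that IVs must never repeat under one key: a ciphertext store where two records share a (key, IV) pair has already lost the XOR of their contents.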

  • Public-Key Algorithms: Historically, distributing the keys has always been the weakest link in most cryptosystems. No matter how strong a cryptosystem was, if an intruder could steal the key, the system was worthless. Cryptologists always took for granted that the encryption key and decryption key were the same (or easily derived from one another). But the key had to be distributed to all users of the system. Thus, it seemed as if there was an inherent built-in problem. Keys had to be protected from theft, but they also had to be distributed, so they could not just be locked up in a bank vault.

  • Public-Key Algorithms: In 1976, two researchers at Stanford University, Diffie and Hellman (1976), proposed a radically new kind of cryptosystem, one in which the encryption and decryption keys were different, and the decryption key could not feasibly be derived from the encryption key. In their proposal, the (keyed) encryption algorithm, E, and the (keyed) decryption algorithm, D, had to meet three requirements. These requirements can be stated simply as follows:
    1. D(E(P)) = P.
    2. It is exceedingly difficult to deduce D from E.
    3. E cannot be broken by a chosen plaintext attack.

  • Public-Key Algorithms: The method works like this. A person, say, Alice, wanting to receive secret messages, first devises two algorithms meeting the above requirements. The encryption algorithm and Alice's key are then made public, hence the name public-key cryptography. Now let us see if we can solve the problem of establishing a secure channel between Alice and Bob, who have never had any previous contact. Both Alice's encryption key, EA, and Bob's encryption key, EB, are assumed to be in publicly readable files. Now Alice takes her first message, P, computes EB(P), and sends it to Bob. Bob then decrypts it by applying his secret key DB [i.e., he computes DB(EB(P)) = P].

  • Public Key Ciphers: how to. A pair of keys is used, (e, d). Key e is made public and is used to encrypt; key d is kept private and is used to decrypt. RSA, by Rivest, Shamir, Adleman (1978), is the most popular public key cipher:
    + select a pair of large primes, p and q
    + let e = pq be the public key
    + define φ(e) = (p-1)(q-1)
    + let d be the private key, where 3d mod φ(e) = 1 (d is the inverse of 3 mod φ(e))
    + encrypt x with c = x^3 mod e
    + decrypt c with x = c^d mod e
    + we have x = x^(3d) mod e

  • RSA: The only catch is that we need to find algorithms that indeed satisfy all three requirements. One good method was discovered by a group at M.I.T. It is known by the initials of the three discoverers (Rivest, Shamir, Adleman): RSA. It has survived all attempts to break it for more than a quarter of a century and is considered very strong. Much practical security is based on it. Its major disadvantage is that it requires keys of at least 1024 bits for good security (versus 128 bits for symmetric-key algorithms), which makes it quite slow. The RSA method is based on some principles from number theory.

  • RSA: The parameters are chosen as follows:
    + Choose two large primes, p and q (typically 1024 bits).
    + Compute n = p x q and z = (p - 1) x (q - 1).
    + Choose a number relatively prime to z and call it d.
    + Find e such that e x d = 1 mod z.
    With these parameters computed in advance, we are ready to begin encryption. Divide the plaintext (regarded as a bit string) into blocks, so that each plaintext message, P, falls in the interval 0 ≤ P < n. Do that by grouping the plaintext into blocks of k bits, where k is the largest integer for which 2^k < n is true. To encrypt a message, P, compute C = P^e (mod n). To decrypt C, compute P = C^d (mod n).

  • RSA: It can be proven that for all P in the specified range, the encryption and decryption functions are inverses. To perform the encryption, you need e and n. To perform the decryption, you need d and n. Therefore, the public key consists of the pair (e, n), and the private key consists of (d, n). According to Rivest and colleagues, factoring a 500-digit number requires 10^25 years using brute force. In both cases, they assume the best known algorithm and a computer with a 1-µsec instruction time. Even if computers continue to get faster by an order of magnitude per decade, it will be centuries before factoring a 500-digit number becomes feasible, at which time our descendants can simply choose p and q still larger.


  • RSA: An example of the RSA algorithm.

  • Public Key Ciphers: Conclusions. RSA is considered secure because the only known way to find d from e is to factor e into p and q, a problem believed to be computationally hard.

  • Digital Signatures: Alice sends a message to Bob, encrypting it with Bob's public key. Bob decrypts the message using his private key. How can Bob determine that the message received was indeed sent by Alice? After all, Trudy also knows Bob's public key.

  • Basically, what is needed is a system by which one party can send a signed message to another party in such a way that the following conditions hold:
    1. The receiver can verify the claimed identity of the sender.
    2. The sender cannot later repudiate the contents of the message.
    3. The receiver cannot possibly have concocted the message himself.
    The first requirement is needed, for example, in financial systems. When a customer's computer orders a bank's computer to buy a ton of gold, the bank's computer needs to be able to make sure that the computer giving the order really belongs to the company whose account is to be debited. In other words, the bank has to authenticate the customer (and the customer has to authenticate the bank).

  • The second requirement is needed to protect the bank against fraud. Suppose that the bank buys the ton of gold, and immediately thereafter the price of gold drops sharply. A dishonest customer might sue the bank, claiming that he never issued any order to buy gold. When the bank produces the message in court, the customer denies having sent it. The third requirement is needed to protect the customer in the event that the price of gold shoots up and the bank tries to construct a signed message in which the customer asked for one bar of gold instead of one ton.


  • Digital Signatures: Alice can provide a digital signature for the message: s = x^d mod e. If Bob receives both x and s, he computes y = s^3 mod e = x^(3d) mod e = x. Thus, if y = x, Bob knows that Alice indeed sent x, since she is the only person who can compute s from x. Also, Alice cannot cheat and deny having sent message x (nonrepudiation). Using digital signatures, Alice and Bob can authenticate each other and prevent Trudy's woman-in-the-middle attacks. Validating a signed message requires knowledge of the other party's public key.
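Textbook RSA as the slides above describe it, as an added example that is not the lecture's own code: key generation from p and q, the k-bit block rule, encryption and decryption, and the signature s = x^d checked by raising it to the public exponent. The toy primes 3 and 11 (n = 33, d = 7, public exponent 3) match the slide's example; the primes 61 and 53, the A=1..Z=26 letter encoding and the function names are assumptions of this example.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int = 3):
    """Slide recipe: n = p*q, z = (p-1)(q-1), e relatively prime to z, e*d = 1 (mod z).
    Tanenbaum naming is used: public key (e, n), private key (d, n); the "how to"
    slide instead calls the modulus e and fixes the public exponent at 3."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z")
    d = pow(e, -1, z)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def block_bits(n: int) -> int:
    # k = largest integer with 2**k < n, so every k-bit block P satisfies 0 <= P < n
    return (n - 1).bit_length() - 1

def rsa_encrypt(P: int, pub) -> int:
    e, n = pub
    if not 0 <= P < n:
        raise ValueError("plaintext block must lie in 0 <= P < n")
    return pow(P, e, n)  # C = P^e mod n

def rsa_decrypt(C: int, priv) -> int:
    d, n = priv
    return pow(C, d, n)  # P = C^d mod n

def rsa_sign(x: int, priv) -> int:
    d, n = priv
    return pow(x, d, n)  # s = x^d mod n: only the holder of d can produce it

def rsa_verify(x: int, s: int, pub) -> bool:
    e, n = pub
    return pow(s, e, n) == x  # y = s^e mod n must equal the message x

# Letters encoded as A=1 .. Z=26 (assumed encoding for the slide's toy modulus n = 33)
def letters_to_blocks(word: str):
    return [ord(ch) - ord("A") + 1 for ch in word.upper()]

def blocks_to_letters(nums) -> str:
    return "".join(chr(v - 1 + ord("A")) for v in nums)

def encrypt_word(word: str, pub):
    # One letter per block; n = 33 allows k = 5 bit blocks, enough for values 1..26
    return [rsa_encrypt(P, pub) for P in letters_to_blocks(word)]

def decrypt_word(cipher, priv) -> str:
    return blocks_to_letters(rsa_decrypt(C, priv) for C in cipher)
```

Bare exponentiation like this is "textbook" RSA; deployed systems wrap the block in a padding scheme (OAEP for encryption, PSS for signatures) precisely because unpadded RSA is malleable and leaks equal blocks, as the ECB discussion earlier would predict.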

  • Digital Signatures:
    + Symmetric-Key Signatures
    + Public-Key Signatures
    + Message Digests
    + The Birthday Attack

  • Symmetric-Key Signatures: One approach to digital signatures is to have a central authority that knows everything and whom everyone trusts, say Big Brother (BB). Each user then chooses a secret key and carries it by hand to BB's office. Thus, only Alice and BB know Alice's secret key, KA, and so on. When Alice wants to send a signed plaintext message, P, to her banker, Bob, she generates KA(B, RA, t, P), where B is Bob's identity, RA is a random number chosen by Alice, t is a timestamp to ensure freshness, and KA(B, RA, t, P) is the message encrypted with her key, KA.

  • Symmetric-Key Signatures: Then she sends it as depicted in the figure. Digital signatures with Big Brother.

  • Public-Key Signatures: Digital signatures using public-key cryptography.

  • Message Digests: Digital signatures using message digests.

  • SHA-1: Use of SHA-1 and RSA for signing nonsecret messages.

  • AES: The Advanced Encryption Standard


  • SHA-1 (2): (a) A message padded out to a multiple of 512 bits. (b) The output variables. (c) The word array.


    Passive attacks attempt to learn or make use of information from the system but do not affect system resources. They work by eavesdropping on, or monitoring of, transmissions to:
    + obtain message contents (as shown above in Stallings Figure 1.3a), or
    + monitor traffic flows
    Passive attacks are difficult to detect because they do not involve any alteration of the data.

    Active attacks attempt to alter system resources or affect their operation, by modification of the data stream to:
    + masquerade of one entity as some other
    + replay previous messages (as shown above in Stallings Figure 1.4b)
    + modify messages in transit
    + denial of service
    Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.

    The five ingredients of the symmetric cipher model, shown in Stallings Figure 2.1:
    + plaintext: the original message
    + encryption algorithm: performs substitutions/transformations on the plaintext
    + secret key: controls the exact substitutions/transformations used in the encryption algorithm
    + ciphertext: the scrambled message
    + decryption algorithm: the inverse of the encryption algorithm
    We assume that it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm, and do not need to keep the algorithm secret; rather we only need to keep the key secret. This feature of symmetric encryption is what makes it feasible for widespread use. It allows easy distribution of software and hardware implementations. Taking a closer look at the essential elements of a symmetric encryption scheme: mathematically it can be considered a pair of functions with plaintext X, ciphertext Y, key K, encryption algorithm EK, and decryption algorithm DK.

    Stream ciphers are fast and easy to implement in hardware. Block ciphers are stronger, but slower and often implemented in hardware.
    Substitution Cipher: replacing one letter with another.
    Transposition Cipher: Word Jumble; rearranging or reordering the letters within a message.
    Monoalphabetic Cipher: algorithm that substitutes one letter in the ciphertext alphabet for one in the plaintext alphabet.

    Polyalphabetic Cipher: algorithm that substitutes a letter from two or more ciphertext alphabets for each plaintext alphabet letter based on position in the message.
    Modular Mathematics: sometimes referred to as clock arithmetic, computes operations over a given range of values from 0 to N. Referred to as modulo N.
    One-time Pads: offer perfect secrecy if a true source of randomness is used, but are very difficult to use in practice.
    Invisible ink, hidden tattoos, and microdots are all examples of steganography.

    By taking a color digital image and slightly altering the color of each pixel, you can hide a message in the image without noticeably altering the appearance. The receiver can then extract the message if they have the original, unaltered image.
    Cryptographic algorithms generally fall into one of two different categories, or are a combination of both.

    Symmetric:
    + Fast
    + Only provide confidentiality
    + Need a secure channel for key distribution
    + Key management headaches from the large number of key pairs to maintain: N(N-1)/2. That's over 6.3 million key pairs to let all 3556 Purdue A/P staff members exchange encrypted messages; to do the same for all students would require over half a billion key pairs!
    + Examples: DES, AES, Blowfish, RC4, RC5

    Asymmetric:
    + Large mathematical operations make it slower than symmetric algorithms
    + No need for out-of-band key distribution (public keys are public!)
    + Scales better since only a single key pair is needed per individual
    + Can provide authentication and nonrepudiation
    + Examples: RSA, El Gamal, ECC, Diffie-Hellman
    A hybrid cryptosystem is the best of both worlds. In this case, an asymmetric encryption scheme is used to transmit a generated symmetric key to the other party, then that key is used for all further communications.

    This combines the scalability and key management features of the asymmetric algorithms with the speed of symmetric ones. The Secure Sockets Layer (SSL) protocol negotiates which asymmetric and symmetric algorithms to use in a hybrid system to protect TCP connections, such as an HTTP connection between a web browser and web server.
    In this section and the next, we examine a sampling of what might be called classical encryption techniques. A study of these techniques enables us to illustrate the basic approaches to symmetric encryption used today and the types of cryptanalytic attacks that must be anticipated. The two basic building blocks of all encryption techniques are substitution and transposition. We examine these in the next two sections. Finally, we discuss a system that combines both substitution and transposition.

    The best known, and one of the simplest, such algorithms is referred to as the Vigenère cipher, where the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers, with shifts of 0 through 25. Each cipher is denoted by a key letter, which is the ciphertext letter that substitutes for the plaintext letter a, and the key letters are each used in turn, as shown next. Discuss this simple example from the text, Stallings section 2.2.
    We have seen that ciphers based on just substitutions or transpositions are not secure, and can be attacked because they do not sufficiently obscure the underlying language structure. So consider using several ciphers in succession to make the attack harder. A substitution followed by a transposition is known as a Product Cipher, and makes a new, much more secure cipher, and forms the bridge to modern ciphers.
    In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

    Before its adoption as a standard, the proposed DES was subjected to intense and continuing criticism over the size of its key and the classified design criteria. Recent analysis has shown, despite this controversy, that DES is well designed. DES is theoretically broken using differential or linear cryptanalysis, but in practice this is unlikely to be a problem yet. Rapid advances in computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie and Hellman. DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.
    The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input 64 bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block, which consists of:
    - an initial permutation (IP) which shuffles the 64-bit input block
    - 16 rounds of a complex key-dependent round function involving substitutions and permutations
    - a final permutation, being the inverse of IP
    The right side shows the handling of the 56-bit key and consists of:
    - an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
    - 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves