
Be the change you wanna see in this world.. · Web viewWilliam Stallings,“Cryptography and Network Security - Principles and Practices”, 3rd Edition, Prentice Hall of India, 2003



CS1355 – CRYPTOGRAPHY AND NETWORK SECURITY        L T P C: 3 1 0 4

UNIT I FUNDAMENTALS 10
OSI security architecture – Classical encryption techniques – Cipher principles – Data encryption standard – Block cipher design principles and modes of operation – Evaluation criteria for AES – AES cipher – Triple DES – Placement of encryption function – Traffic confidentiality.

UNIT II PUBLIC KEY CRYPTOGRAPHY 10
Key management – Diffie Hellman key exchange – Elliptic curve architecture and cryptography – Introduction to number theory – Confidentiality using symmetric encryption – Public key cryptography and RSA.

UNIT III AUTHENTICATION AND HASH FUNCTION 9
Authentication requirements – Authentication functions – Message authentication codes – Hash functions – Security of hash functions and MACs – MD5 Message Digest algorithm – Secure hash algorithm – RIPEMD – HMAC – Digital signatures – Authentication protocols – Digital signature standard.

UNIT IV NETWORK SECURITY 8
Authentication applications – Kerberos – X.509 authentication service – Electronic mail security – PGP – S/MIME – IP security – Web security.

UNIT V SYSTEM LEVEL SECURITY 8
Intrusion detection – Password management – Viruses and related threats – Virus countermeasures – Firewall design principles – Trusted systems.

TEXT BOOKS
1. William Stallings, “Cryptography and Network Security - Principles and Practices”, 3rd Edition, Prentice Hall of India, 2003.
2. Atul Kahate, “Cryptography and Network Security”, Tata McGraw-Hill, 2003.

REFERENCES
1. Bruce Schneier, “Applied Cryptography”, John Wiley & Sons Inc, 2001.
2. Charles B. Pfleeger and Shari Lawrence Pfleeger, “Security in Computing”, 3rd Edition, Pearson Education, 2003.
3. Behrouz A. Forouzan, “Cryptography and Network Security”, Tata McGraw-Hill, 2007.
4. Maiwald, “Fundamentals of Network Security”, Wiley Student Edition, 2006.


UNIT I: INTRODUCTION

OSI Security Architecture – Classical Encryption Techniques – Cipher Principles – Data Encryption Standard – Block Cipher Design Principles and Modes of Operation – Evaluation Criteria for AES – AES Cipher – Triple DES – Placement of Encryption Function – Traffic Confidentiality


Introduction:
• Information security requirements have changed in recent times.
• Traditionally, security was provided by physical and administrative mechanisms.
• Computer users require automated tools to protect files and other stored information.
• The use of distributed systems, networks and communications links requires security measures to protect data during transmission.

Computer Security – Generic name for the collection of tools designed to protect data and to thwart hackers.
Network Security – Measures to protect data during their transmission.
Internet Security – Measures to protect data during their transmission over a collection of interconnected networks.

Services, Mechanisms, Attacks:
• To assess the security needs of an organization effectively, a systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements is needed.
• One approach is to consider three aspects of information security: security attacks, security mechanisms and security services.

Security Attack:
• Any action that compromises the security of information owned by an organization.
Security Mechanism:
• A mechanism that is designed to detect, prevent or recover from a security attack.
Security Service:
• A service that enhances the security of the data processing systems and the information transfers of an organization.

Threat:
• A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
• That is, a threat is a possible danger that might exploit a vulnerability.
Attack:
• An assault on system security that derives from an intelligent threat.
• That is, an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

OSI Security Architecture:
• To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements.
• ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach.
• The OSI security architecture is useful to managers as a way of organizing the task of providing security.
• The OSI security architecture focuses on security attacks, mechanisms, and services.

Security Services:


• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources.

X.800 defines security services in 5 major categories:
Authentication – Concerned with assuring that a communication is authentic.
Access Control – Prevention of the unauthorized use of a resource.
Data Confidentiality – Protection of data from unauthorized disclosure.
Data Integrity – Assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion).
Non-Repudiation – Protection against denial by one of the parties in a communication.

Security Mechanisms:
Mechanisms are divided into
• Those that are implemented in a specific protocol layer
• Those that are not specific to any particular protocol layer or security service.

Specific security mechanisms:
Encipherment – The use of mathematical algorithms to transform data into a form that is not readily intelligible.
Digital signatures – Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
Access controls – A variety of mechanisms that enforce access rights to resources.
Data integrity – A variety of mechanisms that assure the integrity of a data unit or stream of data units.
Authentication exchange – A mechanism that ensures the identity of an entity by means of information exchange.
Traffic padding – Insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing control – Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
Notarization – Use of a trusted third party to assure certain properties of a data exchange.

Pervasive security mechanisms:
Trusted functionality – That which is perceived to be correct with respect to some criteria.
Security labels – Marking bound to a resource that names or designates the security attributes of that resource.
Event detection – Detection of security-relevant events.
Security audit trails – Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities.
Security recovery – Deals with requests from mechanisms such as event handling and management functions and takes recovery actions.


Security Attacks:
Passive attacks – Attempts to learn or make use of information from the system, but do not affect system resources.
o Passive attacks are very difficult to detect because they do not involve any alteration of the data.
o These are in the nature of eavesdropping on, or monitoring of, transmissions.
o The goal of the opponent is to obtain information that is being transmitted.
Two types of passive attacks are
1. Release of message contents
2. Traffic analysis.

Active attacks – Attempts to alter system resources or affect their operation.
o They involve some modification of the data stream or the creation of a false stream, and can be subdivided into four categories.
1. Masquerade – Takes place when one entity pretends to be a different entity.
2. Replay – Involves passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
3. Modification of messages – Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
4. Denial of service – Prevents or inhibits the normal use or management of communication facilities.

Model for Network Security:
• A message is to be transferred from one party to another across some sort of internet.
• The two parties, who are the principals in this transaction, must cooperate for the exchange to take place.
This model shows that there are four basic tasks in designing a particular security service:
1. Design a suitable algorithm for the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information (keys) used by the algorithm.
3. Develop methods to distribute and share the secret information.
4. Specify a protocol enabling the principals to use the transformation and secret information for a security service.

Model for Network Access Security:
This model requires:
• Gatekeeper function – password-based login procedures that are designed to deny access to all but authorized users, and screening logic that is designed to detect and reject worms, viruses and other similar attacks.
• Implement security controls – monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.

Classical Encryption Techniques

1. Symmetric Cipher Model
   Cryptography
   Cryptanalysis
2. Substitution Techniques
   Caesar Cipher
   Monoalphabetic Cipher
   Playfair Cipher
   Hill Cipher
   Polyalphabetic Cipher
   One-Time Pad
3. Transposition Techniques
4. Rotor Machines
5. Steganography

Key Points:
Symmetric / conventional / single-key encryption – Sender and recipient share a common key.
Plaintext – the original message
Ciphertext – the coded message
Cipher – algorithm for transforming plaintext to ciphertext
Key – information used in the cipher, known only to sender/receiver
Encipher (encrypt) – converting plaintext to ciphertext
Decipher (decrypt) – recovering plaintext from ciphertext
Cryptography – study of encryption principles/methods


Cryptanalysis (code breaking) – the study of principles/methods of deciphering ciphertext without knowing the key

Cryptology - the field of both cryptography and cryptanalysis

1. Symmetric Cipher Model:

There are two requirements for secure use of symmetric encryption:
1. A strong encryption algorithm
2. A secret key known only to sender / receiver

Types of Cryptanalytic Attacks on encrypted messages:

Type of attack      Known to cryptanalyst
Ciphertext only     Encryption algorithm / ciphertext.
Known plaintext     Encryption algorithm / ciphertext / one or more plaintext & ciphertext pairs.
Chosen plaintext    Encryption algorithm / ciphertext / select plaintext and obtain ciphertext to attack the cipher.
Chosen ciphertext   Encryption algorithm / ciphertext / select ciphertext and obtain plaintext to attack the cipher.
Chosen text         Encryption algorithm / ciphertext / select either plaintext or ciphertext to en/decrypt to attack the cipher.

Brute Force Search: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

Unconditionally secure: An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain any useful information to determine the corresponding plaintext, no matter how much ciphertext is available.

Computationally secure:
o The cost of breaking the cipher exceeds the value of the information.
o The time required to break the cipher exceeds the useful lifetime of the information.
An encryption scheme is computationally secure if either of the two above criteria is met.

2. Substitution Techniques:


1. Caesar Cipher
2. Monoalphabetic Cipher
3. Playfair Cipher
4. Hill Cipher
5. Polyalphabetic Ciphers
6. One-Time Pad

Substitution Ciphers: Letters of plaintext are replaced by other letters or by numbers or symbols. Or, if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

1. Caesar Cipher: The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet.

Example:
Plain:  meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB

Can define the transformation as:
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Mathematically, give each letter a number:
a b c d e f g h i j k  l  m
0 1 2 3 4 5 6 7 8 9 10 11 12
n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25

Then the Caesar cipher algorithm can be expressed as:
C = E(k, p) = (p + k) mod 26
p = D(k, C) = (C – k) mod 26
where k takes on a value in the range 1 to 25.

Three important characteristics of this problem enabled us to use a brute-force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.

2. Monoalphabetic Cipher: Rather than just shifting the alphabet, shuffle (jumble) the letters arbitrarily. Each plaintext letter maps to a different random ciphertext letter; hence the key is 26 letters long. A single cipher alphabet is used per message.
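The three characteristics above (known algorithm, 25 keys, recognisable language) are exactly what a brute-force search needs. The following is an added example, not code from the notes or from Stallings: it implements C = (p + k) mod 26 and p = (C – k) mod 26, tries all 25 keys, and ranks the candidates by how English they look (the `rank_by_english` scoring rule and its set of common letters are the example's own assumption).

```python
import string

ALPHABET = string.ascii_lowercase  # a=0 ... z=25, the numbering used in the notes


def caesar_encrypt(plaintext, k):
    """C = (p + k) mod 26 letter by letter; non-letters (spaces) pass through.
    Ciphertext is returned in upper case, matching the notes' convention."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, k):
    """p = (C - k) mod 26: shifting by -k is the same as encrypting with 26 - k."""
    return caesar_encrypt(ciphertext, (26 - k) % 26).lower()


def brute_force(ciphertext):
    """Characteristic 2: only 25 keys exist, so list every candidate plaintext."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]


def rank_by_english(candidates, common=frozenset("etaoinshr")):
    """Characteristic 3: the language is recognisable. Constructed heuristic for this
    example: score each candidate by the share of its letters that are among the most
    frequent English letters, and return the candidates best-first."""
    def score(text):
        letters = [c for c in text if c in ALPHABET]
        return sum(c in common for c in letters) / max(len(letters), 1)
    return sorted(candidates, key=lambda kc: score(kc[1]), reverse=True)


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)  # PHHW PH DIWHU WKH WRJD SDUWB
    for k, guess in rank_by_english(brute_force(ct))[:3]:
        print(k, guess)
```

Running the script prints the notes' ciphertext and then the three best-scoring candidate plaintexts; the correct key (3) comes out on top because the true plaintext has far more e, t and a than any other shift produces.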


Monoalphabetic Cipher Security:
Now have a total of 26! ≈ 4 x 10^26 keys. With so many keys, we might think this is secure, but we would be wrong. The problem is language characteristics.

English Letter Frequencies

Relative frequencies of the letters in the ciphertext (%):
P – 13.33   Z – 11.67   S – 8.33   U – 8.33   O – 7.50   M – 6.67
H – 5.83    D – 5.00    E – 5.00   V – 4.17   X – 4.17
F – 3.33    W – 3.33    Q – 2.50   T – 2.50   A – 1.67
B – 1.67    G – 1.67    Y – 1.67   I – 0.83   J – 0.83
C – 0.00    K – 0.00    L – 0.00   N – 0.00   R – 0.00

Example Cryptanalysis
Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETS AIZ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

Count relative letter frequencies (see text). As a first step, the relative frequency of the letters can be determined and compared to a standard frequency distribution for English.
o Cipher letters P & Z are equivalents of plain letters e and t, but it is not certain which is which.
o Letters S, U, O, M & H are all of relatively high frequency and probably correspond to plain letters from the set {a, h, i, n, o, r, s}.
o Letters with the lowest frequencies A, B, G, Y, I, J are likely included in the set {b, j, k, q, v, x, z}.

A powerful tool is to look at the frequency of two-letter combinations, known as digrams. The most common digram in English is th. Then, by the earlier hypothesis, we can equate P with e.
o Guess ZW is th, and hence ZWP is the, the most frequent trigram.

Proceeding with trial and error, we finally get:
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
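The first two steps of the cryptanalysis above (single-letter frequencies, then digrams such as ZW) are mechanical. The following is an added example, not code from the notes or from Stallings, that performs them over the ciphertext printed on the page (used here verbatim, spaces included, as a constructed sample); the English letter-frequency table is the commonly quoted one and the `naive_mapping` pairing is only the first hypothesis the notes describe, not a finished key.

```python
from collections import Counter

# Ciphertext exactly as printed in the notes; spaces are ignored when counting.
CIPHERTEXT = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETS AIZ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX "
              "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")

# Commonly quoted relative frequencies (%) of letters in English text.
ENGLISH = {"a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
           "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
           "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
           "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
           "y": 1.974, "z": 0.074}


def _letters(text):
    return "".join(c for c in text.upper() if c.isalpha())


def letter_counts(text):
    """Absolute count of each cipher letter, most common first."""
    return Counter(_letters(text))


def relative_frequencies(text):
    """Percentage of the ciphertext each letter accounts for, most common first."""
    counts = letter_counts(text)
    total = sum(counts.values())
    return {c: round(100 * n / total, 2) for c, n in counts.most_common()}


def ngram_counts(text, n=2):
    """Counts of overlapping n-letter groups (n=2 digrams, n=3 trigrams)."""
    s = _letters(text)
    return Counter(s[i:i + n] for i in range(len(s) - n + 1))


def naive_mapping(text):
    """First hypothesis: pair cipher letters with English letters in frequency order.
    Neighbouring entries (P/Z vs e/t, the S,U,O,M,H group) may be swapped, as the notes say."""
    cipher_order = [c for c, _ in letter_counts(text).most_common()]
    english_order = sorted(ENGLISH, key=ENGLISH.get, reverse=True)
    return dict(zip(cipher_order, english_order))


def apply_mapping(text, mapping):
    """Render the ciphertext under a (partial) key guess; unresolved letters show as '_'."""
    return "".join(mapping.get(c, "_") if c.isalpha() else c for c in text.upper())


if __name__ == "__main__":
    print(relative_frequencies(CIPHERTEXT))
    print(ngram_counts(CIPHERTEXT).most_common(5))
    # The trial-and-error step: start from the digram hypothesis and refine by hand.
    guess = {"P": "e", "Z": "t", "W": "h"}
    print(apply_mapping(CIPHERTEXT, guess))
```

`apply_mapping` is the tool for the "trial and error" phase: each time a letter is fixed, the partially decrypted text is reprinted and the remaining blanks become easier to fill.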

3. Playfair Cipher
Not even the large number of keys in a monoalphabetic cipher provides security. One approach to improving security was to encrypt multiple letters of plaintext. The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a keyword. It was invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair.

Playfair Key Matrix:
• A 5 x 5 matrix of letters based on a keyword
• Fill in the letters of the keyword
• Fill the rest of the matrix with the other letters
Eg. Using the keyword MONARCHY:

M   O   N   A   R
C   H   Y   B   D
E   F   G   I/J K
L   P   Q   S   T
U   V   W   X   Z

Encrypting and Decrypting:
1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x, so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or JM, as the encipherer wishes).

Security of the Playfair Cipher:
• Security much improved over monoalphabetic
• Since there are 26 x 26 = 676 digrams, a 676-entry frequency table would be needed to analyse it


• Was widely used for many years (eg. US & British military in WW1)
• It can be broken, given a few hundred letters

4. Hill Cipher:
Another interesting multi-letter cipher is the Hill cipher, developed by the mathematician Lester Hill in 1929. This encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. This can be expressed in terms of column vectors and matrices for m = 3:

C = KP mod 26

where C and P are column vectors of length 3, representing the ciphertext and plaintext, and K is a 3 x 3 matrix representing the encryption key. Operations are performed mod 26. In general terms, the Hill system can be expressed as follows:

C = E(K, P) = KP mod 26
P = D(K, C) = K^-1 C mod 26 = K^-1 KP = P

Example:

Encipher the plaintext GOD using the Hill cipher, using the key K.

SOL: Encryption: C = E(K, P) = KP mod 26
GOD = (6, 14, 3)
C = K · (6, 14, 3)^T mod 26
C = GAX
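The key matrix of the example above is not reproduced on the page, so the following added example (not code from the notes or from Stallings) uses its own constructed 3 x 3 key to show the full C = KP mod 26 and P = K^-1 C mod 26 computation, including how K^-1 mod 26 is obtained from the adjugate and why a key whose determinant shares a factor with 26 cannot be used. The key matrix KEY is an assumption of this example; under it GOD encrypts to RZT, not to the GAX of the page's (different) key.

```python
from math import gcd

# Constructed example key; any 3x3 matrix with gcd(det K, 26) == 1 works.
KEY = [[17, 17, 5],
       [21, 18, 21],
       [2, 2, 19]]


def text_to_nums(text):
    return [ord(c) - 65 for c in text.upper() if c.isalpha()]


def nums_to_text(nums):
    return "".join(chr(n % 26 + 65) for n in nums)


def mat_vec(K, v, mod=26):
    """K times a column vector, reduced mod 26."""
    return [sum(K[i][j] * v[j] for j in range(len(v))) % mod for i in range(len(K))]


def minor(M, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]


def det(M):
    """Determinant by cofactor expansion along the first row (fine for small keys)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))


def is_valid_key(K, mod=26):
    """K is invertible mod 26 exactly when det(K) is coprime with 26 (no factor 2 or 13)."""
    return gcd(det(K) % mod, mod) == 1


def inverse_mod(K, mod=26):
    """K^-1 = det(K)^-1 * adj(K) mod 26, where adj is the transposed cofactor matrix."""
    n = len(K)
    d_inv = pow(det(K) % mod, -1, mod)  # raises ValueError when no inverse exists
    adj = [[((-1) ** (i + j) * det(minor(K, j, i))) % mod for j in range(n)] for i in range(n)]
    return [[(d_inv * adj[i][j]) % mod for j in range(n)] for i in range(n)]


def hill_encrypt(plaintext, K):
    """C = KP mod 26 block by block; the last block is padded with X if needed."""
    n = len(K)
    nums = text_to_nums(plaintext)
    while len(nums) % n:
        nums.append(ord("X") - 65)
    return "".join(nums_to_text(mat_vec(K, nums[i:i + n])) for i in range(0, len(nums), n))


def hill_decrypt(ciphertext, K):
    """P = K^-1 C mod 26: decryption is encryption with the inverse key."""
    return hill_encrypt(ciphertext, inverse_mod(K))


if __name__ == "__main__":
    print(text_to_nums("GOD"))            # [6, 14, 3]
    ct = hill_encrypt("GOD", KEY)
    print(ct, hill_decrypt(ct, KEY))      # RZT GOD
    print(inverse_mod(KEY))
```

A key with an even determinant, or one divisible by 13, passes encryption but can never be decrypted; `is_valid_key` is the check to run before accepting a key.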

5. Polyalphabetic Ciphers
Another approach to improving security is to use multiple cipher alphabets, called polyalphabetic substitution ciphers. All these techniques have the following features in common:
• A set of related monoalphabetic substitution rules is used.
• A key determines which particular rule is chosen for a given transformation.

Vigenère Cipher
The simplest polyalphabetic substitution cipher is the Vigenère cipher. To aid in understanding the scheme and to aid in its use, a matrix known as the Vigenère table is constructed.


Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left. A normal alphabet for the plaintext runs across the top. The process of encryption is simple: given a key letter x and a plaintext letter y, the ciphertext letter is at the intersection of the row labeled x and the column labeled y; in this case the ciphertext is V.

Example: To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword. For example, if the keyword is deceptive, the message "we are discovered save yourself" is encrypted as follows:
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

6. One-Time Pad:
If a truly random key as long as the message is used, without repetition, the scheme is known as a one-time pad. Each new message requires a new key of the same length as the new message. Such a scheme is unbreakable: it produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code.
The one-time pad has two fundamental difficulties:
1. The problem of making large quantities of random keys.
2. The problem of key distribution and protection.
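The Vigenère cipher with a repeating keyword and the one-time pad are the same operation, (p + k) mod 26, differing only in the key. The following added example (not code from the notes or from Stallings) implements both: it reproduces the deceptive/ZICVTWQNGRZGVTWAVZHCQYGLMGJ example, shows the repeating-keyword weakness the notes motivate the one-time pad with (the same plaintext under the same key letters gives the same ciphertext fragment, here VTW at a distance equal to the keyword length), and then shows why a random pad used once is unbreakable: for any other plaintext of the same length there is a pad that explains the ciphertext equally well. The helper names and the sample messages are this example's own.

```python
import secrets


def _letters(text):
    return "".join(c for c in text.upper() if c.isalpha())


def _shift(ch, k, sign):
    """(letter +/- k) mod 26 on upper-case letters."""
    return chr((ord(ch) - 65 + sign * k) % 26 + 65)


def vigenere_encrypt(plaintext, key):
    """Row = key letter, column = plaintext letter of the Vigenère table, i.e. (p + k) mod 26;
    the keyword repeats to the length of the message."""
    p, k = _letters(plaintext), _letters(key)
    return "".join(_shift(c, ord(k[i % len(k)]) - 65, +1) for i, c in enumerate(p))


def vigenere_decrypt(ciphertext, key):
    c, k = _letters(ciphertext), _letters(key)
    return "".join(_shift(ch, ord(k[i % len(k)]) - 65, -1) for i, ch in enumerate(c)).lower()


def repeated_sequence_distances(ciphertext, length=3):
    """Repeating-keyword weakness: identical plaintext under identical key letters gives identical
    ciphertext fragments, at distances that are multiples of the keyword length."""
    c = _letters(ciphertext)
    seen, distances = {}, {}
    for i in range(len(c) - length + 1):
        frag = c[i:i + length]
        if frag in seen:
            distances.setdefault(frag, []).append(i - seen[frag])
        seen[frag] = i
    return distances


def one_time_pad_key(length):
    """A truly random key as long as the message (secrets, not the random module), to be used once."""
    return "".join(chr(secrets.randbelow(26) + 65) for _ in range(length))


def otp_encrypt(plaintext, pad):
    """A one-time pad is Vigenère with a random key at least as long as the message."""
    p = _letters(plaintext)
    if len(pad) < len(p):
        raise ValueError("pad must be at least as long as the message and must never be reused")
    return vigenere_encrypt(p, pad)


def pad_explaining(ciphertext, claimed_plaintext):
    """Perfect secrecy: for ANY plaintext of the same length there is a pad, k = (c - p) mod 26,
    under which the ciphertext decrypts to it, so the ciphertext alone reveals nothing."""
    c, p = _letters(ciphertext), _letters(claimed_plaintext)
    if len(c) != len(p):
        raise ValueError("claimed plaintext must have the same length as the ciphertext")
    return "".join(_shift(ci, ord(pi) - 65, -1) for ci, pi in zip(c, p))


if __name__ == "__main__":
    print(vigenere_encrypt("we are discovered save yourself", "deceptive"))
    print(repeated_sequence_distances("ZICVTWQNGRZGVTWAVZHCQYGLMGJ"))   # {'VTW': [9]}
    pad = one_time_pad_key(12)
    ct = otp_encrypt("attack at dawn", pad)
    print(ct, vigenere_decrypt(ct, pad), vigenere_decrypt(ct, pad_explaining(ct, "hold position")))
```

The last line prints the same ciphertext decrypting to two different twelve-letter messages under two different pads; neither pad is "wrong", which is exactly the property the notes call unbreakable, and also why the pad must be random, as long as the message, and never reused.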


3. Transposition Techniques
All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.
• Rail Fence cipher
• Row Transposition Cipher

Rail Fence cipher: The plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the message "meet me after the toga party" with a rail fence of depth 2, we write the following:
m e m a t r h t g p r y
 e t e f e t e o a a t
The encrypted message is MEMATRHTGPRYETEFETEOAAT

Row Transposition Cipher: Write the message in a rectangle, row by row, and read the message off column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm.

Example:
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

4. Rotor Machines
Before the introduction of DES, the most important application of the principle of multiple stages of encryption was a class of systems known as rotor machines.
• The rotor machine consists of a set of independently rotating cylinders through which electrical pulses can flow.
• Each cylinder has 26 input pins and 26 output pins, with integral wiring that connects each input pin to a unique output pin.
• A series of cylinders is used, each giving one substitution, which rotate and change after each letter is encrypted.
• With 3 cylinders, there are 26 * 26 * 26 = 17576 different substitution alphabets used before the system repeats.
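Both transposition ciphers above permute letter positions rather than letters. The following added example (not code from the notes or from Stallings) implements the rail fence for any depth and the row transposition for any numeric key, with decryption for each, and reproduces the two ciphertexts in the notes; the padding rule for a partial last row (fill with X) is this example's own choice, since the notes' example is already padded with xyz.

```python
def _letters(text):
    return "".join(c for c in text.upper() if c.isalpha())


def _rail_pattern(n, depth):
    """Which rail each of the n letters lands on when written as a zig-zag of diagonals."""
    pattern, rail, step = [], 0, 1
    for _ in range(n):
        pattern.append(rail)
        if depth > 1:
            if rail == 0:
                step = 1
            elif rail == depth - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext, depth=2):
    """Write the letters on the diagonals, then read off rail by rail."""
    letters = _letters(plaintext)
    rails = [[] for _ in range(depth)]
    for ch, rail in zip(letters, _rail_pattern(len(letters), depth)):
        rails[rail].append(ch)
    return "".join("".join(r) for r in rails)


def rail_fence_decrypt(ciphertext, depth=2):
    """Recompute the zig-zag pattern, cut the ciphertext back into rails, and walk the pattern."""
    pattern = _rail_pattern(len(ciphertext), depth)
    rails, idx = [], 0
    for rail in range(depth):
        n = pattern.count(rail)
        rails.append(list(ciphertext[idx:idx + n]))
        idx += n
    return "".join(rails[r].pop(0) for r in pattern)


def row_transposition_encrypt(plaintext, key):
    """Write the message row by row into len(key) columns, then read the columns out in the
    order the key digits dictate (the column labelled 1 first)."""
    letters = _letters(plaintext)
    cols = len(key)
    while len(letters) % cols:
        letters += "X"  # example's own padding rule for a partial last row
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda j: key[j])
    return "".join(row[j] for j in order for row in rows)


def row_transposition_decrypt(ciphertext, key):
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda j: key[j])
    grid = [[""] * cols for _ in range(nrows)]
    idx = 0
    for j in order:                 # refill the columns in the same order they were read
        for r in range(nrows):
            grid[r][j] = ciphertext[idx]
            idx += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))        # MEMATRHTGPRYETEFETEOAAT
    key = (4, 3, 1, 2, 5, 6, 7)
    ct = row_transposition_encrypt("attackpostponeduntiltwoamxyz", key)
    print(ct, row_transposition_decrypt(ct, key))
```

Applying `row_transposition_encrypt` twice with the same key is the double transposition the notes allude to with "multiple stages of encryption"; the letter frequencies are unchanged by any transposition, which is how a cryptanalyst recognises one.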


5. Steganography
An alternative to encryption that hides the existence of a message. A simple form of steganography is one in which an arrangement of words or letters within an apparently innocuous text spells out the real message. Various other techniques of steganography are as follows:
1. Character marking – selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
2. Invisible ink – a number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
3. Pin punctures – small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
4. Typewriter correction ribbon – used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.

Advantage: It can be employed by parties who have something to lose should the fact of their secret communication be discovered.
Drawback: High overhead to hide relatively few information bits.

Cipher Principles
Block Cipher vs Stream Cipher:
Block Cipher – A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. A block size of 64 or 128 bits is used.
Stream Cipher – Encrypts a data stream one bit or one byte at a time.

Block Cipher Principles
• Most symmetric block ciphers are based on a Feistel cipher structure.
• Uses the idea of a product cipher: performing two or more basic ciphers in sequence in such a way that the final result or product is cryptographically stronger.

Claude Shannon and Substitution-Permutation Ciphers
• Claude Shannon introduced the idea of substitution-permutation (S-P) networks.
• S-P networks are based on the two primitive cryptographic operations we have seen before:
Substitution (S-box)
• A binary word is replaced by some other binary word
• The whole substitution function forms the key
• If we use n-bit words, the key space is (2^n)!
Permutation (P-box)
• A binary word has its bits reordered (permuted)


• The re-ordering forms the key
• If we use n-bit words, the key space is n! (less secure than substitution)

Substitution-Permutation Network:
• Shannon combined these two primitives; he called these mixing transformations.
• A special form of product cipher where
o S-boxes provide confusion of input bits
o P-boxes provide diffusion across S-box inputs

Confusion and Diffusion: More practically, Shannon suggested combining elements to obtain:
Diffusion – The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.
Confusion – Makes the relationship between ciphertext and key as complex as possible.

Feistel Cipher Structure
Horst Feistel devised the Feistel cipher.
Concept: Input to the encryption algorithm: a plaintext block of length 2w bits and a key K.
o The plaintext is divided into two halves L0 and R0
o The two halves of the data pass through n rounds of processing
o They then combine to produce the ciphertext block.
o Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki derived from the overall K.
Substitution is performed on the left half of the data
o by applying round function F to the right half of the data
o then taking the XOR of the output of that function and the left half of the data.
Permutation is performed that consists of the interchange of the two halves of the data.

Feistel Cipher Design Principles
Block size – Increasing the size improves security, but slows the cipher
Key size – Increasing the size improves security and makes exhaustive key searching harder, but may slow the cipher
Number of rounds – Increasing the number improves security, but slows the cipher
Subkey generation – Greater complexity can make analysis harder
Round function – Greater complexity can make analysis harder
Fast software en/decryption & ease of analysis – More recent concerns for execution speed, practical use and testing

Feistel Cipher Encryption & Decryption:
For the ith iteration of the encryption algorithm,
LEi = REi-1
REi = LEi-1 XOR F(REi-1, Ki)


Data Encryption Standard (DES)
The most widely used encryption scheme is based on the Data Encryption Standard (DES), adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46).
The algorithm itself is referred to as the Data Encryption Algorithm (DEA). For DES, data are encrypted in 64-bit blocks using a 56-bit key. The same steps, with the same key, are used to reverse the encryption.

DES Encryption: The basic process consists of:
• An initial permutation (IP)
• 16 rounds of a complex key-dependent calculation f
• A final permutation, being the inverse of IP

DES key schedule (operation on the key):
• A 64-bit key is used as input to the algorithm. The bits are numbered from 1 to 64; every eighth bit is ignored, leaving the 56 key bits.


• Forms the subkeys used in each round. Consists of:
• Initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves C0 and D0
• 16 stages consisting of: at each round, the two halves are separately subjected to a circular shift or rotation of 1 or 2 bits. These shifted values serve as input to the next round. They also serve as input to permuted choice 2 (PC2), which produces a 48-bit output that serves as input to the function F(Ri-1, Ki).

General DES encryption algorithm:

Explanation of the phases:
Initial Permutation:

Inverse IP:


40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

Expansion Permutation (E):32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

Permutation Function (P):

Initial Permutation IP: This is the first step of the data computation IP reorders the input data bits& it changes the even bits to LH half, odd bits to RH half

DES Round Structure: The input is divided into two halves, Li-1 and Ri-1:

Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)

F takes the 32-bit R half and the 48-bit round key Ki and:

- Expands R to 48 bits using the expansion permutation (E)
- XORs the resulting 48 bits with Ki
- Passes the 48-bit result through the 8 substitution functions (S-boxes) to get a 32-bit result
- Finally permutes this using the 32-bit permutation P and produces the 32-bit output

Substitution Boxes (S): The substitution stage has eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. The outer bits 1 and 6 (row bits) select one of 4 rows: the first and last bits of the input to box Si form a 2-bit binary number that selects one of the four substitutions defined by the four rows of table Si.


The inner bits 2-5 (column bits) are substituted: the middle four bits select one of the 16 columns. The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output. Row selection depends on both the data and the key.

Single Round of DES Algorithm:

Calculation of F(R,K):

DES Decryption: With the Feistel design, decryption uses the same algorithm as encryption, except that the application of the sub-keys is reversed (SK16 ... SK1).

Avalanche Effect: DES exhibits strong avalanche effect.


A key desirable property of an encryption algorithm is that a change in either the plaintext or the key should produce a significant change in the ciphertext.

In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.

If the change were small, this might produce a way to reduce the size of the plaintext or key space to be searched.
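A toy Feistel cipher laid out like DES, as an added example (it is not DES and not code from the notes): a 32-bit block, 16 rounds, a key schedule that splits the key into two halves and rotates them by the DES shift amounts, and a small S-box-based F. The real IP, E, S-box, P, PC1 and PC2 tables are omitted so that the round equations, decryption with reversed sub-keys and a bit-count measure of the avalanche effect stay visible.

```python
# Toy Feistel cipher mirroring the DES structure (added example, NOT DES itself).
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # DES per-round rotation amounts
TOY_SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]  # row 0 of DES S1, reused 4 times


def rotl(x, n, width):
    """Circular left shift of a width-bit value by n bits."""
    return ((x << n) | (x >> (width - n))) & ((1 << width) - 1)


def key_schedule(key16):
    """Split the key into halves C0, D0 (the role of PC1), rotate each half by the
    DES shift amount every round and concatenate (standing in for PC2)."""
    c, d = key16 >> 8, key16 & 0xFF
    subkeys = []
    for shift in SHIFTS:
        c, d = rotl(c, shift, 8), rotl(d, shift, 8)
        subkeys.append((c << 8) | d)
    return subkeys


def f(r, k):
    """Round function F(R, K): mix in the subkey, substitute 4-bit nibbles, permute."""
    x = r ^ k
    out = 0
    for i in range(4):
        out |= TOY_SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return rotl(out, 5, 16)          # a fixed bit permutation, like P


def feistel(block, subkeys):
    """One pass of the network; encryption and decryption differ only in subkey order."""
    l, r = block >> 16, block & 0xFFFF
    for k in subkeys:
        l, r = r, l ^ f(r, k)        # Li = Ri-1 ; Ri = Li-1 XOR F(Ri-1, Ki)
    return (r << 16) | l             # final 32-bit swap, as in DES before IP^-1


def encrypt(block, key16):
    return feistel(block, key_schedule(key16))


def decrypt(block, key16):
    return feistel(block, key_schedule(key16)[::-1])   # subkeys applied K16 ... K1


def bit_diff(a, b):
    """Number of differing bits, used to observe the avalanche effect."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    key, pt = 0x5A3C, 0x0123ABCD          # constructed sample key and block
    ct = encrypt(pt, key)
    assert decrypt(ct, key) == pt
    print("ciphertext %08x" % ct)
    print("bits changed when 1 plaintext bit flips:", bit_diff(ct, encrypt(pt ^ 1, key)))
    print("bits changed when 1 key bit flips:", bit_diff(ct, encrypt(pt, key ^ 1)))
```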

Strength of DES – Key Size: A 56-bit key length gives 2^56 key values, so a brute-force search looks hard.

Strength of DES – Analytic Attacks: There are now several analytic attacks on DES. These utilize some deep structure of the cipher: by gathering information about encryptions they can eventually recover some or all of the sub-key bits, and if necessary exhaustively search for the rest. Generally these are statistical attacks and include:

- Differential cryptanalysis – It is capable of breaking DES in less than 2^55 chosen plaintexts.
  o This scheme can cryptanalyze DES with an effort on the order of 2^47, requiring 2^47 chosen plaintexts.
- Linear cryptanalysis – This method can find a DES key given 2^47 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis.
  o It may be easier to acquire known plaintext than chosen plaintext.

Block Cipher Design Principles and Modes of Operation

Block cipher design principles: The cryptographic strength of a Feistel cipher derives from three aspects of cipher design. They are:

1. Number of rounds
2. Design of the function F
3. Key scheduling

1. Number of rounds: The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F.

2. Design of the function F: The heart of the Feistel cipher is the function F. In DES, the function relies on the use of S-boxes. One obvious criterion is that F should be non-linear: the more non-linear, the more difficult any type of cryptanalysis will be. Other criteria that should be considered when designing F are:

SAC (Strict Avalanche Criterion): States that any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted, for all i, j.


BIC (Bit Independence Criterion): States that output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.

S-box design: GA (Guaranteed Avalanche): An S-box satisfies GA of order γ if, for a 1-bit input change, at least γ output bits change.

S-box design suggests the following approaches:

1. Random: Use some pseudorandom number generation or some table of random digits to generate the entries in the S-boxes.
2. Random with testing: Choose S-box entries randomly, then test the results against various criteria, and throw away those that do not pass.
3. Human-made: This is a manual approach with only simple mathematics to support it. It is difficult to carry through for large S-boxes.
4. Math-made: Generate S-boxes according to mathematical principles.

3. Key Scheduling: Has received less attention than S-box design; there are no general principles for key scheduling.

Modes of Operation: Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key. A way is needed to use them in practice, given that there is usually an arbitrary amount of information to encrypt. Four modes of use were defined for DES in the ANSI standard ANSI X3.106-1983; they comprise block and stream modes.

Electronic Codebook (ECB):

- The message is broken into independent blocks which are encrypted
- Each block is a value which is substituted, like a codebook (hence the name)
- Each block is encoded independently of the other blocks: Ci = DES_K1(Pi)
- Uses: secure transmission of single values

Advantages and Limitations of ECB:

- Repetitions in the message may show in the ciphertext, if aligned with the message block, particularly with data such as graphics, or with messages that change very little, which becomes a code-book analysis problem
- The weakness is due to the encrypted message blocks being independent
- Main use is sending a few blocks of data


Cipher Block Chaining (CBC):

- The message is broken into blocks, but these are linked together in the encryption operation
- Each previous cipher block is chained with the current plaintext block (hence the name)
- Uses an Initial Vector (IV) to start the process

Ci = DES_K1(Pi XOR Ci-1), with C-1 = IV

Uses: bulk data encryption, authentication

Advantages and Limitations of CBC:

- Each ciphertext block depends on all message blocks before it; thus a change in the message affects all ciphertext blocks
- Needs an Initial Value (IV), which must be known to sender and receiver
- If the IV is sent in the clear, an attacker can change bits of the first block, and change the IV to compensate; hence either the IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before the rest of the message


Message Padding: At the end of the message, handle a possible last short block which is not as large as the block size of the cipher. Either pad with a known non-data value (e.g. nulls), or pad the last block with a count of the pad size, e.g. [b1 b2 b3 0 0 0 0 5] means 3 data bytes, then 5 bytes of pad + count.

Cipher Feedback (CFB):

- The message is treated as a stream of bits, added to the output of the block cipher; the result is fed back for the next stage (hence the name)
- The standard allows any number of bits (1, 8, 64 or whatever) to be fed back, denoted CFB-1, CFB-8, CFB-64, CFB-128 etc.; it is most efficient to use all 64 bits in the block

Ci = Pi XOR DES_K1(Ci-1), with C-1 = IV

Uses: stream data encryption, authentication

Advantages and Limitations of CFB:

- Appropriate when data arrives in bits/bytes; the most common stream mode
- The limitation is the need to stall while doing a block encryption after every n bits
- Note that the block cipher is used in encryption mode at both ends
- Errors propagate for several blocks after the error


Output Feedback (OFB):

- The message is treated as a stream of bits; the output of the cipher is added to the message
- The output is then fed back (hence the name); the feedback is independent of the message and can be computed in advance

Ci = Pi XOR Oi
Oi = DES_K1(Oi-1), with O-1 = IV

Uses: stream encryption on noisy channels

Advantages and Limitations of OFB:

- Used when error feedback is a problem or where encryption is needed before the message is available
- More vulnerable to message stream modification, but the feedback is from the output of the cipher and is independent of the message
- A variation of a Vernam cipher, hence the same sequence (key + IV) must never be reused
- Sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
- Originally specified with m-bit feedback in the standards; subsequent research has shown that only full block feedback (i.e., OFB-64 or OFB-128) should ever be used


Counter (CTR):

- A "new" mode, though proposed early on
- Similar to OFB but encrypts a counter value rather than any feedback value
- Must have a different key & counter value for every plaintext block (never reused)

Ci = Pi XOR Oi, with Oi = DES_K1(i)

Uses: high-speed network encryption


Advantages and Limitations of CTR:

- Efficiency: can do parallel encryptions in hardware or software; can preprocess in advance of need; good for bursty high-speed links
- Random access to encrypted data blocks
- Provable security (as good as other modes)
- But must ensure key/counter values are never reused, otherwise it could break (cf. OFB)
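The five modes above over a toy 64-bit block cipher, as an added example (not code from the notes): e_block and d_block are a stand-in for DES_K1 and its inverse (a 4-round add-rotate-XOR permutation, not a secure cipher), and pad/unpad implement the count-byte scheme from Message Padding. The chaining around the block cipher is the point: ECB repeats, CBC chains through the previous ciphertext, CFB feeds the ciphertext back, OFB and CTR produce a message-independent keystream.

```python
MASK64, BLOCK = (1 << 64) - 1, 8   # 64-bit blocks, as in DES

def rotl64(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64

def e_block(key, block):   # stand-in for DES_K1: add key, rotate, XOR key, 4 rounds (NOT secure)
    k, x = int.from_bytes(key, "big"), int.from_bytes(block, "big")
    for _ in range(4):
        x = rotl64((x + k) & MASK64, 13) ^ k
    return x.to_bytes(BLOCK, "big")

def d_block(key, block):   # exact inverse of e_block: undo the XOR, rotate back, subtract
    k, x = int.from_bytes(key, "big"), int.from_bytes(block, "big")
    for _ in range(4):
        x = (rotl64(x ^ k, 64 - 13) - k) & MASK64
    return x.to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))
def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def pad(msg):              # zero bytes plus a final count byte, e.g. [b1 b2 b3 0 0 0 0 5]
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes(n - 1) + bytes([n])
def unpad(data):
    return data[:-data[-1]]

def ecb_encrypt(key, pt):  # Ci = E(Pi): equal plaintext blocks give equal ciphertext blocks
    return b"".join(e_block(key, p) for p in blocks(pad(pt)))
def ecb_decrypt(key, ct):
    return unpad(b"".join(d_block(key, c) for c in blocks(ct)))

def cbc_encrypt(key, iv, pt):   # Ci = E(Pi XOR Ci-1), C-1 = IV
    prev, out = iv, []
    for p in blocks(pad(pt)):
        prev = e_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):   # Pi = D(Ci) XOR Ci-1
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(d_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def cfb_crypt(key, iv, data, decrypt=False):   # CFB-64: Ci = Pi XOR E(Ci-1); no padding needed
    prev, out = iv, []
    for chunk in blocks(data):
        o = xor(chunk, e_block(key, prev))
        out.append(o)
        prev = chunk if decrypt else o         # the ciphertext block is what gets fed back
    return b"".join(out)

def ofb_crypt(key, iv, data):   # Oi = E(Oi-1), Ci = Pi XOR Oi; keystream is message-independent
    o, out = iv, []
    for chunk in blocks(data):
        o = e_block(key, o)
        out.append(xor(chunk, o))
    return b"".join(out)

def ctr_crypt(key, nonce, data):   # Oi = E(nonce + i): blocks independent, so parallel / random access
    n = int.from_bytes(nonce, "big")
    return b"".join(xor(c, e_block(key, ((n + i) & MASK64).to_bytes(BLOCK, "big")))
                    for i, c in enumerate(blocks(data)))
```

Encrypting a message whose first two blocks are identical shows the ECB leak directly: the first two ciphertext blocks of ecb_encrypt are equal, those of cbc_encrypt are not.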

Advanced Encryption Standard (AES) Evaluation Criteria

Origins: Clearly a replacement for DES was needed: there are theoretical attacks that can break it, and exhaustive key search attacks have been demonstrated. Triple-DES can be used, but it is slow and has small blocks.

AES Evaluation Criteria

Initial criteria:

- Security – Effort required for practical cryptanalysis
- Cost – AES must have high computational efficiency
- Algorithm & implementation characteristics – Includes flexibility, suitability for a variety of h/w and s/w implementations, and simplicity

Final criteria:

- General security
- Software & hardware implementation ease
- Implementation attacks
- Flexibility (in en/decryption, keying, other factors)

AES Cipher – Rijndael: Designed by Rijmen and Daemen in Belgium. Has 128/192/256-bit keys and 128-bit data. An iterative rather than Feistel cipher: it processes data as a block of 4 columns of 4 bytes and operates on the entire data block in every round. Designed to be resistant against known attacks, with speed and code compactness on a wide range of platforms.

Rijndael: Data block of 4 columns of 4 bytes (the state). The key is expanded to an array of forty-four 32-bit words. Four different stages are used, one of permutation and three of substitution:

- Byte substitution: Uses an S-box to perform a byte-by-byte substitution of the block
- Shift rows: A simple permutation
- Mix columns: A substitution that makes use of arithmetic over GF(2^8)


- Add round key: A simple bitwise XOR of the current block with a portion of the expanded key

All operations can be combined into XOR and table lookups, hence very fast and efficient.

AES encryption and decryption:

Byte Substitution: A simple substitution of each byte. AES defines a 16x16 matrix of byte values containing a permutation of all 256 8-bit values. Each individual byte of the state is mapped into a new byte in the following way: the left-most 4 bits select the row and the right-most 4 bits select the column.

E.g. byte {95} is replaced by the byte at row 9, column 5, which has the value {2A}.


Shift Rows: A circular byte shift in each row:

- 1st row is unchanged
- 2nd row does a 1-byte circular shift to the left
- 3rd row does a 2-byte circular shift to the left
- 4th row does a 3-byte circular shift to the left

Decryption does the shifts to the right.

Mix Columns: Each column is processed separately. Each byte is mapped into a new value that is a function of all 4 bytes in the column. Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1. Each column can be expressed as 4 equations to derive each new byte in the column. In GF(2^8), addition is the bitwise XOR operation, and multiplication can be performed according to the rule.

Decryption requires use of the inverse matrix, with larger coefficients, hence a little harder.


Add Round Key: Lastly is the Add Round Key stage, in which the 128 bits of the state are bitwise XORed with the 128 bits of the round key. The first matrix is the state and the second matrix is the round key. The inverse for decryption is identical since XOR is its own inverse, just with the correct round key.

AES Round

AES Key Expansion: Takes a 4-word (16-byte) key and expands it into an array of 44 words (156 bytes). Key expansion algorithm:

    KeyExpansion(byte key[16], word w[44]) {
        word temp;
        for (i = 0; i < 4; i++)
            w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
        for (i = 4; i < 44; i++) {
            temp = w[i-1];
            if (i mod 4 = 0)
                temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
            w[i] = w[i-4] XOR temp;
        }
    }

Start by copying the key into the first 4 words. The remainder of the expanded key is filled in four words at a time. Each word w[i] depends on the immediately preceding word w[i-1] and the word four positions back, w[i-4]. The symbol g represents the complex function applied every fourth word. It contains the following sub-functions:

1. RotWord performs a one-byte circular left shift on a word.
2. SubWord performs a byte substitution on each byte of its input word using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
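An added example (not from the notes or from Rijndael's reference code) that ties together the Byte Substitution, Mix Columns arithmetic and Key Expansion passages: it builds the AES S-box from GF(2^8) arithmetic under m(x) = x^8 + x^4 + x^3 + x + 1, then runs the KeyExpansion pseudocode above on a 128-bit key. The sample key is the one from FIPS-197 Appendix A; the function and variable names are this example's own.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1; addition is XOR."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # x^8 = x^4 + x^3 + x + 1 (mod m(x)): the low byte of 0x11B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0, as AES specifies."""
    return next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)

def affine(b):
    """The AES affine step: b XOR its four left rotations XOR 0x63."""
    r = b
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r ^ 0x63

SBOX = [affine(gf_inv(a)) for a in range(256)]   # the 16x16 table; row = high nibble, column = low nibble

def rot_word(w):   # one-byte circular left shift of a 4-byte word
    return w[1:] + w[:1]

def sub_word(w):   # S-box applied to each byte of the word
    return bytes(SBOX[b] for b in w)

def rcon(j):       # round constant Rcon[j] = (x^(j-1), 0, 0, 0) in GF(2^8)
    r = 1
    for _ in range(j - 1):
        r = gf_mul(r, 2)
    return bytes([r, 0, 0, 0])

def key_expansion(key):
    """KeyExpansion for a 16-byte key: returns the 44 words w[0..43] (44 * 4 = 176 bytes)."""
    assert len(key) == 16
    w = [key[4 * i:4 * i + 4] for i in range(4)]       # w[0..3] are the key itself
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                                 # every fourth word goes through g
            temp = bytes(a ^ b for a, b in zip(sub_word(rot_word(temp)), rcon(i // 4)))
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], temp)))
    return w

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key
    print("SBOX[0x95] = %02X" % SBOX[0x95])                     # 2A, as in the notes
    for i, word in enumerate(key_expansion(key)):
        print("w[%2d] = %s" % (i, word.hex()))
```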

Triple DES: Clearly a replacement for DES was needed due to the brute-force attack; exhaustive key search attacks have been demonstrated. AES is a new cipher alternative; prior to this, the alternative was to use multiple encryption with DES implementations.

Double DES: Using two encryption stages and two keys:

C = Ek2(Ek1(P)), P = Dk1(Dk2(C))

It is proved that there is no key k3 such that C = Ek2(Ek1(P)) = Ek3(P). But there is a possibility of a meet-in-the-middle attack; thus 2DES is NOT secure (if DES is broken).

Meet-in-the-Middle Attack:


- Assume C = Ek2(Ek1(P)); the plaintext P and ciphertext C are given
- Encrypt P using all possible keys k1
- Decrypt C using all possible keys k2
  o Check the result against the list of encrypted plaintexts
  o If a match is found, then test the two resulting keys against a new known plaintext and ciphertext pair
  o If it turns out correct, accept them as the keys
  o Otherwise keep decrypting C

Why Triple-DES? Why not Double-DES? It is NOT the same as some other single-DES use, but it has the meet-in-the-middle attack, which works whenever a cipher is used twice.

Triple-DES with Two Keys: The counter to the meet-in-the-middle attack is to use 3 encryptions with 3 different keys. This has the drawback of requiring a key length of 56*3 = 168 bits. But 2 keys can be used with an E-D-E sequence:

C = EK1[DK2[EK1[P]]]

If K1 = K2 then it can work with single DES. Standardized in ANSI X9.17 & ISO 8732. A brute-force attack on 3DES is considered impossible in practice; it is very hard.

Triple-DES with Three Keys: Although there are no practical attacks on two-key Triple-DES, there are some indications of weakness, so Triple-DES with three keys can be used to avoid even these:

C = EK3[DK2[EK1[P]]]

It has been adopted by some Internet applications, e.g. PGP, S/MIME.

Placement of Encryption Function: The encryption function can be placed at various layers in the OSI Reference Model. If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located. There are two major approaches to encryption placement:

1. Link encryption
2. End-to-end encryption

Link encryption: With link encryption, each communication link is equipped on both ends with an encryption device. Thus traffic over all communication links is secured. One of the disadvantages is that the message must be decrypted each time it enters a switch.


End-to-end encryption: The encryption process is carried out at the two end systems. The data in encrypted form are then transmitted unaltered across the network to the destination terminal or host. The destination shares the key with the source and so is able to decrypt the data.

Characteristics of link and end-to-end encryption:

Link encryption                          | End-to-end encryption
1. Applied by sending host               | 1. Applied by sending process
2. Transparent to user                   | 2. User applies encryption
3. One facility for all users            | 3. User selects encryption scheme
4. Can be done in hardware               | 4. Software implementation
5. All or no messages encrypted          | 5. User chooses to encrypt or not each message
6. Provides host authentication          | 6. Provides user authentication
7. Message exposed in sending host       | 7. Message encrypted in sending host
8. Message exposed in intermediate nodes | 8. Message encrypted in intermediate nodes

To achieve greater security, both link and end-to-end encryption are needed. When both forms of encryption are employed, the host encrypts the user data portion of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key. As the packet traverses the network, each switch decrypts the packet, using a link encryption key to read the header, and then encrypts the entire packet again for sending it out on the next link.

Traffic Confidentiality: Traffic analysis is the monitoring of communication flows between parties. The following types of information can be derived from a traffic analysis attack:

o Identities of partners
o How frequently the partners are communicating
o Message pattern, length, or quantity of messages being exchanged

Another concern related to traffic is the use of traffic patterns to create a covert channel. A covert channel is a means of communication in a fashion unintended by the designers of the communication facility. Typically, the channel is used to transfer information in a way that violates a security policy.

With the use of link encryption, network-layer headers are encrypted, reducing the opportunity for traffic analysis. An effective countermeasure to this attack is traffic padding:

o Traffic padding produces ciphertext output continuously, even in the absence of plaintext.

o A continuous random data stream is generated and when the plaintext is available, it is encrypted and transmitted.

o When the plaintext is not available, the random data are encrypted and transmitted.

If only end-to-end encryption is employed, then the measures available to the defender are more limited, since various protocol headers are visible:

o Data units can be padded to a uniform length, and null messages can be inserted randomly into the stream.