B.tech CS S8 Security in Computing Notes Module 3

7/30/2019 B.tech CS S8 Security in Computing Notes Module 3

1/36

2

Index

1. Cryptography.12. Fiestel Networks...103. Data Encryption Standard..124. Modes of operation of DES.....205.

Public key Cryptography26

6. RSA Algorithm.....287. Diffie Hellman Key Exchange.318. MAC and HASH function..339. Digital Signature.3510.Questions..37


2/36

3

1. Cryptography

1.1IntroductionDefinitions

Plaintext "The original message before it is encoded."

Encoding/Encryption "The process of disguising the plaintext."

Ciphertext "The enciphered version of the plaintext."

Decoding/Decryption "The process of reverting the cipher text back to the plaintext."

Cryptography "The science of keeping messages secret and of ensuring

authentication."

Cryptanalysis "The science (and art) of deciphering encoded messages

without the knowledge of the used key."

Cryptology Greek: krypts = hidden, lgos=science. "The combination ofcryptography and cryptanalysis "The science of hidden,

disguised information."

1.2 Types of Cryptography

1.2.1 Conventional Encryption/Private-key Cryptography

In a "One-Key-Encryption" or "Conventional Encryption", the sender and the recipient

share the same key as their common secret

(source: www.PGPi.com):

At some earlier point in time the two correspondents, the sender and the recipient, musthave agreed on that key. If they are in different locations, they must trust a courier or a

phone system to transmit the secret key in a secure manner. Surely, this is not very

practical, particularly when many (new) parties are involved.


3/36

4

However, the major problem is the total number of keys involved. 2 correspondents use 1

key, 3 use 3 keys, 4 use 6 keys, 5 use 10 keys, 100 use 4950 keys, 1000 use 499500 keys,etc. And each key must be stored in a secure manner. Key management is enough of a

difficult task that a name was invented for it: The Key Distribution Problem. It is the

reason why One-Key-Cryptography is not appropriate for today's secure electronic data

transfers between many parties involved.Every Cipher is made up of two ingredients: an encryption method (the "algorithm") and

the set of all possible keys (the "key space"). The sender may now choose from the

number of possible keys to encode his secret message. The security of the cryptosystemshall not be based on keeping the algorithm secret, but solely keeping the key secret.

Private Key Cryptography means that the knowledge of the encoding key yields the

decoding key. Such Ciphers are therefore also called "Symmetric Ciphers". If a Cipher

only offers a small number of keys (i.e. the Caesar Cipher) it can be broken by simplytesting the possible keys. A huge number of keys assures the security of a cipher

Private Key Cryptography provides "high-security" ciphers, however, their usage is not

practical because of the key distribution problem. It describes the difficulty of

exchanging and handling a large number of keys. I.e. 1000 correspondents have to handlea total of 499500 keys. The number of keys increases with the square of the number of

correspondents.

1.2.2 Two-key/Public-key Cryptography

The "Two-Key Cryptography" or "Public-Key Cryptography" was a majorbreakthrough in 1976. It makes the inconceivable reality: A Public Key is used to encode

the plain text, its corresponding Private Key is used to decode the cipher text. The clue:

Although the encoding key available to the whole world, nobody is capable of figuringout the decoding key. The figure below shows the how "Two-Key Cryptography" is

performed.

(source: www.PGPi.com):

The primary benefit of public key cryptography is that it allows people who have nopreexisting security arrangement to exchange messages securely. The need for sender and

receiver to share secret keys via some secure channel is eliminated; all communications

involve only public keys, and no private key is ever transmitted or shared.


4/36

5

1.2.3 Transposition and Substitution Ciphers

Substitution and Transposition Ciphers are two categories of ciphers used in classicalcryptography. Substitution and Transposition differ in how chunks of the message are

handled by the encryption process. Substitution ciphers encrypt plaintext by changing the

plaintext one piece at a time.

The Ceasar Cipher was an early substitution cipher. In the Caesar Cipher, each characteris shifted three places up. Therefore, A becomes D and B becomes E, etc...

This table shows "VOYAGER" being encrypted with the Caesar substution cipher:

Plaintext V O Y A G E R

Key +3 +3 +3 +3 +3 +3 +3

Ciphertext Y R B D J H U

Transposition ciphers encrypt plaintext by moving small pieces of the message around.

This table shows "VOYAGER" being encrypted with a primitive transposition cipher

where every two letters are switched with each other:

V O Y A G E R

O V A Y E G R

1.2.4 Stream and Block Ciphers

Block and Stream Ciphers are two categories of ciphers used in classical cryptography.

Block and Stream Ciphers differ in how large a piece of the message is processed in each

encryption operation. Block ciphers encrypt plaintext in chunks. Common block sizes are64 and 128 bits. Stream ciphers encrypt plaintext one byte or one bit at a time. A stream

cipher can be thought of as a block cipher with a really small block size. Generally

speaking, block ciphers are more efficient for computers and stream ciphers are easier forhumans to do by hand.

1.3 Caesar Substitution

The simplest of all substitution ciphers is the one in which the cipher letters results from

shifting plain letters by the same distance. Among those, the best known is called "Caesar

Cipher", used by Julius Caesar, in which each A is encrypted as D, B as E, C as F,... etc.Here key is 3

Mathematically, the encryption and decryption functions can be described as follows:

The sender encodes each plain text letter P using the key b as follows:

C= (P+b) mod 26The recipient decodes each cipher text letter C using the key b as follows:

P=(C-b) mod 26

1.4 Playfair Cipher

The best known substitution cipher that encrypts pairs of letters is the Playfair Cipher

invented by Sir Charles Wheatstone but championed at the British Foreign Office by


5/36

6

Lyon Playfair, the first Baron Playfair of St. Andrews, whose name the cipher bears.

Here, a 5 x 5-square matrix containing the 26 letters of the alphabet (I and J are treated asthe same letter) is used to carry out the encryption. A key word, MONARCHY in this

example, is filled in first, and the remaining unused letters of the alphabet are entered in

their lexicographic order.

Pairs of plaintext letters are encrypted with the matrix by first locating the two plaintext

letters in the matrix. They are(1) in different rows and columns or

(2) in the same row or(3) in the same column or(4) alike.

The corresponding encryption (replacement) rules are the following:1. If the pair of letters are in different rows and columns, each letter is replaced by the

letter that is in the same row but in the other column; i.e., to encrypt WE, W is replaced

by U and E by G.

2. If two letters are in the same row simply shift both one position to the right. I.e. A andR are in the same row. A is encrypted as R and R (reading the row cyclically) as M.

3. Similarly, if two letters are in the same column shift both one position down. I.e. I and

S are in the same column. I is encrypted as S and S as X.

4. If a double letter occurs, a spurious symbol, say Q, is introduced so that the MM in

SUMMER would encrypt into NL for MQ and CL for ME.

5. An X is appended to the end of the plaintext if necessary to cause the plaintext to have

an even number of letters.

1.5 Monoalphabetic substitution

The Caesar Cipher, the Multiplication Cipher and the Linear Cipher have one property in

common. They all fall in the category of Monoalphabetic Ciphers: "Same plain letters areencoded to the same cipher letter." i.e. in the Caesar Cipher each "a" turned into "d", each

"b" turned into "e", etc.

The reason why such Ciphers can be broken is the following: Although letters are

changed the underlying letter frequencies are not! If the plain letter "a" occurs 10 times

its cipher letter will do so 10 times. Therefore, any monoalphabetic Cipher can be brokenwith the aid of letter frequency analysis.


6/36

7

1.6 Polyalphabetic Substitution

Polyalphabetic substitution cipher is simply a substitution cipher with an alphabet thatchanges. For example one could have two alphabets:

Plain Alphabet: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Cipher Alphabet #1: B D F H J L N P R T V X Z A C E G I K M O Q S U W YCipher Alphabet #2: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

Now to encrypt the message ``The quick brown fox jumped over the lazy dog" we would

alternate between the two cipher alphabets, using #1 for every first letter and #2 for everysecond, to get: ``Msj joxfp dicda ucu tfzkjw ceji msj xzyb hln". Polyalphabetic

substitution ciphers are useful because they cannot be broken using frequency

analysis.The number of letters encrypted before a polyalphabetic substitution cipherreturns to its first cipher alphabet is called its period. The larger the period, the stronger

the cipher.

Vigenere Cipher

The polyalphabetic substitution cipher involves the use of two or more cipher alphabets.Instead of there being a one-to-one relationship between each letter and its substitute,

there is a one-to-many relationship between each letter and its substitutes.

The Vigenere Cipher , proposed by Blaise de Vigenere is a polyalphabetic substitution

based on the following tableau:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B

D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F

H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G

I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H

J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I

K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J

L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K

M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N

P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O

Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P

R R S T U V W X Y Z A B C D E F G H I J K L M N O P QS S T U V W X Y Z A B C D E F G H I J K L M N O P Q R

T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U

W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V

X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W

Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X

Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y


7/36

8

Note that each row of the table corresponds to a Caesar Cipher. The first row is a shift of

0; the second is a shift of 1; and the last is a shift of 25.

The Vigenere cipher uses this table together with a keyword to encipher a message. For

example, enciphering the plaintext message:

TO BE OR NOT TO BE THAT IS THE QUESTION

using the keyword RELATIONS. We begin by writing the keyword, repeated as manytimes as necessary, above the plaintext message. To derive the ciphertext using the

tableau, for each letter in the plaintext, one finds the intersection of the row given by the

corresponding keyword letter and the column given by the plaintext letter itself to pickout the ciphertext letter.

Keyword: RELAT IONSR ELATI ONSRE LATIO NSREL

Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION

Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY

Decipherment of an encrypted message is equally straightforward. One writes the

keyword repeatedly above the message:Keyword: RELAT IONSR ELATI ONSRE LATIO NSREL

Ciphertext: KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY

Plaintext: TOBEO RNOTT OBETH ATIST HEQUE STION

This time one uses the keyword letter to pick a column of the table and then traces down

the column to the row containing the ciphertext letter. The index of that row is theplaintext letter.

The strength of the Vigenere cipher against frequency analysis can be seen by examiningthe above ciphertext. Note that there are 7 'T's in the plaintext message and that they have

been encrypted by 'H,' 'L,' 'K,' 'M,' 'G,' 'X,' and 'L' respectively. This successfully masksthe frequency characteristics of the English 'T.' One way of looking at this is to notice

that each letter of our keyword RELATIONS picks out 1 of the 26 possible substitution

alphabets given in the Vigenere tableau. Thus, any message encrypted by a Vigenere

cipher is a collection of as many simple substitution ciphers as there are letters in thekeyword.

1.7 Cryptanalysis

Cryptanalysis (from the Greek krypts, "hidden", and analein, "to loosen" or "to untie")is the study of methods for obtaining the meaning of encrypted information, withoutaccess to the secret information which is normally required to do so. Typically, this

involves finding the secret key. In non-technical language, this is the practice of code

breaking or cracking the code, although these phrases also have a specialized technicalmeaning

Types of Cryptanalytic attacks

1 Brute force Attacks: It is a method of defeating a cryptographic scheme bytrying a large number of possibilities; for example, exhaustively working throughall possible keys in order to decrypt a message. In most schemes, the theoreticalpossibility of a brute force attack is recognized, but it is set up in such a way that

it would be computationally infeasible to carry out.

2 Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts orcodetexts.


8/36

9

3 Known-plaintext: the attacker has a set of ciphertexts to which he knows thecorresponding plaintext.

4 Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts(plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own

choosing.

5 Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attackercan choose subsequent plaintexts based on information learned from previous

encryptions. Similarly Adaptive chosen ciphertext attack.

6 Related-key attack: Like a chosen-plaintext attack, except the attacker canobtain ciphertexts encrypted under two different keys. The keys are unknown, butthe relationship between them is known; for example, two keys that differ in the

one bit.


9/36

10

2. Fiestel Networks

In cryptography, a Feistel cipher is a block cipher with a particular structure, named afterIBM cryptographer Horst Feistel; it is also commonly known as a Feistel network. A

large proportion of block ciphers use the scheme, including the Data EncryptionStandard(DES). The Feistel structure has the advantage that encryption and decryptionoperations are very similar, even identical in some cases, requiring only a reversal of the

key schedule. Therefore the size of the code or circuitry required to implement such a

cipher is nearly halved.

Feistel networks and similar constructions are product ciphers, and so combine multiple

rounds of repeated operations, such as:

Bit-shuffling (often called permutation boxes or P-boxes)

Simple non-linear functions (often called substitution boxes or S-boxes)

Linear mixing (in the sense of modular algebra) using XOR

to produce a function with large amounts of what Claude Shannon described as"confusion and diffusion". Bit shuffling creates the diffusion effect, while substitution is

used for confusion. In Shannon's original definitions, confusion refers to making the

relationship between the key and the ciphertext as complex and involved as possible;diffusion refers to the property that redundancy in the statistics of the plaintext is

"dissipated" in the statistics of the ciphertext.

The basic operation is as follows:

Split the plaintext block into two equal pieces, (L0,R0)

For each round , compute

Li = Ri 1

wherefis the round function and Ki is the sub-key.

Then the ciphertext is (Ln,Rn).

Regardless of the functionf, decryption is accomplished via

Ri 1 =Li

One advantage of this model is that the function used does not have to be invertible, andcan be very complex. This diagram illustrates both encryption and decryption. Note the

reversal of the subkey order for decryption; this is the only difference between encryptionand decryption:


10/36

11


11/36

12

3. Data Encryption Standard

DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the

effective key strength is only 56 bits, as explained below). It takes a 64-bit block of

plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on

blocks of equal size and it uses both permutations and substitutions in the algorithm, DES

is both a block cipher and a product cipher.

DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the

ciphertext. It has been found that the number of rounds is exponentially proportional to

the amount of time required to find a key using a brute-force attack. So as the number ofrounds increases, the security of the algorithm increases exponentially.

The block diagram of DES is depicted below.


12/36

13

3.1 Key Scheduling

Although the input key for DES is 64 bits long, the actual key used by DES is only 56

bits in length. The bits at positions of multiples of eight are ignored, thus resulting in akey length of 56 bits.

The first step is to pass the 64-bit key through a permutation called Permuted Choice 1,

or PC-1 for short. The table for this is given below. Note that in all subsequent

descriptions of bit numbers, 1 is the left-most bit in the number, and n is the rightmost bit.

PC-1: Permuted Choice 1

Bit 0 1 2 3 4 5 6

1 57 49 41 33 25 17 9

8 1 58 50 42 34 26 18

15 10 2 59 51 43 35 27

22 19 11 3 60 52 44 36

29 63 55 47 39 31 23 15

36 7 62 54 46 38 30 22

43 14 6 61 53 45 37 2950 21 13 5 28 20 12 4

Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit

subkeys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption and

decryption. The procedure for generating the subkeys - known as key scheduling - isfairly simple:

1. Set the round number R to 1.

2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R

(the right-hand half).3. Rotate L left by the number of bits specified in the table below, and rotate R left by the

same number of bits as well.

4. Join L and R together to get the new K.

5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round

number we are on.

6. Increment R by 1 and repeat the procedure until we have all 16 subkeys K[1]-K[16].

Here are the tables involved in these operations:

Subkey Rotation TableRound Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Number of bits to

rotate

1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

PC-2: Permuted Choice 2

Bit 0 1 2 3 4 5

1 14 17 11 24 1 5


13/36

14

7 3 28 15 6 21 10

13 23 19 12 4 26 8

19 16 7 27 20 13 2

25 41 52 31 37 47 55

31 30 40 51 45 33 48

37 44 49 39 56 34 5343 46 42 50 36 29 32

3.2 Plaintext Preparation

Once the key scheduling has been performed, the next step is to prepare the plaintext for

the actual encryption. This is done by passing the plaintext through a permutation called

the Initial Permutation, or IP for short. This table also has an inverse, called the InverseInitial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final Permutation.

Both of these tables are shown below.

IP: Initial Permutation

Bit 0 1 2 3 4 5 6 7

1 58 50 42 34 26 18 10 2

9 60 52 44 36 28 20 12 4

17 62 54 46 38 30 22 14 6

25 64 56 48 40 32 24 16 8

33 57 49 41 33 25 17 9 1

41 59 51 43 35 27 19 11 3

49 61 53 45 37 29 21 13 5

57 63 55 47 39 31 23 15 7

IP^(-1): Inverse Initial Permutation

Bit 0 1 2 3 4 5 6 71 40 8 48 16 56 24 64 32

9 39 7 47 15 55 23 63 31

17 38 6 46 14 54 22 62 30

25 37 5 45 13 53 21 61 29

33 36 4 44 12 52 20 60 28

41 35 3 43 11 51 19 59 27

49 34 2 42 10 50 18 58 26

57 33 1 41 9 49 17 57 25

These tables are used just like PC-1 and PC-2 were for the key scheduling. By looking at

the table is becomes apparent why one permutation is called the inverse of the other. Forexample, let's examine how bit 32 is transformed under IP. In the table, bit 32 is located

at the intersection of the column labeled 4 and the row labeled 25. So this bit becomes bit29 of the 64-bit block after the permutation. Now let's apply IP^(-1). In IP^(-1), bit 29 is

located at the intersection of the column labeled 7 and the row labeled 25. So this bit

becomes bit 32 after the permutation. And this is the bit position that we started withbefore the first permutation. So IP^(-1) really is the inverse of IP. It does the exact


14/36

15

opposite of IP. If you run a block of plaintext through IP and then pass the resulting block

through IP^(-1), you'll end up with the original block.

3.3 DES Core Function

Once the key scheduling and plaintext preparation have been completed, the actualencryption or decryption is performed by the main DES algorithm. The 64-bit block of

input data is first split into two halves, L and R. L is the left-most 32 bits, and R is the

right-most 32 bits. The following process is repeated 16 times, making up the 16 roundsof standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15].

1. R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit

Selection Table, which is like a permutation, except that some of the bits are used more

than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step.

2. The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] isnot modified.

3. The result from the previous step is now split into 8 segments of 6 bits each. The left-

most 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the index intothe S-boxes, which are used in the next step. The Substitution boxes, known as S-boxes,

are a set of 8 two-dimensional arrays, each with 4 rows and 16 columns. The numbers in

the boxes are always 4 bits in length, so their values range from 0-15. The S-boxes are

numbered S[1]-S[8].

4. Starting with B[1], the first and last bits of the 6-bit block are taken and used as anindex into the row number of S[1], which can range from 0 to 3, and the middle four bits

are used as an index into the column number, which can range from 0 to 15. The number

from this position in the S-box is retrieved and stored away. This is repeated with B[2]and S[2], B[3] and S[3], and the others up to B[8] and S[8]. At this point, we now have 8

4-bit numbers, which when strung together one after the other in the order of retrieval,

give a 32-bit result.5. The result from the previous stage is now passed into the P Permutation.

6. This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into

L[I].

7. At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core

function until I = 17, which means that 16 rounds have been executed and keys K[1]-K[16] have all been used.

When L[16] and R[16] have been obtained, they are joined back together in the same

fashion they were split apart (L[16] is the left-hand half, R[16] is the right-hand half),

then the two halves are swapped, R[16] becomes the left-most 32 bits and L[16] becomes

the right-most 32 bits of the pre-output block and the resultant 64-bit number is called thepre-output.


15/36

16

Tables used in the DES Core Function

E-Bit Selection Table

Bit 0 1 2 3 4 5

1 32 1 2 3 4 5

7 4 5 6 7 8 9

13 8 9 10 11 12 13

19 12 13 14 15 16 17

25 16 17 18 19 20 21

31 20 21 22 23 24 25

37 24 25 26 27 28 29

43 28 29 30 31 32 1

P Permutation

Bit 0 1 2 3

1 16 7 20 21

5 29 12 28 17

9 1 15 23 2613 5 18 31 10

17 2 8 24 14

21 32 27 3 9

25 19 13 30 6

29 22 11 4 25

S-Box 1: Substitution Box 1

Row /

Column0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13


Row /

Column0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9


Row /Column

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8

1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1

2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7

3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12


Row / Column 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15


16/36

17

0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15

1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9

2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4

3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14


Row /Column

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3


Row /

Column0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11

1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8

2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6

3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13


Row /

Column

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1

1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6

2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2

3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12


Row /Column

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7

1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2

2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8

3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

3.4 How to use the S-Boxes

The purpose of this example is to clarify how the S-boxes work. Suppose we have thefollowing 48-bit binary number:

011101000101110101000111101000011100101101011101

In order to pass this through steps 3 and 4 of the Core Function as outlined above, the

number is split up into 8 6-bit blocks, labeled B[1] to B[8] from left to right:

011101 000101 110101 000111 101000 011100 101101 011101

Now, eight numbers are extracted from the S-boxes - one from each box:


17/36

18

B[1] = S[1](01, 1110) = S[1][1][14] = 3 = 0011

B[2] = S[2](01, 0010) = S[2][1][2 ] = 4 = 0100

B[3] = S[3](11, 1010) = S[3][3][10] = 14 = 1110

B[4] = S[4](01, 0011) = S[4][1][3 ] = 5 = 0101

B[5] = S[5](10, 0100) = S[5][2][4 ] = 10 = 1010

B[6] = S[6](00, 1110) = S[6][0][14] = 5 = 0101

B[7] = S[7](11, 0110) = S[7][3][6 ] = 10 = 1010

B[8] = S[8](01, 1110) = S[8][1][14] = 9 = 1001

In each case of S[n][row][column], the first and last bits of the current B[n] are used as

the row index, and the middle four bits as the column index.

The results are now joined together to form a 32-bit number which serves as the input tostage 5 of the Core Function (the P Permutation):

00110100111001011010010110101001

3.5 Ciphertext Preparation

The final step is to apply the permutation IP^(-1) to the pre-output. The result is the

completely encrypted ciphertext.

3.6 Encryption and Decryption

The same algorithm can be used for encryption or decryption. The method described

above will encrypt a block of plaintext and return a block of ciphertext. In order to

decrypt the ciphertext and get the original plaintext again, the procedure is simplyrepeated but the subkeys are applied in reverse order, from K[16]-K[1]. That is, stage 2 of

the Core Function as outlined above changes from R[I-1] XOR K[I] to R[I-1] XOR K[17-

I]. Other than that, decryption is performed exactly the same as encryption.

3.7 Strength of DES

1 With a key length of 56 bits, a brute force attack becomes impractical2 Design algorithm of S-boxes is kept a secret3 DES is also resistant to timing attacks

3.8 Comparison of modern symmetric key algorithms

Algorithm Plaintext Ciphertext Key size Rounds Advantages

DES 64 bits 64 bits 56 bits 16 Simple and fast

Less mathematicalcalculations

Cryptanalysis isdifficult

3DES 64 bits 64 bits 168 bits 48 DES

rounds More reliable

Easy to upgrade the

software to 3DES


18/36

19

Longer keylength,

difficult to crytanalyse

AES 128 bits 128 bits 128/192/

256 bits

10/12/14

resp.Longer keylengths

supported

More flexible

Blowfish 64 bits 64 bits 32-448bits

16 Fast and secureCompact

RC5 32/64/128

bits

32/64/128

bits

0-2040

bits

variable Simple and fast

Adaptable to

processors of different

word length

Data dependentrotations


19/36

20

4 MODES OF OPERATION OF DES

4.1 ECB (Electronic Code Book)

This is the regular DES algorithm. Data is divided into 64-bit blocks and each

block is encrypted one at a time. Separate encryptions with different blocks aretotally independent of each other. This means that if data is transmitted over a

network or phone line, transmission errors will only affect the block containingthe error. It also means, however, that the blocks can be rearranged, thus

scrambling a file beyond recognition, and this action would go undetected. ECB is

the weakest of the various modes because no additional security measures areimplemented besides the basic DES algorithm. However, ECB is the fastest and

easiest to implement, making it the most common mode of DES.


20/36

21

4.2 CBC (Cipher Block Chaining).

In this mode of operation, each block of ECB encrypted ciphertext is XORed with

the next plaintext block to be encrypted, thus making all the blocks dependent on

all the previous blocks. This means that in order to find the plaintext of a

particular block, you need to know the ciphertext, the key, and the ciphertext forthe previous block. The first block to be encrypted has no previous ciphertext, so

the plaintext is XORed with a 64-bit number called the Initialization Vector, or IVfor short. So if data is transmitted over a network or phone line and there is a

transmission error, the error will be carried forward to all subsequent blocks since

each block is dependent upon the last. This mode of operation is more secure thanECB because the extra XOR step adds one more layer to the encryption process.


21/36

22

4.3 CFB (Cipher Feed Back)

In this mode, blocks of plaintext that are less than 64 bits long can be

encrypted. Normally, special processing has to be used to handle files whose size is

not a perfect multiple of 8 bytes, but this mode removes that necessity (Stealthhandles this case by adding several dummy bytes to the end of a file before

encrypting it). The plaintext itself is not actually passed through the DES algorithm,but merely XORed with an output block from it, in the following manner: A 64-bit

block called the Shift Register is used as the input plaintext to DES. This is initially

set to some arbitrary value, and encrypted with the DES algorithm. The ciphertext isthen passed through an extra component called the M-box, which simply selects the

left-most M bits of the ciphertext, where M is the number of bits in the block we wish

to encrypt. This value is XORed with the real plaintext, and the output of that is the

final ciphertext. Finally, the ciphertext is fed back into the Shift Register, and used asthe plaintext seed for the next block to be encrypted. As with CBC mode, an error in

one block affects all subsequent blocks during data transmission. This mode ofoperation is similar to CBC and is very secure, but it is slower than ECB due to theadded complexity.


22/36

23

4.4 OFB (Output Feed Back)

This is similar to CFB mode, except that the ciphertext output of DES is

fed back into the Shift Register, rather than the actual final ciphertext. The ShiftRegister is set to an arbitrary initial value, and passed through the DES algorithm.The output from DES is passed through the M-box and then fed back into the

Shift Register to prepare for the next block. This value is then XORed with the

real plaintext (which may be less than 64 bits in length, like CFB mode), and theresult is the final ciphertext. Note that unlike CFB and CBC, a transmission error

in one block will not affect subsequent blocks because once the recipient has the

initial Shift Register value, it will continue to generate new Shift Register


23/36

24

plaintext inputs without any further data input. However, this mode of operation is

less secure than CFB mode because only the real ciphertext and DES ciphertextoutput is needed to find the plaintext of the most recent block. Knowledge of the

key is not required.


24/36

25

4.5 CTR (Counter)

A counter, equal to the plaintext block size is used. The counter value must be

different for each plaintext block that is encrypted. The counter is initialized to somevalue and then incremented by 1 for each substitution. For encryption, the counter is

encrypted and then XORed with the plaintext block to produce the ciphertext block.


25/36

26

5. PUBLIC KEY CRYPTOGRAPHY

5.1 Comparison of Symmetric Key and Public Key Cryptography

With symmetric-key encryption, the encryption key can be calculated from the

decryption key and vice versa. With most symmetric algorithms, the same key is used forboth encryption and decryption, as shown in Figure

Implementations of symmetric-key encryption can be highly efficient, so that users do

not experience any significant time delay as a result of the encryption and decryption.Symmetric-key encryption is effective only if the symmetric key is kept secret by the two

parties involved. If anyone else discovers the key, it affects both confidentiality andauthentication. A person with an unauthorized symmetric key not only can decrypt

messages sent with that key, but can encrypt new messages and send them as if they

came from one of the two parties who were originally using the key.

Public-key encryption (also called asymmetric encryption) involves a pair of keys--a

public key and a private key--associated with an entity that needs to authenticate its

identity electronically or to sign or encrypt data. Each public key is published, and thecorresponding private key is kept secret. Data encrypted with the public key can be

decrypted only with the private key. The figure shows a simplified view of the waypublic-key encryption works.

The scheme lets us freely distribute a public key, and only you will be able to read data

encrypted using this key. In general, to send encrypted data to someone, we encrypt the

data with that person's public key, and the person receiving the encrypted data decrypts itwith the corresponding private key. Compared with symmetric-key encryption, public-

key encryption requires more computation and is therefore not always appropriate for

large amounts of data. However, it's possible to use public-key encryption to send asymmetric key, which can then be used to encrypt additional data.

As it happens, the reverse of the scheme shown in Figure also works: data encrypted withyour private key can be decrypted only with your public key. This would not be a


26/36

27

desirable way to encrypt sensitive data, however, because it means that anyone with your

public key, which is by definition published, could decrypt the data. Nevertheless,private-key encryption is useful, because it means you can use your private key to sign

data with your digital signature--an important requirement for electronic commerce and

other commercial applications of cryptography.


27/36

28

6. RSA Algorithm

The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at

MIT; the letters RSA are the initials of their surnames. This is the most commonly usedalgorithm in public key cryptography

6.1 Key Generation

Suppose a user X wishes to allow Y to send a private message over an insecure

transmission medium. X takes the following steps to generate a public key and a private

key:

1. Choose two large prime numbers and such that , randomly andindependently of each other.

2. Compute .

3. Compute the totient .

4. Choose an integer e such that which is coprime to .

5. Compute dsuch that

The public key consists of

n, the modulus, and

e, the public exponent (sometimes encryption exponent).

The private key consists of

n, the modulus, which is public and appears in the public key, and d, the private exponent (sometimes decryption exponent), which must be kept

secret.

6.2 Encrypting messages

Suppose Bob wishes to send a messageMto Alice. He turnsMinto a number m < n,

using some previously agreed-upon reversible protocol known as a padding scheme.

Bob now has m, and knows n and e, which Alice has announced. He then computes the

ciphertext c corresponding to m:

Bob then transmits c to Alice

6.3 Decrypting messages

Alice receives c from Bob, and knows her private key d. She can recover m from c by thefollowing procedure:

The proof is given in Appendix


28/36

29

6.4 A working example

Here is an example of RSA encryption and decryption. The parameters used here are

artificially smallWe let

p = 61 - first prime number (to be kept secret or deleted securely)q = 53 - second prime number (to be kept secret or deleted securely)n =pq =

3233

- modulus (to be made public)

e = 17 - public exponent (to be made public)d= 2753 - private exponent (to be kept secret)

The public key is (e, n). The private key is d. The encryption function is:

encrypt(m) = me mod n = m17 mod 3233

where m is the plaintext. The decryption function is:

decrypt(c) = cdmod n = c2753 mod 3233

where c is the ciphertext.

To encrypt the plaintext value 123, we calculate

encrypt(123) = 12317 mod 3233 = 855

To decrypt the ciphertext value 855, we calculate

decrypt(855) = 8552753 mod 3233 = 123

6.5 Security of RSA

The security of the RSA cryptosystem is based on two mathematical problems: theproblem of factoring very large numbers, and the RSA problem. Full decryption of an

RSA ciphertext is thought to be infeasible on the assumption that both of these problemsare hard, i.e., no efficient algorithm exists for solving them.

The RSA problem is defined as the task of taking eth roots modulo a composite n:

recovering a value m such that me=c mod n, where (e, n) is an RSA public key and c is anRSA ciphertext. Currently the most promising approach to solving the RSA problem is to

factor the modulus n. With the ability to recover prime factors, an attacker can compute

the secret exponent d from a public key (e, n), then decrypt c using the standardprocedure. To accomplish this, an attacker factors n intop and q, and computes (p-1)(q-1)

which allows the determination of d from e. No polynomial-time method for factoringlarge integers on a classical computer has yet been found, but it has not been proven thatnone exists.

6.6 Practical Considerations

Speed

RSA is much slower than DES and other symmetric cryptosystems.


29/36

30

Key distribution

As with all ciphers, how RSA public keys are distributed is important to security. Keydistribution must be secured against a man-in-the-middle attack. In principle, neither

sender nor receiver would be able to detect an outsiders presence. Defenses against such

attacks are often based on digital certificates.

Timing attacks

6.7 Comparison of RSA and DES

Feature DES RSA

speed high low

data block length 64 bits minimum 512 bits

key length 56 bits minimum 512 bits

use of data space full, 64 bits (264), 8

bytes

variable, limited, not

defined,ciphering & deciphering

key

same different

ciphering & decipheringalgorithm

different same

algorithm contains only

XOR and branching

no no

cryptanalysis method differential method product factorization


30/36

31

7. Diffie Hellman Key Exchange

Diffie-Hellman key agreement was invented in 1976 during a collaboration between

Whitfield Diffie and Martin Hellman and was the first practical method for establishing a

shared secret over an unprotected communications channel.7.1 Description

The simplest, and original, implementation of the protocol uses the multiplicative group

of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply

means that the integers between 1 and p 1 are used with normal multiplication,

exponentiation and division, except that after each operation the result keeps only theremainder after dividing by p. Here is an example of the protocol:

1. Alice and Bob agree to use a prime numberp=23 and base g=5.

2. Alice chooses a secret integer a=6, then sends Bob (ga modp)

o 56 mod 23 = 8.

3. Bob chooses a secret integer b=15, then sends Alice (gb mod p)

o 515 mod 23 = 19.

4. Alice computes (gb modp)a modp

o 196 mod 23 = 2.

5. Bob computes (ga modp)b modp

815 mod 23 = 2.

Both Alice and Bob have arrived at the same value, because g ab and gba are equal. Note

that only a, b, gab and gba are kept secret. All the other values are sent in the clear. Once

Alice and Bob compute the shared secret they can use it as an encryption key, knownonly to them, for sending messages across the same open communications channel. Of

course, much larger values of a,b, and p would be needed to make this example secure,since it is easy to try all the possible values of gab mod 23 (there will be, at most, 22 such

values, even if a and b are large). If p was a prime of more than 300 digits, and a and b

were at least 100 digits long, then even the best known algorithms for finding a given

only g, p, and ga mod p (known as the discrete logarithm problem) would take longerthan the lifetime of the universe to run. g need not be large at all, and in practice is

usually either 2 or 5.

Here's a more general description of the protocol:

1. Alice and Bob agree on a finite cyclic group G and a generating element g in G.(This is usually done long before the rest of the protocol; g is assumed to be known by all

attackers.) We will write the group G multiplicatively.

2. Alice picks a random natural number a and sends ga to Bob.

3. Bob picks a random natural number b and sends gb to Alice.

4. Alice computes (gb)a.


31/36

32

5. Bob computes (ga)b. Both Alice and Bob are now in possession of the group

element gab which can serve as the shared secret key.

7.2 Security

The protocol is considered secure against eavesdroppers if G and g are chosen properly.

The eavesdropper must solve the Diffie-Hellman problem to obtain gab. This is currently

considered difficult. An efficient algorithm to solve the discrete logarithm problem wouldmake it easy to compute a or b and solve the Diffie-Hellman problem, making this

protocol insecure.

The order of G should be prime or have a large prime factor to prevent obtaining a or b.

The secret integers a and b are discarded at the end of the session. Therefore, Diffie-Hellman key exchange by itself trivially achieves perfect forward secrecy because no

long-term private keying material exists to be disclosed.

7.3 Authentication

In the original description, the Diffie-Hellman exchange by itself does not provide

authentication of the parties, and is thus vulnerable to man in the middle attack. The man-in-the-middle may establish two distinct Diffie-Hellman keys, one with Alice and the

other with Bob, and then try to masquerade as Alice to Bob and/or vice-versa, perhaps by

decrypting and re-encrypting messages passed between them. Some method toauthenticate these parties to each other is generally needed


32/36

33

8. Message Authentication Code (MAC) and Hash Functions

Message authentication is concerned with

a) Protecting integrity of the message

b) Validating identity of the originator

c) Non-repudiation of origin

There are three different ways to achieve message authentication

1 Message Encryption2 MAC3 Hash functions

Message encryption can be either a symmetric key encryption or public key encryption. Ifsymmetric key encryption is used receiver and sender should communicate the secret

key, which is a hazardous task. If public key encryption is used and public key is used for

encryption, there is no confidence of sender. However if sender uses private key for

encryption, both confidentiality and authentication is provided. But still we need torecognize corrupted messages

8.1 MAC

A cryptographic message authentication code (MAC) is a short piece of information usedto authenticate a message. A MAC algorithm accepts as input a secret key and an

arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a

tag). The MAC value protects both a message's integrity as well as its authenticity, by

allowing verifiers (who also possess the secret key) to detect any changes to the messagecontent.

A MAC is a cryptographic checksum

MAC = CK(M)

MAC is a many-to-one function. Potentially many messages have same MAC. But

finding these needs to be very difficult

Requirements for MAC

1. Knowing a message and MAC, is infeasible to find another message with

same MAC

2. MACs should be uniformly distributed

3. MAC should depend equally on all bits of the message


33/36

34

8.2 HASH Functions

A hash function H is a transformation that takes a variable-size input m and returns a

fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with

just this property have a variety of general computational uses, but when employed incryptography the hash functions are usually chosen to have some additional properties.

The basic requirements for a cryptographic hash function are:

o the input can be of any length,o the output has a fixed length,o H(x) is relatively easy to compute for any given x ,o H(x) is one-way,o H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where "hard to invert"

means that given a hash value h, it is computationally infeasible to find some input x such

that H(x) = h.

If, given a message x, it is computationally infeasible to find a message y not equal to x

such that H(x) = H(y) then H is said to be a weakly collision-free hash function.

A strongly collision-free hash function H is one for which it is computationally infeasible

to find any two messages x and y such that H(x) = H(y).


34/36

35

9. Digital Signature

Digital signature (or public-key digital signature) is a type of method for authenticating

digital information analogous to ordinary physical signatures on paper, but implemented

using techniques from the field of public-key cryptography. A digital signature methodgenerally defines two complementary algorithms, one for signing and the other forverification, and the output of the signing process is also called a digital signature. Digital

signature has also been used as a broader term encompassing both public-key digital

signature techniques and message authentication codes.

Instead of encrypting the data itself, the signing software creates a one-way hash of the

data, then uses the private key to encrypt the hash. The encrypted hash, along with other

information, such as the hashing algorithm, is known as a digital signature. The figure

shows a simplified view of the way a digital signature can be used to validate theintegrity of signed data.

Using a digital signature to validate data integrity

The figure shows two items transferred to the recipient of some signed data: the originaldata and the digital signature, which is basically a one-way hash (of the original data) that

has been encrypted with the signer's private key. To validate the integrity of the data, the

receiving software first uses the signer's public key to decrypt the hash. It then uses thesame hashing algorithm that generated the original hash to generate a new one-way hash

of the same data. (Information about the hashing algorithm used is sent with the digital

signature, although this isn't shown in the figure.) Finally, the receiving softwarecompares the new hash against the original hash. If the two hashes match, the data has

not changed since it was signed. If they don't match, the data may have been tampered

with since it was signed, or the signature may have been created with a private key thatdoesn't correspond to the public key presented by the signer. If the two hashes match, the

recipient can be certain that the public key used to decrypt the digital signature

corresponds to the private key used to create the digital signature. Confirming the identity

of the signer, however, also requires some way of confirming that the public key reallybelongs to a particular person or other entity


35/36

36

The significance of a digital signature is comparable to the significance of a handwritten

signature. Once you have signed some data, it is difficult to deny doing so later--assuming that the private key has not been compromised or out of the owner's control.

This quality of digital signatures provides a high degree of non repudiation--that is,

digital signatures make it difficult for the signer to deny having signed the data. In some

situations, a digital signature may be as legally binding as a handwritten signature.


36/36

QUESTIONS

1. What is cryptography?2. What is a block cipher?3. What is a Fiestel cipher?4. What are weak keys?5. What is DES?6. What is triple DES?7. What are ECB and CBC modes?8. What is Blowfish?9. What is multiple encryption?10.What is stream cipher?11.What is public key cryptography?12.What are the key management issues involved in public key cryptography?13.What are certificates?14.What are the advantages of public key cryptography over symmetric keycryptography?15.What is a one-way function?16.What is the significance of one way function in cryptography?17.What is RSA?18.What are the different types of attacks on RSA?19.What is the RSA factoring challenge?20.How is RSA used for authentication in practice?21.What is Diffie Hellman key exchange?22.What is the significance of factoring in cryptography?23.What is the discrete logarithm problem?24.What are MACs?25.What is a hash function?

Documents

B.tech CS S8 Security in Computing Notes Module 3