UNIT -8 NETWORK SECURITY. Need of Security For the first few decades computer networks were primarily used by university researchers for sending e-mail

UNIT -8NETWORK SECURITY

Need of Security For the first few decades computer networks were primarily

used by university researchers for sending e-mail and by corporate employees for sharing printers.

In these conditions, security did not get a lot of attention. As we know that presently, millions of ordinary citizens are

using networks for banking, shopping, and filing their tax returns, so that network security potentially considerable (huge/gigantic) problem.

Security is a broad topic and covers a large amount of commitment:

1) It is concerned with making sure that nosy people cannot read, or secretly modify messages intended for other recipients.

2) It is concerned with people trying to access remote services that they are not authorized to use.

3) Security also deals with the problems of legitimate (legal) messages being captured and replayed, and with people trying to deny that they sent certain messages.

Need for Security

Some people who cause security problems and why.

Most security problems are intentionally caused by malicious people trying to gain some benefit, get attention, or to harm someone. A few of the most common harmful/illegal are listed in below table:

Network security problems can be divided roughly into four closely intertwined (twist) areas:

1) Secrecy (Message Confidentiality): It is also known as confidentiality. Message confidentiality or privacy means that the sender

and the receiver expect confidentiality. The transmitted message must make sense to only the

intended receiver. To all others, the message must be garbage. When a customer communicates with her/his bank, she

expects that the communication is totally confidential. It means that keeping information out of the hands of

unauthorized users.2) Authentication (Message Authentication): In message authentication the receiver needs to be sure of

the sender's identity and that an imposter (fraud) has not sent the message.

It deals with determining whom we are talking to before revealing sensitive information or entering into a business deal.

Message authentication is a service beyond message integrity.

3) Nonrepudiation (Message Nonrepudiation): Message nonrepudiation means that a sender must not be able to

deny sending a message that he or she did send. The burden of proof falls on the receiver. For example, when a customer sends a message to transfer

money from one account to another, the bank must have proof (in terms of signatures) that the customer actually requested this transaction. Another example is how we prove that our customer really placed an electronic order?

4)Integrity Control (Message integrity): Integrity means that the data must arrive at the receiver exactly

as they were sent. It means that how can we sure that a message we received was really the one which is sent by actual recipient and not modified during the transit or concocted by malicious challenger.

There must be no changes during the transmission, neither accidentally nor maliciously.

As more and more monetary exchanges occur over the Internet, integrity is crucial.

For example, it would be disastrous if a request for transferring $100 changed to a request for $10,000 or $100,000.

The integrity of the message must be preserved in a secure communication.

Integrity and secrecy are achieved by using registered mail and locking documents up.

People authenticate other people by recognizing their faces, voices, and handwriting.

Proof of signing is handled by signatures on letterhead paper, raised seals, and so on.

Tampering can usually be detected by handwriting, ink, and paper experts.

For the electronically devices none of the above options are available. Clearly, other solutions are needed.

There is probably no one single place considering where in the protocol stack network security belong.

Every layer has something to contribute. In the physical layer, wiretapping can be foiled (blocked) by

enclosing transmission lines in sealed tubes containing gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the pressure and triggering an alarm. Some military systems use this technique.

In the data link layer, packets on a point-to-point line can be encrypted as they leave one machine and decrypted as they enter another. All the details can be handled in the data link layer, with higher layers unaware to what is going on. This solution breaks down when packets have to traverse multiple routers, because packets have to be decrypted at each router, leaving them vulnerable to attacks from within the router. Also, it does not allow some sessions to be protected (e.g., those involving on-line purchases by credit card) and others not. However, link encryption can be added to any network easily and is often useful.

In the network layer, firewalls can be installed to keep good packets and bad packets out. IP security also functions in this layer.

In the transport layer, entire connections can be encrypted, end to end, that is, process to process. For maximum security, end-to-end security is required.

Finally, issues such as user authentication and nonrepudiation can only be handled in the application layer.

Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is a science of protecting information by encoding it into an unreadable format. Cryptography is an effective way of protecting sensitive information as it is stored on media or transmitted through network communication paths.

Some Terms1) Cryptography Cryptography comes from the Greek words, it means that

''secret writing”. It refers to the science and art of transforming messages to make them secure and protected to attacks.

2)Plaintext and CiphertextThe original message, before being transformed, is called plaintext. After the message is transformed, it is called ciphertext. An encryption algorithm transforms the plaintext into ciphertext; a decryption algorithm transforms the ciphertext back into plaintext. The sender uses an encryption algorithm, and the receiver uses a decryption algorithm.

3) Cipher A cipher is a character-for-character or bit-for-bit transformation,

without regard to the linguistic structure of the message. We refer to encryption and decryption algorithms as ciphers. The term cipher is also used to refer to different categories of

algorithms in cryptography. A code replaces one word with another word or symbol. The most successful code ever devised was used by the U.S.

armed forces during World War II in the Pacific. 4) Key A key is a number (or a set of numbers) that the cipher as an

algorithm operates on. To encrypt a message, we need an encryption algorithm, an

encryption key, and the plaintext. These create the ciphertext. To decrypt a message, we need a decryption algorithm, a

decryption key, and the ciphertext. These reveal the original plaintext.

1. Algorithm Set of mathematical rules used in encryption and decryption

2. Cryptography Science of secret writing that enables you to store and transmit data in a form that is available only to the intended individuals

3. Cryptosystem Hardware or software implementation of cryptography that transforms a message to ciphertext and back to plaintext

4. Cryptanalysis Practice of obtaining plaintext from ciphertext without a key or breaking the encryption

5. Cryptology The study of both cryptography and cryptanalysis6. Ciphertext Data in encrypted or unreadable format7. Encipher Act of transforming data into an unreadable format8. Decipher Act of transforming data into a readable format9. Key Secret sequence of bits and instructions that governs the

act of encryption and decryption10.Key clustering Instance when two different keys generate the

same ciphertext from the same plaintext11.Keyspace Possible values used to construct keys12.Plaintext Data in readable format, also referred to as cleartext 13.Work factor Estimated time, effort, and resources necessary to

break a cryptosystem

An Introduction to Cryptography

The encryption model (for a symmetric-key cipher).Dk(Ek(P))=P

The messages to be encrypted, known as the plaintext, are transformed by a function that is parameterized by a key.

The output of the encryption process, known as the ciphertext, is then transmitted, often by messenger or radio.

We assume that the enemy, or intruder, hears and accurately copies down the complete ciphertext.

However, unlike the intended recipient, he does not know what the decryption key is and so cannot decrypt the ciphertext easily.

Sometimes the intruder can not only listen to the communication channel (passive intruder) but can also record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver (active intruder).

The art of breaking ciphers called cryptanalysis, and the art devising them (cryptography) is collectively known as cryptology.

It will often be useful to have a notation for relating plaintext, ciphertext, and keys.

We will use C = EK(P) to mean that the encryption of the plaintext P using key K gives the ciphertext C.

Similarly, P = DK(C) represents the decryption of C to get the plaintext again.

It then follows that

This notation suggests that E and D are just mathematical functions, which they are.

The only tricky part is that both are functions of two parameters, and we have written one of the parameters (the key) as a subscript, rather than as an argument, to distinguish it from the message.

A fundamental rule of cryptography is that one must assume that the cryptanalyst knows the methods used for encryption and decryption.

In other words, the cryptanalyst knows how the encryption method, E, and decryption, D, as shown in diagram.

The amount of effort necessary to invent, test, and install a new algorithm every time the old method is compromised (or thought to be compromised) has always made it impractical to keep the encryption algorithm secret.

Thinking it is secret when it is not does more harm than good. This is where the key enters. The key consists of a (relatively) short string that selects one of

many potential encryptions. In contrast to the general method, which may only be changed

every few years, the key can be changed as often as required. Thus, our basic model is a stable and publicly-known general

method parameterized by a secret and easily changed key.

The idea that the cryptanalyst knows the algorithms and that the secrecy lies completely in the keys is called Kerckhoff's principle, named after the Flemish military cryptographer Auguste Kerckhoff who first stated it in 1883.

Thus, we have: Kerckhoff's principle: All algorithms must be public; only

the keys are secret The nonsecrecy of the algorithm cannot be emphasized enough. Trying to keep the algorithm secret, known in the trade as

security by obscurity, never works. Also, by publicizing the algorithm, the cryptographer gets free

consulting from a large number of academic cryptologists eager to break the system so they can publish papers demonstrating how smart they are.

If many experts have tried to break the algorithm for 5 years after its publication and no one has succeeded, it is probably pretty solid.

Since the real secrecy is in the key, its length is a major design issue.

Consider a simple combination lock. The general principle is that we enter digits in sequence.

Everyone knows this, but the key is secret. A key length of two digits means that there are 100 possibilities.

A key length of three digits means 1000 possibilities, and a key length of six digits means a million.

The longer the key, the higher the work factor the cryptanalyst has to deal with.

The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.

Secrecy comes from having a strong (but public) algorithm and a long key.

To prevent our kid brother from reading our e-mail, 64-bit keys will do.

For routine commercial use, at least 128 bits should be used. To keep major governments at bay, keys of at least 256 bits,

preferably more, are needed. From the cryptanalyst's point of view, the cryptanalysis

problem has three principal variations. When he has a quantity of ciphertext and no plaintext, he is

confronted with the ciphertext-only problem. The cryptograms that appear in the puzzle section of newspapers pose this kind of problem.

When the cryptanalyst has some matched ciphertext and plaintext, the problem is called the known plaintext problem.

when the cryptanalyst has the ability to encrypt pieces of plaintext of his own choosing, we have the chosen plaintext problem.

Newspaper cryptograms could be broken trivially if the cryptanalyst were allowed to ask such questions as: What is the encryption of ABCDEFGHIJKL?

Novices in the cryptography business often assume that if a cipher can withstand a ciphertext-only attack, it is secure.

This assumption is very inexperienced. In many cases the cryptanalyst can make a good guess at

parts of the plaintext. For example, the first thing many computers say when we

call them up is login: . Equipped with some matched plaintext-ciphertext pairs, the cryptanalyst's job becomes much easier.

To achieve security, the cryptographer should be conservative and make sure that the system is unbreakable even if his opponent can encrypt arbitrary amounts of chosen plaintext.

Categories of Cryptography

We can divide all the cryptography algorithms (ciphers) into two groups:

symmetric key (also called secret-key) cryptography algorithms and

asymmetric (also called public-key) cryptography algorithms.

Symmetric-Key Cryptography

In symmetric-key cryptography, the same key is used by both parties.

The sender uses this key and an encryption algorithm to encrypt data; the receiver uses the same key and the corresponding decryption algorithm to decrypt the data.

Asymmetric-Key Cryptography

In asymmetric or public-key cryptography, there are two keys: a private key and a public key.

The private key is kept by the receiver. The public key is announced to the public.

In public-key encryption/decryption, the public key that is used for encryption is different from the private key that is used for decryption.

The public key is available to the public; the private key is available only to an individual.

Three Types of Keys The three types of keys in cryptography:1. The secret key: The secret key is the shared key used in

symmetric-key cryptography. 2. The public key: used in asymmetric-key cryptography.3. The private key: used in asymmetric-key cryptography. We will use three different icons for these keys to

distinguish one from the others, as shown in below diagram:

Comparison Let us compare symmetric-key and asymmetric-key

cryptography. Encryption can be thought of as electronic locking;

decryption as electronic unlocking. The sender puts the message in a box and locks the box by

using a key; the receiver unlocks the box with a key and takes out the message.

The difference lies in the mechanism of the locking and unlocking and the type of keys used.

In symmetric-key cryptography, the same key locks and unlocks the box.

In asymmetric-key cryptography, one key locks the box, but another key is needed to unlock it.

Given below diagram shows the difference.

Traditional Ciphers We can divide traditional symmetric-key ciphers into two

broad categories: substitution ciphers and transposition ciphers.

OR Encryption methods have been divided into two categories:

substitution ciphers and transposition ciphers.

Substitution Ciphers In a substitution cipher each letter (character) or group of

letters is replaced by another letter (character) or group of letters to disguise it.

One of the oldest known ciphers is the Caesar cipher, attributed to Julius Caesar. This is referred to as a shift alphabet cipher.

In this method, a becomes D, b becomes E, c becomes F, ... , and z becomes C.

If the symbols are digits (0 to 9), we can replace 3 with 7, and 2 with 6.

For example, attack becomes DWWDFN. In examples, plaintext will be given in lower case letters, and

ciphertext in upper case letters. A slight generalization of the Caesar cipher allows the

ciphertext alphabet to be shifted by k letters, instead of always 3. In this case k becomes a key to the general method of circularly shifted alphabets.

If we use 4 as a key then attack becomes the EXXEGO.

monoalphabetic substitution: The next improvement is to have each of the symbols in the

plaintext map onto some other letter. For example,plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y zciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M In a monoalphabetic cipher, a character (or a symbol) in the

plaintext is always changed to the same character (or symbol) in the ciphertext regardless of its position in the text. (i.e. The general system of symbol-for-symbol substitution is called a monoalphabetic substitution, with the key being the 26-letter string corresponding to the full alphabet.)

For example, if the algorithm says that character A in the plaintext is changed to character D, every character A is changed to character D.

In other words, the relationship between characters in the plaintext and the ciphertext is a one-to-one relationship.

For the key above, the plaintext attack would be transformed into the ciphertext QZZQEA.

At first glance this might appear to be a safe system because though the cryptanalyst knows the general system (letter-for-letter substitution), he does not know which of the 26! 4 x 1026 possible keys is in use.

In contrast with the Caesar cipher, trying all of them is not a promising approach.

Even at 1 nsec per solution, a computer would take 1010 years to try all the keys.

However, given a surprisingly small amount of ciphertext, the cipher can be broken easily.

The basic attack takes advantage of the statistical properties of natural languages.

In English, for example, e is the most common letter, followed by t, o, a, n, i, etc.

The most common two-letter combinations, or digrams, are th, in, er, re, and an.

The most common three-letter combinations, or trigrams, are the, ing, and, and ion.

A cryptanalyst trying to break a monoalphabetic cipher would start out by counting the relative frequencies of all letters in the ciphertext.

Then he might tentatively assign the most common one to e and the next most common one to t.

He would then look at trigrams to find a common one of the form tXe, which strongly suggests that X is h.

Similarly, if the pattern thYt occurs frequently, the Y probably stands for a.

With this information, he can look for a frequently occurring trigram of the form aZW, which is most likely and.

By making guesses at common letters, digrams, and trigrams and knowing about likely patterns of vowels and consonants, the cryptanalyst builds up a tentative plaintext, letter by letter.

Another approach is to guess a probable word or phrase. For example, consider the following ciphertext from an

accounting firm (blocked into groups of five characters):

CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBN QJSW

A likely word in a message from an accounting firm is financial. Using our knowledge that financial has a repeated letter (i),

with four other letters between their occurrences, we look for repeated letters in the ciphertext at this spacing.

We find 12 hits, at positions 6, 15, 27, 31, 42, 48, 56, 66, 70, 71, 76, and 82.

However, only two of these, 31 and 42, have the next letter (corresponding to n in the plaintext) repeated in the proper place.

Of these two, only 31 also has the a correctly positioned, so we know that financial begins at position 30.

From this point on, deducing the key is easy by using the frequency statistics for English text.

The simplest monoalphabetic cipher is probably the shift cipher.

We assume that the plaintext and ciphertext consist of uppercase letters (A to Z) only.

In this cipher, the encryption algorithm is "shift key characters down," with key equal to some number.

The decryption algorithm is "shift key characters up." For example, if the key is 5, the encryption algorithm is

"shift 5 characters down" (toward the end of the alphabet). The decryption algorithm is "shift 5 characters up" (toward

the beginning of the alphabet). Of course, if we reach the end or beginning of the alphabet,

we wrap around.

Example: Use the shift cipher with key = 15 to encrypt the message "HELLO."

Solution: We encrypt one character at a time. Each character is shifted 15 characters down. Letter H is encrypted to W. Letter E is encrypted to T. The first L is encrypted to A. The second L is also encrypted to A. And 0 is encrypted to D. The cipher text is WTAAD.

Example: Use the shift cipher with key =15 to decrypt the message "WTAAD."

Solution: We decrypt one character at a time. Each character is shifted 15 characters up. Letter W is decrypted to H. Letter T is decrypted to E. The first A is decrypted to L. The second A is decrypted to L. And, finally, D is decrypted to O. The plaintext is HELLO.

Transposition Ciphers A transposition cipher is a rearrangement of the letters in the

plaintext according to some specific system & key (i.e. a permutation of the plaintext).

In a transposition cipher, there is no substitution of characters; instead, their locations change.

A character in the first position of the plaintext may appear in the tenth position of the ciphertext.

A character in the eighth position may appear in the first position.

In other words, a transposition cipher reorders the symbols in a block of symbols.

In this example, MEGABUCK is the key. The purpose of the key is to number the columns, column 1

being under the key letter closest to the start of the alphabet, and so on.

The plaintext is written horizontally, in rows. The ciphertext is read out by columns, starting with the column

whose key letter is the lowest.

Transposition Ciphers

A transposition cipher.

Key In a transposition cipher, the key is a mapping between the position of the symbols in the plaintext and cipher text. For example, the following shows the key using a block of four characters:Plaintext: 2 4 1 3Ciphertext: 1 2 3 4In encryption, we move the character at position 2 to position 1, the character at position 4 to position 2, and so on. In decryption, we do the reverse. For the more effective security provide, the key should be long which means encryption and decryption of long blocks of data.

Simple example:A route cipher: we arrange the plaintext in a geometrical figure, then copy it out following a different route.e.g. P/T: Now is the time for all good men . . .We arrange this in a rectangle of K columns and extract the ciphertext by the columns:

N O W I ST H E T IM E F O RA L L G OO D M E N

Ciphertext: NTMAO OHELD WEFLM ITOGE SIRONHow do we detect this? Well, the character frequency should

be the same as English.More generally, we deal with:Rectangular Columnar Transposition:1) Arrange horizontally in a rectangle.2) Use a key to generate a permutation of the columns3) Read vertically.

Key: SCHMID 613542

Plaintext: sell all stock on Monday6 1 3 5 4 2s e l l a ll s t o c ko n M o n da yCiphertext: ESNYL KDLTM ACNLO OSLOA

To break a transposition cipher, the cryptanalyst must first be aware that he is dealing with a transposition cipher.

By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext.

If so, the cipher is clearly a transposition cipher, because in such a cipher every letter represents itself, keeping the frequency distribution intact.

The next step is to make a guess at the number of columns. In many cases a probable word or phrase may be guessed at

from the context. For example, suppose that our cryptanalyst suspects that the

plaintext phrase million dollars occurs somewhere in the message.

Observe that digrams MO, IL, LL, LA, IR and OS occur in the ciphertext as a result of this phrase wrapping around.

The ciphertext letter O follows the ciphertext letter M (i.e., they are vertically adjacent in column 4) because they are separated in the probable phrase by a distance equal to the key length.

If a key of length seven had been used, the digrams MD, IO, LL, LL, IA, OR, and NS would have occurred instead.

In fact, for each key length, a different set of digrams is produced in the ciphertext. By hunting for the various possibilities, the cryptanalyst can often easily determine the key length.

The remaining step is to order the columns. When the number of columns, k, is small, each of the k *(k - 1)

column pairs can be examined to see if its digram frequencies match those for English plaintext.

The pair with the best match is assumed to be correctly positioned.

Now each remaining column is tentatively tried as the successor to this pair.

The column whose digram and trigram frequencies give the best match is tentatively assumed to be correct.

The predecessor column is found in the same way. The entire process is continued until a potential ordering is found. Chances are that the plaintext will be recognizable at this point

(e.g., if milloin occurs, it is clear what the error is). Some transposition ciphers accept a fixed-length block of input

and produce a fixed-length block of output. These ciphers can be completely described by giving a list telling

the order in which the characters are to be output. For example, the cipher of shown in diagram can be seen as a 64

character block cipher. Its output is 4, 12, 20, 28, 36, 44, 52, 60, 5, 13 , ... , 62. In other words, the fourth input character, a, is the first to be

output, followed by the twelfth, f, and so on.

One-Time Pads Constructing an unbreakable cipher is actually quite easy. First choose a random bit string as the key. Then convert the plaintext into a bit string, for example by using

its ASCII representation. Finally, compute the XOR of these two strings, bit by bit. This method, known as the one-time pad, is protected to all

present and future attacks no matter how much computational power the intruder has.

The reason derives from information theory: there is simply no information in the message because all possible plaintexts of the given length are equally likely.

An example of how one-time pads are used is given in diagram. First, message 1, ''I like you.'' is converted to 7-bit ASCII. Then a one-time pad, pad 1, is chosen and XORed with the

message to get the ciphertext. A cryptanalyst could try all possible one-time pads to see what

plaintext came out for each one. For example, the one-time pad listed as pad 2 in the figure

could be tried, resulting in plaintext 2, ''Elvis lives'', which may or may not be probable.

In fact, for every 11-character ASCII plaintext, there is a one-time pad that generates it.

That is what we mean by saying there is no information in the ciphertext: we can get any message of the correct length out of it.

Disadvantage of One-Time Pad One-time pads are great in theory but have a number of

disadvantages in practice. The key cannot be memorized, so both sender and receiver

must carry a written copy with them. If either one is subject to capture, written keys are clearly undesirable.

Additionally, the total amount of data that can be transmitted is limited by the amount of key available.

Another problem is the sensitivity of the method to lost or inserted characters. If the sender and receiver get out of synchronization, all data from then on will appear garbled.

With the advent of computers, the one-time pad might potentially become practical for some applications.

The source of the key could be a special DVD that contains several gigabytes of information and if transported in a DVD movie box and prefixed by a few minutes of video, would not even be suspicious.

Of course, at gigabit network speeds, having to insert a new DVD every 30 sec could become tedious.

And the DVDs must be personally carried from the sender to the receiver before any messages can be sent, which greatly reduces their practical utility.

Solution to the One Time Pad is

Quantum Cryptography

Quantum Cryptography Alice and Bob wants to communicate who is also known as

the Principals. Trudy (Jealous) is intruder. This algorithm is called BB84 (Bennet & Brassard, 1984) Quantum cryptography is based on fact that light comes in

little packets called Photons. Photons can be polarized using polarizing filters. After passing through second filter, intensity of light is

proportional to square of cosine of angle between axes. To generate one-time pad, Alice needs two sets of

polarizing filters. Two filters, vertical and horizontal is called rectilinear basis. Two filters running 45 degrees is called diagonal basis. To transform original one time pad to different one for

Trudy’s misinterpretation is called privacy amplification. See bit 7, 10, 11, 14. Observe next figure.

Two Fundamental Cryptography Principles

1. Redundancy Cryptographic principle 1: “Messages must contain some redundancy”

User large size of message Use CRC, Cryptographic Hash, Hamming Code

for error detection and correction.

2. Freshness Cryptographic principle 2: “Some method is needed to foil replay attacks”

Include timestamp in every message. Suppose after 10 sec, message must be thrown

out of the network.

SYMMETRIC-KEY ALGORITHMS

1. DES –The Data Encryption Standard 2. AES –The Advanced Encryption Standard 3. Cipher Modes 4. Other Ciphers 5. Cryptanalysis

Symmetric Key Algorithms They use same key for encryption and

decryption, that’s why called symmetric key algorithms.

Block Ciphers: which take an n-bit block of plaintext as input and transform it using the key into n-bit block of ciphertext.

P (Permutation) Box Cipher A P-box (permutation box) cryptographic

algorithms can be implemented in either hardware (for speed) or in software (for flexibility), but hardware is faster.

It can performs a transposition at the bit level; it transposes bits.

Transpositions and substitutions can be implemented with simple electrical circuits.

P-boxes are normally keyless (the number of rotations is fixed) .

Given diagram shows a device which is known as a P-box (P stands for permutation), used to effect a transposition on an 8-bit input.

If the 8 bits are designated from top to bottom as 01234567, the output of this particular P-box is 36071245.

By appropriate internal wiring, a P-box can be made to perform any transposition and do it at practically the speed of light since no computation is involved, just signal propagation.

The attacker knows that the general method is permuting the bits.

But it does not known to attackers that which bit goes where it means which is the key.

There are three types of permutations in P-boxes (shown in diagram):

1. straight permutation2. expansion permutation3. compression permutation A straight permutation cipher

or a straight P-box has the same number of inputs as outputs. In other words, if the number of inputs is N, the number of outputs is also N.

In an expansion permutation cipher, the number of output ports is greater than the number of input ports.

In a compression permutation cipher, the number of output ports is less than the number of input ports.

S (substitutions) Box Cipher The input to an S-box is a stream of bits with length N; the result is another stream of bits with length M. It is not necessarily that the N and M are same. Given below diagram shows an S-box.

The S-box is normally keyless (the number of rotations is fixed) and is used as an intermediate stage of encryption or decryption. The function that matches the input to the output may be defined mathematically or by a table.

Substitutions are performed by S-boxes, as shown in diagram.

In this example a 3-bit plaintext is entered and a 3-bit cipher text is output.

The 3-bit input selects one of the eight lines exiting from the first stage and sets it to 1; all the other lines are 0. The second stage is a P-box. The third stage encodes the selected input line in binary again.

With the wiring shown, if the eight octal numbers 01234567 were input one after another, the output sequence would be 24506713.

In other words, 0 has been replaced by 2, 1 has been replaced by 4, etc.

Again, by appropriate wiring of the P-box inside the S-box, any substitution can be accomplished.

A device can be built in hardware and can achieve great speed since encoders and decoders have only one or two (subnanosecond) gate delays and the propagation time across the P-box may well be less than 1 picosecond.

Product Cipher Shannon proposed to design strong ciphers by mixing different

kinds of transformations. This can be achieved by alternating substitutions and

transpositions. The earliest block ciphers were based on this principle and so

were called SP-networks.

Three things need to be done to make the algorithm design secure:1. The cipher needs to be “wide” enough.2. The cipher needs to have enough rounds.3. The S-boxes need to be suitably chosen.

Product Cipher

The real power of these basic elements only becomes apparent when we cascade a whole series of boxes to form a product cipher, as shown in diagram.

In this example, 12 input lines are transposed (i.e., permuted) by the first stage (P1). Theoretically, it would be possible to have the second stage be an S-box that mapped a 12-bit number onto another 12-bit number. However, such a device would need 212 = 4096 crossed wires in its middle stage. Instead, the input is broken up into four groups of 3 bits, each of which is substituted independently of the others.

Product ciphers that operate on k-bit inputs to produce k-bit outputs are very common. Typically, k is 64 to 256.

A software implementation is programmed as a loop with at least 8 iterations, each one performing S-box-type substitutions on sub blocks of the 64- to 256-bit data block, followed by a permutation that mixes the outputs of the S-boxes.

Often there is a special initial permutation and one at the end as well. In the literature, the iterations are called rounds.

Data Encryption Standard One example of a complex block cipher is the Data Encryption

Standard (DES). This cipher, DES (Data Encryption Standard). DES was designed by IBM and adopted by the U.S. government

in January 1977, as the standard encryption method for nonmilitary and non classified use (i.e. unclassified information).

The algorithm encrypts a 64-bit plaintext block using a 64-bit key.

DES has two transposition blocks (P-boxes) and 16 complex round ciphers (they are repeated). Although the 16 iteration round ciphers are conceptually the same, each uses a different key derived from the original key.

The initial and final permutations are keyless straight permutations that are the inverse of each other.

The permutation takes a 64-bit input and permutes them according to predefined values.

Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of ciphertext.

The key length is 56 bits. (The key is usually written as a 64-bit number, but every eight bit is used for parity checking and is discarded when the key is loaded into the DES algorithm. It has 19 distinct stages.

The first stage is a key-independent transposition on the 64-bit plaintext.

The last stage is the exact inverse of this transposition. The stage prior to the last one exchanges the leftmost 32 bits with the rightmost 32 bits.

The remaining 16 stages are functionally identical but are parameterized by different functions of the key.

The algorithm has been designed to allow decryption to be done with the same key as encryption, a property needed in any symmetric-key algorithm.

The steps are just run in the reverse order.

Data Encryption Standard

Each stage takes two 32-bit inputs and produces two 32-bit outputs.

The left output is simply a copy of the right input.

The right output is the bitwise XOR of the left input and a function of the right input and the key for this stage, Ki.

DES Function The function consists of four steps,

carried out in sequence. First, a 48-bit key (number), E, is

constructed by expanding the 32-bit Ri – 1 according to a fixed transposition and duplication rule.

Second, E and Ki are XORed together.

This output is then partitioned into eight groups of 6 bits each, each of which is fed into a different S-box.

Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output.

Finally, these 8 x 4 bits are passed through a P-box.

In each of the 16 iterations, a different key is used. Before the algorithm starts, a 56-bit transposition is applied to

the key. Just before each iteration, the key is partitioned into two 28-bit

units, each of which is rotated left by a number of bits dependent on the iteration number.

Ki is derived from this rotated key by applying yet another 56-bit transposition to it.

A different 48-bit subset of the 56 bits is extracted and permuted on each round.

A technique that is sometimes used to make DES stronger is called whitening.

It consists of XORing a random 64-bit key with each plaintext block before feeding it into DES and then XORing a second 64-bit key with the resulting cipher text before transmitting it.

Whitening can easily be removed by running the reverse operations (if the receiver has the two whitening keys).

Since this technique effectively adds more bits to the key length, it makes exhaustive search of the key space much more time consuming.

Note that the same whitening key is used for each block (i.e., there is only one whitening key).

DES has been enveloped in controversy since the day it was launched.

It was based on a cipher developed and patented by IBM, called Lucifer, except that IBM's cipher used a 128-bit key instead of a 56-bit key.

When the U.S. Federal Government wanted to standardize on one cipher for unclassified use, it ''invited'' IBM to ''discuss'' the matter with NSA, the U.S. Government's code-breaking arm, which is the world's largest employer of mathematicians and cryptologists.

NSA is so secret that an industry joke goes: Q.1 What does NSA stand for?A1: No Such Agency. Actually, NSA stands for National Security Agency. IBM reduced the key from 128 bits to 56 bits and decided to

keep secret the process by which DES was designed. Many people suspected that the key length was reduced to

make sure that NSA could just break DES, but no organization with a smaller budget could.

The point of the secret design was supposedly to hide a back door that could make it even easier for NSA to break DES.

When an NSA employee discreetly told IEEE to cancel a planned conference on cryptography, that did not make people any more comfortable.

NSA denied everything. In 1977, two Stanford cryptography researchers, Diffie and

Hellman (1977), designed a machine to break DES and estimated that it could be built for 20 million dollars.

Given a small piece of plaintext and matched ciphertext, this machine could find the key by exhaustive search of the 256-entry key space in under 1 day.

Nowadays, such a machine would cost well under 1 million dollars.

Triple DES

As early as 1979, IBM realized that the DES key length was too short (i.e. the key is too short.).

To lengthen the key (i.e. to effectively increase it), Triple DES or 3DES has been proposed and implemented.

This uses three DES blocks, as shown in diagram. In this mechanism, two keys and three stages are used. The encrypting block uses an encryption-decryption-

encryption combination of DESs, while the decryption block uses a decryption-encryption-decryption combination.

OR In the first stage, the plaintext is encrypted using DES in the

usual way with K1. In the second stage, DES is run in decryption mode, using K2 as the key. Finally, another DES encryption is done with K1.

Two different versions of 3DES are in use: 3DES with two keys and 3DES with three keys.

This design immediately gives rise to two questions. First, why are only two keys used, instead of three? Second, why is EDE (Encrypt Decrypt Encrypt) used, instead of

EEE (Encrypt Encrypt Encrypt)? To make the key size 112 bits (i.e. the most paranoid

cryptographers believer that 112 bits is adequate for routine commercial applications for the time being) and at the same time protect DES from attacks such as the man-in-the-middle attack, 3DES with two keys was designed.

And among cryptographers, paranoia is considered a feature, not a bug.

In this version, the first and the third keys are the same (KeY1 = KeY3)'

This has the advantage in that a text encrypted by a single DES block can be decrypted by the new 3DES.

We just set all keys equal to KeY1‘ Many algorithms use a 3DES cipher with three keys.

This increases the size of the key to 168.It adds the unnecessary overhead of managing and transporting another key for little real gain.

The reason for encrypting, decrypting, and then encrypting again is backward compatibility with existing single-key DES systems.

Both the encryption and decryption functions are mappings between sets of 64-bit numbers.

From a cryptographic point of view, the two mappings are equally strong.

By using EDE instead of EEE, a computer using triple encryption can speak to one using single encryption by just setting K1 = K2.

This property allows triple encryption to be phased in gradually, something of no concern to academic cryptographers, but of considerable importance to IBM and its customers.

AES – The Advanced Encryption Standard

The Advanced Encryption Standard (AES) was designed because DES's key was too small.

Although Triple DES (3DES) increased the key size, the process was too slow.

AES is a very complex round cipher. Rules for AES proposals1. The algorithm must be a symmetric block cipher.2. The full design must be public.3. Key lengths of 128, 192, and 256 bits supported.4. Both software and hardware implementations required5. The algorithm must be public or licensed on equal terms.

In August 1998, NIST selected five finalists primarily on the basis of their security, efficiency, simplicity, flexibility, and memory requirements (important for embedded systems).

The finalists and their scores were as follows:1. Rijndael (from Joan Daemen and Vincent Rijmen, 86 votes).2. Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen, 59

votes).3. Twofish (from a team headed by Bruce Schneier, 31 votes).4. RC6 (from RSA Laboratories, 23 votes).5. MARS (from IBM, 13 votes).

In October 2000, The National Institute of Standards and Technology (NIST) chose the Rijndael algorithm, named after its two Belgian inventors, Vincent Rijmen and Joan Daemen, as the basis of AES.

The name Rijndael, pronounced Rhine-doll (more or less), is derived from the last names of the authors: Rijmen + Daemen.

In November 2001 Rijndael became a U.S. Government standard published as Federal Information Processing Standard FIPS 197.

Rijndael supports key lengths and block sizes from 128 bits to 256 bits in steps of 32 bits.

The key length and block length may be chosen independently. However, AES specifies that the block size must be 128 bits and

the key length must be 128, 192, or 256 bits. It is doubtful that anyone will ever use 192-bit keys, so de facto,

AES has two variants: a 128-bit block with 128-bit key and a 128-bit block with a 256-bit key.

In our treatment of the algorithm below, we will examine only the 128/128 case because this is likely to become the commercial norm.

A 128-bit key gives a key space of 2128 3 x 1038 keys. Even if NSA manages to build a machine with 1 billion parallel

processors, each being able to evaluate one key per picosecond, it would take such a machine about 1010 years to search the key space.

By then the sun will have burned out, so the folks then present will have to read the results by candlelight.

AES (2) AES is designed with three key sizes: 128, 192, or 256 bits.

Rijndael Like DES, Rijndael uses substitution and permutations, and it

also uses multiple rounds. The number of rounds depends on the key size and block size,

being 10 for 128-bit keys with 128-bit blocks and moving up to 14 for the largest key or the largest block.

However, unlike DES, all operations involve entire bytes, to allow for efficient implementations in both hardware and software.

An outline of the code is given in the next slide (program). The function rijndael has three parameters. They are: plaintext, an array of 16 bytes containing the input

data. A ciphertext, an array of 16 bytes where the enciphered

output will be returned And key, the 16-byte key. During the calculation, the current state of the data is

maintained in a byte array, state, whose size is NROWS x NCOLS.

For 128-bit blocks, this array is 4 x 4 bytes. With 16 bytes, the full 128-bit data block can be stored.

Creating of the state and rk arrays.

The state array is initialized to the plaintext and modified by every step in the computation.

In some steps, byte-for-byte substitution is performed. In others, the bytes are permuted within the array. Other transformations are also used. At the end, the contents of the state are returned as the cipher

text. The code starts out by expanding the key into 11 arrays of the

same size as the state. They are stored in rk, which is an array of structs, each

containing a state array. One of these will be used at the start of the calculation and the

other 10 will be used during the 10 rounds, one per round. The calculation of the round keys from the encryption key is too

complicated for us to get into here. Suffice it to say that the round keys are produced by repeated

rotation and XORing of various groups of key bits.

The next step is to copy the plaintext into the state array so it can be processed during the rounds. It is copied in column order, with the first four bytes going into column 0, the next four bytes going into column 1, and so on. Both the columns and the rows are numbered starting at 0, although the rounds are numbered starting at 1. This initial setup of the 12 byte arrays of size 4 x 4 is illustrated in given diagram:

There is one more step before the main computation begins: rk[0] is XORed into state byte for byte.

In other words each of the 16 bytes in state is replaced by the XOR of itself and the corresponding byte in rk[0].

1) Step 1 does a byte-for-byte substitution on state. This step is a straight monoalphabetic substitution cipher.

2) Step 2 rotates each of the four rows to the left. Row 0 is rotated 0 bytes (i.e., not changed), row 1 is rotated 1 byte, row 2 is rotated 2 bytes, and row 3 is rotated 3 bytes.

3) Step 3 mixes up each column independently of the other ones. The mixing is done using matrix multiplication in which the new column is the product of the old column and a constant matrix.

4) step 4 XORs the key for this round into the state array.

The algorithm has been designed not only for great security, but also for great speed. A good software implementation on a 2-GHz machine should be able to achieve an encryption rate of 700 Mbps, which is fast enough to encrypt over 100 MPEG-2 videos in real time. Hardware implementations are faster still.

The general structure is shown in given diagram. There is an initial XOR operation followed by 10 round ciphers. The last round is slightly different from the preceding rounds; it

is missing one operation. Although the 10 iteration blocks are almost identical, each uses

a different key derived from the original key.

1) IDEA The International Data Encryption Algorithm (IDEA) was developed by Xuejia Lai and James Massey. The block size is 64 and the key size is 128. It can be implemented in both hardware and software.

2) Blowfish Blowfish was developed by Bruce Schneier. The block size is 64 and the key size between 32 and 448.

3) CAST-128 CAST-128 was developed by Carlisle Adams and Stafford Tavares. It is a Feistel cipher with 16 rounds and a block size of 64 bits; the key size is 128 bits.

4) RC5 RC5 was designed by Ron Rivest. It is a family of ciphers with different block sizes, key sizes, and numbers of rounds.

Algorithm (Cipher) Mode

An algorithm mode is a combination of a series of the basic steps carried out on block cipher and some kind of feedback from the previous step.

1. ECB – Electronic Code Book Mode2. CBC - Cipher Block Chaining Mode3. CFB – Cipher Feedback Mode4. OFB – Output Feedback Mode

Electronic Code Book Mode The electronic code book (ECB) mode is a purely block cipher technique. It is the simplest mode of

operation. In which, incoming plain text is divided into block of 64 bit each. Each block is then encrypted independently of other block. At receiver’s end all incoming cipher text is divided into 64 bit block and same key used for decryption to

retrieve plain text. In general we can say that, The plaintext is divided into blocks of N bits. The ciphertext is made of blocks of

N bits. The value of N depends on the type of cipher used.

Plain text

KEY1

Encrypt

Cipher Text

Plain text

KEY2

Encrypt

Cipher Text

Plain text

KEYn

Encrypt

Cipher Text

If plain text repeat same block then cipher text also repeats the same block because of same key used for encrypt.

So it suitable for encrypt and decrypt small message where scope for the repeating text is quite less

Cipher text

KEY1

Decrypt

Plain Text

Cipher text

KEY1

Decrypt

Plain Text

Cipher text

KEY1

Decrypt

Plain Text

• We mention four characteristics of this mode:1. Because the key and the encryption/decryption algorithm are the

same, equal blocks in the plaintext become equal blocks in the ciphertext. For example, if plaintext blocks 1, 5, and 9 are the same, ciphertext blocks 1, 5, and 9 are also the same.This can be a security problem; the adversary can guess that the plaintext blocks are the same if the corresponding ciphertext blocks are the same.

2. If we reorder the plaintext block, the ciphertext is also reordered.3. Blocks are independent of each other. Each block is encrypted or

decrypted independently. A problem in encryption or decryption of a block does not affect other blocks.

4. An error in one block is not propagated to other blocks. If one or more bits are corrupted during transmission, it only affects the bits in the corresponding plaintext after decryption. Other plaintext blocks are not affected. This is a real advantage if the channel is not noise-free.

Cipher Block Chaining Mode The cipher block chaining (CBC) mode tries to improve some

of the problems in ECB by including the previous cipher block in the preparation of the current block.

This mode ensure that even if a block of plain text repeats in the input, these two identical text block yield totally different cipher text block in the output. For this feedback mechanism is used.

In this method, shown in below diagram, each plaintext block is XORed with the previous ciphertext block before being encrypted.

Consequently, the same plaintext block no longer maps onto the same ciphertext block, and the encryption is no longer a big monoalphabetic substitution cipher.

The first block is XORed with a randomly chosen IV (Initialization Vector), which is transmitted (in plaintext) along with the ciphertext.

We start out by computing C0 = E(P0 XOR IV). Then we compute C1 = E(P1 XOR C0), and so on. Decryption also uses XOR to reverse the process, with P0 = IV

XOR D(C0), and so on. The encryption of block i is a function of all the plaintext in

blocks 0 through i - 1, so the same plaintext generates different ciphertext depending on where it occurs.

Cipher block chaining also has the advantage that the same plaintext block will not result in the same ciphertext block, making cryptanalysis more difficult.

In fact, this is the main reason it is used.

If the current block is i, the previous ciphertext block Ci- 1 is included in the encryption of block i.

In other words, when a block is completely enciphered, the block is sent, but a copy of it is kept in a register (a place where data can be held) to be used in the encryption of the next block.

The reader may wonder about the initial block. There is no ciphertext block before the first block.

In this case, a fake block called the initiation vector (IV) is used. Both the sender and receiver agree upon a specific

predetermined IV.

In other words, the IV is used instead of the nonexistent C0, diagram shows the CBC mode.

The reader may wonder about the decryption. Does the configuration shown in the figure guarantee the

correct decryption? It can be proven that it does. The following are some characteristics of CBC.1. Even though the key and the encryption/decryption algorithm

are the same, equal blocks in the plaintext do not become equal blocks in the ciphertext. For example, if plaintext blocks 1, 5, and 9 are the same, ciphertext blocks 1, 5, and 9 will not be the same. An adversary will not be able to guess from the ciphertext that two blocks are the same.

2. Blocks are dependent on each other. Each block is encrypted or decrypted based on a previous block. A problem in encryption or decryption of a block affects other blocks.

3. The error in one block is propagated to the other blocks. If one or more bits are corrupted during the transmission, it affects the bits in the next blocks of the plaintext after decryption.

However, cipher block chaining has the disadvantage of requiring an entire 64-bit block to arrive before decryption can begin. For use with interactive terminals, where people can type lines shorter than eight characters and then stop, waiting for a response, this mode is unsuitable.

Cipher feed back mode

For byte-by-byte encryption, cipher feedback mode, using (triple) DES is used as shown in diagram.

For AES the idea is exactly the same, only a 128-bit shift register is used. In this diagram, the state of the encryption machine is shown after bytes 0 through 9 have been encrypted and sent.When plaintext byte 10 arrives, as illustrated in diagram(a), the DES algorithm operates on the 64-bit shift register to generate a 64-bit ciphertext.

The leftmost byte of that ciphertext is extracted and XORed with P10.

That byte is transmitted on the transmission line. In addition, the shift register is shifted left 8 bits, causing C2 to

fall off the left end, and C10 is inserted in the position just vacated at the right end by C9.

Note that the contents of the shift register depend on the entire previous history of the plaintext, so a pattern that repeats multiple times in the plaintext will be encrypted differently each time in the ciphertext.

As with cipher block chaining, an initialization vector is needed to start the ball rolling.

Decryption with cipher feedback mode just does the same thing as encryption.

In particular, the content of the shift register is encrypted, not decrypted, so the selected byte that is XORed with C10 to get P10 is the same one that was XORed with P10 to generate C10 in the first place.

As long as the two shift registers remain identical, decryption works correctly. It is illustrated in diagram(b).

Cipher Feedback Mode The cipher feedback (CFB) mode was created for those situations

in which we need to send or receive r bits of data, where r is a number different from the underlying block size of the encryption cipher used.

The value of r can be 1, 4, 8, or any number of bits. Since all block ciphers work on a block of data at a time, the

problem is how to encrypt just r bits. The solution is to let the cipher encrypt a block of bits and use

only the first r bits as a new key (stream key) to encrypt the r bits of user data.

As shown in the diagram the configuration. The following are some characteristics of the CFB mode:1. If we change the IV from one encryption to another using the

same plaintext, the ciphertext is different.2. The ciphertext Ci depends on both Pi and the preceding ciphertext

block.3. Errors in one or more bits of the ciphertext block affect the next

ciphertext blocks.

Not all applications can work on block of data, security is also required for applications which is character oriented for this we are using Cipher Feedback Mode.

It operated on 8 bit data (a single character).Step 1: 64 bit Initialization Vector (IV) is used which is

kept on 64 bit shift register. Using encryption we are obtaining 64 bit cipher IV.

Step 2: The leftmost 8 bits of the encrypted IV are XORed with first j bits of plain text. It produces first

portion of Cipher Text (C) which is transmitted to Receiver.

Step 3: Now IV is left shifted j bits so the rightmost j positions of IV are now contain unpredictable values. This values are filled with C.

Step 4: Now, Steps 1 to 3 are continue until all the plain text are encrypted.

A problem with cipher feedback mode is that if one bit of the ciphertext is accidentally inverted during transmission, the 8 bytes that are decrypted while the bad byte is in the shift register will be corrupted.

Once the bad byte is pushed out of the shift register, correct plaintext will once again be generated.

Thus, the effects of a single inverted bit are relatively localized and do not ruin the rest of the message, but they do ruin as many bits as the shift register is wide.

Output Feedback Mode The output feedback (OFB) mode is very similar to the CFB

mode with one difference. Each bit in the ciphertext is independent of the previous bit or

bits. This avoids error propagation. If an error occurs in

transmission, it does not affect the future bits. As in CFB, both the sender and the receiver use the encryption

algorithm. AS in OFB, block ciphers such as DES or AES can only be used

to create the key stream. The feedback for creating the next bit stream comes from the

previous bits of the key stream instead of the ciphertext. The ciphertext does not take part in creating the key stream.

diagram shows the OFB mode. The following are some of the characteristics of the OFB mode. 1. If we change the IV from one encryption to another using the

same plaintext, the ciphertext will be different.2. The ciphertext Ci depends on the plaintext Pi'3. Errors in one or more bits of the ciphertext do not affect future

ciphertext blocks.

Output Feedback Mode

Stream Cipher Mode However, applications exist in which having a 1-bit

transmission error confusion up 64 bits of plaintext is too large an effect.

For these applications, a fourth option, stream cipher mode, exists.

It works by encrypting an initialization vector, using a key to get an output block.

The output block is then encrypted, using the key to get a second output block.

This block is then encrypted to get a third block, and so on. The (arbitrarily large) sequence of output blocks, called the

keystream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext, as shown in diagram(a).

Note that the IV is used only on the first step. After that, the output is encrypted. Also note that the keystream is independent of the data, so it

can be computed in advance, if need be, and is completely insensitive to transmission errors. Decryption is shown in diagram(b).

Decryption occurs by generating the same keystream at the receiving side.

Since the keystream depends only on the IV and the key, it is not affected by transmission errors in the ciphertext.

Thus, a 1-bit error in the transmitted ciphertext generates only a 1-bit error in the decrypted plaintext.

It is essential never to use the same (key, IV) pair twice with a stream cipher because doing so will generate the same keystream each time.

Using the same keystream twice exposes the ciphertext to a keystream reuse attack.

Imagine that the plaintext block, P0, is encrypted with the keystream to get P0 XOR K0. Later, a second plaintext block, Q0, is encrypted with the same keystream to get Q0 XOR K0.

An intruder who captures both of these ciphertext blocks can simply XOR them together to get P0 XOR Q0, which eliminates the key.

The intruder now has the XOR of the two plaintext blocks. If one of them is known or can be guessed, the other can also be

found. In any event, the XOR of two plaintext streams can be attacked

by using statistical properties of the message. For example, for English text, the most common character in the

stream will probably be the XOR of two spaces, followed by the XOR of space and the letter ''e'', etc.

In short, equipped with the XOR of two plaintexts, the cryptanalyst has an excellent chance of deducing both of them.

Counter Mode One problem that all the modes except electronic code book

mode have is that random access to encrypted data is impossible.

For example, suppose a file is transmitted over a network and then stored on disk in encrypted form.

his might be a reasonable way to operate if the receiving computer is a notebook computer that might be stolen.

Storing all critical files in encrypted form greatly reduces the damage due to secret information leaking out in the event that the computer falls into the wrong hands.

However, disk files are often accessed in non sequential order, especially files in databases.

With a file encrypted using cipher block chaining, accessing a random block requires first decrypting all the blocks ahead of it, an expensive proposition.

For this reason, yet another mode has been invented, counter mode, as illustrated in diagram.

Here the plaintext is not encrypted directly. Instead, the initialization vector plus a constant is encrypted,

and the resulting ciphertext XORed with the plaintext. By stepping the initialization vector by 1 for each new block, it is easy to decrypt a block anywhere in the file without first having to decrypt all of its predecessors.

Although counter mode is useful, it has a weakness that is worth pointing out.

Suppose that the same key, K, is used again in the future (with a different plaintext but the same IV) and an attacker acquires all the ciphertext from both runs.

The keystreams are the same in both cases, exposing the cipher to a keystream reuse attack of the same kind we saw with stream ciphers.

All the cryptanalyst has to do is to XOR the two ciphertexts together to eliminate all the cryptographic protection and just get the XOR of the plaintexts.

This weakness does not mean counter mode is a bad idea. It just means that both keys and initialization vectors should be chosen independently and at random.

Even if the same key is accidentally used twice, if the IV is different each time, the plaintext is safe.

Other Ciphers

Cryptanalysis The first development is differential cryptanalysis. This technique can be used to attack any block cipher. It works by beginning with a pair of plaintext blocks that differ

in only a small number of bits and watching carefully what happens on each internal iteration as the encryption proceeds.

In many cases, some bit patterns are much more common than other patterns, and this observation leads to a probabilistic attack.

The second development worth noting is linear cryptanalysis. It can break DES with only 243 known plaintexts.

It works by XORing certain bits in the plaintext and ciphertext together and examining the result for patterns.

When this is done repeatedly, half the bits should be 0s and half should be 1s.

Often, however, ciphers introduce a bias in one direction or the other, and this bias, however small, can be exploited to reduce the work factor.

The third development is using analysis of the electrical power consumption to find secret keys. Computers typically use 3 volts to represent a 1 bit and 0 volts to represent a 0 bit.

Thus, processing a 1 takes more electrical energy than processing a 0.

If a cryptographic algorithm consists of a loop in which the key bits are processed in order, an attacker who replaces the main n-GHz clock with a slow (e.g., 100-Hz) clock and puts alligator clips on the CPU's power and ground pins, can precisely monitor the power consumed by each machine instruction. From this data, deducing the key is surprisingly easy.

This kind of cryptanalysis can be defeated only by carefully coding the algorithm in assembly language to make sure power consumption is independent of the key and also independent of all the individual round keys.

The fourth development is timing analysis. Cryptographic algorithms are full of if statements that test bits

in the round keys. If the then and else parts take different amounts of time, by

slowing down the clock and seeing how long various steps take, it may also be possible to deduce the round keys.

Once all the round keys are known, the original key can usually be computed.

Power and timing analysis can also be employed simultaneously to make the job easier. While power and timing analysis may seem exotic, in reality they are powerful techniques that can break any cipher not specifically designed to resist them.

•

Public-Key Algorithms

• RSA

RSA It is known by the initials of the three discoverers (Rivest,

Shamir, Adleman): RSA It is most popular and proven asymmetric key cryptography

algorithm. Prime Number: a prime number is the one which is divisible

only by 1 and itself. So 3 is prime number because it is only divisible by 1 and itself.

RSA is based on the mathematical fact that is easy to find and multiply large prime numbers together.

The private and public keys in RSA are based on very large (more digits) prime numbers.

The real challenge in RSA is generating and selecting public and private key.

Its major disadvantage is that it requires keys of at least 1024 bits for good security (versus 128 bits for symmetric-key algorithms), which makes it quite slow.

1. Choose two large prime numbers P and Q (typically 1024 bits)

2. Calculate N=P X Q3. Select the public key (Encryption) E such that it is not factor

of (P-1) and (Q-1)4. Select the private key (Decryption) D such that the following

equation is true.(D X E) mod (P-1)X(Q-1)=1

For Encryption Calculate CT from Plain Text PT as follow:CT=PTE mod NFor Decryption Calculate PT from Cipher Text as follow:PT=CTD mod N

• To encrypt a message, P, compute C = Pe (mod n). To decrypt C, compute P = Cd (mod n).

• It can be proven that for all P in the specified range, the encryption and decryption functions are inverses.

• To perform the encryption, we need e and n. • To perform the decryption, we need d and n. • Therefore, the public key consists of the pair (e, n), and the

private key consists of (d, n).

Documents

UNIT -8 NETWORK SECURITY. Need of Security For the first few decades computer networks were primarily used by university researchers for sending e-mail