
Chapter 2

Conventional Encryption and Message Confidentiality


Conventional Encryption

A conventional encryption scheme has five ingredients:

Plaintext: This is the original message or data that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
Secret key: The secret key is also input to the algorithm. The exact substitutions and transformations performed by the algorithm depend on the key.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts.
Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.

There are two requirements for secure use of conventional encryption:
1. The encryption algorithm must be strong enough that an opponent who knows the algorithm and has access to one or more ciphertexts is still unable to decipher the ciphertext or figure out the key.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure.

[Note 1: The security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm. That is, it is assumed that it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm. It is not necessary to keep the algorithm secret; only the key must be kept secret.]


Because the algorithm need not be kept secret, manufacturers can and have developed low-cost chip implementations of data encryption algorithms. These chips are widely available and incorporated into a number of products.

Cryptography

Cryptographic systems are generically classified along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (that is, that all operations be reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.
2. The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption. If the sender and receiver each use a different key, the system is referred to as asymmetric, two-key, or public-key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

Cryptanalysis

The process of attempting to discover the plaintext or key is known as cryptanalysis. There are different cryptanalytic attacks. In a ciphertext-only attack, a brute-force approach is used by trying all possible keys on a ciphertext. If the key space is very large, this becomes impractical. Thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it.
To use this approach, the opponent must have some general idea of the type of plaintext that is concealed, such as English or French text, an MS-DOS EXE file, a Java source listing, an accounting file, and so on. In many cases, however, the analyst has more information. The analyst may be able to capture one or more plaintext messages as well as their encryptions. Or the analyst may know that certain plaintext patterns will appear in a message. For example, a file that is encoded in the PostScript format always begins with the same pattern, or there may be a standardized header or banner to an electronic funds transfer message, and so on. All these are examples of a known-plaintext attack. With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed. In a probable-word attack, if the opponent is working with the encryption of some general text message, he or she may have little knowledge of what is in the message. However, if the opponent is after some specific information, then parts of the message may be known. For example, if an entire accounting file is being transmitted, the opponent may know the placement of certain key words in the header of the file. As another example, the source code for a program developed by a corporation might include a copyright statement in some standardized position. If the analyst is somehow able to get the source system to insert into the system a message chosen by the analyst, then a chosen-plaintext attack is possible.


An encryption scheme is computationally secure if the ciphertext generated by the scheme meets one or both of the following criteria:
o The cost of breaking the cipher exceeds the value of the encrypted information.
o The time required to break the cipher exceeds the useful lifetime of the information.

A brute-force approach involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. On average, half of all possible keys must be tried to achieve success. The table below shows how much time is involved for various key sizes.

Key Size (bits)   Number of Alternative Keys    Time Required at 10^6 Decryptions/µs
32                2^32  = 4.3 x 10^9            2.15 milliseconds
56                2^56  = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38           5.4 x 10^18 years
168               2^168 = 3.7 x 10^50           5.9 x 10^30 years

Table: Average Time Required for Exhaustive Key Search

Feistel Cipher Structure

Virtually all conventional block encryption algorithms have a structure first described by Horst Feistel of IBM in 1973, shown in Figure 2.2. The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L_0 and R_0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs L_{i-1} and R_{i-1}, derived from the previous round, as well as a subkey K_i, derived from the overall key K. In general, the subkeys K_i are different from K and from each other and are generated from the key by a subkey generation algorithm. All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR (XOR) of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey K_i. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data.


The parameters in the design of a Feistel network are:
Block size: Larger block sizes mean greater security but reduced encryption/decryption speed. A block size of 64 bits is a reasonable tradeoff and is nearly universal in block cipher design.
Key size: A larger key size means greater security but may decrease encryption/decryption speed. The most common key length in modern algorithms is 128 bits.
Number of rounds: A single round offers inadequate security, but multiple rounds offer increasing security. A typical size is 16 rounds.
Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
Round function: Greater complexity generally means greater resistance to cryptanalysis.
Fast software encryption/decryption: In many cases encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation. Accordingly, the speed of execution of the algorithm becomes a concern.

Ease of analysis: If the algorithm can be briefly and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore to develop a higher level of assurance as to its strength.

Decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order. That is, use K_n in the first round, K_{n-1} in the second round, and so on until K_1 is used in the last round. Because of this feature it is not necessary to implement two different algorithms, one for encryption and one for decryption.

Data Encryption Standard (DES)

A general representation of the DES encryption algorithm is shown below.
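To make the reversed-subkey rule concrete, here is an added example (not from the original text) of a toy Feistel network in Go: 16 rounds on a 64-bit block split into two 32-bit halves, using the round relations L_i = R_{i-1} and R_i = L_{i-1} XOR F(R_{i-1}, K_i) that a single DES round also follows. The round function, the key schedule, the sample key and the sample block are all assumptions chosen for illustration; the structure is the point, not the strength of this particular F.

```go
package main

import "fmt"

// Number of rounds; the text calls 16 a typical choice.
const rounds = 16

// roundF is the round function F(R, K). Its only job here is to mix bits;
// it is a deliberately simple stand-in (an assumption, not the DES F function).
// The Feistel structure never needs F to be invertible.
func roundF(r, k uint32) uint32 {
	x := (r + k) * 0x9E3779B1
	x ^= x >> 15
	x += k ^ (x << 7)
	return x
}

// subkeys derives K_1..K_n from the 64-bit key with a toy key schedule
// (rotate and fold); real ciphers use a much more careful schedule.
func subkeys(key uint64) []uint32 {
	ks := make([]uint32, rounds)
	for i := range ks {
		key = (key << 11) | (key >> 53) // rotate the key left by 11 bits
		ks[i] = uint32(key) ^ uint32(key>>32) ^ uint32(i)*0x01010101
	}
	return ks
}

// feistel runs the rounds in the order the subkeys are supplied:
//   L_i = R_{i-1}
//   R_i = L_{i-1} XOR F(R_{i-1}, K_i)
// and finishes with the interchange of the two halves. The same routine
// encrypts with K_1..K_n and decrypts with K_n..K_1.
func feistel(block uint64, ks []uint32) uint64 {
	l := uint32(block >> 32)
	r := uint32(block)
	for _, k := range ks {
		l, r = r, l^roundF(r, k)
	}
	return uint64(r)<<32 | uint64(l) // final swap of the halves
}

func encrypt(block, key uint64) uint64 {
	return feistel(block, subkeys(key))
}

// decrypt reverses the subkey order: K_n in the first round, K_1 in the last.
func decrypt(block, key uint64) uint64 {
	ks := subkeys(key)
	rev := make([]uint32, len(ks))
	for i, k := range ks {
		rev[len(ks)-1-i] = k
	}
	return feistel(block, rev)
}

func main() {
	key := uint64(0x0123456789ABCDEF)   // constructed sample key
	plain := uint64(0x4E6F772069732074) // "Now is t" as one 64-bit block
	ct := encrypt(plain, key)
	fmt.Printf("plaintext  %016X\nciphertext %016X\nrecovered  %016X\n",
		plain, ct, decrypt(ct, key))
}
```

Note that decrypt never inverts F; it only feeds the same subkeys in the opposite order, which is why one routine serves both directions, exactly as the text says for Feistel ciphers and for DES.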

DES is the most widely used encryption scheme. The plaintext is 64 bits in length and the key is 56 bits in length; plaintexts are processed in 64-bit blocks. The first portion of the figure shows the processing of the plaintext, which proceeds in three phases. First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. This is followed by a phase consisting of 16 iterations of the same function. The output of the last (sixteenth) iteration consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the pre-output. Finally, the pre-output is passed through a permutation (IP^-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext. The other portion of the figure shows the way in which the 56-bit key is used. Initially, the key is passed through a permutation function. Then, for each of the 16 iterations, a subkey K_i is produced by the combination of a left circular shift and a permutation. The permutation function is the same for each iteration, but a different subkey is produced because of the repeated shifting of the key bits.

Single Round of DES Algorithm

The 64-bit permuted input passes through 16 iterations, producing an intermediate 64-bit value at the conclusion of each iteration. The left and right halves of each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right). The overall processing at each iteration can be summarized in the following formulas:

$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$

where $\oplus$ denotes the bitwise XOR function. Thus, the left-hand output of an iteration (L_i) is simply equal to the right-hand input to that iteration (R_{i-1}). The right-hand output (R_i) is the exclusive-OR of L_{i-1} and a complex function F of R_{i-1} and K_i. This complex function involves both permutation and substitution operations. The substitution operation, represented as tables called "S-boxes", simply maps each combination of 48 input bits into a particular 32-bit pattern. The 56-bit key is treated as two 28-bit quantities, labeled C_0 and D_0. At each iteration, C and D are separately subjected to a circular left shift, or rotation, of 1 or 2 bits. These shifted values serve as input to the next iteration. They also serve as input to another permutation function, which produces a 48-bit output that serves as input to the function F(R_{i-1}, K_i). The rule for the decryption process is as follows: use the ciphertext as input to the DES algorithm, but use the keys K_i in reverse order. That is, use K_16 on the first iteration, K_15 on the second iteration, and so on until K_1 is used on the sixteenth and last iteration.

The Strength of DES

Concerns about the strength of DES fall into two categories:
o The algorithm itself
o The use of a 56-bit key

Over the years, there have been numerous attempts to find and exploit weaknesses in the algorithm, making DES the most-studied encryption algorithm in existence. Despite numerous approaches, no one has so far succeeded in discovering a fatal weakness in DES. [Note 1: In July 1998, the Electronic Frontier Foundation (EFF) announced that a special-purpose "DES cracker" machine, built for less than $250,000, can break DES encryption. This attack took less than three days. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. If the text message has been compressed before encryption, then recognition is more difficult. If the message is some more general type of data, such as a numerical file, and this has been compressed, the problem becomes even more difficult to automate. Thus, to supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed.
The EFF approach introduces some automated techniques that would be effective in many contexts.] If brute force is the only attack available, then the size of the key determines how long the attack takes. If a DES cracker can perform one million decryptions per microsecond, then a DES code would take about 10 hours to crack. For a 128-bit key, by contrast, it would take over 10^18 years to break the code using the EFF cracker. Even if the cracker were sped up by a factor of 1 trillion (10^12), it would still take over 1 million years to break the code. So a 128-bit key is guaranteed to result in an algorithm that is unbreakable by brute force.

Triple DEA

Triple DEA (TDEA) was first proposed by Tuchman. TDEA uses three keys and three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence:

$C = E_{K3}[D_{K2}[E_{K1}[P]]]$

where
C = ciphertext
P = plaintext
E_K[X] = encryption of X using key K
D_K[Y] = decryption of Y using key K

[Figure: (a) Encryption. The three stages are keyed by K1, K2 and K3 in turn; the intermediate values after the first and second stages are labeled A and B.]

Decryption is the same operation with the keys reversed:

$P = D_{K1}[E_{K2}[D_{K3}[C]]]$

[Figure: (b) Decryption. The three stages are keyed by K3, K2 and K1 in turn, with intermediate values B and A.]

With three distinct keys, TDEA has an effective key length of 168 bits.
Advantages: TDEA is very resistant to cryptanalysis, because it is based on the cryptographic DEA algorithm. With a 168-bit key length, brute-force attacks are effectively impossible.
Disadvantages: TDEA is relatively slow in software. [The original DEA was designed for hardware implementation and does not produce efficient software code.] Both DEA and TDEA use a 64-bit block size. For reasons of efficiency and security, a larger block size is required.

Guidelines for TDEA

TDEA is a conventional encryption algorithm approved by FIPS. New procurements should support TDEA. Government organizations with old DEA systems are encouraged to transition to TDEA.

Advanced Encryption Standard (AES)

To overcome the drawbacks of TDEA, a new Advanced Encryption Standard was proposed. AES must be a symmetric block cipher with a block length of 128 bits, and it must support key lengths of 128, 192, and 256 bits. Evaluation criteria for AES include security, computational efficiency, memory requirements, hardware and software suitability, and flexibility.
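As an added example that is not from the text, the EDE sequence C = E_K3[D_K2[E_K1[P]]] and its inverse P = D_K1[E_K2[D_K3[C]]] written in Go against the standard library's single-DES primitive (crypto/des), with the standard library's own TripleDES used as a cross-check. The three 8-byte keys and the 8-byte block are constructed sample values; everything else is stdlib.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// threeDES builds the three single-DES instances keyed by K1, K2 and K3.
// des.NewCipher rejects any key that is not exactly 8 bytes.
func threeDES(k1, k2, k3 []byte) ([3]cipher.Block, error) {
	var blocks [3]cipher.Block
	for i, k := range [][]byte{k1, k2, k3} {
		b, err := des.NewCipher(k)
		if err != nil {
			return blocks, fmt.Errorf("key %d: %w", i+1, err)
		}
		blocks[i] = b
	}
	return blocks, nil
}

// tdeaEDE computes C = E_K3[D_K2[E_K1[P]]] on one 64-bit block.
func tdeaEDE(k1, k2, k3, p []byte) ([]byte, error) {
	b, err := threeDES(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	if len(p) != des.BlockSize {
		return nil, fmt.Errorf("input must be one %d-byte block", des.BlockSize)
	}
	out := make([]byte, des.BlockSize)
	b[0].Encrypt(out, p)   // E_K1
	b[1].Decrypt(out, out) // D_K2 (in place)
	b[2].Encrypt(out, out) // E_K3 (in place)
	return out, nil
}

// tdeaDED inverts it: P = D_K1[E_K2[D_K3[C]]], the same stages in reverse
// order with the opposite direction at each stage.
func tdeaDED(k1, k2, k3, c []byte) ([]byte, error) {
	b, err := threeDES(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	if len(c) != des.BlockSize {
		return nil, fmt.Errorf("input must be one %d-byte block", des.BlockSize)
	}
	out := make([]byte, des.BlockSize)
	b[2].Decrypt(out, c)   // D_K3
	b[1].Encrypt(out, out) // E_K2
	b[0].Decrypt(out, out) // D_K1
	return out, nil
}

// singleDES encrypts one block with plain DES, for comparison.
func singleDES(k, p []byte) ([]byte, error) {
	blk, err := des.NewCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	blk.Encrypt(out, p)
	return out, nil
}

// stdTripleDES cross-checks against crypto/des, which takes the 24-byte
// concatenation K1||K2||K3 and implements the same EDE construction.
func stdTripleDES(k1, k2, k3, p []byte) ([]byte, error) {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	blk.Encrypt(out, p)
	return out, nil
}

func main() {
	k1 := []byte("key-one!") // constructed 8-byte sample keys
	k2 := []byte("key-two!")
	k3 := []byte("key-3!!!")
	p := []byte("8 bytes!") // constructed sample block
	c, err := tdeaEDE(k1, k2, k3, p)
	if err != nil {
		panic(err)
	}
	ref, _ := stdTripleDES(k1, k2, k3, p)
	back, _ := tdeaDED(k1, k2, k3, c)
	fmt.Printf("C = %X (matches crypto/des TripleDES: %v)\nP = %q\n", c, bytes.Equal(c, ref), back)
}
```

With K1 = K2 = K3 the middle decryption cancels the first encryption and the construction collapses to a single DES encryption under that key; the hand-rolled composition and crypto/des agree on every block because they are the same EDE sequence.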

Other Symmetric Block Ciphers

International Data Encryption Algorithm (IDEA)
o IDEA was developed by Xuejia Lai and James Massey of the Swiss Federal Institute of Technology.
o It is a symmetric block cipher.
o It has 8 rounds.
o The key size is 128 bits.
o For the round function, IDEA does not use S-boxes but relies on three different mathematical operations: XOR, binary addition of 16-bit integers, and binary multiplication of 16-bit integers. These functions are combined in such a way as to produce a complex transformation that is very difficult to analyze and hence very difficult to cryptanalyze.
o The subkey generation algorithm relies only on the use of circular shifts but uses these in a complex way to generate a total of six subkeys for each round of IDEA.
o IDEA is highly resistant to cryptanalysis.
o IDEA is used in PGP and is also used in a number of commercial products.

Blowfish
o Blowfish was developed by Bruce Schneier.
o Its execution speed is high.
o It is also a very compact algorithm that can run in less than 5K of memory.
o The key length is variable and can be as long as 448 bits. Generally a 128-bit key is used.
o It uses 16 rounds.
o It uses variable (dynamic) S-boxes and the XOR function, but also uses binary addition.
o Blowfish is not suitable for applications in which the secret key changes frequently.
o Blowfish is used in a number of commercial applications.

RC5
o RC5 was developed by Ron Rivest.
o Suitable for hardware or software: RC5 uses only primitive computational operations commonly found on microprocessors.
o Fast: RC5 is a simple algorithm and is word oriented. The basic operations work on full words of data at a time.
o Adaptable to processors of different word lengths: The number of bits in a word is a parameter of RC5; different word lengths yield different algorithms.
o Variable number of rounds: The number of rounds is variable and can be as high as 255. This parameter allows a tradeoff between higher speed and higher security.
o Variable-length key: The key length is variable and can be as long as 2048 bits. This allows a tradeoff between speed and security.
o Simple: RC5's simple structure is easy to implement and simplifies the task of determining the strength of the algorithm.
o Low memory requirement: A low memory requirement makes RC5 suitable for smart cards and other devices with restricted memory.
o High security: RC5 is intended to provide high security with suitable parameters.
o Data-dependent rotations: RC5 incorporates rotations (circular bit shifts) whose amount is data dependent. This appears to strengthen the algorithm against cryptanalysis.
o RC5 is used in a number of products from RSA Data Security.

CAST-128
o CAST was designed by Carlisle Adams and Stafford Tavares.
o It makes use of a key size that varies from 40 bits to 128 bits in 8-bit increments.
o It uses fixed S-boxes that are large, very nonlinear and resistant to cryptanalysis.
o Subkeys are generated using S-boxes and are resistant to cryptanalysis.
o It uses 16 rounds.
o The round function used in CAST-128 differs from round to round, again adding to cryptanalytic strength.
o It is used in a number of products including PGP.

Cipher Block Modes of Operation

A symmetric block cipher processes one block of data at a time. In the case of DEA and TDEA, the block length is 64 bits. For longer amounts of plaintext, it is necessary to break the plaintext into 64-bit blocks (padding the last block if necessary). The simplest way to proceed is what is known as electronic codebook (ECB) mode, in which plaintext is handled 64 bits at a time and each block of plaintext is encrypted using the same key. The term codebook is used because, for a given key, there is a unique ciphertext for every 64-bit block of plaintext. In this codebook, there is an entry for every possible 64-bit plaintext pattern showing its corresponding ciphertext. With ECB, if the same 64-bit block of plaintext appears more than once in a message, it always produces the same ciphertext. Because of this, for lengthy messages, the ECB mode may not be secure. If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities. For example, if it is known that the message always starts out with certain predefined fields, then the cryptanalyst may have a number of known plaintext-ciphertext pairs to work with. This may help in the analysis or may provide an opportunity for substituting or rearranging blocks.

Two alternative modes produce different ciphertext blocks for the same plaintext block when it is repeated:
o Cipher Block Chaining (CBC) mode
o Cipher Feedback (CFB) mode

Cipher Block Chaining (CBC) Mode

In the cipher block chaining (CBC) mode, the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In this way the processing of the sequence of plaintext blocks is chained. For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block.

From the figure it is clear that

$C_i = E_K[C_{i-1} \oplus P_i]$

where $E_K[X]$ is the encryption of plaintext X using key K, and $\oplus$ is the exclusive-OR operation. Then

$D_K[C_i] = D_K[E_K[C_{i-1} \oplus P_i]]$
$D_K[C_i] = C_{i-1} \oplus P_i$
$C_{i-1} \oplus D_K[C_i] = C_{i-1} \oplus C_{i-1} \oplus P_i = P_i$

To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext. The IV must be known to both the sender and receiver. For maximum security, the IV should be protected as well as the key. This could be done by sending the IV using ECB encryption. CBC is widely used in security applications.

Cipher Feedback (CFB) Mode

It is possible to convert DES, a 64-bit block cipher, into a stream cipher using the cipher feedback (CFB) mode. A stream cipher eliminates the need to pad a message to be an integral number of blocks. It also can operate in real time. Thus, if a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher.
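An added example (not from the text) that implements ECB and CBC over DES in Go directly from the equations above: ECB encrypts each block independently, CBC computes C_i = E_K[C_{i-1} XOR P_i] with C_0 = IV, and CBC decryption recovers P_i = C_{i-1} XOR D_K[C_i]. Running both modes over a message with a repeated field shows the regularity ECB leaks and CBC hides. The key, IV and message are constructed sample values, and the padding check is the example's own (the text only says the last block must be padded).

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

const blockSize = des.BlockSize // 64 bits, the DEA/TDEA block size

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// checkPadded enforces what the text assumes: the caller has already split
// the plaintext into whole blocks, padding the last one if necessary.
func checkPadded(data []byte) error {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return fmt.Errorf("input must be a non-empty multiple of %d bytes (pad the last block first)", blockSize)
	}
	return nil
}

// ecbEncrypt: C_i = E_K[P_i]. Each block is encrypted independently, so equal
// plaintext blocks yield equal ciphertext blocks (the "codebook").
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if err := checkPadded(pt); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		blk.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct, nil
}

// cbcEncrypt: C_i = E_K[C_{i-1} XOR P_i] with C_0 = IV, so every ciphertext
// block depends on all preceding plaintext blocks.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockSize {
		return nil, fmt.Errorf("IV must be %d bytes", blockSize)
	}
	if err := checkPadded(pt); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	prev := iv
	for i := 0; i < len(pt); i += blockSize {
		blk.Encrypt(ct[i:i+blockSize], xorBlocks(prev, pt[i:i+blockSize]))
		prev = ct[i : i+blockSize]
	}
	return ct, nil
}

// cbcDecrypt: P_i = C_{i-1} XOR D_K[C_i], the derivation given in the text.
func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockSize {
		return nil, fmt.Errorf("IV must be %d bytes", blockSize)
	}
	if err := checkPadded(ct); err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	tmp := make([]byte, blockSize)
	prev := iv
	for i := 0; i < len(ct); i += blockSize {
		blk.Decrypt(tmp, ct[i:i+blockSize])
		copy(pt[i:i+blockSize], xorBlocks(prev, tmp))
		prev = ct[i : i+blockSize]
	}
	return pt, nil
}

// hasRepeatedBlocks reports whether any two blocks of data are identical,
// the regularity a cryptanalyst can see in an ECB ciphertext of structured data.
func hasRepeatedBlocks(data []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+blockSize <= len(data); i += blockSize {
		b := string(data[i : i+blockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	key := []byte("8bytekey")                  // constructed sample key
	iv := []byte("sampleIV")                   // constructed sample IV
	msg := bytes.Repeat([]byte("FIELD=00"), 3) // structured message with a repeated field
	ecb, _ := ecbEncrypt(key, msg)
	cbc, _ := cbcEncrypt(key, iv, msg)
	back, _ := cbcDecrypt(key, iv, cbc)
	fmt.Printf("ECB %X repeats=%v\nCBC %X repeats=%v\nCBC round trip ok: %v\n",
		ecb, hasRepeatedBlocks(ecb), cbc, hasRepeatedBlocks(cbc), bytes.Equal(back, msg))
}
```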


One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext. Thus, if 8-bit characters are being transmitted, each character should be encrypted using 8 bits. If more than 8 bits are used, transmission capacity is wasted. Figure 2.8 depicts the j-bit CFB mode scheme.

[Figure 2.8 (a): Encryption. For each unit, a 64-bit shift register (initially the IV; afterwards its previous contents shifted left by j bits with the previous ciphertext unit C_{M-1} in the rightmost j bits) is fed to DES Encrypt under the 64-bit key K. From the 64-bit output the leftmost j bits are selected and the remaining 64-j bits discarded; the selected j bits are XORed with plaintext unit P_1, P_2, ..., P_M to produce ciphertext unit C_1, C_2, ..., C_M.]


[Figure 2.8 (b): Decryption. The same shift register, DES Encrypt (under K) and select/discard stages are used; the selected j bits are XORed with ciphertext unit C_1, C_2, ..., C_M to recover P_1, P_2, ..., P_M, and each received ciphertext unit is shifted into the register.]

It is assumed that the unit of transmission is j bits; a common value is j = 8. As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext.

Encryption: The input to the encryption function is a 64-bit shift register that is initially set to some initialization vector (IV). The leftmost (most significant) j bits of the output of the encryption function are XORed with the first unit of plaintext P_1 to produce the first unit of ciphertext C_1, which is then transmitted. In addition, the contents of the shift register are shifted left by j bits and C_1 is placed in the rightmost (least significant) j bits of the shift register. This process continues until all plaintext units have been encrypted.

Decryption: The received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit. Note that it is the encryption function that is used, not the decryption function. This is easily explained. Let S_j(X) be defined as the most significant j bits of X. Then

$C_1 = P_1 \oplus S_j(E(IV))$

Therefore,

$P_1 = C_1 \oplus S_j(E(IV))$

The same reasoning holds for subsequent steps in the process.
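The j = 8 bit CFB scheme just described, as an added Go example that is not part of the text: a 64-bit shift register seeded with the IV, DES encryption of the register, the most significant 8 bits XORed with one unit, and the ciphertext unit shifted into the least significant 8 bits. Only the DES encryption function is called, in both directions; the two directions differ only in which byte (the produced or the received ciphertext unit) is fed back. Key, IV and message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// cfb8 runs 8-bit cipher feedback over DES. decrypt selects which byte is
// fed back into the shift register: the ciphertext just produced when
// encrypting, the ciphertext just received when decrypting.
func cfb8(key, iv, in []byte, decrypt bool) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blk.BlockSize() {
		return nil, fmt.Errorf("IV must be %d bytes, got %d", blk.BlockSize(), len(iv))
	}
	reg := append([]byte(nil), iv...) // 64-bit shift register, initially the IV
	ks := make([]byte, blk.BlockSize())
	out := make([]byte, len(in))
	for i, unit := range in {
		blk.Encrypt(ks, reg)  // E_K(register); encryption in both directions
		out[i] = unit ^ ks[0] // XOR with S_8(E_K(register)), the leftmost 8 bits
		fed := out[i]         // encrypting: feed back the ciphertext produced
		if decrypt {
			fed = unit // decrypting: feed back the ciphertext received
		}
		copy(reg, reg[1:])     // shift register left by 8 bits (copy handles overlap)
		reg[len(reg)-1] = fed // ciphertext unit into the rightmost 8 bits
	}
	return out, nil
}

func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	return cfb8(key, iv, plaintext, false)
}

func cfb8Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
	return cfb8(key, iv, ciphertext, true)
}

func main() {
	key := []byte("8bytekey")      // constructed sample key
	iv := []byte("sampleIV")       // constructed sample IV
	msg := []byte("13 characters") // not a multiple of 8 bytes: no padding needed
	ct, err := cfb8Encrypt(key, iv, msg)
	if err != nil {
		panic(err)
	}
	pt, _ := cfb8Decrypt(key, iv, ct)
	fmt.Printf("plaintext %d bytes, ciphertext %d bytes, recovered %q (%v)\n",
		len(msg), len(ct), pt, bytes.Equal(pt, msg))
}
```

The ciphertext is exactly as long as the plaintext, which is the stream-cipher property the text asks for, and a 13-byte message needs no padding. (Go's own cipher.NewCFBEncrypter uses full-block, 64-bit feedback for DES, which is why the j = 8 variant is written out by hand here.)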

Location of Encryption Devices

There are two questions when encryption is used for network security:
o What to encrypt.
o Where the encryption device should be located.

There are two fundamental alternatives:
o Link encryption
o End-to-end encryption
These are illustrated in use over a packet-switching network in Figure 2.9.

Link Encryption: Here, each vulnerable communications link is equipped on both ends with an encryption device. In a large network, this requires a lot of encryption devices, but it provides a high level of security. The drawback of this approach is that the message must be decrypted each time it enters a packet switch; this is necessary because the switch must read the address in the packet header to route the packet. Thus the message is vulnerable at each switch.

End-to-End Encryption: Here, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The destination shares a key with the source and so is able to decrypt the data. This approach would seem to secure the transmission against attacks on the network links or switches.

Suppose that the host encrypts the entire packet, including the header. The packet-switching node will receive an encrypted packet and be unable to read the header. Therefore, it will not be able to route the packet. Only the destination can decrypt the message. If the host encrypts only the data and leaves the header clear, then the header can be read by the network switches. Thus, with end-to-end encryption, the user data are secure. However, the traffic pattern is not secure, because packet headers are transmitted in the clear. To achieve greater security, both end-to-end and link encryption are needed. In this approach, the host encrypts the user data portion of a packet using an end-to-end encryption key. The entire packet is then encrypted using a link-encryption key. As the packet traverses the network, each switch decrypts the packet using the link-encryption key to read the header and then encrypts the entire packet again to send it out on the next link.

Key Distribution

For conventional encryption, the two parties to a secure exchange must have the same key, and that key must be protected from access by others. One simple way to distribute the key between two parties A and B is this: if A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B. Figure 2.10 illustrates an implementation of this idea that satisfies the end-to-end encryption requirement. For this scheme, two kinds of keys are identified:
Session key: When two end systems (hosts, terminals, etc.) wish to communicate, they establish a logical connection (e.g., a virtual circuit). For the duration of that logical connection, all user data are encrypted with a one-time session key. At the conclusion of the session, or connection, the session key is destroyed.
Permanent key: A permanent key is a key used between entities for the purpose of distributing session keys.

The configuration consists of the following elements:
Key distribution center (KDC): The key distribution center determines which systems are allowed to communicate with each other. When permission is granted for two systems to establish a connection, the key distribution center provides a one-time session key for that connection.
Front-end processor (FEP): The front-end processor performs end-to-end encryption and obtains session keys on behalf of its host or terminal.

The steps involved in establishing a connection are:
1. When one host wishes to set up a connection to another host, it transmits a connection-request packet.
2. The front-end processor saves that packet and applies to the KDC for permission to establish the connection.
3. If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate front-end processors, using a unique permanent key for each front end.
4. The requesting front-end processor can now release the connection-request packet, and a connection is set up between the two end systems.


[Note 2: The communication between the FEP and the KDC is encrypted using a master key shared only by the FEP and the KDC.
Note 3: All user data exchanged between the two end systems are encrypted by their respective front-end processors using the one-time session key.
Note 4: The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other.]
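The connection steps and the two kinds of keys above, as an added Go example that is not part of the text: the KDC holds one permanent key per front-end processor and a permission table; on an approved request it generates a fresh one-time session key and delivers one copy to each front end, encrypted under that front end's permanent key. The message shape (IV plus TDEA-CBC ciphertext of the session key), the FEP names and the keys are assumptions constructed for this example, not a standard protocol.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// SessionKeyLen is the length of a three-key TDEA session key (K1||K2||K3).
const SessionKeyLen = 24

// KDC holds the permanent key of every front-end processor and decides which
// (requester, target) pairs may connect.
type KDC struct {
	permanent map[string][]byte  // FEP name -> 24-byte permanent TDEA key
	allowed   map[[2]string]bool // permitted (requester, target) pairs
}

// SealedKey is what the KDC delivers to one front end: the one-time session
// key encrypted (TDEA in CBC mode, random IV) under that front end's permanent key.
type SealedKey struct {
	IV  []byte
	Box []byte
}

func sealKey(permanent, session []byte) (SealedKey, error) {
	blk, err := des.NewTripleDESCipher(permanent)
	if err != nil {
		return SealedKey{}, err
	}
	iv := make([]byte, blk.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return SealedKey{}, err
	}
	box := make([]byte, len(session)) // 24 bytes = three whole DES blocks
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(box, session)
	return SealedKey{IV: iv, Box: box}, nil
}

// openKey is run by a front end on its copy, using its own permanent key.
func openKey(permanent []byte, m SealedKey) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(permanent)
	if err != nil {
		return nil, err
	}
	session := make([]byte, len(m.Box))
	cipher.NewCBCDecrypter(blk, m.IV).CryptBlocks(session, m.Box)
	return session, nil
}

// Request is steps 2 and 3 of the text: the requesting front end applies for
// permission; if granted, the KDC generates a session key and returns one copy
// sealed for the requester and one for the target.
func (k *KDC) Request(from, to string) (SealedKey, SealedKey, error) {
	if !k.allowed[[2]string{from, to}] {
		return SealedKey{}, SealedKey{}, errors.New("KDC: connection not permitted")
	}
	session := make([]byte, SessionKeyLen)
	if _, err := rand.Read(session); err != nil {
		return SealedKey{}, SealedKey{}, err
	}
	forFrom, err := sealKey(k.permanent[from], session)
	if err != nil {
		return SealedKey{}, SealedKey{}, err
	}
	forTo, err := sealKey(k.permanent[to], session)
	if err != nil {
		return SealedKey{}, SealedKey{}, err
	}
	return forFrom, forTo, nil
}

// newDemoKDC builds a KDC with two front ends and one permitted direction.
func newDemoKDC() *KDC {
	return &KDC{
		permanent: map[string][]byte{ // constructed sample permanent keys
			"FEP-A": []byte("permanent-key-for-A-24by"),
			"FEP-B": []byte("permanent-key-for-B-24by"),
		},
		allowed: map[[2]string]bool{{"FEP-A", "FEP-B"}: true},
	}
}

func main() {
	kdc := newDemoKDC()
	a, b, err := kdc.Request("FEP-A", "FEP-B")
	if err != nil {
		panic(err)
	}
	ksA, _ := openKey(kdc.permanent["FEP-A"], a)
	ksB, _ := openKey(kdc.permanent["FEP-B"], b)
	fmt.Printf("both front ends hold the same session key: %v\n", bytes.Equal(ksA, ksB))
	_, _, err = kdc.Request("FEP-B", "FEP-A")
	fmt.Println("reverse direction:", err)
}
```

Each copy of the session key travels only under the permanent key of the front end it is meant for, so a front end can open its own copy but not the other one, and every approved request produces a new session key, matching the one-time property the text gives session keys.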
