
Cryptography and Network Security, Fourth Edition, by William Stallings
Lecture slides by Lawrie Brown
Chapter 16: IP Security
have a range of application specific security mechanisms
eg. S/MIME, PGP, Kerberos, SSL/HTTPS
however there are security concerns that cut across protocol layers
would like security implemented by the network for all applications
IPSec
general IP Security mechanisms
provides
authentication
confidentiality
key management
applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Benefits of IPSec
in a firewall/router provides strong security to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
is below transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users
secures routing architecture
IP Security Architecture
specification is quite complex
defined in numerous RFCs
incl. RFC 2401/2402/2406/2408
many others, grouped by category
mandatory in IPv6, optional in IPv4
have two security header extensions:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
IPSec Services
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
a form of partial sequence integrity
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations
a one-way relationship between sender & receiver that affords security for traffic flow
defined by 3 parameters:
Security Parameters Index (SPI)
IP Destination Address
Security Protocol Identifier
has a number of other parameters
seq no, AH & ESP info, lifetime etc
have a database of Security Associations
Authentication Header (AH)
provides support for data integrity & authentication of IP packets
end system/router can authenticate user/app
prevents address spoofing attacks by tracking sequence numbers
based on use of a MAC
HMAC-MD5-96 or HMAC-SHA-1-96
parties must share a secret key
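As an added example (not from the slides), the two AH mechanisms just listed in Python: the HMAC-SHA-1-96 integrity check over a simplified AH header, and an anti-replay sliding window in the style of RFC 2401. The shared key is a constructed value, and the ICV here omits the immutable outer IP header fields that a real AH also covers.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-SHA-1-96: leftmost 96 bits (12 bytes) of the 20-byte HMAC-SHA-1 tag
AH_FIXED_LEN = 12   # Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Sequence Number(4)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Truncated HMAC used as the AH Integrity Check Value (ICV)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


class ReplayWindow:
    """Anti-replay sliding window (default 64 packets wide).

    Bit i of `bitmap` is set once sequence number (top - i) has been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:
            return False                       # the first packet on an SA uses 1
        if seq > self.top:                     # slide the window to the right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset
        return True


def build_ah(key: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """AH header followed by the payload; ICV is computed with the ICV field zeroed.

    Payload Len = (AH length in 32-bit words) - 2 = 4 for this 24-byte header.
    """
    header = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    icv = hmac_sha1_96(key, header + bytes(ICV_LEN) + payload)
    return header + icv + payload


def verify_ah(key: bytes, packet: bytes, window: ReplayWindow):
    """Parse an AH packet; return (next_header, spi, seq, payload) or None if rejected."""
    if len(packet) < AH_FIXED_LEN + ICV_LEN:
        return None
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if ah_len != AH_FIXED_LEN + ICV_LEN:
        return None                                    # only HMAC-*-96 sized ICVs handled here
    icv, payload = packet[AH_FIXED_LEN:ah_len], packet[ah_len:]
    expected = hmac_sha1_96(key, packet[:AH_FIXED_LEN] + bytes(ICV_LEN) + payload)
    if not hmac.compare_digest(icv, expected):        # integrity / data-origin check first
        return None
    if not window.check_and_update(seq):              # then the replay check
        return None
    return next_header, spi, seq, payload


def demo():
    """Constructed traffic: three fresh packets, one replayed packet, one tampered packet."""
    key = b"constructed-shared-sa-key"                 # in practice looked up from the SA database
    window = ReplayWindow()
    results = []
    for seq in (1, 2, 3):
        pkt = build_ah(key, 6, 0x1234, seq, b"TCP segment %d" % seq)
        results.append(verify_ah(key, pkt, window) is not None)
    replay = build_ah(key, 6, 0x1234, 2, b"TCP segment 2")
    results.append(verify_ah(key, replay, window) is not None)
    tampered = bytearray(build_ah(key, 6, 0x1234, 4, b"TCP segment 4"))
    tampered[-1] ^= 0x01                                # flip one payload bit
    results.append(verify_ah(key, bytes(tampered), window) is not None)
    return results


if __name__ == "__main__":
    print(demo())
```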
Authentication Header
Transport & Tunnel Modes
Encapsulating Security Payload (ESP)
provides message content confidentiality & limited traffic flow confidentiality
can optionally provide the same authentication services as AH
supports range of ciphers, modes, padding
incl. DES, Triple-DES, RC5, IDEA, CAST etc
CBC & other modes
padding needed to fill blocksize, fields, for traffic flow
Encapsulating Security Payload
Transport vs Tunnel Mode ESP
transport mode is used to encrypt & optionally authenticate IP data
data protected but header left in clear
so traffic analysis is possible, but it is efficient
good for ESP host to host traffic
tunnel mode encrypts entire IP packet
add new header for next hop
good for VPNs, gateway to gateway security
Combining Security Associations
SAs can implement either AH or ESP
to implement both need to combine SAs
form a security association bundle
may terminate at different or same endpoints
combined by
transport adjacency
iterated tunneling
issue of authentication & encryption order
Combining Security Associations
Key Management
handles key generation & distribution
typically need 2 pairs of keys
2 per direction for AH & ESP
manual key management
sysadmin manually configures every system
automated key management
automated system for on demand creation of keys for SAs in large systems
has Oakley & ISAKMP elements
Oakley
a key exchange protocol
based on Diffie-Hellman key exchange
adds features to address weaknesses
cookies, groups (global params), nonces, DH key exchange with authentication
can use arithmetic in prime fields or elliptic curve fields
ISAKMP
Internet Security Association and Key Management Protocol
provides framework for key management
defines procedures and packet formats to establish, negotiate, modify, & delete SAs
independent of key exchange protocol, encryption alg, & authentication method
ISAKMP
ISAKMP Payloads & Exchanges
have a number of ISAKMP payload types:
Security Association, Proposal, Transform, Key Exchange, Identification, Certificate, Certificate Request, Hash, Signature, Nonce, Notification, Delete
ISAKMP has framework for 5 types of message exchanges:
base, identity protection, authentication only, aggressive, informational
Summary
have considered:
IPSec security framework
AH
ESP
key management & Oakley/ISAKMP
Ch. 1 Introduction
Division of Computer Science and Engineering
Hanyang University
Contents
Introduction
Key Security Concepts
Security Trends
Security Services, Security Mechanisms
A Model for Network Security & Computer Security
Introduction
Information security
Securing all kinds of data even if they are not electronic.
For example, the use of a lock for a cabinet storing sensitive information
Computer security
Securing data stored in computers
Network security or Internet security
Securing data transmitted over interconnected networks.
Key Security Concepts (figure)
Security Trends
Internet-related vulnerabilities (figure)
Security-related incidents (figure)
Attack sophistication and intruder knowledge (figure, plotted from Low to High)
The OSI Security Architecture
ITU-T Recommendation X.800, Security Architecture for OSI, defines
Security attack
Any action that compromises the security of information
Security mechanism
A process designed to detect, prevent, or recover from a security attack
Security service
A service making use of security mechanisms to counter security attacks.
Security Attacks
Passive Attacks
Observing the information from the system without affecting system resources.
Active Attacks
Try to alter system resources or affect their operation.
Passive Attacks
Release of message contents
Traffic analysis
Difficult to detect (after they occurred) because they do not involve any change of the data.
Thus, they should be prevented rather than be detected.
Active attacks
Creating illegitimate messages
Masquerade (who)
Replay (when)
Modification of messages (what)
Denying legitimate messages
Repudiation
Making system facilities unavailable
Denial of service
Masquerade
One entity pretends to be a different entity.
Replay
A message is captured and retransmitted later.
Modification of messages
A message is captured, modified, and transmitted.
Repudiation
Denial of sending or receiving legitimate messages.
Denial of service
Making system facilities unavailable.
Active attacks are difficult to prevent because of new vulnerabilities.
So, the goal is to detect active attacks and to recover as soon as possible.
Threat and Attack
Threat
A possible danger
Attack
An assault on system security
Security Services
Security service
A service making use of security mechanisms to counter security attacks.
Categories of security services
Authentication
Access Control
Data Confidentiality
Data Integrity
Non-Repudiation
Availability
Authentication
Assuring the communicating entity is the one that it claims to be.
To protect the network from masquerade and replay
Data origin authentication
In a connectionless protocol, to assure the recipient that a single message is from the source that it claims to be.
Peer entity authentication
In a logical connection, to assure that the two entities are authentic and that the connection is not interfered with by a third party.
Access Control
To prevent unauthorized use of a resource.
This service controls
who can have access to a resource,
under what conditions access can occur, and
what those accessing the resource are allowed to do.
Data Confidentiality
To protect data from release of message contents and traffic analysis.
Connection confidentiality
Protecting all data on a connection
Connectionless confidentiality
Protecting all data in a single data block
Selective-field confidentiality
Protecting selected fields within the data.
Traffic-flow confidentiality
Protecting traffic flow information.
Data Integrity
To assure that the data are not modified during transmission.
Connection integrity with recovery
Connection integrity without recovery
Selective-field connection integrity
Connectionless integrity
Selective-field connectionless integrity
Non-repudiation
To provide protection against denial by the sender or receiver.
Non-repudiation, Origin
To prove that the message was sent by the sender
Non-repudiation, Destination
To prove that the message was received by the receiver
Availability
To provide system availability against denial-of-service attacks.
Security Mechanisms
A process designed to detect, prevent, or recover from a security attack
A security mechanism is a basic building block of security services.
Specific Security Mechanisms
Encipherment
Digital Signature
Access Control
Data Integrity
Authentication Exchange
Traffic Padding
Routing Control
Notarization
Relationship between Security Services and Mechanisms
(Y = the mechanism is considered appropriate for the service)

| Service | Encipherment | Digital Signature | Access Control | Data Integrity | Authentication Exchange | Traffic Padding | Routing Control | Notarization |
| Peer entity authentication | Y | Y | | | Y | | | |
| Data origin authentication | Y | Y | | | | | | |
| Access control | | | Y | | | | | |
| Confidentiality | Y | | | | | | Y | |
| Traffic flow confidentiality | Y | | | | | Y | Y | |
| Data integrity | Y | Y | | Y | | | | |
| Nonrepudiation | | Y | | Y | | | | Y |
| Availability | | | | Y | Y | | | |
A Model for Network Security
Figure 1.5
Protect the communication from opponents.
A Model for Computer Security
Figure 1.6
Protect a system from unwanted access
Information access threat
To see or modify data in the system.
Service threat
To prevent legitimate users from using services of the system.
Security mechanisms against unwanted access are categorized as
Gatekeeper function (prevention)
Password-based login procedures to deny access to unauthorized users
Screening logic to detect and reject worms, viruses.
Monitoring activity (detection)
Monitoring abnormal activities to detect unwanted intruders.
Ch. 2 Classical Encryption Techniques
Contents
Symmetric Cipher Model
Classical Ciphers
Substitution Techniques
Shift Cipher (Caesar Cipher)
Monoalphabetic Ciphers
Playfair Cipher
Hill Cipher
Polyalphabetic Ciphers
One-Time Pad
Transposition Techniques
Rotor Machines (skip due to lack of time)
Steganography (skip due to lack of time)
Symmetric Cipher Model
Plaintext (or message) - The original message
Ciphertext - The coded message
Encipher (or encrypt) - Converting plaintext to ciphertext
Decipher (or decrypt) - Restoring plaintext from ciphertext
Key - Secret input to encryption and decryption.
Symmetric Cipher Model
Cryptography
The study of creating encryption schemes
Cryptanalysis
The study of breaking encryption schemes
Cryptology
Cryptography + Cryptanalysis
Symmetric Cipher Model
Two requirements for symmetric ciphers
The encryption algorithm should be strong.
An opponent cannot decrypt a ciphertext and discover the key even if the opponent knows the encryption algorithm.
So, the encryption algorithm does not need to be kept secret.
This feature makes it convenient for widespread use.
A secret key should be known only to sender and receiver.
Because if someone has the key, he can decrypt every ciphertext.
Formal Notations
Plaintext: $X = [X_1, X_2, \ldots, X_m]$
Ciphertext: $Y = [Y_1, Y_2, \ldots, Y_n]$
Secret Key: $K = [K_1, K_2, \ldots, K_j]$
Key source may be either a sender or a third party.
Encryption: $Y = E_K(X)$
Decryption: $X = D_K(Y)$
A cryptanalyst tries to find either the plaintext or the secret key.
Cryptography
Classification of cryptographic systems
The type of encryption operations
Substitution
Each element in the plaintext is mapped into another element.
Transposition
Elements in the plaintext are rearranged.
The number of keys
Single-key or secret-key or conventional encryption
Both sender and receiver use the same key
Two-key or public-key encryption
Sender and receiver use different keys.
The way in which plaintext is processed
A block cipher
Processes the input one block of elements at a time.
Produces an output block for each input block.
A stream cipher
Processes the input elements continuously.
Produces output one element at a time.
Cryptanalysis
Types of cryptanalytic attacks
Based on the amount of information known to the cryptanalyst (each type below gives the opponent more information than the previous one)
Ciphertext only
Known plaintext
Chosen plaintext
Chosen ciphertext
Chosen text
Ciphertext only
Known information: encryption algorithm, ciphertext
Known plaintext
Known information: encryption algorithm, ciphertext, one or more plaintext-ciphertext pairs
Chosen plaintext
Known information: encryption algorithm, ciphertext, one or more plaintext-ciphertext pairs where the opponent can choose the plaintext
Chosen ciphertext
Known information: encryption algorithm, ciphertext, one or more plaintext-ciphertext pairs where the opponent can choose the ciphertext
Chosen text
Known information: encryption algorithm, ciphertext, one or more plaintext-ciphertext pairs where the opponent can choose either the plaintext or the ciphertext
Unconditionally Secure
An encryption scheme is unconditionally secure (Stinson) if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext; then it is impossible for the opponent to decrypt the ciphertext.
Computationally Secure
Computationally secure (Stinson), if either of the following holds:
The cost of breaking the cipher exceeds the value of the encrypted information
The value of the contents of the encrypted original message is not big enough to be worth decrypting
The time required to break the cipher exceeds the useful lifetime of the information
After the decryption, the message is no longer valuable
Brute-force Attack
Trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained
On average, half of all possible keys must be tried to achieve success.

| Key Size (bits) | Number of Alternative Keys | Time required at 1 encryption/µs | Time required at 10^6 encryptions/µs |
| 32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds |
| 56 (DES) | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours |
| 128 (AES) | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years |
| 168 (Triple DES) | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years |
| 26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years |
Substitution/Transposition Techniques
Substitution techniques
The letters of plaintext are replaced by other letters.
e.g. A → C, B → F, ...
Transposition techniques
The letters in plaintext are transposed.
e.g. message → essgeam
Shift Cipher (Caesar Cipher)
A simple substitution cipher
Substitution rule
Circular right shift by k alphabet positions, where k is the key.
When k = 4: A → E, B → F, ..., X → B, Y → C, Z → D
Encryption of plaintext baby with k = 4
Shift Cipher
Decryption of ciphertext hphtwwxppe
Inverse of encryption
Cryptanalysis of shift cipher
Brute-force approach
The key space is too small: only 26 possible keys
JBCRCLQRWCRVNBJENBWRWN
0 jbcrclqrwcrvnbjenbwrwn
1 iabqbkpqvbqumaidmavqvm
...
9 astitchintimesavesnine
Three important characteristics make it possible to use a brute-force cryptanalysis
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.
What generally makes brute-force cryptanalysis impractical is the use of an algorithm that employs a large number of keys
Monoalphabetic Cipher
Encryption
Substitute each symbol in a plaintext using a permutation.
a b c d e f g h i j k l m
X N Y A H P O G Z Q W B T
n o p q r s t u v w x y z
S F L R C V M U E K J D I
Monoalphabetic Cipher
Decryption
Substitute each symbol in a ciphertext using the inverse permutation.
Quiz
MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA ?
The Shift Cipher is a special case of monoalphabetic cipher.
Monoalphabetic Cipher
Brute-force attack is impossible.
26! possible permutations are available
26! ≈ 4 × 10^26 possible keys
Another line of attack
If the cryptanalyst knows the nature of the plaintext, then the analyst can exploit the regularities of the language.
Using a standard frequency distribution for English
The first step
The relative frequency of the letters in the ciphertext can be determined and compared to a standard frequency distribution for English
Ciphertext
U Z Q S O V U O H X M O P V G P O Z P E V S G Z W S Z O P F P E S X U D B M E T S X A I Z
V U E P H Z H M D Z S H Z O W S F P A P P D T S V P Q U Z W Y M X U Z U H S X
E P Y E P O P D Z S Z U F P O M B Z W P F U P Z H M D J U D T M O H M Q
Relative frequency (%) of letters in the ciphertext
P 13.33   H 5.83   F 3.33   B 1.67   C 0.00
Z 11.67   D 5.00   W 3.33   G 1.67   K 0.00
S 8.33    E 5.00   Q 2.50   Y 1.67   L 0.00
U 8.33    V 4.17   T 2.50   I 0.83   N 0.00
O 7.50    X 4.17   A 1.67   J 0.83   R 0.00
M 6.67
Relative Frequency of Letters in English Text
Another line of attack
Comparing this breakdown with Figure 2.5
Ciphertext letters P and Z are the equivalents of plain letters e and t, but it is not certain which is which.
The letters S, U, O, M and H are plain letters from the set {a, h, i, n, o, r, s}.
Another line of attack
A powerful tool is to look at the frequency of two-letter combinations (digrams).
The most common such digram in English is th.
In our ciphertext, the most common digram is ZW.
Guess ZW → th
Most frequent trigrams (three-letter combinations)
ZWP appears in the ciphertext, and we translate that sequence as the.
Another line of attack
Next step
Notice the sequence ZWSZ in the first line. It is of the form th_t.
So S => a
Partial decryption so far (Z → t, W → h, P → e, S → a; unknown letters shown as _):
U Z Q S O V U O H X M O P V G P O Z P E V S G Z W S Z O P F P E S X U D B M E T S X A I Z
_ t _ a _ _ _ _ _ _ _ _ e _ _ e _ t e _ _ a _ t h a t _ e _ e _ a _ _ _ _ _ _ _ a _ _ _ t
V U E P H Z H M D Z S H Z O W S F P A P P D T S V P Q U Z W Y M X U Z U H S X
_ _ _ e _ t _ _ _ t a _ t _ h a _ e _ e e _ _ a _ e _ _ t h _ _ _ _ t _ _ a _
E P Y E P O P D Z S Z U F P O M B Z W P F U P Z H M D J U D T M O H M Q
_ e _ _ e _ e _ t a t _ _ e _ _ _ t h e _ _ e t _ _ _ _ _ _ _ _ _ _ _ _
The completed plaintext
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
Another line of attack
Easy to break
The ciphertext reflects the frequency data of the original alphabet
Countermeasure by Carl Friedrich Gauss: homophones
The letter e could be represented by 16, 74, 35 and 21
Each homophone used in rotation or randomly
Ideally the frequency of each ciphertext symbol is then flat, and the frequency information of each letter is concealed
But multiple-letter patterns still survive in the ciphertext
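As an added example (not from the slides), the permutation above as a monoalphabetic cipher, followed by the first steps of the frequency analysis run over the slides' ciphertext: single-letter and digram counts, then a partial decryption from the guessed letters. The helpers and their names are this example's own.

```python
from collections import Counter

# Permutation from the slides: plaintext a..z -> ciphertext letter
CIPHER_ALPHABET = "XNYAHPOGZQWBTSFLRCVMUEKJDI"
PLAIN_ALPHABET = "abcdefghijklmnopqrstuvwxyz"
ENC_MAP = dict(zip(PLAIN_ALPHABET, CIPHER_ALPHABET))
DEC_MAP = {c: p for p, c in ENC_MAP.items()}   # inverse permutation

# Ciphertext from the slides (120 letters) used by the frequency-analysis steps
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def mono_encrypt(plaintext: str) -> str:
    """Substitute each letter using the permutation; other characters pass through."""
    return "".join(ENC_MAP.get(ch, ch) for ch in plaintext.lower())


def mono_decrypt(ciphertext: str) -> str:
    """Substitute each letter using the inverse permutation."""
    return "".join(DEC_MAP.get(ch, ch) for ch in ciphertext.upper())


def letter_frequencies(ciphertext: str):
    """(letter, count, relative frequency in %) for each ciphertext letter, most common first."""
    letters = [c for c in ciphertext.upper() if c.isalpha()]
    counts = Counter(letters)
    n = len(letters)
    return [(c, counts[c], round(100.0 * counts[c] / n, 2)) for c, _ in counts.most_common()]


def digram_counts(ciphertext: str) -> Counter:
    """Overlapping two-letter combinations; several digrams tie for first place in this text."""
    letters = "".join(c for c in ciphertext.upper() if c.isalpha())
    return Counter(letters[i:i + 2] for i in range(len(letters) - 1))


def partial_decrypt(ciphertext: str, guesses: dict) -> str:
    """Apply the cipher -> plain letters guessed so far; unknown letters become '_'."""
    return "".join(guesses.get(c, "_") for c in ciphertext.upper() if c.isalpha())


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:6])        # P and Z lead, as in the slides
    print(digram_counts(CIPHERTEXT).most_common(8))  # ZW is among the most frequent
    # First guesses from the slides: Z -> t, W -> h (digram th), P -> e, S -> a (ZWSZ = th_t)
    print(partial_decrypt(CIPHERTEXT[:45], {"Z": "t", "W": "h", "P": "e", "S": "a"}))
```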
Playfair cipher
Two methods to lessen the extent to which the structure of the plaintext survives in the ciphertext
One approach is to encrypt multiple letters of plaintext
The other is to use multiple cipher alphabets
Playfair cipher
The best-known multiple-letter encryption cipher
Treats digrams (two letters) in the plaintext as single units and translates these units into ciphertext
Constructing the matrix
Key: MONARCHY, 5 × 5 matrix
Filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom
Filling in the remainder of the matrix with the remaining letters in alphabetic order
The letters I and J count as one letter
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Playfair cipher
Repeating plaintext letters in a pair are separated with a filler letter
balloon : ba lx lo on
Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, circularly
ar : RM
Plaintext letters that fall in the same column are each replaced by the letter beneath, circularly
mu : CM
Otherwise, each plaintext letter is replaced by the letter that lies in its own row and in the column occupied by the other plaintext letter
hs : BP, ea : IM or JM
Playfair cipher
The strength of the Playfair cipher
A great advance over the simple monoalphabetic cipher
26 × 26 = 676 digrams
Making frequency analysis much more difficult
Long considered unbreakable
Relatively easy to break
Because it still leaves much of the structure of the plaintext language
A few hundred letters of ciphertext are generally sufficient
Comparison of the effectiveness of the Playfair cipher and other ciphers (figure)
Each letter is arranged in order of decreasing frequency
Each letter of the array corresponds to a point on the horizontal axis
The vertical axis is the normalized relative frequency distribution
If the frequency distribution information were totally concealed in the encryption process, the plot would be flat, and cryptanalysis using ciphertext only would be effectively impossible
The Playfair cipher has a flatter distribution than does plaintext, but nevertheless it reveals plenty of structure
Hill Cipher
Another multiple-letter cipher, by the mathematician Lester Hill in 1929
Takes m successive plaintext letters and substitutes for them m ciphertext letters
The Hill cipher uses matrix operations to hide frequency information
The use of a larger matrix hides more frequency information
A 3 x 3 Hill cipher hides not only single-letter but also two-letter frequency information
Strong against a ciphertext-only attack but easily broken with a known plaintext attack
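As an added example (not from the slides, which give no key), a 2 × 2 Hill cipher with a constructed key matrix, and the known-plaintext key recovery the last bullet refers to: from two plaintext/ciphertext letter pairs, K = C · P^-1 (mod 26) when the plaintext matrix P is invertible.

```python
MOD = 26


def letters_to_nums(text: str):
    return [ord(c) - ord("a") for c in text.lower() if c.isalpha()]


def nums_to_letters(nums) -> str:
    return "".join(chr(n % MOD + ord("a")) for n in nums)


def mat_mul(a, cols):
    """(2x2 matrix a) x (each 2-vector in cols) mod 26; returns the resulting columns."""
    return [[(a[r][0] * col[0] + a[r][1] * col[1]) % MOD for r in range(2)] for col in cols]


def mat_inv(m):
    """Inverse of a 2x2 matrix mod 26; the determinant must be coprime with 26."""
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % MOD
    try:
        det_inv = pow(det, -1, MOD)           # modular inverse (Python 3.8+)
    except ValueError:
        raise ValueError("matrix is not invertible mod 26")
    return [[(m[1][1] * det_inv) % MOD, (-m[0][1] * det_inv) % MOD],
            [(-m[1][0] * det_inv) % MOD, (m[0][0] * det_inv) % MOD]]


def hill_encrypt(plaintext: str, key) -> str:
    """c = K * p for each column vector of two plaintext letters."""
    nums = letters_to_nums(plaintext)
    if len(nums) % 2:
        nums.append(ord("x") - ord("a"))      # pad an odd-length message (assumption)
    cols = [nums[i:i + 2] for i in range(0, len(nums), 2)]
    return "".join(nums_to_letters(c) for c in mat_mul(key, cols)).upper()


def hill_decrypt(ciphertext: str, key) -> str:
    """p = K^-1 * c for each column vector of two ciphertext letters."""
    cols = [letters_to_nums(ciphertext[i:i + 2]) for i in range(0, len(ciphertext), 2)]
    return "".join(nums_to_letters(c) for c in mat_mul(mat_inv(key), cols))


def recover_key(plain_pairs, cipher_pairs):
    """Known-plaintext attack: columns of P are the plaintext pairs, columns of C the
    matching ciphertext pairs; then C = K * P, so K = C * P^-1 (mod 26)."""
    P = [[plain_pairs[0][0], plain_pairs[1][0]], [plain_pairs[0][1], plain_pairs[1][1]]]
    C = [[cipher_pairs[0][0], cipher_pairs[1][0]], [cipher_pairs[0][1], cipher_pairs[1][1]]]
    Pinv = mat_inv(P)
    cols = mat_mul(C, [[Pinv[0][0], Pinv[1][0]], [Pinv[0][1], Pinv[1][1]]])
    return [[cols[0][0], cols[1][0]], [cols[0][1], cols[1][1]]]


KEY = [[5, 8], [17, 3]]   # constructed key; det = 9, which is coprime with 26

if __name__ == "__main__":
    ct = hill_encrypt("hill", KEY)
    print(ct, hill_decrypt(ct, KEY))
    # The attacker knows plaintext "hill" and its ciphertext and recovers KEY
    print(recover_key([letters_to_nums("hi"), letters_to_nums("ll")],
                      [letters_to_nums(ct[:2]), letters_to_nums(ct[2:])]))
```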
Vigenère cipher
The set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers, with shifts 0 to 25.
Encryption Algorithm
Example
Each cipher is denoted by a key letter
e.g. plaintext b with key d (shift of 3) → E
A key is needed that is as long as the message
Repeating keyword
Keyword: deceptive
Key: deceptivedeceptivedeceptive
Plaintext: wearediscoveredsaveyourself
Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
The modern Vigenère Tableau
A normal alphabet for the plaintext runs across the top. Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left.
The process of encryption: for key letter x and plaintext letter y, the ciphertext letter is at the intersection of the row labeled x and the column labeled y; in this case V.
  a b c d e f g h i j k l m n o p q r s t u v w x y z
a A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
b B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
c C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
d D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
e E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
f F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
g G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
h H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
i I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
j J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
k K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
l L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
m M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
n N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
o O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
p P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
r R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
s S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
t T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
u U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
v V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
w W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
x X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Vigenère cipher
Decryption Algorithm
The key letter again identifies the row.
The position of the ciphertext letter in that row determines the column.
The plaintext letter is at the top of that column.
Key: deceptive, ciphertext: ZIC
Using rows d, e and c of the tableau above: Z in row d lies under column w, I in row e under column e, C in row c under column a, giving wea.
Vigenère cipher
The strength of the Vigenère cipher
Because this cipher uses multiple ciphertext letters for each plaintext letter, the letter frequency information is obscured.
The problem of this cipher
Not all knowledge of plaintext structure is obscured.
An improvement is achieved over the Playfair cipher, but considerable frequency information remains.
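As an added example (not from the slides), the tableau rows built as shifted alphabets, encryption and decryption with the repeating keyword, and a helper that lists which ciphertext letters one plaintext letter is mapped to, which is the property the strength paragraph relies on. Function names are this example's own.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def tableau_row(key_letter: str) -> str:
    """Row of the Vigenère tableau for a key letter: the alphabet rotated by its index."""
    k = ALPHABET.index(key_letter.lower())
    return (ALPHABET[k:] + ALPHABET[:k]).upper()


def expand_key(keyword: str, length: int) -> str:
    """Repeating keyword: deceptive -> deceptivedeceptivedeceptive for 27 letters."""
    keyword = keyword.lower()
    return (keyword * (length // len(keyword) + 1))[:length]


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    plaintext = "".join(c for c in plaintext.lower() if c.isalpha())
    key = expand_key(keyword, len(plaintext))
    # ciphertext letter = intersection of the row (key letter) and column (plaintext letter)
    return "".join(tableau_row(k)[ALPHABET.index(p)] for p, k in zip(plaintext, key))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    ciphertext = "".join(c for c in ciphertext.upper() if c.isalpha())
    key = expand_key(keyword, len(ciphertext))
    # the key letter picks the row; the ciphertext letter's position in that row is the column
    return "".join(ALPHABET[tableau_row(k).index(c)] for c, k in zip(ciphertext, key))


def ciphertext_letters_for(plaintext: str, keyword: str, letter: str):
    """Set of ciphertext letters that a given plaintext letter becomes under this keyword."""
    plaintext = "".join(c for c in plaintext.lower() if c.isalpha())
    ciphertext = vigenere_encrypt(plaintext, keyword)
    return {c for p, c in zip(plaintext, ciphertext) if p == letter.lower()}


if __name__ == "__main__":
    ct = vigenere_encrypt("wearediscoveredsaveyourself", "deceptive")
    print(ct, vigenere_decrypt(ct, "deceptive"))
    # plaintext e is hidden behind several ciphertext letters, one per key letter it meets
    print(sorted(ciphertext_letters_for("wearediscoveredsaveyourself", "deceptive", "e")))
```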
The other way
The ultimate defense against such cryptanalysis is to choose a keyword that is as long as the plaintext and has no statistical relationship to it.
Proposed by the AT&T engineer Gilbert Vernam in 1918
This system works on binary data rather than letters
Encryption Algorithm
$c_i = p_i \oplus k_i$
where $p_i$ = ith binary digit of plaintext, $k_i$ = ith binary digit of key, $c_i$ = ith binary digit of ciphertext, and $\oplus$ = exclusive-or (XOR) operation
Decryption Algorithm
$p_i = c_i \oplus k_i$
Vernam proposed the use of a running loop of tape, so eventually the key is repeated.
It can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both.
One-Time Pad
By an Army Signal Corps officer, Joseph Mauborgne
Suggested using a random key that was truly as long as the message, with no repetitions
Unbreakable
Because it produces random output that bears no statistical relationship to the plaintext.
And the ciphertext contains no information whatsoever about the plaintext
One-Time Pad
Two different decryptions using two different keys
Using a Vigenère cipher scheme with 27 characters
The Vigenère tableau is expanded to 27 × 27
ciphertext: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key: pxlmvmsydoftyrvzwctnlebnecvgdupahfzzlmnyih
plaintext: mr mustard with the candlestick in the hall
ciphertext: ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS
key: mfugpmiydgaxgoufhkllmhsqdqogtewbqfgyovuhwt
plaintext: miss scarlet with the knife in the library
Suppose that the cryptanalyst finds these two keys
Two plausible plaintexts are produced
How is the cryptanalyst to decide which is the correct decryption?
If the actual key were produced in a truly random fashion, there is no way to decide which key is correct
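As an added example (not from the slides), the 27-symbol (a to z plus space) one-time pad, with a function that derives, for any candidate plaintext of the right length, the key that produces the slides' ciphertext; the two keys it derives need not match the slides' printed keys. The second plaintext is padded with one trailing space to 43 symbols, an assumption made because the slides show 42 letters against a 43-symbol ciphertext.

```python
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz "   # 27 symbols: the tableau expanded to 27 x 27
N = len(ALPHABET)


def otp_encrypt(plaintext: str, key: str) -> str:
    """c_i = p_i + k_i mod 27; the key must cover the whole message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % N]
                   for p, k in zip(plaintext, key)).upper()


def otp_decrypt(ciphertext: str, key: str) -> str:
    """p_i = c_i - k_i mod 27."""
    return "".join(ALPHABET[(ALPHABET.index(c.lower()) - ALPHABET.index(k)) % N]
                   for c, k in zip(ciphertext, key))


def key_for(ciphertext: str, wanted_plaintext: str) -> str:
    """The key that decrypts `ciphertext` to `wanted_plaintext`: k_i = c_i - p_i mod 27.
    It always exists, which is why a cryptanalyst cannot tell candidate keys apart."""
    if len(wanted_plaintext) != len(ciphertext):
        raise ValueError("candidate plaintext must match the ciphertext length")
    return "".join(ALPHABET[(ALPHABET.index(c.lower()) - ALPHABET.index(p)) % N]
                   for c, p in zip(ciphertext, wanted_plaintext))


def random_key(length: int) -> str:
    """A pad from the OS CSPRNG; a pad is used once and never reused (constructed helper)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


CIPHERTEXT = "ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS"   # 43 symbols, from the slides
PLAINTEXT_1 = "mr mustard with the candlestick in the hall"   # 43 symbols, from the slides
PLAINTEXT_2 = "miss scarlet with the knife in the library "  # 42 + one trailing space (constructed)


def two_decryptions():
    """Both derived keys decrypt the same ciphertext to a plausible sentence."""
    k1, k2 = key_for(CIPHERTEXT, PLAINTEXT_1), key_for(CIPHERTEXT, PLAINTEXT_2)
    return otp_decrypt(CIPHERTEXT, k1), otp_decrypt(CIPHERTEXT, k2), k1 != k2


if __name__ == "__main__":
    print(key_for(CIPHERTEXT, PLAINTEXT_1))
    print(key_for(CIPHERTEXT, PLAINTEXT_2))
    print(two_decryptions())
```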
One-Time Pad
Two fundamental difficulties:
The practical problem of making large quantities of random keys
Any heavily used system might require millions of random characters on a regular basis.
The problem of key distribution and protection
For every message to be sent, a key of equal length is needed by both sender and receiver.
Because of these difficulties, the one-time pad is of limited utility
Symmetric Cipher Model
Substitution Techniques
Caesar Cipher
Monoalphabetic Ciphers
Playfair Cipher
Hill Cipher
Polyalphabetic Ciphers
Transposition (Permutation) Techniques
Rail Fence Technique
Block (Columnar) Transposition Technique (skip due to lack of time)
2.3 Transposition Techniques
Definition of transposition
Performing some sort of permutation on the plaintext letters
R il f Rail fence
Th i l t t iti t h i The simplest transposition technique
Encryption
Plaintext : meet me after the toga party Plaintext : meet me after the toga party
m e m a t r h t g p r y m e m a t r h t g p r y
e t e f e t e o a a t e t e f e t e o a a t
Write down as a sequence of diagonals
R d ff f Read off as a sequence of rows
Ciphertext : mematrhtgpryetefeteoaat
Depth : 2 Depth : 2
56
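The rail-fence procedure above in code, as an added example that is not from the lecture notes. It generalises the slide's depth-2 case to any depth and adds the decryption the slide leaves implicit; rail_fence_encrypt, rail_fence_decrypt and frequency_profile are names chosen for this example.

```python
"""Added example (not part of the original slides): rail-fence
transposition for an arbitrary depth, with the matching decryption.
The slide's depth-2 case is reproduced exactly."""
from __future__ import annotations


def _rail_pattern(n: int, depth: int) -> list[int]:
    """Rail index for each plaintext position, zig-zagging 0..depth-1..0."""
    if depth < 1:
        raise ValueError("depth must be >= 1")
    if depth == 1:
        return [0] * n
    cycle = 2 * (depth - 1)
    rails = []
    for i in range(n):
        r = i % cycle
        rails.append(r if r < depth else cycle - r)
    return rails


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    """Drop spaces, write the letters along diagonals, read off row by row."""
    letters = plaintext.replace(" ", "")
    rails = _rail_pattern(len(letters), depth)
    rows = [[] for _ in range(depth)]
    for ch, r in zip(letters, rails):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    """Invert: rebuild the zig-zag pattern, hand the ciphertext out to the
    rails in row order, then read it back position by position."""
    n = len(ciphertext)
    rails = _rail_pattern(n, depth)
    counts = [rails.count(r) for r in range(depth)]
    # Slice the ciphertext into the rows it was read from.
    rows, pos = [], 0
    for c in counts:
        rows.append(list(ciphertext[pos:pos + c]))
        pos += c
    # Walk the pattern again, consuming one letter from the right row each time.
    idx = [0] * depth
    out = []
    for r in rails:
        out.append(rows[r][idx[r]])
        idx[r] += 1
    return "".join(out)


def frequency_profile(text: str) -> dict[str, int]:
    """Letter counts; identical for plaintext and ciphertext, which is how
    an analyst recognises a pure transposition in the first place."""
    prof: dict[str, int] = {}
    for ch in text.replace(" ", ""):
        prof[ch] = prof.get(ch, 0) + 1
    return prof


if __name__ == "__main__":
    pt = "meet me after the toga party"
    ct = rail_fence_encrypt(pt, 2)
    print(ct)                       # mematrhtgpryetefeteoaat
    print(rail_fence_decrypt(ct, 2))
```

The frequency_profile check is the practical caveat: because a transposition never changes which letters occur, the ciphertext's letter histogram still looks like English, and an attacker only has to recover the permutation.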
Chapter 3
Block Ciphers & The Data Encryption Standard
Contents
Block Cipher Principles
The Data Encryption Standard
The Strength of DES
Differential and Linear Cryptanalysis

Block Cipher Principles
Stream Ciphers and Block Ciphers
Motivation for the Feistel Cipher Structure
The Feistel Cipher

Stream Ciphers and Block Ciphers
Stream cipher: encrypts one bit or one byte at a time. Examples: Vigenère cipher, Vernam cipher.
Block cipher: encrypts a block of plaintext as a whole to produce a ciphertext block of equal length. Typical block size: 64 or 128 bits.
Motivation for the Feistel Cipher Structure
A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits.
Each plaintext block must produce a unique ciphertext block (for decryption to be possible). Such a transformation is called reversible or nonsingular.

Reversible mapping          Irreversible mapping
Plaintext  Ciphertext       Plaintext  Ciphertext
00         11               00         11
01         10               01         10
10         00               10         01
11         01               11         01
(In the irreversible mapping, 10 and 11 both encrypt to 01, so 01 cannot be decrypted.)

The logic of a general substitution cipher (for n = 4): a 4-bit input selects one of 16 outputs through an arbitrary reversible mapping.

A practical problem with the general substitution cipher
If a small block size is used, the system is equivalent to a classical substitution cipher. Such systems are vulnerable to a statistical analysis of the plaintext.
If the block size is sufficiently large and an arbitrary reversible substitution is allowed, statistical analysis is infeasible. This is not practical from a performance point of view: the key is the whole mapping table.
For an n-bit block cipher the key size is $n \times 2^n$ bits.
For n = 4, the key size is $4 \times 2^4 = 4 \times 16 = 64$ bits.
For n = 64, the key size is $64 \times 2^{64}$ bits.
The Feistel Cipher
Feistel proposed the use of a cipher that alternates substitutions and permutations.
In fact, this is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.

Diffusion and Confusion
Shannon suggests two methods for frustrating statistical cryptanalysis: diffusion and confusion.
Diffusion: make the statistical relationship between the plaintext and the ciphertext as complex as possible, so that each ciphertext bit depends on many plaintext bits, in order to thwart attempts to discover the key.
Confusion: make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, to thwart attempts to discover the key.
Diffusion can be achieved by a permutation followed by a function.
Confusion can be achieved by a substitution.
Feistel Cipher Structure
Input: plaintext of 2w bits and a key K.
Output: ciphertext of 2w bits.
The input is divided into two halves $L_0$ and $R_0$, which pass through n rounds.
Round i
Input: $L_{i-1}$, $R_{i-1}$ and the round key $K_i$.
Output: $L_i$ and $R_i$.
A substitution is performed on the left half $L_{i-1}$: it is XORed with $F(R_{i-1}, K_i)$.
A permutation is performed by swapping the two halves.
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
Feistel Cipher Structure: design features
Block size: the larger it is, the more secure the cipher is, but the slower it is. 64 or 128 bits.
Key size: the larger it is, the more secure the cipher is, but the slower it is. 128 bits is now typical; 64-bit keys are considered inadequate.
Number of rounds: the more rounds, the more secure the cipher is, but the slower it is. 16 rounds is typical.
Subkey generation: the more complex it is, the more secure the cipher is, but the slower it is.
Round function: the more complex it is, the more secure the cipher is, but the slower it is.
Fast software encryption/decryption.
Ease of analysis.
Feistel Decryption Algorithm
Decryption is the same as encryption except that the subkeys are used in reverse order. F itself is never inverted, so F need not be an invertible function.
Round i of encryption:
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
Solving for the inputs of the round:
$R_{i-1} = L_i$
$L_{i-1} = R_i \oplus F(R_{i-1}, K_i) = R_i \oplus F(L_i, K_i)$
So feeding $(R_i, L_i)$ into the same round structure with key $K_i$ recovers $(R_{i-1}, L_{i-1})$.
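A small Feistel network that exercises the two facts just stated, as an added example that is not part of the lecture notes: the same code decrypts when the subkeys are reversed, and the round function F is never inverted. The round function, key schedule and constants here (F, key_schedule, W, ROUNDS) are toy choices made up for this example and are not DES.

```python
"""Added example (not part of the original slides): a generic Feistel
network over 64-bit blocks with a deliberately simple, non-invertible
round function.  The same function encrypts and decrypts; only the
order of the subkeys differs.  F and the key schedule are toy choices
made up for this example, not DES."""
from __future__ import annotations

import hashlib

W = 32                      # half-block width in bits
MASK = (1 << W) - 1
ROUNDS = 16


def key_schedule(key: bytes, rounds: int = ROUNDS) -> list[int]:
    """Toy schedule: K_i = first 32 bits of SHA-256(key || i)."""
    return [
        int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
        for i in range(1, rounds + 1)
    ]


def F(right: int, subkey: int) -> int:
    """Toy round function: mix the right half with the subkey and hash.
    Not invertible, and it need not be: Feistel decryption never inverts F."""
    data = (right ^ subkey).to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_rounds(block: int, subkeys: list[int]) -> int:
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i) for each subkey.
    The final swap is undone (as DES does) so the network is its own
    inverse when the subkeys are reversed."""
    left, right = block >> W, block & MASK
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    return (right << W) | left


def encrypt_block(block: int, key: bytes) -> int:
    return feistel_rounds(block, key_schedule(key))


def decrypt_block(block: int, key: bytes) -> int:
    """Identical network, subkeys in reverse order."""
    return feistel_rounds(block, key_schedule(key)[::-1])


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two blocks (avalanche measurement)."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    key = b"example-key-only"             # constructed sample key
    pt = 0x0123456789ABCDEF
    ct = encrypt_block(pt, key)
    print(f"ct = {ct:016x}, round trip ok = {decrypt_block(ct, key) == pt}")
    print("bits changed by flipping one plaintext bit:",
          hamming_distance(ct, encrypt_block(pt ^ 1, key)))
```

The final un-swap matters: without it, decrypting would require swapping the halves by hand before and after, which is why DES also ends with a 32-bit swap.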
The Data Encryption Standard
DES Encryption
Initial Permutation
Details of a Single Round
Key Generation
The Avalanche Effect

The Data Encryption Standard
For decades the most widely used encryption algorithm.
Adopted in 1977 by the National Bureau of Standards (now NIST) as FIPS PUB 46.
Data are encrypted in 64-bit blocks using a 56-bit key.

DES Encryption
DES is a Feistel cipher with the exception of the initial permutation IP and its inverse $IP^{-1}$, which are key-independent and add no cryptographic strength.
Initial Permutation
The permutation: $X = IP(M)$
The inverse permutation: $Y = IP^{-1}(X) = IP^{-1}(IP(M))$
The original ordering is restored.
Single Round
F function
$R_{i-1}$ (32 bits) is expanded to 48 bits using the expansion table E.
The result is XORed with the 48-bit round key $K_i$.
The 48 bits are substituted by 32 bits using the S-boxes.
The 32 bits are permuted by P.

Expansion E
32 bits become 48 bits: 16 bits are reused (each 4-bit group borrows the outer bits of its neighbours).
Permutation P

Substitution
48 bits become 32 bits using 8 S-boxes.
Each S-box takes 6 bits and outputs 4 bits.
Each S-box is given as a table (page 79 of the text).
Outer bits 1 and 6 (row bits) select one of 4 rows.
Inner bits 2-5 (column bits) select one of 16 columns; the entry there is the 4-bit output.
Example (S-box S1): input 011001
the row is 01 (row 1)
the column is 1100 (column 12)
the output is 9 = 1001
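The expansion and S-box steps of the F function in code, as an added example that is not part of the lecture notes. The tables E and S1 are the published DES tables from FIPS 46; the helper names (permute, expand, sbox_lookup, reused_bit_count, sbox_is_balanced) are chosen for this example, and only S1 of the eight S-boxes is included.

```python
"""Added example (not part of the original slides): the DES expansion
table E and S-box S1 from FIPS 46, with the 6-bit row/column selection
the slide walks through.  Only S1 is included; the other seven S-boxes
work identically with their own tables."""
from __future__ import annotations

# Expansion E: 48 output positions, each naming a bit (1-based) of the
# 32-bit right half.  The edge bits of every 4-bit group are reused.
E = [
    32, 1, 2, 3, 4, 5,
    4, 5, 6, 7, 8, 9,
    8, 9, 10, 11, 12, 13,
    12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,
    20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,
    28, 29, 30, 31, 32, 1,
]

# S-box S1: 4 rows x 16 columns, entries are the 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def permute(value: int, table: list[int], width: int) -> int:
    """Apply a DES-style table: output bit j (MSB first) is input bit
    table[j], where input bits are numbered 1..width from the MSB."""
    out = 0
    for pos in table:
        bit = (value >> (width - pos)) & 1
        out = (out << 1) | bit
    return out


def expand(right32: int) -> int:
    """32-bit right half -> 48 bits via E."""
    return permute(right32, E, 32)


def reused_bit_count() -> int:
    """How many of the 48 E outputs are copies: 48 - 32 = 16 on the slide."""
    return len(E) - len(set(E))


def sbox_lookup(sbox: list[list[int]], six_bits: int) -> int:
    """Row = outer bits (b1 b6), column = inner bits (b2..b5)."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]


def sbox_is_balanced(sbox: list[list[int]]) -> bool:
    """Each row of a DES S-box is a permutation of 0..15, i.e. every
    output value appears exactly once per row (a published design rule)."""
    return all(sorted(row) == list(range(16)) for row in sbox)


if __name__ == "__main__":
    print(f"reused bits in E: {reused_bit_count()}")
    print(f"S1(011001) = {sbox_lookup(S1, 0b011001):04b}")
```

The sbox_is_balanced check is the kind of property a practitioner verifies when re-typing a table: a single transposed digit would break it.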
Key Generation
A 64-bit key is used as input.
Every 8th bit is ignored (used as a parity bit). Thus, the effective key is 56 bits.
Permuted Choice 1 (PC-1) permutes the 56 bits into two 28-bit halves.
In each round, each 28-bit half is rotated left (by 1 or 2 positions, depending on the round), and 24 bits are selected from each half by Permuted Choice 2 (PC-2) to form the 48-bit round key $K_i$.

DES Decryption
Decryption uses the same algorithm as encryption, since DES is a Feistel cipher.
The round key schedule is reversed: $K_{16}$ is used first and $K_1$ last.
The Avalanche Effect
A small change in the plaintext or the key produces a significant change in the ciphertext.
DES exhibits a strong avalanche effect: after a few rounds roughly half of the output bits differ.

Example 1 (one plaintext bit changed, same key)
Plaintext 1: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Plaintext 2: 10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Key:         00000001 1001011 0100100 1100010 0011100 0011000 0011100 0110010

Example 2 (one key bit changed, same plaintext)
Plaintext: 01101000 10000101 00101111 01111010 00010011 01110110 11101011 10100100
Key 1: 1110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
Key 2: 0110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
The Strength of DES
The Use of 56-bit Keys
The Nature of the DES Algorithm
Timing Attacks

The Use of 56-bit Keys
With a 56-bit key there are $2^{56} \approx 7.2 \times 10^{16}$ keys.
In 1998 the Electronic Frontier Foundation (EFF) announced a DES cracker that recovered a key by exhaustive search in less than 3 days.
It was built for less than $250,000.
Alternatives to DES
AES (128, 192 or 256-bit keys) and Triple DES (112 or 168-bit keys).
Differential and Linear Cryptanalysis
Differential Cryptanalysis
Linear Cryptanalysis

Differential Cryptanalysis
One of the most significant advances in cryptanalysis in recent years is differential cryptanalysis.
History
Murphy (1990) and Biham & Shamir (1990) published the technique.
It was the first published attack capable of breaking DES in less than $2^{55}$ complexity.
As reported, it can cryptanalyze DES with an effort on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts.
This is a powerful tool, but it does not do very well against DES in practice: obtaining $2^{47}$ chosen plaintexts is infeasible.
Differential cryptanalysis was known to IBM as early as 1974, and the DES S-boxes were designed to resist it.

Linear Cryptanalysis
Another recent development; also a statistical method.
Must be iterated over rounds, with decreasing probabilities.
Developed by Matsui et al. in the early 1990s.
Based on finding linear approximations of the cipher's operations.
Can attack DES with $2^{47}$ known plaintexts, still infeasible in practice.
Cryptography and Network Security
Chapter 4
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown

Introduction
will now introduce finite fields
of increasing importance in cryptography
AES, Elliptic Curve, IDEA, Public Key
concern operations on numbers
where what constitutes a number and the type of operations varies considerably
start with concepts of groups, rings, fields from abstract algebra
Group
a set of elements or numbers
with some operation whose result is also in the set (closure)
obeys:
associative law: (a.b).c = a.(b.c)
has identity e: e.a = a.e = a
has inverses $a^{-1}$: $a.a^{-1} = e$
if commutative a.b = b.a
then forms an abelian group

Cyclic Group
define exponentiation as repeated application of operator
example: $a^3 = a.a.a$
and let identity be: $e = a^0$
a group is cyclic if every element is a power of some fixed element
ie $b = a^k$ for some a and every b in group
a is said to be a generator of the group

Ring
a set of numbers
with two operations (addition and multiplication) which form:
an abelian group with addition operation
and multiplication:
has closure
is associative
distributive over addition: a(b+c) = ab + ac
if multiplication operation is commutative, it forms a commutative ring

Field
a set of numbers
with two operations which form:
abelian group for addition
abelian group for multiplication (ignoring 0)
ring
have hierarchy with more axioms/laws
group -> ring -> field
Modular Arithmetic
define modulo operator a mod n to be remainder when a is divided by n
use the term congruence for: a ≡ b (mod n)
when divided by n, a & b have same remainder
eg. 100 ≡ 34 (mod 11), since both leave remainder 1
b is called a residue of a mod n
since with integers can always write: a = qn + b
usually chose smallest positive remainder as residue
ie. 0 <= b <= n-1
process is known as modulo reduction
eg. -12 mod 7 ≡ 2 mod 7, since -12 = (-2) x 7 + 2

Divisors
say a non-zero number b divides a if for some m have a = mb (a, b, m all integers)
that is b divides into a with no remainder
denote this b|a
and say that b is a divisor of a
eg. all of 1,2,3,4,6,8,12,24 divide 24

Modular Arithmetic Operations
is 'clock arithmetic'
uses a finite number of values, and loops back from either end
modular arithmetic is when do addition & multiplication and modulo reduce answer
can do reduction at any point, ie
(a+b) mod n = [(a mod n) + (b mod n)] mod n

Modular Arithmetic
can do modular arithmetic with any group of integers: $Z_n$ = {0, 1, ..., n-1}
form a commutative ring for addition with a multiplicative identity
note some peculiarities
if (a+b) ≡ (a+c) (mod n) then b ≡ c (mod n)
but if (a.b) ≡ (a.c) (mod n) then b ≡ c (mod n) only if a is relatively prime to n
Modulo 8 Addition Example
+  0 1 2 3 4 5 6 7
0  0 1 2 3 4 5 6 7
1  1 2 3 4 5 6 7 0
2  2 3 4 5 6 7 0 1
3  3 4 5 6 7 0 1 2
4  4 5 6 7 0 1 2 3
5  5 6 7 0 1 2 3 4
6  6 7 0 1 2 3 4 5
7  7 0 1 2 3 4 5 6
Greatest Common Divisor (GCD)
a common problem in number theory
GCD(a,b) of a and b is the largest number that divides evenly into both a and b
eg GCD(60,24) = 12
often want no common factors (except 1)
and hence numbers are relatively prime
eg GCD(8,15) = 1
hence 8 & 15 are relatively prime

Euclidean Algorithm
an efficient way to find the GCD(a,b)
uses theorem that:
GCD(a, b) = GCD(b, a mod b)
Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a, b)
1. A = a; B = b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A = B
5. B = R
6. goto 2

Example GCD(1970,1066)
1970 = 1 x 1066 + 904   gcd(1066, 904)
1066 = 1 x 904 + 162    gcd(904, 162)
904 = 5 x 162 + 94      gcd(162, 94)
162 = 1 x 94 + 68       gcd(94, 68)
94 = 1 x 68 + 26        gcd(68, 26)
68 = 2 x 26 + 16        gcd(26, 16)
26 = 1 x 16 + 10        gcd(16, 10)
16 = 1 x 10 + 6         gcd(10, 6)
10 = 1 x 6 + 4          gcd(6, 4)
6 = 1 x 4 + 2           gcd(4, 2)
4 = 2 x 2 + 0           gcd(2, 0)
so GCD(1970,1066) = 2
Galois Fields
finite fields play a key role in cryptography
can show number of elements in a finite field must be a power of a prime $p^n$
known as Galois fields
denoted $GF(p^n)$
in particular often use the fields:
GF(p)
$GF(2^n)$

Galois Fields GF(p)
GF(p) is the set of integers {0,1, ..., p-1} with arithmetic operations modulo prime p
these form a finite field
since have multiplicative inverses (every non-zero element is relatively prime to p)
hence arithmetic is well-behaved and can do addition, subtraction, multiplication, and division without leaving the field GF(p)

GF(7) Multiplication Example
x  0 1 2 3 4 5 6
0  0 0 0 0 0 0 0
1  0 1 2 3 4 5 6
2  0 2 4 6 1 3 5
3  0 3 6 2 5 1 4
4  0 4 1 5 2 6 3
5  0 5 3 1 6 4 2
6  0 6 5 4 3 2 1
Finding Inverses
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = $b^{-1}$ mod m
4. Q = A3 div B3
5. (T1, T2, T3) = (A1 - Q B1, A2 - Q B2, A3 - Q B3)
6. (A1, A2, A3) = (B1, B2, B3)
7. (B1, B2, B3) = (T1, T2, T3)
8. goto 2
The invariant is A1 m + A2 b = A3 and B1 m + B2 b = B3 on every step, so when B3 = 1 we have B2 b ≡ 1 (mod m).

Inverse of 550 in GF(1759)
Q     A1     A2     A3     B1     B2     B3
-      1      0   1759      0      1    550
3      0      1    550      1     -3    109
5      1     -3    109     -5     16      5
21    -5     16      5    106   -339      4
1    106   -339      4   -111    355      1
so $550^{-1}$ mod 1759 = 355 (check: 550 x 355 = 195250 = 111 x 1759 + 1)
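Both algorithms above, the plain Euclid used for GCD(1970,1066) and the extended version used for the 550 mod 1759 table, in code as an added example that is not part of the lecture notes. It keeps the slides' (A1,A2,A3)/(B1,B2,B3) bookkeeping so each row of the table can be reproduced; the function names (euclid, extended_euclid_trace, mod_inverse, inverses_mod_p) are chosen for this example.

```python
"""Added example (not part of the original slides): Euclid's algorithm
and the extended version from the slides, with the (A1,A2,A3)/(B1,B2,B3)
bookkeeping made explicit so the 550 mod 1759 trace can be reproduced
row by row.  Negative intermediate coefficients are kept as-is; the
final B2 is reduced mod m to give the inverse."""
from __future__ import annotations


def euclid(a: int, b: int) -> int:
    """gcd(a, b) via gcd(a, b) = gcd(b, a mod b)."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_euclid_trace(m: int, b: int) -> list[tuple]:
    """Return the slide's table rows (Q, A1, A2, A3, B1, B2, B3).
    Invariant: A1*m + A2*b == A3 and B1*m + B2*b == B3 on every row."""
    A = (1, 0, m)
    B = (0, 1, b)
    rows = [(None,) + A + B]           # first row has no quotient yet
    while B[2] not in (0, 1):
        q = A[2] // B[2]
        T = (A[0] - q * B[0], A[1] - q * B[1], A[2] - q * B[2])
        A, B = B, T
        rows.append((q,) + A + B)
    return rows


def mod_inverse(b: int, m: int) -> int | None:
    """b^-1 mod m if gcd(b, m) == 1, else None (no inverse exists)."""
    last = extended_euclid_trace(m, b)[-1]
    _q, _a1, _a2, _a3, _b1, b2, b3 = last
    if b3 != 1:
        return None                    # B3 == 0: gcd(m, b) = A3 > 1
    return b2 % m


def inverses_mod_p(p: int) -> dict[int, int]:
    """Inverse table for GF(p); every non-zero element has one iff p is prime."""
    table = {}
    for x in range(1, p):
        inv = mod_inverse(x, p)
        if inv is None:
            raise ValueError(f"{p} is not prime: {x} has no inverse")
        table[x] = inv
    return table


if __name__ == "__main__":
    print("gcd(1970, 1066) =", euclid(1970, 1066))
    for row in extended_euclid_trace(1759, 550):
        print(row)
    print("550^-1 mod 1759 =", mod_inverse(550, 1759))
```

Note that B2 can come out negative (the table has -3, -339, -111); reducing it mod m is what turns the Bezout coefficient into the residue the slide reports.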
Polynomial Arithmetic
can compute using polynomials
$f(x) = a_n x^n + a_{n-1} x^{n-1} + \dots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i$
nb. not interested in any specific value of x
which is known as the indeterminate
several alternatives available
ordinary polynomial arithmetic
poly arithmetic with coefficients mod p
poly arithmetic with coefficients mod p and polynomials mod m(x)
Ordinary Polynomial Arithmetic
add or subtract corresponding coefficients
multiply all terms by each other
eg
let $f(x) = x^3 + x^2 + 2$ and $g(x) = x^2 - x + 1$
$f(x) + g(x) = x^3 + 2x^2 - x + 3$
$f(x) - g(x) = x^3 + x + 1$
$f(x) \times g(x) = x^5 + 3x^2 - 2x + 2$
Polynomial Arithmetic with Modulo Coefficients
when computing value of each coefficient do calculation modulo some value
forms a polynomial ring
could be modulo any prime
but we are most interested in mod 2
ie all coefficients are 0 or 1 (and subtraction is the same as addition)
eg. let $f(x) = x^3 + x^2$ and $g(x) = x^2 + x + 1$
$f(x) + g(x) = x^3 + x + 1$
$f(x) \times g(x) = x^5 + x^2$
Polynomial Division
can write any polynomial in the form:
$f(x) = q(x)\,g(x) + r(x)$
can interpret $r(x)$ as being a remainder
$r(x) = f(x) \bmod g(x)$
if have no remainder say $g(x)$ divides $f(x)$
if $g(x)$ has no divisors other than itself & 1 say it is irreducible (or prime) polynomial
arithmetic modulo an irreducible polynomial forms a field

Polynomial GCD
can find greatest common divisor for polys
$c(x) = GCD(a(x), b(x))$ if $c(x)$ is the poly of greatest degree which divides both $a(x)$, $b(x)$
can adapt Euclid's Algorithm to find it:
EUCLID[a(x), b(x)]
1. A(x) = a(x); B(x) = b(x)
2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
3. R(x) = A(x) mod B(x)
4. A(x) = B(x)
5. B(x) = R(x)
6. goto 2
Modular Polynomial Arithmetic
can compute in field $GF(2^n)$
polynomials with coefficients modulo 2
whose degree is less than n
hence must reduce modulo an irreducible poly of degree n (for multiplication only)
form a finite field
can always find an inverse
can extend Euclid's Inverse algorithm to find

Example $GF(2^3)$

Computational Considerations
since coefficients are 0 or 1, can represent any such polynomial as a bit string
addition becomes XOR of these bit strings
multiplication is shift & XOR
cf long-hand multiplication
modulo reduction done by repeatedly substituting highest power with remainder of irreducible poly (also shift & XOR)
Computational Example
in $GF(2^3)$ have $(x^2+1)$ is 101 & $(x^2+x+1)$ is 111
so addition is
$(x^2+1) + (x^2+x+1) = x$
101 XOR 111 = 010
and multiplication is
$(x+1).(x^2+1) = x.(x^2+1) + 1.(x^2+1) = x^3 + x + x^2 + 1 = x^3 + x^2 + x + 1$
011.101 = (101)<<1 XOR (101)<<0 = 1010 XOR 101 = 1111
polynomial modulo reduction (get q(x) & r(x)) is
$(x^3 + x^2 + x + 1) \bmod (x^3 + x + 1) = 1.(x^3 + x + 1) + x^2$, remainder $x^2$
1111 mod 1011 = 1111 XOR 1011 = 0100
Using a Generator
equivalent definition of a finite field
a generator g is an element whose powers generate all non-zero elements
in F have 0, $g^0$, $g^1$, ..., $g^{q-2}$
can create generator from root of the irreducible polynomial
then implement multiplication by adding exponents of generator
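The bit-string arithmetic of the computational example and the generator test of the last slide, in code as an added example that is not part of the lecture notes. It goes beyond the slides' $GF(2^3)$ case to $GF(2^8)$ with the AES modulus $x^8 + x^4 + x^3 + x + 1$, since that is the field AES (mentioned in the introduction) actually uses; the function names (gf_add, gf_mul, gf_reduce, gf_inv, is_generator) and the constants MOD_GF8 and MOD_AES are chosen for this example.

```python
"""Added example (not part of the original slides): GF(2^n) arithmetic on
bit strings exactly as the slides describe it (add = XOR, multiply =
shift & XOR, reduce = XOR with the shifted irreducible polynomial), plus
the generator check from the last slide.  Two fields are exercised: the
slide's GF(2^3) with x^3+x+1 and the AES field GF(2^8) with
x^8+x^4+x^3+x+1 (FIPS 197)."""
from __future__ import annotations

MOD_GF8 = 0b1011        # x^3 + x + 1, the slide's GF(2^3) modulus
MOD_AES = 0x11B         # x^8 + x^4 + x^3 + x + 1, used by AES


def gf_add(a: int, b: int) -> int:
    """Coefficient-wise addition mod 2 is XOR; subtraction is the same."""
    return a ^ b


def gf_reduce(a: int, mod: int) -> int:
    """Replace the highest power by the remainder of the irreducible poly
    until the degree is below deg(mod): line the modulus up with the
    leading bit and XOR, repeatedly."""
    n = mod.bit_length() - 1
    while a.bit_length() - 1 >= n:
        shift = a.bit_length() - 1 - n
        a ^= mod << shift
    return a


def gf_mul(a: int, b: int, mod: int) -> int:
    """Long-hand multiplication: for each set bit of b, XOR in a shifted a.
    The product is reduced afterwards (the slide's '1111 mod 1011' step)."""
    product = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            product ^= a << i
    return gf_reduce(product, mod)


def gf_pow(a: int, e: int, mod: int) -> int:
    """Square-and-multiply in the field."""
    result, base = 1, a
    while e:
        if e & 1:
            result = gf_mul(result, base, mod)
        base = gf_mul(base, base, mod)
        e >>= 1
    return result


def gf_inv(a: int, mod: int) -> int:
    """a^-1 = a^(2^n - 2), since every non-zero a satisfies a^(2^n - 1) = 1."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    n = mod.bit_length() - 1
    return gf_pow(a, (1 << n) - 2, mod)


def is_generator(g: int, mod: int) -> bool:
    """True if g^0 .. g^(2^n - 2) produce every non-zero element of the field."""
    n = mod.bit_length() - 1
    seen, cur = set(), 1
    for _ in range((1 << n) - 1):
        seen.add(cur)
        cur = gf_mul(cur, g, mod)
    return len(seen) == (1 << n) - 1


if __name__ == "__main__":
    print(f"101 + 111 = {gf_add(0b101, 0b111):03b}")              # 010
    print(f"011 * 101 = {gf_mul(0b011, 0b101, MOD_GF8):03b}")     # 100
    print(f"{{57}} * {{83}} = {gf_mul(0x57, 0x83, MOD_AES):02x}")  # c1
    print("x generates GF(2^3):", is_generator(0b010, MOD_GF8))
```

The generator check also shows a caveat worth knowing: the AES polynomial is irreducible but not primitive, so x (0x02) does not generate the non-zero elements of that field, whereas x + 1 (0x03) does, which is why AES log/antilog tables are built on 0x03.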
Summary
have considered:
concept of groups, rings, fields
modular arithmetic with integers
Euclid's algorithm for GCD
finite fields GF(p)
polynomial arithmetic in general and in $GF(2^n)$

Cryptography and Network Security
Chapter 5
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown

Origins
clear a replacement for DES was needed
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
can use Triple-DES but slow, has small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of 20-30 years (+ archival use)
provide full specification & design details
both C & Java implementations
NIST have released all submissions &
unclassified analyses
AES Evaluation Criteria
initial criteria:
security - effort for practical cryptanalysis
cost - in terms of computational efficiency
algorithm & implementation characteristics
final criteria
general security
ease of software & hardware implementation
implementation attacks
flexibility (in en/decrypt, keying, other factors)
AES Shortlist
after testing and evaluation, shortlist in Aug-99:
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security margin
Rijndael (Belgium) - clean, fast, good security margin
Serpent (Euro) - slow, clean, v. high security margin
Twofish (USA) - complex, v. fast, high security margin
then subject to further analysis & comment
saw contrast between algorithms with
few complex rounds versus many simple rounds
which refined existing ciphers versus new proposals
The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than Feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
Rijndael
data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiply of groups)
add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
Rijndael
Byte Substitution
a simple substitution of each byte
uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
each byte of state is replaced by byte indexed by
row (left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by byte in row 9 column 5
which has value {2A}
S-box constructed using defined transformation
of values in GF(2^8)
designed to be resistant to all known attacks
Byte Substitution
Shift Rows
a circular byte shift in each row
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step
permutes bytes between the columns
Shift Rows
Mix Columns
each column is processed separately
each byte is replaced by a value
dependent on all 4 bytes in the column
effectively a matrix multiplication in GF(2^8)
using prime poly $m(x) = x^8 + x^4 + x^3 + x + 1$
Mix Columns
Mix Columns
can express each col as 4 equations
to derive each new byte in col
decryption requires use of inverse matrix
with larger coefficients, hence a little harder
have an alternate characterisation
each column a 4-term polynomial
with coefficients in GF(2^8)
and polynomials multiplied modulo $(x^4 + 1)$
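As an added example (not code from the slides), the GF(2^8) multiplication behind MixColumns and the forward and inverse column transforms, checked against the sample column from FIPS-197; the matrices and the polynomial are the ones the slides describe, everything else is this example's own code.

```python
"""GF(2^8) arithmetic and the AES MixColumns step.

Added example, not code from the slides. Bytes are multiplied in GF(2^8)
modulo the AES prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1, and one
column of the state is passed through the MixColumns matrix and its
inverse (whose coefficients 0e 0b 0d 09 are the "larger" ones).
"""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def xtime(b):
    """Multiply a byte by x (i.e. by {02}) in GF(2^8), reducing modulo m(x)."""
    b <<= 1
    if b & 0x100:          # a degree-8 term appeared: subtract (XOR) m(x)
        b ^= AES_POLY
    return b & 0xFF


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8): shift-and-add, with XOR as addition."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


# MixColumns multiplies each column by this circulant matrix over GF(2^8).
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

# InvMixColumns uses the inverse matrix, which has larger coefficients.
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def mix_column(col, matrix=MIX):
    """Each new byte depends on all 4 bytes of the column (matrix * column)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def inv_mix_column(col):
    """Inverse transform: the same computation with the inverse matrix."""
    return mix_column(col, INV_MIX)


def mix_columns(state):
    """state = 4 columns of 4 bytes (column-major, as on the slides)."""
    return [mix_column(c) for c in state]


def inv_mix_columns(state):
    return [inv_mix_column(c) for c in state]


if __name__ == "__main__":
    # FIPS-197 sample column: db 13 53 45 -> 8e 4d a1 bc
    print([hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
```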
Add Round Key
XOR state with 128-bits of the round key
again processed by column (though
effectively a series of byte operations)
inverse for decryption identical
since XOR own inverse, with reversed keys
designed to be as simple as possible
a form of Vernam cipher on expanded key
requires other stages for complexity / security
Add Round Key
AES Round
AES Key Expansion
takes 128-bit (16-byte) key and expands
into array of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on
values in previous & 4 places back
in 3 of 4 cases just XOR these together
1st word in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back
AES Key Expansion
Key Expansion Rationale
designed to resist known attacks
design criteria included
knowing part key insufficient to find many more
invertible transformation
fast on wide range of CPUs
use round constants to break symmetry
diffuse key bits into round keys
enough non-linearity to hinder analysis
simplicity of description
AES Decryption
AES decryption is not identical to
encryption since steps done in reverse
but can define an equivalent inverse
cipher with steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
AES Decryption
Implementation Aspects
can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table
of 256 entries
shift rows is simple byte shift
add round key works on byte XORs
mix columns requires matrix multiply in GF(2^8)
which works on byte values, can be simplified
to use table lookups & byte XORs
Implementation Aspects
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be
computed using 4 table lookups + 4 XORs
at a cost of 4Kb to store tables
designers believe this very efficient
implementation was a key factor in its
selection as the AES cipher
Summary
have considered:
the AES selection process
the details of Rijndael - the AES cipher
looked at the steps in each round
the key expansion
implementation aspects
Chapter 6
More on Symmetric Ciphers
Contents
Multiple Encryption and Triple DES
Block Cipher Modes of Operation
Stream Ciphers and RC4
Multiple Encryption and Triple DES
Multiple Encryption and Triple DES
Double DES
Triple DES with Two Keys
Triple DES with Three Keys
Multiple Encryption and Triple DES
The potential vulnerability of DES to a brute-force attack
Clearly a replacement for DES was needed
AES (The Advanced Encryption Standard)
AES was announced by the National Institute of Standards and Technology (NIST)
as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001
AES is a non-Feistel cipher
Block size: 128 bits
Round #: It uses 10, 12, or 14 rounds.
Key size: 128, 192, or 256 bits, depending on the number of rounds.
Prior to this, the alternative was to use multiple encryption with
DES implementations
Double DES
Two encryption stages and two keys
$C = E_{K_2}[E_{K_1}[P]]$
$P = D_{K_1}[D_{K_2}[C]]$
key length: 56 x 2 = 112 bits
Reduction to a Single Stage
Suppose, given any two keys $K_1$ and $K_2$, it would be possible
to find a key $K_3$ such that
$E_{K_2}[E_{K_1}[P]] = E_{K_3}[P]$
Double DES would be useless
Because the result would be equivalent to a single encryption
Reduction to a Single Stage
Consider
Encryption is a mapping of 64-bit blocks to 64-bit blocks
can be viewed as a permutation
Consider all $2^{64}$ possible input blocks
map each block into a unique block (with a specific key)
How many different mappings?
$(2^{64})! \approx 10^{347380000000000000000} \approx 10^{10^{20}}$
Reduction to a Single Stage
DES defines one mapping for each different key
For a total number of mappings $2^{56} \approx 10^{17}$
If DES is used twice with different keys, it will produce one of
the many mappings that is not defined by a single application
of DES
Meet-in-the-Middle Attack
$C = E_{K_2}[E_{K_1}[P]]$, then $X = E_{K_1}[P] = D_{K_2}[C]$
Given a known pair (P, C),
Encrypt P for all $2^{56}$ possible values of $K_1$.
Decrypt C using all $2^{56}$ possible values of $K_2$.
Check the results of the two and find the matching pair.
Test the two keys against a new known pair (P, C).
Meet-in-the-Middle Attack
$x = E_{k_1}(m) = D_{k_2}(c)$
Given a pair (m, c),
$x_i = E_{k_1}(m)$ for the $i = 1, 2, \ldots, 2^{56}$ candidate keys $k_1$: $x_1, x_2, \ldots, x_{2^{56}}$
$x_j = D_{k_2}(c)$ for the $j = 1, 2, \ldots, 2^{56}$ candidate keys $k_2$: $x_1, x_2, \ldots, x_{2^{56}}$
Triple DES
3DES with two keys
$C = E_{K_1}[D_{K_2}[E_{K_1}[P]]]$
if $K_1 = K_2$ then can work with single DES
$C = E_{K_1}[D_{K_1}[E_{K_1}[P]]] = E_{K_1}[P]$
Triple DES
Currently, there are no practical cryptanalytic attacks.
Cost of a brute-force key search
$2^{112} \approx 5 \times 10^{33}$
Triple DES
3DES with three keys
key length of 168 bits
has been adopted by some Internet applications, eg PGP,
S/MIME
$C = E_{K_3}[D_{K_2}[E_{K_1}[P]]]$
Block Cipher Modes of Operation
Block Cipher Modes of Operation
Electronic Codebook Mode
Cipher Block Chaining Mode
Cipher Feedback Mode
Output Feedback Mode
Counter Mode
Electronic Codebook Mode
The simplest mode
plaintext is handled 64 bits at a time (assuming the use of DES)
each block of plaintext is encrypted using the same key
Electronic Codebook Mode
Decryption is performed one block at a time, always using the
same key
Electronic Codebook Mode
Ideal
for a short amount of data, such as an encryption key
Characteristic of ECB
the same block of plaintext always produces the same ciphertext.
For a lengthy message, the ECB mode may not be
secure.
Cipher Block Chaining Mode
To overcome the security deficiencies of ECB, the same
plaintext block should produce a different ciphertext block.
Cipher Block Chaining Mode
The simple way to satisfy this requirement is the CBC mode.
The input is the XOR of the current plaintext block and the preceding ciphertext
block.
The same key is used for each block.
So, repeating patterns are not exposed.
Cipher Block Chaining Mode
For decryption,
D
K
[C
j
] D
K
[E
K
(C
j1
P
j
)]
D
K
[C
j
] (C
j1
P
j
)
C
j1
D
K
[C
j
] C
j1
C
j1
P
j
P
j
C
j
E
K
[C
j1
P
j
]
Cipher Block Chaining Mode
Initialization vector (IV)
Must be known to both the sender and receiver.
Should be protected as well as the key (for maximum security).
Sent using ECB encryption.
Cipher Block Chaining Mode
One reason for protecting the IV is
If an opponent is able to fool the receiver into using a different value for
the IV, then the opponent is able to invert selected bits in the first block of
plaintext.
$P_1[i] = IV[i] \oplus D_K(C_1)[i]$
$P_1[i]' = IV[i]' \oplus D_K(C_1)[i]$
X[i] denotes the i th bit of the 64-bit quantity X,
and the prime notation denotes bit complementation.
This means that if an opponent can predictably change bits in the IV, the
corresponding bits of the received value of $P_1$ can be changed.
Output Feedback Mode
The DES scheme is essentially a block cipher technique.
However, it is possible to convert into a stream cipher, using
either the CFB or OFB.
Eliminates the need to pad a message.
Can operate in real time.
24
Output Feedback Mode
Similar to CFB
but, the output of the encryption function to the shift register.
25
Output Feedback Mode
26
Output Feedback Mode
One advantage of the OFB
Bit errors in transmission do not propagate.
If a bit error occurs in C
1
, only the recovered value of P
1
is
affected.
The disadvantage of the OFB
It is vulnerable to a message stream modification attack.
27
Cipher Feedback Mode
Message is treated as a stream of bits.
encryption
input is a 64-bit shift register.
initially set to some initialization vector (IV)
the leftmost s bits are XORed with the plaintext segment.
shifted left by s bits and ciphertext is placed in the rightmost s bits.
decryption
the same scheme is used.
received ciphertext is XORed with output of the encryption function to
produce the plaintext.
28
Cipher Feedback Mode
29
Counter Mode
Counter mode has increased recently
application to ATM network security and IPSec
The counter value must be different for each plaintext block.
requirement in SP 800-38A
The counter is initialized to some value.
the counter incremented by 1 for each block.
30
Counter Mode
31
Counter Mode
Advantages of CTR mode
Hardware efficiency
Can be done in parallel on multiple blocks of plaintext or ciphertext.
Software efficiency
Processors that support parallel features can be effectively utilized.
Preprocessing
Does not depend on input of the plaintext or ciphertext.
Random access
The i th block of plaintext or ciphertext can be processed in random
access fashion.
32
Counter Mode
Advantages of CTR mode
Provable security
CTR is at least as secure as the other modes.
Simplicity
CTR mode requires only the implementation of the encryption
algorithm and not decryption algorithm.
The decryption key scheduling need not be implemented.
33
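The following added example (not from the slides) runs ECB, CBC and CTR over a constructed 64-bit toy block cipher, a 4-round Feistel network with a SHA-256 round function that stands in for DES so the code runs offline; it shows the ECB repetition leak, the CBC decryption identity, the effect of a complemented IV bit on $P_1$, and that CTR needs only the encryption direction. The key, IV and plaintext values are constructed for illustration.

```python
"""Block cipher modes of operation on a toy 64-bit block cipher.

Added example, not code from the slides. The block cipher below is a
constructed stand-in (4-round Feistel, SHA-256 round function), used only
so that the real ECB/CBC/CTR logic can run without a DES implementation.
"""
import hashlib

BLOCK = 8  # 64-bit blocks, matching the DES-based description


def _round(key, r, half):
    """Round function F: 32 bits derived from key, round number and half."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Toy Feistel encryption of one 8-byte block (constructed, not DES)."""
    left, right = block[:4], block[4:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left  # undo the last swap so decryption reuses the loop


def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for r in reversed(range(4)):
        left, right = right, _xor(left, _round(key, r, right))
    return right + left


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    """Each block encrypted independently with the same key."""
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, b) for b in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    """C_j = E_K[C_{j-1} XOR P_j], with C_0 = IV."""
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(prev, p))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    """P_j = C_{j-1} XOR D_K[C_j]."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(prev, decrypt_block(key, c)))
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """Counter mode: XOR data with E_K(counter_i); encrypt and decrypt alike."""
    out, start = [], int.from_bytes(nonce, "big")
    for i in range(0, len(data), BLOCK):
        counter = ((start + i // BLOCK) % (1 << 64)).to_bytes(BLOCK, "big")
        out.append(_xor(data[i:i + BLOCK], encrypt_block(key, counter)))
    return b"".join(out)


def repeated_blocks(ct):
    """How many ciphertext blocks repeat an earlier one (the ECB leak)."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))


def iv_bit_flip_effect(key, iv, pt, bit):
    """Decrypt with IV bit `bit` complemented; return pt XOR recovered.

    Illustrates P_1[i]' = IV[i]' XOR D_K(C_1)[i]: only that bit of block 1
    changes, which is why the IV must be protected like the key.
    """
    ct = cbc_encrypt(key, iv, pt)
    bad_iv = bytearray(iv)
    bad_iv[bit // 8] ^= 1 << (7 - bit % 8)
    return _xor(pt, cbc_decrypt(key, bytes(bad_iv), ct))
```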
Stream Ciphers and RC4
Stream Ciphers and RC4
Stream Cipher Structure
The RC4 Algorithm
34
Stream Cipher
35
Stream Cipher
Important design considerations for a stream cipher
The encryption sequence should have a large period.
The keystream should approximate the properties of a true
random number stream as close as possible.
The key needs to be sufficiently long.
A key length of at least 128 bits is desirable.
36
Stream Cipher Structure
The advantage of a stream cipher over a block cipher
Faster
Use far less code
37
RC4
Designed in 1987 by Ron Rivest
Variable key size and byte-oriented
Based on the use of random permutation
The period of the cipher is likely to be greater than 10
100
.
Widely used SSL/TLS and WEP
38
RC4
Algorithm overview
Initialize arrays S[0..255] andT[0..255].
Produce the initial permutation of S
Stream generation
39
RC4
40
RC4
Initialization of arrays S[0..255] andT[0..255].
S[i] = i for 0 i 255.
S[0] = 0, , S[255] = 255
T[i] = K [i mod keylen] for 0 i 255.
T[0] = K[0], T[1] = K[1], T[keylen+1] = K[1], ...
41
RC4
Produce the initial permutation of S
/* Initial Permutation of S */
j = 0 ;
for i = 0 to 255 do
j = ( j + S[i] + T[i] ) mod 256;
Swap ( S[i], S[j] );
42
RC4 Key schedule
Stream generation
/* Stream Generation */
i, j = 0 ;
while (true)
i = (i + 1) mod 256 ;
j = (j + S[i]) mod 256 ;
Swap (S[i], S[j]) ;
t = (S[i] + S[j]) mod 256 ;
k = S[t] ;
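An added Python version of the RC4 key schedule and stream generation above (not code from the slides), with encryption as XOR against the keystream, checked against published RC4 test vectors.

```python
"""RC4: key scheduling (initial permutation of S) and stream generation.

Added example, not code from the slides. The two loops follow the
pseudocode above; the test vectors (key "Key", plaintext "Plaintext",
etc.) are the widely published RC4 reference values.
"""


def rc4_ksa(key):
    """S[i] = i, T[i] = K[i mod keylen], then the swap loop over i = 0..255."""
    keylen = len(key)
    S = list(range(256))
    T = [key[i % keylen] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """Produce n keystream bytes k = S[t] with the stream-generation loop."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out)


def rc4_crypt(key, data):
    """Encryption and decryption are the same XOR with the keystream."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
```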
Chapter 8
Introduction to Number Theory
Contents
Prime Numbers
Fermat's and Euler's Theorems
Prime Numbers
Prime numbers
An integer p > 1 is a prime number if and only if it is divisible by only 1
and p.
Prime Numbers
Integer factorization
Any integer a > 1 can be factored in a unique way as
$a = p_1^{a_1} \times p_2^{a_2} \times p_3^{a_3} \times \cdots \times p_t^{a_t}$
where $p_1 < p_2 < \cdots < p_t$ are prime numbers and
each $a_i$ is a positive integer.
$91 = 7 \times 13$;
$11011 = 7 \times 11^2 \times 13$
Another integer factorization
If P is the set of all prime numbers, then any positive integer can be
written uniquely in the following form:
The right side is the product over all possible prime numbers p.
Most of the exponents a
p
will be 0.
0 each where
P
> =
[
e
p
p
a
a p a
p
3600 = 2
4
3
2
5
2
7
0
11
0
.
6
Prime Numbers
Another integer factorization
The value of any given positive integer can be specified by listing all
the nonzero exponents.
The integer 12 =2
2
3
1
is represented by {a
2
=2, a
3
=1}.
The integer 18 =2
1
3
2
is represented by {a
2
=1, a
3
=2}.
The integer 91= 7
2
13
1
is represented by {a
7
= 2, a
13
= 1}.
7
Prime Numbers
Multiplication
Multiplication of two numbers is adding the corresponding exponents.
$k = 12 \times 18 = 216$
$12 = 2^2 \times 3^1$
$18 = 2^1 \times 3^2$
------------------
$216 = 2^3 \times 3^3$
Prime Numbers
Divisibility
$a \mid b \iff a_p \le b_p$ for all p
a = 12; b = 36; 12|36
$12 = 2^2 \times 3$;
$36 = 2^2 \times 3^2$
$a_2 = 2 = b_2$
$a_3 = 1 \le 2 = b_3$
Prime Numbers
GCD
$k = \gcd(a, b) \iff k_p = \min(a_p, b_p)$ for all p
$300 = 2^2 \times 3^1 \times 5^2$
$18 = 2^1 \times 3^2 \times 5^0$
$\gcd(18, 300) = 2^1 \times 3^1 \times 5^0 = 6$
Fermat's and Euler's Theorems
Fermat's theorem
If p is prime and a is a positive integer not divisible by p,
then
$a^{p-1} \equiv 1 \pmod p$
Fermat's and Euler's Theorems
Proof of Fermat's theorem.
Outline
Show $\{1, 2, \ldots, p-1\} = \{a \bmod p, 2a \bmod p, \ldots, (p-1)a \bmod p\}$
Show $(p-1)! \equiv a^{p-1}(p-1)! \pmod p$.
Since $(p-1)!$ is relatively prime to p, we multiply $((p-1)!)^{-1}$
to both sides to get $a^{p-1} \equiv 1 \pmod p$.
Fermat's and Euler's Theorems
Proof of Fermat's theorem
Show $\{1, 2, \ldots, p-1\} = \{a \bmod p, 2a \bmod p, \ldots, (p-1)a \bmod p\}$
Show $ka \bmod p$ for any $1 \le k \le p-1$ is in $\{1, 2, \ldots, p-1\}$
by showing that $ka \bmod p \ne k'a \bmod p$ for $k \ne k'$.
Show $ka \bmod p \ne k'a \bmod p$ for $1 \le k \ne k' \le p-1$.
Proof by contradiction
Assume that $ka \equiv k'a \pmod p$ for some $1 \le k \ne k' \le p-1$.
Since a is relatively prime to p, we multiply $a^{-1}$ to get $k \equiv k' \pmod p$,
which contradicts the fact that $k \ne k'$.
Fermat's and Euler's Theorems
Proof of Fermat's theorem
Show $(p-1)! \equiv a^{p-1}(p-1)! \pmod p$.
$\{1, 2, \ldots, p-1\} = \{a \bmod p, 2a \bmod p, \ldots, (p-1)a \bmod p\}$
$[1 \times 2 \times \cdots \times (p-1)] \equiv [(a \bmod p) \times (2a \bmod p) \times \cdots \times ((p-1)a \bmod p)] \pmod p$
$[1 \times 2 \times \cdots \times (p-1)] \equiv [a \times 2a \times \cdots \times (p-1)a] \pmod p$
$(p-1)! \equiv a^{p-1}(p-1)! \pmod p$
$a^{p-1} \equiv 1 \pmod p$
Fermat's and Euler's Theorems
An alternative form of Fermat's Theorem
$a^p \equiv a \pmod p$
where p is prime and a is any positive integer.
Proof
If a and p are relatively prime, we get $a^p \equiv a \pmod p$ by
multiplying a to each side of $a^{p-1} \equiv 1 \pmod p$.
If a and p are not relatively prime, a = cp for some positive
integer c. So $a^p = (cp)^p \equiv 0 \pmod p$ and $a \equiv 0 \pmod p$, which
means $a^p \equiv a \pmod p$.
Fermat's and Euler's Theorems
An alternative form of Fermat's Theorem
$a^p \equiv a \pmod p$
where p is prime and a is any positive integer.
p = 5, a = 3: $3^5 = 243 \equiv 3 \pmod 5$
p = 5, a = 10: $10^5 = 100000 \equiv 10 \pmod 5 \equiv 0 \pmod 5$
Fermats and Eulers Theorems
Eulers Totient Function
The number of positive integers less than n and relatively prime to n.
) (n |
= 36
37 is prime, so all the positive number from 1 to 36
are relatively prime to 37.
= 24
35 = 57
1, 2, 3, 4, 6, 8, 9,11, 12, 13, 16, 17, 18, 19, 22,
23, 24, 26, 27, 29, 31, 32, 33, 34
) 37 ( |
) 35 ( |
17
Fermats and Eulers Theorems
How to compute
In general,
For a prime n, (Z
n
= {1,2,, n-1})
For n = pq, p and q are prime numbers and p q
) (n |
1 ) ( = n n |
) 1 ( ) 1 ( ) ( = q p n |
n p
p
n n dividing primes the all over runs where , )
1
1 ( ) (
[
= |
18
Fermats and Eulers Theorems
Proof of
is the number of positive integers less than pq that are relatively
prime to pq.
can be computed by subtract from pq 1 the number of positive
integers in {1, , pq 1} that are not relatively prime to pq.
The positive integers that are not relatively prime to pq are a multiple of
either p or q.
{ p, 2p,,(q 1)p}, {q, 2q, ,(p 1)q}
There is no same elements in the two sets.
So, there are p + q 2 elements that are not relatively prime to pq.
Hence, = pq 1 (p + q 2)
= pq p q +1
= (p 1)(q 1)
) (n |
) 1 ( ) 1 ( ) ( = q p n |
) (n |
) (n |
19
Fermats and Eulers Theorems
(21) = (3)(7) = (3-1)(7-1) = 2 6 = 12
Z
21
={1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20}
(3)={3,6,9,12,15,18}
(7)={7,14}
where the 12 integers are {1,2,4,5,8,10,11,13,16,17,19,20}
20
Fermats and Eulers Theorems
Eulers theorem
For every a and n that are relatively prime:
n a
n
mod 1
) (

|
a = 3; n = 10; (10) = 4; 3
4
= 81 1 mod 10
a = 2; n = 11; (11) = 10; 2
10
= 1024 1 mod 11
21
Fermats and Eulers Theorems
Proof of Eulers theorem
If n is prime, it holds due to Fermats theorem.
Otherwise (If n is not prime),
define two sets R and S.
show the sets R and S are the same.
then, show
n a
n
mod 1
) (

|
n a
n
mod 1
1

n a
n
mod 1
) (

|
22
Fermats and Eulers Theorems
Proof of Eulers theorem
Set R
The elements are positive integers less than n and relatively prime to n.
The number of elements is
R={x
1
, x
2
,, x
(n)
} where x
1
< x
2
<< x
(n)
Set S
Multiplying each element of R by aR modulo n
S ={(ax
1
mod n), (ax
2
mod n),(ax
(n)
mod n)}.
) (n |
23
Fermats and Eulers Theorems
Proof of Eulers theorem
The sets R and S are the same.
We show S has all integers less than n and relatively prime to n.
S ={(ax
1
mod n), (ax
2
mod n),(ax
(n)
mod n)}
1. All the elements of S are integers less than n that are relatively prime
to n because a is relatively prime to n and x
i
is relatively prime to n,
ax
i
must also be relatively prime to n.
2. There are no duplicates in S.
If ax
i
mod n = ax
j
mod n, then x
i
= x
j.
by cancellation law.
24
Fermats and Eulers Theorems
Proof of Eulers theorem
Since R and S are the same sets,
) (mod 1
) (mod
) (mod
) mod (
) (
) (
1
) (
1
) (
) (
1
) (
1
) (
1
) (
1
n a
n x x a
n x ax
x n ax
n
n
i
i
n
i
i
n
n
i
n
i
i i
n
i
n
i
i i

=
[ [
[ [
[ [
= =
= =
= =
|
| |
|
| |
| |
25
Fermats and Eulers Theorems
Alternative form of the theorem
If a and n are relatively prime, it is true due to Eulers
theorem.
Otherwise, .
) (mod
1 ) (
n a a
n

+ |
26
Fermats and Eulers Theorem
The validity of RSA algorithm
Given 2 prime numbers p and q, and integers n = pq and m,
with 0<m<n, the following relationship holds.
If m and n are re relatively prime, it holds by Eulers theorem.
If m and n are not relatively prime, m is a multiple of either p or q.
n m m m
q p n
mod
1 ) 1 )( 1 ( 1 ) (
=
+ + |
27
Fermats and Eulers Theorem
Case 1: m is a multiple of p
m=cp for some positive integer c.
gcd(m, q)=1, otherwise, m is a multiple of p and q and yet m<pq
because gcd(m, q)=1, Eulers theorem holds
by the rules of modular arithmetic,
Multiplying each side by m=cp
q m
q
mod 1
1

k kq m
q m
q m
n
n
p q
integer some for , 1
mod 1
mod 1 ] [
) (
) (
1 1
+ =



|
|
n m m
kcn m kcpq m m
n
n
mod
1 ) (
1 ) (

+ = + =
+
+
|
|
28
Fermats and Eulers Theorem
Case 2: m is a multiple of q
prove similarly.
Thus, the following equation is proved.
n m m m
q p n
mod
1 ) 1 )( 1 ( 1 ) (
=
+ + |
29
Fermats and Eulers Theorem
An alternative form of this corollary is directly
relevant to RSA.
n m
n m
n m m
m
k
k n
n k
mod
theorem s Euler' by , mod ] ) 1 [(
mod ] [(
1 ) (
1 ) (



+
|
|
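An added example (not from the slides) that carries the chapter's constructions through in Python: the $\{a_p\}$ exponent representation, gcd by minimum exponents, $\varphi(n)$ from the product formula, the sets R and S from the proof of Euler's theorem, and the RSA corollary $m^{k\varphi(n)+1} \equiv m \pmod n$ checked for every m in $Z_n$, coprime to n or not. Function names and the small test values are this example's own.

```python
"""Fermat's and Euler's theorems, checked with the objects from the proofs.

Added example, not code from the slides. Uses only trial division and
Python's built-in modular exponentiation.
"""
from math import gcd


def factor_exponents(n):
    """n = prod p^a_p; return {p: a_p} for the primes with nonzero exponent."""
    exps, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            exps[p] = exps.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:                      # leftover factor is prime
        exps[n] = exps.get(n, 0) + 1
    return exps


def gcd_by_exponents(a, b):
    """gcd via k_p = min(a_p, b_p) for all p, as on the GCD slide."""
    ea, eb = factor_exponents(a), factor_exponents(b)
    k = 1
    for p in set(ea) & set(eb):
        k *= p ** min(ea[p], eb[p])
    return k


def phi(n):
    """Euler's totient via phi(n) = n * prod_{p | n} (1 - 1/p)."""
    result = n
    for p in factor_exponents(n):
        result = result // p * (p - 1)
    return result


def reduced_residues(n):
    """R = {x : 1 <= x < n, gcd(x, n) = 1}; it has phi(n) elements."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def euler_sets(a, n):
    """Return (R, sorted S) with S = {a * x_i mod n}; the proof needs R == S."""
    R = reduced_residues(n)
    S = sorted(a * x % n for x in R)
    return R, S


def fermat_holds(a, p):
    """a^(p-1) = 1 (mod p) for prime p not dividing a."""
    return pow(a, p - 1, p) == 1


def euler_holds(a, n):
    """a^phi(n) = 1 (mod n); only guaranteed when gcd(a, n) = 1."""
    return pow(a, phi(n), n) == 1


def rsa_corollary_holds(p, q, k=1):
    """m^(k*phi(n)+1) = m (mod n) for every 0 <= m < n, n = pq, p != q prime.

    Covers the non-coprime case (m a multiple of p or q) proved on the slides.
    """
    n = p * q
    exponent = k * (p - 1) * (q - 1) + 1
    return all(pow(m, exponent, n) == m for m in range(n))


if __name__ == "__main__":
    print(factor_exponents(3600), phi(35), euler_sets(3, 10))
```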
Chapter 9
Public-Key Cryptography and RSA
Contents
Principles of Public-Key Cryptosystems
Public-Key Cryptosystems
Applications for Public-Key Cryptosystems
Requirements for Public-Key Cryptography
Public-Key Cryptanalysis
The RSA Algorithm
Description of the Algorithm
The Security of RSA
Principles of public-key cryptosystems
Symmetric encryption has two difficult problems.
Key distribution problem
Symmetric encryption requires either
that two communicants already share a key or
the use of a key distribution center (KDC).
If the KDC is compromised,
Hard to be used for digital signatures
Public-Key Cryptosystems
Public-key algorithms use two separate keys.
Public key and private key
It is computationally infeasible to determine the private key given
only knowledge of the cryptographic algorithm and the public key.
Normally, the public key is used for encryption and the private key is
used for decryption.
In some algorithms such as RSA, either of the two keys can be
used for encryption, with the other used for decryption.
Public-Key Cryptosystems
A public-key encryption scheme has six ingredients.
Plaintext
Encryption algorithm
Ciphertext
Decryption algorithm
Public and private key
One is for encryption and the other is for decryption.
Public-Key Cryptosystems
The use of public-key encryption
Each user generates his/her public and private keys.
Each user places the public key in a public register and keeps the
private key secret.
If Bob wants to send a message to Alice, Bob encrypts the
message using Alice's public key.
Alice decrypts the ciphertext using her private key.
Public-Key Cryptosystems
The use of public-key encryption. (Bob sends a message to Alice.)
Public-Key Cryptosystems
A public-key encryption scheme: Secrecy
Public-Key Cryptosystems
The use of public-key encryption to provide authentication.
Public-Key Cryptosystems
A public-key encryption scheme: Authentication
Public-Key Cryptosystems
A public-key encryption scheme: Secrecy and authentication
Applications for Public-Key Cryptosystems
The use of public-key cryptosystems
Encryption/decryption (provides secrecy)
Digital signatures (provide authentication)
Key exchange (of session keys)
Some algorithms are suitable for all applications, others can be used
only for one or two.
Requirements for Public-Key Cryptography
Diffie and Hellman did lay out the conditions that such
algorithms must fulfill when A sends a message to B.
1. It is easy for B to generate his/her public and private key.
2. It is easy for A to encrypt a message M using B's public key.
$C = E_{KU_b}(M)$
3. It is easy for B to decrypt the ciphertext using B's private key.
$M = D_{KR_b}(C) = D_{KR_b}[E_{KU_b}(M)]$
Requirements for Public-Key Cryptography
4. It is infeasible for an opponent, knowing the public key, KU
b
, to
determine the private key, KR
b
.
5. It is infeasible for an opponent, knowing the public key, KU
b
,
and a ciphertext, C, to recover the original message, M.
6. (Optional) The encryption and decryption functions can be
applied in either order.
)] ( [ )] ( [ M E D M D E M
b b b b
KR KU KR KU

15
Requirements for Public-Key Cryptography
These requirements are hard to achieve so only two
algorithms (RSA, elliptic curve cryptography) have received
widespread acceptance.
Why the requirements are so formidable?
The requirements needs a trap-door one-way function.
16
Requirements for Public-Key Cryptography
One-way function
A one-to-one function such that the calculation of the function is easy but the calculation of the inverse is infeasible.
Easy
The problem can be solved in polynomial time.
Infeasible
It is hard to invert the function for virtually all inputs, not just for the worst case or even the average case.
$$Y = f(X) \quad \text{easy}$$
$$X = f^{-1}(Y) \quad \text{infeasible}$$
Requirements for Public-Key Cryptography
Trap-door one-way function
Easy to calculate in one direction and infeasible to calculate in the other direction unless certain additional information is known.
Thus, the development of a practical public-key scheme depends on the discovery of a suitable trap-door one-way function.
$$Y = f_k(X) \quad \text{easy, if } k \text{ and } X \text{ are known}$$
$$X = f_k^{-1}(Y) \quad \text{easy, if } k \text{ and } Y \text{ are known}$$
$$X = f_k^{-1}(Y) \quad \text{infeasible, if } Y \text{ is known but } k \text{ is not known}$$
Public-Key Cryptanalysis
Brute-force attacks on private keys
Countermeasure: use large keys.
The key size must be large enough to make a brute-force attack impractical but small enough for practical encryption and decryption.
Computing the private key given the public key
No algorithm has been proven safe from this attack.
Public-Key Cryptanalysis
A probable-message attack
Suppose that a message were a 56-bit DES key.
An opponent could encrypt all possible keys using the public key.
He could then decipher any such message by matching the transmitted ciphertext.
Countermeasure
Large key size (?)
Append some random bits to messages.
The RSA Algorithm
Developed in 1977 by Rivest, Shamir, and Adleman at MIT.
The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and $n - 1$ for some $n$.
A typical size for $n$ is 1024 bits, or 309 decimal digits.
$$n = pq$$
Description of the RSA Algorithm
Plaintext is encrypted in blocks.
Each block has a binary value less than some number $n$.
That is, the block size must be less than or equal to $\log_2(n)$.
The block size is $k$ bits, where $2^k < n \le 2^{k+1}$.
Description of the RSA Algorithm
Encryption/Decryption
M : plaintext block
C : ciphertext block
public key: {e, n}
private key: {d, n}
$$C = M^e \bmod n$$
$$M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$$
Requirements for Public-Key Cryptography
Diffie and Hellman's requirements
1. It is easy for B to generate his/her public and private key.
It should be easy for B to find values of e, d, and n.
2. It is easy for A to encrypt a message M using B's public key.
It should be easy to calculate $M^e$.
3. It is easy for B to decrypt the ciphertext using B's private key.
It should be easy to calculate $C^d$.
4. It is infeasible for an opponent, knowing the public key, $KU_b$, to determine the private key, $KR_b$.
It is infeasible to determine d given e and n.
5. It is infeasible for an opponent, knowing the public key, $KU_b$, and a ciphertext, C, to recover the original message, M.
6. (Optional) The encryption and decryption functions can be applied in either order.
Description of the RSA Algorithm
First requirement
It should be easy to find values of e, d, n such that
$$M^{ed} \bmod n = M$$
for all $M < n$.
Description of the RSA Algorithm
A corollary to Euler's theorem
Given two prime numbers, p and q, and two integers, n and m, such that $n = pq$ and $0 < m < n$, and an arbitrary integer k,
$$m^{k\varphi(n)+1} \equiv m \pmod{n}$$
$$m^{k(p-1)(q-1)+1} \equiv m \pmod{n}$$
where $\varphi(n)$ is the Euler totient function, which is the number of positive integers less than n and relatively prime to n.
Description of the RSA Algorithm
If we select e and d such that
$$ed = k\varphi(n) + 1$$
they satisfy
$$M^{ed} \bmod n = M.$$
$ed = k\varphi(n) + 1$ is equivalent to saying
$$ed \equiv 1 \pmod{\varphi(n)}, \qquad d \equiv e^{-1} \pmod{\varphi(n)}$$
According to the rules of modular arithmetic, this is true only if e (and therefore d) is relatively prime to $\varphi(n)$:
$$\gcd(\varphi(n), e) = 1$$
Description of the RSA Algorithm
RSA's ingredients
The public key consists of {e, n} and the private key consists of {d, n}.
p, q, two prime numbers (private, chosen)
$n = pq$ (public, calculated)
e, with $\gcd(\varphi(n), e) = 1$ and $1 < e < \varphi(n)$ (public, chosen)
$d \equiv e^{-1} \pmod{\varphi(n)}$ (private, calculated)
Description of the RSA Algorithm
RSA's scheme
Suppose user B wishes to send the message M to A.
User A has published its public key, KU = {e, n}.
B calculates $C = M^e \bmod n$ and transmits C.
Then, user A decrypts by calculating $M = C^d \bmod n$ (using KR = {d, n}).
Description of the RSA Algorithm
RSA algorithm (example): generating the keys
Select two prime numbers, p = 17 and q = 11.
Calculate n = pq = 17 × 11 = 187.
Calculate $\varphi(n)$ = (p - 1)(q - 1) = 16 × 10 = 160.
Select e = 7 (e is relatively prime to $\varphi(n)$).
Determine d such that de ≡ 1 (mod 160), using the extended Euclidean algorithm: d = 23.
Description of the RSA Algorithm
Encryption (M = 88):
$$88^7 \bmod 187 = [(88^4 \bmod 187) \times (88^2 \bmod 187) \times (88^1 \bmod 187)] \bmod 187$$
$$88^1 \bmod 187 = 88$$
$$88^2 \bmod 187 = 7744 \bmod 187 = (88 \times 88) \bmod 187 = 77$$
$$88^4 \bmod 187 = 59{,}969{,}536 \bmod 187 = (77 \times 77) \bmod 187 = 132$$
$$88^7 \bmod 187 = (88 \times 77 \times 132) \bmod 187 = 894{,}432 \bmod 187 = 11$$
Decryption (C = 11):
$$11^{23} \bmod 187 = [(11^1 \bmod 187) \times (11^2 \bmod 187) \times (11^4 \bmod 187) \times (11^8 \bmod 187) \times (11^8 \bmod 187)] \bmod 187$$
$$11^1 \bmod 187 = 11$$
$$11^2 \bmod 187 = (11 \times 11) \bmod 187 = 121$$
$$11^4 \bmod 187 = 14{,}641 \bmod 187 = (121 \times 121) \bmod 187 = 55$$
$$11^8 \bmod 187 = 214{,}358{,}881 \bmod 187 = (55 \times 55) \bmod 187 = 33$$
$$11^{23} \bmod 187 = (11 \times 121 \times 55 \times 33 \times 33) \bmod 187 = 79{,}720{,}245 \bmod 187 = 88$$
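The key-generation recipe and the hand computation of 88^7 and 11^23 above, carried out in code. This is an added example, not part of Stallings' slides; it uses the slides' toy parameters p = 17, q = 11, e = 7, and the function names (rsa_keygen, modexp, euler_corollary_holds) are this example's own. Square-and-multiply is the method the slide applies by hand, and the corollary check confirms m^(kφ(n)+1) ≡ m (mod n) for every block 0 < m < 187, including the blocks that are not coprime to n. These are teaching sizes: a production modulus is 2048 bits or more, and deployed RSA pads the block (for example OAEP) instead of exponentiating it raw.

```python
# Added example (not from the slides): textbook RSA with the slides' toy parameters
# p = 17, q = 11, e = 7.  Function names are this example's own.
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e, phi):
    """Return d with d*e = 1 (mod phi); fails if e is not coprime to phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to phi(n)")
    return x % phi


def rsa_keygen(p, q, e):
    """Slide recipe: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns (public {e, n}, private {d, n}) as two tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (e, n), (modinv(e, phi), n)


def modexp(base, exponent, modulus):
    """Square-and-multiply, the method the slide applies by hand to 88^7 and 11^23."""
    result = 1
    base %= modulus
    while exponent:
        if exponent & 1:
            result = (result * base) % modulus
        base = (base * base) % modulus
        exponent >>= 1
    return result


def encrypt(m, pub):
    """C = M^e mod n; the block must be an integer in [0, n)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must be in [0, n)")
    return modexp(m, e, n)


def decrypt(c, priv):
    """M = C^d mod n."""
    d, n = priv
    return modexp(c, d, n)


def euler_corollary_holds(p, q, k=1):
    """Check m^(k*phi(n)+1) = m (mod n) for every 0 < m < n: the fact that makes
    decryption undo encryption even for blocks with gcd(m, n) != 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return all(modexp(m, k * phi + 1, n) == m for m in range(1, n))


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    print("public key", pub, "private key", priv)     # d = 23
    c = encrypt(88, pub)
    print("C =", c, " M =", decrypt(c, priv))          # 11, then 88
    print("corollary holds for n = 187:", euler_corollary_holds(17, 11))
```

The `euler_corollary_holds` check is the part worth keeping in mind: the slide's proof sketch needs the congruence for every block, and the brute-force loop over all 186 blocks shows it really holds for the toy n, coprime or not.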
The Security of RSA
Three possible approaches to attacking RSA:
Brute force
Mathematical attacks
Timing attacks
Brute force
Trying all possible private keys.
Countermeasure: use a large key space.
The Security of RSA
Mathematical attacks
Factor n into its two prime factors. This enables calculation of $\varphi(n)$ and determination of d.
Determine $\varphi(n)$ directly, without first determining p and q. This enables determination of d.
This is equivalent to factoring n.
Determine d directly, without first determining $\varphi(n)$.
With presently known algorithms, this appears to be at least as time-consuming as the factoring problem.
The Security of RSA
Focused on the task of factoring n into its two prime factors.
The Security of RSA
To avoid values of n that may be factored more easily, the algorithm's inventors suggest constraints on p and q:
p and q should differ in length by only a few digits.
Both (p - 1) and (q - 1) should contain a large prime factor.
gcd(p - 1, q - 1) should be small.
In addition, it has been demonstrated that if $e < n$ and $d < n^{1/4}$, then d can be easily determined.
Cryptography and
Network Security
Chapter 10
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown
Key Management
public-key encryption helps address key
distribution problems
have two aspects of this:
distribution of public keys
use of public-key encryption to distribute
secret keys
Distribution of Public Keys
can be considered as using one of:
public announcement
publicly available directory
public-key authority
public-key certificates
Public Announcement
users distribute public keys to recipients or
broadcast to community at large
eg. append PGP keys to email messages or
post to news groups or email list
major weakness is forgery
anyone can create a key claiming to be
someone else and broadcast it
until forgery is discovered can masquerade as
claimed user
Publicly Available Directory
can obtain greater security by registering
keys with a public directory
directory must be trusted with properties:
contains {name,public-key}entries
participants register securely with directory
participants can replace key at any time
directory is periodically published
directory can be accessed electronically
still vulnerable to tampering or forgery
Public-Key Authority
improve security by tightening control over
distribution of keys from directory
has properties of directory
and requires users to know public key for
the directory
then users interact with directory to obtain
any desired public key securely
does require real-time access to directory
when keys are needed
Public-Key Authority
Public-Key Certificates
certificates allow key exchange without
real-time access to public-key authority
a certificate binds identity to public key
usually with other info such as period of
validity, rights of use etc
with all contents signed by a trusted
Public-Key or Certificate Authority (CA)
can be verified by anyone who knows the
public-key authorities public-key
Public-Key Certificates
Public-Key Distribution of Secret
Keys
use previous methods to obtain public-key
can use for secrecy or authentication
but public-key algorithms are slow
so usually want to use private-key
encryption to protect message contents
hence need a session key
have several alternatives for negotiating a
suitable session
Simple Secret Key
Distribution
proposed by Merkle in 1979
A generates a new temporary public key pair
A sends B the public key and their identity
B generates a session key K sends it to A
encrypted using the supplied public key
A decrypts the session key and both use
problem is that an opponent can intercept
and impersonate both halves of protocol
Public-Key Distribution of Secret
Keys
if have securely exchanged public-keys:
Diffie-Hellman Key Exchange
first public-key type scheme proposed
by Diffie & Hellman in 1976 along with the
exposition of public key concepts
note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970
is a practical method for public exchange
of a secret key
used in a number of commercial products
Diffie-Hellman Key Exchange
a public-key distribution scheme
cannot be used to exchange an arbitrary message
rather it can establish a common key
known only to the two participants
value of key depends on the participants (and
their private and public key information)
based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
security relies on the difficulty of computing
discrete logarithms (similar to factoring) hard
Diffie-Hellman Setup
all users agree on global parameters:
large prime integer or polynomial q
a being a primitive root mod q
each user (eg. A) generates their key
chooses a secret key (number): $x_A < q$
compute their public key: $y_A = a^{x_A} \bmod q$
each user makes public that key $y_A$
Diffie-Hellman Key Exchange
shared session key for users A & B is $K_{AB}$:
$$K_{AB} = a^{x_A \cdot x_B} \bmod q$$
$$= y_A^{x_B} \bmod q \text{ (which B can compute)}$$
$$= y_B^{x_A} \bmod q \text{ (which A can compute)}$$
$K_{AB}$ is used as session key in private-key encryption scheme between Alice and Bob
if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
attacker needs an x, must solve discrete log
Diffie-Hellman Example
users Alice & Bob who wish to swap keys:
agree on prime q=353 and a=3
select random secret keys:
A chooses $x_A = 97$, B chooses $x_B = 233$
compute respective public keys:
$y_A = 3^{97} \bmod 353 = 40$ (Alice)
$y_B = 3^{233} \bmod 353 = 248$ (Bob)
compute shared session key as:
$K_{AB} = y_B^{x_A} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)
$K_{AB} = y_A^{x_B} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)
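The setup and exchange above run end to end, as an added example that is not part of the slides. It uses the slides' parameters q = 353, a = 3, x_A = 97, x_B = 233 and its own function names (is_primitive_root, dh_exchange, fresh_secret). The slide states that 3 is a primitive root of 353; the example checks that claim from the factorisation 352 = 2^5 × 11, because a generator of a small subgroup would leave the attacker a much smaller set of possible keys than the discrete-log problem suggests. Secrets for a fresh run come from the OS CSPRNG rather than `random`, which is the only acceptable source for the x values in practice.

```python
# Added example (not from the slides): Diffie-Hellman with q = 353, a = 3.
# Function names are this example's own.
import secrets


def is_primitive_root(a, q, prime_factors_of_q_minus_1):
    """a generates the whole group mod prime q iff a^((q-1)/r) != 1 (mod q)
    for every prime r dividing q-1.  For q = 353, q-1 = 352 = 2^5 * 11."""
    order = q - 1
    return all(pow(a, order // r, q) != 1 for r in prime_factors_of_q_minus_1)


def dh_public(a, q, x):
    """y = a^x mod q, the value a party publishes."""
    if not 1 <= x < q:
        raise ValueError("secret must satisfy 1 <= x < q")
    return pow(a, x, q)


def dh_shared(y_other, x_own, q):
    """K = y_other^x_own mod q: each side raises the other's public value
    to its own secret exponent."""
    return pow(y_other, x_own, q)


def dh_exchange(a, q, x_a, x_b):
    """Run both sides; return (y_A, y_B, K_AB) after checking they agree."""
    y_a, y_b = dh_public(a, q, x_a), dh_public(a, q, x_b)
    k_alice = dh_shared(y_b, x_a, q)   # Alice computes y_B^x_A
    k_bob = dh_shared(y_a, x_b, q)     # Bob computes   y_A^x_B
    if k_alice != k_bob:
        raise RuntimeError("shared keys differ; parameters are inconsistent")
    return y_a, y_b, k_alice


def fresh_secret(q):
    """Random secret 1 <= x < q from the OS CSPRNG (never random.randint)."""
    return 1 + secrets.randbelow(q - 1)


if __name__ == "__main__":
    q, a = 353, 3
    print("3 is a primitive root of 353:", is_primitive_root(a, q, [2, 11]))
    print("slide run (y_A, y_B, K_AB):", dh_exchange(a, q, 97, 233))   # (40, 248, 160)
    print("fresh run:", dh_exchange(a, q, fresh_secret(q), fresh_secret(q)))
```

Running the primitive-root check on a = 2 returns False for this q (2 is a quadratic residue mod 353), which is exactly the kind of parameter mistake the check exists to catch before any key is derived.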
Key Exchange Protocols
users could create random private/public D-H keys each time they communicate
users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them
both of these are vulnerable to a man-in-the-middle attack
authentication of the keys is needed
Cryptography and
Network Security
Chapter 11
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown
Message Authentication
message authentication is concerned with:
protecting the integrity of a message
validating identity of originator
non-repudiation of origin (dispute resolution)
will consider the security requirements
then three alternative functions used:
message encryption
message authentication code (MAC)
hash function
Security Requirements
disclosure
traffic analysis
masquerade
content modification
sequence modification
timing modification
source repudiation
destination repudiation
Message Encryption
message encryption by itself also provides a measure of authentication
if symmetric encryption is used then:
receiver knows sender must have created it, since only sender and receiver know the key used
knows content cannot have been altered, if message has suitable structure, redundancy or a checksum to detect any changes
Message Encryption
if public-key encryption is used:
encryption provides no confidence of sender
since anyone potentially knows public-key
however if
sender signs message using their private-key
then encrypts with recipient's public key
have both secrecy and authentication
again need to recognize corrupted messages
but at cost of two public-key uses on message
Message Authentication Code
(MAC)
generated by an algorithm that creates a
small fixed-sized block
depending on both message and some key
like encryption though need not be reversible
appended to message as a signature
receiver performs same computation on
message and checks it matches the MAC
provides assurance that message is
unaltered and comes from sender
Message Authentication Code
Message Authentication
Codes
as shown the MAC provides authentication
can also use encryption for secrecy
generally use separate keys for each
can compute MAC either before or after encryption
is generally regarded as better done before
why use a MAC?
sometimes only authentication is needed
sometimes need authentication to persist longer than
the encryption (eg. archival use)
note that a MAC is not a digital signature
MAC Properties
a MAC is a cryptographic checksum
$$\mathrm{MAC} = C_K(M)$$
condenses a variable-length message M
using a secret key K
to a fixed-sized authenticator
is a many-to-one function
potentially many messages have same MAC
but finding these needs to be very difficult
Requirements for MACs
taking into account the types of attacks
need the MAC to satisfy the following:
1. knowing a message and MAC, is infeasible
to find another message with same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message
Using Symmetric Ciphers for
MACs
can use any block cipher chaining mode
and use final block as a MAC
Data Authentication Algorithm (DAA) is
a widely used MAC based on DES-CBC
using IV=0 and zero-pad of final block
encrypt message using DES in CBC mode
and send just the final block as the MAC
or the leftmost M bits (16 ≤ M ≤ 64) of final block
but final MAC is now too small for security
Data Authentication Algorithm
CBC-MAC
One-way Hash Functions
condenses arbitrary message to fixed size
h = H(M)
e.g. SHA1("The quick brown fox jumps over the lazy cog")=
0x de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
usually assume that the hash function is
public and not keyed
cf. MAC which is keyed
hash used to detect changes to message
can use in various ways with message
storing password, creating a unique file_id, ..
most often to create a digital signature
HMAC
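The keyed checksum C_K(M) and the unkeyed digest h = H(M) from the slides above, computed and verified with the Python standard library. This is an added example, not from the slides; the key is a constructed sample value and the helper names (sha1_hex, mac, verify) are this example's own. It reproduces the slide's SHA-1 digest of "The quick brown fox jumps over the lazy cog", builds an HMAC-SHA-1 tag, optionally truncates it to 96 bits in the HMAC-SHA-1-96 form the IPsec AH slides later on this page name, and verifies it with a constant-time comparison so the receiver's check does not leak how many tag bytes matched.

```python
# Added example (not from the slides): SHA-1 digest, HMAC-SHA-1 tag and
# receiver-side verification.  SAMPLE_KEY is a constructed value for the demo.
import hashlib
import hmac

SAMPLE_KEY = b"constructed-sample-key-for-the-example"   # constructed, not a real key


def sha1_hex(message: bytes) -> str:
    """h = H(M) with H = SHA-1, as hex."""
    return hashlib.sha1(message).hexdigest()


def mac(key: bytes, message: bytes, truncate_bytes=None) -> bytes:
    """C_K(M) = HMAC-SHA-1(key, message).  truncate_bytes=12 keeps the leftmost
    96 bits, the HMAC-SHA-1-96 form used by IPsec AH."""
    tag = hmac.new(key, message, hashlib.sha1).digest()
    return tag if truncate_bytes is None else tag[:truncate_bytes]


def verify(key: bytes, message: bytes, tag: bytes, truncate_bytes=None) -> bool:
    """Receiver recomputes C_K(M) and compares in constant time; a wrong length
    or any differing byte yields False without an early-exit timing signal."""
    expected = mac(key, message, truncate_bytes)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy cog"
    print("SHA-1:", sha1_hex(msg))                # de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
    tag = mac(SAMPLE_KEY, msg)
    tag96 = mac(SAMPLE_KEY, msg, 12)
    print("HMAC-SHA-1 ok:", verify(SAMPLE_KEY, msg, tag))
    print("HMAC-SHA-1-96 ok:", verify(SAMPLE_KEY, msg, tag96, 12))
    print("tampered ok?:", verify(SAMPLE_KEY, msg + b"!", tag))   # False
```

Two points the slide's one-line definition leaves implicit are visible here: the tag changes with either the key or the message, and the comparison must be the library's constant-time one rather than `==`.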
Hash Functions &
Digital Signatures
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h is infeasible to find x s.t. H(x) = h
one-way property
5. given x is infeasible to find y s.t. H(y) = H(x)
weak collision resistance
6. is infeasible to find any x, y s.t. H(y) = H(x)
strong collision resistance
Simple Hash Functions
are several proposals for simple functions
based on XOR of message blocks
not secure since can manipulate any
message and either not change hash or
change hash also
need a stronger cryptographic function
MD5, SHA-1, SHA-256/384/512, RIPEMD160, ...
Birthday Attacks
might think a 64-bit hash is secure
but by Birthday Paradox is not
birthday attack works thus:
opponent generates $2^{m/2}$ variations of a valid message, all with essentially the same meaning
opponent also generates $2^{m/2}$ variations of a desired fraudulent message
two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox)
have user sign the valid message, then substitute the forgery which will have a valid signature
conclusion is that need to use larger MAC/hash
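The 2^(m/2) figure above, measured on a toy hash. This is an added example, not part of the slides: the hash is SHA-256 truncated to m bits (constructed for the demo, since a real 160-bit or 256-bit digest cannot be collided on a laptop), the inputs are counter-numbered strings rather than meaningful message variants, and the function names are this example's own. The search hashes messages until a digest repeats and reports how many it needed; for m = 24 the count lands in the low thousands, near 2^12, which is the reason an m-bit digest gives only about m/2 bits of collision resistance and why the slide's 64-bit hash is inadequate.

```python
# Added example (not from the slides): birthday bound on an m-bit toy hash.
# The toy hash is SHA-256 truncated to m bits, constructed for this demo only.
import hashlib
import math


def truncated_hash(message: bytes, m_bits: int) -> int:
    """Toy m-bit hash: the leading m bits of SHA-256, as an integer."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - m_bits)


def find_collision(m_bits: int, max_tries: int):
    """Hash 'msg-0', 'msg-1', ... until some digest repeats.
    Returns (tries, msg_a, msg_b) for the first colliding pair,
    or None if max_tries messages were hashed without a repeat."""
    seen = {}                      # digest -> first message that produced it
    for i in range(max_tries):
        msg = b"msg-%d" % i
        h = truncated_hash(msg, m_bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None


def birthday_bound(m_bits: int) -> float:
    """Expected work for a collision on an m-bit hash: about 2^(m/2)."""
    return math.sqrt(2 ** m_bits)


if __name__ == "__main__":
    m = 24
    print("birthday bound for %d bits: %.0f" % (m, birthday_bound(m)))   # 4096
    tries, a, b = find_collision(m, 1 << 16)
    print("collision after %d hashes: %r and %r" % (tries, a, b))
    print("brute-force (preimage-style) bound would be %d" % (2 ** m))
```

The contrast printed on the last two lines is the slide's point: a collision costs roughly 2^(m/2) hashes, not the 2^m a brute-force search of the whole output space would, so the digest must be twice as long as the security level you want.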
Hash Functions & MAC Security
like block ciphers have:
brute-force attacks exploiting
strong collision resistance hash have cost $2^{m/2}$
have proposal for h/w MD5 cracker
128-bit hash looks vulnerable, 160-bits better
MACs with known message-MAC pairs
can either attack keyspace (cf key search) or MAC
at least 128-bit MAC is needed for security
Hash Functions & MAC
Security
cryptanalytic attacks exploit structure
like block ciphers want brute-force attacks to be the
best alternative
have a number of analytic attacks on iterated
hash functions
Summary
have considered:
message authentication using
message encryption
MACs
hash functions
general approach & security
Cryptography and
Network Security
Chapter 14
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown
Authentication Applications
will consider Kerberos a private-key authentication service
then X.509 - a public-key directory authentication service
Kerberos
trusted key server system from MIT
provides centralised private-key third-party authentication in a distributed network
  allows users access to services distributed through network
  without needing to trust all workstations
  rather all trust a central authentication server
two versions in use: 4 & 5
Kerberos Requirements
its first report identified requirements as:
  secure
  reliable
  transparent
  scalable
implemented using an authentication protocol based on Needham-Schroeder
  symmetric key protocol
  mutual auth., & establishing a session key between two parties
Kerberos v4 Overview
a basic third-party authentication scheme
have an Authentication Server (AS)
  users initially negotiate with AS to identify self
  AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
have a Ticket Granting server (TGS)
  users subsequently request access to other services from TGS on basis of users TGT
Kerberos v4 Dialogue
1. obtain ticket granting ticket from AS
  once per session
2. obtain service granting ticket from TGT
  for each distinct service required
3. client/server exchange to obtain service
  on every service request
Kerberos 4 Overview
Kerberos Realms
a Kerberos environment consists of:
  a Kerberos server
  a number of clients, all registered with server
  application servers, sharing keys with server
this is termed a realm
  typically a single administrative domain
if have multiple realms, their Kerberos servers must share keys and trust
Kerberos Realms
Kerberos Version 5
developed in mid 1990s
specified as Internet standard RFC 1510
provides improvements over v4
  addresses environmental shortcomings
    encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth
  and technical deficiencies
    double encryption, non-std mode of use, session keys, password attacks
X.509 Authentication Service
part of CCITT X.500 directory service standards
  distributed servers maintaining user info database
defines framework for authentication services
  directory may store public-key certificates
  with public key of user signed by certification authority
also defines authentication protocols
uses public-key crypto & digital signatures
  algorithms not standardised, but RSA recommended
X.509 certificates are widely used
X.509 Certificates
issued by a Certification Authority (CA), containing:
  version (1, 2, or 3)
  serial number (unique within CA) identifying certificate
  signature algorithm identifier
  issuer X.500 name (CA)
  period of validity (from - to dates)
  subject X.500 name (name of owner)
  subject public-key info (algorithm, parameters, key)
  issuer unique identifier (v2+)
  subject unique identifier (v2+)
  extension fields (v3)
  signature (of hash of all fields in certificate)
notation CA<<A>> denotes certificate for A signed by CA
X.509 Certificates
Obtaining a Certificate
any user with access to CA can get any certificate from it
only the CA can modify a certificate
because cannot be forged, certificates can be placed in a public directory
CA Hierarchy
if both users share a common CA then they are assumed to know its public key
otherwise CA's must form a hierarchy
use certificates linking members of hierarchy to validate other CA's
  each CA has certificates for clients (forward) and parent (backward)
each client trusts parents certificates
enable verification of any certificate from one CA by users of all other CAs in hierarchy
CA Hierarchy Use
Certificate Revocation
certificates have a period of validity
may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
CAs maintain list of revoked certificates
  the Certificate Revocation List (CRL)
users should check certificates with CAs CRL
X.509 Version 3
has been recognised that additional information is needed in a certificate
  email/URL, policy details, usage constraints
rather than explicitly naming new fields defined a general extension method
extensions consist of:
  extension identifier
  criticality indicator
  extension value
Certificate Extensions
key and policy information
  convey info about subject & issuer keys, plus indicators of certificate policy
certificate subject and issuer attributes
  support alternative names, in alternative formats for certificate subject and/or issuer
certificate path constraints
  allow constraints on use of certificates by other CAs
Public Key Infrastructure
Summary
have considered:
  Kerberos trusted key server system
  X.509 authentication and certificates
Cryptography and
Network Security
Chapter 16
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown
IP Security
have a range of application specific
security mechanisms
eg. S/MIME, PGP, Kerberos, SSL/HTTPS
however there are security concerns that
cut across protocol layers
would like security implemented by the
network for all applications
IPSec
general IP Security mechanisms
provides
authentication
confidentiality
key management
applicable to use over LANs, across public
& private WANs, & for the Internet
IPSec Uses
Benefits of IPSec
in a firewall/router provides strong security
to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
is below transport layer, hence transparent
to applications
can be transparent to end users
can provide security for individual users
secures routing architecture
IP Security Architecture
specification is quite complex
defined in numerous RFCs
incl. RFC 2401/2402/2406/2408
many others, grouped by category
mandatory in IPv6, optional in IPv4
have two security header extensions:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
IPSec Services
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
a form of partial sequence integrity
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations
a one-way relationship between sender &
receiver that affords security for traffic flow
defined by 3 parameters:
Security Parameters Index (SPI)
IP Destination Address
Security Protocol Identifier
has a number of other parameters
seq no, AH & ESP info, lifetime etc
have a database of Security Associations
Authentication Header (AH)
provides support for data integrity &
authentication of IP packets
end system/router can authenticate user/app
prevents address spoofing attacks by tracking
sequence numbers
based on use of a MAC
HMAC-MD5-96 or HMAC-SHA-1-96
parties must share a secret key
Authentication Header
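Added example (not from the slides): the SA lookup by (SPI, destination address, protocol), the HMAC-SHA-1-96 integrity check value, and the anti-replay sequence-number window from the Security Associations and AH slides, in Python. The IP header is reduced to a constructed ttl/src/dst triple so that the one mutable field (TTL) can be shown being zeroed before the MAC is computed; SPI, addresses and the key are constructed demo values.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

AH_PROTO = 51          # IP protocol number carried in the outer header for AH

@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int                 # 51 = AH, 50 = ESP
    auth_key: bytes            # shared secret for the MAC
    # receiver-side anti-replay state: 64-packet sliding window (RFC 2401)
    window_size: int = 64
    highest_seq: int = 0
    window_bits: int = 0       # bit i set  =>  sequence number highest_seq - i was seen

    def replay_check(self, seq):
        """Accept each sequence number once; reject duplicates and anything
        older than the window. Call only after the ICV has verified."""
        if seq == 0:
            return False
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:                     # new high-water mark: slide window
            shift = seq - self.highest_seq
            self.window_bits = ((self.window_bits << shift) & mask) | 1
            self.highest_seq = seq
            return True
        age = self.highest_seq - seq
        if age >= self.window_size:                    # fell off the left edge of the window
            return False
        if (self.window_bits >> age) & 1:              # duplicate
            return False
        self.window_bits |= 1 << age
        return True

# The SA database is keyed by the three parameters that identify an SA.
def sadb_lookup(sadb, spi, dst, proto):
    return sadb.get((spi, dst, proto))

def hmac_sha1_96(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:12]   # truncated to 96 bits

def build_ah_packet(sa, src, ttl, seq, next_header, payload):
    """Simplified IP header for the demo: ttl(1) | src(4) | dst(4). TTL changes
    in transit, so it is zeroed for the ICV; so is the ICV field itself."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(sa.dst)
    ip_hdr = struct.pack("!B4s4s", ttl, src_b, dst_b)
    ah = struct.pack("!BBHII", next_header, 4, 0, sa.spi, seq)    # payload len 4 = 24 bytes/4 - 2
    icv_input = struct.pack("!B4s4s", 0, src_b, dst_b) + ah + bytes(12) + payload
    return ip_hdr + ah + hmac_sha1_96(sa.auth_key, icv_input) + payload

def receive_ah_packet(sadb, packet):
    """Returns (payload, status). Status is "ok" or the reason for dropping."""
    ttl, src, dst = struct.unpack_from("!B4s4s", packet, 0)
    next_header, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, 9)
    icv, payload = packet[21:33], packet[33:]
    sa = sadb_lookup(sadb, spi, socket.inet_ntoa(dst), AH_PROTO)
    if sa is None:
        return None, "no SA"
    icv_input = struct.pack("!B4s4s", 0, src, dst) + packet[9:21] + bytes(12) + payload
    if not hmac.compare_digest(icv, hmac_sha1_96(sa.auth_key, icv_input)):
        return None, "ICV mismatch"
    if not sa.replay_check(seq):
        return None, "replay"
    return payload, "ok"

# Constructed demo: one inbound SA at the receiver, and the sender's copy of it.
KEY = b"constructed-demo-key"
SADB = {(0x1001, "10.0.0.2", AH_PROTO): SecurityAssociation(0x1001, "10.0.0.2", AH_PROTO, KEY)}
SENDER_SA = SecurityAssociation(0x1001, "10.0.0.2", AH_PROTO, KEY)

def demo():
    pkts = [build_ah_packet(SENDER_SA, "10.0.0.1", 64, s, 6, b"segment %d" % s) for s in (1, 2, 3)]
    results = [receive_ah_packet(SADB, p)[1] for p in pkts]            # fresh packets
    results.append(receive_ah_packet(SADB, pkts[1])[1])                # replayed packet
    results.append(receive_ah_packet(SADB, pkts[2][:33] + b"segment 9")[1])   # altered payload
    p4 = build_ah_packet(SENDER_SA, "10.0.0.1", 64, 4, 6, b"segment 4")
    results.append(receive_ah_packet(SADB, bytes([63]) + p4[1:])[1])   # TTL decremented en route
    return results
```

The order of the checks matters: the window is only advanced after the ICV verifies, otherwise a forged packet with a high sequence number could push genuine in-flight packets out of the window. The last case shows why mutable fields are excluded from the MAC: a router decrementing the TTL must not invalidate the packet.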
Transport & Tunnel Modes
Encapsulating Security Payload
(ESP)
provides message content confidentiality &
limited traffic flow confidentiality
can optionally provide the same authentication
services as AH
supports range of ciphers, modes, padding
incl. DES, Triple-DES, RC5, IDEA, CAST etc
CBC & other modes
padding needed to fill block size, to align fields, & for traffic flow confidentiality
Encapsulating Security
Payload
Transport vs Tunnel Mode
ESP
transport mode is used to encrypt &
optionally authenticate IP data
data protected but header left in clear
so traffic analysis is possible, but it is efficient
good for ESP host to host traffic
tunnel mode encrypts entire IP packet
adds new header for next hop
good for VPNs, gateway to gateway security
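Added example (not from the slides): building and parsing an ESP packet in Python, covering the ESP slide (padding to the cipher block size, the pad length and next header fields, optional authentication) and the transport/tunnel distinction (a TCP segment as inner data with Next Header 6, versus a whole IP packet with Next Header 4 and extra traffic-flow padding). The standard library has none of the ciphers the slide lists, so a SHA-256 counter-mode keystream stands in for the negotiated cipher; keys, SPIs and the sample packets are constructed.

```python
import hashlib
import hmac
import struct

NH_TCP, NH_IPV4 = 6, 4     # Next Header: TCP segment (transport mode) or whole IP packet (tunnel mode)

def keystream(key, spi, seq, length):
    """Stand-in for the negotiated cipher: SHA-256 in counter mode keyed with
    (key, SPI, sequence number). Real ESP negotiates DES/3DES/AES in CBC or
    another mode; this only exists to show the framing, padding and ICV."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_padding(data_len, block_size=8, tfc_pad=0):
    """Pad so that data + padding + pad length + next header fills whole cipher
    blocks. Padding bytes are 1,2,3,... (RFC 2406 default); tfc_pad adds extra
    bytes purely to disguise the true payload length (traffic flow confidentiality)."""
    pad_len = (-(data_len + 2 + tfc_pad)) % block_size + tfc_pad
    return bytes(range(1, pad_len + 1)), pad_len

def build_esp(enc_key, auth_key, spi, seq, inner, next_header, tfc_pad=0):
    pad, pad_len = esp_padding(len(inner), tfc_pad=tfc_pad)
    plaintext = inner + pad + bytes([pad_len, next_header])          # ESP trailer
    header = struct.pack("!II", spi, seq)                             # SPI, sequence number (in clear)
    body = xor(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:12]   # optional auth: HMAC-SHA-1-96
    return header + body + icv

def parse_esp(enc_key, auth_key, packet):
    header, body, icv = packet[:8], packet[8:-12], packet[-12:]
    # verify the ICV before touching the ciphertext
    if not hmac.compare_digest(icv, hmac.new(auth_key, header + body, hashlib.sha1).digest()[:12]):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", header)
    plaintext = xor(body, keystream(enc_key, spi, seq, len(body)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    inner, pad = plaintext[:-2 - pad_len], plaintext[-2 - pad_len:-2]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, inner

ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"

# Transport mode: only the transport segment is protected; the original IP header stays in clear.
TCP_SEGMENT = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"      # constructed sample segment
# Tunnel mode: the entire original IP packet becomes the inner data and a new header
# addressed to the next hop (the peer gateway) is prepended, so inner src/dst are hidden too.
INNER_IP_PACKET = b"\x45\x00" + bytes(18) + TCP_SEGMENT           # constructed inner packet

def demo():
    transport = build_esp(ENC_KEY, AUTH_KEY, 0x2002, 1, TCP_SEGMENT, NH_TCP)
    tunnel = build_esp(ENC_KEY, AUTH_KEY, 0x2003, 1, INNER_IP_PACKET, NH_IPV4, tfc_pad=16)
    return (parse_esp(ENC_KEY, AUTH_KEY, transport),
            parse_esp(ENC_KEY, AUTH_KEY, tunnel), transport, tunnel)
```

Two points the slide compresses: the encrypted region is always a whole number of blocks (24 and 64 bytes in the demo), and the ICV is checked before decryption so that a modified or forged packet is dropped without feeding attacker-controlled ciphertext to the padding check.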
Combining Security
Associations
SAs can implement either AH or ESP
to implement both need to combine SAs
form a security association bundle
may terminate at different or same endpoints
combined by
transport adjacency
iterated tunneling
issue of authentication & encryption order
Combining Security
Associations
Key Management
handles key generation & distribution
typically need 2 pairs of keys (4 in total)
a transmit & receive pair for each of AH & ESP
manual key management
sysadmin manually configures every system
automated key management
automated system for on demand creation of
keys for SAs in large systems
has Oakley & ISAKMP elements
Oakley
a key exchange protocol
based on Diffie-Hellman key exchange
adds features to address weaknesses
cookies, groups (global params), nonces, DH
key exchange with authentication
can use arithmetic in prime fields or elliptic
curve fields
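Added example (not from the slides): an Oakley-style authenticated Diffie-Hellman exchange in Python showing the three additions the slide names: cookies (the responder re-derives its cookie from the packet's source address and does no DH work until it matches, which is the anti-clogging defence), nonces (fresh per exchange, so a recorded exchange cannot be replayed), and authentication (here by pre-shared key, in the IKE style of binding a keyed hash of the DH values and cookies to the secret). The group is a constructed 127-bit toy, not a real Oakley group, and the names, addresses and PSK are demo values.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 3. Oakley/IKE
# use far larger MODP groups (RFC 2412, RFC 3526) or elliptic-curve groups.
P = (1 << 127) - 1
G = 3

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def cookie(local_secret, src, dst):
    """Anti-clogging cookie: keyed hash of the addresses and a local secret, so the
    responder can re-check it statelessly instead of remembering every initiator."""
    return prf(local_secret, f"{src}->{dst}".encode())[:8]

def to_bytes(n):
    return n.to_bytes(16, "big")

class Party:
    def __init__(self, name, addr, psk):
        self.name, self.addr, self.psk = name, addr, psk
        self.cookie_secret = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1          # private DH exponent
        self.gx = pow(G, self.x, P)                    # public DH value
        self.nonce = secrets.token_bytes(16)           # fresh per exchange: defeats replay

def responder_accepts(resp, packet_src, presented_cookie):
    """Step 3 check: the cookie must match one derived from the packet's source address.
    A spoofed source never received CKY-R in step 2, so the responder spends no DH work on it."""
    return hmac.compare_digest(presented_cookie, cookie(resp.cookie_secret, packet_src, resp.addr))

def auth_hash(skeyid, own_gx, peer_gx, cky_i, cky_r, ident):
    # proves knowledge of the pre-shared key and binds it to this DH exchange
    return prf(skeyid, to_bytes(own_gx) + to_bytes(peer_gx) + cky_i + cky_r + ident.encode())

def run_exchange(init, resp):
    """Oakley-style exchange with pre-shared-key authentication.
    Returns (initiator key, responder key) or None if authentication fails."""
    cky_i = cookie(init.cookie_secret, init.addr, resp.addr)          # 1. I -> R: CKY-I
    cky_r = cookie(resp.cookie_secret, init.addr, resp.addr)          # 2. R -> I: CKY-I, CKY-R
    # 3. I -> R: CKY-I, CKY-R, g^xi, Ni, IDi
    if not responder_accepts(resp, init.addr, cky_r):
        return None
    shared_r = pow(init.gx, resp.x, P)
    skeyid_r = prf(resp.psk, init.nonce + resp.nonce)
    # 4. R -> I: g^xr, Nr, IDr, HASH_R
    hash_r = auth_hash(skeyid_r, resp.gx, init.gx, cky_i, cky_r, resp.name)
    shared_i = pow(resp.gx, init.x, P)
    skeyid_i = prf(init.psk, init.nonce + resp.nonce)
    if not hmac.compare_digest(hash_r, auth_hash(skeyid_i, resp.gx, init.gx, cky_i, cky_r, resp.name)):
        return None                                                    # responder not authenticated
    # 5. I -> R: HASH_I
    hash_i = auth_hash(skeyid_i, init.gx, resp.gx, cky_i, cky_r, init.name)
    if not hmac.compare_digest(hash_i, auth_hash(skeyid_r, init.gx, resp.gx, cky_i, cky_r, init.name)):
        return None                                                    # initiator not authenticated
    # session keying material: depends on the DH secret and on both nonces
    return prf(skeyid_i, to_bytes(shared_i)), prf(skeyid_r, to_bytes(shared_r))

def demo():
    alice = Party("alice", "192.0.2.1", b"constructed-psk")
    bob = Party("bob", "192.0.2.2", b"constructed-psk")
    mallory = Party("mallory", "192.0.2.1", b"wrong-psk")   # right address, wrong pre-shared key
    return run_exchange(alice, bob), run_exchange(mallory, bob)
```

Plain Diffie-Hellman gives both sides the same secret but tells neither who the other is; the HASH_R/HASH_I step is what turns it into an authenticated exchange, and the cookie step is what keeps a flood of forged first messages from costing the responder a modular exponentiation each.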
ISAKMP
Internet Security Association and Key
Management Protocol
provides framework for key management
defines procedures and packet formats to
establish, negotiate, modify, & delete SAs
independent of key exchange protocol,
encryption alg, & authentication method
ISAKMP
ISAKMP Payloads &
Exchanges
have a number of ISAKMP payload types:
Security Association, Proposal, Transform, Key Exchange,
Identification, Certificate, Certificate Request, Hash,
Signature, Nonce, Notification, Delete
ISAKMP has framework for 5 types of
message exchanges:
base, identity protection, authentication only,
aggressive, informational
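Added example (not from the slides): a builder and a defensive parser for the ISAKMP message framing behind these payload types, in Python. The 28-byte header (cookies, next payload, version, exchange type, flags, message ID, length) and the 4-byte generic payload header are laid out as in RFC 2408, and the payload and exchange type numbers are RFC 2408's; the parser validates every length field before using it, which is the check that a payload-chain parser must not skip. The sample message contents are constructed and abbreviated.

```python
import struct

ISAKMP_HEADER_LEN = 28
# Payload type and exchange type numbers from RFC 2408.
PAYLOAD_TYPES = {1: "Security Association", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request", 8: "Hash",
                 9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor ID"}
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}

def build_message(cky_i, cky_r, exchange_type, payloads, message_id=0):
    """payloads: list of (type number, body). Each generic payload header carries the
    type of the NEXT payload (0 = none) and its own length including the 4-byte header."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    first_type = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", cky_i, cky_r, first_type, 0x10,   # version 1.0
                         exchange_type, 0, message_id, ISAKMP_HEADER_LEN + len(chain))
    return header + chain

def parse_message(data):
    """Walk the payload chain, validating every length before trusting it."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    cky_i, cky_r, next_type, version, etype, flags, msg_id, length = \
        struct.unpack_from("!8s8sBBBBII", data, 0)
    if length != len(data):
        raise ValueError("header length does not match datagram length")
    payloads, off = [], ISAKMP_HEADER_LEN
    while next_type != 0:
        if off + 4 > length:
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > length:          # a length below 4 would never advance
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((PAYLOAD_TYPES.get(next_type, f"unknown({next_type})"),
                         data[off + 4:off + plen]))
        next_type, off = following, off + plen
    if off != length:
        raise ValueError("trailing bytes after last payload")
    return {"exchange": EXCHANGE_TYPES.get(etype, f"unknown({etype})"),
            "initiator_cookie": cky_i, "responder_cookie": cky_r,
            "message_id": msg_id, "payloads": payloads}

# Constructed sample: first message of an Identity Protection exchange, before the
# responder has issued its cookie (responder cookie is all zeros).
SAMPLE = build_message(b"\x11" * 8, bytes(8), 2,
                       [(1, b"\x00\x00\x00\x01" + b"proposal-bytes"),   # SA payload, contents abbreviated
                        (13, b"constructed-vendor-id")])

def corrupt_length(msg):
    """Same message with the first payload's length field set to 0 (malformed)."""
    return msg[:ISAKMP_HEADER_LEN + 2] + b"\x00\x00" + msg[ISAKMP_HEADER_LEN + 4:]
```

The payload chain is a linked list over a flat buffer, so a parser that trusts the length field can be driven into an infinite loop (length 0) or past the end of the datagram (length larger than what remains); checking both bounds on every hop is what makes the loop terminate on hostile input.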
Summary
have considered:
IPSec security framework
AH
ESP
key management & Oakley/ISAKMP
Cryptography and
Network Security
Chapter 17
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown
Web Security
Web now widely used by business,
government, individuals
but Internet & Web are vulnerable
have a variety of threats
  - integrity
  - confidentiality
  - denial of service
  - authentication
need added security mechanisms
SSL (Secure Socket Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard
known as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end
service
SSL has two layers of protocols
SSL Architecture
SSL Architecture
SSL connection
  - a transient, peer-to-peer, communications link
  - associated with 1 SSL session
SSL session
  - an association between client & server
  - created by the Handshake Protocol
  - defines a set of cryptographic parameters
  - may be shared by multiple SSL connections
SSL Record Protocol
Services
message integrity
  - using a MAC with shared secret key
  - similar to HMAC but with different padding
confidentiality
  - using symmetric encryption with a shared
    secret key defined by Handshake Protocol
  - AES, IDEA, RC2-40, DES-40, DES, 3DES,
    Fortezza, RC4-40, RC4-128
  - message is compressed before encryption
SSL Record Protocol
Operation
SSL Change Cipher Spec
Protocol
one of 3 SSL specific protocols which use
the SSL Record protocol
a single message
causes pending state to become current
hence updating the cipher suite in use
SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
warning or fatal
specific alert
fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
compressed & encrypted like all SSL data
SSL Handshake Protocol
allows server & client to:
  - authenticate each other
  - negotiate encryption & MAC algorithms
  - negotiate cryptographic keys to be used
comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL Handshake Protocol
TLS (Transport Layer
Security)
IETF standard RFC 2246 similar to SSLv3
with minor differences
  - in record format version number
  - uses HMAC for MAC
  - a pseudo-random function expands secrets
  - has additional alert codes
  - some changes in supported ciphers
  - changes in certificate types & negotiations
  - changes in crypto computations & padding
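Added example (not from the slides), serving both the SSL Record Protocol slide and the TLS slide above: the SSLv3 record MAC ("similar to HMAC but with different padding") beside the HMAC that TLS uses instead, the record framing and sequence-number check that rejects a replayed or reordered record, and the TLS pseudo-random function that expands the pre-master secret into the master secret. The cipher step is omitted (null cipher) so the MAC comparison stands out; secrets and randoms are constructed demo values.

```python
import hashlib
import hmac
import struct

SSL3_VERSION, TLS10_VERSION = 0x0300, 0x0301
CT_APPLICATION_DATA = 23
MAC_LEN = 20                      # SHA-1 output

def ssl3_mac(secret, seq, ctype, fragment, h=hashlib.sha1):
    """SSLv3 MAC: nested hash with the secret concatenated to 0x36/0x5c pads
    (40 bytes for SHA-1, 48 for MD5). Not HMAC, whose pads are XORed with the key."""
    n = 40 if h is hashlib.sha1 else 48
    inner = h(secret + b"\x36" * n + struct.pack("!QBH", seq, ctype, len(fragment)) + fragment).digest()
    return h(secret + b"\x5c" * n + inner).digest()

def tls_mac(secret, seq, ctype, version, fragment, h=hashlib.sha1):
    """TLS 1.0 MAC: plain HMAC over seq | type | version | length | fragment."""
    return hmac.new(secret, struct.pack("!QBHH", seq, ctype, version, len(fragment)) + fragment, h).digest()

def record_mac(secret, seq, ctype, version, fragment):
    if version == SSL3_VERSION:
        return ssl3_mac(secret, seq, ctype, fragment)
    return tls_mac(secret, seq, ctype, version, fragment)

def build_record(secret, seq, ctype, version, fragment):
    """Record layer: (compression omitted) -> MAC -> encrypt -> 5-byte header.
    The demo uses a null cipher; a real suite would encrypt fragment + MAC."""
    body = fragment + record_mac(secret, seq, ctype, version, fragment)
    return struct.pack("!BHH", ctype, version, len(body)) + body

def open_record(secret, expected_seq, record):
    """Receiver side; the implicit sequence number catches replay and reordering."""
    ctype, version, length = struct.unpack_from("!BHH", record, 0)
    body = record[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("truncated record")
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, record_mac(secret, expected_seq, ctype, version, fragment)):
        raise ValueError("bad_record_mac")               # the fatal alert TLS would send
    return ctype, fragment

# TLS pseudo-random function (RFC 2246 section 5): MD5 and SHA-1 expansions XORed together.
def p_hash(h, secret, seed, length):
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, h).digest()              # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, h).digest()
    return out[:length]

def tls_prf(secret, label, seed, length):
    half = (len(secret) + 1) // 2                        # halves overlap by one byte if odd
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def master_secret(pre_master, client_random, server_random):
    return tls_prf(pre_master, b"master secret", client_random + server_random, 48)

# Constructed demo values.
MAC_SECRET = b"constructed-mac-write-secret"

def demo():
    rec = build_record(MAC_SECRET, 0, CT_APPLICATION_DATA, TLS10_VERSION, b"hello")
    ok = open_record(MAC_SECRET, 0, rec)
    try:
        open_record(MAC_SECRET, 1, rec)                  # same record presented as the next one
        replay = "accepted"
    except ValueError as e:
        replay = str(e)
    return ok, replay
```

The sequence number is never sent on the wire; both ends count records, so a replayed record is rejected purely because the receiver's expected count has moved on. The two-hash PRF is TLS 1.0's hedge: an attacker must break both MD5 and SHA-1 to control the expanded keying material.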
Summary
have considered:
  - need for web security
  - SSL/TLS transport layer security protocols