
MODERN CRYPTOGRAPHY
BITS3413
Lecture 3
Week 3

Topics
• Modern Cryptography Algorithm
• Block and Stream
• DES
• AES
• MAC
• Digital Signature, RSA

Modern Cryptography Algorithm
• Most modern ciphers use a sequence of binary digits (bits), that is, zeros and ones such as ASCII.
• This bit sequence representing the plaintext is then encrypted to give the ciphertext as a bit sequence.

Modern Cryptography Algorithm
• The encryption algorithm may act on a bit-string in a number of ways.
  – stream ciphers, where the sequence is encrypted bit-by-bit.
  – block ciphers, where the sequence is divided into blocks of a predetermined size.
• ASCII requires 8 bits to represent one character, and so for a block cipher that has 64-bit blocks, the encryption algorithm acts on eight characters at once.
Modern Cryptography Algorithm
• Since most modern algorithms operate on binary strings we need to be familiar with a method of combining two bits called Exclusive OR and often written as XOR or ⊕.
• 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1 and 1 ⊕ 1 = 0

  ⊕ | 0 1
  --+----
  0 | 0 1
  1 | 1 0

Modern Cryptography Algorithm
• Stream ciphers
  – they convert one symbol of plaintext immediately into a symbol of ciphertext
  – depends on symbol, key and control information of encipherment algorithm
• Block ciphers
  – encrypt a group of plaintext symbols as one block
  – examples are transposition ciphers
  – e.g., in columnar transposition, the entire message is translated as one block; block size need not have any particular relationship to the size of the character

Stream Ciphers
• The plaintext is enciphered bit by bit.
• The value of each bit is changed to the alternative value or left unchanged.
• If a bit is changed twice, it returns to its original value.
• If an attacker knows that a stream cipher has been used, then their task is to try to identify the position of those bits which have been changed and to change them back to their original values.
• If there is any easily detectable pattern that identifies the changed bits then the attacker's task may be simple.
• The position of the changed bits must be unpredictable to the attacker but the genuine receiver needs to be able to identify them easily.

Stream Ciphers
• The encryption key is often called a keystream sequence.
• 0 to mean ‘leave unchanged’, 1 to mean ‘change’.
• Plaintext, ciphertext and keystream are all binary sequences.
• Suppose that we have the plaintext 1100101 and the keystream is 1000110.
• Applying the rule gives 0100011 as the ciphertext.
• Changing a bit twice has the effect of returning it to its original value.
• This means that the decryption process is identical to the encryption process, so the keystream also determines decryption.
Stream Ciphers
• If Pi, Ki and Ci are respectively the plaintext, keystream and ciphertext bits in position i, then the ciphertext bit Ci is given by Ci = Pi ⊕ Ki.
• The decryption is defined by Pi = Ci ⊕ Ki.
• A stream cipher takes a short key to generate a long keystream.
• This is achieved by using a binary sequence generator.

Stream Ciphers
• The keystream bit in position i, Ki = Pi ⊕ Ci, can be determined as the XOR of the plaintext and ciphertext in position i.
• This highlights the potential weakness of stream ciphers.
• Anyone who is able to launch a known plaintext attack can deduce parts of the keystream sequence from the corresponding plaintext and ciphertext bit pairs.
• Thus the keystream must be unpredictable in the sense that knowledge of some of it should not enable an attacker to deduce the rest.

Stream Ciphers
• If the keystream generator produces the same bit stream every time it is turned on, the resulting cryptosystem will be trivial to break.
• Anyone who has two different ciphertexts encrypted with the same keystream can XOR them together and get the two plaintext messages XORed with each other.
• When the interceptor gets a single plaintext/ciphertext pair, they can read everything.
• That is why all stream ciphers have keys - the output of the keystream generator is a function of the key.

Block Ciphers
• For a block cipher, the bit-string is divided into blocks of a given size and the encryption algorithm acts on that block to produce a cryptogram block that, for most symmetric ciphers, has the same size.
• Block ciphers have many applications.
• Can be used to provide confidentiality, integrity, or user authentication and can even be used to provide the keystream generator for stream ciphers.
• A symmetric algorithm is said to be well designed if an exhaustive key search is the simplest form of attack.
• Usual block sizes are 64, 128, 256 and 512 bits
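The XOR stream cipher rules from the slides above, as an added Python example (not code from the lecture): encryption and decryption are the same operation, one known plaintext/ciphertext pair gives back the keystream, and two ciphertexts under the same keystream XOR to the XOR of their plaintexts, which is why each message needs a fresh keystream. The second message "0111001" is constructed for the check.

```python
import secrets


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings such as "1100101"."""
    if len(a) != len(b):
        raise ValueError("bit strings must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def stream_encrypt(plaintext: str, keystream: str) -> str:
    """C_i = P_i xor K_i: a keystream bit of 1 flips the plaintext bit."""
    return xor_bits(plaintext, keystream)


def stream_decrypt(ciphertext: str, keystream: str) -> str:
    """P_i = C_i xor K_i: flipping a bit twice restores it, so decryption
    is exactly the same operation as encryption."""
    return xor_bits(ciphertext, keystream)


def recover_keystream(plaintext: str, ciphertext: str) -> str:
    """K_i = P_i xor C_i: a known plaintext/ciphertext pair reveals the
    keystream bits at those positions (the known-plaintext weakness)."""
    return xor_bits(plaintext, ciphertext)


def keystream_reuse_leak(c1: str, c2: str) -> str:
    """c1 xor c2 == p1 xor p2 when both were encrypted with one keystream:
    the keystream cancels and the XOR of the two plaintexts is exposed."""
    return xor_bits(c1, c2)


def fresh_keystream(nbits: int) -> str:
    """A fresh random keystream per message is what prevents the reuse leak."""
    return "".join(str(secrets.randbits(1)) for _ in range(nbits))


def demo() -> dict:
    p = "1100101"                 # plaintext from the slide
    k = "1000110"                 # keystream from the slide
    c = stream_encrypt(p, k)      # 0100011 as on the slide
    p2 = "0111001"                # constructed second message
    c2 = stream_encrypt(p2, k)    # same keystream reused (the mistake)
    return {
        "ciphertext": c,
        "decrypted": stream_decrypt(c, k),
        "recovered_keystream": recover_keystream(p, c),
        "reuse_leak": keystream_reuse_leak(c, c2),
        "p1_xor_p2": xor_bits(p, p2),
    }
```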
Block Ciphers
• There are a few obvious properties that a strong block cipher should possess.
• Diffusion properties - a small change in the plaintext, maybe one or two positions, should produce an unpredictable change in the ciphertext.
• Confusion properties - if an attacker is conducting an exhaustive key search then there should be no indication that they are near to the correct key.
• To prevent divide-and-conquer attacks we require completeness - each bit of a ciphertext must depend on every bit of the key.
• Statistical testing forms a fundamental component of the assessment of block ciphers for these three listed properties and others.

Data Encryption Standards (DES)
• Widely used encryption scheme
• Adopted by the National Bureau of Standards in 1977
• The plaintext is divided into 64 bit blocks with a key of 56 bits (with 8 bit parity).
• DES structure is similar to the Feistel Network concept.
• Process through 16 rounds of Expansion, substitution, key mixing and permutation.

Data Encryption Standards (DES)
• Is it breakable?
  – Yes, can try brute force attack using all the 2^56 possible keys
  – 1998, Electronic Frontier Foundation (EFF) has created a USD220,000 machine to go through the entire 56 bit DES key space in an average of 4.5 days.
• Triple DES has been introduced to improve the standard.

Advanced Encryption Standard (AES)
• needed a better replacement for DES
• NIST called for proposals in 1997
• selected Rijndael in Nov 2001
• published as FIPS 197
• symmetric block cipher
• uses 128 bit data & 128/192/256 bit keys
• now widely available commercially

Message Authentication / Message Authentication Codes (MAC)
• protects against active attacks
• verifies received message is authentic
  – contents unaltered
  – from authentic source
  – timely and in correct sequence
• can use conventional encryption
  – only sender & receiver have key needed
• or separate authentication mechanisms
  – append authentication tag to cleartext message
Hash Function

Hash Function Requirements
• a one-way or secure hash function used in message authentication, digital signatures
• applied to any size data
• H produces a fixed-length output.
• H(x) is relatively easy to compute for any given x
• one-way property
  – computationally infeasible to find x such that H(x) = h
• weak collision resistance
  – computationally infeasible to find y ≠ x such that H(y) = H(x)
• strong collision resistance
  – computationally infeasible to find any pair (x, y) such that H(x) = H(y)

Simple Hash Functions
• all hash functions process input a block at a time in an iterative fashion
• one of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block
  – effective data integrity check on random data
  – less effective on more predictable data
  – virtually useless for data security
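The block-XOR hash from the Simple Hash Functions slide, as an added Python example (not from the lecture): it catches any single accidental bit flip, yet swapping two blocks, or repeating a block, leaves the digest unchanged, which is why it is useless as a security check. Block size of 4 bytes and the sample messages are constructed for the illustration.

```python
import secrets


def xor_block_hash(data: bytes, block_size: int = 4) -> bytes:
    """Iterative hash: process the message one block at a time and combine
    the blocks with bit-by-bit XOR. The last block is zero-padded, so the
    digest is always block_size bytes long."""
    state = bytes(block_size)
    for i in range(0, len(data), block_size):
        block = data[i:i + block_size].ljust(block_size, b"\0")
        state = bytes(s ^ b for s, b in zip(state, block))
    return state


def detects_random_bit_flip(data: bytes) -> bool:
    """Integrity check against accidental corruption: each digest bit is the
    XOR of the same bit position across all blocks, so flipping one input
    bit flips exactly one digest bit and is always detected."""
    pos = secrets.randbelow(len(data) * 8)      # random position to corrupt
    corrupted = bytearray(data)
    corrupted[pos // 8] ^= 1 << (pos % 8)
    return xor_block_hash(bytes(corrupted)) != xor_block_hash(data)


def reordered_blocks_collide(data: bytes, block_size: int = 4) -> bool:
    """Why it is useless for security: XOR is commutative, so exchanging two
    whole blocks (a meaningful change to the message) gives the same digest.
    Needs at least two blocks."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    swapped = b"".join([blocks[1], blocks[0]] + blocks[2:])
    return (swapped != data and
            xor_block_hash(swapped, block_size) == xor_block_hash(data, block_size))


def repeated_blocks_cancel(block: bytes) -> bytes:
    """Predictable data is even worse: a block repeated twice XORs to zero,
    so "ABCDABCD" hashes to the all-zero digest."""
    return xor_block_hash(block + block, len(block))
```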
Hash Functions
• two attack approaches
  – cryptanalysis: exploit logical weakness in alg
  – brute-force attack: trial many inputs; strength proportional to size of hash code (2^(n/2))
• SHA most widely used hash algorithm
  – SHA-1 gives 160-bit hash
  – more recent SHA-256, SHA-384, SHA-512 provide improved size and security

Hash Functions
• There are 2 prominent algorithms in Hashing functions.
• First, the most popularly used technique is MD5.
• Second, the well accepted standard is secure hashing algorithm SHA-1.
• Nevertheless, SHA-256 is chosen in this class as it is considered to be the primary next-generation algorithm.

Hash Functions
• MD-5
  – A hash function designed by Ron Rivest, one of the inventors of the RSA public-key encryption scheme.
  – The MD-5 algorithm produces a 128-bit output. Note that MD-5 is now known to have some weaknesses and should be avoided if possible. SHA-1 is generally recommended.
• SHA-1 (Secure Hash Algorithm-1)
  – SHA-1 is an MD-5-like algorithm that was designed to be used with the Digital Signature Standard (DSS).
  – NIST (National Institute of Standards and Technology) and NSA (National Security Agency) are responsible for SHA-1.
  – The SHA-1 algorithm produces a 160-bit MAC.
  – This longer output is considered to be more secure than MD-5.

SHA Secure Hash Functions
• SHA originally developed by NIST/NSA in 1993
• was revised in 1995 as SHA-1
  – US standard for use with DSA signature scheme
  – standard is FIPS 180-1 1995, also Internet RFC3174
  – produces 160-bit hash values
• NIST issued revised FIPS 180-2 in 2002
  – adds 3 additional versions of SHA
  – SHA-256, SHA-384, SHA-512
  – with 256/384/512-bit hash values
  – same basic structure as SHA-1 but greater security
• NIST intend to phase out SHA-1 use
SHA-1 and SHA-256
• For SHA-1 and SHA-256, each message block has 512 bits, which are represented as a sequence of sixteen 32-bit words.
• SHA-256 uses six logical functions, where each function operates on 32-bit words, which are

SHA-1 and SHA-256
• Suppose that the length of the message, M, is l bits. Append the bit “1” to the end of the message, followed by k zero bits, where k is the smallest, non-negative solution to the equation l + 1 + k ≡ 448 mod 512. Then append the 64-bit block that is equal to the number l expressed using a binary representation.
• For example, the (8-bit ASCII) message “abc” has length 8×3 = 24, so the message is padded with a one bit, then 448 − (24 + 1) = 423 zero bits, and then the message length, to become the 512-bit padded message.

Initial value
• For SHA-1 and SHA-256, the padded message is parsed into N 512-bit blocks, M(1), M(2), …, M(N). Since the 512 bits of the input block may be expressed as sixteen 32-bit words, the first 32 bits of message block i are denoted M(i)_0, the next 32 bits are M(i)_1, and so on up to M(i)_15.
• For SHA-256, the initial hash value, H(0), shall consist of the following eight 32-bit words, in hex:
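The padding and parsing steps from the two slides above, as an added Python example (not from the lecture): pad a byte message with the 1 bit, k zeros and the 64-bit length, then split the result into 512-bit blocks of sixteen 32-bit words. It also covers the edge case the example "abc" does not show: a 56-byte message leaves no room for the length field and needs a second block.

```python
def padding_zero_bits(msg_len_bits: int) -> int:
    """Smallest non-negative k with (l + 1 + k) mod 512 == 448."""
    return (448 - (msg_len_bits + 1)) % 512


def sha256_pad(message: bytes) -> bytes:
    """Pad as the slide describes: one '1' bit, k zero bits, then the 64-bit
    big-endian length l. For byte-aligned input the '1' bit plus its first
    seven zero bits form the byte 0x80; the remaining zeros are 0x00 bytes."""
    l = len(message) * 8
    k = padding_zero_bits(l)
    filler_bytes = (1 + k) // 8           # 1 + k is a multiple of 8 here
    padded = message + b"\x80" + b"\x00" * (filler_bytes - 1) + l.to_bytes(8, "big")
    assert len(padded) % 64 == 0          # whole number of 512-bit blocks
    return padded


def parse_blocks(padded: bytes) -> list:
    """Split the padded message into N 512-bit blocks M(1)..M(N), each a list
    of sixteen 32-bit words M(i)_0 .. M(i)_15 (big-endian, as in FIPS 180)."""
    blocks = []
    for i in range(0, len(padded), 64):
        block = padded[i:i + 64]
        blocks.append([int.from_bytes(block[j:j + 4], "big") for j in range(0, 64, 4)])
    return blocks


def demo() -> dict:
    padded = sha256_pad(b"abc")
    blocks = parse_blocks(padded)
    return {
        "k": padding_zero_bits(24),        # 423 zero bits, as on the slide
        "padded_bits": len(padded) * 8,    # 512
        "n_blocks": len(blocks),           # 1
        "M1_0": blocks[0][0],              # 0x61626380: 'a','b','c' then the 1 bit
        "M1_15": blocks[0][15],            # 24, the low word of the length
    }
```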
SHA-512 Structure
• Refer to the pseudocode

SHA-512 Round (figure)

Digital Signatures (Cont.)
• It is the provision of a means of settling disputes between sender and receiver that distinguishes the digital signature mechanism from the MACing process.
• Such disputes can only be settled if there is asymmetry between sender and receiver.
Digital Signatures (Basic Principle)
• For a digital signature scheme based on RSA or El Gamal:
  – Each user has a private key that only they can use and its use is accepted as identifying them.
  – There is a corresponding public key.
  – Anyone who knows this public key can check that the corresponding private key has been used, but cannot determine the private key.
  – This gives the receiver assurance of both the origin and content of the message.

Generating a Digital Signature
• Asymmetric cryptographic processing requires much computational processing.
• Thus a condensed version or hash of the message is produced by applying a hash function to the message.
• The signature is produced from the hash (which represents the message) by using the asymmetric algorithm with the private key.
• Thus only the owner of the private key can generate the signature.

Digital signature (figure)
• Sender: MESSAGE → Hf (HASH FUNCTION) → E (sign the hash with the Private key) → signature
• Receiver: MESSAGE → Hf → hash; signature → D (verify with the Public key) → hash; Compare


How to Create a Digital Signature Using RSA (figure)
MESSAGE → HASHING FUNCTION → HASH OF MESSAGE → Sign using Private Key → SIGNATURE (SIGNED HASH OF MESSAGE)

Verifying a Digital Signature
• The signature can be verified by anyone who knows the corresponding public key.
• To do this a value is produced from the signature using the asymmetric algorithm with the public key.
• This value should be the hash of the message, which anyone can calculate.
• If this value and the hash agree, the signature is accepted as genuine.

How to Verify a Digital Signature Using RSA (figure)
Received Message → Hashing Function → Hash of Message
Received Signature → Verify using Public key → Hash of Message
If hashes are equal, signature is authentic

Certification Authority (CA)
• AIM:
  – To guarantee the authenticity of public keys.
• METHOD:
  – The CA guarantees the authenticity by signing a certificate containing the user’s identity and public key with its secret key.
• REQUIREMENT:
  – All users must have an authentic copy of the Certification Authority’s public key.
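The hash-then-sign and verify flow of the preceding slides, as an added Python example (not code from the lecture): textbook RSA applied directly to a SHA-256 digest, with no padding scheme. The key uses two fixed Mersenne primes purely as a constructed illustration (chosen so n exceeds a 256-bit digest); real keys come from random primes as the RSA slides describe, and the sample message is constructed.

```python
import hashlib

# Constructed illustration key: known Mersenne primes, NOT randomly generated.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)               # d = e^-1 mod phi(n), Python 3.8+

PUBLIC_KEY = (E, N)               # PU = {e, n}
PRIVATE_KEY = (D, N)              # PR = {d, n}


def message_hash(message: bytes) -> int:
    """Condensed version of the message: the SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signature = hash of the message transformed with the private exponent.
    Only the holder of d can produce it."""
    d, n = private_key
    h = message_hash(message)
    if h >= n:
        raise ValueError("hash must be smaller than the modulus")
    return pow(h, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover a value from the signature with the public exponent and compare
    it with the hash that anyone can compute from the received message."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == message_hash(message)


def demo() -> tuple:
    msg = b"transfer 100 to account 42"             # constructed sample
    sig = sign(msg, PRIVATE_KEY)
    genuine = verify(msg, sig, PUBLIC_KEY)
    # Any change to the message or to the signature makes the hashes disagree.
    tampered = verify(b"transfer 900 to account 42", sig, PUBLIC_KEY)
    forged = verify(msg, sig + 1, PUBLIC_KEY)
    return genuine, tampered, forged
```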
Certification Process (figure)
Owner: Generates Key Set → Presents Public Key and credentials → Centre Verifies credentials → Creates Certificate → Distribution → Owner Receives (and checks) certificate

How Does it Work?
• The certificate can accompany all sender’s messages.
• The recipient must directly or indirectly:
  – Trust the CA
  – Validate the certificate

Certification Authorities
• Problems / Questions
  – Who generates users’ keys?
  – How is identity established?
  – How can certificates be cancelled?
  – Any others?

Attacks on Digital Signature
• Suppose digital signatures are being used as a means of identification.
• If user A wishes to impersonate user B, then there are two different forms of attack:
  – A attempts to obtain the use of B’s private key
  – A tries to substitute their public key for B’s public key.
Public Key Infrastructure (PKI)
• The motivation of using PKI is to facilitate the use of public key cryptography.
• Three key players in a PKI system:
  – The certificate owner - who applies for the certificate.
  – CA - which issues the certificate that binds the owner’s identity to the owner’s public key value.
  – The relying party - who relies on the certificate.
• Other players:
  – Registration Authority (RA) - in some systems the identification verification is performed by a separate authority.
  – Validation Authority (VA) - end users ask the VA if a given certificate is still valid and receive a yes or no answer.

Establishing a PKI
• When a PKI is established, the following processes need to take place:
  – The key pairs for CAs must be generated.
  – The key pairs for users must be generated.
  – Users must request certificates.
  – Users’ identities must be verified.
  – Users’ key pairs must be verified.
  – Certificates must be produced.
  – Certificates must be checked.
  – Certificates must be removed/updated (when necessary).
  – Certificates must be revoked (when necessary).

Key Management
• A typical requirement specification for a symmetric key system might include each of the following:
  – Keys must be generated using a random or pseudorandom process.
  – Any key used by a communicating pair must be unique to them.
  – A key must be used for only one purpose, e.g. the same key should not be used for both encryption and authentication.
  – Each key must be replaced within the time deemed necessary to determine it by an exhaustive search.

Key Management (Cont.)
• A key must not be used if its compromise is either known or suspected.
• Compromise of a key which is shared between two parties must not compromise any key used by a third party.
• Keys should only appear in clear form within a highly tamper resistant device. Elsewhere all keys must be encrypted or in component form.
• Keys must be protected against misuse.
• Unauthorized modification, substitution or replay of any key must be prevented or detected.
The Key Life Cycle (figure)
Generation → Distribution → Storage → Usage → Change → Destruction

RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• Ingredients of RSA:
  – p, q, two prime numbers (private, chosen)
  – n = p*q (public, calculated)
  – e, with gcd(Ø(n), e) = 1; 1 < e < Ø(n) (public, chosen)
  – d = e^-1 (mod Ø(n)) (private, calculated)

RSA Key Setup
• each user generates a public/private key pair by:
  – selecting two large primes at random - p, q
  – computing their system modulus n=p*q
    note ø(n)=(p-1)(q-1)
  – selecting at random the encryption key e
    where 1<e<ø(n), gcd(e,ø(n))=1
  – solve following equation to find decryption key d
    e*d=1 mod ø(n) and 0≤d≤n
  – publish their public encryption key: PU={e,n}
  – keep secret private decryption key: PR={d,n}

RSA Use
• to encrypt a message M the sender:
  – obtains public key of recipient PU={e,n}
  – computes: C = M^e mod n, where 0≤M<n
• to decrypt the ciphertext C the owner:
  – uses their private key PR={d,n}
  – computes: M = C^d mod n
• note that the message M must be smaller than the modulus n (block if needed)
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Compute n = pq = 17 x 11 = 187
3. Compute ø(n) = (p–1)(q–1) = 16 x 10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160. Value is d=23
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}

RSA Example - En/Decryption
• sample RSA encryption/decryption is:
• given message M = 88 (number 88<187)
• encryption:
  C = M^e mod n
  C = 88^7 mod 187 = 11
• decryption:
  M = C^d mod n
  M = 11^23 mod 187 = 88

Exponentiation
• can use the Square and Multiply Algorithm
• a fast, efficient algorithm for exponentiation
• concept is based on repeatedly squaring base
• and multiplying in the ones that are needed to compute the result
• look at binary representation of exponent
• only takes O(log2 n) multiples for number n
  – eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
  – eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11

Exponentiation (Algorithm for Computing a^b mod n)
  c = 0; f = 1
  for i = k downto 0
      c = 2 x c
      f = (f x f) mod n
      if b_i == 1 then
          c = c + 1
          f = (f x a) mod n
  return f
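The square-and-multiply pseudocode above, together with the RSA key setup and the p=17, q=11 worked example from the previous slides, as an added Python example (not code from the lecture). The `c` counter is kept exactly as in the slide's pseudocode so the invariant f = a^c mod n can be checked at the end.

```python
from math import gcd


def square_and_multiply(a: int, b: int, n: int) -> int:
    """a^b mod n following the slide's pseudocode: scan the exponent's bits
    b_k .. b_0 from the most significant; square f for every bit and multiply
    by a when the bit is 1. c tracks the exponent built so far, f = a^c mod n."""
    c, f = 0, 1
    for bit in bin(b)[2:]:            # "1" for b_k, then b_(k-1) .. b_0
        c = 2 * c
        f = (f * f) % n
        if bit == "1":
            c = c + 1
            f = (f * a) % n
    assert c == b                     # every exponent bit has been consumed
    return f


def rsa_keypair(p: int, q: int, e: int) -> tuple:
    """Key setup from the slides: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).
    Returns the public key PU = {e, n} and private key PR = {d, n}."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    d = pow(e, -1, phi)               # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt(m: int, public_key: tuple) -> int:
    """C = M^e mod n, with the message block required to be smaller than n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < n")
    return square_and_multiply(m, e, n)


def rsa_decrypt(c: int, private_key: tuple) -> int:
    """M = C^d mod n."""
    d, n = private_key
    return square_and_multiply(c, d, n)
```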
Efficient Encryption
• encryption uses exponentiation to power e
• hence if e small, this will be faster
• often choose e=65537 (2^16+1)
• also see choices of e=3 or e=17
• but if e too small (eg e=3) can attack using Chinese remainder theorem & 3 messages with different moduli
• if e fixed must ensure gcd(e,ø(n))=1
  – i.e. reject any p or q not relatively prime to e

Efficient Decryption
• decryption uses exponentiation to power d
  – this is likely large, insecure if not
• can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get desired answer
  – approx 4 times faster than doing directly
  – only owner of private key who knows values of p & q can use this technique
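The CRT decryption shortcut from the Efficient Decryption slide, as an added Python example (not from the lecture), checked against the direct C^d mod n computation on the slides' toy key p=17, q=11, d=23. The recombination step uses Garner's formula with the precomputed value q^-1 mod p.

```python
def crt_private_key(p: int, q: int, d: int) -> dict:
    """Precompute what only the owner of p and q can know: the reduced
    exponents d mod (p-1) and d mod (q-1), and q^-1 mod p for recombination."""
    return {"p": p, "q": q,
            "dp": d % (p - 1),
            "dq": d % (q - 1),
            "qinv": pow(q, -1, p)}       # Python 3.8+ modular inverse


def rsa_decrypt_crt(c: int, key: dict) -> int:
    """Decrypt with two exponentiations modulo the small primes p and q
    (each with a shorter exponent), then combine them to obtain C^d mod n
    without ever exponentiating modulo n."""
    p, q = key["p"], key["q"]
    m1 = pow(c % p, key["dp"], p)        # C^d mod p (by Fermat's little theorem)
    m2 = pow(c % q, key["dq"], q)        # C^d mod q
    h = (key["qinv"] * (m1 - m2)) % p    # Garner's recombination
    return m2 + h * q                    # unique value in [0, n) matching both


def crt_matches_direct(c: int, p: int, q: int, d: int) -> bool:
    """Check that the shortcut agrees with the direct method for ciphertext c."""
    return rsa_decrypt_crt(c, crt_private_key(p, q, d)) == pow(c, d, p * q)
```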

RSA Key Generation
• users of RSA must:
  – determine two primes at random - p, q
  – select either e or d and compute the other
• primes p, q must not be easily derived from modulus n=p*q
  – means must be sufficiently large
  – typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other

RSA Security
• possible approaches to attacking RSA are:
  – brute force key search (infeasible given size of numbers)
  – mathematical attacks (based on difficulty of computing ø(n), by factoring modulus n)
  – timing attacks (on running of decryption)
  – chosen ciphertext attacks (given properties of RSA)
Methods of Attack
• Four general attacks can be performed against encrypted information:
  – Ciphertext-only attack: guessing the plaintext or using frequency analysis
  – Known Plaintext: guess using known plaintext.
  – Chosen-plaintext
  – Chosen-ciphertext attack

Methods of Attack (Cont.)
• There are also specific attacks that can be launched against encryption systems.
  – Brute-Force attack: Exhaustive key search - trying every possible combination.
  – Replay attacks: Taking encrypted information and playing it back at a later point in time.
  – Man-in-the-middle attacks
  – Fault in Cryptosystem
