Elementary Encryption Explained

Chapter
p 2
Elementary Encryption
Ch l P.
Charles P Pfleeger
Pfl & Sh
Sharii LLawrence Pfl
Pfleeger, SSecurity
i ini Computing,
C i
4th Ed., Pearson Education, 2007 1
y In this chapter
y Concepts
C off encryption
i
y Cryptanalysis: how encryption systems are "broken"
y Symmetric
S t i (secret
( t key)
k ) encryption
ti andd th
the DES andd AES algorithms
l ith
y Asymmetric (public key) encryption and the RSA algorithm
y Key
K exchange
h protocols
t l andd certificates
tifi t
y Digital signatures
y Cryptographic
C t hi hhashh ffunctions
ti
2
gy and Background
2.1. Terminology g
y Consider the steps involved in sending messages
y from
f a sender, d S, S to a recipient,
i i R
y If S entrusts the message to T, who then delivers it to R, T then
bbecomes th the transmission
t i i medium di
y an outsider, O, wants to access the message (to read, change, or
even destroy
d t it), it) we callll O an interceptor
i t t or intruder.
i t d
y Any time after S transmits it via T, the message is vulnerable to
exploitation
l it ti
y O might try to access the message in any of the following ways:

y Block
Bl k it,
i by
b preventing
i its
i reaching
hi R,R thereby
h b affecting
ff i the
h
availability of the message.
y Intercept
I t t it,
it bby reading
di or lilistening
t i to t th
the message, thereby
th b
affecting the confidentiality of the message.
y Modify
M dif it,it bby seizing
i i th
the message andd changing
h i it iin some way,
affecting the message's integrity.
y Fabricate
F b i t an authentic-looking
th ti l ki message, arranging i ffor it to
t be
b
delivered as if it came from S, thereby also affecting the integrity of
the message.
th
4
y Terminology
y Encryption
E i isi the
h process off encoding
di a message so that
h its
i
meaning is not obvious;
y decryption
d ti isi ththe reverse process, ttransforming
f i an encrypted td
message back into its normal, original form.
y Alternatively,
Alt ti l the th tterms encoded andd decode
d d or encipheri h andd
decipher are used instead of encrypt and decrypt.
y A system
t forf encryptionti andd decryption
d ti iis called
ll d a cryptosystem.
t t
Figure 2-1 Encryption.

• The original form of a message is known as plaintext, and the
encrypted form is called ciphertext.
ciphertext
• Denote a plaintext message P as a sequence of individual characters
P = <p1, p2, …, pn>.
>
• Similarly, ciphertext is written as C = <c1, c2, …, cm>.
• For instance
instance, the plaintext message "II want cookies
cookies" can be denoted
as the message string <I, ,w,a,n,t, , c,o,o,k,i,e,s>.
• It can be transformed into ciphertext <c1, c2, …, c14>, > and the
encryption algorithm tells us how the transformation is done.
6
Figure 2-1 Encryption.
• we write C = E(P) and P = D(C)
where C represents the ciphertext,
ciphertext E is the encryption rule,
rule
P is the plaintext D is the decryption rule.
• What we seek is a cryptosystem for which P = D(E(P)).
D(E(P))
• In other words, we want to be able to convert the message to
protect it from an intruder,
intruder but we also want to be able to get the
original message back so that the receiver can read it properly.
y Encryption Algorithms
y The
Th cryptosystem iinvolves
l a set off rules
l for
f how
h to encrypt the
h
plaintext and how to decrypt the ciphertext.
y The
Th encryption
ti andd ddecryption
ti rules,
l called
ll d algorithms,
l ith often ft use a
device called a key, denoted by K,
y The
Th resulting
lti ciphertext
i h t t ddepends
d on ththe original
i i l plaintext
l i t t message,
the algorithm, and the key value.
y We
W write
it thi
this ddependence
d as C = E(K
E(K, P)
P).
8
y Encryption Algorithms (Cont’d)
y Sometimes
S i theh encryption
i andd ddecryption
i keys
k are the
h same, so P =
D(K, E(K,P)).
y This
Thi fform iis called
ll d symmetric
t i encryption
ti because
b D andd E are
mirror-image processes.

y At
A other
h times,
i encryption
i andd ddecryption
i keys
k come in
i pairs.
i Then,
Th
a decryption key, KD, inverts the encryption of key KE so that P =
D(KD, E(KE,P)).
P))
y Encryption algorithms of this form are called asymmetric because
converting
ti C bbackk tto P iinvolves
l a series
i off steps
t andd a kkey ththatt are
different from the steps and key of E.
10
Figure 2-2 Encryption with Keys.
11

y A kkey gives
i us flflexibility
ibili iin using
i an encryption
i scheme.
h W
We can
create different encryptions of one plaintext message just by
changing
h i the th key.
k
y Moreover, using a key provides additional security. If the encryption
algorithm
l ith shouldh ld fall
f ll iinto
t th
the iinterceptor's
t t ' hhands,
d ffuture
t messages
can still be kept secret because the interceptor will not know the
k value.
key l
y An encryption scheme that does not require the use of a key is
called
ll d a keyless
k l cipher.
i h
12
y The
Th wordd cryptography
h means hidden
hidd writing,
i i andd iit refers
f to the
h
practice of using encryption to conceal text.
y A cryptanalyst
t l t studies
t di encryption
ti andd encryptedt d messages, hhoping
i
to find the hidden meanings.
y Normally,
N ll a cryptographer
t h works k on bbehalf
h lf off a llegitimate
iti t sender
d or
receiver, whereas a cryptanalyst works on behalf of an unauthorized
it
interceptor.
t
y Cryptology is the research into and study of encryption and
d
decryption;
ti it includes
i l d bbothth cryptography
t h andd cryptanalysis.
t l i
13
y Cryptanalysis
y A cryptanalyst's
l ' chore
h iis to break
b k an encryption.
i
y That is, the cryptanalyst attempts to deduce the original meaning of
a ciphertext
i h t t message.
14
y Cryptanalysis
y a cryptanalyst
l can attempt to do d any or allll off sixi diff
different things:
hi
y break a single message
y recognize patterns in encrypted messages,
messages to be able to break subsequent
ones by applying a straightforward decryption algorithm
y infer some meaning without even breaking the encryption, such as noticing
an unusual frequency of communication or determining something by
whether the communication was short or long
y deduce the key, to break subsequent messages easily
y find weaknesses in the implementation or environment of use of encryption
y find general weaknesses in an encryption algorithm
algorithm, without necessarily
having intercepted any messages
15
y Breakable Encryption
y An
A encryption
i algorithm
l i h isi called
ll d breakable
b k bl when,
h given
i enoughh
time and data, an analyst can determine the algorithm.
y However,
H an algorithm
l ith th thatt iis th
theoretically
ti ll bbreakable
k bl may iin ffactt bbe
impractical to try to break.
16
y Breakable Encryption (Cont’d)
y To
T see why,
h consider
id a 25
25-character
h message that
h iis expressedd iin
just uppercase letters.
y A given
i cipher
i h scheme
h may hhave 2625 (approximately
( i t l 1035) possible
ibl
decipherments, so the task is to select the right one out of the 2625.
17

y If your computer could
ld perform
f on the d off 1010 operations
h order i per
second, finding this decipherment would require on the order of
1016 seconds, hl 1011 years.
d or roughly
y In this case, although we know that theoretically we could generate
th solution,
the l ti ddetermining
t i i th the ddeciphering
i h i algorithm
l ith bby examining
i i allll
possibilities can be ignored as infeasible with current technology.
18
y Two
T other
h iimportant iissues must be
b addressed
dd d when
h considering
id i
the breakability of encryption algorithms.
y FiFirst,t the
th cryptanalyst
t l t cannott bbe expected
t d tto ttry only
l the
th hhard,
d llong way. In
I
the example just presented, the obvious decryption might require 26 25
machine operations,
p , but a more ingenious
g approach
pp might q onlyy 1015
g require
operations. At the speed of 1010 operations per second, 1015 operations take
slightly more than one day.
19

y Two
T other
h iimportant iissues must be
b addressed
dd d when
h considering
id i
the breakability of encryption algorithms.
y SSecond, d estimates
ti t off breakability
b k bilit are bbasedd on currentt ttechnology.
h l
y A conjecture known as "Moore's Law" asserts that the speed of processors
doubles everyy 1.5 years,
y , and this conjecture
j has been true for over two
decades.
y It is risky to pronounce an algorithm secure just because it cannot be broken
with current technology, or worse, that it has not been broken yet.
20
y Representing Characters
y we use the
h convention
i that
h plaintext
li iis written
i iin UPPERCASE
letters, and ciphertext is in lowercase letters.
y Because
B mostt encryption
ti algorithms
l ith are bbasedd on mathematical
th ti l
transformations, they can be explained or studied more easily in
mathematical
th ti l form.
f
21
Letter A B C D E F G H I J K L M
Code 0 1 2 3 4 5 6 7 8 9 10 11 12
Letter N O P Q R S T U V W X Y Z
Code 13 14 15 16 17 18 19 20 21 22 23 24 25
22
y There
Th are many types off encryption.
i
y Two simple forms of encryption:
y substitutions,
b tit ti iin which
hi h one lletter
tt iis exchanged
h d ffor anotherth
y transpositions, in which the order of the letters is rearranged.
23
p
2.2. Substitution Ciphers
y The goal of substitution is confusion
y The
Th Caesar
C Ci
Cipher
h
y each letter is translated to the letter a fixed number of places after
it in
i th
the alphabet.
lhbt
y Caesar used a shift of 3, so plaintext letter pi was enciphered as
ciphertext
i h t t letter
l tt ci by
b th
the rule
l
ci = E(pi) = pi + 3
24
y The Caesar Cipher
p (Cont’d)
( )
y Using this encryption, the message
TREATY IMPOSSIBLE
would be encoded as
T R E A T Y I M P O S S I B L E
w u h d w b l p s r v v l e o h
25
y The Caesar Cipher (Cont’d)

y Advantages
Ad andd Disadvantages
Di d off the
h Caesar
C Cipher
Ci h
y The Caesar cipher is quite simple.
y During Caesar
Caesar'ss lifetime,
lifetime the simplicity did not dramatically compromise the
safety of the encryption because anything written, even in plaintext, was
rather well protected; few people knew how to read!
y Its obvious pattern is also the major weakness of the Caesar cipher. A secure
encryption should not allow an interceptor to use a small piece of the
ciphertext to predict the entire pattern of the encryption.
26
y Cryptanalysis of the Caesar Cipher
y have
h many cluesl from
f the h ciphertext
i h
y For example, the break between the two words is preserved in the
ciphertext,
i h t t andd ddouble
bl lletters
tt are preservedd
T R E A T Y I M P O S S I B L E
w u h d w b l p s r v v l e o h
27
y Cryptanalysis of the Caesar Cipher

y Suppose
S you are given
i theh following
f ll i ciphertext
i h message, andd you
want to try to determine the original plaintext.
wklv phvvdjh lv qrw wrr kdug wr euhdn
The message has actually been enciphered with a 27-symbol

alphabet: A through Z plus the "blank"
blank
28
y In substitutions, the alphabet is scrambled, and each plaintext letter
maps to a unique
i ciphertext
i h letter.
l
y A permutation is a reordering of the elements of a sequence
y For
F iinstance,
t we can permute t th
the numbers
b l tto 10 in i many ways,
including the permutations n1 = 1, 3, 5, 7, 9, 10, 8, 6, 4, 2; and
n2 = 10
10, 99, 88, 7,
7 6,
6 55, 44, 3,
3 2,
2 1.
1
y A permutation is a function, so we can write expressions such as
n1(3) = 5 meaning i ththatt the
th letter
l tt iin position
iti 3 iis tto bbe replaced
l d bby
the fifth letter.
29
y One way to scramble an alphabet is to use a key, a word that controls

the
h permutation i
y For instance,
y if th
the kkey iis word,
d th
the sender
d or receiver i fifirstt writes
it th the alphabet
lhbt
and then writes the key under the first few letters of the alphabet.
y The
Th senderd or receiveri ththen fills
fill iin th
the remaining
i i lletters
tt off th
the
alphabet, in some easy-to-remember order, after the keyword.
ABCDEFGHIJKLMNOPQRSTUVWXYZ
wordabcefghijklmnpqstuvxyz
30
y Complexity of Substitution Encryption and Decryption
y An
A iimportant iissue iin using
i any cryptosystem isi the
h time
i iti takes
k to
turn plaintext into ciphertext, and vice versa.
y The
Th timing
ti i isi directly
di tl related
l t d tto the
th complexity
l it off the
th encryption
ti
algorithm.
31
y Cryptanalysis of Substitution Ciphers

y Try
T a guess andd continue
i to workk to substantiate
b i that h guess untilil
you have all the words in place
y Consider
C id the th difficulty
diffi lt off breaking
b ki a substitution
b tit ti cipher.
i h
y By using a brute force attack, the cryptanalyst could try all 26!
permutations of a particular ciphertext message.
message
y Working at one permutation per microsecond, it would still take over a
thousand years to test all 26! possibilities.
32
y Cryptanalysis of Substitution Ciphers (Cont’d)
y We
W can use our knowledge
k l d off language
l to simplify
i lif this
hi problem.
bl
y For example, in English, some letters are used more often than others. The
letters E,
E T,
T O,
O and A occur far more often than J,J Q,
Q X,
X and Z,
Z for example.
example
y When messages are long enough, the frequency distribution analysis
quickly betrays many of the letters of the plaintext.
33
y The Cryptographer's Dilemma

y Cryptanalyst
C l works
k by
b fifinding
di patterns. Short
Sh messages give
i the
h
cryptanalyst little to work with, so short messages are fairly secure
with
ith even simple
i l encryption.
ti
y An encryption algorithm must be regular for it to be algorithmic and
f cryptographers
for t h to t be
b ablebl to
t remember
b it.
it Unfortunately,
U f t t l th the
regularity gives clues to the cryptanalyst.
34
y One-Time Pads
y A one-time
i padd isi sometimes
i considered
id d theh perfect
f cipher.
i h
y The sender would write the keys one at a time above the letters of
the plaintext
th l i t t andd encipher
i h the
th plaintext
l i t t with
ith a prearrangedd chart
h t
(called a Vigenère tableau). The sender would then destroy the
usedd keys.
k
y The receiver needs a pad identical to that of the sender
y The
Th one-time
ti padd method
th d hhas ttwo problems:
bl
y the need for absolute synchronization between sender and receiver
y the need for an unlimited number of keys.
keys
35
y The Vernam Cipher

y The
Th Vernam
V cipher
i h isi a type off one-time
i padd devised
d i d byb Gilbert
Gilb
Vernam for AT&T.
y The
Th bbasici encryption
ti involves
i l an arbitrarily
bit il llong nonrepeating ti
sequence of numbers that are combined with the plaintext.
y As
A long
l as th the key
k ttape ddoes nott repeatt or iis nott reused,
d thi
this ttype
of cipher is immune to cryptanalytic attack
36
Figure 2-3 Vernam Cipher.
37
y A simple Vernam encryption
38
y Book Ciphers
y Another
A h source off supposedly
dl ""random"
d " numbers
b iis any book,
b k piece
i
of music, or other object of which the structure can be analyzed.
y Both
B th the
th sender
d andd receiver
i needd access to t identical
id ti l objects.
bj t
y As an example of a book cipher, you might select a passage from
D
Descarte's
t ' meditation:
dit ti I am, I exist,
i t th
thatt isi certain.
ti
y To encipher the message MACHINES CANNOT THINK by using the
D
Descartes
t keyk
iamie xistt hatis cert
MACHI NESCA NNOTT HINK
39
Table 2-1. Vigenère Tableau.

40
y If we use the substitution table shown as Table 2-1, this message would
b encryptedd as
be
uaopm kmkvt unhbl jmed
because row M column i is u,

u row A column a is a,
a and so on.
on
41
y It would seem as though this cipher, too, would be impossible to break.

UUnfortunately,
f l that
h isi not true. The
Th flaw
fl lilies iin the
h fact
f that
h neither
i h the
h
message nor the key text is evenly distributed; in fact, the distributions
off both
b th cluster
l t aroundd hihigh-frequency
hf letters
l tt
Ciphertext u a o p m k m k v t u n h b l j m e d
Possible ? A A ? E ? E ? ? A ? A O N ? ? E A ?
plaintexts O I I T N T T I E
T T T
42
p
2.3. Transpositions (Permutations)
y A transposition is an encryption in which the letters of the message are
rearranged.
d
y With transposition, the cryptography aims for diffusion, widely
spreading
di ththe iinformation
f ti from
f th the message or ththe kkey across th
the
ciphertext.
y Transpositions
T iti ttry tto bbreakk established
t bli h d patterns.
tt
y Because a transposition is a rearrangement of the symbols of a
message, it isi also
l kknown as a permutation.
t ti
43
y Columnar Transpositions
y he
h columnar
l transposition
i i isi a rearrangement off the
h characters
h off
the plaintext into columns.
44
y Columnar Transpositions (Con’td)
y For
F iinstance, suppose you want to write
i the
h plaintext
li message THIS
IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION
WORKS We
WORKS. W arrange the
th lletters
tt iin fifive columns
l as
T H I S I
S A M E S
S A G E T The resulting ciphertext would then be
O
H
S
O
H
W
O
A
W
C
read down the columns as
O L U M N
tssoh
t h oaniw
i hhaaso l
lrsto
t
A R T R A imghw utpir seeoa mrook
N S P O S istwc nasns
I T I O N
W O R K S
45
y Combinations of Approaches
y Substitution
S b i i andd transposition
i i can bbe considered
id d as bbuilding
ildi blblocks
k
for encryption.
y Other
Oth ttechniqueshi can be
b bbasedd on eachh off th
them, both
b th off them,
th or a
combination with yet another approach.
y A combination
bi ti off ttwo ciphers i h iis called
ll d a product
d t cipher.
i h
y Product ciphers are typically performed one after another, as
i E2(E1(P,k
in (P k1),) k2).)
y Just because you apply two ciphers does not necessarily mean the
resultlt isi any stronger
t th
than, or even as strong
t as, either
ith iindividual
di id l
cipher. 46
2.4. Makingg "Good" Encryption
yp Algorithms
g
y What Makes a "Secure" Encryption Algorithm?
y Shannon's
Sh ' Characteristics
Ch i i off "G
"Good"d" Ci
Ciphers
h
1. The amount of secrecy needed should determine the amount of labor
appropriate for the encryption and decryption.
decryption
2. The set of keys and the enciphering algorithm should be free from
complexity.
3. The implementation of the process should be as simple as possible.
4. Errors in ciphering should not propagate and cause corruption of further
information in the message.
5. The size of the enciphered text should be no larger than the text of the
original message.
message
47
y Properties of "Trustworthy" Encryption Systems

y when
h we say that
h encryption
i isi "commercial
" i l grade,"
d " or "trustworthy,"
" h "
we mean that it meets these constraints:
y It iis bbasedd on soundd mathematics.
th ti
y It has been analyzed by competent experts and found to be sound.
y It has stood the "test off time."
48
y Symmetric and Asymmetric Encryption Systems
y Symmetric
S i algorithms
l ih
y use one key, which works for both encryption and decryption.
y The symmetric systems provide a two-way channel to their users:
y A and B share a secret key, and they can both encrypt information to
send to the other as well as decrypt information from the other.
y As long as the key remains secret, the system also
provides authentication proof that a message received was not
fabricated by someone other than the declared sender.
y symmetric encryption systems require a means of key distribution
49
y Symmetric and Asymmetric Encryption Systems

y Asymmetric
A i algorithms
l ih
y Public key systems excel at key management.
y By the nature of the public key approach,
approach you can send a public key in an e-
mail message or post it in a public directory.
y Only the corresponding private key, which presumably is kept private, can
decrypt what has been encrypted with the public key.
y For all encryption algorithms, key management is a major issue. It
involves storing, safeguarding, and activating keys.
50
y Stream and Block Ciphers
y Stream
S ciphers
i h convert one symbol
b l off plaintext
li iimmediately
di l iinto a
symbol of ciphertext.
y Some
S kikinds
d off errors, suchh as skipping
ki i a character
h t in i th
the key
k during
d i
encryption, affect the encryption of all future characters
51
Figure 2-6 Stream Encryption.
52
y Stream and Block Ciphers
y A block
bl k cipher
i h encrypts a group off plaintext
li symbols
b l as one block.
bl k
53
Figure 2-7
2 7 Block Cipher Systems.
Systems
54
y Confusion and Diffusion
y Confusion
C f i - the
h iinterceptor should
h ld not bbe able
bl to predict
di what
h will
ill
happen to the ciphertext by changing one character in the plaintext.
y Diffusion
Diff i - theth cipher
i h should
h ld also
l spreadd the
th information
if ti from
f theth
plaintext over the entire ciphertext so that changes in the plaintext
affect
ff t many partst off th
the ciphertext.
i h t t
55
y Cryptanalysis Breaking Encryption Schemes

y Four
F possible
ibl situations
i i confront
f the
h cryptanalyst,
l depending
d di on
what information is available:
y ciphertext
ih t t
y full plaintext
y ppartial plaintext
p
y algorithm
56
y Cryptanalysis Breaking Encryption Schemes (Cont’d)
y Ciphertext
Ci h O
Only
l - the
h ddecryption
i had
h d to be
b based
b d on probabilities,
b bili i
distributions, and characteristics of the available ciphertext, plus
publicly
bli l available
il bl kknowledge.
ld
y Full or Partial Plaintext
y The analyst
Th l t may be
b fortunate
f t t enoughh tto hhave a sample l message andd itits
decipherment
y The interceptor
p has both C and P and needs onlyy to deduce the E for
which C = E(P) to find D
y In this case the analyst is attempting to find E(or D) by using a known
plaintext attack.
57

y Full
F ll or Partial
P i l Plaintext
Pl i (Cont’d)
(C ’d)
y The analyst may have additional information - for example, the analyst may
know that the message was intercepted from a diplomatic exchange
between Germany and Austria. From that information, the analyst may guess
that the words Bonn, Vienna, and Chancellor appear in the message.
y The analyst can use what is called a probable plaintext analysis
y After cryptanalysis has provided possible partial decipherments, a probable
plaintext attack may permit a cryptanalyst to fill in some blanks.
58
y Ciphertext
Ci h off AAny Pl
Plaintext
i
y A chosen plaintext attack - The analyst may have infiltrated the sender's
transmission process so as to be able to cause messages to be encrypted
and sent at will.
y Algorithm
g and Ciphertext
p
y A chosen ciphertext attack - The analyst can run the algorithm on massive
amounts of plaintext to find one plaintext message that encrypts as the
ciphertext.
59

y Ciphertext
Ci h andd Pl
Plaintext
i
y The cryptanalyst may be lucky enough to have some pairs of plaintext and
matching ciphertext.
ciphertext
y Then, the game is to deduce the key by which those pairs were encrypted
so that the same key can be used in cases in which the analyst has only the
ciphertext
60
y Weaknesses
W k
y A cryptanalyst works against humans, who can be hurried, lazy, careless,
naïve or uninformed
naïve, uninformed.
61
y
Symmetric yp
Encryption
y Confusion is the act of creating ciphertext so that its corresponding
plaintext
li iis not apparent. Substitution
S b i i isi the h basic
b i tooll for
f confusion
f i
y Diffusion is the act of spreading the effect of a change in the plaintext
th h t the
throughout th resulting
lti ciphertext.
i h t t
62
y Substitution is sometimes represented by so-called S-boxes, which are
nothing
hi other
h than
h table-driven
bl d i substitutions.
b i i
y Diffusion can be accomplished by permutations, or "P-boxes."
y Strong
St cryptosystems
t t may use severall iterations
it ti off a substitute-
b tit t
permute cycle.
63
Substitutions and Permutations.

64
y Problems of Symmetric Key Systems
1. AAs with
i h allll kkey systems, if the
h key
k isi revealed
l d (stolen,
( l guessed, d
bought, or otherwise compromised), the interceptors can
i
immediately
di t l ddecryptt allll th
the encrypted
t d iinformation
f ti ththey hhave
available. Furthermore, an impostor using an intercepted key can
produce
d bogusb messages under
d the
th guise
i off a llegitimate
iti t sender.d
For this reason, in secure encryption systems, the keys are
changed
h d ffairly i l ffrequently
tl so that
th t a compromisedi d kkey will
ill reveall
only a limited amount of information.
65
y Problems of Symmetric Key Systems (Cont’d)

2. Distribution
Di ib i off kkeys becomes
b a problem.
bl Keys K must bbe
transmitted with utmost security since they allow access to all
if
information
ti encrypted t d under
d th them. FFor applications
li ti that
th t extend
t d
throughout the world, this can be a complex task. Often, couriers
are usedd tto distribute
di t ib t th
the kkeys securely
l bby hhand.
d AAnother
th
approach is to distribute the keys in pieces under separate
channels
h l so that th t any one discovery
di will
ill nott produce
d a ffullll kkey.
66
Key Distribution in Pieces.
67
y Problems of Symmetric Key Systems (Cont’d)

3. the
h number b off kkeys iincreases with
i h the
h square off the
h numberb off
people exchanging secret information. This problem is usually
contained
t i d bby hhaving
i only l a ffew peoplel exchange
h secrets
t di
directly
tl
so that the network of interchanges is relatively small. If people in
separatet networks
t k needd tto exchangeh secrets,
t ththey can do
d so
through a central "clearing house" or "forwarding office" that
acceptst secrets
t from
f one person, decrypts
d t them,
th reencrypts t them
th
using another person's secret key, and transmits them.
68
Distribution Center for Encrypted Information
69
yp Standard
2.5. The Data Encryption
y Background and History
y In
I the
h early
l 1970
1970s, the
h UU.S.
S National
N i l Bureau
B off Standards
S d d (NBS)
recognized that the general public needed a secure encryption
t h i ffor protecting
technique t ti sensitive
iti iinformation
f ti
y Based on IBM Lucifer algorithm
y The
Th DES was officially
ffi i ll adopted
d t d as a UU.S.
S ffederal
d l standard
t d d iin
November 1976, authorized by NBS for use on all public and private
sector
t unclassified
l ifi d communication
i ti
70
y Overview of the DES Algorithm
y A careful
f l andd complex
l combination
bi i off two ffundamental
d l bbuilding
ildi
blocks of encryption: substitution and transposition
y The
Th algorithm
l ith dderives
i itits strength
t th from
f repeated
t d application
li ti off
these two techniques, one on top of the other, for a total of 16
cycles.
l
71
y Overview of the DES Algorithm (Cont’d)

y The
Th algorithm
l i h bbegins
i bby encrypting
i the
h plaintext
li as bl
blocks
k off 64
bits.
y The
Th keyk iis 64 bit
bits llong, bbutt iin ffactt it can bbe any 56
56-bit
bit number.
b (The
(Th
extra 8 bits are often used as check digits and do not affect
encryption
ti iin normall implementations.)
i l t ti )
72
Figure 2-8 Cycles of Substitution and Permutation.
73
• The basis of the DES is two different

ciphers, applied alternately
• a structure called a product cipher.
74
y Details of the Encryption Algorithm
y After
Af iinitialization,
i i li i theh DES algorithm
l i h operates on blocks
bl k off ddata.
y It splits a data block in half, scrambles each half independently,
combines
bi theth key
k with
ith one hhalf,
lf andd swaps th
the ttwo hhalves.
l
y This process is repeated 16 times.
y It is
i an iterative
it ti algorithm
l ith using i just
j t table
t bl llookups
k andd simplei l bit
operations.
75
y Details of the Encryption Algorithm (Cont’d)

y Input
I to the
h DES isi divided
di id d iinto blocks
bl k off 64 bibits.
y The 64 data bits are permuted by a so-called initial permutation.
y The
Th data
d t bits
bit are ttransformed
f d bby a 64
64-bit
bit key
k (of
( f which
hi h only
l 56 bits
bit
are used).
y The
Th key
k isi reduced
d d ffrom 64 bit bits tto 56 bit
bits bby ddropping
i bit
bits 88, 16
16, 24,
24
… 64 (where the most significant bit is named bit "1").
y These
Th bitsbit are assumedd tto bbe parity
it bit
bits th
thatt carry no iinformation
f ti iin
the key.
76
y Next
N begins
b i the
h sequence off operations
i kknown as a cycle. l
y The 64 permuted data bits are broken into a left half and a right
hhalflf off 32 bits
bit each.
h
y The key is shifted left by a number of bits and permuted.
y The
Th key k iis combined
bi d with
ith th
the right
i ht hhalf,
lf which
hi h iis th
then combined
bi d
with the left half.
77

y The
Th resultl off these
h combinations
bi i bbecomes the
h new right
i h hhalf;
lf the
h
old right half becomes the new left half.
y This
Thi sequence off activities,
ti iti which hi h constitutes
tit t a cycle.l
y The cycles are repeated 16 times.
y After
Aft th the llastt cycle
l iis a fifinall permutation,
t ti which
hi h iis th
the iinverse off th
the
initial permutation.
78
A Cycle in the DES.
79

y For
F a 32
32-bit
bi right
i h hhalflf to bbe combined
bi d with
i h a 64
64-bit
bi kkey, two changes
h
are needed. First, the algorithm expands the 32-bit half to 48 bits by
repeating
ti certain
t i bit
bits, while
hil reducing
d i th the 56
56-bit
bit key
k tot 48 bits
bit by
b
choosing only certain bits.
80
y Details of Each Cycle of the Algorithm
y Each
E h cycle l off the
h algorithm
l i h isi really
ll ffour separate operations.
i
y First, a right half is expanded from 32 bits to 48.
y Then,
Th it isi combinedbi d with
ith a fform off th
the kkey.
y The result of this operation is then substituted for another result
andd condensed
d d to t 32 bits
bit att th
the same titime.
y The 32 bits are permuted and then combined with the left half to
yield
i ld a new right
i ht half
h lf
81
82
y Expansion Permutation
y Each
E h right
i h hhalflf isi expanded
d d ffrom 32 to 48 bi
bits bby means off the
h
expansion permutation.
y The
Th expansion i permutes
t ththe order
d off th
the bit
bits andd also
l repeats
t
certain bits.
y The
Th expansion i has
h two
t purposes:
y To make the intermediate halves of the ciphertext comparable in
size
i to
t ththe key
k
y To provide a longer result that can later be compressed.
83
Bit 1 2 3 4 5 6 7 8
Moves to
2,48 3 4 5,7 6,8 9 10 11,13
Position
Bit 9 10 11 12 13 14 15 16
Moves to
12,14 15 16 17,19 18,20 21 22 23,25
Position
Bit 17 18 19 20 21 22 23 24
Moves to
24,26 27 28 29,31 30,32 33 34 35,37
Position
Bit 25 26 27 28 29 30 31 32
Moves to
36,38 39 40
0 41,43
, 3 42,44
, 45
5 46
6 47,1
,
P iti
Position
84
Pattern of Expansion Permutation
85
y Key Transformation
y The
Th 64
64-bit
bi key
k immediately
i di l becomes
b a 56
56-bit
bi key
k by
b deletion
d l i off
every eighth bit.
y At eachh step
t iin th
the cycle,
l the
th kkey iis split
lit iinto
t ttwo 28
28-bit
bit hhalves,
l th the
halves are shifted left by a specified number of digits, the halves are
th pasted
then t d together
t th again, i andd 48 off these
th 56 bits bit are permutedt d tto
use as a key during this cycle.
86
y Key Transformation (Cont’d)
y Next,
N the h key
k for
f the
h cycle
l isi combined
bi d by
b an exclusive
l i OR function
f i
with the expanded right half.
y That
Th t resultlt moves iinto
t the
th SS-boxes
b we are about
b t tto ddescribe.
ib
y At each cycle, the halves of the key are independently shifted left
circularly
i l l by b a specified
ifi d number
b off bit positions.
iti
87
Cycle Number Bits Shifted

1 1
2 1
3 2
4 2
5 2
6 2
7 2
8 2
9 1
10 2
11 2
12 2
13 2
14 2
15 2
16 1
88
y Key Transformation (Cont’d)
y After
Af bbeing
i shifted,
hif d 48 off the
h 56 bi
bits are extractedd ffor the
h exclusive
l i
OR combination with the expanded right half
89
y S-Boxes
y Substitutions
S b i i are performed
f d by
b eight
i h S-boxes.
Sb
y An S-box is a permuted choice function by which six bits of data are
replaced
l d bby ffour bit
bits.
y The 48-bit input is divided into eight 6-bit blocks, identified
as B1B2... B8; blockB
bl kBj isi operated
t d on bby SS-box
b Sj.
90
91
y P-Boxes
y After
Af an SS-box
b substitution,
b i i allll 32 bits
bi off a resultl are permutedd by
b a
straight permutation, P.
Bit Goes to Position

18
1-8 9 17 23 31 13 28 2 18
9-16 24 16 30 6 26 20 10 1
17-24 8 14 25 3 4 29 11 19
25-32 32 12 22 7 5 27 15 21
92
y Initial permutation
1-8 40 8 48 16 56 24 64 32
9-16 39 7 47 15 55 23 63 31
17-24 38 6 46 14 54 22 62 30
25-32
25 32 37 5 45 13 53 21 61 29
33-40 36 4 44 12 52 20 60 28
41-48 35 3 43 11 51 19 59 27
49 56
49-56 34 2 42 10 50 18 58 26
57-64 33 1 41 9 49 17 57 25
93
y Final permutation (or inverse initial permutation)

1-8 58 50 42 34 26 18 10 2
9-16 60 52 44 36 28 20 12 4
17-24 62 54 46 38 30 22 14 6
25-32
25 32 64 56 48 40 32 24 16 8
33-40 57 49 41 33 25 17 9 1
41-48 59 51 43 35 27 19 11 3
49 56
49-56 61 53 45 37 29 21 13 5
57-64 63 55 47 39 31 23 15 7
94
y Decryption of the DES
y The
Th same DES algorithm
l i h iis usedd bbothh ffor encryption
i andd
decryption.
y The
Th only l change
h isi th
thatt the
th keys
k mustt be
b ttaken
k iin reverse order
d
(k16, k15, ..., k1) for decryption.
95
y Questions About the Security of the DES

y Design
D i off the h AlAlgorithm
ih
y Initially, there was concern with the basic algorithm itself.
y During development of the algorithm,
algorithm the National Security Agency (NSA)
indicated that key elements of the algorithm design were "sensitive" and
would not be made public.
y These elements include the rationale behind transformations by the S-
boxes, the P-boxes, and the key changes.
y There are many possibilities for the S-box substitutions, but one particular
set was chosen for the DES.
96
y Questions About the Security of the DES (Cont’d)
y Design
D i off the h Al Algorithm
i h (C (Cont’d)
’d)
y Two issues arose about the design's secrecy.
y The first involved a fear that certain "trapdoors"
trapdoors had been embedded in
the DES algorithm so that a covert, easy means was available to decrypt
any DES-encrypted message. For instance, such trapdoors would give NSA
the ability to inspect private communications.
y The second issue addressed the possibility that a design flaw would be
(or perhaps has been) discovered by a cryptanalyst, this time giving an
interceptor the ability to access private communications.
97

y Design
D i off the h AlAlgorithm
i h (C (Cont’d)
’d)
y The NSA released certain information on the selection of the S-boxes
y No S-box is a linear or affine function of its input; that is
is, the four output
bits cannot be expressed as a system of linear equations of the six input
bits.
y Changing one bit in the input of an S-box results in changing at least two
output bits; that is, the S-boxes diffuse their information well throughout
their outputs.
98
y Design
D i off the h Al Algorithm
i h (C (Cont’d)
’d)
y The NSA released certain information on the selection of the S-boxes
y The S-boxes were chosen to minimize the difference between the
number of 1s and 0s when any single input bit is held constant; that is,
holding a single bit constant as a 0 or 1 and changing the bits around it
should not lead to disproportionately many 0s or 1s in the output.
99

y Number
N b off iterations
i i
y Many analysts wonder whether 16 iterations are sufficient. Since each
iteration diffuses the information of the plaintext throughout the ciphertext,
ciphertext
it is not clear that 16 cycles diffuse the information sufficiently
y Experimentation with both the DES and its IBM predecessor Lucifer was
performed by the NBS and by IBM as part of the certification process of the
DES algorithm. These experiments have shown that 8 iterations are sufficient
to eliminate any observed dependence. Thus, the 16 iterations of the DES
should surely be adequate.
100
y Key
K Length
L h
y The length of the key is the most serious objection raised.
y The key in the original IBM implementation of Lucifer was 128 bits,
bits
whereas the DES key is effectively only 56 bits long.
y The attack strategy is the "brute force" attack
y If someone could test one every 100 milliseconds, the time to test all
keys would be 7.2 * 1015 seconds, or about 228 million years.
y If the test took only one microsecond, then the total time for the
search is (only!) about 2,280 years.
101
y Double and Triple DES

y Double
D bl DES
y The double encryption works in the following way.
y Take two keys,
keys k1 and k2, and perform two encryptions,
encryptions one on top of the
other: E(k2, E(k1,m)).
y Merkle and Hellman [MER81] showed that two encryptions are no better
than one.
y The double encryption only doubles the work for the attacker
102
y Double and Triple DES
y Triple
T i l DES
y C = E(k3, E(k2, E(k1,m))) - that is, you encrypt with one key, decrypt with the
second and encrypt with a third
second, third.
y This process gives a strength equivalent to a 112-bit key (because
the double DES attack defeats the strength of one of the three keys).
y A minor variation of triple DES, which some people also confusingly call
triple DES, is C = E(k1, D(k2,E(k1,m))). This approach is subject to another tricky
attack, so its strength is rated at only about 80 bits.
103
y Security of the DES

y Since
Si iits was fifirst announced,
d DES hhas bbeen controversial
il
y Much of this controversy has appeared in the open literature, but
certain
t i DES features
f t have h neither
ith been
b revealedl d by
b ththe designers
d i
nor inferred by outside analysts
y In
I 1997 researchers
h using i over 3,500
3 500 machines
hi iin parallel
ll l were able
bl
to infer a DES key in four months' work.
y In
I 1998 for
f approximately
i t l $100,000,
$100 000 researchers
h bbuilt
ilt a special
i l "DES
cracker" machine that could find a DES key in approximately four
ddays.
104
yp Algorithm
2.6. The AES Encryption g
y The AES Contest
y In
I January
J 1997,
1997 NIST called
ll d ffor cryptographers
h to ddevelop
l a new
encryption system
y The
Th algorithms
l ith hhadd tto bbe
y unclassified
y publicly disclosed
y available royalty-free for use worldwide
y symmetric block cipher algorithms, for blocks of 128 bits
y usable with key sizes of 128, 192, and 256 bits
105
y The AES Contest (Cont’d)

y In
I August
A 1998
1998, fif
fifteen algorithms
l i h were chosen
h from
f among those
h
submitted
y In
I August
A t 1999 1999, th
the fifield
ld off candidates
did t was narrowedd tto fifive fifinalists.
li t
y The five then underwent extensive public and private scrutiny.
y The
Th fifinall selection
l ti was made d on the
th bbasisi nott only
l off security
it bbutt
also of cost or efficiency of operation and ease of implementation
i software.
in ft
106
y The AES Contest (Cont’d)
y The
Th winning
i i algorithm,
l i h submitted
b i d bby two DDutchh cryptographers,
h was
Rijndael
y The
Th AES was adopted
d t d ffor use bby th
the UU.S.
S governmentt iin DDecember
b
2001 and became Federal Information Processing Standard 197
107
y Overview of Rijndael
y Rijndael
Rij d l isi a ffast algorithm
l i h that
h can bbe iimplemented
l d easily
il on
simple processors.
y Primarily
P i il uses substitution;
b tit ti transposition;
t iti andd the
th shift,
hift exclusive
l i
OR, and addition operations.
y Like
Lik DES
DES, AES uses repeatt cycles
l - there
th are 10 10, 12
12, or 14 cycles
l ffor
keys of 128, 192, and 256 bits, respectively.
y In
I Rijndael,
Rij d l the
th cycles
l are called
ll d ""rounds."
d "
108
y Structure of the AES (Cont’d)
y ItI isi convenient
i to think
hi k off a 128
128-bit
bi block
bl k off AES as a 4 x 4 matrix,
i
called the "state." We present the state here as the
matrix
t i s[0,0]..s[3,3].
[0 0] [3 3]
b0 b4 b8 b12 s0,0
00 s0,1
01 s0,2
02 s0,3
03
b1 b5 b9 b13 s1,0 s1,1 s1,2 s1,3

b2 b6 b10 b14 s2,0 s2,1 s2,2 s2,3
b3 b7 b11 b15 s3,0 s3,1 s3,2 s3,3
109
y Overview of Rijndael (Cont’d)

y Each
E h cycle l consistsi off four
f steps.
y Byte substitution - substituting each byte of a 128-bit block according to a
substitution table.
table This is a straight diffusion operation.
operation
y Shift row: A transposition step.
y For 128- and 192-bit block sizes, row n is shifted left circular (n - 1) bytes;
for 256-bit blocks, row 2 is shifted 1 byte and rows 3 and 4 are shifted 3
and 4 bytes, respectively.
y This is a straight confusion operation.
110
y Overview of Rijndael (Cont’d)
y Each
E h cyclel consistsi off four
f steps.
y Mix column:
y This step involves shifting left and exclusive-ORing bits with themselves.
themselves
y These operations provide both confusion and diffusion.
y Add subkey:
y Here, a portion of the key unique to this cycle is exclusive-ORed with the
cycle result.
y This operation provides confusion and incorporates the key.
111
Figure 2-9 AES Algorithm. 112

y Strength of the Algorithm
y The
Th Rijndael
Rij d l algorithm
l i h iis quite
i new
y However, between its submission as a candidate for AES in 1997 and
itits selection
l ti iin 2001
2001, it underwent
d t extensive
t i cryptanalysis
t l i bby bboth
th
government and independent cryptographers.
y Its
It Dutch
D t h iinventors
t hhave no relationship
l ti hi to t the
th NSA or any other
th
part of the U.S. government, so there is no suspicion that the
governmentt somehow h weakened
k d th the algorithm
l ith or added
dd d a
trapdoor.
113
y Comparison of DES and AES

DES AES
Date 1976 1999

Block size 64 bits 128 bits
Key length 56 bits (effective length) 128, 192, 256 (and possibly more) bits
Encryption primitives Substitution, permutation Substitution, shift, bit mixing

Cryptographic primitives Confusion, diffusion Confusion, diffusion
Design Open Open
Design rationale Closed Open
S l ti process
Selection S
Secret
t S
Secret,
t but
b t accepted
t d open public
bli commentt
Source IBM, enhanced by NSA Independent Dutch cryptographers
114
2.7. Public Keyy Encryption
yp
y In 1976, Diffie and Hellman proposed a new kind of encryption system.
y With
Wi h a public
bli kkey encryption
i system, eachh user hhas a kkey that
h ddoes not
have to be kept secret.
y Although
Alth h counterintuitive,
t i t iti iin ffactt the
th public
bli nature
t off th
the kkey ddoes nott
compromise the secrecy of the system.
y Instead,
I t d theth basis
b i for
f public
bli key
k encryption ti isi to
t allow
ll th
the kkey tto be
b
divulged but to keep the decryption technique secret.
y Public
P bli key
k cryptosystems
t t accomplish li h this
thi goall by
b using
i two
t kkeys: one
to encrypt and the other to decrypt
115
y Motivation
y In
I general,l an n-user system requires
i n * (n
( - 1)/2 keys,
k andd eachh
user must track and remember a key for each other user with which
h or she
he h wants
t tto communicate.
i t
y As the number of users grows, the number of keys increases very
rapidly
idl
116
Figure 2-10 Key Proliferation.
117
y Characteristics
y In
I a public
bli kkey or asymmetric
i encryption
i system, eachh user hhas
two keys: a public key and a private key.
y The
Th user may publish
bli h the
th public
bli kkey ffreely
l bbecause eachh kkey ddoes
only half of the encryption and decryption process.
y The
Th keys
k operate t as inverses,
i meaning
i th thatt one kkey undoes
d th the
encryption provided by the other key.
118
y Characteristics (Cont’d)
y Let
L kPRIV be
b a user's' private
i key,
k andd let
l kPUB be
b the
h corresponding
di
public key. Then, encrypted plaintext using the public key is
d
decrypted
t d by
b application
li ti off the
th private
i t key;
k we write
it th
the
relationship as
P = D(kPRIV, E(kPUB, P))
119
y That
Th is,
i a user can decode
d d with
i h a private
i key
k what
h someone else
l
has encrypted with the corresponding public key. Furthermore, with
some public
bli kkey encryption
ti algorithms,
l ith iincluding
l di RSA
RSA, we hhave thi
this
relationship:
P = D(kPUB, E(kPRIV, P))
120
Secret Key (Symmetric) Public Key (Asymmetric)
Number of keys 1 2
One key must be kept secret; the other

Protection of key Must be kept secret
can be freely exposed
Cryptographic workhorse; secrecy

and integrity of datasingle
Best uses Key exchange, authentication
characters to blocks of data,
messages, files
Public key can be used to distribute other
Key distribution Must be out-of-band
keys
Slow; typically, 10,000 times slower than

Speed Fast
secret key
121
y Rivest Shamir Adelman Encryption

y The
Th algorithm
l i h was iintroduced
d d iin 1978 andd to ddate remainsi secure.
y RSA has been the subject of extensive cryptanalysis, and no serious
flflaws hhave yett been
b ffound.
d
y RSA relies on an area of mathematics known as number theory, in
which
hi h mathematicians
th ti i studyt d properties
ti off numbers
b suchh as th
theiri
prime factors.
122
y Rivest Shamir Adelman Encryption (Cont’d)
y The
Th two kkeys usedd iin RSA
RSA, d andd e, are usedd ffor ddecryption
i andd
encryption.
y They
Th are actually
t ll iinterchangeable:
t h bl
y Either can be chosen as the public key, but one having been chosen,
y the other one must be kept private.
private
y For simplicity, we call the encryption key e and the decryption key d.
y Also, because of the nature of the RSA algorithm, the keys can be applied in
either order:
P = E(D(P)) = D(E(P))
123
y Rivest Shamir Adelman Encryption (Cont’d)

y Any
A plaintext
li blockk P isi encryptedd as Pe modd n.
bl
y Because the exponentiation is performed mod n, factoring Pe to
uncover the
th encryptedt d plaintext
l i t t isi difficult.
diffi lt
y However, the decrypting key d is carefully chosen so that
(Pe)d modd n = PP.
y Thus, the legitimate receiver who knows d simply computes
(Pe)d modd n = P andd recovers P without
ith t having
h i to f t Pe.
t factor
124
y Detailed Description of the Encryption Algorithm
y The
Th RSA algorithm
l i h uses two kkeys, d andd e, which
hi h workk in
i pairs,
i ffor
decryption and encryption, respectively. A plaintext message P is
encrypted
t d tto ciphertext
i h t t C byb
C = Pe mod n
y The
Th plaintext
l i t t iis recoveredd by
b
P = Cd mod n
y Because
B off symmetry
t in
i modular
d l arithmetic,
ith ti encryption ti andd
decryption are mutual inverses and commutative. Therefore,
P = Cd modd n = (Pe)d modd n = (Pd)e modd n
125
y Key Choice
y The
Th encryption
i kkey consists
i off the
h pairi off integers
i (e,
( n),) andd the
h
decryption key is (d, n).
y The
Th starting
t ti point
i t in
i finding
fi di keys
k for f this
thi algorithm
l ith iis selection
l ti off a
value for n.
y The
Th value
l off n should
h ld be b quite
it large,
l a product
d t off two
t
primes p and q.
126
y Key Choice (Cont’d)
y Both
B h p andd q should
h ld beb large
l themselves.
h l
y Typically, p and q are nearly 100 digits each, son is approximately
200 decimal
d i l di digits
it ((about
b t 512 bit
bits)) llong; ddepending
di on th the
application, 768, 1024, or more bits may be more appropriate.
y A large
l value l off n effectively
ff ti l inhibits
i hibit ffactoring
t i n tot infer
i f p andd q.
127
y Key Choice (Cont’d)

y Next,
N a relatively
l i l large
l integer
i e isi chosen
h so that
h e isi relatively
l i l
prime to (p - 1) * (q - 1). (Recall that "relatively prime" means
th t e has
that h no ffactors
t in i common with ith ((p - 1) * (q
( - 1).)
1) )
y An easy way to guarantee that e is relatively prime to (p - 1) * (q - 1)
isi tto choose
h e as a prime
i th thatt iis llarger than
th both
b th (p( - 1) andd ((q - 1).
1)
y Finally, select d such that
e * d = 1 modd (P - 1) * (q ( - 1)
128
y Mathematical Foundations of the RSA Algorithm
y The
Th Euler
E l totient i φ(n)
i ffunction φ( ) is the
h number
b off positive integers
less than n that are relatively prime to n. If p is prime, then
φ(p) = p - 1
y Furthermore, if n = p * q, where p and q are both prime, then
φ(n) = φ(p) * φ(q) = (p - 1) * (q - 1)
129
y Mathematical Foundations of the RSA Algorithm (Cont’d)

y Euler
E l andd FFermat provedd that
h
xφ(n) 1 mod n
f any iinteger
for t x if n andd x are relatively
l ti l prime.
i
130
y Suppose
S we encrypt a plaintext
li message P by
b the
h RSA algorithm
l i h so
that E(P) = Pe. We need to be sure we can recover the message.
y The
Th value
l e isi selected
l t d so th
thatt we can easily
il fifindd itits iinverse d.
d
Because e and d are inverses mod φ(n),
e * d ≡ 1 mod φ(n)
or
e * d = k * φ(n) +1 (*)
f some integer
for i t k.k
131

y Because
B off the
h Euler-Fermat
El F result,
l assuming
i P andd p are relatively
l i l
prime,
p 1 ≡ 1 mod
Pp-1 dp
and, since (p-1) is a factor of φ(n),
φ(n) ≡ 1 mod
pkk*φ(n) dp
y Multiplying by P produces
φ(n)+1 ≡ p mod
pkk*φ(n)+1 dp
132
y The
Th same argument hholds
ld ffor q, so
pk*φ(n)+1 p mod q
y Combining
C bi i theseth last
l t ttwo results
lt with
ith (*) produces
d
(Pe)d = Pe*d = Pk*φ(n)+1 = P mod p = P mod q
so that
th t
(Pe)d ≡ p mod n
y andd e andd d are inverse
i operations.
ti
133
y Example
y Let
L p = 11 andd q = 13,
13
so that n = p * q = 143
andd φ(n)
φ( ) = (p
( - 1) * (q
( - 1) = 10 * 12 = 120
120.
y Next, an integer e is needed,
andd e mustt be
b relatively
l ti l prime
i to t (p
( - 1) * (q
( - 1).
1)
Choose e = 11.
134
y Example (Cont’d)
y The
Th inverse
i off 11 modd 120 isi also
l 1111,
since 11 * 11 = 121 = 1 mod 120.
y Thus,
Th bothb th encryption
ti andd decryption
d ti keys
k are the
th same:
e = d = 11.
(F th
(For the example,
l e = d isi nott a problem,
bl bbutt iin a reall application
li ti
you would want to choose values where e is not equal to d.)
135
y Let
L P beb a "message"
" " to bbe encrypted.
d
y For this example we use P = 7.
The message iis encrypted
Th t d as ffollows:
ll
711 mod 143 = 106, so that E(7) = 106.
136
y This
Thi resultl can bbe computedd fairly
f i l easily
il with
i h the
h use off a common
pocket calculator. 711 = 79 * 72. Then 79 = 40 353 607, but we do
nott have
h to t workk with
ith fifigures th
thatt llarge.
y Because of the reducibility rule, a * b mod n = (a mod n) *
(b modd n)) modd n. Since
Si we will ill reduce
d our fifinall resultlt modd 143
143, we
can reduce any term, such as 79, which is 8 mod 143. Then, 8 *
72 modd 143 = 392 modd 143 = 106 106.
y This answer is correct since D(106) = 10611 mod 143 = 7.
137
y Use of the Algorithm

y The
Th user off the
h RSA algorithm
l i h chooses
h primes
i p andd q, from
f which
hi h
the value n = p * q is obtained.
y Next
N t e isi chosen
h tto be
b relatively
l ti l primei tto (p( - 1) * (q
( - 1);
1) e isi
usually a prime larger than (p - 1) or (q - 1).
y Finally,
Fi ll d isi computedt d as th
the iinverse off e modd (φ(n)).
(φ( ))
138
y Use of the Algorithm (Cont’d)
y The
Th user ddistributes
b e andd n andd keeps
k d secret; p, q, andd φ(n)
φ( ) may
be discarded (but not revealed) at this point.
y Notice
N ti that
th t even ththoughh n isi known
k to
t be
b the
th product
d t off two
t
primes, if they are relatively large (such as 100 digits long), it will not
b ffeasible
be ibl to
t determine
d t i the th primes
i p andd q or the
th private
i t
key d from e.
y Therefore,
Th f thi this scheme
h provides
id adequate
d t security
it for
f d. d
139
y Cryptanalysis of the RSA Method

y The
Th RSA method
h d hhas bbeen scrutinized
i i d iintensely
l bby professionals
f i l in i
computer security and cryptanalysis.
y Several
S l minor
i problems
bl have
h been
b identified
id tifi d with
ith itit, but
b t there
th hhave
been no serious flaws.
140
yp
2.8. The Uses of Encryption
y Four applications of encryption:
1. cryptographic
hi hhashh functions
f i
2. key exchange
3. di it l signatures
digital i t
4. certificates.
141
y Cryptographic Hash Functions

y One
O technique
h i ffor providing
idi the
h seall iis to compute a cryptographic
hi
function, sometimes called a hash or checksum or message
di t off th
digest the fil
file
142
y Cryptographic Hash Functions
y The
Th hhashh ffunction
i hhas special i l characteristics.
h i i
y For instance, some encryptions depend on a function that is easy to
understand but difficult to compute.
compute
y For a simple example, consider the cube function, y = x3. It is relatively easy
to compute x3 by hand, with pencil and paper, or with a calculator. But the
inverse function, is much more difficult to compute.
y Functions like these, which are much easier to compute than their inverses,
are called one-way functions.
y Any change to even a single bit will alter the checksum result
143
y Cryptographic Hash Functions (Cont’d)

y A cryptographic
hi ffunction,
i suchh as the
h DES or AES,
AES isi especially
i ll
appropriate for sealing values, since an outsider will not know the
k andd th
key thus will
ill nott be
b able
bl tto modify
dif th
the stored
t d valuel tto match
th
with data being modified.
y In
I block
bl k encryption
ti schemes,
h chaining
h i i means lilinking
ki eachh block
bl k tto
the previous block's value
144
y Cryptographic Hash Functions (Cont’d)
y The
Th most widely
id l usedd cryptographic
hi hhashh ffunctions
i are MD4,
MD4
MD5 (where MD stands for Message Digest), and SHA/SHS (Secure
H h Al
Hash Algorithm
ith or StStandard).
d d)
y The MD4/5 algorithms were invented by Ron Rivest and RSA
L b t i MD5 iis an iimprovedd version
Laboratories. i off MD4
MD4. BBoth
th condense
d a
message of any size to a 128-bit digest.
y SHA/SHS iis similar
i il tto bboth
th MD4 andd MD5;
MD5 it produces
d a 160
160-bit
bit
digest
145
y Key Exchange
y The
Th problem
bl off two previously
i l unknown
k parties
i exchanging
h i
cryptographic keys is both hard and important. Indeed, the problem
isi almost
l t circular:
i l
TTo establish
t bli h an encrypted
t d session,
i you needd an encrypted
t d means
to exchange keys.
146
y Key Exchange (Cont’d)
y Let
L S sendd E ( kPUB-R , K ) to R.
R
Then, only R can decrypt K.
U f t t l R has
Unfortunately, h no assurance th
thatt K came from
f S. S
y E (kPUB-R , E (kPRIV-S, K) )
147
S’s Public Key
R’s Private Key
Figure 22-11
11 The Idea Behind Key Exchange.
Exchange
148
y Digital Signatures
y A digital
di i l signature
i isi a protocoll that
h produces
d the
h same effect
ff as a
real signature:
y It isi a markk th
thatt only
l th
the sender
d can make,
k bbutt other
th people
l can easily
il
recognize as belonging to the sender.
y Just like a real signature
signature, a digital signature is used to confirm
agreement to a message.
149
y Digital Signatures (Cont’d)

y Properties
P i
y It must be unforgeable.
y If person P signs message M with signature S(P,M),
S(P M) it is impossible for
anyone else to produce the pair [M, S(P,M)].
y It must be authentic.
y If a person R receives the pair [M, S(P,M)] purportedly from P, R can check
that the signature is really from P.
y Only P could have created this signature, and the signature is firmly
attached to M.
150
y Digital Signatures (Cont’d)
y Two
T more properties
i are desirable
d i bl forf transactions
i completed
l d with
ih
the aid of digital signatures:
y It isi nott alterable.
lt bl After
Aft bbeing
i ttransmitted,
itt d M cannott be
b changed
h d by b S,
S R, R or
an interceptor.
y It is not reusable. A pprevious message
g presented
p again
g will be instantlyy
detected by R.
151
Figure 2-12 Requirements for a Digital Signature.

152
y Public Key Protocol
y Public
P bli key
k encryption
i systems are ideally
id ll suited
i d to di
digital
i l signatures.
i
y For simple notation, let us assume that the public key encryption
ffor user U isi accessedd th
throughh E(M,
E(M KU) andd th
thatt the
th private
i t kkey
transformation for U is written as D(M,KU).
y We
W can think
thi k off E as the
th privacy
i t f
transformation
ti (since
( i only l U can
decrypt it) and D as the authenticity transformation (since
only
l U can produce
d it) it).
153
y Public Key Protocol (Cont’d)

y Some
S asymmetrici algorithms
l i h suchh as RSA
RSA, D andd E are commutative,
i
and either one can be applied to any message. Thus,
D(E(M )), ) = M = E(D(M,
D(E(M, E(D(M )), )
154
y If S wishes
i h to sendd M to R,
R S uses the
h authenticity
h i i transformation
f i to
produce D(M, KS).
y S then
th sends d D(M,
D(M KS) to
t R.
R R decodes
d d th the message with
ith th
the public
bli
key transformation of S, computing E(D(M,KS), KS) = M.
y Since
Si only l S can createt a message th
thatt makes
k sense underd E(,K
E( KS),)
the message must genuinely have come from S.
y This
Thi ttestt satisfies
ti fi the
th authenticity
th ti it requirement.
i t
155

y R will
ill save D(M,K
D(M KS).)
y If S should later allege that the message is a forgery (not really
ffrom S),
S) R can simply
i l show
h M andd D(M,K
D(M KS).)
y Anyone can verify that since D(M,KS) is transformed to M with the
public
bli key
k transformation
t f ti off S but
b t only
l S could
ld have
h
produced D(M,KS) then D(M,KS) must be from S.
y This
Thi ttestt satisfies
ti fi the
th unforgeable
f bl requirement.
i t
156
Figure 2-13 Use of Two Keys in Asymmetric Digital Signature.
157
y Certificates
y For
F electronic
l i communication
i i to succeed,
d we must ddevelop
l ways
for two parties to establish trust without having met
y The
Th conceptt off ""vouching
hi for"
f " by
b a thi
thirdd party
t can bbe a bbasisi ffor
trust in commercial settings where two parties do not know each
other.
th
158
y Certificates (Cont’d)
y Trust
T Th Throughh a CCommon Respected R d Individual
I di id l
y The chain of verification might be something like this:
y Ann asks Bill who Andrew is. is
y Bill either asks Betty if he knows her directly or if not, asks Camilla.
y Camilla asks Betty.
y Betty replies that Andrew works for her.
y Camilla tells Bill.
y Bill tells Ann.
159
y Trust
T Th Throughh a CCommon RRespectedd IIndividual di id l (C (Cont’d)’d)
y We can use a similar process for cryptographic key exchange
y If Andrew and Ann want to communicate,
communicate Andrew can give his public key to
Betty, who passes it to Camilla or directly to Bill, who gives it to Ann
y This protocol is a way of obtaining authenticated public keys, a binding of a
key, and a reliable identity.
160
Figure 2-15
2 15 Andrew Passes a Key to Ann.
Ann
161
y Certificates
C ifi to AAuthenticate
h i an Id
Identity
i
y A public key and user's identity are bound together in a certificate, which is
then signed by someone called a certificate authority,
authority certifying the
accuracy of the binding.
162
Figure 2-17 Signed Certificates.
163
Figure 2-18 Chain of Certificates.

164
y Trust
T Without
Wi h a Si Single
l HiHierarchy
h
y it is not necessary to have such a structure or to follow it to use certificate
signing for authentication.
authentication
y Anyone who is considered acceptable as an authority can sign a certificate.
y
165
2.9. Summaryy of Encryption

yp
y The basic processes of encryption and cryptanalysis
y Introduce
I d the h two basic
b i methods
h d off encipherment
i h substitution
b i i andd
transposition or permutation as well as techniques of cryptanalysis
y “Real"
“R l" cryptosystems:
t t DES,
DES AES,
AES andd RSA
y Several very important and widely used applications of cryptography:
h h functions,
hash f ti key k exchange
h protocols,
t l digital
di it l signatures,
i t andd
certificates
166

Elementary Encryption Explained

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Elementary Encryption Explained

Uploaded by

Copyright:

Available Formats

Chapter

y O might try to access the message in any of the following ways:

Figure 2-1 Encryption.

y Encryption Algorithms (Cont’d)

y Encryption Algorithms (Cont’d)

y Breakable Encryption (Cont’d)

y Breakable Encryption (Cont’d)

y The Caesar Cipher (Cont’d)

y Cryptanalysis of the Caesar Cipher

wklv phvvdjh lv qrw wrr kdug wr euhdn

The message has actually been enciphered with a 27-symbol

y One way to scramble an alphabet is to use a key, a word that controls

y Cryptanalysis of Substitution Ciphers

y The Cryptographer's Dilemma

y The Vernam Cipher

y A simple Vernam encryption

Table 2-1. Vigenère Tableau.

uaopm kmkvt unhbl jmed

because row M column i is u,

y It would seem as though this cipher, too, would be impossible to break.

y Properties of "Trustworthy" Encryption Systems

y Symmetric and Asymmetric Encryption Systems

Figure 2-6 Stream Encryption.

y Cryptanalysis Breaking Encryption Schemes

y Cryptanalysis Breaking Encryption Schemes (Cont’d)

y Cryptanalysis Breaking Encryption Schemes (Cont’d)

Substitutions and Permutations.

y Problems of Symmetric Key Systems (Cont’d)

y Problems of Symmetric Key Systems (Cont’d)

y Overview of the DES Algorithm (Cont’d)

• The basis of the DES is two different

y Details of the Encryption Algorithm (Cont’d)

y Details of the Encryption Algorithm (Cont’d)

y Details of the Encryption Algorithm (Cont’d)

Cycle Number Bits Shifted

Bit Goes to Position

y Final permutation (or inverse initial permutation)

Bit Goes to Position

y Questions About the Security of the DES

y Questions About the Security of the DES (Cont’d)

y Questions About the Security of the DES (Cont’d)

y Double and Triple DES

y Security of the DES

y The AES Contest (Cont’d)

b1 b5 b9 b13 s1,0 s1,1 s1,2 s1,3

y Overview of Rijndael (Cont’d)

Figure 2-9 AES Algorithm. 112

y Comparison of DES and AES

Date 1976 1999

Encryption primitives Substitution, permutation Substitution, shift, bit mixing

One key must be kept secret; the other

Cryptographic workhorse; secrecy

Slow; typically, 10,000 times slower than

y Rivest Shamir Adelman Encryption

y Rivest Shamir Adelman Encryption (Cont’d)

y Key Choice (Cont’d)

y Furthermore, if n = p * q, where p and q are both prime, then

φ(n) = φ(p) * φ(q) = (p - 1) * (q - 1)

y Mathematical Foundations of the RSA Algorithm (Cont’d)

y Mathematical Foundations of the RSA Algorithm (Cont’d)

y Use of the Algorithm

y Cryptanalysis of the RSA Method

y Cryptographic Hash Functions