Computer Security:

Principles and Practice

Chapter 2 – Cryptographic Tools
First Edition
by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown / Modified by Dr.
Qussai Yaseen, J.U.S.T university, Jordan
Cryptographic Tools

• cryptographic algorithms important element in security

services
• review various types of elements
• symmetric encryption
• public-key (asymmetric) encryption
• digital signatures and key management
• secure hash functions
• example is use to encrypt stored data
Introduction -
Caesar Cipher
 What is a Caesar Cipher?
• Caesar used to encrypt his messages using a very simple
algorithm, which could be easily decrypted if you know the key.
• He would take each letter of the alphabet and replace it with a
letter a certain distance away from that letter. When he got to
the end, he would wrap back around to the beginning.
• Example with a shift of 3:

A B C D E F G H I J K L MN O P Q R S T U V WX Y Z
D E F G H I J K L MN O P Q R S T U V WX Y Z A B C
 How Is That Helpful?
• When using a Caesar cipher, you assign each letter to an
index starting from 0.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• You would then compute the following.

(plain letter index + key) mod (total number of letters)

• This will give you the index of the encrypted letter!

• As you can see, the modulus is the total number of
letters in the alphabet. For English, this modulus is 26.
A Simple Example
• Let’s say we have a 5 letter alphabet with only the letters A-E
• First, we assign each letter an index, starting from 0.
A B C D E
0 1 2 3 4

• We then have to choose a key. For this example, we’ll use 2.

• Let’s try encoding the word BEAD using the formula for the
previous slide.
• The index of the letter B is 1. The key is 2. The modulus is 5,
since the alphabet is 5 letters.
• Let’s use the algorithm: (1+2) = 3. 3 mod 5 = 3. The index of
D is 3, so B would become the letter D.
• Using algorithm on each letter, can you encode the full word?
DBCA
Why Does Modding Work?
• The mod accounts for wrapping back around once you
reach the end of the alphabet.

A B C D E
0 1 2 3 4

• When converting the letter E using the key 2, you first

add 4 + 2, which gives you 6. As you can see, the index 6
is beyond the scope of this alphabet. When you do 6
mod 5, you get the remainder of 1, which is how much
you need to go back and count from the beginning of the
alphabet.
What About Decoding?
• To decode, you do the following:

(cipher letter index – key + total number of letters) mod (total number of
letters)

• Does anyone know why we can’t just do:

(cipher letter index – key) mod (total number of letters)?

• By adding the total number of letters, you don’t have to end up

taking the mod of a negative number.

• See if you can decode DBCA to get back to the word

BEAD.
 How Would You Program
This?
• It’s unbelievably simple!
• The mod function is one of the most basic components of a lot of
programming languages. That means all we have to deal with is indexing
the letters. The solution lies in ASCII.
Wait, What’s ASCII?
• Computers have to represent everything as numbers,
including things as basic as text.
• ASCII is the standard character encoding scheme,
where each symbol is assigned a number.
• These symbols range from upper and lower case letters
to numbers to things like punctuation and arrows.
There are many tables online that allow you to look up
the number associated with each symbol.
The ASCII Table
Using ASCII for Caesar’s
Cipher
• You probably noticed that the letter A is associated with the
number 65, B with 66, C with 67, and so on.
• Most programming languages have a function that can take a
letter and find out it’s ASCII value.
• What would you need to do to make the ASCII encoded letters
usable for Caesar’s Cipher?
• Subtract 65 from each letter!
• Since it’s really simple to code for a computer to use mod and
assign the correct index for each letter, you can probably see
how programming a simple encoder/decoder would be a
cinch!
The Problem with Caesar’s
Cipher
• It’s too easy to break! Let’s go back to our five letter alphabet.
• Say you had the word DBCA, but didn’t know the key. It would be
easy to make a list of all possible keys. If you expected the
unencrypted text to be in English, you could easily figure out which
word was right:

Shift of 1 CABE
Shift of 2 BEAD  The clear winner!
Shift of 3 ADEC
Shift of 4 ECDB

• If you were using the full English alphabet, this would take longer,
but for someone trying to find our your secret, it’s a small price to
pay!
Photo Encryption- Colors
• We can apply what we’ve learned about encryption to pictures too!
• As you may have noticed when using Photoshop, colors are
determined by concentrations of red, green, and blue. The amount
of each color is represented by a digit between 0 and 255.
• For instance, red would be represented as

(255,0,0)

Red Green Blue

How It Works
• This means that, just like words, we can convert all of our
colors into numbers! This is helpful for encryption.
• For instance, let’s say that one pixel of your image has a color
value of (253,244,3). It looks like this:
How It Works
• We want to send this color to someone else safely- do you
have any idea how we can do this?
• We can use a secret code, just like before!
• Like the alphabet, we can shift our color values.
• In this case, we are going to add another color’s value to our
original value.
Adding Them Up

+ =

+ =
Notice that adding two color values together is not the same as mixing
two colors (like you would when painting).
Adding Them Up- Mods
• What if we add two color values together and their sum is
greater than 255?
• (60,45,300)  Not a color! The computer wouldn’t know what
to do with this information.
• This is where mods come in handy- like the Caesar Cipher, we
have 256 values. This means that after you add two values
together, you need to convert it to mod 256.
• (60,45,300)(60,45,44)
Decoding
• To decode this color, all the recipient needs to do is subtract
the color we added- in this case, we subtract the blue from
the light yellow.

- =
Applications
• We just encoded and decoded one pixel. We can apply this to
an entire picture by adding one image to another.
• Think of it this way- You have a photo that you are sending
and a photo that is your “key.” As long as the other person has
the key, they can subtract it from your encoded photo to get
back the original!
• This isn’t particularly useful in computer science, however,
because there is no way to stop someone from seeing your
photo key and decoding it themselves. They could intercept
this key (just like they could intercept the photo) if you try to
send it to anyone or make it public!
Cryptography
• Cryptography is the study and practice of hiding information.
Caesar’s cipher and photo encryption are just two ways to encrypt
and decrypt information. They are both too weak for real-world
applications.
• There are many methods of cryptography that are much more
foolproof than these two methods!
Symmetric Encryption
Attacking Symmetric Encryption
• cryptanalysis
• rely on nature of the algorithm
• plus some knowledge of plaintext characteristics
• even some sample plaintext-ciphertext pairs
• exploits characteristics of algorithm to deduce specific plaintext or key
• brute-force attack
• try all possible keys on some ciphertext until get an intelligible
translation into plaintext
Cryptanalysis
attacks:
 ciphertext only - least info, hardest
 known plaintext - some plain/cipher pairs
 chosen plaintext - get own plain/cipher pairs
only weak algs fail a ciphertext-only attack
usually design algs to withstand a known-plaintext attack
Computationally Secure Algs
 encryption is computationally secure if:
 cost of breaking cipher exceeds info value
 time required to break cipher exceeds the useful lifetime of the info
 usually very difficult to estimate the amount of effort required to break
 can estimate time/cost of a brute-force attack (see Ch 2)
Feistel
Cipher
Structure
Block Cipher Structure
have a general iterative block cipher structure
 with a sequence of rounds
 with substitutions / permutations controlled by key
parameters and design features:
 block size
 key size
 number of rounds
 subkey generation algorithm
 round function
 also: fast software en/decrypt, ease of analysis
Exhaustive Key Search
Symmetric Encryption Algorithms
Data Encryption Standard (DES)
Triple DES (3DES)
first used in financial applications
uses three keys & three DES executions:

C = E(K3, D(K2, E(K1, P)))

decryption same with keys reversed
use of decryption in second stage gives compatibility with original
DES users
effective 168-bit key length, slow, secure
AES will eventually replace 3DES
Advanced Encryption Standard
(AES)
• needed a better replacement for DES
• NIST called for proposals in 1997
• efficiency, security, HW/SW suitability, 128, 256, 256 keys
• selected Rijndael in Nov 2001
• symmetric block cipher
• uses 128 bit data & 128/192/256 bit keys
• now widely available commercially
Advanced
Encryption
Standard
(AES)
AES Round Structure
Block
verses
Stream
Ciphers
Modes of Operation
block ciphers process data in blocks
 e.g. 64-bits (DES, 3DES) or 128-bits (AES)
for longer messages must break up
 and possibly pad end to blocksize multiple
have 5 five modes of operation for this
 modes are:
 Electronic Code Book (ECB) mode
 Cipher Block Chaining (CBC) mode
 Cipher Feedback (CFB) mode
 Output Feedback (OFB)
 Counter (CTR) mode
Electronic Codebook (ECB)
 simplest mode
 split plaintext into blocks
 encrypt each block using the same key
 “codebook” because have unique ciphertext value for each plaintext block
 not secure for long messages since repeated plaintext is seen in repeated
ciphertext
Cipher Block Chaining (CBC)
Message Authentication
• protects against active attacks
• verifies received message is authentic
• contents unaltered
• from authentic source
• timely and in correct sequence
• can use conventional encryption
• only sender & receiver have key needed
• or separate authentication mechanisms
• append authentication tag to cleartext message
Message Authentication Codes
Secure Hash Functions
Message
Auth

S
S
Hash Function Requirements
1. applied to any size data
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x
4. one-way property
• computationally infeasible to find x such that H(x) = h
5. weak collision resistance
• computationally infeasible to find y ≠ x such that H(y) = H(x)
6. strong collision resistance
• computationally infeasible to find any pair (x, y) such that H(x) = H(y)
Hash Functions
• two attack approaches
• cryptanalysis
• exploit logical weakness in alg
• brute-force attack
• trial many inputs
• strength proportional to size of hash code (2n/2)
• SHA most widely used hash algorithm
• SHA-1 gives 160-bit hash
• more recent SHA-256, SHA-384, SHA-512 provide improved size and
security
Public Key Encryption
Public Key Authentication
Authentication and/or data integrity
Public Key Requirements
1. computationally easy to create key pairs
2. computationally easy for sender knowing public key to
encrypt messages
3. computationally easy for receiver knowing private key to
decrypt ciphertext
4. computationally infeasible for opponent to determine private
key from public key
5. computationally infeasible for opponent to otherwise
recover original message
6. useful if either key can be used for each role
Public Key Algorithms
• RSA (Rivest, Shamir, Adleman)
• developed in 1977
• only widely accepted public-key encryption alg
• given tech advances need 1024+ bit keys
• Diffie-Hellman key exchange algorithm
• only allows exchange of a secret key
• Digital Signature Standard (DSS)
• provides only a digital signature function with SHA-1
• Elliptic curve cryptography (ECC)
• new, security like RSA, but with much smaller keys
Public Key
Certificates
See textbook figure p.63
Digital
Envelopes

Another application of public key alg

Random Numbers
• random numbers have a range of uses
• requirements:
• randomness
• based on statistical tests for uniform distribution and independence
• unpredictability
• successive values not related to previous
• clearly true for truly random numbers
• but more commonly use generator
Pseudorandom verses Random
Numbers
• often use algorithmic technique to create pseudorandom
numbers
• which satisfy statistical randomness tests
• but likely to be predictable
• true random number generators use a nondeterministic
source
• e.g. pulse detectors of ionizing radiation events
• increasingly provided on modern processors
Practical Application:
Encryption of Stored Data
• common to encrypt transmitted data
• much less common for stored data
• which can be copied, backed up, recovered
• approaches to encrypt stored data:
• Back-end appliance: a hardware device that sits between servers and storage systems
and encrypts all data going from the server to the storage system and decrypts data
going in the opposite direction.
• Background laptop and PC data encryption: software products that provide
encryption that is transparent to the application and the user. Some encrypt all or
designated files and folder,. others create a virtual disk locally on the hard drive or on
a network storage device, with all data on the virtual disk encrypted. Various key
management solutions are offered to restrict access to the owner of the data.
Summary
• introduced cryptographic algorithms
• symmetric encryption algorithms for confidentiality
• message authentication & hash functions
• public-key encryption
• digital signatures and key management
• random numbers