1 Week 2 Cryptography. 2 Concepts 3 Cryptography Cryptsecret Graphia writing Latin Concerned with developing algorithms: - Conceal the context of some

1

Week 2Cryptography

2

CryptographyConcepts

3

Cryptography Crypt secret

Graphia writing

Latin

• Concerned with developing algorithms:- Conceal the context of some message from all except the sender and recipient (privacy or secrecy), and/or

Cryptography

Every night in my dreamI see you

I feel you thatIs how I know youGo on far away a

Cross the distance

in night Everydream

I you see myI you that feel

know you Is how I Go away a on far

distance Cross the

4

Cryptography

• Concerned with developing algorithms:

- Verify the correctness of a message to the recipient (authentication)

- Form the basis of many technological solution to computer and communications security problems

cryptography - study of encryption principles/methods

5

Goals & Setting

• To ensure security of communication across an insecure channel.

• The ideal channel:

Dedicated, untappable, impenetrable

Pipe/tube

Sender Receiver

6

Secure Channel

ISP/Office

7

Secure Channel

8

Secure Channel

9

Secure Channel

10

Secure Channel

11

Secure Channel

12

Authenticated

Secure Channel

13

Secure Channel

14

Connected

Secure Channel

15

Secure Channel

ISP/Office

Connection Established

16

Goal & Setting

Sender Receiver

Adversary (Attacker) The source of allpossible threats

Not all aspect of an ideal channel can be emulated

17

Basic Terminology

plaintext - the original message ciphertext - the coded message cipher - algorithm for transforming plaintext to ciphertext key - info used in cipher known only to sender/receiver encipher (encrypt) - converting plaintext to ciphertext decipher (decrypt) - recovering ciphertext to plaintext

18

Sender Receiver

Plaintext

The secret message is:You can get A-/A+ in SKR5200; (however depend onyou)

Encryption Decryption

The secret message is:You can get A-/A+ in SKR5200; (however depend onyou)

hjfjghkf@#@#$%^&jklll098GHJFD!@#$#$#$%

Plaintext

ciphertext

Simple Process

19

Categories of cryptography

20

Comparison between two categories of cryptography

21

Symmetric Encryption Asymmetric Encryption

Cryptography

•conventional / private-key / single-key•sender and recipient share a common key•all classical encryption algorithms are private-key

•uses two keys – a public & a private key•asymmetric since parties are not equal •uses clever application of number theoretic concepts to function•complements rather than replaces private key crypto

Encryption Method

22

Symmetric Encryption

23


Classical Modern

Stream cipher Block cipher

Symmetric Encryption Technique

24


• conventional / private-key / single-key• sender and recipient share a common key

• 2 Techniques: Classical & Modern

Classical Techniques: • Substitution:

Caesar Cipher Monalphabatic Cipher Playfair Cipher Hill Cipher Polyalphabetic Cipher One-Time Pad

• Transposition• Rotor Machines • Steganography

Modern Techniques: •DES, 3DES, AES

25

Basic of Symmetric Cryptography


Classical SubstitutionCipher


Classical TranspositionsCipher


SummarySummary

26


or conventional / private-key / single-keysender and recipient share a common keyall classical encryption algorithms are private-keywas only type prior to invention of public-key in 1970’s

27

Basic Terminology

plaintext - the original message ciphertext - the coded message cipher - algorithm for transforming plaintext to ciphertext key - info used in cipher known only to sender/receiver encipher (encrypt) - converting plaintext to ciphertext decipher (decrypt) - recovering ciphertext from plaintextcryptography - study of encryption principles/methodscryptanalysis (codebreaking) - the study of principles/ methods of deciphering ciphertext without knowing keycryptology - the field of both cryptography and cryptanalysis

28

Symmetric Cipher Model

29

Requirementstwo requirements for secure use of symmetric encryption:

a strong encryption algorithma secret key known only to sender / receiver, have:

plaintext X ciphertext Y key K encryption algorithm Ek

decryption algorithm Dk

Ciphertext Y = EK(X) Plaintext X = DK(Y)

assume encryption algorithm is knownimplies a secure channel to distribute key

30

Cryptography

can characterize by:type of encryption operations used

substitution / transposition / productnumber of keys used

single-key or private / two-key or publicway in which plaintext is processed

block / stream

31

Types of Cryptanalytic Attacks

ciphertext only only know algorithm / ciphertext, statistical, can identify plaintext

known plaintext know/suspect plaintext & ciphertext to attack cipher

chosen plaintext select plaintext and obtain ciphertext to attack cipher

chosen ciphertext select ciphertext and obtain plaintext to attack cipher

chosen text select either plaintext or ciphertext to en/decrypt to attack cipher

32

Simple Question

What are the essential ingredients of a symmetric cipher?

How many keys are required for two people to communicate via a cipher?

33

Simple Question

What are the essential ingredients of a symmetric cipher?

Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.

How many keys are required for two people to communicate via a cipher?

One secret key.

34







SummarySummary

35

Classical Substitution Ciphers

where letters of plaintext are replaced by other letters or by numbers or symbolsor if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

36

Caesar Cipher

earliest known substitution cipherby Julius Caesar first attested use in military affairsreplaces each letter by 3rd letter onexample:meet me after the toga party

PHHW PH DIWHU WKH WRJD SDUWB

37

Caesar Cipher

can define transformation as:Plain: a b c d e f g h i j k l m n o p q r s t u v w x y zCipher:D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

mathematically give each letter a numbera b c d e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y Z13 14 15 16 17 18 19 20 21 22 23 24 25

then have Caesar cipher as:C = E(p) = (p + k) mod (26)p = D(C) = (C – k) mod (26)

38

Example 1

Caesar used a shift of 3

Using this encryption, the message:• treaty impossible

Would be encoded as :

t r e a t y i m p o s s i b l e WUHDWB LP S RVVLEOH

39

Example 2

Caesar used a shift of 5

Using this encryption, the message:• treaty impossible

Would be encoded as :

t r e a t y i m p o s s i b l e

40

To test your understanding

Ceasar wants to arrange a secret meeting with Marc Anthony, either at the Tiber (the river) or at the Colisuem (the arena). He sends the ciphertext EVIRE. However, Anthony doest not know the key, so he tries all possibilities. Where will he meet Caesar?

41

To test your understanding

Ceasar wants to arrange a secret meeting with Marc Anthony, either at the Tiber (the river) or at the Colisuem (the arena). He sends the ciphertext EVIRE. However, Anthony doest not know the key, so he tries all possibilities. Where will he meet Caesar?

Among the shifts of EVIRE, there are two words: arena and river. Therefore, Anthony cannot determine where to meet Caesar.

42

Cryptanalysis of Caesar Cipher

only have 26 possible ciphers A maps to A,B,..Z

could simply try each in turn a brute force search given ciphertext, just try all shifts of lettersdo need to recognize when have plaintexteg. break ciphertext "GCUA VQ DTGCM"

43

Summary of Substitutions

Substitutions are effective cryptographic devices. In fact, they werethe basis of many cryptographic algorithms used for diplomatic communication through the first half of the century.

But substitution is not only kind of encryption technique. Thegoal of substitution is confusion; the encryption method is an attempt to make it difficult for cryptanalyst or intruder to determinehow a message and key were transformed into ciphertext.

44







SummarySummary

45

A transposition is an encryption in which the letters of the messageare re arranged. With transposition is an encryption in which the letters of the message are rearranged. With transposition, thecryptography aims for diffusion, widely spreading the informationfrom the message or key across the ciphertext. Transpositions tryto break established patterns. Because a transposition is re arranged of the symbols of a message, it also known as a permutation.

Transpositions (permutations)

46

Transposition Ciphers

now consider classical transposition or permutation ciphers these hide the message by rearranging the letter order without altering the actual letters usedcan recognise these since have the same frequency distribution as the original text

47

Rail Fence cipher

write message letters out diagonally over a number of rows then read off cipher row by roweg. write message out as:

“meet me after the toga party”

giving ciphertext

MEMATRHTGPRYETEFETEOAATm

e

e

t

m

e

a

f

t

e

r

t

h

e

t

o

g

a

p

a

r

t

y

48

Row Transposition Ciphers

a more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key of the algorithm.

write letters of message out in rows over a specified number of columns

then reorder the columns according to some key before reading off the rows

Key: 4 3 1 2 5 6 7Plaintext: a t t a c k p o s t p o n e d u n t i l t w o a m x y zCiphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

49

Product Ciphers

ciphers using substitutions or transpositions are not secure because of language characteristicshence consider using several ciphers in succession to make harder, but:

two substitutions make a more complex substitution two transpositions make more complex transposition but a substitution followed by a transposition makes a new much harder cipher

this is bridge from classical to modern ciphers

50







SummarySummary

51

Summary

Stream cipher: that is, they convert one symbol of plaintextimmediately into a symbol of ciphertext. (The exception is the columnar transposition cipher). The transformation depends onlyon the symbol, the key, and the control information of the enciperment algorithm. A model of stream enciphering is shown:

Plain text

Encryption

Key (optional)

CiphertextISSOPMI wdhuw

52

SummarySome kinds of errors, such as skipping a character in the key during encryption,affect the encryption of all future characters. However, such errors can sometimes be recognized during encryption because the plan text will be properly recovered up to a point, and then all following characters will be wrong.

Errors can sometimes be

recognized

#&^&*gjd!@#$%CID&%$ HJG

Erors can sometimes be

recognzed

Errors can sometimes be

recognized

If that is the case, the receiver may be able to recover from the error by droppinga character of the key on the receiving end. Once the receiver has successfully recalibrated the key with the ciphertext, there will be no further effects from this error.

To address this problem and make it harder for cryptanalyst to break the code, Therefore, a block chipper has been introduced.

#&^&*gjd!@#$%CID&%$ HJG recalibrate

53

Summary – easy to break

The Caesar Cipher allows simple straightforward encoding and decoding. Therefore, it allows unauthorized message recipients to crack such encoded messages easily. If an eavesdropper manages to obtain the encoded message, he only has to test the 26 possible shifts in order to find the original message. This message-cracking attack is called “brute force” and is best performed withthe aid of computers. In our example, however, the pen and pencil approach is sufficient.

54

Summary – easy to break

eulqjfvmrkgwnslhxotmiypunjzqvokarwplbsxqmctyrnduzsoevatpfwbuogxcv

rhydwsizextjafyukbgzvlchawmdibxnejcyofkdzpgleaqhmfarenacsjohdtkpi

55

Substitution Technique

Transposition Technique

•where letters of plaintext are replaced by other letters or by numbers or symbols•or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

• transposition or permutation ciphers • these hide the message by rearranging the letter order • without altering the actual letters used• can recognise these since have the same frequency distribution as the original text

Classical Techniques

56

• A typical stream cipher encrypts plaintext one byte at a time.

• Use a key as input to a pseudorandom bit generator that produces a stream of 8-bit numbers that are apparently random.

• Pseudorandom stream is one that is unpredictable without knowledge of the input key.

Stream Cipher Structure

Pseudorandom byte Generator

(key stream generator)

+Plaintext Byte stream

M

Ciphertext Byte stream

C

Key K

K

Pseudorandom byte Generator

(key stream generator)

+ PlaintextByte stream

M

Key K

K

Encryption Decryption

57

• The output of the generator, called a keystream, is combined one byte at a time with the plaintext stream using the bitwise exclusive-OR (XOR) operation.

11001100 Plaintext

Decryption requires the use of the same pseudorandom sequence:

Stream Cipher Structure

01101100 key stream

10100000 Ciphertext+

10100000 Ciphertext

01101100 key stream

11001100 Plaintext+

58


Classical Modern

Stream cipher Block cipher

Focus

Symmetric Encryption Technique

59

Block Ciphers / Feistel Cipher


60

Block Ciphers

• A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

• Typically, a block size of 64 or 128 bits is used. • Block cipher algorithms can operate in many Modes. A block cipher algorithm can be a :

• Electronic Codebook Mode• Cipher block Chaining Mode• Cipher Feedback Mode• Output Feedback Mode • Counter Mode

• provide secrecy and/or authentication services

61

Feistel Cipher Design Principles

block size increasing size improves security, but slows cipher

key size increasing size improves security, makes exhaustive key searching harder, but may slow cipher

number of rounds increasing number improves security, but slows cipher

subkey generation greater complexity can make analysis harder, but slows cipher

round function greater complexity can make analysis harder, but slows cipher

fast software en/decryption & ease of analysisare more recent concerns for practical use and testing

62

Block Cipher Design

• Divide input bit stream into n-bit sections, encrypt only that section, no dependency/history between sections

• In a good block cipher, each output bit is a function of all n input bits and all k key bits

63

Plaintext

F

Ln+1 Rn+1

RnLn

Kn+1

Substitution

Permutation+XOR

Fiestel Cipher Encryption

Encryption Process: Rn +1 = Ln F(Rn, Kn+1)Ln + 1 = Rn

64

Fiestel Cipher Encryption

Plaintext

F

Ln+1 Rn+1

RnLn

K1

+

F

Ln+1 Rn+1

Ki

+

F

Ln+1 Rn+1

Kn

+

Ciphertext

Round 1

Round i

Round n

65

Ln+1 Rn+1

Plaintext

Ln Rn

F

Kn-1

+XOR

Fiestel Cipher Decryption

Decryption Process:

Ln = Rn+1 F(Ln-1, Kn-1) Rn = Ln - 1

66


Rn

Plaintext

Ln

Ln+1 Rn+1

F

K1

+

Ln+1 Rn+1

F

Ki

+

Ln+1 Rn+1

F

Kn

+

Ciphertext

Round n

Round i

Round 1

67


Rn

Plaintext

Ln

Ln+1 Rn+1

F

K1

+

Ln+1 Rn+1

F

Ki

+

Ln+1 Rn+1

F

Kn

+

Ciphertext

Round n

Round i

Round 1

Plaintext

F

Ln+1 Rn+1

RnLn

K1

+

F

Ln+1 Rn+1

Ki

+

F

Ln+1 Rn+1

Kn

+

Ciphertext

Round 1

Round i

Round n

68

Fiestel Cipher Algorithm

Input: T: 2t bits of clear text k1, k2, ..., kr: r round keys f: a block cipher with bock size of t

Output: C: 2t bits of cipher text

Algorithm: (L0, R0) = T, dividing T in two t-bit parts (L1, R1) = (R0, L0 ^ f(R0, k1)) (L2, R2) = (R1, L1 ^ f(R1, k2)) ...... C = (Rr, Lr), swapping the two parts

^ is the XOR operation.

69

One of Security Implementations

ATM PIN SECURITY

70

ATM Introduction

Automated Teller Machines (ATM) have become ubiquitous and let you withdraw money fromyour bank account 24 hrs a day and 7 days a week with your ATM card. The ATM cardconstitutes of two things:

the Card number and the Personal Identification Number or PIN.

Each bank issues a card number that is unique to each customer. If it is a debit card, the cardnumber will also be unique worldwide.

• The PIN is like a password to verify a customer’s authenticity. • Cash dispensers in the ATM verify both the card number and the PIN.

71

Working Principle of ATM

• The ATM systems have three main components: Cash dispenser, ATM Server and PIN machine. • The Cash dispenser reads the Card number and the PIN entered by a customer and sends them to a central ATM Server. • The ATM Server has a database which stores ATM card no. and PIN details. • The third component, the PIN machine is used to authenticate the customer ‘s ATM PIN. It is directly connected to the ATM Server and is a tamper proof device that stores a single secret key.

Cash Dispenser ATM Server

Customer AccountHolding Server

PIN Machine

Leased Line

BANK

72


ATM Server

Leased Line


PIN Machine

Cash Dispenser ATM Server


PIN Machine

Leased Line

BANK

73


ATM Server

Leased Line


PIN Machine

After the customer enters an ATM counter, he inserts his ATM card into the machine and types his PIN on a numeric keypad.

The Cash dispenser reads the card number from the magnetic strip and the PIN that he has typed and sends them to the ATM Server.

The ATM Server verifies the PIN against the card number with the help of the PIN machine and sends a positive or negative acknowledgement to the Cash dispenser.

At this point, the customer is authenticated and can use his account.

74

ATM PIN Security

• The security of the ATM PIN is a critical element in the entire process.

• There are two ways that an attacker could try to get the ATM PIN: He could either sniff the network when the Cash dispenser is transmitting the PIN to ATM Server or he could compromise the ATM Server and PIN machine to extract the PIN of a user.

• How these threats have been addressed in today’s ATM systems? how.

75

•To prevent the sniffing of the PIN during the transmission, PIN is encrypted using DES or 3DES encryption algorithm and then transmitted from Cash dispenser to ATM Server.

• The shared secret key is stored in Cash dispenser as well as in ATM Server. This application stores the shared DES key in encrypted form using vendor’s proprietary algorithm (e.g. ACI ATM software).

• The solution for the second problem is interesting. The system splits each customer’s PIN into two parts and stores them in two different machines. So even if one of the machines is compromised, the PIN is still secure. Now the problem is of course how to split the PIN securely into two parts. Here we also have to keep in mind that customer can always change his PIN.

ATM PIN Security

76

ATM PIN Security

• An algorithm has been designed that allows the customer’s PIN to be split and also allows the customer to change his PIN.

• Let the customer PIN be a and let’s say it is split into two parts b and c . a = b + c

b is a variable part of the PIN and is called PIN Offset. The PIN Offset is stored in the ATM Server

c is the constant part of the PIN and is called Natural PIN. The Natural PIN is generated in the PIN machine each time.

How does the PIN Machine generate the constant c for each customer and yet keep it a secret? Remember that the ATM card number of a customer is unique. So, the constant part c can be a cryptographic function of the card number.

c = f (card#)

There are different methods to derive a constant number from a card number and a popularmethod is to derive it using the DES algorithm. The PIN machine stores a DES key in itsElectrically Erasable Programmable Read Only Memory (EEPROM). This key is used toencrypt the card number and generate DES encrypted value.

77

ATM PIN Security

There are different methods to derive a constant number from a card number and a popularmethod is to derive it using the DES algorithm. The PIN machine* stores a DES key in itsElectrically Erasable Programmable Read Only Memory (EEPROM). This key is used toencrypt the card number and generate DES encrypted value.

* The DES key is stored in the EEPROM of the machine. EEPROM is chip which is fixed on machine’s circuit board. To retrieve the key, one has to open the box case, remove the circuit board from the box, connect the EEPROM to a EEPROM reader to get the key. So physical security is very important for ATM Server room.

78

ATM PIN Security

Card # + DES key = DES encrypted value

This DES encrypted value is then converted into decimalized form and the first four digits ofthe value are taken. That is the Natural PIN, c . Once again, to summarize, the path is:

DES encrypted value → Decimalized value → First 4 digits of the value = c

The Natural PIN, the constant part, c is not stored anywhere in the entire process. Nobodycan get the PIN by compromising the PIN machine*. The PIN Offset or b is the variable part.When a customer changes his/her PIN only this part is changed. So even if the ATM Server iscompromised only b will be revealed and it is useless without c to get actual Customer PIN a .

* The DES key is stored in the EEPROM of the machine. EEPROM is chip which is fixed on machine’s circuit board. To retrieve the key, one has to open the box case, remove the circuit board from the box, connect the EEPROM to a EEPROM reader to get the key. So physical security is very important for ATM Server room.

79

ATM PIN Authentication Process

• The mechanism for authenticating the ATM PIN is quite simple. When a customer inserts his ATM card and type the PIN, the card number and PIN are sent to the ATM Server encrypted.

• The ATM Server decrypts the card number and the PIN; it first validates the card number against its database.

• The valid card number, the PIN Offset b of that card and the PIN typed by the customer are sent to the PIN machine.

• Now the PIN machine generates the Natural PIN c from the card no., adds it with PIN Offset b and generates the true Customer PIN a .

• Then it compares the actual Customer PIN a with the customer supplied PIN. If the two of them matched then it sends positive acknowledgement to ATM Server indicating that the customer is authenticated.

• Note that in this process, the Natural PIN never leaves the tamper proof PIN Machine, and the PIN machine does not have to store individual PINs of all the users. Instead, it securely stores the DES key for generating the Natural PIN from each user’s card number.

80

Generation & Distribution of ATM PIN

• The ATM system deals with critical customer information and is more secure by design.

• But there can still be security risks during the generation and distribution of a new card and PIN .

• The Card number is generated by the ATM Server and the PIN is generated by the PIN machine from the card number as mentioned above.

• But for the first time, the PIN Offset of the new PIN is randomly generated by the PIN machine.

• There are two ways to print the PIN mailer.

In the first method, the operator will generate a new PIN using the PIN machine, get the PIN and generate the printout of the PIN mailer.

In the second method, the operator requests the PIN machine to generate a new PIN. The PIN machine generates the PIN and directly prints it to a connected printer and seals the print mailer before giving it to the operator.

• The second method is clearly more secure than first one as the operator never comes to know the secret PIN.

81

Modern Techniques (Block Ciphers)&

Asymmetric Cipher

82

Using Key in Cryptography

83

A sequence of symbols that controls the operation of a cryptographic transformation (e.g. encipherment, decipherment).

In practice a key is normally a string of bits used by a cryptographic algorithm to transform plain text into cipher text or vice versa. The key should be the only part of the algorithm that it is necessary to keep secret.

Definition of Key

84

The key length is usually expressed in bits, 8 bits to one byte. Bytes are a more convenient form for storing and representing keys because most computer systems use a byte as the smallest unit of storage (the strict term for an 8-bit byte is octet).

Just remember that most encryption algorithms work with bit strings. It's up to the user to pass them in the required format to the encryption function they are using. That format is generally as an array of bytes, but could be in hexadecimal or base64 format.

In theory, the longer the key, the harder it is to crack encrypted data. The longer the key, however, the longer it takes to carry out encryption and decryption operations.

Key Length

85

Analogy - Strength

86

Analogy - Breaking

87

Block cipher encryption algorithms like AES and Blowfish work by taking a fixed-length block of plaintext bits and transforming it into the same length of ciphertext bits using a key.

Most other block cipher encryption methods have a fixed length key. For example, DES has a 64-bit key (but only uses 56 of them) and Triple DES has a 192-bit key (but only uses 168 of them).

IDEA uses a 128-bit key.

The Advanced Encryption Algorithm (AES) has a choice of three key lengths: 128, 192 or 256 bits.

Public key encryption algorithms like RSA typically have key lengths in the order of 1000-2000 bits. Be careful with the difference in key lengths for block cipher algorithms and public key algorithms.

192-bit Triple DES key is equivalent in security terms to a 2048-bit RSA key, and an AES-128 key is equivalent to a 3072-bit RSA key

Key Length

88

To crack some ciphertext encrypted with a 64-bit key by the brute-force method of trying every combination of keys possible means you have 2^64 possible combinations or 1.8 x 10^19 (that's 18 followed by 18 naughts).

We can expect, on the average, to find a correct answer in half this number of tries. If we have a computer that can carry out one encryption operation every millisecond, it will take about 292 million years to find the correct value. Speed up your computer by a million times and it will still take about 3 centuries to solve.

The equivalent brute force technique for a 128-bit key will, in theory, take a "long time", probably past the expected life of the universe. But, in practice, a set of supercomputers operating in parallel can crack a 64-bit key in a relatively short time.

If an attacker has access to a large selection of messages all encrypted with the same key, there are other techniques that can be used to reduce the time to derive the key.

Relevant of Key Length

89

Most encryption schemes are cracked not by brute force trying of all possible combinations of key bits, but by using other knowledge about how the sender derived the key.

This could be a faulty random number generator known to used by the system, or knowledge that the user derived the key solely from a password of only the letters a to z, or just used simple English words. Or perhaps by finding out the keystrokes typed on the keyboard by the user with a keystroke logger, or by bribing (or torturing) someone to give them the key, or by reading the post-it note the user has conveniently left on the side of the computer with the password written on it. The traps are many and subtle and even the experts get it wrong.

Why spend hours trying to pick the expensive security lock when the owner of the house has left a window open?

How do encryption schemes fail?

90

Strictly, it's not the length of the key, but the "entropy" in the method used to derive the key. There is approximately one bit of entropy in an normal ASCII character.

If you derive a 128-bit key from a password or pass phrase, you will need a very long pass phrase to get enough theoretical entropy in the key to match the security of the underlying key length: Bruce Schneier estimates that you need a 98-character English pass phrase for a 128-bit key. Most people can't be bothered with such a cumbersome pass phrase.


91

Using AES with a 128-bit key should provide adequate security for most purposes. The longer you intend to keep the encrypted data secret, the longer the key you should use, on the principle that cracking techniques will continue to improve over time. Bruce Schneier recommends a 256-bit key for data you intend to keep for 20-30 years.

No one is going to criticise you for using a key that is too long provided your software still performs adequately. However, the biggest danger in using a key that is too large is the false sense of security it provides to the implementers and users. "Oh, we have n-million-bit security in our system" may sound impressive in a marketing blurb, but the fact that your private key is not adequately protected or your random number generator is not random or you have used an insecure algorithm may mean that the total security is next to useless.

Remember it is the security of the total system that counts, including procedures followed by users.


92

Whatever you use, use an accepted algorithm: DES, Triple DES, RSA, AES, Blowfish, IDEA, etc.

Don't try making up your own algorithm; we (learners) aren't that good. The only secret should be in the value of the key.

Choice of Algorithm

93

People often get confused between "password" and "key". A password is typically a series of ASCII characters typed at a keyboard, e.g. "hello123" or "my secret pass phrase". This makes it easier for users to remember. They are, of course, much easier to crack because there are significantly fewer combinations to choose from. A pass phrase is simply a password that consists of several words in a string, e.g. "she sells sea shells", so the terms "password" and "pass phrase" are equivalent for our purposes. In principle, a pass phrase makes it easier for a user to remember a long combination of characters. In practice, this adds to security only if the pass phrase is something known only to the user. Don't use quotes from famous literature - hackers read them, too.

Password, Pass Phrase & Key

94

A password is typically a series of ASCII characters typed at a keyboard, e.g. "hello123" or "my secret pass phrase". This makes it easier for users to remember. They are, of course, much easier to crack because there are significantly fewer combinations to choose from.

A pass phrase is simply a password that consists of several words in a string, e.g. "she sells sea shells", so the terms "password" and "pass phrase" are equivalent for our purposes. In principle, a pass phrase makes it easier for a user to remember a long combination of characters. In practice, this adds to security only if the pass phrase is something known only to the user.

A key used by an encryption algorithm is a bit string. A 128-bit key will have exactly 128 bits in it, i.e. 16 bytes. You will often see keys written in hexadecimal format where each character represents 4 bits, e.g. "FEDCBA98765432100123456789ABCDEF" represents 16 bytes or 128 bits. The actual bits in this example are :

1111 1110 1101 1100 1011 1010 1001 1000 0111 0110 0101 0100 0011 0010 0001 0000 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

Password, Pass Phrase & Key

95

In a university, a student needs to encrypt her password (with a unique symmetric key) before sending it when she logs in. Does encryption protect the university or the student? Explain your answer.

Just to test 1

96

In a university, a student needs to encrypt her password (with a unique symmetric key) before sending it when she logs in. Does encryption protect the university or the student? Explain your answer.

The encryption protects the student and the university for the first time. However, the intruder can intercept the encrypted password and replay the process some other times. The intruder does not have to know the password in plaintext; the encrypted password suffices for replaying. The university system cannot determine if the student has encrypted the message again or the intruder is replaying it.

Answer for the “Just to test 1”

97

How should I derive the key?

98

a. What are two basic functions used in encryption algorithm? Explain how each of these methods works and

please include the example.

Just to test 2

99

a. What are two basic functions used in encryption algorithm? Explain how each of these methods works and please include the

example.

Substitution and Transposition/Permutation

Substitutionwhere letters of plaintext are replaced by other letters or by numbers or symbols. Or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

Transposition/PermutationA transposition is an encryption in which the letters of the message are re arranged. With transposition is an encryption in which the letters of the message are rearranged. With transposition, the cryptography aims for diffusion, widely spreading the information from the message or key across the ciphertext. Transpositions try to break established patterns. Because a transposition is re arranged of the symbols of a message, it also known as a permutation.

Answer for the “Just to test 2”

100

A block cipher is a function E: {0,1}k x {0,1}n {0,1}n . This notation means that E takes two inputs, one being a k-bit string and the other an n-bit string, and returns an n-bit string. The first input is the key. The second might be called the plaintext, and the output might be called a ciphertext. The key-length k and the block-length n are parameters associated to the block cipher. They vary from block cipher to block cipher.

Block Cipher

Plaintext

F

Ln+1 Rn+1

RnLn

Kn+1

Substitution

Permutation+XOR


101

Block Cipher

For each key K {0,1}k we let Ek: {0,1}n {0,1}n be the function defined by EK(M) = E(K,M). For any block cipher, and any key K, it is required that the function EK be a permutation on {0,1}n. This means that it is a bijection (ie., a one-to-one and onto function) of {0,1}n to {0,1}n . (For every C {0,1}n there is exactly one M {0,1}n such that EK(M) = C.) Accordingly EK has an inverse, and we denote it (EK)-1.

Plaintext

F

Ln+1 Rn+1

RnLn

Kn+1

Substitution

Permutation+XOR


102

Block Cipher

This function also maps {0,1}n {0,1}n , and of course we have (EK)-1(EK(M)) = M and EK ((EK)-1(C)) = C

for all M, C {0,1}n . We let

E-1: {0,1}k x {0,1}n {0,1}n be defined by E-1(K,C) = (EK)-1(C). This is the inverse block cipher to E.

Note: implies ; ∈ set membershipA B means if A is true then B is also true; if A is false then nothing is said about B. a ∈ S means a is an element of the set S

Rn

Plaintext

Ln

Ln+1 Rn+1

F

K1

+

Ln+1 Rn+1

F

Ki

+

Ln+1 Rn+1

F

Kn

+

Ciphertext

Round n

Round i

Round 1

103

Block Cipher

The block cipher E is a public and fully specified algorithm. Both the cipher E and its inverse E-1 should be easily computable, meaning given K,M we can readily compute E(K,M), and given K,C we can readily compute E-1(K,C). By “readily compute" we mean that there are public and relatively efficient programs available for these tasks.

104

Before Start, Just Review BackBefore Start, Just Review Back



DESDES

DES of Modes OperationDES of Modes Operation

105

DES – Data Encryption Standard

A Block cipherData encrypted in 64-bit blocks using a 56-bit key (effective key); Ciphertext is of 64-bit longEncrypts by series of substitution and transpositions (or permutations)

106

DES - Basics

DES uses the two basic techniques of cryptography - confusion and diffusion. At the simplest level, diffusion is achieved through numerous permutations and confusions is achieved through the XOR operation and the S-Boxes.This is also called an S-P network.

107

DES - Basics

Fundamentally DES performs only two operations on its input, bit shifting (permutation), and bit substitution. The key controls exactly how this process works.By doing these operations repeatedly and in a non-linear manner you end up with a result which can not be used to retrieve the original without the key.

108

Input of DES

Data: need to be broken into 64-bit blocks; add pad at the last message if necessary.

e.g. X=(3 5 0 7 7 F 1 0 A B 1 2 F C 6 5)HEX

Secret key: Any string of 64 bits long including 8 parity bits.1 parity bit in each 8-bit byte of the key may be utilized for error detection in key generation, distribution, and storage;K=(k1…k7k8… k15k16k17…k24…k32… k40… k48… k56… k64)

The parity bits k8,k16,k24,k32,k40,k48,k56,k64 help ensure that each byte is of odd parity

109

DES Block cipher

110

DES Encryption

111

DES Encryption Diagram

Initial permutation

64-bit plaintext

Iteration 1

Iteration 2

K1

Iteration 16

32-bit Swap

Inverse permutation

64-bit ciphertext

K2

K16

16 subkeys of each 48-bits

112

How to use DES?

Four modes of operations were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Usesubsequently now have 5 for DES and AEShave block and stream modes

113

Handle long messages

Block ciphers encrypt fixed size blockseg. DES encrypts 64-bit blocks, with 56-bit key How to encrypt arbitrary amount of information ?

Message is broken into blocks of 64 bitsAt end of message, handle possible last short block

by padding either with known non-data value (eg nulls)or pad last block with count of pad size

– eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count

Then they are encrypted and decrypted in various combinations of keys and texts.

Details for DES, Please refer and read:

Stallings, W. (2006). Cryptography and Network Security. New Jersey: Prentice-Hall. Page 63 - 90

114

115

Chapter 3Public-Key Cryptography

116

OverviewOverview

Symmetric Cryptography Summary


Public-Key CryptographyPublic-Key Cryptography

Example: RSAExample: RSA

DiscussionDiscussion

117

Categories of cryptography

118

ASYMMETRIC-KEY CRYPTOGRAPHYASYMMETRIC-KEY CRYPTOGRAPHY

An asymmetric-key (or public-key) cipher uses two An asymmetric-key (or public-key) cipher uses two keys: one private and one public. We discuss one keys: one private and one public. We discuss one algorithms: RSAalgorithms: RSA

RSATopics discussed in this section:Topics discussed in this section:

119

Asymmetric Cryptography

120

Comparison between two categories of cryptography

121






122

Message is encrypted

EAB

E

Message is decrypted

D

EAB

Confidentiality – Alice and Bob share the key/

Authentication – only from Alice, therefore is cannot be altered in transit

Man needs Woman, Woman NeedsMoney for shopping

123456696096785403657849302610395867567484509121212347


Symmetric Concept

No signature - Bob could forge the message - Sender could deny the message

123






124

public-key/two-key/asymmetric cryptography involves the use of two keys:

a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

is asymmetric becausethose who encrypt messages or verify signatures cannot decrypt messages or create signatures

Private-Key Cryptography Definition

125

allows users to communicate securely without having prior access to a shared secret key,

by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically.

the private key is generally kept secret, while the public key may be widely distributed.

In a sense, one key "locks" a lock; while the other is required to unlock it. It should not be possible to deduce the private key of a pair given the public key.

Private-Key Cryptography - Concept

126


EB


DB

Public-Key Basic Concept


123456696096785403657849302610395867567484509121212347

Man needsWoman, Woman NeedsMoney for shopping

Alice Bob

Message (M)Plaintext Ciphertext

Message (M)Plaintext

Bob’s Public Key (EB) Bob’s Private Key (DB)

127

• This model provides no authentication because any party could also use Bob’s “public key” to encrypt Message (M)


EB


DB

Public-Key Basic Concept


123456696096785403657849302610395867567484509121212347

Man needsWoman, Woman NeedsMoney for shopping

Alice Bob



Confidentiality

128

Private-Key Cryptography

129

There are many forms of public-key cryptography, including:public key encryption — keeping a message secret from anyone that does not possess a specific private key.

public key digital signature — allowing anyone to verify that a message was created with a specific private key.

key agreement — generally, allowing two parties that may not initially share a secret key to agree on one.

Public-Key Cryptography Options

130

The most obvious application of a public key encryption system is confidentiality;a message which a sender encrypts using the recipient's public key can only be decrypted by the recipient's paired private key.

Public-key digital signature algorithms can be used for sender authentication. For instance, a user can encrypt a message with his own private key and send it. If another user can successfully decrypt it using the corresponding public key, this provides assurance that the first user (and no other) sent it.

Private-Key Cryptography

131

• This model does provide authentication and digital signature

To Provide Authentication & Signature


123456696096785403657849302610395867567484509121212347


Alice Bob



• But, this scheme not provide confidentiality, because anyone has Alice’s public key can decrypt the ciphertext.

Alice has “signed” the message


EA

Alice use her private key

E


DA

Bob user Alice’s public key

D

132

To Provide Confidentiality, Authentication and Signature


123456696096785403657849302610395867567484509121212347


Alice BobMessage (M)

Plaintext CiphertextMessage (M)

Plaintext123456696096785403657849302610395867567484509121212347

123456696096785403657849302610395867567484509121212347


EA

Alice use her private key

E


EB

Alice use Bob’s public key

E


DB

Bob use his private key

D


DA

Bob use Alice’s public key

D

•Bottleneck: The public-key algorithm is complex and must be exercised four times rather than two in each communication

Digital Signature&

Authentication

Confidentiality

133

Why Public-Key Cryptography?

developed to address two key issues:key distribution – how to have secure communications in general without having to trust a KDC with your keydigital signatures – how to verify a message comes intact from the claimed sender

Need to read page:

134

Public-Key Applications

can classify uses into 3 categories:encryption/decryption (provide secrecy)digital signatures (provide authentication)key exchange (of session keys)

some algorithms are suitable for all uses, others are specific to one

135

Security of Public Key Schemes

like private key schemes brute force exhaustive search attack is always theoretically possible but keys used are too large (>512bits) security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problemsmore generally the hard problem is known, its just made too hard to do in practise requires the use of very large numbershence is slow compared to private key schemes

136

1) Well-regarded public-key techniques include:• Diffie-Hellman• RSA encryption algorithm• ElGamal• DSS (Digital Signature Standard), which incorporates the Digital Signature Algorithm.• Various Elliptic Curve techniques• Various Password-authenticated key agreement techniques• Paillier cryptosystem

2) Protocols using asymmetric key algorithms include:• PGP – Pretty Good Privacy• GNU Privacy Guard (GPG) an implementation of OpenPGP• Secure Shell (SSH)• SSL now implemented as an IETF standard; Trasnsport Layer Security (TLS)

Example of Public-Key Cryptographic Techniques

137

Course Work: PresentationCourse Work: Presentation






138

As previously mentioned, this algorithm was created by Ron Rivest, Adi Shamir, and Len Adleman of MIT.

Dr. Ron Rivest received his Bachelors Degree in Mathematics from Yale University in 1969, while obtaining his Doctorate Degree in Computer Science from Stanford University in 1974. He is most famously known for his work in the RSA algorithm, along with his creation of the symmetric key encryption algorithms (RC2, RC4, RC5, and RC6).

Dr. Rivest is currently working as a senior Professor of Computer Science in the Department of Electrical Engineering and Computer Science at MIT.

Cryptographers

139

Dr. Adi Shamir received his Bachelors Degree in Mathematics from Tel-Aviv University in 1973, and received his MSc and PhD Degrees in Computer Science from the Weizmann Institute of Israel in 1975 and 1977, respectively. During the latter half of the 1970’s Dr. Shamir participated in research at the facilities of MIT, where he took part in inventing the RSA algorithm. Apart from the RSA algorithm, Dr. Shamir is well known for breaking the Merkle-Hellman cryptosystem and for his creation of the Shamir secret sharing scheme (cryptography).

Presently, Dr. Shamir is a faculty member of the Weizmann Institute in the Department of Mathematics and Computer Science.

Cryptographers

140

Dr. Len Adleman received his Bachelors Degree in Mathematics in 1968 and his Doctorate Degree in Computer Science in 1976 from the University of California, Berkeley. In addition to his involvement in designing the RSA algorithm, Dr. Adleman is widely known for creating the initial field of DNA Computing at the University of Southern California (USC).

At the present time Dr. Adleman is working as a Professor of Computer Science and Molecular Biology at USC.

In 2002 Dr. Rivest, Dr. Shamir, and Dr. Adleman received the ACM Turing Award, awarded on behalf of the Association of Computing Machinery in recognition of their discovery of the RSA encryption algorithm. (This award is commonly referred to as the Nobel Prize of Computer Science.)

Cryptographers

141

RSA

142

Selecting Keys

Bob use the following steps to select the private and public keys:

1. Bob chooses two very large prime numbers p and q. Remember that a prime number is one that can be divided evenly only by 1 and itself.

2. Bob multiplies the above two primes to find n, the modulus for encryption and decryption. In other words, n = p x q.

3. Bob calculate another number = (p-1) x (q-1).

4. Bob chooses a random integer e. He then calculates d so that d x e = 1 mod .

5. Bob announces e and n to the public; he keeps and d secret.

143

Need To Know

In RSA, e and n are announced to the public; d and are kept secret.

Note

144

Encryption

Anyone who needs to send a message to Bob can use n and e. For example, if Alice needs to send a message to Bob, she can change the message, usually a short one, to an integer. This is the plaintext. She then calculates the ciphertext, using e and n.

Alice sends C, the ciphertext, to Bob.

C = Pe (mod n)

145

Decryption

Bob keeps and d private. When he receives the ciphertext, he uses his private key d to decrypt the message.

P = Cd (mod n)

146

Bob chooses 7 and 11 as p and q and calculates n = 7- 11 = 77. The value of Ø=(7-1) or 60. Now he chooses two keys, e and d. if he chooses e to be 13, then d is 37. Now Alice sends the plaintext 5 to Bob. She uses the public key 13 to encrypt 5.

Example 2 - Question

147

Bob chooses 7 and 11 as p and q and calculates n = 7* 11 = 77. The value of Ø=(7-1) or 60. Now he chooses two keys, e and d. if he chooses e to be 13, then d is 37. Now Alice sends the plaintext 5 to Bob. She uses the public key 13 to encrypt 5.

Example 2 - Answer

Plaintext: 5 C = 513 =26 mod 77 Ciphertext: 26

Ciphertext 26 P 2637= 5 mod 77 Plaintext: 5 Intended message sent by Alice

Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:

The plaintext 5 sent by Alice is received as plaintext 5 by Bob.

148

Example 3

Let me give a realistic example. We choose a 512-bit p and q. We calculate n and . We then choose e and test for relative primeness with (n). We calculate d. Finally, we show the results of encryption and decryption. A program written in Java/C/C++ to do so; this type of calculation cannot be done by a calculator.

The integer q is a 160-digit number.

149

Example 3

We calculate n. It has 309 digits:

We calculate . It has 309 digits:

150

Example 3

We choose e = 35,535. We then find d.

Alice wants to send the message “THIS IS A TEST” which can be changed to a numeric value by using the 00–26 encoding scheme (26 is the space character).

151

Example 3

The ciphertext calculated by Alice is C = Pe, which is.

Bob can recover the plaintext from the ciphertext by using P = Cd, which is

The recovered plaintext is THIS IS A TEST after decoding.

152

Example 4

Bob chooses 7 and 11 as p and q and calculates n = 7 · 11 = 77. The value of = (7 − 1) (11 − 1) or 60. Now he chooses two keys, e and d. If he chooses e to be 13, then d is 37. Now imagine Alice sends the plaintext 5 to Bob. She uses the public key 13 to encrypt 5.

153

Example 4

Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:

The plaintext 5 sent by Alice is received as plaintext 5 by Bob.

154

Example 5

Jennifer creates a pair of keys for herself. She chooses p = 397 and q = 401. She calculates n = 159,197 and = 396 · 400 = 158,400. She then chooses e = 343 and d = 12,007. Show how Ted can send a message to Jennifer if he knows e and n.

155

Example 5

SolutionSuppose Ted wants to send the message “NO” to Jennifer. He changes each character to a number (from 00 to 25) with each character coded as two digits. He then concatenates the two coded characters and gets a four-digit number. The plaintext is 1314. Ted then uses e and n to encrypt the message. The ciphertext is 1314343 = 33,677 mod 159,197. Jennifer receives the message 33,677 and uses the decryption key d to decipher it as 33,67712,007 = 1314 mod 159,197. Jennifer then decodes 1314 as the message “NO”. Figure 30.25 shows the process.

156

Example 5

157

1. Alice wants to send a cellphone text message to Bob securely, over an insecure communication network. Alice's cellphone has a RSA public key KA and

matching private key VA; likewise, Bob's cellphone has KB and VB. Let's design a cryptographic protocol for doing this, assuming both know each other's public

keys. Here is what Alice's cellphone will do to send the text message m:(i) Alice's phone randomly picks a new AES session key k and computes c = RSA-

Encrypt(KB, k), c’ = AES-CBC-Encrypt(k, m), and t = RSA-Sign(VA, (c, c’)).

(ii) Alice's phone sends (c, c’, t) to Bob's phone.

And here is what Bob's cellphone will do, upon receiving (c, c’, t):

(i) Bob's phone checks that t is a valid RSA signature on (c, c’) under public key KA. If not, abort.

(ii) Bob's phone computes k’ = RSA-Decrypt(VB, c) and m’ = AES-CBC-Decrypt(k’, c’).

(iii) Bob's phone informs Bob that Alice sent message m’.


158

Does this protocol ensure the confidentiality of Alice's messages? Why or why not?

Does this protocol ensure authentication and data integrity for every text message Bob receives? Why or why not?

Suppose that Bob is Alice's stockbroker. Bob hooks up the output of this protocol to an automatic stock trading service, so if Alice sends a text message “Sell 100 shares MSFT” using the above protocol, then this trade will be immediately and automatically executed from Alice's account. Suggest one reason why this might be a bad idea from a security point of view.


159

Does this protocol ensure the confidentiality of Alice's messages? Why or why not?

Yes. Since AES-CBC-Encrypt is secure, no one can recover m from c’ without knowledge of k. Also, since RSA-Encrypt is secure, only someone who knows KB—namely, Bob—can recover k.

Does this protocol ensure authentication and data integrity for every text message Bob receives? Why or why not?

Yes. Since RSA-Sign is secure, if (c, c’) passes step 1, then only someone who knew vA—namely, Alice—could have sent (c, c’). Now (c, c’) uniquely determines m, the message that Alice wanted to send.Conclusion: If Bob accepts m in step 3, then Alice sent m.

Example 6 - Answer

160

Suppose that Bob is Alice's stockbroker. Bob hooks up the output of this protocol to an automatic stock trading service, so if Alice sends a text message “Sell 100 shares MSFT” using the above protocol, then this trade will be immediately and automatically executed from Alice's account. Suggest one reason why this might be a bad idea from a security point of view.

No protection against replays. An active attacker could replay a valid ciphertext from Alice 10 times, causing 1000 shares to be sold—even though Alice only wanted 100 sold. Denial-of-service. An active attacker could prevent Alice’s ciphertext from reaching Bob. Since Alice doesn’t receive any acknowledgement, she will think her trade was executed, when it actually wasn’t. If Alice’s cellphone is lost or stolen, then its new owner can cause trades to be executed from Alice’s account without Alice’s authorization. [It suffices for you to mention any one of these problems.]

Example 6 - Answer

161

How Do You Want Protect Your Network System

Thank YouSee You Next Week

Have A Nice Weekend

Documents

1 Week 2 Cryptography. 2 Concepts 3 Cryptography Cryptsecret Graphia writing Latin Concerned with developing algorithms: - Conceal the context of some