CNS UNITS 1


  • 7/30/2019 CNS UNITS 1

    UNIT - I INTRODUCTION

    Computer data often travels from one computer to another, leaving the safety of its protected physical surroundings. Once the data is out of hand, people with bad intentions could modify or forge your data, either for amusement or for their own benefit.

    Cryptography can reformat and transform our data, making it safer on its trip between computers. The technology is based on the essentials of secret codes, augmented by modern mathematics that protects our data in powerful ways.

    - Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

    - Network Security - measures to protect data during their transmission

    - Internet Security - measures to protect data during their transmission over a collection of interconnected networks

    THE OSI SECURITY ARCHITECTURE

    To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows:

    Threats and Attacks (RFC 2828)

    Threat

    A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

    Attack

    An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

    Security Attacks, Services and Mechanisms

    To assess the security needs of an organization effectively, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. One approach is to consider three aspects of information security:

    Security attack: Any action that compromises the security of information owned by an organization.

    Security mechanism: A mechanism that is designed to detect, prevent or recover from a security attack.

    Security service: A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

    SECURITY SERVICES

    The classification of security services is as follows:

    - Confidentiality: Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties (e.g., printing, displaying and other forms of disclosure).

    - Authentication: Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false.

    - Integrity: Ensures that only authorized parties are able to modify computer system assets and transmitted information. Modification includes writing, changing status, deleting, creating and delaying or replaying of transmitted messages.

    - Non-repudiation: Requires that neither the sender nor the receiver of a message be able to deny the transmission.

    - Access control: Requires that access to information resources may be controlled by or for the target system.

    - Availability: Requires that computer system assets be available to authorized parties when needed.

    Security Services (X.800)

    AUTHENTICATION

    The assurance that the communicating entity is the one that it claims to be.

    1. Peer Entity Authentication

    Used in association with a logical connection to provide confidence in the identity of the entities connected.

    2. Data Origin Authentication

    In a connectionless transfer, provides assurance that the source of received data is as claimed.

    ACCESS CONTROL

    The prevention of unauthorized use of a resource (i.e., this service controls who can have

    access to a resource, under what conditions access can occur, and what those accessing the

    resource are allowed to do).

    DATA CONFIDENTIALITY

    The protection of data from unauthorized disclosure.

    1. Connection Confidentiality

    The protection of all user data on a connection.

    2. Connectionless Confidentiality

    The protection of all user data in a single data block.

    3. Selective-Field Confidentiality

    The confidentiality of selected fields within the user data on a connection or in a single data block.

    4. Traffic Flow Confidentiality

    The protection of the information that might be derived from observation of traffic flows.

    DATA INTEGRITY

    1. Connection Integrity with Recovery

    Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.

    2. Connection Integrity without Recovery

    As above, but provides only detection without recovery.

    3. Selective-Field Connection Integrity

    Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.

    4. Connectionless Integrity

    Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.

    5. Selective-Field Connectionless Integrity

    Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.

    NONREPUDIATION

    Provides protection against denial by one of the entities involved in a communication of

    having participated in all or part of the communication.

    1. Nonrepudiation, Origin

    Proof that the message was sent by the specified party.

    2. Nonrepudiation, Destination

    Proof that the message was received by the specified party.

    SECURITY MECHANISMS

    One of the most specific security mechanisms in use is cryptographic techniques. Encryption or encryption-like transformations of information are the most common means of providing security. Some of the mechanisms are

    1. Encipherment

    Reversible Encipherment Mechanism

    It is an encryption algorithm that allows data to be encrypted and subsequently decrypted.

    Irreversible Encipherment Mechanism

    Irreversible mechanisms include hash algorithms and message authentication codes, which are used in digital signatures and message authentication applications.

    2. Digital Signature

    SECURITY ATTACKS

    Classifying the security attacks in terms of

    - Passive attacks

    - Active attacks

    Passive Attacks

    Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Passive attacks are of two types:

    1. Release of message contents: A telephone conversation, an e-mail message and a transferred file may contain sensitive or confidential information. We would like to prevent the opponent from learning the contents of these transmissions.

    2. Traffic analysis: If we had encryption protection in place, an opponent might still be able to observe the pattern of the messages. The opponent could determine the location and identity of the communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

    Passive attacks are very difficult to detect because they do not involve any alteration of the data. However, it is feasible to prevent the success of these attacks.

    Active Attacks

    These attacks involve some modification of the data stream or the creation of a false stream. These attacks can be classified into four categories:

    1. Masquerade: One entity pretends to be a different entity.

    2. Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

    3. Modification of messages: Some portion of a message is altered, or messages are delayed or reordered, to produce an unauthorized effect.

    4. Denial of service: Prevents or inhibits the normal use or management of communication facilities. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

    It is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communication facilities and paths at all times. Instead, the goal is to detect them and to recover from any disruption or delays caused by them.


    CLASSICAL ENCRYPTION TECHNIQUES

    Symmetric and public key algorithms

    Encryption/Decryption methods fall into two categories:

    - Symmetric key

    - Public key

    In symmetric key algorithms, the encryption and decryption keys are known to both sender and receiver. The encryption key is shared and the decryption key is easily calculated from it. In many cases, the encryption and decryption keys are the same.

    In public key cryptography, the encryption key is made public, but it is computationally infeasible to find the decryption key without the information known to the receiver.

    Some basic terminology used:

    plaintext - the original message

    ciphertext - the coded message

    cipher - algorithm for transforming plaintext to ciphertext

    key - info used in the cipher, known only to sender/receiver

    encipher (encrypt) - converting plaintext to ciphertext

    decipher (decrypt) - recovering plaintext from ciphertext

    cryptography - study of encryption principles/methods

    cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing the key

    cryptology - the field of both cryptography and cryptanalysis

    SYMMETRIC CIPHER MODEL

    Symmetric cipher model has 5 ingredients:

    1. Plaintext: the original message, fed into the algorithm as input

    2. Encryption Algorithm: performs substitutions/transformations on the plaintext

    3. Secret Key: the exact substitutions/transformations performed by the algorithm depend on the key

    4. Ciphertext: the scrambled message produced as output

    5. Decryption Algorithm: inverse of the encryption algorithm

    Referred to as conventional / private-key / single-key encryption:

    - sender and recipient share a common key

    - all classical encryption algorithms are private-key

    Two requirements for secure use of symmetric encryption:

    - A strong encryption algorithm

    - A secret key known only to sender / receiver

    Y = E_K(X)
    X = D_K(Y)

    Assume the encryption algorithm is known. This implies a secure channel to distribute the key.

    (Diagram: Refer Page No. 26 in Cryptography & Network Security by William Stallings, 3rd Edition)

    Plaintext X = [X1, X2, ..., XM], where M is the number of letters in the message.

    Key K = [K1, K2, ..., KJ]

    Ciphertext Y = [Y1, Y2, ..., YN]

    Y = E_K(X)

    To invert the transformation:

    X = D_K(Y)

    Cryptography

    Cryptographic systems are generally classified along 3 independent dimensions:

    1. Type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles:

    Substitution, in which each element in the plaintext is mapped into another element.

    Transposition, in which elements in the plaintext are rearranged.

    2. The number of keys used

    If the sender and receiver use the same key, it is said to be symmetric key (or single key, or conventional) encryption.

    If the sender and receiver use different keys, it is said to be public key encryption.

    3. The way in which the plaintext is processed

    A block cipher processes the input one block of elements at a time, producing an output block for each input block.

    A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.

    Cryptanalysis

    The process of attempting to discover X or K or both is known as cryptanalysis. The strategy used by the cryptanalyst depends on the nature of the encryption scheme and the information available to the cryptanalyst. There are various types of cryptanalytic attacks, based on the amount of information known to the cryptanalyst.

    - Ciphertext only: A copy of the ciphertext alone is known to the cryptanalyst.

    - Known plaintext: The cryptanalyst has a copy of the ciphertext and the corresponding plaintext.

    - Chosen plaintext: The cryptanalyst gains temporary access to the encryption machine. They cannot open it to find the key; however, they can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key.

    - Chosen ciphertext: The cryptanalyst obtains temporary access to the decryption machine, uses it to decrypt several strings of symbols, and tries to use the results to deduce the key.

    - Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

    SUBSTITUTION TECHNIQUES

    A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

    (i) Caesar cipher (or) shift cipher

    The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places further down the alphabet.

    Ex: Plaintext: pay more money

    Ciphertext: SDB PRUH PRQHB

    Note that the alphabet is wrapped around, so that the letter following z is a.

    For each plaintext letter p, substitute the ciphertext letter C such that

    C = E(p) = (p + 3) mod 26

    A shift may be of any amount, so the general Caesar algorithm is

    C = E(p) = (p + k) mod 26

    where k takes on a value in the range 1 to 25. The decryption algorithm is simply

    p = D(C) = (C - k) mod 26

    (ii) Monoalphabetic Cipher

    Shuffle the letters and map each plaintext letter to a different random ciphertext letter.

    Plain letters: abcdefghijklmnopqrstuvwxyz

    Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

    Plaintext: ifwewishtoreplaceletters

    Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

    Monoalphabetic Cipher Security

    Now we have a total of 26! ≈ 4 x 10^26 keys. With so many keys, it is secure against brute-force attacks.

    But it is not secure against some cryptanalytic attacks.

    The problem is language characteristics.

    Language Statistics and Cryptanalysis

    Human languages are not random.

    Letters are not equally frequently used.

    In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.

    Other letters like Z, J, K, Q, X are fairly rare.

    There are tables of single, double and triple letter frequencies for various languages.

    Relative frequency (%) of letters in a sample ciphertext:

    P 13.33    H 5.83    F 3.33    B 1.67    C 0.00
    Z 11.67    D 5.00    W 3.33    G 1.67    K 0.00
    S  8.33    E 5.00    Q 2.50    Y 1.67    L 0.00
    U  8.33    V 4.17    T 2.50    I 0.83    N 0.00
    O  7.50    X 4.17    A 1.67    J 0.83    R 0.00
    M  6.67
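The shift cipher, the general monoalphabetic substitution and the letter-frequency statistic above, implemented in Python as an added example (not code from the notes); caesar_alphabet, substitute and letter_frequencies are names chosen here, while the key alphabet and messages are the ones used in the notes.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def caesar_alphabet(k):
    """Cipher alphabet of the general Caesar cipher C = (p + k) mod 26:
    the plain alphabet rotated left by k places."""
    k %= 26
    return ALPHABET[k:] + ALPHABET[:k]


def substitute(text, cipher_alphabet, decrypt=False):
    """Monoalphabetic substitution: the plaintext letter at index i of the plain
    alphabet becomes the letter at index i of cipher_alphabet. Decryption uses
    the reverse mapping. Non-letters (spaces) pass through unchanged."""
    src, dst = ALPHABET, cipher_alphabet.lower()
    if decrypt:
        src, dst = dst, src
    table = dict(zip(src, dst))
    out = "".join(table.get(ch, ch) for ch in text.lower())
    # convention of the notes: ciphertext in upper case, plaintext in lower case
    return out.lower() if decrypt else out.upper()


def caesar_encrypt(text, k):
    return substitute(text, caesar_alphabet(k))


def caesar_decrypt(text, k):
    return substitute(text, caesar_alphabet(k), decrypt=True)


def caesar_brute_force(ciphertext):
    """Brute-force attack on the shift cipher: with only 25 usable keys the
    analyst decrypts under every key and looks for readable text."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def letter_frequencies(text):
    """Relative frequency (percent) of each letter, most common first; this is
    the statistic that defeats a monoalphabetic cipher despite its 26! keys."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    if not letters:
        return []
    counts = Counter(letters)
    return [(ch, round(100.0 * n / len(letters), 2)) for ch, n in counts.most_common()]


if __name__ == "__main__":
    print(caesar_encrypt("pay more money", 3))            # SDB PRUH PRQHB
    for k, guess in caesar_brute_force("SDB PRUH PRQHB").items():
        print(k, guess)                                   # k = 3 reads as English
    key_alphabet = "DKVQFIBJWPESCXHTMYAUOLRGZN"            # key alphabet from the notes
    ct = substitute("ifwewishtoreplaceletters", key_alphabet)
    print(ct, letter_frequencies(ct)[:3])
```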

    (iii) Playfair cipher

    The Playfair cipher is a multiple-letter encryption cipher.

    The Playfair algorithm is based on the use of a 5x5 matrix of letters constructed using a keyword. Let the keyword be monarchy. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetical order. The letters i and j count as one letter.

    Plaintext is encrypted two letters at a time according to the following rules:

    1. Repeating plaintext letters that would fall in the same pair are separated with a filler letter such as x.

    2. Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row following the last.

    3. Plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column following the last.

    4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter.

    M O N A   R
    C H Y B   D
    E F G I/J K
    L P Q S   T
    U V W X   Z

    Plaintext = meet me at the school house

    Splitting into two-letter units => me et me at th es ch ox ol ho us ex

    Corresponding ciphertext => CL KL CL RS PD IL HY AV MP HF XL IU
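Rules 1 to 4 and the monarchy matrix above, implemented as an added Python example (not the notes' own code); playfair_matrix, playfair_digraphs and the helper _transform are names chosen here, and the message is the one from the notes.

```python
ALPHA_NO_J = "abcdefghiklmnopqrstuvwxyz"   # i and j share one cell


def playfair_matrix(keyword):
    """5x5 matrix: keyword letters (duplicates dropped) left to right, top to
    bottom, then the remaining letters in alphabetical order."""
    cells = []
    for ch in keyword.lower() + ALPHA_NO_J:
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]


def playfair_digraphs(plaintext):
    """Split the message into letter pairs (rule 1): a repeated letter that
    would fall in the same pair is separated with the filler x, and an odd
    trailing letter is padded with x."""
    letters = [("i" if c == "j" else c) for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "x"
        if a == b:
            pairs.append(a + "x")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(pairs, keyword, step):
    """Apply rules 2-4 to each pair; step=+1 encrypts, step=-1 decrypts."""
    m = playfair_matrix(keyword)
    pos = {ch: (r, c) for r, row in enumerate(m) for c, ch in enumerate(row)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                       # rule 2: same row, move right (wrap)
            out.append(m[ra][(ca + step) % 5] + m[rb][(cb + step) % 5])
        elif ca == cb:                     # rule 3: same column, move down (wrap)
            out.append(m[(ra + step) % 5][ca] + m[(rb + step) % 5][cb])
        else:                              # rule 4: own row, other letter's column
            out.append(m[ra][cb] + m[rb][ca])
    return out


def playfair_encrypt(plaintext, keyword):
    return " ".join(_transform(playfair_digraphs(plaintext), keyword, 1)).upper()


def playfair_decrypt(ciphertext, keyword):
    letters = [c for c in ciphertext.lower() if c.isalpha()]
    pairs = [letters[i] + letters[i + 1] for i in range(0, len(letters), 2)]
    return "".join(_transform(pairs, keyword, -1))


if __name__ == "__main__":
    print(playfair_digraphs("meet me at the school house"))
    print(playfair_encrypt("meet me at the school house", "monarchy"))
    print(playfair_decrypt("CL KL CL RS PD IL HY AV MP FH XL IU", "monarchy"))
```

Applying rule 3 to the digraph ho, whose letters h and o share a column of the matrix, gives FH, so the tenth digraph of this function's output differs from the HF listed above.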

    Strength of playfair cipher

    The Playfair cipher is a great advance over simple monoalphabetic ciphers.

    Since there are 26 letters, 26 x 26 = 676 digrams are possible, so identification of individual digrams is more difficult.

    Frequency analysis is much more difficult.

    (iv) Polyalphabetic ciphers

    Another way to improve on the simple monoalphabetic technique is to use different monoalphabetic substitutions. The general name for this approach is polyalphabetic cipher. All the techniques have the following features in common:

    1. A set of related monoalphabetic substitution rules is used.

    2. A key determines which particular rule is chosen for a given transformation.

    (v) Vigenere cipher

    In this scheme, the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, e.g., the Caesar cipher with a shift of 3 is denoted by the key value 'd' (since a = 0, b = 1, c = 2 and so on). To aid in understanding the scheme, a matrix known as the Vigenere tableau is constructed.

    Vigenere tableau (rows: key letters, columns: plaintext letters)

           a b c d e f g h i j k ... x y z
        a  A B C D E F G H I J K ... X Y Z
        b  B C D E F G H I J K L ... Y Z A
        c  C D E F G H I J K L M ... Z A B
        d  D E F G H I J K L M N ... A B C
        e  E F G H I J K L M N O ... B C D
        f  F G H I J K L M N O P ... C D E
        g  G H I J K L M N O P Q ... D E F
        :  : : : : : : : : : : :     : : :
        x  X Y Z A B C D E F G H ... U V W
        y  Y Z A B C D E F G H I ... V W X
        z  Z A B C D E F G H I J ... W X Y

    Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left. A normal alphabet for the plaintext runs across the top.

    The process of encryption is simple:

    Given a key letter x and a plaintext letter y, the ciphertext is at the intersection of the row labeled x and the column labeled y; in this case, the ciphertext is V.

    To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword.

    e.g., key        = d e c e p t i v e d e c e p t i v e d e c e p t i v e

    Plaintext  = w e a r e d i s c o v e r e d s a v e y o u r s e l f

    Ciphertext = Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J

    Decryption is equally simple:

    The key letter again identifies the row. The position of the ciphertext letter in that row determines the column, and the plaintext letter is at the top of that column.

    Strength of Vigenere cipher

    - There are multiple ciphertext letters for each plaintext letter.

    - Letter frequency information is obscured.
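The tableau lookup, the repeating key stream and encryption/decryption described above, written out as an added Python example (not code from the notes); tableau_lookup, repeated_key and vigenere are names chosen here, while the key and message are those of the worked example.

```python
import string

A = string.ascii_lowercase


def tableau_lookup(key_letter, plain_letter):
    """One cell of the Vigenere tableau: row = key letter, column = plaintext
    letter. Row k is the Caesar alphabet with shift k, so the cell holds
    (p + k) mod 26, e.g. row x, column y -> V."""
    k, p = A.index(key_letter.lower()), A.index(plain_letter.lower())
    return A[(p + k) % 26].upper()


def repeated_key(key, length):
    """The key stream actually applied: the keyword repeated to cover the message."""
    key = "".join(ch for ch in key.lower() if ch in A)
    if not key:
        raise ValueError("key must contain at least one letter")
    return (key * (length // len(key) + 1))[:length]


def vigenere(text, key, decrypt=False):
    """Encrypt (upper-case output) or decrypt (lower-case output) the letters of
    text; non-letters are dropped. Decryption subtracts the key letter's shift,
    i.e. finds the column whose entry in the key row is the ciphertext letter."""
    letters = [ch for ch in text.lower() if ch in A]
    stream = repeated_key(key, len(letters))
    out = []
    for ch, k in zip(letters, stream):
        shift = A.index(k)
        out.append(A[(A.index(ch) + (-shift if decrypt else shift)) % 26])
    result = "".join(out)
    return result if decrypt else result.upper()


if __name__ == "__main__":
    print(tableau_lookup("x", "y"))                                  # V
    print(vigenere("wearediscoveredsaveyourself", "deceptive"))      # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(vigenere("ZICVTWQNGRZGVTWAVZHCQYGLMGJ", "deceptive", decrypt=True))
```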

    One Time Pad Cipher

    It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and 1s. This can be accomplished by writing all numbers in binary, for example, or by using ASCII. The key is a random sequence of 0s and 1s of the same length as the message. Once a key is used, it is discarded and never used again.

    The system can be expressed as follows:

    Ci = Pi ⊕ Ki

    Ci - ith binary digit of ciphertext
    Pi - ith binary digit of plaintext
    Ki - ith binary digit of key
    ⊕  - exclusive OR operation

    Thus the ciphertext is generated by performing the bitwise XOR of the plaintext and the key. Decryption uses the same key. Because of the properties of XOR, decryption simply involves the same bitwise operation:

    Pi = Ci ⊕ Ki

    e.g., plaintext  = 0 0 1 0 1 0 0 1
          key        = 1 0 1 0 1 1 0 0
          --------------------------
          ciphertext = 1 0 0 0 0 1 0 1

    Advantage:

    - The encryption method is completely unbreakable for a ciphertext-only attack.

    Disadvantages:

    - It requires a very long key which is expensive to produce and expensive to transmit.

    - Once a key is used, it is dangerous to reuse it for a second message; any knowledge of the first message would give knowledge of the second.
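The relation Ci = Pi ⊕ Ki, the 8-bit worked example, and the key-reuse disadvantage above, as an added Python example (not the notes' code); xor_bits, fresh_key, key_reuse_leak and the second message are constructed here for illustration.

```python
import secrets


def xor_bits(a, b):
    """Bitwise XOR of two equal-length strings of 0s and 1s."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be bit strings of the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(plain_bits, key_bits):
    """Ci = Pi xor Ki, bit by bit; the key must be exactly as long as the message."""
    return xor_bits(plain_bits, key_bits)


def otp_decrypt(cipher_bits, key_bits):
    """Pi = Ci xor Ki: the same operation with the same key undoes encryption."""
    return xor_bits(cipher_bits, key_bits)


def fresh_key(n_bits):
    """A new random key for each message, drawn from the OS entropy source."""
    return "".join(secrets.choice("01") for _ in range(n_bits))


def key_reuse_leak(cipher1, cipher2):
    """Why a key must never be reused: (P1 xor K) xor (P2 xor K) = P1 xor P2,
    so the key cancels and the XOR of the two plaintexts is exposed to anyone
    holding both ciphertexts, without K ever being known."""
    return xor_bits(cipher1, cipher2)


if __name__ == "__main__":
    p, k = "00101001", "10101100"                 # worked example from the notes
    c = otp_encrypt(p, k)
    print(c, otp_decrypt(c, k))                   # 10000101 00101001
    p2 = "11110000"                               # constructed second message, same key
    print(key_reuse_leak(c, otp_encrypt(p2, k)) == xor_bits(p, p2))   # True
```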

    TRANSPOSITION TECHNIQUES

    All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.

    Rail fence is the simplest such cipher, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.

    Plaintext = meet at the school house

    To encipher this message with a rail fence of depth 2, we write the message as follows:

    m e a t e c o l o s
     e t t h s h o h u e

    The encrypted message is MEATECOLOSETTHSHOHUE

    Row Transposition Ciphers - A more complex scheme is to write the message in a rectangle, row by row, and read the message off column by column, but permute the order of the columns. The order of the columns then becomes the key of the algorithm.

    e.g., plaintext = meet at the school house

    Key = 4 3 1 2 5 6 7

    PT  = m e e t a t t
          h e s c h o o
          l h o u s e

    CT = ESOTCUEEHMHLAHSTOETO

    A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed.
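Rail fence and row transposition as described above, as an added Python example (not code from the notes); it generalizes the rail fence to any depth (the zigzag row index), and the helper names and the depth-3 message in the test are chosen here.

```python
def _letters(text):
    return [c for c in text.lower() if c.isalpha()]


def _rail(i, depth):
    """Row of the i-th letter when writing a zigzag over `depth` rows
    (0, 1, ..., depth-1, depth-2, ..., 0, ...); with depth 2 it simply alternates."""
    if depth < 2:
        return 0
    period = 2 * (depth - 1)
    r = i % period
    return r if r < depth else period - r


def rail_fence_encrypt(plaintext, depth=2):
    """Write the letters along the diagonals, then read them off row by row."""
    rows = [[] for _ in range(depth)]
    for i, ch in enumerate(_letters(plaintext)):
        rows[_rail(i, depth)].append(ch)
    return "".join("".join(r) for r in rows).upper()


def rail_fence_decrypt(ciphertext, depth=2):
    """Rebuild the zigzag: the next len(row r) ciphertext letters fill row r."""
    text = ciphertext.lower()
    rails = [_rail(i, depth) for i in range(len(text))]
    out, pos = [""] * len(text), 0
    for r in range(depth):
        for i, rail in enumerate(rails):
            if rail == r:
                out[i] = text[pos]
                pos += 1
    return "".join(out)


def row_transposition_encrypt(plaintext, key):
    """Write the message row by row into len(key) columns, then read the columns
    in the order given by the key (the column whose key value is 1 first)."""
    letters = _letters(plaintext)
    ncols = len(key)
    columns = [letters[c::ncols] for c in range(ncols)]
    order = sorted(range(ncols), key=lambda c: key[c])
    return "".join("".join(columns[c]) for c in order).upper()


def row_transposition_decrypt(ciphertext, key):
    """Undo the column permutation; the column lengths follow from the message
    length because the last row of the rectangle may be incomplete."""
    text = ciphertext.lower()
    ncols, n = len(key), len(text)
    order = sorted(range(ncols), key=lambda c: key[c])
    lengths = [n // ncols + (1 if c < n % ncols else 0) for c in range(ncols)]
    columns, pos = [""] * ncols, 0
    for c in order:
        columns[c] = text[pos:pos + lengths[c]]
        pos += lengths[c]
    return "".join(columns[c][r] for r in range(max(lengths))
                   for c in range(ncols) if r < lengths[c])


def same_letter_counts(plaintext, ciphertext):
    """A pure transposition keeps the plaintext's letter frequencies exactly,
    which is how such a cipher is recognized."""
    return sorted(_letters(plaintext)) == sorted(_letters(ciphertext))


if __name__ == "__main__":
    msg = "meet at the school house"
    print(rail_fence_encrypt(msg))                                # MEATECOLOSETTHSHOHUE
    print(row_transposition_encrypt(msg, [4, 3, 1, 2, 5, 6, 7]))  # ESOTCUEEHMHLAHSTOETO
    print(same_letter_counts(msg, rail_fence_encrypt(msg)))       # True
```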

    Rotor Machine

    - 1920s: mechanical devices used for automating encryption

    - set of independently rotating cylinders through which electrical pulses flow

    - each cylinder has an input and output pin for each letter of the alphabet

    - implements a version of the Vigenère cipher

    - each rotor implements a substitution cipher

    - output of each rotor is fed into the next rotor

    Steganography

    The methods of steganography conceal the existence of the message.

    It is time-consuming to construct.

    Other techniques:

    Character Marking

    Selected letters of printed or typewritten text are overwritten in pencil.

    Invisible Ink

    A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.

    Pin Punctures

    Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.

    Typewriter correction ribbon

    Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.

    Block Cipher Principles

    Stream Ciphers and Block Ciphers

    A stream cipher, such as the Vigenère cipher, encrypts one letter at a time.

    A block cipher, such as the Hill cipher, treats an n-letter block of plaintext as a whole and produces a ciphertext block of equal length.

    Motivation for the Feistel Cipher Structure

    - most symmetric block ciphers are based on a Feistel cipher structure

    - needed since we must be able to decrypt ciphertext to recover messages efficiently

    - block ciphers look like an extremely large substitution

    - would need a table of 2^64 entries for a 64-bit block

    - instead create from smaller building blocks

    - using the idea of a product cipher

    (Figure: General n-bit to n-bit Block Substitution)

    Feistel Cipher

    Feistel proposed the use of a cipher that alternates substitutions and permutations. This is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.

    Confusion: In Shannon's original definitions, confusion makes the relation between the key and the ciphertext as complex as possible.

    Diffusion: Diffusion refers to the property that the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.

    Feistel Cipher Structure

    Horst Feistel devised the Feistel cipher:

    - based on the concept of an invertible product cipher

    - partitions the input block into two halves

    - processes them through multiple rounds which perform a substitution on the left data half based on a round function of the right half and a subkey, and then have a permutation swapping the halves

    - implements Shannon's S-P net concept

    (Figure: Classical Feistel Network)

    The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation network.

    The input to a Feistel network is a plaintext block of n bits and a key K. The plaintext block is divided into two halves, L0 and R0.

    The two halves of the data pass through r rounds of processing and then combine to produce the ciphertext block.

    Each round i has as input L_{i-1} and R_{i-1}, derived from the previous round, as well as a subkey Ki, derived from the overall key K.

    In general, the subkeys Ki are different from K and from each other.

    In this structure, a substitution is performed via the round function F, and a permutation is performed that interchanges the two halves of the data.

    The exact realization of a Feistel network depends on the choices of the following

    parameters and design features.

    Parameters

    Block size: Larger block size means greater security, but reduces encryption/decryption

    speed.

    Key size: Larger key size means greater security but may decrease encryption/decryption

    speed.

    Number of rounds: Multiple rounds offer increasing security.

    Subkey generation algorithm: Greater complexity in subkey generation leads to greater

    security.

    Round function: Greater complexity in round function means greater difficulty of

    cryptanalysis.

    Design Features

    Fast Software encryption/decryption

    Ease of analysis

    Feistel Decryption Algorithm

    (Figure: Feistel Encryption and Decryption)

    The process of decryption with a Feistel network is essentially the same as the encryption process, using the ciphertext as input to the network but using the subkeys Ki in reverse order, as shown in the above figure. The reason is explained as follows. Let us consider the last step in encryption, which gives

    LE16 = RE15                         (1)

    RE16 = LE15 ⊕ F(RE15, K16)          (2)

    On the decryption side,

    LD1 = RD0 = LE16 = RE15

    RD1 = LD0 ⊕ F(RD0, K16)
        = RE16 ⊕ F(RE15, K16)
        = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
        = LE15

    The process can be done iteratively. Finally, we will see that the output of the decryption is the same as the input to the encryption (i.e., the original plaintext).
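A toy Feistel network, as an added Python example (not the notes' code), with 8-bit halves and a round function and subkey schedule assumed here only for illustration (not DES's); it records every (L_i, R_i) state so the identity LD1 = RE15, RD1 = LE15 derived above can be checked on real values, and counts changed ciphertext bits to measure the avalanche effect.

```python
HALF = 0xFF          # toy cipher: 16-bit block split into two 8-bit halves


def round_function(r, k):
    """Assumed toy round function F(R, K) on an 8-bit half (not DES's
    expansion/S-box/P-box). It need not be invertible: the Feistel structure
    is invertible whatever F is, which is the point of the derivation above."""
    x = (r ^ k) & HALF
    x = ((x << 3) | (x >> 5)) & HALF               # rotate left by 3
    return (x ^ ((x * 0x1D) & HALF) ^ (x >> 1)) & HALF


def subkeys(key, rounds):
    """Assumed toy subkey schedule: one 8-bit Ki per round from the 16-bit key."""
    return [((key >> (i % 9)) ^ (0x5A * (i + 1))) & HALF for i in range(rounds)]


def feistel_rounds(block, keys):
    """Run the rounds L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) and
    return every intermediate state [(L0, R0), (L1, R1), ..., (Lr, Rr)]."""
    left, right = block >> 8, block & HALF
    states = [(left, right)]
    for k in keys:
        left, right = right, left ^ round_function(right, k)
        states.append((left, right))
    return states


def feistel(block, keys):
    """Encrypt with the subkeys in order, or decrypt by passing them reversed.
    The final swap (output = R_r || L_r, as in DES's 32-bit swap) is what lets
    the same routine serve for both directions."""
    left, right = feistel_rounds(block, keys)[-1]
    return (right << 8) | left


def avalanche_bits(block, keys, bit):
    """Number of ciphertext bits that change when one plaintext bit is flipped."""
    c1 = feistel(block, keys)
    c2 = feistel(block ^ (1 << bit), keys)
    return bin(c1 ^ c2).count("1")


if __name__ == "__main__":
    ks = subkeys(0xBEEF, 16)                        # 16 rounds, as in DES
    pt = 0x1234
    ct = feistel(pt, ks)
    enc, dec = feistel_rounds(pt, ks), feistel_rounds(ct, ks[::-1])
    print(hex(ct), hex(feistel(ct, ks[::-1])))       # ... 0x1234
    # first decryption round recovers the inputs of the last encryption round:
    print(dec[1] == (enc[15][1], enc[15][0]))         # LD1 == RE15, RD1 == LE15
    print(avalanche_bits(pt, ks, 0))                  # bits changed by flipping bit 0
```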

    Data Encryption Standard (DES)

    - most widely used block cipher in the world

    - adopted in 1977 by NBS (now NIST) as FIPS PUB 46

    - encrypts 64-bit data using a 56-bit key

    - has widespread use

    - there has been considerable controversy over its security

    The following topics are covered

    1. DES Encryption

       a. Initial Permutation

       b. Details of a Single Round

       c. Key Generation

    2. DES Decryption

    3. The Avalanche Effect

    DES Encryption

    Initial Permutation (IP):

    > The plaintext block undergoes an initial permutation: the 64 bits of the block are permuted.

    A Complex Transformation:

    > The 64-bit permuted block undergoes 16 rounds of complex transformation (using subkeys).

    32-bit swap:

    > The 32-bit left and right halves of the output of the 16th round are swapped.

    Inverse Initial Permutation (IP-1):

    > The 64-bit output undergoes a permutation that is the inverse of the initial permutation.

    > The 64-bit output is the ciphertext.

    The complex processing at each iteration/round:

    Li = Ri-1

    Ri = Li-1 ⊕ F(Ri-1, Ki)

    Details of function F:

    It takes a 32-bit input and produces a 32-bit output.

    > The 32-bit input is expanded into 48 bits. This is done by permuting and duplicating some bits of the 32 bits.

    > An exclusive OR operation is performed between these 48 bits and the 48-bit subkey.

    > The 48-bit output of the exclusive OR operation is grouped into 8 groups of 6 bits each.

    > Each 6-bit group is fed into a 6-to-4 substitution box that transforms 6 bits to 4 bits.

    > The 32-bit output of the 8 substitution boxes is fed into a permutation box.

    > The 32-bit output of the permutation box is F(Ri-1, Ki).

    Concerns about:

    The key length (56-bits)

    > The 56-bit key was adequate in the 70s.

    > With faster processors, this encryption method is no longer safe.

    DES Decryption

    Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.

    The Avalanche Effect

    A change in one bit of the plaintext or one bit of the key should produce a change in

    many bits of the ciphertext.

    Block Cipher Design Principles

    DES Design Criteria

    Criteria for S-box

    1. No output bit of any S-box should be too close to a linear function of the input bits.

    2. Each row of an S-box should include all 16 possible output bit combinations.

    3. If 2 inputs to an S-box differ in exactly 1 bit, the outputs differ in at least 2 bits.

    4. If 2 inputs to an S-box differ in exactly the 2 middle bits, the outputs differ in at least 2 bits.

    5. If 2 inputs to an S-box differ in their first 2 bits and are identical in their last 2 bits, the 2 outputs must not be the same.

    Criteria for P-box

    1. Of the 4 output bits from each S-box at round i, 2 of them affect the middle bits of round (i+1) and the other 2 affect the end bits. The 2 middle bits of the input to an S-box are not shared with adjacent S-boxes. The end bits (2 left-hand bits and 2 right-hand bits) are shared with adjacent S-boxes.

    2. The 4 output bits from each S-box affect 6 different S-boxes on the next round. No 2 affect the same S-box.

    3. For 2 S-boxes j, k: if an output bit from Sj affects a middle bit of Sk on the next round, then an output bit from Sk cannot affect a middle bit of Sj. This includes the case j = k.

    Number of Rounds

    The greater the number of rounds, the more difficult it is to perform cryptanalysis.

    Known cryptanalytic efforts should require more effort than a simple brute-force key search attack.

    Design of Function F

    Design Criteria for F

    The function F provides the confusion in a Feistel cipher.

    It should be difficult to unscramble the substitution performed by F; therefore F must be nonlinear.

    Strict Avalanche Criterion (SAC)

    Any output bit j of an S-box should change with probability when any single input bit i is inverted, for all i, j.

    Bit Independence Criterion (BIC)

    Output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.


    S-Box Design

    Guaranteed Avalanche(GA)

    An S-box satisfies GA of order if, for a 1-bit input change, at least output bits change.

    S-box design suggests the following approaches:

    Random: use random digits to generate the entries in the S-box.

    Random with testing: choose S-box entries randomly, then test the results against various criteria and throw out those that do not pass.

    Human-made: a manual approach with simple mathematics to support it.

    Math-made: generate S-boxes according to mathematical principles.
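The "random with testing" approach needs exactly the kind of checker sketched here. This is an added example, not part of the notes: it tests DES S-box S1 (values copied from the FIPS 46 table) against criteria 2 to 5 listed under "Criteria for S-box" and measures how far it is from the Strict Avalanche Criterion; the function names are my own.

```python
# DES S-box S1 as the 4x16 table from FIPS 46 (row = outer bits b1b6, column = b2b3b4b5).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
# Input bit positions used below: b1 = bit 5 ... b6 = bit 0 of the 6-bit integer.

def sbox(table, x):
    row = ((x >> 5) & 1) << 1 | (x & 1)   # b1 b6
    col = (x >> 1) & 0xF                  # b2 b3 b4 b5
    return table[row][col]

def _dist(a, b):
    return bin(a ^ b).count("1")          # Hamming distance between two 4-bit outputs

def rows_are_permutations(table):
    # Criterion 2: every row holds each of the 16 output values exactly once.
    return all(sorted(row) == list(range(16)) for row in table)

def min_output_distance(table, mask):
    # Smallest output distance over all input pairs (x, x ^ mask).
    return min(_dist(sbox(table, x), sbox(table, x ^ mask)) for x in range(64))

def meets_single_bit_criterion(table):
    # Criterion 3: one input bit flipped -> at least two output bits change.
    return all(min_output_distance(table, 1 << i) >= 2 for i in range(6))

def meets_middle_bits_criterion(table):
    # Criterion 4: exactly the two middle bits (b3, b4) flipped -> at least two output bits change.
    return min_output_distance(table, 0b001100) >= 2

def meets_first_two_bits_criterion(table):
    # Criterion 5: first two bits differ, last two equal, middle two arbitrary -> outputs differ.
    return all(sbox(table, x) != sbox(table, x ^ 0b110000 ^ (mid << 2))
               for x in range(64) for mid in range(4))

def sac_bias(table):
    # Strict Avalanche Criterion: output bit j should flip with probability 1/2 when input bit i
    # is flipped; returns the worst deviation from 1/2 over all (i, j). DES boxes only approximate it.
    worst = 0.0
    for i in range(6):
        for j in range(4):
            flips = sum((sbox(table, x) ^ sbox(table, x ^ (1 << i))) >> j & 1 for x in range(64))
            worst = max(worst, abs(flips / 64 - 0.5))
    return worst
```

A table built from "ascending values per row" passes criterion 2 but fails criterion 3, which is why the testing step matters.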

    Key Schedule Algorithm

    The key schedule algorithm has received less attention than S-box design.

    Its purpose is to generate one subkey for each round.

    Block Cipher Modes of Operations

    Block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key.

    A way to use them in practice is needed, since there is usually an arbitrary amount of information to encrypt.

    Four modes were defined for DES in ANSI standard ANSI X3.106-1983, Modes of Use; subsequently there are now 5 for DES and AES.

    There are block and stream modes.

    The five modes are:

    1. Electronic Codebook Mode (ECB)

    2. Cipher Block Chaining Mode (CBC)

    3. Cipher Feedback Mode (CFB)

    4. Output Feedback Mode (OFB)

    5. Counter Mode (CTR)

    Electronic Codebook Mode(ECB)

    Plaintext is handled 64 bits at a time.

    Each block is encrypted using the same key.

    If a message is longer than 64 bits, the procedure is to break the message into 64-bit blocks, padding the last block if necessary.

    Decryption is performed one block at a time, using the same key.

    Advantage:

    Suitable for transmitting a DES key securely.

    Disadvantage:

    If the same 64-bit block of plaintext appears more than once in the message, it always produces the same ciphertext.

    For lengthy messages, ECB mode may not be secure.

    Cipher Block Chaining Mode(CBC)

    To overcome the security deficiencies of ECB, the same plaintext block, if repeated, should produce different ciphertext blocks. CBC mode is used to satisfy this requirement.

    The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.

    The same key is used for each block.

    For decryption, each cipher block is passed through the decryption algorithm.

    The result is XORed with the preceding ciphertext block to produce the plaintext block.


    Cipher Feedback Mode

    The message is treated as a stream of bits. If a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher.

    The unit of transmission is s bits (s = 8 for a character stream).

    Errors propagate for several blocks after the error.


    Encryption:

    A 64-bit shift register is initialized with the initialization vector IV.

    The leftmost s bits of the output of the encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1.

    The contents of the shift register are shifted left by s bits and C1 is placed in the rightmost s bits.

    Decryption:

    The same scheme is used, except that the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit.

    With Ss denoting selection of the leftmost s bits:

    C1 = P1 ⊕ Ss(Ek(IV))

    P1 = C1 ⊕ Ss(Ek(IV))
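To make the ECB, CBC and CFB descriptions above concrete, here is an added example that is not from the notes: it implements the three modes over a constructed 64-bit toy Feistel cipher whose round function is a SHA-256-based keyed hash. The toy cipher, its key schedule (subkey = key || round number) and all function names are assumptions standing in for DES, and ECB/CBC input is assumed already padded to a multiple of 8 bytes. It shows the repeated-block leak of ECB, that CBC hides it, and that 8-bit CFB decrypts with the encryption function only.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(subkey: bytes, half: bytes) -> bytes:
    # Round function F(R_{i-1}, K_i): a keyed hash stands in for DES's E/S-box/P network.
    return hashlib.sha256(subkey + half).digest()[:4]

def toy_cipher(key: bytes, block: bytes, decrypt: bool = False, rounds: int = 4) -> bytes:
    # Feistel round: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i), subkey K_i = key||i.
    # Decryption is the same algorithm with the subkeys applied in reverse order.
    l, r = block[:4], block[4:]
    for i in (reversed(range(rounds)) if decrypt else range(rounds)):
        l, r = r, _xor(l, _f(key + bytes([i]), r))
    return r + l  # final swap, as in DES

def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "caller pads to a multiple of the block size"
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_cipher(key, p) for p in _blocks(pt))  # C_i = E_k(P_i)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_cipher(key, _xor(p, prev))  # C_i = E_k(P_i XOR C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_cipher(key, c, decrypt=True), prev))  # P_i = D_k(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)

def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # 8-bit CFB: C_i = P_i XOR S_8(E_k(reg)); the 64-bit register then shifts left by 8 bits
    # and takes the ciphertext byte on the right. Decryption reuses E_k; only the feedback differs.
    reg, out = iv, bytearray()
    for b in data:
        out.append(b ^ toy_cipher(key, reg)[0])
        reg = reg[1:] + bytes([b if decrypt else out[-1]])  # feed the ciphertext byte back
    return bytes(out)
```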


    Output Feedback Mode

    The OFB mode is similar to CFB, except that it is the output of the encryption function (not the ciphertext) that is fed back to the shift register.

    Advantages:

    o Bit errors in transmission do not propagate.

    o Ex: If a bit error occurs in C1, only the recovered value of P1 is affected; subsequent plaintext units are not corrupted.

    Disadvantage:

    More vulnerable to a message stream modification attack than CFB.

    Counter Mode

    A counter equal in size to the plaintext block is used.

    The counter value must be different for each plaintext block that is encrypted. The counter is initialized to some value and then incremented by 1 for each subsequent block.

    Advantages

    Hardware efficiency

    Software efficiency

    Preprocessing

    Random access

    Provable security

    Simplicity

    Evaluation Criteria for AES

    The Origins of AES

    It was clear that a replacement for DES was needed:

    the key size is too small

    the variants are just patches

    Triple-DES can be used, but it is slow and has small blocks

    US NIST issued a call for ciphers in 1997

    15 candidates were accepted in June 1998

    5 were shortlisted in August 1999

    AES Evaluation

    Initial criteria:

    security: effort for practical cryptanalysis

    cost: in terms of computational efficiency

    algorithm & implementation characteristics

    Final criteria:

    general security

    ease of software & hardware implementation

    restricted-space environments

    attacks on implementations

    encryption versus decryption

    key agility

    flexibility

    potential for instruction-level parallelism

    AES Cipher: Rijndael

    Rijndael was selected as the AES in October 2000

    issued as FIPS PUB 197 standard in November 2001

    designed by Joan Daemen and Vincent Rijmen in Belgium

    has 128/192/256-bit keys, 128-bit data

    an iterative rather than Feistel cipher

    processes data as a block of 4 columns of 4 bytes

    operates on the entire data block in every round

    Characteristics:

    resistant against known attacks

    speed and code compactness on many CPUs

    design simplicity


    1. AES is not a Feistel structure; it processes the entire data block in parallel during each round using substitution and permutation.

    2. The key that is provided as input is expanded into an array of 44 32-bit words.

    3. Four different stages are used (1 permutation, 3 substitutions):

        1. Substitute Bytes (SB): uses an S-box to perform substitution.

        2. Shift Rows (SR): a simple permutation.

        3. Mix Columns (MC): a substitution that makes use of arithmetic over GF(2^8).

        4. Add Round Key (ARK): a bitwise XOR of the current block with a portion of the expanded key.

    4. The structure is simple. Both encryption and decryption begin with an Add Round Key stage, followed by 9 rounds of 4 stages each; the 10th round has 3 stages.

    5. Only the Add Round Key stage makes use of the key; it is in effect a Vernam cipher. The other stages (which do not use the key) provide confusion, diffusion and nonlinearity.

    6. Each stage is reversible.

    7. The decryption algorithm makes use of the expanded key in reverse order.

    8. Since all 4 stages are reversible, it is easy to verify that decryption recovers the plaintext.

    9. The final round of both encryption and decryption consists of only 3 stages.

    Substitute Bytes (SB)

    A simple substitution of each byte.

    Uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values.

    Each byte of state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits), e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}.

    S-box construction:

    Initialize the S-box with the byte values in ascending sequence row by row.

    Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8).

    Each byte in the S-box consists of 8 bits labeled (b7, b6, ..., b0).

    Shift Rows Transformation

    A circular byte shift in each row:

    1st row is unchanged

    2nd row does a 1-byte circular shift to the left

    3rd row does a 2-byte circular shift to the left

    4th row does a 3-byte circular shift to the left

    Mix Columns

    each column is processed separately

    each byte is replaced by a value dependent on all 4 bytes in the column

    effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1


    Add Round Key

    The 128 bits of state are bitwise XORed with the 128 bits of the round key.

    The operation is viewed as a column-wise operation between the 4 bytes of a State column and one word of the round key.

    Triple DES

    - In DES, it is possible to perform a brute force attack.

    - One alternative is to design a new algorithm.

    - Another alternative is to use multiple encryptions with multiple keys.

    Double DES

    Consider 2-DES with two keys:

    C = EK2(EK1(P))

    Decryption: P = DK1(DK2(C))

    Key length: 56 x 2 = 112 bits

    Meet-in-the-Middle Attack on 2DES

    2-DES: C = EK2(EK1(P))

    So, X = EK1(P) = DK2(C)

    Given a known pair (P, C), attack as follows:

    Encrypt P with all 2^56 possible keys for K1.

    Decrypt C with all 2^56 possible keys for K2.

    If EK1(P) = DK2(C), try the keys on another (P, C).

    If that works, the candidate pair is the true (K1, K2) with high probability.

    Takes O(2^56) steps; not much more than attacking 1-DES.
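An added illustration (not from the notes) of the meet-in-the-middle argument above, to show why doubling the key does not double the work for an attacker: a constructed toy cipher with 8-bit keys and 8-bit blocks (a seeded permutation table standing in for DES) is applied twice, and the known-pair search recovers (K1, K2) with 2 x 2^8 cipher operations rather than 2^16; the toy cipher and all function names are assumptions.

```python
import random

KEY_BITS, BLOCK_BITS = 8, 8   # toy sizes; DES has 56-bit keys and 64-bit blocks

def _perm(key):
    # Constructed toy block cipher: each key selects a fixed pseudo-random permutation of the
    # 256 block values (a lookup table stands in for DES). Only the size of the key space matters here.
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table

TABLES = [_perm(k) for k in range(1 << KEY_BITS)]
INVERSE = [{c: p for p, c in enumerate(t)} for t in TABLES]

def E(k, p):
    return TABLES[k][p]

def D(k, c):
    return INVERSE[k][c]

def double_encrypt(k1, k2, p):
    return E(k2, E(k1, p))        # 2-DES style: C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    # pairs: known (P, C) values under the same (K1, K2). Returns (candidate key pairs, work),
    # where work counts E/D calls in the table-building phase: 2 * 2^KEY_BITS, not 2^(2*KEY_BITS).
    (p0, c0), *rest = pairs
    forward = {}
    for k1 in range(1 << KEY_BITS):           # X = E_K1(P0) for every K1
        forward.setdefault(E(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):           # X = D_K2(C0) for every K2; a hit means E_K1(P0) = D_K2(C0)
        candidates += [(k1, k2) for k1 in forward.get(D(k2, c0), [])]
    work = 2 * (1 << KEY_BITS)
    # An 8-bit block leaks little per pair, so many false candidates survive the first pair;
    # the remaining known pairs weed them out ("try the keys on another (P, C)").
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, p) == c for p, c in rest)]
    return survivors, work
```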

    Triple DES with Two Keys

    A straightforward implementation would be:

    C = EK1(EK2(EK1(P)))

    In practice: C = EK1(DK2(EK1(P)))

    Also referred to as EDE encryption.

    Reason: if K1 = K2, then 3DES = 1DES. Thus, 3DES software can be used as single DES.

    Standardized in ANSI X9.17 & ISO 8732.


    Triple DES with Three Keys

    Encryption: C = EK3(DK2(EK1(P)))

    If K1 = K3, we have 3DES with 2 keys.

    If K1 = K2 = K3, we have regular DES.

    So, 3DES with 3 keys is backward compatible with 3DES with 2 keys and with regular DES.

    Placement of Encryption Function

    Points of Vulnerability

    Adversary can eavesdrop from a machine on the same LAN

    Adversary can eavesdrop by dialing into the communication server

    Adversary can eavesdrop by gaining physical control of part of the external links:

    - twisted pair, coaxial cable, or optical fiber

    - radio or satellite links


    Confidentiality using Symmetric Encryption

    There are two major placement alternatives:

    Link encryption

    Encryption occurs independently on every link, so all traffic over all communication links is secured.

    This implies that traffic must be decrypted between links, because the switch must read the address in the packet header.

    Each pair of nodes shares a unique key, with a different key used on each link, so many keys are required.

    The message is vulnerable at each switch.

    If working with a public network, the user has no control over the security of the nodes.

    End-to-end encryption

    Encryption occurs between the original source and the final destination.

    Devices with shared keys are needed at each end.

    Secures the transmission against attacks on the network links or switches.


    End-to-end principle

    What part of each packet will the host encrypt: the header or the user data?

    Provides a degree of authentication, since only the alleged sender shares the relevant key.

    Placement of Encryption

    The encryption function can be placed at various layers in the OSI Reference Model:

    link encryption occurs at layers 1 or 2

    end-to-end encryption can occur at layers 3, 4, 6 or 7

    If encryption is moved toward a higher layer, less information is encrypted but it is more secure; application-layer encryption is more complex, with more entities and more keys needed.


    Scope of Encryption

    Monitoring of communications flows between parties (traffic analysis) is useful in both military and commercial spheres, and can also be used to create a covert channel.

    Link encryption obscures header details, but overall traffic volumes in networks and at end-points are still visible; traffic padding can further obscure flows, but at the cost of continuous traffic.

    When using end-to-end encryption, headers must be left in the clear so the network can route the information correctly; hence although contents are protected, traffic pattern flows are not.

    Ideally both are wanted at once: end-to-end encryption protects data contents over the entire path and provides authentication, while link encryption protects traffic flows from monitoring.


    Traffic Confidentiality

    From a traffic analysis attack, the following types of information can be derived:

    - Identities of partners

    - How frequently the partners are communicating

    - Message pattern, message length or quantity of messages being exchanged

    - The events that correlate with special conversations between particular partners

    Traffic patterns can also be used to create a covert channel. A covert channel is a means of communication in a fashion unintended by the designers of the communications facility.

    Link Encryption Approach

    - Network-layer headers are encrypted, reducing the opportunity for traffic analysis.

    - It is still possible for an attacker to assess the amount of traffic on a network and to observe the amount of traffic entering and leaving each end system.

    - Traffic padding produces ciphertext output continuously, even in the absence of plaintext: a continuous random data stream is generated.

    - When plaintext is present, it is encrypted and transmitted.

    - When plaintext is not present, random data is encrypted and transmitted.

    End-to-End Encryption Approach

    - With end-to-end encryption, the measures available to the defender are more limited.

    - If encryption is implemented at the application layer, then the opponent can determine which transport entities are engaged in dialogue.

    - If encryption is at the transport layer, then network-layer addresses and traffic patterns remain accessible.