Cryptography - Fix IT for Me.Net Study Guide/Cryptography...
Cryptography

Block Cipher – Breaks the plaintext into blocks and encrypts each with the same algorithm

Cipher – Cryptographic transformation that operates on characters or bits

Ciphertext or Cryptogram – unintelligible message

Clustering – plaintext message generates identical ciphertext using the same algorithm but different keys

Codes – A cryptographic transformation that operates at the word or phrase level

Cryptanalysis – act of obtaining plaintext or key from ciphertext. It is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient.

Cryptographic Algorithm – Step-by-step procedure used to encipher plaintext and decipher ciphertext

Cryptography – Art and Science of hiding the meaning of communication

Cryptology – encompasses cryptography and cryptanalysis

Cryptosystem – set of transformations from message space to ciphertext space; a system that provides encryption and decryption. A strong cryptosystem has a large keyspace (the entire keyspace is available to choose values from) and a reasonably large unicity distance.

Strength of cryptosystem: An algorithm with no flaws, a large key, using all possible values within a key space and protecting the actual key are important elements of encryption. If one is weak it affects the whole process.

Cryptoperiod – period for which the same key is used.

Decipher – to undo the cipherment process

Encipher – to make a message unintelligible to all except the recipient

End-to-end encryption – Encrypted information that is sent from sender to receiver; refers to the protection of data from the originating host all the way to the final destination host with no unprotected transmission points. In a complex environment, end-to-end encryption is provided at the presentation or application layer.

Encryption (Encipher) is the transformation of data into a form that is as close to impossible as possible to read without the appropriate knowledge (a key). Its purpose is to ensure privacy by keeping information hidden from anyone for whom it is not intended, even those who have access to the encrypted data.

Decryption (Decipher) is the reverse of encryption; it is the transformation of encrypted data back into an intelligible form.

Exclusive OR (XOR)
- Boolean operation, indicated by the symbol ⊕
- Easily implemented in hardware
- 0+0=0, 0+1=1, 1+0=1, 1+1=0

Input A   Input B   Output T
0         0         0
0         1         1
1         0         1
1         1         0

- XOR operates on the bit level
- XOR the plaintext (byte level) with the keystream source
- Can be reversed by a simple XOR of the output with the keystream
- A XOR B = T
- T XOR B = A

Key (cryptovariable) – Information or sequence that controls enciphering and deciphering of a message

Plaintext – a message in clear text

Steganography
- Secret communication of a message where the communication itself is hidden
- Example – the least significant bit of each pixel in an image file contains a bit of the message
- Hides the existence of the message
- A digital watermark would be used to detect copying of digital images

Work Function (Factor)
- Difficulty in recovering plaintext from ciphertext as a factor of time and cost
- System security is directly proportional to the work function
- Work function should be commensurate with the value of the data

Security of cryptosystem should depend ONLY on the secrecy of keys and not on algorithm

History of Cryptography

Traced back to the Egyptians in 3000 B.C.

Scytale
- Used by Spartans in 400 B.C. – wrap the message around a wooden dowel
- Diameter and length are the keys to the cipher

Caesar cipher
- Monoalphabetic substitution – only one alphabet used
- Specifically, involved shifting the alphabet three letters
- Known as C3 (Caesar shift 3 places)

Cipher Disks
- Two concentric disks with letters on the edge
- Can be used to match up letters

Arabs invented cryptanalysis
- Arab philosopher al-Kindi wrote Manuscript on Deciphering Cryptographic Messages

Thomas Jefferson – disks
- 1790: developed a device with 26 disks that could be rotated individually
- The message would be assembled by lining up the disks to the alignment bar
- Then the bar was rotated a given angle and the resulting letters were the ciphertext
- The angle of rotation of the alignment bar was the key

Disks used extensively during the civil war


UNIX – ROT13 shift the alphabet 13 places

Hagelin Machine
- Developed in 1920 by Boris Hagelin – Stockholm, Sweden
- Known as the M-209 in the US

1920s: Herbert O. Yardley was in charge of U.S. MI-8 (a.k.a. the Black Chamber)
- Cracked codes of a number of nations
- Gave the U.S. an edge in Japanese negotiations in 1921-1922
- U.S. State Department shut down MI-8
- Upset, Yardley published the book The American Black Chamber in 1931
- Japanese got new codes
- Yardley is the father of American cryptology

William Frederick Friedman published The Index of Coincidence and Its Applications in Cryptography. He is referred to as the “father of modern cryptography”.

Japanese Purple Machine
- After Yardley, William Friedman resumed cryptanalysis for the U.S. Army
- Broke the new Japanese cipher
- U.S. Navy broke the Purple Machine naval codes during World War II

German Enigma Machine
- Polyalphabetic substitution cipher using mechanical rotors
- Developed in 1919 by Dutchman Arthur Scherbius, who obtained a US patent for a Berlin firm
- Polish cryptanalysts broke the three-ring system with a card file of all 6 x 17,576 possible rotor positions
- In 1938 the Germans went to six rings
- In 1938 the Poles and French developed the “Bombe”, their own Enigma machine
- The British took over in 1940 and by 1943 the British and US had a high-speed “bombe”
- Disks have 26 contacts on each side; to communicate with each neighboring disk, one of them makes contact with the other disk
- Also rotates the disks after encryption of each letter
- Rotates the next highest rotor like a “gas pump” – polyalphabetic
- Other rotor machines – German Enigma, Japanese Red, Japanese Purple and American SIGABA “Big Machine”

Vigenere Polyalphabetic Cipher
- Caesar is a subset of the Vigenere polyalphabetic cipher
- Vigenere used 26 alphabets
- Each letter of the message corresponds to a different alphabet
- Subject to guessing the period, when the alphabet changes

Modulo returns the remainder over the modulo value.

C = (M + b) mod N

where C = ciphertext, M = message, b = fixed integer, N = size of the alphabet

Caesar monoalphabetic can be attacked by using frequency analysis. A polyalphabetic cipher is accomplished through the use of multiple substitutions: it counters frequency analysis but can be attacked by discovery of the period.
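The shift formula C = (M + b) mod N carried through in code, as an added example that is not part of the study guide: a fixed b gives Caesar (C3 when b = 3), a repeating sequence of shifts gives Vigenere, and a letter count on a constructed sample shows why the monoalphabetic case falls to frequency analysis while the polyalphabetic case spreads the peak over several letters.

```python
# Added example (not from the study guide): C = (M + b) mod N per letter,
# generalised from one fixed shift (Caesar) to a repeating key of shifts
# (Vigenere), plus a letter-frequency check on the ciphertext.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)  # N in the guide's formula: size of the alphabet


def shift_letter(letter: str, b: int) -> str:
    """C = (M + b) mod N for one letter; non-letters pass through unchanged."""
    if letter not in ALPHABET:
        return letter
    m = ALPHABET.index(letter)
    return ALPHABET[(m + b) % N]


def caesar_encrypt(message: str, b: int = 3) -> str:
    """Monoalphabetic shift: the same fixed integer b for every letter."""
    return "".join(shift_letter(ch, b) for ch in message.upper())


def caesar_decrypt(ciphertext: str, b: int = 3) -> str:
    """Decipher by shifting the other way: M = (C - b) mod N."""
    return "".join(shift_letter(ch, -b) for ch in ciphertext.upper())


def vigenere_encrypt(message: str, key: str) -> str:
    """Polyalphabetic shift: letter i is shifted by key[i mod len(key)].
    Caesar is the special case of a one-letter key (period 1)."""
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(shift_letter(ch, shifts[i % len(shifts)]))
            i += 1  # only letters consume a key position
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Undo each shift with its negated key value."""
    shifts = [-ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in ciphertext.upper():
        if ch in ALPHABET:
            out.append(shift_letter(ch, shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def most_common_letter(text: str) -> str:
    """The single most frequent letter; in English plaintext this is usually E."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return counts.most_common(1)[0][0]


def caesar_shift_from_frequency(ciphertext: str, expected: str = "E") -> int:
    """Frequency analysis on a Caesar ciphertext: the peak letter is the
    image of the expected peak letter, so their distance mod N is b."""
    peak = most_common_letter(ciphertext)
    return (ALPHABET.index(peak) - ALPHABET.index(expected)) % N


if __name__ == "__main__":
    # Constructed sample; the many E's make the frequency peak obvious.
    plain = "MEET ME NEAR THE TREE AT SEVEN"
    c3 = caesar_encrypt(plain, 3)
    print(c3)                                  # PHHW PH QHDU WKH WUHH DW VHYHQ
    print(caesar_shift_from_frequency(c3))     # 3: the shift is recovered from counts
    v = vigenere_encrypt(plain, "KEY")
    print(v, "->", vigenere_decrypt(v, "KEY"))
```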

Transposition – Permutation
- Columnar Transposition – write the message vertically and read horizontally
- Can be attacked through frequency analysis; however, it hides the statistical properties of letter pairs such as IS and TOO.
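Columnar transposition as the guide describes it (write vertically, read horizontally), as an added example that is not part of the study guide; the number of rows is the key, and the frequency count at the end shows that a permutation leaves single-letter statistics untouched, which is why frequency analysis still applies to it.

```python
# Added example (not from the study guide): columnar transposition that fills
# a grid column by column and reads it row by row. The row count is the key.
from collections import Counter

PAD = "X"  # constructed padding letter for an incomplete last column


def columnar_encrypt(message: str, rows: int) -> str:
    """Write the letters down the columns, then read across the rows."""
    text = "".join(ch for ch in message.upper() if ch.isalpha())
    while len(text) % rows:          # pad so every column is full
        text += PAD
    cols = len(text) // rows
    # column c holds text[c*rows:(c+1)*rows]; row r is the r-th letter of each column
    return "".join(text[c * rows + r] for r in range(rows) for c in range(cols))


def columnar_decrypt(ciphertext: str, rows: int) -> str:
    """Invert the read order: ciphertext[r*cols + c] came from text[c*rows + r]."""
    if len(ciphertext) % rows:
        raise ValueError("ciphertext length must be a multiple of the row count")
    cols = len(ciphertext) // rows
    return "".join(ciphertext[r * cols + c] for c in range(cols) for r in range(rows))


def letter_frequencies(text: str) -> Counter:
    """Single-letter counts; identical before and after transposition."""
    return Counter(ch for ch in text.upper() if ch.isalpha())


if __name__ == "__main__":
    plain = "MEET ME AT NOON"         # constructed sample, 12 letters
    cipher = columnar_encrypt(plain, 3)
    print(cipher)                     # MTAOEMTOEENN
    print(columnar_decrypt(cipher, 3))
    # the permutation only moves letters, so the histogram is unchanged
    print(letter_frequencies(plain) == letter_frequencies(cipher))
```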

Book or Running Key Cipher
- Uses text from a book as the key and performs modulo 26 addition on it
- Would use a specific line and page number

Codes – Deal with words and phrases and represent them with other numbers or letters

Identify types of Encryption systems

Types of Cipher / Characteristics / Problems

Classical substitution ciphers
  Characteristics: Replaces bits, characters, or blocks of characters with different bits, characters, or blocks.

Transposition (permutation) ciphers
  Characteristics: The letters of the plaintext are permuted. Does not replace the original text with different text but moves the original text around.
  Problems: Frequency analysis, but it hides the statistical properties of letter pairs and triples such as IS and TOO.

Monoalphabetic or simple substitution ciphers
  Characteristics: Only one alphabet is used, which is monoalphabetic substitution.
  Problems: Frequency analysis.

Polyalphabetic ciphers
  Characteristics: Accomplished through the use of multiple substitution ciphers.
  Problems: Counters frequency analysis; however, attacked by discovery of periods.

Running key ciphers
  Characteristics: Using text from a book as the key and performing modulo 26 addition on it. Would use a specific line and page number. Does not require an electronic algorithm and bit alterations.
  Problems: -

Concealment
  Characteristics: The true letters of the plaintext are hidden/disguised in a sentence, say every third word in a sentence. Does not require an electronic algorithm and bit alterations.
  Problems: -

Digital System Codes
  Characteristics: Deal with words and phrases and represent them with other numbers or letters.

Steganography
  Characteristics: Hiding the existence of the message. A digital watermark would be used to detect copying of digital images.

Machines

End-to-end encryption
  Characteristics: Encrypted information that is sent from sender to receiver. Protection of data from the originating host all the way to the final destination host with no unprotected transmission points. In a complex environment, end-to-end encryption is provided at the presentation or application layer. Start to finish; more flexibility; higher granularity because each application has a different key; the hop computer does not need to have a key for decryption.
  Problems: Headers, addresses, routing and trailer information are not encrypted, hence attackers can learn more about a captured packet. The destination has to have the same encryption mechanism to properly decrypt the message.

Link-to-link encryption
  Characteristics: Each entity has a key in common with its two neighboring nodes.
  - Node 1 – Encrypts with key A
  - Node 2 – Decrypts with key A and encrypts with key B
  - Node 3 – Decrypts with key B and encrypts with key C
  The term refers to the use of encryption to protect a single segment between two physically contiguous nodes. It is usually a hardware device operating at layer 2. Such devices are used by financial firms to protect automatic teller machine transactions. Another common form of link-to-link encryption is the secure telephone unit (STU) used by the military. Provides data flow security since everything is encrypted. Users need not do anything; works at the lowest layer – the physical layer.
  Problems: Key distribution and key management are more complex because each hop computer must receive a key, and when the keys change each must be updated. Messages are decrypted at each hop, thus there are more points of vulnerability.

Both end-to-end and link encryption should be used to strengthen the process: the data is encrypted with end-to-end encryption, and the entire packet, i.e. header plus encrypted data packet, is encrypted with link encryption – great.

One-Time Pad (Vernam Cipher)
  Characteristics: Unbreakable, and each pad is used exactly once. A truly non-repeating set of random bits that is combined by bitwise XOR with the message to produce ciphertext. Encryption with key K with components k1, k2, … kn: the encipherment uses each component of K to encrypt message M with components m1, m2, … mn.
  - The key is the same length as the message; random key
  - Key only used once and never again
  - Key must be completely random
  - Two identical key pads, one with the sender and another with the receiver
  - Unbreakable by exhaustive search
  - Relies on physical security of the pad
  - Used; invented 1917 by the US Army Signal Corps and AT&T
  Problems: More overhead. Distribution of the pad, or key, can be challenging. Perfect synchronization of timing for usage. The cipher is as long as the message, hence infeasible to use in all applications. Not very practical.
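The Vernam pad in code, as an added example that is not part of the study guide: each message byte is XORed with a pad byte of equal length (c_i = m_i XOR k_i), decryption is the same operation, and the last function shows concretely why the pad is used exactly once, since two ciphertexts under one pad XOR to the XOR of their plaintexts and the pad drops out.

```python
# Added example (not from the study guide): a one-time pad over bytes.
# The pad comes from the OS random source here; a real pad must be truly
# random, as long as the message, kept physically secure, and never reused.
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (c_i = m_i XOR k_i)."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs key and message of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Fresh random pad; one pad per message, never repeated."""
    return os.urandom(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """Same operation as encryption: (m XOR k) XOR k == m."""
    return xor_bytes(ciphertext, pad)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both c1 and c2, then c1 XOR c2 == m1 XOR m2:
    the pad cancels, so the relation between the messages is exposed
    without the pad. This is the reason for 'used once and never again'."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m1 = b"MEET AT NOON"          # constructed sample messages
    m2 = b"MEET AT DUSK"
    pad = generate_pad(len(m1))
    c1 = otp_encrypt(m1, pad)
    print(otp_decrypt(c1, pad) == m1)            # True: perfectly reversible
    c2 = otp_encrypt(m2, pad)                    # reusing the pad is the mistake
    print(pad_reuse_leak(c1, c2) == xor_bytes(m1, m2))   # True: pad cancelled out
```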

Clipper Chip
  Characteristics: Clipper Chip – implemented in tamper-proof hardware; Skipjack algorithm.
  Problems: Only 80 bit, hence weak, and not opened for testing or any proof of trying it out. The 16 bit checksum can be defeated. CC ID tagged and identified every communication session.

Double/Triple DES – refer above
Public Key – refer above
RSA – refer above
Elliptic curve – refer above
PGP – refer below
El Gamal – refer above
Diffie-Hellman – refer above

Escrowed encryption
  Characteristics: US government Clipper Chip.
  - Allowing law enforcement to obtain the keys to view people's encrypted data
  - Escrow the key in two pieces with two trusted escrow agents
  - Court order to get both pieces
  - Clipper Chip – implemented in tamper-proof hardware
  - 80 bit family key and 80 bit unit key (which is to be secret and encrypts the session key). The session key is used to encrypt the message.
  - Based on the Skipjack algorithm
  - Key exchange through Diffie-Hellman

Key Escrow
  Characteristics: Uses public key cryptography.
  - Fair Cryptosystems – Silvio Micali, MIT
  - Private key is split and distributed
  - Can verify each portion of the key without joining
  - Public key is also split and sent along
  Problems:
  - Criminal encryption use exists.
  - Encryption is not regulatable outside the US.
  - Key recovery is expensive for both government and software companies.
  - Escrow has not been thoroughly tested.
  - Mandatory escrow can be circumvented. There is no way to "scan" the Internet to detect use of non-escrowed encryption.
  - Escrow involves humans.
  - The government would hold the key to everyone's personal data. Under current proposed legislation, keys would be released by a court subpoena, not a judicial order.


Types of Encryption

Secret Key Cryptography – Symmetric Key
- Sender and receiver both know the key
- Encrypt and decrypt with the same key
- Secret key should be changed frequently
- Requires secure distribution of keys by an alternate channel; an out-of-band method is used to exchange the key
- Ideally only used once
- A secret key cryptosystem does have both public and private information
- Large keys like >128 bit are very hard to break
- Very fast
- Key needs to be secret
- Sender requires a different key for each receiver
- Time stamps can be associated with the key so it is valid only during a time window (counters replay)
- Symmetric keys do not provide authentication or non-repudiation
- Best known is DES, developed by IBM in the 1970s for commercial use
- Key management: only for symmetric; wide distribution of keys. Can be manual, or through link or end-to-end encryption, and the last choice is through a KDC.
- The algorithm need not be secret, though we need a strong algorithm. Used in low-cost chip implementations, which are widely available and incorporated into a number of products, because the algorithm need not be secret.

An encryption scheme is computationally secure if the ciphertext meets one or both of the following criteria: the cost of breaking the cipher exceeds the value of the encrypted information, and the time required exceeds the useful life of the data.

Public
- Algorithm for enciphering plaintext
- Possibly some plaintext and ciphertext
- Possibly encipherment of chosen plaintext

Private
- The KEY
- One cryptographic transformation out of many possible transformations

Feistel: Dr. Horst Feistel led a research project at the IBM Watson Research Lab in the 1960s which developed the Lucifer cipher. This later inspired the US DES (below) and other product ciphers, creating a family labeled “Feistel ciphers”.

1. Block size – higher is safer but reduces speed; tradeoff 64
2. Key size – the higher the better; tradeoff 128
3. Number of rounds – the higher the better; typical is 16
4. Subkey generation algorithm and round key function – the more complex the better

Speed is a concern if the encryption is embedded in applications, which precludes hardware and is hence slower; also, ease of analysis is good, but DES is not done that way.
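A minimal Feistel network on 64-bit blocks, as an added example that is not part of the study guide and is not DES itself: it shows the structural point behind the design parameters above, namely that the round function F need not be invertible at all, because decryption runs the same rounds with the subkeys in reverse order. The subkey schedule and F (both built on SHA-256 here) are constructed stand-ins, not DES's.

```python
# Added example (not from the study guide, not DES): a toy Feistel cipher.
# Block = 64 bits split into 32-bit halves L and R; per round with subkey K_i:
#   L_{i+1} = R_i,   R_{i+1} = L_i XOR F(R_i, K_i)
# Decryption is the identical procedure with the subkeys reversed.
import hashlib

ROUNDS = 16                     # typical round count the guide gives for DES-style ciphers
HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


def key_schedule(key: bytes, rounds: int = ROUNDS) -> list:
    """Constructed schedule: one 32-bit subkey per round from SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def round_function(right: int, subkey: int) -> int:
    """F(R, K): deliberately non-invertible (a truncated hash), yet the cipher
    still decrypts, because Feistel never needs F's inverse."""
    data = ((right ^ subkey) & MASK).to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_rounds(block: int, subkeys: list) -> int:
    """Apply the rounds, then undo the final swap so the same routine inverts
    itself when called with the subkeys in reverse order."""
    left, right = block >> HALF_BITS, block & MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt_block(block: int, key: bytes) -> int:
    return feistel_rounds(block, key_schedule(key))


def decrypt_block(block: int, key: bytes) -> int:
    """Same rounds, subkeys K_15 ... K_0."""
    return feistel_rounds(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed key, any length
    block = 0x0123456789ABCDEF            # constructed 64-bit plaintext block
    ct = encrypt_block(block, key)
    print(hex(ct), hex(decrypt_block(ct, key)))   # second value is the plaintext again
```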

Public Key Cryptography
- Employs a private and a public key
- The public key is made available to anyone wanting to encrypt a message
- The private key is used to decrypt
- The public key cannot decrypt the message it encrypted
- Ideally the private key cannot be derived from the public key
- The other key can decrypt a message encrypted by one of the keys
- The private key is kept private
- 1,000 to 10,000 times slower than secret key encryption
- Hybrids use the public key to encrypt the symmetric key
- Important algorithms: Diffie-Hellman, RSA, El Gamal, Knapsack, Elliptic Curve
- Whitfield Diffie and Martin Hellman published “New Directions in Cryptography”, introducing the idea of public key cryptography
- Key management: only transcription and storage
- Very slow; better key distribution and scalability; provides confidentiality, authentication and non-repudiation
- In order to be useful it should have a trap door, a secret mechanism that enables you to accomplish the reverse function in a ONE WAY HASH FUNCTION. A one-way function is a mathematical function that is easier to compute in one direction (forward direction) than in the opposite direction (inverse direction): the forward direction could take seconds, the inverse months. A ‘trap-door one-way function’ is a one-way function for which the inverse direction is easy given a piece of information (the trap door). Public key cryptography is based on ‘trap-door one-way functions’.

Public key: gives info about the function. Private key: gives info about the trap door. Whoever knows the trap door (private key) can compute the function easily in both directions.

Under public key cryptography, there are the following message formats:
- Open message (if authentication is more important): Sender encodes the message with own private key. Receiver decodes with the sender's public key.
- Secure message format (if confidentiality is more important): Sender encodes with the receiver's public key. Receiver decodes with own private key.
- Secure and signed message: Sender encodes the message with own private key. Sender re-encodes the message with the receiver's public key. Receiver decodes the message with own private key. Receiver decodes the message with the sender's public key.

Hybrid systems

Using symmetric and asymmetric (known as public key) cryptography together: symmetric for bulk data encryption and asymmetric for protecting encryption keys and key distribution.
- An asymmetric algorithm performs encryption and decryption by using public and private keys
- A symmetric algorithm performs encryption and decryption by using a secret key
- A secret key is used to encrypt the actual message
- Public and private keys are used to encrypt the secret key
- A secret key is synonymous with a symmetric key
- An asymmetric key refers to a public or private key


Symmetric Algorithm / Developer / Provides / Key Size (bits) / Characteristics

DES
  Developer: IBM under US government contract (devised in 1972 as a derivative of the Lucifer algorithm by Horst Feistel at IBM). Modified by NSA to come up with US DES.
  Provides: Confidentiality. It can be used in many applications including data transmission and file security. Implemented in electronic devices including VLSI, RAM, PROM, EEPROM and ROM.
  Key size: 56 bits
  Characteristics: De facto industry standard. 64 bit block size. It begins with a 64-bit key and strips off 8 parity bits (1 odd parity bit in each byte); the 8 parity bits can be used for error detection. 16 rounds of transposition and substitution. Uses the techniques of confusion and diffusion. Adopted as a US federal standard in 1976. Increasing concern over resistance to brute-force attack (though with a 56 bit key one has to try 2^56, or 70 quadrillion, keys, it can be broken using large computers in a network). U.S. Government no longer uses it. Patented in 1974 – Block Cipher Cryptographic System. Commercial and non-classified systems. DES describes the Data Encryption Algorithm (DEA). Federal Information Processing Standard (FIPS) adopted DES in 1977. Re-certified in 1993 by the National Institute of Standards and Technology, but will be replaced by AES, the Advanced Encryption Standard, by Rijndael.
  DES operates in four modes:
  - Cipher Block Chaining (CBC)
  - Electronic Code Book (ECB)
  - Cipher Feedback (CFB)
  - Output Feedback (OFB)
  Further points:
  - Never adopted for national security applications
  - Single chip installation (hardware), now software
  - Commercial and non-classified systems
  - DES uses confusion and diffusion as suggested by Claude Shannon
  - Confusion conceals the statistical connection; accomplished through non-linear S-boxes in DES
  - Diffusion spreads the influence of a plaintext character over many ciphertext characters; accomplished through P-boxes
  - Distributed systems can break it. U.S. Government no longer uses it.
  - DES is considered vulnerable to brute force (exhaustive) search of the key – replaced by Triple DES and AES. If the only attack is brute force, then counter it by longer keys; hence a 128 bit key is better.
  - Knowledge of the expected plaintext, and automatically distinguishing plaintext from garble, is needed for breaking the key.
  - Triple DES – three encryptions using DEA are now being used until AES is adopted

3DES
  3 sequential applications of DES.
  The algorithm is too sluggish in software, hence very slow, and the 64 bit block size can be higher.
  Key size: 112 (using 2 keys); 168 (using 3 keys)
  Characteristics: 7 modes of operation of TDEA.
  Problems:
  1) Slow
  2) Double encryption is subject to a meet-in-the-middle attack: encrypt on one end, decrypt on the other and compare the values. The work factor of DES and Double DES is the same, so Triple DES is used. It can be done several different ways:
  a) DES-EDE2 (encrypt key 1, decrypt key 2, encrypt key 1)
  b) DES-EE2 (encrypt key 1, encrypt key 2, encrypt key 1)
  c) DES-EE3 (encrypt key 1, encrypt key 2, encrypt key 3) – most secure; however, Triple DES with two keys will prevent brute force and meet-in-the-middle with a smaller payload. 3 keys are also known as a key bundle. TDEA is a formidable algorithm, with the same resistance as DEA. Stronger 168 bit key; brute force is not possible. If security is the only concern, then TDEA is best for the years to come.

IDEA (International Data Encryption Algorithm)
  Developer: Developed in Switzerland by Xuejia Lai and James Massey
  Key size: 128 bit
  Characteristics:
  1) 64 bit block, 8 rounds
  2) Used in PGP
  3) Much more difficult than DES
  4) Differs in round function and subkey generation function
  5) Uses both confusion and diffusion, but confusion is not achieved through the use of S-boxes
  6) Instead XOR, binary addition and binary multiplication of 16 bit integers
  7) Highly resistant to cryptanalysis

Blowfish
  Developer: Bruce Schneier
  Key size: key length up to 448
  Characteristics:
  1) Up to 16 rounds of data blocks
  2) Published in 1993
  3) Fast, compact and flexible
  4) Uses S-boxes, XOR and binary addition
  5) Variable S-boxes
  Suitable: Due to its high execution speed, easy implementation and compact algorithm (less than 5 K of memory), it is used in a number of commercial applications. Since subkeys and S-boxes are generated by repeated application, it is not suitable for applications in which the secret key changes frequently.

Twofish
  Developer: Developed by Counterpane based on Blowfish (also by Counterpane) – Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, U.S.A.
  Key size: up to 256 bit
  Characteristics:
  1) 128 bit blocks in 16 rounds
  2) Employs whitening before the first round and after the last round
  3) Need to break the whitening keys in addition to the Twofish key
  4) Employs “prewhitening” and “postwhitening”, where additional subkeys are XORed with the plaintext before the first round and after the sixteenth round
  5) In the Twofish algorithm, the MDS matrix, the PHT, and key additions provide diffusion

RC5 – Family of algorithms
  Developer: Developed by Ronald Rivest in 1994
  Key size: 0 to 2048 bit keys
  Characteristics:
  1) 32, 64 or 128 bit blocks, 0 to 255 rounds
  2) RSA patented it in 1997
  Suitability: It is suitable for hardware or software – uses primitive computational operations commonly found on microprocessors. Fast, with a simple algorithm. Variable number of rounds and variable key length. Easy to implement. Low memory requirement makes it suitable for smart cards and other devices with restricted memory; higher security with suitable parameters. A number of RSA products use this.

AES
  1) Block cipher that will replace DES. Anticipated that Triple DES will remain approved for government use. AES announced by NIST in January 1997 to find a replacement for DES.
  2) Five finalists:
  - MARS – IBM Corp. (represented by Nevenko Zunic), U.S.A.
  - RC6 – RSA Laboratories (represented by Matthew Robshaw), U.S.A.
  - Rijndael – Joan Daemen and Vincent Rijmen, Belgium
  - SERPENT – Ross Anderson, Eli Biham and Lars Knudsen, U.K., Israel and Norway
  - TWOFISH – Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, U.S.A.
  3) October 2, 2000: NIST selected Rijndael, by two Belgian cryptographers, Dr. Daemen and Dr. Rijmen. Will be used by the government for sensitive but unclassified documents.

Rijndael Block Cipher
  Developer: Joan Daemen and Vincent Rijmen
  Key size: variable block length and key lengths that can be independently chosen as 128, 192 or 256 bits. To break a 128 bit AES key, it is estimated to take 140 trillion years.
  Characteristics:
  1) Iterative block cipher
  2) Resistance to all known attacks
  3) Design simplicity
  4) Code compactness and speed on a wide variety of platforms
  5) The intermediate cipher result is called the “state” that transformations operate on
  6) Does not use the Feistel transposition structure from DES
  7) Uses a round transformation of 3 layers: non-linear layer – S-boxes; linear mixing layer – shifting of rows and mixing of columns; key addition layer – an exclusive OR of the round key to the intermediate state
  8) Suitable for high speed chips and compact co-processors on smart cards
  9) Key taken from the cipher key through a key schedule which consists of key expansion and round key selection: the total number of round key bits is equal to the block length multiplied by the number of rounds plus 1
  10) High speed chip; no area restriction
  11) It is a substitution-linear transformation network (non-Feistel)
  NIST selected Rijndael for the following reasons:
  - Good performance in both hardware and software across a wide range of computing environments
  - Good performance in both feedback and non-feedback modes
  - Key setup time is excellent
  - Key agility is good
  - Very low memory requirements
  - Easy to defend against power and timing attacks without significantly impacting performance
  (AES) Weakness: One issue was with the underlying architecture: some opined that its internal mathematics is simple. The Rijndael team defended its design, pointing out that simpler mathematics made Rijndael easier to implement in embedded hardware. They argued that obfuscation was not needed.

SERPENT
  Developer: Ross Anderson, Eli Biham and Lars Knudsen, U.K., Israel and Norway

RC6
  Developer: RSA Laboratories (represented by Matthew Robshaw), U.S.A.

RC4

MARS
  Developer: IBM Corp. (represented by Nevenko Zunic), U.S.A.

There are 4 primary modes of operation on which block ciphers can be based:

Type / Characteristics / Problems

Electronic Code Book (ECB)
  Characteristics: Suitable for short messages and non-repeating patterns. ECB is best with small amounts of data (like challenge-response operations and key management, encrypting a PIN, etc.). Can be used for IV encryption in the case of CBC, because along with the key the IV also should be sent.
  - Native mode of DES (natural mode – direct application)
  - Block cipher
  - ECB is applied to 64 bits of plaintext and produces corresponding 64 bit blocks of ciphertext
  - The 64 bit input vector is broken into two blocks (right block and left block)
  - Each 32 bit block is copied into a 48 bit block
  - Each 48 bit block is XORed with a 48 bit encryption key
  - Pairs of plaintext and corresponding code exist
  Problems: The weakness in ECB is that identical input blocks will produce identical cipher results of the same length. Replay and substitution attack. Interestingly, this is a fundamental encryption flaw that affected the Enigma.

Cipher Block Chaining (CBC)
  Characteristics: Widely used in security applications.
  - Plaintext block of 64 bits
  - A randomly generated 64 bit Initialization Vector is XORed with the first block
  - Then encrypted with DES
  - The first ciphertext will then be XORed with the next 64 bit plaintext block
  - Enhanced mode of ECB which chains together blocks of ciphertext
  Problems: Errors are propagated using this method.

Cipher Feedback (CFB)
• Stream cipher where ciphertext is used as feedback into the key generation source to develop the next key stream
• I.e. input to DES to generate pseudorandom numbers which are combined with plaintext to produce the cipher
Problem: errors will propagate.

Output Feedback (OFB): errors will not propagate
• Feedback is used to generate the key stream
• Therefore the key stream varies
• Errors do not propagate
• Functions like a stream cipher by generating random binary bits to be combined with plaintext to create ciphertext
• Previous output of DES is used as input
• OFB does not chain the cipher
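The four modes above, written out as code so the stated properties can be checked directly: ECB reveals repeated plaintext blocks, CBC hides them, a corrupted CBC or CFB ciphertext block damages two plaintext blocks on decryption, and OFB damage stays in one block. This is an added example, not code from the study guide. Because the standard library has no DES, the block cipher underneath is a constructed 8-byte, four-round Feistel network whose round function is HMAC-SHA256; the key, IV and plaintext are constructed sample values, and the toy cipher is for illustration only.

```python
"""Added example: ECB, CBC, CFB and OFB over a constructed toy block cipher."""
import hashlib
import hmac

BLOCK = 8                               # 64-bit blocks, like DES
KEY = b"constructed-demo-key"           # constructed sample key
IV = bytes(range(BLOCK))                # fixed IV so results are reproducible; real use: os.urandom(BLOCK)
# Constructed plaintext: blocks 0 and 2 are identical, which ECB will reveal.
PT = b"SAMEBLOK" + b"DIFFERNT" + b"SAMEBLOK" + b"LASTBLOK"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function F(key, round, half-block) -> 4 bytes (toy construction).
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in range(4):                          # Feistel: (L, R) -> (R, L xor F(R))
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(4)):                # undo the rounds in reverse order
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, iv, pt):                   # iv is unused: ECB has no chaining
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))


def ecb_decrypt(key, iv, ct):
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))    # chain: XOR with previous ciphertext block
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = _xor(b, block_encrypt(key, prev))     # ciphertext feeds back into the next keystream block
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, block_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):
    # Keystream depends only on key and IV (previous cipher output fed back), so one function encrypts and decrypts.
    out, state = [], iv
    for b in _blocks(data):
        state = block_encrypt(key, state)
        out.append(_xor(b, state))
    return b"".join(out)


def duplicate_ciphertext_blocks(encrypt, key=KEY, iv=IV, pt=PT) -> int:
    """Number of repeated ciphertext blocks; more than 0 means the mode leaks plaintext structure."""
    cblocks = _blocks(encrypt(key, iv, pt))
    return len(cblocks) - len(set(cblocks))


def damaged_blocks(encrypt, decrypt, flip_block: int, key=KEY, iv=IV, pt=PT) -> list:
    """Flip one bit in ciphertext block `flip_block`, decrypt, and list the plaintext blocks that came back wrong."""
    ct = bytearray(encrypt(key, iv, pt))
    ct[flip_block * BLOCK] ^= 0x01
    recovered = _blocks(decrypt(key, iv, bytes(ct)))
    return [i for i, (orig, got) in enumerate(zip(_blocks(pt), recovered)) if orig != got]
```

With the sample plaintext, `duplicate_ciphertext_blocks(ecb_encrypt)` is 1 and `duplicate_ciphertext_blocks(cbc_encrypt)` is 0; flipping a bit in ciphertext block 1 gives `[1, 2]` for CBC and CFB (the text's error propagation) and `[1]` for OFB and ECB.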

A block cipher is a type of symmetric key encryption algorithm that accepts a fixed-size block of plaintext and produces ciphertext of the same length (a linear relationship).

Block ciphers are more suited to implementation in software executing on a general-purpose computer. This guideline is not absolute, and there are a variety of operational reasons to choose one method over the other. Types of block ciphers: DES, 3DES, IDEA, RC5, Rijndael, Twofish, DES CBC, DES ECB.

The secret to the secret sauce is the key. It is the key that provides the randomness of the encryption process.

Stream Cipher

Stream ciphers tend to be implemented more in hardware devices. This guideline is not absolute, and there are a variety of operational reasons to choose one method over the other. It is a symmetric encryption algorithm and is extremely fast. Examples: rotor machines, RC4, DES Cipher Feedback (CFB), link encryption, the one-time pad (Vernam cipher: it is possible to generate ciphertext that is random and therefore unbreakable even by brute-force attacks), and output feedback mode.

Linear feedback shift register (LFSR): one of the simplest finite state machines, used to generate the key stream from the key. A block of 4 bits is shifted by one position; the 3rd and 4th bits (taken before the shift) are XORed and the result is assigned as the new last bit.

Some of the features that a cryptographer will design into the algorithm for a stream cipher include:
1) Long periods without a repetition.
2) Functional complexity: each keystream bit should depend on most or all of the cryptovariable bits.
3) Statistically unpredictable: given n successive bits from the keystream it is not possible to predict the (n+1)st bit with a probability different from 1/2.
4) The keystream should be statistically unbiased: there should be as many 0s as 1s, as many 00s as 10s, 01s and 11s, etc.
5) The keystream should not be linearly related to the cryptovariable.

The first condition is trivial to satisfy. The second condition, ensuring that the two machines have the same cryptovariable, is an administrative problem (key management). We can ensure that the two machines start in the same state by several means. One way is to include the initial state as part of the cryptovariable. Another way is to send the initial state to the receiver at the beginning of each message (this is sometimes called a message indicator or initial vector).
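The 4-bit LFSR described above, used as a keystream generator and checked against the listed keystream properties (period, balance of 0s and 1s). This is an added example, not code from the study guide. It reads the description as a register that shifts by one each clock, with the XOR of bits 3 and 4 entering at one end and the output bit taken from the other; the seed and the sample message are constructed.

```python
"""Added example: a 4-bit LFSR keystream generator and the properties it can and cannot meet."""


def lfsr_step(state, taps):
    """One clock: feedback = XOR of the tapped bits (0-based indexes), then shift by one."""
    feedback = 0
    for t in taps:
        feedback ^= state[t]
    return [feedback] + state[:-1]


def lfsr_keystream(seed, taps, n):
    """Output n keystream bits; the bit shifted out of the register is the output."""
    state, out = list(seed), []
    for _ in range(n):
        out.append(state[-1])
        state = lfsr_step(state, taps)
    return out


def lfsr_period(seed, taps):
    """Clock until the register returns to the seed. A maximal k-bit LFSR has period 2**k - 1."""
    state, n = lfsr_step(list(seed), taps), 1
    while state != list(seed):
        state, n = lfsr_step(state, taps), n + 1
    return n


def stream_crypt(seed, taps, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call encrypts and decrypts."""
    bits = lfsr_keystream(seed, taps, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for bit in bits[8 * i:8 * i + 8]:
            k = (k << 1) | bit
        out.append(byte ^ k)
    return bytes(out)


# The register from the text: 4 bits, the 3rd and 4th bits (indexes 2 and 3) XORed.
TAPS = (2, 3)
SEED = [1, 0, 0, 0]     # constructed non-zero seed (an all-zero register never changes)


def keystream_balance(seed=SEED, taps=TAPS):
    """(number of 1s, number of 0s) over one full period: property 4 of the list above."""
    p = lfsr_period(seed, taps)
    ks = lfsr_keystream(seed, taps, p)
    return ks.count(1), ks.count(0)


def keystream_repeats(seed=SEED, taps=TAPS) -> bool:
    """True if the keystream repeats after one period; a 4-bit register cannot satisfy property 1."""
    p = lfsr_period(seed, taps)
    ks = lfsr_keystream(seed, taps, 2 * p)
    return ks[:p] == ks[p:]
```

With these taps the register runs through all 15 non-zero states before repeating, the keystream over one period has 8 ones and 7 zeros (as balanced as an odd length allows), and after 15 bits it repeats, which is why a register this short fails the "long period" requirement and why real stream ciphers combine much longer registers non-linearly.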


Common Asymmetric Algorithms (RSA and other public key systems also serve as key distribution systems). For each algorithm: who developed it, what it provides, and its characteristics.

RSA
Developed by: Rivest, Shamir and Adleman. Introduced in 1976.
Provides: confidentiality, authentication and non-repudiation; encryption, key exchange, and digital signatures.
Characteristics:
• Based on the difficulty of factoring a number which is the product of two large prime numbers, maybe 200 digits each. Is insecure, 768 moderately secure, and 1024 bits is good.
• Suitable for high-speed chips and compact co-processors on smart cards.
• Two possible approaches to defeating RSA: the brute-force approach (try all possible private keys), and finding out the large prime numbers.

Diffie-Hellman
Developed by: Whitfield Diffie & Martin Hellman, who "came up with the whole public key/private key concept".
Provides: key distribution only.
Characteristics:
1) Invented in 1976; the first public key algorithm.
2) Key agreement protocol.
3) Security stems from the difficulty of calculating discrete logarithms in a finite field. While it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms. For large primes, the latter task is considered infeasible.
4) Used for distribution of a shared key but not for message encryption/decryption.
5) Vulnerable to man-in-the-middle attacks (since peers are not authenticated); the result was the station-to-station protocol.
6) Patent expired in 1997.

El Gamal
Developed by: Dr. T. El Gamal.
Provides: digital signatures and encryption.
Characteristics: extended Diffie-Hellman to include signatures and encryption. First un-patented public key cryptosystem for digital signatures that involves the discrete logarithm problem.

Merkle-Hellman Knapsack
Characteristics: having a set of items with fixed weights, determine which items can be added in order to obtain a given total weight. Illustrated using super-increasing weights (each weight greater than the sum of the previous ones).

ECC (Elliptic Curve Cryptography)
Developed by: Neal Koblitz. First proposed by Victor Miller (IBM/CRD) in 1985 and Neal Koblitz (Washington Univ.). 160-bit key.
Provides: digital signatures, encryption and key management.
Characteristics:
• Elliptic curve discrete logarithms are harder to compute than general discrete logarithms.
• Smaller key size for the same level of security as RSA: higher strength per key.
• No other advantage than speed over RSA.
• Suitable for high-speed chips and compact co-processors on smart cards; suited to smart cards and wireless devices (less memory and processing).
• Appropriate where computational power is limited, integrated circuit space is limited, high speed is required, intensive signing, verifying or authenticating is required, signed messages are stored or transmitted, bandwidth is limited, and in wireless communications/some networks.

Asymmetric and Symmetric Key Comparisons (key lengths of comparable strength)

Asymmetric Key    Symmetric Key
512 bits          64 bits
1024 bits         80 bits
1729 bits         112 bits
2304 bits         128 bits

Like symmetric algorithms, public key encryption implementations do not rely on the obscurity of their algorithm, but use key lengths that are so long that a brute-force attack is impossible. Asymmetric encryption keys are based on prime numbers, which limits the population of numbers that can be used as keys.

Comparison of DES and RSA:

CHARACTERISTIC          DES                              RSA
Relative Speed          Fast                             Slow
Functions Used          Transposition and Substitution   Multiplication
Key Length              56 bits                          400-800 bits
Least Cost Attack       Exhaustion                       Factoring
Cost of Attack          Centuries                        Centuries
Time to generate a key  Microseconds                     Tens of seconds
Key Type                Symmetric                        Asymmetric

Note: Most products use symmetric key cryptography to encrypt files, messages, sessions and objects, but use asymmetric key cryptography to exchange and protect keys.

Preferred crypto algorithms should have the following properties:
• No reliance on algorithm secrecy
• Explicitly designed for encryption
• Available for analysis
• Subject to analysis
• No practical weaknesses

PKC systems are based on problems that are difficult to solve (hard problems):
• Factoring large integers that are the product of two large primes: RSA
• Discrete logarithm problem (difficulty of taking logarithms in finite fields): Diffie-Hellman; El Gamal encryption schemes & signature algorithms; Schnorr's signature algorithm; Nyberg-Rueppel's signature algorithm; Station-to-station protocol for key agreement (STS); Digital Signature Algorithm (DSA); Elliptic Curve Crypto (ECC; only speed is a factor; higher key strength compared to RSA); DSS (Digital Signature Standard, proposed by NIST & NSA in 1991); LUC

Mathematical Problems

Factoring:
• Given P and Q, it is easy to compute P*Q.
• Given the product N = P*Q, it is not easy to compute P and Q.
• Pick E (the encryption number); compute D so that D*E = 1 mod (P-1)*(Q-1).
• But there are better-than-exhaustion attacks against factoring. This is why the parameters have to be large (512, 1024, 2048).

Discrete logs, based on two facts:
• Exponentiation is easy: if you have G and X, it is easy to compute S = G to the power of X.
• Logarithms are hard: if you have S and G, it is hard to find X such that G to the power of X = S.
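The Diffie-Hellman entry in the table above and the "two facts" just listed, as an added example (not code from the study guide): the two messages that cross the channel, the shared value both sides reach, and a brute-force discrete logarithm to show which of the two operations is the expensive one. The prime p = 23 and generator g = 5 are constructed toy parameters; real deployments use primes of 2048 bits or more, where the search below is infeasible.

```python
"""Added example: Diffie-Hellman key agreement with toy parameters, plus the hard direction."""
import hashlib

P, G = 23, 5    # constructed toy group; far too small for real use


def dh_public(p, g, private):
    """Exponentiation is easy: this value is what each party sends."""
    return pow(g, private, p)


def dh_shared(p, peer_public, private):
    """Each side raises the other's public value to its own private exponent."""
    return pow(peer_public, private, p)


def dh_exchange(p, g, a_private, b_private):
    """Return (A, B, K_alice, K_bob). Only p, g, A and B travel over the wire; the exponents never do."""
    A = dh_public(p, g, a_private)      # Alice -> Bob
    B = dh_public(p, g, b_private)      # Bob -> Alice
    return A, B, dh_shared(p, B, a_private), dh_shared(p, A, b_private)


def derive_key(shared_secret: int, p: int) -> bytes:
    """Common practice: do not use the raw group element as a key; hash it to a fixed-size key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def discrete_log(p, g, target):
    """Logarithms are hard: find x with g**x == target (mod p) by trying every x in turn.
    This costs up to p multiplications, which is exactly what a large p makes infeasible."""
    acc = 1
    for x in range(p):
        if acc == target:
            return x
        acc = acc * g % p
    return None


def exchange_agrees(p=P, g=G, a_private=6, b_private=15) -> bool:
    """Both parties derive the same key without either exponent leaving its owner."""
    _, _, k_alice, k_bob = dh_exchange(p, g, a_private, b_private)
    return derive_key(k_alice, p) == derive_key(k_bob, p)
```

With the toy values Alice sends A = 8, Bob sends B = 19, and both compute the shared value 2. Nothing in the exchange tells Alice that A really came from Bob, which is the man-in-the-middle weakness the table notes and the reason the station-to-station protocol signs the exchanged values.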

Usage of public key cryptography:
1) For encryption and decryption: encrypt the message with the receiver's public key.
2) For digital signatures: encrypt the message digest or MAC value.
3) Two sides co-operate to exchange session keys.

Algorithm        Encryption/Decryption   Digital signature   Key exchange
RSA              Yes                     Yes                 Yes
ECC              Yes                     Yes                 Yes
Diffie-Hellman   -                       -                   Yes
DSS              -                       Yes                 -

Hash algorithms:

A hash algorithm is a one-way cryptographic function. When applied to a data object, it outputs a fixed-size output, often called a message digest (fingerprint). It is conceptually similar to a checksum, but is much more difficult to corrupt.

One-way hash function: reversible by a trap door; provides confidentiality and authentication.
One-way hash algorithm: irreversible; provides only integrity.

Purpose of Digital Signatures
• To detect unauthorized modifications and to authenticate identity and provide non-repudiation.
• Generates a block of data smaller than the original data.
• Uses one-way hash functions; a one-way hash produces a fixed-size output (digest).
• Has the good hash function characteristics listed below.

After the message digest is calculated it is encrypted with the sender's private key. The receiver decrypts using the sender's public key; if it opens, then it is from the sender. Then the receiver computes the message digest of the sent file; if the hash is the same, it has not been modified.
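The signing procedure just described, and the RSA relations from the "Factoring" paragraph (N = P*Q, D*E = 1 mod (P-1)(Q-1)), carried through as an added example that is not code from the study guide: hash the message, "encrypt" the digest with the private key, "decrypt" with the public key and compare with a fresh digest. The primes are constructed (two Mersenne primes) and the scheme is unpadded textbook RSA, so it illustrates the arithmetic only; production signatures use a padded scheme such as RSA-PSS and much larger random primes.

```python
"""Added example: textbook RSA key generation, hash-then-sign, and verification."""
import hashlib

# Constructed primes; real keys use randomly generated primes of 1024+ bits each.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537                 # public exponent; gcd(E, (P-1)(Q-1)) == 1 for these primes


def rsa_keypair(p=P, q=Q, e=E):
    """Return ((e, n), (d, n)) with d*e == 1 mod (p-1)(q-1), as in the text's D*E = 1 relation."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def digest_as_int(message: bytes, n: int) -> int:
    """Fixed-size digest of the entire message, reduced so it lies below the modulus."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: the digest is 'encrypted' with the private key."""
    d, n = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: 'decrypt' with the public key and compare with a freshly computed digest."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == digest_as_int(message, n)


def encrypt(m: int, public_key) -> int:
    """Confidentiality direction: encrypt with the receiver's public key."""
    e, n = public_key
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)


def demo():
    """Sign a constructed message; a valid signature verifies, a modified message does not."""
    pub, priv = rsa_keypair()
    msg = b"transfer 100 to account 42"     # constructed message
    sig = sign(msg, priv)
    return verify(msg, sig, pub), verify(msg + b"0", sig, pub)
```

The second value returned by `demo()` is `False`: one appended byte changes the digest, so the recovered digest no longer matches, which is the integrity check the text describes.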

Hash functions are much faster than encryption processes and can be utilized to enhance performance while maintaining integrity.

Good hash function characteristics:
1. The hash should be computed on the entire message.
2. The hash should be a one-way hash function so that messages are not disclosed by their signatures (the original message should not be found out): the one-way property.
3. It should be impossible, given a message and its hash value, to compute another message with the same hash value: collision resistance.
4. It should be resistant to birthday attacks, meaning an attacker should not be able to find two messages with the same hash value. A larger output is stronger and less vulnerable to brute-force attacks like the birthday attack.

A one-way hash can be used with or without encryption. Encryption is sometimes discouraged due to higher hardware cost, export regulations, slowness in software, and unsuitability for small data values such as a hash.

Hash algorithms (hash size, block size, other characteristics):

MD2: 128-bit hash value. Ron Rivest. Slower than MD5 & MD4. MD2 is a hash function that has a collision vulnerability.

MD4: 128-bit hash value. Ron Rivest. Used for high-speed computation in software implementations and optimized for microprocessors. Problem: the hash function's poor one-way property.

HAVAL: variable-length one-way hash. Blocks of 1024 bits. Modification of MD5.

MD5:
• Developed by Ronald Rivest in 1991
• Produces a 128-bit message digest from data of arbitrary length
• 512-bit blocks processed in four distinct rounds; 64 (4 of 16) rounds
• Infinite input size
• 4 primitive logical functions and 64 additive constants used
Message Digest (MD) is the most common hash function today. Developed by Ron Rivest. Commonly used as a data integrity checking tool, such as in Tripwire and other products.

SHA-1:
• 160-bit hash if the input is < 2^64 bits
• Integrity of the message. 512-bit blocks of data
• 80 (4 rounds of 20) rounds
• 4 primitive logical functions and 4 additive constants used
• Developed by the NSA
• It is relatively easy to compute the hash for a given value; hardware and software implementations are practical. The algorithm takes the message as input and produces the hash (called a cryptographic hash)
• Used in PGP
• Used for generating digests for digital signatures. Computing the SHA-1 digest and then processing it with DSA to generate or verify the signature on the shorter digest is more efficient than applying DSA to the longer message
• It is computationally infeasible to find a message that corresponds to a given message digest
• It is computationally infeasible to find two different messages that produce the same message digest; it is computationally impractical to find any pair with the same hash
• Padding bits are added to the message to make it a multiple of 512. The length of the message is the number of bits in the message
• Equivalent to factoring (RSA)
• Input into DSA to get the digital signature
• Resistant to birthday attacks and brute-force attacks

Message Authentication Code (MAC)

The last 16-bit or 32-bit code from the ciphertext generated by the DES algorithm on the message.

Provides authentication but not confidentiality; has a proper sequence number, hence the sequence of messages is ensured.

Combination of encryption and hashing: a key-dependent one-way hash that requires a symmetric key in the process (the hash is encrypted with a symmetric key). DES is recommended for the encryption of the message, and the last 16-bit or 32-bit ciphertext code is taken and used as the MAC.

Similar to encryption, however the authentication algorithm need not be reversible: it is a smaller fixed-length value that is not designed for decryption, hence need not be reversible.

HMAC

Design goals of HMAC:
• Use available hash functions without modification
• Allow replaceability of the hash function
• Preserve the performance of the hash function
• Use and handle keys in a simple way
• Have a well understood cryptographic analysis of the strength of the authentication mechanism, based on reasonable assumptions on the embedded hash function

Uses a key to generate a Message Authentication Code which is used as a checksum.

The hash function is either MD5 or SHA-1; the secret key is incorporated into the existing hash algorithm.

HMAC can be used with any iterative cryptographic hash function (MD5, SHA-1) in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

It is now mandatory to use HMAC in IP security (IPsec), and it is used in TLS & SET.
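How the secret key is "incorporated into the existing hash algorithm", as an added example that is not code from the study guide: the HMAC construction of RFC 2104 written by hand (key padded to the hash's block size, inner and outer pads), checked against Python's `hmac` module, with the hash function passed in as a parameter to show the replaceability goal above. The key and message are constructed sample values.

```python
"""Added example: HMAC built from a plain hash function, verified against the standard library."""
import hashlib
import hmac


def hmac_by_hand(key: bytes, message: bytes, hash_fn=hashlib.sha256) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), where K' is the key padded to the block size."""
    block_size = hash_fn().block_size          # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > block_size:
        key = hash_fn(key).digest()            # keys longer than a block are hashed first
    key = key.ljust(block_size, b"\x00")       # then zero-padded to exactly one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_fn(ipad + message).digest()   # the hash itself is used unmodified
    return hash_fn(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_fn) -> bool:
    """Cross-check the hand-built tag against hmac.new for the same hash function."""
    return hmac_by_hand(key, message, hash_fn) == hmac.new(key, message, hash_fn).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_fn=hashlib.sha256) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_by_hand(key, message, hash_fn), tag)


KEY = b"constructed shared secret"       # constructed key
MSG = b"seq=17;amount=250"               # constructed message


def tamper_detected(key=KEY, message=MSG) -> bool:
    """The genuine message verifies; the same tag fails on a modified message."""
    tag = hmac_by_hand(key, message)
    return verify_tag(key, message, tag) and not verify_tag(key, message.replace(b"250", b"950"), tag)
```

Swapping `hash_fn` between `hashlib.sha1` and `hashlib.sha256` changes nothing but the tag length, which is the "replaceability of the hash function" design goal; the strength of the result is whatever the chosen hash provides.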


Digital Signature Standard (DSS) & Secure Hash Standard

• Condenses the message to 160 bits
• Key size 512-1024 bits
• Enables use of the RSA digital signature algorithm or DSA, the Digital Signature Algorithm (based on El Gamal)
• Both use the Secure Hash Algorithm to compute the message digest, which is then processed by DSA to verify the signature. The message digest is used instead of the longer message because it is faster.
• NIST proposed it in 1991
• Uses the secure hash algorithm (SHA-1): 160 bits
• Modular arithmetic; exponentiation of large numbers
• Difficult to invert exponentiation (security)
• Equivalent to factoring (RSA)

Digital Signature Algorithm (DSA): provides integrity.

Other signature algorithms include:
• Nyberg-Rueppel
• Schnorr

DSA generates and verifies signatures. Provides authentication and integrity, i.e. it identifies the signatory and verifies the integrity of the data. Only for digital signatures and not for encryption (unlike RSA, which does both).

FIPS 186: This Standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. Provides authentication, integrity and non-repudiation.

RIPEMD-160: 160-bit hash. 512-bit block size. 160 (5 paired rounds of 16) rounds. 5 primitive logical functions and 9 additive constants used. Infinite input length.

Public Key Certification Systems
A source could post a public key under the name of another individual. Digital certificates counter this attack: a certificate can bind individuals to their key. A Certificate Authority (CA) acts as a notary to bind the key to the person. A CA must be cross-certified by another CA.

Public Key Infrastructure (PKI)
Integration of digital signatures and certificates.
• Digital Certificates
• Certificate Authorities (CA)
• Registration Authorities
• Policies and procedures
• Certificate Revocation
• Non-repudiation support
• Time stamping
• Lightweight Directory Access Protocol
• Security Enabled Applications
• Cross Certification
• Provides access control, authentication, confidentiality, integrity, non-repudiation
• Assumes that the receiver's public identity can be positively ensured through certificates and that the DH exchange will automatically negotiate the process of key exchange.
• Identifies users; creates and distributes certificates; maintains and revokes certificates; distributes and maintains encryption keys; and enables all technologies to communicate and work together for the purpose of encrypted communication.
• A Digital Certificate binds that certificate to its particular owner with a unique serial number within the CA. The popular certificate format is the X.509 v3 certificate.
• Separate keys can be used for digital signature and encryption: layers of necessary protection.

Cryptographic Attacks (what is available to the cryptanalyst in each case):

Ciphertext only: the encryption algorithm; the ciphertext to be decoded.

Known plaintext: the encryption algorithm; the ciphertext to be decoded; one or more plaintext/ciphertext pairs formed with the secret key.

Chosen plaintext: the encryption algorithm; the ciphertext to be decoded; a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key.

Chosen ciphertext: the encryption algorithm; the ciphertext to be decoded; a purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key. Portions of the ciphertext are selected for trial decryption while having access to the plaintext; the goal is to figure out the key. The attacker has some plaintext, can capture an encrypted message and therefore capture the ciphertext. Once a few pieces of the puzzle are discovered, the rest is accomplished by reverse-engineering and trial-and-error attempts.

Chosen text: the encryption algorithm; the ciphertext to be decoded; a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key; and a purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key.

Birthday Attack
• You are in a room: how many people are needed for a better than 50/50 chance that another person has your birthday? 253 people.
• How many people are needed for a better than 50/50 chance that two people share the same birthday? 23 people.
• Applied to hashing: two different messages having the same message digest, or finding two different messages that have the same message digest.

Other attacks:
Brute Force: try every possible combination.
Adaptive Chosen Plaintext: the selection of plaintext is altered based on previous results.
Adaptive Chosen Ciphertext: chosen ciphertexts are selected for trial decryption, where the selection is based on previous results.
Meet in the Middle: for attacking double encryption, working from each end and comparing in the middle.
Differential Cryptanalysis: private key cryptography; looking at text pairs after encryption, looking for differences.
Linear Cryptanalysis: using plaintext and ciphertext to generate a linear approximation of a portion of the key.
Differential Linear Cryptanalysis: using both the linear and differential approaches. S-boxes are used to minimize the danger from differential cryptanalysis.
Factoring: using mathematics to determine the prime factors of large numbers.
Statistical: exploiting the lack of randomness in key generation.
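The two birthday figures quoted above (253 and 23), computed rather than quoted, as an added example that is not code from the study guide. It goes one step beyond the text by applying the same "any pair" calculation to a hash of b output bits, which is the arithmetic behind "larger output is stronger" in the hash characteristics list. A 365-day year is assumed; the digest sizes used in the usage note are illustrative.

```python
"""Added example: birthday-paradox probabilities and the birthday bound for hash digests."""
import math


def p_someone_matches_mine(n: int, days: int = 365) -> float:
    """P(at least one of n other people has a given birthday) = 1 - (1 - 1/days)**n."""
    return 1.0 - (1.0 - 1.0 / days) ** n


def p_any_pair_matches(n: int, days: int = 365) -> float:
    """P(at least one pair among n people shares a birthday) = 1 - prod_{i<n} (days - i) / days."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def smallest_n(prob_fn, threshold: float = 0.5, days: int = 365) -> int:
    """Smallest group size at which prob_fn first exceeds the threshold."""
    n = 1
    while prob_fn(n, days) <= threshold:
        n += 1
    return n


def birthday_bound_hashes(bits: int) -> float:
    """Number of random digests of `bits` bits needed for a 50% chance of some collision,
    using the large-N approximation sqrt(2 * ln 2 * N) with N = 2**bits."""
    return math.sqrt(2.0 * math.log(2.0) * 2.0 ** bits)


def digest_bits_for_work(log2_attempts: int) -> int:
    """Smallest digest size (bits) whose birthday bound exceeds 2**log2_attempts evaluations."""
    bits = 1
    while birthday_bound_hashes(bits) <= 2.0 ** log2_attempts:
        bits += 1
    return bits
```

`smallest_n(p_someone_matches_mine)` returns 253 and `smallest_n(p_any_pair_matches)` returns 23, matching the figures in the text. The hash version shows why the second number is the dangerous one: a 64-bit digest collides after roughly 5 billion evaluations (about 2^32.2), and every 2 extra bits of digest only add 1 bit to the attacker's work, so a digest must be about twice the size of the work factor it is meant to enforce.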


Dictionary attack: with a database of one-way function passwords, a dictionary program and a captured password file, this attack can be accomplished.
Replay attack: the attacker is able to intercept an encrypted secret message but not able to readily decrypt the message… OS flaws, memory residue, temporary files, differential power analysis, distributed computing… Time stamping and sequence numbering are two measures to counter this.

Active attacks include:
• Replay: countered by timestamping & block chaining
• Substitution: countered by block chaining
• Modification of messages
• Denial of service
• Statistical attacks: in the design, based on a statistical weakness, e.g. more 1s than 0s in the key stream.
• Analytic attacks: use the algorithm and algebraic manipulation to reduce complexity. RSA factoring and double DES are examples.
• Implementation attacks: weak implementation. Even when an algorithm is correctly implemented, the overall system security posture may be weakened by some other factor. Key generation is a weak spot. If an attacker discovers a pattern in key generation, it effectively reduces the total population of possible keys and greatly reduces the strength of the implementation. A recent example was the failure of one of the original implementations of Netscape's SSL, which used a predictable time-based technique for random number generation. When subjected to statistical analysis, few man-made devices can provide sufficiently random output.
• Man in the middle: C replaces B's public key with his own key…. Prevented by PKI/digital certificates. Intercepting messages and forwarding modified versions by replacing the public keys that are kept on a public server, acting as a middle man.
• Clear text attack & ciphertext only attack: cannot work on a key-encrypting key.

Passive attacks involve listening in, eavesdropping, or monitoring of information, which may lead to interception of unintended information, or to traffic analysis, where information is inferred. Traffic analysis: inference of information from analysis of traffic (presence, absence, frequency, etc.). Traffic padding (generation of spurious data units) and padding are the counters.

Dictionary attacks have proved immensely successful in attacking and compromising UNIX systems and Windows NT systems. UNIX systems generally use the crypt() function to generate theoretically irreversible encrypted password hashes. The problem is that some users choose weak passwords based on real words. It is possible to use a dictionary of words and apply this well known function until there is a match with the encoded password. In Windows NT, it is possible by obtaining a copy of the NT SAM file, which contains the encrypted passwords.
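Why the dictionary attack described above works against a bare one-way function of the password, and the standard counter, shown as an added example that is not code from the study guide: an unsalted fast hash gives every user with the same password the same stored value, so one precomputed dictionary serves all of them, whereas a per-user random salt and a deliberately slow iterated hash (PBKDF2-HMAC-SHA256 from the standard library here) force each guess to be recomputed per user. User names, passwords and the fixed salts in the demo are constructed; the iteration count is an assumed work factor.

```python
"""Added example: unsalted fast hash versus salted, iterated password storage."""
import hashlib
import hmac
import os

ITERATIONS = 100_000        # assumed work factor; raise it as hardware gets faster


def weak_hash(password: str) -> str:
    """Unsalted and fast: equal passwords give equal hashes, so one dictionary serves every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = None) -> dict:
    """Store the salt, the iteration count and the derived key; never the password itself."""
    salt = salt or os.urandom(16)             # a fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": dk}


def check_password(record: dict, candidate: str) -> bool:
    """Verify by re-deriving with the stored salt and count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def demo() -> dict:
    """Two users with the same constructed password, with constructed fixed salts for reproducibility."""
    alice = make_record("correct horse", salt=b"A" * 16)
    bob = make_record("correct horse", salt=b"B" * 16)
    return {
        "weak_same": weak_hash("correct horse") == weak_hash("correct horse"),
        "salted_same": alice["hash"] == bob["hash"],
        "alice_ok": check_password(alice, "correct horse"),
        "alice_wrong": check_password(alice, "password1"),
    }
```

The salt does not stop a guess at one weak password; it stops a single precomputed table from being reused across the whole password file, and the iteration count multiplies the cost of every guess that is made.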

Cryptographically secure digital timestamps (CSDTs) have been used for a variety of purposes, including document archiving, digital notary services, etc. By adding a CSDT to every digital certificate issued within a PKI, one has a method for ensuring not only that the certificate is valid, but also at what point in time that validity was declared.

Time stamps: the primary component of a CSDT is the timestamp itself, and a time source is required. To allow high-volume transactions, a 16-bit sequence number is appended to the timestamp to ensure that there can be no two CSDTs with the identical time. If the time resolution is 0.0001 sec, it is possible to issue 65,536 CSDTs that all happen within that same 0.0001 sec.

Hash of the certificate: for a CSDT to be bound to a particular certificate, some data must be included to tie it to the certificate in question. A hash generated by a known and trusted algorithm, such as SHA-1 or MD5, is used to provide this connection. This is the same hash that is calculated and encrypted during the Certificate Authority signing process.


To resist ciphertext-only attacks, good practice requires that all such patterns as format (e.g. file or e-mail message), language (e.g. English), alphabet (e.g. Roman), and public code (e.g. ASCII or EBCDIC) in the cleartext object be disguised before the object is encrypted. (pg 376 vol 1)

In a brute force attack, one tries keys one after another until one finds the key in use. There are two ways: clear-and-cipher-text attacks, and ciphertext-only attacks. Neither of these attacks will work on a key-encrypting key if the principles of key management are adhered to.

Note: On average, the correct key will be found once half of the total key space has been tried in a brute force attack.

It is not always practical to provide a digital certificate with every signed object, and high-assurance CAs need a CRL server. A directory service is a distributed database optimized for reading that can make both CRLs and certificates available on a wide area network (WAN) or the Internet. Most directory services are based on the X.500 standard and use the extensible X.509 format to store digital certificates.

Point: Encryption rarely improves availability, but if mission-critical encryption services fail, then availability requirements probably will not be met. Use of a cryptographically based strong authentication system to prevent denial-of-service attacks would be an example of using encryption to increase availability.

Boomerang Attack:

Recently, a means of improving the flexibility of differential cryptanalysis was discovered by David A. Wagner. Called the boomerang attack, it allows the use of two unrelated characteristics for attacking two halves of a block cipher.

A technique called the boomerang amplifier attack works like this: instead of considering the pairs of inputs, differing by the XOR required for the characteristic of the first few rounds, as completely independent, one could note that it would be quite likely that somehow, taking two such pairs at a time, one could obtain any desired XOR difference between two such pairs by the birthday paradox. This allows a boomerang attack to be mounted with only chosen plaintext, instead of adaptive chosen ciphertext as well.

Email Security
• Non-repudiation
• Confidentiality of messages
• Authentication of source
• Verification of delivery
• Labeling of sensitive material
• Control of access

E-mail security protocols (for each: characteristics/features, what it provides, and in which layer it operates):

PEM (Privacy Enhanced Mail)
• Internet standard to provide secure e-mail over the Internet.
• A standard proposed by the IETF to be compliant with the Public Key Cryptography Standards (PKCS)
• DES in CBC mode
• Developed by a consortium of Microsoft, Sun, and Novell
• Triple DES-EDE: symmetric encryption
• MD2 and MD5 message digests
• RSA public key: signatures and key distribution
• X.509 certificates and a formal CA
Provides: confidentiality, authentication, message integrity, key management, non-repudiation. Application level protocol.

RIPEM is a public domain implementation of the PEM protocol, although not in its entirety.

Message Security Protocol (MSP): military PEM; X.400 compatible. Application level protocol.

PGP (Pretty Good Privacy)
• Phil Zimmermann. No CA; uses a "web of trust"
• Users can certify each other
• Uses passphrases
• The user keeps the collection of signed public keys received from other users in a file referred to as a key ring.
• It provides a number of mechanisms for ensuring that one is using the correct and intended public key for a correspondent. One of these is called the "key fingerprint".
• Public domain software
• Not endorsed by the NSA
• Bound by federal export laws due to its usage of the RSA, IDEA, Diffie-Hellman, 3DES and CAST algorithms.
Provides: confidentiality through IDEA (128-bit block cipher key); integrity through MD5 hashing (or SHA) to generate digital signatures; authentication by using PKC; non-repudiation by use of cryptographically signed messages.

Internet Security

HTTP: stateless protocol, used for development of web pages. HTTP is a stateless protocol because each command is executed independently, without any knowledge of the commands that came before it. The shortcoming of HTTP for implementing Web sites that react intelligently to user input is being addressed in a number of newer technologies, including ActiveX, Java, JavaScript and cookies.

Secure Telnet / Secure RPC authentication (SRA): remote terminal access. Uses the Diffie-Hellman public key exchange to derive the shared key for encryption, with a 192-bit key. Even if the packet is sniffed and captured, it cannot necessarily be decrypted. Provides encryption (confidentiality). Application layer.

S-HTTP
• Designed to send individual messages securely.
• Stateful protocol; does not get disconnected like HTTP.
• Can be used to secure individual WWW documents.
• SSL, by contrast, is session based.
• Computes a hash value of the message, and the value can be digitally signed.
• Can use public key technology, symmetric keys, PEM, etc., which shows its flexibility.
Provides: data integrity and sender authentication capability. Application layer.

SSL / TLS
•Developed by Netscape in 1994
• Uses public key to authenticate the server to the client
• Also provides optional client-to-server authentication
• Supports the RSA public key algorithm, IDEA, DES, and 3DES
• Supports MD5 hashing
• HTTPS header
• Resides between the application and TCP layers
• Can be used by telnet, FTP, HTTP and e-mail protocols
• Based on X.509

Designed to establish a secure connection between two computers. Requires an SSL-enabled web browser. SSL is both an API and a protocol intended for end-to-end encryption of client-server applications across an arbitrary network. This protocol was developed by Netscape; the Navigator browser is its reference implementation. It uses public key certificates to authenticate the server to the client and optionally the client to the server. It uses the server's public key to negotiate a session key to be used for the session. It manifests this key by setting a solid key icon in the lower left-hand corner of the screen. Refer below for connectivity.

SSL lies beneath the application layer and above the transport layer (more precisely, at the transport layer).

A man-in-the-middle attack is possible; using a digital signature during the session key exchange can circumvent this attack.

Heavily used for Internet transactions. Provides authentication, compression, confidentiality, and integrity.

Transport Layer Security (TLS): successor to SSL. Can be used with Kerberos and with PPP for authentication.

SKIP (Simple Key Management for Internet Protocol)
• Similar to SSL, however no prior communication is required: requires no prior communication in order to establish or exchange keys on a session-by-session basis
• Uses Diffie-Hellman to generate a shared secret, which in turn provides IP packet-based encryption and authentication
• Enables a TCP/IP host to send an encrypted IP packet to another host without requiring a prior message
• Well suited for the Internet, since both are stateless protocols
• SKIP does not continually generate new key values as SSH does
• High availability

MIME (Multipurpose Internet Mail Extensions)

Was standardized with RFC 822 and RFC 1521. Defines the mail header and the type of mail content. Designed to provide facilities to include multiple objects in a single message, to represent body text in character sets other than US-ASCII, to represent formatted multi-font text messages, to represent non-textual material such as images and audio fragments, and generally to facilitate later extensions defining new types of internet mail for use by cooperating mail agents.

MOSS (MIME Object Security Services)

- Provides flexibility by supporting different trust models
- Permits identification outside of the X.509 standard
- Uses MD5, RSA public key and DES for encryption and hashing

S/MIME (Secure Multipurpose Internet Mail Extensions)

- Adds secure services to messages in MIME format
- Follows Public Key Cryptography Standards (PKCS)
- Uses X.509 signatures

Provides authentication through digital signatures. Application layer protocol.

MONDEX system
- Smart cash card application
- Proprietary encryption algorithm
- Card is the same as cash

IOTP is the Internet Open Trading Protocol.
- Aimed at consumer-to-business transactions
- Flexible and future focused

SET
- Visa and Mastercard, developed in 1997
- Encrypts the payment information
- DES: symmetric encryption
- RSA public key: signatures and key distribution
- Taken over by SSL

Internet transactions and authentication of sender and receiver. Application layer protocol.

SSH 2
- Remote access via encrypted tunnel
- Client-to-server authentication
- Comprised of:
  o Transport Layer Protocol
  o User Authentication Protocol
  o Connection Protocol

Host and user authentication, data compression, data confidentiality and integrity. Key exchange and encryption: RSA and Triple DES respectively.

Heavily used for internet transactions.

Operates in the transport layer.

IPSEC

S/WAN – Secure WAN – defines IPSec-based widespread use of VPNs on the internet.

IPSec adds per-packet authentication, payload verification, and encryption mechanisms to traditional IP.
- Two main protocols are:
  o Authentication Header (AH)
  o Encapsulating Security Payload (ESP)
- Can operate with a single protocol (with or without encryption, i.e. confidentiality)
- A Security Association is required between the two parties. It is a one-way connection, identified by a Security Parameter Index (SPI), a 32-bit identifier
- Bi-directional communication requires two Security Associations
- In a VPN implementation IPSec can operate in transport or tunnel mode
- Transport mode: data encrypted, header not
- Tunnel mode: data and original IP header encrypted, a new header is added
- The new header has the address of the VPN gateway
- MD5 and SHA are used for integrity
- Security Associations can be combined into bundles using either:
  o Transport adjacency
  o Iterated tunneling
- IKE (Internet Key Exchange) is used for key management with IPSec
- IKE is a set of three protocols:
  o Internet Security Association and Key Management Protocol (ISAKMP): phases for establishing a relationship
  o Secure Key Exchange Mechanism (SKEME): secure exchange mechanism
  o Oakley: modes of operation needed to establish a secure connection

Provides encryption, access control, and non-repudiation over IP. Operates in the Network Layer.

ESP provides authenticity, integrity and confidentiality. Authentication Header provides integrity, authentication and non-repudiation.

Kerberos

Authentication Server (AS): knows all the passwords of the users and stores them in a centralized database. It also shares a unique secret key with each server, which is pre-distributed in some manner.

Problems the design addresses, and how:

Minimizing the number of times the user has to enter a password, and the requirement for multiple tickets for every different service:

Plaintext transmission of the password: the Ticket Granting Server (TGS) is introduced. The TGS issues tickets to users who have been authenticated to the AS. Hence the user requires a ticket-granting ticket (TGT) from the AS; then, using that, the TGS grants a service-granting ticket. The TGT can be used by the client to request multiple service-granting tickets; the TGT is reusable. To counter replay attacks, a timestamp is included stating until when the ticket is valid. This satisfies both of the problems above.

Capturing the TGT and the service-granting ticket and using them before they expire, within the time frame:

The AS provides a secret piece of information in a secure manner to both the user and the client; this is referred to as the session key in Kerberos.

The service/server needing to authenticate to the client, so that the user is sure of the correct server/service he is looking for: where mutual authentication is required the server can reply as shown in the message. The server returns the value of the timestamp from the authenticator incremented by 1, encrypted in the session key.

The set of servers under one Kerberos is referred to as a realm, and there needs to be certification across realms (cross-realm).

Kerberos 5 came up with ways of avoiding environmental shortcomings and technical deficiencies:

1. Encryption system dependence: allowing the same key to be used with different algorithms and different variations on a given algorithm.
2. No IP dependence.
3. Ticket lifetime is flexible.
4. Authentication forwarding: a client can access a server and have that service access another server on behalf of the client.
5. Inter-realm authentication: reduced relationships.

Double encryption is removed; explicit integrity checking, with standard CBC rather than PCBC; session key; sub-session key to prevent replay. Password attacks: cannot be prevented, but a system of pre-authentication makes password attacks more difficult.

Includes a nonce: a random value to be repeated in the message to assure that the response is fresh and has not been replayed by an opponent.

1. The basic Kerberos 5 protocol defines the syntax and semantics for authentication, secure messaging, limited syntax and semantics for authorization, and the application of various cryptographic algorithms within those elements.

2. Kerberos is often described as an "application-layer" protocol.

3. Kerberos is used very effectively at all layers of the network, as well as in middleware. Kerberos is used for authentication and key management in a Virtual Private Network (VPN).

4. Organizational models: Autocracy: all control flows from a central authority. Anarchy: all authority flows from individuals.

5. In Kerberos, the entities that authenticate with one another are referred to as "principals", as in "principals to a transaction".

6. Kerberos credentials are referred to as "tickets" (pg 401 vol 1). A ticket is a part of a cryptographically sealed credential issued by the KDC to a client (pg 410 vol 1).

7. The KDC logically consists of a set of services and a database that contains information about principals. In Kerberos that collective is referred to as a "realm". Principals in different realms can interact using "cross-realm" (sometimes referred to as "inter-realm") authentication.

8. In Kerberos, the trusted third party is known as the Key Distribution Center (KDC). In public key systems, the trusted third party is referred to as a Certificate Authority (CA).

9. In typical operation, a cryptovariable is inserted prior to encrypting a message and the same key is used for some period of time. This period of time is known as the "cryptoperiod". For reasons having to do with cryptanalysis, the key should be changed on a regular basis.

10. The AS generates a random key, referred to as the "session key".

11. While we can formulate solutions to authentication, confidentiality, integrity and access control that are useful and independent of a broad range of applications, the same cannot be said of delegation and authorization.

12. The combined ability to provide both efficient and secure access to services, and the ability to serve as the basis for a collective security mechanism, is one of Kerberos's major strengths.

13. Replay protection, time-stamps: replay protection using timestamps is most suited to datagram or transaction-oriented protocols and requires loosely synchronized clocks based on a secure time service and the use of a replay "cache" by the receiver. A replay cache is simply a cache of messages previously seen by the receiver, or more likely a hash of each of those messages. The receiver must check each received message against the replay cache to determine if the message is a replay. Time-stamps help to limit the size of the replay cache.

14. Challenge-response: replay protection using a challenge-response exchange is most suited to session-oriented protocols, such as TCP/IP. (Please refer to Pg 422 Vol 1; there is a lot about it that I didn't understand. Read it and delete this.)

15. Multiple security functions, including authentication, authorization, access control, and key management, can be provided by or built from Kerberos. While the concept of an aggregate enterprise security service is not native to Kerberos, the union of the two is very natural.

16. Security services – Kerberos

Authentication: the Kerberos authentication protocol implicitly provides the cryptographic material, or session keys, needed for establishing a secure channel that continues to protect the principals' conversation after the authentication has occurred.

Secure channels: a secure channel provides integrity and confidentiality services to communicating principals. Kerberos provides these services either directly through the use of Kerberos protocol messages, or indirectly by providing the cryptographic material needed by other protocols or applications to implement their own form of secure channel.

Integrity: Kerberos provides message integrity through the use of signed message checksums or one-way hashes using a choice of algorithms.

Confidentiality: Kerberos provides message confidentiality by encrypting messages using a choice of encryption algorithm.

Access control: Kerberos does not directly provide access control for persistent data, such as disk files. However, the Kerberos protocol provides for the inclusion and protection of authorization information needed by applications and operating systems in making access control decisions.

Authorization: an authorization service provides information that is used to make access control decisions. Common mechanisms used to represent authorization information include access control lists (ACLs) and capabilities. An ACL-based system uses access control lists to make access decisions. Capability-based systems require the encapsulation of authorization information in a tamper-proof package that is bound to an identity.

17. Non-repudiation: Kerberos does not offer the arbitration services that are required for the complete implementation of such a service (non-repudiation).

18. Availability: distributed security systems generally do not offer availability services.

So Kerberos can give authentication, secure channel, integrity, confidentiality, access control and authorization, but does not provide non-repudiation and availability.

19. An additional layer is now built in, namely the ticket granting service, i.e. now the AS gives a ticket to the TGS, which is called the TGT, and the TGS gives out session tickets to the users.
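A runnable walk-through of the AS/TGS/server exchange described at the start of this section and of the timestamp replay cache from item 13, added here as an illustration and not code from the study guide: the sealing function is an HMAC-based stand-in for Kerberos encryption (not the real message format), and the realm, principal names, keys and lifetimes are constructed.

```python
"""Toy walk-through of the Kerberos exchange described above (constructed
example, not real Kerberos encoding): the sealing function is an HMAC-based
stand-in for Kerberos encryption; keys, lifetimes and the realm are made up."""
import hashlib, hmac, json, os

LIFETIME = 300   # ticket validity in seconds (constructed)
SKEW = 60        # tolerated clock difference for authenticators (constructed)

# Long-term keys the KDC shares with each principal (constructed realm).
KEYS = {
    "alice": hashlib.sha256(b"alice-password").digest(),   # derived from the user's password
    "krbtgt": os.urandom(32),                               # TGS key
    "fileserver": os.urandom(32),                           # application server key
}
# Replay caches, one per server: (client, timestamp) of authenticators already seen.
CACHES = {"krbtgt": set(), "fileserver": set()}

def _keystream(key, nonce, length):
    """Derive a keystream from the key with HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _ticket(server, client, now):
    """Ticket sealed under the server's long-term key, plus the fresh session key."""
    sk = os.urandom(32)
    return seal(KEYS[server], {"client": client, "key": sk.hex(), "expires": now + LIFETIME}), sk

def _check(server, ticket, authenticator, now):
    """Server-side validation of ticket + authenticator: expiry, binding, replay."""
    t = unseal(KEYS[server], ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)            # only a holder of the session key can build this
    if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator rejected")
    if (a["client"], a["ts"]) in CACHES[server]:
        raise ValueError("replay detected")
    CACHES[server].add((a["client"], a["ts"]))
    return t["client"], sk, a["ts"]

def as_exchange(user, now):
    """AS_REQ/AS_REP: TGT for the TGS, and the TGS session key sealed under the user's key."""
    tgt, sk = _ticket("krbtgt", user, now)
    return tgt, seal(KEYS[user], {"tgs_key": sk.hex()})

def tgs_exchange(tgt, authenticator, service, now):
    """TGS_REQ/TGS_REP: validate the TGT, issue a service ticket and service session key."""
    client, tgs_key, _ = _check("krbtgt", tgt, authenticator, now)
    ticket, svc_key = _ticket(service, client, now)
    return ticket, seal(tgs_key, {"svc_key": svc_key.hex()})

def ap_exchange(service, ticket, authenticator, now):
    """AP_REQ/AP_REP: the server proves knowledge of the session key with timestamp + 1."""
    _, svc_key, ts = _check(service, ticket, authenticator, now)
    return seal(svc_key, {"ts": ts + 1})

def client_login(user, password, service, now):
    """Full client flow; True when the server's reply proves mutual authentication."""
    user_key = hashlib.sha256(password.encode()).digest()
    tgt, rep = as_exchange(user, now)
    tgs_key = bytes.fromhex(unseal(user_key, rep)["tgs_key"])   # a wrong password fails here
    ticket, rep2 = tgs_exchange(tgt, seal(tgs_key, {"client": user, "ts": now}), service, now)
    svc_key = bytes.fromhex(unseal(tgs_key, rep2)["svc_key"])
    ap_rep = ap_exchange(service, ticket, seal(svc_key, {"client": user, "ts": now}), now)
    return unseal(svc_key, ap_rep)["ts"] == now + 1

def attempt(fn, *args):
    """Run fn; return '' on success or the ValueError message on rejection."""
    try:
        fn(*args)
        return ""
    except ValueError as e:
        return str(e)
```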

Kerberos related technologies

- OSF DCE – Open Software Foundation Distributed Computing Environment – uses Kerberos 5 as the underlying security mechanism.
- GSS-API – Generic Security Service Application Programming Interface.
- SPNEGO – Simple and Protected GSS-API Negotiation Mechanism.
- SSPI – Microsoft Security Service Provider Interface.
- SSL – Secure Socket Layer.
- SASL – Simple Authentication and Security Layer.
- IPSEC – key management by Kerberos.
- RADIUS – surrogate RADIUS clients integrated with Kerberos.
- Common Data Security Architecture, token cards etc., where Kerberos can be implemented.

Wireless Security

WAP – Wireless Application Protocol
Designed for mobile devices (PDAs, phones). Set of protocols covering layers 7 to 3 of the OSI model. Less overhead than TCP/IP.
- Wireless Markup Language (WML)
- Wireless Application Environment (WAE)
- Wireless Session Protocol (WSP)
- Wireless Transport Layer Security (WTLS)
- Wireless Datagram Protocol (WDP)

For security WAP uses Wireless Transport Layer Security (WTLS). Three classes of security:
- Class 1 – Anonymous authentication
- Class 2 – Server authentication
- Class 3 – Two-way client and server authentication

Authentication and authorisation can be performed through smart cards/tokens.

Security vulnerability of WAP:
- WAP GAP – where WTLS is decrypted and re-encrypted to SSL at the WAP gateway

C-HTML, from Japan, is competing with WML. C-HTML is stripped-down HTML and can be displayed on a standard browser.

Mobile PKI – relates to the possible time lapse between the expiration of a public key and the reissue of the certificates to them.

IEEE 802.11 Standards
Active mode (can transmit and receive) and power save mode (does not enable the user to transmit or receive).
- Interface between clients and base station
- 802.11 layers
- The physical layer (PHY) can use:
  o DSSS – Direct Sequence Spread Spectrum
  o FH – Frequency Hopping Spread Spectrum
  o IR – Infrared pulse modulation: more secure against data capture since it requires a line-of-sight path
- MAC layer – Medium Access Control: specifies CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
- Provides:
  o Data transfer
  o Association
  o Re-association
  o Authentication – WEP
  o Privacy – WEP
  o Power management

Notes to remember

- Private key cryptography is 1000 or more times faster than public key cryptography.
- Time stamps can be used to prevent replay attacks.
- A one-time pad is usually implemented as a stream cipher using the XOR function.
- The security of a cryptosystem should depend only on the secrecy of the keys, not the algorithm.
- Unix systems use a substitution cipher called ROT13.
- Lightweight Directory Access Protocol (LDAP) appears to be the chosen method for distributing keys. Keep in mind that the server storing the certificates and the delivery of the certificates containing the keys do not have to be secure: the signature from the CA on the certificate vouches for the authenticity of the key pair.
- Availability and integrity are the main concerns of the LDAP server: if it is attacked by DoS, the CRL cannot be processed, which permits the use of a revoked certificate for transactions.
- Protecting the private key of the CA, the software used for signing, and the private keys of users is important. Users are secured by an encrypted passphrase and/or smart cards with CPU and RAM, unlocked by the PIN when inserted in a card reader.


The Data Criticality Matrix is helpful in comprehending and prioritizing an organization’s information asset security categories. This matrix includes 5 security requirements. The widely used CIA requirements of Confidentiality, Integrity and Availability are supplemented with the two additional requirements: Non-repudiation and Time.

RSA Secure PC

This is just a hint. The object of encryption is always the individual file rather than the drive or the directory. When a file is initially encrypted, the system generates a 64-bit block cipher key to be used to encrypt the file. This file key is then encrypted using the public key of the system and is stored with the file.

Cryptography requirements

Secrecy requirements
- If ciphertext and plaintext are known, it should be computationally infeasible to determine the deciphering algorithm.
- It should be computationally infeasible to systematically determine plaintext from intercepted ciphertext (even if you decrypt ciphertext once, it should require the same amount of work to do it again).

Note: "systematically" allows for a lucky guess.
Note: "computationally infeasible" means great effort; it doesn't account for advances in computing and mathematics.

Authentication requirements
- If ciphertext and plaintext are known, it should be computationally infeasible to determine the enciphering algorithm.
- It should be computationally infeasible to find valid ciphertext (even if you encrypt plaintext so that it can be decrypted once, it should require the same amount of work to do it again).

Identify applications of cryptography

- Data storage: prevent disclosure (password files, backup tapes)
- Bulk telecommunications: prevent disclosure (data transmission, STU)
- Message authentication: detect fraudulent insertion, detect fraudulent deletion, detect fraudulent modification, detect replay
- Digital signature: source verification, non-repudiation

Uses

EFT systems; protecting stored data; e-mail; communication links; VPNs; e-commerce (secure WWW connections): SSL, S-HTTP; digital signatures: MD5, SHA.

Encryption laws:

The Electronic Data Security Act states its goals as:

To enable the development of a key management infrastructure for public-key-based encryption and attendant encryption products that will assure that individuals and businesses can transmit and receive information electronically with confidence in the information's confidentiality, integrity, availability, and authenticity, and that will promote timely lawful government access.

Standards activities involving ECC

- IEEE P1363 (public-key crypto): covers the main public key techniques RSA, ECC, ElGamal, Diffie-Hellman
- IEEE P1363a will cover additional public-key techniques
- ANSI X9: Elliptic Curve Digital Signature Algorithm (ECDSA), proposed work item
- ANSI ASC X9: elliptic curve key agreement and key management, proposed work item
- ISO/IEC CD 14888-3 "digital signatures with appendix": a variety of digital signature mechanisms

ISO/IEC (International Electrotechnical Commission) is the joint technical committee developing the standards for information technology.

There are four types of modules: inline, offline, embedded, stand-alone.

Inline

Front-end configuration. Module capable of accepting plaintext from the source:
  o performing crypto processing
  o passing processed data directly to communications equipment
  o without passing it back to the source
May also decrypt (reverse process). Data cannot leave the host without passing through the module. Communications equipment may be in the module or external to the host.

Offline

Back-end configuration. Module capable of accepting data from the source:
  o performing crypto processing
  o passing processed data back to the source; the source is responsible for storage and further transmission
  o maintaining separation between protected and unprotected data
Ideal for local file encryption. Communications boards may be internal to the host.

Embedded

Module physically enclosed within and interfacing with the computer. Either inline or offline. Less expensive. Physical security (tamper protection and detection) questionable.

Standalone

Module contained in its own physical enclosure, outside the host computer. Either inline or offline.

Describe the principles of key management
- Must be fully automated.
- Key length should be long enough to provide the necessary level of protection.
- Keys should be stored and transmitted by secure means, for key discipline and secrecy.
- No key in the clear outside the crypto device, for secrecy and known-plaintext attack resistance.
- Choose keys randomly from the entire key space, to prevent a pattern that can be exploited by an attacker to reduce work.
- Key-encrypting keys must be separate from data keys: nothing appearing in the clear is encrypted with a key-encrypting key. Keep the KEK invulnerable to brute force attack.
- Disguise all patterns in the cleartext object before encryption (format, language, alphabet, public code) to resist ciphertext-only attacks.
- Use keys with a long life infrequently: the more a key is used, the more likely a successful attack and the greater the consequences, so the shorter its lifetime should be. Backed by escrow in case of emergencies.
- Lifetime should correspond with the sensitivity of the data it is processing.
- Emergency key recovery can be made possible by multiparty control: a member from management, an individual from auditing and the IT department, requiring collusion for fraudulent activities to take place (key escrow).

Key management activities
- Key control
- Key recovery
- Key storage
- Key retirement/destruction
- Key change
- Key generation
- Key theft
- Frequency of key use

Describe bitstream authentication
- Generate a new MAC and compare it with the original MAC.
Algorithm qualities:
- Sensitive to bit changes
- Creates a MAC that cannot be duplicated

In the mid-80's, NSA introduced a program called the Commercial COMSEC Endorsement Program, or CCEP (Commercial Communications Security Endorsement Program):
- NSA and industry relationship: combines government crypto knowledge with industry product-development expertise.
- Type 1 or Type 2 high-grade crypto products. Type 1 encrypts classified and SUI:
  o STU – Secure Telephone Unit
- Type 2 encrypts SUI:
  o Authentication devices, transmission security devices, secure LANs

Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal purposes or even as a weapon of war. During wartime, the ability to intercept and decipher enemy communications is crucial; hence it is protected.

Cryptography is just one of many technologies covered by the ITAR (International Traffic in Arms Regulations).

In the United States, government agencies consider strong encryption to be systems that use RSA with key sizes over 512 bits or symmetric algorithms (like DES, IDEA, or RC5) with key sizes over 40 bits. Since government encryption policy is heavily influenced by the agencies responsible for gathering domestic and international intelligence (the FBI and NSA, respectively), the government is compelled to balance the conflicting requirements of making strong cryptography available for commercial purposes while still making it possible for those agencies to break those codes, if need be. The US government does, however, allow 56-bit block ciphers to be exported for financial cryptography.


Cryptographic Protocols & Standards

Domain Name Server Security (DNSSEC)
  o Secure distributed name services
Generic Security Services API (GSSAPI)
  o Provides a generic authentication, key exchange and encryption interface for different systems and authentication methods
Secure Socket Layer (SSL)
  o Secure WWW connections
Secure Hypertext Transfer Protocol (SHTTP)
  o Secure WWW connections
  o More flexible than SSL, but not as widely used
E-mail security and related services
  o S/MIME (Secure MIME): Secure Multipurpose Internet Mail Extensions. Specs for secure electronic messaging. Developed to fix interception and forgery of e-mail. Easily integrated into e-mail and messaging products. Provides privacy, data integrity, authentication.
  o MSP (Message Security Protocol): offers confidentiality, authentication, non-repudiation, return-receipt, signature.
  o Public Key Cryptography Standards (PKCS): provides an agreed-upon format for public key cryptography; extension to PEM.

SSH2 Protocol
Used to secure terminal sessions, developed by IETF. Provides 3 components:
- Transport Layer Protocol: server authentication, confidentiality, and integrity
- User Authentication Protocol: authenticates the client to the server
- Connection Protocol: multiplexes the encrypted tunnel into several logical channels


X.509

1) Framework for the provision of authentication services by the X.500 directory to its users.
2) The directory is a repository of public key certificates.
3) A certificate contains the public key of a user and is signed by the private key of a trusted certification authority.
4) X.509 defines alternative authentication protocols as well.
5) The certificate structure and authentication protocols are defined here, hence it is very important and used in a variety of contexts, e.g. SSL, SET, S/MIME etc.
6) Based on public key cryptography and digital signatures; the recommended algorithm is RSA.
7) A certificate is associated with each user. The certificate contains: version, serial number, signature algorithm identifier, issuer name, period of validity, subject name, subject's public key information, issuer unique identifier, subject unique identifier, extensions and signature.
8) Cross certificates between CAs.
9) Suggests that CAs be arranged in a hierarchy so that navigation is straightforward.
10) Forward certificates: certificates of X generated by other CAs.
11) Reverse certificates: certificates generated by X that are the certificates of other CAs.
12) Revocation of certificates, which must be maintained in a CRL.

Authentication

One-way authentication: the initiating entity is authenticated; the message is from A and is for B, and integrity and originality are assured.

Two-way authentication: all three, plus the reverse is also done.

Three-way authentication: a final message from A to B is included, which contains a signed copy of the nonce.

X.509 version 3: capabilities needed for recent designs and implementations that were not available were added, to include key and policy information, certificate and issuer identification, and certificate path constraints.
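The one-, two- and three-way exchanges above, simulated end to end with both parties' messages, as an added example (not code from the study guide): the signatures are textbook RSA over fixed Mersenne primes (an assumption for a self-contained demo, never for real use), the timestamps, nonces and replay cache follow the description above, and the principal names and key sizes are constructed.

```python
"""X.509 one-, two- and three-way authentication as outlined above, simulated
end to end. Constructed example, not library code: signatures are textbook
RSA over fixed Mersenne primes (assumption for a self-contained demo) and the
'certificate' is just the peer's public key held in memory."""
import hashlib, json, os

E = 65537  # public exponent for both toy key pairs

def _digest(token, n):
    """Hash the canonical JSON form of a token to an integer below the modulus."""
    h = hashlib.sha256(json.dumps(token, sort_keys=True).encode()).digest()
    return int.from_bytes(h, "big") % n

class Principal:
    def __init__(self, name, p, q):
        self.name = name
        self.n = p * q                              # public modulus
        self._d = pow(E, -1, (p - 1) * (q - 1))    # private exponent
        self.seen = set()      # nonces accepted so far (replay protection)
        self.pending = {}      # nonce we sent -> peer expected to echo it

    def public(self):
        return (E, self.n)

    def sign(self, token):
        return pow(_digest(token, self.n), self._d, self.n)

    @staticmethod
    def verify(pub, token, sig):
        e, n = pub
        return pow(sig, e, n) == _digest(token, n)

    def send(self, peer, now, echo=None):
        """Build a signed token to peer: timestamp (None when clocks are not
        relied on), a fresh nonce, and optionally the peer's nonce echoed back."""
        token = {"from": self.name, "to": peer.name, "t": now,
                 "nonce": os.urandom(8).hex(), "echo": echo}
        self.pending[token["nonce"]] = peer.name
        return token, self.sign(token)

    def accept(self, peer, token, sig, now, skew=60):
        """Check a token from peer; raise ValueError naming the failed check."""
        if not self.verify(peer.public(), token, sig):
            raise ValueError("bad signature")
        if token["to"] != self.name or token["from"] != peer.name:
            raise ValueError("wrong addressee")
        if token["t"] is not None and abs(now - token["t"]) > skew:
            raise ValueError("stale timestamp")
        if token["nonce"] in self.seen:
            raise ValueError("replayed nonce")
        if token["echo"] is not None and self.pending.pop(token["echo"], None) != peer.name:
            raise ValueError("nonce not echoed")
        self.seen.add(token["nonce"])
        return True

def one_way(a, b, now):
    """A -> B: B learns the message is from A, for B, fresh and unmodified."""
    tok, sig = a.send(b, now)
    return b.accept(a, tok, sig, now)

def two_way(a, b, now):
    """Adds B -> A carrying A's nonce, so A also authenticates B."""
    tok, sig = a.send(b, now)
    b.accept(a, tok, sig, now)
    rep, rsig = b.send(a, now, echo=tok["nonce"])
    return a.accept(b, rep, rsig, now)

def three_way(a, b):
    """Final A -> B signs B's nonce; no timestamps, so clocks need not be synchronized."""
    tok, sig = a.send(b, None)
    b.accept(a, tok, sig, None)
    rep, rsig = b.send(a, None, echo=tok["nonce"])
    a.accept(b, rep, rsig, None)
    fin, fsig = a.send(b, None, echo=rep["nonce"])
    return b.accept(a, fin, fsig, None)

def attempt(fn, *args):
    """Run fn; '' on success, otherwise the ValueError message."""
    try:
        fn(*args)
        return ""
    except ValueError as e:
        return str(e)

# Constructed key pairs on Mersenne primes (toy sizes, never for real use).
ALICE = Principal("A", (1 << 61) - 1, (1 << 107) - 1)
BOB = Principal("B", (1 << 89) - 1, (1 << 127) - 1)
```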


Cracking of Symmetric and Asymmetric – History

DES Cracker
- In 1998, the DES message was cracked in 39 days.
- In July 1998 EFF (Electronic Freedom Foundation) announced that it had easily won the RSA Security 'DES Challenge II', taking less than 3 days to recover the original message.
- In January 1999, EFF announced that, in collaboration with Distributed.Net, it had won the RSA Security 'DES Challenge III', taking 22 hours to recover the plaintext.
- In 1977, Whitfield Diffie and Martin Hellman proposed the construction of a DES-cracking machine that could crack 56-bit DES keys in 20 hours.
- In 1994, Michael Wiener proposed a design built from existing technology which could crack 56-bit DES in under 4 hours for a cost of US $1 million.
- Contests held in 1997 and 1998 to crack DES-encrypted messages were won by distributed computing efforts.

RSA-155 (512-bit) factorization:
- In August 1999 the factorization of the 155-digit (512-bit) RSA Challenge Number was completed in around five to seven months without dedicated hardware.
- RSA-140 was solved in 9 weeks.
- In summer 1999, Adi Shamir presented a design for the Weizmann Institute Key Locating Engine (TWINKLE); cost: US $5000, providing processing equivalent to 100 to 1000 PCs. This device is targeted at 512-bit RSA keys.
- In January 1997, it was announced that a Berkeley student using the idle time on a network of 250 computers was able to break the RSA challenge message, encrypted using a 40-bit key, in three and one-half hours.

Data/session keys: these are often negotiated using standard protocols or sent in a protected manner using secret, public and private keys.

Key-encrypting keys. Split keys.

Strength Comparison

Moore's law: processing speeds seem to double (or costs halve) every 18 months.

A MIPS year (M.Y.) is the number of instructions a million-instructions-per-second machine can execute in one year. One M.Y. is approximately 10^13.5 instructions. Based on exhaustive key search, a triple-DES (112-bit) key is approximately equal to a 1792-bit RSA key (i.e., key modulus) and a 1024-bit RSA key is approximately equal to a 160-bit ECC key.

EC key size   RSA key size   MIPS years
160           1,024          10^12
320           5,120          10^36
600           21,000         10^79
1,200         120,000        10^168