
Page 1: “He, who wants to defend everything, defends nothing.”

--- Frederick, the Great

Page 2: Focus of a Security Plan

Reference: Thomas Calabrese, “Information Security Intelligence,” Thomson Delmar Learning, 2004, pp. 4

• Scope: restricting the scope as much as possible
• Prioritization
• Practicability

Some Examples of Attacks and a Hint about technologies

Page 3: Example of a Security Incident: Phishing

Phishing (mis)uses the following rule: if ASCII 00 and 01 characters are used just prior to the @ character, IE would not display the rest of the URL.

Example: http://www.whitehouse.gov%01%[email protected]/......

will show up as http://www.whitehouse.gov in the status bar, as if the message were from the White House. However, the response will go to the hacker.
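One way a mail gateway or link checker could flag the pattern described above, as an added example that is not part of the original slides. The hosts are constructed documentation values, `audit_link` is a hypothetical helper, and `shown_as` only models the truncation behaviour the slide describes.

```python
import re
from urllib.parse import urlsplit, unquote

# C0 control characters and DEL; the rule above relies on 0x00 and 0x01.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def audit_link(url):
    """Report where a link really goes and why it may be deceptive."""
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo, at_sign, _hostport = parts.netloc.rpartition("@")
    findings = []
    if at_sign:
        findings.append("userinfo-before-@")
        decoded = unquote(userinfo)
        if CONTROL_CHARS.search(decoded):
            findings.append("control-char-before-@")
        # A userinfo part that reads like a host name is a classic decoy.
        if HOSTNAME_LIKE.fullmatch(CONTROL_CHARS.split(decoded)[0]):
            findings.append("userinfo-looks-like-hostname")
    # Model of the display rule: the text is cut at the first control character.
    shown_as = CONTROL_CHARS.split(unquote(parts.netloc))[0]
    return {"real_host": parts.hostname, "shown_as": shown_as, "findings": findings}


# Constructed sample links (documentation-only names and addresses).
SAMPLES = [
    "http://www.bank.example%01%00@203.0.113.7/login",
    "https://www.bank.example/login",
    "ftp://user:pw@files.example/pub",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", audit_link(link))
```

A link is worth blocking or rewriting whenever `real_host` differs from `shown_as`, regardless of which individual findings fired.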

Page 4: Anti-Phishing.org

• A Web site, www.antiphishing.org, for reporting incidents, set up by a group of global banks and technology companies, led by secure-messaging firm Tumbleweed Communications Corp.
• Fast response required; the phishing Web sites are often only in place for a day.
• Example: Dec 2003: Phishing e-mail appeared to come from the U.K. bank NatWest. Anti-Phishing.org tracked the IP address to a spoofed home computer in San Francisco. "The owner of the computer probably had no idea he'd been hijacked," says Dave Jevans, Tumbleweed's senior vice president of marketing.

Page 5: Common attacks on Financial Institutions like Banks through Internet

Common attacks:
• phishing (attempts to trick account holders to give their account authentication details away),
• fraudulent association with the bank as part of investment scams, and
• trademark violation

Losses due to attacks:
"The major banks don't want to divulge the amount of losses. But just to give one example, a major Australian bank has put several million dollars in reserve since August 2003 to cover damages due to Internet frauds." – Dave Jevans, eWeek, Dec 2003

Page 6: An Example: time-to-market for Internet Security products

• 16 December, 2003: Discovery of the problem of Phishing
• 5 January 2004: Announcement of development of a new Anti-phishing service by Netcraft, of Bath, England.
• Netcraft says that the service is mainly for banks and other financial organizations

Page 7: General Strategies for security

• Continuous vigilance by monitoring and analysis
• reduce size of target: disable unneeded services
• limit access of attacker to target systems
• hardening the OS and applications
• Use technologies, which cannot be hacked easily

Page 8: General Strategies for security: Technologies

• Confidentiality: encrypting sensitive data
• Integrity: Hashing, Digital Signatures
• Authentication: Digital certificates
• Non-repudiation: Trusted Digital 3rd party signatures

Page 9

“Using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

--- Professor Eugene Spafford, Purdue University

Page 10: CRYPTOGRAPHY

Cryptography (from two words in Greek): means secret writing.

Cryptanalysis: breaking of a cryptographic code

CRYPTOGRAPHY: process data into unintelligible form,
• reversibly/irreversibly
• without data loss
• usually one-to-one in size /compression

Page 11: Cryptography

Services, provided by cryptographic tools:
• Encoding information into a form which makes the information unintelligible to an unauthorized person
• integrity checking: no tampering
• authentication: not an impostor

[Diagram: Encryption or Enciphering. Plaintext and Key enter the Encryption Algorithm, which outputs Ciphertext.]

Page 12: Why encrypt?

A few valid reasons for (reversibly) encrypting data are:

To prevent casual browsers from viewing sensitive data files

To prevent accidental disclosure of sensitive data

To prevent privileged users (e.g., system administrators) from viewing private data files

To complicate matters for intruders who attempt to search through a system's files

Page 13: Kerckhoffs’s principle

The security of an encryption scheme should depend upon only the secrecy of the key, and NOT on the secrecy of the algorithm.

Page 14: Classification

Two types of Encryption Algorithms:
• Reversible
• Irreversible

Two types of Keys:
• Symmetric
• Asymmetric

Page 15: Types of Cryptographic Algorithms

Cryptographic Algorithms:
• Secret Key
  • Example: DES, AES (Rijndael)
• Public Key
  • Example: RSA, Rabin, El Gamal
• Message Digest (Hash or cryptographic checksum)
  • Example: SHA 256
• Message Authentication Codes

Page 16: Reversible Encryption

[Diagram: Reversible ENCRYPTION. Cleartext and the encryption key enter the ENCRYPTION DEVICE, which outputs ciphertext; ciphertext and the decryption key enter the Decryption Device, which outputs cleartext.]

Can be used only when the same type of encryption software/equipment is available at both the ends.

Page 17: Decryption

[Diagram: Decryption or Deciphering. Ciphertext and Key enter the Decryption Algorithm, which outputs Plaintext.]

Page 18: Fingerprinting Data

Irreversible Encryption: Hash Functions

[Diagram: Plaintext enters the Encryption Algorithm, which outputs the Hash.]

Collisions in the output?

Page 19: Cryptographic Hash Functions (H)

• H: a transformation
• m = variable size input
• h = hash value: a fixed size string, also known as message digest or fingerprint or compression function.

[Diagram: m → H(m) → h]

Page 20: Message Digest

[Diagram: Variable Length Message → Hashing Algorithm → Fixed Length Digest]

Page 21: Uses of Hash Functions

• Integrity check
• for getting a document time-stamped without revealing its contents to the time stamp service
• Authentication through Digital Signatures
• For generation of pseudo-random numbers
• to generate several keys from a single shared secret

Typical output of a Hash: 128 to 512 bits

Page 22: A Cryptographic Hash function

Properties of Cryptographic Hash functions:
• One-way functions
• ‘Hard’ to invert: computationally infeasible to find some input m such that H(m) = h.
• Collision-resistant: a very large number of collisions exist. But these cannot be found.
• Should be a random mapping from all possible input values to the set of possible output values

Page 23: Message Digest (MD)

• Consider an algorithm that generates outputs which are randomly distributed.
• Let the MD (output) be of n bits
• $2^n$: number of possible outputs.
• Since these are randomly distributed, the probability is that after $1.2\,(2^n)^{1/2}$ digests are computed, we may find the same value.
  (Reference: statistical ideas of Birthday Paradox; please see the last set of slides on Cryptanalysis for a statement of the Paradox.)
• Thus for n = 128, it would be $(1.2)\,2^{64}$.

Page 24: Definitions

WEAKLY COLLISION FREE HASH FUNCTION: Given a message $m_1$, it is computationally infeasible to find $m_2$ such that $m_1$ is not equal to $m_2$, and $H(m_1) = H(m_2)$.

STRONGLY COLLISION FREE HASH FUNCTION: It is computationally infeasible to find any two messages $m_1$ and $m_2$ such that $H(m_1) = H(m_2)$.

Page 25: Hash Functions: Collision-free Example

Example: Consider a Hash of 128 bits.
• Weak: The probability of finding a message $m_2$ corresponding to a given hash value $H(m_1)$ is $2^{-128}$.
• Strong: The probability of finding two messages with the same hash value (with no constraint on any of the two messages) is $2^{-64}$.
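The gap between the weak and the strong case can be measured on a digest small enough to search, as an added example that is not part of the original slides. It assumes a toy n-bit hash made from the top n bits of SHA-256 (a stand-in, not a standard construction), and all messages are constructed.

```python
import hashlib


def h(msg, n_bits):
    """Toy n-bit digest: the top n bits of SHA-256 (assumption for this demo)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def birthday_estimate(n_bits):
    """Number of digests after which a repeat is expected: 1.2 * (2^n)^(1/2)."""
    return 1.2 * 2 ** (n_bits / 2)


def find_collision(n_bits, limit):
    """Strong case: any two distinct messages with the same digest."""
    seen = {}
    for i in range(limit):
        m = b"strong-%d" % i
        d = h(m, n_bits)
        if d in seen:
            return seen[d], m, i + 1      # (m1, m2, digests computed)
        seen[d] = m
    return None


def find_second_preimage(target, n_bits, limit):
    """Weak case: a different message matching the digest of a GIVEN message."""
    want = h(target, n_bits)
    for i in range(limit):
        m = b"weak-%d" % i
        if m != target and h(m, n_bits) == want:
            return m, i + 1               # (m2, digests computed)
    return None


if __name__ == "__main__":
    n = 16
    m1, m2, strong_tries = find_collision(n, 20 * 2 ** (n // 2))
    m3, weak_tries = find_second_preimage(b"constructed target message", n, 32 * 2 ** n)
    print("n =", n, "bits; birthday estimate =", round(birthday_estimate(n)))
    print("strong collision after", strong_tries, "digests:", m1, m2)
    print("weak collision after", weak_tries, "digests:", m3)
```

For n = 16 the strong search typically finishes after a few hundred digests while the weak search needs tens of thousands, the same square-root gap as $2^{64}$ against $2^{128}$ for a 128-bit hash.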

Page 26: Properties of Cryptographic Hash functions (continued)

• H(m) is easy to compute.
• The input can be of any length.
• The output has a fixed length.

Notes:
1. Consider a transformation of a sequence of length $n_1$ to a sequence of length $n_2$, where $n_1 > n_2$. In such a case, there must exist multiple input sequences that map to the same fixed-length hash value.

Page 27: Notes on hash functions (continued)

In the definitions of hash functions, it is only required that ‘to find x’ should be computationally infeasible, even though we know that x exists.

2. Computationally Infeasible (CI) means that the time complexity of the algorithm should grow faster than any polynomial.

So CI means that it may take an extremely long time to compute x on even the fastest machine of the day.

Page 28: Popular Hash Functions

Iterative functions:
• Split the message to equal sized blocks $m_1, m_2, \ldots, m_k$ (padding for the last block)
• $H_i = h(H_{i-1}, m_i)$, with $H_0$ as a fixed value

MD2, MD4 and MD5 developed by Rivest.
• MD2 (1989): Optimized for 8 bit machine;
• MD4 (1990), MD5 (1991): Optimized for 32-bit machines.
• MD4 and MD5: Both produce a 128-bit hash value.

Page 29: Popular Hash Function: MD5

• MD4:
  • Den Boer and Bosselaers (in a paper in 1991) discovered weaknesses.
  • was cracked by Dobbertin. He devised a method to generate collisions in MD4.
• MD5 (Ref: RFC 1321) was supposed to be more secure.
  • probability of MD5 collision $1/(3 \times 10^{38})$
  • 1994: A non-fatal flaw discovered.
• SHA1 (Secure Hash Algorithm):
  • Produces a 160 bit hash value from a message of less than $2^{64}$ bits;

Page 30: Popular Hash Function: SHA 1

• SHA 1: designed by NSA and standardized by NIST as a part of the Capstone project (based on MD5 and 2 to 3 times slower than MD5). (Ref: RFC 3174 and FIPS 180-1)
• Aug 2004: reported generating collisions in MD4 using "hand calculation", and in the family of MD4/MD5/SHA/RIPEMD. So its usage is now not recommended.*

*Reference: Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD,” Cryptology ePrint Archive: Report 2004/199, http://eprint.iacr.org/2004/199.pdf

Page 31: Popular Hash Functions: To be used today

• SHA 256, SHA 384 and SHA 512 (Ref: FIPS 180-2)
  • designed for use with AES with 128, 196 and 256 bits.
  • Slower than SHA1; may take nearly as much time as encryption by AES.
  • SHA384 uses SHA 512 method and discards the remaining bits. So though it takes the same time as SHA 512, it is less secure.
• Others:
  • Snefru: generates 128 bit or 256 bit hash;
  • Haval: produces 128, 160, 192, 224 or 256 bit hash.

Page 32: Secret Key/ Symmetric Cryptography

Simpler and faster (than asymmetric by a factor of 1000)

For Integrity check, a fixed-length checksum for the message may have to be used; CRC* not sufficient

*Cyclic Redundancy Check

Page 33: Symmetric Key Encryption

Also called Private/Secret key Encryption

[Diagram: at the Sender-end, the Message by sender is encrypted with the Pr-key; the Encrypted Message travels over the Internet; at the Receiver-end, the Encrypted Message is decrypted with the same Pr-key to give the Message at receiver.]

Page 34: Symmetric Key Cipher Standards

• Data Encryption Standard: the initial version developed by IBM as a US standard from 1975 to 1999
• Advanced Encryption Standard
  • The proposal from two Belgian professors accepted in Sept 2000
  • Declared in Nov 2001

Page 35: Theoretical Basis of DES

Claude Shannon’s theories: Recapitulation

1945: Introduce diffusion and confusion through cryptographic algorithms.

• Diffusion: Use permutation followed by some functional transformation.
  • So that one ‘character’ in ciphertext = function of a large number of ‘characters’ in the plaintext.
  • Thus if e is the most commonly used character in English plaintext, it may not be so in the ciphertext.
  • In ciphertext all the characters should have ideally an equal frequency of occurrence.

Page 36: Diffusion & Confusion: Recapitulation

• Diffusion: seeks to make statistical relationship between the plaintext and ciphertext as complex as possible. Diffuses the structure of the plaintext over a large part of the ciphertext.

• Confusion: makes the relationship between the statistics of the ciphertext and the encryption key as complex as possible.

• Achieved by using a complex substitution algorithm.

Page 37: Substitution and permutation

Substitution or Permutation: easy to break by using statistical analysis

• For every language: frequency of characters, digrams (two letter sequences) and trigrams are known. This allows statistical analysis to decipher encrypted information.
• English: e: the character with highest frequency
• C: #define and #include in the beginning
• Protocols and tcpdump: repetitive, fixed sized fields

Page 38: Kerckhoffs’s Rule

The strength of an encryption algorithm depends upon:
1. Design of the algorithm
2. Key length
3. Secrecy of the key (requires proper management of key distribution)

1883: Jean Guillaume Hubert Victor François Alexandre Auguste Kerckhoffs von Nieuwenhof: “Cryptosystems should rely on the secrecy of the key, but not of algorithm.”

Advantages of Openness: 1994: A hacker published the source code of RC4, a secret encryption algorithm, designed by RSA Data Security Inc. This led to attacks that exposed several weaknesses of RC4.

Page 39: Types of Cipher Algorithms

• Streaming Cipher: encrypts data bit by bit
• Block cipher: encrypts a fixed-sized block of data at a time

Block ciphers:
• For a 64 bit block of plaintext, for encryption to a 64-bit ciphertext, may need a table of $2^{64}$ = 150 million terabytes.
• For a block size of 128 bits, the table would require a memory of $5 \times 10^{39}$ bytes.

Page 40: DES Encryption

DES: a public standard. But its design criterion has not been published.

64 bit plaintext goes through
• an Initial Permutation (IP).
• 16 Rounds of a complex function $f_k$ as follows:
  • Round 1 of a complex function $f_k$ with sub key $K_1$.
  • Round 2 of a complex function $f_k$ with sub key $K_2$.
  • ...
  • Round 16 of a complex function $f_k$ with sub key $K_{16}$.
  Every round ends with a swap of Left-half and Right-half.
• an Inverse Initial Permutation ($IP^{-1}$) to produce 64 bit ciphertext.

Page 41: DES Round

• x: block of plaintext
• let $x_0 = IP(x) = L_0 : R_0$
• 16 rounds with f: cipher function; $K_i$: sub-key for the i-th round
• While i ≤ 16, $x_i = L_i : R_i$
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$

Page 42: Function f

• Expansion permutation to get 48 bits from 32 bits of $R_i$: each input block of 4 bits contributes 2 bits to each output block
  • Avalanche Effect: A small difference in plaintext causes quite different ciphertext
• $E(R_{i-1}) \oplus K_i$
• S-boxes for converting 48 bits to 32 bits output: non-linear; provide major part of the strength of the cipher
• Straight permutation
• XOR with left half
• Switch the left half and the right half

Page 43: Key Schedule Algorithm

• Each sub-key $K_i$: 48 bits: obtained from a 56 bit key K
• Fixed Permutation: $PC1(K) = C_0 : D_0$
• A left circular shift (of 1 or 2 bits) on the Left-half ($C_0$) and Right-half ($D_0$) separately (Output: $C_1$ of 28 bits and $D_1$ of 28 bits)
  • 2 bits: for rounds 3-8 and 10-15
• Compression permutation PC2 to get 48 bit key $K_i$ from $C_i : D_i$
• Round-dependent left shifts: different parts of initial key create each sub-key

Page 44: Sub Key Generation

The input key: 56 bits

• Hardware Design: the 8, 16, 24, 32, 40, 48, 56 and 64th bit is always the odd parity bit (64 bit key).
• Software design: the key is stated in ASCII code. Each character of 8 bits, with the first bit being zero plus 7 bits of code. (!)

Since DES was designed with the viewpoint of hardware implementation, the conversion to 56 bits is done by neglecting every 8th bit. PC1 converts to 56 bits and permutes.

Page 45: Key Schedule

• K: 64 bit key
• $C_0 : D_0 = PC1(K)$, 56 bit key
• 16 steps for i = 1-15: A left circular shift (of 1 or 2 bits) on the Left-half ($C_{i-1}$) and Right-half ($D_{i-1}$) separately (Output: $C_i$ of 28 bits and $D_i$ of 28 bits)
• 16 Subkeys for i = 1-15: $K_i = PC2(C_i : D_i)$ of 48 bits each

Page 46: PC1: Obtaining C0 and D0

PC1 generates C0 and D0, the left and the right halves respectively.

C0: Read the first column of the input 64-bit key from bottom up. Write it row-wise from left to right. Repeat for the second, the third and the lower-half of the fourth column respectively.

D0: Read the seventh column of the input 64-bit key from bottom up. Write it row-wise from left to right. Repeat for the sixth, the fifth and the upper-half of the fourth column respectively.

Probably the conversion to the two halves was done due to the limitation of the hardware of seventies.

Page 47: Sub Key Generation: continued

Thus DES has a 56 bit key K consisting of C0 and D0. All the sub keys K1 to K16 are of 48 bits. To generate these keys, K goes through
• A Permuted Choice (PC-1) (output C0 of 28 bits and D0 of 28 bits).
• A left circular shift (of 1 or 2 bits) on the Left-half (C0) and Right-half (D0) separately (Output: C1 of 28 bits and D1 of 28 bits), followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K1 of 48 bits.

Page 48: Sub Key Generation (continued)

• A left circular shift (of 1 or 2 bits) on the Left-half (C1) and Right-half (D1) separately (Output: C2 of 28 bits and D2 of 28 bits), followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K2 of 48 bits.
• .
• .
• .
• A left circular shift (of 1 or 2 bits) on the Left-half (C15) and Right-half (D15) separately (Output: C16 of 28 bits and D16 of 28 bits), followed by a Permuted Choice (PC-2) which permutes as well as ‘contracts’ to produce a sub-key K16 of 48 bits.

Page 49: Key Schedule

$KA = PC1(K)$
$KB_1 = LS_j(KA)$; $LS_j$ is left circular shift by j bits, on the two halves of the 56 bits separately. j is given by Table 5.
$KB_2 = LS_j(KB_1)$
$KB_3 = LS_j(KB_2)$
.
$KB_i = LS_j(KB_{i-1})$
.
$KB_{16} = LS_j(KB_{15})$
$K_i = PC2(KB_i)$
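The key schedule described on the preceding slides, as an added runnable example that is not part of the original slides. PC1 is built from the column-reading rule given above and the shift amounts from the "2 bits for rounds 3-8 and 10-15" rule; the PC2 table is not on the slides and is taken from the DES standard, and the key is a constructed test value.

```python
def build_pc1():
    """PC1 from the column rule: key bits 1..64 laid out as 8 rows of 8."""
    def column(c, rows):
        # bit number found at 0-based row r, 1-based column c
        return [8 * r + c for r in rows]

    bottom_up = range(7, -1, -1)
    c0 = (column(1, bottom_up) + column(2, bottom_up) + column(3, bottom_up)
          + column(4, range(7, 3, -1)))        # lower half of column 4
    d0 = (column(7, bottom_up) + column(6, bottom_up) + column(5, bottom_up)
          + column(4, range(3, -1, -1)))       # upper half of column 4
    return c0, d0                              # column 8 (parity) is never read


# PC2 (compression permutation) from the DES standard; assumption, not on the slides.
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

# Left-shift amount per round: 2 bits for rounds 3-8 and 10-15, otherwise 1.
SHIFTS = [2 if (3 <= r <= 8 or 10 <= r <= 15) else 1 for r in range(1, 17)]


def subkeys(key64):
    """Return the sixteen 48-bit sub-keys K1..K16 for a 64-bit key (as ints)."""
    bits = [(key64 >> (64 - i)) & 1 for i in range(1, 65)]   # bits[0] is bit 1
    c_idx, d_idx = build_pc1()
    c = [bits[i - 1] for i in c_idx]           # C0, 28 bits
    d = [bits[i - 1] for i in d_idx]           # D0, 28 bits
    keys = []
    for shift in SHIFTS:
        c = c[shift:] + c[:shift]              # circular left shift of each half
        d = d[shift:] + d[:shift]
        cd = c + d
        k = 0
        for pos in PC2:                        # permute and contract 56 -> 48 bits
            k = (k << 1) | cd[pos - 1]
        keys.append(k)
    return keys


SAMPLE_KEY = 0x133457799BBCDFF1                # constructed test key

if __name__ == "__main__":
    for n, k in enumerate(subkeys(SAMPLE_KEY), start=1):
        print("K%-2d = %012X" % (n, k))
```

Because the shifts add up to 28, C16 and D16 equal C0 and D0 again, and flipping any parity bit of the key leaves all sixteen sub-keys unchanged.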

Page 50: i-th Round

The part in yellow, in the previous slide, shows the subkey generation. After PC1, the circular rotations are independent for the left half and the right-half.

ENCRYPTION: In the i-th round,
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i) = L_{i-1} \oplus P(S(E(R_{i-1}) \oplus K_i))$

where
• E: expansion from 32 bits to 48
• S: using 8 S-boxes to convert 48 bits to 32 bits – each S box converts 6 bits to 4 bits
• P: permutation

Page 51: Expansion-Permutation (E/P)

• In figure 2, the E-table generates 48-bit output from 32 bit input by expansion-permutation by using table T6.

Table T6: E/P

32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Page 52: DES Decryption

Decryption uses the same algorithm as encryption except that the application of the sub-keys is reversed:
• In the first round of decryption, sub-key K16 is used.
• .
• .
• .
• In the 16th round of decryption, sub-key K1 is used.

Page 53: Decryption Relations

ENCRYPTION: (from slide 49)
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i) = L_{i-1} \oplus P(S(E(R_{i-1}) \oplus K_i))$

Rewriting: DECRYPTION relations are:
$R_{i-1} = L_i$
$L_{i-1} = R_i \oplus F(R_{i-1}, K_i)$

On substituting the value of $R_{i-1}$ from the first decryption relation,
$L_{i-1} = R_i \oplus F(L_i, K_i)$

Page 54: Decryption Process

• First: IP on ciphertext: undoes the final $IP^{-1}$ step of encryption
• 16 Rounds:
  • First round with subkey 16 undoes 16th round of encryption
  • .
  • .
  • Sixteenth round with subkey 1 undoes 1st encryption round
• Last: $IP^{-1}$ undoes the initial encryption IP
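The decryption relations above hold for any round function, which the following added example (not part of the original slides) demonstrates with a 16-round Feistel network on 64-bit blocks. The round function here is a constructed stand-in built from SHA-256, not the DES f with its E, S and P steps, the sub-keys are constructed byte strings, and IP and its inverse are left out because they are keyless.

```python
import hashlib


def F(right, subkey):
    """Toy 32-bit round function (assumption, NOT the DES f). It is not invertible."""
    data = subkey + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, subkeys):
    """Run one pass of the network: L_i = R_(i-1), R_i = L_(i-1) XOR F(R_(i-1), K_i)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    # Final swap of the two halves, so that the same routine also decrypts.
    return (right << 32) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same algorithm, sub-keys applied in reverse order (K16 first, K1 last).
    return feistel(block, list(reversed(subkeys)))


def bit_diff(a, b):
    """Number of bit positions in which two blocks differ."""
    return bin(a ^ b).count("1")


# Constructed sub-keys K1..K16 and a constructed plaintext block.
SUBKEYS = [b"K%02d" % i for i in range(1, 17)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, SUBKEYS)
    print("ciphertext          %016X" % ct)
    print("decrypted           %016X" % decrypt(ct, SUBKEYS))
    print("wrong key order     %016X" % feistel(ct, SUBKEYS))
    flipped = encrypt(PLAINTEXT ^ 1, SUBKEYS)
    print("avalanche: %d of 64 bits differ" % bit_diff(ct, flipped))
```

Decryption never computes an inverse of F: each round only recomputes F on the half that was passed through unchanged and XORs it away again.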

Page 55: AES

• AES: designed by Joan Daemen and Vincent Rijmen
• Initially known as Rijndael Cipher

Page 56: Rijndael Cipher

Three steps:
• initial XOR of the block with the sub-key 1
• has 9/11/13 rounds in which state undergoes:
  • byte substitution (the same S-box used on every byte)
  • shift rows (permute bytes between columns)
  • mix columns (subs using matrix multiply of groups)
  • add round key (XOR state with separate sub-keys for each round)
• Incomplete last (i.e. 10/12/14th) round (without mix columns operation)

Page 57: Rijndael Cipher continued

• The Rijndael cipher has a variable block length and key length.
• currently keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192 or 256 bits (all nine combinations of key length and block length are possible).
• Both block length and key length can be extended very easily by multiples of 32 bits.
• Rijndael can be implemented efficiently on a wide range of processors and in hardware.
• all operations can be combined into XOR and table lookups - hence very fast & efficient

Page 58: Rijndael Cipher continued

• for 128 bit block: processes data as 4 groups of 4 bytes each.
• Each group is shown as a column in a matrix of four columns. Each column has 4 rows. Each cell of the 4x4 matrix contains one byte.
• The output in every round creates a new state of 128 bits or of 4 columns of 4 bytes each.
• The ciphertext is the final output generated by the cipher system.

Page 59: Steps of a Round Function

• Round function: uniform and parallel, composed of 4 steps (except for the incomplete last round, which is without MixColumn)
• Each step has its own particular function:
  • ByteSub: non-linearity
  • ShiftRow: inter-column diffusion
  • Mix Column: inter-byte diffusion within columns
  • Round key addition
• Figure on slide 20: shows both encryption and decryption processes; STATE at corresponding levels for encryption and decryption is the same.

Page 60: Pseudo Code for Encryption for the earlier rounds, and, for the last round

Round(State, RoundKey)
{
    ByteSub(State);                  // non-linearity
    ShiftRow(State);                 // inter-column diffusion
    MixColumn(State);                // inter-byte diffusion within columns
    AddRoundKey(State, RoundKey);    // XOR state with the sub-key of this round
}

For the last round, it is a little different:

Round(State, RoundKey)
{
    ByteSub(State);
    ShiftRow(State);                 // no MixColumn in the last round
    AddRoundKey(State, RoundKey);
}
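The round structure in the pseudo code above, as an added runnable example that is not part of the original slides, for the 128-bit block and 128-bit key case only (9 full rounds and the incomplete 10th). The S-box construction, the key expansion and the sample vector are supplied from the AES standard (FIPS-197) rather than from the slides; the code is for study and makes no attempt to run in constant time.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return p


def build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by an affine map."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = build_sbox()

# The state is a list of 16 bytes; byte i sits in row i % 4, column i // 4.


def byte_sub(state):
    return [SBOX[b] for b in state]


def shift_row(state):
    # Row r is rotated left by r columns.
    return [state[(i + 4 * (i % 4)) % 16] for i in range(16)]


def mix_column(state):
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out += [gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out


def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]


def expand_key(key):
    """Derive the 11 round keys (16 bytes each) from a 128-bit key."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def round_full(state, round_key):
    """Round(State, RoundKey) for the earlier rounds."""
    return add_round_key(mix_column(shift_row(byte_sub(state))), round_key)


def round_last(state, round_key):
    """Round(State, RoundKey) for the last round: no MixColumn."""
    return add_round_key(shift_row(byte_sub(state)), round_key)


def encrypt_block(plaintext, key):
    round_keys = expand_key(key)
    state = add_round_key(list(plaintext), round_keys[0])   # initial XOR
    for r in range(1, 10):
        state = round_full(state, round_keys[r])
    return bytes(round_last(state, round_keys[10]))


if __name__ == "__main__":
    # Sample vector from FIPS-197, Appendix C.1.
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(pt, key).hex())
```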

Page 61: Rijndael Cipher continued

Page 62: Three Steps of Decryption

• initial XOR of the ciphertext with the sub-key
• has 9/11/13 rounds in which state undergoes:
  • InvByte substitution (the same Inverse S-box used on every byte)
  • InvShift rows (permute bytes between columns)
  • InvMix columns (subs using matrix multiply of groups)
  • add round key (XOR state with separate sub-keys for each round)
• Incomplete last (i.e. 10/12/14th) round (without InvMix columns operation)

Page 63: Pseudo Code for Decryption for the earlier rounds, and, for the last round

Round(State, RoundKey)
{
    InvByteSub(State);               // inverse S-box on every byte
    InvShiftRow(State);
    InvMixColumn(State);
    AddRoundKey(State, RoundKey);    // XOR state with the sub-key of this round
}

For the last round, it is a little different:

Round(State, RoundKey)
{
    InvByteSub(State);
    InvShiftRow(State);              // no InvMixColumn in the last round
    AddRoundKey(State, RoundKey);
}

Page 64: Public Key/ Asymmetric Cryptography

• invented in 1976 by Whitfield Diffie and Martin Hellman
• two keys: private (d), public (e). Both are mathematically related.
• REQUIREMENTS: Computationally infeasible
  • to derive one key from the other;
  • to find out the private key from a chosen plaintext attack
• much slower (about 1000 times) than secret key cryptography

Page 65: public-key cryptography (continued)

• public-key cryptography system requires a trusted system for distributing public keys
• RSA (Rivest, Shamir and Adleman) Algorithm is well known for the public key system.

APPLICATIONS
• a digital signature system to authenticate that a message is really from whom it purports to be from
• Pretty Good Privacy system, an e-mail system, uses the public key system for security.

Page 66: public-key cryptography (continued)

Page 67: Asymmetric/Public Key Encryption

[Diagram: A encrypts the Message with B’s public key; the Encrypted Message travels over the Internet; B decrypts the Encrypted Message with B’s private key to recover the Message.]

Page 68: public-key cryptography (continued)

Data transmission: private key (d), public key (e)

Page 69: public-key cryptography (continued)

Applications and Advantages:
• Storage: for safety: use public key of trusted person
• Secret vs. Public Key system:
  • secret key system: needs secret key for every pair of persons, that wish to communicate: n users → n(n-1)/2 keys
  • public key system: needs two keys for every person, who wants to communicate: n users → 2n keys

Page 70: Digital certificate for getting Public Key reliably

• A digital certificate from a trusted party may contain:
  • The name of a person
  • His e-mail address
  • His public key
• The recipient of the encrypted certificate uses the public key of the Certification Authority to decode the certificate.
• Examples of CAs: www.verisign.com or www.thawte.com (Verisign’s liability limited to $100 only!)
• Standard for certificate: X.509

Page 71: Digital signatures

Digital Signatures: A is to sign a Msg and send it to B

[Diagram: A runs Msg through the Digest Algorithm, encodes the Digest using the Private key of A, and sends Msg + Encoded Digest. B decodes the digest using the Public key of A, runs Msg through the Digest Algorithm, and compares the two Digests.]

Page 72: Key management issues

• Distribution of keys for both symmetric and asymmetric cases is a challenge, when the two communicating parties are located at a distance.
• Certifying authorities, as mentioned earlier, help. But in view of the very limited liability, that the certifying authorities are ready to shoulder, it is not a complete solution.

Page 73: Message/data Encryption

Combines conventional and public-key encryption

[Diagram: the data is encrypted with the Session key to give the Encrypted data; the Session key is encrypted with the Recipient’s Public key to give the Encrypted session key.]

Page 74: Message/data Encryption

Combines conventional and public-key encryption

[Diagram: the Encrypted session key is decrypted with the Recipient’s Private key to give the Session key; the Encrypted data is decrypted with the Session key to give the data.]

Public-key encryption provides a secure channel to exchange symmetric encryption keys

Page 75: Message Authentication Codes

MAC: A sort of Hash function, which uses a key
• m: message (can be of any size)
• K: fixed-size symmetric key known to both the sender and receiver only
• MAC: of fixed size

[Diagram: m and Key enter the MAC Function, which outputs the MAC.]

Page 76: MAC’s for integrity

Message Authentication code, adds a password/key to a hash

[Diagram: data and the Password/key are combined into the MAC; the Message is sent as data + MAC.]

Only the password holder(s) can generate the MAC

Page 77: MAC continued

• A MAC function (also called a cryptographic checksum)
  • Need not be reversible.
  • Many-to-one function
• MAC provides Authentication and integrity
• If one more symmetric key is used, confidentiality can be provided.
• This separates authentication and confidentiality functionalities.

Page 78: MAC continued

• Separation of Authentication and Confidentiality:
  • This may be required in a system wherein authentication may be at the application layer, whereas confidentiality may be required at a lower layer (like at transport layer.)
  • Or the recipient organisation may check for authentication at the entry system. The confidentiality may be required up to the final host within the recipient organization.
• Does not provide signatures
  • The recipient can forge the message.
  • The sender can repudiate it.

Page 79: HMAC: keyed Hashing for Message Authentication

HMAC: An algorithm which uses a keyless hash function and a cryptographic key to develop a MAC

Advantages: Hash functions are faster; no export controls on keyless hash functions.

• H: a keyless hash function
  • Input: a block of b bytes
  • Output: a hash of l bytes
• K: key no longer than b bytes
• K’: pad K, if required, so that K’ becomes b bytes long

Page 80: HMAC (continued)

• ipad: a sequence of b bytes obtained by repeating the byte 0011 0110
• opad: a sequence of b bytes obtained by repeating the byte 0101 1100

Definition of a HMAC-H function with a key K and message m:

H(K,m) = H( (K’ XOR opad) || H( (K’ XOR ipad) || m) )

Reference:
1. M. Bellare, R. Canetti and H. Krawczyk, ‘Keyed Hash Functions and Message Authentication,’ Advances in Cryptology - Proceedings of CRYPTO ’96, pp. 1-15 (1996)
2. H. Krawczyk, M. Bellare and R. Canetti, ‘RFC 2104’, Feb 1997
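The definition above, written out step by step and checked against Python's standard `hmac` module, as an added example that is not part of the original slides. Two details come from RFC 2104 rather than the slides: K is padded with zero bytes, and a key longer than b bytes is first hashed; the keys and messages are constructed.

```python
import hashlib
import hmac


def hmac_from_definition(key, msg, hash_name="sha256"):
    """H((K' XOR opad) || H((K' XOR ipad) || m)) for a hashlib hash."""
    def H(data):
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size      # input block size in bytes
    if len(key) > b:
        key = H(key)                           # RFC 2104: shorten over-long keys
    k_prime = key.ljust(b, b"\x00")            # K': K padded to b bytes
    ipad = bytes([0b00110110]) * b             # 0x36 repeated b times
    opad = bytes([0b01011100]) * b             # 0x5C repeated b times
    inner = H(bytes(x ^ y for x, y in zip(k_prime, ipad)) + msg)
    return H(bytes(x ^ y for x, y in zip(k_prime, opad)) + inner)


def verify(key, msg, tag, hash_name="sha256"):
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_from_definition(key, msg, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed shared key"
    msg = b"transfer 100 to account 42"        # constructed message
    tag = hmac_from_definition(key, msg)
    print("tag               :", tag.hex())
    print("matches hmac.new  :", tag == hmac.new(key, msg, hashlib.sha256).digest())
    print("tampered message  :", verify(key, b"transfer 900 to account 42", tag))
```

The comparison uses `hmac.compare_digest` so that the time taken does not reveal how many leading bytes of a forged tag were correct.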

Page 81: Function for MAC

• HMAC: MD5 or an SHA function may be used.
  • Recommendation for a 128 bit security: SHA-256
• MAC may also be obtained by using a block cipher and by throwing away all the blocks except the last block. This is called CBC-MAC.
  • CBC: cipher block chaining method
  • However if it is used, the key for encryption and the key for message authentication must be different.
  • Secondly it would be slower than HMAC.


Authentication issues

If only the message between Alice and Bob is authenticated, Eve could store the message and send it again later. Or Eve could send the message from Alice back to Alice at some later time, spoofing it as a message from Bob.

To avoid this, additional information d (such as the message number, sender address and receiver address) may be concatenated with m before creating a MAC.

If a protocol for time synchronization is being used by both the sender and the receiver, time in seconds after midnight at Greenwich may also be used. Alternatively, a random number, called a nonce, may also be used for the purpose.


Authentication issues ….2

Further problem: the version problem, which may increase the size of fields.

Example: Alice sends the older version. Eve adds data to make it look to Bob as if Alice sent the new version. So the version number also has to be added to d.

RULE: Authentication at a higher layer only.
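The two "Authentication issues" slides, worked as an added Python example (not code from the slides): the MAC is computed over d || m, where d carries the version, message number, sender and receiver, and the receiver then rejects a replayed, reflected or relabelled message. The field layout, the Receiver class, the result strings and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def encode_d(version, msg_no, sender, receiver):
    """d = version | message number | sender | receiver, length-prefixed."""
    out = struct.pack(">HQ", version, msg_no)
    for addr in (sender, receiver):
        out += struct.pack(">H", len(addr)) + addr
    return out

def make_tag(key, version, msg_no, sender, receiver, m):
    """MAC over d || m, so every field of d is authenticated together with m."""
    d = encode_d(version, msg_no, sender, receiver)
    return hmac.new(key, d + m, hashlib.sha256).digest()

class Receiver:
    """Hypothetical receiver: one shared key, per-sender message counter."""
    def __init__(self, key, my_address):
        self.key, self.my_address = key, my_address
        self.last_seen = {}  # sender -> highest accepted message number

    def accept(self, version, msg_no, sender, receiver, m, tag):
        expected = make_tag(self.key, version, msg_no, sender, receiver, m)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"      # any change to d or m lands here
        if receiver != self.my_address or sender == self.my_address:
            return "misdirected"  # e.g. Alice's message sent back to Alice
        if msg_no <= self.last_seen.get(sender, -1):
            return "replay"       # authentic, but already accepted
        self.last_seen[sender] = msg_no
        return "ok"

def demo():
    key = b"constructed-shared-key"  # constructed sample values throughout
    alice, bob = Receiver(key, b"alice"), Receiver(key, b"bob")
    m = b"pay 100 to carol"
    tag = make_tag(key, 1, 7, b"alice", b"bob", m)
    return [
        bob.accept(1, 7, b"alice", b"bob", m, tag),    # first delivery
        bob.accept(1, 7, b"alice", b"bob", m, tag),    # Eve sends it again
        alice.accept(1, 7, b"alice", b"bob", m, tag),  # Eve sends it back to Alice
        alice.accept(1, 7, b"bob", b"alice", m, tag),  # ...relabelled as from Bob
        bob.accept(2, 8, b"alice", b"bob", m, tag),    # version and number altered
    ]

if __name__ == "__main__":
    print(demo())
```

The length prefixes keep the boundary between d and m unambiguous, so bytes cannot be shifted from one field into the next without changing the MAC input.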


Cryptanalysis (continued)

Cryptanalysis: it tries to locate the structures and patterns of the plaintext in the ciphertext.

None of the cryptological methods can completely eliminate the patterns and structures of the plaintext in the ciphertext.

A polyalphabetic cipher where the substitution differs from character to character in response to a key, which is
   as long as the message, and which is
   truly random
can eliminate such patterns. But the key?


Cryptanalysis Methods: Finding the Key

Assumption: The hacker always knows the ciphertext and the encryption algorithm.

The more information available to a hacker, the easier the analysis for finding the key.

TYPES OF ATTACKS: The type is dependent on the amount of INFORMATION available to a hacker:

1. Ciphertext only (analysis for key: most difficult)
2. Known plaintext-ciphertext pairs
3. Chosen plaintext-ciphertext pairs
4. Chosen ciphertext-plaintext pairs
5. Chosen text (both 3 and 4) (analysis for key: easiest)


Two Definitions

UNCONDITIONALLY SECURE: An encryption algorithm for which no amount of ciphertext can make it possible for one to determine uniquely the corresponding plaintext. There is no such algorithm available.

COMPUTATIONALLY SECURE: An encryption algorithm is said to be computationally secure if
   the cost of breaking the cipher is more than the intrinsic value of the information, or
   the time required to break the cipher is more than the time over which the information is required to be confidential.


Exhaustive Key Search

Key Size    No. of possible keys      Average time at 1 decryption per microsecond
32          2^32 = 4.3 x 10^9         2^31 = 35.8 min
56          2^56 = 7.2 x 10^16        1142 years
128         2^128 = 3.4 x 10^38       5.4 x 10^24 years
26P         26! = 4 x 10^26           4 x 10^26 = 6.4 x 10^12 years


Large numbers and computational security -- as worked out by Dr Lawrie Brown

It can be shown from energy consumption considerations that the maximum number of possible elementary operations in 1000 years is about 3 x 10^48.

Similarly, if 10 atoms are needed to store a bit of information, the greatest possible number of bits storable in a volume of, say, the moon is 10^45.

If deciphering a cipher requires more operations than 3 x 10^48, or needs more storage than 10^45, it is pretty reasonable to say it is computationally secure.

Reference: Notes of Dr Lawrie Brown, Australian Defence Force Academy, available at http://www.williamstallings.com/Crypto3e.html


Exhaustive Key Search (continued)

A calculation in 1995 showed that:
   56-bit key broken in 1 week with 120,000 processors ($6.7M);
   56-bit key broken in 1 month with 28,000 processors ($1.6M);
   64-bit key broken in 1 week with 3.1 x 10^7 processors ($1.7B);
   128-bit key broken in 1 week with 5.6 x 10^26 processors


Brute Force Cryptanalysis

1999: 56-bit key broken in 22.5 h with 1,800 chips ($250,000) (245 x 10^9 keys/s, or 4.08 microsecond for one key -- see eff.org); helped by distributed.net

1998: 56-bit key broken, on dedicated h/w, in a few days

1997: 56-bit key broken, by using a large number of machines in parallel on the Internet, in a few months


Birthday paradox

A result from probability theory: Consider an element that has an equal probability of assuming any one of the N values. The probability of a collision is more than 50% after choosing 1.2√N values.

[Figure: Random input -> Function -> One of k equally likely values]

The same output can be expected after 1.2 k^(1/2) inputs. Thus in a group of 23, two or more persons are likely to share the same birthday. (Put k = 365.)

Birthday attacks are used to find collisions of hash functions.


Birthday Bound

A 64-bit key has 2^64 = 18 x 10^18 different key values. But 2^32 = 4.3 x 10^9.

A key is selected at random. So after seeing 1.2 x 2^32 transactions, a hacker can expect the same key to be used.

For an n-bit case, 2^(n/2) is called the Birthday Bound.
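The birthday paradox and the birthday bound, checked numerically in an added Python example (not from the slides): it computes the exact collision probability, finds the number of draws that pushes it past 50%, and counts how many inputs are hashed before two share an n-bit value. SHA-256 truncated to n bits stands in for a short hash; the function names and the counter-based inputs are constructed for illustration.

```python
import hashlib
import math


def collision_probability(n: int, N: int) -> float:
    """Exact probability that n uniform draws from N values contain a repeat."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (N - i) / N
    return 1.0 - p_distinct


def draws_for_half(N: int) -> int:
    """Smallest number of draws whose collision probability exceeds 50%."""
    n, p_distinct = 0, 1.0
    while 1.0 - p_distinct <= 0.5:
        p_distinct *= (N - n) / N  # probability that draw n+1 is also new
        n += 1
    return n


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for a short hash value."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct constructed inputs until two share a truncated value."""
    seen = {}
    counter = 0
    while True:
        data = b"constructed-input-%d" % counter
        h = truncated_hash(data, bits)
        if h in seen:
            return seen[h], data, counter + 1  # both inputs, inputs hashed
        seen[h] = data
        counter += 1


if __name__ == "__main__":
    print("k = 365:", draws_for_half(365), "draws; 1.2*sqrt(k) =",
          round(1.2 * math.sqrt(365), 1))
    for bits in (16, 24):
        a, b, tries = find_collision(bits)
        print(bits, "bits: collision after", tries, "inputs; 1.2 * 2^(n/2) =",
              round(1.2 * 2 ** (bits / 2)))
```

The number of inputs needed grows with 2^(n/2) rather than 2^n, which is why the output length of a hash or MAC has to be chosen against the birthday bound and not against the size of the full output space.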


Example of a Birthday Attack

Assume:
   A 64-bit key
   The first statement in a message is always the same.

A hacker listens to and stores all encrypted messages. When the FIRST encrypted sentence turns out to be the same, he replaces the rest of the new message by the old message that he has in his memory.

By the Birthday Paradox, this is likely to happen after 2^32 transactions.


Example of a “Meet in the Middle” attack

Generate 2^32 keys. Store encrypted messages of the first sentence.

Compare the first sentence of every encrypted message on the net with each of the stored messages.

On getting a match, the hacker knows the key. So he can now replace the remaining message by whatever he wants.