544 Computer and Network Security - Home

453 Network Security
Section 2: Cryptography
Dr. E.C. Kulasekere
Sri Lanka Institute of Information Technology - 2006
Outline
• Importance of Cryptography
• Encryption algorithms and principles
(DEA, BlowFish)
• Ciphering
• Public key cryptography principles
and algorithms.
• Digital signatures
What is Cryptography?
June 20, 2006
Hi ! Happy to see you all in Sri Lanka. Many thanks for your
invitation letter and for the spring examination packages.
All new entry forms are ready
for final dispatch to the syndicate by tonight.
Things are improving here, though there's room
for improvement still; just give us three or four
more years and we can do great things! Please
don't let these wretched 16+important proposals destroy
your basic pattern. Certainly this
sort of change, if implemented immediately,
would bring chaos.
Yours sincerely,
Obvious Solution For Information
Security
• Develop hardware and software to ensure the
following
– Conceal the content of the message from all except
the sender and recipient.
– Verify the correctness of the message to the
recipient via authentication.
– Use hidden writing encryption such as digital
signatures and digital watermarks.
• The above expectation is embodied in two forms
– Conventional or symmetric encryption
– Public key or asymmetric encryption.
Conventional Encryption Scheme
Ingredients
• Plaintext – the original message
• Encryption algorithm – performs various
substitutions and transformations to the plaintext
• Secret key – used for above
• Ciphertext – scrambled message depending on the
key and plaintext. For the same text, two different
keys will generate two different ciphertexts.
• Decryption algorithm – encryption algorithm run in
reverse. Uses the secret key + ciphertext to
produce plaintext.
• Note that the security depends on the secrecy of the
key and not on the secrecy of the algorithm.
Simplified Model of Symmetric
Encryption
Requirements for Secure use of
Conventional Encryption
• A strong Encryption Algorithm:
– Opponent knows the algorithm by default.
– May also have access to the ciphertext
– However the opponent should not be able to decipher the text or
figure out the key.
– This should be the case even if the opponent has several ciphertexts
that have been encrypted using the same key.
• Secure Key Handling:
– The sender and receiver should obtain copies of the key
securely.
– If the key is known the ciphertext can be decoded.
Advantages and Disadvantages of
Conventional Encryption Methods
• It is assumed to be impractical to decrypt a message
on the basis of the ciphertext plus the algorithm. The
time spent on deciphering is too large, hence a
deterrent. That is, the algorithm need not be kept
secret.
• Features such as the above make the
conventional method widely applicable.
• Low-cost on-chip implementations of these algorithms
are available because the algorithms are public.
• The principal problem is the secrecy of the key.
• The fundamental requirement of all algorithms is
that the process should be reversible (no information
should be lost).
Classification of Cryptographic
Systems (1)
• Based on the type of operations used to
transform plaintext to ciphertext
– Substitution – each element in the plaintext
(bit, letter, or groups of these) is mapped into
another element.
– Transposition – Elements in the plaintext are
rearranged.
Classification of Cryptographic
Systems (2)
• The number of keys used
– Symmetric – the sender and receiver use
the same key.
– Asymmetric – the sender and receiver use
two separate keys.
• The manner in which the plaintext is
processed
– Block cipher processing
– Stream cipher processing
Model of a Conventional
Cryptosystem
Cryptology
Are we Safe Now? (1)
• Cryptanalysis is defined as the
approaches to attacking a conventional
encryption method. (just when you thought
it was safe!!!)
• These procedures will attempt to discover
the plaintext or the encryption key.
If a cipher is broken, all present, future and past
encryptions using this key are compromised.
Are we Safe Now? (2)
• The attacks on a conventional encryption
scheme can be categorized into:
– Cryptanalysis: This type of attack relies on the
nature of the algorithm and perhaps some
knowledge of the general characteristics of
plaintext.
– Brute-Force attack: All possible key
combinations are tried on ciphertext until
plaintext is obtained.
Cryptanalysis – Type of Attacks
Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext
Unconditional Security
• no matter how much computer power is
available, the cipher cannot be broken.
• That is the ciphertext provides insufficient
information to uniquely determine the
corresponding plaintext.
• We note that no algorithm is
unconditionally secure.
• if it is then it cannot be uniquely decrypted.
Computational Security
• given limited computing resources (eg
time needed for calculations is greater
than age of universe), the cipher cannot
be broken.
• Or in a milder case, the cost of breaking
the cipher exceeds the value of the
encrypted data or the required time to
break the cipher exceeds the useful
lifetime of the information.
Classical Substitution Ciphers
• where letters of plaintext are replaced by
other letters or by numbers or symbols
• or if plaintext is viewed as a sequence of
bits, then substitution involves replacing
plaintext bit patterns with ciphertext bit
patterns
Machine Cipher Language
Jefferson Cylinder
• developed in 1790s,
• comprised of 36 disks
• each with a random alphabet
• order of disks was the key
• message was set in one row
• another row became cipher
WW2 Cipher Machine
Caesar Cipher (1)
• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by 3rd letter on
• example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher (2)
• can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• mathematically give each letter a number
a  b  c  d  e  f  g  h  i  j  k  l  m
0  1  2  3  4  5  6  7  8  9  10 11 12
n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25
• then have Caesar cipher as:
C = E(p) = (p + k) mod (26) – encryption
algorithm E
p = D(C) = (C – k) mod (26) – decryption
algorithm D
Cryptanalysis of Caesar Cipher
• only have 25 possible cipher keys
– A maps to A,B,..Z
• could simply try each in turn
• The task is made easier since the
language of plaintext is also known.
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when the plaintext is
obtained
Example Cryptanalysis
• eg. break ciphertext
"GCUA VQ DTGCM"
Block Cipher Methods
• A block cipher operates on a plaintext block of n
bits and produces a ciphertext block of n bits.
• For reversible encryption, the 2^n possible different
plaintext blocks must produce 2^n different
ciphertext blocks.
Reversible Mapping          Irreversible Mapping
Plaintext  Ciphertext       Plaintext  Ciphertext
00         11               00         11
01         10               01         10
10         00               10         01
11         01               11         01
Illustration of Block Cipher
Technique
Illustration of Stream Cipher
Which one is safer?
Which one has faster en-decryption speeds?
Which one is commercially
viable?
Eliminated the need for
padding
STOP! XOR the Magic Maker
• XOR is wonderful for Cryptography.
• It is a bitwise operator with a domain of two bits.
• With the XOR operation the attacker cannot
make a prediction, even a statistical one, i.e. we do
not know the transform value of the plaintext bit.
• That is, a plaintext 0 can be a 1 or 0 in the cipher
text depending on the encryption bit. Complete
lack of predictability if secret key is not known.
• The XOR operation is lossless (reversible): C = A
xor B, C xor B = A xor B xor B = A (show this with
the truth table). Other operations like AND will
lead to loss of information.
Feistel Cipher Structure (1)
• Virtually all conventional block encryption
algorithms, including DES, have a structure
described by Horst Feistel of IBM in 1973.
• Inputs to the encryption algorithm
– Plaintext block of 2w bits
– A key K
• The plain text block is divided into two halves L0
and R0
Feistel Cipher Structure (2)
• The two halves of data are then passed
through n rounds of processing and then
combined to produce the ciphertext block.
• Each round i has as input L{i-1} and R{i-1}
derived from the previous round and a
subkey K{i} derived from the overall K
Classical Feistel Network
• Subkeys are generated using
a subkey generation function
• All rounds have the same
structure
• A substitution is performed on
the left half of the data
• It is done by applying a round
function F to the right half of
the data and then taking XOR
of the output of that function
and the left half of the data.
• F is parameterized depending
on the subkey
• The permutation consists of
interchanging the left and the
right halves.
Design Features of Feistel
Structure (1)
• The exact realization of the structure will
depend on all or most of the following
design features.
• Block size
– Larger block sizes means greater security (all
other things being equal)
– Larger block sizes reduces en-/de-cryption
speeds.
– Generally accepted size is 64 bits.
Design Features of Feistel Structure (2)
• Key size
– Larger key sizes => greater security.
– Again this can reduce en-/de-cryption speeds.
– Common key length in modern algorithms is 128 bits.
• Number of Rounds
– Multiple rounds offer higher security.
– A typical size is 16 rounds
• Subkey generation algorithm
– Greater difficulty in this algorithm leads to greater
difficulty of cryptanalysis
Design Features of Feistel Structure (3)
• Round Function
– Greater complexity means greater resistance
to cryptanalysis
• Fast Software Encryption/Decryption
– Encryption algorithm is mainly embedded in
software
– Hardware implementation becomes
impossible in these cases
– The speed of execution will be of concern in
such cases.
Design Features of Feistel Structure (4)
• Ease of Analysis
– The more difficult the algorithm is, the more
difficult it is to guarantee its strengths.
– Complex algorithms make it harder to
cryptanalyze.
Mathematics Behind the Feistel
Structure
(Encryption)
The output of the ith round of a Feistel network is determined
from the output of the i-1 round by:
L{i} = R{i-1}
R{i} = L{i-1} XOR F(R{i-1},K{i})
Mathematics Behind the Feistel
Structure
(Decryption)
Why is a Feistel network reversible?
Clearly, R{i-1} can be obtained from L{i} with no work at all.
How do we get L{i-1}? That is straightforward also, by the nature of
XOR:
L{i-1} = L{i-1} XOR F(R{i-1},K{i}) XOR F(R{i-1},K{i})
Or, simplifying:
L{i-1} = R{i} XOR F(L{i},K{i})
Additional Information
For the above to be possible, the subkeys need to be
generated at the receiver end. This is a given in an
encoding system.
Furthermore, decryption uses the same Feistel structure,
which makes this method simpler.
Decryption Example
• Note that we have to
show the previous stage
of the encryption values
can be obtained through
the reverse traverse of
the decryption algorithm.
• That is LD1=RE15 and
RD1=LE15
• The final permutation also
has to be taken into
account.
• The result is independent
of the function ‘F’ and it
need not be reversible
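The point that decryption reuses the same structure and that F need not be reversible can be checked directly. The following is an added example, not part of the original lecture: a toy 16-round Feistel network on 64-bit blocks whose round function is a truncated SHA-256 hash (deliberately non-invertible). The SHA-256 round function and subkey schedule are assumptions made for illustration and are not those of DES.

```python
import hashlib

ROUNDS = 16
HALF = 4  # bytes per half, giving a 64-bit block


def subkeys(key):
    """Illustrative subkey generation: K{i} = first 8 bytes of SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8]
            for i in range(1, ROUNDS + 1)]


def F(right, subkey):
    """Round function: a truncated hash, so it cannot be inverted."""
    digest = hashlib.sha256(right.to_bytes(HALF, "big") + subkey).digest()
    return int.from_bytes(digest[:HALF], "big")


def undo_round(L_i, R_i, subkey):
    """Recover (L{i-1}, R{i-1}) using L{i-1} = R{i} XOR F(L{i}, K{i})."""
    return R_i ^ F(L_i, subkey), L_i


def feistel(block, keys):
    """Run the network over one 8-byte block with the given subkey order."""
    L = int.from_bytes(block[:HALF], "big")
    R = int.from_bytes(block[HALF:], "big")
    for k in keys:
        # L{i} = R{i-1};  R{i} = L{i-1} XOR F(R{i-1}, K{i})
        L, R = R, L ^ F(R, k)
    # Final interchange of the halves lets the same routine decrypt.
    return R.to_bytes(HALF, "big") + L.to_bytes(HALF, "big")


def feistel_encrypt(block, key):
    return feistel(block, subkeys(key))


def feistel_decrypt(block, key):
    # Same structure, subkeys applied in reverse order.
    return feistel(block, subkeys(key)[::-1])


if __name__ == "__main__":
    key = b"constructed key"     # sample values constructed for this example
    block = b"8 bytes!"
    ct = feistel_encrypt(block, key)
    print(ct.hex(), feistel_decrypt(ct, key))
```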
Data Encryption Standard (DES)
• This was the most widely used encryption
scheme.
• This was adopted in 1977 as a standard
and later cracked in 2002.
• This is a block cipher technique.
• The plaintext is processed in 64 bit blocks.
• Cont …
Data Encryption Standard (DES)
• This uses a secret key of 64 bits. However
8 of the bits are used as parity and can
also be set arbitrarily. Hence the key size
is usually stated as 56 bits.
• With the exception of the initial and final
permutations in DES it has exactly the
same structure as the Feistel cipher.
General Description of DES
A Single Round in DES
Important Design Features of DES (1)
• S-box design
– The relationship provided by the s-box should
be nonlinear and difficult to approximate with
a linear function
– Should be reversible?
– The size should be large enough to
incorporate complexity
Important Design Features of DES (2)
• The function F
– Should provide an element of confusion
– Resistance against unscrambling the
substitutions performed by F
– The encoding should be nonlinear so that it
cannot be approximated by a linear function
during cryptanalysis
Important Facts About DES (1)
• The 64 bit plaintext passes through an initial
permutation.
– IP reorders the input data bits.
– Even bits to LH half and the odd bits to the
RH half.
• Next stage consists of 16 iterations similar to the
Feistel cipher.
– Uses two 32 bit L and R halves.
L{i} = R{i-1}
R{i} = L{i-1} xor F(R{i-1}, K{i})
Important Facts About DES (2)
• The stage continues …
– takes 32-bit R half and 48-bit subkey and
– expands R to 48-bits using perm E and adds
to subkey
– passes through 8 S-boxes to get 32-bit result
(use tables)
– finally permutes this using 32-bit perm P
Important Facts About DES (3)
• The subkeys required by the previous
stage will be generated as given below.
– Initial permutation is carried out using
permuted choice 1
– Then for each of the 16 iterations the key is
produced by a combination of a circular left shift
and a permutation (permutation choice 2)
– The permutation function is same for each
stage. However different subkeys are
generated due to the shifted input.
Time to Break the Code
(assuming 10e6 decryptions per microsecond)
Strengths and Weaknesses of DES (1)
• Concerns about DES fall into two
categories
– Concerns about the algorithm itself
– Concerns about the key length.
• The S-boxes (substitution boxes) are
made to be resistant to what is known as
differential cryptanalysis (the latest technique, which
analyzes pattern differences to crack the cipher).
Strengths and Weaknesses of DES (2)
• The modern computer power is fast
approaching the computational
horsepower to crack the code in a
reasonable amount of time.
• The DES algorithm has some alternatives
that could be still commercially viable.
• Note however other than the brute force
method, no cryptanalytic method has been
devised to crack DES.
Triple DEA (TDEA)
• This uses three keys and three executions
of DES. Uses an Encrypt-Decrypt-Encrypt
sequence.
C = EK3[DK2[EK1[P]]]
• C = ciphertext
• P = Plaintext
• EK[X] = encryption of X using key K
• DK[Y] = decryption of Y using key K
• Effective Key length is 168 bits
• Decryption is
P = DK1[EK2[DK3[C]]]
Triple DEA (TDEA) (1)
• There is no cryptographic significance in
having the center decryption stage.
However it is useful for the following
C = EK1[DK1[EK1[P]]]=EK1[P]
• It can be used to decrypt data encrypted
using single DES.
• Unlike the single DES, with this, the brute
force attacks are effectively impossible.
Triple DEA (TDEA) (2)
• However this is still only providing a stop
gap for AES implementation. However no
cryptanalytic crack has been found for this.
• The implementation is relatively sluggish
in software which is a drawback
Advanced Encryption Standard (AES) (1)
• AES was chosen from among a lot of
algorithms after a security check carried
out by the National Institute of Standards
and Technology (NIST) in 2001.
• The selected algorithm was called Rijndael,
proposed by two cryptographic
researchers, Dr. Joan Daemen and Dr.
Vincent Rijmen.
Advanced Encryption Standard (AES)
• The three categories of criteria used for
evaluation are
– Security: practicality of an attack.
– Cost: should be usable in high-speed
applications
– Algorithm and implementation
characteristics: flexibility of the algorithm
and suitability of hardware and software
implementation.
• The evaluation report.
AES Finalist
AES Parameters
AES Structure
• This is a block cipher technique.
• Resistance against all known attacks.
• Speed and code compactness on a wide range
of platforms. Design simplicity.
• This is not a Feistel cipher where the data is
processed in two halves.
• The entire data block is processed in parallel
during each round using substitutions and
permutations.
• Four different stages are used in a round. The
stages are reversible.
Other Conventional Encryption
Algorithms
BlowFish
• Blowfish is a block cipher designed by Bruce
Schneier in 1993.
• This was designed for easy implementation and
high speed.
• It is also a very compact algorithm and can run
in 5k of memory.
• Blowfish has 16 rounds and has a variable key
size that can go up to 448 bits. The generally
chosen size is 128 bits.
• This also uses the S-box and XOR technique
used in the DES algorithm, apart from this it also
uses binary addition.
BlowFish …
• The interesting feature of the s-box
technique is that it uses dynamic s-boxes
that are dependent on the key rather than
the static ones used in DES.
• A total of 521 operations are required to
generate the s-boxes and subkeys.
• Hence it is not suitable for applications
where the secret key changes frequently.
• No weakness of this has been found so
far.
Cipher Block Modes of Operation
• DES encryption is safe on a block of text.
• However when the data is transmitted over the
communication line in several blocks the mode
in which it is sent is important.
• For plaintext longer than 64 bits it is necessary
to break the block into 64 bit segments and pad
the last block if necessary before applying the
modes.
• Depending on the mode of operation, the cipher
can be weak or strong. That is, it can be either
easily cryptanalyzed or not.
Block Cipher Modes
Electronic Code Book (ECB)
• Simplest form. The plaintext is handled in
64 bit blocks at a time.
• Each block of plaintext is encrypted using
the same key.
• The term codebook is used because for
each plaintext and the key there is a
unique ciphertext for every 64 bit block.
Electronic Code Book (ECB) …
• This is not good since in ECB the same plaintext
appearing more than once in the message will
generate the same cipher text since the same
key is used. (codebook effect)
• Hence for lengthy messages and structured
messages ECB is not secure.
• If the message has repetitive elements occurring
every 64 bits, with a number of plaintext-ciphertext
blocks the cryptanalyst can identify
the encryption.
Illustration of ECB
Cipher Block Chaining Mode (CBC) (1)
• To overcome the security issues in ECB,
CBC was proposed where, the same
plaintext block, if repeated, produces
different cipher text blocks.
• The input to the current encryption
algorithm is the XOR of the current
plaintext block and the preceding
ciphertext block. The same key is used for
each block as before.
Cipher Block Chaining Mode (CBC) (2)
• Now the processing is chained and the outputs
for the same plaintext block are not the same.
This is because the plaintext blocks going into the
encryption algorithm now bear no relationship to the
preceding block.
• The initial vector used for XORing the first block
has to be chosen and also safeguarded like the
secret key.
• Both the sender and the receiver have to know
the IV.
Illustration of CBC
Mathematics of CBC
C{i} = EK[C{i-1} XOR P{i}]
DK[C{i}] = DK[EK[C{i-1} XOR P{i}]]
DK[C{i}] = C{i-1} XOR P{i}
C{i-1} XOR DK[C{i}] = C{i-1} XOR C{i-1} XOR P{i} = P{i}
Cipher Feedback Mode (CFB) (1)
• It is possible to convert DES into a stream
cipher using CFB.
• This also eliminates the need for padding
to make an integral number of text blocks.
• It operates in real time.
• Thus if a character stream is being
transmitted, each character can be
encrypted and transmitted immediately
using a character oriented stream cipher.
Cipher Feedback Mode (CFB) (2)
• Not good over a noisy link since if any bit
is in error all of the block ciphertext gets
affected.
• The IV is encrypted and the first s bits
chosen to XOR the input plaintext as well
as shift the contents of the register and
substitute for the LSB.
Illustration of CFB
Mathematics Behind CFB
C1 = P1 XOR Ss(Ek(IV))
P1 = C1 XOR Ss(Ek(IV))
Location of Encryption Device
Location of Encryption Device …
• Link Encryption
– A lot of encryption devices
– High level of security
– Decrypt packets at each switch since the
switch must have the address in the header to
route the packet.
• End to End Encryption
– The source encrypts and the destination
decrypts
– Payload encrypted
– Header in the clear.
Next Lecture
• Message authentication.
• Hash functions
• Public key cryptography principles.
• Public key cryptography algorithms.
• Digital signatures
• Key management.