UNIT -8 NETWORK SECURITY

Need of Security
 For the first few decades computer networks were primarily
used by university researchers for sending e-mail and by
corporate employees for sharing printers.
 In these conditions, security did not get a lot of attention.
 Now that millions of ordinary citizens use networks for banking,
shopping, and filing their tax returns, network security is
potentially a huge problem.
 Security is a broad topic and covers many concerns:
1) It is concerned with making sure that nosy people cannot
read, or secretly modify messages intended for other
recipients.
2) It is concerned with people trying to access remote services
that they are not authorized to use.
3) Security also deals with the problems of legitimate (legal)
messages being captured and replayed, and with people trying
to deny that they sent certain messages.
Need for Security
Most security problems are intentionally caused by malicious people
trying to gain some benefit, get attention, or to harm someone.
A few of the most common adversaries are listed in the table below:
Some people who cause security problems and why.
Network security problems can be divided roughly into four
closely intertwined areas:
1) Secrecy (Message Confidentiality):
It is also known as confidentiality.
Message confidentiality or privacy means that the sender and
the receiver expect confidentiality.
The transmitted message must make sense to only the
intended receiver.
To all others, the message must be garbage.
When a customer communicates with her/his bank, she
expects that the communication is totally confidential.
It means keeping information out of the hands of unauthorized
users.
2) Authentication (Message Authentication):
In message authentication the receiver needs to be sure of
the sender's identity and that an imposter (fraud) has not
sent the message.
It deals with determining whom we are talking to before
revealing sensitive information or entering into a business
deal.
Message authentication is a service beyond message
integrity.
3) Nonrepudiation (Message Nonrepudiation):
 Message nonrepudiation means that a sender must not be able to
deny sending a message that he or she did send.
 The burden of proof falls on the receiver.
 For example, when a customer sends a message to transfer
money from one account to another, the bank must have proof
(in terms of signatures) that the customer actually requested this
transaction. Another example: how do we prove that a customer
really placed an electronic order?
4) Integrity Control (Message Integrity):
 Integrity means that the data must arrive at the receiver exactly
as they were sent. In other words, how can we be sure that a
message we received is really the one the sender sent, and was
not modified in transit or concocted by a malicious adversary?
 There must be no changes during the transmission, neither
accidentally nor maliciously.
 As more and more monetary exchanges occur over the Internet,
integrity is crucial.
 For example, it would be disastrous if a request for transferring
$100 changed to a request for $10,000 or $100,000.
 The integrity of the message must be preserved in a secure
communication.
 In the physical world, integrity and secrecy are achieved by using
registered mail and locking documents up.
 People authenticate other people by recognizing their faces,
voices, and handwriting.
 Proof of signing is handled by signatures on letterhead paper,
raised seals, and so on.
 Tampering can usually be detected by handwriting, ink, and paper
experts.
 For electronic communication, none of the above options are
available. Clearly, other solutions are needed.
 There is probably no single place in the protocol stack where
network security belongs.
 Every layer has something to contribute.
 In the physical layer, wiretapping can be foiled (blocked) by
enclosing transmission lines in sealed tubes containing gas at high
pressure. Any attempt to drill into a tube will release some gas,
reducing the pressure and triggering an alarm. Some military
systems use this technique.
 In the data link layer, packets on a point-to-point line can be
encrypted as they leave one machine and decrypted as they enter
another. All the details can be handled in the data link layer, with
higher layers unaware of what is going on. This solution breaks
down when packets have to traverse multiple routers, because
packets have to be decrypted at each router, leaving them
vulnerable to attacks from within the router. Also, it does not allow
some sessions to be protected (e.g., those involving on-line
purchases by credit card) and others not. However, link encryption
can be added to any network easily and is often useful.
 In the network layer, firewalls can be installed to keep
good packets in and bad packets out. IP security also
functions in this layer.
 In the transport layer, entire connections can be
encrypted, end to end, that is, process to process. For
maximum security, end-to-end security is required.
 Finally, issues such as user authentication and nonrepudiation
can only be handled in the application layer.
Cryptography is a method of storing and transmitting data in
a form that only those it is intended for can read and process. It
is a science of protecting information by encoding it into an
unreadable format. Cryptography is an effective way of
protecting sensitive information as it is stored on media or
transmitted through network communication paths.
Some Terms
1) Cryptography
 Cryptography comes from Greek words meaning "secret writing".
It refers to the science and art of transforming messages to
make them secure and immune to attacks.
2) Plaintext and Ciphertext
The original message, before being transformed, is called
plaintext.
After the message is transformed, it is called ciphertext.
An encryption algorithm transforms the plaintext into ciphertext;
a decryption algorithm transforms the ciphertext back into
plaintext.
The sender uses an encryption algorithm, and the receiver uses
a decryption algorithm.
3) Cipher
 A cipher is a character-for-character or bit-for-bit
transformation, without regard to the linguistic structure of the
message.
 We refer to encryption and decryption algorithms as ciphers.
 The term cipher is also used to refer to different categories of
algorithms in cryptography.
 A code replaces one word with another word or symbol.
 The most successful code ever devised was used by the U.S.
armed forces during World War II in the Pacific.
4) Key
 A key is a number (or a set of numbers) that the cipher, as an
algorithm, operates on.
 To encrypt a message, we need an encryption algorithm, an
encryption key, and the plaintext.
 These create the ciphertext.
 To decrypt a message, we need a decryption algorithm, a
decryption key, and the ciphertext.
 These reveal the original plaintext.
1. Algorithm: set of mathematical rules used in encryption and
decryption.
2. Cryptography: science of secret writing that enables you to
store and transmit data in a form that is available only to the
intended individuals.
3. Cryptosystem: hardware or software implementation of
cryptography that transforms a message to ciphertext and back
to plaintext.
4. Cryptanalysis: practice of obtaining plaintext from ciphertext
without a key, or breaking the encryption.
5. Cryptology: the study of both cryptography and cryptanalysis.
6. Ciphertext: data in encrypted or unreadable format.
7. Encipher: act of transforming data into an unreadable format.
8. Decipher: act of transforming data into a readable format.
9. Key: secret sequence of bits and instructions that governs the
act of encryption and decryption.
10. Key clustering: instance when two different keys generate the
same ciphertext from the same plaintext.
11. Keyspace: possible values used to construct keys.
12. Plaintext: data in readable format, also referred to as cleartext.
13. Work factor: estimated time, effort, and resources necessary to
break a cryptosystem.
An Introduction to Cryptography
The encryption model (for a symmetric-key cipher).
DK(EK(P)) = P
 The messages to be encrypted, known as the plaintext, are
transformed by a function that is parameterized by a key.
 The output of the encryption process, known as the ciphertext, is
then transmitted, often by messenger or radio.
 We assume that the enemy, or intruder, hears and accurately
copies down the complete ciphertext.
 However, unlike the intended recipient, he does not know what
the decryption key is and so cannot decrypt the ciphertext easily.
 Sometimes the intruder can not only listen to the communication
channel (passive intruder) but can also record messages and play
them back later, inject his own messages, or modify legitimate
messages before they get to the receiver (active intruder).
 The art of breaking ciphers, called cryptanalysis, and the art of
devising them (cryptography) are collectively known as
cryptology.
 It will often be useful to have a notation for relating plaintext,
ciphertext, and keys.
 We will use C = EK(P) to mean that the encryption of the plaintext
P using key K gives the ciphertext C.
 Similarly, P = DK(C) represents the decryption of C to get the
plaintext again.
 It then follows that DK(EK(P)) = P.
 This notation suggests that E and D are just mathematical
functions, which they are.
 The only tricky part is that both are functions of two
parameters, and we have written one of the parameters (the
key) as a subscript, rather than as an argument, to distinguish
it from the message.
 A fundamental rule of cryptography is that one must assume
that the cryptanalyst knows the methods used for encryption
and decryption.
 In other words, the cryptanalyst knows how the encryption
method, E, and the decryption method, D, work, as shown in the
diagram.
 The amount of effort necessary to invent, test, and install a new
algorithm every time the old method is compromised (or
thought to be compromised) has always made it impractical to
keep the encryption algorithm secret.
 Thinking it is secret when it is not does more harm than good.
 This is where the key enters.
 The key consists of a (relatively) short string that selects one of
many potential encryptions.
 In contrast to the general method, which may only be changed
every few years, the key can be changed as often as required.
 Thus, our basic model is a stable and publicly-known general
method parameterized by a secret and easily changed key.
 The idea that the cryptanalyst knows the algorithms and that
the secrecy lies completely in the keys is called Kerckhoffs'
principle, named after the Flemish military cryptographer
Auguste Kerckhoffs who first stated it in 1883.
 Thus, we have:
 Kerckhoffs' principle: All algorithms must be public; only
the keys are secret.
 The nonsecrecy of the algorithm cannot be emphasized enough.
 Trying to keep the algorithm secret, known in the trade as
security by obscurity, never works.
 Also, by publicizing the algorithm, the cryptographer gets free
consulting from a large number of academic cryptologists eager
to break the system so they can publish papers demonstrating
how smart they are.
 If many experts have tried to break the algorithm for 5 years
after its publication and no one has succeeded, it is probably
pretty solid.
 Since the real secrecy is in the key, its length is a major design
issue.
 Consider a simple combination lock. The general principle is
that we enter digits in sequence.
 Everyone knows this, but the key is secret.
 A key length of two digits means that there are 100
possibilities.
 A key length of three digits means 1000 possibilities, and a key
length of six digits means a million.
 The longer the key, the higher the work factor the cryptanalyst
has to deal with.
 The work factor for breaking the system by exhaustive search
of the key space is exponential in the key length.
 Secrecy comes from having a strong (but public) algorithm and
a long key.
 To prevent our kid brother from reading our e-mail, 64-bit keys
will do.
 For routine commercial use, at least 128 bits should be used.
 To keep major governments at bay, keys of at least 256 bits,
preferably more, are needed.
 From the cryptanalyst's point of view, the cryptanalysis
problem has three principal variations.
 When he has a quantity of ciphertext and no plaintext, he is
confronted with the ciphertext-only problem. The cryptograms
that appear in the puzzle section of newspapers pose this kind
of problem.
 When the cryptanalyst has some matched ciphertext and
plaintext, the problem is called the known plaintext problem.
 When the cryptanalyst has the ability to encrypt pieces of
plaintext of his own choosing, we have the chosen plaintext
problem.
 Newspaper cryptograms could be broken trivially if the
cryptanalyst were allowed to ask such questions as: What
is the encryption of ABCDEFGHIJKL?
 Novices in the cryptography business often assume that if a
cipher can withstand a ciphertext-only attack, it is secure.
 This assumption is naive.
 In many cases the cryptanalyst can make a good guess at
parts of the plaintext.
 For example, the first thing many computers say when we
call them up is login: . Equipped with some matched
plaintext-ciphertext pairs, the cryptanalyst's job becomes
much easier.
 To achieve security, the cryptographer should be
conservative and make sure that the system is unbreakable
even if his opponent can encrypt arbitrary amounts of
chosen plaintext.
Categories of Cryptography
 We can divide all the cryptography algorithms (ciphers) into
two groups: symmetric-key (also called secret-key) cryptography
algorithms and asymmetric-key (also called public-key)
cryptography algorithms.
Symmetric-Key Cryptography
 In symmetric-key cryptography, the same key is used by both
parties.
 The sender uses this key and an encryption algorithm to encrypt
data; the receiver uses the same key and the corresponding
decryption algorithm to decrypt the data.
Asymmetric-Key Cryptography
 In asymmetric or public-key cryptography, there are two keys: a
private key and a public key.
 The private key is kept by the receiver. The public key is
announced to the public.
 In public-key encryption/decryption, the public key that is used for
encryption is different from the private key that is used for
decryption.
 The public key is available to the public; the private key is
available only to an individual.
Three Types of Keys
The three types of keys in cryptography:
1. The secret key: the shared key used in symmetric-key
cryptography.
2. The public key: used in asymmetric-key cryptography.
3. The private key: used in asymmetric-key cryptography.
We will use three different icons for these keys to
distinguish one from the others, as shown in the diagram
below:
Comparison
 Let us compare symmetric-key and asymmetric-key
cryptography.
 Encryption can be thought of as electronic locking;
decryption as electronic unlocking.
 The sender puts the message in a box and locks the box by
using a key; the receiver unlocks the box with a key and
takes out the message.
 The difference lies in the mechanism of the locking and
unlocking and the type of keys used.
 In symmetric-key cryptography, the same key locks and
unlocks the box.
 In asymmetric-key cryptography, one key locks the box,
but another key is needed to unlock it.
 The diagram below shows the difference.
Traditional Ciphers
 We can divide traditional symmetric-key ciphers into two
broad categories: substitution ciphers and transposition ciphers.
OR
 Encryption methods have been divided into two categories:
substitution ciphers and transposition ciphers.
Substitution Ciphers
 In a substitution cipher each letter (character) or group of
letters is replaced by another letter (character) or group of
letters to disguise it.
 One of the oldest known ciphers is the Caesar cipher,
attributed to Julius Caesar. This is referred to as a shift
alphabet cipher.
 In this method, a becomes D, b becomes E, c becomes F, ... ,
and z becomes C.
 If the symbols are digits (0 to 9), we can replace 3 with 7, and 2
with 6.
 For example, attack becomes DWWDFN.
 In examples, plaintext will be given in lower case letters, and
ciphertext in upper case letters.
 A slight generalization of the Caesar cipher allows the
ciphertext alphabet to be shifted by k letters, instead of
always 3. In this case k becomes a key to the general method
of circularly shifted alphabets.
 If we use 4 as the key, then attack becomes EXXEGO.
Monoalphabetic substitution:
 The next improvement is to have each of the symbols in the
plaintext map onto some other letter.
 For example,
plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
 In a monoalphabetic cipher, a character (or a symbol) in the
plaintext is always changed to the same character (or symbol)
in the ciphertext regardless of its position in the text. (i.e. The
general system of symbol-for-symbol substitution is called a
monoalphabetic substitution, with the key being the 26-letter
string corresponding to the full alphabet.)
 For example, if the algorithm says that character A in the
plaintext is changed to character D, every character A is
changed to character D.
 In other words, the relationship between characters in the
plaintext and the ciphertext is a one-to-one relationship.
 For the key above, the plaintext attack would be transformed
into the ciphertext QZZQEA.
 At first glance this might appear to be a safe system
because though the cryptanalyst knows the general system
(letter-for-letter substitution), he does not know which of
the 26! ≈ 4 x 10^26 possible keys is in use.
 In contrast with the Caesar cipher, trying all of them is not
a promising approach.
 Even at 1 nsec per solution, a computer would take 10^10
years to try all the keys.
 However, given a surprisingly small amount of ciphertext,
the cipher can be broken easily.
 The basic attack takes advantage of the statistical
properties of natural languages.
 In English, for example, e is the most common letter,
followed by t, o, a, n, i, etc.
 The most common two-letter combinations, or digrams,
are th, in, er, re, and an.
 The most common three-letter combinations, or
trigrams, are the, ing, and, and ion.
 A cryptanalyst trying to break a monoalphabetic cipher would
start out by counting the relative frequencies of all letters in the
ciphertext.
 Then he might tentatively assign the most common one to e
and the next most common one to t.
 He would then look at trigrams to find a common one of the
form tXe, which strongly suggests that X is h.
 Similarly, if the pattern thYt occurs frequently, the Y probably
stands for a.
 With this information, he can look for a frequently occurring
trigram of the form aZW, which is most likely and.
 By making guesses at common letters, digrams, and trigrams
and knowing about likely patterns of vowels and consonants,
the cryptanalyst builds up a tentative plaintext, letter by letter.
 Another approach is to guess a probable word or phrase.
 For example, consider the following ciphertext from an
accounting firm (blocked into groups of five characters):
CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ
QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ
DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBN QJSW
 A likely word in a message from an accounting firm is financial.
 Using our knowledge that financial has a repeated letter (i),
with four other letters between their occurrences, we look for
repeated letters in the ciphertext at this spacing.
 We find 12 hits, at positions 6, 15, 27, 31, 42, 48, 56, 66, 70,
71, 76, and 82.
 However, only two of these, 31 and 42, have the next letter
(corresponding to n in the plaintext) repeated in the proper
place.
 Of these two, only 31 also has the a correctly positioned, so we
know that financial begins at position 30.
 From this point on, deducing the key is easy by using the
frequency statistics for English text.
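The procedure just described, as an added Python example that is not part of the lecture notes: it counts the ciphertext letter frequencies, proposes the tentative e, t, o, a, n, i assignment, and then searches for the probable word financial by its pattern of repeated letters (i four letters apart, then n, then a). The search is written for any crib word, not only financial; the ciphertext is the one quoted above and positions are 1-based as in the notes.

```python
from collections import Counter

# Ciphertext from the accounting firm, as quoted in the notes (blocks of five joined).
CIPHERTEXT = ("CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ "
              "QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ "
              "DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBN QJSW").replace(" ", "")

# Most common English letters in order, as given in the notes.
ENGLISH_ORDER = "etoani"


def letter_frequencies(ciphertext):
    """Step 1 of the attack: count every ciphertext letter, most common first."""
    return Counter(ch for ch in ciphertext if ch.isalpha()).most_common()


def frequency_guess(ciphertext):
    """Step 2: tentatively assign the most common ciphertext letter to e, the next
    to t, and so on. These are guesses to be confirmed or discarded later."""
    ranked = [letter for letter, _ in letter_frequencies(ciphertext)]
    return dict(zip(ranked, ENGLISH_ORDER))


def pattern(word):
    """Repetition pattern of a word: for each distinct letter, in order of first
    appearance, the positions where it occurs. 'financial' gives i at 1 and 6
    (four letters between them), n at 2 and 4, a at 3 and 7, f/c/l once each."""
    positions = {}
    for i, ch in enumerate(word):
        positions.setdefault(ch, []).append(i)
    return list(positions.values())


def crib_positions(ciphertext, crib):
    """Probable-word attack: 1-based positions where the crib could sit.

    A monoalphabetic substitution maps equal plaintext letters to equal
    ciphertext letters and different ones to different ones, so a ciphertext
    window is a candidate exactly when it has the same repetition pattern as
    the crib (the notes check the i, n and a repeats one at a time)."""
    crib_pattern = pattern(crib)
    width = len(crib)
    return [start + 1
            for start in range(len(ciphertext) - width + 1)
            if pattern(ciphertext[start:start + width]) == crib_pattern]


def partial_key(ciphertext, crib, start):
    """Plaintext -> ciphertext letter pairs learned by placing the crib at the
    given 1-based position; these fix part of the 26-letter key."""
    window = ciphertext[start - 1:start - 1 + len(crib)]
    return dict(zip(crib, window))


if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:6])
    print(frequency_guess(CIPHERTEXT))
    hits = crib_positions(CIPHERTEXT, "financial")
    print("financial fits at", hits)                       # [30]
    print(partial_key(CIPHERTEXT, "financial", hits[0]))  # f->X, i->C, n->T, ...
```

The frequency guess alone mislabels some letters (the crib shows n is T, not the third most common letter), which is why the notes call the assignment tentative.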
 The simplest monoalphabetic cipher is probably the shift
cipher.
 We assume that the plaintext and ciphertext consist of
uppercase letters (A to Z) only.
 In this cipher, the encryption algorithm is "shift key
characters down," with key equal to some number.
 The decryption algorithm is "shift key characters up."
 For example, if the key is 5, the encryption algorithm is
"shift 5 characters down" (toward the end of the alphabet).
 The decryption algorithm is "shift 5 characters up" (toward
the beginning of the alphabet).
 Of course, if we reach the end or beginning of the alphabet,
we wrap around.
Example: Use the shift cipher with key = 15 to encrypt the
message "HELLO."
Solution: We encrypt one character at a time. Each character is
shifted 15 characters down. Letter H is encrypted to W. Letter E
is encrypted to T. The first L is encrypted to A. The second L is
also encrypted to A. And O is encrypted to D. The ciphertext is
WTAAD.
Example: Use the shift cipher with key = 15 to decrypt the
message "WTAAD."
Solution: We decrypt one character at a time. Each character is
shifted 15 characters up. Letter W is decrypted to H. Letter T is
decrypted to E. The first A is decrypted to L. The second A is
decrypted to L. And, finally, D is decrypted to O. The plaintext
is HELLO.
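As an added Python example (not part of the lecture notes), the monoalphabetic substitution family described above, with the shift cipher as the special case whose key is the rotated alphabet. It reproduces the Caesar results (k = 3 and k = 4 on attack), the QWERTY-key result QZZQEA and the key = 15 worked example; plaintext is handled in lower case and ciphertext in upper case, as the notes do.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet both sides agree on


def shift_key(k):
    """Ciphertext alphabet of a shift cipher: the alphabet rotated k places.

    k = 3 is the Caesar cipher (a -> D, b -> E, ..., z -> C); any k in 0..25 works,
    which is why a shift cipher has only 26 keys to try."""
    k %= 26
    return ALPHABET[k:] + ALPHABET[:k]


def validate_key(key):
    """A monoalphabetic key is a 26-letter string that is a permutation of the
    alphabet; anything else would make the substitution non-invertible."""
    key = key.upper()
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must contain each of the 26 letters exactly once")
    return key


def encrypt(plaintext, key):
    """Replace each letter by the key letter in the same alphabet position.

    Characters that are not letters (spaces, digits) pass through unchanged."""
    table = str.maketrans(ALPHABET, validate_key(key))
    return plaintext.upper().translate(table)


def decrypt(ciphertext, key):
    """Invert the one-to-one mapping: key letter -> alphabet letter."""
    table = str.maketrans(validate_key(key), ALPHABET)
    return ciphertext.upper().translate(table).lower()


def shift_encrypt(plaintext, k):
    """Shift cipher: 'shift k characters down' the alphabet, wrapping at Z."""
    return encrypt(plaintext, shift_key(k))


def shift_decrypt(ciphertext, k):
    """Shift cipher: 'shift k characters up' the alphabet, wrapping at A."""
    return decrypt(ciphertext, shift_key(k))


def all_shift_decryptions(ciphertext):
    """The whole shift-cipher key space: 26 candidate plaintexts, one per key.
    Contrast this with the 26! keys of a general monoalphabetic substitution."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    print(shift_encrypt("attack", 3))                        # DWWDFN
    print(shift_encrypt("attack", 4))                        # EXXEGO
    print(encrypt("attack", "QWERTYUIOPASDFGHJKLZXCVBNM"))   # QZZQEA
    print(shift_encrypt("HELLO", 15), shift_decrypt("WTAAD", 15))
```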
Transposition Ciphers
 A transposition cipher is a rearrangement of the letters in the
plaintext according to some specific system & key (i.e. a
permutation of the plaintext).
 In a transposition cipher, there is no substitution of characters;
instead, their locations change.
 A character in the first position of the plaintext may appear in
the tenth position of the ciphertext.
 A character in the eighth position may appear in the first
position.
 In other words, a transposition cipher reorders the symbols in
a block of symbols.
 In the example in the diagram, MEGABUCK is the key.
 The purpose of the key is to number the columns, column 1
being under the key letter closest to the start of the alphabet,
and so on.
 The plaintext is written horizontally, in rows.
 The ciphertext is read out by columns, starting with the column
whose key letter is the lowest.
A transposition cipher (diagram).
Key: In a transposition cipher, the key is a mapping between the
position of the symbols in the plaintext and ciphertext. For
example, the following shows the key using a block of four
characters:
Plaintext:  2 4 1 3
Ciphertext: 1 2 3 4
In encryption, we move the character at position 2 to position
1, the character at position 4 to position 2, and so on.
In decryption, we do the reverse.
For more effective security, the key should be long, which means
encrypting and decrypting long blocks of data.
Simple example:
A route cipher: we arrange the plaintext in a geometrical
figure, then copy it out following a different route.
e.g. P/T: Now is the time for all good men . . .
We arrange this in a rectangle of K columns and extract the
ciphertext by the columns:
N O W I S
T H E T I
M E F O R
A L L G O
O D M E N
Ciphertext: NTMAO OHELD WEFLM ITOGE SIRON
How do we detect this? Well, the character frequency should
be the same as English.
More generally, we deal with:
Rectangular Columnar Transposition:
1) Arrange horizontally in a rectangle.
2) Use a key to generate a permutation of the columns
3) Read vertically.
Key: SCHMID
     613542
Plaintext: sell all stock on Monday
6 1 3 5 4 2
s e l l a l
l s t o c k
o n m o n d
a y
Ciphertext: ESNYL KDLTM ACNLO OSLOA
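As an added Python example (not from the lecture notes), the rectangular columnar transposition above, with the column numbering derived from the key word exactly as the notes describe it. It reproduces the SCHMID ciphertext and, with a key whose letters are already in alphabetical order (ABCDE), the route-cipher result NTMAO OHELD WEFLM ITOGE SIRON; decryption handles the short last row.

```python
def column_order(key):
    """Number the columns: column 1 is under the key letter closest to the start
    of the alphabet, and so on. Repeated key letters are numbered left to right.
    SCHMID -> 613542, MEGABUCK -> 74512836."""
    key = key.upper()
    by_letter = sorted(range(len(key)), key=lambda i: (key[i], i))
    order = [0] * len(key)
    for rank, column in enumerate(by_letter, start=1):
        order[column] = rank
    return tuple(order)


def normalize(text):
    """Keep letters only, upper-cased: spaces and punctuation are not encrypted."""
    return "".join(ch for ch in text if ch.isalpha()).upper()


def encrypt(plaintext, key):
    """Write the plaintext in rows of len(key) and read it out column by column,
    starting with the column numbered 1."""
    text = normalize(plaintext)
    n = len(key)
    columns = [text[i::n] for i in range(n)]       # column i holds every n-th letter
    order = column_order(key)
    read_sequence = sorted(range(n), key=lambda col: order[col])
    return "".join(columns[col] for col in read_sequence)


def decrypt(ciphertext, key):
    """Reverse the process. The last row may be incomplete, so the column lengths
    are computed first: the leftmost (len % n) columns have one extra letter."""
    n = len(key)
    order = column_order(key)
    full_rows, extra = divmod(len(ciphertext), n)
    lengths = [full_rows + (1 if col < extra else 0) for col in range(n)]
    columns = [""] * n
    pos = 0
    for col in sorted(range(n), key=lambda col: order[col]):
        columns[col] = ciphertext[pos:pos + lengths[col]]
        pos += lengths[col]
    return "".join(columns[col][row]
                   for row in range(full_rows + 1)
                   for col in range(n) if row < lengths[col])


def group(text, size=5):
    """Block the ciphertext into groups of five, as the notes print it."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    ct = encrypt("sell all stock on Monday", "SCHMID")
    print(group(ct))                        # ESNYL KDLTM ACNLO OSLOA
    print(decrypt(ct, "SCHMID"))            # SELLALLSTOCKONMONDAY
    print(group(encrypt("Now is the time for all good men", "ABCDE")))
```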
 To break a transposition cipher, the cryptanalyst must first be
aware that he is dealing with a transposition cipher.
 By looking at the frequency of E, T, A, O, I, N, etc., it is easy to
see if they fit the normal pattern for plaintext.
 If so, the cipher is clearly a transposition cipher, because in such
a cipher every letter represents itself, keeping the frequency
distribution intact.
 The next step is to make a guess at the number of columns.
 In many cases a probable word or phrase may be guessed at
from the context.
 For example, suppose that our cryptanalyst suspects that the
plaintext phrase million dollars occurs somewhere in the
message.
 Observe that digrams MO, IL, LL, LA, IR and OS occur in the
ciphertext as a result of this phrase wrapping around.
 The ciphertext letter O follows the ciphertext letter M (i.e., they
are vertically adjacent in column 4) because they are separated
in the probable phrase by a distance equal to the key length.
 If a key of length seven had been used, the digrams MD, IO, LL,
LL, IA, OR, and NS would have occurred instead.
 In fact, for each key length, a different set of digrams is
produced in the ciphertext. By hunting for the various
possibilities, the cryptanalyst can often easily determine the key
length.
 The remaining step is to order the columns.
 When the number of columns, k, is small, each of the k *(k - 1)
column pairs can be examined to see if its digram frequencies
match those for English plaintext.
 The pair with the best match is assumed to be correctly
positioned.
 Now each remaining column is tentatively tried as the successor to
this pair.
 The column whose digram and trigram frequencies give the best
match is tentatively assumed to be correct.
 The predecessor column is found in the same way.
 The entire process is continued until a potential ordering is found.
 Chances are that the plaintext will be recognizable at this point
(e.g., if milloin occurs, it is clear what the error is).
 Some transposition ciphers accept a fixed-length block of input
and produce a fixed-length block of output.
 These ciphers can be completely described by giving a list telling
the order in which the characters are to be output.
 For example, the cipher shown in the diagram can be seen as a
64-character block cipher.
 Its output is 4, 12, 20, 28, 36, 44, 52, 60, 5, 13 , ... , 62.
 In other words, the fourth input character, a, is the first to be
output, followed by the twelfth, f, and so on.
One-Time Pads
 Constructing an unbreakable cipher is actually quite easy.
 First choose a random bit string as the key.
 Then convert the plaintext into a bit string, for example by using
its ASCII representation.
 Finally, compute the XOR of these two strings, bit by bit.
 This method, known as the one-time pad, is immune to all
present and future attacks no matter how much computational
power the intruder has.
 The reason derives from information theory: there is simply no
information in the message because all possible plaintexts of the
given length are equally likely.
 An example of how one-time pads are used is given in the
diagram.
 First, message 1, ''I like you.'' is converted to 7-bit ASCII.
 Then a one-time pad, pad 1, is chosen and XORed with the
message to get the ciphertext.
 A cryptanalyst could try all possible one-time pads to see what
plaintext came out for each one.
 For example, the one-time pad listed as pad 2 in the figure
could be tried, resulting in plaintext 2, ''Elvis lives'', which may
or may not be probable.
 In fact, for every 11-character ASCII plaintext, there is a one-time pad that generates it.
 That is what we mean by saying there is no information in the
ciphertext: we can get any message of the correct length out
of it.
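An added Python example (not from the lecture notes) of the one-time pad just described: "I like you." is converted to 7-bit ASCII and XORed with a pad, and a second pad is then derived that turns the very same ciphertext into "Elvis lives". The demonstration pad PAD_1 is a constructed fixed bit string so the run is repeatable; a real pad must come from a true random source, as random_pad() does, and be used once.

```python
import secrets

MESSAGE_1 = "I like you."    # 11 characters -> 77 bits of 7-bit ASCII
MESSAGE_2 = "Elvis lives"    # another 11-character plaintext


def to_bits(text):
    """7-bit ASCII representation, as in the figure in the notes."""
    if any(ord(ch) > 127 for ch in text):
        raise ValueError("only 7-bit ASCII characters can be encoded")
    return "".join(format(ord(ch), "07b") for ch in text)


def from_bits(bits):
    return "".join(chr(int(bits[i:i + 7], 2)) for i in range(0, len(bits), 7))


def xor_bits(a, b):
    """Bit-by-bit XOR of two equally long bit strings."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def random_pad(nbits):
    """A fresh pad: as many random bits as the message has, from a CSPRNG."""
    return "".join(str(secrets.randbelow(2)) for _ in range(nbits))


def encrypt(message, pad):
    return xor_bits(to_bits(message), pad)


def decrypt(ciphertext, pad):
    return from_bits(xor_bits(ciphertext, pad))


def pad_that_yields(ciphertext, wanted_plaintext):
    """Because XOR is its own inverse, pad = ciphertext XOR plaintext. For every
    plaintext of the right length some pad produces it, so the ciphertext alone
    carries no information about which one was sent."""
    return xor_bits(ciphertext, to_bits(wanted_plaintext))


# Constructed demonstration pad: a 76-bit constant, zero-padded to 77 bits.
PAD_1 = format(0x5A3C9E1D7B2F4806A1C, "077b")

if __name__ == "__main__":
    ct = encrypt(MESSAGE_1, PAD_1)
    print(decrypt(ct, PAD_1))                # I like you.
    pad_2 = pad_that_yields(ct, MESSAGE_2)
    print(decrypt(ct, pad_2))                # Elvis lives, from the same ciphertext
    fresh = random_pad(len(ct))
    print(decrypt(encrypt(MESSAGE_1, fresh), fresh))
```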
Disadvantage of One-Time Pad
 One-time pads are great in theory but have a number of
disadvantages in practice.
 The key cannot be memorized, so both sender and receiver
must carry a written copy with them. If either one is subject to
capture, written keys are clearly undesirable.
 Additionally, the total amount of data that can be
transmitted is limited by the amount of key available.
 Another problem is the sensitivity of the method to lost or
inserted characters. If the sender and receiver get out of
synchronization, all data from then on will appear garbled.
 With the advent of computers, the one-time pad might
potentially become practical for some applications.
 The source of the key could be a special DVD that contains
several gigabytes of information and if transported in a DVD
movie box and prefixed by a few minutes of video, would not
even be suspicious.
 Of course, at gigabit network speeds, having to insert a
new DVD every 30 sec could become tedious.
 And the DVDs must be personally carried from the sender
to the receiver before any messages can be sent, which
greatly reduces their practical utility.
 A solution to the one-time pad's key distribution problem is
quantum cryptography.
Quantum Cryptography
 Alice and Bob, who want to communicate, are known as the
principals.
 Trudy is the intruder.
 This algorithm is called BB84 (Bennett & Brassard, 1984).
 Quantum cryptography is based on the fact that light comes in
little packets called photons.
 Photons can be polarized using polarizing filters.
 After passing through a second filter, the intensity of the light is
proportional to the square of the cosine of the angle between the
axes.
 To generate a one-time pad, Alice needs two sets of
polarizing filters.
 Two filters, vertical and horizontal, form the rectilinear basis.
 Two filters at 45 degrees to these form the diagonal basis.
 Transforming the original one-time pad into a different one, so
that Trudy's partial knowledge of it becomes useless, is called
privacy amplification.
 See bits 7, 10, 11 and 14 in the next figure.
Two Fundamental Cryptographic Principles
1. Redundancy
Cryptographic principle 1: "Messages must contain some redundancy"
 Use a larger message (add redundant information).
 Use a CRC, a cryptographic hash, or a Hamming code
for error detection and correction.
2. Freshness
Cryptographic principle 2: "Some method is needed to foil replay attacks"
 Include a timestamp in every message.
 Suppose that after 10 sec, a message must be thrown out
of the network.
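An added Python example (not from the lecture notes) applying both principles on the receiving side: a CRC-32 appended to each message is the redundancy the receiver checks (CRC is one of the options the notes list), and a timestamp plus a short memory of recently accepted messages enforces the 10-second freshness rule, rejecting late arrivals and replays. The message layout (timestamp, payload, CRC) and the injected clock are assumptions of this example.

```python
import struct
import time
import zlib

WINDOW_SECONDS = 10.0   # the notes' example: after 10 sec the message is thrown out


def build_message(timestamp, payload):
    """Assumed layout: 8-byte timestamp | payload | 4-byte CRC-32 of what precedes.
    The CRC is the redundancy: a garbled or random message fails the check."""
    body = struct.pack(">d", timestamp) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def parse_message(message):
    """Return (timestamp, payload), or None if the redundancy check fails."""
    if len(message) < 12:
        return None
    body, crc = message[:-4], struct.unpack(">I", message[-4:])[0]
    if zlib.crc32(body) != crc:
        return None
    return struct.unpack(">d", body[:8])[0], body[8:]


class Receiver:
    """Accepts a message once, and only while its timestamp is within the window."""

    def __init__(self, clock=time.time, window=WINDOW_SECONDS):
        self.clock = clock          # injectable so the behaviour can be tested
        self.window = window
        self.recent = {}            # accepted message -> its timestamp

    def accept(self, message):
        now = self.clock()
        # Anything older than the window is rejected on its timestamp alone, so
        # only messages from inside the window need to be remembered.
        self.recent = {m: t for m, t in self.recent.items() if now - t <= self.window}
        parsed = parse_message(message)
        if parsed is None:
            return "rejected: redundancy check failed"
        timestamp, _payload = parsed
        if abs(now - timestamp) > self.window:
            return "rejected: stale timestamp"
        if message in self.recent:
            return "rejected: replay"
        self.recent[message] = timestamp
        return "accepted"


if __name__ == "__main__":
    rx = Receiver()
    msg = build_message(time.time(), b"transfer 100 to account B")
    print(rx.accept(msg))     # accepted
    print(rx.accept(msg))     # rejected: replay
```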
SYMMETRIC-KEY ALGORITHMS
1. DES: The Data Encryption Standard
2. AES: The Advanced Encryption Standard
3. Cipher Modes
4. Other Ciphers
5. Cryptanalysis
Symmetric Key Algorithms
 They use the same key for encryption and decryption, which is
why they are called symmetric-key algorithms.
 Block Ciphers: which take an n-bit block of
plaintext as input and transform it using the
key into n-bit block of ciphertext.
P (Permutation) Box Cipher
 P-box (permutation box) cryptographic algorithms can be
implemented in either hardware (for speed) or software (for
flexibility), but hardware is faster.
 A P-box performs a transposition at the bit level; it transposes
bits.
 Transpositions and substitutions can be
implemented with simple electrical circuits.
 P-boxes are normally keyless (the number of
rotations is fixed) .
 The diagram shows a device known as a P-box (P stands for
permutation), used to effect a transposition on an 8-bit input.
 If the 8 bits are designated from top to
bottom as 01234567, the output of this
particular P-box is 36071245.
 By appropriate internal wiring, a P-box can be made to
perform any transposition and do it at practically the speed of
light since no computation is involved, just signal propagation.
 The attacker knows that the general method is permuting the
bits.
 But the attacker does not know which bit goes where; that
wiring is the key.

There are three types of permutations in P-boxes (shown in the
diagram):
1. straight permutation
2. expansion permutation
3. compression permutation
A straight permutation cipher or a straight P-box has the same
number of inputs as outputs. In other words, if the number of
inputs is N, the number of outputs is also N.
In an expansion permutation cipher, the number of output ports
is greater than the number of input ports.
In a compression permutation cipher, the number of output
ports is less than the number of input ports.
S (Substitution) Box Cipher
 The input to an S-box is a stream of bits with length N; the result
is another stream of bits with length M.
 N and M are not necessarily the same.
 The diagram below shows an S-box.
 The S-box is normally keyless (the number of rotations is fixed)
and is used as an intermediate stage of encryption or decryption.
 The function that matches the input to the output may be defined
mathematically or by a table.
 Substitutions are performed by Sboxes, as shown in diagram.
 In this example a 3-bit plaintext is
entered and a 3-bit cipher text is
output.
 The 3-bit input selects one of the eight
lines exiting from the first stage and
sets it to 1; all the other lines are 0.
The second stage is a P-box. The third
stage encodes the selected input line
in binary again.
 With the wiring shown, if the eight
octal numbers 01234567 were input
one after another, the output sequence
would be 24506713.
 In other words, 0 has been replaced by
2, 1 has been replaced by 4, etc.
 Again, by appropriate wiring of the Pbox inside the S-box, any substitution
can be accomplished.
 Such a device can be built in hardware and can achieve great speed, since encoders and decoders have only one or two (subnanosecond) gate delays and the propagation time across the P-box may well be less than 1 picosecond.
Product Cipher
 Shannon proposed to design strong ciphers by mixing different
kinds of transformations.
 This can be achieved by alternating substitutions and
transpositions.
 The earliest block ciphers were based on this principle and so
were called SP-networks.
Three things need to be done to make the algorithm design
secure:
1. The cipher needs to be “wide” enough.
2. The cipher needs to have enough rounds.
3. The S-boxes need to be suitably chosen.
Product Cipher
 The real power of these basic elements only becomes apparent
when we cascade a whole series of boxes to form a product
cipher, as shown in diagram.
 In this example, 12 input lines are transposed (i.e., permuted) by the first stage (P1). Theoretically, it would be possible to have the second stage be an S-box that mapped a 12-bit number onto another 12-bit number. However, such a device would need 2^12 = 4096 crossed wires in its middle stage. Instead, the input is broken up into four groups of 3 bits, each of which is substituted independently of the others.
 Product ciphers that operate on k-bit inputs to produce k-bit outputs are very common. Typically, k is 64 to 256.
 A software implementation is programmed as a loop with at least 8 iterations, each one performing S-box-type substitutions on subblocks of the 64- to 256-bit data block, followed by a permutation that mixes the outputs of the S-boxes.
 Often there is a special initial permutation and one at the end
as well. In the literature, the iterations are called rounds.
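The P-box wiring (36071245), the 3-bit S-box (24506713) and the cascaded SP-network described above, as an added worked example in Python (not code from the slides). The generic permute() also covers the straight, expansion and compression P-boxes; the 12-bit permutation P12 and the round count of the SP-network are my own choices, not from the diagram.

```python
# Added example, not from the slides. PBOX_8 and SBOX_3 are the wirings the
# text gives; P12 and the round count of the SP-network are my own choices.

PBOX_8 = [3, 6, 0, 7, 1, 2, 4, 5]   # output wire i carries input wire PBOX_8[i]: "36071245"
SBOX_3 = [2, 4, 5, 0, 6, 7, 1, 3]   # 3-bit substitution "24506713": 0 -> 2, 1 -> 4, ...
P12 = [0, 3, 6, 9, 1, 4, 7, 10, 2, 5, 8, 11]  # 12-bit straight P-box between S-box layers


def to_bits(value, width):
    """Integer -> list of bits, top wire (most significant bit) first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def permute(bits, table):
    """Generic P-box: output wire i is soldered to input wire table[i].
    len(table) == len(bits): straight; longer (inputs reused): expansion;
    shorter (inputs dropped): compression. No computation, just wiring."""
    return [bits[src] for src in table]


def invert_permutation(table):
    """Inverse wiring of a straight P-box (expansion/compression have none)."""
    inv = [0] * len(table)
    for out_pos, src in enumerate(table):
        inv[src] = out_pos
    return inv


def invert_sbox(sbox):
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def substitute(bits, sbox, width=3):
    """S-box layer: each group of `width` bits is looked up independently
    (the text's four 3-bit S-boxes on a 12-bit block)."""
    out = []
    for i in range(0, len(bits), width):
        out += to_bits(sbox[from_bits(bits[i:i + width])], width)
    return out


def pbox8(value):
    """The page's 8-bit P-box."""
    return from_bits(permute(to_bits(value, 8), PBOX_8))


def sbox3(value):
    """The page's 3-bit S-box (decoder -> P-box -> encoder is just a table lookup)."""
    return SBOX_3[value]


def sp_encrypt(block, rounds=3):
    """Keyless SP-network on a 12-bit block: P, then 4 x S, repeated; final P."""
    bits = to_bits(block, 12)
    for _ in range(rounds):
        bits = substitute(permute(bits, P12), SBOX_3)
    return from_bits(permute(bits, P12))


def sp_decrypt(block, rounds=3):
    """Undo each layer in reverse order with the inverse boxes."""
    p_inv, s_inv = invert_permutation(P12), invert_sbox(SBOX_3)
    bits = permute(to_bits(block, 12), p_inv)
    for _ in range(rounds):
        bits = permute(substitute(bits, s_inv), p_inv)
    return from_bits(bits)


if __name__ == "__main__":
    print([sbox3(x) for x in range(8)])        # [2, 4, 5, 0, 6, 7, 1, 3]
    print(format(pbox8(0b10000000), "08b"))    # 00100000: top wire moved to position 2
    print(hex(sp_encrypt(0)), sp_decrypt(sp_encrypt(0)))   # 0x787 0
```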
Data Encryption Standard
 One example of a complex block cipher is the Data Encryption Standard (DES).
 DES was designed by IBM and adopted by the U.S. government in January 1977 as the standard encryption method for nonmilitary and nonclassified use (i.e. unclassified information).
 The algorithm encrypts a 64-bit plaintext block using a 64-bit
key.
 DES has two transposition blocks (P-boxes) and 16 complex
round ciphers (they are repeated). Although the 16 iteration
round ciphers are conceptually the same, each uses a different
key derived from the original key.
 The initial and final permutations are keyless straight
permutations that are the inverse of each other.
 The permutation takes a 64-bit input and permutes its bits according to predefined values.
 Plaintext is encrypted in blocks of 64 bits,
yielding 64 bits of ciphertext.
 The key length is 56 bits. (The key is usually written as a 64-bit number, but every eighth bit is used for parity checking and is discarded when the key is loaded into the DES algorithm.) DES has 19 distinct stages.
 The first stage is a key-independent
transposition on the 64-bit plaintext.
 The last stage is the exact inverse of this
transposition. The stage prior to the last
one exchanges the leftmost 32 bits with the
rightmost 32 bits.
 The remaining 16 stages are functionally
identical but are parameterized by different
functions of the key.
 The algorithm has been designed to allow decryption to be done with the same key as encryption, a property needed in any symmetric-key algorithm. The steps are just run in the reverse order.
Data Encryption Standard
 Each stage takes two 32-bit inputs and produces two 32-bit outputs.
 The left output is simply a copy of the right input.
 The right output is the bitwise XOR of the left input and a function of the right input and the key for this stage, Ki.
DES Function
 The function consists of four steps,
carried out in sequence.
 First, a 48-bit number, E, is constructed by expanding the 32-bit R(i-1) according to a fixed transposition and duplication rule.
 Second, E and Ki are XORed together.
 This output is then partitioned into eight groups of 6 bits each, each of which is fed into a different S-box.
 Each of the 64 possible inputs to an S-box is mapped onto a 4-bit output.
 Finally, these 8 x 4 bits are passed through a P-box.
 In each of the 16 iterations, a different key is used.
 Before the algorithm starts, a 56-bit transposition is applied to
the key.
 Just before each iteration, the key is partitioned into two 28-bit
units, each of which is rotated left by a number of bits
dependent on the iteration number.
 Ki is derived from this rotated key by applying yet another 56-bit transposition to it.
 A different 48-bit subset of the 56 bits is extracted and
permuted on each round.
 A technique that is sometimes used to make DES stronger is
called whitening.
 It consists of XORing a random 64-bit key with each plaintext block before feeding it into DES and then XORing a second 64-bit key with the resulting ciphertext before transmitting it.
 Whitening can easily be removed by running the reverse
operations (if the receiver has the two whitening keys).
 Since this technique effectively adds more bits to the key
length, it makes exhaustive search of the key space much
more time consuming.
 Note that the same whitening key is used for each block (i.e.,
there is only one whitening key).
 DES has been enveloped in controversy since the day it was
launched.
 It was based on a cipher developed and patented by IBM,
called Lucifer, except that IBM's cipher used a 128-bit key
instead of a 56-bit key.
 When the U.S. Federal Government wanted to standardize on
one cipher for unclassified use, it ''invited'' IBM to ''discuss'' the
matter with NSA, the U.S. Government's code-breaking arm,
which is the world's largest employer of mathematicians and
cryptologists.
 NSA is so secret that an industry joke goes:
Q.1
What does NSA stand for?
A1:
No Such Agency.
 Actually, NSA stands for National Security Agency.
 IBM reduced the key from 128 bits to 56 bits and decided to
keep secret the process by which DES was designed.
 Many people suspected that the key length was reduced to
make sure that NSA could just break DES, but no organization
with a smaller budget could.
 The point of the secret design was supposedly to hide a back
door that could make it even easier for NSA to break DES.
 When an NSA employee discreetly told IEEE to cancel a
planned conference on cryptography, that did not make
people any more comfortable.
 NSA denied everything.
 In 1977, two Stanford cryptography researchers, Diffie and
Hellman (1977), designed a machine to break DES and
estimated that it could be built for 20 million dollars.
 Given a small piece of plaintext and matched ciphertext, this machine could find the key by exhaustive search of the 2^56-entry key space in under 1 day.
 Nowadays, such a machine would cost well under 1 million
dollars.
Triple DES
 As early as 1979, IBM realized that the DES key length was too short.
 To effectively lengthen the key, Triple DES (3DES) was proposed and implemented.
 This uses three DES blocks, as shown in diagram.
 In this mechanism, two keys and three stages are used.
 The encrypting block uses an encryption-decryption-encryption combination of DESs, while the decryption block uses a decryption-encryption-decryption combination.
In other words:
 In the first stage, the plaintext is encrypted using DES in the
usual way with K1. In the second stage, DES is run in
decryption mode, using K2 as the key. Finally, another DES
encryption is done with K1.
 Two different versions of 3DES are in use: 3DES with two
keys and 3DES with three keys.
 This design immediately gives rise to two questions.
 First, why are only two keys used, instead of three?
 Second, why is EDE (Encrypt Decrypt Encrypt) used, instead of
EEE (Encrypt Encrypt Encrypt)?
 To make the key size 112 bits (even the most paranoid cryptographers believe that 112 bits is adequate for routine commercial applications for the time being) and at the same time protect DES from attacks such as the man-in-the-middle attack, 3DES with two keys was designed.
 And among cryptographers, paranoia is considered a feature,
not a bug.
 In this version, the first and the third keys are the same (K1 = K3).
 This has the advantage that a text encrypted by a single DES block can be decrypted by the new 3DES.
 We just set all keys equal to K1.
 Many algorithms use a 3DES cipher with three keys.
 This increases the size of the key to 168 bits. It adds the unnecessary overhead of managing and transporting another key for little real gain.
 The reason for encrypting, decrypting, and then encrypting
again is backward compatibility with existing single-key DES
systems.
 Both the encryption and decryption functions are mappings
between sets of 64-bit numbers.
 From a cryptographic point of view, the two mappings are
equally strong.
 By using EDE instead of EEE, a computer using triple
encryption can speak to one using single encryption by just
setting K1 = K2.
 This property allows triple encryption to be phased in gradually, something of no concern to academic cryptographers, but of considerable importance to IBM and its customers.
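Added example (not from the slides): a toy 64-bit Feistel cipher with 16 stages wired as the DES stage is described above (left out = right in, right out = left in XOR f(right in, Ki)), showing that decryption is the same network run with the round keys reversed, together with whitening and the EDE construction whose K1 = K2 setting collapses to a single encryption. The round function f and the SHA-256-based key schedule are my own stand-ins for DES's expansion, S-box and P-box machinery; only the structure is the point.

```python
import hashlib

# Added example, not from the slides: a toy Feistel cipher with the DES stage
# rule. f and round_keys are stand-ins, not DES; the structure is what matters.

MASK32 = 0xFFFFFFFF
ROUNDS = 16


def round_keys(key: bytes):
    """Toy schedule: K1..K16, each a 32-bit value derived from the key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]


def f(right: int, k: int) -> int:
    """Toy round function; it need not be invertible, which is the Feistel trick."""
    x = (right ^ k) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return (x ^ (x >> 15) ^ ((x << 7) & MASK32)) & MASK32


def feistel(block: bytes, subkeys) -> bytes:
    """Run the 16 stages with the given subkey order, then swap the halves
    (the stage before the last in DES) so that decryption is the same network
    run with the subkeys in reverse order."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys:
        left, right = right, left ^ f(right, k)   # left out = right in; right out = left XOR f(right, Ki)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key)[::-1])   # same steps, reverse order


def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def whiten_encrypt(block, key, w1, w2):
    """Whitening: XOR w1 before the cipher and w2 after it (same w1, w2 for every block)."""
    return xor8(encrypt_block(xor8(block, w1), key), w2)


def whiten_decrypt(block, key, w1, w2):
    return xor8(decrypt_block(xor8(block, w2), key), w1)


def tdes_encrypt(block, k1, k2, k3=None):
    """EDE: E_K3(D_K2(E_K1(block))); with k3 omitted this is the two-key variant (K1 = K3)."""
    k3 = k1 if k3 is None else k3
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def tdes_decrypt(block, k1, k2, k3=None):
    """DED, the mirror image: D_K1(E_K2(D_K3(block)))."""
    k3 = k1 if k3 is None else k3
    return decrypt_block(encrypt_block(decrypt_block(block, k3), k2), k1)


if __name__ == "__main__":
    p, k1, k2 = b"8bytemsg", b"first-key", b"second-k"   # constructed sample values
    c = tdes_encrypt(p, k1, k2)
    print(c.hex(), tdes_decrypt(c, k1, k2))
    # Backward compatibility: with K1 = K2 the middle D cancels the first E.
    print(tdes_encrypt(p, k1, k1) == encrypt_block(p, k1))   # True
```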
AES – The Advanced Encryption
Standard
 The Advanced Encryption Standard (AES) was designed
because DES's key was too small.
 Although Triple DES (3DES) increased the key size, the process
was too slow.
 AES is a very complex round cipher.
 Rules for AES proposals
1. The algorithm must be a symmetric block cipher.
2. The full design must be public.
3. Key lengths of 128, 192, and 256 bits supported.
4. Both software and hardware implementations required.
5. The algorithm must be public or licensed on equal terms.
 In August 1998, NIST selected five finalists primarily on the
basis of their security, efficiency, simplicity, flexibility, and
memory requirements (important for embedded systems).
 The finalists and their scores were as follows:
1. Rijndael (from Joan Daemen and Vincent Rijmen, 86 votes).
2. Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen, 59
votes).
3. Twofish (from a team headed by Bruce Schneier, 31 votes).
4. RC6 (from RSA Laboratories, 23 votes).
5. MARS (from IBM, 13 votes).
 In October 2000, The National Institute of Standards and
Technology (NIST) chose the Rijndael algorithm, named after
its two Belgian inventors, Vincent Rijmen and Joan Daemen, as
the basis of AES.
 The name Rijndael, pronounced Rhine-doll (more or less), is
derived from the last names of the authors: Rijmen +
Daemen.
 In November 2001 Rijndael became a U.S. Government
standard published as Federal Information Processing Standard
FIPS 197.
 Rijndael supports key lengths and block sizes from 128 bits to
256 bits in steps of 32 bits.
 The key length and block length may be chosen independently.
 However, AES specifies that the block size must be 128 bits and
the key length must be 128, 192, or 256 bits.
 It is doubtful that anyone will ever use 192-bit keys, so de
facto, AES has two variants: a 128-bit block with 128-bit key
and a 128-bit block with a 256-bit key.
 In our treatment of the algorithm below, we will examine only
the 128/128 case because this is likely to become the
commercial norm.
 A 128-bit key gives a key space of 2^128, about 3 x 10^38 keys.
 Even if NSA manages to build a machine with 1 billion parallel processors, each being able to evaluate one key per picosecond, it would take such a machine about 10^10 years to search the key space.
 By then the sun will have burned out, so the folks then present
will have to read the results by candlelight.
AES (2)
 AES is designed with three key sizes: 128, 192, or 256 bits.
Rijndael
 Like DES, Rijndael uses substitution and permutations, and it
also uses multiple rounds.
 The number of rounds depends on the key size and block size,
being 10 for 128-bit keys with 128-bit blocks and moving up to
14 for the largest key or the largest block.
 However, unlike DES, all operations involve entire bytes, to
allow for efficient implementations in both hardware and
software.
 An outline of the code is given in the next slide (program).
 The function rijndael has three parameters.
 They are: plaintext, an array of 16 bytes containing the input data; ciphertext, an array of 16 bytes where the enciphered output will be returned; and key, the 16-byte key.
 During the calculation, the current state of the data is
maintained in a byte array, state, whose size is NROWS x
NCOLS.
 For 128-bit blocks, this array is 4 x 4 bytes.
 With 16 bytes, the full 128-bit data block can be stored.
Creation of the state and rk arrays.
 The state array is initialized to the plaintext and modified by
every step in the computation.
 In some steps, byte-for-byte substitution is performed.
 In others, the bytes are permuted within the array.
 Other transformations are also used.
 At the end, the contents of the state are returned as the cipher
text.
 The code starts out by expanding the key into 11 arrays of the
same size as the state.
 They are stored in rk, which is an array of structs, each
containing a state array.
 One of these will be used at the start of the calculation and the
other 10 will be used during the 10 rounds, one per round.
 The calculation of the round keys from the encryption key is too
complicated for us to get into here.
 Suffice it to say that the round keys are produced by repeated
rotation and XORing of various groups of key bits.
The next step is to copy the plaintext into the state array so it
can be processed during the rounds.
It is copied in column order, with the first four bytes going into
column 0, the next four bytes going into column 1, and so on.
Both the columns and the rows are numbered starting at 0,
although the rounds are numbered starting at 1.
This initial setup of the 12 byte arrays of size 4 x 4 is illustrated in the given diagram.
There is one more step before the main computation begins:
rk[0] is XORed into state byte for byte.
In other words each of the 16 bytes in state is replaced by the
XOR of itself and the corresponding byte in rk[0].
Step 1 does a byte-for-byte substitution on state. This step is a
straight monoalphabetic substitution cipher.
Step 2 rotates each of the four rows to the left. Row 0 is
rotated 0 bytes (i.e., not changed), row 1 is rotated 1 byte, row
2 is rotated 2 bytes, and row 3 is rotated 3 bytes.
Step 3 mixes up each column independently of the other ones.
The mixing is done using matrix multiplication in which the new
column is the product of the old column and a constant matrix.
Step 4 XORs the key for this round into the state array.
The algorithm has been designed not only for great security,
but also for great speed. A good software implementation on a
2-GHz machine should be able to achieve an encryption rate of
700 Mbps, which is fast enough to encrypt over 100 MPEG-2
videos in real time. Hardware implementations are faster still.
 The general structure is shown in given diagram.
 There is an initial XOR operation followed by 10 round ciphers.
 The last round is slightly different from the preceding rounds; it
is missing one operation.
 Although the 10 iteration blocks are almost identical, each uses
a different key derived from the original key.
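Added example (not the slides' program): a compact AES-128 block encryption in Python that performs the four round steps described above on a state kept in column order, as the text describes. The round-key calculation the slides leave out is written out here (the standard AES-128 key expansion), and the result is checked against the FIPS 197 test vector.

```python
# Added example, not the slides' program: a compact AES-128 encryption. The
# state is a flat 16-byte list in column order (byte i at row i % 4, column
# i // 4), exactly as the plaintext is loaded; rk[0..10] are the round keys.


def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gmul(a, b):
    """Multiply two field elements (MixColumns uses 2 and 3; the S-box uses inverses)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _inverse(a):
    """a^254 = a^-1 in GF(2^8); for a = 0 the loop yields 0, as AES defines it."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r


def _affine(b):
    """The S-box affine map: b XOR its four left rotations XOR 0x63."""
    r = b
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r ^ 0x63


SBOX = [_affine(_inverse(x)) for x in range(256)]          # e.g. SBOX[0x53] == 0xED
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key expansion: 44 words -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]               # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def sub_bytes(s):                       # step 1: byte-for-byte substitution
    return [SBOX[b] for b in s]


def shift_rows(s):                      # step 2: row r is rotated left by r bytes
    return [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]


def mix_columns(s):                     # step 3: each column times the constant matrix
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def add_round_key(s, rk):               # step 4: XOR this round's key into the state
    return [x ^ k for x, k in zip(s, rk)]


def aes128_encrypt(plaintext: bytes, key: bytes) -> bytes:
    rk = expand_key(key)
    state = add_round_key(list(plaintext), rk[0])     # initial XOR with rk[0]
    for rnd in range(1, 11):
        state = shift_rows(sub_bytes(state))
        if rnd < 10:                                   # the last round skips MixColumns
            state = mix_columns(state)
        state = add_round_key(state, rk[rnd])
    return bytes(state)


def state_rows(state):
    """View the column-ordered state as its 4 rows (row 0 = bytes 0, 4, 8, 12)."""
    return [[state[4 * c + r] for c in range(4)] for r in range(4)]
```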
1) IDEA: The International Data Encryption Algorithm (IDEA) was developed by Xuejia Lai and James Massey. The block size is 64 bits and the key size is 128 bits. It can be implemented in both hardware and software.
2) Blowfish: Blowfish was developed by Bruce Schneier. The block size is 64 bits and the key size is between 32 and 448 bits.
3) CAST-128: CAST-128 was developed by Carlisle Adams and Stafford Tavares. It is a Feistel cipher with 16 rounds and a block size of 64 bits; the key size is 128 bits.
4) RC5: RC5 was designed by Ron Rivest. It is a family of ciphers with different block sizes, key sizes, and numbers of rounds.
Algorithm (Cipher) Mode
An algorithm mode is a combination of a series of the basic steps carried out on a block cipher and some kind of feedback from the previous step.
1. ECB – Electronic Code Book Mode
2. CBC – Cipher Block Chaining Mode
3. CFB – Cipher Feedback Mode
4. OFB – Output Feedback Mode
Electronic Code Book Mode
 The electronic code book (ECB) mode is a purely block cipher technique. It is the simplest mode of operation.
 In it, the incoming plaintext is divided into blocks of 64 bits each.
 Each block is then encrypted independently of the other blocks.
 At the receiver's end, all incoming ciphertext is divided into 64-bit blocks and the same key is used for decryption to retrieve the plaintext.
 In general we can say that the plaintext is divided into blocks of N bits and the ciphertext is made of blocks of N bits. The value of N depends on the type of cipher used.
Diagram (ECB mode): encryption feeds each plaintext block through Encrypt with the key to give a ciphertext block; decryption feeds each ciphertext block through Decrypt with the key to give the plaintext block.
 If the plaintext repeats a block, the ciphertext also repeats the same block, because the same key is used for encryption.
 So it is suitable for encrypting and decrypting small messages, where the scope for repeated text is quite small.
• We mention four characteristics of this mode:
1. Because the key and the encryption/decryption algorithm are
the same, equal blocks in the plaintext become equal blocks in
the ciphertext. For example, if plaintext blocks 1, 5, and 9 are
the same, ciphertext blocks 1, 5, and 9 are also the same.
This can be a security problem; the adversary can guess that
the plaintext blocks are the same if the corresponding
ciphertext blocks are the same.
2. If we reorder the plaintext block, the ciphertext is also
reordered.
3. Blocks are independent of each other. Each block is encrypted
or decrypted independently. A problem in encryption or
decryption of a block does not affect other blocks.
4. An error in one block is not propagated to other blocks. If one
or more bits are corrupted during transmission, it only affects
the bits in the corresponding plaintext after decryption. Other
plaintext blocks are not affected. This is a real advantage if the
channel is not noise-free.
Cipher Block Chaining Mode
 The cipher block chaining (CBC) mode tries to solve some of the problems in ECB by including the previous cipher block in the preparation of the current block.
 This mode ensures that even if a plaintext block repeats in the input, the two identical blocks yield totally different ciphertext blocks in the output. A feedback mechanism is used for this.
 In this method, shown in below diagram, each plaintext block
is XORed with the previous ciphertext block before being
encrypted.
 Consequently, the same plaintext block no longer maps onto
the same ciphertext block, and the encryption is no longer a
big monoalphabetic substitution cipher.
 The first block is XORed with a randomly chosen IV
(Initialization Vector), which is transmitted (in plaintext) along
with the ciphertext.
 We start out by computing C0 = E(P0 XOR IV).
 Then we compute C1 = E(P1 XOR C0), and so on.
 Decryption also uses XOR to reverse the process, with P0 = IV
XOR D(C0), and so on.
 The encryption of block i is a function of all the plaintext in
blocks 0 through i - 1, so the same plaintext generates different
ciphertext depending on where it occurs.
 Cipher block chaining also has the advantage that the same
plaintext block will not result in the same ciphertext block,
making cryptanalysis more difficult.
 In fact, this is the main reason it is used.
 If the current block is i, the previous ciphertext block Ci-1 is included in the encryption of block i.
 In other words, when a block is completely enciphered, the
block is sent, but a copy of it is kept in a register (a place
where data can be held) to be used in the encryption of the
next block.
 The reader may wonder about the initial block. There is no
ciphertext block before the first block.
 In this case, a fake block called the initialization vector (IV) is used.
 Both the sender and receiver agree upon a specific predetermined IV.
 In other words, the IV is used instead of the nonexistent C0; the diagram shows the CBC mode.
 The reader may wonder about the decryption.
 Does the configuration shown in the figure guarantee the
correct decryption?
 It can be proven that it does.
 The following are some characteristics of CBC.
1. Even though the key and the encryption/decryption algorithm
are the same, equal blocks in the plaintext do not become
equal blocks in the ciphertext. For example, if plaintext blocks
1, 5, and 9 are the same, ciphertext blocks 1, 5, and 9 will not
be the same. An adversary will not be able to guess from the
ciphertext that two blocks are the same.
2. Blocks are dependent on each other. Each block is encrypted or
decrypted based on a previous block. A problem in encryption
or decryption of a block affects other blocks.
3. The error in one block is propagated to the other blocks. If one
or more bits are corrupted during the transmission, it affects
the bits in the next blocks of the plaintext after decryption.
 However, cipher block chaining has the disadvantage of
requiring an entire 64-bit block to arrive before decryption can
begin. For use with interactive terminals, where people can
type lines shorter than eight characters and then stop, waiting
for a response, this mode is unsuitable.
Cipher Feedback Mode
 For byte-by-byte encryption, cipher feedback mode, using (triple) DES, is used as shown in the diagram.
 For AES the idea is exactly the same, only a 128-bit shift register is used.
 In this diagram, the state of the encryption machine is shown after bytes 0 through 9 have been encrypted and sent.
 When plaintext byte 10 arrives, as illustrated in diagram (a), the DES algorithm operates on the 64-bit shift register to generate a 64-bit ciphertext.
 The leftmost byte of that ciphertext is extracted and XORed
with P10.
 That byte is transmitted on the transmission line.
 In addition, the shift register is shifted left 8 bits, causing C2
to fall off the left end, and C10 is inserted in the position just
vacated at the right end by C9.
 Note that the contents of the shift register depend on the
entire previous history of the plaintext, so a pattern that
repeats multiple times in the plaintext will be encrypted
differently each time in the ciphertext.
 As with cipher block chaining, an initialization vector is needed
to start the ball rolling.
 Decryption with cipher feedback mode just does the same
thing as encryption.
 In particular, the content of the shift register is encrypted, not
decrypted, so the selected byte that is XORed with C10 to get
P10 is the same one that was XORed with P10 to generate C10 in
the first place.
 As long as the two shift registers remain identical, decryption
works correctly. It is illustrated in diagram(b).
Cipher Feedback Mode
 The cipher feedback (CFB) mode was created for those
situations in which we need to send or receive r bits of data,
where r is a number different from the underlying block size of
the encryption cipher used.
 The value of r can be 1, 4, 8, or any number of bits.
 Since all block ciphers work on a block of data at a time, the
problem is how to encrypt just r bits.
 The solution is to let the cipher encrypt a block of bits and use
only the first r bits as a new key (stream key) to encrypt the r
bits of user data.
 The configuration is shown in the diagram.
 The following are some characteristics of the CFB mode:
1. If we change the IV from one encryption to another using the
same plaintext, the ciphertext is different.
2. The ciphertext Ci depends on both Pi and the preceding
ciphertext block.
3. Errors in one or more bits of the ciphertext block affect the next
ciphertext blocks.
 Not all applications can work on blocks of data; security is also required for applications that are character oriented, and for these the cipher feedback mode is used.
 It operates on 8-bit data (a single character).
Step 1: A 64-bit initialization vector (IV) is kept in a 64-bit shift register. Using encryption, we obtain a 64-bit encrypted IV.
Step 2: The leftmost j bits (here j = 8) of the encrypted IV are XORed with the first j bits of plaintext. This produces the first portion of the ciphertext (C), which is transmitted to the receiver.
Step 3: Now the IV is left-shifted by j bits, so the rightmost j positions of the IV contain unpredictable values. These positions are filled with C.
Step 4: Steps 1 to 3 are repeated until all the plaintext is encrypted.
 A problem with cipher feedback mode is that if one bit of the
ciphertext is accidentally inverted during transmission, the 8
bytes that are decrypted while the bad byte is in the shift
register will be corrupted.
 Once the bad byte is pushed out of the shift register, correct
plaintext will once again be generated.
 Thus, the effects of a single inverted bit are relatively localized
and do not ruin the rest of the message, but they do ruin as
many bits as the shift register is wide.
Output Feedback Mode
 The output feedback (OFB) mode is very similar to the CFB
mode with one difference.
 Each bit in the ciphertext is independent of the previous bit or
bits.
 This avoids error propagation. If an error occurs in
transmission, it does not affect the future bits.
 As in CFB, both the sender and the receiver use the encryption
algorithm.
 As in CFB, block ciphers such as DES or AES can only be used to create the key stream.
 The feedback for creating the next bit stream comes from the previous bits of the key stream instead of the ciphertext.
 The ciphertext does not take part in creating the key stream. The diagram shows the OFB mode.
 The following are some of the characteristics of the OFB mode.
1. If we change the IV from one encryption to another using the
same plaintext, the ciphertext will be different.
2. The ciphertext Ci depends on the plaintext Pi.
3. Errors in one or more bits of the ciphertext do not affect future
ciphertext blocks.
Stream Cipher Mode
 However, applications exist in which having a 1-bit transmission error mess up 64 bits of plaintext is too large an effect.
 For these applications, a fourth option, stream cipher mode,
exists.
 It works by encrypting an initialization vector, using a key to
get an output block.
 The output block is then encrypted, using the key to get a
second output block.
 This block is then encrypted to get a third block, and so on.
 The (arbitrarily large) sequence of output blocks, called the
keystream, is treated like a one-time pad and XORed with the
plaintext to get the ciphertext, as shown in diagram(a).
 Note that the IV is used only on the first step.
 After that, the output is encrypted.
 Also note that the keystream is independent of the data, so it
can be computed in advance, if need be, and is completely
insensitive to transmission errors. Decryption is shown in
diagram(b).
 Decryption occurs by generating the same keystream at the
receiving side.
 Since the keystream depends only on the IV and the key, it is
not affected by transmission errors in the ciphertext.
 Thus, a 1-bit error in the transmitted ciphertext generates only
a 1-bit error in the decrypted plaintext.
 It is essential never to use the same (key, IV) pair twice with a
stream cipher because doing so will generate the same
keystream each time.
 Using the same keystream twice exposes the ciphertext to a
keystream reuse attack.
 Imagine that the plaintext block, P0, is encrypted with the
keystream to get P0 XOR K0. Later, a second plaintext block, Q0,
is encrypted with the same keystream to get Q0 XOR K0.
 An intruder who captures both of these ciphertext blocks can
simply XOR them together to get P0 XOR Q0, which eliminates
the key.
 The intruder now has the XOR of the two plaintext blocks.
 If one of them is known or can be guessed, the other can also
be found.
 In any event, the XOR of two plaintext streams can be attacked
by using statistical properties of the message.
 For example, for English text, the most common character in the
stream will probably be the XOR of two spaces, followed by the
XOR of space and the letter ''e'', etc.
 In short, equipped with the XOR of two plaintexts, the
cryptanalyst has an excellent chance of deducing both of them.
Counter Mode
 One problem that all the modes except electronic code book
mode have is that random access to encrypted data is
impossible.
 For example, suppose a file is transmitted over a network and
then stored on disk in encrypted form.
 This might be a reasonable way to operate if the receiving computer is a notebook computer that might be stolen.
 Storing all critical files in encrypted form greatly reduces the
damage due to secret information leaking out in the event that
the computer falls into the wrong hands.
 However, disk files are often accessed in nonsequential order, especially files in databases.
 With a file encrypted using cipher block chaining, accessing a
random block requires first decrypting all the blocks ahead of
it, an expensive proposition.
 For this reason, yet another mode has been invented, counter
mode, as illustrated in diagram.
 Here the plaintext is not encrypted directly.
 Instead, the initialization vector plus a constant is encrypted,
and the resulting ciphertext XORed with the plaintext. By
stepping the initialization vector by 1 for each new block, it is
easy to decrypt a block anywhere in the file without first having
to decrypt all of its predecessors.
 Although counter mode is useful, it has a weakness that is worth
pointing out.
 Suppose that the same key, K, is used again in the future (with a
different plaintext but the same IV) and an attacker acquires all the
ciphertext from both runs.
 The keystreams are the same in both cases, exposing the cipher to
a keystream reuse attack of the same kind we saw with stream
ciphers.
 All the cryptanalyst has to do is to XOR the two ciphertexts together
to eliminate all the cryptographic protection and just get the XOR of
the plaintexts.
 This weakness does not mean counter mode is a bad idea. It just
means that both keys and initialization vectors should be chosen
independently and at random.
 Even if the same key is accidentally used twice, if the IV is different
each time, the plaintext is safe.
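Added example (not from the slides): the modes discussed above (ECB, CBC, 8-bit CFB, OFB/stream cipher mode and counter mode) built over a constructed toy 64-bit block cipher, with a 1-bit error injection so the error-propagation claims for each mode can be checked, and counter mode's random access to a single block. The toy cipher is only an invertible placeholder for DES and is not secure; the sample plaintext, key and IV are constructed values.

```python
import hashlib

# Added example, not from the slides: the modes above on a constructed toy
# 64-bit block cipher (an invertible stand-in for DES, NOT secure).
BLOCK = 8
M64 = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15           # odd, so multiplication mod 2^64 is invertible
MUL_INV = pow(MUL, -1, 1 << 64)
# Constructed sample data for the checks: blocks 0 and 1 are identical on purpose.
PT = b"SAMEBLK!" * 2 + b"LASTBLK!"
KEY = b"toy-key"
IV = bytes(range(8))

def _k(key):
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")

def e_block(block, key):
    """Toy E: xor key, multiply, rotate, xor key (any 64-bit bijection would do)."""
    x = int.from_bytes(block, "big") ^ _k(key)
    x = (x * MUL) & M64
    x = ((x << 23) | (x >> 41)) & M64
    return (x ^ _k(key)).to_bytes(BLOCK, "big")

def d_block(block, key):
    x = int.from_bytes(block, "big") ^ _k(key)
    x = ((x >> 23) | (x << 41)) & M64
    x = (x * MUL_INV) & M64
    return (x ^ _k(key)).to_bytes(BLOCK, "big")

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):            # C_i = E(P_i): equal blocks stay equal
    return b"".join(e_block(p, key) for p in blocks(pt))

def ecb_decrypt(ct, key):
    return b"".join(d_block(c, key) for c in blocks(ct))

def cbc_encrypt(pt, key, iv):        # C_i = E(P_i XOR C_{i-1}), the IV standing in for C_{-1}
    out, prev = [], iv
    for p in blocks(pt):
        prev = e_block(xor_bytes(p, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):        # P_i = D(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor_bytes(d_block(c, key), prev))
        prev = c
    return b"".join(out)

def cfb8_encrypt(pt, key, iv):
    """8-bit CFB: encrypt the 8-byte shift register, XOR its leftmost byte in."""
    reg, out = bytearray(iv), bytearray()
    for p in pt:
        c = e_block(bytes(reg), key)[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])   # shift left 8 bits, ciphertext byte enters at the right
    return bytes(out)

def cfb8_decrypt(ct, key, iv):
    reg, out = bytearray(iv), bytearray()
    for c in ct:
        out.append(e_block(bytes(reg), key)[0] ^ c)   # E, not D, on the register
        reg = reg[1:] + bytes([c])
    return bytes(out)

def ofb_crypt(data, key, iv):
    """OFB / stream cipher mode: keystream E(IV), E(E(IV)), ...; same call decrypts."""
    out, ks = bytearray(), iv
    for i, x in enumerate(data):
        if i % BLOCK == 0:
            ks = e_block(ks, key)    # keystream never depends on the data
        out.append(x ^ ks[i % BLOCK])
    return bytes(out)

def ctr_keystream(key, iv, index):   # counter mode: block i uses E(IV + i), computable alone
    ctr = (int.from_bytes(iv, "big") + index) & M64
    return e_block(ctr.to_bytes(BLOCK, "big"), key)

def ctr_crypt(data, key, iv):
    return b"".join(xor_bytes(b, ctr_keystream(key, iv, i)) for i, b in enumerate(blocks(data)))

def flip_bit(data, bit):             # simulate a 1-bit transmission error
    b = bytearray(data)
    b[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(b)

def changed_blocks(original, decrypted):   # which 8-byte blocks came out wrong
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(decrypted))) if a != b]

def bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

Flipping bit 70 (inside block 1) and decrypting shows the page's claims directly: ECB corrupts block 1 only, CBC corrupts block 1 and flips one bit of block 2, CFB-8 can damage the bad byte and the 8 bytes that follow it, and OFB and counter mode turn it into a single wrong plaintext bit.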
Other Ciphers
Cryptanalysis
 The first development is differential cryptanalysis.
 This technique can be used to attack any block cipher.
 It works by beginning with a pair of plaintext blocks that differ
in only a small number of bits and watching carefully what
happens on each internal iteration as the encryption proceeds.
 In many cases, some bit patterns are much more common
than other patterns, and this observation leads to a
probabilistic attack.
 The second development worth noting is linear cryptanalysis.
It can break DES with only 2^43 known plaintexts.
 It works by XORing certain bits in the plaintext and ciphertext
together and examining the result for patterns.
 When this is done repeatedly, half the bits should be 0s and
half should be 1s.
 Often, however, ciphers introduce a bias in one direction or
the other, and this bias, however small, can be exploited to
reduce the work factor.
 The third development is using analysis of the electrical power
consumption to find secret keys. Computers typically use 3
volts to represent a 1 bit and 0 volts to represent a 0 bit.
 Thus, processing a 1 takes more electrical energy than
processing a 0.
 If a cryptographic algorithm consists of a loop in which the key
bits are processed in order, an attacker who replaces the main
n-GHz clock with a slow (e.g., 100-Hz) clock and puts alligator
clips on the CPU's power and ground pins, can precisely monitor
the power consumed by each machine instruction. From this
data, deducing the key is surprisingly easy.
 This kind of cryptanalysis can be defeated only by carefully
coding the algorithm in assembly language to make sure power
consumption is independent of the key and also independent of
all the individual round keys.
 The fourth development is timing analysis.
 Cryptographic algorithms are full of if statements that test bits
in the round keys.
 If the then and else parts take different amounts of time, by
slowing down the clock and seeing how long various steps take,
it may also be possible to deduce the round keys.
 Once all the round keys are known, the original key can usually
be computed.
 Power and timing analysis can also be employed simultaneously
to make the job easier. While power and timing analysis may
seem exotic, in reality they are powerful techniques that can
break any cipher not specifically designed to resist them.
Public-Key Algorithms
RSA
 It is known by the initials of its three discoverers (Rivest,
Shamir, Adleman): RSA.
 It is the most popular and proven asymmetric-key cryptography
algorithm.
 Prime number: a prime number is one that is divisible only by 1
and itself. So 3 is a prime number because it is divisible only
by 1 and itself.
 RSA is based on the mathematical fact that it is easy to find
large prime numbers and multiply them together, but very hard
to factor the product back into those primes.
 The private and public keys in RSA are based on very large
(many-digit) prime numbers.
 The real challenge in RSA is generating and selecting the public
and private keys.
 Its major disadvantage is that it requires keys of at least 1024
bits for good security (versus 128 bits for symmetric-key
algorithms), which makes it quite slow.
1. Choose two large prime numbers P and Q (typically 1024 bits).
2. Calculate N = P × Q.
3. Select the public key (encryption key) E such that it is not a
factor of (P-1) and (Q-1).
4. Select the private key (decryption key) D such that the following
equation is true:
(D × E) mod ((P-1) × (Q-1)) = 1
 For encryption, calculate the ciphertext CT from the plaintext PT
as follows:
CT = PT^E mod N
 For decryption, calculate the plaintext PT from the ciphertext CT
as follows:
PT = CT^D mod N
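The four key-generation steps and the two formulas above, carried through in Python as an added example (not the slides' own code). Assumptions: Miller-Rabin is used to find P and Q, E defaults to 65537 (the common choice), and 512-bit primes give the 1024-bit N the slides mention; `keys_from_primes` also accepts small textbook primes so the arithmetic can be checked by hand.

```python
import math
import random

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; probabilistic, but good enough to pick P and Q here."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # witness found: n is composite
    return True

def random_prime(bits: int) -> int:
    while True:                       # force top bit (right size) and low bit (odd)
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def keys_from_primes(p: int, q: int, e: int):
    """Steps 2-4: N = P*Q; E coprime to (P-1)(Q-1); D*E mod (P-1)(Q-1) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("E must share no factor with (P-1)(Q-1)")
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, n), (d, n)             # public key (E, N), private key (D, N)

def generate_keys(bits: int = 512, e: int = 65537):
    """Step 1: two distinct random primes; 512-bit P and Q give a 1024-bit N."""
    p, q = random_prime(bits), random_prime(bits)
    while q == p or math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = random_prime(bits)
    return keys_from_primes(p, q, e)

def encrypt(pub, pt: int) -> int:
    e, n = pub
    assert 0 <= pt < n, "a plaintext block must be a number smaller than N"
    return pow(pt, e, n)              # CT = PT^E mod N

def decrypt(priv, ct: int) -> int:
    return pow(ct, priv[0], priv[1])  # PT = CT^D mod N
```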
To encrypt a message, P, compute C = P^e (mod n). To decrypt
C, compute P = C^d (mod n).
It can be proven that for all P in the specified range, the
encryption and decryption functions are inverses.
To perform the encryption, we need e and n.
To perform the decryption, we need d and n.
Therefore, the public key consists of the pair (e, n), and the