Jaimin chp-8 - network security-new -use this - 2011 batch

Apr 06, 2011

GTU-MCA-SEM IV - Fundamentals of Networking

Presentation Notes
• Here we walk through an example using "trivial"-sized numbers. Selecting primes requires the use of primality tests. Finding d as the inverse of e mod φ(n) requires the extended Euclidean (inverse) algorithm (see Ch4).
• Rather than laboriously multiplying over and over, the "square and multiply" algorithm with a modular reduction after each step implements all the exponentiations quickly and efficiently (see next).
• Stallings Fig 12.1
• The padded message is broken into 512-bit blocks, each processed together with the buffer value using 4 rounds, and the result is added to the input buffer to give the new buffer value. Repeat until the message is exhausted, and use the final buffer value as the hash. NB: because of the padding there is always a full final block (with the length in it).
• Each round mixes the buffer input with the next "word" of the message in a complex, non-linear manner. A different non-linear function is used in each of the 4 rounds (but the same function for all 16 steps in a round). The 4 buffer words (a, b, c, d) are rotated from step to step so that all are used and updated. g is one of the primitive functions F, G, H, I for the 4 rounds respectively. X[k] is the kth 32-bit word in the current message block. T[i] is the ith entry in the table of constants T. The addition of varying constants T and the use of different shifts were intended to make collisions hard to compute; for MD5 this no longer holds, since practical collision attacks have been published.
• Compare using the design goals listed earlier. At the time these notes were written SHA-1 was the preferred hash function for new applications; that is no longer the case, as practical SHA-1 collisions have since been demonstrated and SHA-2 or SHA-3 should be used instead.
• See Stallings Tables 12.3 and 12.4 for details.

Presentation Transcript

• Chapter 8
• Introduction to Cryptography
• Substitution Ciphers
• Transposition Ciphers
• Two Fundamental Cryptographic Principles
• Some people who cause security problems and why.
• The encryption model (for a symmetric-key cipher).
• A transposition cipher.
• The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad.
• An example of quantum cryptography.
• DES – The Data Encryption Standard
• AES – The Advanced Encryption Standard
• Cipher Modes
• Basic elements of product ciphers. (a) P-box. (b) S-box. (c) Product.
The alternation of substitution (the S-boxes) and permutation of bits (the P-box and the E-expansion) provides so-called "confusion" and "diffusion" respectively.
• The reason for diffusion is the following:
• If one changes one bit of the plaintext, it is fed into an S-box whose output changes in several bits; these changes are distributed by the P-box among several S-boxes, so the outputs of all of those S-boxes again change in several bits, and so on.
• After several rounds, each bit has changed several times back and forth, so by the end the ciphertext has changed completely, in a pseudorandom manner. In particular, for a randomly chosen input block, if one flips the i-th input bit then the probability that the j-th output bit changes is approximately one half, for any i and j. This is the Strict Avalanche Criterion.
• Confusion works the same way, but for the key rather than the plaintext:
• changing one bit of the key changes several of the round keys, and every change in a round key diffuses over all the bits, changing the ciphertext in a very complex manner.
• Conversely, every ciphertext bit depends on many key bits in a complicated way, so an attacker cannot isolate and recover individual key bits from the ciphertext.
• The basic process in enciphering a 64-bit data block with a 56-bit key using DES consists of:
• An initial permutation (IP)
• 16 rounds of a complex key dependent calculation f
• A final permutation, being the inverse of IP
•
• The data encryption standard. (a) General outline. (b) Detail of one iteration. The circled + means exclusive OR.
• The function f consists of four steps, carried out in sequence:
• Step 1, Expansion: a 48-bit value E is constructed by expanding the 32-bit right half according to a fixed transposition-and-duplication rule.
• Step 2, Key mixing: E and K_i are XORed together. Sixteen 48-bit subkeys, one per round, are derived from the main key by the key schedule.
• Step 3, Substitution: the 48-bit result is partitioned into eight groups of 6 bits (8 × 6), each fed into a different S-box. Each S-box maps each of its 64 possible 6-bit inputs onto a 4-bit output.
• Step 4, Permutation: the resulting 32 bits (8 × 4) are passed through a P-box.
• (a) Triple encryption using DES. (b) Decryption.
• Triple DES uses a "key bundle" of three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits).
• The encryption algorithm is: ciphertext = E_K3(D_K2(E_K1(plaintext))), i.e. DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3.
• Decryption is the reverse: plaintext = D_K1(E_K2(D_K3(ciphertext))), i.e. decrypt with K3, encrypt with K2, then decrypt with K1.
• Each triple encryption encrypts one 64-bit block of data. In each case the middle operation is the reverse of the first and last; this encrypt-decrypt-encrypt arrangement is what provides backward compatibility with single DES under keying option 3.
• Keying options. The standards define three keying options:
• Keying option 1: all three keys are independent.
• Keying option 2: K1 and K2 are independent, and K3 = K1.
• Keying option 3: all three keys are identical, i.e. K1 = K2 = K3.
• Keying option 1 is the strongest, with 3 × 56 = 168 independent key bits; because of the meet-in-the-middle attack its effective strength is nevertheless only about 112 bits.
• Keying option 2 provides less security, with 2 × 56 = 112 key bits. It is still stronger than simply DES-encrypting twice with K1 and K2, because double encryption falls to a meet-in-the-middle attack with roughly 2^57 work and 2^56 memory, and so gains almost nothing over single DES.
• Keying option 3 is equivalent to DES, with only 56 key bits. It provides backward compatibility with DES, because the first two operations (encrypt with K1, then decrypt with K1) cancel out.
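To make the Feistel structure of DES, the EDE construction and the meet-in-the-middle argument concrete, here is an added example (not from the slides) built on a toy 16-bit Feistel cipher with a 16-bit key. The round function f, the key schedule, the keys and the plaintexts are arbitrary constructed assumptions; the toy sizes exist only so that the attack finishes in seconds.

```python
"""Toy 16-bit Feistel cipher (two 8-bit halves, 16-bit key, 4 rounds) showing three points from
the DES / Triple DES discussion:
  (a) a Feistel network decrypts by running the same rounds with the subkeys reversed, whatever
      the round function f is, because each round only XORs f(R, k) into one half;
  (b) EDE triple encryption, and why keying option 3 (K1 = K2 = K3) collapses to single DES;
  (c) why double encryption with two independent keys gains almost nothing against a
      meet-in-the-middle attack: about 2 * 2**16 cipher calls instead of 2**32.
Added example, not from the slides. f, the key schedule, keys and plaintexts are constructed
assumptions; block and key sizes are toy sizes."""

ROUNDS = 4
MASK8, MASK16 = 0xFF, 0xFFFF


def subkeys(key16):
    """Assumed schedule: subkey r is the low byte of the master key rotated left by 3*r bits."""
    return [(((key16 << (3 * r)) | (key16 >> (16 - 3 * r))) & MASK16) & MASK8
            for r in range(ROUNDS)]


def f(right, k):
    """Assumed round function: an 8-bit quadratic followed by a rotation. It need not be
    invertible; the Feistel structure supplies invertibility."""
    x = (right ^ k) & MASK8
    x = (x * x + 0x6B * x + 0x3D) & MASK8
    return ((x << 3) | (x >> 5)) & MASK8


def feistel(block, keys):
    """Run the rounds; the final swap is undone (as in DES) so that the same function with the
    subkeys in reverse order is the exact inverse."""
    left, right = block >> 8, block & MASK8
    for k in keys:
        left, right = right, left ^ f(right, k)
    return (right << 8) | left


def encrypt(p, key16):
    return feistel(p, subkeys(key16))


def decrypt(c, key16):
    return feistel(c, subkeys(key16)[::-1])


def ede_encrypt(p, k1, k2, k3):
    """Triple encryption as on the slide: E_K3(D_K2(E_K1(p)))."""
    return encrypt(decrypt(encrypt(p, k1), k2), k3)


def ede_decrypt(c, k1, k2, k3):
    return decrypt(encrypt(decrypt(c, k3), k2), k1)


def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under double_encrypt with unknown (k1, k2).
    Tabulate E_k1(p0) for every k1, then for every k2 look up D_k2(c0) in the table. With 16-bit
    blocks a single pair leaves about 2**16 false candidates, so the other pairs filter them."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        for k1 in table.get(decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    k1, k2, k3 = 0x1234, 0xBEEF, 0x0F0F  # constructed toy keys
    c = ede_encrypt(0x4142, k1, k2, k3)
    print("EDE round trip ok:", ede_decrypt(c, k1, k2, k3) == 0x4142)
    print("keying option 3 == single encryption:", ede_encrypt(0x4142, k1, k1, k1) == encrypt(0x4142, k1))
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x0001, 0x4242, 0x9A5C)]
    print("meet-in-the-middle recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The attack builds a table of 2^16 entries and does 2^16 trial decryptions, instead of the 2^32 trials a brute-force search of both keys would need; scaled to DES that is the 2^57 time / 2^56 memory figure quoted above. With three known pairs the true key survives the filtering; the table lookup alone would leave far too many candidates because the toy block is as short as the key.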
• Rules for AES proposals
• The algorithm must be a symmetric block cipher.
• The full design must be public.
• Key lengths of 128, 192, and 256 bits supported.
• Both software and hardware implementations required
• The algorithm must be public or licensed on nondiscriminatory terms.
• An outline of Rijndael.
• Creation of the state and rk arrays.
• Block ciphers encrypt fixed-size blocks
• e.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of arbitrary length
• e.g. a message of 1000 bytes
• NIST defines several ways to do it
• called modes of operation
• Electronic codebook mode (ECB)
• Cipher block chaining mode (CBC) – historically the most widely used
• Output feedback mode (OFB)
• Cipher feedback mode (CFB)
• Stream Cipher
• Counter mode (CTR)
• The plaintext is broken into blocks, P 1 , P 2 , P 3 , ...
• Each block is encrypted independently:
• C i = E K (P i )
• For a given key, this mode behaves like we have a gigantic codebook, in which each plaintext block has an entry, hence the name Electronic Code Book
• Strength: it’s simple.
• Weakness:
• Repetitive information in the plaintext shows through in the ciphertext whenever the repeats are block-aligned: identical plaintext blocks give identical ciphertext blocks.
• If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, the two ciphertexts are identical, so an eavesdropper can tell.
• Typical application: secure transmission of a single short value (e.g. a temporary encryption key) that fits in one block. ECB should not be used for longer or structured data.
• The plaintext of a file encrypted as 16 DES blocks.
• Cipher block chaining. (a) Encryption. (b) Decryption.
• The encryption of a block depends on the current and all blocks before it.
• So, repeated plaintext blocks are encrypted differently.
• Initialization Vector (IV)
• Must be known to both the sender & receiver
• Must be unpredictable to an attacker and fresh for every message under the same key; it is normally chosen at random and sent in the clear along with the ciphertext (it does not need to be secret). A fixed IV makes two messages with the same leading blocks produce the same leading ciphertext blocks.
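The following added example (not from the slides) serves two passages above: the confusion/diffusion discussion, by measuring the avalanche effect of a small substitution-permutation network as rounds are added, and the ECB versus CBC comparison, by encrypting a message with repeated blocks under both modes with the same toy cipher. The S-box is the first row of DES's S1 table; the P-box, the key schedule, the key, the IV and the sample message are constructed assumptions.

```python
"""Toy 16-bit substitution-permutation network (four 4-bit S-boxes, a transposing P-box,
r rounds) used for two points from the text above:
  (a) diffusion / avalanche: how many ciphertext bits change when one plaintext bit (or one
      key bit) is flipped, as the number of rounds grows;
  (b) ECB versus CBC on the same block cipher: equal plaintext blocks give equal ECB blocks,
      CBC chains them, and a different IV changes the whole ciphertext.
Added example, not from the slides. The S-box is the first row of DES's S1 table; the P-box,
key schedule, key and sample message are constructed assumptions. Not a real cipher."""
import random

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def sbox_layer(x, box):
    """Apply a 4-bit S-box to each nibble of the 16-bit state."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def pbox(x):
    """Bit 4*i + j moves to bit 4*j + i: output bit j of S-box i feeds S-box j next round, so one
    changed nibble spreads over all four S-boxes. The transpose is its own inverse."""
    out = 0
    for i in range(4):
        for j in range(4):
            out |= ((x >> (4 * i + j)) & 1) << (4 * j + i)
    return out


def round_keys(master, rounds):
    """Assumed schedule: rounds + 1 subkeys, each a rotation of the 16-bit master key."""
    def rotl(v, n):
        return ((v << n) | (v >> (16 - n))) & 0xFFFF if n else v
    return [rotl(master, (4 * r) % 16) for r in range(rounds + 1)]


def encrypt_block(p, keys):
    s = p
    for k in keys[:-1]:
        s = pbox(sbox_layer(s ^ k, SBOX))   # key mixing, substitution, permutation
    return s ^ keys[-1]                      # final key whitening


def decrypt_block(c, keys):
    s = c ^ keys[-1]
    for k in reversed(keys[:-1]):
        s = sbox_layer(pbox(s), INV_SBOX) ^ k
    return s


def avalanche(rounds, flip="plaintext", samples=300, seed=7):
    """(min, mean, max) number of ciphertext bits that change, over `samples` random plaintexts
    and all 16 single-bit flips of the plaintext (diffusion) or of the master key (confusion)."""
    rng = random.Random(seed)                # fixed seed: deterministic constructed sample
    master, counts = 0x3A7C, []
    for _ in range(samples):
        p = rng.getrandbits(16)
        c = encrypt_block(p, round_keys(master, rounds))
        for b in range(16):
            if flip == "plaintext":
                c2 = encrypt_block(p ^ (1 << b), round_keys(master, rounds))
            else:
                c2 = encrypt_block(p, round_keys(master ^ (1 << b), rounds))
            counts.append(bin(c ^ c2).count("1"))
    return min(counts), sum(counts) / len(counts), max(counts)


def ecb_encrypt(blocks, keys):
    return [encrypt_block(b, keys) for b in blocks]


def cbc_encrypt(blocks, keys, iv):
    out, prev = [], iv
    for b in blocks:
        prev = encrypt_block(b ^ prev, keys)  # C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV
        out.append(prev)
    return out


def cbc_decrypt(blocks, keys, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(decrypt_block(c, keys) ^ prev)
        prev = c
    return out


if __name__ == "__main__":
    for r in (1, 2, 4):
        print(f"{r} round(s): plaintext-bit flip (min, mean, max) = {avalanche(r)}")
        print(f"{r} round(s): key-bit flip       (min, mean, max) = {avalanche(r, 'key')}")
    keys = round_keys(0x3A7C, 4)
    msg = [0x4141, 0x4141, 0x4242, 0x4141]    # constructed: blocks 0, 1 and 3 are identical
    print("ECB:", [hex(c) for c in ecb_encrypt(msg, keys)])
    print("CBC:", [hex(c) for c in cbc_encrypt(msg, keys, iv=0x1234)])
```

With one round a single flipped plaintext bit can only reach the one S-box that holds it, so at most 4 ciphertext bits change; with two rounds the P-box has scattered those bits into separate S-boxes and the count at least doubles, and after a few more rounds the mean approaches half the block, which is the Strict Avalanche Criterion in miniature. The ECB output repeats wherever the plaintext does; the CBC output does not, and changing only the IV changes it again.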
• (a) Encryption. (b) Decryption.
• Plaintext blocks: p 1 , p 2 , …
• Key: k
• Basic idea: construct key stream k 1 , k 2 , k 3 , …
• Encryption:
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• The segment size s can be any value from 1 bit up to the block size; a common value is s = 8.
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A ciphertext segment corrupted during transmission affects the current plaintext segment and the next several segments.
• How many plaintext segments will be affected? The corrupted segment enters the shift register and stays there for b/s shifts (b = block size), so the current segment plus the following b/s segments decrypt wrongly: with 64-bit blocks and s = 8, the current byte and the next 8 bytes. After that the register holds only good ciphertext again and decryption resynchronises.
• Plaintext blocks: p 1 , p 2 , …
• Key: k
• Basic idea: construct key stream k 1 , k 2 , k 3 , …
• Encryption:
• Cipher Feedback vs. Output Feedback
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
• Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with the ciphertext.
• A stream cipher. (a) Encryption. (b) Decryption.
• Applications exist in which having a 1-bit transmission error mess up 64 bits of plaintext is too large an effect. For these applications a fourth option, stream cipher mode (output feedback), exists.
• It works by encrypting an initialization vector, using a key, to get an output block.
• The output block is then encrypted, using the key, to get a second output block.
• This block is then encrypted to get a third block, and so on.
• The (arbitrarily large) sequence of output blocks, called the keystream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext.
• Note that the IV is used only on the first step. After that, the output is encrypted.
• Also note that the keystream is independent of the data, so it can be computed
• Plaintext blocks: p 1 , p 2 , p 3 , …
• Key: k
• Basic idea: construct key stream k 1 , k 2 , k 3 , …
• Encryption:
• T_1 = IV (random)
• T_i = IV + i - 1
• C_i = P_i ⊕ E_K(T_i)
• C = (IV, C_1, C_2, C_3, ...)
• Strengths:
• Needs only the encryption algorithm
• Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel and accessed randomly; good for high speed links
• The IV must never be reused with the same key: two messages encrypted with the same counter values share a keystream, and XORing their ciphertexts reveals the XOR of the plaintexts.
• Encryption using counter mode.
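The three keystream modes above (CFB with s = 8, OFB, CTR) need only the forward direction of the block cipher, which makes their failure modes easy to demonstrate. The following added example (not from the slides) answers the questions raised in the text: how far one corrupted ciphertext byte propagates in CFB versus OFB, what a lost OFB segment does, and what a reused CTR IV leaks. It assumes a stand-in keyed PRF (HMAC-SHA-256 truncated to 8 bytes) in place of DES for E_K, since none of these modes ever calls the decryption direction; the key, IV and messages are constructed sample data.

```python
"""CFB (s = 8), OFB and CTR built on only the forward direction of a block cipher, to show
how far a corrupted or lost ciphertext segment propagates in each mode, and what a reused
CTR IV leaks. Added example, not from the slides.
Assumption: E_K is a stand-in keyed PRF (HMAC-SHA-256 truncated to an 8-byte block) rather
than DES; these modes never call the decryption direction, so any keyed pseudorandom block
function shows the same propagation behaviour. KEY, IV and MSG are constructed sample data."""
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, like DES


def E(key, block):
    """Stand-in for the block-cipher encryption E_K(block) (see assumption above)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb8_encrypt(key, iv, pt):
    """CFB with 8-bit segments: keystream byte = first byte of E_K(shift register); the register
    then shifts left one byte and the *ciphertext* byte is appended (that is the feedback)."""
    reg, out = iv, bytearray()
    for p in pt:
        c = E(key, reg)[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key, iv, ct):
    reg, out = iv, bytearray()
    for c in ct:
        out.append(E(key, reg)[0] ^ c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def ofb_crypt(key, iv, data):
    """OFB: keystream block i = E_K(block i-1), starting from the IV. The keystream never
    depends on the data, so the same function encrypts and decrypts."""
    ks, reg = bytearray(), iv
    while len(ks) < len(data):
        reg = E(key, reg)
        ks += reg
    return xor(data, ks)


def ctr_crypt(key, iv, data):
    """CTR: T_i = IV + i - 1 as on the slide, C_i = P_i XOR E_K(T_i); every block is independent."""
    ks, t = bytearray(), int.from_bytes(iv, "big")
    for i in range((len(data) + BLOCK - 1) // BLOCK):
        ks += E(key, ((t + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big"))
    return xor(data, ks)


def damaged(expected, got):
    """Indices at which the decrypted text differs from the original (missing bytes included)."""
    return [i for i in range(len(expected)) if i >= len(got) or expected[i] != got[i]]


KEY = b"constructed-demo-key"
IV = bytes(range(1, BLOCK + 1))
MSG = b"The quick brown fox jumps over the lazy dog"


def cfb_bit_error(pos):
    """One flipped bit in CFB ciphertext byte `pos`: that byte and up to the next BLOCK bytes
    decrypt wrongly, then the register holds only good ciphertext again and decryption resyncs."""
    ct = bytearray(cfb8_encrypt(KEY, IV, MSG))
    ct[pos] ^= 0x01
    return damaged(MSG, cfb8_decrypt(KEY, IV, bytes(ct)))


def ofb_bit_error(pos):
    """The same flipped bit in OFB affects only byte `pos`: the keystream is data-independent."""
    ct = bytearray(ofb_crypt(KEY, IV, MSG))
    ct[pos] ^= 0x01
    return damaged(MSG, ofb_crypt(KEY, IV, bytes(ct)))


def ofb_lost_segment(pos):
    """Drop ciphertext byte `pos` in OFB: every later byte meets the wrong keystream byte, so a
    receiver that does not notice the loss gets garbage from `pos` onwards."""
    ct = bytearray(ofb_crypt(KEY, IV, MSG))
    del ct[pos]
    return damaged(MSG, ofb_crypt(KEY, IV, bytes(ct)))


def ctr_iv_reuse(msg_a, msg_b):
    """Two messages under the same key and IV share a keystream, so C_a XOR C_b = P_a XOR P_b:
    the eavesdropper learns the XOR of the plaintexts without the key."""
    return xor(ctr_crypt(KEY, IV, msg_a), ctr_crypt(KEY, IV, msg_b))


if __name__ == "__main__":
    print("CFB-8, bit error in byte 10, damaged bytes:", cfb_bit_error(10))
    print("OFB,   bit error in byte 10, damaged bytes:", ofb_bit_error(10))
    print("OFB,   byte 10 lost,         damaged bytes:", ofb_lost_segment(10))
    print("CTR IV reuse leaks P_a XOR P_b:", ctr_iv_reuse(b"attack at dawn", b"attack at dusk"))
```

The CFB run shows the damage confined to byte 10 and the eight bytes after it, exactly the b/s + 1 segments derived above; the OFB bit error touches one byte only, while the OFB loss corrupts everything that follows. The CTR result is the XOR of the two plaintexts, which is why the counter start value must be unique per key.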
• Some common symmetric-key cryptographic algorithms.
• Public-key (or two-key ) cryptography involves the use of two keys:
• A public-key , which may be known by anybody, and can be used to encrypt messages , and verify signatures
• A private-key , known only to the recipient, used to decrypt messages , and sign (create) signatures
• In a Public Key system when Alice sends email to Bob, she finds his public key (possibly in a directory of some sort) and encrypts her message using that key.
• Unlike secret-key cryptography, though, the key used to encrypt will not decrypt the ciphertext. Knowledge of Bob’s public key will not help an eavesdropper.
• To decrypt, Bob uses his private key. If Bob wants to respond to Alice, he will encrypt his message using her public key.
• Trudy (from Intruder) tries to disrupt the communication between Alice and Bob
• The public-key is easily computed from the private key and other information about the cipher
• However, knowing the public-key and public description of the cipher, it is still computationally infeasible to compute the private key
• Thus the public-key may be distributed to anyone wishing to communicate securely with its owner (although secure distribution of the public-key is a non-trivial problem - the key distribution problem)
• RSA
• Other Public-Key Algorithms
• First choose two large prime numbers, p and q, and find their product , n . n is also called modulus in RSA jargon.
• Compute z = (p-1)(q-1)
• Next choose a number e, relatively prime to z = (p-1)(q-1) - this is the encryption key.
• Finally compute d such that the product of e and d is congruent to 1 mod ((p-1)(q-1)) . This is the decryption key.
• Obviously, d can only be recovered if you reveal p and q , or if p and q are recovered from n, the modulus. Since we are assuming the factorization of n to be too hard to attempt, d cannot be recovered from e . Or so it is currently speculated. It has not, so far, been proven.
• Now e and n together form the public key, while d and n together form the private key.
•
• Select primes: p = 17 & q = 11
• Compute n = pq = 17 × 11 = 187
• Compute φ(n) = (p – 1)(q – 1) = 16 × 10 = 160
• Select e: gcd(e, 160) = 1; choose e = 7
• Determine d: d·e ≡ 1 mod 160 and d < 160. The value is d = 23, since 23 × 7 = 161 = 10 × 16 + 1
• Publish public key KU = {7, 187}
• Keep secret private key KR = {23, 17, 11}
• Sample RSA encryption/decryption is:
• given message M = 88 (nb. 88 < 187)
• encryption:
• C = 88^7 mod 187 = 11
• decryption:
• M = 11^23 mod 187 = 88
• Select two primes: p = 3 and q = 11
• Compute n = p × q = 33 -- this is the modulus
• Compute z = (p – 1) × (q – 1) = 20 -- this is Euler's totient function φ(n). There are 20 numbers below 33 relatively prime to 33. What are they? 1, 2, 4, 5, 7, 8, 10, 13, 14, 16, 17, 19, 20, 23, 25, 26, 28, 29, 31, 32
• Choose a number relatively prime to z and call it d. Here, d = 7, because 7 and 20 have no common factor but 1
• Find e such that e × d ≡ 1 mod z.
• 7e ≡ 1 mod 20
• e = 3 (since 7 × 3 = 21 = 20 + 1)
• C = P^e (mod n) to generate the ciphertext - Encryption
• P = C^d (mod n) to get the plaintext back - Decryption
• The best known public key cryptosystem is RSA - named after its authors, Rivest, Shamir and Adleman
• RSA is a public-key cryptosystem that MIT professors Ronald L. Rivest, Adi Shamir and Leonard M. Adleman invented in 1977.
• The system is based on several mathematical principles in number theory .
• Public key crypto-systems were developed from some very subtle insights about the mathematics of large numbers and how they relate to the power of computers.
• Public Key Encryption works because of what is known in math as a trapdoor problem .
• A trapdoor is a mathematical formula that is easy to work forward but very hard to work backward .
• The challenge of public-key cryptography is developing a system in which it is impossible (or at least intractable) to deduce the private key from the public key .
• This can be accomplished by utilizing a one-way function . With a one-way function, given some input values, it is relatively simple to compute a result. But if you start with the result, it is extremely difficult to compute the original input values.
• In mathematical terms, given x, computing f(x) is easy, but given f(x), it is extremely difficult to determine x .
• It turns out that multiplication can be a one-way function.
• In general it is easy (especially on computers) to multiply two big prime numbers .
• But for most very large numbers, it is extremely time-consuming to factor them .
• Public key algorithms depend on a person publishing a large public key and others being unable to factor this public key into its component parts.
• Because the creator of the key knows the factors of his or her large number, he or she can use those factors to decode messages created by others using his or her public key.
• Those who only know the public key will be unable to discover the private key , because of the difficulty of factoring the large number.
• A prime number , or prime, is a number that is evenly divisible by only 1 and itself.
• For instance 10 is not prime because it is evenly divisible by 1, 2, 5 and 10. But 11 is prime, since only 1 and 11 evenly divide it.
• The numbers that evenly divide another number are called factors . The process of finding the factors of a number is called factoring .
• For example, factoring 15 is simple, it is 3 * 5. But what about 6,320,491,217?
• Now how about a 155-digit number? Or 200 digits or more? In short, factoring numbers takes a certain number of steps, and the number of steps increases subexponentially as the size of the number increases .
• That means even on supercomputers, if a number is sufficiently large, the time to execute all the steps to factor it would be so great that it could take years to compute .
• Modular math means that the only numbers under consideration are the non-negative integers less than the modulus.
• So for mod n , only the integers from 0 to (n - 1) are valid operands and results of operations will always be numbers from 0 to ( n - 1).
• Think of military time where the modulus is 2400. For instance, 2200 plus 400 (10:00 PM plus 4 hours) is not 2600. Once you reach 2400, you start over at 0. Hence, 2200 + 400 mod 2400 is 2600 - 2400 = 0200, or 2:00 in the morning. Likewise, if we start at 0, or midnight, 6 times 500 (say six 5-hour shifts) is not 3000, but 0600, or 6:00 AM the following day.
• a = b mod (m) means that when a is divided by m the remainder is b .
• Examples:
• 11 ≡ 1 (mod 5), i.e. 11 divided by 5 leaves remainder 1
• 20 ≡ 2 (mod 6), i.e. 20 divided by 6 leaves remainder 2
• Prime numbers possess various useful properties when used in modular math.
• The RSA algorithm takes advantage of these properties.
• Another aspect of modular math is the concept of a modular inverse .
• Two numbers are the modular inverses of each other if their product equals 1 modulo the modulus.
• For instance, 7 * 343 = 2401, but if our modulus is 2400, the result is:
• (7 * 343) mod 2400 = 2401 – 2400 = 1 mod 2400
• Two numbers are relatively prime if they share only one factor, namely 1.
• For example, 10 and 21 are relatively prime. Neither is prime, but the numbers that evenly divide 10 are 1, 2, 5 and 10, whereas the numbers that evenly divide 21 are 1, 3, 7 and 21.
• The only number in both lists is 1, so the numbers are relatively prime.
• In the eighteenth century, the mathematician Leonhard Euler (pronounced "Oiler") described φ(n) as the number of numbers less than n that are relatively prime to n.
• The character φ is the Greek letter "phi" (in math circles it rhymes with "tea," in the academic organization Phi Beta Kappa it rhymes with "tie"). This is known as Euler's phi-function.
• So φ(6), for instance, is 2, since of all the numbers less than 6 (1, 2, 3, 4 and 5), only two of them (1 and 5) are relatively prime with 6. The numbers 2 and 4 share with 6 a common factor other than 1, namely 2. And 3 and 6 share 3 as a common factor.
• What about φ(7)? Because 7 is prime, its only factors are 1 and 7. Hence, any number less than 7 can share with 7 only 1 as a common factor. Without even examining those numbers less than 7, we know they are all relatively prime with 7. Since there are 6 numbers less than 7, φ(7) = 6. Clearly this result extends to all prime numbers.
• Namely, if p is prime, φ(p) = p ‑ 1.
• Exponentiation is taking numbers to powers, such as 2^3, which is 2 * 2 * 2 = 8. In this example, 2 is known as the base and 3 is the exponent.
• There are some useful algebraic identities in exponentiation.
• (b^x) * (b^y) = b^(x + y)
• (b^x)^y = b^(xy)
• Euler noticed that φ(n) was the "exponential period" modulo n for numbers relatively prime with n.
• What that means is that for any number a < n, if a is relatively prime with n, a^φ(n) mod n = 1.
• So if you multiply a by itself φ(n) times, then reduce modulo n, the result is 1. Then if you multiply by a one more time, you are finding the product 1 * a, which is a, so you are starting over again.
• Hence, a^φ(n) * a = a^(φ(n)+1) = a mod n.
• For example, if n is 5 (a prime number), then φ(5) = 4. Let a be 3 and compute
• a^φ(n) mod n = 3^4 mod 5 = 3 * 3 * 3 * 3 mod 5 = 81 mod 5 = 1, since 81 = 16 * 5 + 1.
• We can take advantage of this fact in the following way. Take a number m, and raise it to some power e modulo p,
• c = m^e mod p
• Now take the result of that exponentiation, c, and raise it to some other power d,
• c^d mod p
• That is equivalent to
• (m^e)^d mod p
• which is equivalent to
• m^(ed) mod p
• How is that useful?
• Suppose someone gave you c, e and p and said, "I computed c = m^e mod p. Find d such that c^d mod p = 1." You would simply find d such that e * d = φ(p). Because then
• c^d mod p = (m^e)^d = m^(ed) = m^φ(p) = 1 mod p
• But now suppose someone gave you c, e and p and said, "I computed c = m^e mod p. I want you to find d such that c^d mod p = m." You would need to find d such that e * d = φ(p) + 1. Because then
• c^d mod p = (m^e)^d = m^(ed) = m^(φ(p)+1) = m mod p
• For example, let c = 4, e = 3 and p = 11.
• To find m, determine d such that 3d = φ(11) + 1.
• Since 11 is prime, φ(11) = 10.
• So find d where 3d = 11.
• But wait, because we are dealing with integers only, there is no d that will satisfy the equation 3d = 11. Note that 3 * 3 = 9 and 3 * 4 = 12.
• We can make it work with modular math. φ(p) + 1 is 1 mod φ(p). Remember, when we reach the modulus, we start over at 0. Hence,
• (φ(p) + 1) mod φ(p) = (φ(p) + 1) ‑ φ(p) = 1 mod φ(p)
• So what you want to find is d such that e * d = 1 mod φ(p). Remember, this is known as the modular inverse. (Here 3 * 7 = 21 = 1 mod 10, so d = 7 and m = 4^7 mod 11 = 5; check: 5^3 = 125 = 4 mod 11.)
• Could this be our public-key cryptosystem? Find a prime, p, pick a public exponent, e, and make those two values public.
• Using the extended Euclidean algorithm, determine d, the inverse of the public exponent modulo φ(p) = (p ‑ 1).
• Keep d private. When people want to send you a message m, they can encrypt and produce ciphertext c by computing c = m^e mod p.
• To recover the plaintext message, you compute m = c^d mod p.
• There is, of course, one reason this could not be a useful system. Our private key is the inverse of e modulo (p ‑ 1). Since p is public, anyone can compute (p ‑ 1) and therefore determine d.
• The RSA algorithm solves that problem by using an important property of Euler's phi-function. It is "multiplicative": if p and q are relatively prime, then φ(pq) = φ(p)φ(q). Hence, for distinct primes p and q and n = pq,
• φ(n) = (p ‑ 1)(q ‑ 1).
• Previously we chose a prime number p to be the modulus. Now, instead, we find two large primes, p and q , and use their product
• n  =  pq
• as the modulus. We still choose a public exponent, e, and using the extended Euclidean algorithm find d, the inverse of e modulo φ(n). This time, however, we are finding the d that satisfies
• e * d = 1 mod (p ‑ 1)(q ‑ 1)
• The pair ( n ,  e ) is the public key and d is the private key. The primes p and q must be kept secret or destroyed.
• To compute ciphertext c from a plaintext message m , find
• c  =  m e  mod  n
• To recover the original message, compute
• m  =  c d  mod  n
• Only the entity that knows d can decrypt.
• Because of the relationship between d and e , the algorithm correctly recovers the original message m , since
• c^d mod n = (m^e)^d = m^(ed) = m^(1 + kφ(n)) = m * (m^φ(n))^k = m * 1^k = m mod n, because e * d = 1 mod φ(n) means e * d = 1 + kφ(n) for some integer k, and m^φ(n) = 1 mod n by Euler's theorem. (The identity in fact holds for every m in 0..n-1, not only those relatively prime to n, because n is a product of distinct primes.)
• Anyone else who wants to compute d must first know φ(n), but to know φ(n) one must know p and q.
• In other words, they must factor n . Remember the one-way function? We knew that multiplying big prime numbers can be a one-way function, we simply needed to figure out a way to use that fact.
• Here it is, build the private key using two primes and the public key using their product.
• There is one more condition, the public exponent e must be relatively prime with ( p  ‑ 1)( q  ‑ 1). That is because if e is not relatively prime with ( p  ‑ 1)( q  ‑ 1), there will be no modular inverse.
• Incidentally, in practice you would generally pick e , the public exponent first, then find the primes p and q such that e is relatively prime with ( p  ‑ 1)( q  ‑ 1). There is no mathematical requirement to do so, it simply makes key pair generation a little easier.
• In fact, the two most popular e's in use today are F0 = 3 and F4 = 65,537. The F in F0 and F4 stands for Pierre de Fermat, the 17th century mathematician who first described the special properties of these and other interesting numbers. Both are primes with only two 1-bits, so public-key operations need very few multiplications; e = 3 is only safe with proper padding, and 65,537 is the usual choice today.
• Three important uses of public-key algorithms:
• Public-Key Distribution Schemes (PKDS) - where the scheme is used to securely exchange a single piece of information (whose value depends on the two parties, but cannot be set).
• This value is normally used as a session key for a private-key scheme
• Signature Schemes - used to create a digital signature only, where the private-key signs (create) signatures, and the public-key verifies signatures
• Public Key Schemes (PKS) - used for encryption, where the public-key encrypts messages, and the private-key decrypts messages.
• Any public-key scheme can be used as a PKDS, just by selecting a message which is the required session key
• Many public-key schemes are also signature schemes (provided encryption and decryption can be done in either order)
• To use the scheme, first generate keys:
• Key-Generation by each user consists of:
• selecting two large primes at random (~100 digit), p, q
• calculating the system modulus n=p.q and p, q are primes
• selecting at random the encryption key e,
• e < n, gcd(e, φ(n)) = 1
• Solving the congruence to find the decryption key d:
• e·d ≡ 1 mod φ(n), 0 <= d <= n
• Publishing the public encryption key: Kpub={e,n}
• Securing the private decryption key: Kpvt={d,p,q}
• To encrypt a plaintext message block m, compute
• C=M e mod n
• To decrypt the block, compute
• M=C d mod n
• Each plaintext block must be smaller than the value of n.
• Generally D_KPvt(E_KPub(P)) = P
• RSA also has the property D_KPub(E_KPvt(P)) = P
• Since text can also be "encrypted" with K_Pvt and "decrypted" with K_Pub, RSA can be used for signatures: a block of data is transformed with the private key, and anyone can undo the transformation with the public key to confirm that the holder of the private key really did sign that data.
• However, simply applying the private-key operation to the plaintext document is not only inefficient (producing a signature as large as the document) but also insecure. Bruce Schneier describes a possible attack in this situation in Applied Cryptography: because RSA is multiplicative, the signatures on two messages can be multiplied to give a valid signature on their product, so an attacker can forge signatures on new messages without the private key. It is therefore important to apply a one-way hash function to the document before signing, and to sign the hash.
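The following added example (not from the slides) runs the RSA material above end to end on the slides' own toy parameters (p = 17, q = 11, e = 7 and p = 3, q = 11, e = 3): Euler's phi-function and theorem, the extended Euclidean algorithm for d, square-and-multiply exponentiation, the broken single-prime variant from the derivation, and the multiplicative forgery against "encrypt with the private key" signatures just described. Everything is textbook RSA with no padding or hashing, which is precisely what makes the weaknesses visible; the message values and the forged pair are constructed.

```python
"""Textbook RSA on the slides' toy parameters, covering the derivation above: Euler's phi and
theorem, extended Euclid for d = e^-1 mod phi(n), square-and-multiply, why the single-prime
variant is broken, and why 'encrypting with the private key' without a hash is unsafe.
Added example, not from the slides. Toy sizes only: real keys need large primes and padding
(OAEP / PSS), which this code deliberately omits."""
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (not relatively prime)")
    return x % m


def modpow(base, exp, mod):
    """Right-to-left square-and-multiply with a reduction after every product."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def coprimes(n):
    """The residues counted by Euler's phi(n); for n = 33 this is the slide's list of 20."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (n, e), (n, modinv(e, phi))          # public (n, e), private (n, d)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must be smaller than n")
    return modpow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return modpow(c, d, n)


def sign_raw(priv, m):
    """Textbook signature: apply the private-key operation to the message itself. Unsafe."""
    return decrypt(priv, m)


def verify_raw(pub, m, sig):
    return encrypt(pub, sig) == m


def forge_raw_signature(pub, m_a, sig_a, m_b, sig_b):
    """RSA is multiplicative: (sig_a * sig_b)^e = m_a * m_b (mod n). From two genuine raw
    signatures anyone can produce a valid signature on m_a * m_b mod n without d. Hashing the
    message first denies the attacker control over what actually gets signed."""
    n, _ = pub
    return (m_a * m_b) % n, (sig_a * sig_b) % n


def break_single_prime_variant(p, e):
    """The flawed scheme from the derivation: with a prime modulus, phi(p) = p - 1 is public,
    so anyone can compute the 'private' exponent."""
    return modinv(e, p - 1)


if __name__ == "__main__":
    pub, priv = keygen(17, 11, 7)
    print("keys:", pub, priv)                        # ((187, 7), (187, 23))
    c = encrypt(pub, 88)
    print("88 ->", c, "->", decrypt(priv, c))        # 88 -> 11 -> 88
    m_f, s_f = forge_raw_signature(pub, 2, sign_raw(priv, 2), 3, sign_raw(priv, 3))
    print("forged signature on", m_f, "verifies:", verify_raw(pub, m_f, s_f))
    d = break_single_prime_variant(11, 3)
    print("single-prime variant: d =", d, "recovers m =", modpow(4, d, 11))   # d = 7, m = 5
```

The forgery needs no private key at all: two legitimate signatures on 2 and 3 multiply into a signature on 6 that verifies. The single-prime call reproduces the c = 4, e = 3, p = 11 example from the derivation, recovering d = 7 and m = 5 from public data alone, which is exactly why the modulus must be a product of secret primes.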
• RSA (Rivest-Shamir-Adleman) is the most commonly used public key algorithm.
• Can be used both for encryption and for digitally signing.
• It is generally considered to be secure when sufficiently long keys are used. The guidance in these slides (512 bits is insecure, 768 bits is moderately secure, and 1024 bits is good, for now) dates from the late 1990s: 768-bit moduli have since been factored, 1024-bit keys are no longer considered adequate, and 2048 bits is the accepted minimum today.
• The security of RSA relies on the difficulty of factoring large integers. Dramatic advances in factoring large integers would make RSA vulnerable.
• RSA is currently the most important public key algorithm. It was patented in the United States (the patent expired in September 2000) and free elsewhere.
• At present, 512 bit keys are considered weak, 1024 bit keys are probably secure enough for most purposes, and 2048 bit keys are likely to remain secure for decades (again a late-1990s assessment; see above).
• One should know that textbook RSA, used without randomized padding, is deterministic and malleable: an attacker can encrypt guessed plaintexts and compare them with a captured ciphertext, and chosen-ciphertext attacks exploit its multiplicative property. There is also a timing attack (Kocher, 1996) that breaks many implementations of RSA by measuring how long private-key operations take. The RSA algorithm is believed to be safe when used properly (with padding such as OAEP and constant-time implementations), but one must be very careful when using it to avoid these attacks.
• The security of the RSA cryptosystem therefore depends on the fact, that it is practically impossible to factor the large known modulus n . So nobody can infer the two primes p and q from his or her knowledge of the publicly known modulus to gain the secret key.
• 70 -digit numbers will be factored today (1998) on a workstation within 10 hours .
• 100 -digit numbers will be factored on a workstation within 1 year .
• 129 -digit numbers :
• In August 1977 Martin Gardner asked the readers of Scientific American to factor 114 381 625 757 888 867 669 235 779 967 146 612 010 218 296 721 242 362 562 561 842 935 706 935 245 733 897 830 597 123 563 958 705 058 989 075 147 599 290 026 879 543 541 .
• Some 16 years later, in April 1994 the factors were presented by Paul Leyland (University of Oxford), Michael Graff (University of Iowa) and Derek Atkins (MIT). They had been supported by over 600 volunteers running a computer program written by Arjen K. Lenstra (Bellcore, Morristown, New Jersey) on their workstations at night, sharing the work of factoring over the Internet.
• 140-digit numbers were the smallest numbers not yet factored in 1996.
• They were expected to be factored within about 5 years using large-scale networking.
• 160-digit numbers:
• In 1996 experts expected factoring to be possible within about 5 years using a newer method of factoring known as the number field sieve.
• 200-digit numbers:
• The time for factoring was estimated at 52 000 000 years in 1998.
• These estimates were overtaken by events: a 155-digit (512-bit) modulus was factored in 1999, a 232-digit (768-bit) modulus in 2009, and a 250-digit (829-bit) modulus in 2020, all with the number field sieve.
• The two primes, p and q , which compose the modulus, should be of roughly equal length; this will make the modulus harder to factor than if one of the primes was very small. Thus if one chooses to use a 768-bit modulus, the primes should each have length approximately 384 bits. If the two primes are extremely close (identical except for, say, 100 - 200 bits), there is a potential security risk, but the probability that two randomly chosen primes are so close is negligible.
• As Euclid proved over two thousand years ago, there are infinitely many prime numbers. Because RSA is generally implemented with a fixed key length, however, the number of primes available to a user of the algorithm is effectively finite. Although finite, this number is nonetheless very large. The Prime Number Theorem states that the number of primes less than or equal to n is asymptotic to n/ln n. Hence, the number of prime numbers of length 512 bits or less is roughly 10^150. This is greater than the number of atoms in the known universe.
• In practice, RSA is often used together with a secret-key cryptosystem, such as DES, to encrypt a message by means of an RSA digital envelope.
• Suppose Alice wishes to send an encrypted message to Bob. She first encrypts the message with DES, using a randomly chosen DES key. Then she looks up Bob's public key and uses it to encrypt the DES key. The DES-encrypted message and the RSA-encrypted DES key together form the RSA digital envelope and are sent to Bob. Upon receiving the digital envelope, Bob decrypts the DES key with his private key, then uses the DES key to decrypt the message itself. This combines the high speed of DES with the key-management convenience of RSA.
• RSA is part of many official standards worldwide. The ISO (International Organization for Standardization) 9796 standard lists RSA as a compatible cryptographic algorithm, as does the ITU-T X.509 security standard. RSA is part of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) standard, the French financial industry's ETEBAC 5 standard, the ANSI X9.31 rDSA standard and the X9.44 draft standard for the U.S. banking industry. The Australian key management standard, AS2805.6.5.3, also specifies RSA.
• RSA is found in Internet standards and proposed protocols including S/MIME, IPsec, and TLS, the Internet standards-track successor to SSL, as well as the PKCS standards for the software industry. The OSI Implementers' Workshop (OIW) has issued implementers' agreements referring to PKCS, which includes RSA.
• A number of other standards are currently being developed and will be announced over the next few years; many are expected to include RSA as either an endorsed or a recommended system for privacy and/or authentication. A comprehensive survey of cryptography standards can be found in publications by Kaliski [ Kal93b ] and Ford [ For94 ].
• RSA is currently used in a wide variety of products, platforms, and industries around the world. It is found in many commercial software products and is planned to be in many more. RSA is built into current operating systems by Microsoft, Apple, Sun, and Novell. In hardware, RSA can be found in secure telephones, on Ethernet network cards, and on smart cards. In addition, RSA is incorporated into all of the major protocols for secure Internet communications, including S/MIME, SSL and S/WAN. It is also used internally in many institutions, including branches of the U.S. government, major corporations, national laboratories, and universities.
• RSA technology is licensed by more than 350 companies. The estimated installed base of RSA encryption engines is around 300 million, making it by far the most widely used public-key cryptosystem in the world. This figure is expected to grow rapidly as the Internet and the World Wide Web expand.
• An "RSA operation," whether encrypting, decrypting, signing, or verifying, is essentially a modular exponentiation. This computation is performed by a series of modular multiplications.
• In practical applications, it is common to choose a small public exponent for the public key. In fact, entire groups of users can use the same public exponent, each with a different modulus. (There are some restrictions on the prime factors of the modulus when the public exponent is fixed.) This makes encryption faster than decryption and verification faster than signing.
• With the typical modular exponentiation algorithms used to implement RSA, public-key operations take O(k^2) steps, private-key operations take O(k^3) steps, and key generation takes O(k^4) steps, where k is the number of bits in the modulus. "Fast multiplication" techniques, such as FFT-based methods, require asymptotically fewer steps. In practice, however, they are not as common, due to their greater software complexity and the fact that they may actually be slower for typical key sizes.
• The speed and efficiency of the many commercially available software and hardware implementations of RSA are increasing rapidly. On a 90 MHz Pentium, one software implementation has a throughput for private-key operations of 21.6 kbits per second with a 512-bit modulus and 7.4 kbits per second with a 1024-bit modulus. The fastest RSA hardware has a throughput greater than 300 kbits per second with a 512-bit modulus, implying that it performs over 500 RSA private-key operations per second (there is room in that hardware to execute two 512-bit RSA operations in parallel, hence the 600 kbits/s speed reported in [SV93]; for 970-bit keys, the throughput is 185 kbits/s). It is expected that RSA speeds will reach 1 Mbit/s in late 1999.
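Added example, not from the slides: the square-and-multiply modular exponentiation that every RSA operation reduces to, counting modular multiplications so the cost of a small public exponent versus a full-size private exponent can be compared. The toy primes, exponent and message are constructed for the demo.

```python
def modexp(base: int, exp: int, mod: int):
    """Left-to-right square-and-multiply.

    Returns (base**exp mod mod, number of modular multiplications used):
    one squaring per exponent bit plus one multiply per set bit.
    """
    result, mults = 1, 0
    for bit in bin(exp)[2:]:                  # scan exponent bits, most significant first
        result = (result * result) % mod      # square for every bit
        mults += 1
        if bit == "1":                        # multiply only where the bit is set
            result = (result * base) % mod
            mults += 1
    return result, mults


def rsa_cost_demo():
    """Encrypt with a small public exponent and decrypt with the full private one.

    Constructed toy key: p and q are small primes so the demo runs instantly;
    the bit-count argument is the same for real 1024-bit moduli.
    Returns (multiplications for e, multiplications for d, bit length of d).
    """
    p, q, e = 1000003, 999983, 65537          # e = 2^16 + 1 has only two set bits
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    m = 123456789                             # constructed message, m < n
    c, enc_mults = modexp(m, e, n)            # "encrypt" / "verify" cost
    m2, dec_mults = modexp(c, d, n)           # "decrypt" / "sign" cost
    assert m2 == m                            # RSA round trip
    return enc_mults, dec_mults, d.bit_length()
```

With e = 65537 the public operation always costs 17 squarings and 2 multiplies, while the private exponent d is as long as the modulus and costs a multiplication for most of its bits; this is the asymmetry the bullet above describes.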
• By comparison, DES and other block ciphers are much faster than RSA. In software, DES is generally at least 100 times as fast as RSA.
• In hardware, DES is between 1,000 and 10,000 times as fast, depending on the implementation.
• Implementations of RSA will probably narrow the gap a bit in coming years, due to high demand, but DES will get faster as well.
• An example of the RSA algorithm.
• Symmetric-Key Signatures
• Public-Key Signatures
• Message Digests
• The Birthday Attack
• A hash is also called a message digest
• One-way function: d = h(m), but there is no inverse h^-1 with h^-1(d) = m
• Cannot find the message given a digest
• Cannot find m_1, m_2 with d_1 = d_2, i.e. h(m_1) = h(m_2)
• Arbitrary-length message to fixed-length digest
• Randomness
• any output bit is '1' half the time
• each output: about 50% '1' bits
• How many people do you need so that the probability of two of them sharing the same birthday is > 50%?
• Random sample of n birthdays (inputs) drawn from k possible values (k = 365, the outputs)
• k^n total number of possibilities
• (k)_n = k(k-1)…(k-n+1) possibilities without a duplicate birthday
• Probability of no repetition:
• p = (k)_n / k^n ≈ 1 - n(n-1)/(2k)
• For k=366, minimum n = 23
• n(n-1)/2 pairs, each pair has a probability 1/k of having the same output
• n(n-1)/(2k) > 50% ⇒ n > k^(1/2)
• m-bit digest: takes about 2^(m/2) messages to find two with the same hash
• 64 bits: takes 2^32 messages to search (doable)
• Need at least 128 bits
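Added example (not part of the original slides): the exact no-repetition probability (k)_n / k^n and the 1 - n(n-1)/(2k) approximation above, the search for the smallest n that crosses 50%, and a small collision search on a constructed 16-bit truncated digest that shows the 2^(m/2) work factor.

```python
import hashlib


def p_no_collision(n: int, k: int = 365) -> float:
    """Exact probability that n values drawn uniformly from k are all distinct: (k)_n / k^n."""
    p = 1.0
    for i in range(n):
        p *= (k - i) / k
    return p


def p_no_collision_approx(n: int, k: int = 365) -> float:
    """The slide's first-order approximation 1 - n(n-1)/(2k); it is a lower bound on the exact value."""
    return 1 - n * (n - 1) / (2 * k)


def min_samples_for_collision(k: int, threshold: float = 0.5) -> int:
    """Smallest n for which P(some pair collides) exceeds the threshold; grows like sqrt(k)."""
    p, n = 1.0, 0
    while 1 - p <= threshold:
        p *= (k - n) / k      # extend (k)_n / k^n by one more sample
        n += 1
    return n


def trunc_hash(i: int, bits: int) -> int:
    """Constructed m-bit 'digest': the top `bits` bits of SHA-256 over the decimal string of i."""
    return int.from_bytes(hashlib.sha256(str(i).encode()).digest(), "big") >> (256 - bits)


def find_truncated_collision(bits: int):
    """Hash 0, 1, 2, ... until two inputs share a digest; returns (trials, i, j).

    For an m-bit digest the number of trials is about 2^(m/2), not 2^m:
    every new digest is compared against all earlier ones, so pairs grow quadratically.
    """
    seen = {}
    i = 0
    while True:
        h = trunc_hash(i, bits)
        if h in seen:
            return i + 1, seen[h], i
        seen[h] = i
        i += 1
```

For bits=16 the search typically ends after a few hundred hashes (2^8 = 256 is the birthday bound), whereas inverting one specific 16-bit digest would need about 2^16 trials.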
• Alice to Bob: challenge r_A
• Bob to Alice: MD(K_AB | r_A)
• Bob to Alice: r_B
• Alice to Bob: MD(K_AB | r_B)
• Only need to compare MD results
• One-time pad with K_AB
• Compute bit streams using MD and K
• b_1 = MD(K_AB), b_i = MD(K_AB | b_(i-1)), …
• ⊕ (XOR) with message blocks
• Add a random 64-bit number (aka IV): b_1 = MD(K_AB | IV), b_i = MD(K_AB | b_(i-1)), …
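Added example, not from the slides: the hash-driven keystream above with and without the IV, using MD5 as the slide's MD. The key, messages and IVs are constructed; keystream_reuse_leak shows the property the IV is there to remove.

```python
import hashlib


def keystream(key: bytes, nbytes: int, iv: bytes = b"") -> bytes:
    """b_1 = MD(K | IV), b_i = MD(K | b_(i-1)), concatenated and cut to nbytes.

    With iv=b"" this is the slide's first, IV-less variant: the stream then
    depends on the key alone, so every message under K gets the same stream.
    """
    out, prev = b"", iv
    while len(out) < nbytes:
        prev = hashlib.md5(key + prev).digest()   # 16-byte block per step
        out += prev
    return out[:nbytes]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, message: bytes, iv: bytes = b"") -> bytes:
    """XOR the message with the keystream; decryption is the same call with the same IV."""
    return xor_bytes(message, keystream(key, len(message), iv))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bool:
    """True if c1 XOR c2 == m1 XOR m2, i.e. the two ciphertexts cancel the keystream.

    Without an IV this always holds, which is why a fresh random IV is
    prepended per message in the slide's second variant.
    """
    c1, c2 = encrypt(key, m1), encrypt(key, m2)
    n = min(len(m1), len(m2))
    return xor_bytes(c1, c2)[:n] == xor_bytes(m1, m2)[:n]
```

The IV must travel with the ciphertext (it is not secret), and it must not repeat under the same key; a 64-bit random value, as the slide suggests, is enough for the keystreams of different messages to start from different b_1.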
• Iterative compression function
• If each f is collision-resistant, so is the resulting hash function
• (figure: the message is the input, a 128-bit digest is the output)
• Until recently the most widely used hash algorithm
• In recent times there have been both brute-force and cryptanalytic concerns
• Specified as Internet standard RFC1321
• Pad message so its length is 448 mod 512
• Append a 64-bit original length value to message
• Initialise 4-word (128-bit) MD buffer (A,B,C,D)
• Process message in 16-word (512-bit) blocks:
• Using 4 rounds, each of 16 steps of bitwise operations on the message block and buffer
• Add output to buffer input to form new buffer value
• Output hash value is the final buffer value
• Given the original message M, add padding bits "1 0*" such that the resulting length is 64 bits less than a multiple of 512 bits.
• Append (original length in bits mod 2^64), represented in 64 bits, to the padded message
• The final message is chopped into 512-bit blocks
• As many stages as the number of 512-bit blocks in the final padded message
• Digest: 4 32-bit words: MD=A|B|C|D
• Every message block contains 16 32-bit words: m_0 | m_1 | m_2 … | m_15
• Digest MD_0 initialized to: A=01234567, B=89abcdef, C=fedcba98, D=76543210
• Every stage consists of 4 passes over the message block, each modifying MD
• Each block 4 rounds, each round 16 steps
• ABCD = f_F(ABCD, m_i, T[1..16])
• ABCD = f_G(ABCD, m_i, T[17..32])
• ABCD = f_H(ABCD, m_i, T[33..48])
• ABCD = f_I(ABCD, m_i, T[49..64])
• (figure: message block m_i feeds the four passes; their outputs are added to A, B, C, D to turn MD_i into MD_(i+1))
• Each step t (0 <= t <= 79):
• Input:
• m_t – a 32-bit word from the message
• With a different shift every round
• T_t – int(2^32 · |sin(i)|), 0 < i < 65 (i in radians)
• Provides a randomized set of 32-bit patterns, which eliminate any regularities in the input data
• ABCD: current MD
• Output:
• ABCD: new MD
• Each round has 16 steps of the form:
• a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s)
• a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
• note this updates 1 word only of the buffer
• after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
• F(x,y,z) = (x ∧ y) ∨ (¬x ∧ z)
• selection function
• G(x,y,z) = (x ∧ z) ∨ (y ∧ ¬z)
• H(x,y,z) = x ⊕ y ⊕ z
• I(x,y,z) = y ⊕ (x ∨ ¬z)
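Added example, not from the slides: a compact MD5 that follows the padding, the T table and the step formula a = b + ((a + g(b,c,d) + X[k] + T[i]) <<< s) described above; the shift table S and the per-round word indices k are the ones in RFC 1321.

```python
import math
import struct

MASK = 0xFFFFFFFF
# Per-step left-rotation amounts s, one group of four per round (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# T[i] = int(2^32 * |sin(i+1)|): the slide's "randomized" additive constants.
T = [int(2 ** 32 * abs(math.sin(i + 1))) & MASK for i in range(64)]


def rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK


def md5_pad(msg: bytes) -> bytes:
    """Append a '1' bit, zeros up to 448 mod 512, then the 64-bit length (little-endian)."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF          # length mod 2^64
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5(msg: bytes) -> str:
    # Initial buffer as 32-bit words; stored little-endian these are the byte
    # strings 01234567 89abcdef fedcba98 76543210 shown on the slide.
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(msg)
    for off in range(0, len(padded), 64):                   # one stage per 512-bit block
        X = struct.unpack("<16I", padded[off:off + 64])     # the 16 message words m_0..m_15
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):                                 # 4 rounds x 16 steps
            if i < 16:   g, k = (B & C) | (~B & D), i                  # F, selection function
            elif i < 32: g, k = (D & B) | (~D & C), (5 * i + 1) % 16   # G
            elif i < 48: g, k = B ^ C ^ D, (3 * i + 5) % 16            # H
            else:        g, k = C ^ (B | ~D), (7 * i) % 16             # I
            # One step updates a single word; the roles then rotate so each word is touched 4 times.
            new_b = (B + rotl((A + (g & MASK) + X[k] + T[i]) & MASK, S[i])) & MASK
            A, B, C, D = D, new_b, B, C
        # Add the round output to the buffer input to form the new buffer value.
        a0, b0, c0, d0 = (a0 + A) & MASK, (b0 + B) & MASK, (c0 + C) & MASK, (d0 + D) & MASK
    return struct.pack("<4I", a0, b0, c0, d0).hex()         # final buffer value is the digest
```

MD5 is shown here only because it is the algorithm the slides describe; collisions for it are practical today, and new designs should use the SHA-2 family the later slides introduce.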
• Developed by NIST, specified in the Secure Hash Standard (SHS, FIPS Pub 180), 1993
• SHA is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST
• Input message must be < 2^64 bits
• not really a problem
• Message is processed in 512-bit blocks sequentially
• Message digest is 160 bits
• SHA design is similar to MD5, but a lot stronger
• Step 2: Append the length as a 64-bit unsigned integer
• Step 3: Initialize the MD buffer, 5 32-bit words
• Stored in big-endian format, most significant byte at the low address
• A|B|C|D|E
• A = 67452301
• B = efcdab89
• D = 10325476
• E = c3d2e1f0
• Step 4: the 80-step processing of 512-bit blocks: 4 rounds, 20 steps each.
• Each step t (0 <= t <= 79):
• Input:
• W_t – a 32-bit word from the message
• K_t – a constant.
• ABCDE: current MD.
• Output:
• ABCDE: new MD.
• Only 4 per-round distinctive additive constants
• 0 ≤ t ≤ 19: K_t = 5A827999
• 20 ≤ t ≤ 39: K_t = 6ED9EBA1
• 40 ≤ t ≤ 59: K_t = 8F1BBCDC
• 60 ≤ t ≤ 79: K_t = CA62C1D6
• Brute force attack is harder (160 vs 128 bits for MD5)
• Not vulnerable to any known cryptanalytic attacks (compared to MD4/5)
• A little slower than MD5 (80 vs 64 steps)
• Both work well on a 32-bit architecture
• Both designed as simple and compact for implementation
• NIST has issued a revision, FIPS 180-2
• SHA-256, SHA-384, SHA-512
• designed for compatibility with the increased security provided by the AES cipher
• structure and detail are similar to SHA-1
• hence analysis should be similar
• Digital signatures with Big Brother.
• Digital signatures using public-key cryptography.
• Digital signatures using message digests.
• Use of SHA-1 and RSA for signing nonsecret messages.
• (a) A message padded out to a multiple of 512 bits.
• (b) The output variables. (c) The word array.
• Certificates
• X.509
• Public Key Infrastructures
• A way for Trudy to subvert public-key encryption.
• A possible certificate and its signed hash.
• The basic fields of an X.509 certificate.
• (a) A hierarchical PKI. (b) A chain of certificates.
• IPsec
• Firewalls
• Virtual Private Networks
• Wireless Security
• The IPsec authentication header in transport mode for IPv4.
• (a) ESP in transport mode. (b) ESP in tunnel mode.
• A firewall consisting of two packet filters and an application gateway.
• (a) A leased-line private network. (b) A virtual private network.
• Packet encryption using WEP.
• Authentication Based on a Shared Secret Key
• Establishing a Shared Key: Diffie-Hellman
• Authentication Using a Key Distribution Center
• Authentication Using Kerberos
• Authentication Using Public-Key Cryptography
• Two-way authentication using a challenge-response protocol.
• A shortened two-way authentication protocol.
• The reflection attack.
• A reflection attack on the protocol of Fig. 8-32.
• Authentication using HMACs.
• The Diffie-Hellman key exchange.
• The bucket brigade or man-in-the-middle attack.
• A first attempt at an authentication protocol using a KDC.
• The Needham-Schroeder authentication protocol.
• The Otway-Rees authentication protocol (slightly simplified).
• The operation of Kerberos V4.
• Mutual authentication using public-key cryptography.
• PGP – Pretty Good Privacy
• PEM – Privacy Enhanced Mail
• S/MIME
• PGP in operation for sending a message.
• A PGP message.
• Threats
• Secure Naming
• SSL – The Secure Sockets Layer
• Mobile Code Security
• (a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record.
• How Trudy spoofs Alice's ISP.
• An example RRSet for bob.com. The KEY record is Bob's public key. The SIG record is the top-level com server's signed hash of the A and KEY records to verify their authenticity.
• A self-certifying URL containing a hash of the server's name and public key.
• Layers (and protocols) for a home user browsing with SSL.
• A simplified version of the SSL connection establishment subprotocol.
• Data transmission using SSL.
• Applets inserted into a Java Virtual Machine interpreter inside the browser.
• Privacy
• Freedom of Speech
• Users who wish anonymity chain requests through multiple anonymous remailers.
• Possibly banned material:
• Material inappropriate for children or teenagers.
• Hate aimed at various ethnic, religious, sexual, or other groups.
• Information about democracy and democratic values.
• Accounts of historical events contradicting the government's version.
• Manuals for picking locks, building weapons, encrypting messages, etc.
• (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare.
• Radio is the transmission of signals by modulation of electromagnetic waves with frequencies below those of visible light.
• Electromagnetic radiation travels by means of oscillating electromagnetic fields that pass through the air and the vacuum of space.
• Information is carried by systematically changing (modulating) some property of the radiated waves, such as amplitude, frequency, phase, or pulse width.
• When radio waves pass an electrical conductor, the oscillating fields induce an alternating current in the conductor.
• This can be detected and transformed into sound or other signals that carry information.