An introduction to cryptography
By-Aditya Raina
I have given history short-shrift in my attempt ...
Part III: Applications of Cryptography
14.1 E-mail Security
14.2 IP-Security
14.3 Web Security
15 Time-stamping
Introduction To “Cryptography: A Black Art”
Cryptography is a fundamental building block for buildinginformation systems, ...


cipher text decryptionplaintext

Figure1-1. Encryption and decryption

A stream cipher operates on ...
In order to cryptographically secure high-value data on a hard disk (or on back-up
media), it is necessary to employ a hig...
signature scheme, now referred to as RSA. The RSA scheme is based on another
hard mathematical problem, the intractability...
Part II -Cryptography
In this section we shall introduce the major methods of encryption, hashing and

supports a larger range of block and key sizes; AES has a fixed block size of 128
bits and a key size of 128, 192 or 256 b...
This has not yet led to any attacks, but some researchers are worried that future
attacks may find a way to exploit this s...
However, a key size of 128 bits is considered secure for the foreseeable future. No
security problem has been found on Cam...
mixing of its inner state between two consecutive iterations. The mixing function is
entirely based on arithmetical operat...
substitute. However, all such schemes are based on algorithms, and must therefore
leave patterns in the key streams for st...
CBC: In the cipher-block chaining (CBC) mode, each block of plaintext is XOR-ed
with the previous ciphertext block before ...
Unlike the available alternative block ciphers, the DES cipher has been proven
mathematically to not be ...
to become the AdvancedEncryption Standard (AES). (If you don‘t speak Dutch,
Flemish or Afrikaans, then theclosest approxim...
The Finite Field:
Both the key expansion and encryption algorithms of simplified AES depend on an
S-box that itself depend...
Main uses of public-key cryptography:
1) Agree on a key for a symmetric cryptosystem.
2) Digital signatures.
Public-key cr...
• (1/q) mod p (often known as iqmp)
Though this form allows faster decryption and signing using the Chinese Remainder
Public key algorithms have complex mathematics and need very long keys. Due to
this public key cryptography is ve...
Keys should whenever possible be distributed by electronic means, enciphered
under previously established h...
If Alice and Bob want to agree on a key for AES, they use the reduction of gaAaB. Alice
can compute this since she looks u...
for obvious reasons, but instead in digest form. To authenticate a user, the password
presented by the user is hashed and ...
B. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function
with a 128-bit hash value. As an Internet...
RIPEMD-160 was designed in the open academic community, in contrast to the
NSA-designed algorithm, SHA-1. On the other han...
Public key digital signatures are generally preferred for electronic commerce
1. Private keys can be used repeate...
private key

Original text

public key


signed text


verified text

Figure . Simple digital signatures...
E-mail Security:
14.1. Pretty Good Privacy:
PGP is a remarkable phenomenon.PGP started as a free secure e-mail program. La...
Plaintext is
encrypted with
session key.

Session key is
encrypted with
public key.

Cipher text + encrypted session

IP Security:
Internet Protocol Security (IPsec) is a competitor of TLS. It works at a different level
than TLS which gives...
impersonating another user, altering messages in transit between client and server, and
altering information on a Web site...
If you have a printed document and want to prove that it existed on a certain date,
you can get it notarize...
and so don‘t want to use it. They could write it down and put it in their wallet/purse,
but that can get stolen. So instea...
18.Quantum Cryptography
There are two ways of agreeing on a symmetric key that do not involve co-presence.
The first is pu...
to start the whole process again and try to prevent Eve from eavesdropping
somehow. ((Ed, what if Eve gets in between and ...
20. Password Management:
Password Protection:
The front line of defence against intruders is the password system. Virtuall...
3. A firewall is a convenient platform for several Internet functions that are not security
related. These include a netwo...
Cryptography- "A Black Art"
Upcoming SlideShare
Loading in …5

Cryptography- "A Black Art"


Published on

Cryptography has opened the doors of security for mankind.

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cryptography- "A Black Art"

  1. 1. An introduction to cryptography By-Aditya Raina I have given history short-shrift in my attempt to get to modern cryptography as quickly as possible.Any mistakes in this document are mine. Please notify me of any that you find at the above e-mail address. Table of contents Part I: Introduction 1 Vocabulary 2 Concepts 3 History 4 Crash Course in Number Theory Part II: Cryptography 5. Simple Cryptosystems 6. Symmetric key cryptography 7. Cryptography Algorithms 7.1 Symmetric key Algorithms 1. Block Ciphers 1. A RIJNDAEL 1. B CAMELLIA 2. Stream Ciphers 2. A RABBIT 8.Finite Fields 9. Modern Stream Ciphers 9.1 RC4 9.2 One-Time Pads 10. Modern Block Ciphers 10.1 Modes of Operation of a Block Cipher 10.2 The Block Cipher DES 10.3 The Block Cipher AES 11. Public Key Cryptography 11.1 Public Key Algorithms 11.1.1. RSA 11.2. Key Management 11.2 .1 Finite Field Discrete Logarithm Problem 11.2.2. Diffie-Hellman Key Agreement 11.3. Elliptic Curve Cryptography 12. Hash functions and Message Authentication Codes 12. a SHA-0, SHA-1 12. b The MD5 hash function 12. c WHIRLPOOL 12. d RIPEMD 12. e SHACAL 12.1 Security of Hash Functions 12.2 MAC 13 Signatures and Authentication 13.1 Public Key digital signatures
  2. 2. Part III: Applications of Cryptography 14.1 E-mail Security 14.2 IP-Security 14.3 Web Security 15 Time-stamping 16 KERBEROS 17 Key Management and Salting 18 Quantum Cryptography Part IV: Introduction to System Security 19. Intruders 19.1 Intrusion Detection 20. Password Management 20.1 Password Protection 21. Firewalls 21.1 Firewall Characteristics 22. Cryptography Failures Part V: Cryptanalysis 23 Basic Concepts of Cryptanalysis 23.1 Cryptanalytic Attacks
  3. 3. Introduction To “Cryptography: A Black Art” Cryptography is a fundamental building block for buildinginformation systems, and as we enter the so-called "information age" of global networks, ubiquitous computing devices, and electronic commerce, we can expect that the cryptography will become more and more important with time.It is used to hide information. It is not only use by spies but for phone, fax and e-mail communication, bank transactions, bank account security, PINs, passwords and credit card transactions on the web. It is also used for a variety of other information security issues including electronic signatures, which are used to prove who sent a message. The main goal of cryptography is to adequately address the following four areas in both theory and practice: a)Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecyis a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible. b)Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation by unauthorizedparties. Data manipulation includes such things as insertion, deletion, and substitution. 3)Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed). 4)Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute. 1 Vocabulary A plaintext message, or simply a plaintext, is a message to be communicated. A misguided version of a plaintext message is a ciphertext message or simply a ciphertext. The process of creating a ciphertext from a plaintext is called encryption. The process of turning a ciphertext back into a plaintext is called decryption. The verbs encipher and decipher are synonymous with the verbs encrypt and decrypt. In England, cryptology is the study of encryption and decryption and cryptography is the application of them. In the U.S., the terms are synonymous, and the latter term is used more commonly. In non-technical English, the term encode is often used as a synonym for encrypt. To encode a plaintext changes the plaintext into a series of bits (Usually) or numbers (traditionally). A bit is simply a 0 or a 1. There is nothing secret about encoding. A simple encoding of the alphabet would be A! 0,Z! 25. Using this, we could encode the message HELLO as 7 4 11 11 14. The most common method of encoding a message nowadays is to replace it by its ASCII equivalent, which is an 8 bit representation for each symbol. Decoding turns bits or numbers back into plaintext.
  4. 4. Plaintext encryption cipher text decryptionplaintext Figure1-1. Encryption and decryption A stream cipher operates on a message symbol-by-symbol, or nowadays bit-by-bit. A block cipher operates on blocks of symbols. A digraph is a pair of letters and a trigraph is a triple of letters. These are blocks that were used historically in cryptography. The Advanced EncryptionStandard (AES) operates on 128 bit strings. So when AES is used to encrypt a text message, it encrypts blocks of 128/8 = 16 symbols. A transposition cipher rearranges the letters, symbols or bits in a plaintext. A substitution cipher replaces letters, symbols or bits in a plaintext with others without changing the order. A product cipher alternates transposition and substitution. The concept of stream versus block cipher really only applies to substitution and productciphers, not transposition ciphers. An algorithm is a series of steps performed by a computer (nowadays) or a person (traditionally) to perform some task. 2. Cryptosystem: In this meaning, the term Cryptosystem is used as shorthand for "cryptographic system". A cryptographic system is any computer system that involves cryptography. Such systems include for instance, a system for secure electronic mail which might include methods for digital signatures, cryptographic hash functions, key management techniques, and so on. Cryptographic systems are made up of cryptographic primitives, and are usually rather complex. Because of this, breaking a cryptosystem is not restricted to breaking the underlying cryptographic algorithms usually it is far easier to break the system as a whole, e.g., through the not uncommon misconceptions of users in respect to the cryptosystem. The systematic arrangement of cypher text can abide the security. Meaning in the context of cryptography: In this meaning, a Cryptosystem refers to a suite of algorithms needed to implement a particular form of encryption and decryption. Typically, a cryptosystem consists of three algorithms: 1. for key generation, 2. for encryption, and 3. for decryption. The term cipher (sometimes cypher) is often used to refer to a pair of algorithms, one for encryption and one for decryption. Therefore, the term "cryptosystem" is most often used when the key generation algorithm is important. For this reason, the term "cryptosystem" is commonly used to refer to public key techniques; however both "cipher" and "cryptosystem" are used for symmetric key techniques. CRYPTOSYSTEMS AND KEYS By definition, a cryptosystem is the combination of three elements: an encryptionengine, keying information, and operational procedures for their secure use.
  5. 5. In order to cryptographically secure high-value data on a hard disk (or on back-up media), it is necessary to employ a high-grade cryptosystem: one which even an attacker possessing both a copy of your encryption engine and knowledge of your operating procedures cannot break without your keying information. Cryptanalysis is the process by which the enemy tries to turn Cipher text into Plaintext. It can also mean the study of this. Cryptosystems come in 3 kinds: 1. Those that have been broken (most). 2. Those that have not yet been analysed (because they are new and not yet widely used). 3. Those that have been analysed but not broken. (RSA, Discrete log cryptosystems, Triple-DES, AES). # Three most common ways for the enemy to turn ciphertext into plaintext: 1. Steal/purchase/bribe to get key 2. Exploit sloppy implementation/protocol problems (hacking). Examples: someone usedspouse‘s name as key, someone sent key along with message 3. Cryptanalysis Alice is the sender of an encrypted message. Bob is the recipient. Eve is the eavesdropper who tries to read the encrypted message. 3 History 400 BC Spartan sky tale cipher (sounds like Italy). Example of transposition cipher. Letters were written on a long thin strip of leather wrapped around a cylinder. The diameter of the cylinder was the key. _____________________________ /T/H/I/S/I/S/_/ / / /H/O/W/I/T/ || / /W/O/U/L/D/ / -----------------------------------------------Julius Caesar‘s substitution cipher. Shift all letters three to the right. In our alphabet that would send A! D, B! E, Z! C. Cryptography has a long and fascinating history. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies. The proliferation of computers &communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world. The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published ―New Directions in Cryptography‖. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and
  6. 6. signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem. One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the El Gamal public key scheme. The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society. 4 Crash course in Number Theory Let Z denote the integers . . . , −2, −1, 0, 1, 2, . ... The symbol 2 means is an element of. Ifa, b 2 Z we say a divides b if b = na for some n 2 Z and write a|b. a divides b is just another way of saying b is a multiple of a. So 3|12 since 12 = 4 · 3, 3|3 since 3 = 1 · 3, 5| − 5 since −5 = −1 · 5, 6|0 since 0 = 0 · 6. If x|1, what is x? (Answer ±1). Properties: If a, b, c 2 Z and a|b then a|bc. I.e., since 3|12 then 3|60. If a|b and b|c then a|c. If a|b and a|c then a|b ± c. If a|b and a 6 |c (not divide) then a 6 |b ± c. The primes are 2, 3, 5, 7, 11, 13 . ... The Fundamental Theorem of Arithmetic: Any n 2 Z, n >1, can be written uniquely as a product of powers of distinct primes. For example 90 = 21 · 32 · 51. Given a, b € Z_0 (the non-negative integers), not both 0, the greatest common divisor of a and b is the largest integer d dividing both a and b. It is denoted gcd(a, b) or just (a, b). As examples: gcd (12, 18) = 6, gcd (12, 19) = 1. To get the fraction 12/18 into lowest terms, cancel the 6‘s. The fraction 12/19 is already in lowest terms. If you have the factorization of a and b written out, then take the product of the primes to the minimum of the two exponents, for each prime, to get the gcd. 2520 = 23 · 32 · 51 · 71 and 2700 = 22 · 33 · 52 · 70 so gcd (2520, 2700) = 22 · 32 · 51 · 70 = 180. Note 2520/180 = 14, 2700/180 = 15 and gcd (14, 15) = 1. We say that two numbers with gcd equal to 1 are relatively prime. Factoring is slow with large numbers. The Euclidean algorithm for gcd‘ing is very fast with large numbers. Find gcd (329, 119). Recall long division. When dividing 119 into 329 you get 2 with remainder of 91. At each step, previous divisor and remainder become the new dividend and divisor. 329 = 2 · 119 + 91 119 = 1 · 91 + 28 91 = 3 · 28 + 7 28 = 4 · 7 + 0 The number above the 0 is the gcd. So gcd (329, 119) = 7.
  7. 7. Part II -Cryptography In this section we shall introduce the major methods of encryption, hashing and signatures. 5Simple Cryptosystems Let P be the set of possible plaintext messages. For example it might be the set { A, B,. . . ,Z } of size 26 or the set { AA, AB, . . . ,ZZ } of size 26^2. Let C be the set of possible ciphertext messages. An enciphering transformation f is a map from P to C. f shouldn‘t send different plaintext messages to the same ciphertext message (so f should be one-to-one or injective). We‘ll start with a cryptosystem based on single letters. You can replace letters by other letters. Having a weird permutation is slow, like A! F, B! Q, C! N,. ... There‘s less storage if you have a mathematical rule to govern encryption and decryption. Shift transformation: P is plaintext letter/number A=0, B=1, Z=25. The Caesar cipher is an example: Encryption is given by C _ P + 3(mod26) and so decryption is given by P _ C − 3(mod26). This is the Caesar cipher. If you have an N letter alphabet, a shift enciphering transformation is C _ P + b(modN) where b is the encrypting key and –b is the decrypting key. 6.Symmetric key cryptography In symmetric key cryptosystem, Alice and Bob must agree on a secret, shared key ahead of time. We will consider stream ciphers and block ciphers. 7.CRYPTOGRAPHY ALGORITHMS 7.1SYMMETRIC KEY ALGORITHMS I. BLOCK CIPHERS Symmetric (secret key) encryption schemes use the same key for encryption and decryption and usually have predefined key lengths. They provide a high security and a high performance, but suffer from the key exchange problem. A group of n entities needs to exchange n*(n−1)/2 different keys over secure channels. The current state of the art in symmetric encryption is surely given by the five finalists of the AES selection process. In the AES competition, the winner, Rijndael, got 86 votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes Nechvatal et al. A. RIJNDAEL Rijndael, is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case with its predecessor, the Data Encryption Standard (DES). AES was adopted by National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November 2001 after a 5-year standardization process. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", acombination of the names of the inventors. Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndael
  8. 8. supports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. The key is expanded using Rijndael's key schedule. Most of AES calculations are done in a special finite field. AES operates on a 4×4 array of bytes, termed the state -versions of Rijndael with a larger block size have additional columns in the state. For encryption, each round of AES, except the last round consists of four stages: _ AddRoundKey — each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule. _ SubBytes — a non-linear substitution step where each byte is replaced with another according to a lookup table. _ Shift Rows — a transposition step where each row of the state is shifted cyclically a certain number of steps. _ Mix Columns — a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation. The final round replaces the Mix Columns stage with another instance of AddRoundKey. SECURITY As of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government nonclassified data. In June 2003, the US Government announced [9] that AES may be used for classified information: “The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use." This marks the first time that the public has had access to a cipher approved by NSA for TOP SECRET information. It is interesting to note that many public products use 128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future). The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192bit keys, and 14 rounds for 256-bit keys. As of 2006, the best known attacks are on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys. Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this meaning, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2120 operations would be considered a break even though it would be, now, quite unfeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For themoment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64 bit RC5 key by (finishing in 2002; Moore's Law implies that this is roughly equivalent to an attack on a 66- bit key today). Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematicaldescription.
  9. 9. This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, showing a potential weakness in the AES algorithm. Several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors may have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. For the moment, the XSL attack against AES appears speculative; it is unlikely that anyone could carry out the current attack in practice. B. CAMELLIA The cipher was developed jointly by Mitsubishi and NTT in 2000 , and has similar design elements to earlier block ciphers (E2 and MISTY1) from these companies. Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys — the same interface as the Advanced Encryption Standard. It is a Feistel cipher with either 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits). Every six rounds, a logical transformation layer is applied: the so-called "FL-function" or its inverse. The cipher also uses input and output key whitening. We will focus on the use of the Camellia block cipher algorithm in Cipher Block Chaining Mode, with an explicit Initialization Vector, as a confidentiality mechanism within the context of the IPsec Encapsulating Security Payload (ESP). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by the Japan CRYPTREC (Cryptography Research, Evaluation Committees). Camellia has been submitted to several other standardization bodies, such as ISO (ISO/IEC 18033) and the IETF S/MIME Mail Security Working Group. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the Advanced Encryption Standard (AES).Camellia is a symmetric cipher with a Feistel structure. Camillia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to AES. Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations must support this key size. Implementations may also support key sizes of 192 bits and 256 bits. Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used, implementations must use 18 rounds. When a 192-bit key is used, implementations must use 24 rounds. When a 256-bit key is used, implementations must use 24 rounds. At the time of writing this document, there are no known weak keys for Camellia. SECURITY Implementations are encouraged to use the largest key sizes they can, taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily affects both sides of a secure channel, so such consideration must take into account not only the client side, but also the server.
  10. 10. However, a key size of 128 bits is considered secure for the foreseeable future. No security problem has been found on Camellia [CRYPTREC]. Although patented, Camellia is available under a royalty-free license. II. STREAM CIPHERS A. RABBIT Rabbit is a high-speed stream cipher first presented in February 2003 at the 10th FSE workshop by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. In May 2005, it was submitted to the eSTREAM. Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses. The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables xj,I and eight 32-bit counter variables cj,i, where xj,i is the state variable of subsystem j at iteration i, and cj,i denote the corresponding counter variables. There is one counter carry bit, Á7,i, which needs to be stored between iterations. This counter carry bit is initialized to zero. The eight state variables and the eight counters are derived from the key at initialization. The algorithm is initialized by expanding the 128-bit key into both the eight state variables and the eight counters such that there is a one-to-one correspondence between the key and the initial state variables, xj,0, and the initial counters, cj,0. The key, K[127..0], is divided into eight subkeys: k0 = K[15..0], k1 = K[31..16], ..., k7 =K[127..112]. The state and counter variables are initialized from the sub keys as follows: The system is iterated four times, according to the next statefunction defined below, to diminish correlations between bits in the key and bits in the internal state variables. Finally, the counter values are re-initialized according to: cj,4=cj,4 XOR x(j+4 mod 8),4 to prevent recovery of the key by inversion of the counter system. The core of the Rabbit algorithm is the iteration of the system defined by the following equations: x0,i+1 = g0,i + (g7,i<<< 16) + (g6,i<<< 16) x1,i+1 = g1,i + (g0,i<<< 8) + g7,i x2,i+1 = g2,i + (g1,i<<< 16) + (g0,i<<< 16) x3,i+1 = g3,i + (g2,i<<< 8) + g1,i x4,i+1 = g4,i + (g3,i<<< 16) + (g2,i<<< 16) x5,i+1 = g5,i + (g4,i<<< 8) + g3,i x6,i+1 = g6,i + (g5,i<<< 16) + (g4,i<<< 16) x7,i+1 = g7,i + (g6,i<<< 8) + g5,i gj,i = ((xj,i + cj,i)2 XOR ((xj,i + cj,i)2 >> 32) mod 232 where all additions are modulo 232 . SECURITY As of March 2006, no cryptographic weaknesses are known. PERFORMANCE Rabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware. The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on strong
  11. 11. mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher. 8 Finite fields If p is a prime we rename Z/pZ = Fp, the field with p elements = {0, 1, . . . , p − 1} with +,−,×. Note all elements _ other than 0 have gcd(_, p) = 1 so we can find _−1(modp). So we can divide by any non-0 element. So it‘s like other fields like the rationals, reals and complex numbers. F_ p is {1, . . . , p − 1} here we do ×,÷. Note F_p has _(p − 1) generators g (also called primitive roots of p). The sets {g, g2, g3, . . . , gp−1} and {1, 2, . . . , p−1} are the same (though the elements will be in different orders). Example, F_ 5, g = 2: 21 = 2, 22 = 4, 23 = 3, 24 = 1. Also g = 3: 31 = 3, 32 = 4, 33 = 2, 34 = 1. For F_ 7, 21 = 2, 22 = 4, 23 = 1, 24 = 2, 25 = 4, 26 = 1, so 2 is not a generator. g = 3:31 = 3, 32 = 2, 33 = 6, 34 = 4, 35 = 5, 36 = 1. 9Modern stream ciphers Modern stream ciphers are symmetric key cryptosystems. So Alice and Bob must agree on a key beforehand. The plaintext is turned into ASCII. So the plaintext Go would be encoded as 0100011101101111. There‘s a given (pseudo)random bit generator. Alice and Bob agree on a seed, which acts as the symmetric/shared /secret key. They both generate the same random bit stream like 0111110110001101, which we call the keystream. Alice gets the ciphertext by bit-bybit XOR‘ing, i.e. bit-by-bit addition mod 2. 0 XOR-ed0 = 0, 0 XOR-ed1 = 1, 1 XORed0 = 1, 1 XOR-ed1 = 0. We could sequentially use the letters of a key word as key letters for monoalphabetic substitution of sequential plaintext letters from separate substitution alphabets, equal in number to the number of letters in the key. This polyalphabetic substitution cipher blurs the statistics of the letter frequencies to an almost flat probability distribution. Its modern version is the byte-by-byte addition of a key-stream to the plaintext - a Vernam cipher. For all its apparent complexity, however, if you sample its cipher-text at letter intervals equal to the length of the key, the old statistics jump out at you. Friedman's brilliant index of coincidence statistic will betray that key length. NOTE: An excellent source for understanding how many ways have been devised to break apparently clever ciphers is US Army Field Manual FM-34-40-2, Basic Cryptanalysis, the successor to TM 32-220. It will quickly show you why professional creation of ciphers is restricted to those with proven experience in breaking the codes and ciphers of others. To counter this attack, we must have a secret key-stream as long as the message. If it is used twice on messages of the same length, adding the two cipher-text streams will cancel it out, leaving non-uniformly distributed letters for statistical cryptanalysis. To be unbreakable, the key-stream must come from a onetime pad of length equal to that of all the data bytes encrypted. All this keying material must be kept secret. This horrendous keying materials management problem for the only proven unbreakable cipher has led to searches for keying material generators which can
  12. 12. substitute. However, all such schemes are based on algorithms, and must therefore leave patterns in the key streams for statistical analyses that can break them. Their cryptographic strength is therefore a matter of degree (the cryptanalyst's work factor), not an absolute. However, that strength can still be formidable. One technique for achieving it is the use of Feistal networks, that generate blocks of key stream from blocks of the message itself, through multiple rounds of groups of permutations and substitutions, each dependent on transformations of a key. If they are specifically structured to thwart all the known statistical cryptanalysis methods, their cryptanalytic work factor can be made as large as that for exhaustive key search. RC4 is the most widely used stream cipher. Invented by Ron Rivest (R of RSA) in 1987. The RC stands for Ron‘s code. The pseudo random bit generator was kept secret. The source code was published anonymously on Cypherpunks mailing list in 1994. One-time pads If the key (not the key stream) for a stream cipher is random and as long as the plaintext then this is called a one-time-pad. The key must never be used again. Cryptanalysis is provably impossible. This was used by Russians during the cold war and by the phone linking the White House and the Kremlin. It is very impractical. 10Modern Block Ciphers Most encryption now is done using block ciphers. The two most important historically have been the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). DES has a 56 bit key and 64 bit plaintext and ciphertext blocks. AES has a 128 bit key, and 128 bit plaintext and ciphertext blocks. 10.1 Modes of Operation of a Block Cipher NIST has defined five modes of operation: CBC (Cipher Block Chaining), ECB (Electronic Codebook), CFB (Cipher Feedback), OFB (Output Feedback), and CTR (Counter). The CBC mode is well defined and well understood for symmetric ciphers, and it is currently required for all other ESP ciphers. ECB: The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the message is split into blocks and each is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks; thus, it does not hide data patterns well. In some senses it doesn't provide message confidentiality at all, and it is not recommended for cryptographic protocols.
  13. 13. CBC: In the cipher-block chaining (CBC) mode, each block of plaintext is XOR-ed with the previous ciphertext block before being encrypted. This way, each cipher text block is dependent on all plaintext blocks up to that point. Also, to make each message unique, an initialization vector is used in the first block. CFB The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. The operation is very similar; in particular, CFB decryption is almost identical to CBC decryption performed in reverse OFB: The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even if applied before encryption. Because of the symmetry of the XOR operation, encryption and decryption are exactly the same. CTR: Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has very similar characteristics to OFB, but also allows a random access property for decryption and is probably secure if the block cipher is strong. CTR mode is also known as Segmented Integer Counter (SIC) mode. 10.2 The Block Cipher DES The DES cipher was reviewed for NIST (then the National Bureau of Standards) by the NSA, in its COMSEC role (as opposed to its code-breaking COMINT role). The values of the constants in the DES S-box substitution tables were specifically chosen to resist then-known-by-NSA cryptanalytic attacks, including the then-highlyclassified concept of differential cryptanalysis. Its key size was chosen to be secure for at least a decade, while allowing implementations in 1970s integrated circuit technology. This 64-bit block cipher has successfully withstood public cryptanalysis for more than 20 years, a record matched by no other. In that time, however, the cost of specialpurpose key-search machines capable of brute force attacks on its 56-bit key space has dropped below levels feasible for most governments (and some corporations). NOTE: A thousand cooperating million-DES-encryptions-per-second machines, an array affordable by many governments and corporations, could perform the 2-to-the55th-power trial encryptions required to search half the 56-bit key space of DES (the amount necessary, on average) in a year. Ten thousand of them could do such an exhaustive key search in little more than a month. With the speed-per-dollar of such machines doubling every year or so, DES can hardly be considered secure for longterm use. Over two decades of unsuccessful cryptanalysis have shown the DES cipher's cryptographic strength to be, in practical terms, equivalent to the size of its key. Thus, an obvious place to look for its replacement is a version with a larger key.
  14. 14. TRIPLE-DES CIPHER Unlike the available alternative block ciphers, the DES cipher has been proven mathematically to not be an algebraic Group. Consequently, unlike those alternatives, three-pass encryption with DES yields a product cipher with a key space dimension equivalent to the sum of the sizes of the independent keys used in those passes. (Two-pass use of any block cipher is vulnerable to meet-in-the-middle attacks.) Each additional key-bit doubles the size of the key space. This is a crude, but extremely effective approach to defeating exhaustive key-search attacks through many years of increased computing power evolution. NOTE: This type of product cipher can be attacked by two different types of keysearch methods: (1) the obvious one of searching a 168-bit (3x56 bits) key-space, requiring an average of 2-to-the-167th-power triple-DES encryptions to crack the key used for a particular cipher-text (half the key space); or (2) pre-computing 2-to-the-56th-power DES decryptions and checking the stored table of results against an average of 2-to-the-111th-power double-DES encryptions. The former attack requires a thousand million-DES-encryptions-per-second machines to run for 10-to-the-31st-power millennia; the latter "only" requires them to run for 64 million-million millennia, if all one thousand machines can access the lookup table (which requires 500 million gigabytes of storage). Neither attack is taken very seriously by professionals, who would attack the key (and all your other keys at the same time) by exploiting cryptosystem implementation weaknesses or operator mistakes. EXPORT CONTROLS The financial services and banking industry uses the DES cipher to secure trillions of dollars of transactions. It has been moving toward standardizing on 112-bit (2-key) triple-DES as its successor for the next century. (In 2-key triple-DES, the same key is used for the first and third encryptions, requiring less keying material generation.) However, the US Government has thus far refused to provide the required export approvals, instead suggesting the use of its Escrowed Encryption Standard (FIPS PUB 185). This mandates use of the now-declassified Skipjack cipher with an 80-bit key (16 million times the size of the 56-bit DES key space), and a Law Enforcement Access Field (LEAF) permitting key recovery without the user's cooperation. NOTE: The Skipjack cipher is used in the Fortezza and Fortezza Plus encryption engines for all SBU information in NSA's Multi-level Information System Security Initiative (MISSI) system. NSA apparently considers this 64-bit block, 32-round, Feistal network's 80-bit key size to be adequate for fulfilling its SBU INFOSEC mission for the next decade or two. Our software cryptosystems employ a full 168-bit (3-key) triple-DES algorithm in cipher block chaining (CBC) mode. They incorporate neither a LEAF mechanism nor covert channels for key recovery. (The Professional versions do, however, provide you with the ability to generate secure split key shares that enable you to offer emergency access to your encrypted data by multiple trusted parties acting in concert.) 10.3 The Block Cipher AES However, DES was not designed with Triple-DES in mind. Undoubtedly there would be amore efficient algorithm with the same level of safety as Triple-DES. So in 1997, the NationalInstitute of Standards and Technology (NIST) solicited proposals for replacements of DES.In 2001, NIST chose 128-bit block Rijndael with a 128-bit key
  15. 15. to become the AdvancedEncryption Standard (AES). (If you don‘t speak Dutch, Flemish or Afrikaans, then theclosest approximation to the pronunciation is Rinedoll). Rijndael is a symmetric-key blockcipher designed by Joan Daemen and Vincent Rijmen. The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. A number of AES parameters depend on the key length (Table 1.1). In the description of this section, we assume a key length of 128 bits, which is likely to be the one most commonly implemented. Table 1.1 AES Parameters Key size (words/bytes/bits) 4/16/128 6/24/192 8/32/256 Plaintext block size (words/bytes/bits) 4/16/128 4/16/128 4/16/128 Number of rounds 10 12 Round key size (words/bytes/bits) 4/16/128 4/16/128 4/16/128 Expanded key size (words/bytes) 44/176 52/208 14 60/240 Rijndael was designed to have the following characteristics: Resistance against all known attacks Speed and code compactness on a wide range of platforms Design simplicity About AES Structure: 1. The key that is provided as input is expanded into an array of forty-four 32-bit words. Four distinct words (128 bits) serve as a round key for each round. 2. Four different stages are used, one of permutation and three of substitution: o Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block o ShiftRows: A simple permutation 8 o MixColumns: A substitution that makes use of arithmetic over GF(2 ) o AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.
  16. 16. The Finite Field: Both the key expansion and encryption algorithms of simplified AES depend on an S-box that itself depends on the finite field with 16 elements. Let F16 = F2[x]/(x4 + x + 1). The word nibble refers to a four-bit string, like 1011. We will frequently associate an element b0x3 + b1x2 + b2x + b3 of F16 with the nibble b0b1b2b3. The S-box:The S-box is a map from nibbles to nibbles. It can be inverted. (For those in the know, it is one-to-one and onto or bi-jective.) The Simplified AES Algorithm: The simplified AES algorithm operates on 16-bit plaintexts and generates 16-bit ciphertexts, using the expanded key k0 . . . k47. The encryption algorithm consists of the composition of 8 functions applied to the plaintext.Each function operates on a state. A state consists of 4 nibbles. The Function AKi : The abbreviation AK stands for add key. The function AKi consists of XORing Ki with the state so that the subscripts of the bits in the state and the key bits agree modulo 16. The Function NS: The abbreviation NS stands for nibble substitution. The function NS replaces each nibble Ni in a state by S-box(Ni) without changing the order of the nibbles.So it sends the state. The Function SR: The abbreviation SR stands for shift row. The function SR takes the state. The Function MC: The abbreviation MC stands for mix column. A column [Ni,Nj ] of the state is considered to be the element Niz + Nj of F16[z]/(z2 + 1). The function MC multiplies each column by the polynomial c(z) = x2z + 1. The simplest way to explain MC is to note that MC sends a column. The Rounds: The composition of functions AKi _MC _ SR _NS is considered to be the i-th round. So this simplified algorithm has two rounds. There is an extra AK before the first round and the last round does not have an MC. Security As an encryption standard, AES needs to be resistant to all known cryptanalytic attacks. Thus, AES was designed to be resistant against these attacks, especially differential and linear cryptanalysis. To ensure such security, block ciphers in general must have diffusion and non-linearity. Efficiency AES is expected to be used on many machines and devices of various sizes and processing powers. For this reason, it was designed to be versatile. Versatility means that the algorithm works efficiently on many platforms, ranging from desktop computers to embedded devices such as cable boxes. 11Public Key Cryptography In a symmetric key cryptosystem, if you know the encrypting key you can quickly determine the decrypting key (C _ aP +b(modN) or they are the same (modern stream cipher, AES). In public key cryptography, everyone has a public key and a private key. There is now known way of quickly determining the private key from the public key.
  17. 17. Main uses of public-key cryptography: 1) Agree on a key for a symmetric cryptosystem. 2) Digital signatures. Public-key cryptography is rarely used for message exchange since it is slower than symmetric key cryptosystems. 11.1 PUBLIC KEY ALGORITHMS A. RIVEST SHAMIR & ADELMAN (RSA) RSA involves two keys: public key and private key (a key is a constant number later used in the encryption formula.) The public key can be known to everyone and is used to encrypt messages. These messages can only be decrypted by use of the private key. In other words, anybody can encrypt a message, but only the holder of a private key can actually decrypt the message and read it. Intuitive example: Bob wants to send Alice a secret message that only she canread. To do this, Alice sends Bob a box with an open lock, for which only Alice has the key. Bob receives the box, he writes the message in plain English, puts it in the box and locks it with Alice's lock (now Bob can no longer read the message.) Bob sends the box to Alice and she opens it with her key. In this example, the box with the lock is Alice's public key, and the key to the lock is her private key. Key generation Suppose Alice and Bob are communicating over an insecure (open) channel, and Alice wants Bob to send her a private (or secure) message. Using RSA, Alice will take the following steps to generate a public key and a private key: 1. Choose two large prime numbers p and q such that p0q randomly and independently of each other. 2. Compute n=p·q. 3. Compute the totient function: "(n)=(p-1)(q-1). 4. Choose an integer e such that 1<e<"(n) which is coprime to "(n). 5. Compute d such that de21(mod("(n)). • The prime numbers can be probabilistically tested for primality. • A popular choice for the public exponents is e=216+1=65537. Some applications choose smaller values such as e = 3,5, or 35 instead. This is done in order to make implementations on small devices (e.g. smart cards) easier, i.e. encryption and signature verification is faster. But choosing small public exponents may lead to greater security risks. • Steps 4 and 5 can be performed with the extended Euclidean algorithm; see modular arithmetic. • Step 3 changed in PKCS#1 v2.0 to $=LCM(p-1,q-1) instead of "=(p-1)(q-1). The public key consists of • n, the modulus, and • e, the public exponent (sometimes encryption exponent). The private key consists of • n, the modulus, which is public and appears in the public key, and • d, the private exponent (sometimes decryption exponent), which must be kept secret. For reasons of efficiency sometimes a different form of the private key (including CRT parameters) is stored: • p and q, the primes from the key generation, • d mod (p-1) and d mod (q-1) (often known as dmp1 and dmq1)
  18. 18. • (1/q) mod p (often known as iqmp) Though this form allows faster decryption and signing using the Chinese Remainder Theorem (CRT), it considerably lowers the security. In this form, all of the parts of the private key must be kept secret. Yet, it is a bad idea to use it, since it enables side channel attacks in particular if implemented on smart cards, which would most benefit from the efficiency win. (Start with y = xemodn and let the card decrypt that. So it computes yd(mod p) oryd(mod q) whose results give some value z. Now, induce anerror in one of the computations. Then gcd(z − x,n) willreveal p or q.) Alice transmits the public key to Bob, and keeps the private key secret. p and q are sensitive since they are the factors of n, and allow computation of d given e. If p and q are not stored in the CRT form of the private key, they are securely deleted along with the other intermediate values from the key generation. 1) Encrypting messages Suppose Bob wishes to send a message M to Alice. He turns M into a number m <n, using some previously agreed-upon reversible protocol known as a padding scheme. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext ccorresponding to m: c=me mod n This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice. 2) Decrypting messages Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure: m=cd mod n Given m, she can recover the original message M. The decryption procedure works because cd 2 (me)d 2 med (mod n) Now, sinceed 2 1 (mod p-1) and ed 2 1 (mod q-1), Fermat's little theorem yields med 2 m (mod p) and med 2 m (mod q) Since p and q are distinct prime numbers, applying the Chinese remainder theorem to these two congruence yields med 2 m (mod pq). Thus, cd 2 m (mod n). PERFORMANCE RSA is much slower than DES and other symmetric cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSAencrypted symmetric key and the symmetrically-encrypted message to Alice. This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve (an eavesdropper wanting to see what was sent) could bypass RSA by guessing the symmetric key.
  19. 19. SECURITY Public key algorithms have complex mathematics and need very long keys. Due to this public key cryptography is very much slower than secret key cryptography and needs timeswhich are some orders of magnitude over those of Rijndael. Due to this public key encryption is normally only used in hybrid encryption systems. Thereby the entities use the public key systems to exchange a secret key. This exchanged key is then used to encrypt the actual message with a symmetric encryption system. In opposite to symmetric systems the encryption performance of asymmetric systems may significantly differ from its decryption performance. The first invented public key encryption system RSA is still the most used one. It is based on the factorization problem. According to Lenstra RSA currently needs a modulus size somewhere between 2790bit and 3390bit to meet the security of a 128bit Rijndael encryption. Rijndael–192 security is reached by a modulus size somewhere between 7160bit and 8200bit. Rijndael–256 security implies an RSA modulus between 14200bit and 15800bit. ECRYPT [16] estimates RSA keys with the length of 3072, 7680 and 15360 offer equivalent security to Rijndael 128, 192 and 256.The most prominent alternative to RSA is elliptic curve cryptography (ECC). It is based on the discrete logarithm problem and is faster than RSA because it manages with shorter keys. Due to the table form Lenstra and Verheul the security of 1024bit RSA is met by an ECC key between 138bit and 147bit. ECRYPT estimates a 160bit ECC key provides RSA–1024 security. All widely used public key cryptosystems are broken by efficient algorithms for sufficiently large quantum computers. There is some research on quantum–safe public key cryptosystems in order to meet this threat. 11.2 Key Management As the entire operation is dependent upon the security of the keys, it is sometimes appropriate to devise a fairly complex mechanism to manage them. Where a single individual is involved, often direct input of a value or string will suffice. The 'memorised' value will then be re-input to retrieve the data, similar to password usage. Sometimes, many individuals are involved, with a requirement for unique keys to be sent to each for retrieval/decryption of transmitted data. In this case, the keys themselves may be encrypted. A number of comprehensive and proven key management systems are available for these situations. CRYPTOGRAPHY KEY BASICS The two components required to encrypt data are an algorithm and a key. The algorithm generally known and the key are kept secret. The key is a very large number that should be impossible to guess, and of a size that makes exhaustive search impractical. In a symmetric cryptosystem, the ‗same key is used for encryption and decryption‘. In an asymmetriccryptosystem, the ‗key used for decryption is different from the key used for encryption‘. THE KEY PAIR: In an asymmetric system the encryption and decryption keys are different but related. The encryption key is known as the public key and the decryption key is known as the private key. The public and private keys are known as a key pair. Where a certification authority is used, remember that it is the public key that is certified and not the private key.
  20. 20. KEY COMPONENT: Keys should whenever possible be distributed by electronic means, enciphered under previously established higher-level keys. There comes a point, of course when no higher-level key exists and it is necessary to establish the key manually. A common way of doing this is to split the key into several parts (components) and entrust the parts to a number of key management personnel. The idea is that none of the key parts should contain enough information to reveal anything about the key itself. Usually; the key is combined by means of the exclusive-OR operation within a secure environment. In the case of DES keys, there should be an odd number of components, each component having odd parity. Odd parity is preserved when all the components are combined. Further, each component should be accompanied by a key check value to guard against keying errors when the component is entered into the system. A key check value for the combined components should also be available as a final check when the last component is entered. A problem that occurs with depressing regularity in the real world is when it is necessary to re-enter a key from its components. This is always an emergency situation, and it is usually found that one or more of the key component holders cannot be found. For this reason it is prudent to arrange matters so that the components are distributed among the key holders in such a way that not all of them need to be present. For example, if there are three components (C1, C2, and C3) and three key holders (H1, H2, H3) then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could have (C1, C2). In this arrangement any two out of the three key holders would be sufficient. In more sophisticated systems the components may be held on smart cards. 11.2.1Finite Field Discrete logarithm problem Let Fq be a finite field. Let g generate F_ q . Let b 2 F_ q . Then gi = b for some positive integeri _ q − 1. Determining i given Fq, g and b is the finite field discrete logarithm problem(FFDLP), which is (to our current knowledge) as hard as factoring. Example. 2 generates F_ 101. So we know 2i = 3 (i.e. 2i _ 3(mod 101)) has a solution. Itis i = 69. Similarly, we know 2i = 5 has a solution; it is i = 24. How could you solve suchproblems faster than brute force? In Sections 30.1 and 30.3.3 we present solutions fasterthan brute force. But they are nonetheless not fast. End example. For cryptographic purposes we take 10300 < q <10600 where q is a (large) prime or of the form 2d. Notation, if gi = b then we write logg(b) = i. Recall the logarithms you have already learned: log10(1000) = 3 since 103 = 1000 and ln(e2) = loge(e2) = 2. In the above example, for q = 101 we have log2(3) = 69 (since 269 _ 3(mod 101)). The best known algorithms for solving the FFLDP take as long as those for factoring, and so are sub-exponential. 11.2.3 Diffie-Hellman key agreement Diffie-Hellman key agreement over a finite field (FFDH) is commonly used. For a bunch of users A, B, C, etc. we fix q and g (a generator of F_q . The numbers q and g are used for the whole system. Each user has a private key a (aA, aB, aC, . . .) with 1 < a < q−1 and a public key, which is the reduction of ga in the field Fq. Each user publishes (the reductions of) gaA, gaB, . . . in a directory or on their websites. Note, often you create a new aA, gaA for each transaction. Alice would then need to send gaA to Bob at the beginning and vice versa.
  21. 21. If Alice and Bob want to agree on a key for AES, they use the reduction of gaAaB. Alice can compute this since she looks up gaB and raises it to aA. Bob can compute this since he looks up gaA and raises it to aB. Eve has q, g, gaA, gaB but cannot seem to find gaAaB without solving the FFDLP. This often seems amazing. She can find gaAgaB = gaA + aB, but that‘s useless. To get gaAaB, she needs to raise gaA, for example, to aB. To get aB she could try to use g and gaB. But determining aB from g and gaB is the FFDLP, for which there is no known fast solution. 11.2.4Elliptic curve cryptography Elliptic curves An elliptic curve is a curve described by an equation of the form y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 and an extra 0-point. 12Hash Functions and Message Authentication Codes Hash Functions take a block of data as input, and produce a hash or message digest as output. The usual intent is that the hash can act as a signature for the original data, without revealing its contents. Therefore, it's important that the hash function be irreversible - not only should it be nearly impossible to retrieve the original data, it must also be unfeasible to construct a data block that matches some given hash value. Randomness, however, has no place in a hash function, which should be completely deterministic. Given the exact same input twice, the hash function should always produce the same output. Even a single bit changed in the input, though, should produce a different hash value. The hash value should be small enough to be manageable in further manipulations, yet large enough to prevent an attacker from randomly finding a block of data that produces the same hash .In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity. A hash function takes a long string (or message) of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint. A typical use of a cryptographic hash would be as follows: Alice poses to Bob a tough math problem and claims she has solved it. Bob would like to try it himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random nonce, computes its hash and tells Bob the hash value (whilst keeping the solution secret). This way, when Bob comes up with the solution himself a few days later; Alice can verify his solution but still be able to prove that she had the solution earlier. In actual practice, Alice and Bob will often be computer programs, and the secret would be something less easily spoofed than a claimed puzzle solution. The above application is called a commitment scheme. Another important application of secure hashes is verification of message integrity. Determination of whether or not any changes have been made to a message (or a file), forexample, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event) (for example, see Tripwire , a system using this property as a defence against malware and malfeasance). A message digest can also serve as a means of reliably identifying a file. A related application is password verification. Passwords are usually not stored in clear text,
  22. 22. for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. Hashes are also used to identify files on peer-to-peer file sharing networks. For example, in an ed2k link the hash is combined with the file size, providing sufficient information for locating file sources, downloading the file and verifying its contents. Magnet links are another example. Such file hashes are often the top hash of a hash list or a hash tree which allows for additional benefits. For both security and performance reasons, most digital signature algorithms specify that only the digest of the message be "signed", not the entire message. Hash functions can also be used in the generation of pseudorandom bits. The most widely used hash functions (and their modifications) are: _ MD5 of R. Rivest (RFC 1321) _ SHA-1 SHA-224, SHA-256, SHA-384, SHA-512 of NIST ( FIPS PUB 180-1) _ RIPEMD, RIPEMD-128, RIPEMD-160 H. Dobbertin, A. Bosselaers, B. Preneel _ WHIRLPOOL-0, WHIRLPOOL-T, WHIRLPOOL P. Barreto, V. Rijmen (NESSIE project ISO/IEC 10118-3:2004) SHA-1, MD5, and RIPEMD-160 are among the most commonly-used message digest algorithms as of 2005. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of later algorithms which are derived from these hash functions. In particular, SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since they were replaced by their strengthened versions. A. SHA-0,SHA-1 SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of 264 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms. The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as "SHA-0". It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as "SHA-1". SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function. This was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. This function takes as input a 160-bit state and a 512-bit data word and outputs a new 160-bit state. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. This compression function is easily invertible if the data block is known,- given the data block on which it acted and the output of the compression function, one can compute that state that went in. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security. In February 2005, an attack on SHA-1 was reported, finding collisions in about 269 hashing operations, rather than the 280 expected for a 160-bit hash function. In August 2005, another attack on SHA-1 was reported, finding collisions in 263 operations.
  23. 23. B. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1 (recent claims suggest thatSHA-1 has been broken, however). In 2004, more serious flaws were discovered making further use of the algorithm for security purposes questionable. MD5 processes a variable length message into a fixedlength output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message. The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. There are four possible functions F; a different one is used in each round: denote the XOR, AND, OR and NOT operations respectively. C. WHIRLPOOL WHIRLPOOL is a cryptographic hash function designed by Vincent Rijmen and Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electro technicalCommission (IEC) as part of the joint ISO/IEC 10118-3 international standard. WHIRLPOOL is a hash designed after the Square block cipher. WHIRLPOOL is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES). Given a message less than 2256 bits in length, it returns a 512-bit message digest. The authors have declared that "WHIRLPOOL is not (and will never be) patented.It may be used free of charge for any purpose. The reference implementations are in the public domain." D. RIPEMD RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit message digest algorithm (and cryptographic hash function) developed in Europe by Hans Dobbertin, Antoon Bosselaers and Bart Preneel, and first published in 1996. It is an improved version of RIPEMD, which in turn was based upon the design principles used in MD4, and is similar in performance to the more popular SHA-1.There also exist 128, 256 and 320-bit versions of thisalgorithm, called RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. The 128-bit version was intended only as a drop-in replacement for the original RIPEMD, which was also 128-bit, and which had been found to have questionable security. The 256 and 320bit versions diminish only the chance of accidental collision, and don't have higher levels of security as compared to, respectively, RIPEMD-128 and RIPEMD-160.
  24. 24. RIPEMD-160 was designed in the open academic community, in contrast to the NSA-designed algorithm, SHA-1. On the other hand, RIPEMD-160 is a less popular and correspondingly less well-studied design. RIPEMD-160 is not constrained by any patents. E. SHACAL SHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash function from the SHA family. It was designed by Helena Handschuh and David Naccache, both cryptographers from the smart card manufacturer Gemplus. It is a 160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256. SHACAL turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words SHACAL views the SHA-1 compression function as 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zero up to 512. SHACAL is not intended to be used with keys shorter than128 bit. In 2003, SHACAL-2 was selected by the NESSIE project as one of their 17 recommended algorithms. SECURITY OF HASH FUNCTIONS In order to attack a hash function, the intruder must replace the initial message in such a way, by putting his own message, so as to produce the same output of the hash function. This is called collision and it‘s very difficult to happen. 13Signatures and authentication Making oneself sure that a message came from the proper sender is called authentication. The solution is signatures and certificates. Signatures connect a message with a public key. Certificates connect a public key with an entity. You can use public-key cryptography for signatures. Authentication, nonrepudiation, and integrity checks can be supported witha digital signature. A digital signature is similar to a written signature, however,it is stronger. For example, detection will result from any attemptto change the message content or to forge the signature. We note that aMessage Authentication Code (MAC), as defined in ANSI X 9.9, providesintegrity protection against alteration, but does not provide nonrepudiationbecause of the sharing of the conventional secret DES key. (Anotherterm for a MAC is a manipulation detection code, or MDC.)A digital signature must be a function of the entire document. Changingeven a single bit should produce a different signature. A signed messagecannot be changed without detection Public key digital signatures:The use of public key digital signatures and supporting hash functions can provide both authentication and verification of message integrity. Hash functions, which have been briefly introduced, will be discussed further. They can also serve as cryptographic checksums used for validating the contents of a message. Public key schemes supporting authentication permit generation of digital signatures algorithmically from the same key repeatedly, although the actual signatures are different. Digital signatures are a function of the message and a long-term key. Therefore, key material can be reused many times before replacement. Hash functions also reduce the impact of the computationally intensive nature of public key algorithms.
  25. 25. Public key digital signatures are generally preferred for electronic commerce because: 1. Private keys can be used repeatedly for generating digital signatures algorithmically, and 2. Nonrepudiation of the sender (Alice) is inherently a part of the system design. Therefore, public key implementation of digital signatures is effective and versatile. Nonrepudiation:Nonrepudiation is the system capability that prevents a sender (Alice) from denying that she has sent a message. The integrity of nonrepudiation is a function of the degree of security maintained for the sender‘s (Alice‘s) private key (DA).For example, Alicecould repudiate or deny sending a message if DA is compromised. Depending on the applicable legislation, Alice may still be held liable for messages signed before the compromise was reported to a central authority. Certain administrative approaches have been proposed for incorporation into protocols. Most of these involve use of some form of arbitrator. However, certain disputes may require litigation, because nonrepudiation is a critical business issue. One method of supporting nonrepudiation is to use a central authority. For example, the receiver of a message (Bob) sends a copy to the central authority. The central authority can verify sender‘s (Alice‘s) signature. This verification provides assurance that there is no report that Alice‘s private key (DA) was compromised at the time of sending. In this case, Alice would have to rapidly report the compromise of her private key. We must also consider the impact of the increased workload of the central authority on the throughput of the network. An alternate approach is to use time stamps. Although a network of automated arbitrators may still be required, the system overhead is modest because the arbitrators only have time stamp messages. A receiver (Bob) may check the validity of the sender‘s(Alice‘s) private key by checking with a central authority. Bob has a degree of assurance of nonrepudiation if the received message is time stamped before the validity check. He still has to determine if a compromise is discovered and reported later. Legal requirements for nonrepudiation may include a requirement that the sender (Alice) is responsible for signing until a compromise of her private key is reported to the central authority. Implementation of this approach could require an on-line central authority and realtime validity checks and time stamps. In addition to peak load concentrations that may occur at the central authority, certain requirements for a network-wide clock should be considered. A network-wide clock has other security vulnerabilities, such as vulnerability to forgery of time stamps. If users, such as Alice, are permitted to change their private keys, a central authority should archive past keys to assist in resolving disputes. Each industry should have a set of legal and administrative safeguards to maintain continuity of operations in the event of a compromise or change of keys. For example, credit card systems have effective legal and administrative provisions for cases of lost or stolen credit cards.
  26. 26. private key Original text public key signing signed text verifying verified text Figure . Simple digital signatures Message Authentication Code (MAC): Standard ANSI X9.9-1982, 1986. The Message Authentication Code (MAC) (ANSI X9.9), not to be confused with Mandatory Access Control (MAC), is a cryptographic checksum appended to a message. It seals the message against modification. All fields such as time, date, sources, and so on included in the checksum are rendered unalterable. Either the entire message or selected fields are processed through the algorithm using the Cipher Block Chaining Mode (CBC). As mentioned, the last block is the only output of the process that is used in the MAC. MAC requires a key management protocol, such as ANSI Standard X9.17. 14. Applications of Cryptographyin Network Security: 1. E-mail Security 2. IP Security 3. Web security
  27. 27. E-mail Security: 14.1. Pretty Good Privacy: PGP is a remarkable phenomenon.PGP started as a free secure e-mail program. Largely the effort of a single person, Phil Zimmermann, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. In essence, Zimmermann has done the following: 1. Selected the best available cryptographic algorithms as building blocks 2. Integrated these algorithms into a general-purpose application that is independent of operating system and processor and that is based on a small set of easy-to-use commands 3. Made the package and its documentation, including the source code, freely available via the Internet, bulletin boards, and commercial networks such as AOL (America On Line) 4. Entered into an agreement with a company (Via crypt, now Network Associates) to provide a fully compatible, low-cost commercial version of PGP PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth: 1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with vendor support. 2. It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding. 3. It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks. 4. It was not developed by, nor is it controlled by, any governmental or standards organization. For those with an instinctive distrust of "the establishment," this makes PGP attractive. 5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an aura of an anti-establishment endeavour. How PGP works: PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the Recipient‘s public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.
  28. 28. Plaintext is encrypted with session key. Session key is encrypted with public key. Cipher text + encrypted session key Figure 1-1: How PGP encryption works Decryption works in the reverse. The recipient‘s copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext. Encrypted message Encrypted session key Cipher text recipient’s private key used To decrypt session key session key used To decrypt cipher text original plaintext Figure 1-2. How PGP decryption works 14.2.S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users. S/MIME is defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851.
  29. 29. IP Security: Internet Protocol Security (IPsec) is a competitor of TLS. It works at a different level than TLS which gives it more flexibility. I do not understand different levels on a computer - it is a concept from computer engineering. IPsec is, however, less efficient than TLS. Its primary use is in Virtual Private Networks (VPN). A VPN is a private communications network. That means it is used within one company or among a small network of companies. TLS is used by everyone on the internet . IPsec encompasses three functional areas: “authentication, confidentiality, and key management”. Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to the entire packet except for the IP header (transport mode). Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated. IPsec defines a number of techniques for key management. Web Security: 14.1. Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets. But, the Web presents new challenges not generally appreciated in the context of computer and network security: The Internet is two way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web servers over the Internet. The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted. Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the Web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks. A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site. Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures. Web Security Threats This table provides a summary of the types of security threats faced in using the Web. One way to group these threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted. Active attacks include
  30. 30. impersonating another user, altering messages in transit between client and server, and altering information on a Web site. A Comparison of Threats on the Web Threats Consequences Countermeasures Integrity Modification of user data Trojan horse browser Modification of memory Modification of message traffic in transit Loss of information Cryptographic Compromise of checksums machine Vulnerability to all other threats Confidentiality Eavesdropping on the Net Theft of info from server Theft of data from client Info about network configuration Info about which client talks to server Loss of information Encryption, web Loss of privacy proxies Denial of Service Killing of user threads Flooding machine with bogus requests Filling up disk or memory Isolating machine by DNS attacks Disruptive Annoying Prevent user from getting work done Difficult to prevent Authentication Impersonation of legitimate users Data forgery Misrepresentation of user Belief that false information is valid Cryptographic techniques
  31. 31. 15Timestamping If you have a printed document and want to prove that it existed on a certain date, you can get it notarized. This is important for copyrighting a document to prove you originated it. This is more difficult with digital data. If there is a date on it, then the date can be easily replaced by another. The solution is a time stamping service. Here is a second scenario. If Alice signs a message, and later decides that she does not want that message to be signed (this is a kind of cheating) then she can anonymously publishher private key and say that anyone could have done the signing. This is called repudiation.So if someone receives a signature from Alice,he or she can demand that Alice use a digitaltimestamping service. That lessens Alice‘s ability to repudiate the signature. 16KERBEROS A protocol is a sequence of steps involving at least two parties that accomplishes a task. KERBEROS is a third-party authentication protocol for insecure, closed systems. Between systems people use fire walls. Note most problems come from people within a system. KERBEROS is used to prove someone‘s identity (authentication) in a secure manner without using public key cryptography. At SCU, KERBEROS is probably used for access to e-campus, OSCAR, People-soft, Novell, etc. It was developed by MIT and can be obtained free. KERBEROS requires a trusted third party. It enables a person to use a password to gain access to some service. Let C be the client, KDC be the key distribution centre, S be the service that C wants access to and TGS be S‘sticket granting service. Summary: i) KDC authenticates C‘s identity to TGS. ii) TGS gives permission to C to use S. 17. Key Management and Salting A common hacker attack is exploiting sloppy key management. Often bribe or steal to get a key. Scenario 1. Web: You pick your own password, usually. Uses SSL/TLS so use RSA to agree on AES key which is used to encrypt password (first time and later visits). They store passwords in (hopefully hidden) file with userids. Your password is not hashed. Scenario 2. Non-web systems. The system has a file (may or may not be public) with pairs: userid, hash(password). The system administrator has access to this file. Maybesomeday, the password cracker can get access to this file. He cannot use the hashed passwords to get access to your account because access requires entering a password and then having it hashed. In Scenario 2, from the hashes, Cracker may be able to determine the original password. Most people‘s passwords are not random. As another example, it would take about 11 seconds on a single computer using brute force to determine someone‘s key if you knew it consisted of 7 lowercase letters (that is 7 bytes). But if it consisted of 7 bytes from a pseudo-random number generator, then it would take 11 thousand years to brute force it. (This is basically like brute-forcing DES since DES has a 7 byte key and running a hash is like running DES. In fact, DES used to be used as a hash where the key was the 0 string and the password was used as the plaintext.). But most people have trouble remembering a password like 8 _ &u!M}
  32. 32. and so don‘t want to use it. They could write it down and put it in their wallet/purse, but that can get stolen. So instead, most passwords are easy to remember. So attacker can do a dictionary attack. Attacker can hash all entries of a dictionary. Online we can find dictionaries containing all common English words, common proper names and then all of the above entries with i‘s and l‘s replaced by 1‘s and o‘s replaced by 0‘s, etc. Attacker can even brute force all alpha-numeric strings up to a certain length. Then Attacker looks in the password file and finds many matches. This has been used to get tens of thousands of different passwords. The Password Recovery Toolkit can test 200000 passwords per second. In 1998, there was an incident where 186000 account names collected and hashed passwords collected. It was discovered, 1/4 of them using dictionary attack. Salt is a string that is concatenated to a password. It should be different for each user-id. It is public for non-SSL/TLS applications like KERBEROS and UNIX. It might seem like the salt should be hidden. But then the user would need to know the salt and keep it secret. But then the salt may as well just be appended to the password. If the salt were stored on the user‘s machine instead (so it‘s secret and the user would not need to memorize it) then the user could not log in from a different machine. For KERBEROS and UNIX, the system administrator usually gives you your password off-line in a secure way. The system creates your salt. Scenario 3. (Old UNIX) This is the same as Scenario 2, but the public password file has triples: username, user-id, expiration of password, location information, salt, hash(salt,password). The salt is a random string in plaintext, unique for this user-id. Now the dictionary attack won‘t get lots of passwords. But we can attack a single user as in Scenario 2. Scenario 4.UNIX. For reasons of backward-compatibility, new Unix-like operating systems need a non-encrypted password file. It has to be similar to the old password file or certain utilities don‘t work. For example, several utilities need the username to userid map available and look in password file for it. In the password file, where there was once the salt and the hash of a salted password, there is now a *. Unix has a second hidden file called the shadow password file. It is encrypted using a password only known to the system administrator. The shadow file contains user-id, salt, hash (salt, password). The user doesn‘t need to look up the salt. If the user connects to UNIX with SSH (Secure Shell), then the password goes, un-hashed, through SSH‘s encryption. The server decrypts the password, appends the salt, hashes and checks against hash (salt, password) in shadow file. Scenario 5. KERBEROS uses a non-secret salt which is related to the user-id and domain names. If two people have the same password, they won‘t have the same hash and if one person has two accounts with the same password, they won‘t have the same hash. The authentication server (for KERBEROS this is called the key distribution centre) keeps the hash secret, protected by a password known only to the authentication server. A single key or password should not be used forever. The longer it is used, the more Documents there are encrypted with it and so the more damage is done if it is compromised. The longer it is used, the more tempting it is to break it and the more time an attacker has to break it. Good way to generate key, easy to remember, hard to crack.
  33. 33. 18.Quantum Cryptography There are two ways of agreeing on a symmetric key that do not involve co-presence. The first is public key cryptography, which is based on mathematics. The second is quantum cryptography. It currently (2008) works up to 100 miles and is on the market but is not widely used. A photon has a polarization. A polarization is like a direction. The polarization can be measured on any basis in two-space: rectilinear (horizontal and vertical), diagonal (slope 1 and slope -1), etc. If you measure a photon in the wrong basis then you get a random result and you disturb all future measurements. Here is how it works. Alice and Bob need to agree on a symmetric key. Alice sends Bob a stream of photons. Each photon is randomly assigned a polarization in one of the four directions: |, −, , /. We will have | = 1, − = 0, = 1, / = 0. Let‘s say that Alice sends: / | | / | − − − | /. Bob has a polarization detector. For each photon, he randomly chooses a basis: rectilinear or diagonal. Say his choices are × + + × × + + + × × × + + Each time he chooses the right basis, he measures the polarization correctly. If he measures it wrong, then he will get a random measurement. His detector might output − | / / | − / | |.Alice sends / | | / | − − − | / Bob sets × + + × × + + + × × × + + Correct ~ ~ ~ ~ ~ ~ ~ Bob gets − | / − | − / | | Notice that when Bob correctly sets the basis, Alice and Bob have the same polarization, which can be turned into a 0 or 1. Looking at the second and last photons, we see an example of the randomness of Bob‘s measurement if the basis is chosen incorrectly. Now Bob contacts Alice, in the clear, and tells her the basis settings he made. Alice tells him which were correct. The others are thrown out. Alice sends | / | − | Bob gets | / | − | Those are turned into 0‘s and 1‘s Alice sends 1 1 0 1 0 1 1 Bob gets 1 1 0 1 0 1 1 On average, if Alice sends Bob 2n bits, they will end up with n bits after throwing out those from the wrong basis settings. So to agree on a 128 bit key, on average Alice must send 256 bits. What if Eve measures the photons along the way. We will focus on the photons for which Bob correctly guessed the basis. For half of those, Eve will guess the wrong basis. Whenever Eve measures in the wrong basis, she makes Bob‘s measurement random, instead of accurate. Alice sends | / | − | Eve sets × × × × + + + Bob sets × + × + + × + Bob gets − / | − / | Alice sends 1 1 0 1 0 1 1 Bob gets 1 0 0 1 0 0 1 Notefor the second and fourth photon, since Eve set the basis incorrectly, Bob gets a random (and half the time wrong) bit. So if Eve is eavesdropping then we expect her to get the wrong basis sometimes and some of those times Bob will get the wrong polarization. To detect eavesdropping, Alice and Bob agree to check on some of the bits, which are randomly chosen by Alice. For example, in the above, they could both agree to tell, in the clear, what the first three bits are. Alice would say 110 and Bob would say 100 and they would know that they had been tampered with. They would then have
  34. 34. to start the whole process again and try to prevent Eve from eavesdropping somehow. ((Ed, what if Eve gets in between and just reflects back the answer to each one? There are identity issues.)) If those check-bits agreed, then they would use the remaining four bits for their key. Of course there is a possibility that Alice and Bob would get the same three bits even though Eve was eavesdropping. So in real life, Alice and Bob would tell each other a lot more bits to detect eavesdropping. The probability that a lot of bits would all agree, given that Eve was eavesdropping, would then be very small. If they disagreed, then they would know there was eavesdropping. If those all agreed, then with very high probability, there was no eavesdropping. So they would throw the check-bits away and use as many bits as necessary for the keyNotice that Alice needs to be sure that it is actually Bob with whom she is communicating. In 2007, they had gotten quantum cryptography working over 150 kilometers. Quantum cryptography is considered safer than public key cryptography and has a built-in eavesdropping detection. However, it is difficult to transmit a lot of information this way, which is why it would be used for agreeing on a symmetric key (like for AES). At the moment, there are physics implementation issues that have been discovered so that the current implementation of quantum cryptography is insecure. 19Exposures To System Security : 19.1 Intruders:One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. In an important early study of intrusion, Anderson identified three classes of intruders: Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider. 19.2 Intrusion Detection Inevitably, the best intrusion prevention system will fail. A system's second line of defence is intrusion detection. This interest is motivated by a number of considerations, including the following: 1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to pre-empt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved. 2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions. 3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
  35. 35. 20. Password Management: Password Protection: The front line of defence against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways: The ID determines whether the user is authorized to gain access to a system. In some systems, only those who already have an ID filed on the system are allowed to gain access. The ID determines the privileges accorded to the user. A few users may have supervisory or "super user" status that enables them to read files and perform functions that are especially protected by the operating system. Some systems have guest or anonymous accounts, and users of these accounts have more limited privileges than others. The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of the other users, a user may grant permission to them to read files owned by that user. The Vulnerability of Passwords: To understand the nature of the threat to password-based systems, let us consider a scheme that is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following procedure is employed .Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the key input to an encryption routine. The encryption routine, known as crypt, is based on DES. The DES algorithm is modified using a 12-bit "salt" value. Typically, this value is related to the time at which the password is assigned to the user. The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The resulting 64-bit output is then translated into an 11-character sequence. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. This method has been shown to be secure against a variety of cryptanalytic attacks. 21. Firewalls : Firewall characteristics: The following capabilities are within the scope of a firewall: 1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems. 2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
  36. 36. 3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage. 4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability described in, the firewall can be used to implement virtual private networks. Firewalls have their limitations, including the following: 1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters. 2. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker. 3. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses. 22. Cryptography Failures: Designers of cryptographic systems have suffered from a lackof information about how their products fail in practice,as opposed to how they might fail in theory. This lack offeedback has led to a false threat model being accepted.Designers focussed on what could possibly go wrong, ratherthan on what was likely to; and many of their productsare so complex and tricky to use that they are rarely usedproperly.As a result, most security failures are due to implementation and management errors. One special consequencehas been a spate of ATM fraud, which has not just caused financial losses, but has also caused at least one miscarriage of justice and has eroded confidence in the UK banking system. There has also been a military cost; the details remain classified, but its existence has at last been admitted. Part IV: Cryptanalysis 23Basic Concepts of Cryptanalysis Cryptosystems come in 3 kinds: 1. Those that have been broken (most). 2. Those that have not yet been analysed (because they are new and not yet widely used). 3. Those that have been analysed but not broken. (RSA, Discrete log cryptosystems, AES). 3 most common ways to turn cipher text into plaintext: 1. Steal/purchase/bribe to get key 2. Exploit sloppy implementation/protocol problems (hacking/cracking). Examples: someone used spouse‘s name as key, someone sent key along with message 3. Cryptanalysis