2. Cryptography
• Cryptography comes from the Greek words for
“secret writing.” The messages to be encrypted,
known as the plaintext, are transformed by a
function that is parameterized by a key.
3. Plain text and Cipher text:
• The original message, before being transformed, is called plain
text.
• After the message is transformed, it is called cipher text.
– An encryption algorithm transforms the plaintext into
ciphertext;
– a decryption algorithm transforms the ciphertext back into
plaintext.
– The sender uses an encryption algorithm, and the receiver
uses a decryption algorithm.
4. Encryption model
• Cryptography can provide confidentiality, integrity, authentication
and non-repudiation of messages.
• Cryptography can also be used to authenticate the sender and
receiver of the message to each other.
5. Data Encryption
• Encryption is a security method in which information is encoded
in such a way that only an authorized user can read it. It uses an
encryption algorithm to generate ciphertext that can only be read
if decrypted.
• There are two types of encryption schemes, as listed below:
– Symmetric Key encryption
– Public Key encryption
6. Symmetric Key encryption
• A symmetric key encryption algorithm uses the same cryptographic
keys for both encryption and decryption of cipher text.
Symmetric encryption is generally more efficient than asymmetric encryption and
therefore preferred when large amounts of data need to be exchanged.
Symmetric-key cryptography is sometimes called secret-key cryptography. The
most popular symmetric-key system is the Data Encryption Standard (DES).
7. Symmetric Key
• An encryption system in which the sender and receiver of a
message share a single, common key that is used to encrypt and
decrypt the message. Contrast this with public-key cryptology,
which utilizes two keys - a public key to encrypt messages and a
private key to decrypt them.
• Symmetric-key systems are simpler and faster, but their main
drawback is that the two parties must somehow exchange the
key in a secure way. Public-key encryption avoids this problem
because the public key can be distributed in a non-secure way,
and the private key is never transmitted.
8. Symmetric Key Cryptography
• Symmetric key cryptography (or symmetric encryption) is a type of
encryption scheme in which the same key is used both to encrypt
and decrypt messages.
• Such a method of encoding information has been largely used in
the past decades to facilitate secret communication between
governments and militaries. Nowadays, symmetric key algorithms
are widely applied in various types of computer systems to
enhance data security.
• Examples of symmetric key cryptography include AES, DES, and
3DES. Key exchange protocols used to establish a shared
encryption key include Diffie-Hellman (DH), elliptic curve (EC) and
RSA.
9. How does symmetric encryption work?
• Symmetric encryption schemes rely on a single key that is shared
between two or more users. The same key is used to encrypt and
decrypt the so-called plaintext (which represents the message or
piece of data that is being encoded). The process of encryption
consists of running a plaintext (input) through an encryption
algorithm called a cipher, which in turn generates a ciphertext
(output).
• If the encryption scheme is strong enough, the only way for a
person to read or access the information contained in the
ciphertext is by using the corresponding key to decrypt it. The
process of decryption is basically converting the ciphertext back to
plaintext.
10. Cont..
• The security of symmetric encryption systems is based on how
difficult it is to randomly guess the corresponding key in a brute
force attack.
• A 128-bit key, for example, would take billions of years to guess
using common computer hardware. The longer the encryption key
is, the harder it becomes to crack it.
• Keys that are 256 bits long are generally regarded as highly
secure and theoretically resistant to quantum computer brute force
attacks.
11. Cont..
The most common symmetric encryption schemes used today are
based on block and stream ciphers.
• Block ciphers group data into blocks of predetermined size and
each block is encrypted using the corresponding key and encryption
algorithm (e.g., 128-bit plaintext is encrypted into 128-bit
ciphertext).
• On the other hand, stream ciphers do not encrypt plaintext data by
blocks, but rather by 1-bit increments (1-bit plaintext is encrypted
into 1-bit ciphertext at a time).
12. Symmetric vs. Asymmetric encryption
• Symmetric encryption is one of the two major methods of encrypting
data in modern computer systems. The other is asymmetric encryption,
which is the major application of public key cryptography. The main
difference between these methods is the fact that asymmetric systems
use two keys rather than the one employed by the symmetric schemes.
One of the keys can be publicly shared (public key), while the other must
be kept private (private key).
• The use of two keys instead of one also produces a variety of functional
differences between symmetric and asymmetric encryption. Asymmetric
algorithms are more complex and slower than the symmetric ones.
Because the public and private keys employed in asymmetric encryption
are to some degree mathematically related, the keys themselves must
also be considerably longer to provide a similar level of security offered
by shorter symmetric keys.
13. Advantages and disadvantages
• Symmetric algorithms provide a fairly high level of security while at the same
time allowing for messages to be encrypted and decrypted quickly. The relative
simplicity of symmetric systems is also a logistical advantage, as they require
less computing power than the asymmetric ones. In addition, the security
provided by symmetric encryption can be scaled up simply by increasing key
lengths. For every single bit added to the length of a symmetric key, the
difficulty of cracking the encryption through a brute force attack increases
exponentially.
14. Advantages and disadvantages
• While symmetric encryption offers a wide range of benefits, there is one major
disadvantage associated with it: the inherent problem of transmitting the keys
used to encrypt and decrypt data. When these keys are shared over an
unsecured connection, they are vulnerable to being intercepted by malicious
third parties. If an unauthorized user gains access to a particular symmetric key,
the security of any data encrypted using that key is compromised. To solve this
problem, many web protocols use a combination of symmetric and asymmetric
encryption to establish secure connections. Among the most prominent
examples of such a hybrid system is the Transport Layer Security
(TLS) cryptographic protocol used to secure large portions of the modern
internet.
• It should also be noted that all types of computer encryption are subject to
vulnerabilities due to improper implementation. While a sufficiently long key
can make a brute force attack mathematically impossible, errors in
implementation made by programmers often create weaknesses that open up
the way for cyber-attacks.
15. Public Key encryption
• A public key encryption algorithm uses a pair of keys, one of which is
a secret key and one of which is public. These two keys are
mathematically linked with each other.
16. Hashing
• Hashing is a technique used to encrypt data and generate
unpredictable hash values. It is the hash function that generates
the hash code, which helps to protect the security of
transmission from unauthorized users.
• A hashing algorithm provides a way to verify that the message
received is the same as the message sent. It takes a plain text
message as input and then computes a value based on that
message.
17. Function of Hash algorithms
• Key Points
• The length of the computed value is much shorter than the original
message. It is possible that different plain text messages could
generate the same value.
• Here we will discuss a sample hashing algorithm in which we will
multiply the number of a’s, e’s and h’s in the message and will then
add the number of o’s to this value.
• For example, the message is “the combination to the safe is two,
seven, thirty-five”. The hash of this message, using our simple
hashing algorithm, is as follows: (2 x 6 x 3) + 4 = 40
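The sample hash from this slide, as an added example that is not part of the original slides: it reproduces the value 40 and then checks which altered messages the toy hash fails to distinguish from the original, with SHA-256 alongside for comparison. The altered messages and function names are constructed for illustration.

```python
import hashlib


def toy_hash(message):
    """Slide's sample hash: (#a x #e x #h) + #o, counted case-insensitively."""
    text = message.lower()
    return text.count("a") * text.count("e") * text.count("h") + text.count("o")


def sha256_hex(message):
    """A real cryptographic hash, for comparison with the toy one."""
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


ORIGINAL = "the combination to the safe is two, seven, thirty-five"

# Constructed alterations of the original message.
CANDIDATES = [
    "the combination to the safe is two, seven, thirty-nine",  # same letter counts
    "the combination to the safe is seven, two, thirty-five",  # words reordered
    "the combination to the safe is one, seven, thirty-five",  # one extra 'e'
]


def undetected_edits(original, candidates, digest):
    """Return the altered messages whose digest still equals the original's."""
    expected = digest(original)
    return [c for c in candidates if c != original and digest(c) == expected]


if __name__ == "__main__":
    print("toy hash of original:", toy_hash(ORIGINAL))
    for name, fn in (("toy", toy_hash), ("sha256", sha256_hex)):
        missed = undetected_edits(ORIGINAL, CANDIDATES, fn)
        print(f"{name}: {len(missed)} of {len(CANDIDATES)} edits go undetected")
        for m in missed:
            print("   ", m)
```

Because the toy hash only counts four letters, any edit that preserves those counts yields the same value, which is the collision the slide warns about.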
18. Digital signatures
Authentication
• Digital signatures help to authenticate the sources of messages.
For example, suppose a bank’s branch office sends a message to the
central office requesting a change in the balance of an account. If the
central office could not authenticate that the message was sent from an
authorized source, acting on such a request could be a serious
mistake.
Integrity
• Once the message is signed, any change in the message would
invalidate the signature.
Non-repudiation
• By this property, any entity that has signed some information
cannot at a later time deny having signed it.
20. Public Key Cryptography
• Unlike symmetric key cryptography, we do not find historical use of public-key
cryptography. It is a relatively new concept.
• Symmetric cryptography was well suited for organizations such as
governments, military, and big financial corporations that were involved in
classified communication.
• With the spread of more unsecure computer networks in the last few decades, a
genuine need was felt to use cryptography at a larger scale. The symmetric key
was found to be non-practical due to the challenges it faced for key management.
This gave rise to the public key cryptosystems.
21. The process of encryption and decryption is depicted in the following illustration
22. Public key encryption scheme
• Different keys are used for encryption and decryption. This is a
property which sets this scheme apart from the symmetric
encryption scheme.
• Each receiver possesses a unique decryption key, generally referred
to as his private key.
• The receiver needs to publish an encryption key, referred to as his
public key.
• Some assurance of the authenticity of a public key is needed in this
scheme to avoid spoofing by an adversary posing as the receiver. Generally,
this type of cryptosystem involves a trusted third party which
certifies that a particular public key belongs to a specific person or
entity only.
23. Cont..
• The encryption algorithm is complex enough to prohibit an attacker from
deducing the plaintext from the ciphertext and the encryption
(public) key.
• Though private and public keys are related mathematically, it is not
feasible to calculate the private key from the public key. In fact, the
intelligent part of any public-key cryptosystem is in designing a
relationship between the two keys.
25. AES Origins
• clear a replacement for DES was needed
– have theoretical attacks that can break it
– have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
26. The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than Feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to have:
resistance against known attacks
speed and code compactness on many CPUs
design simplicity
28. AES Structure
data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiply of groups)
add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
30. Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
– four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only Add Round Key uses key
6. Add Round Key a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
31. Substitute Bytes
a simple substitution of each byte
uses one table of 16x16 bytes containing a permutation
of all 256 8-bit values
each byte of state is replaced by byte indexed by row
(left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by byte in row 9 column 5
which has value {2A}
S-box constructed using defined transformation of
values in GF(2^8)
designed to be resistant to all known attacks
34. Shift Rows
a circular byte shift in each
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step permutes
bytes between the columns
36. Mix Columns
each column is processed separately
each byte is replaced by a value dependent on
all 4 bytes in the column
effectively a matrix multiplication in GF(2^8) using
prime poly m(x) = x^8 + x^4 + x^3 + x + 1
39. AES Arithmetic
uses arithmetic in the finite field GF(2^8)
with irreducible polynomial
m(x) = x^8 + x^4 + x^3 + x + 1
which is (1 0001 1011) or {11b}
e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)
40. Mix Columns
can express each col as 4 equations
to derive each new byte in col
decryption requires use of inverse matrix
with larger coefficients, hence a little harder
have an alternate characterization
each column a 4-term polynomial
with coefficients in GF(2^8)
and polynomials multiplied modulo (x^4 + 1)
coefficients based on linear code with maximal
distance between code words
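The GF(2^8) arithmetic and Mix Columns steps above, as an added example that is not part of the original slides: it reproduces the {02} • {87} calculation and applies the column matrix and its inverse. The matrix coefficients are taken from FIPS PUB 197 (they are not listed on the slides), and the sample column and function names are constructed for illustration.

```python
AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, i.e. (1 0001 1011)

# Coefficient matrices from FIPS PUB 197 (assumption: not shown on the slides).
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing modulo m(x) after each shift."""
    result = 0
    for _ in range(8):
        if b & 1:            # add (XOR) the current multiple of a
            result ^= a
        b >>= 1
        a <<= 1              # multiply a by x
        if a & 0x100:        # degree-8 term appeared: subtract (XOR) m(x)
            a ^= AES_POLY
    return result


def mix_column(column, matrix=MIX):
    """Replace each byte by a GF(2^8) combination of all 4 bytes in the column."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(coeff, byte)
        out.append(acc)
    return out


def round_trip(column):
    """Mix a column, then undo it with the inverse matrix used for decryption."""
    mixed = mix_column(column)
    return mixed, mix_column(mixed, INV_MIX)


if __name__ == "__main__":
    print("{02} * {87} = {%02x}" % gf_mul(0x02, 0x87))
    mixed, restored = round_trip([0xDB, 0x13, 0x53, 0x45])  # constructed sample
    print("mixed:   ", " ".join("%02x" % b for b in mixed))
    print("restored:", " ".join("%02x" % b for b in restored))
```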
41. Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a
series of byte operations)
inverse for decryption identical
since XOR own inverse, with reversed keys
designed to be as simple as possible
a form of Vernam cipher on expanded key
requires other stages for complexity / security
44. AES Key Expansion
takes 128-bit (16-byte) key and expands into
array of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on values
in previous & 4 places back
in 3 of 4 cases just XOR these together
1st word in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back
46. Key Expansion Rationale
designed to resist known attacks
design criteria included
knowing part key insufficient to find many more
invertible transformation
fast on wide range of CPUs
use round constants to break symmetry
diffuse key bits into round keys
enough non-linearity to hinder analysis
simplicity of description
49. AES Decryption
AES decryption is not identical to encryption
since steps done in reverse
but can define an equivalent inverse cipher with
steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
51. Implementation Aspects
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed
using 4 table lookups + 4 XORs
at a cost of 4Kb to store tables
designers believe this very efficient
implementation was a key factor in its selection
as the AES cipher
52. Summary
have considered:
the AES selection process
the details of Rijndael – the AES cipher
looked at the steps in each round
the key expansion
implementation aspects
54. Firewall
• A firewall is a barrier between a Local Area Network (LAN) and the
Internet. It allows keeping private resources confidential and
minimizes the security risks. It controls network traffic in both
directions.
• The following diagram depicts a sample firewall between LAN and
the internet. The connection between the two is the point of
vulnerability. Both hardware and the software can be used at this
point to filter network traffic.
55. There are two types of Firewall system: One works by using filters at the network layer and
the other works by using proxy servers at the user, application, or network layer.
56. Key Points
• Firewall management must be addressed by both system
managers and the network managers.
• The amount of filtering a firewall performs varies. For the same firewall,
the amount of filtering may be different in different directions.