UNIT-I
 Security trends
 OSI Security Architecture
 Security Attacks
 Security Services
 Security mechanisms
 A Mode...
Cryptography
Cryptography is the study of
Secret (crypto-) writing (-graphy).
2
Cryptography
cryptography - study of encryption
principles/methods.
Cryptography deals with creating
documents that can be...
Cryptanalysis
cryptanalysis (code breaking) - study of
principles/ methods of decrypting cipher
text without knowing key.
4
Cryptology
The areas of cryptography and cryptanalysis
together are called cryptology.
5
Computer Security
generic name for the collection of tools
designed to protect data.
6
Network Security
It is used to protect data during their
transmission.
7
Internet security
It is used to protect data during their
transmission over a collection of
interconnected networks.
8
Security trends
 In 1994, the Internet Architecture Board
(IAB) issued a report entitled "Security in
the Internet Archit...
CERT Statistics
security trend in Internet-related
vulnerabilities reported to CERT over a
10-year period.
These include s...
CERT Statistics
11
OSI Security Architecture
The OSI (open systems interconnection)
security architecture provides a systematic
framework for...
Services, Mechanisms, Attacks
consider three aspects of information
security:
 security attack
 security mechanism
 sec...
Security service
A service that enhances the security of
data processing systems and information
transfers.
A security ser...
Security Services
 Authentication
 Access control
 Data Confidentiality
 Data Integrity
 Non-Repudiation
15
Authentication
Authentication is a process of verification
of the sender.
16
Access Control
prevention of the unauthorized use of a
resource
17
Data Confidentiality
protection of data from unauthorized
disclosure.
18
Data Integrity
assurance that data received is as sent by
an authorized entity
19
Non-Repudiation
Nonrepudiation prevents either sender or
receiver from denying a transmitted
message.
20
Security Mechanism
A mechanism that is designed to detect,
prevent, or recover from a security attack.
21
Encipherment
The use of mathematical algorithms to
transform data into a form that is not
readily intelligible.
22
Digital signature
A valid digital signature gives a recipient
reason to believe that the message was
created by a known se...
Access control
A variety of mechanisms that enforce
access rights to resources.
24
Data integrity
A variety of mechanisms used to assure the
integrity of a data unit.
25
Traffic padding
The insertion of bits into gaps in a data
stream to avoid traffic analysis attempts.
26
Routing control
Enables selection of particular physically
secure routes for data.
27
Notarization
The use of a trusted third party to assure
certain properties of a data exchange.
28
Security Attack
Any action that compromises the security of
information.
The terms threat and attack are often used to mean the same thing.
29
passive attacks
 Passive attacks attempt to learn or make
use of information from the system but do
not affect system r...
Release of message contents
31
Traffic analysis
32
Active attacks
 active attacks attempt to alter system
resources or affect their operation.
 Easy to detect because they...
Masquerade
A masquerade takes place when one
entity pretends to be a different entity.
34
Masquerade
35
Replay
36
Modification of messages
37
Denial of service
38
Model for Network Security
39
Model for Network Security
 design a suitable algorithm for the security
transformation
 generate the secret keys used b...
Model for Network Access Security
Symmetric Encryption
 Symmetric encryption, also referred to as
conventional encryption or single-key
encryption
 All tr...
Some Basic Terminology
 plaintext - original message
 Cipher text - coded message
 key – shared by both sender and rece...
Symmetric Cipher Model
Cryptography
characterize cryptographic system by:
 type of encryption operations used
 substitution / transposition / p...
Cryptanalysis
There are two general approaches to attacking a
conventional encryption scheme:
 cryptanalytic attack
 brute-...
Cryptanalytic attack
Cryptanalytic attacks rely on the nature of the
algorithm plus perhaps some knowledge of the
general ...
Brute-force attack
Brute-force attacks try every possible key on a
piece of cipher text until plaintext is obtained.
48
Types of Encryption Schemes
Encryption
Classical Modern
Rotor Machines
Substitution Public KeyTransposition Secret Key
Blo...
Substitution Techniques
letters of plaintext are replaced by other
letters or by numbers or symbols.
50
Caesar Cipher
The Caesar cipher involves replacing
each letter of the alphabet with the
letter standing k places further d...
Caesar Cipher
• mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6...
Caesar Cipher
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
53
Brute-Force Cryptanalysis of
Caesar Cipher
If it is known that a given cipher text is a
Caesar cipher, then a brute-force
...
55
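The Caesar shift and the brute-force search the slides describe, written out as an added example (not code from the slides): encryption, decryption, and a search over all 25 keys that scores each candidate against a small constructed English word list so the meaningful plaintext can be picked out automatically.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, k: int) -> str:
    """Replace each letter with the one k places further down the alphabet.
    Non-letters pass through; output is upper-case, as in the slide example."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """Decryption is encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -k).lower()


def brute_force(ciphertext: str) -> dict:
    """Return every candidate plaintext keyed by the shift that produced it.
    There are only 25 non-trivial keys, which is why the cipher falls to
    exhaustive search the moment the analyst knows a Caesar cipher was used."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def most_english(candidates: dict) -> int:
    """Pick the shift whose candidate contains the most common English words.
    The word list is a constructed stand-in for a real dictionary."""
    common = {"the", "me", "after", "party", "meet", "a", "and", "of", "to"}

    def score(text: str) -> int:
        return sum(w in common for w in text.split())

    return max(candidates, key=lambda k: score(candidates[k]))


if __name__ == "__main__":
    c = caesar_encrypt("meet me after the toga party", 3)
    print(c)                       # PHHW PH DIWHU WKH WRJD SDUWB
    cands = brute_force(c)
    k = most_english(cands)
    print(k, cands[k])             # 3 meet me after the toga party
```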
Monoalphabetic Ciphers
mono alphabetic substitution uses
fixed substitution over the entire message
56
Mono alphabetic Ciphers
Shuffle the letters and map each plaintext letter
to a different random ciphertext letter:
Plain l...
Monoalphabetic Cipher Security
• the monoalphabetic substitution cipher is
not secure
• problem is language characteristics
Relative Frequency of Letters in English Text
59
Monoalphabetic Cipher
the relative frequency of the letters can be
determined and compared to a standard
frequency distrib...
Playfair Cipher
The Playfair algorithm is based on the use
of a 5 × 5 matrix of letters constructed
using a keyword.
Plain...
62
Playfair Cipher
• Rules:
– Take a pair of letters from plaintext
– Separate repeating letters with an x
– Plaintext let...
Playfair Cipher
63
Keyword: LARGEST
Plain text: Mu st se ey ou
Cipher text: UZTBDLGZPN
Hill Cipher
The encryption algorithm takes m
successive plaintext letters and
substitutes for them m cipher text letters.
...
Hill Cipher
65
Hill Cipher
where C and P are column vectors of
length 3, representing the plaintext and
cipher text, and K is a 3 x 3 mat...
Hill Cipher
In general terms, the Hill cipher system can
be expressed as follows:
C = E(K, P) = KP mod 26
P = D(K^-1, C) = ...
Hill Cipher
68
Consider the message ‘CAT', and the key GYBNQKURP
For Example if the key is an 3 X 3 matrix
Plain Text : paymoremoney
m=3
(p a y)=(15 0 24)
So Encryption is as follows
(15 ...
For decryption you have to find K^-1.
How to find the inverse of K, that is K^-1:
1. Find the adjoint of the element in the mat...
Now K^-1 = (det K)^-1 · adj(K) mod 26, and here det K = -939:
(det K)^-1 = 1/(-939) = (-939)^-1
=
(-939 mod 26)^-1
(the easy way to find -939 mod 26 is to keep
addin...
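The full Hill encryption and key-inversion procedure, as an added example (not the slides' code): a 3 × 3 key is applied to column vectors of three letters, and the inverse key is built from the adjugate and the modular inverse of the determinant, which is the step the slide is working through. The slide's key for "paymoremoney" is the one whose determinant is -939; it is supplied here as the matrix whose determinant has that value, and the key GYBNQKURP from the slide is used for the "CAT" example.

```python
from math import gcd


def mod_inverse(a: int, m: int = 26) -> int:
    """Multiplicative inverse of a modulo m (extended Euclidean algorithm).
    Raises if gcd(a, m) != 1, i.e. if the key is not invertible."""
    a %= m
    if gcd(a, m) != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    r0, r1, t0, t1 = m, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    return t0 % m


def det3(k: list) -> int:
    return (k[0][0] * (k[1][1] * k[2][2] - k[1][2] * k[2][1])
            - k[0][1] * (k[1][0] * k[2][2] - k[1][2] * k[2][0])
            + k[0][2] * (k[1][0] * k[2][1] - k[1][1] * k[2][0]))


def adjugate3(k: list) -> list:
    """Transpose of the cofactor matrix (the 'adjoint' of the slide)."""
    def minor(r: int, c: int) -> int:
        rows = [k[i] for i in range(3) if i != r]
        m = [[row[j] for j in range(3) if j != c] for row in rows]
        return m[0][0] * m[1][1] - m[0][1] * m[1][0]

    cof = [[(-1) ** (r + c) * minor(r, c) for c in range(3)] for r in range(3)]
    return [[cof[c][r] for c in range(3)] for r in range(3)]


def inverse_key(k: list) -> list:
    """K^-1 = (det K)^-1 * adj(K) mod 26."""
    inv_det = mod_inverse(det3(k) % 26)
    adj = adjugate3(k)
    return [[(inv_det * adj[r][c]) % 26 for c in range(3)] for r in range(3)]


def key_from_string(s: str) -> list:
    """Nine letters, written row by row, e.g. GYBNQKURP."""
    v = [ord(c) - 65 for c in s.upper()]
    return [v[0:3], v[3:6], v[6:9]]


def _apply(k: list, text: str) -> str:
    nums = [ord(c) - 65 for c in text.upper() if c.isalpha()]
    while len(nums) % 3:
        nums.append(23)          # pad with X (a constructed convention)
    out = []
    for i in range(0, len(nums), 3):
        p = nums[i:i + 3]        # one plaintext column vector
        for row in k:            # C = K P mod 26, one row at a time
            out.append(chr(65 + sum(a * b for a, b in zip(row, p)) % 26))
    return "".join(out)


def hill_encrypt(plaintext: str, k: list) -> str:
    return _apply(k, plaintext)


def hill_decrypt(ciphertext: str, k: list) -> str:
    return _apply(inverse_key(k), ciphertext)


# Key with determinant -939, used for the "paymoremoney" example.
K_PAY = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]

if __name__ == "__main__":
    print(det3(K_PAY), det3(K_PAY) % 26, mod_inverse(det3(K_PAY) % 26))
    print(inverse_key(K_PAY))
    print(hill_encrypt("paymoremoney", K_PAY))
    print(hill_encrypt("CAT", key_from_string("GYBNQKURP")))
```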
Polyalphabetic Ciphers
Each plaintext letter has multiple
corresponding cipher text letters.
72
Vigenère Cipher
The Vigenère cipher is a method
of encrypting alphabetic text by using a
series of different Caesar cipher...
Vigenère Cipher
To encrypt a message, a key is needed that
is as long as the message. Usually, the key
is a repeating keyword...
75
One-time pad
The one-time pad's security comes from
its key; the key is EQUAL to the length of
the plaintext and is COMPL...
One-time pad
Message          H  E  L  L  O
                 7  4 11 11 14
Key              X  M  C  K  L
+               23 12  2 10 11
= Message + key 30 16 13 21 25
= mod 26         4 16 13 21 25 M...
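The Vigenère and one-time pad slides describe the same letter-wise addition mod 26; the only difference is the key. As an added example (not from the slides), one routine handles both: with a short repeating keyword it is the Vigenère cipher, and with a random key exactly as long as the message it is the one-time pad. The helper reproduces the slide's HELLO/XMCKL table row by row.

```python
import secrets
import string

A = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Letter i is shifted by key[i mod len(key)] (subtracted when decrypting).
    When len(key) == len(text) and the key is random and used once, this is
    exactly the one-time pad."""
    shifts = [A.index(k) for k in key.upper() if k.isalpha()]
    out = []
    for i, ch in enumerate(c for c in text.upper() if c.isalpha()):
        s = shifts[i % len(shifts)]
        if decrypt:
            s = -s
        out.append(A[(A.index(ch) + s) % 26])
    return "".join(out)


def one_time_pad_key(length: int) -> str:
    """A pad must be truly random and as long as the message. The operating
    system's CSPRNG stands in for a physical randomness source here."""
    return "".join(secrets.choice(A) for _ in range(length))


def worked_table(msg: str, key: str) -> tuple:
    """The slide's table: message numbers, key numbers, their sum, the sum mod 26."""
    m = [A.index(c) for c in msg]
    k = [A.index(c) for c in key]
    s = [a + b for a, b in zip(m, k)]
    return m, k, s, [x % 26 for x in s]


if __name__ == "__main__":
    print(worked_table("HELLO", "XMCKL"))
    print(vigenere("HELLO", "XMCKL"))            # EQNVZ
    pad = one_time_pad_key(5)
    print(pad, vigenere(vigenere("HELLO", pad), pad, decrypt=True))
```

The reason the pad must never be reused is visible in the arithmetic: two ciphertexts under the same key differ by exactly the difference of their plaintexts, so the key cancels out.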
Transposition Encryption
The positions of the plaintext letters are changed.
78
Rail Fence cipher
The simplest such cipher is the rail fence technique, in
which the plaintext is written down as a sequen...
Row Transposition Ciphers
A more complex transposition cipher is to
write the message in a rectangle, row by row,
and read...
Row Transposition Ciphers
81
Rotor machine
In cryptography, a rotor machine is an
electro-mechanical device used for
encrypting and decrypting secret
m...
Example of Rotor Machine
83
Steganography
Steganography is the art and science of
writing hidden messages in such a way
that no one knows, apart from ...
Character marking:
text are overwritten in pencil The marks
are ordinarily not visible unless the paper
is held at an angl...
Invisible ink
A number of substances can be used for
writing but leave no visible trace until heat
or some chemical is app...
Pin punctures:
Small pin punctures on selected letters are
ordinarily not visible unless the paper is
held up in front of ...
Block Cipher Principles
A block cipher is an encryption/decryption
scheme in which a block of plaintext is
treated as a wh...
Block Cipher
Divide input bit stream into n-bit sections, encrypt only that section.
89
Block cipher versus Stream
Ciphers
 block ciphers process messages in blocks
 stream ciphers process messages in bit
or ...
Reversible Mapping
Each block of plain text must produce a
unique cipher text block. Such a
transformation is called rever...
Reversible Mapping
92
Irreversible Mapping
Each block of plain text must not produce
a unique cipher text block. Such a
transformation is called...
Irreversible Mapping
94
Feistel cipher
Feistel cipher is a symmetric structure used in
the construction of block ciphers.
95
Confusion and Diffusion
• "Confusion" = substitution (non-linear function)
• a -> b
• "Diffusion" = transposition (linear ...
Confusion
Each bit of the cipher text block has highly
nonlinear relations with the plaintext block
bits and the key bits....
Diffusion
Each plaintext block bit or key bit affects
many bits of the cipher text block.
98
99
Feistel Cipher Structure
 The inputs to the encryption algorithm are a
plaintext block of length 2w bits and a key K.
 T...
Feistel Cipher Structure
A substitution is performed on the left
half of the data. This is done by applying
a round functi...
Feistel Cipher structure
102
Feistel Cipher structure
103
Feistel Cipher Design Elements
block size - increasing the size improves
security, but decreases the encryption
speed.
key size...
Feistel Cipher Design Elements
subkey generation algorithm - greater
complexity can make analysis harder, but
decreases the en...
Simplified DES
 Developed in 1996 as a teaching tool
 Santa Clara University
 Prof. Edward
 Takes an 8-bit block plaintex...
107
Five Functions to Encrypt
 IP – an initial permutation
 fk - a complex, 2-input function
 SW – a simple permutation tha...
109
110
111
112
113
114
115
116
DES
The Data Encryption Standard (DES) is
a block cipher that uses shared secret
encryption.
data are encrypted in 64-bit ...
DES
• Adopted in 1976 as US Government
standard encryption technique
• Utilizes a 56-bit symmetric key
• Cracked in 1998
•...
119
DES
• First, the 64-bit plaintext passes through
an initial permutation (IP) that rearranges
the bits to produce the permu...
DES
• The output of the last (sixteenth) round
consists of 64 bits that are a function of
the input plaintext and the key....
64 Bit input
122
Initial permutation
123
124
Figure 23-13
Permutation
125
Details of Single Round
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ ...
127
[Figure: Expansion permutation E, 32-bit input to 48-bit output; input bits 1 4 5 8 9 12 13 16 17 20 21 24 25 28 29 32 mark the edges of the eight 4-bit groups]
Definition of DES S-Boxes
129
S-Boxes
• The substitution consists of a set of eight
S-boxes, each of which accepts 6 bits as
input and produces 4 bits a...
Example
• For example, in S1 for input 011001, the
row is 01 (row 1) and the column is 1100
(column 12).
• The value in ro...
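The S-box lookup rule above (outer two bits pick the row, inner four the column) together with the expansion permutation that feeds it, as an added example that is not from the slides. The tables E and S1 are the ones from the DES specification; the other seven S-boxes are omitted, since the lookup rule is identical.

```python
# Expansion table E (32 -> 48 bits) and S-box S1, as specified in DES.
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def expand(bits32: str) -> str:
    """Apply E: output position i carries input bit E[i] (1-based, as in the
    standard). Each 4-bit group is widened to 6 by borrowing its neighbours'
    edge bits, which is why the output is 48 bits long."""
    if len(bits32) != 32:
        raise ValueError("expansion input must be 32 bits")
    return "".join(bits32[e - 1] for e in E)


def sbox_lookup(sbox: list, six: str) -> int:
    """Row = outer bits b1 b6, column = inner bits b2 b3 b4 b5."""
    if len(six) != 6:
        raise ValueError("S-box input must be 6 bits")
    row = int(six[0] + six[5], 2)
    col = int(six[1:5], 2)
    return sbox[row][col]


def sbox_output(sbox: list, six: str) -> str:
    """The 4-bit output written as a bit string."""
    return format(sbox_lookup(sbox, six), "04b")


def six_bit_groups(bits48: str) -> list:
    """Split the expanded, key-mixed 48 bits into the eight S-box inputs."""
    return [bits48[i:i + 6] for i in range(0, 48, 6)]


if __name__ == "__main__":
    print(sbox_lookup(S1, "011001"), sbox_output(S1, "011001"))   # 9 1001
    widened = expand("0001" * 8)
    print(len(widened), six_bit_groups(widened)[0])
```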
S-Boxes
132
133
Key Generation
134
64 bit input key
135
Permuted Choice One (PC-1)
136
Permuted Choice Two (PC-2)
137
Schedule of Left Shifts
138
Avalanche Effect
A small change in the plaintext or in the key
results in a significant change in the cipher text.
DES pro...
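A toy Feistel network, added here as an example (not code from the slides) to make the structure slides and the avalanche slide concrete: a 32-bit block is split into two 16-bit halves, each round computes L_i = R_{i-1} and R_i = L_{i-1} ⊕ F(R_{i-1}, K_i), and decryption is the same network run with the subkeys in reverse order. The S-box, rotation amount and key schedule are constructed for this demonstration and are not DES's. The avalanche function counts how many ciphertext bits change when one plaintext bit is flipped, for a chosen number of rounds.

```python
# Constructed 4-bit S-box for the round function (not a DES table).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
W = 16                      # half-block width in bits; block = 2w = 32 bits
MASK = (1 << W) - 1


def round_function(right: int, subkey: int) -> int:
    """F(R, K): mix in the subkey, push each nibble through the S-box
    (confusion), then rotate by 5 so bits cross nibble boundaries (diffusion)."""
    x = (right ^ subkey) & MASK
    y = 0
    for n in range(4):
        y |= SBOX[(x >> (4 * n)) & 0xF] << (4 * n)
    return ((y << 5) | (y >> (W - 5))) & MASK


def subkeys(key: int, rounds: int) -> list:
    """Constructed schedule: rotate the 32-bit key each round, take the low 16 bits."""
    ks = []
    for i in range(rounds):
        key = ((key << 7) | (key >> 25)) & 0xFFFFFFFF
        ks.append((key ^ (i * 0x9E37)) & MASK)
    return ks


def feistel(block: int, ks: list) -> int:
    left, right = block >> W, block & MASK
    for k in ks:
        # L_i = R_{i-1};  R_i = L_{i-1} xor F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << W) | left        # final swap makes the network its own inverse


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds)[::-1])


def avalanche(key: int, block: int, rounds: int = 16) -> int:
    """Number of ciphertext bits that differ after flipping one plaintext bit."""
    c1 = encrypt(block, key, rounds)
    c2 = encrypt(block ^ 1, key, rounds)
    return bin(c1 ^ c2).count("1")


if __name__ == "__main__":
    key, pt = 0xDEADBEEF, 0x12345678   # constructed sample values
    ct = encrypt(pt, key)
    print(hex(ct), hex(decrypt(ct, key)))
    for r in (1, 2, 4, 8, 16):
        print(r, "rounds ->", avalanche(key, pt, r), "bits changed")
```

With a single round only the right half and F's output can change, so at most five of the 32 bits differ; by 16 rounds roughly half of them do, which is the avalanche behaviour the DES slide describes.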
Avalanche Effect in DES
140
The Strength of DES
• The use of 56 bit key
• The Nature of the DES algorithm
• Timing attacks
141
The use of 56 bit key
• With a key length of 56 bits, there are 2^56
possible keys.
• single machine performing one DES
enc...
The Nature of the DES algorithm
Eight S-boxes, that are used in each
iteration.
143
Timing Attacks
timing attack is one in which information
about the key or the plaintext is obtained
by observing how long ...
Differential Cryptanalysis
• Differential cryptanalysis is the first
published attack that is capable of
breaking DES in l...
Differential Cryptanalysis
differential cryptanalysis compares two
related pairs of encryptions.
it is feasible to determi...
Differential Cryptanalysis
Compares Pairs of Encryptions
• with a known difference in the input
• searching for a known di...
Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with
decreas...
Linear Cryptanalysis
For example, the following equation,
states the XOR sum of the first and third
plaintext bits (as in ...
Block Cipher Design
• basic principles still like Feistel's in the 1970s
• number of rounds
– more is better, exhaustive sear...
AES
• DES finally proved insecure in July 1998,
when the Electronic Frontier Foundation
(EFF) announced that it had broken...
AES
AES is a block cipher intended to replace
DES for commercial applications.
It uses a 128-bit block size.
AES does not ...
Evaluation Criteria for AES
153
Security
Minimum key size for AES is 128 bits,
brute-force attacks with current and
projected technology were considered
i...
COST
The algorithm(s) specified in the AES shall
be available on a worldwide, non-
exclusive, royalty-free basis.
155
Computational efficiency
Computational efficiency refers to the
speed of the algorithm.
156
Memory requirement
The memory required to implement a
candidate algorithm for both hardware and
software implementations o...
Algorithm and implementation
characteristics
This category includes a variety of
considerations, including flexibility;
su...
Key Agility
Key agility refers to the ability to change
keys quickly and with a minimum of
resources.
159
The AES Cipher
• The input to the encryption and decryption
algorithms is a single 128-bit block.
• This block is copied i...
161
162
AES
163
164
Substitute Bytes
Transformation
• Replace each byte in the state array with
its corresponding value from the S-Box
00 44 8...
Shift row transformation
• The first row of State is not altered.
• For the second row, a 1-byte circular left
shift is pe...
Shift row transformation
167
Shift row transformation
168
Mix column Transformation
• Apply mix column transformation to each
column.
169
Mix column Transformation
170
Add Round Key
• XOR each byte of the round key with its
corresponding byte in the state array.
171
AddRoundKey
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
S’0,0 S’0,1 S’0,2 S’0,3
S’1,0 ...
Key Expansion Algorithm
• The AES key expansion algorithm takes
as input a 4-word (16-byte) key and
produces a linear arra...
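The four AES round transformations above (SubBytes, ShiftRows, MixColumns, AddRoundKey), as an added example that is not from the slides. Instead of copying the 256-entry S-box it derives it from the definition (multiplicative inverse in GF(2^8) followed by the affine transform), so the reader can see where the table comes from. The state is a 4 × 4 array filled column by column, as in the slides. Key expansion is not included; the round key is assumed to be the all-01 key of the worked example, which the slide's text cuts off.

```python
def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiplication by repeated xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox() -> list:
    """S-box entry = affine transform of the multiplicative inverse of x
    (inverse of 0 is defined as 0). The inverse is found by brute force."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):                      # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = build_sbox()


def bytes_to_state(block: bytes) -> list:
    """state[row][col] = block[row + 4*col]: bytes fill the columns first."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_bytes(st: list) -> bytes:
    return bytes(st[r][c] for c in range(4) for r in range(4))


def sub_bytes(st: list) -> list:
    return [[SBOX[b] for b in row] for row in st]


def shift_rows(st: list) -> list:
    """Row r is circularly shifted left by r bytes; row 0 is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(st)]


def mix_single_column(col: list) -> list:
    a0, a1, a2, a3 = col
    return [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
            gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]


def mix_columns(st: list) -> list:
    cols = [mix_single_column([st[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(st: list, rk: list) -> list:
    """XOR each state byte with the round-key byte in the same position."""
    return [[st[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]


def aes_round(st: list, rk: list) -> list:
    """One full round in the order the slides give."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(st))), rk)


if __name__ == "__main__":
    pt = bytes(range(16))                       # 00 01 02 ... 0F, as on the slide
    rk = bytes([0x01] * 16)                     # assumed: the slide's key is all 01
    st = add_round_key(bytes_to_state(pt), bytes_to_state(rk))
    print(state_to_bytes(st).hex())             # state after the initial AddRoundKey
    print(state_to_bytes(aes_round(st, bytes_to_state(rk))).hex())
```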
174
175
1. Using this Playfair matrix
encrypt this message: cryptography and network security
Answer
176
BGXQHWEGROKWLOSUADAWGIDLDQBPCW
Example
Given the plaintext {00 01 02 03 04 05 06 07 08 09
0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01
01 01 01 01 01 0...
State array
178
State array after initial
AddRoundKey
179
State array after Sub Bytes
180
State array after Shift Rows
181
State array after Mix Columns
182
Example
Consider the given key K and the plaintext,
namely: in hexadecimal notation: 0 1 2 3 4
5 6 7 8 9 A B C D E F
• in ...
A. Derive K1, the first-round sub key.
B. Derive L0, R0.
C. Expand R0 to get E[R0], where E[·] is the
expansion function.
...
UNIT-II
 Multiple Encryption and Triple DES
 Block Cipher Modes of Operation
 Stream cipher and RC4
 Placement of Encr...
Multiple Encryption
Multiple encryption is a technique in
which an encryption algorithm is used
multiple times.
186
Double DES
The simplest form of multiple encryption
has two encryption stages and two keys .
Given a plaintext P and two e...
Double DES
188
Double DES
• Decryption requires that the keys be
applied in reverse order
P = D(K1, D(K2, C))
• this scheme apparently in...
Meet-in-the-middle attack
• Given a known pair, (P, C), the attack
proceeds as follows.
• First, encrypt P for all 2^56
pos...
Meet-in-the-middle attack
• If a match occurs, then test the two
resulting keys against a new known
plaintext-cipher text ...
Triple DES with Two Keys
• Triple DES makes use of three stages of
the DES algorithm, using a total of two or
three distin...
Triple DES with Two Keys
193
Triple DES with Three Keys
• Three-key 3DES has an effective key
length of 168 bits and is defined as
follows:
• C = E(K3,...
Block Cipher Modes of
Operation
• To apply a block cipher in a variety of
applications, four "modes of operation"
have bee...
Electronic Codebook (ECB)
Each block of 64 plaintext bits is encrypted
independently using the same key.
196
Electronic Codebook (ECB)
197
Limitation of ECB
• The most significant characteristic of ECB
is that the same b-bit block of plaintext, if it
appears mo...
Typical Application
• Secure transmission of single values (e.g.,
an encryption key)
199
Cipher Block Chaining (CBC)
200
• To overcome the security deficiencies of
ECB, we would like a technique in which
the sam...
Cipher Block Chaining (CBC)
201
Cipher Block Chaining (CBC)
• use Initial Vector (IV) to start process
C_i = DES_K1(P_i XOR C_{i-1})
C_{-1} = IV
202
Limitations of CBC
• need Initialization Vector (IV)
203
Typical Application
• General-purpose block-oriented
transmission
• Authentication
204
Cipher Feedback (CFB)
205
Input is processed j bits at a time.
Preceding cipher text is used as input to
the encryption al...
Cipher Feedback (CFB)
206
Cipher Feedback (CFB)
207
Limitation of CFB
A possible problem is that if it is used over
a "noisy" link, then any corrupted bit will
destroy values i...
Typical Application
209
• General-purpose stream-oriented
transmission
• Authentication
Output Feedback (OFB)
The alternative to CFB is OFB. Here the
generation of the "random" bits is
independent of the messag...
Output Feedback (OFB)
211
Typical Application
• Stream-oriented transmission over noisy
channel (e.g., satellite communication)
212
Counter (CTR)
Each block of plaintext is XOR ed with an
encrypted counter. The counter is
incremented for each subsequent ...
Counter (CTR)
214
Advantages and Limitations of CTR
can do parallel encryptions in h/w or s/w.
good for bursty high speed links.
provable se...
Typical Application
• General-purpose block-oriented transmission
• Useful for high-speed requirements
216
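ECB, CBC and CTR side by side, as an added example that is not from the slides. The block cipher is a small constructed Feistel network built on SHA-256 (16-byte blocks, not DES's 64-bit blocks), chosen only so the example runs with the standard library; the mode logic is what the slides describe. The point of the demonstration is the ECB limitation: identical plaintext blocks give identical ciphertext blocks, while CBC and CTR hide the repetition. It also shows why a CTR nonce must never be reused under one key.

```python
import hashlib

BLOCK = 16


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    """Round function of the constructed toy cipher (not a real cipher)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(block: bytes, key: bytes, rounds=(0, 1, 2, 3)) -> bytes:
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, key, i)))
    return r + l


def block_decrypt(block: bytes, key: bytes) -> bytes:
    return block_encrypt(block, key, rounds=(3, 2, 1, 0))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    """Each block encrypted independently with the same key."""
    return b"".join(block_encrypt(pt[i:i + BLOCK], key) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    """C_i = E(K, P_i xor C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(xor(pt[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(c, key), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Keystream block n = E(K, nonce || n); XOR into the data. The same call
    decrypts, and a short final block needs no padding."""
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        ks = block_encrypt(nonce + n.to_bytes(8, "big"), key)
        out.append(xor(data[i:i + BLOCK], ks))
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (0 is what we want)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"k" * 16                           # constructed demo key
    pt = b"SAME BLOCK 16B!!" * 4              # four identical plaintext blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(pt, key)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(pt, key, bytes(16))))
    print("CTR repeats:", repeated_blocks(ctr_crypt(pt, key, bytes(8))))
```

The "provable security" and parallelism the CTR slide lists depend on the counter blocks never repeating: reusing a nonce with the same key gives two messages the same keystream, and XORing the two ciphertexts then yields the XOR of the plaintexts, exactly as with a reused one-time pad.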
Stream Ciphers and RC4
217
Stream Ciphers
• stream cipher encrypts plaintext one byte
at a time.
• stream cipher may be designed to operate
on one bi...
Stream Cipher Structure
Design considerations
• long period with no repetitions of pseudo
random key.
• output of the pseudorandom number
generato...
RC4 Basics
• A symmetric key encryption algorithm.
• Invented by Ron Rivest.
• Normally uses 64 bit and 128 bit key sizes....
RC4 Block Diagram
Plain Text
Secret Key
RC4
+
Encrypted
Text
Keystream
RC4 …break up
• Initialize an array of 256 bytes.
• Run the KSA on them
• Run the PRGA on the KSA output to
generate keyst...
Array Initialization
C code:
unsigned char S[256];   /* state array; unsigned so values 128..255 fit */
int i;
for (i = 0; i < 256; i++)
    S[i] = i;           /* identity permutation before the KSA runs */
After this the array would look like this:
S[...
The KSA
• The initialized array S[256] is now run through
the KSA. The KSA uses the secret key to
scramble the array.
• C ...
The PRGA
• The KSA scrambled S[256] array is used to generate the
PRGA. This is the actual keystream.
• C Code:
i = j = 0;...
Encryption using RC4
• Choose a secret key
• Run the KSA and PRGA using the key to
generate a keystream.
• XOR keystream w...
Decryption using RC4
• Use the same secret key as during the encryption phase.
• Generate keystream by running the KSA and...
RC4 Example
• Simple 4-byte example
• S = {0, 1, 2, 3}
• K = {1, 7, 1, 7}
• Set i = j = 0
KSA
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1
Swap S[ i ] with S[ j ]:...
KSA
Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3
Swap S[ i ] with S[ j ]:...
PRGA
Reset i = j = 0, Recall S = {2, 1, 3, 0}
i = i + 1 = 1
j = j + S[ i ] = 0 + 1 = 1
Swap S[ i ] and S[ j ]: S = {2, 1, ...
Analysis of RC4
• Advantages
– Faster than DES
– Enormous key space (average of 1700 bits)
• Disadvantages
– Large number ...
Placement of Encryption
function
If encryption is to be used to counter
attacks on confidentiality, we need to
decide what...
Confidentiality using Symmetric
Encryption
• traditionally symmetric encryption is used
to provide message confidentiality
Placement of Encryption
• link encryption
• end-to-end encryption
237
Link encryption
Link encryption encrypts and decrypts all
data at each end of a communications
link.
238
End-to-end encryption
encryption process is carried out at the
two end systems
239
Placement of Encryption
With end-to-end encryption, user data are
secure, but the traffic pattern is not because
packet he...
Placement of Encryption
• can place encryption function at various
layers in OSI Reference Model
– link encryption occurs ...
Front-End Processor Function
243
244
Traffic Confidentiality
Knowledge about the number and length
of messages between nodes may enable
an opponent to determin...
Information that can be derived from a traffic
analysis attack:
• Identities of partners
• How frequently the partners are...
Link Encryption Approach
Network-layer headers are encrypted,
reducing the opportunity for traffic
analysis.
However, it i...
Traffic-Padding Encryption Device
• Traffic padding produces cipher text
output continuously, even in the absence
of plain...
Traffic-Padding Encryption Device
249
Traffic-Padding Encryption Device
• A continuous random data stream is
generated.
• When plaintext is available, it is enc...
End-to-End Encryption Approach
• if encryption is implemented at the
application layer, then an opponent can
determine whi...
Key Distribution
252
Key Distribution
given parties A and B have various key
distribution alternatives:
1. A can select key and physically deli...
Session key
• Session keys can also be termed
temporary keys or one-time use keys.
Usually after a session, these keys are...
Master key
• session keys are transmitted in encrypted
form, using a master key that is shared
by the key distribution cen...
The Use of a Key Hierarchy
256
Key Distribution Scenario
• A issues a request to the KDC for a
session key to protect a logical connection
to B.
• The KD...
Key Distribution Scenario
• A stores the session key for use in the upcoming
session and forwards to B the information tha...
Key Distribution Scenario
• Using the newly minted session key for
encryption, B sends a nonce, N2, to A.
• Also using Ks,...
Hierarchical Key Control
• It is not necessary to limit the key
distribution function to a single KDC.
Indeed, for very la...
Decentralized Key Control
263
Decentralized Key Control
1. A issues a request to B for a session key and
includes a nonce, N1
2. B responds with a messa...
Principles of Public-Key
Cryptosystems
265
Private-Key Cryptography
• traditional private/secret/single key
cryptography uses one key
• shared by both sender and rec...
Public-Key Cryptography
• Asymmetric encryption is a form of cryptosystem
in which encryption and decryption are performed...
Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
– a public-key, which may...
Principles of Public-Key
Cryptosystems
• The concept of public-key cryptography
evolved from an attempt to attack two of
t...
270
Confidentiality using public-Key
system
Encryption
• Each user generates a pair of keys to be
used for the encryption and decryption of
messages.
• Each user plac...
Encryption
• If Bob wishes to send a confidential
message to Alice, Bob encrypts the
message using Alice's public key.
• W...
273
Authentication using Public-Key
System
Difference between Symmetric Encryption and asymmetric
Encryption
Symmetric encryption Asymmetric encryption
symmetric enc...
Public-Key Cryptosystem:
Secrecy
275
Public-Key Cryptosystem:
Secrecy
• With the message X and the encryption
key PUb as input, A forms the cipher text
Y = [Y1...
Public-Key Cryptosystem:
Authentication
277
Public-Key Cryptosystem:
Authentication and Secrecy
278
Applications for Public-Key
Cryptosystems
• Encryption/decryption
• Digital signature
• Key exchange
279
Requirements for Public-Key
Cryptography
1. It is computationally easy for a party B to
generate a pair (public key PUb, pr...
Requirements for Public-Key
Cryptography
4. It is computationally infeasible for an
opponent, knowing the public key, PUb,...
The RSA Algorithm
282
Our dramatis personae
Rivest Shamir Adleman
283
The RSA Algorithm
The RSA algorithm was developed by Ron
Rivest, Adi Shamir, and Len Adleman at
MIT and first published in 197...
RSA Public Key Cryptosystem
c = m^e mod n
Network
Plain Text Cipher Text Cipher Text Plain Text
Alice
Bob
Bob: (e, n)
Publi...
The RSA Algorithm – Key Generation
1. Select p,q p and q both prime
2. Calculate n = p x q
3. Calculate
4. Select integer ...
The RSA Algorithm - Encryption
• Plaintext: M < n
• Ciphertext: C = M^e mod n
287
The RSA Algorithm - Decryption
• Ciphertext: C
• Plaintext: M = C^d mod n
288
Example
Select two prime numbers, p = 17 and q = 11.
Calculate n = pq = 17 x 11 = 187
Calculate θ(n) = (p -1)(q -1) = 16 x...
Example
Calculate d value using the formula
d=(1+X * θ(n) )/e
X=0 d=(1+0*160)/ 7 = 0.143
X=1 d=(1+1 *160)/7 = 23
d=23
290
Example
PU={e, n}
PR={d , n}
The resulting keys are
public key PU = {7,187}
private key PR = {23,187}.
291
Encryption
Ciphertext: C = M^e mod n
C = 88^7 mod 187
C = 11
292
Decryption
Plaintext: M = C^d mod n
M = 11^23 mod 187
M = 88
293
Example
perform the Encryption and decryption for
p =7, q = 11, e = 17 and m = 8
297
Key generation
Calculate n = pq = 7 x 11 = 77
Calculate θ(n) = (p -1)(q -1) = 6 x 10 = 60
Calculate d value using the form...
Key generation
X=4 d=(1+4*60)/17=14.17
X=5 d=(1+5*60)/17=17.70
X=6 d=(1+6*60)/17=21.23
X=7 d=(1+7*60)/17=24.76
X=8 d=(1+8*...
Key generation
X=11 d=(1+11*60)/17=38.88
X=12 d=(1+12*60)/17=42.41
X=13 d=(1+13*60)/17=45.94
X=14 d=(1+14*60)/17=49.47
X=1...
Key generation
PU={e, n}
PR={d , n}
The resulting keys are
public key PU = {17,77}
private key PR = {53,77}.
301
Encryption
Ciphertext: C = M^e mod n
C = 8^17 mod 77
C = 57
302
Decryption
Plaintext: M = C^d mod n
M = 57^53 mod 77
M = 8
303
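Both worked RSA examples above, as an added example that is not from the slides. The private exponent is computed two ways: the slides' trial method, which searches for the smallest X making (1 + X·φ(n))/e an integer (the slides write θ(n) for φ(n)), and the modular inverse that any real implementation uses. Modular exponentiation is done with Python's built-in pow.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return (public key, private key) as (e, n), (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # d = e^-1 mod phi(n)
    return (e, n), (d, n)


def d_by_trial(e: int, phi: int) -> int:
    """The slides' method: the first X for which (1 + X*phi) is divisible by e."""
    for x in range(e):
        if (1 + x * phi) % e == 0:
            return (1 + x * phi) // e
    raise ValueError("no solution; e and phi are not coprime")


def rsa_encrypt(m: int, pub: tuple) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv: tuple) -> int:
    d, n = priv
    return pow(c, d, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    print(pub, priv, d_by_trial(7, 160))        # (7, 187) (23, 187) 23
    print(rsa_encrypt(88, pub), rsa_decrypt(rsa_encrypt(88, pub), priv))
    pub2, priv2 = rsa_keygen(7, 11, 17)
    print(pub2, priv2, rsa_encrypt(8, pub2), rsa_decrypt(57, priv2))
```

Textbook RSA as shown here is deterministic (the same M always gives the same C) and works on bare integers; deployed systems wrap the message in a randomised padding scheme before exponentiation, and of course use primes of hundreds of digits rather than the two-digit ones the slides use for arithmetic by hand.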
The Security of RSA
Brute force: This involves trying all
possible private keys.
Mathematical attacks: There are several
a...
Key Management
One of the major roles of public-key
encryption has been to address the
problem of key distribution.
• The ...
Distribution of Public Keys
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certi...
Public Announcement of
Public Keys
• any participant can send his or her public
key to any other participant or broadcast
...
Example
• For Example USENET is a public forum
anybody can post a message and read
message.
• it has a major weakness.
• s...
Publicly Available Directory
• can obtain greater security by registering keys
with a public directory
• The authority mai...
Public-Key Authority
Stronger security for public-key distribution
can be achieved by providing tighter
control over the d...
Public-Key Authority
1. A sends a time stamped message to the public-key authority containing a
request for the current pu...
Public-Key Authority
A stores B's public key and also uses it to encrypt a message to B containing
an identifier of A(IDA)...
Public-Key Certificates
316
Public-Key Certificates
• Any participant can read a certificate to
determine the name and public key of the
certificate's...
Distribution of Secret Keys Using Public-Key
Cryptography
• Simple Secret Key Distribution
• Secret Key Distribution with
...
Simple Secret Key
Distribution
1. A generates a public/private key pair
{PUa, PRa} and transmits a message to B
consisting ...
Simple Secret Key
Distribution
3. A computes D(PRa, E(PUa, Ks)) to
recover the secret key. Because only A
can decrypt the ...
Man-in-the-middle attack
1. A generates a public/private key pair
{PUa, PRa} and transmits a message
intended for B consist...
Man-in-the-middle attack
3. B generates a secret key, Ks, and
transmits E(PUe, Ks).
4. E captures the message, and learns Ks ...
Secret Key Distribution with
Confidentiality and Authentication
324
1. A uses B's public key to encrypt a
message to B containing an identifier of A
(IDA) and a nonce (N1), which is used to
...
3. A returns N2 encrypted using B's public
key, to assure B that its correspondent is
A.
4. A selects a secret key Ks and ...
Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable
two users to securely exchange a key that
can then b...
Primitive roots
p is a prime number.
a is a primitive root of p if it satisfies
the following condition:
a mod p, a^2 mod...
Primitive roots
3 is a primitive root of 5:
a = 3, p = 5
 i   a^i   a^i mod 5
 1    3        3
 2    9        4
 3   27        2
 4   81        1
329
Primitive roots
4 is not a primitive root of 5:
a = 4, p = 5
 i   a^i   a^i mod 5
 1    4        4
 2   16        1
 3   64        4
 4  256        1
330
The Diffie-Hellman Key
Exchange Algorithm
331
Diffie-Hellman Example
Users A and B use the Diffie-Hellman key
exchange technique with a common prime
q = 71 and a primit...
Diffie-Hellman Example
Y_A = a^{X_A} mod q = 7^5 mod 71 = 51
Y_B = a^{X_B} mod q = 7^12 mod 71 = 4
338
Diffie-Hellman Example
K = Y_B^{X_A} mod q = 4^5 mod 71 = 30
K = Y_A^{X_B} mod q = 51^12 mod 71 = 30
339
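The primitive-root test from the tables above and the Diffie-Hellman exchange with the slides' numbers (q = 71, a = 7, X_A = 5, X_B = 12), as an added example that is not from the slides. The power table function reproduces the a^i / a^i mod p columns, and the exchange computes both public values and confirms that the two sides derive the same key.

```python
def power_table(a: int, p: int) -> list:
    """Rows (i, a^i, a^i mod p) for i = 1 .. p-1, as in the slide tables."""
    return [(i, a ** i, pow(a, i, p)) for i in range(1, p)]


def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p when a, a^2, ..., a^(p-1) mod p
    produce every value 1 .. p-1 exactly once."""
    return sorted(pow(a, i, p) for i in range(1, p)) == list(range(1, p))


def dh_exchange(q: int, a: int, x_a: int, x_b: int) -> tuple:
    """Return (Y_A, Y_B, K). Each side publishes Y = a^X mod q and raises the
    other side's Y to its own private X; both get a^(X_A X_B) mod q."""
    y_a = pow(a, x_a, q)
    y_b = pow(a, x_b, q)
    k_a = pow(y_b, x_a, q)
    k_b = pow(y_a, x_b, q)
    if k_a != k_b:
        raise AssertionError("the two sides disagree, which cannot happen mathematically")
    return y_a, y_b, k_a


if __name__ == "__main__":
    for row in power_table(3, 5):
        print(*row)
    print(is_primitive_root(3, 5), is_primitive_root(4, 5))   # True False
    print(dh_exchange(71, 7, 5, 12))                           # (51, 4, 30)
```

Only Y_A and Y_B travel over the network; recovering X_A from Y_A is the discrete logarithm problem. The exchange as written authenticates nobody, so an attacker positioned between A and B could run two separate exchanges, one with each; that is the man-in-the-middle weakness the key-distribution slides describe, and it is why deployed protocols sign or otherwise authenticate the Y values.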
Diffie-Hellman Example
Consider a Diffie-Hellman scheme with a
common prime q = 11 and a primitive root
a = 2.
I. Show tha...
Elliptic Curve Cryptography
Elliptic curve cryptography (ECC) is a
public key encryption technique based on
elliptic cur...
Elliptic Curve Cryptography
ECC generates keys through the
properties of the elliptic curve equation
instead of the tradit...
Elliptic Curve Cryptography
• ECC requires significantly smaller key
size with same level of security.
• Benefits of havin...
elliptic curve
• Elliptic curves are not ellipses. They are
so named because they are described by
cubic equations, used f...
elliptic curve
345
ECC Diffie-Hellman Key Exchange
346
UNIT-III
351
Contents
 Message Authentication and Hash functions
Authentication requirements
Authentication functions
Message Authenti...
Authentication requirements
 disclosure
 traffic analysis
 masquerade
 content modification
 sequence modification
 ...
Authentication Functions
Message encryption: The cipher text of the
entire message serves as its authenticator
Message aut...
Basic Uses of Message Encryption
355
Internal Error Control
359
External Error Control
360
Message Authentication Codes
Message authentication code (often
MAC) is a short piece of information used
to authenticate ...
Message Authentication Codes
MAC = C(K, M)
M = input message
C= MAC function
K= shared secret key
MAC= message authenticat...
Basic Uses of Message
Authentication Code
363
Requirements for MACs
1. knowing a message and its MAC, it is infeasible
to find another message with the same MAC
2. MACs should be ...
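MAC = C(K, M) in practice, as an added example that is not from the slides: HMAC-SHA256 from the standard library plays the role of the function C, verification recomputes the tag and compares it in constant time, and the message is framed with the sender identity and a sequence number so that the masquerade and sequence-modification threats from the requirements list are covered by the tag. The key is a constructed demo value.

```python
import hashlib
import hmac

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key


def mac(key: bytes, message: bytes) -> bytes:
    """MAC = C(K, M), with HMAC-SHA256 as the function C."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so the comparison's running time
    does not leak how many leading tag bytes were right."""
    return hmac.compare_digest(mac(key, message), tag)


def frame(sender: str, seq: int, body: bytes) -> bytes:
    """Bind identity and a sequence number into the authenticated bytes."""
    return sender.encode() + b"|" + seq.to_bytes(4, "big") + b"|" + body


def demo() -> tuple:
    """(genuine accepted, modified content rejected, replayed sequence rejected)."""
    m = frame("alice", 7, b"transfer 100")
    t = mac(KEY, m)
    genuine = verify(KEY, m, t)
    modified = verify(KEY, frame("alice", 7, b"transfer 900"), t)
    resequenced = verify(KEY, frame("alice", 8, b"transfer 100"), t)
    return genuine, modified, resequenced


if __name__ == "__main__":
    print(demo())    # (True, False, False)
```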
Data Authentication Algorithm
• Data Authentication Algorithm (DAA) is
a widely used MAC based on DES-CBC
– using IV=0 and...
Data Authentication Algorithm
Hash Function
A hash function accepts a variable-size
message M as input and produces a fixed-
size output, referred to as a...
Basic Uses of Hash Function
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to c...
Weak collision resistance
Given an input m1 it should be difficult to
find another input m2 (where m1 != m2)
such that H(m...
Strong collision resistance
It should be difficult to find two different
messages m1 and m2 such that
H(m1)=H(m2)
378
Hash Functions & MAC Security
• like block ciphers have:
• brute-force attacks exploiting
– strong collision resistance ha...
Hash Functions & MAC Security
• cryptanalytic attacks exploit structure
– like block ciphers want brute-force attacks to b...
Secure Hash Algorithms
The Secure Hash Algorithm (SHA) was
developed by the National Institute of
Standards and Technology...
Types of SHA
1. SHA-0
2. SHA-1
3. SHA-224
4. SHA-256
5. SHA-384
6. SHA-512
382
Comparisons
                      SHA-1     SHA-256   SHA-384   SHA-512
Message digest size   160       256       384       512
Message size          < 2^64    < 2^64    < 2^128   < 2^128
Block siz...
SHA-512
• The algorithm takes as input a message
with a maximum length of less than 2^128
bits
and produces as output a 512...
SHA-512 Logic
Padding is the addition of one or more
extra bits to a transmission.
385
Message Digest Generation Using SHA-512
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash buffer...
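As an added worked example (not from the slides), the padding of steps 1-2 and the expansion of one padded 1024-bit block into the 80-word round input, in Python; the 896 mod 1024 padding boundary and the sigma functions are those of the SHA-512 specification, and the sample messages are constructed.

```python
import struct

BLOCK_BYTES = 128    # one 1024-bit block
LENGTH_BYTES = 16    # step 2 appends the message length as a 128-bit big-endian integer
MASK64 = (1 << 64) - 1


def sha512_pad(msg: bytes) -> bytes:
    """Steps 1-2: append a single 1 bit, 0 bits up to 896 mod 1024 bits, then the length.

    Padding is always applied, even when the message already fills a block exactly,
    so the result is always a whole number of 1024-bit blocks.
    """
    bit_len = len(msg) * 8
    if bit_len >= 1 << 128:
        raise ValueError("SHA-512 is defined only for messages shorter than 2^128 bits")
    padded = msg + b"\x80"  # the 1 bit followed by seven 0 bits
    # zero bytes until the length is 16 bytes short of a block boundary (112 mod 128)
    padded += b"\x00" * ((BLOCK_BYTES - LENGTH_BYTES - len(padded)) % BLOCK_BYTES)
    return padded + bit_len.to_bytes(LENGTH_BYTES, "big")


def sha512_blocks(msg: bytes) -> list:
    """Step 4 input: the padded message cut into N 1024-bit blocks."""
    padded = sha512_pad(msg)
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]


def rotr(x: int, n: int) -> int:
    """Rotate a 64-bit word right by n bits."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def message_schedule(block: bytes) -> list:
    """Expand one 1024-bit block into the 80 64-bit words W_0..W_79 fed to the rounds."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly 1024 bits")
    w = list(struct.unpack(">16Q", block))  # W_0..W_15 are the block's own words
    for t in range(16, 80):
        sigma0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        sigma1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((sigma1 + w[t - 7] + sigma0 + w[t - 16]) & MASK64)  # addition mod 2^64
    return w


if __name__ == "__main__":
    # constructed input: 200 bytes pads to two blocks (1600 bits + padding > 1024)
    blocks = sha512_blocks(b"a" * 200)
    print(len(blocks), "blocks;", len(message_schedule(blocks[0])), "schedule words")
```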
Processing of a Single 1024-Bit Block
• A 512-bit buffer is used to hold
intermediate and final results of the hash
funct...
a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
d = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6...
SHA-512 Processing of a Single 1024-Bit Block
• Each round takes as input the 512-bit
buffer value abcdefgh, and updates t...
H_0 = IV
H_i = SUM_64(H_{i-1}, abcdefgh_i)
MD = H_N
• where
IV = initial value of the abcdefgh buffer,
• abcdefgh_i = the output of the last round of
processing of the ith messa...
SHA-512 Round Function
Creation of 80-word Input Sequence for SHA-512 Processing of Single Block
Whirlpool
• Whirlpool is based on the use of a block
cipher for the compression function.
• It takes a message of any leng...
Features
• The hash code length is 512 bits
• The underlying block cipher is based on
AES.
404
Whirlpool Hash Structure
405
Message Digest Generation Using Whirlpool
Whirlpool Overview
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize hash matrix
Step 4: Process messag...
Comparison of Whirlpool Block Cipher W and AES
                    W      AES
Block size (bits)   512    128
Key size (bits)     512    128, 192, or 256
Matrix...
Whirlpool Block Cipher W
The encryption algorithm takes a 512-bit
block of plaintext and a 512-bit key as
input and produc...
Whirlpool Matrix Structure
• The plaintext input to W is a single 512-bit
block.
• This block is treated as an 8 x 8 squar...
The Nonlinear Layer SB
The leftmost 4 bits of the byte are used as
a row value and the rightmost 4 bits are
used as a colu...
Mix Row
• Each byte of a row is mapped into a new
value that is a function of all eight bytes in
that row.
• The transform...
Whirlpool Performance & Security
• Whirlpool is a very new proposal, hence
there is little experience with use
• compared ...
MAC
Types of MAC
HMAC (Hash-based Message Authentication Code)
CMAC (Cipher-based Message Authentication Code)
HMAC
The message authentication code is generated
by a hash function.
HMAC is computationally very fast and
very compact.
Any cr...
HMAC Algorithm
H = embedded hash function
IV = initial value input to hash function
M = message input to HMAC
Yi = ith blo...
HMAC Algorithm
K+ = K padded with zeros on the left
ipad = 00110110 (36 in hexadecimal)
opad = 01011100 (5C in hexadecimal...
HMAC Overview
1. Append zeros to the left end of K to create
a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit
bl...
HMAC Overview
6. Append the hash result from step 4 to S_o
7. Apply H to the stream generated in step 6
and output the result...
Efficient Implementation of HMAC
Two quantities are precomputed
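An added Python example, not from the slides, that builds HMAC from steps 1-7 over a standard-library hash and then shows the efficient form in which the two key-dependent hash states are precomputed once. The key and message are constructed; the key is padded with zeros after its bytes, as RFC 2104 specifies, which is what the standard library's hmac module (used here only as a cross-check) does.

```python
import hashlib
import hmac  # standard-library HMAC, used only to cross-check the hand-built version

IPAD_BYTE = 0x36  # ipad = 00110110, repeated to fill one hash block
OPAD_BYTE = 0x5C  # opad = 01011100, repeated to fill one hash block


def pad_key(key: bytes, hash_name: str) -> bytes:
    """Return K+: the key padded with zeros to the block size b of the embedded hash H.

    RFC 2104 puts the zeros after the key bytes, and a key longer than b bytes
    is first replaced by H(K).
    """
    b = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1/SHA-256, 128 for SHA-512
    if len(key) > b:
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (b - len(key))


def hmac_by_hand(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], following steps 1-7."""
    k_plus = pad_key(key, hash_name)                       # step 1
    s_i = bytes(kb ^ IPAD_BYTE for kb in k_plus)           # step 2: S_i = K+ XOR ipad
    inner = hashlib.new(hash_name, s_i + msg).digest()     # steps 3-4: H(S_i || M)
    s_o = bytes(kb ^ OPAD_BYTE for kb in k_plus)           # step 5: S_o = K+ XOR opad
    return hashlib.new(hash_name, s_o + inner).digest()    # steps 6-7: H(S_o || inner)


class PrecomputedHmac:
    """Efficient form: the hash states after absorbing S_i and S_o depend only on
    the key, so they are computed once and copied for every message."""

    def __init__(self, key: bytes, hash_name: str = "sha256") -> None:
        k_plus = pad_key(key, hash_name)
        self._inner = hashlib.new(hash_name, bytes(kb ^ IPAD_BYTE for kb in k_plus))
        self._outer = hashlib.new(hash_name, bytes(kb ^ OPAD_BYTE for kb in k_plus))

    def tag(self, msg: bytes) -> bytes:
        inner = self._inner.copy()   # per message: only M and the inner digest are hashed
        inner.update(msg)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        # Constant-time comparison, so timing does not reveal how many tag bytes matched.
        return hmac.compare_digest(self.tag(msg), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check both hand-built forms against the standard library's HMAC."""
    expected = hmac.new(key, msg, hash_name).digest()
    return hmac_by_hand(key, msg, hash_name) == expected == PrecomputedHmac(key, hash_name).tag(msg)


if __name__ == "__main__":
    key, msg = b"constructed-shared-secret-key", b"constructed message to authenticate"
    print(hmac_by_hand(key, msg, "sha512").hex(), matches_stdlib(key, msg, "sha512"))
```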
CMAC
The message authentication code is generated
by a block cipher.
CMAC Overview
CMAC Overview
The message is divided into n blocks
M1..Mn, padded if necessary.
The algorithm makes use of a k-bit
encrypt...
CMAC Overview
T = MSB_Tlen(C_n)
where
T = message authentication code, also referred to
as the tag
Tlen = bit length of T
MSB_s(...
Digital signature
A digital signature is an authentication
mechanism that enables the creator of a
message to attach a cod...
Digital Signature Properties
 The signature must be a bit pattern that depends on the
message being signed.
 The signatu...
Direct Digital Signatures
Direct Digital Signatures involve only the
communicating parties.
A digital signature may be for...
Arbitrated Digital Signatures
• involves use of arbiter A
– validates any signed message
– then dated and sent to recipien...
Arbitrated Digital Signatures
438
X = sender
Y = recipient
A = Arbiter
M = message
T = timestamp
Authentication Protocols
• Authentication Protocols are used to
convince parties of each other's identity and
to exchange se...
One-Way Authentication
• required when sender & receiver are not in
communication at the same time (e.g. email)
440
Mutual Authentication
• required when sender & receiver are in
communication at the same time (e.g. client-
server)
441
Digital Signature Standard
The digital signature standard (DSS) is an
NIST standard that uses the secure hash
algorithm (S...
Two Approaches to Digital Signatures
The Digital Signature Algorithm (DSA)
Global Public-Key Components
p = prime number where 2^(L-1) < p < 2^L for 512 <= L <= 1024
q = prime divisor of (p - 1), where 2^159...
User's Private Key
X random or pseudorandom integer with 0 < x < q
446
User's Public Key
y = g^x mod p
User's Per-Message Secret Number
k= random or pseudorandom integer with 0 < k < q
448
Signing
r = (g^k mod p) mod q
s = [k^-1 (H(M) + x r)] mod q
Signature = (r, s)
Verifying
w = (s')^-1 mod q
u1 = [H(M') w] mod q
u2 = (r') w mod q
v = [(g^u1 y^u2) mod p] mod q
TEST: v = r'
M = message to be signed
H(M) = hash of M using SHA-1
M', r', s' = received versions of M, r, s
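An added Python example, not from the slides, that carries the signing and verifying equations above through with constructed toy parameters (p = 23, q = 11, g = 4, x = 7) small enough to check by hand and nowhere near the 512 to 1024-bit p the standard requires; dsa_keygen, dsa_sign and dsa_verify are names chosen here.

```python
import hashlib
import secrets
from typing import Callable, NamedTuple, Optional, Tuple

HashFn = Callable[[bytes], int]


class DsaParams(NamedTuple):
    p: int  # prime modulus, 2^(L-1) < p < 2^L
    q: int  # prime divisor of p - 1
    g: int  # g = h^((p-1)/q) mod p for some 1 < h < p - 1, with g > 1


# Constructed toy parameters (far too small for real use): q = 11 divides p - 1 = 22,
# and g = 2^((23-1)/11) mod 23 = 4 has order exactly 11.
TOY = DsaParams(p=23, q=11, g=4)


def sha1_int(msg: bytes) -> int:
    """H(M) as an integer; SHA-1 as on the slides (FIPS 186-4 DSA uses SHA-2)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")


def dsa_keygen(params: DsaParams, x: Optional[int] = None) -> Tuple[int, int]:
    """Private key x with 0 < x < q; public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(params.q - 1) + 1  # uniform in [1, q-1]
    if not 0 < x < params.q:
        raise ValueError("private key must satisfy 0 < x < q")
    return x, pow(params.g, x, params.p)


def dsa_sign(params: DsaParams, x: int, msg: bytes,
             k: Optional[int] = None, hashfn: HashFn = sha1_int) -> Tuple[int, int]:
    """r = (g^k mod p) mod q,  s = [k^-1 (H(M) + x r)] mod q.

    k is the per-message secret number: it must be fresh and unpredictable for
    every signature (a reused or predictable k exposes x), and r = 0 or s = 0
    means a new k must be drawn.
    """
    p, q, g = params
    h = hashfn(msg)
    while True:
        k_used = secrets.randbelow(q - 1) + 1 if k is None else k
        r = pow(g, k_used, p) % q
        s = (pow(k_used, -1, q) * (h + x * r)) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:  # a caller-supplied k cannot be retried
            raise ValueError("k gives r = 0 or s = 0; choose another k")


def dsa_verify(params: DsaParams, y: int, msg: bytes,
               sig: Tuple[int, int], hashfn: HashFn = sha1_int) -> bool:
    """Accept iff v = r', where v = [(g^u1 y^u2) mod p] mod q."""
    p, q, g = params
    r, s = sig
    # Range check first: s' = 0 has no inverse, and out-of-range r', s' are rejected.
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)                 # w = (s')^-1 mod q
    u1 = (hashfn(msg) * w) % q        # u1 = [H(M') w] mod q
    u2 = (r * w) % q                  # u2 = (r') w mod q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    x, y = dsa_keygen(TOY, x=7)       # y = 4^7 mod 23 = 8
    sig = dsa_sign(TOY, x, b"constructed message")
    print(sig, dsa_verify(TOY, y, b"constructed message", sig))
```

With a constant hash H(M) = 2 and k = 3 the trace is r = (4^3 mod 23) mod 11 = 7, s = 4 * (2 + 49) mod 11 = 6, and verification gives w = 2, u1 = 4, u2 = 3, v = (3 * 6 mod 23) mod 11 = 7 = r.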
Kerberos
Kerberos provides a centralized
authentication server whose function is to
authenticate users to servers and serv...
Kerberos
Kerberos is an authentication service
designed for use in a distributed
environment.
Kerberos makes use of a trus...
455
Requirements for KERBEROS
Secure:
opponent does not find it to be the weak link
Scalable:
The system supports large nu...
A Simple Authentication Dialogue
C = client
AS = authentication server
V = server
ID_C = identifier of user on C
ID_V = ident...
457
A Simple Authentication Dialogue
(1) C -> AS: ID_C || P_C || ID_V
(2) AS -> C: Ticket
(3) C -> V: ID_C || Ticket
Ticket = E(K_V, [ID_C, AD_C, ID_V])
K_V = Secret Key betwee...
A More Secure Authentication Dialogue
 minimize the number of times that a
user has to enter a password
 tickets are not...
Once per user logon session:
(1) C -> AS: ID_C || ID_tgs
(2) AS -> C: E(K_C, Ticket_tgs)
Once per type of service:
(3) C -> TGS: ID_C || ID_V || Ticket_tgs
(4) TGS -> C: Ticket_V
Once per service session:
(5) C -> V: ID_C || Ticket_V
461
Kerberos 4 Overview
462
1. The client requests a ticket-granting ticket on
behalf of the user by sending its user's ID and
password to the AS, toge...
3. The client requests a service-granting ticket on
behalf of the user.
4. The TGS decrypts the incoming ticket and
verifie...
5. The client requests access to a service on
behalf of the user. For this purpose, the
client transmits a message to the s...
Kerberos allows the global distribution of ASs and TGSs,
with each system called a realm. A user may get a ticket for
a lo...
Kerberos realm
• 1. The Kerberos server must have the user ID
and hashed passwords of all participating users
in its databa...
31/03/2005 Authentication Applications 471
Request for Service in another realm:
1-Request ticket
for local TGS
2-Ticket fo...
The minor differences between version 4 and version 5
1) Version 5 has a longer ticket lifetime.
2) Version 5 allows ticke...
X.509 Authentication Service
X.509 is an ITU-T standard for a public key
infrastructure (PKI) and Privilege Management
Inf...
Public-Key Certificate Use
474
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique ...
X.509 Certificates
476
CRL
• certificates have a period of validity
• may need to revoke before expiry, e.g.:
1. user's private key is compromised
...
Obtaining a Certificate
• any user with access to CA can get any
certificate from it
• only the CA can modify a certificat...
CA Hierarchy
• if both users share a common CA then they are
assumed to know its public key
• otherwise CAs must form a h...
CA Hierarchy Use
480
A gets B's certificate using the chain:
X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>
Authentication Procedures:
• CA must authenticate/verify an applicant
before is...
One-Way Authentication
• One way authentication involves a single
transfer of information from one user (A) to
another (B)...
One-Way Authentication:
• 1 message ( A->B) used to establish
– the identity of...
Two-Way Authentication
• 2 messages (A->B, B->A) which also
establishes in addi...
Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which
enables above au...
Public-Key Infrastructure
A public-key infrastructure (PKI) is the set of
hardware, software, people, policies, and
procedur...
Public-Key Infrastructure
End entity: A generic term used to denote
end users, devices (e.g., servers, routers)
Certificat...
Public-Key Infrastructure
CRL issuer: An optional component that a
CA can delegate to publish CRLs.
Repository: A generic ...
Public-Key Infrastructure
489
Public-Key Infrastructure
Registration: This is the process whereby a
user first makes itself known to a CA (directly, or
...
Public-Key Infrastructure
Certification: This is the process in which
a CA issues a certificate for a user's public
key, a...
Public-Key Infrastructure
Cross certification: one certification
authority issues a certificate to another
certificate au...
UNIT-IV
493
Contents
 Pretty Good Privacy
 S/MIME
 IP Security Overview
 IP Security Architecture
 Authentication Header
 Encaps...
Pretty Good Privacy
 PGP provides a confidentiality and
authentication service that can be used for
electronic mail and f...
Pretty Good Privacy
 PGP is an open-source freely available
software package for e-mail security.
 It provides authentic...
Pretty Good Privacy
 It provides compression using the ZIP
algorithm.
 It provides e-mail compatibility using the
radix-...
Pretty Good Privacy
 Ks =session key used in symmetric
encryption scheme
 PRa =private key of user A, used in
public-key...
Pretty Good Privacy
 EP = public-key encryption
 DP = public-key decryption
 EC = symmetric encryption
 DC = symmetric...
501
Authentication
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash
code of the message.
3. The hash ...
Authentication
5. The receiver generates a new hash code
for the message and compares it with the
decrypted hash code. If ...
Confidentiality
1. The sender generates a message and a
random 128-bit number to be used as a
session key for this message ...
Confidentiality
4.The receiver uses RSA with its private key
to decrypt and recover the session key.
5.The session key is ...
Transmission and Reception of PGP Messages
PGP Message Format
 The message component includes the
actual data to be stored or transmitted,
as well as a filename and...
PGP Message Format
 The signature component includes the
following:
 Timestamp: The time at which the
signature was made...
PGP Message Format
 Leading two octets of message digest:
To enable the recipient to determine if
the correct public key ...
PGP Message Format
 The session key component includes
the session key and the identifier of the
recipient's public key t...
Signing the message
 PGP retrieves the sender's private key from the
private-key ring using your_userid as an index. If
yo...
Encrypting the message
 PGP generates a session key and
encrypts the message.
 PGP retrieves the recipient's public key
...
PGP Message Generation
PGP Message Reception
Decrypting the message
 PGP retrieves the receiver's private key
from the private-key ring, using the Key ID
field in
 t...
Authenticating the message
 PGP retrieves the sender's public key from the
public-key ring, using the Key ID field in the...
S/MIME
 Another security service designed for electronic mail
is Sec...
RFC 822
 RFC 822 defines a format for text
messages that are sent using electronic
mail. It has been the standard for Int...
RFC 822
520
MIME
MIME is an extension to the RFC 822
framework that is intended to address
some of the problems and limitations of
the...
MIME
SMTP cannot transmit executable files or other
binary objects.
SMTP cannot transmit text data that includes
national ...
MIME
MIME Message structure
MIME-Version
This header defines the version of MIME used. The...
S/MIME Functions
enveloped data: encrypted content and associated keys
signed data: encoded message + signed digest
clear-si...
Cryptographic Algorithms
Function Requirement
Create a message digest to be used in
forming a digital signature.
MUST supp...
Cryptographic Algorithms
Encrypt message for
transmission with one-time
session key.
Sending and receiving agents MUST sup...
S/MIME Messages
Type Subtype smime Parameter Description
Multipart Signed
A clear-signed message in two parts:
one is the ...
Enveloped data
This consists of encrypted content of any
type and encrypted-content encryption
keys for one or more recipi...
533
enveloped data
Version
Encrypted Content Info
Recipient Info
Version
Recipient ID (issuer and serial number)
Key Encryption Al...

Cyptography and network security

Published in: Engineering, Technology, Education
Slide notes
  • Computer Emergency Response Team
  • See Table 1.4 for details of the 5 Security Service categories and the 14 specific services.
  • Have “passive attacks” which attempt to learn or make use of information from the system but do not affect system resources.
    By eavesdropping on, or monitoring of, transmissions to:
    + obtain message contents (as shown above in Stallings Figure 1.3a), or
    + monitor traffic flows
    Are difficult to detect because they do not involve any alteration of the data.
  • In considering the place of encryption, it's useful to use the following two models. The first models information flowing over an insecure communications channel, in the presence of possible opponents. Hence an appropriate security transform (encryption algorithm) can be used, with suitable keys, possibly negotiated using the presence of a trusted third party.
  • The second model, illustrated in Figure 1.6, is concerned with controlled access to information or resources on a computer system, in the presence of possible opponents. Here appropriate controls are needed on the access and within the system, to provide suitable security. Some cryptographic techniques are useful here also.
  • Briefly review some terminology used throughout the course.
  • Detail the five ingredients of the symmetric cipher model, shown in Stallings Figure 2.1:
    plaintext - original message
    encryption algorithm – performs substitutions/transformations on plaintext
    secret key – control exact substitutions/transformations used in encryption algorithm
    ciphertext - scrambled message
    decryption algorithm – inverse of encryption algorithm
  • Cryptographic systems can be characterized along these three independent dimensions.
  • Typically the objective is to recover the key in use rather than simply to recover the plaintext of a single ciphertext.
    There are two general approaches:
    Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs.
    Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.
  • Substitution ciphers form the first of the fundamental building blocks. The core idea is to replace one basic unit (letter/byte) with another. Whilst the early Greeks described several substitution ciphers, the first attested use in military affairs of one was by Julius Caesar, described by him in Gallic Wars (cf. Kahn pp83-84). Still call any cipher using a simple letter shift a caesar cipher, not just those with shift 3.
  • This mathematical description uses modulo (clock) arithmetic. Here, when you reach Z you go back to A and start again. Mod 26 implies that when you reach 26, you use 0 instead (ie the letter after Z, or 25 + 1 goes to A or 0).
    Example: howdy (7,14,22,3,24) encrypted using key f (ie a shift of 5) is MTBID
  • Note that even given the very large number of keys, being 10 orders of magnitude greater than the key space for DES, the monoalphabetic substitution cipher is not secure, because it does not sufficiently obscure the underlying language characteristics.
  • The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
    The example message is: "meet me after the toga party" with a rail fence of depth 2.
    This sort of thing would be trivial to cryptanalyze.
  • Block ciphers work on a block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them.
  • Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n x 2^n. For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 x 2^64 = 2^70 ≈ 10^21 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable.
  • Biham & Shamir show Differential Cryptanalysis can be successfully used to cryptanalyse the DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions.
    Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as a T attack), and influenced the design of the S-boxes and the permutation P to improve its resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm which requires only 2^56 chosen plaintexts, versus an attack on an eight-round version of DES which requires 2^14 chosen plaintexts.
  • This attack is known as Differential Cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known difference in leading to a known difference out with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f.
    Shown here is the equation from Stallings section 3.4 which shows how this removes the influence of the key, hence enabling the analysis.
  • A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. Again, this attack uses structure not seen before. So far, little work has been done by other groups to validate the linear cryptanalytic approach.
  • The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5 as shown. Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of info about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined. See [MATS93] for details.
  • The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Briefly discuss these.
    The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms.
    The function F provides the element of confusion in a Feistel cipher, want it to be difficult to “unscramble” the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. Would like any change to the input vector to an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions.
    A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. Would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.
  • CTR mode has a number of advantages in parallel h/w & s/w efficiency, can preprocess the output values in advance of needing to encrypt, can get random access to encrypted data blocks, and is simple. But like OFB have issue of not reusing the same key+counter value.
  • Stallings Figure 6.8 illustrates the general structure of a stream cipher, where a key is input to a pseudorandom bit generator that produces an apparently random keystream of bits, and which are XOR’d with message to encrypt it, and XOR’d again to decrypt it by the receiver.
  • If encryption is to be used to counter attacks on confidentiality, need to decide what to encrypt and where the encryption function should be located. Now examine potential locations of security attacks and then look at the two major approaches to encryption placement: link and end to end.
    Have many locations where attacks can occur in a typical scenario (Stallings Figure 7.1), such as when have:
    + workstations on LANs access other workstations & servers on LAN
    + LANs interconnected using switches/routers
    + with external lines or radio/satellite links
    Consider attacks and placement in this scenario:
    + snooping from another workstation
    + use dial-in to LAN or server to snoop
    + physically tap line in wiring closet
    + use external router link to enter &amp; snoop
    + monitor and/or modify traffic one external links
  • Stallings Figure 7.2 contrasts the two encryption placement alternatives, for encryption over a Packet Net.
  • With end-to-end encryption, user data are secure, but the traffic pattern is not because packet headers are transmitted in the clear. However end-to-end encryption does provide a degree of authentication, since a recipient is assured that any message that it receives comes from the alleged sender, because only that sender shares the relevant key. Such authentication is not inherent in a link encryption scheme. To achieve greater security, both link and end-to-end encryption are needed, as is shown in Figure 7.2 on the previous slide.
  • Can place encryption at any of a number of layers in the OSI Reference Model.
    Link encryption can occur at either the physical or link layers.
    End-to-end encryption could be performed at the network layer (for all processes on a system, perhaps in a Front End Processor), at the Transport layer (now possibly per process), or at the Presentation/Application layer (especially if need security to cross application gateways, but at cost of many more entities to manage).
    Can view alternatives noting that as you move up the communications hierarchy, less information is encrypted but it is more secure.
  • The strength of any cryptographic system thus depends on the key distribution technique. For two parties A and B, key distribution can be achieved in a number of ways:
    Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows. 3 is mostly based on 1 or 2 occurring first.
    A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). Must trust intermediary not to abuse the knowledge of all session keys. As number of parties grow, some variant of 4 is only practical solution to the huge growth in number of keys potentially needed.
  • The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in Stallings Figure 7.9 above, which has a “Key Distribution Center” (KDC) which shares a unique key with each party (user). See text section 7.3 for details of the steps shown in this distribution process.
  • So far all the cryptosystems discussed, from earliest history to modern times, have been private/secret/single key (symmetric) systems.
    All classical, and modern block and stream ciphers are of this form, and still rely on the fundamental building blocks of substitution and permutation (transposition).
  • Emphasize here the radical difference with Public-Key Cryptography is the use of two related keys but with very different roles and abilities. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt messages or create signatures, all thanks to some clever use of number theory.
  • In assessing the security of a MAC function, we need to consider the types of attacks that may be mounted against it. Hence it needs to satisfy the listed requirements.
    The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key.
    The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext.
    The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others.
  • Can also use block cipher chaining modes to create a separate authenticator, by just sending the last block. This was done with the Data Authentication Algorithm (DAA), a widely used MAC based on DES-CBC (next slide). However this suffers from being too small for acceptable use today.
  • Stallings Figure 11.6 “Data Authentication Algorithm”, illustrates the FIPS PUB 113 / ANSI X9.17 MAC based on DES-CBC with IV 0 and 0-pad of the final block if needed. Resulting MAC can be 16-64 bits of the final block. But this is now too small for security.
  • The purpose of a hash function is to produce a “fingerprint” of a file, message, or other block of data.
    These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.
  • Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.
    The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm, with cost O(2^(m/2)). See proposal in text for a h/w MD5 cracker.
    A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs. However analysis shows cost is related to min(2^k, 2^n), similar to symmetric encryption algorithms.
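    The O(2^(m/2)) collision cost versus the O(2^m) preimage cost, as an added example (not from the notes): a birthday search over an m-bit hash code, modelled here by the leading m bits of SHA-256 so that it finishes in seconds; the messages are constructed inputs.

```python
import hashlib
from typing import Optional, Tuple

def truncated_hash(data: bytes, m_bits: int) -> int:
    """An m-bit hash code: the leading m bits of SHA-256 (toy truncation so the
    search finishes quickly; the cost argument is the same for any m)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)

def find_collision(m_bits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search: remember every (hash code -> message) and stop at the first
    repeat. Expected work is about sqrt(pi/2) * 2^(m/2) hashes; by the pigeonhole
    principle a repeat is guaranteed after 2^m + 1 distinct messages."""
    seen = {}
    for i in range(1, (1 << m_bits) + 2):
        msg = b"message-%d" % i          # constructed, distinct inputs
        code = truncated_hash(msg, m_bits)
        if code in seen:
            return seen[code], msg, i
        seen[code] = msg
    raise AssertionError("unreachable: pigeonhole guarantees a collision")

def find_preimage(target_code: int, m_bits: int, limit: int) -> Optional[Tuple[bytes, int]]:
    """Contrast: hitting one specific m-bit code needs about 2^m trials, not 2^(m/2).
    Returns (message, attempts) or None if `limit` trials were not enough."""
    for i in range(1, limit + 1):
        msg = b"candidate-%d" % i
        if truncated_hash(msg, m_bits) == target_code:
            return msg, i
    return None

if __name__ == "__main__":
    m1, m2, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes (2^12 = 4096): {m1!r} / {m2!r}")
    pre = find_preimage(truncated_hash(b"target", 16), 16, 1 << 20)
    print(f"16-bit preimage after {pre[1] if pre else '>2^20'} hashes (2^16 = 65536)")
```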
  • As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search. The way to measure the resistance of a hash or MAC algorithm to cryptanalysis is to compare its strength to the effort required for a brute-force attack. That is, an ideal hash or MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort.
    Cryptanalysis of hash functions focuses on the internal structure of the compression function f and is based on attempts to find efficient techniques for producing collisions for a single execution of f. Keep in mind that for any hash function there must exist collisions, but want it to be computationally infeasible to find these collisions.
  • Stallings Figure 12.7 shows the structure of Block Cipher W. The encryption algorithm takes a 512-bit block of plaintext as input and a 512-bit key and produces a 512-bit block of ciphertext as output. The encryption algorithm involves the use of four different functions, or transformations: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR). Note that the input is mapped by rows (unlike AES which is mapped by column). Hence the use of “Mix Rows” as the diffusion layer; and “Shift Columns” as the permutation (vs Mix Columns & Shift Rows in AES). Note also that the Key Schedule uses the same W round function, but with round constants RC[I] (being S-box outputs) taking the role of “subkeys” in the AddKey function.
  • Whirlpool is a very new proposal, hence there is little experience with use, though many AES findings should apply to it. As yet, there has been little implementation experience with Whirlpool. One study [KITS04] compared Whirlpool with a number of other secure hash functions. The authors developed multiple hardware implementations of each hash function and concluded that, compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput.
  • The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. It involves hashing padded versions of the key concatenated with the message, and then with another outer hash of the result prepended by another padded variant of the key. The hash function need only be used on 3 more blocks than when hashing just the original message (for the two keys + inner hash). HMAC can use any desired hash function, and has been shown to have the same security as the underlying hash function. Can choose the hash function to use based on speed/security concerns.
  • Stallings Figure 12.10 shows the structure of HMAC, which implements the function:
    HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
    elements are:
    K+ is K padded with zeros on the left so that the result is b bits in length
    ipad is a pad value of 36 hex repeated to fill block
    opad is a pad value of 5C hex repeated to fill block
    M is the message input to HMAC (including the padding specified in the embedded hash function)
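    The HMAC construction above as an added example (not code from the notes or Stallings), built from the ipad/opad constants with Python's hashlib and cross-checked against the standard library's hmac module. It follows RFC 2104, which forms K+ by appending zero bytes to K (padding on the right) and hashes any key longer than one block first; the known-answer vector is RFC 4231 test case 1.

```python
import hashlib
import hmac as stdlib_hmac   # used only to cross-check and for constant-time compare

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C

def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]] per RFC 2104."""
    block_size = hashlib.new(hash_name).block_size   # b/8: 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()    # long keys are hashed down first
    k_plus = key + b"\x00" * (block_size - len(key))  # K+: zero-padded to b bits (appended)
    k_ipad = bytes(b ^ IPAD_BYTE for b in k_plus)
    k_opad = bytes(b ^ OPAD_BYTE for b in k_plus)
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute and compare in constant time (avoids timing leaks)."""
    return stdlib_hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)

def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's hmac module, which implements the same RFC."""
    return hmac_from_scratch(key, message, hash_name) == stdlib_hmac.new(key, message, hash_name).digest()

if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"   # RFC 4231 test case 1
    print(hmac_from_scratch(key, msg).hex())
    # b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7
    print("stdlib agrees:", matches_stdlib(key, msg))
```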
  • Stallings Figure 12.12 shows the structure of CMAC.
    It uses the blocksize of the underlying cipher (ie 128-bits for AES or 64-bits for triple-DES). The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not). For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits. The two constants K1 & K2 are derived from the original key K using encryption of 0 and multiplication in GF(2^n), as detailed in the text.
  • Stallings Figure 14.1 diagrammatically summarizes the Kerberos v4 authentication dialogue, with 3 pairs of messages, for each phase listed previously.
  • X.509 is part of the X.500 series of recommendations that define a directory service, being a server or distributed set of servers that maintains a database of information about users.
    X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.
    The X.509 certificate format is widely used, for example in S/MIME, IP Security, SSL/TLS and SET.
  • The X.509 certificate is the heart of the standard. There are 3 versions, with successively more info in the certificate - must be v2 if either unique identifier field exists, must be v3 if any extensions are used. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates. The certificate includes the elements shown.
    The standard uses the notation for a certificate of: CA<<A>> where the CA signs the certificate for user A with its private key.
  • Stallings Figure 14.4 shows the format of an X.509 certificate and CRL.
  • User certificates generated by a CA have the characteristics that any user with access to the public key of the CA can verify the user public key that was certified, and no party other than the certification authority can modify the certificate without this being detected. Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them.
  • If both parties use the same CA, they know its public key and can verify each other's certificates. If not, then there has to be some means to form a chain of certifications between the CA's used by the two parties, by the use of client and parent certificates. It is assumed that each client trusts its parent's certificates.
  • Stallings Figure 14.5 illustrates the use of an X.509 hierarchy to mutually verify clients' certificates.
    Track chains of certificates:
    A gets B's certificate using chain: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>
    B obtains A's certificate using chain: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>>
  • Stallings Figure 15.3 shows the format of a transmitted PGP message. A message consists of three components: the message component, a signature (optional), and a session key component (optional).
  • Stallings Figure 15.5 illustrates how these key rings are used in message transmission to implement the various PGP crypto services (ignoring compression and radix-64 conversion for simplicity).
  • Stallings Figure 15.6 then illustrates how these key rings are used in message reception to implement the various PGP crypto services (again ignoring compression and radix-64 conversion for simplicity).
  • In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability to sign and/or encrypt messages. S/MIME provides the functions shown.
  • Stallings Figure 16.1 illustrates a typical IP Security scenario. An organization maintains LANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. For traffic offsite, through some sort of private or public WAN, IPSec protocols are used. These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols to provide security.
  • [MARK97] lists the benefits shown for IPSec. It also plays a vital role in the routing architecture required for internetworking.
  • The IPSec specification has become quite complex. The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are
    • RFC 2401: An overview of a security architecture
    • RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
    • RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
    • RFC 2408: Specification of key management capabilities
    In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups.
    Support for these features is mandatory for IPv6 and optional for IPv4.
    In both cases, the security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header.
  • IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. The security services supported are as shown above. See Stallings Table 16.1 for the services provided by AH & ESP respectively. For ESP, there are two cases: with and without the authentication option. Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.
  • Stallings Figure 16.3 shows the Authentication Header fields:
    • Next Header (8 bits): Identifies the type of header immediately following this header
    • Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2.
    • Reserved (16 bits): For future use
    • Security Parameters Index (32 bits): Identifies a security association
    • Sequence Number (32 bits): A monotonically increasing counter value
    • Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet
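    An added example (my own, not the notes') of the AH layout just listed: a builder and a parser using Python's struct, with the Payload Length field defined as the AH length in 32-bit words minus 2 (RFC 4302, matching the list above), plus a simplified sliding anti-replay window keyed on the Sequence Number. The packet bytes are constructed; a real receiver would also recompute the ICV.

```python
import struct
from dataclasses import dataclass

AH_FIXED_LEN = 12  # bytes: Next Header(1) Payload Len(1) Reserved(2) SPI(4) Seq(4)

@dataclass
class AuthHeader:
    next_header: int
    spi: int
    seq: int
    icv: bytes
    total_len: int   # whole AH in bytes, derived from Payload Length

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialise an AH. The ICV must already be computed and padded to a 32-bit multiple."""
    if len(icv) % 4:
        raise ValueError("ICV must be an integral number of 32-bit words")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2   # length in words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def parse_ah(data: bytes) -> AuthHeader:
    """Parse an AH from the start of `data`, validating the length field before
    slicing so a bad Payload Length cannot read past the packet."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated: shorter than the fixed AH fields")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    if total_len < AH_FIXED_LEN:
        raise ValueError("Payload Length smaller than the fixed AH fields")
    if total_len > len(data):
        raise ValueError("Payload Length runs past end of packet")
    return AuthHeader(next_header, spi, seq, data[AH_FIXED_LEN:total_len], total_len)

def is_malformed(data: bytes) -> bool:
    """True when parse_ah rejects the bytes (used by the usage code and tests)."""
    try:
        parse_ah(data)
        return False
    except ValueError:
        return True

class ReplayWindow:
    """Simplified sliding anti-replay window: accept each Sequence Number once,
    and reject anything older than `size` below the highest number seen."""
    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0   # bit i set => sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.highest:            # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                  # too old: outside the window
        if (self.bitmap >> offset) & 1:
            return False                  # replayed
        self.bitmap |= 1 << offset
        return True

if __name__ == "__main__":
    icv = bytes(range(12))                             # constructed 96-bit ICV
    pkt = build_ah(6, 0x1000, 7, icv) + b"TCP segment"  # Next Header 6 = TCP
    print(parse_ah(pkt))
    print("bad length rejected:", is_malformed(bytes([6, 50, 0, 0]) + b"\x00" * 8))
```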
  • Stallings Figure 16.5 shows the difference between end-to-end (transport) mode and end-to-intermediate (tunnel) mode.
    Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload. Typically, transport mode is used for end-to-end communication between two hosts.
    Tunnel mode provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new “outer” IP packet with a new outer IP header. Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.
  • The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide an authentication service, with the same MACs as AH. ESP supports range of ciphers, modes, and padding, as shown.
  • Stallings Figure 16.7 shows the format of an ESP packet. It contains the following fields:
    • Security Parameters Index (32 bits): Identifies a security association
    • Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH
    • Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption
    • Padding (0–255 bytes): for various reasons
    • Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field
    • Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload
    • Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field
  • Transport mode ESP is used to encrypt and optionally authenticate the data carried by IP. Transport mode operation provides confidentiality for any application that uses it, thus avoiding the need to implement confidentiality in every individual application. This mode of operation is also reasonably efficient, adding little to the total length of the IP packet. One drawback to this mode is that it is possible to do traffic analysis on the transmitted packets.
    Tunnel mode ESP is used to encrypt an entire IP packet. Tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network from external networks.
  • An individual SA can implement either the AH or ESP protocol but not both. Sometimes a particular traffic flow will call for the services provided by both AH and ESP. Further, a particular traffic flow may require IPSec services between hosts and, for that same flow, separate services between security gateways, such as firewalls. In all of these cases, multiple SAs must be employed for the same traffic flow to achieve the desired IPSec services. The term security association bundle refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPSec services. The SAs in a bundle may terminate at different endpoints or at the same endpoints.
    Security associations may be combined into bundles in two ways:
    • Transport adjacency: more than one security protocol on same IP packet, without invoking tunneling
    • Iterated tunneling: application of multiple layers of security protocols effected through IP tunneling
    One interesting issue is the order in which authentication and encryption may be applied between a given pair of endpoints.
  • The IPSec Architecture document lists four examples of combinations of SAs that must be supported by compliant IPSec hosts or security gateways. These are illustrated in Stallings Figure 16.10. Note the *’d devices implement IPSec. The cases are:
    Case 1 security is provided between end systems that implement IPSec.
    Case 2 security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPSec.
    Case 3 builds on Case 2 by adding end-to-end security. The same combinations discussed for cases 1 and 2 are allowed here.
    Case 4 provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall. Only tunnel mode is required between the remote host and the firewall.
  • The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP. The IPSec Architecture document mandates support for two types of key management:
    • Manual where a system administrator manually configures each system with its own keys and with the keys of other communicating
    • Automated where an automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
    The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.
  • The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for Internet key management and provides the specific protocol support, defining procedures and packet formats to establish, negotiate, modify, and delete security associations. ISAKMP defines payloads for exchanging key generation and authentication data. These payload formats provide a consistent framework independent of the specific key exchange protocol, encryption algorithm, and authentication mechanism.
  • An ISAKMP message consists of an ISAKMP header followed by one or more payloads, carried in a transport protocol (UDP by default).
    Stallings Figure 16.12a shows the header format for an ISAKMP message. All ISAKMP payloads begin with the same generic payload header shown in Figure 16.12b.
  • The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats as shown. These can be described as passive attacks including eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted, and active attacks including impersonating another user, altering messages in transit between client and server, and altering information on a Web site. The web needs added security mechanisms to address these threats.
  • Stallings Figure 17.2 shows the SSL Protocol stack. The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are also defined as part of SSL: the Handshake Protocol, Change Cipher Spec Protocol, and Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges.
  • Two important SSL concepts are the SSL connection and the SSL session:
    • Connection: A connection is a network transport that provides a suitable type of service; such connections are transient, peer-to-peer relationships, associated with one session
    • Session: An SSL session is an association between a client and a server, created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
  • Stallings Figure 17.3 shows the overall operation of the SSL Record Protocol. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled and then delivered to higher-layer applications.
  • The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest, consisting of a single message. Its purpose is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
  • The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in this protocol consists of two bytes,
    the first takes the value warning(1) or fatal(2) to convey the severity of the message. The second byte contains a code that indicates the specific alert. The first group shown are the fatal alerts, the others are warnings.
  • The most complex part of SSL is the Handshake Protocol. This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server, which can be viewed in 4 phases:
    Phase 1. Establish Security Capabilities - this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it
    Phase 2. Server Authentication and Key Exchange - the server begins this phase by sending its certificate if it needs to be authenticated.
    Phase 3. Client Authentication and Key Exchange - the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable
    Phase 4. Finish - this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec
  • Stallings Figure 17.6 shows the initial exchange needed to establish a logical connection between client and server. The exchange can be viewed as having the four phases discussed previously.
  • TLS is defined as a Proposed Internet Standard in RFC 2246. RFC 2246 is very similar to SSLv3, but with a number of minor differences in the areas shown, as discussed in the text.
  • Now briefly detail the sequence of events that are required for a transaction as shown, details in text.
  • The purpose of the SET dual signature is to link two messages that are intended for two different recipients, the order information (OI) for the merchant and the payment information (PI) for the bank. The merchant does not need to know the customer’s credit card number, and the bank does not need to know the details of the customer’s order, however the two items must be linked in a way that can be used to resolve disputes if necessary. The customer takes the hash (using SHA-1) of the PI and the hash of the OI, concatenates them, and hashes the result. Finally, the customer encrypts the final hash with his or her private signature key, creating the dual signature. This can be summarized as: DS=E(PRc, [H(H(PI)||H(OI))])
  • The purchase request exchange consists of four messages: Initiate Request, Initiate Response, Purchase Request, and Purchase Response. In order to send SET messages to the merchant, the cardholder must have a copy of the certificates of the merchant and the payment gateway. The customer requests the certificates in the Initiate Request message, sent to the merchant. The merchant generates a response and signs it with its private signature key. The cardholder verifies the merchant and gateway certificates by means of their respective CA signatures and then creates the OI and PI. Next, the cardholder prepares the Purchase Request message with Purchase-related information & Order-related information. The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number.
  • Stallings Figure 17.10 shows the details of the contents of the Purchase Request message generated by the customer.
    The message includes the following:
    1. Purchase-related information, which will be forwarded to the payment gateway by the merchant and consists of: PI, dual signature, & OI message digest (OIMD).
    2. Order-related information, needed by the merchant and consists of: OI, dual signature, PI message digest (PIMD).
    3. Cardholder certificate. This contains the cardholder’s public signature key.
  • When the merchant receives the Purchase Request message, the actions listed are performed.
    Details of the request verification are shown on the next slide; and of the payment authorization on the following slide.
    The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number. This block is signed by the merchant using its private signature key. The block and its signature are sent to the customer, along with the merchant’s signature certificate.
  • Stallings Fig 17.11 illustrates the crypto processes used by the merchant to verify the customer’s purchase request order (step 2 on previous slide).
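  An added worked example (not from the notes) of the dual signature DS=E(PRc, [H(H(PI)||H(OI))]) and the two verifications it enables: the merchant checks DS from OI plus PIMD, the payment gateway from PI plus OIMD, so neither sees the other's data. SHA-1 is used as SET specifies; the signing step is textbook unpadded RSA with a constructed toy key pair standing in for the cardholder's real signature key, and PI/OI are constructed strings.

```python
import hashlib
from typing import Tuple

def H(data: bytes) -> bytes:
    """SET message digests use SHA-1."""
    return hashlib.sha1(data).digest()

# Constructed toy RSA key pair (PRc, PUc) for the cardholder: two Mersenne primes,
# textbook RSA without padding. A stand-in for a real signature key; not for reuse.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
N = _P * _Q                            # ~196-bit modulus, above a 160-bit digest
E = 65537                              # public exponent (PUc, in the cardholder certificate)
D = pow(E, -1, (_P - 1) * (_Q - 1))    # private exponent (PRc)

def sign(digest: bytes) -> int:
    """E(PRc, digest): the cardholder signs a digest with the private key."""
    return pow(int.from_bytes(digest, "big"), D, N)

def verify(sig: int, digest: bytes) -> bool:
    """Anyone holding PUc (from the cardholder certificate) checks a signature."""
    return pow(sig, E, N) == int.from_bytes(digest, "big")

def dual_signature(pi: bytes, oi: bytes) -> Tuple[int, bytes, bytes]:
    """DS = E(PRc, [H(H(PI) || H(OI))]). Also returns PIMD and OIMD, which the
    cardholder ships alongside OI (to the merchant) and PI (to the bank)."""
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)              # payment-order message digest
    return sign(pomd), pimd, oimd

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD only: recomputes H(PIMD || H(OI)) and checks DS."""
    return verify(ds, H(pimd + H(oi)))

def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI and OIMD only: recomputes H(H(PI) || OIMD) and checks DS."""
    return verify(ds, H(H(pi) + oimd))

if __name__ == "__main__":
    PI = b"card=<constructed>;amount=49.95"     # constructed payment information
    OI = b"items=2x widget;ship=standard"       # constructed order information
    ds, pimd, oimd = dual_signature(PI, OI)
    print("merchant accepts:", merchant_verify(OI, pimd, ds))
    print("bank accepts:", bank_verify(PI, oimd, ds))
    print("merchant rejects altered OI:", merchant_verify(OI + b";ship=express", pimd, ds))
```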
  • Stallings Figure 20.1 suggests, in very abstract terms, the nature of the task confronting the designer of an intrusion detection system. Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap in these behaviors. Thus, a loose interpretation of intruder behavior, which will catch more intruders, will also lead to a number of "false positives," or authorized users identified as intruders. On the other hand, an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false negatives, or intruders not identified as intruders. Thus, there is an element of compromise and art in the practice of intrusion detection.
  • Stallings Figure 18.2 shows the overall architecture, consisting of three main components, of the system independent distributed IDS developed at the University of California at Davis. The components are:
    • Host agent module: audit collection module operating as a background process on a monitored system
    • LAN monitor agent module: like a host agent module except it analyzes LAN traffic
    • Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion
  • Stallings Figure 18.3 shows the general approach that is taken. The agent captures each native O/S audit record, &amp; applies a filter that retains only records of security interest. These records are then reformatted into a standardized format (HAR). Then a template-driven logic module analyzes the records for suspicious activity. When suspicious activity is detected, an alert is sent to the central manager. The central manager includes an expert system that can draw inferences from received data. The manager may also query individual systems for copies of HARs to correlate with those from other agents.
  • Honeypots are decoy systems, designed to lure a potential attacker away from critical systems, and:
    • divert an attacker from accessing critical systems
    • collect information about the attacker’s activity
    • encourage the attacker to stay on the system long enough for administrators to respond
    These systems are filled with fabricated information designed to appear valuable but which any legitimate user of the system wouldn’t access, thus, any access is suspect.
    They are instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities.
    Have seen evolution from single host honeypots to honeynets of multiple dispersed systems.
    The IETF Intrusion Detection Working Group is currently drafting standards to support interoperability of IDS info (both honeypot and normal IDS) over a wide range of systems & O/S's.
  • The front line of defense against intruders is the password system, where a user provides a name/login identifier (ID) and a password. The password serves to authenticate the ID of the individual logging on to the system. Passwords are usually stored hashed rather than in the clear (which would make them more vulnerable to theft). Unix systems traditionally used a multiple DES variant with salt as a one-way hash function (see text). More recent O/S's use a cryptographic hash function (eg. MD5). The file containing these password hashes needs access control protections to make guessing attacks harder.
  • Studies have shown that users tend to choose poor passwords too often.
    A study at Purdue University in 1992 observed password change choices on 54 machines, for 7000 users, and found almost 3% of the passwords were three characters or fewer in length, easily exhaustively searched!
    Password length is only part of the problem, since many people pick a password that is guessable, such as their own name, their street name, a common dictionary word, and so forth. This makes the job of password cracking straightforward.
    A study by Klein 1990 collected UNIX password files, containing nearly 14,000 encrypted passwords, and found nearly one-fourth of these passwords were guessable.
    A strategy is needed to force users to select passwords that are difficult to guess.
  • Computer-generated passwords create a password for the user, but have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm, which generates words by forming a random set of pronounceable syllables and concatenating them to form a word.
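The two defensive measures the notes above describe (storing passwords only as salted one-way hashes, and forcing users away from guessable choices) in working form. This is an added example, not code from the notes or from any particular operating system; the policy rules, the tiny word list and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for a real wordlist (assumption, not from the text).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "secret", "dragon"}


def password_problems(login: str, password: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if lowered in COMMON_WORDS:
        problems.append("common dictionary word")
    if login and (lowered == login.lower() or lowered == login.lower()[::-1]):
        problems.append("derived from the login name")
    if lowered.isalpha() or lowered.isdigit():
        problems.append("only one character class")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Salted, iterated one-way hash. The stored string carries the parameters
    and the salt so that verification can recompute the same digest."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/rounds and compare in constant time."""
    algorithm, rounds, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(password_problems("alice", "abc"))
    record = hash_password("correct horse battery")
    print(record, verify_password("correct horse battery", record))
```

The per-password random salt is what makes two users with the same password store different records, so a precomputed table of hashes is useless against the file; the iteration count slows each guess for an attacker who does obtain the file, which is why the notes insist on access control for it as well.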
  • A very general depiction of virus structure is shown in Figure 21.1. In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program. An infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program first seeks out uninfected executable files and infects them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program.
  • The ideal solution to the threat of viruses is prevention, but in general this is impossible to achieve. The next best approach is to be able to do the following:
    • Detection: determine that infection has occurred and locate the virus
    • Identification: of the specific virus that has infected a program
    • Removal: of all traces of the virus from the infected program and restore it to its original state; or discard infected program and reload a clean backup version
  • As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated. See four generations of antivirus software:
    • First generation: simple scanners use a virus signature to identify a virus, limited to known viruses; or use length of program to detect changes to it
    • Second generation: heuristic scanners use rules to search for probable virus infection, eg for code fragments; or use crypto hash of programs to detect changes
    • Third generation: activity traps which identify a virus by its actions rather than its structure
    • Fourth generation: full-featured protection using packages consisting of a variety of antivirus techniques used in conjunction, including scanning and activity trap components
    The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general purpose computer security measures.
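The first two generations above differ in how they detect that a program has changed: by its length, or by a cryptographic hash of its contents. The following added example (not code from the notes or from any antivirus product) records both for a set of files and then checks them again; the constructed scenario alters one file without changing its size, which a length check cannot see but a hash check does.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, dict]:
    """Record size (first-generation check) and SHA-256 (second-generation check)."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths}


def check_baseline(baseline: Dict[str, dict]) -> Dict[str, dict]:
    """Compare every recorded file against its baseline; report each check separately."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = {"size_check": "missing", "hash_check": "missing"}
            continue
        size_ok = os.path.getsize(path) == expected["size"]
        hash_ok = sha256_file(path) == expected["sha256"]
        report[path] = {"size_check": "ok" if size_ok else "modified",
                        "hash_check": "ok" if hash_ok else "modified"}
    return report


def demo() -> Dict[str, dict]:
    """Constructed scenario: two 'programs'; one is altered without changing its length."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.bin")
        tampered = os.path.join(tmp, "tampered.bin")
        for p in (clean, tampered):
            with open(p, "wb") as f:
                f.write(b"hello world")
        baseline = build_baseline([clean, tampered])
        with open(tampered, "wb") as f:
            f.write(b"hello w0rld")         # same length, different bytes
        report = check_baseline(baseline)
        return {os.path.basename(p): r for p, r in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the monitored system cannot rewrite it (read-only media or a separate host), otherwise whatever changed the program can update the recorded hash too.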
  • Stallings Figure 19.4 illustrates the typical steps in digital immune system operation:
    1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, & forwards infected programs to an administrative machine
    2. The administrative machine encrypts the sample and sends it to a central virus analysis machine
    3. This machine creates an environment in which the infected program can be safely run for analysis to produce a prescription for identifying and removing the virus
    4. The resulting prescription is sent back to the administrative machine
    5. The administrative machine forwards the prescription to the infected client
    6. The prescription is also forwarded to other clients in the organization
    7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.
  • A DDoS attack attempts to consume the target’s resources so that it cannot provide service. One way to classify DDoS attacks is in terms of the type of resource that is consumed, either an internal host resource on the target system, or data transmission capacity in the target local network.
    Stallings Figure 19.5a shows an example of an internal resource attack - the SYN flood attack.
    1. The attacker takes control of multiple hosts over the Internet
    2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target
    3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each SYN request waiting for a response back and becomes bogged down as more traffic floods in.
    Stallings Figure 19.5b illustrates an example of an attack that consumes data transmission resources.
    1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target’s spoofed IP address to a group of hosts that act as reflectors
    2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.
    3. The target’s router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.
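The SYN flood symptom described above (many SYNs whose handshakes never complete, from return addresses that do not answer) is what a monitor on the server side can count. The following added example, which is not code from the notes, runs that detection over a constructed connection log: each line records a SYN or the final ACK of a handshake, and a target port is flagged when the number of distinct sources with an unfinished handshake exceeds a threshold. The log format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log format (assumption): "<ts> SYN|ACK <src> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<flag>SYN|ACK) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def half_open_by_target(lines: List[str]) -> Dict[str, Set[str]]:
    """Sources whose SYN to each target port was never followed by their final ACK."""
    pending: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                              # ignore lines in another format
        key = f"{m['dst']}:{m['dport']}"
        if m["flag"] == "SYN":
            pending[key].add(m["src"])
        else:                                     # final ACK completed the handshake
            pending[key].discard(m["src"])
    return pending


def flag_syn_flood(lines: List[str], threshold: int = 20) -> Dict[str, int]:
    """Target ports with more than `threshold` half-open sources."""
    return {k: len(v) for k, v in half_open_by_target(lines).items() if len(v) > threshold}


def constructed_log() -> List[str]:
    """Three legitimate clients complete their handshakes; sixty spoofed sources never do."""
    lines = []
    t = 1700000000.0
    for i, src in enumerate(["203.0.113.5", "203.0.113.6", "203.0.113.7"]):
        lines.append(f"{t + i:.3f} SYN {src} -> 192.0.2.10:80")
        lines.append(f"{t + i + 0.1:.3f} ACK {src} -> 192.0.2.10:80")
    for i in range(60):
        lines.append(f"{t + 5 + i * 0.01:.3f} SYN 198.51.100.{i + 1} -> 192.0.2.10:80")
    lines.append(f"{t + 9:.3f} SYN 203.0.113.8 -> 192.0.2.10:443")   # one slow client
    return lines


if __name__ == "__main__":
    print(flag_syn_flood(constructed_log()))
```

In production the pending set would be aged out by time (a SYN older than the server's retransmission window is abandoned, not pending), and the count, not the source addresses, is the useful signal, because the addresses are spoofed.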
  • One of the primary functions of a firewall is to provide a buffer between trusted and untrusted networks. The most common place for this – as demonstrated in the slide – is between the corporate network and the Internet. Other examples could include:
    Protecting a group of R&D computers from the rest of the network.
    Separating sensitive HR or finance servers from the corporate network.
  • Firewalls have their limitations, including that they:
    1. cannot protect against attacks that bypass the firewall, eg PCs with dial-out capability to an ISP, or dial-in modem pool use
    2. do not protect against internal threats, eg a disgruntled employee or one who cooperates with an attacker
    3. cannot protect against the transfer of virus-infected programs or files, given the wide variety of O/S & applications supported
  • Have three common types of firewalls: packet filters, application-level gateways, & circuit-level gateways.
    A packet-filtering router applies a set of rules to each incoming and outgoing IP packet to forward or discard the packet. Filtering rules are based on information contained in a network packet such as src & dest IP addresses, ports, transport protocol & interface. Some advantages are simplicity, transparency & speed.
    If there is no match to any rule, then one of two default policies are applied:
    • that which is not expressly permitted is prohibited (default action is discard packet), conservative policy
    • that which is not expressly prohibited is permitted (default action is forward packet), permissive policy
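A packet filter of the kind just described, as an added example (not code from the notes or from any router vendor): rules match on source and destination address, protocol, destination port and arriving interface, the first match decides, and the caller chooses which of the two default policies applies when nothing matches. The rule set and the packets use documentation address ranges and are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: Optional[int]  # None for protocols without ports
    iface: str            # interface the packet arrived on: "outside" or "inside"


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port
    iface: str = "any"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.iface in ("any", pkt.iface))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; if nothing matches, the default policy decides.
    default="deny" is the conservative policy, default="permit" the permissive one."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set (assumption): one public web server, one blocklisted network,
# and unrestricted outbound traffic from the internal network.
RULES = [
    Rule("deny", src="198.51.100.0/24"),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=80, iface="outside"),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=443, iface="outside"),
    Rule("permit", src="192.0.2.0/24", iface="inside"),
]

WEB = Packet("203.0.113.5", "192.0.2.10", "tcp", 80, "outside")      # expected: permit
TELNET = Packet("203.0.113.5", "192.0.2.20", "tcp", 23, "outside")   # no rule matches
BLOCKED = Packet("198.51.100.7", "192.0.2.10", "tcp", 80, "outside") # deny rule first

if __name__ == "__main__":
    for name, pkt in (("web", WEB), ("telnet", TELNET), ("blocked", BLOCKED)):
        print(name, filter_packet(RULES, pkt, "deny"), filter_packet(RULES, pkt, "permit"))
```

The TELNET packet is the interesting case: the same rule set lets it through under the permissive default and drops it under the conservative one, which is why the default policy is part of the firewall's security policy rather than an implementation detail.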
  • Stallings Figure 20.1a illustrates the packet filter firewall placement in the border router, on the security perimeter, between the external less-trusted Internet, and the internal more trusted private network.
  • A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access.
    One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients.
  • An application-level gateway (or proxy server) acts as a relay of application-level traffic. A user contacts the gateway to access some service and provides details of the service, the remote host & authentication details; the gateway contacts the application on the remote host and relays all data between the two endpoints. If the gateway does not implement the proxy code for a specific application, then it is not supported and cannot be used. Note that some services naturally support proxying, whilst others are more problematic. Application-level gateways tend to be more secure than packet filters, & can log and audit traffic at the application level.
  • Stallings Figure 20.1b illustrates an application-level gateway (or proxy server), emphasizing that it only supports a specific list of application services.
  • Stallings Figure 20.1c illustrates a circuit-level gateway, showing how it relays between 2 TCP connections. Note that it can be implemented in a stand-alone system or can be a specialized function in an application-level gateway for certain applications. Note also that relaying UDP packets is more problematic, because of the lack of connection context, and requires a parallel TCP connection to provide these details.
  • In addition to the use of a simple configuration consisting of a single system, more complex configurations are possible and indeed more common. Stallings Figure 20.2 illustrates three common firewall configurations.
    Figure 20.2a shows the “screened host firewall, single-homed bastion configuration”, where the firewall consists of two systems:
    a packet-filtering router - allows Internet packets to/from bastion only
    a bastion host - performs authentication and proxy functions
    This configuration has greater security, as it implements both packet-level & application-level filtering, forces an intruder to generally penetrate two separate systems to compromise internal security, & also affords flexibility in providing direct Internet access to specific internal servers (eg web) if desired.
  • Stallings Figure 20.2b illustrates the “screened host firewall, dual-homed bastion configuration” which physically separates the external and internal networks, ensuring two systems must be compromised to breach security. The advantages of dual layers of security are also present here. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but are now separated from the internal network.
  • Stallings Figure 20.2c shows the “screened subnet firewall configuration”, being the most secure shown. It has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork. This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.
    This configuration offers several advantages:
    • There are now three levels of defense to thwart intruders
    • The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet
    • Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet
  • Cryptography and network security

    1. UNIT-I: • Security trends • OSI Security Architecture • Security Attacks • Security Services • Security mechanisms • A Model for Network Security • Symmetric Cipher Model • Substitution Techniques and Transposition Techniques • Block Cipher Principles • The Data Encryption Standard and The Strength of DES • Differential and linear cryptanalysis • Block cipher design principles • Evaluation criteria for AES and The AES Cipher.
    2. Cryptography: Cryptography is the study of secret (crypto-) writing (-graphy).
    3. Cryptography: cryptography is the study of encryption principles/methods. Cryptography deals with creating documents that can be shared secretly over public communication channels.
    4. Cryptanalysis: cryptanalysis (code breaking) is the study of principles/methods of decrypting cipher text without knowing the key.
    5. Cryptology: The areas of cryptography and cryptanalysis together are called cryptology.
    6. Computer Security: generic name for the collection of tools designed to protect data.
    7. Network Security: used to protect data during their transmission.
    8. Internet security: used to protect data during their transmission over a collection of interconnected networks.
    9. Security trends: • In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture". • The report stated the general agreement that the Internet needs more and better security, and it identified key areas for security mechanisms.
    10. CERT Statistics: security trend in Internet-related vulnerabilities reported to CERT over a 10-year period. These include security weaknesses in the operating systems of attached computers as well as vulnerabilities in Internet routers and other network devices.
    11. CERT Statistics
    12. OSI Security Architecture: The OSI (open systems interconnection) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.
    13. Services, Mechanisms, Attacks: consider three aspects of information security: • security attack • security mechanism • security service
    14. Security service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
    15. Security Services: • Authentication • Access control • Data Confidentiality • Data Integrity • Non-Repudiation
    16. Authentication: Authentication is a process of verification of the sender.
    17. Access Control: prevention of the unauthorized use of a resource.
    18. Data Confidentiality: protection of data from unauthorized disclosure.
    19. Data Integrity: assurance that data received is as sent by an authorized entity.
    20. Non-Repudiation: Nonrepudiation prevents either sender or receiver from denying a transmitted message.
    21. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
    22. Encipherment: The use of a mathematical algorithm to transform data into a form that is not understandable.
    23. Digital signature: A valid digital signature gives a recipient reason to believe that the message was created by a known sender.
    24. Access control: A variety of mechanisms that enforce access rights to resources.
    25. Data integrity: A variety of mechanisms used to assure the integrity of a data unit.
    26. Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
    27. Routing control: Enables selection of particular physically secure routes for data.
    28. Notarization: The use of a trusted third party to assure certain properties of a data exchange.
    29. Security Attack: Any action that compromises the security of information. "Threat" and "attack" are used to mean the same thing.
    31. Release of message contents
    32. Traffic analysis
    33. Active attacks: • Active attacks attempt to alter system resources or affect their operation. • They are easy to detect because they will involve alteration of the data.
    34. Masquerade: A masquerade takes place when one entity pretends to be a different entity.
    35. Masquerade
    36. Replay
    37. Modification of messages
    38. Denial of service
    39. Model for Network Security
    40. Model for Network Security: • design a suitable algorithm for the security transformation • generate the secret keys used by the algorithm • develop methods to distribute the secret key • specify a protocol enabling the principals to use the transformation and secret information for a security service
    41. Model for Network Access Security
    42. Symmetric Encryption: • Symmetric encryption is also referred to as conventional encryption or single-key encryption. • All traditional schemes are symmetric / single-key / private-key encryption algorithms, with a single key used for both encryption and decryption. • Since both sender and receiver are equivalent, either can encrypt or decrypt messages using that common key.
    43. Some Basic Terminology: • plaintext - original message • cipher text - coded message • key - shared by both sender and receiver • encipher (encrypt) - converting plaintext to cipher text • decipher (decrypt) - converting cipher text to plaintext
    44. Symmetric Cipher Model
    45. Cryptography: characterize a cryptographic system by: • the type of encryption operations used: substitution / transposition / product • the number of keys used: single-key or private / two-key or public • the way in which plaintext is processed: block / stream
    46. Cryptanalysis: There are two general approaches to attacking a conventional encryption scheme: • cryptanalytic attack • brute-force attack
    47. Cryptanalytic attack: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext.
    48. Brute-force attack: Brute-force attacks try every possible key on a piece of cipher text until plaintext is obtained.
    49. Types of Encryption Schemes (figure): Encryption divides into Classical (Substitution, Transposition, Rotor Machines, Steganography) and Modern (Secret Key: Block / Stream; Public Key).
    50. Substitution Techniques: letters of plaintext are replaced by other letters or by numbers or symbols.
    51. Caesar Cipher: The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.
    52. Caesar Cipher: • mathematically, give each letter a number: a = 0, b = 1, c = 2, ..., y = 24, z = 25 • then the Caesar cipher is: c = E(p) = (p + k) mod 26; p = D(c) = (c - k) mod 26
    53. Caesar Cipher example: meet me after the toga party → PHHW PH DIWHU WKH WRJD SDUWB
    54. Brute-Force Cryptanalysis of Caesar Cipher: If it is known that a given cipher text is a Caesar cipher, then a brute-force cryptanalysis is easily performed. Simply try all 25 possible keys.
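The Caesar cipher of slides 51 to 54 together with the brute-force attack on it, as an added example that is not part of the slides: encryption and decryption follow c = (p + k) mod 26 and p = (c − k) mod 26, the brute-force routine simply tries all 25 keys, and a scoring step picks the candidate that contains the most dictionary words. The small word list is a constructed assumption; a real attack would use a larger one.

```python
import string
from typing import Dict, List

ALPHABET = string.ascii_lowercase

# Constructed mini word list used to rank brute-force candidates (assumption).
COMMON_WORDS = {"the", "me", "meet", "after", "party", "and", "to", "of", "attack", "at"}


def caesar_encrypt(plaintext: str, k: int) -> str:
    """c = (p + k) mod 26 for each letter; non-letters pass through; output is upper-case."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = (c - k) mod 26; reuse encryption with the negated shift, then lower-case."""
    return caesar_encrypt(ciphertext, -k).lower()


def brute_force(ciphertext: str) -> Dict[int, str]:
    """All 25 candidate plaintexts; the key space is too small to hide anything."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def rank_candidates(ciphertext: str) -> List[int]:
    """Keys ordered by how many dictionary words their candidate plaintext contains."""
    candidates = brute_force(ciphertext)

    def score(k: int) -> int:
        return sum(word in COMMON_WORDS for word in candidates[k].split())

    return sorted(candidates, key=score, reverse=True)


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)
    best = rank_candidates(ct)[0]
    print(best, brute_force(ct)[best])
```

With only 25 keys the attacker never needs to know anything about the key; the only work is recognising which of the 25 outputs is English, which the word-count score does automatically here.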
    56. Monoalphabetic Ciphers: a monoalphabetic substitution uses a fixed substitution over the entire message.
    57. Monoalphabetic Ciphers: Shuffle the letters and map each plaintext letter to a different random ciphertext letter: Plain letters: abcdefghijklmnopqrstuvwxyz; Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN; Plaintext: ifwewishtoreplaceletters; Cipher text: WIRFRWAJUHYFTSDVFSFUUFYA
    58. Monoalphabetic Cipher Security: • the monoalphabetic substitution cipher is not secure • the problem is language characteristics
    59. Relative Frequency of Letters in English Text
    60. Monoalphabetic Cipher: the relative frequency of the letters can be determined and compared to a standard frequency distribution for English. If the message were long enough, this technique alone might be sufficient.
    61. Playfair Cipher: The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed using a keyword. Plaintext is encrypted two letters at a time using this matrix.
    62. Playfair Cipher • Rules: – Take a pair of letters from the plaintext – Separate repeating letters with an x – Plaintext letters in the same row are replaced by the letters to the right (cyclically) – Plaintext letters in the same column are replaced by the letters below (cyclically) – Plaintext letters in different rows and columns are each replaced by the letter in their own row and in the column of the other letter
    63. Playfair Cipher: Keyword: LARGEST; Plain text: mu st se ey ou; Cipher text: UZ TB DL GZ PN
    64. Hill Cipher: The encryption algorithm takes m successive plaintext letters and substitutes for them m cipher text letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1 ... z = 25).
    65. Hill Cipher
    66. Hill Cipher: where C and P are column vectors of length 3, representing the plaintext and cipher text, and K is a 3 × 3 matrix, representing the encryption key.
    67. Hill Cipher: In general terms, the Hill cipher system can be expressed as follows: C = E(K, P) = KP mod 26; P = D(K^-1, C) = K^-1 C mod 26 = K^-1 K P mod 26 = P
    68. Hill Cipher: Consider the message 'CAT', and the key GYBNQKURP.
    69. For example, if the key K is a 3 × 3 matrix and the plaintext is "paymoremoney", then m = 3 and the first block is (p a y) = (15 0 24). Encryption of this block (plaintext written as a row vector): (15 0 24) K = (303 303 531) mod 26 = (17 17 11) = RRL. So the cipher text for "pay" is RRL.
    70. For decryption you have to find K^-1. How to find the inverse of K: 1. find the cofactor of each element of the matrix; 2. transpose the cofactor matrix to get adj(A). Cofactor matrix: [300 -357 6; -313 313 0; 267 -252 -51], whose transpose is adj(A). Determinant of matrix A = 17(18·19 − 21·2) − 17(21·19 − 21·2) + 5(21·2 − 18·2) = 17·300 − 17·357 + 5·6 = −939. The cofactors are (18·19 − 21·2), −(19·21 − 21·2), (17·19 − 5·2), ………
    71. Now K^-1 = det(A)^-1 · adj(A) mod 26. det(A)^-1 = (−939)^-1 mod 26 = (−939 mod 26)^-1 (the easy way to find −939 mod 26 is to keep adding 26 to −939 until you get a positive value; this gives 23) = 23^-1 mod 26 = 17, since 23 × 17 = 391 = 1 mod 26 (find a number s such that 23 × s mod 26 = 1). So K^-1 = 17 · adj(A) mod 26 = 17 · [300 -313 267; -357 313 -252; 6 0 -51] mod 26 = [5100 -5321 4539; -6069 5321 -4284; 102 0 -867] mod 26, which is the inverse matrix.
    72. Polyalphabetic Ciphers: Each plaintext letter has multiple corresponding cipher text letters.
    73. Vigenère Cipher: The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution.
    74. Vigenère Cipher: To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword. key: deceptivedeceptivedeceptive; plaintext: wearediscoveredsaveyourself; ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
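Slides 57 to 60 in working form, as an added example (not code from the slides): the slide's cipher alphabet is applied, the letter frequencies of the ciphertext are counted, and the ciphertext letters, most frequent first, are paired with English letters in their standard frequency order. The English percentages are the usual published approximations and are an assumption in the sense that the slide's own chart is not reproduced here.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Approximate relative frequencies (%) of letters in English text (standard table; assumed
# to agree with the chart on slide 59 to within rounding).
ENGLISH_FREQ = {
    "e": 12.70, "t": 9.06, "a": 8.17, "o": 7.51, "i": 6.97, "n": 6.75, "s": 6.33, "h": 6.09,
    "r": 5.99, "d": 4.25, "l": 4.03, "c": 2.78, "u": 2.76, "m": 2.41, "w": 2.36, "f": 2.23,
    "g": 2.02, "y": 1.97, "p": 1.93, "b": 1.49, "v": 0.98, "k": 0.77, "j": 0.15, "x": 0.15,
    "q": 0.10, "z": 0.07,
}
PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "DKVQFIBJWPESCXHTMYAUOLRGZN"     # the cipher alphabet from slide 57


def mono_encrypt(plaintext: str, cipher_alphabet: str = CIPHER) -> str:
    """Fixed substitution: the i-th plain letter always becomes the i-th cipher letter."""
    table = str.maketrans(PLAIN, cipher_alphabet)
    return "".join(ch for ch in plaintext.lower() if ch.isalpha()).translate(table)


def mono_decrypt(ciphertext: str, cipher_alphabet: str = CIPHER) -> str:
    table = str.maketrans(cipher_alphabet, PLAIN)
    return ciphertext.upper().translate(table)


def letter_frequencies(text: str) -> Dict[str, float]:
    """Percentage of each letter, most frequent first."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    counts = Counter(letters)
    return {ch: 100.0 * n / len(letters) for ch, n in counts.most_common()}


def guess_mapping(ciphertext: str) -> List[Tuple[str, str]]:
    """Pair ciphertext letters, most frequent first, with English letters in frequency order.
    For a short message only the first few pairs are reliable; the tail is noise."""
    ranked_cipher = list(letter_frequencies(ciphertext))
    ranked_english = sorted(ENGLISH_FREQ, key=ENGLISH_FREQ.get, reverse=True)
    return list(zip(ranked_cipher, ranked_english))


if __name__ == "__main__":
    ct = mono_encrypt("ifwewishtoreplaceletters")
    print(ct)
    print(letter_frequencies(ct))
    print(guess_mapping(ct)[:3])
```

Even on the slide's 24-letter message the most frequent ciphertext letter, F, is correctly matched to e; the remaining guesses need a longer text (or digram statistics) to settle, which is the point slide 60 makes.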
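The Playfair rules of slide 62 implemented and checked against the LARGEST example of slide 63. This is an added example, not code from the slides; the I/J merge and padding an odd final letter with x are the usual conventions and are assumptions where the slide is silent.

```python
from typing import List, Tuple


def playfair_matrix(keyword: str) -> List[List[str]]:
    """5x5 key square: keyword letters first (no repeats), then the rest of the alphabet, I/J merged."""
    seen: List[str] = []
    for ch in (keyword + "abcdefghijklmnopqrstuvwxyz").lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def playfair_digraphs(text: str) -> List[Tuple[str, str]]:
    """Split into pairs, inserting x between repeated letters and after an odd tail."""
    letters = ["i" if c == "j" else c for c in text.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "x"
        if a == b:
            pairs.append((a, "x"))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def _transform(pair: Tuple[str, str], matrix: List[List[str]], shift: int) -> str:
    """shift=+1 applies the rules (encrypt); shift=-1 undoes the row/column moves (decrypt)."""
    pos = {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}
    (ra, ca), (rb, cb) = pos[pair[0]], pos[pair[1]]
    if ra == rb:                                   # same row: move right (or left)
        return matrix[ra][(ca + shift) % 5] + matrix[rb][(cb + shift) % 5]
    if ca == cb:                                   # same column: move down (or up)
        return matrix[(ra + shift) % 5][ca] + matrix[(rb + shift) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]         # rectangle: keep row, take other column


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    m = playfair_matrix(keyword)
    return "".join(_transform(p, m, 1) for p in playfair_digraphs(plaintext)).upper()


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    m = playfair_matrix(keyword)
    letters = ciphertext.lower()
    pairs = [(letters[i], letters[i + 1]) for i in range(0, len(letters) - 1, 2)]
    return "".join(_transform(p, m, -1) for p in pairs)


if __name__ == "__main__":
    print(playfair_matrix("LARGEST"))
    print(playfair_encrypt("mustseeyou", "LARGEST"))
```

Decryption leaves any inserted x characters in place; the recipient removes them by reading. The rectangle rule is its own inverse, which is why only the row and column cases need the sign of the shift reversed.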
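The Hill cipher computation of slides 64 to 71 carried through in code, as an added example that is not part of the slides. The key matrix is the one whose determinant (−939) and cofactors appear in the derivation above, and the plaintext block is treated as a row vector multiplied on the right by K, matching the (15 0 24) K arithmetic of slide 69 (slides 66 and 67 write the same cipher with column vectors and C = KP; the two conventions differ only by a transpose). The inverse is found exactly as slide 71 does: the modular inverse of the determinant times the adjugate, reduced mod 26.

```python
from typing import List

Matrix = List[List[int]]
A = ord("a")

# Key matrix of the worked example above (det = -939, cofactors as listed on slide 70).
K = [[17, 17, 5],
     [21, 18, 21],
     [2, 2, 19]]


def det3(m: Matrix) -> int:
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)


def adjugate3(m: Matrix) -> Matrix:
    """Transpose of the cofactor matrix."""
    (a, b, c), (d, e, f), (g, h, i) = m
    cof = [[e * i - f * h, -(d * i - f * g), d * h - e * g],
           [-(b * i - c * h), a * i - c * g, -(a * h - b * g)],
           [b * f - c * e, -(a * f - c * d), a * e - b * d]]
    return [[cof[r][c] for r in range(3)] for c in range(3)]


def hill_inverse(m: Matrix, mod: int = 26) -> Matrix:
    """K^-1 = det(K)^-1 * adj(K) (mod 26); fails if det(K) shares a factor with 26."""
    d = det3(m) % mod
    try:
        inv_det = pow(d, -1, mod)
    except ValueError:
        raise ValueError("key matrix is not invertible mod 26; choose another key")
    return [[(inv_det * x) % mod for x in row] for row in adjugate3(m)]


def _apply(text: str, m: Matrix) -> str:
    """Multiply each 3-letter block (as a row vector) by m, mod 26."""
    letters = [ord(ch) - A for ch in text.lower() if ch.isalpha()]
    while len(letters) % 3:
        letters.append(ord("x") - A)           # pad the last block
    out = []
    for i in range(0, len(letters), 3):
        p = letters[i:i + 3]
        for j in range(3):
            out.append(chr(A + sum(p[r] * m[r][j] for r in range(3)) % 26))
    return "".join(out)


def hill_encrypt(plaintext: str, key: Matrix = K) -> str:
    return _apply(plaintext, key).upper()


def hill_decrypt(ciphertext: str, key: Matrix = K) -> str:
    return _apply(ciphertext, hill_inverse(key))


if __name__ == "__main__":
    print(det3(K), adjugate3(K))
    print(hill_inverse(K))
    print(hill_encrypt("paymoremoney"))
```

The check that the determinant is invertible mod 26 is the part learners most often skip: a key with an even determinant, or one divisible by 13, encrypts perfectly well but can never be decrypted, because no inverse exists.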
    76. One-time pad: The one-time pad's security comes from its key: the key is EQUAL to the length of the plaintext and is COMPLETELY random.
    77. One-time pad: Message H E L L O = 7 4 11 11 14; Key X M C K L = 23 12 2 10 11; Message + key = 30 16 13 21 25; (Message + key) mod 26 = 4 16 13 21 25 = E Q N V Z → ciphertext
    78. Transposition Encryption: the positions of the plain text letters are changed.
    79. Rail Fence cipher: The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. The example message is: meet me after the toga party. Write the message out on two rails as: m e m a t r h t g p r y / e t e f e t e o a a t, giving ciphertext MEMATRHTGPRYETEFETEOAAT.
    80. Row Transposition Ciphers: A more complex transposition cipher is to write the message in a rectangle, row by row, and read the message off column by column, shuffling the order of the columns.
    81. Row Transposition Ciphers
    82. Rotor machine: In cryptography, a rotor machine is an electro-mechanical device used for encrypting and decrypting secret messages.
    83. Example of Rotor Machine
    84. Steganography: Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and receiver, knows of their existence.
    85. Character marking: selected letters of printed text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
    86. Invisible ink: A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
    87. Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
    88. Block Cipher Principles: A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a cipher text block of equal length.
    89. Block Cipher: Divide the input bit stream into n-bit sections and encrypt one section at a time.
    90. Block cipher versus Stream Ciphers: • block ciphers process messages in blocks • stream ciphers process messages bit by bit or byte by byte.
    91. Reversible Mapping: Each block of plain text must produce a unique cipher text block. Such a transformation is called reversible.
    92. Reversible Mapping
    93. Irreversible Mapping: Each block of plain text does not produce a unique cipher text block (two plaintext blocks can map to the same cipher text block). Such a transformation is called irreversible.
    94. Irreversible Mapping
    95. Feistel cipher: A Feistel cipher is a symmetric structure used in the construction of block ciphers.
    96. Confusion and Diffusion: • "Confusion" = Substitution (non-linear function), e.g. a -> b • "Diffusion" = Transposition (linear function), e.g. abcd -> dacb (figure: plaintext → Encryption with key KA → ciphertext → Decryption with key KB → plaintext)
    97. Confusion: Each bit of the cipher text block has a highly nonlinear relation with the plaintext block bits and the key bits.
    98. Diffusion: Each plaintext block bit or key bit affects many bits of the cipher text block.
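The Vigenère cipher of slides 73 and 74 and the one-time pad of slides 76 and 77 share one operation, c_i = (p_i + k_i) mod 26 letter by letter; they differ only in where the key stream comes from. The following added example (not code from the slides) implements that shared operation once, derives the Vigenère key stream by repeating the keyword, and derives the pad from the system's cryptographic random source; the decision to draw the pad from `secrets` and to refuse a pad of the wrong length are assumptions of this example.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase


def _letters(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalpha())


def shift_encrypt(plaintext: str, keystream: str) -> str:
    """c_i = (p_i + k_i) mod 26, with one key letter per plaintext letter."""
    p, k = _letters(plaintext), _letters(keystream)
    if len(k) < len(p):
        raise ValueError("keystream shorter than the message")
    return "".join(ALPHABET[(ALPHABET.index(a) + ALPHABET.index(b)) % 26]
                   for a, b in zip(p, k)).upper()


def shift_decrypt(ciphertext: str, keystream: str) -> str:
    """p_i = (c_i - k_i) mod 26."""
    c, k = _letters(ciphertext), _letters(keystream)
    return "".join(ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % 26]
                   for a, b in zip(c, k))


def vigenere_keystream(keyword: str, length: int) -> str:
    """Vigenère: the keyword repeated until it covers the message."""
    kw = _letters(keyword)
    return (kw * (length // len(kw) + 1))[:length]


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    return shift_encrypt(plaintext, vigenere_keystream(keyword, len(_letters(plaintext))))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    return shift_decrypt(ciphertext, vigenere_keystream(keyword, len(_letters(ciphertext))))


def one_time_pad(length: int) -> str:
    """A truly random pad as long as the message; it must be used for one message only."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(plaintext: str, pad: str) -> str:
    if len(_letters(pad)) != len(_letters(plaintext)):
        raise ValueError("pad must be exactly as long as the message")
    return shift_encrypt(plaintext, pad)


if __name__ == "__main__":
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))
    print(otp_encrypt("HELLO", "XMCKL"))
    pad = one_time_pad(5)
    print(pad, otp_encrypt("hello", pad))
```

Seen side by side, the weakness of Vigenère is visible in the code rather than in the arithmetic: `vigenere_keystream` repeats after len(keyword) letters, so every len(keyword)-th ciphertext letter is a Caesar cipher with the same shift, which is what frequency analysis exploits. The pad never repeats and is never reused, which is the whole of the one-time pad's security.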
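Both transposition ciphers of slides 79 and 80, as an added example that is not code from the slides: the rail fence is implemented for any number of rails by recording which rail each letter visits in the zigzag (the slide's two-rail example is the n = 2 case), and the row transposition takes a numeric key that gives the order in which the columns are read out. The row-transposition sample input (key 4312567, message "attack postponed until two am xyz") is constructed for this example because slide 81 is a figure only.

```python
from typing import List


def _letters(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalpha())


def _rail_pattern(n: int, rails: int) -> List[int]:
    """Rail index visited by each of the n letters when written as a zigzag."""
    pattern, rail, step = [], 0, 1
    for _ in range(n):
        pattern.append(rail)
        if rails > 1:
            if rail == 0:
                step = 1
            elif rail == rails - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Write the letters along the diagonals, read them off rail by rail."""
    letters = _letters(plaintext)
    pattern = _rail_pattern(len(letters), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(letters, pattern) if p == r).upper()


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    pattern = _rail_pattern(len(ciphertext), rails)
    rows, pos = [], 0
    for r in range(rails):                 # slice the ciphertext back into rails
        count = pattern.count(r)
        rows.append(list(ciphertext[pos:pos + count]))
        pos += count
    return "".join(rows[p].pop(0) for p in pattern).lower()


def _column_order(key: str) -> List[int]:
    """Column indices in the order their key digits rank: '4312567' -> [2, 3, 1, 0, 4, 5, 6]."""
    return sorted(range(len(key)), key=lambda i: key[i])


def row_transposition_encrypt(plaintext: str, key: str, pad: str = "x") -> str:
    """Fill a rectangle row by row, then read the columns in key order."""
    letters, cols = _letters(plaintext), len(key)
    while len(letters) % cols:
        letters += pad
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[c] for c in _column_order(key) for row in rows).upper()


def row_transposition_decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    n_rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(n_rows)]
    pos = 0
    for c in _column_order(key):           # refill the columns in the same order
        for r in range(n_rows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid).lower()


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    print(row_transposition_encrypt("attack postponed until two am xyz", "4312567"))
```

Neither cipher changes letter frequencies, only positions, so the ciphertext has exactly the frequency profile of English; that is the quickest way to tell a transposition from a substitution when analysing unknown ciphertext.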
    100. Feistel Cipher Structure: • The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. • The plaintext block is divided into two halves, L0 and R0. • The two halves of the data pass through n rounds of processing and then combine to produce the cipher text block. • Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the overall K.
    101. Feistel Cipher Structure: A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data.
    102. Feistel Cipher structure
    103. Feistel Cipher structure
    104. Feistel Cipher Design Elements: block size - increasing the block size improves security but decreases encryption speed. key size - increasing the key size improves security but decreases encryption speed. number of rounds - increasing the number of rounds improves security but decreases encryption speed.
    105. Feistel Cipher Design Elements: subkey generation algorithm - greater complexity can make analysis harder but decreases encryption speed. round function - greater complexity can make analysis harder but decreases encryption speed.
    106. Simplified DES: • Developed in 1996 as a teaching tool • Santa Clara University • Prof. Edward • Takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of cipher text • Decryption takes the 8-bit block of cipher text and the same 10-bit key and produces the original 8-bit block of plaintext
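The Feistel structure of slides 100 and 101 on a 16-bit block (w = 8), as an added example that is not code from the slides and is not DES or S-DES: each round computes Li = Ri-1 and Ri = Li-1 XOR F(Ri-1, Ki), the halves are swapped after the last round, and decryption is the same network run with the subkeys in reverse order. The round function and the key schedule are toy functions chosen for this example (assumptions); F is deliberately not a one-to-one mapping, to show that the structure decrypts correctly whether or not F is invertible.

```python
from typing import List

MASK8 = 0xFF


def round_function(right: int, subkey: int) -> int:
    """Toy F on an 8-bit half (assumption, not DES's F). It is deliberately NOT a bijection:
    the Feistel structure is invertible no matter what F does."""
    x = (right ^ subkey) & MASK8
    return (x * x + 0x5A) & MASK8       # x and 256-x give the same square mod 256


def key_schedule(key: int, rounds: int) -> List[int]:
    """Toy subkey derivation from a 16-bit key (assumption)."""
    return [((key >> (i % 9)) ^ (key * (2 * i + 1)) ^ (0x9E * i)) & MASK8 for i in range(rounds)]


def feistel(block: int, subkeys: List[int]) -> int:
    """Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki); the halves are swapped after the last round."""
    left, right = (block >> 8) & MASK8, block & MASK8
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left


def encrypt(block: int, key: int, rounds: int = 8) -> int:
    return feistel(block, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 8) -> int:
    """Same network with the subkeys in reverse order."""
    return feistel(block, key_schedule(key, rounds)[::-1])


def round_function_is_bijection(subkey: int = 0) -> bool:
    return len({round_function(x, subkey) for x in range(256)}) == 256


def roundtrip_all_blocks(key: int, rounds: int = 8) -> bool:
    """Exhaustively check decrypt(encrypt(b)) == b over the whole 16-bit block space."""
    return all(decrypt(encrypt(b, key, rounds), key, rounds) == b for b in range(1 << 16))


if __name__ == "__main__":
    c = encrypt(0x1234, 0xBEEF)
    print(hex(c), hex(decrypt(c, 0xBEEF)))
    print("F is a bijection:", round_function_is_bijection())
    print("all blocks round-trip:", roundtrip_all_blocks(0xBEEF))
```

Why the reverse key order works: after the final swap the ciphertext is (Rn, Ln); feeding it back through one round with Kn yields Ln = Rn-1 on the left and Rn XOR F(Rn-1, Kn) = Ln-1 on the right, so each decryption round peels off one encryption round exactly. Nothing in that argument used any property of F, and `roundtrip_all_blocks` confirms it for every block and a deliberately lossy F.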
    108. Five Functions to Encrypt: • IP - an initial permutation • fK - a complex, 2-input function • SW - a simple permutation that swaps the two nibbles • fK - a complex, 2-input function, again • IP^-1 - inverse of the initial permutation
    117. DES: The Data Encryption Standard (DES) is a block cipher that uses shared secret encryption. Data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms a 64-bit input in a series of steps into a 64-bit output.
    118. DES: • Adopted in 1976 as the US Government standard encryption technique • Utilizes a 56-bit symmetric key • Cracked in 1998 • Replaced in 2002 by AES, which utilizes 128-bit keys.
    120. DES: • First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. • This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions.
    121. DES: • The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. • The left and right halves of the output are swapped to produce the preoutput. • Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of the initial permutation function, to produce the 64-bit cipher text.
    122. 64 Bit input
    123. Initial permutation
    125. Figure 23-13 Permutation
    126. Details of Single Round: • uses two 32-bit L & R halves • as for any Feistel cipher can describe as: Li = Ri-1; Ri = Li-1 ⊕ F(Ri-1, Ki) • F takes the 32-bit R half and a 48-bit subkey: – expands R to 48 bits using permutation E – adds to the subkey using XOR – passes through 8 S-boxes to get a 32-bit result – finally permutes using the 32-bit permutation P
128. 128. Expansion Permutation E: the 32-bit right half is expanded to 48 bits (input bits 1, 4, 5, 8, 9, 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32 are each used twice) 128
    129. 129. Definition of DES S-Boxes 129
130. 130. S-Boxes • The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. • The first and last bits of the input to box Si form a 2-bit binary number that selects the row of the table for Si. • The middle four bits select one of the sixteen columns. 130
    131. 131. Example • For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). • The value in row 1, column 12 is 9, so the output is 1001. 131
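The row/column rule of the slides, plus the E expansion and the Feistel round formula Li = Ri–1, Ri = Li–1 ⊕ F(Ri–1, Ki), written out as an added Python example (not code from the slides). Only S1 of the eight DES S-boxes and the E table are taken from the DES specification; toy_f is an illustrative round function (not DES's F) used to show that a Feistel network is inverted by running the rounds backwards without ever inverting F.

```python
# Added example (not from the slides): DES S-box row/column selection, the
# E expansion (32 -> 48 bits) and a generic Feistel encrypt/decrypt pair.

# S1 table from FIPS 46-3: 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# E expansion table from FIPS 46-3: output bit k comes from input bit E[k] (1-based).
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

def sbox_lookup(box, six_bits):
    """Map a 6-bit input (0..63) to 4 bits: outer two bits pick the row,
    middle four bits pick the column (e.g. 011001 -> row 01, column 1100)."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]

def expand(r32):
    """Expansion permutation E: 32-bit integer -> 48-bit integer (bit 1 = MSB)."""
    out = 0
    for pos in E:
        out = (out << 1) | ((r32 >> (32 - pos)) & 1)
    return out

def toy_f(r32, k48):
    """Illustrative round function, NOT DES's F: expand, XOR the subkey, push
    the top 6 bits through S1 and fold the rest down to 32 bits."""
    x = expand(r32) ^ k48
    s = sbox_lookup(S1, x >> 42)
    return ((x >> 10) ^ (s << 28)) & 0xFFFFFFFF

def feistel_round(left, right, subkey, f):
    """L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    return right, left ^ f(right, subkey)

def feistel_round_inverse(left, right, subkey, f):
    """Undo one round: only F itself is needed, never an inverse of F."""
    return right ^ f(left, subkey), left

def feistel_encrypt(block64, subkeys, f=toy_f):
    left, right = block64 >> 32, block64 & 0xFFFFFFFF
    for k in subkeys:
        left, right = feistel_round(left, right, k, f)
    return (left << 32) | right

def feistel_decrypt(block64, subkeys, f=toy_f):
    left, right = block64 >> 32, block64 & 0xFFFFFFFF
    for k in reversed(subkeys):          # subkeys applied in reverse order
        left, right = feistel_round_inverse(left, right, k, f)
    return (left << 32) | right
```

sbox_lookup(S1, 0b011001) reproduces the slide's example (row 1, column 12, value 9). The round-trip through feistel_encrypt/feistel_decrypt holds for any F, which is exactly why DES decryption is the same algorithm with the subkey order reversed.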
    132. 132. S-Boxes 132
    134. 134. Key Generation 134
    135. 135. 64 bit input key 135
    136. 136. Permuted Choice One (PC-1) 136
    137. 137. Permuted Choice Two (PC-2) 137
    138. 138. Schedule of Left Shifts 138
139. 139. Avalanche Effect A small change in the plaintext or in the key results in a significant change in the cipher text. DES provides a strong avalanche effect: changing 1 bit in the plaintext affects 34 bits in the cipher text on average. 139
    140. 140. Avalanche Effect in DES 140
    141. 141. The Strength of DES • The use of 56 bit key • The Nature of the DES algorithm • Timing attacks 141
142. 142. The use of 56 bit key • With a key length of 56 bits, there are 2^56 possible keys. • A single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher. 142
143. 143. The Nature of the DES algorithm The eight S-boxes that are used in each iteration. 143
144. 144. Timing Attacks A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various cipher texts. 144
145. 145. Differential Cryptanalysis • Differential cryptanalysis is the first published attack that is capable of breaking DES in less than 2^55 encryptions. • A powerful method to analyse block ciphers
146. 146. Differential Cryptanalysis Differential cryptanalysis compares two related pairs of encryptions. It is feasible to determine the subkey used in the function f. The differential cryptanalysis attack is complex. 146
    147. 147. Differential Cryptanalysis Compares Pairs of Encryptions • with a known difference in the input • searching for a known difference in output • when same subkeys are used
148. 148. Linear Cryptanalysis • another recent development • also a statistical method • must be iterated over rounds, with decreasing probabilities • developed by Matsui in the early 90's • based on finding linear approximations • can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
149. 149. Linear Cryptanalysis For example, the following equation states that the XOR sum of the first and third plaintext bits (of a block cipher's block) and the first cipher text bit is equal to the second bit of the key: P1 ⊕ P3 ⊕ C1 = K2
    150. 150. Block Cipher Design • basic principles still like Feistel’s in 1970’s • number of rounds – more is better, exhaustive search best attack • function f: – provides “confusion”, is nonlinear, avalanche – have issues of how S-boxes are selected • key schedule – complex subkey creation, key avalanche
    151. 151. AES • DES finally proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. • The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001. 151
    152. 152. AES AES is a block cipher intended to replace DES for commercial applications. It uses a 128-bit block size. AES does not use a Feistel structure. 152
    153. 153. Evaluation Criteria for AES 153
154. 154. Security The minimum key size for AES is 128 bits; brute-force attacks with current and projected technology were considered impractical. 154
155. 155. COST The algorithm(s) specified in the AES shall be available on a worldwide, non-exclusive, royalty-free basis. 155
    156. 156. Computational efficiency Computational efficiency refers to the speed of the algorithm. 156
    157. 157. Memory requirement The memory required to implement a candidate algorithm for both hardware and software implementations of the algorithm will also be considered during the evaluation process. 157
    158. 158. Algorithm and implementation characteristics This category includes a variety of considerations, including flexibility; suitability for a variety of hardware and software implementations. 158
    159. 159. Key Agility Key agility refers to the ability to change keys quickly and with a minimum of resources. 159
    160. 160. The AES Cipher • The input to the encryption and decryption algorithms is a single 128-bit block. • This block is copied into the State array, which is modified at each stage of encryption or decryption. • After the final stage, State is copied to an output matrix. 160
    163. 163. AES 163
165. 165. Substitute Bytes Transformation • Replace each byte in the state array with its corresponding value from the S-Box 165
166. 166. Shift row transformation • The first row of State is not altered. • For the second row, a 1-byte circular left shift is performed. • For the third row, a 2-byte circular left shift is performed. • For the fourth row, a 3-byte circular left shift is performed. 166
    167. 167. Shift row transformation 167
    168. 168. Shift row transformation 168
    169. 169. Mix column Transformation • Apply mix column transformation to each column. 169
    170. 170. Mix column Transformation 170
    171. 171. Add Round Key • XOR each byte of the round key with its corresponding byte in the state array. 171
172. 172. AddRoundKey: each column of the State (S0,c … S3,c) is XORed with the corresponding column of the round key (R0,c … R3,c) to give the new column (S'0,c … S'3,c) 172
    173. 173. Key Expansion Algorithm • The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (176 bytes). • This is sufficient to provide a 4-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher. 173
175. 175. 1. Using this Playfair matrix encrypt this message: cryptography and network security 175
    176. 176. Answer 176 BGXQHWEGROKWLOSUADAWGIDLDQBPCW
177. 177. Example Given the plaintext {00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01}, I. Show the original contents of State, displayed as a 4 x 4 matrix. II. Show the value of the State array after the initial AddRoundKey. III. Show the value of the State array after SubBytes. IV. Show the value of the State array after ShiftRows. V. Show the value of the State array after MixColumns. 177
    178. 178. State array 178
    179. 179. State array after initial AddRoundKey 179
    180. 180. State array after Sub Bytes 180
    181. 181. State array after Shift Rows 181
    182. 182. State array after Mix Columns 182
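The exercise above worked through in code, as an added Python example that is not part of the slides: the State array is filled column by column, the S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine transformation) instead of being typed in, and the four round transformations are applied in the order the exercise asks for. The plaintext and key are the slide's values; the MixColumns test vector in the usage note is the one from FIPS-197.

```python
# Added example (not from the slides): AES State handling and the four round
# transformations applied to the exercise's plaintext/key.

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse: a^254 (a^255 = 1 for a != 0); 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def build_sbox():
    """S-box = affine transform of the inverse: s ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4 ^ 0x63."""
    box = []
    for v in range(256):
        s = x = gf_inv(v)
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF      # rotate left by one bit
            s ^= x
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()

def to_state(block16):
    """Column-major 4x4 State: State[r][c] = input[r + 4c]."""
    return [[block16[r + 4 * c] for c in range(4)] for r in range(4)]

def from_state(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))

def add_round_key(state, round_key):
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]

def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    """Row r is circularly shifted left by r bytes."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state):
    """Each column is multiplied by the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a = [state[r][c] for r in range(4)]
        out[0][c] = gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3]
        out[1][c] = a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3]
        out[2][c] = a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3)
        out[3][c] = gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)
    return out

def first_round_trace(plaintext16, key16):
    """Return the State after each step the exercise asks for (I to V)."""
    trace = {}
    st = to_state(plaintext16)
    trace["initial"] = st
    st = add_round_key(st, to_state(key16)); trace["after_add_round_key"] = st
    st = sub_bytes(st);   trace["after_sub_bytes"] = st
    st = shift_rows(st);  trace["after_shift_rows"] = st
    st = mix_columns(st); trace["after_mix_columns"] = st
    return trace

PLAINTEXT = bytes(range(16))       # 00 01 ... 0F, from the slide
KEY = bytes([0x01] * 16)           # 01 01 ... 01, from the slide

if __name__ == "__main__":
    for name, st in first_round_trace(PLAINTEXT, KEY).items():
        print(name)
        for row in st:
            print(" ".join(f"{b:02X}" for b in row))
```

Because the S-box is derived rather than copied, it can be checked against the known entries S(00) = 63, S(01) = 7C and S(53) = ED; mix_columns can be checked against the FIPS-197 column db 13 53 45 → 8e 4d a1 bc.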
183. 183. Example Consider the given key K and the plaintext, namely: in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F • in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 183
184. 184. A. Derive K1, the first-round subkey. B. Derive L0, R0. C. Expand R0 to get E[R0], where E[·] is the expansion function. D. Calculate A = E[R0] ⊕ K1. E. Group the 48-bit result of (D) into sets of 6 bits and evaluate the corresponding S-box substitutions. F. Concatenate the results of (E) to get a 32-bit result, B. G. Apply the permutation to get P(B). H. Calculate R1 = P(B) ⊕ L0. I. Write down the cipher text. 184
    185. 185. UNIT-II  Multiple Encryption and Triple DES  Block Cipher Modes of Operation  Stream cipher and RC4  Placement of Encryption function  Traffic confidentiality  Key Distribution  Principle of Public Key Cryptosystems  The RSA Algorithm  Key management  Diffie Hellman Key Exchange  Elliptic curve cryptography. 185
    186. 186. Multiple Encryption Multiple encryption is a technique in which an encryption algorithm is used multiple times. 186
187. 187. Double DES The simplest form of multiple encryption has two encryption stages and two keys. Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as C = E(K2, E(K1, P)) 187
    188. 188. Double DES 188
189. 189. Double DES • Decryption requires that the keys be applied in reverse order: P = D(K1, D(K2, C)) • This scheme apparently involves a key length of 56 x 2 = 112 bits, resulting in a dramatic increase in cryptographic strength 189
190. 190. Meet-in-the-middle attack • Given a known pair, (P, C), the attack proceeds as follows. • First, encrypt P for all 2^56 possible values of K1. Store these results, X = E(K1, P), in a table and then sort the table by the values of X. • Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match. 190
    191. 191. Meet-in-the-middle attack • If a match occurs, then test the two resulting keys against a new known plaintext-cipher text pair. • If the two keys produce the correct cipher text, accept them as the correct keys. 191
192. 192. Triple DES with Two Keys • Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys. • The function follows an encrypt-decrypt-encrypt (EDE) sequence: C = E(K1, D(K2, E(K1, P))) 192
    193. 193. Triple DES with Two Keys 193
    194. 194. Triple DES with Three Keys • Three-key 3DES has an effective key length of 168 bits and is defined as follows: • C = E(K3, D(K2, E(K1, P))) 194
195. 195. Block Cipher Modes of Operation • To apply a block cipher in a variety of applications, four "modes of operation" have been defined by NIST. • A mode of operation is a technique for enhancing the effect of a cryptographic algorithm for an application 195
    196. 196. Electronic Codebook (ECB) Each block of 64 plaintext bits is encrypted independently using the same key. 196
    197. 197. Electronic Codebook (ECB) 197
    198. 198. Limitation of ECB • The most significant characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the message, always produces the same cipher text. • For lengthy messages, the ECB mode may not be secure. 198
    199. 199. Typical Application • Secure transmission of single values (e.g., an encryption key) 199
200. 200. Cipher Block Chaining (CBC) • To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different cipher text blocks. • A simple way to satisfy this requirement is the cipher block chaining (CBC) mode. • The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of cipher text. 200
    201. 201. Cipher Block Chaining (CBC) 201
202. 202. Cipher Block Chaining (CBC) • use an Initial Vector (IV) to start the process: Ci = DES_K1(Pi XOR Ci–1), with C–1 = IV 202
    203. 203. Limitations of CBC • need Initialization Vector (IV) 203
    204. 204. Typical Application • General-purpose block-oriented transmission • Authentication 204
205. 205. Cipher Feedback (CFB) Input is processed j bits at a time. Preceding cipher text is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of cipher text. 205
    206. 206. Cipher Feedback (CFB) 206
    207. 207. Cipher Feedback (CFB) 207
208. 208. Limitation of CFB A possible problem is that if it is used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks. 208
209. 209. Typical Application • General-purpose stream-oriented transmission • Authentication 209
210. 210. Output Feedback (OFB) The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantages are that, firstly, they can be computed in advance, which is good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (e.g. satellite TV transmissions). 210
    211. 211. Output Feedback (OFB) 211
    212. 212. Typical Application • Stream-oriented transmission over noisy channel (e.g., satellite communication) 212
213. 213. Counter (CTR) Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block. 213
    214. 214. Counter (CTR) 214
215. 215. Advantages and Limitations of CTR • can do parallel encryptions in h/w or s/w • good for bursty high-speed links • provable security (as good as the other modes) • but the same key and counter value must never be reused
    216. 216. Typical Application • General-purpose block-oriented transmission • Useful for high-speed requirements 216
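The three modes whose properties the slides contrast (ECB repeating blocks, CBC chaining with an IV, CTR with its counter) implemented over one block cipher, as an added Python example that is not part of the slides. The 8-byte block cipher is a hash-based Feistel construction written only so the example runs without a crypto library; it stands in for DES and is not DES. The key, IV, nonce and message are constructed sample values. The last helper shows the CTR caveat from the slide: with a reused (key, counter) pair the XOR of two cipher texts equals the XOR of the two plaintexts.

```python
# Added example (not from the slides): ECB, CBC and CTR over a toy block cipher.
import hashlib

BLOCK = 8                      # toy block size in bytes (DES also uses 64-bit blocks)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):
    """Round function of the toy Feistel cipher: 4 bytes of SHA-256(key||round||half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(r, key, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(l, key, rnd)), l
    return l + r

def pad(data):                 # PKCS#7-style padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):      # every block encrypted independently with the same key
    return b"".join(block_encrypt(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(block_decrypt(key, b) for b in blocks(ct)))

def cbc_encrypt(key, iv, pt):  # C_i = E_K(P_i XOR C_{i-1}), C_{-1} = IV
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) XOR C_{i-1}
    out, prev = [], iv
    for b in blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def ctr_crypt(key, nonce4, data):
    """CTR: keystream block i = E_K(nonce || counter_i); encrypt and decrypt are the same call."""
    out = []
    for i, b in enumerate(blocks(data)):
        ks = block_encrypt(key, nonce4 + i.to_bytes(4, "big"))
        out.append(_xor(b, ks))
    return b"".join(out)

def ecb_leaks_repeats(key, pt):
    """True when equal plaintext blocks appear as equal cipher text blocks."""
    ct = blocks(ecb_encrypt(key, pt))
    return len(set(ct)) < len(ct)

def cbc_hides_repeats(key, iv, pt):
    ct = blocks(cbc_encrypt(key, iv, pt))
    return len(set(ct)) == len(ct)

def ctr_nonce_reuse_leak(key, nonce4, p1, p2):
    """With one (key, counter) pair used twice, C1 XOR C2 == P1 XOR P2 for an observer."""
    c1, c2 = ctr_crypt(key, nonce4, p1), ctr_crypt(key, nonce4, p2)
    return _xor(c1, c2) == _xor(p1, p2)

KEY = b"constructed-demo-key"              # constructed sample key
IV = bytes(range(8))                       # constructed sample IV
NONCE = b"\x00\x01\x02\x03"                # constructed sample CTR nonce
MSG = b"ATTACK AT DAWN! " * 4              # constructed message with repeated blocks
```

Running ecb_leaks_repeats(KEY, MSG) shows the ECB weakness from the slide (the repeated 16-byte phrase yields repeated cipher text blocks), cbc_hides_repeats(KEY, IV, MSG) shows the chaining fixing it, and ctr_nonce_reuse_leak demonstrates why a CTR nonce/counter must be unique per key.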
    217. 217. Stream Ciphers and RC4 217
218. 218. Stream Ciphers • A stream cipher encrypts plaintext one byte at a time. • A stream cipher may also be designed to operate on one bit at a time. 218
    219. 219. Stream Cipher Structure
    220. 220. Stream Cipher Structure 220
221. 221. Design considerations • a long period with no repetitions of the pseudorandom keystream. • the output of the pseudorandom number generator is conditioned on the value of the input key. • To protect against brute-force attacks, the key needs to be sufficiently long. 221
222. 222. RC4 Basics • A symmetric key encryption algorithm. • Invented by Ron Rivest. • Normally uses 64 bit and 128 bit key sizes. • Cryptographically very strong yet very easy to implement. • Consists of 2 parts: Key Scheduling Algorithm (KSA) & Pseudo-Random Generation Algorithm (PRGA)
223. 223. RC4 Block Diagram: the Secret Key is fed into RC4, which produces the Keystream; Plain Text + Keystream (XOR) gives the Encrypted Text
224. 224. RC4 – break-up • Initialize an array of 256 bytes. • Run the KSA on it. • Run the PRGA on the KSA output to generate the keystream. • XOR the data with the keystream.
225. 225. Array Initialization C Code: unsigned char S[256]; /* unsigned so that the values 128..255 fit */ int i; for (i = 0; i < 256; i++) S[i] = i; After this the array would look like this: S[] = { 0, 1, 2, 3, ……, 254, 255 }
226. 226. The KSA • The initialized array S[256] is now run through the KSA. The KSA uses the secret key to scramble the array. • C Code for KSA: int i, j = 0; for (i = 0; i < 256; i++) { j = (j + S[i] + key[i % key_len]) % 256; swap(S[i], S[j]); /* swap() exchanges the two bytes */ }
227. 227. The PRGA • The KSA-scrambled S[256] array is used to run the PRGA. This produces the actual keystream. • C Code: i = j = 0; while (output_bytes--) { i = (i + 1) % 256; j = (j + S[i]) % 256; swap(S[i], S[j]); output = S[(S[i] + S[j]) % 256]; /* one keystream byte */ }
228. 228. Encryption using RC4 • Choose a secret key • Run the KSA and PRGA using the key to generate a keystream. • XOR the keystream with the data to generate the encrypted stream. • Transmit the encrypted stream.
229. 229. Decryption using RC4 • Use the same secret key as during the encryption phase. • Generate the keystream by running the KSA and PRGA. • XOR the keystream with the encrypted text to recover the plain text. • The logic is simple: (A xor B) xor B = A, where A = Plain Text or Data and B = KeyStream
    230. 230. RC4 Example • Simple 4-byte example • S = {0, 1, 2, 3} • K = {1, 7, 1, 7} • Set i = j = 0
    231. 231. KSA First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3} Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}): j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4) Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
    232. 232. KSA Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3 Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2} Fourth Iteration (i = 3, j = 3, S = {0, 1, 3, 2}): j = (j + S[ i ] + K[ i ]) = (3 + 2 + 7) = 0 (mod 4) Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}
    233. 233. PRGA Reset i = j = 0, Recall S = {2, 1, 3, 0} i = i + 1 = 1 j = j + S[ i ] = 0 + 1 = 1 Swap S[ i ] and S[ j ]: S = {2, 1, 3, 0} Output z = S[ S[ i ] + S[ j ] ] = S[2] = 3
234. 234. Analysis of RC4 • Advantages – Faster than DES – Enormous key space (average of 1700 bits) • Disadvantages – Large number of “weak” keys (1 in 256) – “Weak” keys can be detected and exploited with a high probability
    235. 235. Placement of Encryption function If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located. 235
    236. 236. Confidentiality using Symmetric Encryption • traditionally symmetric encryption is used to provide message confidentiality
    237. 237. Placement of Encryption • link encryption • end-to-end encryption 237
238. 238. Link encryption Link encryption is an approach in which all data are encrypted and decrypted at each end of a communications line 238
239. 239. End-to-end encryption The encryption process is carried out at the two end systems 239
    240. 240. Placement of Encryption
241. 241. Placement of Encryption With end-to-end encryption, user data are secure, but the traffic pattern is not, because packet headers are transmitted in the clear. To achieve greater security, both link and end-to-end encryption are needed.
    242. 242. Placement of Encryption • can place encryption function at various layers in OSI Reference Model – link encryption occurs at layers 1 or 2 – end-to-end can occur at layers 3, 4, 6, 7
    243. 243. Front-End Processor Function 243
    245. 245. Traffic Confidentiality Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom. 245
    246. 246. Information that can be derived from a traffic analysis attack: • Identities of partners • How frequently the partners are communicating • Message pattern, message length, or quantity of messages that suggest important information is being exchanged 246
    247. 247. Link Encryption Approach Network-layer headers are encrypted, reducing the opportunity for traffic analysis. However, it is still possible to observe the amount of traffic entering and leaving each end system. 247
    248. 248. Traffic-Padding Encryption Device • Traffic padding produces cipher text output continuously, even in the absence of plaintext. 248
    249. 249. Traffic-Padding Encryption Device 249
    250. 250. Traffic-Padding Encryption Device • A continuous random data stream is generated. • When plaintext is available, it is encrypted and transmitted. • When input plaintext is not present, random data are encrypted and transmitted. • This makes it impossible for an attacker to distinguish between true data flow and padding 250
251. 251. End-to-End Encryption Approach • If encryption is implemented at the application layer, then an opponent can determine which transport entities are engaged in a dialogue. • In addition, null messages can be inserted randomly into the stream. These tactics deny an opponent knowledge about the amount of data exchanged between end users and make it difficult to infer the underlying traffic pattern. 251
    252. 252. Key Distribution 252
253. 253. Key Distribution Given parties A and B, there are various key distribution alternatives: 1. A can select a key and physically deliver it to B 2. A third party can select & deliver the key to A & B 3. If A & B have communicated previously, they can use the previous key to encrypt a new key 4. If A & B have secure communications with a third party C, C can relay a key between A & B
    254. 254. Session key • Session keys can also be termed temporary keys or one-time use keys. Usually after a session, these keys are discarded and not used again. • Communication between end systems is encrypted using session key. 254
    255. 255. Master key • session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user. 255
    256. 256. The Use of a Key Hierarchy 256
    257. 257. Key Distribution Scenario
258. 258. Key Distribution Scenario • A issues a request to the KDC for a session key to protect a logical connection to B. • The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC 258
    259. 259. Key Distribution Scenario • A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. • B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). 259
    260. 260. Key Distribution Scenario • Using the newly minted session key for encryption, B sends a nonce, N2, to A. • Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one). 260
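The KDC scenario of the last three slides simulated end to end, as an added Python example that is not part of the slides: A asks the KDC for a session key, the KDC answers under Ka with Ks and a ticket E(Kb, [Ks || IDA]), A forwards the ticket to B, B challenges A with a nonce N2 under Ks, and A answers f(N2) = N2 + 1. The symmetric cipher here (SHA-256 keystream plus HMAC tag) is an illustrative construction so the example runs without a crypto library; the request nonce N1 that A includes so it can match the KDC's reply to its request, and the one-byte identifiers "A" and "B", are assumptions of this example. The master keys are constructed sample values.

```python
# Added example (not from the slides): a KDC session-key exchange with nonces.
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    """Expand key||nonce into `length` bytes with SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def enc(key, msg):
    """Toy authenticated encryption: XOR with a keystream, then HMAC nonce||ciphertext."""
    nonce = os.urandom(8)
    ct = bytes(m ^ k for m, k in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def f(nonce):
    """The slides' transformation of a nonce: add one (mod 2^64)."""
    return ((int.from_bytes(nonce, "big") + 1) % 2**64).to_bytes(8, "big")

class KDC:
    """Holds the master key shared with each end system."""
    def __init__(self, master_keys):
        self.master_keys = master_keys

    def session_key_reply(self, id_a, id_b, n1):
        ks = os.urandom(16)                                 # fresh session key Ks
        ticket = enc(self.master_keys[id_b], ks + id_a)     # E(Kb, [Ks || IDA])
        # E(Ka, [Ks || IDB || N1 || ticket]): only A can read it, N1 ties it to A's request
        return enc(self.master_keys[id_a], ks + id_b + n1 + ticket)

KA = b"constructed-Ka!!"     # master key A shares with the KDC (constructed)
KB = b"constructed-Kb!!"     # master key B shares with the KDC (constructed)

def run_exchange(kdc, ka, kb):
    """Drive the exchange; returns True when A and B end up holding the same Ks."""
    id_a, id_b = b"A", b"B"
    n1 = os.urandom(8)
    # (1)-(2): A requests a session key for B; the reply is readable by A alone
    reply = dec(ka, kdc.session_key_reply(id_a, id_b, n1))
    ks_a, peer, n1_echo, ticket = reply[:16], reply[16:17], reply[17:25], reply[25:]
    if peer != id_b or n1_echo != n1:
        raise ValueError("KDC reply does not match A's request")
    # (3): A forwards the ticket; B learns Ks and that the other party is A
    t = dec(kb, ticket)
    ks_b, id_from_ticket = t[:16], t[16:]
    if id_from_ticket != id_a:
        raise ValueError("ticket does not name A")
    # (4)-(5): B challenges A with N2 under Ks; A proves possession of Ks with f(N2)
    n2 = os.urandom(8)
    challenge = enc(ks_b, n2)
    response = enc(ks_a, f(dec(ks_a, challenge)))
    if dec(ks_b, response) != f(n2):
        raise ValueError("A failed the nonce challenge")
    return ks_a == ks_b

if __name__ == "__main__":
    print("exchange succeeded:", run_exchange(KDC({b"A": KA, b"B": KB}), KA, KB))
```

The checks on N1, on the identifier inside the ticket and on f(N2) are what give each party the assurances the slides list: A knows the reply is fresh and from the KDC, B knows the ticket was minted for a conversation with A, and B knows its correspondent actually holds Ks.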
261. 261. Hierarchical Key Control 261
262. 262. Hierarchical Key Control • It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established. • If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC. 262
    263. 263. Decentralized Key Control 263
    264. 264. Decentralized Key Control 1. A issues a request to B for a session key and includes a nonce, N1 2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N1), and another nonce, N2. 3. Using the new session key, A returns f(N2) to B. 264
    265. 265. Principles of Public-Key Cryptosystems 265
    266. 266. Private-Key Cryptography • traditional private/secret/single key cryptography uses one key • shared by both sender and receiver • if this key is disclosed communications are compromised • does not support authentication 266
267. 267. Public-Key Cryptography • Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one a public key and one a private key. It is also known as public-key encryption. • Asymmetric encryption transforms plaintext into cipher text using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the cipher text. • Asymmetric encryption can be used for confidentiality, authentication, or both. 267
    268. 268. Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures 268
269. 269. Principles of Public-Key Cryptosystems • The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption: • Key distribution • Lack of support for data authentication 269
270. 270. Confidentiality using Public-Key System 270
271. 271. Encryption • Each user generates a pair of keys to be used for the encryption and decryption of messages. • Each user places one of the two keys in a public register. This is the public key. • The companion key is kept private. 271
    272. 272. Encryption • If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public key. • When Alice receives the message, she decrypts it using her private key. • No other recipient can decrypt the message because only Alice knows Alice's private key. 272
273. 273. Authentication using Public-Key System 273
274. 274. Difference between Symmetric Encryption and Asymmetric Encryption
Symmetric encryption | Asymmetric encryption
Symmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the same key. | Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one is a public key and the other is a private key.
It is also known as secret-key encryption. | It is also known as public-key encryption.
Symmetric encryption can be used for confidentiality. | Asymmetric encryption can be used for confidentiality, authentication, or both.
The most widely used symmetric-key cryptosystems are transposition and substitution. | The most widely used public-key cryptosystem is RSA.
274
    275. 275. Public-Key Cryptosystem: Secrecy 275
    276. 276. Public-Key Cryptosystem: Secrecy • With the message X and the encryption key PUb as input, A forms the cipher text Y = [Y1, Y2,..., YN]: • Y = E(PUb, X) • The intended receiver, in possession of the matching private key, is able to invert the transformation: • X = D(PRb, Y) 276
    277. 277. Public-Key Cryptosystem: Authentication 277
    278. 278. Public-Key Cryptosystem: Authentication and Secrecy 278
    279. 279. Applications for Public-Key Cryptosystems • Encryption/decryption • Digital signature • Key exchange 279
280. 280. Requirements for Public-Key Cryptography 1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb). 2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding cipher text: C = E(PUb, M) 3. It is computationally easy for the receiver B to decrypt the resulting cipher text using the private key to recover the original message: M = D(PRb, C) = D[PRb, E(PUb, M)] 280
281. 281. Requirements for Public-Key Cryptography 4. It is computationally infeasible for an opponent, knowing the public key, PUb, to determine the private key, PRb. 5. It is computationally infeasible for an opponent, knowing the public key, PUb, and a cipher text, C, to recover the original message, M. 281
    282. 282. The RSA Algorithm 282
    283. 283. Our dramatis personae Rivest Shamir Adleman 283
284. 284. The RSA Algorithm The RSA algorithm was developed by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978. The RSA scheme is a block cipher in which the plaintext and cipher text are integers between 0 and n. 284
285. 285. RSA Public Key Cryptosystem: Alice obtains Bob's public key (e, n) from a public key directory (yellow/white pages) and sends the cipher text c = m^e mod n over the network; Bob recovers the plain text m = c^d mod n using his secret key d
286. 286. The RSA Algorithm – Key Generation 1. Select p, q (p and q both prime) 2. Calculate n = p × q 3. Calculate Φ(n) = (p – 1)(q – 1) 4. Select integer e such that gcd(Φ(n), e) = 1 and 1 < e < Φ(n) 5. Calculate d = e^(–1) mod Φ(n) 6. Public key KU = {e, n} 7. Private key KR = {d, n} 286
287. 287. The RSA Algorithm – Encryption • Plaintext: M < n • Ciphertext: C = M^e mod n 287
288. 288. The RSA Algorithm – Decryption • Ciphertext: C • Plaintext: M = C^d mod n 288
289. 289. Example Select two prime numbers, p = 17 and q = 11. Calculate n = pq = 17 x 11 = 187. Calculate Φ(n) = (p – 1)(q – 1) = 16 x 10 = 160. Select e such that e is relatively prime to Φ(n) = 160 and less than Φ(n); we choose e = 7 289
290. 290. Example Calculate d using the formula d = (1 + X × Φ(n)) / e, trying X = 0, 1, … until d is an integer: X = 0: d = (1 + 0 × 160) / 7 = 0.143; X = 1: d = (1 + 1 × 160) / 7 = 23. Hence d = 23 290
    291. 291. Example PU={e, n} PR={d , n} The resulting keys are public key PU = {7,187} private key PR = {23,187}. 291
292. 292. Encryption Ciphertext: C = M^e mod n; C = 88^7 mod 187 = 11 292
293. 293. Decryption Plaintext: M = C^d mod n; M = 11^23 mod 187 = 88 293
    294. 294. The RSA Algorithm 294
    295. 295. The RSA Algorithm 295
    296. 296. The RSA Algorithm 296
    297. 297. Example perform the Encryption and decryption for p =7, q = 11, e = 17 and m = 8 297
298. 298. Key generation Calculate n = pq = 7 x 11 = 77. Calculate Φ(n) = (p – 1)(q – 1) = 6 x 10 = 60. Calculate d using the formula d = (1 + X × Φ(n)) / e: X = 0: d = (1 + 0 × 60) / 17 = 0.0588; X = 1: d = (1 + 1 × 60) / 17 = 3.58; X = 2: d = (1 + 2 × 60) / 17 = 7.11; X = 3: d = (1 + 3 × 60) / 17 = 10.64 298
299. 299. Key generation X = 4: d = (1 + 4 × 60) / 17 = 14.17; X = 5: d = (1 + 5 × 60) / 17 = 17.70; X = 6: d = (1 + 6 × 60) / 17 = 21.23; X = 7: d = (1 + 7 × 60) / 17 = 24.76; X = 8: d = (1 + 8 × 60) / 17 = 28.29; X = 9: d = (1 + 9 × 60) / 17 = 31.82; X = 10: d = (1 + 10 × 60) / 17 = 35.35 299
300. 300. Key generation X = 11: d = (1 + 11 × 60) / 17 = 38.88; X = 12: d = (1 + 12 × 60) / 17 = 42.41; X = 13: d = (1 + 13 × 60) / 17 = 45.94; X = 14: d = (1 + 14 × 60) / 17 = 49.47; X = 15: d = (1 + 15 × 60) / 17 = 53 (an integer, so d = 53) 300
301. 301. Key generation PU = {e, n}, PR = {d, n}. The resulting keys are public key PU = {17, 77} and private key PR = {53, 77}. 301
302. 302. Encryption Ciphertext: C = M^e mod n; C = 8^17 mod 77 = 57 302
303. 303. Decryption Plaintext: M = C^d mod n; M = 57^53 mod 77 = 8 303
304. 304. The Security of RSA Brute force: This involves trying all possible private keys. Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes. Timing attacks: These depend on the running time of the decryption algorithm. Chosen cipher text attacks: This type of attack makes use of properties of the RSA algorithm. 304
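Both worked examples of the slides (p = 17, q = 11, e = 7 and p = 7, q = 11, e = 17) run through the key generation, encryption and decryption steps, as an added Python example that is not part of the slides. d is computed two ways: by the slides' search over X in d = (1 + X × Φ(n)) / e, and by the modular inverse (Python 3.8+ `pow(e, -1, phi)`), and the two are checked to agree.

```python
# Added example (not from the slides): RSA key generation, encryption, decryption.
from math import gcd

def phi_of(p, q):
    """Euler's totient of n = p*q for primes p, q."""
    return (p - 1) * (q - 1)

def d_by_search(e, phi):
    """The slides' method: try X = 0, 1, ... until (1 + X*phi) is divisible by e.
    Because d < phi, X < e, so at most e candidates need checking."""
    for x in range(e):
        if (1 + x * phi) % e == 0:
            return (1 + x * phi) // e
    raise ValueError("e and phi(n) are not coprime, no d exists")

def d_by_inverse(e, phi):
    """Same value via the extended Euclidean algorithm (pow with exponent -1)."""
    return pow(e, -1, phi)

def keygen(p, q, e):
    """Return (public key {e, n}, private key {d, n}) after validating e."""
    n = p * q
    phi = phi_of(p, q)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = d_by_inverse(e, phi)
    if d != d_by_search(e, phi):           # both routes must give the same d
        raise AssertionError("inconsistent private exponent")
    return (e, n), (d, n)

def encrypt(pub, m):
    """C = M^e mod n; the plaintext block must lie below the modulus."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must be in [0, n)")
    return pow(m, e, n)

def decrypt(priv, c):
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)

if __name__ == "__main__":
    for p, q, e, m in ((17, 11, 7, 88), (7, 11, 17, 8)):
        pub, priv = keygen(p, q, e)
        c = encrypt(pub, m)
        print(f"PU={pub} PR={priv}  M={m} -> C={c} -> M={decrypt(priv, c)}")
```

The toy moduli are for following the arithmetic only; pow(m, e, n) is the modular exponentiation that the slides write as M^e mod n.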
    305. 305. Key Management One of the major roles of public-key encryption has been to address the problem of key distribution. • The distribution of public keys • Distribution of secret keys using public key 305
    306. 306. Distribution of Public Keys • Public announcement • Publicly available directory • Public-key authority • Public-key certificates 306
    307. 307. Public Announcement of Public Keys • any participant can send his or her public key to any other participant or broadcast the key to the community at large. 307
    308. 308. Public Announcement of Public Keys 308
309. 309. Example • For example, USENET is a public forum in which anybody can post a message and read messages. • It has a major weakness: • some user could pretend to be user A and send a public key to another participant. 309
    310. 310. Publicly Available Directory • can obtain greater security by registering keys with a public directory • The authority maintains a directory with a {name, public key} entry for each participant. • Each participant registers a public key with the directory authority. • A participant may replace the existing key with a new one at any time. • Participants could also access the directory electronically. 310
    311. 311. Publicly Available Directory 311
    312. 312. Public-Key Authority Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory. 312
    313. 313. Public-Key Authority 313
314. 314. Public-Key Authority 1. A sends a timestamped message to the public-key authority containing a request for the current public key of B. 2. The authority responds with a message that is encrypted using the authority's private key, PRauth. Thus, A is able to decrypt the message using the authority's public key. The message includes the following: ● B's public key, PUb, which A can use to encrypt messages destined for B ● The original request, to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority ● The original timestamp, so A can determine that this is not an old message from the authority. 314
315. 315. Public-Key Authority 3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely. 4, 5. B retrieves A's public key from the authority in the same manner as A retrieved B's public key. At this point, public keys have been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable: 6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B. 7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A. 315
Public-Key Certificates
316
Public-Key Certificates
• Any participant can read a certificate to determine the name and public key of the certificate's owner.
• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit.
• Only the certificate authority can create and update certificates.
317
Distribution of Secret Keys Using Public-Key Cryptography
• Simple Secret Key Distribution
• Secret Key Distribution with Confidentiality and Authentication
318
Simple Secret Key Distribution
319
Simple Secret Key Distribution
1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA.
2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key.
320
Simple Secret Key Distribution
3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks.
4. A discards PUa and PRa and B discards PUa.
321
Man-in-the-middle attack
1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA.
2. E captures the message, creates its own public/private key pair {PUe, PRe} and transmits PUe || IDA to B.
322
Man-in-the-middle attack
3. B generates a secret key, Ks, and transmits E(PUe, Ks).
4. E captures the message, and learns Ks by computing D(PRe, E(PUe, Ks)).
5. E transmits E(PUa, Ks) to A.
323
Secret Key Distribution with Confidentiality and Authentication
324
1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely.
2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B.
325
3. A returns N2, encrypted using B's public key, to assure B that its correspondent is A.
4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it.
5. B computes D(PUa, D(PRb, M)) to recover the secret key.
326
Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages.
327
Primitive roots
p is a prime number. a is a primitive root of p if it satisfies the following condition:
a mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p-1 in some permutation.
328
Primitive roots
3 is a primitive root of 5 (a = 3, p = 5):
i | a^i | a^i mod 5
1 | 3 | 3
2 | 9 | 4
3 | 27 | 2
4 | 81 | 1
329
Primitive roots
4 is not a primitive root of 5 (a = 4, p = 5):
i | a^i | a^i mod 5
1 | 4 | 4
2 | 16 | 1
3 | 64 | 4
4 | 256 | 1
330
The Diffie-Hellman Key Exchange Algorithm
331
Diffie-Hellman Example
Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7.
i) If user A has private key XA = 5, what is A's public key YA?
ii) If user B has private key XB = 12, what is B's public key YB?
iii) What is the shared secret key?
337
Diffie-Hellman Example
YA = a^XA mod q = 7^5 mod 71 = 51
YB = a^XB mod q = 7^12 mod 71 = 4
338
Diffie-Hellman Example
Ks = YB^XA mod q = 4^5 mod 71 = 30
Ks = YA^XB mod q = 51^12 mod 71 = 30
339
Diffie-Hellman Example
Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2.
I. Show that 2 is a primitive root of 11.
II. If user A has public key YA = 9, what is A's private key XA?
III. If user B has public key YB = 3, what is the shared secret key K, shared with A?
340
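The primitive-root test and the two Diffie-Hellman exercises above, worked in code. This is an added example for these slides, not code from the slides or from any library. It checks primitive roots exactly as the slides define them (the powers a^1 .. a^(p-1) mod p must be a permutation of 1 .. p-1), reproduces the q = 71 computation, and solves the q = 11 exercise by exhaustive discrete logarithm, which only works because q is tiny; the infeasibility of that search for large q is what the key exchange relies on.

```python
"""Primitive roots and the Diffie-Hellman computations from the slides."""


def power_table(a, p):
    """Rows (i, a^i, a^i mod p) for i = 1..p-1, as laid out on the primitive-root slides."""
    return [(i, a ** i, pow(a, i, p)) for i in range(1, p)]


def is_primitive_root(a, p):
    """a is a primitive root of prime p iff a^1..a^(p-1) mod p hit every value 1..p-1 once."""
    return sorted(pow(a, i, p) for i in range(1, p)) == list(range(1, p))


def dh_public(a, q, x):
    """Y = a^x mod q (the value each party publishes)."""
    return pow(a, x, q)


def dh_shared(a, q, x_own, y_peer):
    """K = Y_peer^x_own mod q; both parties obtain the same value."""
    return pow(y_peer, x_own, q)


def discrete_log(a, q, y):
    """Smallest x with a^x mod q == y, by exhaustive search (feasible only for tiny q)."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    raise ValueError("no discrete log found")


def exercise_71():
    """Slide exercise: q = 71, a = 7, XA = 5, XB = 12 -> (YA, YB, K)."""
    q, a, xa, xb = 71, 7, 5, 12
    ya, yb = dh_public(a, q, xa), dh_public(a, q, xb)
    k_a, k_b = dh_shared(a, q, xa, yb), dh_shared(a, q, xb, ya)
    assert k_a == k_b  # both derivations must agree
    return ya, yb, k_a


def exercise_11():
    """Slide exercise: q = 11, a = 2, YA = 9, YB = 3 -> (2 is primitive?, XA, K)."""
    q, a, ya, yb = 11, 2, 9, 3
    xa = discrete_log(a, q, ya)          # recover A's private key from YA (tiny q only)
    return is_primitive_root(a, q), xa, dh_shared(a, q, xa, yb)


if __name__ == "__main__":
    for row in power_table(3, 5):
        print(row)
    print(exercise_71(), exercise_11())
```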
Elliptic Curve Cryptography
Elliptic curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys.
341
Elliptic Curve Cryptography
ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers.
342
Elliptic Curve Cryptography
• ECC requires a significantly smaller key size for the same level of security.
• Benefits of smaller key sizes: faster computations, less storage space.
• ECC is ideal for constrained environments: pagers; PDAs; cellular phones; smart cards.
343
Elliptic curve
• Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse.
• An elliptic curve is the set of points (x, y) for which
• y^2 = x^3 + ax + b
for certain chosen numbers a and b.
344
Elliptic curve
345
ECC Diffie-Hellman Key Exchange
346
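Point arithmetic on y^2 = x^3 + ax + b and the ECC Diffie-Hellman exchange, as an added example for these slides (not code from the slides or from any library). The curve y^2 = x^3 + 2x + 2 over GF(17) with generator G = (5, 1) is a constructed toy whose group has 19 points; real ECDH uses standardised curves and a vetted library, but the add, double and multiply steps are the same ones shown here.

```python
"""Elliptic-curve point arithmetic and ECDH over a small prime field (toy parameters)."""

P, A, B = 17, 2, 2      # constructed curve y^2 = x^3 + 2x + 2 over GF(17)
G = (5, 1)              # generator; the group it generates has 19 points
INF = None              # point at infinity, the group identity


def on_curve(pt):
    """True if pt satisfies the curve equation (the identity counts as on the curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1, p2):
    """Chord-and-tangent addition, covering doubling and the P + (-P) = O case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                            # inverse points
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P    # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P         # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add (not constant time; adequate for a classroom demo)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_demo(d_a=3, d_b=7):
    """Each side multiplies the other's public point by its own private scalar."""
    q_a, q_b = scalar_mult(d_a, G), scalar_mult(d_b, G)   # public points
    s_a, s_b = scalar_mult(d_a, q_b), scalar_mult(d_b, q_a)   # shared point, both sides
    return q_a, q_b, s_a, s_b


if __name__ == "__main__":
    print([scalar_mult(k, G) for k in range(1, 20)])
    print(ecdh_demo())
```

With d_a = 3 and d_b = 7 both sides arrive at 21G, which equals 2G = (6, 3) because the group order is 19.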
UNIT-III
351
Contents
 Message Authentication and Hash functions
 Authentication requirements
 Authentication functions
 Message Authentication codes and Hash functions
 Security of hash functions and MACs
 Secure Hash Algorithm
 Whirlpool
 HMAC and CMAC
 Digital Signatures
 Authentication protocols
 Digital signature standard
 Kerberos
 X.509 Authentication Service
 Public Key Infrastructure
352
Authentication requirements
 disclosure
 traffic analysis
 masquerade
 content modification
 sequence modification
 timing modification
 source repudiation
 destination repudiation
353
Authentication Functions
Message encryption: The ciphertext of the entire message serves as its authenticator.
Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.
354
Basic Uses of Message Encryption
355
Internal Error Control
359
External Error Control
360
Message Authentication Codes
A message authentication code (often MAC) is a short piece of information used to authenticate a message.
361
Message Authentication Codes
MAC = C(K, M)
M = input message
C = MAC function
K = shared secret key
MAC = message authentication code
362
Basic Uses of Message Authentication Code
363
Requirements for MACs
1. Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
2. MACs should be uniformly distributed.
3. The MAC should depend equally on all bits of the message.
366
Data Authentication Algorithm
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
– using IV = 0 and zero-padding of the final block
– encrypt the message using DES in CBC mode
– and send just the final block as the MAC
• or the leftmost M bits (16 ≤ M ≤ 64) of the final block
• but the final MAC is now too small for security
367
Data Authentication Algorithm
368
Hash Function
A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). The hash code is also referred to as a message digest or hash value.
A hash value h is generated by a function H of the form h = H(M).
369
Basic Uses of Hash Function
370
Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h, it is infeasible to find x s.t. H(x) = h
• one-way property
376
Weak collision resistance
Given an input m1, it should be difficult to find another input m2, where m1 != m2, such that H(m1) = H(m2).
377
Strong collision resistance
It should be difficult to find two different messages m1 and m2 such that H(m1) = H(m2).
378
Hash Functions & MAC Security
• like block ciphers have:
• brute-force attacks exploiting
– strong collision resistance: hash has cost 2^(m/2)
• have proposal for h/w MD5 cracker
• 128-bit hash looks vulnerable, 160 bits better
– MACs with known message-MAC pairs
• can either attack keyspace (cf. key search) or MAC
• at least 128-bit MAC is needed for security
379
Hash Functions & MAC Security
• cryptanalytic attacks exploit structure
– like block ciphers, want brute-force attacks to be the best alternative
• have a number of analytic attacks on iterated hash functions
– CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N
– typically focus on collisions in function f
– like block ciphers, is often composed of rounds
– attacks exploit properties of round functions
380
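The 2^(m/2) brute-force cost quoted above can be observed directly. This is an added example for these slides, not code from the slides: SHA-256 truncated to m = 24 bits stands in for a short digest, and a generic birthday search over constructed counter messages finds a collision after about 2^12 = 4096 trials rather than the 2^24 a preimage search would need. This is the reason the slides call 128-bit digests vulnerable and ask for longer MACs.

```python
"""Birthday-bound collision search on a truncated hash (added example)."""
import hashlib


def truncated_hash(data, bits):
    """Leftmost `bits` bits of SHA-256(data), as an integer; stands in for an m-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def birthday_bound(bits):
    """Expected number of trials for a generic collision: 2^(m/2)."""
    return 2 ** (bits / 2)


def find_collision(bits, limit=None):
    """Hash constructed messages msg-0, msg-1, ... until two share a truncated hash.

    Returns (trials, m1, m2) with m1 != m2 and equal truncated hashes, or None
    if the limit is reached first. The table of seen values is what makes the
    search cost 2^(m/2) rather than 2^m.
    """
    seen = {}
    limit = limit or (1 << bits)
    for i in range(limit):
        msg = b"msg-%d" % i            # constructed input, deterministic run
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None


if __name__ == "__main__":
    trials, m1, m2 = find_collision(24)
    print(f"collision after {trials} trials (bound {birthday_bound(24):.0f}): {m1} {m2}")
```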
Secure Hash Algorithms
The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard in 1993.
381
Types of SHA
1. SHA-0
2. SHA-1
3. SHA-224
4. SHA-256
5. SHA-384
6. SHA-512
382
Comparisons
| | SHA-1 | SHA-256 | SHA-384 | SHA-512 |
| Message digest size (bits) | 160 | 256 | 384 | 512 |
| Message size (bits) | < 2^64 | < 2^64 | < 2^128 | < 2^128 |
| Block size (bits) | 512 | 512 | 1024 | 1024 |
| Word size (bits) | 32 | 32 | 64 | 64 |
| Number of steps | 80 | 64 | 80 | 80 |
383
SHA-512
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.
• The input is processed in 1024-bit blocks.
384
SHA-512 Logic
Padding is the addition of one or more extra bits to a transmission.
385
Message Digest Generation Using SHA-512
386
Message Digest Generation Using SHA-512
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash buffer.
Step 4: Process message in 1024-bit (128-word) blocks.
387
Processing of a Single 1024-Bit Block
388
Processing of a Single 1024-Bit Block
• A 512-bit buffer is used to hold intermediate and final results of the hash function.
• The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
• These registers are initialized to default hexadecimal values.
389
a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
d = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CD19137E2179
390
SHA-512 Processing of a Single 1024-Bit Block
• Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the buffer.
391
H_0 = IV
H_i = SUM64(H_{i-1}, abcdefgh_i)
MD = H_N
392
• where IV = initial value of the abcdefgh buffer
• abcdefgh_i = the output of the last round of processing of the ith message block
• N = the number of blocks in the message (including padding and length fields)
• SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs
• MD = final message digest value
393
SHA-512 Round Function
394
Creation of 80-word Input Sequence for SHA-512 Processing of Single Block
400
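The four steps, the buffer initialisation, the 80-word input sequence and the SUM64 chaining described above, assembled into a working SHA-512. This is an added example for these slides, not code from the slides or from hashlib (hashlib is used only to check the result). The initial buffer values and the 80 round constants are computed here from the fractional parts of the square and cube roots of the first primes, which is how FIPS 180-4 defines them; the computed a..h values match the slide's table.

```python
"""SHA-512 from the slides' building blocks, checked against hashlib (added example)."""
import hashlib
from math import isqrt

MASK64 = (1 << 64) - 1


def first_primes(n):
    """The first n primes by trial division (n is small here)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes if p * p <= c):
            primes.append(c)
        c += 1
    return primes


def icbrt(n):
    """Exact integer cube root floor(n^(1/3)) by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


PRIMES = first_primes(80)
# Step 3 values (a..h): first 64 fractional bits of sqrt(p) for the first 8 primes.
H_INIT = [isqrt(p << 128) & MASK64 for p in PRIMES[:8]]
# Round constants K[0..79]: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [icbrt(p << 192) & MASK64 for p in PRIMES]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def pad(message):
    """Steps 1-2: a single 1 bit, zeros up to 896 mod 1024 bits, then the 128-bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + (len(message) * 8).to_bytes(16, "big")


def schedule(block):
    """Expand one 1024-bit block into the 80-word input sequence W[0..79]."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    return w


def compress(h_prev, block):
    """Step 4: 80 rounds on the abcdefgh buffer, then H_i = SUM64(H_{i-1}, abcdefgh_i)."""
    a, b, c, d, e, f, g, h = h_prev
    w = schedule(block)
    for t in range(80):
        s1 = rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (h + s1 + ch + K[t] + w[t]) & MASK64
        s0 = rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (s0 + maj) & MASK64
        h, g, f, e = g, f, e, (d + t1) & MASK64
        d, c, b, a = c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(h_prev, (a, b, c, d, e, f, g, h))]


def sha512_hex(message):
    """Whole digest: H_0 = IV, one compress() per block, MD = H_N."""
    state = H_INIT
    padded = pad(message)
    for i in range(0, len(padded), 128):
        state = compress(state, padded[i:i + 128])
    return "".join(word.to_bytes(8, "big").hex() for word in state)


def matches_hashlib(message):
    """Cross-check against the standard library implementation."""
    return sha512_hex(message) == hashlib.sha512(message).hexdigest()


if __name__ == "__main__":
    print(sha512_hex(b"abc"), matches_hashlib(b"abc"))
```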
Whirlpool
• Whirlpool is based on the use of a block cipher for the compression function.
• It takes a message of any length less than 2^256 bits and returns a 512-bit message digest.
403
Features
• The hash code length is 512 bits.
• The underlying block cipher is based on AES.
404
Whirlpool Hash Structure
405
Message Digest Generation Using Whirlpool
406
Whirlpool Overview
Step 1: Append padding bits.
Step 2: Append length.
Step 3: Initialize hash matrix.
Step 4: Process message in 512-bit (64-byte) blocks, using as its core the block cipher W.
407
Whirlpool Overview
408
Comparison of Whirlpool Block Cipher W and AES
| | W | AES |
| Block size (bits) | 512 | 128 |
| Key size (bits) | 512 | 128, 192, or 256 |
| Matrix orientation | Input is mapped row-wise | Input is mapped column-wise |
| Number of rounds | 10 | 10, 12, or 14 |
409
Whirlpool Block Cipher W
410
Whirlpool Block Cipher W
The encryption algorithm takes a 512-bit block of plaintext and a 512-bit key as input and produces a 512-bit block of ciphertext as output. The encryption algorithm involves the use of four different functions: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR).
411
Whirlpool Matrix Structure
• The plaintext input to W is a single 512-bit block.
• This block is treated as an 8 x 8 square matrix of bytes, labeled CState.
412
Whirlpool Matrix Structure
413
The Nonlinear Layer SB
414
The Nonlinear Layer SB
The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {BA}. Accordingly, the value {95} is mapped into the value {BA}.
415
Mix Row
• Each byte of a row is mapped into a new value that is a function of all eight bytes in that row.
• The transformation can be defined by the matrix multiplication B = AC,
• where A is the input matrix, B is the output matrix, and C is the transformation matrix.
416
Whirlpool Performance & Security
• Whirlpool is a very new proposal, hence there is little experience with its use.
• Compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput.
417
MAC
418
Types of MAC
HMAC (Hash-based Message Authentication Code)
CMAC (Cipher-based Message Authentication Code)
419
HMAC
The message authentication code is generated by a hash function. HMAC is computationally very fast and very compact. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC.
420
HMAC Algorithm
H = embedded hash function
IV = initial value input to hash function
M = message input to HMAC
Yi = ith block of M
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded hash function
K = secret key
421
HMAC Algorithm
K+ = K padded with zeros on the left
ipad = 00110110 (36 in hexadecimal)
opad = 01011100 (5C in hexadecimal)
422
HMAC Overview
423
HMAC Overview
1. Append zeros to the left end of K to create a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit block So.
424
HMAC Overview
6. Append the hash result from step 4 to So.
7. Apply H to the stream generated in step 6 and output the result.
425
HMAC Overview
426
Efficient Implementation of HMAC
427
Two quantities are precomputed
428
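The seven HMAC steps and the "two precomputed quantities" optimisation, written out as an added example for these slides; it is not code from the slides, and Python's hmac module appears only as a reference to check the result against. SHA-256 is the embedded hash here (b = 512 bits, n = 256 bits); the slides allow any hash. Two details follow RFC 2104 rather than the slide wording: a key longer than b bits is hashed first, and the zero padding is placed after the key bytes, which is what the standard and hmac.new() do. verify_tag() adds the constant-time comparison a receiver should use so that tag checking does not leak timing information.

```python
"""HMAC built step by step as on the slides, plus the precomputed form (added example)."""
import hashlib
import hmac

IPAD = 0x36   # 00110110, repeated b/8 times
OPAD = 0x5C   # 01011100, repeated b/8 times


def padded_key(key, hash_name):
    """K+ : the key brought to exactly b bits (one block of the embedded hash)."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:                       # RFC 2104: long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (block_size - len(key))  # zeros follow the key bytes


def hmac_steps(key, message, hash_name="sha256"):
    """Steps 1-7 from the slides, returned as a hex tag."""
    k_plus = padded_key(key, hash_name)                       # step 1
    s_i = bytes(b ^ IPAD for b in k_plus)                     # step 2
    inner = hashlib.new(hash_name, s_i + message).digest()    # steps 3-4
    s_o = bytes(b ^ OPAD for b in k_plus)                     # step 5
    return hashlib.new(hash_name, s_o + inner).hexdigest()    # steps 6-7


class PrecomputedHmac:
    """Efficient form: hash the two b-bit blocks S_i and S_o once, reuse the states per message."""

    def __init__(self, key, hash_name="sha256"):
        k_plus = padded_key(key, hash_name)
        self._inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k_plus))  # f(IV, S_i)
        self._outer = hashlib.new(hash_name, bytes(b ^ OPAD for b in k_plus))  # f(IV, S_o)

    def tag(self, message):
        inner = self._inner.copy()           # continue from the precomputed inner state
        inner.update(message)
        outer = self._outer.copy()           # continue from the precomputed outer state
        outer.update(inner.digest())
        return outer.hexdigest()


def verify_tag(key, message, received_tag, hash_name="sha256"):
    """Recompute and compare in constant time; a plain == comparison leaks timing."""
    expected = hmac_steps(key, message, hash_name)
    return hmac.compare_digest(expected, received_tag)


def matches_stdlib(key, message, hash_name="sha256"):
    """Cross-check of both implementations against hmac.new()."""
    reference = hmac.new(key, message, hash_name).hexdigest()
    return (hmac_steps(key, message, hash_name) == reference
            == PrecomputedHmac(key, hash_name).tag(message))


if __name__ == "__main__":
    key, msg = b"k" * 20, b"The quick brown fox"   # constructed sample values
    print(hmac_steps(key, msg), matches_stdlib(key, msg))
```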
CMAC
The message authentication code is generated using a block cipher.
429
CMAC Overview
430
CMAC Overview
The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not).
431
CMAC Overview
432
CMAC Overview
T = MSB_Tlen(Cn)
where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSB_s(X) = the s leftmost bits of the bit string X
433
Digital signature
A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting that hash with the creator's private key. The signature guarantees the source and integrity of the message.
434
Digital Signature Properties
 The signature must be a bit pattern that depends on the message being signed.
 The signature must use some information unique to the sender, to prevent both forgery and denial.
 It must be relatively easy to produce the digital signature.
 It must be relatively easy to recognize and verify the digital signature.
 It must be computationally infeasible to forge a digital signature.
 It must be practical to retain a copy of the digital signature in storage.
435
Direct Digital Signatures
Direct digital signatures involve only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public- or private-key schemes. Security depends on the sender's private key.
436
Arbitrated Digital Signatures
• involves use of arbiter A
– validates any signed message
– then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private- or public-key algorithms
• arbiter may or may not see message
437
Arbitrated Digital Signatures
X = sender
Y = recipient
A = arbiter
M = message
T = timestamp
438
Authentication Protocols
• Authentication protocols are used to convince parties of each other's identity and to exchange session keys.
• may be one-way or mutual
439
One-Way Authentication
• required when sender & receiver are not in communication at the same time (e.g. email)
440
Mutual Authentication
• required when sender & receiver are in communication at the same time (e.g. client-server)
441
Digital Signature Standard
The digital signature standard (DSS) is an NIST standard that uses the secure hash algorithm (SHA).
442
Two Approaches to Digital Signatures
443
The Digital Signature Algorithm (DSA)
444
Global Public-Key Components
p = prime number where 2^(L-1) < p < 2^L for 512 <= L <= 1024
q = prime divisor of (p - 1), where 2^159 < q < 2^160
g = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p > 1
445
User's Private Key
x = random or pseudorandom integer with 0 < x < q
446
User's Public Key
y = g^x mod p
447
User's Per-Message Secret Number
k = random or pseudorandom integer with 0 < k < q
448
Signing
r = (g^k mod p) mod q
s = [k^-1 (H(M) + xr)] mod q
Signature = (r, s)
449
Verifying
w = (s')^-1 mod q
u1 = [H(M') w] mod q
u2 = (r') w mod q
v = [(g^u1 y^u2) mod p] mod q
450
Verifying
TEST: v = r'
M = message to be signed
H(M) = hash of M using SHA-1
M', r', s' = received versions of M, r, s
451
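The DSA equations above (global components, key generation, signing and the v = r' test), implemented as an added example for these slides; it is not code from the slides or from any library. The global components p, q, g are produced here by a small probable-prime search (64-bit q, roughly 128-bit p) so that the block runs offline in well under a second; these are toy sizes, chosen only so the arithmetic is visible, and FIPS 186 sizes with a vetted implementation are what real use requires. SHA-1 is used only because the slides specify it. The signer retries with a fresh k whenever r or s comes out as 0, and the verifier range-checks r and s before doing any arithmetic, both of which the equations alone do not show.

```python
"""DSA signing and verification following the slides' equations, at toy sizes (added example)."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for a classroom demonstration."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(q_bits=64, p_bits=128):
    """Global public components: prime q, prime p with q | (p - 1), and g of order q."""
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    while True:
        k = secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = (k & ~1) * q + 1                    # even k keeps p odd
        if is_probable_prime(p):
            break
    h = 2                                        # any 1 < h < p - 1 giving g > 1 will do
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def hash_int(message):
    """H(M) as an integer (SHA-1 to match the slides; the formulas reduce it mod q)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def keygen(params):
    """Private key x with 0 < x < q and public key y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(params, x, message):
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q, with a fresh k per message."""
    p, q, g = params
    hm = hash_int(message)
    while True:
        k = secrets.randbelow(q - 1) + 1         # per-message secret; must never repeat
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hm + x * r) % q
        if r != 0 and s != 0:                    # otherwise draw a new k
            return r, s


def verify(params, y, message, signature):
    """w = s^-1, u1 = H(M') w, u2 = r w, v = (g^u1 y^u2 mod p) mod q; accept iff v = r'."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):            # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1 = hash_int(message) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r


def demo(message=b"constructed sample message"):
    """Returns (accepted, accepted_after_tampering) for one signature."""
    params = generate_parameters()
    x, y = keygen(params)
    sig = sign(params, x, message)
    return verify(params, y, message, sig), verify(params, y, message + b"!", sig)


if __name__ == "__main__":
    print(demo())
```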
Kerberos
452
Kerberos
Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
453
Kerberos
Kerberos is an authentication service designed for use in a distributed environment. Kerberos makes use of a trusted third-party authentication service that enables clients and servers to establish authentic communication.
454
Requirements for KERBEROS
Secure: an opponent does not find it to be the weak link.
Scalable: the system supports a large number of clients and servers.
Reliable: for all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services.
Transparent: the user should not be aware that authentication is taking place.
455
A Simple Authentication Dialogue
C = client
AS = authentication server
V = server
IDC = identifier of user on C
IDV = identifier of V
PC = password of user on C
ADC = network address of C
Kv = secret encryption key shared by AS and V
456
A Simple Authentication Dialogue
(1) C -> AS: IDc || Pc || IDv
(2) AS -> C: Ticket
(3) C -> V: IDc || Ticket
Ticket = E(Kv, [IDc || ADc || IDv])
Kv = secret key between AS and V (server)
Pc = password of client
457
A More Secure Authentication Dialogue
 minimize the number of times that a user has to enter a password
 tickets are not reusable
 To solve these problems, we introduce a new server, known as the ticket-granting server (TGS)
458
Once per user logon session:
(1) C -> AS: IDC || IDtgs
(2) AS -> C: E(Kc, Tickettgs)
459
Once per type of service:
(3) C -> TGS: IDC || IDV || Tickettgs
(4) TGS -> C: Ticketv
460
Once per service session:
(5) C -> V: IDC || Ticketv
461
Kerberos 4 Overview
462
1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID and password to the AS, together with the TGS ID, indicating a request to use the TGS service.
2. The AS responds with a ticket that is encrypted with a key that is derived from the user's password. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered.
463
3. The client requests a service-granting ticket on behalf of the user.
4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service.
464
5. The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user's ID and the service-granting ticket. The server authenticates by using the contents of the ticket.
465
Kerberos realm
Kerberos allows the global distribution of ASs and TGSs, with each system called a realm. A user may get a ticket for a local server or a remote server.
469
Kerberos realm
• 1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database.
• 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
• Such an environment is referred to as a Kerberos realm.
470
31/03/2005 Authentication Applications
Request for Service in another realm:
1. Request ticket for local TGS
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request for remote service
471
The minor differences between version 4 and version 5
1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data types.
5) Version 5 has more overhead than version 4.
472
X.509 Authentication Service
X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
473
Public-Key Certificate Use
474
X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
475
X.509 Certificates
476
CRL
• certificates have a period of validity
• may need to revoke before expiry, e.g.:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates.
477
Obtaining a Certificate
• any user with access to the CA can get any certificate from it
• only the CA can modify a certificate
• because they cannot be forged, certificates can be placed in a public directory
478
CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CAs must form a hierarchy
• use certificates linking members of the hierarchy to validate other CAs
– each CA has certificates for clients (forward) and parent (backward)
• each client trusts its parent's certificates
• enables verification of any certificate from one CA by users of all other CAs in the hierarchy
479
CA Hierarchy Use
A gets B's certificate using the chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
480
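Building the chain X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>> from the forward and backward certificates of a CA hierarchy, as an added example for the CA Hierarchy and CRL slides; it is not code from the slides or from any PKI library. Certificates are plain records carrying the fields from the X.509 slide that matter for path building (issuer, subject, serial number, period of validity); signatures are assumed already verified so the block can focus on finding the chain, rejecting expired certificates and honouring each CA's CRL. The CA names X, W, V, Y, Z, the users A and B, the serial numbers and the dates are constructed to reproduce the slide's chain.

```python
"""Certificate-path building over the CA hierarchy on the slides (added example)."""
from collections import deque
from datetime import date


class Certificate:
    """The subset of X.509 fields needed for path building; signature assumed checked."""

    def __init__(self, issuer, subject, serial, not_before, not_after):
        self.issuer, self.subject, self.serial = issuer, subject, serial
        self.not_before, self.not_after = not_before, not_after

    def label(self):
        return f"{self.issuer}<<{self.subject}>>"      # slide notation CA<<A>>

    def valid_on(self, day):
        return self.not_before <= day <= self.not_after


def build_chain(certs, crls, trusted_ca, target, today):
    """Breadth-first search from the CA whose public key the verifier already trusts.

    Each certificate is an edge issuer -> subject; it is usable only inside its
    validity period and when its serial is absent from its issuer's CRL. Returns
    the labels of the shortest chain to `target`, or None when no chain exists.
    """
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert.issuer, []).append(cert)
    queue = deque([(trusted_ca, [])])
    visited = {trusted_ca}
    while queue:
        issuer, path = queue.popleft()
        for cert in by_issuer.get(issuer, []):
            if not cert.valid_on(today) or cert.serial in crls.get(cert.issuer, set()):
                continue                                  # expired or revoked: not usable
            if cert.subject == target:
                return [c.label() for c in path + [cert]]
            if cert.subject not in visited:
                visited.add(cert.subject)
                queue.append((cert.subject, path + [cert]))
    return None


def sample_hierarchy():
    """Constructed hierarchy: V above W and Y; W above X; Y above Z; A under X, B under Z."""
    ok = (date(2024, 1, 1), date(2026, 12, 31))
    links = [("V", "W"), ("W", "X"), ("V", "Y"), ("Y", "Z")]
    certs, serial = [], 100
    for parent, child in links:
        certs.append(Certificate(parent, child, serial, *ok))      # forward certificate
        certs.append(Certificate(child, parent, serial + 1, *ok))  # backward certificate
        serial += 2
    certs.append(Certificate("X", "A", 900, *ok))
    certs.append(Certificate("Z", "B", 901, *ok))
    return certs


def chain_for_b(crls=None, today="2025-06-01"):
    """A (certified by X) locates B's certificate, as on the 'CA Hierarchy Use' slide."""
    return build_chain(sample_hierarchy(), crls or {}, "X", "B", date.fromisoformat(today))


if __name__ == "__main__":
    print(" ".join(chain_for_b()))
    print(chain_for_b(crls={"Z": {901}}))        # B's certificate revoked by Z
```

Revoking any certificate on the path (for example serial 901 on Z's CRL) or checking on a date outside the validity period makes the search return None rather than a chain that should not be trusted.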
Authentication Procedures
• CA must authenticate/verify an applicant before issuing a certificate for it.
• Three alternative authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
481
One-Way Authentication
• One-way authentication involves a single transfer of information from one user (A) to another (B).
482
One-Way Authentication
• 1 message (A -> B) used to establish
– the identity of A and that the message is from A
– the message was intended for B
– integrity & originality of the message
1. A -> B: {tA, rA, B, sgnData, KUb[Kab]}
tA = timestamp
rA = nonce
B = identity
sgnData = signed with A's private key
483
Two-Way Authentication
• 2 messages (A -> B, B -> A) which also establish, in addition:
– the identity of B and that the reply is from B
– that the reply is intended for A
– integrity & originality of the reply
1. A -> B: {tA, rA, B, sgnData, KUb[Kab]}
2. B -> A: {tB, rB, A, sgnData, KUa[Kab]}
484
Three-Way Authentication
• 3 messages (A -> B, B -> A, A -> B) which enable the above authentication without synchronized clocks
1. A -> B: {tA, rA, B, sgnData, KUb[Kab]}
2. B -> A: {tB, rB, A, sgnData, KUa[Kab]}
3. A -> B: {rB}
485
Public-Key Infrastructure
A public-key infrastructure (PKI) is defined as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
486
Public-Key Infrastructure
End entity: A generic term used to denote end users, devices (e.g., servers, routers).
Certification authority (CA): The issuer of certificates and certificate revocation lists (CRLs).
Registration authority (RA): An optional component that can assume a number of administrative functions.
487
Public-Key Infrastructure
CRL issuer: An optional component that a CA can delegate to publish CRLs.
Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
488
Public-Key Infrastructure
489
Public-Key Infrastructure
Registration: This is the process whereby a user first makes itself known to a CA (directly, or through an RA), prior to that CA issuing a certificate or certificates for that user.
Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure.
490
Public-Key Infrastructure
Certification: This is the process in which a CA issues a certificate for a user's public key, and returns that certificate to the user's client system and/or posts that certificate in a repository.
Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new key pair) and new certificates issued.
491
Public-Key Infrastructure
Cross certification: one certificate authority issues a certificate for another certificate authority, so that each can validate certificates issued by the other.
492
UNIT-IV
493
Contents
 Pretty Good Privacy
 S/MIME
 IP Security Overview
 IP Security Architecture
 Authentication Header
 Encapsulating Security Payload
 Combining Security Associations
 Key management
494
Pretty Good Privacy
495
Pretty Good Privacy
 PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.
496
Pretty Good Privacy
 PGP is an open-source, freely available software package for e-mail security.
 It provides authentication through the use of digital signatures.
 It provides confidentiality through the use of symmetric block encryption.
497
Pretty Good Privacy
 It provides compression using the ZIP algorithm.
 It provides e-mail compatibility using the radix-64 encoding scheme.
 It provides segmentation and reassembly to accommodate long e-mails.
498
Pretty Good Privacy
 Ks = session key used in symmetric encryption scheme
 PRa = private key of user A, used in public-key encryption scheme
 PUa = public key of user A, used in public-key encryption scheme
499
Pretty Good Privacy
 EP = public-key encryption
 DP = public-key decryption
 EC = symmetric encryption
 DC = symmetric decryption
 H = hash function
 || = concatenation
 Z = compression using ZIP algorithm
 R64 = conversion to radix 64 ASCII format
500
Authentication
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message.
4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
502
Authentication
5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
503
Confidentiality
1. The sender generates a message and a random 128-bit number to be used as a session key for this message only.
2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key.
3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.
504
Confidentiality
4. The receiver uses RSA with its private key to decrypt and recover the session key.
5. The session key is used to decrypt the message.
505
Transmission and Reception of PGP Messages
506
PGP Message Format
507
PGP Message Format
 The message component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation.
508
PGP Message Format
 The signature component includes the following:
 Timestamp: The time at which the signature was made.
 Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key.
509
PGP Message Format
 Leading two oc