
Passive attacks work by eavesdropping on, or monitoring of, transmissions to:

+ obtain message contents (as shown above in Stallings Figure 1.3a), or

+ monitor traffic flows

They are difficult to detect because they do not involve any alteration of the data.

plaintext - original message

encryption algorithm – performs substitutions/transformations on plaintext

secret key – controls the exact substitutions/transformations used in the encryption algorithm

ciphertext - scrambled message

decryption algorithm – inverse of encryption algorithm

There are two general approaches:

Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs.

Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.

Example: howdy (7,14,22,3,24) encrypted using key f (ie a shift of 5) is MTBID

The example message is: "meet me after the toga party" with a rail fence of depth 2.

This sort of thing would be trivial to cryptanalyze.

Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as a T attack), and influenced the design of the S-boxes and the permutation P to improve its resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.

Shown here is the equation from Stallings section 3.4 which shows how this removes the influence of the key, hence enabling the analysis.

The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms.

The function F provides the element of confusion in a Feistel cipher; we want it to be difficult to "unscramble" the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. We would like any change to the input vector to an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions.

A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. Would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.

Have many locations where attacks can occur in a typical scenario (Stallings Figure 7.1), such as when have:

+ workstations on LANs access other workstations & servers on LAN

+ LANs interconnected using switches/routers

+ with external lines or radio/satellite links

Consider attacks and placement in this scenario:

+ snooping from another workstation

+ use dial-in to LAN or server to snoop

+ physically tap line in wiring closet

+ use external router link to enter & snoop

+ monitor and/or modify traffic on external links

Link encryption can occur at either the physical or link layers.

End-to-end encryption could be performed at the network layer (for all processes on a system, perhaps in a Front End Processor), at the Transport layer (now possibly per process), or at the Presentation/Application layer (especially if need security to cross application gateways, but at cost of many more entities to manage).

Can view alternatives noting that as you move up the communications hierarchy, less information is encrypted but it is more secure.

Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows. 3 is mostly based on 1 or 2 occurring first.

A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). Must trust intermediary not to abuse the knowledge of all session keys. As number of parties grow, some variant of 4 is only practical solution to the huge growth in number of keys potentially needed.

All classical, and modern block and stream ciphers are of this form, and still rely on the fundamental building blocks of substitution and permutation (transposition).

The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key.

The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext.

The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others.

These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.

The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm, with cost O(2^(m/2)). See proposal in text for a h/w MD5 cracker.

A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs. However analysis shows cost is related to min(2^k, 2^n), similar to symmetric encryption algorithms.

Cryptanalysis of hash functions focuses on the internal structure of the compression function f and is based on attempts to find efficient techniques for producing collisions for a single execution of f. Keep in mind that for any hash function there must exist collisions, but want it to be computationally infeasible to find these collisions.

HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]

elements are:

K+ is K padded with zeros on the left so that the result is b bits in length

ipad is a pad value of 36 hex repeated to fill block

opad is a pad value of 5C hex repeated to fill block

M is the message input to HMAC (including the padding specified in the embedded hash function)
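Added example, not from the notes or from Stallings: the HMAC formula above built step by step in Python and cross-checked against the standard library's hmac module, plus the constant-time tag comparison a receiver should use. A key longer than one block is hashed first, as RFC 2104 specifies.

```python
import hashlib
import hmac  # standard library; used only to cross-check the hand-built construction


def hmac_by_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]], built from the definition."""
    b = hashlib.new(hash_name).block_size          # block size of the embedded hash (64 bytes for SHA-256)
    if len(key) > b:                               # RFC 2104: keys longer than one block are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))        # K+ : the key zero-padded to exactly b bytes
    ipad = bytes([0x36]) * b                       # 0x36 repeated to fill a block
    opad = bytes([0x5C]) * b                       # 0x5C repeated to fill a block
    s_i = bytes(k ^ p for k, p in zip(k_plus, ipad))
    s_o = bytes(k ^ p for k, p in zip(k_plus, opad))
    inner = hashlib.new(hash_name, s_i + message).digest()   # Hash[(K+ XOR ipad) || M]
    return hashlib.new(hash_name, s_o + inner).digest()      # Hash[(K+ XOR opad) || inner]


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver-side check; compare_digest does not leak where the first differing byte is."""
    return hmac.compare_digest(hmac_by_definition(key, message, hash_name), tag)


def cross_check(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """True when the hand-built HMAC equals the standard library's result for this key/message."""
    return hmac_by_definition(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # RFC 4231 test case 1 (HMAC-SHA-256): key = 20 bytes of 0x0b, data = "Hi There"
    print(hmac_by_definition(b"\x0b" * 20, b"Hi There").hex())
    print(cross_check(b"k" * 100, b"key longer than a block is hashed first"))
```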

It uses the block size of the underlying cipher (ie 128 bits for AES or 64 bits for triple-DES). The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not). For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits. The two constants K1 & K2 are derived from the original key K using encryption of 0 and multiplication in GF(2^n), as detailed in the text.

X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.

The X.509 certificate format is widely used, in, for example, S/MIME, IP Security, SSL/TLS and SET.

The standard uses the notation for a certificate of: CA<<A>> where the CA signs the certificate for user A with its private key.

Track chains of certificates:

A obtains B's certificate using the chain: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>

B obtains A's certificate using the chain: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>>

• RFC 2401: An overview of a security architecture

• RFC 2402: Description of a packet authentication extension to IPv4 and IPv6

• RFC 2406: Description of a packet encryption extension to IPv4 and IPv6

• RFC 2408: Specification of key management capabilities

In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups.

Support for these features is mandatory for IPv6 and optional for IPv4.

In both cases, the security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header.

• Next Header (8 bits): Identifies the type of header immediately following this header

• Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2.

• Reserved (16 bits): For future use

• Security Parameters Index (32 bits): Identifies a security association

• Sequence Number (32 bits): A monotonically increasing counter value

• Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet
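Added example, not from the notes: parsing the AH fields listed above from constructed bytes, checking that Payload Length is consistent with the buffer, and applying the sliding-window anti-replay check that the Sequence Number enables (64-wide window, the default in RFC 2402). The SPI, ICV bytes and sequence numbers are constructed sample values, not a real MAC.

```python
import struct
from dataclasses import dataclass
from typing import List

AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AuthHeader:
    next_header: int  # protocol of the header following AH (e.g. 6 = TCP)
    payload_len: int  # AH length in 32-bit words, minus 2
    spi: int          # Security Parameters Index: selects the SA
    seq: int          # monotonically increasing anti-replay counter
    icv: bytes        # Integrity Check Value (MAC), a whole number of 32-bit words

    @property
    def total_len(self) -> int:
        return (self.payload_len + 2) * 4


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialise an AH; the ICV is zero-padded to a whole number of 32-bit words."""
    icv = icv + b"\x00" * (-len(icv) % 4)
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(buf: bytes) -> AuthHeader:
    """Parse an AH from the start of buf, refusing truncated or inconsistent lengths."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fixed part is 12 bytes")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if total < AH_FIXED_LEN or len(buf) < total:
        raise ValueError(f"AH payload length {payload_len} inconsistent with {len(buf)} bytes")
    return AuthHeader(next_header, payload_len, spi, seq, buf[AH_FIXED_LEN:total])


class ReplayWindow:
    """Sliding-window anti-replay check on the sequence number (default window of 64)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence number (top - i) already accepted

    def accept(self, seq: int) -> bool:
        """True if seq is fresh (and records it); False for duplicates or numbers too old."""
        if seq == 0:       # the first packet on an SA uses 1; 0 is never valid
            return False
        if seq > self.top:  # advance the window; bits that fall off the left are forgotten
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False   # older than the window, or already seen
        self.bitmap |= 1 << offset
        return True


def filter_packets(headers: List[bytes], window: ReplayWindow) -> List[int]:
    """Return the sequence numbers a receiver would accept, in arrival order."""
    accepted = []
    for raw in headers:
        ah = parse_ah(raw)
        if window.accept(ah.seq):
            accepted.append(ah.seq)
    return accepted


# Constructed sample: AH headers on SPI 0x1000 with a 12-byte placeholder ICV (not a real MAC);
# sequence 2 arrives twice and sequence 5 arrives after 70 has moved the window past it.
SAMPLE_ICV = bytes(range(12))
SAMPLE_HEADERS = [build_ah(6, 0x1000, s, SAMPLE_ICV) for s in (1, 2, 2, 70, 5, 10)]

if __name__ == "__main__":
    print(parse_ah(SAMPLE_HEADERS[0]))
    print(filter_packets(SAMPLE_HEADERS, ReplayWindow()))
```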

Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload. Typically, transport mode is used for end-to-end communication between two hosts.

Tunnel mode provides protection to the entire IP packet: after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header. Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.

• Security Parameters Index (32 bits): Identifies a security association

• Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH

• Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption

• Padding (0–255 bytes): for various reasons

• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field

• Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload

• Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field

Tunnel mode ESP is used to encrypt an entire IP packet. Tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network from external networks.

Security associations may be combined into bundles in two ways:

• Transport adjacency: more than one security protocol on same IP packet, without invoking tunneling

• Iterated tunneling: application of multiple layers of security protocols effected through IP tunneling

One interesting issue is the order in which authentication and encryption may be applied between a given pair of endpoints.

Case 1 security is provided between end systems that implement IPSec.

Case 2 security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPSec.

Case 3 builds on Case 2 by adding end-to-end security. The same combinations discussed for cases 1 and 2 are allowed here.

Case 4 provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall. Only tunnel mode is required between the remote host and the firewall.

• Manual where a system administrator manually configures each system with its own keys and with the keys of other communicating

• Automated where an automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.

Stallings Figure 16.12a shows the header format for an ISAKMP message. All ISAKMP payloads begin with the same generic payload header shown in Figure 16.12b.

• Connection: A connection is a network transport that provides a suitable type of service; such connections are transient, peer-to-peer relationships, each associated with one session

• Session: An SSL session is an association between a client and a server, created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

Each alert message consists of two bytes: the first takes the value warning(1) or fatal(2) to convey the severity of the message. The second byte contains a code that indicates the specific alert. The first group shown are the fatal alerts, the others are warnings.

Phase 1. Establish Security Capabilities - this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it

Phase 2. Server Authentication and Key Exchange - the server begins this phase by sending its certificate if it needs to be authenticated.

Phase 3. Client Authentication and Key Exchange - the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable

Phase 4. Finish - this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec

The message includes the following:

1. Purchase-related information, which will be forwarded to the payment gateway by the merchant and consists of: PI, dual signature, & OI message digest (OIMD).

2. Order-related information, needed by the merchant and consists of: OI, dual signature, PI message digest (PIMD).

3. Cardholder certificate. This contains the cardholder’s public signature key.

Details of the request verification are shown on the next slide; and of the payment authorization on the following slide.

The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number. This block is signed by the merchant using its private signature key. The block and its signature are sent to the customer, along with the merchant's signature certificate.

• Host agent module: audit collection module operating as a background process on a monitored system

• LAN monitor agent module: like a host agent module except it analyzes LAN traffic

• Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion

• divert an attacker from accessing critical systems

• collect information about the attacker’s activity

• encourage the attacker to stay on the system long enough for administrators to respond

These systems are filled with fabricated information designed to appear valuable but which any legitimate user of the system wouldn’t access, thus, any access is suspect.

They are instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities.

Have seen evolution from single host honeypots to honeynets of multiple dispersed systems.

The IETF Intrusion Detection Working Group is currently drafting standards to support interoperability of IDS info (both honeypot and normal IDS) over a wide range of systems & O/S’s.

A study at Purdue University in 1992 observed password change choices on 54 machines, for 7000 users, and found almost 3% of the passwords were three characters or fewer in length, easily exhaustively searched!

Password length is only part of the problem, since many people pick a password that is guessable, such as their own name, their street name, a common dictionary word, and so forth. This makes the job of password cracking straightforward.

A study by Klein 1990 collected UNIX password files, containing nearly 14,000 encrypted passwords, and found nearly one-fourth of these passwords were guessable.

A strategy is needed to force users to select passwords that are difficult to guess.

• Detection: determine that infection has occurred and locate the virus

• Identification: of the specific virus that has infected a program

• Removal: of all traces of the virus from the infected program and restore it to its original state; or discard infected program and reload a clean backup version

• First generation: simple scanners use a virus signature to identify a virus, limited to known viruses; or use length of program to detect changes to it

• Second generation: heuristic scanners use rules to search for probable virus infection, eg for code fragments; or use crypto hash of programs to detect changes

• Third generation: activity traps which identify a virus by its actions rather than its structure

• Fourth generation: full-featured protection using packages consisting of a variety of antivirus techniques used in conjunction, including scanning and activity trap components

The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general purpose computer security measures.

1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, & forwards infected programs to an administrative machine

2. The administrative machine encrypts the sample and sends it to a central virus analysis machine

3. This machine creates an environment in which the infected program can be safely run for analysis to produces a prescription for identifying and removing the virus

4. The resulting prescription is sent back to the administrative machine

5. The administrative machine forwards the prescription to the infected client

6. The prescription is also forwarded to other clients in the organization

7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.

Stallings Figure 19.5a shows an example of an internal resource attack - the SYN flood attack:

1. The attacker takes control of multiple hosts over the Internet.

2. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with erroneous return IP address information, to the target.

3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each SYN request waiting for a response back and becomes bogged down as more traffic floods in.

Stallings Figure 19.5b illustrates an example of an attack that consumes data transmission resources:

1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP ECHO packets with the target's spoofed IP address to a group of hosts that act as reflectors.

2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site.

3. The target's router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic.

Protecting a group of R&D computers from the rest of the network.

Separating sensitive HR or finance servers from the corporate network.

1. cannot protect against attacks that bypass the firewall, eg PCs with dial-out capability to an ISP, or dial-in modem pool use

2. do not protect against internal threats, eg disgruntled employee or one who cooperates with an attacker

3. cannot protect against the transfer of virus-infected programs or files, given wide variety of O/S & applications supported

A packet-filtering router applies a set of rules to each incoming and outgoing IP packet to forward or discard the packet. Filtering rules are based on information contained in a network packet such as src & dest IP addresses, ports, transport protocol & interface. Some advantages are simplicity, transparency & speed.

If there is no match to any rule, then one of two default policies is applied:

• that which is not expressly permitted is prohibited (default action is discard packet), conservative policy

• that which is not expressly prohibited is permitted (default action is forward packet), permissive policy

One of the most common circuit-level gateways is SOCKS, defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library & SOCKS-aware applications on internal clients.

Figure 20.2a shows the “screened host firewall, single-homed bastion configuration”, where the firewall consists of two systems:

a packet-filtering router - allows Internet packets to/from bastion only

a bastion host - performs authentication and proxy functions

This configuration has greater security, as it implements both packet-level & application-level filtering, forces an intruder to generally penetrate two separate systems to compromise internal security, & also affords flexibility in providing direct Internet access to specific internal servers (eg web) if desired.

This configuration offers several advantages:

• There are now three levels of defense to thwart intruders

• The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet

• Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet

- 1. UNIT-I: Security trends; OSI Security Architecture; Security Attacks; Security Services; Security Mechanisms; A Model for Network Security; Symmetric Cipher Model; Substitution Techniques and Transposition Techniques; Block Cipher Principles; The Data Encryption Standard and The Strength of DES; Differential and Linear Cryptanalysis; Block Cipher Design Principles; Evaluation Criteria for AES and The AES Cipher.
- 2. Cryptography: Cryptography is the study of secret (crypto-) writing (-graphy).
- 3. Cryptography: cryptography - study of encryption principles/methods. Cryptography deals with creating documents that can be shared secretly over public communication channels.
- 4. Cryptanalysis: cryptanalysis (code breaking) - study of principles/methods of decrypting ciphertext without knowing the key.
- 5. Cryptology: The areas of cryptography and cryptanalysis together are called cryptology.
- 6. Computer Security: generic name for the collection of tools designed to protect data.
- 7. Network Security: used to protect data during their transmission.
- 8. Internet Security: used to protect data during their transmission over a collection of interconnected networks.
- 9. Security trends: In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture". The report stated the general agreement that the Internet needs more and better security, and it identified key areas for security mechanisms.
- 10. CERT Statistics: security trend in Internet-related vulnerabilities reported to CERT over a 10-year period. These include security weaknesses in the operating systems of attached computers as well as vulnerabilities in Internet routers and other network devices.
- 11. CERT Statistics
- 12. OSI Security Architecture: The OSI (open systems interconnection) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.
- 13. Services, Mechanisms, Attacks: consider three aspects of information security: security attack; security mechanism; security service.
- 14. Security service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
- 15. Security Services: Authentication; Access control; Data Confidentiality; Data Integrity; Non-Repudiation.
- 16. Authentication: Authentication is a process of verification of the sender.
- 17. Access Control: prevention of the unauthorized use of a resource.
- 18. Data Confidentiality: protection of data from unauthorized disclosure.
- 19. Data Integrity: assurance that data received is as sent by an authorized entity.
- 20. Non-Repudiation: Nonrepudiation prevents either sender or receiver from denying a transmitted message.
- 21. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
- 22. Encipherment: The use of a mathematical algorithm to transform data into a form that is not understandable.
- 23. Digital signature: A valid digital signature gives a recipient reason to believe that the message was created by a known sender.
- 24. Access control: A variety of mechanisms that enforce access rights to resources.
- 25. Data integrity: A variety of mechanisms used to assure the integrity of a data unit.
- 26. Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
- 27. Routing control: Enables selection of particular physically secure routes for data.
- 28. Notarization: The use of a trusted third party to assure certain properties of a data exchange.
- 29. Security Attack: Any action that compromises the security of information. "Threat" and "attack" are used to mean the same thing.
- 30. Passive attacks: passive attacks attempt to learn or make use of information from the system but do not affect system resources. They are difficult to detect because they do not involve any alteration of the data.
- 31. Release of message contents
- 32. Traffic analysis
- 33. Active attacks: active attacks attempt to alter system resources or affect their operation. They are easy to detect because they involve alteration of the data.
- 34. Masquerade: A masquerade takes place when one entity pretends to be a different entity.
- 35. Masquerade
- 36. Replay
- 37. Modification of messages
- 38. Denial of service
- 39. Model for Network Security
- 40. Model for Network Security: design a suitable algorithm for the security transformation; generate the secret keys used by the algorithm; develop methods to distribute the secret key; specify a protocol enabling the principals to use the transformation and secret information for a security service.
- 41. Model for Network Access Security
- 42. Symmetric Encryption: Symmetric encryption is also referred to as conventional encryption or single-key encryption. All traditional schemes are symmetric / single-key / private-key encryption algorithms, with a single key used for both encryption and decryption. Since both sender and receiver are equivalent, either can encrypt or decrypt messages using that common key.
- 43. Some Basic Terminology: plaintext - original message; ciphertext - coded message; key - shared by both sender and receiver; encipher (encrypt) - converting plaintext to ciphertext; decipher (decrypt) - converting ciphertext to plaintext.
- 44. Symmetric Cipher Model
- 45. Cryptography: characterize a cryptographic system by: the type of encryption operations used (substitution / transposition / product); the number of keys used (single-key or private / two-key or public); the way in which plaintext is processed (block / stream).
- 46. Cryptanalysis: There are two general approaches to attacking a conventional encryption scheme: cryptanalytic attack; brute-force attack.
- 47. Cryptanalytic attack: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext.
- 48. Brute-force attack: Brute-force attacks try every possible key on a piece of ciphertext until plaintext is obtained.
- 49. Types of Encryption Schemes (tree diagram; nodes: Encryption; Classical: Rotor Machines, Substitution, Transposition, Steganography; Modern: Secret Key: Block, Stream; Public Key)
- 50. Substitution Techniques: letters of plaintext are replaced by other letters or by numbers or symbols.
- 51. Caesar Cipher: The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.
- 52. Caesar Cipher: mathematically, give each letter a number: a=0 b=1 c=2 d=3 e=4 f=5 g=6 h=7 i=8 j=9 k=10 l=11 m=12 n=13 o=14 p=15 q=16 r=17 s=18 t=19 u=20 v=21 w=22 x=23 y=24 z=25; then the Caesar cipher is: c = E(p) = (p + k) mod 26; p = D(c) = (c - k) mod 26.
- 53. Caesar Cipher example: plaintext "meet me after the toga party"; ciphertext "PHHW PH DIWHU WKH WRJD SDUWB".
- 54. Brute-Force Cryptanalysis of Caesar Cipher: If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed. Simply try all 25 possible keys.
- 56. Monoalphabetic Ciphers: monoalphabetic substitution uses a fixed substitution over the entire message.
- 57. Monoalphabetic Ciphers: Shuffle the letters and map each plaintext letter to a different random ciphertext letter. Plain letters: abcdefghijklmnopqrstuvwxyz; Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN; Plaintext: ifwewishtoreplaceletters; Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA.
- 58. Monoalphabetic Cipher Security: the monoalphabetic substitution cipher is not secure; the problem is language characteristics.
- 59. Relative Frequency of Letters in English Text
- 60. Monoalphabetic Cipher: the relative frequency of the letters can be determined and compared to a standard frequency distribution for English. If the message were long enough, this technique alone might be sufficient.
- 61. Playfair Cipher: The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a keyword. Plaintext is encrypted two letters at a time using this matrix.
- 62. Playfair Cipher rules: take a pair of letters from the plaintext; separate repeating letters with an x; plaintext letters in the same row are replaced by the letters to the right (cyclically); plaintext letters in the same column are replaced by the letters below (cyclically); plaintext letters in a different row and column are replaced by the letter in their own row at the column of the other letter, and vice versa.
- 63. Playfair Cipher: Keyword: LARGEST; Plaintext: mu st se ey ou; Ciphertext: UZTBDLGZPN.
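Added example, not part of the slides: a Playfair implementation in Python following the rules on slide 62. It reproduces the LARGEST / "must see you" -> UZTBDLGZPN example and decrypts it back; j is merged into i (the usual 25-letter table), and repeated letters in a pair are split with x as the slide says.

```python
from typing import List

ALPHABET = "abcdefghiklmnopqrstuvwxyz"  # 25 letters: j is merged into i


def playfair_table(keyword: str) -> List[List[str]]:
    """5x5 table: keyword letters first (duplicates dropped), then the rest of the alphabet."""
    order: List[str] = []
    for ch in keyword.lower() + ALPHABET:
        ch = "i" if ch == "j" else ch
        if ch in ALPHABET and ch not in order:
            order.append(ch)
    return [order[r * 5:(r + 1) * 5] for r in range(5)]


def to_digraphs(text: str) -> List[str]:
    """Letters only, j->i; a repeated letter in a pair is split with x; odd length is padded with x."""
    letters = ["i" if c == "j" else c for c in text.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "x"
        if a == b:                 # e.g. "ll" in balloon becomes "lx" and the second l starts the next pair
            pairs.append(a + "x")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(pairs: List[str], table: List[List[str]], step: int) -> str:
    """step = +1 encrypts (right / below), step = -1 decrypts (left / above)."""
    pos = {ch: (r, c) for r, row in enumerate(table) for c, ch in enumerate(row)}
    out = []
    for a, b in pairs:
        ra, ca = pos[a]
        rb, cb = pos[b]
        if ra == rb:               # same row: shift cyclically along the row
            out.append(table[ra][(ca + step) % 5] + table[rb][(cb + step) % 5])
        elif ca == cb:             # same column: shift cyclically down the column
            out.append(table[(ra + step) % 5][ca] + table[(rb + step) % 5][cb])
        else:                      # rectangle: each letter takes the other letter's column
            out.append(table[ra][cb] + table[rb][ca])
    return "".join(out)


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    return _transform(to_digraphs(plaintext), playfair_table(keyword), 1).upper()


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    text = ciphertext.lower()
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)]
    return _transform(pairs, playfair_table(keyword), -1)


if __name__ == "__main__":
    print(playfair_table("LARGEST"))
    print(playfair_encrypt("must see you", "LARGEST"))   # slide 63 example
```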
- 64. Hill Cipher The encryption algorithm takes m successive plaintext letters and substitutes for them m cipher text letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1 ... z = 25). 64
- 65. Hill Cipher 65
- 66. Hill Cipher where C and P are column vectors of length 3, representing the plaintext and cipher text, and K is a 3 x 3 matrix, representing the encryption key 66
- 67. Hill Cipher In general terms, the Hill cipher system can be expressed as follows: C = E(K, P) = KP mod 26; P = D(K^-1, C) = K^-1 C mod 26 = K^-1 KP mod 26 = P 67
- 68. Hill Cipher 68 Consider the message 'CAT', and the key GYBNQKURP
- 69. For example, if the key is a 3 x 3 matrix K = [[17 17 5], [21 18 21], [2 2 19]] (the matrix whose determinant is expanded on the next slide): Plain text: paymoremoney, m = 3, (p a y) = (15 0 24). So encryption is as follows: (15 0 24) K = (303 303 531) mod 26 = (17 17 11) = RRL. Now the cipher text for "pay" is RRL.
- 70. For decryption you have to find K^-1. How to find the inverse of K: 1. Find the cofactor of each element of the matrix: [[300 -357 6], [-313 313 0], [267 -252 -51]]. 2. Transpose the cofactor matrix; this is the adjoint: adj K = [[300 -313 267], [-357 313 -252], [6 0 -51]]. Determinant of K = 17(18*19 – 21*2) – 17(21*19 – 21*2) + 5(21*2 – 18*2) = 17*300 – 17*357 + 5*6 = -939
- 71. Now K^-1 = (det K)^-1 * adj K mod 26. (det K)^-1 = (-939)^-1 = (-939 mod 26)^-1 (the easy way to find -939 mod 26 is to keep adding 26 to -939 till you get a positive value; this gives 23) = 23^-1 mod 26 = 17, because 23 * 17 = 391 and 391 mod 26 = 1 (find a number s such that 23 * s mod 26 gives 1). So K^-1 = 17 * adj K mod 26 = 17 * [[300 -313 267], [-357 313 -252], [6 0 -51]] mod 26 = [[5100 -5321 4539], [-6069 5321 -4284], [102 0 -867]] mod 26 = [[4 9 15], [15 17 6], [24 0 17]]. This is the inverse matrix.
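The arithmetic of slides 69 to 71, carried out in code as an added example (not the slides' own): encryption as a row vector times the key matrix, and the inverse computed the way the slides do it, from the adjugate and the modular inverse of the determinant. It uses the row-vector convention C = P K of slide 69 (slide 67 writes the column-vector form KP; both are valid as long as encryption and decryption agree). The key matrix is the one recovered from the determinant expansion on slide 70.

```python
# Added example (not from the slides): Hill cipher over a 3x3 key, including the
# modular matrix inverse via the adjugate. Row-vector convention: C = P K mod 26.

KEY = [[17, 17, 5],
       [21, 18, 21],
       [2, 2, 19]]   # the key matrix whose determinant slide 70 expands


def letters_to_nums(text):
    return [ord(c) - ord('a') for c in text.lower() if c.isalpha()]


def nums_to_letters(nums):
    return "".join(chr(n % 26 + ord('A')) for n in nums)


def matmul_vec(vec, matrix):
    """Row vector times matrix, reduced mod 26."""
    size = len(matrix)
    return [sum(vec[i] * matrix[i][j] for i in range(size)) % 26 for j in range(size)]


def minor(m, row, col):
    return [[m[r][c] for c in range(len(m)) if c != col]
            for r in range(len(m)) if r != row]


def determinant(m):
    """Laplace expansion along the first row (fine for the small keys used here)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** c * m[0][c] * determinant(minor(m, 0, c)) for c in range(len(m)))


def adjugate(m):
    """Transpose of the cofactor matrix, exactly as on slide 70."""
    n = len(m)
    cof = [[(-1) ** (r + c) * determinant(minor(m, r, c)) for c in range(n)]
           for r in range(n)]
    return [[cof[c][r] for c in range(n)] for r in range(n)]


def inverse_mod26(m):
    """K^-1 = det(K)^-1 * adj(K) mod 26; pow() raises ValueError when
    gcd(det K, 26) != 1, i.e. when the key is not usable."""
    det_inv = pow(determinant(m) % 26, -1, 26)
    return [[(det_inv * x) % 26 for x in row] for row in adjugate(m)]


def hill(text, key):
    """Encrypt `text` block by block with `key` (decrypt by passing K^-1)."""
    size = len(key)
    nums = letters_to_nums(text)
    if len(nums) % size:
        raise ValueError("text length must be a multiple of the block size")
    out = []
    for i in range(0, len(nums), size):
        out.extend(matmul_vec(nums[i:i + size], key))
    return nums_to_letters(out)


def hill_decrypt(ciphertext, key):
    return hill(ciphertext, inverse_mod26(key))


if __name__ == "__main__":
    print(determinant(KEY))            # -939
    print(inverse_mod26(KEY))          # [[4, 9, 15], [15, 17, 6], [24, 0, 17]]
    print(hill("paymoremoney", KEY))   # RRLMWBKASPDH
    print(hill_decrypt(hill("paymoremoney", KEY), KEY))
```

The check in inverse_mod26 matters in practice: a key whose determinant shares a factor with 26 (even, or divisible by 13) has no inverse, so messages encrypted with it cannot be decrypted uniquely.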
- 72. Polyalphabetic Ciphers Each plaintext letter has multiple corresponding cipher text letters. 72
- 73. Vigenère Cipher The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution. 73
- 74. Vigenère Cipher To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword. key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ 74
- 75. 75
- 76. One-time pad The one-time pad's security comes from its key: the key is EQUAL in length to the plaintext and is COMPLETELY random. 76
- 77. One-time pad Message: H E L L O = 7 4 11 11 14; Key: X M C K L = 23 12 2 10 11; Message + key = 30 16 13 21 25; (Message + key) mod 26 = 4 16 13 21 25 = E Q N V Z → ciphertext 77
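Slides 74 and 77 describe the same operation, a letter-by-letter shift C = (P + K) mod 26, and differ only in where the key letters come from: a repeating keyword for Vigenère, a random key as long as the message for the one-time pad. The added example below (written for this page, not from the slides) makes that shared core explicit and reproduces both worked examples; the random-key generator for the pad is an assumption about how one would produce such a key.

```python
# Added example (not from the slides): Vigenère with a repeating keyword and a
# one-time pad with a random key as long as the message; both are shift ciphers
# that differ only in how the per-letter shift is chosen.
import secrets
import string

A = string.ascii_uppercase


def shift_encrypt(plaintext, keystream):
    """C_i = (P_i + K_i) mod 26, one key letter per plaintext letter."""
    letters = [c for c in plaintext.upper() if c in A]
    if len(keystream) < len(letters):
        raise ValueError("keystream shorter than message")
    return "".join(A[(A.index(p) + A.index(k)) % 26] for p, k in zip(letters, keystream))


def shift_decrypt(ciphertext, keystream):
    """P_i = (C_i - K_i) mod 26."""
    if len(keystream) < len(ciphertext):
        raise ValueError("keystream shorter than message")
    return "".join(A[(A.index(c) - A.index(k)) % 26] for c, k in zip(ciphertext, keystream))


def vigenere_keystream(keyword, length):
    """Repeat the keyword until it covers the message."""
    keyword = keyword.upper()
    return (keyword * (length // len(keyword) + 1))[:length]


def vigenere_encrypt(plaintext, keyword):
    n = sum(c in A for c in plaintext.upper())
    return shift_encrypt(plaintext, vigenere_keystream(keyword, n))


def vigenere_decrypt(ciphertext, keyword):
    return shift_decrypt(ciphertext, vigenere_keystream(keyword, len(ciphertext)))


def one_time_pad_key(length):
    """A fresh, uniformly random key of exactly the message length
    (from the OS CSPRNG; the pad is only secure if the key is never reused)."""
    return "".join(secrets.choice(A) for _ in range(length))


if __name__ == "__main__":
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))
    print(shift_encrypt("HELLO", "XMCKL"))          # EQNVZ, as on slide 77
    key = one_time_pad_key(5)
    print(key, shift_encrypt("HELLO", key))
```

Because the keystream for Vigenère repeats every len(keyword) letters, every len(keyword)-th ciphertext letter is a plain Caesar shift of the corresponding plaintext letters, which is why the frequency analysis of slide 60 still applies to it once the period is known; the one-time pad has no period and no such structure.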
- 78. Transposition Encryption position of the plain text will be changed. 78
- 79. Rail Fence cipher The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. The example message is: meet me after the toga party eg. write the message out on two rails as: m e m a t r h t g p r y / e t e f e t e o a a t giving ciphertext MEMATRHTGPRYETEFETEOAAT
- 80. Row Transposition Ciphers A more complex transposition cipher is to write the message in a rectangle, row by row, and read the message off shuffling the order of the columns in each row. 80
- 81. Row Transposition Ciphers 81
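Both transpositions of slides 79 to 81 as an added example (not the slides' own code): the rail fence for any depth, with its decryption, and a row transposition keyed by the column read-out order. The row-transposition message and key are constructed for this example; the slide does not give one.

```python
# Added example (not from the slides): rail fence for any depth and a keyed row
# transposition. Both only move letters, so letter frequencies are unchanged.

def _zigzag(length, depth):
    """Rail index visited by each position of the message, e.g. 0,1,2,1,0,1,..."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if depth > 1:
            if rail == 0:
                step = 1
            elif rail == depth - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext, depth):
    """Write the letters along the zigzag, then read rail by rail."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    rails = [[] for _ in range(depth)]
    for ch, rail in zip(letters, _zigzag(len(letters), depth)):
        rails[rail].append(ch)
    return "".join("".join(r) for r in rails)


def rail_fence_decrypt(ciphertext, depth):
    """Rebuild the zigzag, cut the ciphertext into rails, and walk it again."""
    pattern = _zigzag(len(ciphertext), depth)
    rails, pos = [], 0
    for r in range(depth):
        count = pattern.count(r)
        rails.append(list(ciphertext[pos:pos + count]))
        pos += count
    return "".join(rails[r].pop(0) for r in pattern)


def row_transposition_encrypt(plaintext, key):
    """Write row by row into len(key) columns and read the columns out in
    key order; key[i] is the read-out rank of column i, e.g. (4,3,1,2,5,6,7)
    reads column 2 first, then column 3, column 1, column 0, ..."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    width = len(key)
    while len(letters) % width:
        letters.append("X")                  # pad the last row
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    order = sorted(range(width), key=lambda i: key[i])
    return "".join(row[col] for col in order for row in rows)


def row_transposition_decrypt(ciphertext, key):
    width = len(key)
    height = len(ciphertext) // width
    order = sorted(range(width), key=lambda i: key[i])
    grid = [[""] * width for _ in range(height)]
    pos = 0
    for col in order:
        for r in range(height):
            grid[r][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    ct = rail_fence_encrypt("meet me after the toga party", 2)
    print(ct, rail_fence_decrypt(ct, 2))
    # constructed key and message for the row transposition
    print(row_transposition_encrypt("attack postponed until two am xyz", (4, 3, 1, 2, 5, 6, 7)))
```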
- 82. Rotor machine In cryptography, a rotor machine is an electro-mechanical device used for encrypting and decrypting secret messages. 82
- 83. Example of Rotor Machine 83
- 84. Steganography Steganography is the art and science of writing hidden messages in such a way that no one knows, apart from the sender and receiver. 84
- 85. Character marking: text are overwritten in pencil The marks are ordinarily not visible unless the paper is held at an angle to bright light. 85
- 86. Invisible ink A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper. 86
- 87. Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light. 87
- 88. Block Cipher Principles A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a cipher text block of equal length. 88
- 89. Block Cipher Divide input bit stream into n-bit sections, encrypt only that section. 89
- 90. Block cipher versus Stream Ciphers block ciphers process messages in blocks; stream ciphers process messages one bit or byte at a time. 90
- 91. Reversible Mapping Each block of plain text must produce a unique cipher text block. Such a transformation is called reversible. 91
- 92. Reversible Mapping 92
- 93. Irreversible Mapping If two different plain text blocks can produce the same cipher text block, the cipher text cannot be mapped back to a unique plain text. Such a transformation is called irreversible. 93
- 94. Irreversible Mapping 94
- 95. Feistel cipher Feistel cipher is a symmetric structure used in the construction of block ciphers. 95
- 96. Confusion and Diffusion • "Confusion" = Substitution (non-linear function) • a -> b • "Diffusion" = Transposition (linear function) • abcd -> dacb [figure: plaintext → Encryption (Key KA) → ciphertext → Decryption (Key KB) → plaintext] 96
- 97. Confusion Each bit of the cipher text block has highly nonlinear relations with the plaintext block bits and the key bits. 97
- 98. Diffusion Each plaintext block bit or key bit affects many bits of the cipher text block. 98
- 99. 99
- 100. Feistel Cipher Structure The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the cipher text block. Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the overall K. 100
- 101. Feistel Cipher Structure A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. 101
- 102. Feistel Cipher structure 102
- 103. Feistel Cipher structure 103
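The Feistel structure of slides 100 and 101 as an added example (not the slides' own code): a toy network with 32-bit halves, a deliberately simple hash-based round function F, and a toy key schedule. The point it demonstrates is the one the structure is built on: decryption is the same rounds with the subkeys in reverse order, and this holds for any F, invertible or not. The round function and key schedule are assumptions made here for a runnable example, not DES's.

```python
# Added example (not from the slides): a toy Feistel network with 32-bit halves.
# F and the key schedule are placeholders; the structure is what is being shown.
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right, subkey):
    """Toy F: mix the 32-bit half with the subkey through a hash. Any function
    works here because the Feistel structure never needs F to be invertible."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key, rounds):
    """Derive one 32-bit subkey per round from a 64-bit key (toy schedule)."""
    return [int.from_bytes(
                hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def feistel(block, subkeys):
    """L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i) for each subkey, then the
    final swap of the halves, as on slide 101."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left          # final swap: output is R_n || L_n


def encrypt(block, key, rounds=16):
    return feistel(block, key_schedule(key, rounds))


def decrypt(block, key, rounds=16):
    """Same network, subkeys K_n ... K_1: each round cancels the matching
    encryption round because X XOR F(R, K) XOR F(R, K) = X."""
    return feistel(block, list(reversed(key_schedule(key, rounds))))


def bit_difference(a, b):
    """Hamming distance between two 64-bit values (to observe avalanche)."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    # constructed sample values
    plaintext, key = 0x0123456789ABCDEF, 0x0F1571C947D9E859
    ct = encrypt(plaintext, key)
    print(hex(ct), hex(decrypt(ct, key)))
    print("bits changed by flipping one plaintext bit:",
          bit_difference(ct, encrypt(plaintext ^ 1, key)))
```

Because F is only ever XORed in, a weak or even constant F still gives a cipher that decrypts correctly; what F must provide is the confusion and diffusion of slides 96 to 98, which is why design effort concentrates on it (and on the S-boxes in DES) rather than on the surrounding structure.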
- 104. Feistel Cipher Design Elements block size – increasing the block size improves security but decreases the encryption speed. key size – increasing the key size improves security but decreases the encryption speed. number of rounds – increasing the number of rounds improves security but decreases the encryption speed. 104
- 105. Feistel Cipher Design Elements sub key generation algorithm – greater complexity can make analysis harder but decreases the encryption speed. round function – greater complexity can make analysis harder but decreases the encryption speed. 105
- 106. Simplified DES Developed in 1996 as a teaching tool at Santa Clara University (Prof. Edward). Takes an 8-bit plaintext block and a 10-bit key and produces an 8-bit cipher text block. Decryption takes the 8-bit cipher text block and the same 10-bit key and produces the original 8-bit plaintext block. 106
- 107. 107
- 108. Five Functions to Encrypt IP – an initial permutation; fk – a complex, 2-input function; SW – a simple permutation that swaps the two nibbles; fk – the same complex, 2-input function, applied again; IP-1 – the inverse of the initial permutation 108
- 109. 109
- 110. 110
- 111. 111
- 112. 112
- 113. 113
- 114. 114
- 115. 115
- 116. 116
- 117. DES The Data Encryption Standard (DES) is a block cipher that uses shared secret encryption. Data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms a 64-bit input in a series of steps into a 64-bit output. 117
- 118. DES • Adopted in 1976 as US Government standard encryption technique • Utilizes a 56-bit symmetric key • Cracked in 1998 • Replaced in 2002 by AES which utilizes 128 bit keys. 118
- 119. 119
- 120. DES • First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. • This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions. 120
- 121. DES • The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. • The left and right halves of the output are swapped to produce the preoutput. • Finally, the preoutput is passed through a permutation (IP-1) that is the inverse of the initial permutation function, to produce the 64-bit cipher text. 121
- 122. 64 Bit input 122
- 123. Initial permutation 123
- 124. 124
- 125. Figure 23-13 Permutation 125
- 126. Details of Single Round • uses two 32-bit L & R halves • as for any Feistel cipher can be described as: L_i = R_{i-1}; R_i = L_{i-1} ⊕ F(R_{i-1}, K_i) • F takes the 32-bit R half and a 48-bit subkey: – expands R to 48 bits using permutation E – adds to the subkey using XOR – passes through 8 S-boxes to get a 32-bit result – finally permutes using the 32-bit permutation P 126
- 127. 127
- 128. Expansion Permutation (E): 32-bit input to 48-bit output [figure: the 32 input bits in groups 1–4, 5–8, 9–12, 13–16, 17–20, 21–24, 25–28, 29–32, expanded to 48 bits] 128
- 129. Definition of DES S-Boxes 129
- 130. S-Boxes • The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. • The first and last bits of the input to box Si form a 2-bit binary number that selects the row of the table for Si. • The middle four bits select one of the sixteen columns 130
- 131. Example • For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). • The value in row 1, column 12 is 9, so the output is 1001. 131
- 132. S-Boxes 132
- 133. 133
- 134. Key Generation 134
- 135. 64 bit input key 135
- 136. Permuted Choice One (PC-1) 136
- 137. Permuted Choice Two (PC-2) 137
- 138. Schedule of Left Shifts 138
- 139. Avalanche Effect A small change in the plaintext or in the key results in a significant change in the cipher text. DES provides a strong avalanche effect Changing 1 bit in the plaintext affects 34 bits in the cipher text on average. 139
- 140. Avalanche Effect in DES 140
- 141. The Strength of DES • The use of 56 bit key • The Nature of the DES algorithm • Timing attacks 141
- 142. The use of 56 bit key • With a key length of 56 bits, there are 2^56 possible keys. • A single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher. 142
- 143. The Nature of the DES algorithm Eight S-boxes, that are used in each iteration. 143
- 144. Timing Attacks A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various cipher texts. 144
- 145. Differential Cryptanalysis • Differential cryptanalysis is the first published attack that is capable of breaking DES in less than 2^55 encryptions. • a powerful method to analyse block ciphers
- 146. Differential Cryptanalysis differential cryptanalysis compares two related pairs of encryptions. it is feasible to determine the sub key used in the function f. The differential cryptanalysis attack is complex. 146
- 147. Differential Cryptanalysis Compares Pairs of Encryptions • with a known difference in the input • searching for a known difference in output • when same subkeys are used
- 148. Linear Cryptanalysis • another recent development • also a statistical method • must be iterated over rounds, with decreasing probabilities • developed by Matsui in early 90's • based on finding linear approximations • can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
- 149. Linear Cryptanalysis For example, the following equation states that the XOR sum of the first and third plaintext bits (of a block cipher's block) and the first cipher text bit is equal to the second bit of the key: P1 ⊕ P3 ⊕ C1 = K2
- 150. Block Cipher Design • basic principles still like Feistel’s in 1970’s • number of rounds – more is better, exhaustive search best attack • function f: – provides “confusion”, is nonlinear, avalanche – have issues of how S-boxes are selected • key schedule – complex subkey creation, key avalanche
- 151. AES • DES finally proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. • The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001. 151
- 152. AES AES is a block cipher intended to replace DES for commercial applications. It uses a 128-bit block size. AES does not use a Feistel structure. 152
- 153. Evaluation Criteria for AES 153
- 154. Security Minimum key size for AES is 128 bits, brute-force attacks with current and projected technology were considered impractical. 154
- 155. COST The algorithm(s) specified in the AES shall be available on a worldwide, non- exclusive, royalty-free basis. 155
- 156. Computational efficiency Computational efficiency refers to the speed of the algorithm. 156
- 157. Memory requirement The memory required to implement a candidate algorithm for both hardware and software implementations of the algorithm will also be considered during the evaluation process. 157
- 158. Algorithm and implementation characteristics This category includes a variety of considerations, including flexibility; suitability for a variety of hardware and software implementations. 158
- 159. Key Agility Key agility refers to the ability to change keys quickly and with a minimum of resources. 159
- 160. The AES Cipher • The input to the encryption and decryption algorithms is a single 128-bit block. • This block is copied into the State array, which is modified at each stage of encryption or decryption. • After the final stage, State is copied to an output matrix. 160
- 161. 161
- 162. 162
- 163. AES 163
- 164. 164
- 165. Substitute Bytes Transformation • Replace each byte in the state array with its corresponding value from the S-Box [figure: 4 x 4 State array with sample byte values 00 44 88 CC / 11 55 99 DD / 22 66 AA EE / 33 77 BB FF and the S-box lookup of one byte] 165
- 166. Shift row transformation • The first row of State is not altered. • For the second row, a 1-byte circular left shift is performed. • For the third row, a 2- byte circular left shift is performed. • For the fourth row, a 3-byte circular left shift is performed. 166
- 167. Shift row transformation 167
- 168. Shift row transformation 168
- 169. Mix column Transformation • Apply mix column transformation to each column. 169
- 170. Mix column Transformation 170
- 171. Add Round Key • XOR each byte of the round key with its corresponding byte in the state array. 171
- 172. AddRoundKey [figure: each column of the State (S0,c S1,c S2,c S3,c) is XORed with the matching column of the round key (R0,c R1,c R2,c R3,c) to give the new column (S'0,c S'1,c S'2,c S'3,c)] 172
- 173. Key Expansion Algorithm • The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (176 bytes). • This is sufficient to provide a 4-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher. 173
- 174. 174
- 175. 175 1. Using this Playfair matrix encrypt this message: cryptography and network security
- 176. Answer 176 BGXQHWEGROKWLOSUADAWGIDLDQBPCW
- 177. Example Given the plaintext {00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01}, I. Show the original contents of State, displayed as a 4 x 4 matrix. II.Show the value of State array after initial AddRoundKey. III.Show the value of State array after Sub Bytes. IV.Show the value of State array after Shift Rows. V.Show the value of State array after Mix Columns. 177
- 178. State array 178
- 179. State array after initial AddRoundKey 179
- 180. State array after Sub Bytes 180
- 181. State array after Shift Rows 181
- 182. State array after Mix Columns 182
- 183. Example Consider the given key K and the plaintext, namely: in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F • in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 183
- 184. A. Derive K1, the first-round subkey. B. Derive L0, R0. C. Expand R0 to get E[R0], where E[·] is the expansion function. D. Calculate A = E[R0] ⊕ K1. E. Group the 48-bit result of (D) into sets of 6 bits and evaluate the corresponding S-box substitutions. F. Concatenate the results of (E) to get a 32-bit result, B. G. Apply the permutation to get P(B). H. Calculate R1 = P(B) ⊕ L0. I. Write down the cipher text. 184
- 185. UNIT-II Multiple Encryption and Triple DES Block Cipher Modes of Operation Stream cipher and RC4 Placement of Encryption function Traffic confidentiality Key Distribution Principle of Public Key Cryptosystems The RSA Algorithm Key management Diffie Hellman Key Exchange Elliptic curve cryptography. 185
- 186. Multiple Encryption Multiple encryption is a technique in which an encryption algorithm is used multiple times. 186
- 187. Double DES The simplest form of multiple encryption has two encryption stages and two keys . Given a plaintext P and two encryption keys K1 and K2, cipher text C is generated as C = E(K2, E(K1, P)) 187
- 188. Double DES 188
- 189. Double DES • Decryption requires that the keys be applied in reverse order P = D(K1, D(K2, C)) • this scheme apparently involves a key length of 56 x 2 = 112 bits, resulting in a dramatic increase in cryptographic strength 189
- 190. Meet-in-the-middle attack • Given a known pair, (P, C), the attack proceeds as follows. • First, encrypt P for all 2^56 possible values of K1. Store these results in a table and then sort the table by the values of X. • Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match. 190
- 191. Meet-in-the-middle attack • If a match occurs, then test the two resulting keys against a new known plaintext-cipher text pair. • If the two keys produce the correct cipher text, accept them as the correct keys. 191
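Slides 190 and 191 are a procedure; the added example below (written for this page, not the slides' code) runs it end to end against a deliberately tiny toy block cipher with a 16-bit block and a 12-bit key, so the two tables of 2^12 entries each are built in a fraction of a second. The toy cipher is an assumption made here so the attack is runnable offline; the lesson transfers to DES unchanged: double encryption costs the attacker about 2 * 2^k work and 2^k memory, not 2^(2k), which is why 2DES does not give 112-bit strength and why 3DES exists.

```python
# Added example (not from the slides): meet-in-the-middle against double
# encryption, using a toy 16-bit block cipher with a 12-bit key so the whole
# search fits in memory. Cost is ~2^(k+1) cipher operations, not 2^(2k).
MASK16 = 0xFFFF
KEY_BITS = 12
MULT = 0x9E37                          # odd, hence invertible mod 2^16
MULT_INV = pow(MULT, -1, 1 << 16)


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16


def toy_encrypt(key, block):
    """Toy block cipher: key-whitening, multiply, rotate, key-whitening."""
    x = (block ^ key) & MASK16
    x = (x * MULT) & MASK16
    x = rotl16(x, 5)
    return x ^ key


def toy_decrypt(key, block):
    x = block ^ key
    x = rotr16(x, 5)
    x = (x * MULT_INV) & MASK16
    return x ^ key


def double_encrypt(k1, k2, block):
    """C = E(K2, E(K1, P)), the double-DES construction of slide 187."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known (plaintext, ciphertext) pairs.
    Table X = E(k1, P) for every k1, then for every k2 look up D(k2, C);
    each hit is a candidate, and the remaining pairs confirm or reject it."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        middle = toy_decrypt(k2, c0)
        for k1 in table.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    k1, k2 = 0xABC, 0x123                            # constructed secret keys
    known = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0x5678, 0x9ABC)]
    print(meet_in_the_middle(known))                 # contains (0xABC, 0x123)
```

With a 16-bit block, a single known pair leaves roughly 2^24 / 2^16 = 2^8 false candidates, which is why the function needs the second and third pairs that slide 191 calls for; for DES with its 64-bit block and 112 bits of key the same arithmetic gives 2^48 false matches after one pair and about 2^-16 after two.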
- 192. Triple DES with Two Keys • Triple DES makes use of three stages of the DES algorithm, using a total of two or three distinct keys. • The function follows an encrypt-decrypt- encrypt (EDE) sequence C = E(K1, D(K2, E(K1, P))) 192
- 193. Triple DES with Two Keys 193
- 194. Triple DES with Three Keys • Three-key 3DES has an effective key length of 168 bits and is defined as follows: • C = E(K3, D(K2, E(K1, P))) 194
- 195. Block Cipher Modes of Operation • To apply a block cipher in a variety of applications, four "modes of operation" have been defined by NIST. • A mode of operation is a technique for enhancing the effect of a cryptographic algorithm for an application 195
- 196. Electronic Codebook (ECB) Each block of 64 plaintext bits is encrypted independently using the same key. 196
- 197. Electronic Codebook (ECB) 197
- 198. Limitation of ECB • The most significant characteristic of ECB is that the same b-bit block of plaintext, if it appears more than once in the message, always produces the same cipher text. • For lengthy messages, the ECB mode may not be secure. 198
- 199. Typical Application • Secure transmission of single values (e.g., an encryption key) 199
- 200. Cipher Block Chaining (CBC) 200 • To overcome the security deficiencies of ECB, we would like a technique in which the same plaintext block, if repeated, produces different cipher text blocks. • A simple way to satisfy this requirement is the cipher block chaining (CBC) mode • The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of cipher text.
- 201. Cipher Block Chaining (CBC) 201
- 202. Cipher Block Chaining (CBC) • use an Initialization Vector (IV) to start the process: C_i = DES_K1(P_i XOR C_{i-1}), C-1 = IV 202
- 203. Limitations of CBC • need Initialization Vector (IV) 203
- 204. Typical Application • General-purpose block-oriented transmission • Authentication 204
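The ECB limitation of slide 198 and the CBC fix of slides 200 to 203, as an added example (not the slides' own code). The block cipher underneath is a throw-away per-byte substitution constructed here only so the modes can run without a crypto library; it is not a real cipher, and the behaviour being shown belongs to the modes, not to it: ECB turns a repeated plaintext block into a repeated ciphertext block, CBC does not, and CBC needs the IV transmitted with the message.

```python
# Added example (not from the slides): ECB versus CBC over a toy 8-byte block
# cipher. The cipher is a stand-in so the modes are runnable; the point is what
# each mode does with repeated plaintext blocks.
import random
import secrets

BLOCK = 8


class ToyBlockCipher:
    """Per-byte keyed substitution (a stand-in, NOT a real block cipher)."""

    def __init__(self, key):
        assert len(key) == BLOCK
        table = list(range(256))
        random.Random(key).shuffle(table)       # key-seeded byte permutation
        self.key = key
        self.sbox = bytes(table)
        self.inv = bytearray(256)
        for i, v in enumerate(table):
            self.inv[v] = i

    def encrypt_block(self, block):
        return bytes(self.sbox[b ^ k] for b, k in zip(block, self.key))

    def decrypt_block(self, block):
        return bytes(self.inv[b] ^ k for b, k in zip(block, self.key))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """PKCS#7-style padding up to a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(cipher, plaintext):
    """Each block independently: equal plaintext blocks -> equal ciphertext blocks."""
    return b"".join(cipher.encrypt_block(b) for b in blocks(pad(plaintext)))


def ecb_decrypt(cipher, ciphertext):
    return unpad(b"".join(cipher.decrypt_block(b) for b in blocks(ciphertext)))


def cbc_encrypt(cipher, plaintext, iv=None):
    """C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV; the IV is sent in front of the
    ciphertext. A fresh random IV per message is what hides repeated messages."""
    iv = iv if iv is not None else secrets.token_bytes(BLOCK)
    prev, out = iv, [iv]
    for p in blocks(pad(plaintext)):
        prev = cipher.encrypt_block(xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, ciphertext):
    """P_i = D_K(C_i) XOR C_{i-1}; a corrupted C_i only damages P_i and P_{i+1}."""
    chunks = blocks(ciphertext)
    prev, out = chunks[0], []
    for c in chunks[1:]:
        out.append(xor(cipher.decrypt_block(c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """Number of distinct ciphertext blocks that occur more than once."""
    chunks = blocks(ciphertext)
    return sum(1 for c in set(chunks) if chunks.count(c) > 1)


if __name__ == "__main__":
    cipher = ToyBlockCipher(b"k0k1k2k3")                 # constructed key
    msg = b"ATTACKAT" * 4 + b"DAWN"                      # constructed message
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(cipher, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(cipher, msg)))
```

The repeated-block count is the detection-side view of slide 198: on a long ECB-encrypted message, identical ciphertext blocks reveal identical plaintext blocks without any key knowledge, which is the reason ECB is reserved for single values such as a key.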
- 205. Cipher Feedback (CFB) 205 Input is processed j bits at a time. Preceding cipher text is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of cipher text.
- 206. Cipher Feedback (CFB) 206
- 207. Cipher Feedback (CFB) 207
- 208. Limitation of CFB A possible problem is that if it is used over a "noisy" link, then any corrupted bit will destroy values in the current and next blocks. 208
- 209. Typical Application 209 • General-purpose stream-oriented transmission • Authentication
- 210. Output Feedback (OFB) The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantage is that firstly, they can be computed in advance, good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (eg satellite TV transmissions etc). 210
- 211. Output Feedback (OFB) 211
- 212. Typical Application • Stream-oriented transmission over noisy channel (e.g., satellite communication) 212
- 213. Counter (CTR) Each block of plaintext is XOR ed with an encrypted counter. The counter is incremented for each subsequent block. 213
- 214. Counter (CTR) 214
- 215. Advantages and Limitations of CTR • can do parallel encryptions in h/w or s/w • good for bursty high-speed links • provable security (as good as the other modes) • but the same key and counter value must never be reused, since that would repeat the keystream
- 216. Typical Application • General-purpose block-oriented transmission • Useful for high-speed requirements 216
- 217. Stream Ciphers and RC4 217
- 218. Stream Ciphers • A stream cipher encrypts plaintext one byte at a time. • A stream cipher may also be designed to operate on one bit at a time. 218
- 219. Stream Cipher Structure
- 220. Stream Cipher Structure 220
- 221. Design considerations • long period with no repetitions of pseudo random key. • output of the pseudorandom number generator is conditioned on the value of the input key. • To protect against brute-force attacks, the key needs to be sufficiently long. 221
- 222. RC4 Basics • A symmetric key encryption algorithm. • Invented by Ron Rivest. • Normally uses 64 bit and 128 bit key sizes. • Cryptographically very strong yet very easy to implement. • Consists of 2 parts: Key Scheduling Algorithm (KSA) & Pseudo-Random Generation Algorithm (PRGA)
- 223. RC4 Block Diagram Plain Text Secret Key RC4 + Encrypted Text Keystream
- 224. RC4 …break up • Initialize an array of 256 bytes. • Run the KSA on them • Run the PRGA on the KSA output to generate keystream. • XOR the data with the keystream.
- 225. Array Initialization C Code: unsigned char S[256]; int i; for (i = 0; i < 256; i++) S[i] = i; After this the array looks like this: S[] = { 0, 1, 2, 3, ……, 254, 255 }
- 226. The KSA • The initialized array S[256] is now run through the KSA. The KSA uses the secret key to scramble the array. • C Code for KSA (key holds key_len bytes; swap exchanges the two array entries): int i, j = 0; for (i = 0; i < 256; i++) { j = (j + S[i] + key[i % key_len]) % 256; swap(S[i], S[j]); }
- 227. The PRGA • The KSA-scrambled S[256] array is used to run the PRGA, which produces the actual keystream. • C Code: i = j = 0; while (output_bytes--) { i = (i + 1) % 256; j = (j + S[i]) % 256; swap(S[i], S[j]); output = S[(S[i] + S[j]) % 256]; }
- 228. Encryption using RC4 • Choose a secret key • Run the KSA and PRGA using the key to generate a keystream. • XOR keystream with the data to generated encrypted stream. • Transmit Encrypted stream.
- 229. Decryption using RC4 • Use the same secret key as during the encryption phase. • Generate keystream by running the KSA and PRGA. • XOR keystream with the encrypted text to generate the plain text. • Logic is simple : (A xor B) xor B = A A = Plain Text or Data B = KeyStream
- 230. RC4 Example • Simple 4-byte example • S = {0, 1, 2, 3} • K = {1, 7, 1, 7} • Set i = j = 0
- 231. KSA First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3} Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}): j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4) Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
- 232. KSA Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3 Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2} Fourth Iteration (i = 3, j = 3, S = {0, 1, 3, 2}): j = (j + S[ i ] + K[ i ]) = (3 + 2 + 7) = 0 (mod 4) Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}
- 233. PRGA Reset i = j = 0, Recall S = {2, 1, 3, 0} i = i + 1 = 1 j = j + S[ i ] = 0 + 1 = 1 Swap S[ i ] and S[ j ]: S = {2, 1, 3, 0} Output z = S[ S[ i ] + S[ j ] ] = S[2] = 3
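The KSA and PRGA of slides 226 and 227, written over a configurable array size so that the 4-byte walk-through of slides 230 to 233 (N = 4) and the real cipher (N = 256) come out of the same code. This is an added example for this page, not the slides' C code; the "Key"/"Plaintext" check values used in the test are the widely published RC4 test vector.

```python
# Added example (not from the slides): RC4's KSA and PRGA over an array of size
# n, so the slides' 4-byte example (n = 4) and real RC4 (n = 256) share the code.

def ksa(key, n=256):
    """Key-scheduling: start from the identity permutation and scramble it
    with the key bytes, cycling the key as needed."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return s


def prga(s, count, n=256):
    """Pseudo-random generation: emit `count` keystream values from the state."""
    s = list(s)            # work on a copy so the caller's state is untouched
    i = j = 0
    out = []
    for _ in range(count):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % n])
    return out


def rc4(key, data):
    """Encryption and decryption are the same XOR with the keystream
    (slides 228-229): (A xor B) xor B = A."""
    keystream = prga(ksa(list(key)), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    print(ksa([1, 7, 1, 7], n=4))              # [2, 1, 3, 0], as on slide 232
    print(prga([2, 1, 3, 0], 1, n=4))          # [3], as on slide 233
    ct = rc4(b"Key", b"Plaintext")             # constructed test input
    print(ct.hex(), rc4(b"Key", ct))
```

Because rc4 is the same function in both directions, a keystream reused under the same key leaks the XOR of the two plaintexts; that is the stream-cipher analogue of the counter-reuse caveat on slide 215 and the reason a per-message nonce has to be folded into the key.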
- 234. Analysis of RC4 • Advantages – Faster than DES – Enormous key space (average of 1700 bits) • Disadvantages – Large number of “weak” keys 1 of 256 – “Weak” keys can be detected and exploited with a high probability
- 235. Placement of Encryption function If encryption is to be used to counter attacks on confidentiality, we need to decide what to encrypt and where the encryption function should be located. 235
- 236. Confidentiality using Symmetric Encryption • traditionally symmetric encryption is used to provide message confidentiality
- 237. Placement of Encryption • link encryption • end-to-end encryption 237
- 238. Link encryption Link encryption is an approach that encrypts and decrypts all data at each end of a communications line 238
- 239. End-to-end encryption encryption process is carried out at the two end systems 239
- 240. Placement of Encryption
- 241. Placement of Encryption With end-to-end encryption, user data are secure, but the traffic pattern is not because packet headers are transmitted in the clear. To achieve greater security, both link and end-to-end encryption are needed
- 242. Placement of Encryption • can place encryption function at various layers in OSI Reference Model – link encryption occurs at layers 1 or 2 – end-to-end can occur at layers 3, 4, 6, 7
- 243. Front-End Processor Function 243
- 244. 244
- 245. Traffic Confidentiality Knowledge about the number and length of messages between nodes may enable an opponent to determine who is talking to whom. 245
- 246. Information that can be derived from a traffic analysis attack: • Identities of partners • How frequently the partners are communicating • Message pattern, message length, or quantity of messages that suggest important information is being exchanged 246
- 247. Link Encryption Approach Network-layer headers are encrypted, reducing the opportunity for traffic analysis. However, it is still possible to observe the amount of traffic entering and leaving each end system. 247
- 248. Traffic-Padding Encryption Device • Traffic padding produces cipher text output continuously, even in the absence of plaintext. 248
- 249. Traffic-Padding Encryption Device 249
- 250. Traffic-Padding Encryption Device • A continuous random data stream is generated. • When plaintext is available, it is encrypted and transmitted. • When input plaintext is not present, random data are encrypted and transmitted. • This makes it impossible for an attacker to distinguish between true data flow and padding 250
- 251. End-to-End Encryption Approach • If encryption is implemented at the application layer, an opponent can still determine which transport entities are engaged in a dialogue. • In addition, null messages can be inserted randomly into the stream. These tactics deny an opponent knowledge of the amount of data exchanged between end users and make the underlying traffic pattern difficult to infer. 251
- 252. Key Distribution 252
- 253. Key Distribution given parties A and B have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B
- 254. Session key • Session keys can also be termed temporary keys or one-time use keys. Usually after a session, these keys are discarded and not used again. • Communication between end systems is encrypted using session key. 254
- 255. Master key • session keys are transmitted in encrypted form, using a master key that is shared by the key distribution center and an end system or user. 255
- 256. The Use of a Key Hierarchy 256
- 257. Key Distribution Scenario
- 258. Key Distribution Scenario • A issues a request to the KDC for a session key to protect a logical connection to B. • The KDC responds with a message encrypted using Ka. Thus, A is the only one who can successfully read the message, and A knows that it originated at the KDC 258
- 259. Key Distribution Scenario • A stores the session key for use in the upcoming session and forwards to B the information that originated at the KDC for B, namely, E(Kb, [Ks || IDA]). Because this information is encrypted with Kb, it is protected from eavesdropping. • B now knows the session key (Ks), knows that the other party is A (from IDA), and knows that the information originated at the KDC (because it is encrypted using Kb). 259
- 260. Key Distribution Scenario • Using the newly minted session key for encryption, B sends a nonce, N2, to A. • Also using Ks, A responds with f(N2), where f is a function that performs some transformation on N2 (e.g., adding one). 260
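The five-step exchange of slides 258 to 260 simulated end to end, as an added example (not the slides' own code): A asks the KDC, the KDC answers under Ka with a ticket under Kb, A forwards the ticket, and B and A finish with the nonce handshake. The message layout (JSON), the choice f(N2) = N2 + 1 and the toy authenticated encryption built from SHA-256 and HMAC are assumptions made here so the protocol runs offline; they are not Stallings' or any product's formats.

```python
# Added example (not from the slides): the KDC session-key distribution scenario
# with both sides' messages. Encryption is a toy keystream + HMAC construction
# chosen here only to keep the example self-contained.
import hashlib
import hmac
import json
import secrets


def _stream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def enc(key, obj):
    """Toy authenticated encryption of a JSON-serializable object."""
    nonce = secrets.token_bytes(16)
    data = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def dec(key, blob):
    """Verify the tag first; a wrong key or altered message is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, master_keys):
        self.master_keys = master_keys          # {"A": Ka, "B": Kb}

    def request(self, ida, idb, n1):
        """Step 2: E(Ka, [Ks || Request || N1 || E(Kb, [Ks || IDA])])."""
        ks = secrets.token_bytes(32).hex()
        ticket = enc(self.master_keys[idb], {"Ks": ks, "IDA": ida}).hex()
        return enc(self.master_keys[ida],
                   {"Ks": ks, "request": [ida, idb], "N1": n1, "ticket": ticket})


def run_exchange(kdc, ka, kb):
    """Steps 1-5 as A and B experience them. Returns (A's Ks, B's Ks, the
    identity B learns from the ticket, whether B's nonce check passed)."""
    n1 = secrets.randbelow(1 << 32)                                   # step 1
    reply = dec(ka, kdc.request("A", "B", n1))                         # step 2
    if reply["N1"] != n1 or reply["request"] != ["A", "B"]:
        raise ValueError("reply does not match A's request (possible replay)")
    ks_a = bytes.fromhex(reply["Ks"])
    ticket = bytes.fromhex(reply["ticket"])                            # step 3
    ticket_body = dec(kb, ticket)                                      # B opens it
    ks_b = bytes.fromhex(ticket_body["Ks"])
    n2 = secrets.randbelow(1 << 32)
    challenge = enc(ks_b, {"N2": n2})                                  # step 4
    received = dec(ks_a, challenge)["N2"]
    response = enc(ks_a, {"f": received + 1})                          # step 5: f(N2) = N2 + 1
    b_ok = dec(ks_b, response)["f"] == n2 + 1
    return ks_a, ks_b, ticket_body["IDA"], b_ok


if __name__ == "__main__":
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)          # constructed master keys
    ks_a, ks_b, who, ok = run_exchange(KDC({"A": ka, "B": kb}), ka, kb)
    print(ks_a == ks_b, who, ok)
```

The checks on N1 in step 2 and on f(N2) in step 5 are what make the exchange more than key transport: N1 lets A reject a replayed KDC reply, and the N2 round trip lets B confirm that whoever holds the ticket also holds Ks now.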
- 261. 15.261 Hierarchical Key Control
- 262. Hierarchical Key Control • It is not necessary to limit the key distribution function to a single KDC. Indeed, for very large networks, it may not be practical to do so. As an alternative, a hierarchy of KDCs can be established. • If two entities in different domains desire a shared key, then the corresponding local KDCs can communicate through a global KDC. 262
- 263. Decentralized Key Control 263
- 264. Decentralized Key Control 1. A issues a request to B for a session key and includes a nonce, N1 2. B responds with a message that is encrypted using the shared master key. The response includes the session key selected by B, an identifier of B, the value f(N1), and another nonce, N2. 3. Using the new session key, A returns f(N2) to B. 264
- 265. Principles of Public-Key Cryptosystems 265
- 266. Private-Key Cryptography • traditional private/secret/single key cryptography uses one key • shared by both sender and receiver • if this key is disclosed communications are compromised • does not support authentication 266
- 267. Public-Key Cryptography • Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys, one a public key and one a private key. It is also known as public-key encryption. • Asymmetric encryption transforms plaintext into cipher text using one of the two keys and an encryption algorithm. Using the paired key and a decryption algorithm, the plaintext is recovered from the cipher text. • Asymmetric encryption can be used for confidentiality, authentication, or both. 267
- 268. Public-Key Cryptography public-key/two-key/asymmetric cryptography involves the use of two keys: – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures 268
- 269. Principles of Public-Key Cryptosystems • The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption: • key distribution • the lack of data authentication (digital signatures) 269
- 270. 270 Confidentiality using public-Key system
- 271. Encryption • Each user generates a pair of keys to be used for the encryption and decryption of messages. • Each user places one of the two keys in a public register This is the public key. • The companion key is kept private. 271
- 272. Encryption • If Bob wishes to send a confidential message to Alice, Bob encrypts the message using Alice's public key. • When Alice receives the message, she decrypts it using her private key. • No other recipient can decrypt the message because only Alice knows Alice's private key. 272
- 273. 273 Authentication using Public-Key System
- 274. Difference between Symmetric Encryption and Asymmetric Encryption (1) Symmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the same key; asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys, one public and one private. (2) Symmetric encryption is also known as secret-key encryption; asymmetric encryption is also known as public-key encryption. (3) Symmetric encryption can be used for confidentiality; asymmetric encryption can be used for confidentiality, authentication, or both. (4) The most widely used symmetric-key techniques are transposition and substitution; the most widely used public-key cryptosystem is RSA. 274
- 275. Public-Key Cryptosystem: Secrecy 275
- 276. Public-Key Cryptosystem: Secrecy • With the message X and the encryption key PUb as input, A forms the cipher text Y = [Y1, Y2,..., YN]: • Y = E(PUb, X) • The intended receiver, in possession of the matching private key, is able to invert the transformation: • X = D(PRb, Y) 276
- 277. Public-Key Cryptosystem: Authentication 277
- 278. Public-Key Cryptosystem: Authentication and Secrecy 278
- 279. Applications for Public-Key Cryptosystems • Encryption/decryption • Digital signature • Key exchange 279
- 280. Requirements for Public-Key Cryptography 1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb). 2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding cipher text: C = E(PUb, M) 3. It is computationally easy for the receiver B to decrypt the resulting cipher text using the private key to recover the original message: M = D(PRb, C) = D[PRb, E(PUb, M)] 280
- 281. Requirements for Public-Key Cryptography 4. It is computationally infeasible for an opponent, knowing the public key, PUb, to determine the private key, PRb. 5. It is computationally infeasible for an opponent, knowing the public key, PUb, and a cipher text, C, to recover the original message, M. 281
- 282. The RSA Algorithm 282
- 283. Our dramatis personae Rivest Shamir Adleman 283
- 284. The RSA Algorithm The RSA algorithm was developed by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978. The RSA scheme is a block cipher in which the plaintext and cipher text are integers between 0 and n. 284
- 285. RSA Public Key Cryptosystem (figure) Alice encrypts c = m^e mod n and sends the cipher text over the network to Bob, who recovers the plain text as m = c^d mod n. Bob's public key (e, n) is listed in a public key directory (Yellow/White Pages); the secret key d is known only to Bob.
- 286. The RSA Algorithm – Key Generation 1. Select p, q: p and q both prime 2. Calculate n = p x q 3. Calculate φ(n) = (p - 1)(q - 1) 4. Select integer e such that gcd(φ(n), e) = 1; 1 < e < φ(n) 5. Calculate d = e^-1 (mod φ(n)) 6. Public Key KU = {e, n} 7. Private key KR = {d, n} 286
- 287. The RSA Algorithm - Encryption • Plaintext: M < n • Ciphertext: C = M^e (mod n) 287
- 288. The RSA Algorithm - Decryption • Ciphertext: C • Plaintext: M = C^d (mod n) 288
- 289. Example Select two prime numbers, p = 17 and q = 11. Calculate n = pq = 17 x 11 = 187. Calculate φ(n) = (p - 1)(q - 1) = 16 x 10 = 160. Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7. 289
- 290. Example Calculate the d value using the formula d = (1 + X * φ(n)) / e, trying X = 0, 1, 2, ... until d is a whole number: X = 0: d = (1 + 0 * 160) / 7 = 0.143; X = 1: d = (1 + 1 * 160) / 7 = 23. So d = 23. 290
- 291. Example PU = {e, n}, PR = {d, n}. The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}. 291
- 292. Encryption Ciphertext: C = M^e (mod n) C = 88^7 (mod 187) = 11 292
- 293. Decryption Plaintext: M = C^d (mod n) M = 11^23 (mod 187) = 88 293
- 294. The RSA Algorithm 294
- 295. The RSA Algorithm 295
- 296. The RSA Algorithm 296
- 297. Example Perform the encryption and decryption for p = 7, q = 11, e = 17 and m = 8. 297
- 298. Key generation Calculate n = pq = 7 x 11 = 77. Calculate φ(n) = (p - 1)(q - 1) = 6 x 10 = 60. Calculate the d value using the formula d = (1 + X * φ(n)) / e: X = 0: d = (1 + 0 * 60) / 17 = 0.0588; X = 1: d = (1 + 1 * 60) / 17 = 3.58; X = 2: d = (1 + 2 * 60) / 17 = 7.11; X = 3: d = (1 + 3 * 60) / 17 = 10.64 298
- 299. Key generation X = 4: d = (1 + 4 * 60) / 17 = 14.17; X = 5: d = (1 + 5 * 60) / 17 = 17.70; X = 6: d = (1 + 6 * 60) / 17 = 21.23; X = 7: d = (1 + 7 * 60) / 17 = 24.76; X = 8: d = (1 + 8 * 60) / 17 = 28.29; X = 9: d = (1 + 9 * 60) / 17 = 31.82; X = 10: d = (1 + 10 * 60) / 17 = 35.35 299
- 300. Key generation X = 11: d = (1 + 11 * 60) / 17 = 38.88; X = 12: d = (1 + 12 * 60) / 17 = 42.41; X = 13: d = (1 + 13 * 60) / 17 = 45.94; X = 14: d = (1 + 14 * 60) / 17 = 49.47; X = 15: d = (1 + 15 * 60) / 17 = 53 300
- 301. Key generation PU = {e, n}, PR = {d, n}. The resulting keys are public key PU = {17, 77} and private key PR = {53, 77}. 301
- 302. Encryption Ciphertext: C = M^e (mod n) C = 8^17 (mod 77) = 57 302
- 303. Decryption Plaintext: M = C^d (mod n) M = 57^53 (mod 77) = 8 303
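Both worked examples above (p = 17, q = 11, e = 7 with M = 88, and p = 7, q = 11, e = 17 with m = 8) can be checked with the following added Python example, which is not part of the slides. It computes d both by the slides' trial formula d = (1 + X * φ(n)) / e and by the extended Euclidean algorithm, then runs the encryption and decryption steps; the function names are the example's own.

```python
from math import gcd


def mod_inverse(e, m):
    """Return d with d*e = 1 (mod m) using the extended Euclidean algorithm."""
    r0, r1 = m, e
    t0, t1 = 0, 1
    while r1:
        quotient = r0 // r1
        r0, r1 = r1, r0 - quotient * r1
        t0, t1 = t1, t0 - quotient * t1
    if r0 != 1:
        raise ValueError("e has no inverse modulo m (gcd != 1)")
    return t0 % m


def d_by_trial(e, phi):
    """The slides' method: try X = 0, 1, 2, ... until (1 + X*phi)/e is a whole number.
    Because gcd(e, phi) = 1, some X below e always works."""
    for x in range(e):
        numerator = 1 + x * phi
        if numerator % e == 0:
            return numerator // e
    raise ValueError("gcd(e, phi) must be 1")


def rsa_keygen(p, q, e):
    """Key generation as on the slides: returns (public key {e, n}, private key {d, n})."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = mod_inverse(e, phi)
    assert d == d_by_trial(e, phi)   # both routes give the same d
    return (e, n), (d, n)


def rsa_encrypt(public_key, m):
    """C = M^e mod n; the plaintext block must be an integer in [0, n)."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """M = C^d mod n."""
    d, n = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    # First example on the slides: p = 17, q = 11, e = 7, M = 88
    pub, priv = rsa_keygen(17, 11, 7)
    c = rsa_encrypt(pub, 88)
    print(pub, priv, c, rsa_decrypt(priv, c))   # (7, 187) (23, 187) 11 88
    # Second example: p = 7, q = 11, e = 17, m = 8
    pub, priv = rsa_keygen(7, 11, 17)
    c = rsa_encrypt(pub, 8)
    print(pub, priv, c, rsa_decrypt(priv, c))   # (17, 77) (53, 77) 57 8
```

What this "textbook" RSA does not do is also worth noticing: without a randomized padding scheme the same plaintext always gives the same cipher text, and a cipher text can be manipulated multiplicatively, which is why deployed RSA uses a padding scheme such as OAEP together with keys of 2048 bits or more.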
- 304. The Security of RSA Brute force: This involves trying all possible private keys. Mathematical attacks: There are several approaches, all equivalent in effort to factoring the product of two primes. Timing attacks: These depend on the running time of the decryption algorithm. Chosen cipher text attacks: This type of attack makes use of properties of the RSA algorithm. 304
- 305. Key Management One of the major roles of public-key encryption has been to address the problem of key distribution. • The distribution of public keys • Distribution of secret keys using public key 305
- 306. Distribution of Public Keys • Public announcement • Publicly available directory • Public-key authority • Public-key certificates 306
- 307. Public Announcement of Public Keys • any participant can send his or her public key to any other participant or broadcast the key to the community at large. 307
- 308. Public Announcement of Public Keys 308
- 309. Example • For example, USENET is a public forum: anybody can post a message and read messages. • It has a major weakness: • some user could pretend to be user A and send a public key to another participant. 309
- 310. Publicly Available Directory • can obtain greater security by registering keys with a public directory • The authority maintains a directory with a {name, public key} entry for each participant. • Each participant registers a public key with the directory authority. • A participant may replace the existing key with a new one at any time. • Participants could also access the directory electronically. 310
- 311. Publicly Available Directory 311
- 312. Public-Key Authority Stronger security for public-key distribution can be achieved by providing tighter control over the distribution of public keys from the directory. 312
- 313. Public-Key Authority 313
- 314. Public-Key Authority 1. A sends a time-stamped message to the public-key authority containing a request for the current public key of B. 2. The authority responds with a message that is encrypted using the authority's private key, PRauth. Thus, A is able to decrypt the message using the authority's public key. The message includes the following: ● B's public key, PUb, which A can use to encrypt messages destined for B ● The original request, to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority ● The original timestamp, so A can determine that this is not an old message from the authority. 314
- 315. Public-Key Authority 3. A stores B's public key and also uses it to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely. 4, 5. B retrieves A's public key from the authority in the same manner as A retrieved B's public key. At this point, public keys have been securely delivered to A and B, and they may begin their protected exchange. However, two additional steps are desirable: 6. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (3), the presence of N1 in message (6) assures A that the correspondent is B. 7. A returns N2, encrypted using B's public key, to assure B that its correspondent is A. 315
- 316. Public-Key Certificates 316
- 317. Public-Key Certificates • Any participant can read a certificate to determine the name and public key of the certificate's owner. • Any participant can verify that the certificate originated from the certificate authority and is not counterfeit. • Only the certificate authority can create and update certificates. 317
- 318. Distribution of Secret Keys Using Public-Key Cryptography • Simple Secret Key Distribution • Secret Key Distribution with Confidentiality and Authentication 318
- 319. Simple Secret Key Distribution 319
- 320. Simple Secret Key Distribution 1. A generates a public/private key pair {PUa, PRa} and transmits a message to B consisting of PUa and an identifier of A, IDA. 2. B generates a secret key, Ks, and transmits it to A, encrypted with A's public key. 320
- 321. Simple Secret Key Distribution 3. A computes D(PRa, E(PUa, Ks)) to recover the secret key. Because only A can decrypt the message, only A and B will know the identity of Ks. 4. A discards PUa and PRa and B discards PUa. 321
- 322. Man-in-the-middle attack 1. A generates a public/private key pair {PUa, PRa} and transmits a message intended for B consisting of PUa and an identifier of A, IDA. 2. E captures the message, creates its own public/private key pair {PUe, PRe} and transmits PUe || IDA to B. 322
- 323. Man-in-the-middle attack 3. B generates a secret key, Ks, and transmits E(PUe, Ks). 4. E captures the message and learns Ks by computing D(PRe, E(PUe, Ks)). 5. E transmits E(PUa, Ks) to A. 323
- 324. Secret Key Distribution with Confidentiality and Authentication 324
- 325. 1. A uses B's public key to encrypt a message to B containing an identifier of A (IDA) and a nonce (N1), which is used to identify this transaction uniquely. 2. B sends a message to A encrypted with PUa and containing A's nonce (N1) as well as a new nonce generated by B (N2). Because only B could have decrypted message (1), the presence of N1 in message (2) assures A that the correspondent is B. 325
- 326. 3. A returns N2 encrypted using B's public key, to assure B that its correspondent is A. 4. A selects a secret key Ks and sends M = E(PUb, E(PRa, Ks)) to B. Encryption of this message with B's public key ensures that only B can read it; encryption with A's private key ensures that only A could have sent it. 5. B computes D(PUa, D(PRb, M)) to recover the secret key. 326
- 327. Diffie-Hellman Key Exchange The purpose of the algorithm is to enable two users to securely exchange a key that can then be used for subsequent encryption of messages. 327
- 328. Primitive roots p is a prime number. a is a primitive root of p if it satisfies the following condition: a mod p, a^2 mod p, ..., a^(p-1) mod p are distinct and consist of the integers from 1 through p-1 in some permutation. 328
- 329. Primitive roots 3 is a primitive root of 5 (a = 3, p = 5): 329

  | i | a^i | a^i mod 5 |
  |---|---|---|
  | 1 | 3 | 3 |
  | 2 | 9 | 4 |
  | 3 | 27 | 2 |
  | 4 | 81 | 1 |
- 330. Primitive roots 4 is not a primitive root of 5 (a = 4, p = 5): 330

  | i | a^i | a^i mod 5 |
  |---|---|---|
  | 1 | 4 | 4 |
  | 2 | 16 | 1 |
  | 3 | 64 | 4 |
  | 4 | 256 | 1 |
- 331. The Diffie-Hellman Key Exchange Algorithm 331
- 332. The Diffie-Hellman Key Exchange Algorithm 332
- 333. The Diffie-Hellman Key Exchange Algorithm 333
- 334. The Diffie-Hellman Key Exchange Algorithm 334
- 335. The Diffie-Hellman Key Exchange Algorithm 335
- 336. The Diffie-Hellman Key Exchange Algorithm 336
- 337. Diffie-Hellman Example Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7. i) If user A has private key XA = 5, what is A's public key YA? ii) If user B has private key XB = 12, what is B's public key YB? iii) What is the shared secret key? 337
- 338. Diffie-Hellman Example YA = a^XA mod q = 7^5 mod 71 = 51 YB = a^XB mod q = 7^12 mod 71 = 4 338
- 339. Diffie-Hellman Example Ks = YB^XA mod q = 4^5 mod 71 = 30 Ks = YA^XB mod q = 51^12 mod 71 = 30 339
- 340. Diffie-Hellman Example Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2. I. Show that 2 is a primitive root of 11. II. If user A has public key YA = 9, what is A's private key XA? III. If user B has public key YB = 3, what is the shared secret key K, shared with A? 340
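An added Python example (not part of the slides) for the primitive-root test and for the two Diffie-Hellman exercises above; the function names are the example's own. It reproduces the q = 71, a = 7 numbers and, for the q = 11 exercise, recovers the private keys from the public keys by exhaustive search of the discrete logarithm. That search is only possible because q is tiny; for the moduli used in practice it is infeasible, and that infeasibility is what the exchange's security rests on.

```python
def is_primitive_root(a, p):
    """a is a primitive root of prime p if a^1, a^2, ..., a^(p-1) mod p are all distinct."""
    residues = {pow(a, i, p) for i in range(1, p)}
    return len(residues) == p - 1


def power_table(a, p):
    """Rows (i, a^i, a^i mod p), the table shown on the primitive-root slides."""
    return [(i, a ** i, pow(a, i, p)) for i in range(1, p)]


def dh_public_key(a, q, x):
    """Y = a^X mod q."""
    return pow(a, x, q)


def dh_shared_key(q, x_own, y_peer):
    """K = Y_peer^X_own mod q."""
    return pow(y_peer, x_own, q)


def dh_exchange(a, q, xa, xb):
    """Run both sides of the exchange and return (YA, YB, K)."""
    ya = dh_public_key(a, q, xa)
    yb = dh_public_key(a, q, xb)
    ka = dh_shared_key(q, xa, yb)
    kb = dh_shared_key(q, xb, ya)
    if ka != kb:
        raise AssertionError("both sides must derive the same key")
    return ya, yb, ka


def discrete_log(a, q, y):
    """Smallest x with a^x = y (mod q), by exhaustive search over 1..q-1.
    Feasible only for toy q; this is exactly the problem an eavesdropper who sees
    YA and YB would have to solve, and it is infeasible at real key sizes."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    raise ValueError("y is not generated by a")


if __name__ == "__main__":
    assert is_primitive_root(3, 5) and not is_primitive_root(4, 5)
    print(power_table(3, 5))                 # [(1, 3, 3), (2, 9, 4), (3, 27, 2), (4, 81, 1)]
    print(dh_exchange(7, 71, 5, 12))         # (51, 4, 30)
    # The q = 11, a = 2 exercise: recover XA and XB from YA = 9 and YB = 3
    xa = discrete_log(2, 11, 9)
    xb = discrete_log(2, 11, 3)
    print(is_primitive_root(2, 11), xa, xb, dh_shared_key(11, xa, 3))
```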
- 341. Elliptic Curve Cryptography Elliptic curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. 341
- 342. Elliptic Curve Cryptography ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers 342
- 343. Elliptic Curve Cryptography • ECC requires a significantly smaller key size for the same level of security. • Benefits of smaller key sizes: faster computations and less storage space. • ECC is ideal for constrained environments: pagers, PDAs, cellular phones, smart cards. 343
- 344. Elliptic curve • Elliptic curves are not ellipses. They are so named because they are described by cubic equations, similar to those used for calculating the circumference of an ellipse. • An elliptic curve is the set of points (x, y) for which y^2 = x^3 + ax + b, given certain chosen numbers a and b. 344
- 345. elliptic curve 345
- 346. ECC Diffie-Hellman Key Exchange 346
- 347. ECC Diffie-Hellman Key Exchange 347
- 348. ECC Diffie-Hellman Key Exchange 348
- 349. ECC Diffie-Hellman Key Exchange 349
- 350. ECC Diffie-Hellman Key Exchange 350
- 351. UNIT-III 351
- 352. Contents: Message Authentication and Hash Functions; Authentication requirements; Authentication functions; Message Authentication Codes and Hash functions; Security of hash functions and MACs; Secure Hash Algorithm; Whirlpool; HMAC and CMAC; Digital Signatures; Authentication protocols; Digital Signature Standard; Kerberos; X.509 Authentication Service; Public Key Infrastructure. 352
- 353. Authentication requirements: disclosure; traffic analysis; masquerade; content modification; sequence modification; timing modification; source repudiation; destination repudiation 353
- 354. Authentication Functions Message encryption: The cipher text of the entire message serves as its authenticator Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator 354
- 355. Basic Uses of Message Encryption 355
- 356. Basic Uses of Message Encryption 356
- 357. Basic Uses of Message Encryption 357
- 358. Basic Uses of Message Encryption 358
- 359. Internal Error Control 359
- 360. External Error Control 360
- 361. Message Authentication Codes A message authentication code (MAC) is a short piece of information used to authenticate a message. 361
- 362. Message Authentication Codes MAC = C(K, M), where M = input message; C = MAC function; K = shared secret key; MAC = message authentication code 362
- 363. Basic Uses of Message Authentication Code 363
- 364. Basic Uses of Message Authentication Code 364
- 365. Basic Uses of Message Authentication Code 365
- 366. Requirements for MACs 1. knowing a message and its MAC, it is infeasible to find another message with the same MAC 2. MACs should be uniformly distributed 3. the MAC should depend equally on all bits of the message.
- 367. Data Authentication Algorithm • Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC – using IV=0 and zero-pad of final block – encrypt message using DES in CBC mode – and send just the final block as the MAC • or the leftmost M bits (16≤M≤64) of final block • but final MAC is now too small for security
- 368. Data Authentication Algorithm
- 369. Hash Function A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). The hash code is also referred to as a message digest or hash value. A hash value h is generated by a function H of the form h = H(M) 369
- 370. Basic Uses of Hash Function 370
- 371. Basic Uses of Hash Function 371
- 372. Basic Uses of Hash Function 372
- 373. Basic Uses of Hash Function 373
- 374. Basic Uses of Hash Function 374
- 375. Basic Uses of Hash Function 375
- 376. Requirements for Hash Functions 1. can be applied to any sized message M 2. produces fixed-length output h 3. is easy to compute h=H(M) for any message M 4. given h is infeasible to find x s.t. H(x)=h • one-way property
- 377. Weak collision resistance Given an input m1 it should be difficult to find another input m2 — where m1!=m2 — such that H(m1)=H(m2) 377
- 378. Strong collision resistance It should be difficult to find two different messages m1 and m2 such that H(m1)=H(m2) 378
- 379. Hash Functions & MAC Security • like block ciphers have: • brute-force attacks exploiting – strong collision resistance: hashes have cost 2^(m/2) • have proposal for h/w MD5 cracker • 128-bit hash looks vulnerable, 160 bits better – MACs with known message-MAC pairs • can either attack keyspace (cf. key search) or MAC • at least 128-bit MAC is needed for security
- 380. Hash Functions & MAC Security • cryptanalytic attacks exploit structure – like block ciphers, want brute-force attacks to be the best alternative • have a number of analytic attacks on iterated hash functions – CV_i = f[CV_{i-1}, M_i]; H(M) = CV_N – typically focus on collisions in function f – like block ciphers, f is often composed of rounds – attacks exploit properties of round functions
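To make the 2^(m/2) cost on the two slides above concrete, here is an added Python example that is not part of the slides. It truncates SHA-256 to an m-bit digest as a stand-in for an m-bit hash and counts how many constructed inputs (the prefix and numbering are the example's own) it takes before two of them collide. The count lands near the birthday estimate sqrt(pi/2 * 2^m), far below the roughly 2^m hashes a single fixed target value would cost, which is why an m-bit digest is credited with only m/2 bits of collision resistance and why 128-bit digests are considered too short.

```python
import hashlib
import itertools
import math


def truncated_hash(data, bits):
    """Leftmost `bits` bits of SHA-256, as an integer: a stand-in for an m-bit hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_trials(bits):
    """Birthday bound: about sqrt(pi/2 * 2^m) random inputs give one collision, i.e. O(2^(m/2))."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits, prefix=b"constructed-input-"):
    """Hash distinct constructed inputs until two share a truncated digest.
    Returns (m1, m2, number_of_hashes_computed). Memory grows with the number of
    trials, which is itself part of the point: at m = 256 neither time nor memory suffices."""
    seen = {}
    for i in itertools.count():
        msg = prefix + str(i).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


if __name__ == "__main__":
    m = 24
    m1, m2, trials = find_collision(m)
    print(f"{m}-bit digest: collision after {trials} hashes "
          f"(birthday estimate {expected_trials(m):.0f}; preimage of a fixed value ~{2 ** m})")
    print(m1, m2, hex(truncated_hash(m1, m)))
```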
- 381. Secure Hash Algorithms The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard in 1993. 381
- 382. Types of SHA 1. SHA-0 2. SHA-1 3. SHA-224 4. SHA-256 5. SHA-384 6. SHA-512 382
- 383. Comparisons 383

  | | SHA-1 | SHA-256 | SHA-384 | SHA-512 |
  |---|---|---|---|---|
  | Message digest size | 160 | 256 | 384 | 512 |
  | Message size | < 2^64 | < 2^64 | < 2^128 | < 2^128 |
  | Block size | 512 | 512 | 1024 | 1024 |
  | Word size | 32 | 32 | 64 | 64 |
  | Number of steps | 80 | 64 | 80 | 80 |
- 384. SHA-512 • The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest. • The input is processed in 1024-bit blocks. 384
- 385. SHA-512 Logic Padding is the addition of one or more extra bits to a transmission. 385
- 386. Message Digest Generation Using SHA-512 386
- 387. Message Digest Generation Using SHA-512 Step 1: Append padding bits. Step 2: Append length. Step 3: Initialize hash buffer. Step 4: Process message in 1024-bit (128-word) blocks. 387
- 388. Processing of a Single 1024-Bit Block 388
- 389. Processing of a Single 1024-Bit Block • A 512-bit buffer is used to hold intermediate and final results of the hash function. • The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h). • These registers are initialized to the following default hexadecimal values. 389
- 390. a = 6A09E667F3BCC908 b = BB67AE8584CAA73B c = 3C6EF372FE94F82B d = A54FF53A5F1D36F1 e = 510E527FADE682D1 f = 9B05688C2B3E6C1F g = 1F83D9ABFB41BD6B h = 5BE0CD19137E2179 390
- 391. SHA-512 Processing of a Single 1024-Bit Block • Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the buffer. 391
- 392. H_0 = IV H_i = SUM64(H_{i-1}, abcdefgh_i) MD = H_N 392
- 393. • where IV = initial value of the abcdefgh buffer, • abcdefgh_i = the output of the last round of processing of the ith message block • N = the number of blocks in the message (including padding and length fields) • SUM64 = addition modulo 2^64 performed separately on each word of the pair of inputs • MD = final message digest value 393
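Steps 1 and 2 of the SHA-512 preprocessing above (append padding bits, append the 128-bit length) and the view of each 1024-bit block as sixteen 64-bit words, as an added Python example that is not part of the slides; the helper names are the example's own. It shows the two boundary cases that trip up hand-written implementations: the single 1 bit is always appended even when the message is already block-aligned, and a message of 112 or more bytes in its final block spills into an extra block.

```python
import struct

BLOCK_BYTES = 128          # 1024-bit blocks
LENGTH_FIELD_BYTES = 16    # the 128-bit length field at the end of the padded message


def sha512_pad(message):
    """Steps 1 and 2 of SHA-512 preprocessing.
    Step 1: append a single 1 bit, then 0 bits, so the length is 896 mod 1024 bits.
            At least one padding bit is always added, even for an aligned message.
    Step 2: append the original length in bits as a 128-bit big-endian integer."""
    bit_length = len(message) * 8
    if bit_length >= 2 ** 128:
        raise ValueError("SHA-512 messages must be shorter than 2^128 bits")
    padded = bytearray(message)
    padded.append(0x80)    # 1000 0000: the 1 bit followed by seven 0 bits
    while len(padded) % BLOCK_BYTES != BLOCK_BYTES - LENGTH_FIELD_BYTES:
        padded.append(0x00)
    padded += bit_length.to_bytes(LENGTH_FIELD_BYTES, "big")
    return bytes(padded)


def split_blocks(padded):
    """Step 4 consumes the padded message as N 1024-bit blocks M_1 ... M_N."""
    if len(padded) % BLOCK_BYTES:
        raise ValueError("padded message must be a multiple of 1024 bits")
    return [padded[i:i + BLOCK_BYTES] for i in range(0, len(padded), BLOCK_BYTES)]


def block_words(block):
    """A 1024-bit block as sixteen 64-bit big-endian words (W_0..W_15 of the message schedule)."""
    return list(struct.unpack(">16Q", block))


def padded_layout(message):
    """(number of blocks N, value of the trailing length field) for a message."""
    padded = sha512_pad(message)
    return len(padded) // BLOCK_BYTES, int.from_bytes(padded[-LENGTH_FIELD_BYTES:], "big")


if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 111, b"a" * 112, b"a" * 128):
        print(len(sample), "bytes ->", padded_layout(sample))
    print([hex(w) for w in block_words(split_blocks(sha512_pad(b"abc"))[0])][:2])
```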
- 394. SHA-512 Round Function 394
- 395. SHA-512 Round Function 395
- 396. SHA-512 Round Function 396
- 397. SHA-512 Round Function 397
- 398. SHA-512 Round Function 398
- 399. SHA-512 Round Function 399
- 400. Creation of 80-word Input Sequence for SHA- 512 Processing of Single Block 400
- 401. Creation of 80-word Input Sequence for SHA- 512 Processing of Single Block 401
- 402. Creation of 80-word Input Sequence for SHA- 512 Processing of Single Block 402
- 403. Whirlpool • Whirlpool is based on the use of a block cipher for the compression function. • It takes a message of any length less than 2^256 bits and returns a 512-bit message digest. 403
- 404. Features • The hash code length is 512 bits • The underlying block cipher is based on AES. 404
- 405. Whirlpool Hash Structure 405
- 406. Message Digest Generation Using Whirlpool 406
- 407. Whirlpool Overview Step 1: Append padding bits Step 2: Append length Step 3: Initialize hash matrix Step 4: Process message in 512-bit (64-byte) blocks, using as its core the block cipher W. 407
- 408. Whirlpool Overview 408
- 409. Comparison of Whirlpool Block Cipher W and AES 409

  | | W | AES |
  |---|---|---|
  | Block size (bits) | 512 | 128 |
  | Key size (bits) | 512 | 128, 192, or 256 |
  | Matrix orientation | Input is mapped row-wise | Input is mapped column-wise |
  | Number of rounds | 10 | 10, 12, or 14 |
- 410. Whirlpool Block Cipher W 410
- 411. Whirlpool Block Cipher W The encryption algorithm takes a 512-bit block of plaintext and a 512-bit key as input and produces a 512-bit block of cipher text as output. The encryption algorithm involves the use of four different functions: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR). 411
- 412. Whirlpool Matrix Structure • The plaintext input to W is a single 512-bit block. • This block is treated as an 8 x 8 square matrix of bytes, labeled Cstate. 412
- 413. Whirlpool Matrix Structure 413
- 414. The Nonlinear Layer SB 414
- 415. The Nonlinear Layer SB The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {BA}. Accordingly, the value {95} is mapped into the value {BA}. 415
- 416. Mix Row • Each byte of a row is mapped into a new value that is a function of all eight bytes in that row. • The transformation can be defined by the matrix multiplication: B = AC • where A is the input matrix, B is the output matrix, and C is the transformation matrix: 416
- 417. Whirlpool Performance & Security • Whirlpool is a very new proposal, hence there is little experience with use • compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput. 417
- 418. MAC 418
- 419. Types of MAC: HMAC (Hash-based Message Authentication Code); CMAC (Cipher-based Message Authentication Code) 419
- 420. HMAC The message authentication code is generated using a hash function. HMAC is computationally very fast and very compact. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC. 420
- 421. HMAC Algorithm H = embedded hash function; IV = initial value input to hash function; M = message input to HMAC; Y_i = ith block of M; L = number of blocks in M; b = number of bits in a block; n = length of hash code produced by embedded hash function; K = secret key 421
- 422. HMAC Algorithm K+ = K padded with zeros on the left; ipad = 00110110 (36 in hexadecimal); opad = 01011100 (5C in hexadecimal) 422
- 423. HMAC Overview 423
- 424. HMAC Overview 1. Append zeros to the left end of K to create a b-bit string K+. 2. XOR K+ with ipad to produce the b-bit block Si. 3. Append M to Si. 4. Apply H to the stream generated in step 3. 5. XOR K+ with opad to produce the b-bit block So. 424
- 425. HMAC Overview 6. Append the hash result from step 4 to So. 7. Apply H to the stream generated in step 6 and output the result. 425
- 426. HMAC Overview 426
- 427. Efficient Implementation of HMAC 427
- 428. Two quantities are precomputed 428
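The seven HMAC steps and the precomputation of the two key-dependent hash states described above, as an added Python example that is not part of the slides; the function and class names are the example's own. It follows RFC 2104, which is what Python's hmac module implements: the zero padding of K+ goes after the key bytes and a key longer than b bits is first hashed down. The result is checked against the standard library, and the receiver-side check uses a constant-time comparison.

```python
import hashlib
import hmac as stdlib_hmac

IPAD_BYTE = 0x36   # 00110110
OPAD_BYTE = 0x5C   # 01011100


def _inner_outer_blocks(key, hash_name):
    """Form K+ (key zero-padded to the b-bit block size) and the b-bit blocks S_i and S_o."""
    b = hashlib.new(hash_name).block_size          # b/8 bytes: 64 for SHA-256, 128 for SHA-512
    if len(key) > b:                                # RFC 2104: keys longer than b bits are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))         # RFC 2104 appends the zeros after the key bytes
    s_i = bytes(x ^ IPAD_BYTE for x in k_plus)      # K+ xor ipad
    s_o = bytes(x ^ OPAD_BYTE for x in k_plus)      # K+ xor opad
    return s_i, s_o


def hmac_by_definition(key, message, hash_name="sha256"):
    """Steps 1-7: H( (K+ xor opad) || H( (K+ xor ipad) || M ) )."""
    s_i, s_o = _inner_outer_blocks(key, hash_name)
    inner = hashlib.new(hash_name, s_i + message).digest()   # steps 2-4
    return hashlib.new(hash_name, s_o + inner).digest()      # steps 5-7


class PrecomputedHMAC:
    """The efficient implementation: the hash states after absorbing S_i and S_o depend
    only on the key, so they are computed once and copied for every message."""

    def __init__(self, key, hash_name="sha256"):
        s_i, s_o = _inner_outer_blocks(key, hash_name)
        self._inner_state = hashlib.new(hash_name, s_i)   # f(IV, S_i), one block of hashing
        self._outer_state = hashlib.new(hash_name, s_o)   # f(IV, S_o), one block of hashing

    def tag(self, message):
        inner = self._inner_state.copy()
        inner.update(message)
        outer = self._outer_state.copy()
        outer.update(inner.digest())
        return outer.digest()


def verify_tag(key, message, tag, hash_name="sha256"):
    """Receiver-side check; compare_digest does not leak where the tags first differ."""
    expected = hmac_by_definition(key, message, hash_name)
    return stdlib_hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"constructed sample message"
    tag = hmac_by_definition(key, msg)
    print(tag.hex())
    print(tag == PrecomputedHMAC(key).tag(msg) == stdlib_hmac.new(key, msg, hashlib.sha256).digest())
    print(verify_tag(key, msg, tag), verify_tag(key, msg + b"!", tag))
```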
- 429. CMAC The message authentication code is generated using a block cipher. 429
- 430. CMAC Overview 430
- 431. CMAC Overview The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not). 431
- 432. CMAC Overview 432
- 433. CMAC Overview T = MSB_Tlen(C_n), where T = message authentication code, also referred to as the tag; Tlen = bit length of T; MSB_s(X) = the s leftmost bits of the bit string X 433
- 434. Digital signature A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting the message with the creator's private key. The signature guarantees the source and integrity of the message. 434
- 435. Digital Signature Properties The signature must be a bit pattern that depends on the message being signed. The signature must use some information unique to the sender, to prevent both forgery and denial. It must be relatively easy to produce the digital signature. It must be relatively easy to recognize and verify the digital signature. It must be computationally infeasible to forge a digital signature. It must be practical to retain a copy of the digital signature in storage. 435
- 436. Direct Digital Signatures Direct digital signatures involve only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public- or private-key schemes. Security depends on the sender's private key. 436
- 437. Arbitrated Digital Signatures • involves use of arbiter A – validates any signed message – then dated and sent to recipient • requires suitable level of trust in arbiter • can be implemented with either private or public-key algorithms • arbiter may or may not see message 437
- 438. Arbitrated Digital Signatures X = sender; Y = recipient; A = arbiter; M = message; T = timestamp 438
- 439. Authentication Protocols • Authentication protocols are used to convince parties of each other's identity and to exchange session keys. • may be one-way or mutual 439
- 440. One-Way Authentication • required when sender & receiver are not in communication at the same time (e.g. email) 440
- 441. Mutual Authentication • required when sender & receiver are in communication at the same time (e.g. client-server) 441
- 442. Digital Signature Standard The digital signature standard (DSS) is an NIST standard that uses the secure hash algorithm (SHA). 442
- 443. Two Approaches to Digital Signatures 443
- 444. The Digital Signature Algorithm (DSA) 444
- 445. Global Public-Key Components p = prime number where 2^(L-1) < p < 2^L for 512 <= L <= 1024; q = prime divisor of (p - 1), where 2^159 < q < 2^160; g = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p > 1 445
- 446. User's Private Key x = random or pseudorandom integer with 0 < x < q 446
- 447. User's Public Key y = g^x mod p 447
- 448. User's Per-Message Secret Number k = random or pseudorandom integer with 0 < k < q 448
- 449. Signing r = (g^k mod p) mod q; s = [k^-1 (H(M) + xr)] mod q; Signature = (r, s) 449
- 450. Verifying w = (s')^-1 mod q; u1 = [H(M') w] mod q; u2 = (r') w mod q; v = [(g^u1 y^u2) mod p] mod q 450
- 451. Verifying TEST: v = r'. M = message to be signed; H(M) = hash of M using SHA-1; M', r', s' = received versions of M, r, s 451
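The signing and verifying equations on the DSA slides above, as an added Python example that is not part of the slides; the function names are the example's own. It generates toy-sized global components with its own global_components() (p = k * q + 1 for a given prime q, nowhere near the 160-bit q and 512 to 1024-bit p the standard requires, so it illustrates the algebra only) and uses SHA-1 as H(M) because that is what the slide names. The per-message secret k is drawn with the secrets module: it must be unpredictable and used only once, because the private key x can be recovered from two signatures that share a k.

```python
import hashlib
import secrets
from math import isqrt


def is_prime(n):
    """Deterministic trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return False
    return True


def global_components(q):
    """Global public components (p, q, g): p = k*q + 1 prime, g = h^((p-1)/q) mod p with g > 1."""
    if not is_prime(q):
        raise ValueError("q must be prime")
    k = 2
    while not is_prime(k * q + 1):
        k += 2                                   # k even keeps k*q + 1 odd
    p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) <= 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def H(message):
    """H(M) as on the slide: SHA-1 of M, read as an integer (reduced mod q in the arithmetic)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def keygen(params, x=None):
    """Private key x with 0 < x < q and public key y = g^x mod p."""
    p, q, g = params
    if x is None:
        x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(params, x, message, k=None):
    """r = (g^k mod p) mod q; s = k^-1 (H(M) + x r) mod q."""
    p, q, g = params
    if k is None:
        k = secrets.randbelow(q - 1) + 1         # per-message secret, 0 < k < q, never reused
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (H(message) + x * r)) % q
    if r == 0 or s == 0:                         # the standard says to start over with a fresh k
        return sign(params, x, message)
    return r, s


def verify(params, y, message, signature):
    """w = s^-1 mod q; u1 = H(M) w mod q; u2 = r w mod q; v = (g^u1 y^u2 mod p) mod q; accept iff v == r."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):            # reject out-of-range values before any arithmetic
        return False
    w = pow(s, -1, q)
    u1 = (H(message) * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = global_components(10**9 + 7)         # constructed toy parameters
    x, y = keygen(params)
    msg = b"constructed sample message"
    sig = sign(params, x, msg)
    print(params, sig)
    print(verify(params, y, msg, sig), verify(params, y, msg + b"?", sig))   # True False
```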
- 452. Kerberos 452
- 453. Kerberos Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. 453
- 454. Kerberos Kerberos is an authentication service designed for use in a distributed environment. Kerberos makes use of a trusted third-party authentication service that enables clients and servers to establish authenticated communication. 454
- 455. Requirements for KERBEROS Secure: an opponent does not find it to be the weak link. Scalable: the system supports a large number of clients and servers. Reliable: for all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Transparent: the user should not be aware that authentication is taking place. 455
- 456. A Simple Authentication Dialogue C = client; AS = authentication server; V = server; IDc = identifier of user on C; IDv = identifier of V; Pc = password of user on C; ADc = network address of C; Kv = secret encryption key shared by AS and V 456
- 457. A Simple Authentication Dialogue (1) C → AS: IDc || Pc || IDv (2) AS → C: Ticket (3) C → V: IDc || Ticket, where Ticket = E(Kv, [IDc, ADc, IDv]); Kv = secret key shared between AS and V (server); Pc = password of client 457
- 458. A More Secure Authentication Dialogue Two problems remain: we want to minimize the number of times that a user has to enter a password, and tickets are not reusable. To solve these problems, we introduce a new server, known as the ticket-granting server (TGS). 458
- 459. Once per user logon session: (1) C → AS: IDc || IDtgs (2) AS → C: E(Kc, Ticket_tgs) 459
- 460. Once per type of service: (3) C → TGS: IDc || IDv || Ticket_tgs (4) TGS → C: Ticket_v 460
- 461. Once per service session: (5) C → V: IDc || Ticket_v 461
- 462. Kerberos 4 Overview 462
- 463. 1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID and password to the AS, together with the TGS ID, indicating a request to use the TGS service. 2. The AS responds with a ticket that is encrypted with a key that is derived from the user's password. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered. 463
- 464. 3. The client requests a service-granting ticket on behalf of the user. 4. The TGS decrypts the incoming ticket and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service. 464
- 465. 5. The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user's ID and the service-granting ticket. The server authenticates by using the contents of the ticket. 465
- 469. Kerberos realm Kerberos allows the global distribution of ASs and TGSs, with each system called a realm. A user may get a ticket for a local server or a remote server.
- 470. Kerberos realm • 1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database. • 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server. • Such an environment is referred to as a Kerberos realm. 470
- 471. 31/03/2005 Authentication Applications 471 Request for Service in another realm: 1. Request ticket for local TGS 2. Ticket for local TGS 3. Request ticket for remote TGS 4. Ticket for remote TGS 5. Request ticket for remote server 6. Ticket for remote server 7. Request for remote service
- 472. The minor differences between version 4 and version 5 1) Version 5 has a longer ticket lifetime. 2) Version 5 allows tickets to be renewed. 3) Version 5 can accept any symmetric-key algorithm. 4) Version 5 uses a different protocol for describing data types. 5) Version 5 has more overhead than version 4.
- 473. X.509 Authentication Service X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. 473
- 474. Public-Key Certificate Use 474
- 475. X.509 Certificates • issued by a Certification Authority (CA), containing: – version (1, 2, or 3) – serial number (unique within CA) identifying certificate – signature algorithm identifier – issuer X.500 name (CA) – period of validity (from - to dates) – subject X.500 name (name of owner) – subject public-key info (algorithm, parameters, key) – issuer unique identifier (v2+) – subject unique identifier (v2+) – extension fields (v3) – signature (of hash of all fields in certificate) • notation CA<<A>> denotes certificate for A signed by CA 475
- 476. X.509 Certificates 476
- 477. CRL • certificates have a period of validity • may need to revoke before expiry, e.g.: 1. user's private key is compromised 2. user is no longer certified by this CA 3. CA's certificate is compromised • a CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. 477
- 478. Obtaining a Certificate • any user with access to the CA can get any certificate from it • only the CA can modify a certificate • because they cannot be forged, certificates can be placed in a public directory 478
- 479. CA Hierarchy • if both users share a common CA then they are assumed to know its public key • otherwise CA's must form a hierarchy • use certificates linking members of hierarchy to validate other CA's – each CA has certificates for clients (forward) and parent (backward) • each client trusts parents certificates • enable verification of any certificate from one CA by users of all other CAs in hierarchy 479
- 480. CA Hierarchy Use 480 A get B certificate using chain: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>>
- 481. Authentication Procedures: • the CA must authenticate/verify an applicant before issuing it a certificate. • Three alternative authentication procedures: – One-Way Authentication – Two-Way Authentication – Three-Way Authentication
- 482. One-Way Authentication • One-way authentication involves a single transfer of information from one user (A) to another (B)
- 483. One-Way Authentication: • 1 message (A->B) used to establish – the identity of A and that the message is from A – that the message was intended for B – integrity & originality of the message 1. A -> B: {tA, rA, B, sgnData, KUb[Kab]} tA = timestamp, rA = nonce, B = identity of B, sgnData = data signed with A's private key
- 484. Two-Way Authentication • 2 messages (A->B, B->A) which also establish, in addition: – the identity of B and that the reply is from B – that the reply is intended for A – integrity & originality of the reply 1. A -> B: {tA, rA, B, sgnData, KUb[Kab]} 2. B -> A: {tB, rB, A, sgnData, KUa[Kab]}
- 485. Three-Way Authentication • 3 messages (A->B, B->A, A->B) which enable the above authentication without synchronized clocks 1. A -> B: {tA, rA, B, sgnData, KUb[Kab]} 2. B -> A: {tB, rB, A, sgnData, KUa[Kab]} 3. A -> B: {rB}
- 486. Public-Key Infrastructure A public-key infrastructure (PKI) is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
- 487. Public-Key Infrastructure End entity: A generic term used to denote end users and devices (e.g., servers, routers). Certification authority (CA): The issuer of certificates and certificate revocation lists (CRLs). Registration authority (RA): An optional component that can assume a number of administrative functions.
- 488. Public-Key Infrastructure CRL issuer: An optional component to which a CA can delegate the publication of CRLs. Repository: A generic term used to denote any method for storing certificates and CRLs so that they can be retrieved by end entities.
- 489. Public-Key Infrastructure
- 490. Public-Key Infrastructure Registration: This is the process whereby a user first makes itself known to a CA (directly, or through an RA), prior to that CA issuing a certificate or certificates for that user. Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure.
- 491. Public-Key Infrastructure Certification: This is the process in which a CA issues a certificate for a user's public key, and returns that certificate to the user's client system and/or posts that certificate in a repository. Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new key pair) and new certificates issued.
- 492. Public-Key Infrastructure Cross certification: one certification authority issues a certificate to another certification authority.
- 493. UNIT-IV
- 494. Contents: Pretty Good Privacy, S/MIME, IP Security Overview, IP Security Architecture, Authentication Header, Encapsulating Security Payload, Combining Security Associations, Key management.
- 495. Pretty Good Privacy
- 496. Pretty Good Privacy PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.
- 497. Pretty Good Privacy PGP is an open-source, freely available software package for e-mail security. It provides authentication through the use of digital signatures. It provides confidentiality through the use of symmetric block encryption.
- 498. Pretty Good Privacy It provides compression using the ZIP algorithm. It provides e-mail compatibility using the radix-64 encoding scheme. It provides segmentation and reassembly to accommodate long e-mails.
- 499. Pretty Good Privacy Ks = session key used in the symmetric encryption scheme PRa = private key of user A, used in the public-key encryption scheme PUa = public key of user A, used in the public-key encryption scheme
- 500. Pretty Good Privacy EP = public-key encryption DP = public-key decryption EC = symmetric encryption DC = symmetric decryption H = hash function || = concatenation Z = compression using ZIP algorithm R64 = conversion to radix-64 ASCII format
- 502. Authentication 1. The sender creates a message. 2. SHA-1 is used to generate a 160-bit hash code of the message. 3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message. 4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
- 503. Authentication 5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
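The five authentication steps as an added Go example (not part of the slides or of any PGP implementation): an RSA PKCS#1 v1.5 signature over the SHA-1 digest, with the signature simply prepended to the message as the slides describe. A real OpenPGP message wraps signature and data in packets and compresses them, which is omitted here; newKey is a helper introduced for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

// newKey generates a 2048-bit RSA key pair (the sender's PRa/PUa).
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// pgpSign performs steps 2 and 3: the 160-bit SHA-1 digest of the message is
// signed with the sender's private key (EP(PRa, H(M)) in the slides' notation)
// and the signature is prepended to the message.
func pgpSign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha1.Sum(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	return append(sig, msg...), nil // signature || message
}

// pgpVerify performs steps 4 and 5: the receiver splits off the signature
// (its length is the RSA modulus size), recomputes the digest of the message
// and checks it with the sender's public key. The message is returned only
// when the two digests match, i.e. when it is accepted as authentic.
func pgpVerify(pub *rsa.PublicKey, signed []byte) ([]byte, error) {
	k := pub.Size()
	if len(signed) < k {
		return nil, errors.New("pgp: signed message shorter than a signature")
	}
	sig, msg := signed[:k], signed[k:]
	digest := sha1.Sum(msg)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return nil, err
	}
	return msg, nil
}
```

SHA-1 is what the slides and classic PGP specify; current OpenPGP uses SHA-2 digests, which here is a change of crypto.SHA1 to crypto.SHA256 in both functions.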
- 504. Confidentiality 1. The sender generates a message and a random 128-bit number to be used as a session key for this message only. 2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key. 3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.
- 505. Confidentiality 4. The receiver uses RSA with its private key to decrypt and recover the session key. 5. The session key is used to decrypt the message.
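The confidentiality steps as an added Go example (again not from the slides or from PGP itself): AES-128 in CFB mode stands in for CAST-128/IDEA/3DES, the IV placed after the encrypted session key is this example's own layout rather than the OpenPGP packet format, and newKey is a helper introduced for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// newKey generates the recipient's 2048-bit RSA key pair (PRb/PUb).
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// pgpEncrypt performs steps 1 to 3: a random 128-bit session key Ks encrypts the
// message (AES-128 in CFB mode stands in for CAST-128/IDEA/3DES, which the Go
// standard library lacks), then Ks is encrypted with the recipient's public key
// and prepended. Layout of the output: EP(PUb, Ks) || IV || EC(Ks, M).
func pgpEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	buf := make([]byte, 16+aes.BlockSize) // session key followed by a fresh IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	ks, iv := buf[:16], buf[16:]
	block, _ := aes.NewCipher(ks) // a 16-byte key cannot fail
	body := make([]byte, len(msg))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(body, msg)
	ek, err := rsa.EncryptPKCS1v15(rand.Reader, pub, ks) // PKCS#1 v1.5, as PGP uses
	if err != nil {
		return nil, err
	}
	return append(append(ek, iv...), body...), nil
}

// pgpDecrypt performs steps 4 and 5: the recipient's private key recovers Ks from
// the first modulus-size bytes, then Ks decrypts the body. CFB gives
// confidentiality only; integrity comes from the PGP signature, not from here.
func pgpDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	k := priv.Size()
	if len(ct) < k+aes.BlockSize {
		return nil, errors.New("pgp: ciphertext too short")
	}
	ks, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct[:k])
	if err != nil || len(ks) != 16 {
		return nil, errors.New("pgp: session key recovery failed")
	}
	block, _ := aes.NewCipher(ks)
	iv, body := ct[k:k+aes.BlockSize], ct[k+aes.BlockSize:]
	msg := make([]byte, len(body))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(msg, body)
	return msg, nil
}
```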
- 506. Transmission and Reception of PGP Messages
- 507. PGP Message Format
- 508. PGP Message Format The message component includes the actual data to be stored or transmitted, as well as a filename and a timestamp that specifies the time of creation.
- 509. PGP Message Format The signature component includes the following: Timestamp: The time at which the signature was made. Message digest: The 160-bit SHA-1 digest, encrypted with the sender's private signature key.
- 510. PGP Message Format Leading two oc
