03-VU-NetSec-Modern-Ciphers all important questions and answers

VU Network Security
Lecture 03
Modern Ciphers
Tanja Zseby
Institute of Telecommunications, TU Wien
SS 2024
www.tuwien.at

Wireless LAN Security
T. Zseby, VU Network Security 2

Overview
■ Stream Ciphers
■ Basics
■ A5/1
■ RC4
■ Fluhrer-Mantin-Shamir Attack
■ Block Ciphers
■ Basics
■ DES, 3DES
■ AES
■ Block Cipher Modes

Recap: Basic Techniques
■ Substitution
■ Substitute PT units
■ è S-Box
■ Transposition
■ Permutation of PT units
■ è P-Box
■ Product cipher
■ Combination of substitution and transposition functions
■ Realization with S-Boxes and P-Boxes

Substitution-Permutation (SP) Network
Source: wikipedia

Perfect vs. Computational Security
■ Perfect security
■ Against adversary with unlimited computing power
■ Impossible to crack cipher
■ Computational security
■ Assume adversaries with limited computing power
■ Possible to crack cipher, but not with reasonable effort
■ Design ciphers that are hard to crack
■ New inventions may violate assumptions
■ Faster hardware
■ Better algorithms
■ Quantum computers

Kerckhoffs's Principle (1883)
■ Cipher system must be
■ practically (if not mathematically) indecipherable
■ not required to be secret and able to fall into the hands of the enemy
without inconvenience
■ key must be communicable and retainable without the help of written
notes, and changeable or modifiable at the will of the correspondents
■ applicable to telegraphic correspondence
■ portable, and its usage and function must not require the concourse of
several people
■ easy to use (requiring neither mental strain nor the knowledge of a long
series of rules to observe)
■ Shannons Maxim: “The enemy knows the system.”
èno “security by obscurity”
Source: A. Kerckhoffs: La cryptographie militaire. Journal des sciences militaires. Feb. 1883

Cryptanalysis
■ Power of adversary
■ Resources available to adversary
■ Information available to adversary
■ Resources
■ Assumption: limited resources (computational security)
■ processing, memory, time
■ è consider computational complexity of cracking a
cipher

Information Available to Adversary
■ Ciphertext-only attack
■ Adversary has access to set of ciphertexts
■ e.g. from eavesdropping messages exchanged between A and B
■ Known-plaintext attack
■ Adversary has access to set of ciphertexts to which he knows the
corresponding plaintext
■ Chosen Plaintext Attack
■ Adversary can obtain ciphertexts for an arbitray set of plaintexts that he
selected
■ Chosen Ciphertext Attack
■ Adversary can obtain plaintexts for an arbitray set of ciphertexts that he
selected

Information Available to Adversary
■ Adaptively Chosen Plaintext Attack
■ Adversary can choose subsequent plaintexts based on ciphertexts he
received for previous plaintexts
■ Adaptively Chosen Ciphertext Attack
■ Adversary can choose subsequent ciphertexts based on plaintexts he
received for previous ciphertexts
■ Related-key attack
■ Adversary can obtain ciphertexts encrypted by two different keys.
■ Keys remain unknown, but relationship between keys is known (e.g. differ in
one bit).

Recap: Symmetric Encryption
Alice Bob
Eve
Ciphertext c
k k
c=E(k,m) m=D(k,E(k,m))
- Sees ciphertext c
- Knows functions E() and D()
- May have additional information
(e.g. language, purpose of
conversation)

Stream Ciphers
■ Basic Idea: similar to One Time Pad
■ Generate a keystream
■ One key bit for each plaintext bit
■ Combine plaintext bits with key bits
! = ! ! !!! ! = ! ! !!!
Alice Bob
k = 011000001010….
k = 011000001010….
m = 111100001011….
è m = 111100001011….
c = 100100000001 …

Stream Ciphers
■ Problem: random keystream
■ How to generate random key
■ How exchange key with communication partner?
■ Approach
■ Generate a pseudorandom key
■ Use a smaller truly random key as seed
■ Pseudorandom is not a truly random key
è no perfect secrecy

Random Numbers for Cryptography
■ Needed for
■ Seed to generate symmetric keys
■ Input for asymmetric cryptography
■ Security protocols
■ Special requirements
■ Statistically random
■ Unpredictable è unbiased and uncorrelated
■ Natural sources of randomness
■ Radioactive decay
■ Coin toss
■ Noise diode

Pseudo Random Generator (PRG)
■ Deterministic Function that expands a short truly random sequence s
(seed) to longer pseudo-random sequence G(s)
!: 0,1 ! → 0,1 !!with!!!!! ≪ !!!
s G(s)
Possible sequences for R
(real random sequence of length n)
Possible sequences for s

Pseudo Random Generator (PRG)
Possible sequences for R
(real random sequence of length n)
Possible sequences for G(s)
(generated from seed s)

Pseudo Random Generator Security
■ PRG considered secure if G(s) indistinguishable from random
sequence R
■ Statistical test A
■ checks if sequence looks random
■ Test passed if A(sequence)=1
è if test passed sequence is considered random

PRG Security: Advantage
■ Real random Sequence R
■ If A(R) = 1 è Test recognizes real rand. seq as random è test
suitable to detect randomness
■ Probability that test detects randomness correctly P(A(R)=1)
■ Pseudo random sequence G(s)
■ If A(G(s)) = 1 è Test recognizes pseudo rand. sequence as random
è good pseudo random generator
■ Advantage (for an attacker)
■ Suitability of test for detecting randomness
■ Quality of pseudo random sequence
!"# !, ! ! = ! ! ! ! = 1 − ! ! ! = 1 ! !!

Advantage
■ Shows if test performs different on pseudo-random sequence G(s) or
real random sequence R
■ Compares probabilities
■ Prob. that test passed for G(s) vs.
■ Prob. that test passed for R
■ High difference è high advantage è G(s) detectable different from
random è weak PRG
■ Small difference è low advantage ègood PRG
!"# !, ! ! = ! ! ! ! = 1 − ! ! ! = 1 ! !!

Advantage Examples
!"# !, ! ! = ! ! ! ! = 1 − ! ! ! = 1 ! !!
! ! ! ! = 1 = 0.1!!
! ! ! = 1 = 0.9!! è Test suitable to discover randomness
è But does not consider G(s) as random
!"# !, ! ! = 0.1 − 0.9! = 0.8!!
è Weak PRG

Stream Cipher Example: A5/1 Keystream Generator
■ Purpose: encryption of data in GSM networks
■ Voice calls, text messages
■ Developed 1987
■ Based on shift registers
■ Designed for hardware implementation
■ Generation of pseudo random key (G(s))
■ 3 Linear Feedback Shift Register (LFSR)
■ X: 19 bits, Y: 22 bits, Z: 23 bits
■ Clocked with a majority rule maj(x8,y10,z10)
■ Seed (64 bits) filled into register
■ Initialization procedures with seed and 22-bit number

A5/1 Keystream Generator
Source: wikipedia
Clocking bit:
If x8=maj(x8,y10,z10) è register X steps
If y10=maj(x8,y10,z10) è register Y steps
If z10=maj(x8,y10,z10) è register Z steps

A5/1 Security
■ Keysize too small (64-bit)
■ “Security by Obscurity” è Violation of Kerckhoffs’s Principles
■ Algorithm was kept secret è re-engineered è problems found
■ Some flaws in structure of registers*
■ With first 2 min of conversation è 1 sec to crack key
■ With arbitrary 2 sec of conversation è several min
■ A5/2
■ Weaker version
■ A5/3
■ KASUMI Block Cipher
■ 128 bit, used in 3G
■ related key attack possible**
* Source: Biryukov et al. Real Time Cryptanalysis of A5/1 on a PC. 7th International Workshop on Fast Software Encryption, 2000
** Dunkelman, Keller, Shamir, A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony, 2010

Example Stream Cipher: RC4
■ Developed by Ronald Rivest (Ron's Code 4)
■ Each step of PRG generates one byte of keystream
■ Designed for software implementation
■ Initially kept secret (later published as Alleged RC4 )
■ Self-modifying lookup table
■ Permutation of 256 byte values
■ Table changes every time a keystream byte is created
■ Random seed initializes lookup table
■ Used in
■ WEP, WPA (not WPA2)
■ initially in TLS/SSL (now other ciphers supported)

RC4
■ Byte array S
■ Permutation of all possible bytes è 256 entries
■ Byte array K for initial key
■ 2 index pointer i, j
■ Seed (master key)
■ 1 ≤ keylength ≤ 256 (typically 40 – 128 bits)
■ Filled in K
i 0 1 2 3 4 5 …
S[i] S[0] S[1] S[2] S[3] …
K[i] K[0] K[1] K[2] K[3] …
Bytearray K
Bytearray S
i j

RC4 Initializtion
for i=0 to 255
S[i]=i
K[i]=key(i mod N)
next i
Set array to identity permutation
Fill K with seed, repeat seed if seed <256
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
K[i] k0 k1 k2 k3 k4 k5 …
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256 Calculate index j using S and key bytes
swap(S[i],S[j]) Swap Bytes
next i
i=j=0 Initialize indices
Source: M. Stamp, Information Security: Principles and Practice, 2011
i 0 1 2 3 4 5 …
S[i] S[0] S[1] S[2] S[3] S[4] S[5] …
i j
swap

RC4 Operation
Generate one byte keystream for each byte of plaintext
Generation Algorithm (after initialization):
i=i+1 mod 256 Increase index i
j=(j+S[i]) mod 256 Calculate index j
swap(S[i],S[j]) Swap Bytes
t=(S[i]+S[j]) mod 256 Calculate index t
output S[t] Output byte for keystream

RC4
Source: wikipedia
1. Calculate Index t=S[i]+S[j]
S[t]
2. Output Byte
For keystream

IEEE 802.11b Wired Equivalent Privacy (WEP)
■ Encryption of wireless communication
■ Uses RC4 stream cipher
■ Long term key (real random seed):
■ 40 bit key or 104 bit key
■ 24 bit initialization vector (IV)
■ Changed for subsequent messages
■ Prepended to key to prevent repetitions
■ Transmitted in plaintext to inform communication partner (and allow
decryption)
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
K[i] IV1 IV2 IV3 k0 k1 k2 …

WEP
Source: wikipedia
Initialization Vector (IV) transmitted as plain text

Fluhrer-Mantin-Shamir Attack on WEP
■ Situation for adversary
■ IV known (submitted in plaintext)
■ Key unknown
■ Prerequisite
■ Adversary knows many ciphertext messages (e.g., from eavesdropping)
■ Adversary knows (or can guess) first byte of plaintext
■ e.g. from standard message formats
è known-plaintext attack
■ Goal: Discover the secret key (seed)

Fluhrer-Mantin-Shamir Attack on WEP
!" = 3,255, ! !
Assume Initialization Vector (IV) with the following 3 bytes:
- V is arbitrary value
- Whole IV (including V) is known to attacker
- Observing traffic è just wait until IV of above
form occurs

WEP Initialization
2. Build K[i] (input to RC4 algorithm) from IV and key (seed):
for i=0 to 255
S[i]=i
next i
1. Fill S[i] with identitiy permutation:
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
i 0 1 2 3 4 5 …
K[i] 3 255 V k0 k1 k2 …

WEP Initialization
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
3. Calculate j
i=0
j=(0+S[0]+K[0]) mod 256 = 3
4. Swap(S[i],S[j]) (with i=0, j=3):
0 3
i 0 1 2 3 4 5 …
S[i] 0 1 2 3 4 5 …
K[i] 3 255 V k0 k1 k2 …
i 0 1 2 3 4 5 …
S[i] 3 1 2 0 4 5 …
K[i] 3 255 V k0 k1 k2 …

WEP Initialization
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
5. Calculate new j
i=1
j=(j+S[1]+K[1]) mod 256
=(3+1+255) mod 256=3
6. Swap(S[i],S[j]) (with i=1, j=3)
i 0 1 2 3 4 5 …
S[i] 3 1 2 0 4 5 …
K[i] 3 255 V k0 k1 k2 …
i 0 1 2 3 4 5 …
S[i] 3 0 2 1 4 5 …
K[i] 3 255 V k0 k1 k2 …

WEP Initialization
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
7. Calculate new j
i=2
j=(3+S[2]+K[2]) mod 256
=(3+2+V) mod 256 = (5+V) mod 256
8. Swap(S[i],S[j]) (with i=2, j=5+V mod 256)
i 0 1 2 3 4 5 … 5+V
S[i] 3 0 2 1 4 5 … 5+V
K[i] 3 255 V k0 k1 k2 … k2+V
i 0 1 2 3 4 5 … 5+V
S[i] 3 0 5+V 1 4 5 … 2
K[i] 3 255 V k0 k1 k2 … k2+V

WEP Initialization
j=0
for i=0 to 255
j=(j+S[i]+K[i]) mod 256
swap(S[i],S[j])
next i
9. Calculate new j
i=3
j= (5+V+S[3]+K[3]) mod 256
= (5+V+1+K[3]) mod 256
= (6+V+K[3]) mod 256
10. Swap(S[i],S[j]) (with i=3, j=6+V +K[3] mod256)
i 0 1 2 3 4 5 … 5+V … 6+V+K[3]
S[i] 3 0 5+V 1 4 5 … 2 … 6+V+K[3]
K[i] 3 255 V k0 k1 k2 … k2+V … k6+V+K[3]
i 0 1 2 3 4 5 … 5+V … 6+V+K[3]
S[i] 3 0 5+V 6+V+K[3] 4 5 … 2 … 1
K[i] 3 255 V k0 k1 k2 … k2+V … k6+V+K[3]

Array after 4 Rounds Initialization (i=3)
Assume RC4 stops after i=3 and we start keystream generation (i=0, j=0):
i=i+1 mod 256 è i=1
j=(j+S[i]) mod 256 è j=0+S[1]=0
swap(S[i],S[j]) è swap(S[1],S[0])
t=(S[i]+S[j]) mod 256 è t=S[1]+S[0]=3+0=3
output S[t] è S[t]=S[3]=6+V+K[3]
S[t] is first keystream byte
i 0 1 2 3 4 5 … 5+V … 7+V+K[3]
S[i] 3 0 5+V 6+V+K[3] 4 5 … 2 … 1
i 0 1 2 3 4 5 … 5+V … 7+V+K[3]
S[i] 0 3 5+V 6+V+K[3] 4 5 … 2 … 1

RC4: Discovering Parts of the Key
S[t]=S[3]=6+V+K[3] è S[3] is first keystream byte
Assumption was:
- Adversary knows ciphertext messages
- Adversary knows first byte of plaintext
- Adversary knows V
Encryption of first byte:
! = ! ! !!!
known
known
unknown 1st keystream byte=S[3]

■ deduce S[3] with
■ recover K[3] (first byte of secret key)
!! 0 = ! 0 ! 3 !!!
!! 3 = ! 0 ! 0 !!!
S[3]=6+V+K[3]
K[3]=S[3]-6-V
i 0 1 2 3 4 5 …
K[i] 3 255 V k0 k1 k2 …
first byte of secret key (seed)
discovered!
! = ! ! !!!
è 1st keystream byte S[3]

RC4: Discovering Remaining Parts of the Key
■ If K[3] known
■ look for IVs with IV=(4,255,V)
■ Repeat whole the procedure
■ First byte of keystream S[4]=10+V+K[3]+K[4]
■ Recover K[4] è recover second byte of seed
■ If enough IVs (enough observations) è can recover arbitrary bytes of
secret key (seed)
■ WEP “unsafe at any keysize”
i 0 1 2 3 4 5 …
K[i] 4 255 V k0 k1 k2 …
S[i] 0 1 2 3 4 5 …
S[i] 4 1 2 3 0 5 …

■ But: RC4 Initialization takes 256 steps
■ If S[0],S[1] or S[3] are changed during initialization èAttack
does no longer work
■ Probability that S[0],S[1] or S[3] is changed?
■ Only possible during swap(S[i],S[j])
■ Index i è no influence (already at i=4)
■ è only swapped if index j=0 or j=1 or j=3

■ Probability that j=0 or j=1 or j=3?
■ Probability that j=0 (for random j and one step)
■ Probability that j=0 OR j=1 OR j=3:
■ Probability that S[0], S[1], S[3] remain (after one step)
! (! = 0) ∪ (! = 1) ∪ (! = 2) =
!
!"#
!!
! ! = 0 =
!
!"#
!! same for others
!(#[0], #[1], #[3] +,-./0) = 1 −
!
"#$
=
"#!
"#$
= 0.988

■ Probability that S[0], S[1], S[3] remain after additional 252 initialization
steps:
■ None changed in 5% of the time
■ K[3]=S[3]-6-V in 5% of times
■ With n=60 messages (with same IV)
■ 0.05*n=3 è expected to see K[3] three times
■ Adversary just needs sufficient equal IVs (3,255,V)
■ 24 bit IV è224 different values possible
! !"!#!!ℎ!"#$% =
!"#
!"#
!"!
≈ 0.05!!

Preventing WEP Attack
■ Possibilities to prevent Fluhrer-Mantin-Shamir attack
■ Add 256 additional steps è start keystream generation and discard
first 256 bytes
■ Combine key with IV in other ways
■ But: WEP has further problems
■ Other attacks on RC4 possible
■ 2011: Sepehrdad, et al., “Discovery and Exploitation of New Biases in
RC4,” in Selected Areas in Cryptography, 2011
■ 2013: AlFardan, et al.: On the Security of RC4 in TLS and WPA,
USENIX Security, 2013
■ Heise News: http://www.heise.de/security/meldung/NSA-
entschluesselt-Webserver-Daten-angeblich-in-Echtzeit-2041383.html

Stream Cipher Advantages
■ Fast
■ Simple
■ Keystream for each byte
■ no retransmission of block if transmission errors
■ No padding
■ Easy to implement in hardware
■ Useful for
■ Resource constraint devices
■ High data rates
■ High error rates

Stream Cipher Examples
■ A5/1
■ Optimized for hardware implementation
■ Bitwise generation of keystream
■ Small key (64 bits)
■ Initially violation of Kerckhoffs's principle
■ Efficient attacks known
■ RC4
■ Optimized for software implementation
■ Bytewise generation of keystream
■ Initially violation of Kerckhoffs's principle
■ Today not considered secure
■ Bad implementations, e.g. WEP
■ Alternatives: Rabbit, Salsa20/12, SOSEMANUK

Block Ciphers
■ Basic Idea: similar to codebook
■ Algorithm operates on message blocks of fixed length
■ Usually a product cipher with multiple iterations (rounds) of S-
Box and P-Box operations
■ Key
■ Specifies the transformation
■ Usually split into sub-keys (round keys) to get a different key for
each round
■ Parameters: block size, encryption and decryption algorithms, key
■ Encryption of bulk data

Feistel Cipher
Source: wikipedia
F - round function
K0, K1,…Kn - round keys
Plaintext split into left (L) and right (R) part
Encryption:
Decryption:
Output Ciphertext:
Output Plaintext:
Input Plaintext:
Input Ciphertext:

Data Encryption Standard (DES)
■ 1971 IBM invents Lucifer Cipher
■ Based on Feistel cipher
■ 1973 US NBS (National Bureau of Standards, now NIST) issues
call for a data encryption standard that fulfills their (and NSA)
needs
■ è no suitable candidate
■ 1974 new call
■ IBM submits cipher based on Lucifer
■ Selected as suitable candidate
■ 1976 modified version of Lucifer becomes federal standard DES

DES Structure
■ Block cipher
■ Blocklength: 64 bits
■ Key (seed): 56 bits
■ Subkeys: 48 bits
■ Feistel Structure
■ 16 Rounds
■ Round Function F
Initial Permutation
Final Permutation
Source: wikipedia
!!!! !!!!

DES Round Function
! !!!!, !! = !_!"#(!_!"#$% !"#$%& !!!! ⊕!!! )! !!
Feistel Cipher with Round Function:
Source: wikipedia
1. Expansion 32è 48 bits
2. XOR with subkey
3. Substitution (S-Boxes)
4. Permutation (P-Box)

DES Security
■ Today:
■ Not considered secure è key too small (56 bits)
■ Exhaustive Key search 256=72*1015
■ DES Challenge
■ Launched by RSA Security
■ Goal: Demonstrate that 56 bit key not sufficient
■ Given: some plaintext with matching ciphertext (known-plaintext
attack)
■ Task: find key
■ Using exhaustive key search

DES Security
■ 1997 DESHALL è 140 days
■ Distributed computing over Internet
■ Clients connected to key server and got tasks
■ Nearly 80.000 participants (according to DESCHALL)
■ 1998 Deep Crack è 56 hours
■ Electronic Frontier Foundation (EFF)
■ 1536 specialized crypto chips
■ 88 billion keys/sec
■ Costs: 250.000 USD
■ 1999 Joint effort è 22 hours
■ Deep Crack together with distributed computing

DES Security
■ 2006 COPACOBANA è 6.4. days (average)
■ Cost-Optimized Parallel Code Breaker
■ Ruhr-University Bochum and University Kiel
■ Machine with 120 FPGAs
■ Optimized for cryptanalysis
■ Can test 65 billion keys per second
■ Costs: 10.000 USD

Triple DES (TDES, 3DES)
■ Double DES
■ Repeat encryption
■ Keylength 2x56=112 bits
■ But chosen-plaintext attack exists
■ Triple DES
■ Encrypt-decrypt-encrypt
! = #(#(%, '(), '*)
! = ! ! ! !, !! , !! , !! !!

3DES
■ Why not: ?
■ è Backwards compatibility
■ If kA=kB =kCè single DES
! = ! ! ! !, !! , !! , !! !!
! = ! ! ! !, !! , !! , !! = ! !, !! !!

DES Successor
■ 1997 NIST calls for new cipher standard: Advanced Encryption
Standard (AES)
■ Requirements
■ Symmetric block cipher
■ Block size: 128 Bit
■ Support key lengths of 128, 192 and 256 bits
■ Easy to implement in hardware and software
■ Very good performance
■ Secure against all known attacks
■ Resource efficient (use in smart cards
■ Free available (no license fees)
■ è 15 submissions

Advanced Encryption Standard (AES)
■ Rijndael Algortihm
■ Successor of DES/3DES
■ 2000 announced as standard
■ Block lengths: 128 bits
■ generic Rijndahl allows also others
■ Rounds: 10-14 (depending on key length)
■ Key lengths: 128, 192 or 256 bits

AES is a Substitution-Permutation Network
Source: wikipedia
Substitution Layer
Permutation Layer
Key Addition Layer

AES Operation
■ SubBytes
■ substitute bytes in message
■ ShiftRows
■ shift bytes within a row of the block
■ MixColumns
■ multiply columns with matrix
■ except in final round
■ AddRoundKey
■ XOR column with part of round key
■ Exact description of all functions in NIST AES Standard
■ Kerckhoffs's Principle

AES
■ AES used in
■ WPA2 IEEE 802.11i encryption (Wi-Fi Protected
Access 2)
■ SSH
■ IPsec
■ Skype
■ And many more…

Block Ciphers vs. Stream Ciphers
■ Stream
■ RC4 è126 MB/sec
■ Salsa 20/12 è 643 MB/sec
■ Sosemanuk è727 MB/sec
■ Block
■ 3DES (64 bit blocksize, 168 bit key) è13 MB/sec
■ AES-128 (128 bit blocksize, 128 bit key) è 109 MB/sec
è Stream ciphers faster
(exact numbers dependent on hardware and experiments settings)
Source: Dan Boneh, Cryptography I

Block Ciphers vs. Stream Ciphers
■ Stream Ciphers
■ Speed and Simplicity
■ Useful for high data rates, resource constraint environments
■ Block Ciphers
■ Good for encryption of bulk data
■ Better security
■ Slower
■ Blocks è may require padding of messages
■ Transmission error è block retransmission
■ Can be used to generate stream cipher

Block Cipher Modes
■ How to split data into blocks?
■ How to preprocess blocks?
■ How to apply encryption scheme?
■ è Different Block Cipher Modes

Electronic Codebook (ECB) Mode
■ Message is split into blocks of equal size
■ If needed padding
■ Each block encrypted independently
Problem?
èequal plaintext generates equal ciphertext
Source: wikipedia

ECB
Source: wikipedia

Solution
■ Randomization
■ Randomize plaintext data by using an initialization vector
Source: wikipedia

Source: wikipedia
r1 r2 r3
Idea: Randomization
■ XOR random number before encryption
■ Transmit random numbers with CT
■ Advantage: Randomization
■ Disadvantages
■ Need to transmit random number per block
■ Attacker can change decrypted PT by changing r
■ Attacker can swap blocks to change PT

Cipher Block Chaining (CBC)
■ Initialization vector (IV)
■ XOR random IV to first block
■ XOR result to next block etc.
■ è generate own random numbers from IV and PT
■ Randomization without need to transmit random number
Source: wikipedia

CBC Decryption
Source: wikipedia

CBC
■ Randomization
■ Random IV ensures that CT changes even if PT remains
■ Adversary cannot tell if PT has changed
■ Similar performance to ECB
■ Just add generation and transmission of IV
■ Disadvantages:
■ Dependencies: If one character lost in transmission è whole
message is corrupted
■ If attacker changes cn it has an effect on mn+1 because cn is used
to decrypt cn+1
■ Complete PT block to generate CT

Output Feedback (OFB)
■ PT not needed for randomization
Source: wikipedia

Output Feedback (OFB)
■ Advantage:
■ Can generate keystream without plaintext
■ No padding or waiting until enough bits for block
■ Can use keystream like stream cipher !
Source: wikipedia

Cipher Feedback (CFB)
■ Less vulnerable to tampering (compared to CBC)
■ Can re-synchronize if one block is lost or corrupted
■ Generates keystream but needs message è cannot be generated in advance
Source: wikipedia

Counter Mode (CTR)
■ Realizes a stream cipher
■ No dependence on message è key stream pre-computed
■ Initialization Vector is incremented
■ Nonce remains
■ Counter incremented
Source: wikipedia

Bob
Man in the Middle
Man in the Middle: “A form of active wiretapping attack in which the attacker intercepts and
selectively modifies communicated data to masquerade as one or more of the entities
involved in a communication association.” [RFC4949]
How to protect communication against message modification?
Message Message*
Malory
Alice

Goal: Integrity
“…data has not been changed, destroyed, or lost in an
unauthorized or accidental manner.” [RFC4949]

Message Authentication Code (MAC)
Alice Bob
m,t
t=S(m,k)
Message Authentication Message Verification
- Calculate tag
- Compare tags
- Accept or reject
- Generate a tag t
- Append tag to message as MAC
k k
t’=S(m,k)
If t’=t è accept

Using CRC?
■ CRC does not use key è not suitable
Alice Bob
m,t
t=CRC(m) V(m*,CRC*)
Mallory
m*,CRC*
t*=CRC(m*)
è accept

■ Adversary does not know secret key k
■ è cannot calculate correct tag for modified message
Alice Bob
m,t
t=S(m,k)
k k
Mallory
m*,?
t*=S(m*,?)

But still…
WEP Operation
Source: wikipedia

■ Using a valid Message Authentication Code
■ With a secret key
Q: Can Bob prove (in a court) that message was sent by Alice?
k k
Alice Bob
m,t
t=S(m,k) t’=S(m,k)
If t’=t è accept

MAC vs. Digital Signatures
■ MAC
■ Verify that message was not altered
■ Generation and Verification of MAC with same secret key (symmetric
cryptography)
è everyone who knows secret key can generate MAC
è Bob can create MAC for message from Alice
■ Digital Signatures
■ Purpose: prove that message was sent by a specific sender (non-
repudiation)
■ Only originator of message should be able to provide correct signature
è Possible with asymmetric cryptography

MAC Generation (Possibility 1)
■ Cipher-Based Message Authentication Code (CMAC)
■ Based on block cipher (3DES, AES)
■ Advantage:
■ Same operation for encryption and message authentication
■ Example: Cipher Block Chaining (CBC) MAC
■ Use last block of CBC operation (CBC residue) as MAC
■ Depends on message and key

CBC MAC
■ Calculated based on message and key
Source: wikipedia

CBC MAC Options
■ How to use last block?
■ Idea 1: just resend last block (raw CBC)
■ Could be done by anyone
■ Not a good option è not secure
■ Idea 2: calculate CBC residue
■ Attach to plaintext
■ Encrypt both

CBC-MAC Option?
■ Any Problem with this?
■ è c7 is encryption of block with all zeros
■ è known plaintext situation (adv. knows CT for message=000...)
Source: Kaufman, Perlman, Speciner: Network Security: Private Communication in a Public World, Prentice Hall; 2 edition, 2002
CBC residue
!!⨁!! = 0!!!
Plaintext message
0000..

CBC MAC Options
■ Solution:
■ Use different keys for encryption and MAC
■ Calculate encrypted message with encryption key
■ Calculate CBC residue with message authentication key

MAC Generation (Possibility 2)
■ Keyed-Hash Message Authentication Code (HMAC)
■ Based on cryptographic hash functions
■ Generate MAC from:
■ Cryptographic hash function (e.g. MD5, SHA-2) and
■ Secret key (è keyed hash)

Cryptographic Hash Function
Source: wikipedia (Jorge Stolfi)

Cryptographic Hash Functions
■ Compression
■ len(h(x)) < len(x)
■ h(x) usually fixed size
■ Efficiency
■ Easy to compute h(x) for any x
■ One-way
■ No feasible way to invert hash, i.e. find x for a given y=h(x)
■ Weak collision resistance
■ Given x and h(x) infeasible to find any y such that h(y)=h(x)
■ Not feasible to modify message without changing the hash
■ Strong collision resistance
■ Infeasible to find any x and y s.t. h(y)=h(x)
■ Cannot find any two inputs that hash to the same output
x è h(x)

HMAC Construction
! ! ⊕ !"#$ |! ! ⊕ !"#$ |! !
inner padding (constant)
outer padding (constant)
Source: NIST FIPS PUB 198-1
if keysize < blocksize è append 0s
If keysize > blocksize è H(key) and append 0s
apply hash function
concatenate
apply hash function
concatenate
Determine K0
Steps 1-3:
K0 † ipad
H((K0 † ipad) || text)
K0 † opad
Step 4:
Step 5:
Step 7:
Step 8:
Step 9:
Step 6:
H((K0 † opad) || H((K0 † ipad) || text))
Figure 1: Illustration of the HMAC Construction
(K0 † opad) || H ((K0 † ipad) || text)
(K0 † ipad) || text

HMAC Construction
Source: By Gdrooid - Own work, CC0,
https://commons.wikimedia.org/w/index.php?curid=34446189

Message-Digest Algorithm 5 (MD5)
■ Cryptographic hash function, 1991
■ RFC1321, RFC 6151 (Updated Security Consideration)
■ Generates 128 bit hash value
■ Merkle-Damgård Construction with 4 rounds
■ Used to check files
■ MD5 value provided together with file
■ After download generate MD5 from file
■ Compare with provided MD5 value
■ Security
■ Some methods published to find collisions
■ Today not considered secure

Secure Hash Algorithm (SHA)
■ SHA-1 (1995)
■ Merkle-Damgård Construction with 80 rounds
■ 160 bit hash value
■ 2005: method to find collisions
■ SHA-2 (2001):
■ Set of cryptographic hash functions
■ Merkle-Damgård Construction with 64 or 80 rounds
■ Different hash sizes: SHA-224, SHA-256, SHA-384, SHA-512
■ SHA-3 (2012)
■ Completely new algorithm
■ Arbitrary hash sizes

Authenticated Encryption
■ Provide both: Confidentiality and Message Integrity
■ Encryption è Confidentiality
■ Message Authentication è Message Integrity
■ Which operation first?

Authenticated Encryption Options
■ Encrypt-and–MAC
■ Encrypt message
■ Calculate MAC from (PT) message
■ è no integrity of CT, MAC may reveal PT info
■ MAC-then-encrypt
■ Calculate MAC and append to message
■ Encrypt message (with appended MAC)
■ è no integrity of CT
■ Encrypt-then-MAC
■ Encrypt message
■ MAC over encrypted message è integrity of CT
■ è best option, standard method

Message Authentication Codes Summary
■ Ensures integrity of the data
■ Data was not changed on the path
■ But does not ensure non-repudiation
■ Everyone who knows symmetric key can generate valid MAC
■ è difference to digital signature
■ MAC generation
■ Cryptographic hash function AND secret key
■ HMAC Standard
■ Authenticated Encryption
■ Message encryption and authentication
■ è Encrypt then MAC

03-VU-NetSec-Modern-Ciphers all important questions and answers

Recommended

Recommended

More Related Content

Similar to 03-VU-NetSec-Modern-Ciphers all important questions and answers

Similar to 03-VU-NetSec-Modern-Ciphers all important questions and answers (20)

Recently uploaded

Recently uploaded (20)

03-VU-NetSec-Modern-Ciphers all important questions and answers